1Password 7.3.701 Beta 1 update is available

MikeTMikeT Agile Samurai

Team Member
edited July 11 in Windows Beta

Hi guys,

We hope you enjoyed the holidays this week.

We have a new beta update for you guys, which is focusing on security improvements, support for Opera 60 Stable, and a new feature coming soon for 1Password.com accounts. The biggest change in this update is 1Password now requiring the administrator rights to be installed.

Please test 1Password can install and uninstall without any glitches on your computers. We probably will ship an update early next week to test the update process as well.

As for 1Password 7.4, we're working hard on it and will release details as soon as it is ready to roar.

New

  • Added support for an upcoming feature with 1Password memberships. Stay tuned for more details. {OPW-3904}

Improved

  • Added temporary support for Opera 60 stable version with an expired key within a valid certificate. {OPW-4001}
  • 1Password will notify if an attempt to run 1Password with administrator rights is made. Instead, run 1Password normally and it'll request it when needed. {OPW-3775}

Security

  • 1Password now require administrator rights to install and to update. {OPW-3959, OPW-3887}
  • Inform Windows to limit our DLL search to the 1Password's app directory only and not look for it elsewhere in the default list of known locations. {OPW-3833}
  • Added 1Password.brain.exe to be opt'ed out of Windows Error Reporting. {OPW-3804}
  • Removed the --database-path support from 1Password.exe as it could be abused to redirect 1Password to an unexpected location. We recommend using Group Policy to set the database path instead. Thanks @zemnmez! {OPW-3776, OPW-3778}

Comments

  • Hello,

    The auto update and the manual setup execution fail :

    I'm on Windows 7 x64 with UAC totally deactivated (I know that's not a good practice ;) )

    So "1Password now require administrator rights to install and to update. {OPW-3959, OPW-3887}" is probably not happy with this always administrator access, I can set again UAC ON but it needs to restart computer, if I want to re-deactive again UAC, that means : 2 restart each time 1Password wants to update, not so user friendly.

  • MikeTMikeT Agile Samurai

    Team Member
    edited July 8

    Hi @Sylv1,

    Thanks for writing in.

    [Update: we're working to figure out why this Windows 7 admin accounts work differently with UAC disabled]

  • MikeTMikeT Agile Samurai

    Team Member
    edited July 5

    Hi @Sylv1,

    I do want to clarify one thing, there's a good chance that in 1Password 7.4, you will only need to do it once. We'll have an improved updater that can run with admin rights by default, so that 1Password can update itself without UAC prompts. However, we're not 100% sure on this until we get it out to you guys to test.

    Hopefully, when 1Password 7.4 is out, it'll turn into 1Password will need admin rights to install but not after that.

  • Hello MikeT, thanks for the quick reply :)
    I just turn UAC ON, update worked, I will get used to it, it's safer, my old Win 9x habits need to be changed after all these years ;)

  • MikeTMikeT Agile Samurai

    Team Member

    Awesome, thanks for letting us know!

  • Any help?

  • lumarellumarel
    edited July 6

    Hey there,
    Another great update :chuffed: Especially the security fixes are always a welcome improvement :+1:

    I'm just curious about why admin rights are needed now. As it is installed in the appdatalocal of the current user, there shouldn't be anything what needs such permissions, right? :unamused:
    Maybe I'm just thinking in a too narrow view.
    Nevertheless its your decision to take this step now ^^
    Another question then is, why it is the installed in the appdatalocal?

    I know that are some quite fundamental questions, you don't have to answer them if they are just needed design-decissions (or so).

    As always, thank you for your awesome updates,
    ~lumarel

  • Hi

    I'm wondering too about the reason for switching to need admin elevation to install, particularly when the installed files still end up in the %localappdata% path in the user context. I push out 1Password to my users silently using MS System Center Config Manager using the /verysilent switch. I push the installer out in the user context, and the install works fine.

    It will be difficult to deploy the installer if it continues to install in the user context, but needs one time admin elevation before starting the install. My only way to elevate the installation during deployment is to install machine-wide (system context), which by product would put the installed files in the %localappdata% of the SYSTEM account (i.e. not the logged in user).

    If admin elevation is desired during the install, my preference would be for the whole install is run in the machine-wide context, rather than mix-and-match user-context with admin elevation.

    Mark

  • MikeTMikeT Agile Samurai

    Team Member
    edited July 7

    Hi guys!

    [Note, this is still beta and all subject to change]

    Basically, we need to protect our files as we continue to add more interaction between 1Password files and processes; so it was time to lock our directory down. Someone has reported and pointed out that this could be used against us if we don't. It's not about the user context but any current running processes in that user context that can harm us; you don't need admin rights to replace files in %localappdata%.

    @portbury, we plan to work on a separate MSI installer that will support machine install, installing to the Program Files directory instead but it would be without automatic updates support. We've tried combining both in the same installer but it didn't meet our standards, there were too many edge cases. The MSI installer would be offered alongside our current installer, the latter is designed with automatic updates in mind. We actually used MSI for 1Password 6 for a while; it came with a lot of problems, especially when switching between admin and standard users on the same machine and automatic updates wasn't working well at all for most users. So, we'll continue to use our installer as the default option while businesses would be encouraged to use MSI with their own deployment tools instead, which they would have to update by themselves.

    For 1Password 7.4, we are working to improve our updater to be registered with Windows in the admin context, so that updates can be done without any UAC prompts. For security reasons, we want to make sure our users can update our app effortlessly but we do realize the current pain right now with shipping this now without the updater improvement. We just do not want to hold this update back further as it has a lot of other security improvements we can ship now. We're working as fast as we can to get both 1Password 7.4 and MSI installer out soon.

    As for sticking with the %localappdata% directory, it's about minimizing the impact of updating 1Password for all of our existing users. Moving to Program Files would mean any shortcuts, pinned taskbar, and other stuff will have to be updated and it would be more painful than it already is (since program files would still need admin rights). We've thought about ripping off the band aid and do it all at once but we think it is too much. Some of you may remember when we tried renaming our app directories to prevent file is in use errors while updating, it caused worse problems with weird edge cases.

    However, it is probable that we'll change this entirely in a future new version like 1Password 8 where we'll make that transition to Program Files for everyone but for now, we want to keep this simple while we continue to put all of our efforts on 1Password 7.4 with more security improvements to come.

  • Thank's for the deeper insight @MikeT !

    That makes sense for me, as it is set now the user is only possible to run & execute :+1:
    I don't think this is a problem but as I checked the rights, this message was brought up to me:

    For the %appdatalocal% / %ProgramFiles% topic, I'm thinking about something like what the vscode team did.
    They changed the previous installer to the naming of "System Installer" and added another one to install it with an "User Installer" as well, so they now support two different installation options, but didn't have to break someones shortcuts and so on :+1:

    But I know you are trying to not break something and just improve more and more parts, so for me this is totally okay as it is :chuffed:

  • MikeTMikeT Agile Samurai

    Team Member
    edited July 6

    Hi @lumarel

    [Update] Good catch on that, we're investigating, I can reproduce it on both Windows 7 and 10. Strangely, it is fine on the app folder and app files but not the 7.

    Do you have a source on VSCode's installer changes? We'd love to learn from what they did and why.

    We've also thought about installing to %Program Files% for new users while maintaining the current directory for existing users. It's always a balance we have to figure out but sustainability is an issue, trying to tell people to look in one directory where they don't see it and they then have to check other directory, updating our docs, and stuff like that is also a big factor. It's best to do this with a single version with one path.

    I'll get back to you on that error.

  • Hey @MikeT,

    Yeah.. I did notice this as well, but as I also haven't seen this issue before, I could only search for it and found this and on this page then that (if you didn't already find this yourself ^^)

    Visual Studio did this change for the Insider Channel in 1.25 (Release Notes) and for the Stable in 1.26 (Release Notes).
    Furthermore, as this complete project is open-source there is everything about it on Github :chuffed: : here
    Yes it is the opposite change from ProgramFiles to AppData to get rid of any admin rights needed, but it's described quite well how they did it :+1:

    Thank you very much :+1:

  • MikeTMikeT Agile Samurai

    Team Member

    Thanks!

    It looks like they uninstalled and then install the user setup separately, which doesn't cure the same problems I mentioned before. Your taskbar and start menu entries are gone when you uninstall VSCode in order to install the user setup version of VSCode. I just tested this and I had to repin everything anyway.

    Although, all of this is still beta and subject to change anyway, so we'll keep this in mind.

  • MikeTMikeT Agile Samurai

    Team Member

    Hi guys,

    I just want to give you an update on our investigation; the UAC limitation is only applicable to Windows 7 admin accounts; we have found no problems installing 1Password as is with UAC disabled on Windows 10 and Windows 7 standard users.

    We'll investigating to see what we can do with Windows 7 admin accounts.

    Thanks again for reporting this!

  • @MikeT

    Hopefully, when 1Password 7.4 is out, it'll turn into 1Password will need admin rights to install but not after that.

    That would be unfortunate.
    I do not have any administrator permissions on my work machine -- and still I use 1Password für managing my loging (of which I have many, even at work).

  • MikeTMikeT Agile Samurai

    Team Member

    Hi @thomas_ganter,

    Do you have a 1Password membership? If yes, you'd be able to use 1Password X extension in Firefox or Chrome (or upcoming Edge version) in that restricted setup if you can't get approval from the IT department for the desktop app.

    This is a security measure to ensure that no other current processes (no admin rights) can overwrite any of 1Password files.

  • @MikeT -- I even do have a family account.
    I was unaware that the Browser extension (Chrome -> work browser, Firefox -> private Browser) is runnable without the desktop app being installed. I seem to recall it not working because the connection could not be established with the desktop app.

    Am I missing something?

    --Thomas

  • lumarellumarel
    edited July 9

    Hi @MikeT,

    It looks like they uninstalled and then install the user setup separately, which doesn't cure the same problems I mentioned before. Your taskbar and start menu entries are gone when you uninstall VSCode in order to install the user setup version of VSCode. I just tested this and I had to repin everything anyway.

    I might have overlooked that, more or less I just meant the concept how they "switched" from System Installer to User Installer.
    But as you also mentioned there could also be a better solution you are looking for, we will see.
    At least it is good to see the UAC-off problem only on a legacy OS, which looses its support in a few month.

  • MikeTMikeT Agile Samurai

    Team Member

    Hi guys,

    @thomas_ganter;

    I was unaware that the Browser extension (Chrome -> work browser, Firefox -> private Browser) is runnable without the desktop app being installed.

    1Password X is a separate browser extension that runs within the browser itself, it does not require the local desktop program to be installed. You can find more information here: https://support.1password.com/getting-started-1password-x/

    I'd recommend giving it a try, a lot of folks find it more enjoyable to use as compared to our regular browser extensions for the desktop app. We do plan to add an integration support between 1Password X and the desktop app later; so you can use both 1Password X and the desktop app at home while using 1Password X elsewhere.

    @lumarel,

    At least it is good to see the UAC-off problem only on a legacy OS, which looses its support in a few month.

    Actually, we found another edge case with a customer that has this same issue on Windows 10; so Windows 7 with UAC set to never notify while Windows 10 with group policy modifications to disable run all admins in approval mode. Fun times!

    The fix we found seems to work for both cases. W're validating the fix and will ship it in the next beta update.

  • MikeTMikeT Agile Samurai

    Team Member

    Hey folks, we just shipped 7.3.702 Beta 2 update: https://discussions.agilebits.com/discussion/105400/1password-7-3-702-beta-2-update-is-available/p1?new=1

    I'll close this one for now, please reply above if you see anything.

This discussion has been closed.