Deploying Enpass via UEM/MDM

Enpass Password Manager is a native application that runs entirely on the user's device. Unlike browser-based or cloud-hosted password managers, Enpass stores and processes all data locally. Data is synced across devices through your organization's own cloud storage — such as Microsoft 365 (OneDrive/SharePoint) or Google Workspace (Google Drive) — without ever transiting Enpass infrastructure. Enpass must be installed as a native app on each user's endpoint before it can be used.

Why a Native App

Unlike browser-based password managers, Enpass runs as a native application directly on the user's device. This architectural choice has meaningful security and operational implications:

  • No browser dependency — Enpass runs as a standalone process, isolated from browser vulnerabilities and web-based attack surfaces.

  • OS-level autofill — Enpass integrates directly with operating system autofill APIs on iOS and Android. On Windows, macOS and Linux, browser extensions communicate locally with the native app to autofill credentials — no data is sent to any server.

  • Local cryptography — All encryption and decryption happens on-device. No credentials or vault data are processed on Enpass servers.

  • Data sovereignty — Vault data never transits Enpass infrastructure. Your organization controls where data is stored and synced.

  • High fault tolerance and offline capability — Because the vault also lives on-device, Enpass remains fully functional even without an internet connection or when your sync storage is unavailable. Users are never locked out due to a cloud outage or network disruption.

Because Enpass is a native app, it must be installed on each user's endpoint before it can be used — it cannot be accessed via a browser or a URL. Browser extensions, where used, act as a companion interface to the native app installed on the same device.

Why Managed Deployment

In an open environment, users can install Enpass themselves from a store or the Enpass website. In a controlled enterprise environment this is typically not possible: self-service downloads are restricted, app installations require IT approval, and devices are managed centrally.

Managed deployment via a UEM or MDM platform solves this by allowing administrators to:

  • Push Enpass silently to all enrolled devices without user action.

  • Pre-configure policy keys (policy-enforced, policy-email) so users are activated under the organization's license from first launch.

  • Ensure consistent app versions and settings across the fleet.

  • Deploy browser extensions alongside the native app in a single workflow.

Deployment Approaches

Scenario                           Recommended Approach
Unmanaged devices / small teams    Share direct download or store link with users
Managed devices via MDM/UEM        Package and push via your endpoint management platform

App Configuration Keys

Before deploying Enpass, administrators can pre-configure the application using supported configuration keys. These keys are applied at installation time and allow you to enforce policy and pre-populate user details.

For a full reference of all supported keys, their purpose, platform availability, and configuration examples, see App Configuration Keys Reference.

Platform Deployment Guides

Select your target platform to get started: