fix(tde-offboarding): Auth/PM-19165 - Handle TDE offboarding on an untrusted device with warning message (#15430)

When a user logs in via SSO after their org has offboarded from TDE, we now show them a helpful error message stating that they must either login on a Trusted device, or ask their admin to assign them a password. Feature flag: `PM16117_SetInitialPasswordRefactor`
2025-12-10 21:33:27 +00:00 · 2025-07-08 12:58:03 -04:00
parent 3da58e1752
commit b9f930a609
17 changed files with 257 additions and 41 deletions
--- a/libs/angular/src/auth/guards/auth.guard.spec.ts
+++ b/libs/angular/src/auth/guards/auth.guard.spec.ts
@@ -70,10 +70,10 @@ describe("AuthGuard", () => {
          { path: "lock", component: EmptyComponent },
          { path: "set-password", component: EmptyComponent },
          { path: "set-password-jit", component: EmptyComponent },
-          { path: "set-initial-password", component: EmptyComponent },
-          { path: "update-temp-password", component: EmptyComponent },
+          { path: "set-initial-password", component: EmptyComponent, canActivate: [authGuard] },
+          { path: "update-temp-password", component: EmptyComponent, canActivate: [authGuard] },
          { path: "change-password", component: EmptyComponent },
-          { path: "remove-password", component: EmptyComponent },
+          { path: "remove-password", component: EmptyComponent, canActivate: [authGuard] },
        ]),
      ],
      providers: [
@@ -124,6 +124,34 @@ describe("AuthGuard", () => {
    expect(router.url).toBe("/remove-password");
  });

+  describe("given user is Locked", () => {
+    describe("given the PM16117_SetInitialPasswordRefactor feature flag is ON", () => {
+      it("should redirect to /set-initial-password when the user has ForceSetPasswordReaason.TdeOffboardingUntrustedDevice", async () => {
+        const { router } = setup(
+          AuthenticationStatus.Locked,
+          ForceSetPasswordReason.TdeOffboardingUntrustedDevice,
+          false,
+          FeatureFlag.PM16117_SetInitialPasswordRefactor,
+        );
+
+        await router.navigate(["guarded-route"]);
+        expect(router.url).toBe("/set-initial-password");
+      });
+
+      it("should allow navigation to continue to /set-initial-password when the user has ForceSetPasswordReason.TdeOffboardingUntrustedDevice", async () => {
+        const { router } = setup(
+          AuthenticationStatus.Unlocked,
+          ForceSetPasswordReason.TdeOffboardingUntrustedDevice,
+          false,
+          FeatureFlag.PM16117_SetInitialPasswordRefactor,
+        );
+
+        await router.navigate(["/set-initial-password"]);
+        expect(router.url).toContain("/set-initial-password");
+      });
+    });
+  });
+
  describe("given user is Unlocked", () => {
    describe("given the PM16117_SetInitialPasswordRefactor feature flag is ON", () => {
      const tests = [
--- a/libs/angular/src/auth/guards/auth.guard.ts
+++ b/libs/angular/src/auth/guards/auth.guard.ts
@@ -61,9 +61,22 @@ export const authGuard: CanActivateFn = async (
    return router.createUrlTree(["/set-initial-password"]);
  }

+  // TDE Offboarding on untrusted device
  if (
    authStatus === AuthenticationStatus.Locked &&
-    forceSetPasswordReason !== ForceSetPasswordReason.SsoNewJitProvisionedUser
+    forceSetPasswordReason === ForceSetPasswordReason.TdeOffboardingUntrustedDevice &&
+    !routerState.url.includes("set-initial-password") &&
+    isSetInitialPasswordFlagOn
+  ) {
+    return router.createUrlTree(["/set-initial-password"]);
+  }
+
+  // We must add exemptions for the SsoNewJitProvisionedUser and TdeOffboardingUntrustedDevice scenarios as
+  // the "set-initial-password" route is guarded by the authGuard.
+  if (
+    authStatus === AuthenticationStatus.Locked &&
+    forceSetPasswordReason !== ForceSetPasswordReason.SsoNewJitProvisionedUser &&
+    forceSetPasswordReason !== ForceSetPasswordReason.TdeOffboardingUntrustedDevice
  ) {
    if (routerState != null) {
      messagingService.send("lockedUrl", { url: routerState.url });
@@ -91,7 +104,7 @@ export const authGuard: CanActivateFn = async (
    return router.createUrlTree([route]);
  }

-  // TDE Offboarding
+  // TDE Offboarding on trusted device
  if (
    forceSetPasswordReason === ForceSetPasswordReason.TdeOffboarding &&
    !routerState.url.includes("update-temp-password") &&
--- a/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.component.html
+++ b/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.component.html
@@ -7,28 +7,38 @@
    ></i>
  </div>
 } @else {
-  <bit-callout
-    *ngIf="resetPasswordAutoEnroll"
-    type="warning"
-    title="{{ 'resetPasswordPolicyAutoEnroll' | i18n }}"
-  >
-    {{ "resetPasswordAutoEnrollInviteWarning" | i18n }}
-  </bit-callout>
+  @if (userType === SetInitialPasswordUserType.OFFBOARDED_TDE_ORG_USER_UNTRUSTED_DEVICE) {
+    <div class="tw-mt-4"></div>
+    <bit-callout type="warning">
+      {{ "loginOnTrustedDeviceOrAskAdminToAssignPassword" | i18n }}
+    </bit-callout>
+    <button type="button" bitButton block buttonType="secondary" (click)="logout()">
+      {{ "logOut" | i18n }}
+    </button>
+  } @else {
+    <bit-callout
+      *ngIf="resetPasswordAutoEnroll"
+      type="warning"
+      title="{{ 'resetPasswordPolicyAutoEnroll' | i18n }}"
+    >
+      {{ "resetPasswordAutoEnrollInviteWarning" | i18n }}
+    </bit-callout>

-  <auth-input-password
-    [flow]="inputPasswordFlow"
-    [email]="email"
-    [userId]="userId"
-    [loading]="submitting"
-    [masterPasswordPolicyOptions]="masterPasswordPolicyOptions"
-    [primaryButtonText]="{
-      key:
-        userType === SetInitialPasswordUserType.OFFBOARDED_TDE_ORG_USER
-          ? 'setPassword'
-          : 'createAccount',
-    }"
-    [secondaryButtonText]="{ key: 'logOut' }"
-    (onPasswordFormSubmit)="handlePasswordFormSubmit($event)"
-    (onSecondaryButtonClick)="logout()"
-  ></auth-input-password>
+    <auth-input-password
+      [flow]="inputPasswordFlow"
+      [email]="email"
+      [userId]="userId"
+      [loading]="submitting"
+      [masterPasswordPolicyOptions]="masterPasswordPolicyOptions"
+      [primaryButtonText]="{
+        key:
+          userType === SetInitialPasswordUserType.OFFBOARDED_TDE_ORG_USER
+            ? 'setPassword'
+            : 'createAccount',
+      }"
+      [secondaryButtonText]="{ key: 'logOut' }"
+      (onPasswordFormSubmit)="handlePasswordFormSubmit($event)"
+      (onSecondaryButtonClick)="logout()"
+    ></auth-input-password>
+  }
 }
--- a/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.component.ts
+++ b/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.component.ts
@@ -1,6 +1,7 @@
 import { CommonModule } from "@angular/common";
 import { Component, OnInit } from "@angular/core";
 import { ActivatedRoute, Router } from "@angular/router";
+// import { NoAccess } from "libs/components/src/icon/icons";
 import { firstValueFrom } from "rxjs";

 // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
@@ -30,9 +31,11 @@ import { SyncService } from "@bitwarden/common/platform/sync";
 import { UserId } from "@bitwarden/common/types/guid";
 import {
  AnonLayoutWrapperDataService,
+  ButtonModule,
  CalloutComponent,
  DialogService,
  ToastService,
+  Icons,
 } from "@bitwarden/components";
 import { I18nPipe } from "@bitwarden/ui-common";

@@ -46,7 +49,7 @@ import {
@Component({
  standalone: true,
  templateUrl: "set-initial-password.component.html",
-  imports: [CalloutComponent, CommonModule, InputPasswordComponent, I18nPipe],
+  imports: [ButtonModule, CalloutComponent, CommonModule, InputPasswordComponent, I18nPipe],
 })
 export class SetInitialPasswordComponent implements OnInit {
  protected inputPasswordFlow = InputPasswordFlow.SetInitialPasswordAuthedUser;
@@ -106,6 +109,14 @@ export class SetInitialPasswordComponent implements OnInit {
      this.masterPasswordService.forceSetPasswordReason$(this.userId),
    );

+    if (this.forceSetPasswordReason === ForceSetPasswordReason.TdeOffboardingUntrustedDevice) {
+      this.userType = SetInitialPasswordUserType.OFFBOARDED_TDE_ORG_USER_UNTRUSTED_DEVICE;
+      this.anonLayoutWrapperDataService.setAnonLayoutWrapperData({
+        pageTitle: { key: "unableToCompleteLogin" },
+        pageIcon: Icons.NoAccess,
+      });
+    }
+
    if (this.forceSetPasswordReason === ForceSetPasswordReason.SsoNewJitProvisionedUser) {
      this.userType = SetInitialPasswordUserType.JIT_PROVISIONED_MP_ORG_USER;
      this.anonLayoutWrapperDataService.setAnonLayoutWrapperData({
--- a/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.service.abstraction.ts
+++ b/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.service.abstraction.ts
@@ -22,9 +22,15 @@ export const _SetInitialPasswordUserType = {

  /**
   * A user in an org that offboarded from trusted device encryption and is now a
-   * master-password-encryption org
+   * master-password-encryption org. User is on a trusted device.
   */
  OFFBOARDED_TDE_ORG_USER: "offboarded_tde_org_user",
+
+  /**
+   * A user in an org that offboarded from trusted device encryption and is now a
+   * master-password-encryption org. User is on an untrusted device.
+   */
+  OFFBOARDED_TDE_ORG_USER_UNTRUSTED_DEVICE: "offboarded_tde_org_user_untrusted_device",
 } as const;

 type _SetInitialPasswordUserType = typeof _SetInitialPasswordUserType;
--- a/libs/angular/src/services/jslib-services.module.ts
+++ b/libs/angular/src/services/jslib-services.module.ts
@@ -498,6 +498,7 @@ const safeProviders: SafeProvider[] = [
      VaultTimeoutSettingsService,
      KdfConfigService,
      TaskSchedulerService,
+      ConfigService,
    ],
  }),
  safeProvider({
--- a/libs/auth/src/common/login-strategies/login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/login.strategy.ts
@@ -265,8 +265,6 @@ export abstract class LoginStrategy {

    result.resetMasterPassword = response.resetMasterPassword;

-    await this.processForceSetPasswordReason(response.forcePasswordReset, userId);
-
    if (response.twoFactorToken != null) {
      // note: we can read email from access token b/c it was saved in saveAccountInformation
      const userEmail = await this.tokenService.getEmail();
@@ -278,6 +276,9 @@ export abstract class LoginStrategy {
    await this.setUserKey(response, userId);
    await this.setPrivateKey(response, userId);

+    // This needs to run after the keys are set because it checks for the existence of the encrypted private key
+    await this.processForceSetPasswordReason(response.forcePasswordReset, userId);
+
    this.messagingService.send("loggedIn");

    return result;
--- a/libs/auth/src/common/login-strategies/sso-login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/sso-login.strategy.spec.ts
@@ -5,10 +5,12 @@ import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { TokenService } from "@bitwarden/common/auth/abstractions/token.service";
 import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
 import { AdminAuthRequestStorable } from "@bitwarden/common/auth/models/domain/admin-auth-req-storable";
+import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
 import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth-request.response";
 import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
 import { IUserDecryptionOptionsServerResponse } from "@bitwarden/common/auth/models/response/user-decryption-options/user-decryption-options.response";
 import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions/account/billing-account-profile-state.service";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
 import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
 import { KeyConnectorService } from "@bitwarden/common/key-management/key-connector/abstractions/key-connector.service";
@@ -19,6 +21,7 @@ import {
 } from "@bitwarden/common/key-management/vault-timeout";
 import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -26,6 +29,7 @@ import { MessagingService } from "@bitwarden/common/platform/abstractions/messag
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
+import { EncryptedString } from "@bitwarden/common/platform/models/domain/enc-string";
 import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { FakeAccountService, mockAccountServiceWith } from "@bitwarden/common/spec";
 import { CsprngArray } from "@bitwarden/common/types/csprng";
@@ -66,6 +70,7 @@ describe("SsoLoginStrategy", () => {
  let vaultTimeoutSettingsService: MockProxy<VaultTimeoutSettingsService>;
  let kdfConfigService: MockProxy<KdfConfigService>;
  let environmentService: MockProxy<EnvironmentService>;
+  let configService: MockProxy<ConfigService>;

  let ssoLoginStrategy: SsoLoginStrategy;
  let credentials: SsoLoginCredentials;
@@ -102,6 +107,7 @@ describe("SsoLoginStrategy", () => {
    vaultTimeoutSettingsService = mock<VaultTimeoutSettingsService>();
    kdfConfigService = mock<KdfConfigService>();
    environmentService = mock<EnvironmentService>();
+    configService = mock<ConfigService>();

    tokenService.getTwoFactorToken.mockResolvedValue(null);
    appIdService.getAppId.mockResolvedValue(deviceId);
@@ -133,6 +139,7 @@ describe("SsoLoginStrategy", () => {
      deviceTrustService,
      authRequestService,
      i18nService,
+      configService,
      accountService,
      masterPasswordService,
      keyService,
@@ -203,6 +210,45 @@ describe("SsoLoginStrategy", () => {
    );
  });

+  describe("given the PM16117_SetInitialPasswordRefactor feature flag is ON", () => {
+    beforeEach(() => {
+      configService.getFeatureFlag.mockImplementation(async (flag) => {
+        if (flag === FeatureFlag.PM16117_SetInitialPasswordRefactor) {
+          return true;
+        }
+        return false;
+      });
+    });
+
+    describe("given the user does not have the `trustedDeviceOption`, does not have a master password, is not using key connector, does not have a user key, but they DO have a `userKeyEncryptedPrivateKey`", () => {
+      it("should set the forceSetPasswordReason to TdeOffboardingUntrustedDevice", async () => {
+        // Arrange
+        const mockUserDecryptionOptions: IUserDecryptionOptionsServerResponse = {
+          HasMasterPassword: false,
+          TrustedDeviceOption: null,
+          KeyConnectorOption: null,
+        };
+        const tokenResponse = identityTokenResponseFactory(null, mockUserDecryptionOptions);
+        apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+
+        keyService.userEncryptedPrivateKey$.mockReturnValue(
+          of("userKeyEncryptedPrivateKey" as EncryptedString),
+        );
+        keyService.hasUserKey.mockResolvedValue(false);
+
+        // Act
+        await ssoLoginStrategy.logIn(credentials);
+
+        // Assert
+        expect(masterPasswordService.mock.setForceSetPasswordReason).toHaveBeenCalledTimes(1);
+        expect(masterPasswordService.mock.setForceSetPasswordReason).toHaveBeenCalledWith(
+          ForceSetPasswordReason.TdeOffboardingUntrustedDevice,
+          userId,
+        );
+      });
+    });
+  });
+
  describe("Trusted Device Decryption", () => {
    const deviceKeyBytesLength = 64;
    const mockDeviceKeyRandomBytes = new Uint8Array(deviceKeyBytesLength).buffer as CsprngArray;
--- a/libs/auth/src/common/login-strategies/sso-login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/sso-login.strategy.ts
@@ -9,9 +9,11 @@ import { SsoTokenRequest } from "@bitwarden/common/auth/models/request/identity-
 import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth-request.response";
 import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
 import { HttpStatusCode } from "@bitwarden/common/enums";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
 import { KeyConnectorService } from "@bitwarden/common/key-management/key-connector/abstractions/key-connector.service";
 import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { UserId } from "@bitwarden/common/types/guid";

@@ -72,6 +74,7 @@ export class SsoLoginStrategy extends LoginStrategy {
    private deviceTrustService: DeviceTrustServiceAbstraction,
    private authRequestService: AuthRequestServiceAbstraction,
    private i18nService: I18nService,
+    private configService: ConfigService,
    ...sharedDeps: ConstructorParameters<typeof LoginStrategy>
  ) {
    super(...sharedDeps);
@@ -343,13 +346,38 @@ export class SsoLoginStrategy extends LoginStrategy {
    tokenResponse: IdentityTokenResponse,
    userId: UserId,
  ): Promise<void> {
-    const newSsoUser = tokenResponse.key == null;
+    const isSetInitialPasswordFlagOn = await this.configService.getFeatureFlag(
+      FeatureFlag.PM16117_SetInitialPasswordRefactor,
+    );

-    if (!newSsoUser) {
-      await this.keyService.setPrivateKey(
-        tokenResponse.privateKey ?? (await this.createKeyPairForOldAccount(userId)),
-        userId,
-      );
+    if (isSetInitialPasswordFlagOn) {
+      if (tokenResponse.hasMasterKeyEncryptedUserKey()) {
+        // User has masterKeyEncryptedUserKey, so set the userKeyEncryptedPrivateKey
+        // Note: new JIT provisioned SSO users will not yet have a user asymmetric key pair
+        // and so we don't want them falling into the createKeyPairForOldAccount flow
+        await this.keyService.setPrivateKey(
+          tokenResponse.privateKey ?? (await this.createKeyPairForOldAccount(userId)),
+          userId,
+        );
+      } else if (tokenResponse.privateKey) {
+        // User doesn't have masterKeyEncryptedUserKey but they do have a userKeyEncryptedPrivateKey
+        // This is just existing TDE users or a TDE offboarder on an untrusted device
+        await this.keyService.setPrivateKey(tokenResponse.privateKey, userId);
+      }
+      // else {
+      //    User could be new JIT provisioned SSO user in either a MP encryption org OR a TDE org.
+      //    In either case, the user doesn't yet have a user asymmetric key pair, a user key, or a master key + master key encrypted user key.
+      // }
+    } else {
+      // A user that does not yet have a masterKeyEncryptedUserKey set is a new SSO user
+      const newSsoUser = tokenResponse.key == null;
+
+      if (!newSsoUser) {
+        await this.keyService.setPrivateKey(
+          tokenResponse.privateKey ?? (await this.createKeyPairForOldAccount(userId)),
+          userId,
+        );
+      }
    }
  }

@@ -389,7 +417,7 @@ export class SsoLoginStrategy extends LoginStrategy {
      return false;
    }

-    // Check for TDE offboarding - user is being offboarded from TDE and needs to set a password
+    // Check for TDE offboarding - user is being offboarded from TDE and needs to set a password on a trusted device
    if (userDecryptionOptions.trustedDeviceOption?.isTdeOffboarding) {
      await this.masterPasswordService.setForceSetPasswordReason(
        ForceSetPasswordReason.TdeOffboarding,
@@ -398,6 +426,39 @@ export class SsoLoginStrategy extends LoginStrategy {
      return true;
    }

+    // If a TDE org user in an offboarding state logs in on an untrusted device, then they will receive their existing userKeyEncryptedPrivateKey from the server, but
+    // TDE would not have been able to decrypt their user key b/c we don't send down TDE as a valid decryption option, so the user key will be unavilable here for TDE org users on untrusted devices.
+    // - UserDecryptionOptions.trustedDeviceOption is undefined -- device isn't trusted.
+    // - UserDecryptionOptions.hasMasterPassword is false -- user doesn't have a master password.
+    // - UserDecryptionOptions.UsesKeyConnector is undefined. -- they aren't using key connector
+    // - UserKey is not set after successful login -- because automatic decryption is not available
+    // - userKeyEncryptedPrivateKey is set after successful login -- this is the key differentiator between a TDE org user logging into an untrusted device and MP encryption JIT provisioned user logging in for the first time.
+    const isSetInitialPasswordFlagOn = await this.configService.getFeatureFlag(
+      FeatureFlag.PM16117_SetInitialPasswordRefactor,
+    );
+
+    if (isSetInitialPasswordFlagOn) {
+      const hasUserKeyEncryptedPrivateKey = await firstValueFrom(
+        this.keyService.userEncryptedPrivateKey$(userId),
+      );
+      const hasUserKey = await this.keyService.hasUserKey(userId);
+
+      // TODO: PM-23491 we should explore consolidating this logic into a flag on the server. It could be set when an org is switched from TDE to MP encryption for each org user.
+      if (
+        !userDecryptionOptions.trustedDeviceOption &&
+        !userDecryptionOptions.hasMasterPassword &&
+        !userDecryptionOptions.keyConnectorOption?.keyConnectorUrl &&
+        hasUserKeyEncryptedPrivateKey &&
+        !hasUserKey
+      ) {
+        await this.masterPasswordService.setForceSetPasswordReason(
+          ForceSetPasswordReason.TdeOffboardingUntrustedDevice,
+          userId,
+        );
+        return true;
+      }
+    }
+
    // Check if user has permission to set password but hasn't yet
    if (
      !userDecryptionOptions.hasMasterPassword &&
--- a/libs/auth/src/common/services/login-strategies/login-strategy.service.spec.ts
+++ b/libs/auth/src/common/services/login-strategies/login-strategy.service.spec.ts
@@ -21,6 +21,7 @@ import {
  VaultTimeoutSettingsService,
 } from "@bitwarden/common/key-management/vault-timeout";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -75,6 +76,7 @@ describe("LoginStrategyService", () => {
  let vaultTimeoutSettingsService: MockProxy<VaultTimeoutSettingsService>;
  let kdfConfigService: MockProxy<KdfConfigService>;
  let taskSchedulerService: MockProxy<TaskSchedulerService>;
+  let configService: MockProxy<ConfigService>;

  let stateProvider: FakeGlobalStateProvider;
  let loginStrategyCacheExpirationState: FakeGlobalState<Date | null>;
@@ -107,6 +109,7 @@ describe("LoginStrategyService", () => {
    vaultTimeoutSettingsService = mock<VaultTimeoutSettingsService>();
    kdfConfigService = mock<KdfConfigService>();
    taskSchedulerService = mock<TaskSchedulerService>();
+    configService = mock<ConfigService>();

    sut = new LoginStrategyService(
      accountService,
@@ -134,6 +137,7 @@ describe("LoginStrategyService", () => {
      vaultTimeoutSettingsService,
      kdfConfigService,
      taskSchedulerService,
+      configService,
    );

    loginStrategyCacheExpirationState = stateProvider.getFake(CACHE_EXPIRATION_KEY);
--- a/libs/auth/src/common/services/login-strategies/login-strategy.service.ts
+++ b/libs/auth/src/common/services/login-strategies/login-strategy.service.ts
@@ -26,6 +26,7 @@ import { VaultTimeoutSettingsService } from "@bitwarden/common/key-management/va
 import { PreloginRequest } from "@bitwarden/common/models/request/prelogin.request";
 import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -131,6 +132,7 @@ export class LoginStrategyService implements LoginStrategyServiceAbstraction {
    protected vaultTimeoutSettingsService: VaultTimeoutSettingsService,
    protected kdfConfigService: KdfConfigService,
    protected taskSchedulerService: TaskSchedulerService,
+    protected configService: ConfigService,
  ) {
    this.currentAuthnTypeState = this.stateProvider.get(CURRENT_LOGIN_STRATEGY_KEY);
    this.loginStrategyCacheState = this.stateProvider.get(CACHE_KEY);
@@ -423,6 +425,7 @@ export class LoginStrategyService implements LoginStrategyServiceAbstraction {
              this.deviceTrustService,
              this.authRequestService,
              this.i18nService,
+              this.configService,
              ...sharedDeps,
            );
          case AuthenticationType.UserApiKey:
--- a/libs/common/src/auth/models/domain/force-set-password-reason.ts
+++ b/libs/common/src/auth/models/domain/force-set-password-reason.ts
@@ -37,6 +37,15 @@ export enum ForceSetPasswordReason {
   */
  TdeOffboarding,

+  /**
+   * Occurs when an org admin switches the org from trusted-device-encryption to master-password-encryption,
+   * which forces the org user to set an initial password. User must not already have a master password,
+   * and they must be on an untrusted device.
+   *
+   * Calculated on client based on server flags and user state.
+   */
+  TdeOffboardingUntrustedDevice,
+
  /*----------------------------
      Change Existing Password  
  -----------------------------*/
--- a/libs/common/src/auth/models/response/identity-token.response.ts
+++ b/libs/common/src/auth/models/response/identity-token.response.ts
@@ -17,8 +17,8 @@ export class IdentityTokenResponse extends BaseResponse {
  tokenType: string;

  resetMasterPassword: boolean;
-  privateKey: string;
-  key?: EncString;
+  privateKey: string; // userKeyEncryptedPrivateKey
+  key?: EncString; // masterKeyEncryptedUserKey
  twoFactorToken: string;
  kdf: KdfType;
  kdfIterations: number;
@@ -62,4 +62,8 @@ export class IdentityTokenResponse extends BaseResponse {
      );
    }
  }
+
+  hasMasterKeyEncryptedUserKey(): boolean {
+    return Boolean(this.key);
+  }
 }