VIP Policy Configuration

You can view and configure the account policy for Remembered Devices. This policy helps you to determine whether a user has attempted to authenticate from either an unregistered device or a device with inconsistent characteristics.

Remembered Devices employ device identification through means such as a browser plug-in or JavaScript-based device fingerprinting.

Trusted Device is a plug-in that installs a security certificate, associating the device with a unique ID. That ID becomes the assigned credential for the user’s device.

Device Fingerprint evaluates attributes such as the operating system, screen size and resolution, browser, language, and time zone for a specific device.



This policy allows you to:

Allow your users to register devices to be remembered, and select the types of devices that they can remember.

Set when a device fingerprint expires. Expiring the device fingerprint forces users to re-authenticate and prove continued possession of the device over time. The user can always choose to remember the device again, after authentication.

For Device Fingerprint expiration, set two expiration periods:

  • Specify the number of days before expiration. Select from 30 days to 730 days (365 days is the default).

  • Set the number of days before the device fingerprint expires if users do not use their device to successfully authenticate themselves. Select from 15 days to 365 days (90 days is the default).

The device fingerprint expires when either of these conditions is met.

Set whether to delete devices for a user. If you enable this setting, VIP runs a scheduled job nightly to automatically unbind devices from users and delete the devices for any device fingerprints that expired that day.

Set whether the Trusted Device plug-in is automatically upgraded to the latest version. Users on supported platforms automatically receive the latest version of the plug-in the next time they sign in.

Once you have initiated the auto-upgrade, the new version of the Trusted Device credential immediately begins to roll out to all of your Trusted Device credential users. Users on supported platforms begin receiving the new credentials the next time that they sign in. Downgrading to an earlier version of Registered Computer requires manual intervention by the user and the VIP administrator. As a result, Symantec recommends that you do not attempt to return your users to the previous version.

See Downgrading Trusted Devices

Set the maximum number of devices your users can register. Users can register from 1 to 20 devices.

Set how Trusted Device registrations are deleted for a user, when the user attempts to register more than the maximum allowed:

  • Auto: Automatically delete the least-recently used Trusted Device registration when the user registers another device. Users and administrators can manually delete Trusted Device registrations at any time.

  • Admin Only: Only the VIP administrator can delete a Trusted Device registration. The user will not be able to delete any Trusted Device registrations without administrator intervention.

Note: Trusted Device registrations do not expire. If users want to delete a remembered device registration, they can remove the registration manually in the VIP Self Service Portal.

Administrators can delete the registration in VIP Manager.



If you enable Remembered Devices, you also need to generate the VIP integration code for JavaScript so that you can include the VIP JavaScript library in your application's sign-in page:

Enter the externally accessible domain name(s) for your web applications in the provided field. For example, if your sign-in page URL is https://vpn.example.com, enter example.com.

Select VIP Integration Code for Javascript.



To set the policy for Remembered Devices for your VIP account:

Select Policies in the navigation bar at the top of the page.

Select the "Account" tab.

Select the Edit link to configure the Remembered Device policy settings.



You can also customize the Remembered Device policy at the user group level. Settings at the user group level overwrite the account policy settings for members of that user group.

The Remembered Device policy defined at the group level always overwrites the account policy. If a user belongs to more than one group with different Remembered Device policies, the user is assigned the stricter policy under the following rules:

  • The user can authenticate using a trusted device if the Enable Trusted Device policy is set to Yes in at least one of the applicable policies.

  • The user’s trusted device will not be automatically upgraded if the Auto-Upgrade Trusted Device policy is set to No in any of the applicable policies.

  • The user can authenticate using a device fingerprint if the Enable Device Fingerprint policy is set to Yes in at least one of the applicable policies. The expiry time is set to the smaller period and the smaller number of unsuccessful authentications present in all applicable policies.

  • The maximum number of registered devices a user can use to authenticate is set to the smaller of the numbers present in all applicable policies.

  • The user is assigned the stricter Registered Device Deletion policy, in the order Admin only > Auto.
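
The group-combination rules above, together with the two device fingerprint expiration periods described earlier, worked through as an added Python example (not Symantec code and not a VIP API). The class and field names are hypothetical, the "smaller number of unsuccessful authentications" is read as the shorter inactivity period, and a period is assumed to have elapsed once its full number of days has passed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class RememberedDevicePolicy:
    # Hypothetical field names mirroring the settings described on this page.
    trusted_device: bool
    auto_upgrade: bool
    device_fingerprint: bool
    max_devices: int            # 1-20
    deletion: str               # "Auto" or "Admin Only"
    fp_max_days: int = 365      # 30-730, page default 365
    fp_idle_days: int = 90      # 15-365, page default 90

    def __post_init__(self):
        if not 1 <= self.max_devices <= 20:
            raise ValueError("max_devices must be 1-20")
        if not 30 <= self.fp_max_days <= 730:
            raise ValueError("fp_max_days must be 30-730")
        if not 15 <= self.fp_idle_days <= 365:
            raise ValueError("fp_idle_days must be 15-365")
        if self.deletion not in ("Auto", "Admin Only"):
            raise ValueError("deletion must be 'Auto' or 'Admin Only'")

def effective_policy(account, group_policies):
    """Group policies replace the account policy; several groups are combined."""
    ps = list(group_policies)
    if not ps:
        return account
    return RememberedDevicePolicy(
        trusted_device=any(p.trusted_device for p in ps),
        auto_upgrade=all(p.auto_upgrade for p in ps),   # a single "No" disables it
        device_fingerprint=any(p.device_fingerprint for p in ps),
        max_devices=min(p.max_devices for p in ps),
        deletion="Admin Only" if any(p.deletion == "Admin Only" for p in ps) else "Auto",
        fp_max_days=min(p.fp_max_days for p in ps),
        fp_idle_days=min(p.fp_idle_days for p in ps),   # assumed reading, see lead-in
    )

def fingerprint_expired(policy, registered, last_success, today):
    """Expired when either period has elapsed (>= is an assumed boundary)."""
    return ((today - registered).days >= policy.fp_max_days
            or (today - last_success).days >= policy.fp_idle_days)

# Constructed sample: one user who belongs to two groups with different policies.
ACCOUNT = RememberedDevicePolicy(True, True, True, 5, "Auto")
VPN = RememberedDevicePolicy(False, True, True, 3, "Admin Only", 180, 30)
STAFF = RememberedDevicePolicy(True, False, False, 10, "Auto", 365, 15)
EFFECTIVE = effective_policy(ACCOUNT, [VPN, STAFF])
print(EFFECTIVE)
print(fingerprint_expired(EFFECTIVE, date(2024, 1, 1), date(2024, 1, 10), date(2024, 1, 25)))
```

Comparing the printed effective policy with each group's settings before assigning a user to an additional group shows which limits tighten and which features stay enabled.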

See Editing the User Group Policies