VIP Policy Configuration

You can view and configure the account policy for Remembered Devices. This policy helps you to determine whether a user has attempted to authenticate from either an unregistered device or a device with inconsistent characteristics.

Remembered Devices employ device identification through means such as a browser plug-in or JavaScript-based device fingerprinting. Device Fingerprint evaluates attributes such as the operating system, screen size and resolution, browser, language, and time zone for a specific device.

This policy allows you to:

Allow your users to register devices to be remembered, and select the types of devices that they can remember.

Set when a device fingerprint expires. Expiring the device fingerprint forces users to re-authenticate and prove continued possession of the device over time. The user can always choose to remember the device again, after authentication.

For Device Fingerprint expiration, set two expiration periods:

  • Specify the number of days before expiration. Select from 30 days to 730 days (365 days is the default).

  • Set the number of days before the device fingerprint expires if users do not use their device to successfully authenticate themselves. Select from 15 days to 365 days (90 days is the default).

The device fingerprint expires when either of these conditions is met.

Set whether to delete devices for a user. If you enable this setting, VIP runs a scheduled job nightly to automatically unbind devices from users and delete the devices for any device fingerprints that expired that day.

Set the maximum number of devices your users can register. Users can register from 1 to 20 devices.



If you enable Remembered Devices, you must also generate the VIP integration code for JavaScript so that you can include the VIP JavaScript library in your application's sign-in page:

Enter the externally accessible domain name(s) of your web applications in the provided field. (For example, if your sign-in page URL is https://vpn.example.com, you would enter example.com.)

Select VIP Integration Code for Javascript.



To set the policy for Remembered Devices for your VIP account:

Select Policies in the navigation bar at the top of the page.

Select the "Account" tab.

Select the Edit link to configure the Remembered Device policy settings.



You can also customize the Remembered Device policy at the user group level. Settings at the user group level overwrite the account policy settings for members of that user group.

The Remembered Device policy defined at the group level always overwrites the account policy. If a user belongs to more than one group with different Remembered Device policies, the user is assigned the stricter policy under the following rules:

  • The user can authenticate using a device fingerprint if the Enable Device Fingerprint policy is set to Yes in at least one of the applicable policies.

  • The expiry time is set to the smaller period and the smaller number of unsuccessful authentications present in all applicable policies.

  • The maximum number of registered devices a user can use to authenticate is set to the smaller of the numbers present in all applicable policies.

  • The user is assigned the stricter Registered Device Deletion policy, in the order Admin only > Auto.
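
The merge rules above, together with the two expiration periods described earlier, worked through as an added example (this is not VIP code or a VIP API). The class and function names are hypothetical; the code assumes both expiration periods take the smallest value across the user's groups and that a period counts as elapsed on the day it is reached.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Stricter deletion mode ranks higher (page order: Admin only > Auto).
DELETION_RANK = {"Auto": 0, "Admin only": 1}

@dataclass(frozen=True)
class RememberedDevicePolicy:  # hypothetical model, not a VIP type
    fingerprint_enabled: bool
    max_devices: int           # 1 to 20
    deletion: str              # "Auto" or "Admin only"
    expire_days: int = 365     # 30 to 730 days, default 365
    inactive_days: int = 90    # 15 to 365 days, default 90

    def __post_init__(self):
        in_range = (30 <= self.expire_days <= 730
                    and 15 <= self.inactive_days <= 365
                    and 1 <= self.max_devices <= 20
                    and self.deletion in DELETION_RANK)
        if not in_range:
            raise ValueError("setting outside the range the policy allows")

def effective_policy(account, group_policies):
    """Group policies replace the account policy; several groups merge
    to the stricter value of each setting."""
    if not group_policies:
        return account
    return RememberedDevicePolicy(
        fingerprint_enabled=any(p.fingerprint_enabled for p in group_policies),
        max_devices=min(p.max_devices for p in group_policies),
        deletion=max((p.deletion for p in group_policies), key=DELETION_RANK.get),
        expire_days=min(p.expire_days for p in group_policies),
        inactive_days=min(p.inactive_days for p in group_policies),
    )

def fingerprint_expired(policy, registered, last_success, today):
    """Expired when either period has elapsed: age since registration,
    or time since the last successful authentication (assumed boundary: >=)."""
    return (today - registered >= timedelta(days=policy.expire_days)
            or today - last_success >= timedelta(days=policy.inactive_days))
```

Running this over an export of group memberships shows which users end up with a shorter expiry or lower device cap than any single group's policy suggests.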

See Editing the User Group Policies