Managing Registered Devices and renew tokens in the Admin UI

The Registered Devices page (Usage > Registered Devices) lists all registered devices and allows users to remove a device from the system. The most recently seen devices are listed first. By default, registered devices are purged 90 days after they were last seen by the Collective. This can be changed in Global Settings.

Background information

See the following to learn more about registered devices:

Learn about device trust in the Multi-stage authorization section.
Learn how to configure the on-boarding of new devices in the Identity Provider Configuration section.
Learn about the Client on-boarding cookie in the Device Registration section.
Learn about changing Entitlements in the Disable, change or remove access section.
Learn about token renewal and the denylist in the System Operation Token Flow section.

Actions

It is possible to use bulk actions on the Registered Devices page to perform Claims (and AdminClaims), Administrator, and Entitlement token renewals. A confirmation dialogue will be shown were you can enter the reason for the renewal. When this is used, the rate of token renewal is limited to 6.66/sec, so for 1,200 users it might take three minutes to occur.

Action Buttons

Action buttons are accessed by clicking the three dots icon ( Three circular shapes stacked vertically on a dark background, selected to access a menu. ) to the right of each line item in the page or from the <Actions> button within the item. They are contextual, changing depending on the type of item and the state of the item. The Action button in the Registered Devices page displays the following options:

Renew Tokens. Use this option to refresh tokens for this device, such as when you implement changes to a user's Entitlements. Even though this may force an immediate change in the user's Entitlements or Claims, token renewal will be transparent to the user. A confirmation dialogue will include the reason for the renewal.
Remove. Deletes the record of the device from the Controller. The next time the user signs in using that device, it will be treated as a new device. Depending on how on-boarding has been configured in the user's identity provider, the Controller will prevent the device from being used altogether or use the on-boarding cookie verification process before allowing the device to connect. Removing a device will revoke the user's tokens so all the current user's sessions on that device will be terminated.
Add User to Denylist. Removes access from all devices for this user by revoking all related tokens and prevents them from signing in again. If a user has been added to the denylist accidentally, it is possible to restore the user's status from the Denylist form.