Version: Next

Device Approvals

Device approvals let organization admins control which devices can access the vault. When enabled, new devices are placed into a pending state until an admin explicitly approves them. This prevents unauthorized devices from syncing vault data, even if the user has valid credentials.

Enabling Device Approvals

  1. Navigate to Admin Console > Settings > Security.
  2. Toggle Require device approval for new devices to on.
  3. Click Save.

Once enabled, every new device that a member logs into will be held in a pending state. The member sees a "Device Pending Approval" screen and cannot access their vault until an admin acts.

Note: Devices that were already authenticated before you enable this setting are automatically marked as approved. Only new device registrations require approval.

Approval Workflow

New Device Registration

When a member signs in from an unrecognized device:

  1. The member completes authentication (email, master password, 2FA).
  2. SyVault registers the device fingerprint (OS, browser or app version, IP address).
  3. The device enters Pending status.
  4. The member sees a waiting screen with a device reference code.
  5. Admins receive a notification in the Admin Console and optionally via email.

Approving or Rejecting a Device

  1. Go to Admin Console > Devices > Pending.
  2. Review the device details: member email, device type, OS version, IP address, and timestamp.
  3. Click Approve to grant access or Reject to deny it.

Approved devices are moved to the active devices list. Rejected devices are logged and the member is notified that their device was not approved. The member can try again or contact their admin.

Revoking an Approved Device

If a device is lost or compromised:

  1. Go to Admin Console > Devices > Active.
  2. Find the device and click Revoke.
  3. The device's session is terminated immediately and the device must go through the approval process again to regain access.

How It Works with SSO

When SSO is configured, the device approval step occurs after SAML/OIDC authentication completes. The flow is:

  1. Member authenticates through the identity provider.
  2. SyVault validates the SAML assertion or OIDC token.
  3. If the device is unrecognized, it enters the pending approval queue.
  4. The member cannot decrypt their vault until the device is approved.

This means SSO alone is not sufficient to access vault data on a new device -- admin approval is still required.

Notifications

Admins can configure device approval notifications under Admin Console > Settings > Notifications:

  • Email: Receive an email for each pending device.
  • Slack/Webhook: Send pending device events to a webhook URL for integration with Slack, Microsoft Teams, or PagerDuty.

Best Practices

  • Enable device approvals for organizations with strict compliance requirements (SOC 2, HIPAA).
  • Combine with trusted networks to auto-approve devices on corporate networks while requiring approval for external access.
  • Review pending devices daily to avoid blocking members from working.
  • Use the compliance report device inventory to audit approved devices periodically.
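A triage sketch for the daily pending-device review, combining the trusted-network and review-daily practices above. This is an added example, not SyVault code: the record keys, the trusted range, and the 24-hour threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumption: corporate egress range (an RFC 5737 documentation block).
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
MAX_PENDING_AGE = timedelta(hours=24)  # mirrors the "review daily" practice

def triage(event, now):
    """Return review flags for one pending-device record (hypothetical keys)."""
    flags = []
    try:
        ip = ipaddress.ip_address(event.get("ip_address", ""))
        if not any(ip in net for net in TRUSTED_NETWORKS):
            flags.append("external-ip")
    except ValueError:
        flags.append("bad-ip")  # an unparseable address is never trusted
    try:
        requested = datetime.fromisoformat(event.get("timestamp", ""))
        if requested.tzinfo is None:  # assumption: naive timestamps are UTC
            requested = requested.replace(tzinfo=timezone.utc)
        if now - requested > MAX_PENDING_AGE:
            flags.append("stale")
    except (TypeError, ValueError):
        flags.append("bad-timestamp")
    return flags

def review_queue(events, now):
    """Order pending devices so the most-flagged ones are reviewed first."""
    rows = [(e.get("reference_code", "?"), triage(e, now)) for e in events]
    return sorted(rows, key=lambda row: len(row[1]), reverse=True)

# Constructed sample records using the details an admin reviews in the console.
SAMPLE = [
    {"reference_code": "A1", "member_email": "ana@example.com",
     "device_type": "browser", "os_version": "macOS 14",
     "ip_address": "198.51.100.23", "timestamp": "2024-05-02T09:00:00+00:00"},
    {"reference_code": "B2", "member_email": "raj@example.com",
     "device_type": "mobile app", "os_version": "Android 14",
     "ip_address": "203.0.113.77", "timestamp": "2024-05-01T08:00:00+00:00"},
    {"reference_code": "C3", "member_email": "li@example.com",
     "device_type": "desktop app", "os_version": "Windows 11",
     "ip_address": "not-an-ip", "timestamp": "2024-05-02T11:00:00+00:00"},
]

if __name__ == "__main__":
    now = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
    for ref, flags in review_queue(SAMPLE, now):
        print(ref, ", ".join(flags) or "ok")
```

The flags only order the review queue; approving or rejecting each device remains an admin action in the console.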