Question

Device Pinning Behavior

  • March 11, 2026
  • 5 replies
  • 35 views

jorowi

I’m trying to figure out the ins and outs of device pinning. We currently allow unlimited pinned devices. This has led to a number of phantom devices still pinned to Box accounts.

  1. If we limit the number of allowed devices, does an admin need to remove an old pinned device in order for a user to connect a new one?
  2. Can we expire pinned devices after a specific time period or does that token remain active until the account is marked inactive or the device is removed?
  3. Will disabling device pinning enterprise-wide force all devices to reauthenticate?
  4. If we do not allow device pinning how often will users have to reauthenticate? Is this controlled by “Security » Session Duration for All Users”?

Side-quest: Is there a way to block Box Sync since it’s no longer supported?

5 replies

Jey Bueno Box
  • Community Manager
  • March 11, 2026

👋 Hi ​@jorowi, thanks for posting! I’m glad to assist.

 

  1. If we limit the number of allowed devices, does an admin need to remove an old pinned device in order for a user to connect a new one?
    • Yes, you’d need to remove (un-pin) it if you need to connect a new one.
  2. Can we expire pinned devices after a specific time period or does that token remain active until the account is marked inactive or the device is removed?
    • It's not really an auth token so it doesn’t expire. To pin the device, Box tracks the device ID, so it’s the device as a whole, not a token.
    • The association remains until an admin removes the pin or the user is automatically logged out due to an out-of-date OS or app version.

  3. Will disabling device pinning enterprise-wide force all devices to reauthenticate?
    • Disabling device pinning doesn’t force users to re-authenticate — it simply removes the limit on how many devices they can use to log in.
    • Device pinning itself doesn’t handle authentication. Authentication happens separately through login methods. Pinning only restricts the number of devices a user can authenticate on at one time.
    • When you disable pinning, users won’t need to re-enter credentials. They’ll just no longer be restricted in how many devices they can access their account from.
  4. If we do not allow device pinning how often will users have to reauthenticate? Is this controlled by “Security » Session Duration for All Users”?
    • You’re correct on session duration but with the caveat that Session duration settings apply only to the Box web application.
    • Any session duration limits set here do not apply to users accessing Box through any other Box endpoints (for example, Box mobile applications, Box desktop applications, Box Notes, etc.); we don't have a limitation on those durations.
  • Side-quest: Is there a way to block Box Sync since it’s no longer supported?
    • Right now, Box doesn’t actually have Sync available to download anywhere. But no, you can’t force block Sync as an admin at this time.

Jey Bueno Box
  • Community Manager
  • March 11, 2026

jorowi
  • Author
  • New Participant
  • March 12, 2026

Thank you for responding, Jey. This is very helpful.


jorowi
  • Author
  • New Participant
  • March 12, 2026

Does resetting the account password force the devices to log in again?


Jey Bueno Box
  • Community Manager
  • March 12, 2026

You’re most welcome!


It really depends on what you're referring to since there are a few ways to require a password reset. If you’re talking about the “perform a global password reset now” setting, then yes, that kicks everyone out, including admins, and will require them to change their password.


Most other settings would just happen upon the user’s next login. Also, while some password reset requirements block further access until the password is changed at the next login attempt, they do not always immediately terminate an active session. You may combine it with a “Forget App” action or device un-pinning, where the system logs the user out on specific device/s.