
KB013: Configure Access Device Approval Revocation

Last Updated: July 22, 2025

Applies To: HySecure Gateway 7.1 Service Pack 1 and above

Category: Device Management & Security

Overview

This guide explains how to configure automatic revocation of access device approvals based on an inactivity period. This feature automatically revokes access for manually approved devices that haven't been used for a specified number of days, marking them as "pending for approval" and requiring manual re-approval for continued access.

Prerequisites

  • HySecure Gateway 7.1 Service Pack 1 or higher.
  • Security Officer or Administrator access to the HySecure management console.
  • Device ID Access Control policies are configured with manual approval.
  • Understanding of organizational device lifecycle policies.

Step 1: Access Device ID Access Control

  1. Log in to the HySecure Management Console

    • Log in as Security Officer or Administrator.

    • Navigate to Policies > ACL.

  2. Select Device ID Policy

    • Locate the existing Device ID Access Control policy.

    • Click Edit to modify the existing policy or click Create to create a new policy.

    • Ensure the policy is configured for manual approval.

Step 2: Configure Revocation Settings

  1. Locate Revocation Configuration

    • Scroll to find the Revoke Device After setting in the ACL policy.
  2. Set Revocation Period

    • Field: "Revoke device after [X] days".

    • Value: Enter the number of days of inactivity after which a device's approval is revoked.

    • Example: Setting to 30 days revokes devices that have not been used for 30 days or more.

  3. Save Configuration

    • Click Submit to save ACL policy changes.

    • Verify that the configuration is applied successfully.

Revocation Process Flow

Automatic Revocation workflow

In the automatic workflow, the system tracks the last login time for each manually approved device, starting from the approval date, and updates it with each successful authentication. There are no daily checks; revocation occurs only during login attempts. A device is revoked when it attempts to log in after exceeding the inactivity period, and its status changes to Pending for Approval. The user is denied access with an error message, and manual re-approval is required for future access. Administrators are notified of revoked devices, and revocation events are logged in activity logs.

Manual re-approval process

The manual re-approval process starts when users contact administrators to re-approve their devices. The administrator receives an email alert for the revoked device approval at the time of the user's login. Administrators verify the user's identity and the device's legitimacy, then change the device status from Pending to Approved under Devices > Access Devices.

Use the User ID filter to find devices with a Pending for Approval status for that user. Select the device and click Enable to grant access. The device is then immediately available for user login.

Monitoring and Verification

Tracking Revocation Activities

Log Information Includes:

  • Device revocation events with timestamps.

  • User and device identification details.

  • Revocation reason (inactivity period exceeded).

Accessing Revocation Logs:

  1. Navigate to Reports > Logs > Activity Logs.

  2. Filter logs by using the keyword revoked.

  3. Review revocation patterns and frequencies.

  4. Monitor for unusual revocation activities.

Compliance and Audit

Audit Trail:

  • Complete device approval and revocation history.

  • Timestamps for all device lifecycle events.

  • Administrator actions for device management.

  • User access patterns and device usage.

Compliance Support:

  • Automated device lifecycle management.

  • Regular device access validation.

  • Policy-based device access controls.

Diagnostic Steps

Verify Policy Configuration:

  1. Check that the ACL policy has a revocation period set.

  2. Confirm the policy applies to the correct users/groups.

  3. Verify the policy is enabled and active.

  4. Test with a specific user account.

Check Device Status:

  1. Navigate to Devices > Access Devices.

  2. Locate the specific device in question.

  3. Review device approval status.

  4. Check the last login time.

Monitor Revocation Process:

  1. Check Admin logs for revocation events.
  2. Review revocation criteria matching.

Note

  • Only applies to manually approved devices.
  • Automatic approval and MDM-approved devices are unaffected.
  • Blocked devices remain blocked regardless of revocation settings.
  • Regular monitoring is recommended to optimize revocation periods.
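
As an added illustration (not Accops code), the following Python model reproduces the login-time check described under Automatic Revocation workflow together with the scope rules in the Note, and lists devices that still show as Approved but would be revoked at their next login. The Device fields, approval-type labels, function names and sample inventory are constructed for the example, and the comparison assumes the inactivity period is measured from the stored last login timestamp.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Device:
    device_id: str
    approval: str         # hypothetical labels: "manual", "automatic", "mdm"
    status: str           # "Approved", "Pending for Approval" or "Blocked"
    last_login: datetime  # starts at the approval date, updated on each successful login

def on_login(dev, now, revoke_after_days):
    """Model of the check made at a login attempt; True means access is allowed."""
    if dev.status != "Approved":
        return False  # blocked and pending devices stay denied
    if dev.approval == "manual" and now - dev.last_login >= timedelta(days=revoke_after_days):
        dev.status = "Pending for Approval"  # revoked here, not by a daily job
        return False
    dev.last_login = now  # successful authentication restarts the inactivity clock
    return True

def stale_but_approved(devices, now, revoke_after_days):
    """Devices still listed as Approved that would be revoked on their next login."""
    limit = timedelta(days=revoke_after_days)
    return [d.device_id for d in devices
            if d.status == "Approved" and d.approval == "manual"
            and now - d.last_login >= limit]

def demo():
    now = datetime(2025, 7, 22)  # constructed sample inventory
    devs = [
        Device("laptop-a", "manual", "Approved", now - timedelta(days=30)),
        Device("laptop-b", "manual", "Approved", now - timedelta(days=29)),
        Device("tablet-c", "mdm", "Approved", now - timedelta(days=200)),
        Device("kiosk-d", "manual", "Blocked", now - timedelta(days=5)),
    ]
    audit = stale_but_approved(devs, now, 30)  # computed before any login attempt
    results = {d.device_id: on_login(d, now, 30) for d in devs}
    return audit, results, {d.device_id: d.status for d in devs}

if __name__ == "__main__":
    print(demo())
```

Because revocation happens only at a login attempt, the audit list shows how many approvals in the console are already past the configured period even though their status has not changed yet.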

Contact Support: support@accops.com for configuration assistance.