Users can download and decrypt files from both desktop and mobile devices. Secure Cloud Access provides persistent data protection for each device. However, because of the increasing use of client devices, and the increased exposure to the data stored on them, administrators might want to keep track of information about the devices themselves -- what types are being used, and the locations at which they are being used. This information can provide an added measure of protection through a quick and convenient reference to devices being used to decrypt and view files. Administrators can keep track of the users and locations of client devices, and block access to any devices that could cause a security risk to any data downloaded to them - for example, devices that are lost, stolen, or in the hands of unauthorized users.

Each device registered as a Lookout client device has a profile of either managed (users can download encrypted data to the device) or unmanaged (users must provide authentication before they can download encrypted data to the device).

Administrators can also put each device in a blocked or allowed state. If monitoring reports reveal anomalies, numerous policy violations, or other risks with downloads using a device -- or if a device has been reported lost or stolen -- the administrator can change the status of that device from allowed to blocked. Users cannot decrypt files on a blocked device.

When a client device is used for the first time, the user must provide authentication credentials to register the device. Once registered, the device is assigned the default profile (either managed or unmanaged). If the key cache expiration value is set to zero, the user must provide authentication credentials each time they want to decrypt data on the device.

Administrators can set a default profile or status for all devices when they are registered.