Well, the whitelisting should not be for your IP address but for the IP addresses of your clients.
A short explanation:
- your server has the IP 90.90.90.90 for example
- client A has IP 10.10.10.10
- client B has IP 20.20.20.20
Now client A tries to log in and enters the wrong password about 5 times within 30 seconds, and therefore the IP address 10.10.10.10 is written to the DB table oc_bruteforce_attempts. So with the 5th login attempt he receives an error message stating that throttling is enabled for him, meaning that he has to wait several seconds before he can enter his login credentials again (default 30s I believe). In case he still has the same IP address 10.10.10.10 the next day, when he connects to your server he again has to wait 30s before he can even enter his login credentials for the very first time that day.
For client B, on the other hand, everything is still fine; he can instantly enter his credentials when visiting your server.
As soon as you remove the IP 10.10.10.10 from the DB or add it to the whitelist, the throttling will stop for client A. However, as soon as he restarts his router, his IP will change and in case he enters the wrong credentials too often again, the brute force detection will add the new (not whitelisted) IP to the DB table as well and activate throttling for him again. Therefore the whole network would have to be whitelisted - which is kind of a security flaw.
So he had better fix his sync clients (files, calendar, contacts) to use the correct credentials, you remove his IP from the DB table, and everything should be fine again.
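
Added example, not part of the original post and not Nextcloud's own code: a simplified Python model of the per-IP throttling described above, showing why whitelisting one address stops working after an IP change and what whitelisting a whole range exempts. The threshold of 5 and the 30 s delay come from the post; the `Throttle` class, the address 10.10.11.7 and the 10.10.0.0/16 range are constructed for illustration.

```python
import ipaddress

MAX_ATTEMPTS = 5     # from the post: about 5 wrong passwords
DELAY_SECONDS = 30   # from the post: "default 30s I believe"

class Throttle:
    """Simplified per-IP throttle; not Nextcloud's implementation."""

    def __init__(self):
        self.whitelist = []   # exempted networks
        self.attempts = {}    # stands in for the oc_bruteforce_attempts table

    def allow(self, cidr):
        self.whitelist.append(ipaddress.ip_network(cidr))

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def record_failure(self, ip):
        if not self.is_whitelisted(ip):
            self.attempts[ip] = self.attempts.get(ip, 0) + 1

    def delay_for(self, ip):
        if self.is_whitelisted(ip):
            return 0
        return DELAY_SECONDS if self.attempts.get(ip, 0) >= MAX_ATTEMPTS else 0

def fail(t, ip, n=MAX_ATTEMPTS):
    for _ in range(n):
        t.record_failure(ip)

def scenario():
    t, out = Throttle(), {}
    fail(t, "10.10.10.10")                      # client A, wrong password 5 times
    out["A"] = t.delay_for("10.10.10.10")       # throttled
    out["B"] = t.delay_for("20.20.20.20")       # client B is unaffected
    t.allow("10.10.10.10/32")                   # whitelist A's current IP only
    out["A_whitelisted"] = t.delay_for("10.10.10.10")
    fail(t, "10.10.11.7")                       # constructed: A's IP after a router restart
    out["A_new_ip"] = t.delay_for("10.10.11.7") # throttled again
    t.allow("10.10.0.0/16")                     # constructed: whitelist the whole network
    fail(t, "10.10.200.1", 1000)                # any other host in that range
    out["other_host_in_range"] = t.delay_for("10.10.200.1")  # never throttled
    return out

if __name__ == "__main__":
    print(scenario())
```

The last value is the trade-off the post calls a security flaw: once the range is whitelisted, no host inside it is ever slowed down, no matter how many wrong passwords it sends.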