Configuring expire session login policy

Administrator can configure expire session login policy to force the user to re-authenticate a session after a certain period of inactivity.

1. Navigate to Protect > Policies page.
2. On the Login Policy tile, click the Add Action drop-down and then select the Expire Session action.
   
   
   

   A default policy gets created for the Multi-Factor Authentication Login.

   
   
   

   You can either Save the policy or you can edit the default policy variables.

3. To specify which Groups the action applies to:
   Groups can be locally defined groups, security groups and OUs pulled from active directory.

   Note: By default, Any is selected which means policy is applicable to all groups.

   Available options are:

   • Any
   • Selected
   1. Click the Any value to open the Select Groups dialog box.
   2. To limit the policy to selected groups, click Selected option.
      
      
      
   3. To add a group, click the green plus icon and then select the group from the drop-down you wish the action to apply to.
      You can add as many groups as needed for the policy.
   4. Select the Negate checkbox to apply policy line to every group except the group you selected.
   5. To save the selected group(s), click Ok.
4. To specify which Device the action applies to:
   Note: By default, Any is selected which means policy is applicable to all devices including unmanaged devices.

   Available options are:

   • Any
   • OS & User-Agent
   • Device Profile
   If you want to select common operating systems and/or User-Agent Strings:
   1. Click the Any value to open the Device dialog box.
   2. Select OS & User-Agent option.
   3. Select the applicable operating systems.
      
      
      Available options are Apple iOS, Apple Mac OS X, Google Android, Google Chrome OS, Microsoft Windows Phone, Microsoft Windows PC and Other OS.
   4. To limit the policy to matches of selected operating systems along with any user-agent strings, click the green plus icon and then enter the string(s).
      You can add as many user-agent strings as needed for the policy.
   5. Select the Negate checkbox to apply policy line to every device except the device you selected.
   6. To save the selected device(s), click Ok.
   If you want to select device profile:
   1. Click the Any value to open the Device dialog box.
   2. To limit the policy to selected device profiles, click Device Profile option.
      
      
      
   3. To add a device profile, click the green plus icon and then select the device profile from the drop-down you wish the action to apply to.
      You can add as many device profiles as needed for the policy.
   4. Select the Negate checkbox to apply policy line to every device profile except the device profile you selected.
   5. To save the selected device profile(s), click Ok.
5. Apply specific actions when a user is accessing from certain Location:
   Available options are:
   • Any
   • Selected
   1. Click the Any value to open the Select Locations dialog box.
   2. To apply specific actions when a user is accessing from certain locations, click Selected option.
      
      
      

      You can restrict or block users entirely from unsafe or untrusted locations and restrict or control where a user is accessing the cloud application from (either geographic location or IP).

   3. To select a location, click the green plus icon and then select the location from the drop-down you wish the action to apply to.
      You can add as many locations as needed for the policy.
   4. Select the Negate checkbox to apply policy line to every location except the location you selected.
   5. To save the selected location(s), click Ok.
6. Select a Trigger when a session will expire.
   Available options are:
   • Inactivity timeout
   • Time range
   To automatically expire a user's session whenever they are inactive in an application for the specified amount of time:
   1. Click on the default trigger to open Trigger dialog box.
   2. Select the Inactivity timeout option and then enter the duration in minutes (max 2 weeks) after when session should be expire.
      
      
      
   3. To save selected details, click OK.
   To automatically expire a user session once they meet the time range criteria (expiring a session once they are outside of the work hour range):
   1. Click on the default trigger to open Trigger dialog box.
   2. Select the Time range option to view approved range.
      
      
      
   3. Select the Start time.
   4. Select the End time.
   5. Select the applicable Day(s).
      Available options are Sun, Mon, Tue, Wed, Thu, Fri and Sat.
   6. To save selected details, click OK.
7. Click the default action to open Action dialog box.
   
   
   
   1. To notify about the expire session to user, select the appropriate User Email.
   2. To notify about the expire session to group, select the appropriate Group Email.
   3. To generate a Forcepoint alert, select the Generate Alert checkbox.
      Admin can view Forcepoint alerts from Analyze > Alerts page.
   4. To save selected details, click OK.
8. To save the updated policy, click Save.