Configure inactive session suspension

Configure inactive session suspension

When you log in to a device or an account, you're authenticating your access. This creates what's called a "session," which refers to your current use of the device or account. For example, if you log in to your bank's website, you create a session with that website. Your activity is contained within the session, and the session is terminated when you log out or disconnect from the website.

In the event that you don't manually terminate the session, but aren't using it anymore, there needs to be a way to terminate the session automatically to prevent others from using it in your absence. Otherwise, someone could use your session to gain access to your files and perform actions, and the device or account would think you're responsible for them because you're still logged in.

In general, you should configure your devices to automatically lock themselves after a period of inactivity. This will help protect them if you have to walk away from them for a while.

Requirements

Faculty and staff are required to configure session suspension on any computers or mobile devices either owned by the University or used to process University information as part of their job responsibilities. This requirement can be automated through the University's computer management service.

  • Require a strong password or passcode to log in to your device whenever you start or resume use.
  • Configure computers to automatically suspend an authenticated session after 15 minutes of inactivity. The session must only resume after reauthentication.
  • Configure mobile devices to automatically suspend an authenticated session after 5 minutes of inactivity. The session must only resume after reauthentication.
  • Use the University's computer management service to manage computer session suspension and other security-related processes.

General guidelines

  • Configure your computers and mobile devices to automatically suspend an authenticated session after a period of inactivity. The settings should require you to reauthenticate (re-enter your password) to resume use.
  • Lock your devices with strong passwords or passcodes.
  • If you need to walk away from your computer for more than a couple of minutes, lock your computer so nobody else can use it while you're away.
  • Make sure your device is physically secure before you walk away from it.