Google Workspace Session Timeout - Control session timeout in Google Workspace

  • Let me guess, you are here because you are concerned about default Google Workspace session timeout of 14 days, and want to rather control it being a Google Workspace Administrator.
  • Congratulations, Google just rolled it out and now allows you to control session timeout in Google Workspace, watch the video to see how it works.

01. Understanding Session

  • When we login to gmail or other Google Workspace service, there is a relationship created between your browser and Google server.
  • But there might be thousands of users communicating with Google servers at the same time, so how would Google server uniquely identifies us?
  • It places a cookie in our browser, which is then referenced to uniquely identify us to maintain thesession
Session

02. Default Session
Length in Google Workspace

  • By default, Google Workspace automatic session timeout for end users is 14 days , and businesses have been requesting Google to provide control on session length.
  • Google finally launched this feature which allows Google Workspace Admins to control Google Apps Session Timeout .
G-Suite-Default-Session-Times

03. Configure Session Timeout

  • As now we have understanding of what session is, and we also know about Google Workspace's default session, let us configure it.​
  • As this is admin level setting, we will first need to first login toGoogle Workspace Admin Console
Admin console

04. Access Security Settings

  • Once you are in Admin console, click on the "Security" icon to go for security settings.
  • You can also search for security in the top search bar.
Security

05. Google session control

  • When you go in security settings and scroll down a bit, you will see a new feature called "Google Session Control" - set session duration of Google services .
  • Click on it to select the session length that you want to define for your Google Workspace users.
Google session control

06. Making Session Timeout Policy?

  • You can either apply the session length to all of your users by selecting the parent organizational unit.
  • If you want to apply it on a subset of users, or want to enforce different session length on different set of users, then apply it based on the organizational units (e.g select the required OU and then apply session policy).
Different set of users


7. FAQ

Most frequent questions and answers about Google Workspace Session Timeout Control

DOES IT APPLY TO USERS WITH AN ACTIVE SESSION?

No, when you change the session length in Google admin console (as shown above), then settings only apply to new sessions.

All users with an active sessions will “Not” be impacted by it, however once they “logout” OR “their 14 days default session expires”, then the new session length will be enforced.

IS THERE A WORK AROUND TO ENFORCE IT ON USERS WITH CURRENTLY ACTIVE SESSION?

Yes, workaround is to reset required user’s sign in cookies.

You can do that by following-;

  1. Search for the user in admin console
  2. Go to user’s account page
  3. Scroll down to see “Reset Sign In” cookies (as shown in the screenshot below)

Please note -: This will log the user out from all active sessions include the mobile app such as Gmail App on Android or iOS.

So be careful, I recall once I accidentally did it to our client’s CEO’s account and he had to login again to all his 6 devices, that was a tough day for me:).

Cookies

DOES IT APPLY TO MOBILE BROWSERS TOO?

Yes & No

Let me explain

As per Google’s documentation “Chrome Broswer” on Android and iOS works a bit different and these settings will NOT be applied on it, however other browsers such as  Mozilla Firefox are covered by this setting.

DOES IT APPLY ON MOBILE APPS?

No, it does not apply on Google Workspace mobile apps (e.g Gmail or Drive app on Android and iOS).

So, let say, if you configure session to be 8 hours, users on mobile devices with native Google Workspace apps will “NOT” need to enter their password every 8 hours which is good else it’ll be a nightmare:).

DOES THIS APPLY TO SAML BASED AUTHENTICATION TOO?

Yes.

Though at the time of initial launch of session control, it was only supported where Google was acting as IDP,  but just after couple of weeks, Google enhanced its session control and now it applies on SAML based authentication too where Google isn’t acting as authentication provider.

So if you are using a third party IDP (e.g Okta, Ping Identity or ADFS), this setting will now apply to those Google Workspace sessions too.

DO USERS AND ADMIN HAVE SAME 14 DAYS DEFAULT SESSION?

No.

Google Workspace Admin session timeout is “One Hour”, and as its a persistent one, which means closing the browser won’t impact the session but one hour time would.

CAN WE DEFINE OUR OWN CUSTOM SESSION LENGTH IN GOOGLE WORKSPACE?

No.

So far following static options are available to control sessions-:

1 Hour

4 Hours

8 Hours

12 Hours

24 Hours

7 Days

14 Days

30 Days

Session Never Expires

Related Posts

....

....