I'm not a fan of Canvas anyway but this week has been extremely testing / embarrasing for me and a colleague due to basic functionality not being available in this VLE.
Basically, we have had some students whom we wanted to just disable access to the VLE. Not delete, just disable. So we created changed their username and email account info on the login section of their account and changed the passpwords.
However we were still seeing them accessing Canvas. After a support ticket was raised, it appeas that if a student is using an app to access their account, then that will stay connected and the only way to stop this is deleting them from the system.
This was after we had told the Deputy Head of the school that we have scrambled the login info so there's no way they can access. How embarrassing!
Does anyone else find is strange, unreal, frustrating that you cannot simply disable the user from within their account details?
We ran into this too. There is a workaround that admin can use to delete the tokens for mobile app and the student is automatically signed out.
You will need to add a login to the student's account so that you can log in because you can not change/delete/update tokens on an account when you masquerade. It sounds like you have updated the login already, so just login with the new password and follow How do I manage API access tokens as a student? to remove the tokens.
Unfortunately, in a district with close to 60,000 students, I cannot go in and manually delete the app tokens each time a student is withdrawn. There needs to be a better process here. The main issue for us is with the Canvas Inbox, where students can still reply to threads in old courses.