Log Off all Devices

This idea has been developed and deployed to Canvas

For more information, please read through the Canvas Deploy Notes (2022-01-05)


In Canvas mobile apps the login token never expires; much like Facebook's mobile app retains a password.

When an institution has their own authentication system, they don't use the internal Canvas authentication. If a user changes their password within the authentication system at the institution, the user is never logged out of the Canvas mobile apps, unless that user intentionally logs out of the Canvas app. This is a potential security risk.

In Facebook a user can choose to log out of all devices. This is especially useful if the user's password has been compromised, or a device has been stolen.

I would like to have a similar feature available to users within Canvas. This feature should also be available to admins for any user in the Canvas user database at their institution. Admins may need to log users out of the mobile apps if they have been terminated or an institution-owned device has been stolen.

For example, Sally has logged into the mobile Canvas app on her iPhone, iPad, and desktop/laptop browser. Sally should be able to log out of any of these connections, or all of them, from within Canvas. A possible location for this feature could exist within the user profile.

I have attached a screen shot of the feature in Facebook as reference.

48 Comments
rseilham
Community Champion

You bring up an excellent point in this post. There are quite a few institutions that use their own authentication methods, especially large universities with lots of users. 

The only way to log off remotely for all devices is to delete the Approved Integration for the iOS or Android app(s) in the user settings on the web. 

I'm not sure if an admin can do this on behalf of the user though? Either way, this could be the workaround, but I think something more "official" would be a good feature.

mzucal
Community Contributor

I suppose if the admin was masquerading as the user they could. What I'm referring to is also being able to do it unmass.

jpruden
Community Participant

I had previously requested that Instructure get off their collective tails and implement a fix for this to match the security of the website, but they've made it very clear that iPads will always be second class citizens on this platform.

Short version:

Website: 15 minutes of no activity = logoff

iPad app: forever tokens = never log off ever for anything even if someone's account is disabled, password changed or other actions.

It's just not acceptable and may be in violation of other regulations that require systems to protect student information by logging out after some timeout period.

I'm going to ask all of our faculty to vote on this one to see if we can get their attention.

BTW You can request an "everyone logout" from your CSM to expire all accounts on some date or time. For now, it has to go through engineering to happen... thus the need for contacting your cheerleader um... CSM for help.

thanks,

Jamie

p_a_hudson
Community Participant

This has caused issues for us. We have tried to remove registrations as a fallback solution. But it's really not acceptable that they can continue to access Canvas after we've blocked their main University accounts.

julian_ebeli
Community Participant

Our teachers do not have the rights to delete these tokens from their profile settings. Impersonating them doesn't help.

julian_ebeli
Community Participant

We are seeing that retiring teachers are still logged into the Canvas institution via the phone apps. This feature would help manage them as well. (In lieu of deleting their accounts)

MLentini
Community Participant

We just had this come up. Admins can't delete the tokens while masquerading. There are a couple of kludgy ways to do it (create a second login for that user, etc.), but this could certainly be a lot cleaner. 

MLentini
Community Participant

It would be lovely to have an API endpoint for this. We script some of our authentication/de-authentication work, so it would be ideal to automate this for Canvas as well. 

p_a_hudson
Community Participant

Agreed. An API is the only acceptable way forward for us. Everything account related is automated from our Identity system. A 'manual solution' wouldn't work for us. 

blong
Community Participant

We have had issues with this as well. I had to administratively change an account's password after it appeared the student's account was compromised. The account was still being accessed through the mobile device. After consulting with the Canvas support call-in number, I ended up disabling his access to his courses until I could talk to him to verify the logins. To protect course and student integrity, it shouldn't take multiple steps to lock a student out of an account.