In the name of balancing security with ease-of-use, it would be really nice if the app could remember your institution each time your session ends, so you don't have to type that in.  Just click to confirm (like clicking a bookmark on your browser) and off you go to the authentication process.

@rake_9 This is a great point. Introducing these settings will require more frequent login actions from the users, so the login must be as smooth as possible. We are working on the topic. Thank you for the suggestion!

Thanks so much for the information on this and for working to provide this security feature.

I am confused by some of the bullets under What happens if the setting 1 Timer expires?

What do these mean in relation to what happens to the user?

• I am actively using one of the Canvas Mobile apps when the timer expires
• I have already closed the application or just put it into the background, so I am not using it actively

I think what may be causing the confusion for me is that under, "We have two possibilities here" there are 4 bullets.  I understand the first two but am unsure what happens to the user with these other 2.  Thanks for any clarification you can give!

After looking at again, I am going to attempt to answer my own post above.  I think there are some formatting issues that need correcting. Should it be this?

What happens if the Setting 1 timer expires?

We have 2 possibilities here:

1. I am actively using one of the Canvas Mobile apps when the timer expires

• In this case, I will not be logged out because the Setting 2 timer has not yet expired. I can continue using the app until the Setting 2 timer expires (which is not happening since I am actively using the app—see later)

2. I have already closed the application or just put it into the background, so I am not using it actively

• Next time I open the application, the app will check the Setting 2 timer status and if the timer has expired, it will ask me to log in (select school and provide credentials)
• If the timer has not expired, it will let me open the application without logging in and will continue allowing access until I become inactive for the Setting 2 duration

And does this fix the formatting issues for the Setting 2 expiration explanation?

What happens if the Setting 2 timer expires?

We have 2 possibilities here:

1. Setting 1 timer is not yet expired → the user remains logged in regardless of setting 2

• In this case, I will not be logged out because the app will detect that Setting 1 timer is not expired and it will just reset the Setting 2 timer. I will not even notice that the Setting 2 timer expired. I can continue using the app until the Setting 2 timer expires (which is not happening until I am actively using the app).

2. Setting 1 timer has also expired → the user is logged out

• This can happen only if I am idle;  I did not interact with the application recently. In this case, since I am not using the app, I will not notice anything.
• Next time when I start the application (or bring the app into the foreground) it will ask me to log in (select school and provide credentials).

Is there any documentation out there on how admins would go about enabling these settings, if we wanted to?

Thanks!

Evan

Hi @ewest. Once the feature gets released we'll have documentation, but it is still under development.
 

We were looking for something like this for a while. Can I just confirm where you are with this in terms of usage and testing. When will you be testing it and when can we expect this to be something we can use? If we ask our CSM to support this, will this be something we need to test, how can we ensure it works on our end before we release the changes? 

Any news on this feature? Is this something we can request from our CSM? @jozsefdavid suggested in February there might be documentation or other information available soon.

Hi @rake_9 . The necessary changes are not yet implemented on the server side yet. That is a different team not mine, so I can't promise anything in their name, but maybe my colleague will update you here. I'll ping him now.

Great to see this... two additional features that would be fantastic would be "kick this user now" and "kick all users now" from the back end...

The use case for this (that's not listed above) is that many colleges (and we K-12 institutions) use external authentication methods (in our case, LDAPS via AD). When we have a kid that withdraws from the school, we disable their account in Active Directory. Regrettably, that student still has access to their Canvas courses via the App. We currently have to contact Support to force expire all tokens to kick them from the app.

Typically, we would use this option at password change time when we *really* want students to update their passwords... we can communicate a time for this to happen and not worry about students that may be doing something because they've been warned. 

thanks,

Jamie

Thank you for posting - we would really love these features as well!

@jozsefdavid Do we have any updates on the implementation of this "feature"?

@jozsefdavid I would really be interested in this as well.  It's been a year since the intial posting -- do we know when this feature might be released?

My primary concern is shared iPads in classrooms.  In addition to whatever timeouts we could set with the Canvas platform, it would be useful if there were a configuration profile for the iPads to allow institutions with MDM solutions (e.g. jamf) to control the behavior of the Canvas Student and Teacher apps re: signin duration.

Thanks!

Hi @AHauerwas. 

Thank you for the comment and followup. The feature got postponed for various reasons, but it is not forgotten, we are aligning it on a quarterly basis. On the other hand this feature would not solve the shared iPad problem, because the minimal length of the token will be much longer than the length of a class. I will bring up this use case at our next alignment meeting as a concern. Sorry for not being more concrete here. The priority of this feature is not fixed and therefore I cannot give you a time estimate at the moment.

@jozsefdavid, thanks for the quick response!  I understand how development priorities can change, and appreciate that Instructure is still working on this.

As I mentioned in my comment, it is the shared iPad situation that is our primary concern -- and in fact, it was your own first bullet point in your post from February, 2022!  If there were a way to modify the actual devices that make use of the app (e.g. through a configuration profile), that would be ideal -- because then the institution could control the behavior of the app on the devices that they themselves own.

Just $0.02 for Development.  And thanks again!

@AHauerwas Great point... I'd love to be able to push a config like that via Mosyle for our loaner iPads.

Regrettably, Instructure isn't interested in this "super not very sexy" fix for a security hole that has existed for WAY too long... I've been asking for something like this for over 7 years and *oops* it got put off again

We look forward to the delivery of this feature. At our institution, we would like to be able to set session times separately for the Teacher and Student apps. Is this something that is being worked on as well?

Hi,

I was checking on the status of a solution for auto-expiration of mobile access sessions and if there is a tentative release schedule for this feature?

Thanks,
Ed

@jozsefdavid 

I would like to add that it is great to see that this feature is coming soon. Just to add to the list of reasons why this feature (or a default token expiration of 90, 180, etc. days) is needed. When SIS rollover occurs every summer, we don't want students to see their upcoming scheduled info (Future enrollments) before it is finalized and we are close to the start of the school year. Students that are already signed into the mobile app are able to see this info, and it creates a lot of noise between the student and their school. We disable access to Canvas via our SSO authentication, but students that were already signed into the mobile app can continue to see this information.

Looking forward to when this feature is available in the product. Thank you.

@pscanlan Excellent point... we have the same issue (although ours is a bit muddled by summer "stuff" that some classes are required to complete... so we can't kill SSO access altogether)... the noise is a HUGE issue for a private school like ours.

Now... on that whole "coming soon" issue... @jozsefdavid Do we have any updates?

When this feature finally ships, I'd like to suggest someone create a flowchart to document the logout logic. Far easier to understand than bullet points.

I am also looking forward to this.

I am guessing that it is not something that we should except for the beginning of the 2023-2024 academic year.

Would something like this be released in the middle of the academic year?  Released in January?

Does this exist somewhere (honestly I have only quickly looked) on the https://community.canvaslms.com/t5/Instructure-Roadmap/ct-p/instructure-roadmap?

Hi @dbrace and welcome to the nightmare...

I've been waiting almost 8 years for this specific functionality... or some way to do the same thing from the Admin side (really, I'd be 100% completely satisfied with a button on the Authentication page that expired all tokens, but I digress)... If I was you, I don't think I'd be holding my breath for a quick resolution. Closest thing for now is to contact support and specifically request that they expire all mobile tokens on a certain date... Instructure will pick a time and will knock it out for you.

Note that there hasn't been any comment from the Canvas side since December... presumably there have been at least two (possibly 3) "quarterly reviews" on this request and *still* no love for us.

As with all things Canvasy, YMMV.

smiles,

Jamie

@jpruden / Jamie,

I asked the question(s) to continue the conversation and show that future feature notices from a vendor and customer requests should not be ignored.

We have been a customer since February 2018, of which the first few months was our own admin training, followed by training and use by a first group of pilots in Fall 2018, an expanded group in Spring 2019, full adoption in Summer 2019, and a complete roll-out in Fall 2019.  Our timing was lucky considering everything that happened in mid-Spring 2020.

I get it.  The Canvas LMS is a huge platform.  A lot of organizations use it.  Each with its own needs and all of them have their own reasons for why they do what they do.

Thank you for the tip for what we can do.  It is something that I will bring up internally and then take the appropriate steps.

I hope that you have a great academic year!

Doug

We'd also appreciate an update on this development. Is it still being progressed and on the roadmap? When was it last reviewed and is there any more information available @jozsefdavid?

I see that an update was mentioned in the main post but I did not receive a notification when the post was updated and normally I do.

I am really hoping that this does not continue to get tabled.

+++++

@jozsefdavid, can you please post updates in the comments when this is reviewed on a quarterly basis?

Hi @dbrace, @hmcneill ,

Thank you for the follow up. The feature improvement and the requests are not forgotten. It is a cross-team issue and requires extensive collaboration. Unfortunately, we couldn't align with the right timing yet, but we are working on continuously. Thank you for your patience. We now how pressing the issue is.  

Hi @jozsefdavid ,

What is it going to take to change the alignment? This security hole has existed as long as there's been an iPad app... I'm certainly not the "finder of the issue" on this one, but it's been long overdue for  a solution.

Unlike @dbrace and @hmcneill , I've been waiting for over 8 years for this... Seriously... how tough is it to engineer a button to expire all tokens and put it in the admin interface?

Literally, this should not affect ANYTHING except for the expiration of tokens. How does that become a "cross-team" issue?

sigh.

Jamie