30 Minute Timeout for Office 365 Beginning 8/10

Posted July 26th, 2017 at 1:28 pm.

Beginning Thursday, August 10th, Office 365 (webmail) will time out after 30 minutes of inactivity. This means that if you have your email or calendar open in a web browser and haven’t used it in 30 minutes, it will log you out and you will need to log in again before using it.

Over the past year, LITS has been aligning session timeouts for core College systems to recommended practice for responsible risk management. Office 365 is the final system to change. This enhancement helps to safeguard your privacy and sensitive College data if you forget to log out of your account on a public computer.

This 30-minute timeout does not affect local clients (i.e. the Outlook desktop client), sync clients (i.e. Mail and Calendar on iOS), or Skype sessions.

Contact the Help Desk with questions: help@brynmawr.edu, 610-527-7440, lits.brynmawr.edu.

A few FAQs

What do I need to know?

  • This timeout applies to Outlook for Web.
  • It is an idle timeout, meaning it signs out after 30 minutes of no activity in Outlook for Web.
  • Emails and other items in 365 autosave frequently so work is not lost.
  • We get that this is a challenging change, and protecting College and student data is everyone’s responsibility.
  • If this impacts your work, there are options (see below).

What’s an idle timeout?

Session timeouts take effect after a set amount of inactivity by the person logged in to the system. Ideally, from the perspective of our auditors, all significant systems where people log in would be set to a session timeout triggered by 30 minutes or less of inactivity.

Microsoft tech documentation explains it this way:

“When users authenticate in any of the Office 365 web apps or mobile apps, a session is established. For the duration of the session, users won’t need to re-authenticate. Sessions can expire when users are inactive, when they close the browser or tab, or when their authentication token expires for other reasons such as when their password has been reset. The Office 365 services have different session timeouts to correspond with the typical use of each service.”

We have set our Outlook Web Apps token to expire after 30 minutes of inactivity.

Why has this change been made?

Almost every person with an email account has some sensitive data in email. We have placed session timeouts on significant systems to mitigate the risk of a BMC login being hijacked.

A Web-based application has no way of knowing whether users are here on campus on managed machines, or elsewhere around the world at a business center, library, or Internet cafe.  The risk of an information breach because someone is left logged in for multiple hours in a place they should not be is substantial.  Our policies remain more generous than those of many businesses and other institutions.

This is part of a larger College information security initiative.

What are my options if I find this change impacts my work?

  • If your issue is staying logged into email on a College machine, you might consider using the local Outlook 2016 application on your College machine.  Instructions can be found at http://techdocs.blogs.brynmawr.edu/1069. You should already have it installed, and if you don’t (or if you have trouble setting it up), a quick call or email to the Help Desk can help you get set up.
  • If you find that you are missing meetings or notifications, Outlook 2016 will also address this. Another option is to set up either the Outlook Mobile App or a mobile sync (see http://techdocs.blogs.brynmawr.edu/346) for phone-based alerts.
  • If you are currently using the OWA App on your mobile device and are having trouble with timeouts, try switching to the Outlook App.

If the Outlook client doesn’t time out, how is that safer than if the Web didn’t time out?

We recommend the Outlook client on your College computer (which has a 30 minute computer inactive lock), or on your mobile device (which the Data Handling Policy requires to have a locking passcode). These mechanisms provide similar protection to the Web-based timeout.

What about convenience?

We understand that timeouts can be inconvenient for people, and we’re balancing that understanding with industry best practices and the recommendations of our auditors. Most peer institutions currently have session timeouts set to between 10 and 30 minutes of inactivity.

Is this the only timeout?

No, it is the last in a series of systems, including College computers, PeopleSoft (Bionic), etc., to have 30-minute inactivity timeouts. Certain environments such as Moodle and computers in classrooms have longer timeouts due to the specific nature of their use. Other systems such as kiosks and lab computers have shorter lock, logout, and reset windows.

Does this only apply to [my constituency]?

These timeouts apply across the board, and are not limited to only staff, only faculty, or any other particular group.



Filed under: Announcements, by Melissa Cresswell