Forcing Log Off

By forcing users to log off, ITM On-Prem (ObserveIT) enables you to block users who log in to machines that they are not authorized to access, or to prevent users from continuing with activities that are risky or malicious.

This feature is supported on Windows, Mac, and Unix operating systems. The Log Off action is available for all the "Did What?" categories, not just Logged In. The OS Type in the alert rule details must be Windows or Unix (i.e., it cannot be Both).

The Log Off action blocks the user's screen with a message asking them to log off; if they do not, they are automatically logged off after a specified period of time (by default 30 seconds). You can configure this period. Users have an option to provide an explanation for their activity within this time period.

If an alert is triggered for the rule, the Log Off action will be implemented. On Windows or Mac endpoints, any open applications will be forcibly closed and unsaved data will be discarded. On Unix endpoints, the Log Off will forcibly close the user's Unix/Linux shell.

In the case of multiple messages from configured actions during a user session, the first Log Off action always takes priority.

The following procedures describe how to configure the Log Off action for an alert rule on Windows/Mac and Unix operating systems.

To configure a forced log off action on Windows or Mac operating systems

  1. In the Action area of the Create/Edit Alert Rule page, click the Log Off tab.

    The Log Off action is always available for selection regardless of the "Did What?" conditions.

  2. In the text box, enter the message that you want to display to the user.

    You must enter a message text (up to 2000 characters); otherwise the alert rule cannot be saved. The message must also have a header (by default Logging Off) of up to 64 characters.

  3. By default, the check box Automatically log off user after <sec> seconds is selected, specifying the number of seconds from the time the message is displayed to the user until the log off will be implemented. By default the value is 30 seconds, but you can configure a different value within the range of 5-300 seconds.

    If you deselect the check box Automatically log off user after <sec> seconds, the log off message displayed to the end user will block the user's screen until the Log Me Off button is clicked.

  4. To see how the log off message will appear to the end user, click the Preview button.

    To close the preview, click the X button.

  5. Click Save in the Create/Edit Alert Rule page to save your configured rule.

    The newly configured alert rule will be displayed in the Alert & Prevent Rules page.

To configure a forced log off action on a Unix operating system

  1. In the Action area of the Create/Edit Alert Rule page, click the Log Off tab.

  2. In the text box, enter the message that you want to display to the user.

    You must enter a message text (up to 250 characters); otherwise the alert rule cannot be saved.

  3. By default, the check box Automatically log off user after <sec> seconds is selected, specifying the number of seconds from the time the message is displayed to the user until the log off will be forcibly implemented. By default the value is 30 seconds, but you can configure a different value within the range of 5-300 seconds.

    If you deselect the check box Automatically log off user after <sec> seconds, the log off message displayed to the user will block the screen until the user presses <Enter>. The user has the option to provide an explanation.

  4. To see how the log off message will appear to the end user, click the Preview button.

    To close the Preview, click the X button.

  5. Click Save in the Create/Edit Alert Rule page to save your configured rule.

    The newly configured alert rule will be displayed in the Alert & Prevent Rules page.
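
The limits from the two procedures above, collected into a pre-flight check for drafted Log Off actions. This is an added example, not ObserveIT code, and it calls no product API; the draft field names (os_type, message, header, auto_logoff, timeout_seconds) are assumptions.

```python
# Added example: pre-flight check of a drafted Log Off action against the limits
# stated in the two procedures. Field names are hypothetical; no product API is used.
LIMITS = {
    "windows": {"message_max": 2000, "header_max": 64},  # Windows/Mac procedure limits
    "unix": {"message_max": 250, "header_max": None},  # no header in the Unix steps
}
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 5, 300, 30
DEFAULT_HEADER = "Logging Off"


def validate_logoff_action(draft):
    """Return a list of problems; an empty list means the draft fits the limits."""
    os_type = str(draft.get("os_type", "")).strip().lower()
    if os_type == "both":
        return ["OS Type must be Windows or Unix, not Both"]
    limits = LIMITS.get(os_type)
    if limits is None:
        return [f"unknown OS Type {draft.get('os_type')!r}"]
    problems = []
    message = draft.get("message") or ""
    if not message.strip():  # assumption: whitespace-only counts as missing
        problems.append("message text is required")
    elif len(message) > limits["message_max"]:
        problems.append(f"message has {len(message)} characters, limit {limits['message_max']}")
    if limits["header_max"] is not None:
        header = draft.get("header", DEFAULT_HEADER)
        if not header:
            problems.append("header is required")
        elif len(header) > limits["header_max"]:
            problems.append(f"header has {len(header)} characters, limit {limits['header_max']}")
    # The timeout only applies while the automatic log off check box is selected.
    if draft.get("auto_logoff", True):
        timeout = draft.get("timeout_seconds", TIMEOUT_DEFAULT)
        if type(timeout) is not int or not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
            problems.append(f"timeout {timeout!r} outside {TIMEOUT_MIN}-{TIMEOUT_MAX} seconds")
    return problems


# Constructed sample drafts (not real rules).
DRAFTS = {
    "win-ok": {"os_type": "Windows", "message": "This server is restricted.", "timeout_seconds": 60},
    "unix-long": {"os_type": "Unix", "message": "x" * 251},
    "both": {"os_type": "Both", "message": "Restricted host."},
    "manual": {"os_type": "Unix", "message": "Restricted host.", "auto_logoff": False},
}

if __name__ == "__main__":
    for name, draft in DRAFTS.items():
        print(name, validate_logoff_action(draft) or "OK")
```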

Example of how a Log Off action appears to a Windows end user

When an alert with the Log Off action is triggered, the end user receives a message displaying the text configured in the alert rule Action.

If configured (see Defining Settings for Rules), a company logo or image can be displayed in the message.

The user is requested to log off (by clicking the Log Me Off button) or they will be automatically logged off within the specified period of time (by default, 30 seconds). The Log Me Off button shows a running countdown of the number of seconds after which the Log Off action will be applied. Users have an option to provide an explanation for their activity within this time period.

Upon clicking the Log Me Off button (or when the time period is exceeded), the user is forcibly logged off from the current session, all open applications are closed, and any unsaved data is discarded.

Any feedback provided by the user before log off is saved and displayed in the Alerts page of the Web Console together with the Log Off action.

Example of alert email notification for a Log Off action

Following is an example of an email notification that a user might receive in the event of an alert generated for a Log Off action: