Set session length for Google services

This feature is available with G Suite Business, Education, and Enterprise editions. Compare editions

As an administrator, you can control how long users can access Google services, such as Gmail, without having to sign in again. For example, for users that work remotely or from untrusted locations, you might want to limit the time that they can access sensitive resources by applying a shorter session length. If users want to continue accessing a resource when a session ends, they’re prompted to sign in again and start a new session.

How the settings work on mobile devices vary by device and app (see Considerations below). By default, the session length for Google services is 14 days.

Considerations

When and how users sign in

  • When you change the session length, users need to sign out and in again for settings to take effect. 
  • Users might not sign out for some time. If you want them to sign in again sooner, you can reset users’ sign-in cookies. You have to reset each user one at a time. For details, see Block access to your Google service on a lost device.
  • If you set the session to never expire, users never have to sign in again.
  • If you need some users to sign in more frequently than others, place them in different organizational units. Then, apply different session lengths to them. That way, certain users won’t be interrupted to sign in when it isn’t necessary. 
  • You can also require users to sign in with 2-Step Verification (2SV). To verify trusted devices, you could have users touch their security key. For details, see Set up 2-Step Verification.

Mobile devices

  • You can’t configure session lengths for native mobile apps, such as Gmail or Google Calendar, on Android or Apple® iOS®devices.

For Chrome Browser:

  • You can’t apply session-length settings to Chrome Browser on Android or iOS devices. However, you can apply session-length settings on other mobile browsers, such as Apple® Safari® and Mozilla® Firefox®.
  • If the user is signed in to Chrome Browser on a mobile device, session-length settings won't apply. Settings only apply if the user is not signed in to Chrome Browser.

Third-party identity providers

  • If you’re using a third-party identity provider (IdP), such as Okta® or Ping®, and you set session lengths for your users, you need to set the IdP session length parameter to expire before the Google session expires. That way, your users will be forced to sign in again.
  • For details on how to set the session length on your specific IdP, refer to your IdP's documentation.

Set session durations

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Securityand thenGoogle session control.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. On the left, select the organizational unit where you want to set session length.
    For all users, select the top-level organizational unit. Otherwise, select another organization to make settings for its users. Initially, an organization inherits the settings of its parent organization.
  4. For Session control, under Web session duration, choose the length of time after which the user has to sign in again.
  5. Click Override to keep the setting the same, even if the parent setting changes.
  6. If the organizational unit's status is already Overridden, choose an option:
    • Inherit—Reverts to the same setting as its parent.
    • Save—Saves your new setting (even if the parent setting changes).
Was this article helpful?
How can we improve it?