Agent

Scope: SessionLimit 2.0

Logon Settings

Security Level

The SessionLimit agent operates at three security levels.

Less Secure: At this level, the Windows Credential Providers already on the computer are used. If a Windows or other custom Credential Provider is in use, it is not changed. When the username and password are entered on the Windows logon screen and the information is correct, the login takes place. The SessionLimit service then communicates with the server and decides whether to terminate the session.

Cons: The user is logged in first and then logged out by the service if necessary.

Pros: The last logged-in user account is shown on the Windows logon screen (unless otherwise specified by GPO). Cache logon can be used (unless otherwise specified by GPO).

Mid-Secure: At the medium security level, both the Windows Credential Providers and the SessionLimit Credential Provider are displayed on the logon screen. The default is still the Windows Credential Provider. The SessionLimit Credential Provider can be used if desired.

Since both options are active, the user can choose whichever Credential Provider they want.

Pros: If the computer is offline, cache logon can be performed with the Windows Credential Provider, while the SessionLimit Credential Provider can be used when online.

More-Secure: Only the SessionLimit Credential Provider can be used. The Windows Credential Providers (PIN, password, etc.) are turned off.

Cons: The username must be re-entered at each login and unlock. Access to the SessionLimit servers is mandatory. Cache logon does not work.

Pros: Login does not happen immediately after the username and password are typed. The SessionLimit Credential Provider checks the session first and, if it detects any illegal activity, cancels the login before it occurs.

Heartbeat Settings

The SessionLimit agent contacts the server once per period specified in the Heartbeat setting and informs it that it is alive.

If an action has been assigned to the agent, it also learns of it during the heartbeat. During operation, it learns and applies information such as policy changes and 2FA settings related to the active user.

The Missing Heartbeat setting determines how many consecutive heartbeats can be missed before the computer is marked as off. The default setting is 3: when 3 consecutive heartbeats are missed, the computer is marked as off. If there are active sessions, these sessions are marked as closed/to be closed sessions.
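The following added example models the server-side bookkeeping described above; it is not SessionLimit code. The class names, the 60-second interval, the computer names and the `to_be_closed` state string are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Computer:
    name: str
    last_heartbeat: float                          # seconds on the server clock
    sessions: dict = field(default_factory=dict)   # user -> "active" | "to_be_closed"
    online: bool = True

class HeartbeatMonitor:
    """Marks a computer off after N consecutive missed heartbeats (assumed model)."""

    def __init__(self, interval_s, missing_heartbeats=3):   # 3 is the page's default
        self.interval_s = interval_s
        self.missing = missing_heartbeats
        self.computers = {}

    def heartbeat(self, name, now, sessions=()):
        # A heartbeat resets the miss counter and brings the computer back online.
        c = self.computers.setdefault(name, Computer(name, now))
        c.last_heartbeat, c.online = now, True
        c.sessions = {user: "active" for user in sessions}

    def missed(self, name, now):
        # Whole heartbeat periods elapsed since the last report.
        c = self.computers[name]
        return int((now - c.last_heartbeat) // self.interval_s)

    def sweep(self, now):
        """Return the names of computers newly marked off at time `now`."""
        newly_off = []
        for c in self.computers.values():
            if c.online and self.missed(c.name, now) >= self.missing:
                c.online = False
                c.sessions = {u: "to_be_closed" for u in c.sessions}
                newly_off.append(c.name)
        return newly_off

def demo():
    # Constructed sample data: two computers, one of which stops reporting.
    mon = HeartbeatMonitor(interval_s=60, missing_heartbeats=3)
    mon.heartbeat("PC-01", now=0, sessions=["alice"])
    mon.heartbeat("PC-02", now=0, sessions=["bob"])
    mon.heartbeat("PC-02", now=120, sessions=["bob"])   # PC-02 keeps reporting
    early = mon.sweep(now=179)   # PC-01 has missed 2 heartbeats: still on
    late = mon.sweep(now=180)    # third miss: PC-01 is marked off
    return early, late, mon.computers["PC-01"].sessions, mon.computers["PC-02"].online
```

With these values, a silent computer keeps its sessions counted as active for up to interval × Missing Heartbeat (here 180 seconds), which is the trade-off to weigh when tuning the two settings.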

Service Protection

The SessionLimit service is important for tracking sessions; if it is turned off, situations such as multi-logon and 2FA avoidance may occur.

isProtected: Prevents the SessionLimit service from being turned off, even by a local administrator. When this option is selected, the agent cannot be terminated via Task Manager or any other method. If termination is attempted, the system goes into a blue screen state to protect itself.

isHidden: Allows the SessionLimit service to be hidden from the Services list (services.msc).

Agent UI Settings
