Authored by santosh.kushwah@ibm.com ,co-authored by ambadwa1@in.ibm.com,anok.angadi@ibm.com and dshiva27@in.ibm.com

Enabling the "Restrict Concurrent Logins" Setting in MaaS360

Restricting concurrent logins is a critical security measure that prevents users/admins from accessing MaaS360 portal from multiple locations simultaneously. This practice is particularly important in sensitive environments such as banking, where security and compliance are paramount. By limiting concurrent logins, organizations can enhance security, prevent unauthorized access, and ensure compliance with regulatory requirements.Enabling a "Restrict Concurrent Logins" feature within the product delivers significant security, compliance, and operational advantages. By allowing only one active session per user account, it effectively prevents unauthorized access through credential sharing or session hijacking.

This not only safeguards sensitive data but also reinforces user accountability and discourages misuse of licensed accounts. From a compliance standpoint, it helps organizations enforce user-based licensing agreements and meet regulatory requirements related to access control. Operationally, it simplifies session tracking, improves audit trails, and reduces system load from unnecessary simultaneous sessions. Overall, this feature promotes a more secure, efficient, and policy-compliant user environment.

MaaS360 provides an option to restrict concurrent logins for enhanced security and user accountability. To enable the Restrict Concurrent Logins setting, follow the steps below:

1. Log in to your MaaS360 account using valid credentials.

2. Navigate to the Setup section.

3. Under Services & Settings, click on Settings to open the main settings page. 

4. Locate the Administrator Settings section, then click on Advanced to access the advanced settings.

5. Within the Login Settings page, find the option labeled Disable Multiple Logins.  

6. Enable this option to restrict concurrent logins, and click Save to apply the changes

   Note:
   After enabling the Restrict Concurrent Logins setting, the current active session will remain unaffected. For the restriction to take effect, the user or admin must either log out manually or be automatically logged out due to session timeout. The setting will be enforced during the next login attempt from a new browser or device.

   If the user/admin does not log out from existing sessions, the restriction will only take effect when they attempt to log in from a third browser or session. At that point, the system will block the login as per the configured concurrent session policy.

Behavior After Enabling Restrict Concurrent Logins:

Once the Restrict Concurrent Logins setting is enabled, if a user or admin attempts to log in while another session is already active, they will be redirected to a "Multiple Logins Detected" screen.

On this screen, two options are provided: Continue and Reset Password.

• If the user/admin clicks Continue, they will be logged into the new session. The previously active session will remain accessible until either an action is performed or the session becomes idle, at which point it will be automatically logged out

• if the user/admin click on Reset password , they will be navigated to reset password page where they can set new password if any suspicious login detected

• if the user/admin click on Close and Logout, the current session will be logged out and old session will continue active.

Important Note:
Both the Multiple Logins Detected screen and the Reset Password screen function as lock screens. Once a user or admin is redirected to either of these screens, the session is considered locked, and the screen will not change or redirect automatically. The user must take an explicit action (e.g., click Continue or Reset Password) to proceed. Until then, access to the portal remains restricted.

Reset Password Enforcement:
Once a user or admin is redirected to the Reset Password page, they are required to update their password in order to regain access to the portal. Until the password is successfully updated, any login attempt will continue to redirect the user back to the Reset Password page. This ensures that the password reset process is completed before access is restored.

Conclusion:

This mechanism ensures secure session handling while allowing the user to maintain control over their access.By enabling the Restrict Concurrent Logins feature, organizations can significantly enhance the security, accountability, and compliance of user sessions within the MaaS360 platform. The enforcement of session limits, combined with lock screens like Multiple Logins Detected and Reset Password, ensures that only authorized and verified sessions remain active.

Users are required to take explicit actions—such as updating their password or confirming their session—to continue access, thereby reducing the risk of unauthorized use. This feature not only strengthens access control but also reinforces responsible usage and adherence to security policies across the organization.