About session revocation

Session revocation allows administrators to terminate or revoke the session token if a device is out of compliance and the UEM policy action is blocked or a device is retired. The revocation prevents out of compliance and retired devices from continuing to use a session token on the device to access the cloud service. Session revocation impacts the sessions of the managed applications (service provider) on all the devices that the user uses to access the cloud service. After a session token is revoked, the user has to re-authenticate with the service provider through Access to get a new session token. When the user tries to re-authenticate, Access enforces conditional policies and unblocks the app.

You can update the compliance policies in Ivanti EPMM> Policies & Configs > Compliance Policies.

Compliance policy

  • Support for policy action based Session revocation

  • Ivanti Access Session revocation service (SRS) workflows are improved to consider UEM (Ivanti EPMM) policy action configurations

  • Session revocation is triggered only for those devices which are non compliant and also have a blocking action setup against the corresponding policy

  • Session revocation actions is also triggered for other device states such as quarantine, wipe, and retire

  • For all other cases of violation, if there is a non blocking action (such as email, monitor, notify, etc) no action will be taken by Ivanti Access.

Session revocation is supported for Ivanti Access deployments for Office 365 using the Azure Graph API and G Suite using Google API console. However, the session revocation feature is not supported for Ivanti Access + Standalone Sentry deployments.

  • To start session revocation, Ivanti Access verifies the compliance action configured on UEM when the device goes out of compliance and the actions configured against them. For Ivanti Neurons for MDM or Ivanti EPMM deployments, session revocation is triggered if the device is out of compliance and the compliance action is either block or quarantine. Session revocation is also triggered if the device is Wiped or Retired.

  • To start session revocation, Ivanti Access verifies the compliance action configured on UEM when the device goes out of compliance and the actions configured against them. For Ivanti EPMM deployments, session revocation is triggered if the device is out of compliance and the compliance action is block. Session revocation is not triggered if the action is SendAlert.