
Idle Session Timeout Screenshot Guide

Last updated on Sep 25, 2025

1. Purpose of this Guide

This artefact demonstrates that your company enforces automatic log-off after a set idle period. Cyber Essentials requires this because if staff leave their laptops or web apps unlocked, attackers can waltz in. An enforced timeout slams the gate shut after a few minutes of inactivity.


2. What You Will Submit

You will need:

  • A screenshot showing idle session timeout settings.

  • The screenshot should clearly display:

    • The platform (Windows, macOS, Google Workspace, Microsoft 365, AWS, etc.).

    • The timeout duration (e.g. 5, 10, or 15 minutes).

    • Confirmation that automatic lock or log-off is enabled.


3. How to Collect / Obtain / Generate This Evidence

Windows 10/11:

  1. Open Group Policy Editor → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options.

  2. Find Interactive logon: Machine inactivity limit.

  3. Screenshot showing the value (e.g. 900 seconds = 15 mins).
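
To confirm that the value in the screenshot is the one actually applied, the check below (an added example, not part of the original guide) reads the machine inactivity limit from a `secedit /export /cfg` dump and grades it against this guide's criteria: enabled, and no more than 15 minutes. The sample export is constructed and the function names are illustrative. It assumes the policy is stored as the `InactivityTimeoutSecs` registry value.

```python
# Added example: grade the Windows machine inactivity limit from a secedit export.
MAX_SECONDS = 15 * 60                 # this guide's ceiling: <= 15 minutes
VALUE_NAME = "InactivityTimeoutSecs"  # registry value behind the policy (assumed)

# Constructed sample of `secedit /export /cfg policy.inf` output (trimmed).
# When loading a real export, open it with the encoding secedit wrote it in.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs=4,900
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
"""


def read_inactivity_limit(export_text):
    """Return the configured limit in seconds, or None if the policy is not defined."""
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Only lines under [Registry Values] are of interest.
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, data = line.partition("=")
        if key.rsplit("\\", 1)[-1].lower() != VALUE_NAME.lower():
            continue
        reg_type, _, value = data.partition(",")  # "4,900" -> REG_DWORD, 900
        if reg_type.strip() != "4" or not value.strip().isdigit():
            raise ValueError(f"unexpected data for {VALUE_NAME}: {data!r}")
        return int(value)
    return None


def grade(export_text):
    """Return (verdict, detail) for the export, using the guide's criteria."""
    seconds = read_inactivity_limit(export_text)
    if seconds is None:
        return "FAIL", "policy not defined"
    if seconds == 0:
        return "FAIL", "limit is 0, so the inactivity lock is disabled"
    if seconds > MAX_SECONDS:
        return "FAIL", f"{seconds} s exceeds {MAX_SECONDS} s"
    return "PASS", f"{seconds} s ({seconds / 60:g} min)"


if __name__ == "__main__":
    print(grade(SAMPLE_EXPORT))
```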

macOS:

  1. Open System Settings → Lock Screen.

  2. Under Turn display off on battery/power, set the delay to ≤ 10–15 minutes.

  3. Ensure Require password after sleep or screen saver begins is enabled.

  4. Screenshot this panel.

Google Workspace (Admin Console):

  1. Log into Admin Console → Devices → Chrome → Settings → User & Browser Settings.

  2. Find Idle Settings / Sign-out policy.

  3. Screenshot showing automatic sign-out after idle period.

Microsoft 365 (Entra / Office web apps):

  1. Open Microsoft Entra Admin Center → Conditional Access → Session controls.

  2. Check Sign-in frequency and Idle timeout policy.

  3. Screenshot showing policy applied to users.

AWS Console (example for cloud services):

  1. Open IAM → Account Settings → Console session timeout.

  2. Screenshot showing the timeout duration.


4. Evidence Format

  • Accepted file types: PNG, JPG, PDF.

  • Suggested naming format:
    YourCompanyName_IdleSessionTimeout_YYYY-MM-DD.png
    Example: AcmeCorp_IdleSessionTimeout_2025-07-01.png


5. What “Good” Looks Like

  • Screenshot shows timeout enabled (not “Never”).

  • Timeout duration is reasonable (≤ 15 minutes).

  • Platform name visible (to prove authenticity).

  • Date/version visible where possible.

Why it matters: auditors want to see that unattended sessions won’t sit open for hours, giving attackers easy access.


6. Tips

  • If you apply timeout via MDM (Intune, Jamf, Workspace ONE), grab a screenshot of the policy setting.

  • Redact personal names or device IDs if they appear.

  • Use consistent timeout values across systems for simplicity.