Time restrictions
Time restrictions policies control when and how long users can stay connected to the network. They are divided into two types: Hour restrictions and Time quotas.
Hour restrictions define specific timeframes where users can or cannot log on.

Allow logon only during business hours.
Block access on nights and weekends.
Automatically disconnect inactive or long-running sessions.
You can configure timeframes as Authorized (only those hours allowed) or Denied (only those hours blocked).
In case of overtime, you can either do nothing, force logoff, or lock the session. Forced logoff is disruptive (unsaved work lost), while lock is less intrusive.
When the Maximum session length is reached, the session is automatically logged off after the delay set in Logoff notification timeout. Users can log on again immediately after being logged off.
The Logoff notification timeout controls how long before forced logoff the Time restriction logoff message appears. Default is 1 minute. Best practice: allow enough time for users to save their work.
Maximum locked time requires a password-protected screensaver, and the setting Consider screen saver time as locked time must be enabled.

A list of all hour restriction policies is available in the Access Policies section, under the Hour restrictions page.

Time quotas limit the total connection time a user can consume over a recurring period (day, week, month, etc.).

Limit daily VPN usage to a fixed number of hours.
Apply different quotas per session type (e.g., workstation vs remote access).
Restrict monthly logon time for temporary or contract staff.
You can define multiple quotas within the same policy by using different time periods or session types.
When the quota is reached, users receive a notification and are logged off after the Logoff notification timeout global setting (configured in Server settings → General → Time).
The Time quota logoff period message can be customized.
The notification period does not count against the quota.
Daily quotas reset at midnight, so sessions that run past midnight can unexpectedly consume the next day’s quota. To avoid this, combine the quota with a Maximum session length or Maximum locked time.
Quota consumption is visible in the user dashboard → Working Hours tab.

Admins can reset or decrease consumed time manually.

Quota usage can be displayed in the Welcome message (requires an Alerts & notifications policy).
A daily quota of 8 hours is set.
Alice doesn’t work in the morning and logs on at 4:30 PM.
She forgets to log off.
At midnight, the counter resets to 0.
By 8:00 AM, 8 hours are consumed (from the previous day’s session), so the session is automatically logged off.
At 8:30 AM, Alice tries to log on again but is denied, since the time quota is already consumed.
To prevent this scenario, consider configuring a Maximum session length or Maximum locked time (e.g., 8 hours) in the Hour restrictions policy.
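The scenario above can be replayed with a small model, given here as an added example that is not code from the product. It assumes a per-calendar-day counter that resets at midnight and ignores the notification period (which does not count against the quota); the function names and the dates are constructed for illustration.

```python
from datetime import datetime, timedelta

ZERO = timedelta(0)

def simulate_session(logon, daily_quota, max_session=None, used=None):
    """Run a session nobody logs off manually; return (logoff_time, used).

    used maps each calendar date to the quota time consumed on that date.
    Assumed model: the counter is per calendar day and resets at midnight.
    """
    used = dict(used or {})
    deadline = logon + max_session if max_session is not None else None
    now = logon
    while True:
        day = now.date()
        next_midnight = datetime.combine(day, datetime.min.time()) + timedelta(days=1)
        remaining = max(ZERO, daily_quota - used.get(day, ZERO))
        # This slice ends at quota exhaustion, the midnight reset, or the
        # Maximum session length deadline, whichever comes first.
        stop = min(now + remaining, next_midnight)
        if deadline is not None:
            stop = min(stop, deadline)
        used[day] = used.get(day, ZERO) + (stop - now)
        now = stop
        if used[day] >= daily_quota or (deadline is not None and now >= deadline):
            return now, used

def can_log_on(at, daily_quota, used):
    """A new logon is allowed only while quota remains for that calendar day."""
    return used.get(at.date(), ZERO) < daily_quota

if __name__ == "__main__":
    quota = timedelta(hours=8)
    logon = datetime(2024, 1, 8, 16, 30)   # constructed date, 4:30 PM
    retry = datetime(2024, 1, 9, 8, 30)    # next morning, 8:30 AM
    for limit in (None, timedelta(hours=8)):
        logoff, used = simulate_session(logon, quota, max_session=limit)
        print(f"max session {limit}: logged off {logoff}, "
              f"8:30 AM logon allowed: {can_log_on(retry, quota, used)}")
```

Without a session limit the forgotten session runs until 8:00 AM and uses the whole next-day quota; with an 8-hour Maximum session length it ends at 12:30 AM and only 30 minutes of the next day's quota are spent.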
A list of all time quota policies is available in the Access Policies section, under the Time quotas page.
