I have an interesting problem concerning max session times and wanted to share it here to get people's thoughts.
I have to implement a company policy that states no users in a certain realm should ever be logged out during business hours (8AM - 5PM) due to max hitting the max session time. (Most users don't see the prompt asking them to extend their session.....) We also have to make sure that our ICE license gets disabled as close to 5PM as possible but no later than 5:30PM. Most of our users do not logout at the end of the day so I can't just set the max session to some crazy high number. I also cannot kick out users, they must get the prompt asking them to extend their session. Users also need access 24x7 so I cannot limit the times they can login. Idle time is fixed at 4 hours.
In this realm all users have their own dedicated rule that points to a dedicated role, which then contains Terminal Services or HTML5 resouce profiles that are dedicated that particular user. Since each user has their own role, everyone has an individual max-session time setting.
Given all these factors, this is the solution I've come up with.
The default max-session time for all roles is set to 8 1/2 hours. At 8:31 AM a script runs that uses the REST API to get all the currently open sessions. (API URL is /api/v1/system/active-users?number=A_HIGH_NUMBER)
The script selects all sessions from the realm in question, and using the login time for each session, calculates if the 8 1/2 max session time is enough to get the user to 5:10 PM. If the max session time isn't enough to get them to 5:10 PM, the max-session time is increated using another API call to get the user to 5:10 PM. (The API URL is /api/v1/configuration/users/user-roles/user-role/%ROLE_NAME%/general/session-options/max-timeout).
This is for the most part successful. At 5:10 PM the number of sessions takes a cliff dive, usually enough to disable ICE, and at 5:30 PM there's another cliff dive of sessions that guarantees ICE will be disabled. At midnight, a script runs that sets everyone's max-session time back to 8 1/2 hours via the REST API.
This seems a bit crazy but it works. Has anyone else had to deal with a similar situation? If so how did you approach it? I won't be offended if you tell me I'm nuts for doing this way.