Block access to consumer accounts

As an administrator, you might want to prevent users from signing in to Google services using any accounts other than those you provided them with. For example, you might not want them to use their personal Gmail accounts or a managed Google Account from another domain.

Use Chrome policies to block accounts

To only allow users from specific domains to access Google services on Chromebooks and through other managed Chrome browsers:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device management and then Chrome management.

    If you don't see Device management on the Home page, click More controls at the bottom.

  3. Click User settings.
  4. On the left, select the organization that contains the users you want to make settings for. Important: To apply policies for Chrome Browser users on Windows, Mac, or Linux computers, make sure Chrome Management is turned on for this organization.
  5. Go to User Experience and then Sign-in Within the Browser.
  6. Select Allow users to sign-in only to the G Suite domains set below.
  7. (Optional) To see a list of your domains, click organization’s domains under the domain list box.
  8. Enter the list of all of your organization’s domains.
    (If you don’t, your users might not have access to Google services.)
  9. (Optional) To include other types of accounts, enter the following text in the list:
    • For consumer Google Accounts, such as @gmail.com and @googlemail.com, add consumer_accounts.
    • For authenticated service accounts, add gserviceaccounts.com.
  10. (Optional) To prevent users from browsing in Incognito mode, go to Incognito Mode and then Disallow incognito mode.
    For details, see Incognito Mode.
  11. At the bottom, click Save.
    Settings typically take effect in minutes. But they might take up to an hour to apply for everyone.
  12. (Optional) Consider setting the following device policies:
    • Set a sign-in restriction so that only users in your organization can sign in to devices running Chrome OS. For details, see Sign-in Restriction.
    • Turn off guest browsing on devices. For details, see Guest mode.

Use a web proxy server to block accounts

Step 1: Choose a web proxy server

To only allow users on your network to access Google services using specific Google Accounts from your domain, you need a web proxy server that can:
  • Add a header to all traffic directed to google.com—The header identifies the domains from which users can access Google services.
  • Support SSL interception—Since most traffic through your Google service is encrypted, your proxy server also needs to support SSL interception.

Read specific instructions on how to block Google services from the following proxy service providers, selecting a server that meets your needs.

Step 2: Configure the network to block certain accounts

To prevent users from signing in to Google services using Google Accounts other than those you explicitly specify:
  1. Route all traffic outbound to google.com through your web proxy servers.
  2. Enable SSL interception on the proxy server.
  3. Configure every client device to trust your SSL proxy:
    1. Deploy the Internal Root Certificate Authority used by the proxy.
    2. Mark it as trusted.
  4. For each google.com request:
    1. Intercept the request.
    2. Add the HTTP header X-GoogApps-Allowed-Domains.
      The header’s value is a comma-separated list with allowed domain names. Make sure that the list includes the domain you registered with G Suite and any secondary domains you might’ve added.
  5. To allow users to sign in to specific accounts, add the following values to the header:
    • domain_name for accounts on specific domains, such as altostrat.com and tenorstrat.com for accounts ending in @altostrat.com and @tenorstrat.com
    • consumer_accounts for consumer Google Accounts, such as @gmail.com and @googlemail.com
    • gserviceaccounts.com for authenticated service accounts
  6. (Optional) Create a proxy policy to prevent users from inserting their own headers.

Note: This approach blocks sign-in access to Google consumer services other than Google Search, but doesn’t necessarily prohibit anonymous access.
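
The header rewrite from steps 4 to 6 of Step 2, written as an added example that is not part of the original article or any proxy vendor's code. The function names are hypothetical, the allow-list reuses the article's example domains, and host matching is assumed to cover google.com and its subdomains only.

```python
# Added example (not Google's or any proxy vendor's code): the per-request
# header rewrite from Step 2, as a pure function a proxy hook could call.
HEADER = "X-GoogApps-Allowed-Domains"
ALLOWED = ["altostrat.com", "tenorstrat.com"]  # assumed: the article's example domains


def is_google_host(host):
    """True only for google.com and its subdomains."""
    host = host.strip().lower()
    if ":" in host:                      # drop an explicit port, e.g. ":443"
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")
    return host == "google.com" or host.endswith(".google.com")


def build_header_value(domains, consumer=False, service_accounts=False):
    """Build the comma-separated header value (steps 4 and 5)."""
    values = []
    for entry in domains:
        d = entry.strip().lower().lstrip("@")
        if not d or "," in d or any(c.isspace() for c in d):
            raise ValueError(f"invalid domain entry: {entry!r}")
        if d not in values:
            values.append(d)
    if consumer:
        values.append("consumer_accounts")
    if service_accounts:
        values.append("gserviceaccounts.com")
    if not values:
        raise ValueError("refusing to build an empty allow-list")
    return ",".join(values)


def rewrite_headers(host, headers, value):
    """headers: list of (name, value) pairs from the client request.
    Returns the list to forward upstream."""
    # Step 6: discard any copy the client sent; header names are case-insensitive.
    kept = [(n, v) for n, v in headers if n.strip().lower() != HEADER.lower()]
    if is_google_host(host):             # step 4: add the header for google.com traffic
        kept.append((HEADER, value))
    return kept


if __name__ == "__main__":
    # Constructed sample request: the client tries to supply its own header.
    sample = [("Host", "accounts.google.com"),
              ("x-googapps-allowed-domains", "consumer_accounts")]
    print(rewrite_headers("accounts.google.com:443", sample, build_header_value(ALLOWED)))
```

Matching on the exact suffix keeps look-alike hosts such as google.com.example.net from receiving the header, and stripping the client's copy before adding the proxy's own is what makes step 6 effective.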

Common Questions

What happens if unauthorized accounts try to access services?

If a user tries to access Google services from an unauthorized account, they see a web page that:
  • Describes the unavailable service
  • Shows the unauthorized account they're using
  • Lists the domains where the service is unavailable
  • Suggests that they contact a network administrator for more information and sign out of their unauthorized account and sign in with an authorized account

What happens with services that don’t need authentication?

Google doesn’t maintain a list of blocked services. If a particular service requires sign-in, access gets blocked. Services that don’t require authentication, such as Google Search and YouTube, won’t be blocked.

Why can’t I just filter the traffic instead?

A common means of blocking access to web services is using a web proxy server to filter traffic directed at particular URLs. This approach won’t work in this case because legitimate traffic from a user’s managed Google Account goes to the same URL as the traffic you want to block.