Block access to consumer accounts
As an administrator, you might want to prevent users from signing in to Google services using any accounts other than those you provided them with. For example, you might not want them to use their personal Gmail accounts or a managed Google Account from another domain.
Use Chrome policies to block accounts
To only allow users from specific domains to access Google services on Chromebooks and through other managed Chrome browsers:
From the Admin console Home page, go to Device managementChrome management.
If you don't see Device management on the Home page, click More controls at the bottom.
- Click User settings.
- On the left, select the organization that contains the users you want to make settings for.
- For all users, select the top-level organization.
- Otherwise, select a child organization.
Learn about How the organizational structure works.
- Go to User Experience Sign-in Within the Browser.
- Select Allow users to sign-in only to the G Suite domains set below.
- (Optional) To see a list of your domains, click organization’s domains under the domain list box.
- Enter the list of all of your organization’s domains.
(If you don’t, your users might not have access to Google services.)
- (Optional) To include other types of accounts, enter the following text in the list:
- For consumer Google Accounts, such as @gmail.com and @googlemail.com, add consumer_accounts.
- For authenticated service accounts, add gserviceaccounts.com.
- (Optional) To prevent users from browsing in Incognito mode, go to Incognito Mode Disallow incognito mode.
For details, see Incognito Mode.
- At the bottom, click Save.
Settings typically take effect in minutes. But they might take up to an hour to apply for everyone.
- (Optional) Consider setting the following device policies:
Use a web proxy server to block accounts
Step 1: Choose a web proxy server
- Add a header to all traffic directed to google.com—The header identifies the domains from which users can access Google services.
- Support SSL interception—Since most traffic through your Google service is encrypted, your proxy server also needs to support SSL interception.
Read specific instructions on how to block Google services from the following proxy service providers, selecting a server that meets your needs.
Step 2: Configure the network to block certain accounts
- Route all traffic outbound to google.com through your web proxy servers.
- Enable SSL interception on the proxy server.
- Configure every client device to trust your SSL proxy:
- Deploy the Internal Root Certificate Authority used by the proxy.
- Mark it as trusted.
- For each google.com request:
- Intercept the request.
- Add the HTTP header X-GoogApps-Allowed-Domains: followed by a comma-separated list with allowed domain names.
Make sure that the list includes the domain you registered with G Suite and any secondary domains you added.
X-GoogApps-Allowed-Domains: mydomain1.com, mydomain2.com
- To allow users to sign in to specific accounts, add the following values to the header:
- domain_name for accounts on specific domains, such as altostrat.com and tenorstrat.com for accounts ending in @altostrat.com and tenorstrat.com
- consumer_accounts for consumer Google Accounts, such as @gmail.com and @googlemail.com
- gserviceaccounts.com for authenticated service accounts
- (Optional) Create a proxy policy to prevent users from inserting their own headers.
Note: This approach blocks sign-in access to Google consumer services other than Google Search, but doesn’t necessarily prohibit anonymous access.
What happens if unauthorized accounts try to access services?
- Describes the unavailable service
- Shows the unauthorized account they're using
- Lists the domains where the service is unavailable
- Suggests that they contact a network administrator for more information and sign out of their unauthorized account and sign in with an authorized account