Block access to consumer accounts

Short answer:

To block access to some Google accounts and services while allowing access to your Google Apps accounts, you need a web proxy server that can perform SSL interception and insert HTTP headers.

As an administrator, you may want to prevent users from signing in to Google services using any accounts other than the accounts you provided them with. For example, you may not want them to use their personal Gmail accounts or a Google Apps account from another domain.

A common means of blocking access to web services is using a web proxy server to filter traffic directed at particular URLs. This approach won’t work in this case, because legitimate traffic from a user’s Google Apps account goes to the same URL as the traffic you want to block.

To only allow users to access Google services using specific Google accounts from your domain, you need the web proxy server to add a header to all traffic directed to google.com; the header identifies the domains whose users can access Google services. Since most Google Apps traffic is encrypted, your proxy server also needs to support SSL interception. (See below for a list of proxy servers known to support both SSL interception and HTTP header insertion.)

To prevent users from signing in to Google services using Google accounts other than those you explicitly specify:

  1. Route all traffic outbound to google.com through your web proxy server(s).

  2. Enable SSL interception on the proxy server.

    Since you will be intercepting SSL requests, you will need to configure every client device to trust your SSL proxy by deploying the Internal Root Certificate Authority used by the proxy and marking it as trusted.

  3. For each google.com request:

    a. Intercept the request.

    b. Add the HTTP header X-GoogApps-Allowed-Domains, whose value is a comma-separated list with allowed domain name(s). Include the domain you registered with Google Apps and any secondary domains you might have added.

    For example, to allow users to sign in using accounts ending @altostrat.com and tenorstrat.com, create a header with the name X-GoogApps-Allowed-Domains and this value:
    altostrat.com, tenorstrat.com

    You may also want to create a proxy policy to prevent users from inserting their own headers.


Users attempting to access Google services from an unauthorized account will see this web page:

Note: This approach blocks sign-in access to Google consumer services other than Google Search, but does not necessarily prohibit anonymous access.

Specific configuration instructions provided by proxy server providers