Limiting Users’ Access to Google Personal Accounts

This article is for IT support.

Custom Headers

Important

This function applies when the user's device is running Connect for macOS, Connect for iOS, Connect for Chrome and Connect for Windows (Companion Mode).

You can use Custom Headers to stop students from signing in to their personal Google accounts during school time while allowing them access to your school’s Google Workspace. Custom Headers work through devices running Linewize Connect, which uses Man In The Middle (MITM) inspection to inject a header containing your school’s domain(s) into requests to Google Workspace URLs. Google receives the injected header and only allows users to sign in with their school account.

To get started, add or update one of your Google filtering policies to include the “Custom Headers” function. Save the filtering policy, then add the Google domains to your MITM configuration in the Mobile Agent menu. Any time Linewize Connect opens a Google Workspace app (like Gmail, Google Drive, Google Sheets or YouTube), your sign-in instructions are sent to Google.

If the user signs in to their school account or pre-approved domains, Google will allow the user to complete the sign-in. However, if they try to sign in with a personal account, Google will stop the sign-in and display a message to your user: "This account is not allowed to sign in within this network."

Before You Start

Important

Contact Linewize Support if you already have multiple filtering policies for blocking Google products. Our support team can help you set up your Custom Headers so it will not conflict with the other Google filtering policies.  

  1. Ensure Linewize Connect is installed on your students’ devices (Linewize Connect is not available on Android devices).
  2. Note your Google domain and subdomains as displayed in your school's Gmail or Google Workspace.
  3. Be familiar with any of your existing content filtering policies that Allow your users to access your school’s or district’s Google domain and subdomains.

Enabling Custom Headers

Enabling Custom Headers is a two-step process:

  1. Create a Custom Headers Policy
  2. Enable Man In The Middle (MITM)

1. Create a Custom Headers Policy

In this example, you’ll stop all users from accessing personal Google accounts on your school’s network and only let them access your school’s Google account. You’ll do this by creating a new Allow policy with a Custom Header.

Tip

If you already have a policy allowing your school’s Google domain, skip to steps 6 through 12.

  1. Go to Filtering > Content Filtering and select Create Policy.

  2. Enter a descriptive Name.

  3. Enter accounts.google.com in Type. Select Website accounts.google.com when it is displayed.

  4. Select Allow.

  5. (Optional) Select Locked if:

    • You do not want other policies to override this policy.

    • You want to stop teachers from giving students Bypass Codes to access personal emails and files.

    • You need to separate education and personal sign-ins before other Locked policies take effect.

  6. Enter X-GoogApps-Allowed-Domains in Header Name, then type your school’s domain or subdomain as it appears in your school's Google Workspace accounts into Header Value.

    Caution

    Make sure to spell your domain names exactly as configured in your Google Administrator settings. Any misspelling will lock all users out of their Gmail and Google Workspace apps until you fix the policy. See the Google help article Access your Google Workspace domain settings.

    • Do not add a leading dot before the domain name. Start with the first character of the domain name.

    • If you have multiple domains, add the domains separated by a comma and space. 

    • Do not add a trailing comma after the last domain.

  7. Select the plus icon (+).

  8. Verify your Custom Header is displayed under the Name and Value columns.

  9. Select Save Policy.
  10. Find your policy. An unlocked new policy will be displayed at the bottom of the list. A Locked new policy will be displayed as the last item in Locked policies. Drag your policy:

    • Below the Locked policies, unless your policy is also Locked and should be filtered before another Locked policy.

    • Below any Block policies applying to Google products, for example, below a policy blocking YouTube.

    • Above any Allow policies granting users access to any Google apps.

  11. Toggle Enable for your Policy. The toggle will appear in green when the policy is enabled.

  12. Continue to the next section to enable the Linewize Connect Mobile Agent and configure Man In The Middle (MITM) to inspect the Google web apps.

(Optional) Filtering Multiple Google Domains

Different groups in your school may need access to different school Google domains. You can add multiple Google Workspace applications to the Allow > Website in a Filter Policy as long as the Custom Header Value is the same. Your policy needs to allow the subdomain for the Google product. Replace the example domains, “school.edu” and “district.edu”, with your actual domain name.

Caution

Make sure to spell your domain names exactly as configured in your Google Administrator settings. Any misspelling will lock all users out of their Gmail and Google Workspace apps until you fix the policy. See the Google help article Access your Google Workspace domain settings.

If your school uses more than one domain, use a Website Filter. Separate the domains by a comma and space.

Filter > Allow > Website: google.com
Custom Header Name: X-GoogApps-Allowed-Domains
Example Value: yourschool.edu, yourdistrict.edu
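An added example, not part of the Linewize article or product: a pre-flight check in Python for the Header Value entered in step 6, applying the formatting rules from the Caution notes (no leading dot, comma and space between domains, no trailing comma, exact spelling). The function name check_header_value and the workspace_domains input (your domains as listed in the Google Admin console) are assumptions made for illustration.

```python
import re

HEADER_NAME = "X-GoogApps-Allowed-Domains"  # header name given in the article
# One DNS label: letters, digits, hyphens, no hyphen at either end.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def check_header_value(value, workspace_domains):
    """Return the problems found in a Custom Header value (empty list = OK).

    workspace_domains is an assumed input: the domains exactly as listed in
    your Google Admin console, which the article says the value must match.
    """
    problems = []
    known = {d.strip().lower() for d in workspace_domains}
    if value != value.strip():
        problems.append("leading or trailing whitespace around the value")
    value = value.strip()
    if value.endswith(","):
        problems.append("trailing comma after the last domain")
    # The article asks for a comma followed by a space between domains.
    if re.search(r",(?! )|, {2,}", value.rstrip(",")):
        problems.append("domains must be separated by a comma and one space")
    for entry in value.split(","):
        domain = entry.strip().lower()
        if not domain:
            continue  # empty entry, already reported by the comma checks
        if domain.startswith("."):
            problems.append(f"{domain}: remove the leading dot")
            domain = domain.lstrip(".")
        labels = domain.split(".")
        if len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
            problems.append(f"{domain}: not a valid domain name")
        elif domain not in known:
            problems.append(f"{domain}: not a domain in your Google Workspace")
    return problems


if __name__ == "__main__":
    # Constructed sample values using the article's placeholder domains.
    admin_console = ["yourschool.edu", "yourdistrict.edu"]
    for sample in ("yourschool.edu, yourdistrict.edu",
                   ".yourschool.edu,yourdistrict.edu,",
                   "yourschol.edu"):
        result = check_header_value(sample, admin_console) or "OK"
        print(f"{HEADER_NAME}: {sample!r} -> {result}")
```

Run the check on the exact string you plan to paste into Header Value before you enable the policy, since a misspelled domain locks every user out until the policy is corrected.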

If your Gmail has a different domain from your Google Workspace, add another Custom Header for the Google Apps.

Filter > Allow > Website: docs.google.com, sheets.google.com
Custom Header Name: X-GoogApps-Allowed-Domains
Example Value: schoolapps.edu

If your school uses subdomains to limit access by type of user to specific Google Apps, add a Custom Header for the subdomain. For example, you allow your staff and teachers to sign in to personal accounts in Google Groups but want your other Google filtering to apply.

Filter > Allow > Website: groups.google.com
Custom Header Name: X-GoogApps-Allowed-Domains
Example Value: staff.yourschool.edu

For more specifics on how to work with Google to block access to consumer accounts, see https://support.google.com/a/answer/1668854

 

2. Enabling MITM for Mobile Agents

After creating the filtering policy, you need to tell Linewize Connect to monitor your users’ devices for attempts to access Google accounts.

  1. Go to Configuration > Mobile Agent
  2. Ensure the MITM Enabled checkbox is selected for “On School Manager Network”.
  3. In the Inspected field, type “accounts.google.com”. Then, select Website accounts.google.com from the list.
  4. (Optional) If you need to block access to personal Google accounts outside of school hours, including when the student is at home, go to Off School Manager Network. Select the MITM Enabled checkbox. Type “accounts.google.com” in Inspected.
  5. Go to the bottom-right of the window and select Save.

Removing a Custom Header

You can remove the Custom Header without deleting the filtering policy.

  1. Go to Filtering > Content Filtering and select the Edit icon (pencil).
  2. Select the Delete icon (bin) at the bottom of the Edit Policy window.
  3. Select Save Policy.  

Frequently Asked Questions

Which Google Apps does Custom Header work for?

When you filter and inspect the “google.com” domain, all of the Google Workspace Apps (including Gmail, Drive, Docs, Sheets, Slides, Forms, Sites) will be limited to users signing in with their school accounts. 

Do Custom Headers work with other Google sites that don’t have the Google domain?

Google does not apply your Custom Header to all of its extended apps. For example, the Blogger sign-in will return a user to the home page without displaying the message when the user tries to sign in with their personal account. Instead, we recommend you use your Google Workspace Administrator functions to turn off access to any additional Google apps or services. See https://support.google.com/a/answer/9050643
