Limiting Users’ Access to Google Personal Accounts

Custom Header Injections

You can use a Custom Header Injection to stop students from logging into their personal Google accounts during school time while allowing them access to your school’s Google Workspace. A Custom Header Injection works through devices running Linewize Connect by using Man In The Middle (MITM) to inject your school’s domain(s) into Google Workspace URLs. Google receives your injected string and only allows users to login with their school account.

To get started, add or update one of your Google filtering policies to include the “Custom Header” function. Save the filtering policy, then add the Google domains to your MITM configuration in the Mobile Agent menu. Anytime Linewize Connect opens a Google Workspace app (like Gmail, Google Drive, Google Sheets or YouTube), your login instructions are sent to Google.

If the user logs in with an account in the school domain(s) you specified, Google will allow the user to complete the login. However, if your user tries to login with an account from a domain you did not specify, like a personal Gmail account, Google will stop the login and display a message to your user, "This account is not allowed to sign in within this network."

Before You Start

1. Ensure Linewize Connect is installed on your students’ devices (Linewize Connect is not available on Android devices) or BYOD with Family Zone Connect installed by a parent.
2. Note your Google domain and subdomains as displayed in your school's Gmail or Google Workspace.
3. Be familiar with any of your existing content filtering policies that Allow your users to access your school’s or district’s Google domain and subdomains.

Enabling the Custom Header

Enabling Custom Header Injection is a two-step process:

1. Creating a Custom Header Rule
2. Enabling Man In The Middle

1. Creating a Custom Header Rule

In this example, you’ll stop all users from accessing personal Google accounts on your school’s network while letting them access your school’s Google account. You’ll do this by creating a new Allow policy with a Custom Header.

1. Go to Filtering > Content Filtering and select Create Policy.

2. Type a descriptive title into Name.

3. Enter "google.com" in Type. Select "Website google.com" when it is displayed.

4. Click Action and select Accept.

5. (Optional) Select Locked Rule if:

   • You do not want other policies to override this policy.

   • You want to stop teachers from giving students an override code to access personal email and files. See Bypass Code.

   • You need to separate education and personal logins before other Locked policies take effect.

6. Select + Add Custom Header.

7. Type “X-GoogApps-Allowed-Domains” in Name. Next, type your school’s domain or subdomain as it appears in your school's Google Workspace accounts into Value.

   Caution

   Make sure to spell your domain names exactly as configured in your Google Administrator settings. If you have a misspelling, you will lock all users out of their Gmail and Google Workspace apps until you fix the rule. See the Google help article https://support.google.com/a/answer/54693 

   • Do not add a leading dot before the domain name. Start with the characters.

   • If you have multiple domains, add the domains separated by a comma and space. 

   • Do not add a trailing comma after the last domain.

8. Select the save icon (disk).

9. Verify your Custom Header is displayed as saved on a gray row. Select the SAVE button for this policy.

10. Find your policy. An unlocked new policy will be displayed at the bottom of the list. A Locked new policy will be displayed as the last item in Locked policies. Drag your policy:

    • Below the Locked policies, unless your policy is also Locked and should be filtered before another Locked policy

    • Below any Block policies applying to Google products, for example, below a policy blocking YouTube

    • Above any Allow policies granting users access to any Google apps

11. Select the toggle to Enable your Policy. The toggle will be displayed in green when enabled.

12. Continue to the next section to enable the Mobile Agent (Linewize Connect) to configure Man In The Middle (MITM) to inspect the Google web apps.

(Optional) Filtering Multiple Google Domains

Different groups in your school may need access to different school Google domains. You can add multiple Google Workspace applications to the Allow > Website in a Filter Policy as long as the Custom Header Value is the same. Your policy needs to allow the subdomain for the Google product. Replace the example domains, “school.edu” and “district.edu”, with your actual domain name.

If your school uses more than one domain, use a Website Filter. Separate the domains by a comma and space.

If your Gmail has a different domain from your Google Workspace , add another Custom Header for the Google Apps.

If your school uses subdomains to limit access by type of user to specific Google Apps, add a Custom Header for the subdomain. For example, you allow your staff and teachers to login to personal accounts in Google Groups, but want your other Google filtering to apply.

For more specifics on how to work with Google to block access to consumer accounts, see https://support.google.com/a/answer/1668854. 

2. Enabling MITM for Mobile Agents

After you create the filtering policy, you need to tell Linewize Connect to monitor your users’ devices for attempts to access Google accounts.

1. Go to Configuration > Mobile Agent. 
2. Ensure the MITM Enabled checkbox is selected for “On School Manager Network”.
3. In the Inspected field, type “accounts.google.com”. Then, select Website accounts.google.com from the list.
   Repeat the above step but type “mail.google.com”, then select Website mail.google.com from the list.
4. (Optional) If you need to block access to personal Google accounts outside of school hours, including when the student is at home, go down the page to Off School Manager Network. Select the checkbox next to MITM Enabled. Type “accounts.google.com” and "mail.google.com" in Inspected.
5. Go to the bottom-right of the window and select SAVE.

Removing a Header Injection

You can remove the Customer Header without deleting the filtering policy.

1. Go to Filtering > Content Filtering and select the edit icon (pencil).
2. Select the delete icon (trash can) at the bottom of the Edit Policy window.
3. Select Save Policy.  

Frequently Asked Questions

Which Google Apps does Custom Header Injection work for?

When you filter and inspect the “google.com” domain, all of the Google Workspace Apps (including Gmail, Drive, Docs, Sheets, Slides, Forms, Sites) will be limited to users logging in with their school accounts. 

Google does not apply your Custom Header Injection function to all of their extended apps. For example, the Blogger login will return a user to the home page without displaying the message when the user tries to sign in with their personal account. Instead, we recommend you use your Google Workspace Administrator functions to turn off access to any additional Google apps or services. See https://support.google.com/a/answer/9050643