Block access to consumer accounts and services while allowing access to Google Apps for your organization


Michael T. Bendorf

Feb 13, 2012, 12:56:05 PM2/13/12
to google-ed...@googlegroups.com, k12ap...@googlegroups.com
Sorry for the cross-post but I tend to get great engagement from the google apps lists when asking google-related questions: imagine that!!

Is anyone doing this?

I did block access to standard GMail accounts when it was a simpler process, but with the Google Plusification of Everything, this has become a bit trickier (in short, they took the "/a" out of the URL for apps domains.)

I was asked if we could block personal GMail accounts, primarily because we have decided to remove Chat for all of our students and so they have been signing into their personal GMail accounts to chat during class. This is some of the response I sent to the inquiring teacher:

======

In short: we used to be able to, but not any more.

As Google has been rolling out new services and the way they integrate into each other, the old method no longer works.

There is a potential solution that exists, but it requires a lot of overhead and maintenance to implement. I have read briefly about it, but I have not mastered the procedure, nor do we have the personnel to locally manage client security certificates on every device using the proxy.

If this becomes such an issue that classroom management, policies, and enforcement are insufficient to maintain a quality learning environment, then it will become necessary to implement a technological solution. I hope to be able to implement one over the summer in any case. But as it stands right now, this is not as simple as it used to be.

If you are interested in learning more, google search is your friend. Be sure to consider information posted most recently (posted since the removal of the "/a" from the url of apps accounts.) Here is a good place to start:

http://support.google.com/a/bin/answer.py?hl=en&answer=1668854 


======

Here is the referenced article (not sure how formatting will come through email):

Block access to consumer accounts and services while allowing access to Google Apps for your organization

Short answer: To block access to some Google accounts and services while allowing access to your Google Apps accounts, you need a web proxy server that can perform SSL interception and insert HTTP headers.

As an administrator, you may want to prevent users from signing in to Google services using any accounts other than the accounts you provided them with. For example, you may not want them to use their personal Gmail accounts or a Google Apps account from another domain.

A common means of blocking access to web services is using a web proxy server to filter traffic directed at particular URLs. This approach won’t work in this case, because legitimate traffic from a user’s Google Apps account goes to the same URL as the traffic you want to block.

To only allow users to access Google services using specific Google accounts from your domain, you need the web proxy server to add a header to all traffic directed to google.com; the header identifies the domains whose users can access Google services. Since most Google Apps traffic is encrypted, your proxy server also needs to support SSL interception. (See below for a list of proxy servers known to support both SSL interception and HTTP header insertion.)

To prevent users from signing in to Google services using Google accounts other than those you explicitly specify:

  1. Route all traffic outbound to google.com through your web proxy server(s).

  2. Enable SSL interception on the proxy server.

    Since you will be intercepting SSL requests, you will probably want to manage client certificates on every device using the proxy, so that the user’s browser does not issue warnings for the requests.

  3. For each google.com request:

    a. Intercept the request. 

    b. Add the HTTP header X-GoogApps-Allowed-Domains, whose value is a comma-separated list with allowed domain name(s). Include the domain you registered with Google Apps and any secondary domains you might have added.

    For example, to allow users to sign in using accounts ending @altostrat.com and tenorstrat.com, create a header with the name X-GoogApps-Allowed-Domains and this value:
    altostrat.com, tenorstrat.com

    You may also want to create a proxy policy to prevent users from inserting their own headers.


Users attempting to access Google services from an unauthorized account will see this web page:

Notes

  • This approach blocks sign-in access to Google consumer services other than Google Search, but does not necessarily prohibit anonymous access.

  • With this header present you will be unable to explicitly allow access for any accounts that are consumer based (@gmail.com) or a Google Apps Team Edition domain. When using the header you are only able to specify verified Google Apps domains in the list of allowable domains.

Specific configuration instructions provided by proxy server providers

I like to leave things as open as possible but I need some opinions on this.


--Michael T. Bendorf--
Technology Administrator
A-C Central C.U.S.D. #262
http://www.a-ccentral.com
Google Voice: 217.408.0043
Skype Name: bendorfm

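Step 3 of the quoted article (add the X-GoogApps-Allowed-Domains header to every intercepted google.com request, and keep users from supplying their own copy of it) is the part a proxy plugin or rule actually has to get right. The following is an added example, not code from the original post, from Google, or from any proxy vendor: it expresses that per-request policy as a plain Python function that a hypothetical proxy hook would call after SSL interception. The header name and the sample domains altostrat.com and tenorstrat.com come from the article; the function names, the label-wise host matching, and the refusal to list gmail.com in the allowed set (the article's note that only verified Google Apps domains may appear there) are this example's own assumptions.

```python
"""Header-insertion policy for a "block consumer Google accounts" proxy.

Added example, not part of the original post. The proxy hook interface
(a host string plus a list of (name, value) header pairs) is assumed.
"""
from typing import Iterable, List, Tuple

HEADER = "X-GoogApps-Allowed-Domains"  # header name from the article

# Assumption: destinations the proxy treats as "google.com traffic".
# Matching is done on whole DNS labels so that "notgoogle.com" is excluded.
GOOGLE_HOSTS = ("google.com",)

# Consumer domains the article says cannot be allowed via this header.
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com"}


def is_google_host(host: str, suffixes: Iterable[str] = GOOGLE_HOSTS) -> bool:
    """True when host is google.com or a subdomain of it (port/trailing dot ignored)."""
    name = host.lower().split(":")[0].rstrip(".")
    for suffix in suffixes:
        suffix = suffix.lower()
        if name == suffix or name.endswith("." + suffix):
            return True
    return False


def validate_allowed(allowed: Iterable[str]) -> List[str]:
    """Normalise the administrator's domain list; refuse empty or consumer entries."""
    cleaned = []
    for domain in allowed:
        domain = domain.strip().lower().rstrip(".")
        if not domain:
            raise ValueError("empty domain in allowed list")
        if domain in CONSUMER_DOMAINS:
            raise ValueError(f"{domain} is a consumer domain and cannot be allowed")
        cleaned.append(domain)
    return cleaned


def apply_allowed_domains(
    host: str, headers: List[Tuple[str, str]], allowed: Iterable[str]
) -> List[Tuple[str, str]]:
    """Return the request headers the proxy should forward upstream.

    For google.com destinations: drop every client-supplied copy of the header
    (the article's "proxy policy to prevent users from inserting their own
    headers") and append exactly one copy carrying the administrator's list.
    Requests to other destinations are forwarded untouched.
    """
    if not is_google_host(host):
        return list(headers)
    value = ", ".join(validate_allowed(allowed))  # "altostrat.com, tenorstrat.com"
    kept = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
    kept.append((HEADER, value))
    return kept


if __name__ == "__main__":
    # Constructed sample requests, as a proxy would see them after SSL interception.
    policy = ["altostrat.com", "tenorstrat.com"]
    samples = [
        ("mail.google.com:443", [("Host", "mail.google.com")]),
        # A user trying to smuggle in their own copy of the header:
        ("accounts.google.com", [("Host", "accounts.google.com"), (HEADER, "gmail.com")]),
        ("notgoogle.com", [("Host", "notgoogle.com")]),
    ]
    for host, hdrs in samples:
        print(host, "->", apply_allowed_domains(host, hdrs, policy))
```

The two details worth noticing are that the client's own X-GoogApps-Allowed-Domains header is removed rather than merged (otherwise a user could widen the list the proxy sends), and that host matching is on whole labels, so a lookalike such as notgoogle.com does not pick up the header by accident.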
