How do I control access to Google consumer apps?

You can configure the service to allow users to access Gmail and other Google apps from your organization's domains only.  For example, you can allow users to sign in to their Gmail corporate accounts, but block them from signing in to their personal Gmail accounts.

The service intercepts any (or associated Google app) request and adds the HTTP header X-GoogApps-Allowed-Domains, which identifies the domains from which users can access Google services. This prevents users from accessing Gmail and other Google apps from other domains.

This feature does not affect Google apps that do not require users to sign in, such as Google search. But a user who signs in from Google search with an account that is not whitelisted will be blocked.

For additional information from Google, see

Do the following to use this feature:

  1. Enable SSL inspection.
  2. Enable this feature as follows:
    • Go to Policy > URL & Cloud App Control.
    • Go to the Advanced Policy Settings tab.
    • In the Allowed Domains for Google Apps field, type in corporate domains from which your users can access Gmail and other Google apps and click Add Items.
  3. Click Save and activate the change.