Contact UsContact Us

Limiting Users’ Access to Google Personal Accounts using School Manager

This article is intended for IT support.

You can use a Custom Header Injection to stop students from logging into their own personal Google accounts during school time while allowing them access to your school’s Google Workspace. A Custom Header Injection works through devices running Linewize Connect by using Man In The Middle (MITM) to inject your school’s domain(s) into Google Workspace URLs. Google receives your injected string and only allows users to login with their school account.

To get started, add or update one of your Google filtering rules to include the “Custom Header” function. Save the filtering rule, then add the Google domains to your MITM configuration in the Mobile Agents menu. Anytime Linewize Connect opens a Google Workspace app (like Gmail, Google Drive, Google Sheets or YouTube), your login instructions are sent to Google. 

If the user logs in with an account in the school domain(s) you specified, Google will allow the user to complete the login. However, if your user tries to login with an account from a domain you did not specify, like a personal Gmail account, Google instead stops the login and displays a message to your user, "This account is not allowed to sign in within this network.

  

Before You Start

Important

Contact Linewize Support if you already have multiple filtering rules for blocking Google products. Our support team can help you set up your Custom Header Injection so it will not conflict with the other Google filtering rules.  

  1. Ensure Linewize Connect is installed on your students’ devices (Linewize Connect is not available on Android devices) or BYOD with Family Zone Connect installed by a parent.
  2. Note your Google domain and subdomains as displayed in your school's Gmail or Google Workspace.
  3. Be familiar with any of your existing content filtering rules that Allow your users to access your school’s or district’s Google domain and subdomains.

Enabling the Custom Header

Enabling Custom Header Injection is a two-step process:

  1. Creating a Custom Header Rule
  2. Enabling Man In The Middle


1. Creating a Custom Header Rule

In this example, you’ll stop all users from accessing personal Google accounts on your school’s network while letting them access your school’s Google account. You’ll do this by creating a new Allow rule with a Custom Header.

Tip

If you already have a rule Allowing your school’s Google domain, you don’t have to create a new rule. You should edit the existing rule instead, following steps 6 through 12.

  1. Go to Filtering > Content Filtering and select ADD RULE.

  2. Type a descriptive title into Name.

  3. Enter "google.com" in Type. Select "Website google.com" when it is displayed.

  1. Click Action and select Accept.

  2. (Optional) Select Locked Rule if:

    1. You do not want other rules to override this rule.

    2. You want to stop teachers from using Classwize to give students an override code to access personal email and files.

    3. You need to separate education and personal logins before other Locked rules take effect.

  3. Select + Add Custom Header.

  4. Type “X-GoogApps-Allowed-Domains” in Name. Next, type your school’s domain or subdomain as it appears in your school's Google Workspace accounts into Value.

    Caution

    Make sure to spell your domain names exactly as configured in your Google Administrator settings. If you have a misspelling, you will lock all users out of their Gmail and Google Workspace apps until you fix the rule. See the Google help article https://support.google.com/a/answer/54693 

    • Do not add a leading dot before the domain name. Start with the characters.

    • If you have multiple domains, add the domains separated by a comma and space. 

    • Do not add a trailing comma after the last domain.

  5. Select the save icon (disk).

  6. Verify your Custom Header is displayed as saved on a gray row. Select the SAVE button for this rule.

  7. Find your rule. An unlocked new rule will be displayed at the bottom of the list. A Locked new rule will be displayed as the last item in Locked rules. Drag your rule: 

    • Below the Locked rules, unless your rule is also Locked and should be filtered before another Locked rule

    • Below any Block rules applying to Google products, for example, below a rule blocking YouTube

    • Above any Allow rules granting users access to any Google apps

  1. Select the toggle to Enable your Rule. The toggle will be displayed in green when enabled.

  1. Continue to the next section to enable the Mobile Agent (Linewize Connect apps, agents, and extension) to configure Man In The Middle (MITM) to inspect the Google web apps.

  

(Optional) Filtering Multiple Google Domains

Different groups in your school may need access to different school Google domains. You can add multiple Google Workspace applications to the Allow > Website in a Filter Rule as long as the Custom Header Value is the same. Your rule needs to allow the subdomain for the Google product. Replace the example domains, “school.edu” and “district.edu”, with your actual domain name.


Caution

Make sure to spell your domain names exactly as configured in your Google Administrator settings. If you have a misspelling, you will lock all users out of their Gmail and Google Workspace apps. See the Google help article https://support.google.com/a/answer/54693 

If your school uses more than one domain, use a Website Filter. Separate the domains by a comma and space.

Filter > Allow > Website

Custom Header Name

Example Value

google.com

X-GoogApps-Allowed-Domains

yourschool.edu, yourdistrict.edu

If your Gmail has a different domain from your Google Workspace , add another Custom Header for the Google Apps.

Filter > Allow > Website

Custom Header Name

Example Value

docs.google.com, sheets.google.com

X-GoogApps-Allowed-Domains

schoolapps.edu 

If your school uses subdomains to limit access by type of user to specific Google Apps, add a Custom Header for the subdomain. For example, you allow your staff and teachers to login to personal accounts in Google Groups, but want your other Google filtering to apply.

Filter > Allow > Website

Custom Header Name

Example Value

groups.google.com

X-GoogApps-Allowed-Domains

staff.yourschool.edu 

For more specifics on how to work with Google to block access to consumer accounts, see https://support.google.com/a/answer/1668854

  

2. Enabling MITM for Mobile Agents

After you create the filtering rule, you need to tell Linewize Connect to monitor your users’ devices for attempts to access Google accounts.

  1. Go to Configuration > Mobile Agent
  2. Ensure the MITM Enabled box is checked for “On School Manager Network”.
  1. In the Inspected field, type “accounts.google.com”. Then, select Website accounts.google.com from the list.
    Repeat the above step but type “mail.google.com”, then select Website mail.google.com from the list
  1. (Optional) If you need to block access to personal Google accounts outside of school hours, including when the student is at home, go down the page to Off School Manager Network. Select the MITM Enabled checkbox. Type “acounts.google.com” and "mail.google.com" in Inspected.
  1. Go to the bottom-right of the window and select SAVE.

 

Removing a Header Injection

You can remove the Customer Header without deleting the filtering rule.

  1. Go to Filtering > Content Filtering and select the edit icon (pencil).
  1. Select the delete icon (trash can) at the bottom of the Edit Rule window.
  1. Select SAVE.

  

Frequently Asked Questions

Which Google Apps does Custom Header Injection work for?

When you filter and inspect the “google.com” domain, all of the Google Workspace Apps (including Gmail, Drive, Docs, Sheets, Slides, Forms, Sites) will be limited to users logging in with their school accounts. 

Google does not apply your Custom Header Injection function to all of their extended apps. For example, the Blogger login will return a user to the home page without displaying the message when the user tries to sign in with their personal account. Instead, we recommend you use your Google Workspace Administrator functions to turn off access to any additional Google apps or services. See https://support.google.com/a/answer/9050643