cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
jebeling
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 1 of 3
‎08-15-2018 11:51 AM

How Do You Implement GSuite Tenant Restrictions?

Jump to solution

Google has published an article here: Google Support Article on Implementing Tenant Restrictions that states you need a proxy that can:

  1. Decrypt SSL
  2. Insert headers

McAfee Web Gateway supports both of these features.

From the above article:

"As an administrator, you may want to prevent users from signing in to Google services using any accounts other than the accounts you provided them with. For example, you may not want them to use their personal Gmail accounts or a managed Google account from another domain.

A common means of blocking access to web services is using a web proxy server to filter traffic directed at particular URLs. This approach won’t work in this case, because legitimate traffic from a user’s managed Google account goes to the same URL as the traffic you want to block.

To only allow users to access Google services using specific Google accounts from your domain, you need the web proxy server to add a header to all traffic directed to google.com; the header identifies the domains whose users can access Google services. Since most traffic through your Google service is encrypted, your proxy server also needs to support SSL interception. (See below for a list of proxy servers known to support both SSL interception and HTTP header insertion.)"

McAfee Web Gateway (MWG) is on the list and by extension McAfee Web Gateway Cloud Service (WGCS) also supports the necessary features if operated in a hybrid mode where WGCS policy is managed by MWG.

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution and/or Kudo my reply so we can help other community participants?
0 Kudos
Reply
1 Solution

Accepted Solutions
jebeling
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 3
‎08-16-2018 07:10 AM

Re: How Do You Implement GSuite Tenant Restrictions?

Jump to solution

Please see KB article 72538

SSL scanning must be enabled at least for the google login sites.

This is available with all currently supported versions of MWG and is supported in the cloud via WGCS if policy is managed by MWG.

The KB article references Google mail but covers all google services that require login.

From the Google support article:

"Users attempting to access Google services from an unauthorized account will see a web page describing the unavailable service, the unauthorized account they're using, the domains where the service is unavailable, and a suggestion that they contact a network administrator for more information and sign out of their unauthorized account and sign in with an authorized account.

Note: This approach blocks sign-in access to Google consumer services other than Google Search, but does not necessarily prohibit anonymous access.

Google does not maintain a list of blocked services. If a particular service requires login, access will be blocked. Services which do not require authentication, such as Google Search and YouTube will not be blocked."

 

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution and/or Kudo my reply so we can help other community participants?

View solution in original post

0 Kudos
Reply
2 Replies
jebeling
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 3
‎08-16-2018 07:10 AM

Re: How Do You Implement GSuite Tenant Restrictions?

Jump to solution

Please see KB article 72538

SSL scanning must be enabled at least for the google login sites.

This is available with all currently supported versions of MWG and is supported in the cloud via WGCS if policy is managed by MWG.

The KB article references Google mail but covers all google services that require login.

From the Google support article:

"Users attempting to access Google services from an unauthorized account will see a web page describing the unavailable service, the unauthorized account they're using, the domains where the service is unavailable, and a suggestion that they contact a network administrator for more information and sign out of their unauthorized account and sign in with an authorized account.

Note: This approach blocks sign-in access to Google consumer services other than Google Search, but does not necessarily prohibit anonymous access.

Google does not maintain a list of blocked services. If a particular service requires login, access will be blocked. Services which do not require authentication, such as Google Search and YouTube will not be blocked."

 

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution and/or Kudo my reply so we can help other community participants?

View solution in original post

0 Kudos
Reply
Tom-Watson
Level 8
Report Inappropriate Content
Message 3 of 3
‎01-09-2020 08:22 AM

Re: How Do You Implement GSuite Tenant Restrictions?

Jump to solution

That KB article seems to have been removed. We only referred to it last month and implemented its recommendations successfully. I was showing a colleague as part of some knowledge transfer though 😞

Do you know if it will be re-instated? Seems crazy to be missing.

Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC