GAT Shield allows admins to set up a Login Control rule for users of their domain. By setting up this rule, admins can control whether users can log in to their domain or not.
It works by blocking users from logging in to your domain at certain times (Login time window from/to) or from outside a login area.
This type of Login control can be set up from the GAT Shield console.
1. Login control
Navigate to Shield → Configuration → Login Control
2. Select Filters
In the Login Control settings, pick the Time window or Login Area filter that will restrict when or from where users can log in to your domain.
3. Time window
Fill in the details and select the times at which users will be allowed to log in to the domain (using domain credentials).
- Login time window (from) – pick the start time from which users will be allowed to log in
- Login time window (to) – pick the end time after which the users will not be allowed to log in
By selecting the TIME FRAME where users will be ALLOWED to log in, users will not be able to log in outside the scope of the selected time.
- The daytime selector can be used to select any day and any time of the day when users are allowed to log in.
- Select the ‘arrow’ button to add more intervals on that particular day.
- The option to check against the user’s timezone can also be toggled to apply the rule according to the user’s local timezone.
There is also an option for time window configuration using a Cron expression.
- Login time window (from) – set the start time: 0 0 9 ? * MON-FRI *
- Login time window (to) – set the finish time: 0 0 17 ? * MON-FRI *
Users will not be allowed to log in outside the selected time window above.
The times are set and built as Cron expressions. Select your time frame and place it in the fields (from) and (to).
An example of cron settings: 0 0 9 ? * MON-FRI * (start from 9 AM, Monday to Friday), 0 0 17 ? * MON-FRI * (finish at 5 PM, Monday to Friday).
Login Area
Select an area outside of which Shield devices cannot log in to your domain.
Clicking on the “select area” button will show a map where you can pick the location you need.
*Note: Users from OUTSIDE the selected area will not be able to log in to the domain.
Idle timeout (s)
A period of idle time (in seconds) after which Shield will log the user’s device out of your domain. Maximum value is 15 minutes / 900 [s].
Setting options
- ‘Hard’ logout – If this option is not selected, ‘soft logout’ is the default method: the user will just be logged out of the Google domain sessions on the device. If ‘hard logout’ is selected, the user will be logged out entirely from the device (Google domain sessions, personal sessions, Chrome, etc.).
- Login Allowlist – If blank, GAT Shield allows all users to log in to your domain from all networks; otherwise logins are allowed only from the specified addresses. Use direct addresses (e.g. 188.8.131.52) or network addresses (e.g. 184.108.40.206/8). All network addresses must end with a CIDR suffix. Use a semicolon to separate addresses.
- Login Allowlist exclusions – User(s) exclusions from the allow list. Overrides above rule. Start typing for suggestions.
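A pre-flight check for a Login Allowlist string before it is pasted into the console, given here as an added example that is not GAT Shield's own code. It assumes the semicolon-separated format described above; the sample addresses are constructed, the function names are hypothetical, and how Shield itself treats malformed entries or host bits is not stated on this page.

```python
import ipaddress

# Constructed sample input (documentation address ranges), not from the page.
SAMPLE = "192.0.2.10; 198.51.100.0/24; 203.0.113.77/24; 10.0.0.0/33"

def parse_allowlist(raw):
    """Split a semicolon-separated allowlist into networks plus a list of problems."""
    networks, problems = [], []
    for entry in filter(None, (e.strip() for e in raw.split(";"))):
        try:
            # ip_interface accepts both a direct address and address/prefix.
            iface = ipaddress.ip_interface(entry)
        except ValueError as exc:
            problems.append(f"{entry}: invalid ({exc})")
            continue
        if iface.ip != iface.network.network_address:
            # Entry is a host address with a prefix; the rule covers the whole range.
            problems.append(f"{entry}: host bits set, range is {iface.network}")
        networks.append(iface.network)
    return networks, problems

def login_allowed(client_ip, networks):
    """Model of the documented rule: a blank list allows all networks,
    otherwise only the listed ranges. Treat any reported problem as fatal
    before relying on this result (assumption of this example)."""
    if not networks:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)

def covered_addresses(networks):
    """Total addresses admitted by the list; a large number means a broad rule."""
    return sum(
        net.num_addresses
        for version in (4, 6)
        for net in ipaddress.collapse_addresses(
            [n for n in networks if n.version == version])
    )

if __name__ == "__main__":
    nets, problems = parse_allowlist(SAMPLE)
    for p in problems:
        print("WARNING:", p)
    print("ranges:", [str(n) for n in nets])
    print("addresses admitted:", covered_addresses(nets))
    print("203.0.113.5 allowed:", login_allowed("203.0.113.5", nets))
```

The address count is worth reading before saving a rule: a single /8 entry admits more than 16 million addresses.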
Scope – users affected
- Scope – Rule recipients. If no value is specified, all domain users are affected. If any value is specified, any user who meets the criteria is affected.
These settings allow you to enforce policies to prevent or allow access to your Google Workspace domain by clients with Shield devices, using a number of criteria.
It may take a while for settings to propagate to all GAT Shield Chrome extensions.
When Login Control is enabled for a time frame or Login Area, users will not be able to log in using their domain credentials; they will receive the message below.
Login to Google services has been blocked at this time.