

GAT Shield allows admins to set up a login rule for the domain users.

With this rule, users can log in only during a certain period of time.

Login control

In Shield, under Configuration, select Login Control.


Time window

Now select the time frame during which users will be allowed to log in. Outside the selected time frame, users will not be able to log in.


Login time window (from): set the start time, e.g. 0 0 9 ? * MON-FRI *

Login time window (to): set the finish time, e.g. 0 0 18 ? * MON-FRI *

This is the time window during which Shield-protected devices can log in to your domain. Inside this time window, users will be allowed to log in.

Outside the time window selected above, users will not be allowed to log in.

The times are set and built as Cron expressions. Choose your time frame and enter the corresponding expressions in the (from) and (to) fields.

In the case above: 0 0 9 ? * MON-FRI * (start at 9AM, Monday to Friday) and 0 0 17 ? * MON-FRI * (finish at 5PM, Monday to Friday).
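A from/to pair can be sanity-checked offline before it is saved. The following is an added example, not GAT Shield's own code: it assumes the seven fields are seconds, minutes, hours, day-of-month, month, day-of-week and year (which matches the reading of the expressions given above), that the window opens and closes on the same day, that the finish time itself is already outside the window, and that timestamps are in the time zone the rule is evaluated in. The function names are hypothetical.

```python
from datetime import datetime, time

DAYS = ["MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN"]  # index == datetime.weekday()

# The pair explained above on this page.
PAGE_FROM = "0 0 9 ? * MON-FRI *"
PAGE_TO = "0 0 17 ? * MON-FRI *"

def parse_daily_cron(expr):
    """Parse the form used on this page: sec min hour ? * DAYS *.

    Returns (time_of_day, set_of_weekday_indexes). Anything outside that
    subset is rejected rather than guessed at.
    """
    fields = expr.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {expr!r}")
    sec, minute, hour, dom, month, dow, year = fields
    if (dom, month, year) != ("?", "*", "*"):
        raise ValueError(f"only '? * <days> *' is handled here: {expr!r}")
    at = time(int(hour), int(minute), int(sec))  # ValueError if out of range
    days = set()
    for part in dow.upper().split(","):
        if part == "*":
            days.update(range(7))
            continue
        first, _, last = part.partition("-")
        lo, hi = DAYS.index(first), DAYS.index(last or first)  # unknown name -> ValueError
        if lo > hi:
            raise ValueError(f"wrap-around day range not handled: {part!r}")
        days.update(range(lo, hi + 1))
    return at, days

def login_allowed(when, window_from, window_to):
    """True if `when` is inside [from, to) on a day both expressions cover.

    Assumption: the finish time is exclusive (a login at exactly 17:00:00 is refused).
    """
    start, start_days = parse_daily_cron(window_from)
    end, end_days = parse_daily_cron(window_to)
    if start >= end:
        raise ValueError("window must open before it closes on the same day")
    return when.weekday() in (start_days & end_days) and start <= when.time() < end

if __name__ == "__main__":
    # Constructed sample timestamps: a Wednesday morning and a Saturday morning.
    for ts in (datetime(2024, 5, 15, 10, 30), datetime(2024, 5, 18, 10, 30)):
        print(ts, login_allowed(ts, PAGE_FROM, PAGE_TO))
```

A five-field crontab line such as `0 9 * * 1-5` is rejected by this check, which catches the common mistake of pasting a Unix-style expression into the (from) or (to) field.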

Setting options

Several additional options, listed below, can be applied on top of the selected time window.

  • Login area – Select an area outside of which Shield devices cannot log in to your domain.

For example, if you select the USA as the location, the rule will be triggered for users who try to log in from a location outside the USA (the same applies to any selected location).

  • Idle timeout [s] –  A period of idle time (in seconds) after which Shield will log the user’s device out of your domain.
  • ‘Hard’ logout – If this option is not selected, ‘soft logout’ is the default method. The user will just be logged out of the Google domain sessions on the device.
    If ‘hard logout’ is selected the user is logged out entirely from the device (Google domain sessions, personal sessions, Chrome, etc.)
  • Login Allowlist – If blank, GAT Shield will allow all users to log in to your domain from all networks; otherwise, only from the specified addresses.
    Use direct (eg. or network addresses (eg. All network addresses must end with a CIDR. Use a semicolon to separate addresses.
  • Login Allowlist exclusions – User(s) exclusions from the Allowlist. Overrides the above rule. Start typing for suggestions.

When the time window is selected, click Save for the rule to be applied.
By default, all users on your domain will be affected by the rule.
It might take some time for the rule to propagate to all users.

