Issue 707825

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




Restrict Apps Sign In

Reported by weaver.j...@gmail.com, Apr 3 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce the problem:
1. Open Local Group Policy Editor (gpedit.msc)
2. Set the restrict apps sign in policy to gmail.com, @gmail.com, and *@gmail.com (the other two were done for testing purposes)
3. Go to a Google app such as Gmail

What is the expected behavior?
It is supposed to only allow gmail.com accounts to access Google Apps

What went wrong?
I am the administrator of a non-domain computer and am trying to set a policy only allowing @gmail.com accounts to sign in to be able to use Google Apps. The policy applies but it then turns around and denies all Google accounts. I have it set to "@gmail.com" and it throws back the "I can't log in" error and says that it only accepts @gmail.com, but I am using @gmail.com.

Did this work before? N/A 

Chrome version: 57.0.2987.133  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: 25.0.0.127
 
Cc: kkaluri@chromium.org nyerramilli@chromium.org ligim...@chromium.org ajha@chromium.org
Amit/Kiran, can you give a try in the GPO environment?
Labels: Needs-Triage-M57
Cc: pastarmovj@chromium.org
Status: Untriaged (was: Unconfirmed)
Tried with below steps -

1. Enabled the policy and provided 'ettestchrome@gmail.com' (any test account) in Citrix server
2. In Client machine, try to login with other gmail ids (eg: testlaab@gmail.com or any other gmail id.)

Expected : It should accept and show the gmail inbox for testlaab@gmail.com

Actual : It is showing error message 'can't log in error and that it only accepts @gmail.com'

Note: Tried with gmail.com, xxxx@gmail.com and *@gmail.com - for all these options it is blocking all the gmail accounts.
Env: Chrome Stable # 57.0.2987.133, Win 7 (Client), Citrix server (Server machine)

pastarmovj@, could you please check this issue?


Labels: Enterprise-Triaged
Owner: blumberg@chromium.org
Blumberg for triage.
I was just wondering if there is any update for this just yet. I wanted to add that it still happens with the latest version.

Chrome version: 61.0.3163.100  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: 27.0.0.130
Cc: georgesak@chromium.org zmin@chromium.org
Owner: zmin@chromium.org
Status: Available (was: Untriaged)
+Owen who is working on this and may be able to offer guidance
Status: WontFix (was: Available)
I just tried "*@gmail.com" and "*@chromium.org" and both worked as intended. Make sure to add the * (star) before the @.

I'm closing this, please reopen if it's still not working.
Still doesn't work; here is the message I get. Screenshot attached.
not-working.PNG (193 KB)
If this can be reopened, that would be appreciated.
From your screenshot, this is not about signing into Chrome, but into Docs/Drive.

What policy are you setting exactly? I'm not aware of how that works, I was testing with RestrictSigninToPattern, which affects Chrome sign in only.
That was never the issue. The issue that I reported was for signing into Google Apps not Google Chrome. This is the policy in question since I reported the issue: AllowedDomainsForApps
Owner: igorcov@chromium.org
Status: Assigned (was: WontFix)
Understood, thanks for the clarification. I was not aware of that policy.

Reopening this bug and assigning it to igorcov@, who added this policy.
weaver.jarod0312, could you please specify what is showing when you access chrome://policy for the policy name: AllowedDomainsForApps?

I just checked with value = managedchrome.com accessing Google docs and had access as expected.

Details on how it is expected to work:
https://support.google.com/a/answer/1668854?hl=en
I also checked the options @managedchrome.com and *@managedchrome.com, both being denied. Seems like it needs to be only the domain name without any prefix.

georgesak@ Do you know who implemented this on server side? Would like to check if this is working as expected.
Cc: rogerta@chromium.org
Not sure, no.

Adding rogerta@, as he might know.
Agree with comment #14. According to the docs for this policy:

http://www.chromium.org/administrators/policy-list-3#AllowedDomainsForApps

The value should be a domain name.  So you don't need the * or the @ prefix.

Looking at the server side code, gmail.com should work.  Can you provide a network trace captured from chrome://net-internals ?

The domain I have set is gmail.com and I still get the error.

Also added from my chrome://net-internals in a txt file
error.PNG (80.8 KB)
net-internals.txt (153 KB)
It seems that only gmail.com doesn't work on this policy for some reason. It looks like any other domain works with this policy.
Thanks for the trace. This definitely looks like a bug on the server end.

I've forwarded this to the right team internally.

Will follow up here when I have more news.

Thanks.
I have confirmation that this is working as intended. That policy is only valid for G-Suite domains, and will not work for gmail.com.

I will update the documentation to reflect that.
Ok. If one were to request that get changed as a feature request, where would I go to request that feature change to allow it to work for gmail.com?
If you don't mind me asking, what's the use case for allowing only gmail accounts to login?

I'm trying to understand why this is useful/desirable and then I can relay that feature request to the right team.

Thanks.
Though I agree with georgesak, I would point out that the example on https://www.chromium.org/administrators/policy-list-3#AllowedDomainsForApps lists gmail.com as an example.
Screenshot 2017-10-13 at 12.05.24.png (63.4 KB)
Yes, and I'm planning on fixing this documentation error.
Personally, I have people complain to me that their Google account domain blocks certain Google apps and allows certain ones, and I tell those people to either request for the app to be unblocked or to just use a Gmail account. People don't listen and they keep complaining about it, which is why I want to turn around and only allow Gmail accounts, so that people stop complaining to me about their domains when I tell them to just use a Gmail account to not have basic app restrictions.
@25

Understood. However, I just validated with the backend folks and this is really working as intended and there are no plans to change the behavior, unfortunately.

I'm not closing this yet, as I still need to change the documentation to remove the gmail.com reference.
Project Member

Comment 27 by bugdroid1@chromium.org, Oct 18 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4f650e95b5e0526f0aa39800b1fa729af15b002e

commit 4f650e95b5e0526f0aa39800b1fa729af15b002e
Author: Georges Khalil <georgesak@chromium.org>
Date: Wed Oct 18 14:34:27 2017

Fix AllowedDomainsForApps documentation.

AllowedDomainsForApps documentation incorrectly stated that this policy would work for gmail.com, which is untrue.

Bug:  707825 
Change-Id: I1e0d415bd3ff0915628bd211ffa0a1561353b167
Reviewed-on: https://chromium-review.googlesource.com/723127
Commit-Queue: Georges Khalil <georgesak@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509765}
[modify] https://crrev.com/4f650e95b5e0526f0aa39800b1fa729af15b002e/components/policy/resources/policy_templates.json

Status: Fixed (was: Assigned)
Labels: Needs-Feedback
georgesak@ Could you please help us with the repro steps to verify the fix from the TE end?


Thank You...

Comment 30 by zmin@chromium.org, Oct 23 2017

crrev.com/4f650e95 is a documentation fix. There is no code behavior change.
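
Added example, not part of the issue thread or of Chromium's code: a small pre-deployment check for an AllowedDomainsForApps value that encodes the three findings from this thread (bare domain name only, `@` and `*@` prefixes are denied, gmail.com is not supported because the policy is only valid for G Suite domains). The function name and the comma-separated multi-domain format are assumptions of this example.

```python
import re

# Bare DNS name: dot-separated labels of letters, digits and inner hyphens.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Per the thread: the policy is only valid for G Suite domains, so the
# consumer domain gmail.com is rejected on the server side.
CONSUMER_DOMAINS = {"gmail.com"}


def lint_allowed_domains(value):
    """Return (entry, verdict, reason) for each entry of the policy value.

    Assumption of this example: several domains are configured as one
    comma-separated string.
    """
    findings = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        name = entry.lower()
        if "@" in name or "*" in name:
            # Pattern syntax belongs to RestrictSigninToPattern, not this policy.
            bare = name.rsplit("@", 1)[-1].lstrip("*.")
            findings.append(
                (entry, "error", f"pattern syntax is denied; use the bare domain '{bare}'")
            )
        elif not _DOMAIN_RE.match(name):
            findings.append((entry, "error", "not a valid domain name"))
        elif name in CONSUMER_DOMAINS:
            findings.append(
                (entry, "error", "consumer domain; policy only works for G Suite domains")
            )
        else:
            findings.append((entry, "ok", "bare domain name"))
    return findings


if __name__ == "__main__":
    # Constructed input: the three values from the report plus a G Suite domain.
    for finding in lint_allowed_domains("gmail.com, @gmail.com, *@gmail.com, managedchrome.com"):
        print(finding)
```

Running the check before pushing the policy, then confirming the applied value under chrome://policy, separates a malformed value from the server-side gmail.com rejection discussed above.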
