A medium-effort workaround for this issue would be to have different subdomains for each user group.

For example, let's say you wanted to limit sign-in to users at a school.  Your domain is "example.edu."  You have a school named "High School" and a school named "Middle School."  Set up subdomains "hs.example.edu" and "ms.example.edu," and rename users to match these domains respectively (this can be done quickly via the API or third party tools).  

Now, you would limit the devices at the High School to allow sign-in for "*@hs.example.edu" and only the high school students will be able to log in.

Hope this can help in the meantime before a fix can be put in place.

The other benefit of this setup is you can setup email routing rules so students cannot email students at other schools, just their own.

Thank you for the suggestion.  I'm actually looking to be able to restrict a single student if needed.  More along the lines of losing a privilege for a period of time.

I'm trying to understand your use case.  Are you saying that you'll have your students in a Group called "Students" and remove one student to remove their login privileges?

You could also either suspend their account (so they cannot login anywhere), or disable the Chrome device (assuming a 1:1 deployment).  

I've personally had success using our web filter extension to whitelist a student or completely remove browsing privileges.

That all said, for the "Restrict Sign-in to list of users:" field, you can use wildcards.  So if your domain is example.org, you can restrict sign in to "*@example.org" and that will allow all users on your domain to sign in, so you don't have to enter each user in manually.

We're not 1:1.  Only used in school.

Student misuses Chromebook.  Student loses privilege to use Chromebook.  Don't want to rely on a list teachers have to look at to make sure who can and cannot use a Chromebook. Don't want students to lose use of email.

We have other workstations that students are less than thrilled to use so this forces them to only use those.

Assigning to Drew to find somebody to check this.

Max, reassigning to you as a feature request - they would like to be able to restrict signin to a group of users, rather than relying on our regex.

bulk-edit of Unconfirmed feature requests

I'd also like to see this feature.

This feature would be useful for my district because we want to allow only 1:1 students to use 1:1 chromebooks. We don't want a sibling to log into a 1:1 student's chromebook at home and be possibly unfiltered. Defining this with groups or OUs would be the best way to do this for us.

Hello Team,

Good day! I also have a customer (domain name: rimsd.k12.ca.us; case no: 18057731) with the similar situation wherein he needs to block access to a single user based on a specified OU on a device level setting. This would be really beneficial if we can organize certain groups for Sign-in Restrictions instead. Just wanted to know if there are there any ETAs for this? Thanks!