Google Workspace - Allow sign-in only from Work profile or company-owned devices

Hi all,
Our Google Workspace domain is set up for only allowing two methods to access corporate data from a mobile device:

  1. Company-owned device
  2. Work profile on BYOD

In Glide, as far as I can understand, the sign-in limit is per domain (Sheet called “whitelist” with just one value “@domainname”). This means that our users would be able to sign into the Glide app from any device, as long as they provide an email address with the correct domain (and of course their password and 2SV).
How can we limit it so that they can only sign in using the two methods listed above?

Thanks

Assuming that you’re talking about a Private Pro app, and you’re using the Email Whitelist (Limit Access to emails in sheet) Sign In option, then what controls whether or not any given user can sign into the app is purely whether or not their email address exists in the whitelist.

Note that these are specific email addresses, not an email domain. As far as I am aware, there is no way to restrict access to an app to a specific email domain. But of course, that doesn’t really matter, because if you don’t want users from outside your domain to be able to access the app, then don’t add them to the whitelist.

You also seem to be asking if it is possible to restrict sign in by Google authentication only. Again, I don’t think that is possible. Once a user has access to the app (i.e. their email is on the whitelist), they can choose their authentication option. They can use Google (if it’s enabled), or use the email PIN method.

Does that help answer your questions?

1 Like

Hi,
Domain whitelisting seems possible, as detailed here.
Indeed, my question was about a somewhat stricter level of whitelisting. I’d like to make sure we can control the level of security of the device from which they sign in, which brings us to the two methods I listed in my original question. Too bad it’s not supported.
If there’s another way to enhance security, in addition to domain whitelisting, I’d be more than happy to hear about it.
I have now added a feature request in this regard.
Thanks!

1 Like

Well, I stand corrected. I was never aware of that. Whilst I’ve learned to never doubt any advice that comes from Jeff, I’m definitely going to test this.

Okay, so I just tested this and I haven’t been able to get it to work.

I started by testing with an existing app. I reconfigured it as Jeff described and then tried logging in, using Google authentication. After the authentication process, I just got the spinning loading icon and the app never actually loaded.

I tried again by creating a new app from scratch…

  • Configured User Profiles
  • Upgraded the app to Private Pro
  • Set Privacy as Limit to Emails in sheet
  • In the whitelist sheet, I just added a single row in the email column in the form @domain.com
  • Published the app, and tried logging in using an account from that domain

Same result. After authenticating, I just got the spinning loader and the app never finished loading.

So at the very least, I would advise testing this yourself before relying on it.

@Jeff_Hager - any ideas? Have you ever tested/verified this behaviour yourself?

Update: I also tested using the PIN method. After entering the email address, the “Sending Pin” button appears, but it gets stuck there, and the PIN never arrives.

Based on this conversation with @david I don’t know… At the time I observed the ability to whitelist an entire domain and I know it had been available as an option (at least for a while) and worked just fine, but David said it was not possible. Since then it was never clear to me what was true or not. That was also during the time of the legacy apps and old plans, so who knows. I had conflicting information and if the CEO tells me ‘no’, then I guess I can’t argue that, so I stayed out of it and never suggested one way or another after that.

2 Likes

Thanks @Darren_Murphy and @Jeff_Hager.
I must say, I’m deeply disappointed with myself for not ticking these boxes when I first evaluated Glide as a solution for my corporate clients. It’s clearly not there (yet?).
I’ve piggybacked this feature request with some rather strong words. They’re truly said out of frustration that such a wonderful system is lacking such basic features.

I didn’t say domain whitelisting wasn’t possible, I said it wasn’t supported.

I think it’s technically still available and it actually works. I’ll review with the team to move it into the supported category (documented, etc.)

1 Like

Thanks, that’ll be great.
Any chance to allow external storage, such as Google Drive, as discussed here (and on many other threads)?