📖 3 mins read

GAT Shield Login Control

GAT Shield allows admins to set up Login Control rule for the users of the domain. The Admin can set up a rule that allows users to log in to your domain or not.

It works by disabling the users to log in to your domain at certain times (Login time window from/to) and log in area

This type of Login control can be set up from the GAT Shield console

Login control

Navigate to Shield → Configuration → Login Control 

GAT Shield | Login control 1

Select Filters

In the Login Control settings pick the Time window or Login Area, from where users will not be able to log in to your domain.

Time window

Fill in the details and select times at which the users will be allowed to log in to the domain (using domain credentials)

  • Login time window (from) –  pick the start time from which the users will be allowed to log in
  • Login time window (to) – pick the end time after which the users will not be allowed to log in

Thus selecting the TIME FRAME where the users will be ALLOWED to log in,  the scope outside of the selected time users will not be able to log in.

A time window during which Shield-protected devices can log into your domain. Build custom cron expressions.

GAT Shield | Login control 2



  • Login time window (from): – set the start time 0 0 9 ? * MON-FRI *
  • Login time window (to): – set the finish time 0 0 17 ? * MON-FRI *

The users will not be allowed to log in outside the selected time window above. The times are set and build as Cron expressions select your time frame and place in the fields (from) and (to).

An example cron settings: 0 0 9 ? * MON-FRI * (start from 9AM Monday to Friday), 0 0 17 ? * MON-FRI * (finish on 5 PM Monday to Friday).

Login Area

Select an area, outside of which, Shield devices can not log in to your domain.  Clicking on the “select area” button will show Map, pick the location you need.

Note: Users from OUTSIDE the selected Area will not be able to Log in to the domain

Idle timeout (s)

A period of idle time (in seconds) after which Shield will log the user’s device out of your domain. Maximum value is 15 minutes / 900 [s].

Setting options

  • ‘Hard’ logout -If this option is not selected, ‘soft logout’ is the default method. The user will just be logged out of the Google domain sessions on the device. If ‘hard logout’ is selected the user is logged out entirely from the device (Google domain sessions, personal sessions, Chrome, etc.).
  • Login Allowlist – If blank GAT Shield will allow all users to log in to your domain from all networks, else only specified. Use direct (eg. or network addresses (eg. All network addresses must end with a CIDR. Use a semicolon to separate addresses.
  • Login Allowlist exclusions – User(s) exclusions from the allow list. Overrides above rule. Start typing for suggestions.

Scope – users affected

  • Scope – Rule recipients. If no value is specified, all domain users are affected. If any value is specified, any user who meets the criteria is affected.

GAT Shield | Login control 3

These settings allow you to enforce policies to prevent or allow access to your Google Workspace domain by clients with Shield devices, using a number of criteria.
Note that it may take a while for settings to propagate to all GAT Shield Chrome extensions.


When the Login control is enabled, for Time-frame, Login Area the users will not be able to login using their Domain credential, they will receive the message as below.

Login to Google services has been blocked at this time.

GAT Shield | Login control 4

If you would like to run a trial of our products please install GAT+ from the Google Workspace Marketplace and contact us at support@gatlabs.com with any questions you may have.

To request a demo please click here and fill the form, we will get back to you in less than 12 hours during weekdays.

If you tried GAT in the past and you would like to run a fresh trial again, please enquire through this form.

Thanks for sharing and spreading the word!