This KB is relevant to users on versions 9.0 and above.
This KB will demonstrate how to enable Google Apps Domain Restriction
Many Google Web properties, including Gmail, support a custom header which restricts access to the sites to accounts which are members of a specified domain. For instance, if an organization at
myschool.edu used Google Apps for email and document sharing, they could restrict users to accessing those sites only through their
myschool.edu accounts; trying to log in with any other accounts (including "consumer" Gmail accounts) would result in an error. To make use of this feature, select Enable Google Apps Domain Restriction and enter your organization's Google Apps-enabled domain(s) into the Allowed Google Apps Domains field. Then, enable the corresponding option for each desired group on the Group Permissions page.
Note: Google Apps domain restriction requires the use of SSL decryption. For more information, please see Block access to consumer accounts - Google Apps Help.
With SSL decryption enabled, the workarounds used to allow access to certain Google services while preventing access to others will no longer be necessary. If any of these are still on your whitelists or blacklists, they may be interfering with the correct functioning of Google Apps Domain Restriction. If you are experiencing issues with Google Apps Domain restriction, verify that you have not added
accounts.google.com or any other such google domain to your group whitelists, global whitelists, or super whitelist. Also verify that you have not added any Google IP addresses to your list of transparent proxy exceptions (viewable from the advanced tab of the Content Filtering page). Please note that if you are blocking webmail access for a group, you will need to add
mail.google.com to that group's whitelist in order for them to be able to use Gmail services.