
Netskope Global Technical Success (GTS)

Managing Access for Google Gemini Enterprise Instance

 

Netskope Cloud Version - 130

 

Objective

Managing Access for Google Gemini in the Enterprise

 

Prerequisite

Netskope CASB Inline & SWG license is required

 

Context

Google, as a major cloud service provider, has introduced a generative AI chatbot platform called Google Gemini. While many other generative AI applications are often considered unsanctioned within enterprise environments, organizations that use Google Workspace (formerly G Suite) may wish to enable access to Google Gemini in a controlled, corporate context—while simultaneously blocking personal Gemini access and restricting other third-party AI tools.

This article explores an approach to enabling secure access to Google Gemini for corporate users.

Do You Know?

  • Netskope introduced support for Google Gemini; however, it did not initially differentiate between personal and corporate instances.
  • With the release of version R127 on June 10, 2025, the App Connector for the Google Gemini application was enhanced to support features available in the Google Gemini for Google Workspace Business and Enterprise editions.
  • Since both the corporate and personal editions of Google Gemini use the same domain, creating separate connectors is not feasible. However, customers can distinguish between the two by using the Application Instance ID.

 

Configuration

To implement this use case, three distinct policy sets are required. Because Netskope enforces policies in top-down order, configure them in the following sequence:

  • Policy 1: Allow or monitor activity specific to the corporate instance of Google Gemini.
     
  • Policy 2: Block access to personal Google Accounts, as authentication for all Google applications including Gemini is handled through Google Accounts.
     
  • Policy 3: Block access to the broader Generative AI category, while making an exception for the corporate Google Gemini URL (gemini.google.com).
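The ordering above can be checked with a small model of top-down, first-match evaluation. This is an added example, not Netskope code or its policy engine; the event fields, instance labels, the genai.example.test host and the allow-by-default fallback are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

CORP = "corp-instance-placeholder"   # stands in for the mapped corporate instance
GENAI_HOSTS = {"gemini.google.com", "genai.example.test"}  # constructed category

@dataclass(frozen=True)
class Event:            # constructed, simplified transaction record
    app: str
    host: str
    activity: str
    instance: str = ""

@dataclass(frozen=True)
class Policy:
    name: str
    action: str
    matches: Callable[[Event], bool]

def genai_block(exempt_gemini: bool) -> Policy:
    # Policy 3: block the Generative AI category, optionally exempting Gemini's URL
    return Policy("P3-block-genai", "block", lambda e: e.host in GENAI_HOSTS
                  and not (exempt_gemini and e.host == "gemini.google.com"))

P1 = Policy("P1-allow-corp-gemini", "allow",
            lambda e: e.app == "Google Gemini" and e.instance == CORP)
P2 = Policy("P2-block-personal-google", "block",
            lambda e: e.app == "Google Accounts" and e.activity == "Login"
            and e.instance != CORP)
PAGE_ORDER = [P1, P2, genai_block(exempt_gemini=True)]

def decide(event: Event, policies: List[Policy]) -> Tuple[str, str]:
    """Return (action, policy name) of the first policy that matches, top-down."""
    for policy in policies:
        if policy.matches(event):
            return policy.action, policy.name
    return "allow", "no-match"   # assumption: unmatched traffic is allowed

# Constructed sample events
CORP_PROMPT = Event("Google Gemini", "gemini.google.com", "Post", CORP)
PERSONAL_LOGIN = Event("Google Accounts", "accounts.google.com", "Login", "personal")
OTHER_GENAI = Event("Other AI", "genai.example.test", "Post")

if __name__ == "__main__":
    for ev in (CORP_PROMPT, PERSONAL_LOGIN, OTHER_GENAI):
        print(ev.app, ev.activity, "->", decide(ev, PAGE_ORDER))
    # A category block without the exemption, placed first, shadows Policy 1
    print(decide(CORP_PROMPT, [genai_block(False), P1, P2]))
```

The last call shows the failure mode the sequence avoids: a Generative AI category block that sits above Policy 1 and lacks the gemini.google.com exception blocks the corporate instance as well.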

 

Let’s start configuring the Real-time Protection policies

Policy 1:

Step 1 - Instance Mapping for Google Gemini Corporate account:

As Google Gemini does not support the login activity yet, instance mapping can be done through the ‘Post’ activity.

Step 2 - Real-time protection policy

Path - Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy

 

Policy 2: This policy can be created as either instance-based or constraint-based.

Instance Based:

Step 1 - Instance Mapping for Google Accounts App.

The Google Account App Instance can be found through the Login Activity.

Step 2 - Real-time protection policy

Path - Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy

OR

Constraint Based: This will specifically allow access only within the corporate domain.

Step 1 - Create a User Constraint Profile 

Path: Netskope Tenant UI >>> Policies >>> Profile >>> Constraint

Step 2 - Real-time protection policy

Path - Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy

 

Policy 3:

Step 1 - Create a custom URL category 

Path: Netskope Tenant UI >>> Policies >>> Profile >>> URL Lists

Path: Netskope Tenant UI >>> Policies >>> Profile >>> Custom Categories

Step 2 - Real-time protection policy

Path - Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy

 

Policy Order:

With Constraint:

With App Instance:

 

Verification

Try accessing Google Gemini using Personal Account: 

Logging in to Google Gemini will redirect the user to accounts.google.com

Through App Instance Policy:

Path: Netskope Tenant UI >>> Skope IT >>> Alerts

 

Through Constraint Based Policy:

Path: Netskope Tenant UI >>> Skope IT >>> Alerts

 

Try accessing Google Gemini using Sanctioned Account: 

Path: Netskope Tenant UI >>> Skope IT >>> Alerts

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.

 
