Enterprise access restrictions with corporate proxies is now generally available
Enterprise access restrictions via corporate proxies is now generally available for GitHub Enterprise Cloud accounts with Enterprise Managed Users (EMU).
With this release, enterprise owners may allow only EMU enterprise traffic to github.com via their existing corporate proxies, while blocking any unapproved traffic. This enables highly regulated EMU customers to define a secure network strategy in order to reduce the risk of intentional or accidental data leaks by only allowing access to a strictly governed EMU enterprise.
Enterprise owners can now enable this feature in two steps:
- Select Enable enterprise access restrictions from the enterprise Settings-> Authentication security -> “Enterprise access restrictions” section.
-
Configure your network proxy or firewall to inject a header with a valid EMU enterprise ID in the following format into your users’ web and API requests to github.com:
sec-GitHub-allowed-enterprise: ENTERPRISE-ID.
The presence of this header signals GitHub to allow the request if it is from a valid member of your EMU enterprise, helping ensure that only the accounts you control are used on your corporate network. This network restriction covers API and UI access to github.com and will work in tandem with access rules that enable Copilot traffic to flow properly for enterprise managed users. Copilot access is managed using a different network policy that helps control which version of Copilot (Enterprise, Business, or Individual) is allowed on your network. See Configuring your proxy server or firewall for Copilot for detailed guidance on that feature.
If you’re currently trialing EMU or are early in adopting an existing EMU environment, we recommend exploring GitHub Enterprise Cloud with data residency which offers a unique subdomain of GHE.com. The subdomain is sufficient to differentiate traffic to your enterprise’s resources with a corporate proxy. This is the optimal solution for customers who have data residency needs in addition to applying network controls on public github.com access.
Support for multiple EMU enterprise IDs in the same proxy header is in private preview. If you have multiple enterprises and are looking to extend this feature to restrict traffic to github.com outside any of these enterprises, reach out to your account managers to participate in this private preview.
Learn more about restricting access to github.com using a corporate proxy.
Join the discussion within GitHub Community.