GitHub Enterprise Cloud customers with multiple Enterprise Managed Users (EMU) accounts can now configure a single proxy header to restrict traffic to github.com outside any of these enterprises.

Previously, enterprise access restrictions via corporate proxies supported configuring a single enterprise ID as part of the proxy header to only allow traffic related to the specific EMU account and Copilot from github.com.
We are expanding the feature for customers with multiple GitHub EMU accounts to allow a single proxy header with multiple enterprise IDs. This helps in cases where there are distinct business entities within the same network boundary through acquisitions, data classification strategy, or other business purposes.

To enable proxy-based access restrictions across multiple enterprises, enterprise owners need to follow these steps:

  1. For each enterprise, select the Enable enterprise access restrictions setting in the “Authentication security” -> “Enterprise access restrictions” section.

  2. Configure your network proxy or firewall to inject a single header with a comma-separated list of up to 20 valid EMU enterprise IDs into your users’ web and API requests to github.com. Use the following format for the header: sec-GitHub-allowed-enterprise: ENTERPRISE1-ID, ENTERPRISE2-ID, ENTERPRISE3-ID ... ENTERPRISE20-ID

The presence of this header signals GitHub to allow all API, UI, and git requests sent to github.com via the proxy if it is from a valid member of any of the configured EMU enterprises. This helps ensure that only the accounts you control are used on your corporate network. This network restriction will work in tandem with access rules that enable Copilot traffic to flow properly for enterprise managed users. Copilot access is managed using a different network policy that helps control which version of Copilot (Enterprise, Business, or Individual) is allowed on your network. See Configuring your proxy server or firewall for Copilot for detailed guidance on that feature.

If you’re currently trialing EMU or are early in adopting an existing EMU environment, we recommend exploring GitHub Enterprise Cloud with data residency, which offers a unique subdomain of GHE.com. The subdomain is sufficient to differentiate traffic to your enterprise’s resources with a corporate proxy. This is the optimal solution for customers who have data residency needs in addition to applying network controls on public github.com access.

Learn more about restricting access to github.com using a corporate proxy.
Join the discussion within GitHub Community.