Summary
YouTube provide a 'Restricted Mode' which can be enforced on your network, providing you with a locked down, and safer, YouTube experience. When 'Restricted Mode' is enforced, comments are hidden, live videos cannot be watched, and only "appropriate" content is accessible.
Note that the video content which is deemed as appropriate is decided upon by Google/YouTube and not Smoothwall, however it is possible - with the correct setup - to individually allow or block specific videos when 'Restricted Mode' is enforced.
Problem
YouTube's 'Restricted Mode' can be enforced via Google Workspace for Education, however this approach has some major drawbacks. Firstly, it requires that you are using Google Workspace for Education, and secondly, it only restricts YouTube if users are signed in to their Google Workspace account.
To work around these issues, Smoothwall has developed their own content modification policies which we recommend as the easiest way of implementing and managing restricted access to YouTube.
The table below provides a brief overview of the different methods of enforcing 'Restricted Mode', and the pros and cons of each approach.
| Method | Requires HTTPS Inspection | Can allow specific videos | Restricted access when not signed in | Works in Cloud Filter |
| CONNECT Header | No | No | Yes | No |
| HTTP Header | Yes | Yes | Yes | No |
| SafetyMode Cookie | Yes | No | Yes | Yes |
| Google Workspace | No | Yes* | No | Yes |
* Specific videos can be allowed, but require the user to be signed in to their Google Workspace account.
Solution
There are four ways in which 'Restricted Mode' can be enforced on YouTube. Three of these methods are content modifications provided by Smoothwall, and the fourth method is via the Google Admin console.
Which method is best for me?
Cloud Filter
If you are using Cloud Filter with Chromebooks, and you are also using Google Workspace for Education, then 'Restricted Mode' should be enforced via the Google Admin console, and not via the Smoothwall web filter. As users will be required to login to the Chromebook with their Google Workspace account they will always have 'Restricted Mode' enforced, and administrators can allow access to individual videos. See this knowledge base article on the Google Workspace Admin Help pages for more information.
If you are using Cloud Filter on devices other than Chromebooks, or if are using Cloud Filter but you do not use Google Workspace for Education, then 'Restricted Mode' should be enforced via the 'YouTube SafetyMode Cookie' content modification provided by Smoothwall.
On-Premise web filter
If you are using our on-premise web filter and do not have a Decrypt and Inspect policy in place which covers the 'YouTube' category then you should enforce 'Restricted Mode' by using the 'YouTube: Restricted Mode via CONNECT Header' content modification provided by Smoothwall.
If you are using our on-premise web filter and do have a Decrypt and Inspect policy in place, then you should use the 'YouTube: Restricted Mode via HTTP Header' content modification.
Note
If you have Google Workspace for Education, and you have enabled 'Restricted Mode' via the Google Admin console, you should still apply one of the content modifications mentioned above. Enforcing 'Restricted Mode' via the Google Admin console alone will mean that only users who are signed into their Google Workspace account will have 'Restricted Mode' enabled on YouTube. By applying one of our content modifications as well, 'Restricted Mode' will always be enforced, even if users are not logged into their Google Workspace accounts.
Content Modifications
YouTube SafetyMode Cookie
This content modification works by inserting a cookie that enforces Restricted YouTube. With this method is not possible to allow access to individual YouTube videos.
If your implementing this content modification in our on-premise web filter, then HTTPS Decrypt and Inspect will need to be enabled, see our help topic, Managing HTTPS inspection policies.
From the Smoothwall administration user interface, create a new content modification policy under Guardian > Content Modifications > Policy Wizard:
- Who: Everyone
- What: YouTube
- Where: Everywhere
- Action: Apply - “YouTube SafetyMode Cookie”
Using this method will force all users on your network to use YouTube's 'Restricted Mode', regardless of whether they are logged in to their Google Workspace account or not.
YouTube: Restricted Mode via CONNECT Header
This content modification exists in two flavours, 'YouTube: Restricted Mode (Moderate) via CONNECT Header' and 'YouTube: Restricted Mode (Strict) via CONNECT Header'.
These content modification policies work by rewriting the HTTPS CONNECT header for a number of YouTube domains to 'restrictmoderate.youtube.com' or 'restrict.youtube.com' respectively, and do not require an HTTPS inspection policy in order to work.
From the Smoothwall administration user interface, create a new content modification policy under Guardian > Content Modifications > Policy Wizard:
- Who: Everyone
- What: YouTube
- Where: Everywhere
- Action: Apply - “YouTube: Restricted Mode (Moderate) via CONNECT Header”
Using this method will force all users on your network to use YouTube's 'Restricted Mode', regardless of whether they are logged in to their Google Workspace account or not.
If you are also using Google Workspace for Education, and have enabled 'Restricted Mode' via the Google Admin console, then logged in administrators will have unrestricted access to YouTube, and logged in users will be able to access videos that have been allowed via the Google Admin console.
It is not possible to allow access to specific videos via the Smoothwall web filter when using this method.
YouTube: Restricted Mode via HTTP Header
This content modification exists in two flavours, 'YouTube: Restricted Mode (Moderate) via HTTP Header' and 'YouTube: Restricted Mode (Strict) via HTTP Header'.
These content modification policies work by inserting a 'YouTube-Restrict: Moderate' or 'YouTube-Restrict: Strict' HTTP header into each network request, and requires an HTTPS Decrypt and Inspect policy in order to work, see our help topic, Managing HTTPS inspection policies.
From the Smoothwall administration user interface, create a new content modification policy under Guardian > Content Modifications > Policy Wizard:
- Who: Everyone
- What: YouTube
- Where: Everywhere
- Action: Apply - “YouTube: Restricted Mode (Moderate) via HTTP Header”
Using this method will force all users on your network to use YouTube's 'Restricted Mode', regardless of whether they are logged in to their Google Workspace account or not.
If you are also using Google Workspace for Education, and have enabled 'Restricted Mode' via the Google Admin console, then logged in administrators will have unrestricted access to YouTube, and logged in users will be able to access videos that have been allowed via the Google Admin console.
Additionally, when using this method it is possible to allow access to specific videos via the Smoothwall administration user interface. To do so, create a new custom category under Guardian > Policy Objects > Categories:
- Name: Allowed YouTube videos
- Domain/URL filtering: Enter YouTube video URLs
Then, use that newly created custom category in a content modification policy under Guardian > Content Modifications > Policy Wizard:
- Who: Everyone
- What: Allowed YouTube videos
- Where: Everywhere
- Action: Ignore - “YouTube: Restricted Mode (Moderate) via HTTP Header”
Note that the action should be set to 'Ignore' and the content modification policy must be the same as the one created above (e.g. If you applied 'YouTube: Restricted Mode (Moderate) via HTTP Header' above, this must also use 'YouTube: Restricted Mode (Moderate) via HTTP Header')
Finally, ensure that the order of your policies are set up correctly, the content modification policy that ignores the content modification must be placed before the one that applies it, as shown in the screenshot below.
Google Admin Console
YouTube 'Restricted Mode' can be enforced for all users on your domain by changing the appropriate settings on the Google admin console. This only applies to users logged into your domain, Restricted YouTube will not be applied to signed out users.
The highlighted checkbox below must be enabled for the system to work. Other permissions granted via the Google admin console take precedent (for example, domain administrators).
