In the G Suite Management Console, there is an important setting that allows you to whitelist the apps that have API access to your domain. I'd recommend doing this to safeguard your data and prevent malicious apps doing bad things! Quick video guide below:
You can restrict the use of Chrome to only the accounts you want to use it by enforcing a few group policies. The most recent of these is to force users to sign into Chrome. However, this policy need others to make it effective. Below are the ones I use.
Firstly - force users to sign in to Chrome
Make sure they can only use a domain account
Make sure they cannot use accounts you don't want them using in G Suite services
Disable incognito mode
Disable guest mode
Disable add user (might not want to use this for a staff account as they may need to use more than one account)
With this combination of policies, your users are locked down to their G Suite account and cannot do anything about it. Quick video on what it looks like:
Just a quick follow up to my video from a while ago about using ClearOS at a gateway server. One of the things I did not cover was the Egress Firewall app, which is an important part or securing your network.