Home Knowledge Base SecureW2 Documentation Google Chromebook Enrollment via SCEP using SecureW2 Connector

Google Chromebook Enrollment via SCEP using SecureW2 Connector

1. Introduction

SecureW2’s CloudConnector seamlessly integrates with Google MDM services, enabling digital certificate enrollment via the Simple Certificate Enrollment Protocol (SCEP). SecureW2 periodically communicates with Google to check for any certificate requests from devices. Upon collecting these requests from Google, SecureW2 returns the appropriate endpoint certificates, which Google then deploys to the devices. This guide covers the steps to set up Chromebook enrollment via SCEP using SecureW2’s CloudConnector.

2. Prerequisites

The following are the prerequisites to enrolling Chromebooks using SCEP:

  1. An active subscription to the JoinNow Management Portal.
  2. Shared device settings administrator privilege in Google Admin Console.

3. Configure SecureW2

This section describes the following procedures carried out in the JoinNow MultiOS Management Portal:

  • Configuring the required network profiles 
  • Creating an Intermediate CA
  • Creating a Certificate Template
  • Creating Policy Engine Workflows, Enrollment, and Network Policies

NOTE: If you are yet to do the default configurations in the Management Portal, use the Getting Started Wizard.

The Getting Started Wizard will create the default configurations required for 802.1x authentication. For further configurations, refer to the “Getting Started” section in the JoinNow MultiOS Configuration Guide.

NOTE: The Getting Started wizard typically takes 60-90 seconds to create the profile.

3.1 Creating an Intermediate CA for Google SCEP Integration

As a best practice, SecureW2 recommends having a new intermediate CA for SCEP-based enrollments. To create a new intermediate CA:

  1. Log in to the JoinNow MultiOS Management Portal.
  2. Navigate to Dynamic PKI > Certificate Authorities.
  3. Click Add Certificate Authority.
  4. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  5. From the Type drop-down list, select Intermediate CA.
  6. From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
  7. In the Common Name field, enter a common name for the CA certificate. SecureW2 recommends a name that is easily identifiable for your organization. E.g. “Google SCEP Intermediate CA”.
  8. From the Key Size drop-down list, select a key pair size from below options:
    a. 2048 
    b. 4096
  9. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  10. In the Validity Period (in years) field, enter the validity period of the CA certificate.
  11. Click Save. The new intermediate CA is generated.

3.2 Creating a Certificate Template for Google

Certificate Template helps in configuring the appropriate fields in the client certificates and also, mentions from where should the values of those fields to be sourced from. To create a Certificate Template:

  1. Navigate to Dynamic PKI > Certificate Authorities.
  2. Click Add Certificate Template.
  3. In the Basic section, for the Name field, enter an appropriate name of the certificate template for easy identification.
  4. In the Subject field, enter
    CN=${/auth/displayName:/device/identity:/csr/subject/commonname}
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the organization’s requirement).
  7. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  8. In the SAN section:
    a. In the Other Name field, enter
    ${/auth/upn:/device/identity:/csr/san/othername}
    b. In the RFC822 field, enter ${/auth/email:/device/identity:/csr/san/rfc822name}
    c. In the DNS field, enter
    ${/device/computerIdentity:/device/buildModel:/csr/san/dnsname}
  9. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  10. Click Save.

4. Trusted Certificate Profiles

To ensure devices trust your RADIUS server, configure the Trusted Certificate Profile with the certificate from your RADIUS server certificate issuing authority – Root and/or Intermediate Certificate that issued the RADIUS server certificate. By assigning this profile, Google-managed devices receive the trusted certificates. During RADIUS authentication, the devices trust your RADIUS server by establishing a trust certificate chain and validating the RADIUS server certificate.

Certificate Profile described in the following section. Though this step is not technically needed, Google Console prompts to configure an Intermediate CA setup here.

4.1 Uploading Intermediate CA in Google Console

  1. Log in to the JoinNow MultiOS Management Portal.
  2. Go to PKI > Certificate Authorities.
  3. In the Certificate Authorities section, click the Download link for the Intermediate CA created earlier (see the Creating an Intermediate CA for Google SCEP Gateway Integration section). This certificate needs to be imported into Google Trusted.
  4. Login to Google Admin Console and navigate to Devices > Networks > Certificates section
  5. Click ADD CERTIFICATE.
  6. In the Name field, enter a name for the Certificate Authority.
  7. Click Upload. Choose the Intermediate CA certificate downloaded earlier in step 3.
  8. Select the Enabled for Chromebook option.
  9. Click ADD.

4.2 Uploading RADIUS Server CA in Google Console

Uploading the Root CA of the RADIUS Server Certificate in Google requires downloading the “Digicert Global Root G3” certificate from the Digicert Root certificate webpage.

Post downloading the above-mentioned certificate, this Root CA must be uploaded to the Google Admin Console to form a chain of trust. To upload the Root CA certificate:

  1. Login to Google Admin Console and navigate to Devices > Networks > Certificates section
  2. Click ADD CERTIFICATE.
  3. In the Name field, enter a name for the certificate authority.
  4. Click Upload.
  5. Choose the Root CA downloaded earlier in this section and upload.
  6. Select the Enabled for Chromebook option.
  7. Click ADD.

4.3 Configuring SCEP for Certificate Enrollment

To configure the SCEP profile for certificate enrollment, create the SCEP URL in the JoinNow Management Portal and configure it in the Google Admin Console. The Google Admin Console will then generate JSON and key files, which must be uploaded to the JoinNow Management Portal. These files contain the necessary information to authenticate SecureW2’s API requests to Google for handling the Certificate Signing Requests (CSRs).

To generate the SCEP enrollment URL from the JoinNow Management portal:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Integrations Hub > Device Management Platforms.
  3. Click Add.
  4. In the Basic section, in the Name field, enter a name for the Google SCEP IDP.
  5. From the Type drop-down, select Google SCEP.
  6. Click Save. The page refreshes with a Configuration tab. Click on the Configuration tab. Click on the copy button for the displayed Enrollment URL for SCEP.
  7. Navigate back to the Google Admin Console. Click Devices > Networks.
  8. Click Create SCEP Profile after selecting the organization.
  9. Click Add Secure SCEP Profile.
  10. In the Device Platforms section, select Chromebook (Device).
  11. In the Subject name format section, click on the Fully distinguished name radio button.
  12. In the Common name field, enter ${DEVICE_SERIAL_NUMBER}
  13. In the Subject alternative name field, choose Custom.
  14. From the Subject alternative name type drop-down, select RFC822. In the adjacent field, enter ${DEVICE_SERIAL_NUMBER}.
  15. In the Key Usage field, select Key Encipherment.
  16. In the Key size (bits), select 2048.
  17. In the Security section, select Strict.
  18. In the SCEP server URL field, copy and paste the Enrollment URL created in the JoinNow portal (Refer to step 6).
  19. In the Extended key usage field, select Client authentication.
  20. In the Template name field, enter a name for the SCEP template.
  21. From the Certificate Authority drop-down, select the certificate authority created for this SCEP organization.
  22. Check the Wi-Fi option for the Network type this profile applies to field.
  23. Click Save.
  24. On the home page, click Download Connector. Click Download in the Download connector configuration file section. The “config.json” file downloads.
  25. Navigate to the Get a Service Account key section, and click on the Generate key. The “key.json” file downloads.
  26. Navigate back to the Configuration tab in the Identity Providers menu (JoinNow Management Portal > Identity Management > Identity Providers).
  27. Click Choose File to upload the Service Account Key File and Configuration File. Click Update.

4.4.1 Configuring a Policy Workflow

To configure a Policy Engine Workflow in the JoinNow Management Portal:

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Add Policy Workflow.
  3. In the Basic section, enter the name of the policy engine workflow in the Name field.
  4. In the Display Description field, enter a suitable description for the role policy.
  5. Click Save.4
  6. The page refreshes, and the Conditions tab is displayed. Select the Conditions tab.
  7. From the Identity Provider drop-down list, select the Identity Provider created in 4.3 Configuring SCEP for Certificate Enrollment section.
  8. In the Attributes/Groups section, for the Attribute field, retain ANY.

  9. Click Update.

4.4.2 Creating Enrollment Policy

To add an Enrollment Policy, perform the following steps:

  1. Navigate to Policy Management > Enrollment.
  2. Click Add Enrollment Policy.
  3. Under the Basic section, in the Name field, enter the name of the enrollment policy.
  4. In the Display Description field, enter a suitable description for the enrollment policy.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs are displayed.
  7. Select the Conditions tab.
  8. In the Conditions section, from the Role drop-down list, select the role policy you created earlier (see the Policy Engine Workflow section).
  9. From the Device Role drop-down list, select DEFAULT DEVICE ROLE POLICY.

  10. Select the Settings tab.
  11. In the Settings section, from the Use Certificate Authority drop-down list, select the intermediate CA you created earlier (see the Creating an Intermediate CA for Google SCEP Gateway Integration section).
  12. From the Use Certificate Template drop-down list, select the certificate template created for Google SCEP in 3.2 Creating a Google Certificate Template .
  13. In the other settings, retain the default values.

  14. Click Update.

4.4.3 Configuring Network Policy

To configure network policy:

  1. Go to Policy Management > Network.
  2. Click Add Network Policy.
  3. In the Basic section, enter the name of the network policy in the Name field.
  4. In the Display Description field, enter a suitable description for the network policy.
  5. Click Save.
  6. Select the Conditions tab.
  7. Select Match All or Match Any based on your requirements to set authentication criteria.
  8. Click Add rule.
  9. Expand Identity and click Select adjacent to the Role option.
  10. Click Save.
  11. The Role option appears under the Conditions tab.
  12. From the Role Equals drop-down list, select the role policy you created earlier (see the Configuring a Policy Engine Workflow section).
  13. Select the Settings tab.
  14. Click Add Attribute.
    1. From the Dictionary drop-down list, select Radius: IETF or Custom.
    2. From the Attribute drop-down list, select an option.

    3. In the Value text box, enter a value for the attribute.
  15. Click Save.

4.5 Configure 802.1X Wi-Fi for Certificate-Based Authentication on Chromebook

The last step is to configure the network settings that will be pushed to Chromebooks so that they will authenticate to the secure SSID using SecureW2 for certificate-based Wi-Fi authentication.

  1. Navigate to Devices > Networks > Wi-Fi > Add Wi-Fi
  2. Under Platform access, select Enabled for Chromebooks (by device) option.
  3. In the Name field, enter a name for your Wifi.
  4. In the SSID field, enter a name for your broadcasting SSID.
  5. Enable the Automatically Connect option.
  6. From the Security type drop-down, select WPA/WPA2-Enterprise (802.1X).
  7. Set the Extensible Authentication Protocol to EAP-TLS. Select Maximum TLS Version as 1.2.
  8. For the Username field, enter ${CERT_SAN_EMAIL} or ${CERT_SAN_UPN}.
  9. From the Server Certificate Authority drop-down, select the RADIUS Server Certificate’s Issuer CA chain you uploaded earlier.
  10. From the SCEP profile drop-down, select the SCEP profile created in the earlier step.

  11. Under the DNS settings section, select Automatic name servers.
  12. Click Save. This completes the configuration. 

    Chromebooks for your organization are ready to be enrolled in Google. 

    Now, SecureW2 CloudConnector starts reaching out to Google for any certificate requests from the client devices. If available, CloudConnector validates these requests and returns an appropriate certificate to Google. Google deploys them in the corresponding devices. 

    These successful device enrollments are logged in the Google Admin Console under Devices > Chrome > Devices.

    Similarly, Admins can also check for successful certificate enrollment in JoinNow Management Portal under Data and Monitoring > General Events. A Certificate Issued message would be displayed for the enrolled Chrome devices.

More Google Workspace Explainers