Configuring Managed Chromebooks for Certificate Auto-Enrollment

Manually configuring every managed Google Chromebook within an organization for secure network access is incredibly labor-intensive. To simplify the process, SecureW2 provides a solution that pushes a configuration profile to each Chromebook, which initiates an automatic process to enroll for certificates with no user interaction. Once each MDM is equipped, it can begin the enrollment process and provide secure network access for all.

Setting up the SecureW2 Management Portal

First, reach out to SecureW2 support so they can create an Identity Provider in the management portal for Google Verified Access. After they have done so, you can open the SecureW2 Management Portal and configure your network profile, then finalize tasks such as the TLS enrollment process, enrollment policies, group policies, and more. To begin, proceed with the following steps:

  1. Create a Network Profile from the SecureW2 Management Portal
    • Navigate to Device Onboarding → Getting Started
    • Configure the settings as per the image below

(Image: configuring the network profile)

    • Note: You will be creating an SSID name, even though it will not be used.
    • Note: Select your Wireless and RADIUS providers under Wireless and RADIUS Vendor.
    • Click Create and your Network Profile will be generated.
  2. Click Edit on your newly created Network Profile
  3. Click Edit on Network Settings
  4. Under TLS Enrollment, configure per the image below

(Image: configuring the TLS enrollment type)

    • Note for the Generate Certificate For setting:
      • If you are enrolling individual users for certificates, select User
      • If you are enrolling systems for certificates, select System
  5. Remaining in Network Settings, click the Advanced section at the top of the screen
  6. Navigate to Workflows and uncheck the following workflows
    • Wireless Configuration
    • Wireless Connect

(Image: choosing the correct workflows)

  7. Update the Network Settings
  8. Update the Network Profile
  9. Re-publish the Network Profile
  10. Navigate to Policy Management
    • Navigate to Profile
    • Click Edit
    • Map the IDP that SecureW2 support created in the profile policies. Similarly, create a new user-role policy; the default device policy can be used as-is.
  11. Create a new enrollment policy with the newly created user-role policy and the default device policy.

Setting up the Google Admin Console

The Google Admin Console allows admins to manage all their G Suite services in a central location. Here you will configure access for device certificate enrollment. Once configured, Chromebooks with verified access tokens will be able to enroll for certificates with no interaction from the end user.

Granting Permission for the SecureW2 Service Account for Google Chrome Verified Access

This service account is used to validate the verified access token (sent by the Chromebooks during enrollment) against Google, confirming that the identity matches the token. Based on the result, enrollment proceeds to the next step.

  1. To provide access to the service account for device certificate enrollment, navigate to Device Management -> Chrome -> Management -> Device Settings -> Enrollment & Access -> Verified Access
  2. Select Enable for Content Protection
  3. In the Verified Mode section, select Require Verified Mode Boot for Verified Access
    • Contact SecureW2 support for the service account email required
  4. To provide access to the service account for user certificate enrollment, navigate to Device Management -> Chrome Management -> User & Browser Settings -> User Verification
  5. In the Verified Mode section, select Require Verified Mode Boot for Verified Access
    • Under Service Account, enter the service account email (contact SecureW2 support for the email required)

JSON Policy File

In a later section, you will need to upload a JSON configuration file to the Google Admin Console. Reach out to SecureW2 support at this stage, and they will provide you with the JSON file required.

Sample File:

    {
        "EnrollmentURL": {
            "Value": "https://pki-services.securew2.com/enroll/<WORKFLOW_ID>"
        },
        "DeviceCertificate": {
            "Value": true
        },
        "RenewWindowDays": {
            "Value": 30
        },
        "MetaConfigInfo": {
            "Value": {
                "organizationId": "<ORG_ID>",
                "profileId": "<PROFILE_UUID>"
            }
        }
    }
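
A pre-upload sanity check for the policy file, as an added example that is not SecureW2's or Google's own tooling. It parses the JSON, rejects unfilled `<...>` placeholders and the curly quotes that creep in when the sample is pasted from a document, confirms the enrollment URL is HTTPS on pki-services.securew2.com (the host in the sample above), and checks the types of the remaining keys. The key names come from the sample; the UUID shape for profileId, the 1 to 365 day renew window and the workflow-id character set are assumptions made here, and the sample identifiers are constructed.

```python
"""Pre-upload sanity check for the SecureW2 extension policy JSON (added example)."""
import json
import re
import uuid
from urllib.parse import urlparse

# The host below is the one used in the sample policy on this page.
EXPECTED_HOST = "pki-services.securew2.com"
# Support-supplied templates mark values to fill in as <NAME>; none may survive upload.
PLACEHOLDER = re.compile(r"<[A-Z_]+>")
# Assumed shape of the workflow path; the page only shows /enroll/<WORKFLOW_ID>.
WORKFLOW_PATH = re.compile(r"/enroll/[A-Za-z0-9_-]+")


def _value(policy, key):
    """Every top-level entry is wrapped as {"Value": ...}; unwrap it or report why not."""
    entry = policy.get(key)
    if not isinstance(entry, dict) or "Value" not in entry:
        return None, f'{key}: missing or not of the form {{"Value": ...}}'
    return entry["Value"], None


def check_policy(text):
    """Return a list of problems found in the policy text; empty means it looks uploadable."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        # Curly quotes pasted from a document are the usual cause of this failure.
        return [f"not valid JSON: {exc}"]
    if not isinstance(policy, dict):
        return ["top level must be a JSON object"]
    problems = [f"unfilled placeholder {m.group(0)}" for m in PLACEHOLDER.finditer(text)]

    url, err = _value(policy, "EnrollmentURL")
    if err:
        problems.append(err)
    elif not isinstance(url, str):
        problems.append("EnrollmentURL.Value must be a string")
    else:
        parts = urlparse(url)
        if parts.scheme != "https":
            problems.append("EnrollmentURL must use https")
        if parts.hostname != EXPECTED_HOST:
            problems.append(f"EnrollmentURL host is {parts.hostname!r}, expected {EXPECTED_HOST!r}")
        if not WORKFLOW_PATH.fullmatch(parts.path):
            problems.append("EnrollmentURL path should be /enroll/<workflow id>")

    dev, err = _value(policy, "DeviceCertificate")
    if err:
        problems.append(err)
    elif not isinstance(dev, bool):
        problems.append("DeviceCertificate.Value must be true or false")

    days, err = _value(policy, "RenewWindowDays")
    if err:
        problems.append(err)
    elif isinstance(days, bool) or not isinstance(days, int) or not 1 <= days <= 365:
        problems.append("RenewWindowDays.Value must be an integer from 1 to 365")

    meta, err = _value(policy, "MetaConfigInfo")
    if err:
        problems.append(err)
    elif not isinstance(meta, dict):
        problems.append("MetaConfigInfo.Value must be an object")
    else:
        if not str(meta.get("organizationId", "")).strip():
            problems.append("MetaConfigInfo.organizationId is empty")
        pid = str(meta.get("profileId", ""))
        if pid != pid.strip():
            problems.append("MetaConfigInfo.profileId has surrounding whitespace")
        try:
            uuid.UUID(pid.strip())  # assumption: profileId is a UUID, per the placeholder name
        except ValueError:
            problems.append("MetaConfigInfo.profileId is not a UUID")
    return problems


# Constructed sample values for the demonstration; not real SecureW2 identifiers.
FILLED_POLICY = json.dumps({
    "EnrollmentURL": {"Value": "https://pki-services.securew2.com/enroll/wf-example-01"},
    "DeviceCertificate": {"Value": True},
    "RenewWindowDays": {"Value": 30},
    "MetaConfigInfo": {"Value": {
        "organizationId": "org-example-01",
        "profileId": "123e4567-e89b-12d3-a456-426614174000",
    }},
}, indent=4)
# The same file with the workflow id placeholder left in, as a template would arrive.
TEMPLATE_POLICY = FILLED_POLICY.replace("wf-example-01", "<WORKFLOW_ID>")

if __name__ == "__main__":
    for name, text in (("filled", FILLED_POLICY), ("template", TEMPLATE_POLICY)):
        print(name, check_policy(text) or "OK")
```

Run it against the file support sends before uploading it; anything it reports is cheaper to fix in the portal than after the policy has been pushed to an OU of devices that then fail to enroll.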

Configuring the JoinNow MultiOS Extension from the Google Admin Console

The SecureW2 JoinNow MultiOS extension needs to be installed on the Chromebooks so they can enroll for certificates. Here we will configure the Google Admin Console to install the extension onto the Chromebooks.

  1. In the Google Admin console, navigate to the JoinNow MultiOS extension by clicking Chrome management -> User & browser settings -> Apps and Extensions -> Force-installed Apps and Extensions -> Manage Force-Installed Apps -> Chrome Web Store
  2. Search by extension ID (which will be provided by the SecureW2 support team)

Force SecureW2 Certificate Auto-Enrollment Extension

With the JoinNow MultiOS extension configured on Chromebooks, the device settings can be configured for auto-enrollment. We will configure the devices to allow a seamless enrollment process with no end user interaction.

  1. Navigate to Device Management -> Chrome Management -> App Management -> SecureW2 Certificate Autoenrollment Extension -> User Settings
  2. Select the “OU” and click Enable
  3. Configure the following settings
    • Allow Installation
    • Force Installation
    • Allow Access to challenge enterprise keys
  4. Now click Configure -> Upload Configuration File
  5. Upload the JSON file shared by support

(Image: configuring for auto-enrollment extension)

Configuring the RADIUS Server Issuer CA Chain from Google Admin Console

WPA2-Enterprise requires installing and configuring the trusted RADIUS Server issuer CA chain to allow the device to securely connect to the Wi-Fi network. This is also handled by the Google Admin Console. The uploaded CA can later be selected as the trusted CA in the configured Wi-Fi Network.

  1. Log in to the Google Admin Console
  2. Click on Device Management
  3. Click on Network
  4. Click on Certificates
  5. Upload your RADIUS Server issuer CA chain using Add Certificate
  6. Click on Save at the end of the page

Configuring the Wi-Fi Network from Google Admin Console

The last thing we need to do is configure the network settings that will be pushed to our Chromebooks, so that they will authenticate to our SSID using SecureW2 for certificate-based Wi-Fi authentication.

  1. Go to the Google Admin Console
  2. Click Device Management -> Network -> Wi-Fi -> Add Wi-Fi
  3. Configure the Name and SSID of your Wi-Fi Network
  4. Select the option to Automatically Connect
  5. Set the Security type to WPA/WPA2-Enterprise (802.1X)
  6. Set the Extensible Authentication Protocol to EAP-TLS
  7. Set an Outer username
    • e.g. ${CERT_SAN_EMAIL} or ${CERT_SAN_UPN}
  8. Under Server Certificate Authority, select the RADIUS Server Issuer CA chain you uploaded earlier
  9. Under Client Enrollment URL, enter the chrome-extension: URL of the extension (the extension ID will be provided by the SecureW2 support team)
  10. Under Issuer Pattern, enter the matching attributes of the CA that issues the Client Certificate (NOT the RADIUS Server Issuing CA)
    • Setting the Organization Name is what has been tested so far
  11. Under Apply Network, select By Device or By User depending on the use case
  12. Click Add -> Save at the end of the page

Note: When moving the Chromebooks to the specific “OU” for enrollment of certificates, make sure the user also belongs to that specific “OU”.

Concluding Thoughts

And with the final save, your network is configured for certificates. The organization can finalize any network settings to be pushed to the managed Chromebooks and then initiate the enrollment process. Managed Chromebooks will enroll for certificates and all the devices will be properly configured for secure network access. If you have any further questions about enrolling managed Chromebooks for certificates, or any other questions, feel free to reach out to us using the form below or through our Contact page.

Chromebook is either registered trademark or trademark of Google LLC in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.