Configuring Managed Chromebooks for Certificate Auto-Enrollment for EAP-TLS

802.1X certificates are a vast improvement over credentials and eliminate many of the vulnerabilities of pre-shared keys. They improve the user experience by streamlining network access and eliminating password-related disconnects due to password change policies. Certificates also tie identities to devices and allow the administration to decrypt SSL and monitor device activity.

But manually configuring every managed Google Chromebook for secure network authentication is incredibly labor-intensive. To simplify the process, SecureW2 has created a solution that enables Chromebooks to automatically enroll themselves for certificates without requiring any end-user interaction.

For organizations interested in Chromebook MDM, SecureW2’s Managed Device Gateway is a versatile tool that integrates with practically any existing infrastructure. It works with any major Wi-Fi vendor and hooks seamlessly into your current RADIUS server. If you don’t have a RADIUS server (or other necessary infrastructure), SecureW2 offers its own Cloud RADIUS Server built for EAP-TLS.

Tech Overview

  1. Configure Managed Device Gateway in SecureW2
    • With SecureW2, you can easily set up Gateway APIs so your managed devices can automatically enroll themselves for certificates.
    • You’ll need to grant Google Chrome verified access permission to the SecureW2 service account so we can configure the settings for you.
  2. Configure Google Admin for Chromebook Certificate Enrollment
    • Our Support team will work with you to create a custom JSON Policy file to push to your Managed Chromebooks so they can enroll themselves for a Wi-Fi Certificate.
    • We provide you with the extension ID to install and push the JoinNow Chrome extension for certificate auto-enrollment.
    • Lastly, configure and push the appropriate Wi-Fi settings so your devices will use the newly enrolled certificate for certificate-based Wi-Fi authentication. SecureW2 works with any Wi-Fi infrastructure to provide EAP-TLS authentication.

Setting up the SecureW2 Management Portal

First, contact SecureW2 Support to create an Identity Provider (IDP) in the SecureW2 Management Portal for Google Verified Access. Then, log in to the SecureW2 Management Portal and perform the following steps:

  1. Navigate to Device Onboarding > Getting Started. On the Network Profile Generator page, enter values for the given fields to generate a network profile.
    • NOTE: You will be creating an SSID name, even though it will not be used.
    • From the Profile Type drop-down list, select the network profile type.
    • In the SSID text box, type a name for the SSID.
    • From the Security Type drop-down list, select WPA2-Enterprise.
    • From the EAP Method drop-down list, select the authentication framework.
    • From the Policy drop-down list, select DEFAULT.
    • From the Wireless Vendor drop-down list, select a wireless provider.
    • From the Radius Vendor drop-down list, select a RADIUS vendor.
  2. Click Create. Your network profile is generated.
  3. On the Network Profiles page, click the Edit link for the newly created network profile. The Network Profiles page is displayed.
  4. Scroll down to the Networks Settings section and click the Edit link for the newly created network profile.
  5. In the TLS Enrollment section, from the Enrollment Type drop-down list, select Cloud.
  6. From the Generate Certificate For drop-down list, select:
    • System – If you are enrolling systems for certificates.
    • User – If you are enrolling individual users for certificates.
  7. Click Update.
  8. On the Network Profile page, click the Advanced tab.
  9. Scroll down to the Workflows section and uncheck the following options.
      • Wireless Configuration
      • Wireless Connect
    • Click Update and then click the Republish link on the Network Profile page.
    • In the Re-publish Network Profile pop-up, type the name of the network profile and click
  10. Go to Policy Management > Authentication and click the Edit link of the authentication policy.
  11. Map the IDP that SecureW2 Support created in the Profile policy.
  12. Go to Policy Management > User Roles and click Add Role.
  13. Type a name and description, in the respective fields, and click Save.
  14. Click the Conditions tab, ensure that the user role policy is mapped to the IDP.
  15. Go to Policy Management > User Roles and select DEFAULT DEVICE ROLE POLICY.

Configure Google Admin Console for Device Certificate Enrollment

The Google Admin Console allows admins to manage all their G-Suite services in a central location. Here you will configure access for device certificate enrollment. Once configured, Chromebooks with verified access tokens will be able to enroll for certificates with no interaction from the end user.

Granting Permission for the SecureW2 Service Account for Google Chrome Verified Access

The SecureW2 service account is used to validate the verified access token (sent by the Chromebooks during enrollment) against Google to confirm if the identity matches the token; based on the results, it proceeds to the next step in enrollment.

  1. To provide access to the service account for device certificate enrollment, navigate to Device Management -> Chrome -> Management -> Device Settings -> Enrollment & Access -> Verified Access.
  2. For the Verified access field, from the drop-down list, select Enable for content protection.
  3. For the Verified mode field, from the drop-down list, select Require verified mode boot for verified access.
  4. For the Services with full access field, type the following email:
  5. To provide access to the service account for user certificate enrollment, go to Devices > Chrome > Settings > Device > USER & BROWSER SETTINGS > User verification.
  6. For the Verified Mode field, from the drop-down list, select Require verified mode boot for Verified Access.
  7. For the Service accounts field, type the following email:


Create JSON Certificate Enrollment Config

In the next section, you will need to upload a JSON configuration file to the Google Admin Console. Reach out to SecureW2 support at this stage, and they will provide you with the required JSON file.

Sample File:

{
   "EnrollmentURL": {
       "Value": "<WORKFLOW_ID>"
   },
   "DeviceCertificate": {
       "Value": true
   },
   "RenewWindowDays": {
       "Value": 30
   },
   "MetaConfigInfo": {
       "Value": {
           "organizationId": "<ORG_ID>",
           "profileId": "<PROFILE_UUID>"
       }
   }
}
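
A pre-upload check for this policy file, as an added example that is not SecureW2's or Google's own tooling: it confirms the file parses as JSON and that every setting from the sample above is present, wrapped in a Value object, of the expected type, and no longer a placeholder. The key names and types are taken from the sample file on this page and the real schema may contain more; the function names and the values in SAMPLE are hypothetical.

```python
import json
import re

# Keys and value types as they appear in the sample policy file on this page.
EXPECTED = {"EnrollmentURL": str, "DeviceCertificate": bool,
            "RenewWindowDays": int, "MetaConfigInfo": dict}
META_KEYS = ("organizationId", "profileId")
PLACEHOLDER = re.compile(r"^<[A-Z_]+>$")  # e.g. <ORG_ID> left unfilled
# Constructed input with made-up values; profileId is deliberately left unfilled.
SAMPLE = ('{"EnrollmentURL": {"Value": "workflow-123"}, "DeviceCertificate": {"Value": true},'
          ' "RenewWindowDays": {"Value": 30}, "MetaConfigInfo": {"Value":'
          ' {"organizationId": "org-1", "profileId": "<PROFILE_UUID>"}}}')


def check_string(path, value, problems):
    """Flag empty or padded values and placeholders that were never filled in."""
    if not isinstance(value, str) or not value or value != value.strip():
        problems.append(f"{path}: expected a non-empty string with no padding")
    elif PLACEHOLDER.match(value):
        problems.append(f"{path}: placeholder {value} not replaced")


def lint_policy(text):
    """Return a list of problems in the policy text (empty list = clean)."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        hint = " (typographic quotes present)" if re.search("[\u201c\u201d\u2018\u2019]", text) else ""
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}{hint}"]
    if not isinstance(policy, dict):
        return ["top level must be a JSON object"]
    problems = []
    for key, kind in EXPECTED.items():
        entry = policy.get(key)
        if not isinstance(entry, dict) or "Value" not in entry:
            problems.append(f"{key}: missing, or not wrapped in a Value object")
            continue
        value = entry["Value"]
        # bool is a subclass of int, so reject true/false for RenewWindowDays.
        if not isinstance(value, kind) or (kind is int and isinstance(value, bool)):
            problems.append(f"{key}.Value: expected {kind.__name__}")
        elif kind is str:
            check_string(f"{key}.Value", value, problems)
        elif kind is dict:
            for sub in META_KEYS:
                check_string(f"{key}.Value.{sub}", value.get(sub), problems)
    return problems


SAMPLE_PROBLEMS = lint_policy(SAMPLE)  # one finding: the unfilled profileId
```

Run lint_policy on the text of the file you receive before uploading it; an empty list means the structure matches the sample.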

Configuring the JoinNow MultiOS Extension from the Google Admin Console

The SecureW2 JoinNow MultiOS extension must be installed on the Chromebooks so they can enroll for certificates. Here, we will configure the Google Admin Console to install the extension to the Chromebooks.

  1. In the Google Admin console, navigate to the JoinNow MultiOS extension by clicking Chrome management -> User & browser settings -> Apps and Extensions.
  2. On the left pane, select the organizational unit (OU) and go to USERS & BROWSERS.
  3. Click the + option and in the Add Chrome app or extension by ID pop-up, type the extension ID.
    • NOTE: You can reach out to SecureW2 support for the Certificate Auto-Enrollment Extension ID
  4. Click Save.

Force SecureW2 Certificate Auto-Enrollment Extension

With the JoinNow MultiOS extension configured on the Chromebooks, the device settings can be configured to allow a seamless enrollment process.

  1. Go to Devices > Chrome > Apps & extensions.
  2. Select the OU and go to USERS & BROWSERS > SecureW2 Certificate Auto-Enrollment Extension and select Force install.
  3. In MANAGED GUEST SESSIONS, select SecureW2 Certificate Auto-Enrollment Extension, go to the Certificate management section, and enable Allow enterprise challenge.
  4. In the Policy for extensions section, upload the JSON file shared by the support team.
  5. Click Save.

Trusted Certificate Profile for RADIUS Server CA

Configure the Trusted Certificate Profile with the certificate of the authority that issued your RADIUS server certificate. This lets the devices trust your RADIUS server by validating the RADIUS server certificate. You achieve this server validation in the profile configuration by adding the Root and/or Intermediate Certificate Authority (CA) certificates that issued the RADIUS server certificate. When you assign this profile, the Chromebooks receive the trusted certificates.

NOTE: If you use a RADIUS vendor other than the SecureW2 RADIUS server, ensure that you have the Root or Intermediate CA that issues the RADIUS server certificates.

Export Trusted Root and Intermediate CA Certificates

This section lists the steps to export the RADIUS Server Root CA from the SecureW2 Management Portal. To export the SecureW2 RADIUS Server Certificate:

  1. Click Network Profiles.
  2. On the Network Profile you configured earlier, click the Edit link.
  3. In the Certificates section, click Add/Remove Certificate.
  4. Check the checkbox next to DigiCert Global Root CA (Mon Nov 10 00:00:00 UTC 2031).
  5. Click Update.
  6. The CA appears in the Certificates section.
  7. Click Download.

Configuring the RADIUS Server Issuer CA Chain from Google Admin Console

WPA2-Enterprise requires installing and configuring the trusted RADIUS Server issuer CA chain to allow the device to securely connect to the Wi-Fi network. This is also handled by the Google Admin Console. The uploaded CA can later be selected as the trusted CA in the configured Wi-Fi Network.

  1. Log in to the Google Admin Console.
  2. Click on Device > Networks.
  3. Click on Certificates.
  4. Click Add Certificate to upload your RADIUS Server issuer CA chain.
  5. Click on Save.


Configure 802.1X Wi-Fi for Certificate-Based Authentication on Chromebook

The last thing we need to do is configure the network settings that will be pushed to our Chromebooks, so that they will authenticate to our SSID using SecureW2 for certificate-based Wi-Fi authentication.

  1. Go to the Google Admin Console
  2. Click Device Management -> Network -> Wi-Fi -> Add Wi-Fi
  3. Configure the Name and SSID of your Wi-Fi Network
  4. Select the option to Automatically Connect.
  5. Set the Security type to WPA/WPA2-Enterprise (802.1X)
  6. Set the Extensible Authentication Protocol to EAP-TLS
  7. For the Username field, type (${CERT_SAN_EMAIL} or ${CERT_SAN_UPN})
  8. Under Server Certificate Authority, select a RADIUS Server Issuer CA chain you uploaded earlier
  9. Under Client Enrollment URL, use: chrome-extension: (extension ID will be provided by the SecureW2 support team)
  10. Under Issuer Pattern, enter the matching variables of the CA that issues the Client Certificate (NOT the RADIUS Server Issuing CA)
    1. NOTE: Currently, setting the Organization Name is tested.
  11. Under Apply Network, select By Device or By User depending on the use case
  12. Click Add -> Save.

Note: When moving the Chromebooks to the specific “OU” for enrollment of certificates, make sure the user also belongs to that specific “OU”.

Superior Chromebook Management with EAP-TLS Auto-Enrollment

And with the final save, your network is configured for certificates. The organization can finalize any network settings to be pushed to the managed Chromebooks and then initiate the enrollment process. Managed Chromebooks will enroll for certificates and all the devices will be properly configured for secure 802.1X network access.

In SecureW2’s Management Portal, support has been added to uniquely identify and report Chromebook devices. A powerful Chrome Extension with Google-approved communications allows users to auto-enroll for certificates and provide identity and device tracking to each individual network connection.

Ready to get started onboarding your own managed Chromebooks? SecureW2 is more affordable than you might think. Check out our pricing form to see for yourself.
