Netskope Help

Reverse Proxy for Google Chromebook

Device policies can be configured for enrolled Google Chromebook devices. This article describes the prerequisites and steps needed to provision a Chromebook device via the Netskope SAML proxy.

Prerequisites
  • Devices must be enrolled before provisioning.

  • Google domain admin access.

  • Chromebook Verified Access-related service accounts and their keys (JSON).

  • Chromebook Enterprise License.

Enrolling Chromebook for Provisioning

Google Chromebooks must be enrolled before they can be provisioned in the Netskope tenant. To enroll a device, you will need to do the following:

  • Create service accounts and generate JSON keys.

  • Enable verified access for the Chromebook.

Note

Refer to Google Cloud documentation for detailed configuration steps.

For service accounts: https://developers.google.com/identity/protocols/oauth2/service-account

Creating a Service Account
  1. Log in to https://console.cloud.google.com/

  2. Create new credentials (Service Account) under API & Services.

  3. Generate JSON keys for the service account.

Note

If you are setting up the account for the first time, enable the Chrome Verified Access API.

Enabling Verified Access for Chromebook
  1. Log in to https://admin.google.com/

  2. Under Settings > Devices, locate Chrome Devices.

  3. Enable the following:

    • Verified access: Enable for content protection

    • Verified Mode: Require/Skip Verified mode to boot.

    • Services with full access: Enter your service account email.

    • Single Sign-on Verified access: Enter the URL below (replace with your tenant name)

      • https://saml-<your-tenant-name>.goskope.com/saml/chromedevice/validate

Enabling Chromebook Device Verification
  1. Log in to the Netskope UI.

  2. Click Settings > Security Cloud Platform > SAML (under Reverse Proxy).

  3. Click Add Account.

  4. In the New Account window, enter a Name for the account.

  5. On the Setup tab, select and enter these parameters:

    • Application: Select Google Workspace from the dropdown list.

    • ACS URL: Enter your ACS endpoint URL.

    • IDP URL: Enter your IDP URL to send authentication response.

    • IDP Certificate: Enter or paste your IDP certificate.

    • Alternate User Field: To use a different field for user identification, enter the field name here. By default, Netskope uses the NameID field.

  6. In the Options tab, select and enter these parameters:

    • Select the Enable Google Chromebook Verified Access option.

      Note

      This option is available only if Google Workspace is selected from the Application list in the Setup tab.

    • Action: Select traffic flow rules as per authentication status.

    • Domain Name: Enter the name of the domain for the device.

    • Service Account Credentials: Upload the private key created for the service account as mentioned in the prerequisites.
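
A pre-upload check, added here as an example and not Netskope or Google code: it confirms that the JSON file is a service account key whose client_email matches the address entered under Services with full access, and builds the Single Sign-on Verified Access URL for a tenant. The tenant name `example`, the sample key and the tenant-name pattern are constructed assumptions.

```python
import json
import re

# Fields found in a Google service account JSON key file.
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")
# Assumption: tenant names use only letters, digits, dots and hyphens.
TENANT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")
PEM_RE = re.compile(r"^\s*-----BEGIN (RSA )?PRIVATE KEY-----")

# Constructed sample key; the private key body is a placeholder, not a real key.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "verified-access@example-project.iam.gserviceaccount.com",
})


def validate_url(tenant):
    """Build the Single Sign-on Verified Access URL for a tenant name."""
    if not TENANT_RE.match(tenant):
        raise ValueError(f"unexpected tenant name: {tenant!r}")
    return f"https://saml-{tenant}.goskope.com/saml/chromedevice/validate"


def check_key(key_text, admin_console_email):
    """Return the problems found in a key file's text; an empty list means none."""
    try:
        key = json.loads(key_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = [f"missing field: {name}" for name in REQUIRED if not key.get(name)]
    if key.get("type") not in (None, "", "service_account"):
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    pem = str(key.get("private_key") or "")
    if pem and not PEM_RE.match(pem):
        problems.append("private_key is not a PEM private key block")
    email = str(key.get("client_email") or "")
    if email and email.lower() != admin_console_email.strip().lower():
        problems.append("client_email differs from the 'Services with full access' entry")
    return problems


if __name__ == "__main__":
    print(validate_url("example"))
    print(check_key(SAMPLE_KEY, "verified-access@example-project.iam.gserviceaccount.com") or "key looks consistent")
```

A file that reports every field as missing is usually an OAuth client ID download rather than a service account key.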