Reverse Proxy for Google Chromebook
Device policies can be configured for enrolled Google Chromebook devices. This article describes the prerequisites and steps needed to provision a Chromebook device via the Netskope SAML proxy.
Prerequisites
- Devices must be enrolled before provisioning.
- Google domain admin access.
- Service accounts for Chromebook Verified Access and their keys (JSON).
- Chromebook Enterprise License.
Enrolling Chromebook for Provisioning
Google Chromebooks must be enrolled before they can be provisioned in a Netskope tenant. To enroll a device, you will need to do the following:
- Create service accounts and generate JSON keys.
- Enable verified access for the Chromebook.
* Reverse Proxy based steering is not supported for Chromebook devices when the login is via Chromebook Verified Access mode.
* Refer to Google Cloud documentation for detailed configuration steps. For service accounts: https://developers.google.com/identity/protocols/oauth2/service-account
Creating a Service Account
- Log in to https://console.cloud.google.com/
- Create new credentials (Service Account) under API & Services
- Generate JSON keys for the service account.
If you are setting up the account for the first time, enable the Chrome Verified Access API.
Enabling Verified Access for Chromebook
- Log in to https://admin.google.com/
- Under Settings > Devices, locate Chrome Devices
- Enable the following:
- Verified access: Enable for content protection.
- Verified Mode: Require/Skip Verified mode to boot.
- Services with full access: Enter your service account email.
- Single Sign-on Verified access: Enter the below URL (replace with your tenant name):
https://saml-<tenant-URL>/saml/chromedevice/validate
Enabling Chromebook Device Verification
- Log in to the Netskope UI.
- Click Settings > Security Cloud Platform > SAML (under Reverse Proxy).
- Click Add Account.
- In the New Account window, enter a Name for the account.
- On the Setup tab, select and enter these parameters:
- Application: Select Google Workspace from the dropdown list.
- ACS URL: Enter your ACS endpoint URL.
- IDP URL: Enter the IDP URL to which the authentication response is sent.
- IDP Certificate: Enter / paste your IDP certificate.
- Alternate User Field: To use a different field for user identification, enter the field name here. By default, Netskope uses the NameID field.
- In the Options tab, select and enter these parameters:
- Select Enable Google Chromebook Verified Access option.
Note
This option is available only if Google Workspace is selected from the Application list in the Setup tab.
- Action: Select traffic flow rules as per authentication status.
- Domain Name: Enter the name of the domain for the device.
- Service Account Credentials: Upload the private key created for the service account as mentioned in the prerequisites.