How to Set Up Google as a Directory with Connect for Chromebooks

Article #: #
Product: Connect for Chromebooks
Version: Glamis onwards

Summary:

This article aims to provide extra guidance when using Google as a Directory service with Connect for Chromebooks.

Full Description:

Connect for Chromebooks is a custom Chrome™ extension that can be deployed to all Chromebooks on your network. Once the user is logged into the Chromebook, Connect for Chromebooks handles any subsequent authentication requests.

The Chromebook authentication feature allows internal users to authenticate themselves using their Google credentials, whilst enforcing organizational web filtering policies wherever they are located.

You can set up the Connect for Chromebooks extension to trust the user-supplied G Suite domain credentials. This involves:

Creating and authorizing a Google Service Account
Configuring a Google directory connection from the Smoothwall to your G Suite domain
Configuring the Smoothwall to Connect for Chromebooks communication
Distributing the HTTPS certificate from the Smoothwall to all Chromebooks
Deploying the Connect for Chromebooks extension to all Chromebooks
Creating filtering and access policies on your Smoothwall

An alternative method, which prevents user credential spoofing, is available here.

Solution:

1. From the Google API console, create a Google Service Account, and download the private key as a JSON format file — see How do I create a Google Service Account?.
2. From the Google Admin console, authorize the Google Service Account — see How do I authorize the Google Service Account?.
3. From the Smoothwall administration user interface, go to Services > Authentication > Directories, and configure a Google directory connection — see Configuring Google as a Directory Service.
This is where you upload the Service Account private key.
Ensure you synchronize the Smoothwall with your G Suite domain.
4. From the Smoothwall administration user interface, go to Services > Authentication > Google, and configure Connect for Chromebooks to trust G Suite domain credentials — go to the Using Connect for Chromebooks help page, and complete the following sections:
a. Enabling Connect for Chromebooks
b. Validating the HTTPS certificate
c. Determining domain behavior
d. Ensuring user identity is not validated
5. From the Smoothwall administration user interface, create filtering and access policies in Guardian — see How do I allow Google services through my Smoothwall?
6. From the Google Admin console, distribute the HTTPS certificate you downloaded in step 4b to all Chromebooks — see How do I distribute the HTTPS certificate to all my Chromebooks?
7. Still in the Google Admin console, add the proxy details for the Smoothwall appliance that filters Chromebook web traffic — see How do I roll out proxy settings to all my Chromebooks?.
8. Still in the Google Admin console, deploy the Connect for Chromebooks extension to all Chromebooks — see How do I deploy the Connect for Chromebooks Extension to all devices?
9. If your Chromebooks are taken and used off-site, you can still apply the same filtering policies that apply to users on your network, such as blocking all gaming and gambling websites for all students. For a detailed description of how to do this, see How do I filter my Google devices when external to the network?
10. Log into a Chromebook using valid user credentials.

If your Chromebooks use a common startup page, you may find your users see a block page instead of the startup page. This is because Google prioritizes user authentication over the launching of third-party apps, and therefore the Connect for Chromebooks extension does not know the user is authenticated and blocks access. In this scenario, the Connect for Chromebooks icon is gray, but only for a matter of seconds, after which everything starts normally.

a. Open a Chrome browser. You should see the Connect for Chromebooks icon in the browser's icon tray in the top right.
b. If the icon is a green shield, the extension is connected and functioning.
c. Go to a web site that is allowed for that particular user. This should be successful.
d. Now, try going to a website that is blocked for that user. You should see the block page now.

If the shield is red, Connect for Chromebooks is in an error state — see Troubleshooting Connect for Chromebooks.

Tip: To stop users from bypassing the web filter when using their Chromebooks, you should enroll all devices. We also recommend blocking apps and extensions that are not licensed by your organization — see How do I deploy the Connect for Chromebooks Extension to all devices?.
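Steps 1 and 3 move a Service Account private key from the Google API console to the Smoothwall. The following pre-upload check is an added example, not Smoothwall or Google code: it confirms the downloaded file is a service account key (not some other JSON download) and is not readable by other local users. The function names and every sample value are constructed for illustration.

```python
import json
import os
import stat
import tempfile

# Fields present in a Google service account JSON key file.
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email", "client_id")

def check_service_account_key(path):
    """Return a list of problems found in a downloaded service account JSON key."""
    problems = []
    # The key is a long-lived credential: only its owner should be able to read it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("file mode %o is accessible to group/others" % mode)
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
        if not isinstance(key, dict):
            raise ValueError("top-level value is not an object")
    except (ValueError, OSError) as exc:
        return problems + ["not a JSON key file: %s" % exc]
    for field in REQUIRED:
        if not key.get(field):
            problems.append("missing field: " + field)
    # Other JSON downloads (for example an OAuth client file) have no such type.
    if key.get("type") != "service_account":
        problems.append("type is %r, expected 'service_account'" % key.get("type"))
    if "BEGIN PRIVATE KEY" not in str(key.get("private_key", "")):
        problems.append("private_key is not a PEM private key")
    if not str(key.get("client_email", "")).endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    return problems

def write_sample(key, mode=0o600):
    """Write a constructed key dict to a temp file (sample input for the check)."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)
    return path

# Constructed sample: every value is a placeholder, not a real credential.
SAMPLE = {
    "type": "service_account", "project_id": "example-project",
    "private_key_id": "0000placeholder", "client_id": "100000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "directory-sync@example-project.iam.gserviceaccount.com",
}
```

An empty list from `check_service_account_key` means the file passed every check; after uploading the key in step 3, remove the local copy or keep it in a secrets store.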

Attribution:

Last updated: 23rd November 2016
Author: Samantha Nair
Contributions by: Martin Pritchard, Richard Bulger, Tanja Ehrhardt

 

Copyright © 2000-2016 Smoothwall All rights reserved.