Chromebook SCEP Configuration

Chromebook Enterprise License

Buy the Chromebook Enterprise license as required via your Google Workspace here
Configure the license for the user you want to give access to the Chromebook

Add SCEP Profile

Download CA from the Client Certificate Authorities and active Server CA from the Server Certificate Authorities section on the SCEP page in Foxpass Console

Add Client CA in your Google Workspace here Networks > Certificates. Click Add Certificate. Give a name to your certificate. Click Upload. Upload the client CA downloaded earlier. Click Add.

Add Server CA in your Google Workspace here Networks > Certificates. Click Add Certificate. Give a name to your certificate. Click Upload. Upload the server CA downloaded earlier. Click Add.
Configure your SCEP profile here Networks > SCEP
- Device Platforms - Chromebook User
- SCEP profile name - Foxpass SCEP
- Subject Name Format
  - Select Fully Distinguished Name option with Common Name set to ${USER_EMAIL} and other fields set as per your company information
- Subject Alternative Name
  - RFC822 - ${USER_EMAIL}
- Key Usage
  - Key encipherment - Yes
  - Signing - Yes
- Key size - 2048
- Security - Strict
- SCEP server attributes
  - SCEP Server URL - Copy your Unique endpoint URL from the SCEP page in Foxpass Console
  - Extended key usage - Both Client Authentication and Server Authentication to Yes
  - Challenge type - Static - Paste here your Challenge password from the SCEP page in Foxpass Console
  - Certificate Authority - Select the Client CA that you configured earlier
  - Network type this profile applies to - Wi-Fi

Sample SCEP profile

Add Wi-Fi Profile

Sample Wi-Fi Profile

Setup Google Cloud Certificate Connector

Click on the Download connector button for in the Secure SCEP section of the Google Workspace here
Download all 3 files from the 3 steps i.e. Google Cloud certificate connector file, Connector configuration file (config.json), Service account key file (key.son)
On any Windows server machine, run the setup file Google Cloud certificate connector file as Administator
- For the Logon as User step, use “.\Administrator” as User with the password / confirm password as the actual Windows password of the Administrator
- Post installation, copy the Connector configuration file (config.json) and Service account key file (key.json) to C:\Program Files\Google Cloud Certificate Connector\
- Goto Start > Services > Find Google cloud certificate connector > Start service. Make sure the service starts properly.

Chromebook login

Open your Chromebook. ChromeOS devices bundled with Chrome Enterprise Upgrade or Chrome Education Upgrade automatically prompt users to enroll after they accept the end-user license agreement. After enrollment, users can sign in and start using the device. If they’re not prompted to enroll, users should press Ctrl+Alt+E or select Enterprise enrollment before anyone signs in. Otherwise, wipe the Chromebook as described here.
Login using the user who you assigned a license earlier.
Goto chrome://certificate-manager in Google Chrome.
- Next to the request that contains the name of the SCEP profile that you just set up, click More . You can visually see the progress of getting the certificate, if it hasn’t already completed.
- The new issued Certificate will also show up under Client certificates section of the SCEP page in Foxpass Console.
If the settings and configuration of the profiles are correct, you will be automatically connected to your Wi-Fi.