Chromebook SCEP Configuration

Chromebook Enterprise License

  • Buy the Chromebook Enterprise license as required via your Google Workspace here
  • Configure the license for the user you want to give access to the Chromebook

Add SCEP Profile

  • Download CA from the Client Certificate Authorities and active Server CA from the Server Certificate Authorities section on the SCEP page in Foxpass Console
Foxpass Client CA

Foxpass Client CA

Foxpass Server CA

Foxpass Server CA

  • Add Client CA in your Google Workspace here Networks > Certificates. Click Add Certificate. Give a name to your certificate. Click Upload. Upload the client CA downloaded earlier. Click Add.
Add certificate

Add certificate

Add details for Foxpass Client CA

Add details for Foxpass Client CA

  • Add Server CA in your Google Workspace here Networks > Certificates. Click Add Certificate. Give a name to your certificate. Click Upload. Upload the server CA downloaded earlier. Click Add.
  • Configure your SCEP profile here Networks > SCEP
    • Device Platforms - Chromebook User
    • SCEP profile name - Foxpass SCEP
    • Subject Name Format
      • Select Fully Distinguished Name option with Common Name set to ${USER_EMAIL} and other fields set as per your company information
    • Subject Alternative Name
      • RFC822 - ${USER_EMAIL}
    • Key Usage
      • Key encipherment - Yes
      • Signing - Yes
    • Key size - 2048
    • Security - Strict
    • SCEP server attributes
      • SCEP Server URL - Copy your Unique endpoint URL from the SCEP page in Foxpass Console
      • Extended key usage - Both Client Authentication and Server Authentication to Yes
      • Challenge type - Static - Paste here your Challenge password from the SCEP page in Foxpass Console
      • Certificate Authority - Select the Client CA that you configured earlier
      • Network type this profile applies to - Wi-Fi
Sample SCEP profile

Sample SCEP profile

Add Wi-Fi Profile

  • Add a WiFi Profile by going to Networks > Wi-Fi.
    • Add Wi-Fi.
    • Select Chromebooks(by user).
    • Name - "Your SSID" (It's mentioned on the Wi-Fi networks page of Foxpass)
    • SSID - "Your SSID"
    • Check Automatically connect.
    • Security Type - WPA/WPA2 Enterprise(802.1X)
    • Extensible Authentication protocol - EAP-TLS
    • Username - anonymous
    • Server Certificate Authority - Select the active Server CA from the dropdown.
    • SCEP Profile - Select the SCEP profile from the dropdown.
    • Name Servers - Select Automatic name Servers. Click Save.
Wi-Fi Profile

Sample Wi-Fi Profile

Setup Google Cloud Certificate Connector

  • Click on the Download connector button for in the Secure SCEP section of the Google Workspace here
  • Download all 3 files from the 3 steps i.e. Google Cloud certificate connector file, Connector configuration file (config.json), Service account key file (key.son)
  • On any Windows server machine, run the setup file Google Cloud certificate connector file as Administator
    • For the Logon as User step, use “.\Administrator” as User with the password / confirm password as the actual Windows password of the Administrator
    • Post installation, copy the Connector configuration file (config.json) and Service account key file (key.json) to C:\Program Files\Google Cloud Certificate Connector\
    • Goto Start > Services > Find Google cloud certificate connector > Start service. Make sure the service starts properly.
Start GCCC on Windows

Start GCCC on Windows

GCCC running

GCCC running

Chromebook login

  • Open your Chromebook. ChromeOS devices bundled with Chrome Enterprise Upgrade or Chrome Education Upgrade automatically prompt users to enroll after they accept the end-user license agreement. After enrollment, users can sign in and start using the device. If they’re not prompted to enroll, users should press Ctrl+Alt+E or select Enterprise enrollment before anyone signs in. Otherwise, wipe the Chromebook as described here.
  • Login using the user who you assigned a license earlier.
  • Goto chrome://certificate-manager in Google Chrome.
    • Next to the request that contains the name of the SCEP profile that you just set up, click More . You can visually see the progress of getting the certificate, if it hasn’t already completed.
    • The new issued Certificate will also show up under Client certificates section of the SCEP page in Foxpass Console.
  • If the settings and configuration of the profiles are correct, you will be automatically connected to your Wi-Fi.
Chromebook connected to Wi-Fi

Chromebook connected to Wi-Fi