ChromeOS

This document describes how to deploy device and/or user certificates to ChromeOS devices. Deploying the SCEPman Root Certificate is mandatory.

Last updated 2 months ago


Root Certificate

As a first step, you must deploy SCEPman's root certificate. To do so, follow these steps:

  1. Download the root CA certificate from your SCEPman website by clicking on the Get CA Certificate link.

  2. Now upload your SCEPman root CA to your Google Workspace. In your Google Admin console (admin.google.com) navigate to Menu > Devices > Networks > Certificates > ADD CERTIFICATE.

Be aware that the Google Admin console only accepts certificates in PEM format. You will need to convert the SCEPman root CA (which is downloaded in DER format by default), either using openssl or by importing it in Windows and exporting it again in Base-64 format.
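The openssl conversion mentioned above, as an added shell example (not taken from the SCEPman documentation); the file names passed on the command line are placeholders. It accepts either DER or PEM input, rejects files that are not X.509 certificates, and prints the SHA-256 fingerprint so the file you upload can be compared with the certificate you downloaded.

```shell
#!/bin/sh
# Added example: normalise a downloaded root CA certificate to PEM for upload.
# File names are placeholders, not values from the SCEPman documentation.

# to_pem SRC DST: write SRC to DST as a PEM certificate, whether SRC is DER or PEM.
# Returns non-zero (and leaves no DST behind) if SRC is not an X.509 certificate.
to_pem() {
    src=$1; dst=$2
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$src" 2>/dev/null; then
        # Already PEM: re-encode so any text around the block is dropped.
        openssl x509 -inform PEM -in "$src" -outform PEM -out "$dst" 2>/dev/null
    else
        # Default download format is DER (binary).
        openssl x509 -inform DER -in "$src" -outform PEM -out "$dst" 2>/dev/null
    fi || { rm -f "$dst"; return 1; }
}

# cert_sha256 FILE: print the SHA-256 fingerprint of a PEM certificate.
# The fingerprint covers the DER encoding, so it is identical before and
# after conversion.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage: sh to_pem.sh downloaded-root.cer root-for-upload.pem
if [ "$#" -eq 2 ]; then
    to_pem "$1" "$2" || { echo "not an X.509 certificate: $1" >&2; exit 1; }
    openssl x509 -in "$2" -noout -subject -enddate
    echo "SHA-256: $(cert_sha256 "$2")"
fi
```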

Add a SCEP Profile

The SCEP profile defines the certificate that lets users access your WiFi. Assign the profile to specific users by adding it to an organisational unit. Set up multiple SCEP profiles to manage access by device type. The following configuration example

  1. In your Google Admin console (admin.google.com) navigate to Menu > Devices > Network

  2. Click Create SCEP Profile.

  3. Click Add Secure SCEP Profile.

  4. Enter the configuration details for the profile.

| Attribute | Value (Device) | Value (User) |
| --- | --- | --- |
| Device platforms | Chromebook (device) | Chromebook (user) |

| Attribute | Value |
| --- | --- |
| SCEP profile name | Provide a name for your SCEP profile. |

| Attribute | Value (Device) | Value (User) |
| --- | --- | --- |
| Subject name format | Fully distinguished name | Fully distinguished name |
| Common name | ${DEVICE_SERIAL_NUMBER} | ${USER_EMAIL} |
| Company name | Your company name. | Your company name. |
| Organisation unit | Your organizational unit. This is optional. | Your organizational unit. This is optional. |
| Locality | Your organisation unit's location. This is optional. | Your organisation unit's location. This is optional. |
| State | Your organisation unit's state. This is optional. | Your organisation unit's state. This is optional. |
| Country / region | Your organisation unit's country. This is optional. | Your organisation unit's country. This is optional. |
| Subject alternative name | Default: None. This can be set to Custom when the SAN shall be used, e.g. as outer identity when authenticating to a WiFi using EAP-TLS. | Custom. User Principal: ${USER_EMAIL_NAME} |

| Attribute | Value |
| --- | --- |
| Signing algorithm | SHA256withRSA |
| Key usage | Key encipherment, Signing |
| Key size (bits) | 3072 |
| Security | Strict (only supported by managed devices) |

SCEP server attributes

| Attribute | Value |
| --- | --- |
| SCEP server URL | http://scepman.yourdomain.net/static |
| Certificate validity period (years) | 1 |
| Renew within days | 42 |
| Extended key usage | Client authentication |
| Challenge type | Static |
| Challenge | Provide the challenge value you have configured when enabling the SCEPman Google Workspace integration. |
| Certificate Authority | Reference here the certificate profile containing your SCEPman Root CA. |
| Network type this profile applies to | Wi-Fi |

  5. The SCEP profile is automatically distributed to users in the organisational unit.

  6. To check for this certificate, in your Chromebook navigate to chrome://certificate.manager > Your certificates.