Chrome for Business and Education

Chrome Devices

Manage networks

This article is for Chrome for Business and Education administrators only.

The Chrome network settings in the Google administrator control panel configure Wi-Fi and VPN access for Chrome devices enrolled in your domain. To manage network settings:

  1. Sign in to the Admin console.
  2. Select Settings from the menu at the top of the control panel.
  3. Select Chrome from the list of services on the left.
  4. Select the Networks tab.

Adding a Wi-Fi configuration
  1. Choose either For Users or For Devices according to the following:
    • Choose For Users if the Wi-Fi network should be accessible only by the users in your domain, or only by a particular organization in your domain.
    • Choose For Devices if the Wi-Fi network should be accessible by any individual (including guests) who can sign in to either all devices that're enrolled in your domain, or a specific organization in your domain.
  2. Click Add Wi-Fi. The Add Wi-Fi network dialog appears.
  3. Provide the following information:
    Field Description
    Name The name of this Wi-Fi network entry. This field is for your reference and does not have to match the network's SSID.
    Service set identifier (SSID) The Wi-Fi network's SSID. This is the name that a network broadcasts to identify itself, and that computers use to join it. Note that SSIDs are case-sensitive.
    This SSID is not broadcast Check this box if your network does not broadcast its SSID.
    Automatically connect Check this box if Chrome devices should automatically connect to this wireless network when it's available.
    Security type The security method used by your network.
    • If you select WEP (insecure) or WPA, enter your network's security passphrase.
    • If you select WPA Enterprise (802.1X), specify the additional fields described in step 5.
    • Select None if you do not use a security method.
    Passphrase Your network's security passphrase. Required only for WEP (insecure) and WPA security types.
    Proxy settings The proxy configuration for your network.
    • Choose Direct Internet Connection if your network doesn't use a proxy.
    • Choose Automatic Proxy Configuration if your network provides a URL for automatic proxy configuration. Then enter the URL in the appropriate field.
    • Choose Manual Proxy Configuration to enter the proxy information manually.
  4. If your network's security type is WPA Enterprise (802.1X), specify the following additional information:
    Field Description
    Extensible Authentication Protocol Your network's Extensible Authentication Protocol.
    • EAP-TTLS
    • LEAP
    • PEAP
    • EAP-TLS (only available if you select By Organization for the Wi-Fi network)
    Inner Protocol The protocol to use for the secure connection. Automatic works for most setups. Not required for LEAP or EAP-TLS.
    Outer Identity The user identity presented to the network's outer protocol. Supports username variables. Not required for LEAP.
    Username The username for administering the network. Supports username variables.
    Password The password for the given Username. If you're using a username variable, leave this field blank. Not required for EAP-TLS.
    Server Certificate Authority Defines which authorities to allow when authenticating the certificate provided by the network connection. Not required for LEAP.
    • Use any default Certificate Authority allows a certificate only if it has a chain of trust to one of Chrome's default certificate authorities
    • Do not check (insecure) allows any certificate
    Select Add new certificate to upload your own certificate authority in X.509 PEM format, or choose from certificates you've already uploaded (these options are only available if you select By Organization for the Wi-Fi network). Learn more about managing your certificates.
    Client enrollment URL The URL used to fetch a client certificate if no valid certificate information is provided. Required only for EAP-TLS networks.

    Provide one or more of the following values for Issuer pattern and/or Subject pattern:
    • Common name
    • Locality
    • Organization
    • Organizational unit

    Each value you specify must exactly match the respective value in the certificate in order for the certificate to be used. For example, the common name in the issuer pattern field must be the same as the client common name.

    Your server should provide the certificate with the HTML5 keygen tag.
  5. Click Save to close the dialog.
  6. Click Save changes. Your network configuration appears in the list under Settings.

    To delete a network configuration from the list, hover over it and click Revert.

Adding a VPN configuration
  1. Choose For Users. (For security reasons, you cannot choose For Devices when configuring VPN.)
  2. Select the appropriate organization from the provided list.
  3. Click Add VPN. The Add VPN network dialog appears.
  4. In the Name field, create a name for this VPN network entry.
  5. In the Remote host field, enter the IP address or the full server hostname of the server that provides access to the VPN.
  6. Specify the VPN type, either L2TP over IPsec with Pre-Shared Key or OpenVPN.
    The control panel can only push limited OpenVPN configurations. For example, it can't push configurations for OpenVPN networks with TLS authentication.
  7. If the VPN type is L2TP over IPsec with Pre-Shared Key, provide the following:
    Field Description
    Pre-shared key The passphrase or key used to connect to the VPN. Not required for OpenVPN.
    Username Username for connecting to the VPN. Supports username variables.
    Password The password for the given username. If you're using a username variable, leave this field blank.
  8. If the VPN type is OpenVPN, provide the following:
    Field Description
    Remote host port The port to use when connecting to the remote host (optional).
    Protocol The protocol to use for VPN traffic.
    Server certificate authority Defines which authorities to allow when authenticating the certificate provided by the network connection.

    Choose from your uploaded certificates, or select Add new certificate to upload a new certificate authority in X.509 PEM format. Learn more about managing your certificates.
    Use client enrollment URL Check this box if the server requires client certificates. If checked, provide the enrollment URL, along with one or more of the following values for Issuer pattern and/or Subject pattern:
    • Common name
    • Locality
    • Organization
    • Organizational unit

    Each value you specify must exactly match the respective value in the certificate in order for the certificate to be used. For example, the common name in the issuer pattern field must be the same as the client common name.

    Your server should provide the certificate with the HTML5 keygen tag.
    Username The OpenVPN username. Supports username variables. Leave this blank to require individual user credentials at login.
    Password The OpenVPN password. Leave this blank to require individual user credentials at login.
  9. In the Proxy settings field, specify the proxy configuration for your VPN.
    • If your VPN doesn't use a proxy, choose Direct Internet Connection.
    • If your network provides a URL for automatic proxy configuration, choose Automatic Proxy Configuration and provide the URL.
    • To provide the proxy information manually, choose Manual Proxy Configuration.
  10. Click Save to close the dialog.
  11. Click Save changes. Your VPN configuration appears in the list under Settings.

    You can delete a VPN configuration from the list by mousing over it and clicking Revert. Then click Save changes.

Username variables
Your Chrome devices can automatically try to connect to a secure network with the username or full email address of the currently logged-in user. Your users then only need to provide their password to authenticate. To use this feature, specify one of the following variables in the Username and/or Outer identity fields during configuration:
Variable Description
${LOGIN_ID} Expands to the current user's username, e.g., "jsmith".
${LOGIN_EMAIL} Expands to the current user's full email address, e.g., "jsmith@your_domain.com".

Manage certificates
After you set up a Wi-Fi network or VPN, you can manage certificates associated with the network. From Settings > Chrome > Networks > For Users, click Manage Certificates to see your uploaded certificates. You can add new certificates that are in X.509 PEM format, and delete certificates your networks don't use.

Special setup for networks with SSL content filters

Domains that have network filtering devices doing SSL inspection generally require a custom Root certificate to be added to the Authorities tab. While this works for most user-driven web requests, some system-level requests do not use this certificate to protect the user against certain kinds of security risks.

To get Chrome devices to work on a network with SSL inspection, you need to whitelist the following hostnames on your proxy server to let these requests to go through without any SSL interception.

accounts.google.com
accounts.youtube.com
clients1.google.com
clients2.google.com
clients3.google.com
clients4.google.com
cros-omahaproxy.appspot.com
dl.google.com
dl-ssl.google.com
m.google.com
omahaproxy.appspot.com
m safebrowsing-cache.google.com
safebrowsing.google.com
ssl.gstatic.com tools.google.com
pack.google.com
www.gstatic.com
gweb-gettingstartedguide.appspot.com
storage.googleapis.com
commondatastorage.googleapis.com