Set up networks for managed devices (Wi-Fi, Ethernet, VPN, cellular)

To set up networks on your Chromebook, go here instead.

ChromeOS devices that have a Marvell Wi-Fi chipset don't support WPA3.

Supported editions for this feature: Frontline Starter and Frontline Standard; Business Starter, Business Standard, and Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, Education Plus, and Endpoint Education Upgrade; Essentials, Enterprise Essentials, and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Free and Cloud Identity Premium. Compare your edition

As an administrator, you can configure the networks that managed mobile devices, ChromeOS devices, and Google meeting room hardware use for work or school. You can control Wi-Fi, Ethernet, and Virtual Private Network (VPN) access, and set up network certificates.

When you add a network configuration, you can apply the same network settings for your entire organization, or enforce specific network settings for different organizational units.

Supported device platforms for network configurations

Network type Supported platforms
Wi-Fi
  • Android and iOS. Requires the following:
    • Advanced mobile management
    • Multiple 802.1x Wi-Fi networks for Android require Android version 4.3 or later.
    • iOS supports the following extensible authentication protocols (EAPs): Protected Extensible Authentication Protocol (PEAP), Lightweight Extensible Authentication Protocol (LEAP), Transport Layer Security (TLS), and Tunneled Transport Layer Security (TTLS).
  • ChromeOS devices (by user or device)
  • Google meeting room hardware
Ethernet
  • ChromeOS devices (by user or device)
  • Google meeting room hardware
VPN Managed ChromeOS devices

Important considerations for network configuration

  • We recommend that you set up at least one Wi-Fi network for the top organizational unit in your organization and set it to Automatically connect. This setup ensures that devices can access a Wi-Fi network at the sign-in screen.
  • If you leave the password field empty when you set up a network, users can set passwords on their devices. If you specify a password, it's enforced on devices and users can’t edit it.
  • If you need to use static IP addresses on ChromeOS devices in your organization, you can use IP address reservation on your DHCP server. However, DHCP doesn't provide authentication. To track the identity of ChromeOS devices on the network, use a separate authentication mechanism.

Open all   |    Close all

Set up a network

Before you begin: If you want to configure a network with a Certificate Authority, add a certificate before you configure the network.

Add a Wi-Fi network configuration

You can automatically add configured Wi-Fi networks to mobile and ChromeOS devices.

Additional Wi-Fi network requirements for mobile devices:

  • For Android devices, additional 802.1x Wi-Fi networks are supported only on Android 4.3 and later devices.
  • For managed iOS devices, the following extensible authentication protocols (EAPs) are supported: Protected Extensible Authentication Protocol (PEAP), Lightweight Extensible Authentication Protocol (LEAP), Transport Layer Security (TLS), and Tunneled Transport Layer Security (TTLS).

Note: A mobile device always inherits the user's Wi-Fi network settings. Therefore, you can configure network settings for mobile devices only by organizational unit.

Add a Wi-Fi network

Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenNetworks.
  3. (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
  4. Click Create Wi-Fi network. If you already set up a Wi-Fi network, click Wi-FiAdd Wi-Fi.
  5. In the Platform access section, select the device platforms that can use this network.
  6. In the Details section, enter the following:
    1. Name—A name for the Wi-Fi that is used to reference it in the Admin console. It doesn’t have to match the network's service set identifier (SSID).
    2. SSID—The Wi-Fi network's SSID. SSIDs are case-sensitive.
    3. (Optional) If your network doesn’t broadcast its SSID, check the This SSID is not broadcast box.
    4. (Optional) To automatically connect devices to this network when it's available, check the Automatically connect box.
    5. Security type—Choose a security type for the network.

      Note: Dynamic WEP (802.1x) is supported only on ChromeOS devices. For Android tablets used with an Education edition, you can't use WPA/WPA2/WPA3 Enterprise (802.1x) during student tablet configuration, but you can set it up manually after you enroll the tablets.

      The next steps depend on the security type you choose.

  7. (Optional) For WEP (insecure) and WPA/WPA2/WPA3 security types, enter a network security passphrase.
  8. (Optional) For WPA/WPA2/WPA3 Enterprise (802.1x) and Dynamic WEP (802.1x), choose an EAP for the network and configure the following options:
    1. For PEAP:
      1. (Optional) Choose the inner protocol to use. Automatic works for most configurations.
      2. (Optional) For Outer identity, enter the user identity to present to the network’s outer protocol. The identity supports username variables.
      3. For Username, Enter a username for administering the network. The username supports username variables.
      4. (Optional) Enter a password. The value isn’t visible after you save the configuration.
      5. (Required for Android 13 or later, otherwise optional) Choose a server Certificate Authority.
        Note: For Android 13 or later, System default certificate authorities and Don't check (insecure) are not supported.
      6. (Required for Android 13 or later, otherwise optional but recommended) For Server Certificate Domain Suffix Match, enter one or more suffixes.
        Note: The device only connects to the Wi-Fi network if the authentication server’s certificate Subject CommonName or SubjectAlternativeName’s DNS Name matches one of the suffixes that you specify.
    2. For LEAP:
      1. For Username, enter a username for administering the network. The username supports username variables.
      2. (Optional) Enter a password. The value isn’t visible after you save the configuration.
    3. For EAP-TLS:
      1. For Username, enter a username for administering the network. The username supports username variables.
      2. (Required for Android 13 or later, otherwise optional) Choose a server Certificate Authority.
        Note: For Android 13 or later, System default certificate authorities and Don't check (insecure) are not supported.
      3. (Required for Android 13 or later, otherwise optional but recommended) For Server Certificate Domain Suffix Match, enter one or more suffixes.
        Note: The device only connects to the Wi-Fi network if the authentication server’s certificate Subject CommonName or SubjectAlternativeName’s DNS Name matches one of the suffixes that you specify.
      4. (Optional) Select the SCEP profile you want to apply to this network. Learn more
      5. Enter a client enrollment URL.
      6. Enter one or more values for an Issuer pattern or Subject pattern.
        Each value you specify must exactly match the respective value in the certificate; if they don’t match, the certificate isn’t used. Your server should provide the certificate with the HTML5 keygen tag.
    4. For EAP-TTLS:
      1. (Optional) Choose the inner protocol to use. Automatic works for most configurations.
      2. (Optional) For Outer identity, enter the user identity to present to the network’s outer protocol. The identity supports username variables.
      3. For Username, Enter a username for administering the network. The username supports username variables.
      4. (Optional) Enter a password. The value isn’t visible after you save the configuration.
      5. (Required for Android 13 or later, otherwise optional) Choose a server Certificate Authority.
        Note: For Android 13 or later, System default certificate authorities and Don't check (insecure) are not supported.
      6. (Required for Android 13 or later, otherwise optional but recommended) For Server Certificate Domain Suffix Match, enter one or more suffixes.
        Note: The device only connects to the Wi-Fi network if the authentication server’s certificate Subject CommonName or SubjectAlternativeName’s DNS Name matches one of the suffixes that you specify.
      7. (Optional) Select the SCEP profile you want to apply to this network. Learn more
    5. For EAP-PWD:
      1. For Username, Enter a username for administering the network. The username supports username variables.
      2. (Optional) Enter a password. The value isn’t visible after you save the configuration.
  9. Configure the network proxy settings:
    1. Select a proxy type:
      • Direct Internet connection—Allow direct internet access to all websites without using a proxy server. Note: Direct internet connection isn’t supported on Android tablets used with an Education edition.
      • Manual proxy configuration—Configure a proxy server for all or some of your domains or IP addresses:
        1. Select an HTTP proxy mode. You can configure only the SOCKS host, a single HTTP proxy host for all protocols, or different HTTP proxy hosts for the protocols.
        2. For each host, enter the server host IP address and the port number to use.
        3. To bypass the proxy server (not available for iOS device traffic) and have no proxy for some domains or IP addresses, in the Domains with no proxy field, enter them as a comma-separated list with no spaces.
          You can use wildcard characters with domain names. For example, to add all variations of google.com, enter *google.com*.
          Use CIDR notation, such as 192.168.0.0/16, to specify an IP range. However, combining wildcards and CIDR notation, such as 192.168.1.*/24,  isn't supported. 
          Proxy bypass rules by IP range apply only to IP literals in URLs.
      • Automatic proxy configuration—Use a Proxy Server Auto Configuration (.pac) file to determine the proxy server to use. Enter the PAC file URL.
      • Web proxy autodiscovery (WPAD)—Allow devices to discover which proxy to use.
    2. If you use an authenticated proxy, add all the hostnames on this list to your allowlist.
      Note: ChromeOS supports authenticated proxies for browser traffic only. ChromeOS does not support authenticated proxies for non-user traffic or for traffic coming from Android applications or virtual machines.
  10. (Optional) Under DNS settings, do the following:
    1. Add your static DNS servers.
      Enter one IP address per line. Leave blank to use DNS servers from DHCP.
    2. Configure your custom search domains.
      Enter one domain per line. Leave blank to use values from DHCP.
  11. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit

After you add the configuration, it's listed in the Wi-Fi section with its name, SSID, and the platforms it's enabled on. In the Enabled On column, the configuration is enabled for platforms with blue icons and disabled for platforms with gray icons. You can also point to each icon to review its status.

Additional notes on setting up Wi-Fi networks

  • After you set up a Wi-Fi network and before you change the password, set up another network so that users get the updated Wi-Fi settings on their devices.
  • Hidden networks can take a while to be identified on Android devices.
Add an Ethernet network configuration

Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenNetworks.
  3. (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
  4. Click Create Ethernet network. If you already set up an Ethernet network, click EthernetAdd Ethernet.
  5. In the Platform access section, select the device platforms that can use this network.
  6. In the Details section, enter the following:
    1. Name—A name for the Ethernet network that is used to reference it in the Admin console.
    2. Authentication—Choose the authentication method to use, None or Enterprise (802.1X).
  7. If you chose Enterprise (802.1X), choose an EAP and configure the following options:
    1. For PEAP:
      1. (Optional) Choose the inner protocol to use. Automatic works for most configurations.
      2. (Optional) For Outer identity, enter the user identity to present to the network’s outer protocol. The identity supports username variables.
      3. For Username, enter a username for administering the network. The username supports username variables.
      4. (Optional) Enter a password. The value isn’t visible after you save the configuration.
      5. (Required for Android 13 or later, otherwise optional) Choose a server Certificate Authority.
        Note: For Android 13 or later, System default certificate authorities and Don't check (insecure) are not supported.
      6. (Required for Android 13 or later, otherwise optional but recommended) For Server Certificate Domain Suffix Match, enter one or more suffixes.
        Note: The device only connects to the Ethernet network if the authentication server’s certificate Subject CommonName or SubjectAlternativeName’s DNS Name matches one of the suffixes that you specify.
    2. For LEAP:
      1. For Username, enter a username for administering the network. The username supports username variables.
      2. (Optional) Enter a password. The value isn’t visible after you save the configuration.
    3. For EAP-TLS:
      1. For Username, enter a username for administering the network. The username supports username variables.
      2. (Required for Android 13 or later, otherwise optional) Choose a server Certificate Authority.
        Note: For Android 13 or later, System default certificate authorities and Don't check (insecure) are not supported.
      3. (Required for Android 13 or later, otherwise optional but recommended) For Server Certificate Domain Suffix Match, enter one or more suffixes.
        Note: The device only connects to the Ethernet network if the authentication server’s certificate Subject CommonName or SubjectAlternativeName’s DNS Name matches one of the suffixes that you specify.
      4. Enter a client enrollment URL.
      5. Enter one or more values for an Issuer pattern or Subject pattern.
        Each value you specify must exactly match the respective value in the certificate; if they don’t match, the certificate isn’t used. Your server should provide the certificate with the HTML5 keygen tag.
    4. For EAP-TTLS:
      1. (Optional) Choose the inner protocol to use. Automatic works for most configurations.
      2. (Optional) For Outer identity, enter the user identity to present to the network’s outer protocol. The identity supports username variables.
      3. For Username, Enter a username for administering the network. The username supports username variables.
      4. (Optional) Enter a password. The value isn’t visible after you save the configuration.
      5. (Required for Android 13 or later, otherwise optional) Choose a server Certificate Authority.
        Note: For Android 13 or later, System default certificate authorities and Don't check (insecure) are not supported.
      6. (Required for Android 13 or later, otherwise optional but recommended) For Server Certificate Domain Suffix Match, enter one or more suffixes.
        Note: The device only connects to the Ethernet network if the authentication server’s certificate Subject CommonName or SubjectAlternativeName’s DNS Name matches one of the suffixes that you specify.
    5. For EAP-PWD:
      1. For Username, Enter a username for administering the network. The username supports username variables.
      2. (Optional) Enter a password. The value isn’t visible after you save the configuration.
  8. Configure the network proxy settings:
    1. Select a proxy type:
      • Direct internet connection—Allow direct internet access to all websites without using a proxy server. Note: Direct internet connection isn’t supported on Android tablets used with an Education edition.
      • Manual proxy configuration—Configure a proxy server for all or some of your domains or IP addresses:
        1. Select an HTTP proxy mode. You can configure only the SOCKS host, a single HTTP proxy host for all protocols, or different HTTP proxy hosts for the protocols.
        2. For each host, enter the server host IP address and the port number to use.
        3. To bypass the proxy server (not available for iOS device traffic) and have no proxy for some domains or IP addresses, in the Domains with no proxy field, enter them as a comma-separated list with no spaces. You can use wildcard characters. For example, to add all variations of google.com, enter *google.com*.
      • Automatic proxy configuration—Use a Proxy Server Auto Configuration (.pac) file to determine the proxy server to use. Enter the PAC file URL.
      • Web proxy autodiscovery (WPAD)—Allow devices to discover which proxy to use.
    2. If you use an authenticated proxy, allowlist all the hostnames on this list.
      Note: ChromeOS supports authenticated proxies for browser traffic only. ChromeOS does not support authenticated proxies for non-user traffic or for traffic coming from Android applications or virtual machines.
  9. (Optional) Under DNS settings, do the following:
    1. Add your static DNS servers.
      Enter one IP address per line. Leave blank to use DNS servers from DHCP.
    2. Configure your custom search domains.
      Enter one domain per line. Leave blank to use values from DHCP.
  10. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit

After you add the configuration, it's listed in the Ethernet section with its name, SSID, and the platforms it's enabled on. In the Enabled On column, the configuration is enabled for platforms with blue icons and disabled for platforms with gray icons. You can also point to each icon to review its status.

Note: ChromeOS supports only one Ethernet network profile due to configuration limitations.

Use a third-party VPN app

Download the app from the Chrome Web Store. You can install and configure third-party VPN apps like any other Chrome app. For details, see Set Chrome policies for one app.

Add a VPN configuration

For managed ChromeOS devices and other devices running ChromeOS.

Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenNetworks.
  3. (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
  4. Click Create VPN network.
  5. Choose a platform to allow access to this VPN.
  6. Enter VPN details:
    1. Name—A name for the VPN that is used to reference it in the Admin console.
    2. Remote host—The IP address or the full server hostname of the server that provides access to the VPN in the Remote host box.
    3. (Optional) To automatically connect devices to this VPN, check the Automatically connect box.
    4. VPN type—Choose a VPN type.
      Note: The Admin console can push only certain OpenVPN configurations. For example, it can't push configurations for OpenVPN networks with TLS authentication.
    5. If you chose L2TP over IPsec with Pre-Shared Key:
      1. Enter the pre-shared key needed to connect to the VPN. This value isn't visible after you save the configuration.
      2. Enter a username to connect to the VPN. The username supports username variables.
      3. (Optional) Enter a password. If you’re using a username variable, don’t enter password. Note: This value isn’t visible after you save the configuration.
    6. If you chose OpenVPN:
      1. (Optional) Enter the port to use when connecting to the remote host.
      2. Choose the protocol to use for VPN traffic.
      3. Choose which authorities to allow when authenticating the certificate provided by the network connection.
        Choose from your uploaded certificates.
      4. If the server requires client certificates, check the Use client enrollment URL box and enter one or more values for an Issuer pattern or Subject pattern.
        • The values must exactly match the respective values in the certificate.
        • Configure the server to provide the certificate with the HTML5 keygen tag.
  7. For Username, enter the OpenVPN username (supports username variables) or, to require individual user credentials at sign-in, leave blank.
  8. For Password, enter the OpenVPN password or, to require individual user credentials at sign-in, leave blank.
  9. Configure the network proxy settings:
    1. Select a proxy type:
      • Direct internet connection—Allow direct internet access to all websites without using a proxy server.
      • Manual proxy configuration—Configure a proxy server for all or some of your domains or IP addresses:
        1. Select an HTTP proxy mode. You can configure only the SOCKS host, a single HTTP proxy host for all protocols, or different HTTP proxy hosts for the protocols.
        2. For each host, enter the server host IP address and the port number to use.
        3. To bypass the proxy server (not available for iOS device traffic) and have no proxy for some domains or IP addresses, in the Domains with no proxy field, enter them as a comma-separated list with no spaces. You can use wildcard characters. For example, to add all variations of google.com, enter *google.com*.
      • Automatic proxy configuration—Use a Proxy Server Auto Configuration (.pac) file to determine the proxy server to use. Enter the PAC file URL.
      • Web proxy autodiscovery (WPAD)—Allow devices to discover which proxy to use.
  10. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit

After you add the configuration, it's listed in the VPN section with its name, SSID, and the platforms it's enabled on. In the Enabled On column, the configuration is enabled for platforms with blue icons and disabled for platforms with gray icons. You can also point to each icon to review its status.

Add a cellular network

For devices with ChromeOS version 101 or later.

Users can use eSIM on ChromeOS devices instead of a physical SIM card.

Before you begin

  • To apply the setting for certain users, put their accounts in an organizational unit.
  • Enroll ChromeOS devices.
  • Purchase eSIM data plans from your mobile provider.
  • Contact your mobile provider to request the activation URL that you’ll need to enter in the Admin console during setup. If needed or requested, download a list of your ChromeOS devices and send it to them. The CSV file that you download includes the MEID/IMEI and EID details that your provider needs. For details, go to View ChromeOS device details.
  • eSim is supported on ChromeOS devices that are based on Qualcomm 7C or GL-850 platform, as long as the OEM provides a separate plastic eSIM card in the SIM slot.

How to

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenNetworks.
  3. (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
  4. Click Create mobile network.
  5. In the Platform access section, for Chromebooks (by device), check the Enabled box.
    • If you uncheck the Enabled box at a later time, existing networks associated with this configuration become unmanaged. Use Reset eSIM to permanently remove eSIM profiles from devices. Learn about ChromeOS device details.
  6. In the Details section, enter the following:
    • Name: A name for the cellular network that is used to reference it in the Admin console.
    • Choose either:
      • SMDP+ URL: The eSIM activation code, SMDP+ URL, to be used to activate a device's eSIM profile. Use format: LPA:1$SMDP_SERVER_ADDRESS$OPTIONAL_MATCHING_ID
      • SMDS URL: The eSIM activation code, SMDS URL, to be used to activate a device's eSIM profile. Use format: LPA:1$SMDS_SERVER_ADDRESS$
  7. Click Save.

Tip: You can’t change SM-DP+ to SM-DS or vice-versa or change the activation code once you save the network.

The SMDP+URL policy is used only for activation and does not identify the cellular profile itself. After a device’s eSIM profile is activated and configured, the only way to remove the profile is to reset the eSIM. Learn about ChromeOS device details.

Configure network credentials by policy

For Chrome and Android devices, you can have the device automatically try to connect to a secure network with username or identity credentials specified by policy. For example, you could specify to use the username or full email address of a signed-in user, so users need only to provide their password to authenticate.

To use this feature on ChromeOS devices, specify one of the following variables in the Username or Outer identity boxes during Enterprise (802.1x), WPA/WPA2/WPA3 Enterprise (802.1x), Dynamic WEP (802.1x) or VPN configuration.

During 802.1x configuration on devices running ChromeOS, if the ${PASSWORD} variable is specified, the user’s current sign-in password is used to sign in. Otherwise, users are prompted to enter their password to sign in.

Enter the text for the variable exactly as shown in the Variable column in the table below. For example, enter ${LOGIN_ID} to prompt the system to replace this variable with its value, jsmith.

Variable Value Supported devices
${LOGIN_ID}

The user's username (example: jsmith).

Note: On ChromeOS devices, this variable is only replaced for networks that apply by user.

Android
Chrome (user & device)
${LOGIN_EMAIL}

The user's full email address (example: jsmith@your_domain.com).

Note: On ChromeOS devices, this variable is only replaced for networks that apply by user.

Android
Chrome (user & device)
${CERT_SAN_EMAIL}

The first rfc822Name Subject Alternate Name field from the client certificate matched to this network based on the Issuer or Subject pattern.
This can be different from ${LOGIN_EMAIL} if a non-Google login is used to connect to wireless networks.

Supported in Chrome 51 and higher.

Chrome (user & device)
${CERT_SAN_UPN}

The first Microsoft User Principal Name otherName field from the client certificate matched to this network based on the Issuer or Subject pattern.

Supported in Chrome 51 and higher.

Chrome (user & device)
${PASSWORD} The user’s password (example: password1234). Chrome (user & device)
${DEVICE_SERIAL_NUMBER} The device’s serial number. Chrome (device)
${DEVICE_ASSET_ID} The asset ID assigned to the device by the administrator. Chrome (device)

Note:

  • ${CERT_SAN_EMAIL} and ${CERT_SAN_UPN} read only the X509v3 Subject Alternate Name from the certificate. Specifically, they don't read any fields from the Subject Name field.
  • If the client certificate is missing the fields indicated for substitution, no substitution occurs and the literal string variable remains in the identity field.
  • Certificate-based substitution only works for Wi-Fi. It does not work for VPN.
  • For Chrome 68 and later, automatic connection and authentication using the ${PASSWORD} variable works on all devices. For Chrome 66 and 67, it works on enrolled devices only.

More network setup options

Set up auto-connect for ChromeOS devices

Auto-connect ChromeOS devices to managed networks

You can configure your ChromeOS devices or other device running ChromeOS to connect to a network automatically. When you enable this option, ChromeOS devices can automatically connect only to Wi-Fi networks that you configure for your organization.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenNetworks.
  3. (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
  4. Click General SettingsAuto-connect.
  5. Check the Only allow managed networks to auto-connect box.
  6. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit

Note: Even when this setting is enabled, users can still manually connect their ChromeOS devices to an unmanaged network by plugging an Ethernet cable into their device. When an Ethernet cable is plugged in, the device automatically connects to the available network regardless of whether they're signed in to a managed profile or not.

How auto-connect works for EAP-TLS networks on devices running Chrome 40+

If you connect to an EAP-TLS (client-certificate backed network) on ChromeOS devices running Chrome 40 and later, your ChromeOS devices do the following:

  • Automatically connect to EAP-TLS (client-certificate backed network) after an extension installs client certificates.
  • After first login (even with Ephemeral mode), if there is a device certificate and an EAP-TLS network, again you will automatically switch to the certificate-backed network.
  • If any device-wide managed network was configured in the Admin console (not necessarily certificate-backed), at the login screen the managed network with 'highest' security is automatically connected to.

How auto-connect works for non-EAP-TLS networks on devices running Chrome 40+

For an 802.1X network that isn't EAP-TLS and has unique credentials associated with each user, each user must manually connect to the 802.1X network the first time they sign in on that device. This manual setup is required even if you enable auto-connect setting and configure the credentials with variables. After the user connects manually for the first time, the credentials are stored in their profile on the device. On future logins, they are automatically connected to the network.

How auto-connect networks are selected

Applies to Chrome version 72 and later.

If you enable auto-connect and multiple networks are available, your ChromeOS device chooses a network based on the following priorities in this order. If multiple networks satisfy a rule, the device breaks the tie by applying the next rule on the list.

  1. Technology—Devices prefer Ethernet networks over Wi-Fi and Wi-Fi over Cellular networks.
  2. Prefer a network—Devices connect to the preferred WiFi network as set by the user. For details, see Manage Wi-Fi networks > Prefer a network.
  3. Managed—Devices prefer managed networks configured using policies, over unmanaged networks with user/device configurations.
  4. Security level—Devices prefer networks secured through TLS over networks secured through PSK. Devices choose open networks only if no TLS or PSK networks are available.
  5. User configured networks are preferred over device configured networks.

Use safe search with a proxy

If you deploy a proxy on your web traffic, you might be able to enable strict SafeSearch for all searches, regardless of the setting on the Search Settings page. To do this, configure your proxy to append safe=strict to all search requests sent to Google. However, the parameter doesn’t work on searches that use SSL search. Learn how to prevent SSL searches from bypassing your content filters.

Manage network configurations

You can change or delete an existing VPN, Wi-Fi, or Ethernet network configuration.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenNetworks.
  3. Select the organizational unit that the network is configured for.
  4. Click the type of network configuration you want to change or delete.

    The section contains a searchable table of the configurations for that type of network. In the Enabled On column, the configuration is enabled for platforms with blue icons and disabled for platforms with gray icons. You can also point to each icon to review its status.

  5. To edit an existing configuration, click the network, make your changes, and click Save.
  6. To remove a network configuration from an organizational unit, click Remove to the right of the network. This option is available only if the configuration was added directly to the organizational unit.

    To remove a network configuration that a child organizational unit inherited from the parent organizational unit, select the child organizational unit, open the configuration for editing, and uncheck all the platforms. The configuration still appears in the list, but it isn't applied to any devices in the child organizational unit.
  7. Click Save Changes.

Next steps

For more information about deploying WiFi and networking for ChromeOS devices, including setting up TLS or SSL content filters, go to Enterprise networking for Chrome devices.

Accessibility: Network management settings are accessible by screen readers. Learn about Google Accessibility and the Admin guide to accessibility. To report issues, go to Accessibility Feedback.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
8725739540918312230
true
Search Help Center
true
true
true
true
true
73010
false
false