Notification

Planning your return to office strategy? See how ChromeOS can help.

Manage Chrome Enterprise device trust connectors

Applies to managed Chrome browsers and ChromeOS devices.

As an admin, you can configure Chrome Enterprise device trust connectors to share context-aware signals from managed Chrome browsers and ChromeOS devices with third-party Identity Providers (IdPs). This integration allows device trust signals as inputs in authentication and authorization policies. This solution provides enhanced security and less dependence on the network as a trust factor.

Device signals include device ID, serial number, secure mode state, OS version, firewall status, and more. For more information, go to Data sent from Chrome to the IdP.

On all supported platforms, signals are shared from the browser in-session. For ChromeOS, signals are shared from both the browser in-session and the sign in page as part of user authentication.

Note: Chrome Enterprise device trust connectors are not supported on ChromeOS Flex.

Before you begin

You can use device trust connectors only for managed devices—Chrome browser and ChromeOS—and not for managed profiles or users.

Chrome browser

  • Sign up for Chrome Browser Cloud Management and enroll devices into the organizational unit where you want to configure the device trust connector. For information about getting started with Chrome Browser Cloud Management, go to Set up Chrome Browser Cloud Management.

ChromeOS

  • Sign up for Chrome Enterprise Upgrade and enroll ChromeOS devices into the organizational unit where you want to configure the device trust connector. For information about getting started with Chrome Enterprise Upgrade, go to About ChromeOS device management.

  • To enable signal sharing for the sign-in page only, add the devices to an organizational unit in which you want to configure the device trust connector.

  • To enable signal sharing for the sign-in page and for the browser in-session, you need to do one of the following:

    • Add the devices and users to the same organizational unit in which you want to configure the device trust connector.

    • If devices and users are not in the same organizational unit, apply the same IdP configuration to all applicable organizational units. See Add new IdP configurations below.

Step 1: Add new IdP configurations

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenChromeand thenConnectors.
  3. At the top, click + New provider configuration.
  4. In the panel that appears on the right, find the IdP that you want.
  5. Click Set up.
  6. Enter the configuration details. For information, see Provider configuration details below.
  7. Click Add configuration.

Configurations are added for your entire organization. Then, you can use them in any organizational unit, as needed.

Step 2: Apply settings to organizational unit

After you add a new (IdP) Identity Provider configuration, it's listed on the Connectors page. You can see the configurations that you added for each provider and the number of organizational units where it’s connected.

To choose which configuration to use:

  1. From the Admin console Home page, go to Devicesand thenChromeand thenConnectors.
  2. Select a child organizational unit.
  3. For Device trust connectors, select the configuration that you want to use.
  4. Click Save.

Provider configuration details

PingOne DaVinci

Field Description

Configuration name

 The name that’s shown on the Connectors page under Device trust connectors.

URL patterns to allow, one per line

 https://auth.pingone.com

Services accounts, one per line

The service account is generated using Google Cloud Platform (GCP).

The steps required to set up a GCP Project and Service Account are detailed in the Integrate Ping Identity with Chrome Enterprise guide below.

Refer to the  guide below for details on setting up the integration between Chrome Device Trust Connector and Ping Identity for DaVinci users.

DOWNLOAD GUIDE (PDF)

PingFederate

Field Description

Configuration name

 The name that’s shown on the Connectors page under Device trust connectors.

URL patterns to allow, one per line

 In the Ping Federate Console, navigate to Systemand thenProtocol Settingsand then Federation to determine the URL.

Services accounts, one per line

The service account is generated using GCP.

The steps required to set up a GCP Project and Service Account are detailed in the Integrate Ping Identity with Chrome Enterprise guide below.

Refer to the  guide below for details on setting up the integration between Chrome Device Trust Connector and PingFederate users.

DOWNLOAD GUIDE (PDF)

Okta (Okta Identity Engine Users)

Field Description

Configuration name

 The name that’s shown on the Connectors page under Device trust connectors.

URL patterns to allow, one per line

 Provided by Okta—Follow instructions in the Okta console.

Services accounts, one per line

 Provided by Okta—Follow instructions in the Okta console.

Refer to the guide below for details on setting up the integration between Chrome Device Trust Connector and Okta Identity Engine users.

DOWNLOAD GUIDE (PDF)

Verify device trust connector configuration

First, make sure that the managed device is enrolled and listed in the Google Admin console in an organizational unit where you configured the connector.

Verify that policies are applied

On a managed device:

  1. Navigate to chrome://policy.
  2. Click Reload policies.
  3. Windows and macOS only:
    1. For BrowserContextAwareAccessSignalsAllowlist, make sure that Status is set to OK.
    2. For BrowserContextAwareAccessSignalsAllowlist, click Show value and make sure that the value field is the same as what you set for URL patterns to allow, one per line.
  4. ChromeOS only:
    1. For DeviceLoginScreenContextAwareAccessSignalsAllowlist, make sure that Status is set to OK.
    2. For DeviceLoginScreenContextAwareAccessSignalsAllowlist, click Show value and make sure that the value field is the same as what you set for URL patterns to allow, one per line.

Check the state of device trust connector

On a managed browser or device:

  1. Navigate to chrome://connectors-internals.
  2. Check for these required values:
    1. Is Enabled: true
    2. Key Manager Initialized: true
    3. Key Sync: Success (200)

The connector can only provide device identity attestation if the key synchronization was successful.

If there is no value next to Key Manager Initialized, refresh the page until a value appears. If Is Enabled: true, it shouldn't take more than a minute.

Note: ChromeOS devices do not have a Key Manager because they use TPM-backed certificates that are native to the OS.

Definition of values on chrome://connectors-internals

You can also verify that the integration is active and the key has been created by going to chrome://connectors-internals on the enrolled device.
  • Is enabled: Verifies that the policy is enabled on the device.
  • Key Manager Initialized: Chrome has loaded the key or created a key if no key was created already.
  • Key Type: RSA or EC (Elliptic Curve).
  • Trust Level: HW or SW.
    • HW (hardware) means that the key is stored in the device's hardware. For example, on Mac with Secure Enclave or Windows when a TPM is present.
    • SW (software) means that the key is stored at the OS level. For example, in a file, like on Linux.
  • SPKI Hash: A hash of the private key.
  • Key Sync: The response status + code from the latest attempted key upload. Chrome tries to re-upload the key every time it starts.
  • Signals: An overview of the signals that can be sent from the device.

Clearing a context-aware access key

Windows and Mac only

Admins with access to the Admin Console can clear a trusted public key for a specific browser. This can help with troubleshooting if a user is experiencing access issues; such as a managed browser no longer having access to the trusted key pair.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenChromeand thenManaged browsers.

    If you signed up for Chrome Browser Cloud Management, go to Menu and then Chrome browserand thenManaged browsers.

  3. Select the organizational unit where the browser is located.
  4. Select the browser with the key to clear.
  5. Under the Managed Browser details box on the left hand side, click Configure Key.
  6. Select Clear Key.

When the key is cleared from the Admin console, the managed browser synchronizes its key on restart and re-establishs trust again.


Note: If you cannot click Configure Key, the key might not exist on the server.

Data sent from Chrome to the IdP

Data sent from Chrome browsers and ChromeOS devices to the IdP is defined here. As an admin, you can decide which of these signals you want to use in the context-aware access rules.

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
true
Search
Clear search
Close search
Main menu
7526572408508435183
true
Search Help Center
true
true
true
true
true
410864
false
false