Manage networks

This feature is not available in the legacy free edition of Google Apps.

In the Admin console, you can configure Wi-Fi, Ethernet, and Virtual Private Network (VPN) access as well as network certificates for managed devices enrolled in your domain. When you add a network configuration, you can enforce the same network settings for your entire organization, or enforce specific network settings for different organizational units.

If you configure network settings by user, the settings are applied to all users' mobile devices and Chromebooks in the organizational unit. You can also configure network settings directly for Chromebook and Chromebox for meetings devices by device.

This article describes how to set up and configure networks for mobile devices, tablets, Chromebooks, and Chromebox for meetings devices.

Set up a network

Add a VPN configuration

You can only configure VPN access for Chrome devices.

I am using a 3rd party VPN app. Download the app from the Chrome Web Store, then install and configure it as you would configure any other Chrome App. If the app allows it, you can upload a VPN configuration. See Configure a Chrome app.

I am using the built-in VPN. If you are planning to use one of the VPN types that are natively supported in Chrome OS (OpenVPN and L2TP over IPsec), add the VPN configuration by following these steps:

Set general VPN information

  1. Sign in to the Google Admin console.
  2. Click Device management > Network > VPN.
  3. Choose the appropriate organization from the list on the left.
  4. At the bottom, click Add VPN.
  5. Enter a name for the VPN.
  6. Enter the IP address or the full server hostname of the server that provides access to the VPN in the Remote host box.
  7. (Optional) To automatically connect devices to this VPN, check the Automatically connect box.

Configure VPN settings

  1. Choose a VPN type.
    The Admin console can only push limited OpenVPN configurations. For example, it can't push configurations for OpenVPN networks with TLS authentication.
  2. (Optional) For L2TP over IPsec with Pre-Shared Key:
    1. Enter the pre-shared key needed to connect to the VPN. This value will no longer be visible after you save the configuration.
    2. Enter a username to connect to the VPN. The username supports username variables.
    3. (Optional) Enter a password. If you’re using a username variable, don’t enter a password. This value will no longer be visible after you save the configuration.
  3. (Optional) For OpenVPN:
    1. (Optional) Enter the port to use when connecting to the remote host.
    2. Choose the protocol to use for VPN traffic.
    3. Choose which authorities to allow when authenticating the certificate provided by the network connection. Choose from your uploaded certificates.
    4. Check the Use client enrollment URL box if the server requires client certificates. If checked, enter one or more values for an Issuer pattern or Subject pattern. Each value you specify must exactly match the respective value in the certificate for the certificate to be used. Your server should provide the certificate with the HTML5 keygen tag.
    5. Enter the OpenVPN username. Supports username variables. Leave this blank to require individual user credentials at login.
    6. Enter the OpenVPN password. Leave this blank to require individual user credentials at login.
  4. Specify the proxy settings for your VPN.

Give VPN access

  1. (Optional) To restrict access to certain devices, uncheck the box next to the device.
  2. Click Add > Save Changes.

Add a Wi-Fi or Ethernet network configuration

You can only configure Ethernet network access for Chrome devices. The Ethernet settings you can configure are a subset of the Wi-Fi settings.

You can automatically add configured Wi-Fi networks to managed devices if they are set up using Mobile Management. Network management settings are available to all Google Apps for Work, Education, Nonprofits, and Government customers. Users need to have the Google Apps Device Policy installed on their Android 2.2 and above devices. Additional 802.1x Wi-Fi networks are supported only on Android 4.3 and later devices. For managed iOS devices, the following extensible authentication protocols (EAPs) are supported: Protected Extensible Authentication Protocol (PEAP), Lightweight Extensible Authentication Protocol (LEAP), Transport Layer Security (TLS), and Tunneled Transport Layer Security (TTLS).

Note: A mobile device always inherits its user's Wi-Fi network settings. Therefore, network settings for mobile devices can only be applied by user.

We recommend you set up at least one wireless network at the top organizational level in your domain and select it to Automatically connect. This ensures that devices can access this Wi-Fi network at the sign in screen.

Set general network information

  1. Sign in to the Google Admin console.
  2. Click Device management > Network > Wi-Fi.
  3. Choose the appropriate organization from the list on the left.
  4. At the bottom, click Add Wi-Fi.
  5. Enter a name for the Wi-Fi network. The name is for your reference and does not have to match the network's service set identifier (SSID).
  6. Enter the Wi-Fi network's SSID. SSIDs are case-sensitive.
  7. (Optional) If your network does not broadcast its SSID, check the This SSID is not broadcast box.
  8. (Optional) To automatically connect devices to this network when it's available, check the Automatically connect box.

Configure security settings

  1. Choose a security type for the network.
  2. (Optional) For WEP (insecure) and WPA/WPA2 security types, enter a network security passphrase.
  3. (Optional) If your network's security type is WPA/WPA2 Enterprise (802.1x), specify the following:

    Note: For Android tablets used with Google Apps for Education, you can't use WPA/WPA2 Enterprise (802.1x) during student tablet configuration, but it can be implemented manually after the tablets are enrolled.

    1. Choose an EAP for the network.
    2. (Optional) For EAP-TTLS and PEAP, choose the inner protocol to use. Automatic works for most configurations.
    3. (Optional) For EAP-TTLS and PEAP, enter the user identity to present to the network’s outer protocol. The identity supports username variables.
    4. Enter a username for administering the network. The username supports username variables.
    5. (Optional) Enter a username password. A password is not required for EAP-TLS. This value will no longer be visible after you save the configuration.
    6. (Optional) Choose a server certificate authority. This is not required for LEAP or EAP-PWD.
    7. (Optional) For EAP-TLS networks, specify the following:
      • Enter a client enrollment URL.
      • Enter one or more values for an Issuer pattern or Subject pattern. Each value you specify must exactly match the respective value in the certificate for the certificate to be used. Your server should provide the certificate with the HTML5 keygen tag.
  4. Specify the proxy setting for the network.
    Note: Direct Internet Connection is not supported on Android tablets used with Google Apps for Education.

Give network access

  1. (Optional) To restrict access to certain devices, uncheck the box next to the device.
  2. Choose whether to apply the network by user or by device.

    Access by user is only supported on mobile devices and Chromebooks. Access by device is only supported on Chromebooks and Chromebox for meetings devices. For Android tablets used with Google Apps for Education, choose by user.

  3. Click Add > Save Changes.

Additional notes on setting up Wi-Fi networks

  • After you set up a Wi-Fi network and before you change the password, be sure to set up an additional network so that users get the updated Wi-Fi settings on their devices.
  • If you have multiple Wi-Fi networks configured, you should change the password for them one at a time.
  • Hidden networks can take a while to be identified on Android devices.

Specify automatic network connections

For Chrome and Android devices, you can specify that the device automatically tries to connect to a secure network with the username or full email address of a signed-in user. Users only need to provide their password to authenticate.

To use this feature, specify one of the following variables in the Username or Outer identity boxes during Enterprise (802.1x), WPA/WPA2 Enterprise (802.1x), or VPN configuration:

Variable          Description
${LOGIN_ID}       The current user's username, such as jsmith.
${LOGIN_EMAIL}    The current user's full email address, such as jsmith@your_domain.com.

Manage a network

Change or delete an existing configuration

You can change or delete an existing VPN, Wi-Fi, or Ethernet network configuration.

  1. Sign in to the Google Admin console.
  2. Depending on the type of configuration you want to change or delete, do one of the following:
    • Click Device management > Network > Wi-Fi.
    • Click Device management > Network > Ethernet.
    • Click Device management > Network > VPN.
  3. Choose the appropriate organization from the list on the left.
  4. (Optional) To edit an existing configuration:
    1. To the right of the network, click Edit.
    2. Make any changes and click Apply.
  5. (Optional) To revert a locally applied network from an organization, click Revert to the right of the network.
    • If the network was added to the current organization, it will be permanently deleted.
    • If the network was inherited from the parent organization and then edited, the locally applied changes will be reverted and the parent organization changes will be inherited.
  6. (Optional) To remove an inherited network from a suborganization, click Remove to the right of the network.
  7. Click Save Changes.

Manage network certificates

After you set up a network, you can manage the certificates associated with it. You can add new certificates if they are in X.509 PEM format as well as delete certificates your networks don't use. Some configurations using PEAP, TLS, and TTLS need server-side certificates to ensure accessibility. To configure certificates for an EAP Wi-Fi network, the device must be secured with a password, PIN, or pattern verification. On Android tablets for education, if your school does SSL inspection, add the public Certificate Authority (CA) here.

To see any uploaded certificates:

  1. Sign in to the Google Admin console.
  2. Click Device management > Network.
  3. Click Certificates.

Android for Education Notes:

  • The certificates must be public.
  • Certificates with pkcs12 and a password are not accepted.
  • Server Certificates are only available for tablets running Android 4.4 or later.
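
A pre-upload check for the certificate constraints above (X.509 PEM only, public certificates only, no PKCS#12), as an added example that is not Google's code. The function names and the sample bytes are assumptions made here; the check looks at file structure only and does not reproduce the Admin console's own validation.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_is_single_sequence(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE with a consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form length, n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def classify_upload(data: bytes) -> str:
    """Return 'ok' or the reason a file is not a PEM X.509 certificate."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "not PEM: binary file (DER or PKCS#12?)"
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return "not PEM: no BEGIN/END block found"
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            return "contains a private key: upload the public certificate only"
        if label != "CERTIFICATE":
            return f"unexpected PEM block: {label}"
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            return "corrupt base64 in CERTIFICATE block"
        if not der_is_single_sequence(der):
            return "CERTIFICATE block is not a single DER SEQUENCE"
    return "ok"

def to_pem(label: str, der: bytes) -> bytes:
    # Wraps DER bytes in a PEM block; used to build the constructed samples.
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()

# Constructed sample: a 5-byte SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
```

Run `classify_upload(open(path, "rb").read())` on each file before uploading it under Certificates.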

If you deploy a proxy on your web traffic, it may be possible to configure your proxy to append safe=strict to all search requests sent to Google. This parameter enables strict SafeSearch for all searches, regardless of the setting on the Search Settings page. However, the parameter doesn’t work on searches that use SSL search. Learn how to prevent SSL searches from bypassing your content filters.

Additional features

Auto-connect Chromebooks to managed networks

Checking Only allow managed networks to auto-connect means that Chromebooks can only automatically connect to a network that is specified in Device management > Network > Wi-Fi or Device management > Network > Ethernet.

  1. Sign in to the Google Admin console.
  2. Click Device management > Network > General Settings.
  3. Check the Only allow managed networks to auto-connect box.
  4. Click Save Changes.

Note: Users can still set up their Chromebook to automatically connect to a network they choose when signed in to their device, if the user creates a private network (one that isn't shared with anyone).

How auto-connect works for EAP-TLS networks on devices running Chrome 40+

If you're connecting to an EAP-TLS (client-certificate backed network) on Chrome devices running Chrome 40 and later, your Chromebooks will do the following:

  • Automatically connect to EAP-TLS (client-certificate backed network) after an extension installs client certificates.
  • After first login (even with Ephemeral mode), if there is a device certificate and an EAP-TLS network, automatically switch again to the certificate-backed network.
  • If any device-wide managed network has been configured in the Admin console (not necessarily certificate-backed), automatically connect at the login screen to the managed network with the 'highest' security.

How auto-connect works for non-EAP-TLS networks on devices running Chrome 40+

For an 802.1X network that is not EAP-TLS the auto-connect behavior will be different. Specifically, if your network has unique credentials associated with each user, then that user will have to manually connect to the 802.1X network the first time they log in on that device. This applies even if the auto-connect setting has been set and if they are using variables. Once the user connects manually for the first time, the login credentials are stored within their profile on the device. On future logins, they will be automatically connected to the network.

For more information about deploying Wi-Fi and networking for Chrome devices, including setting up SSL content filters, see Enterprise networking for Chrome devices.

Accessibility: Network management settings are accessible by screen readers. For details, see Google Accessibility and the Google Apps Administrator guide to accessibility. To report issues, see Google Accessibility Feedback.