Manage networks

This article is for Chrome for Work and Education administrators.

You can configure Wi-Fi and Virtual Private Network (VPN) access for Chrome devices enrolled in your domain as well as Wi-Fi access for mobile devices.

Add a VPN configuration

  1. Sign in to the Admin console.
  2. Click Device management > Network > VPN.
  3. Choose the appropriate organization from the list.
  4. Click Add VPN.
  5. In the Name field, create a name for this VPN network entry.
  6. In the Remote host field, enter the IP address or the full server hostname of the server that provides access to the VPN.
  7. (Optional) To automatically connect devices to this VPN, check the Automatically connect box.
  8. Specify the VPN type, either L2TP over IPsec with Pre-Shared Key or OpenVPN.
    The Admin console can only push limited OpenVPN configurations. For example, it can't push configurations for OpenVPN networks with TLS authentication.
  9. (Optional) If the VPN type is L2TP over IPsec with Pre-Shared Key, provide the following:
    Field Description
    Pre-shared key The passphrase or key used to connect to the VPN.
    Username Username for connecting to the VPN. Supports username variables.
    Password The password for the given username. If you're using a username variable, leave this field blank.
  10. (Optional) If the VPN type is OpenVPN, provide the following:
    Field Description
    Remote host port The port to use when connecting to the remote host (optional).
    Protocol The protocol to use for VPN traffic.
    Server certificate authority Defines which authorities to allow when authenticating the certificate provided by the network connection.

    Choose from your uploaded certificates, or select Add new certificate to upload a new certificate authority in X.509 PEM format. Learn more about managing your certificates.
    Use client enrollment URL Check this box if the server requires client certificates. If checked, provide the enrollment URL, along with one or more of the following values for Issuer pattern and/or Subject pattern:
    • Common name
    • Locality
    • Organization
    • Organizational unit

    Each value you specify must exactly match the respective value in the certificate in order for the certificate to be used. For example, the common name in the issuer pattern field must be the same as the client common name.

    Your server should provide the certificate with the HTML5 keygen tag.

    Username The OpenVPN username. Supports username variables. Leave this blank to require individual user credentials at login.
    Password The OpenVPN password. Leave this blank to require individual user credentials at login.
  11. In the Proxy settings field, specify the proxy configuration for your VPN.
    • If your VPN doesn't use a proxy, choose Direct Internet Connection.
    • If your network provides a URL for automatic proxy configuration, choose Automatic Proxy Configuration and provide the URL.
    • To provide the proxy information manually, choose Manual Proxy Configuration.
  12. In the Restrict access to this Wi-Fi network by platform field, choose the types of device that are allowed to access this network.
    • Mobile devices (not supported)
    • Chromebooks
    • Chromebox for meetings devices
  13. Click Add to close the dialog.
  14. Click Save Changes.

Add a Wi-Fi configuration

We recommend you set up at least one wireless network at the top organizational level in your domain and select it to Automatically connect. This ensures that the Chrome device can access this Wi-Fi network at the sign in screen.
  1. Sign in to the Admin console.
  2. Click Device management > Network > Wi-Fi.
  3. Choose the appropriate organization from the list.
  4. At the bottom, click Add Wi-Fi.
  5. Enter a name for the Wi-Fi network. The name is for your reference and does not have to match the network's service set identifier (SSID).
  6. Enter the Wi-Fi network's SSID. SSIDs are case-sensitive.
  7. (Optional) If your network does not broadcast its SSID, check the This SSID is not broadcast box.
  8. (Optional) To automatically connect devices to this network when it's available, check the Automatically connect box.
  9. Choose a security type for the network.
  10. (Optional) For WEP (insecure) and WPA/WPA2 security types, enter a network security passphrase.
  11. (Optional) If your network's security type is WPA/WPA2 Enterprise (802.1x), specify the following:
    1. Choose an extensible authentication protocol (EAP) for the network.
    2. (Optional) For EAP-TTLS and PEAP, choose the inner protocol to use. Automatic works for most configurations.
    3. (Optional) For EAP-TTLS and PEAP, enter the user identity to present to the network’s outer protocol. The identity supports username variables.
    4. Enter a username for administering the network. The username supports username variables.
    5. (Optional) Enter a username password. A password is not required for EAP-TLS.
    6. (Optional) Choose a server certificate authority. This is not required for LEAP or EAP-PWD.
    7. (Optional) For EAP-TLS networks, enter a client enrollment URL.
    8. (Optional) For EAP-TLS networks, enter one or more values for an Issuer pattern or Subject pattern. Each value you specify must exactly match the respective value in the certificate for the certificate to be used. Your server should provide the certificate with the HTML5 keygen tag.
  12. Enter a proxy setting for the network.
    • Choose Direct Internet Connection if your network doesn't use a proxy.
    • Choose Automatic Proxy Configuration if your network provides a URL for automatic proxy configuration. Then enter the URL in the appropriate field.
    • Choose Manual Proxy Configuration to enter the proxy information manually.
  13. (Optional) To restrict access to certain devices, uncheck the box next to the device.
  14. Choose whether to apply the network by user or by device.
    Access by user is only supported on mobile devices and Chromebooks. Access by device is only supported on Chromebooks and Chromebox for meetings devices.
  15. Click Add.
  16. Click Save Changes.

Add an Ethernet configuration

The ethernet settings you can configure are a subset of the Wi-Fi settings above. See Add a Wi-Fi configuration for details on how to configure ethernet.

Change or delete an existing configuration

You can change or delete an existing Wi-Fi, Ethernet, or VPN configuration.

  1. Sign in to the Google Admin console.
  2. Depending on the type of configuration you want to change or delete, do one of the following:
    • Click Device management > Network > Wi-Fi.
    • Click Device management > Network > Ethernet.
    • Click Device management > Network > VPN.
  3. Choose the appropriate organization from the list on the left.
  4. (Optional) To edit an existing configuration:
    1. To the right of the network, click Edit.
    2. Make any changes and click Apply.
  5. (Optional) To delete a locally applied Wi-Fi network from an organization, click Revert to the right of the network.
  6. (Optional) To remove an inherited network from a suborganization, click Remove to the right of the network.
  7. (Optional) To add an inherited network to a suborganization, click Revert to the right of the network.

Username variables

For Chrome devices, you can specify that the device automatically tries to connect to a secure network with the username or full email address of a signed-in user. Users only need to provide their password to authenticate.

To use this feature, specify one of the following variables in the Username or Outer identity boxes during WPA/WPA2 Enterprise (802.1x) configuration:

Variable Description
${LOGIN_ID} The current user's username, such as jsmith.
${LOGIN_EMAIL} The current user's full email address, such as jsmith@your_domain.com.

Manage certificates

After you set up a Wi-Fi network or VPN, you can manage certificates associated with the network.

To see any uploaded certificates:

  1. Sign in to the Google Admin console.
  2. Click Device management > Network.
    Where is it?
  3. Click Certificates.
  4. You can add new certificates if they are in X.509 PEM format as well as delete certificates your networks don't use.

General Settings: Auto-connect

Checking Only allow managed networks to auto-connect means that a Chromebook will not automatically connect to any network unless the network is specified in the Admin console under Device management > Network > Wi-Fi or Device management > Network > Ethernet. This setting applies to Chromebooks only.

Note that users can still set up their Chromebook to automatically connect to a network they choose when signed in to their device, if the user creates a private network (one that isn't shared with anyone).

For more information about deploying WiFi and networking for Chrome devices, including setting up SSL content filters, see Enterprise networking for Chrome devices.

Accessibility: Network management settings are accessible by screen readers. For details, see Google Accessibility. To report issues in Google products, see Google Accessibility Feedback.

How helpful is this article:

Feedback recorded. Thanks!
  • Not at all helpful
  • Not very helpful
  • Somewhat helpful
  • Very helpful
  • Extremely helpful