Set up TLS (or SSL) inspection on Chrome devices

Set up a hostname allowlist

For ChromeOS and Chrome Enterprise Core devices to work on a domain with TLS inspection (also known as SSL inspection), some hostnames need to be exempt from inspection. This is because certificates can only be imported at the user level and are only honored for user-level traffic. Some device-level traffic doesn’t use the TLS or SSL certificate to protect users against certain kinds of security risks.

Updates to the hostname allowlist

Dec 19, 2024: Changed http://www.play.googleapis.com/generate_204 to http://play.googleapis.com/generate_204

Expand the list to view previous updates.

Previous updates

Oct 29, 2024: Added additional hostname, aratea-pa.googleapis.com, to allowlist for all devices
August 20, 2024: Added additional hostnames, www.gstatic.com and ssl.gstatic.com, to allowlist for ChromeOS sign-in
May 10, 2024: Added additional hostname, edgedl.me.gvt1.com, to allowlist for all devices. Also provided further details for these hostnames:

    accounts.google.com
    accounts.google.[country]
    chromeos-ca.gstatic.com
    clients3.google.com
    connectivitycheck.gstatic.com
    dl.google.com
    m.google.com
    tools.google.comaccounts.google.com

March 12, 2024: Added additional hostname, alkalichromeosflexhwis2-pa.googleapis.com, to allowlist for all devices
August 17, 2023: Added additional hostname, youtubeeducation.com, to allowlist for all devices
January 16, 2023: Added additional hostname to allowlist for Feedback App search functionality
July 20, 2022: Added additional hostnames to allowlist for Safe Browsing endpoints
February 1, 2022: Added additional hostnames to allowlist for all devices
July 26, 2021: Added additional hostnames to allowlist for devices using Chrome extensions and apps (Chrome Web Store)
April 21, 2021: Added additional hostnames to allowlist for all devices
February 20, 2021: Added additional hostnames to allowlist for all devices
August 11, 2020: Added additional hostname to allowlist for all devices
March 3, 2020: Added additional hostnames to allowlist for Google Play
December 16, 2019: Added cloudsearch.googleapis.com to return Google Drive results when searching from the Chrome address bar
June 25, 2019: Changed *gvt1.com to *.gvt1.com and added *.1e100.net
September 25, 2018: Added chromeos-ca.gstatic.com
July 20, 2018: Added *gvt1.com
March 15, 2018: Added policies.google.com
December 22, 2017: Added alt*.gstatic.com
July 13, 2017: Added accounts.google.[country]
March 1, 2017: Added hostname to allowlist for devices using Android apps
January 19, 2017: Removed cache.pack.google.com
September 28, 2016: Added mtalk.google.com
December 2, 2015: Added hostnames to allowlist for single-app kiosk devices
August 5, 2015: Added accounts.gstatic.com

Hostname allowlist for all ChromeOS and Chrome Enterprise Core devices

To ensure that devices work with TLS inspection or networks restricting external traffic, you need to allow the following hostnames on your proxy server. For details on how to allow hostnames, check with your network administrator.

Open all | Close all

Auto-updates

Google endpoints	Description
tools.google.com	Omaha URL that returns the update configuration (including a list of payload URLs).
edgedl.me.gvt1.com	URLs to download update payloads.
dl.google.com

Enrollment

Google endpoints	Description
m.google.com	The device management server used for enrollment and enterprise policy fetches.
clients3.google.com	Used to sync the system clock. This is required to generate a key, based on the current time, used by the device management server backend.
www.googleapis.com	OAuth scope for server management. The full path is www.googleapis.com/auth/chromeosdevicemanagement, but filtering by path is not supported.

ChromeOS sign-in

Google endpoints	Description
accounts.google.com accounts.google.[country]	Google sign-in page. For accounts.google.[country], use your local top-level domain for [country]. For example, for Australia use accounts.google.com.au, and for the United Kingdom use accounts.google.co.uk.
www.google.com	OAuth2 scope for login. The full path is www.google.com/accounts/OAuthLogin, but filtering by path is not supported.
www.googleapis.com	OAuth2 scope for access for Google APIs.
www.gstatic.com ssl.gstatic.com	Required for downloading sign-in page contents such as Javascript and CSS assets.

Zero-touch Enrollment/Forced re-enrollment

Google endpoints	Description
chromeos-ca.gstatic.com	Google Attestation Certificate Authority (ACA) server. Used to verify the identity of the device and retrieve enrollment certificates.
clients3.google.com	Used to sync the system clock. This is required to verify the certificate and determine enrollment status.
m.google.com	The device management server used for enrollment and enterprise policy fetches.
www.gstatic.com	Used to check the enrollment status.

Captive portal detector

Google endpoints	Description
http://connectivitycheck.gstatic.com	ChromeOS default HTTP probe URL. Alternatives: http://play.googleapis.com/generate_204 http://www.gstatic.com/generate_204 http://safebrowsing.google.com/generate_204 http://www.googleapis.com/generate_204
https://www.google.com	ChromeOS default HTTPS probe URL. Alternatives: https://www.gstatic.com/generate_204 https://accounts.google.com/generate_204 https://www.googleapis.com/generate_204
http://www.gstatic.com	Chrome browser captive portal check. Note the HTTP protocol.

Other recommended hostname allowlists

Additional hosts to allow

You need to allow the additional hostnames for TLS inspection to work correctly if you're using:

Chrome extensions or apps from the Chrome Web Store on devices, including single-app kiosk devices.
Android apps from the Google Play Store on devices

Hostname allowlist for ChromeOS and Chrome Enterprise Core devices using Chrome extensions and apps (Chrome Web Store)

Hostname allowlist for ChromeOS and Chrome Enterprise Core devices using Android apps (Google Play Store)

Hostname allowlist for ChromeOS and Chrome Enterprise Core devices with Chrome Education Upgrade

Choose a section to give feedback on

Was this helpful?

How can we improve it?