Deploy smart cards on ChromeOS

As an admin, you can deploy smart card support on ChromeOS on managed devices across your organizational unit. If you want your users to use smart cards for sign in on the Login screen, see Set up sign in using smart cards on managed ChromeOS devices.

You can also install smart card apps on your personal, unmanaged device. For more details, see Use Smart Cards on ChromeOS.

Before you begin

  • ChromeOS supports only a limited set of smart card scenarios:
  • ChromeOS does not support:
    • Other cryptographic operations based on smart cards, for example signing mail within Office 365, reading encrypted mail, and Java applications.
    • Smart cards in Android on ChromeOS.

Step 1: Force-install the Smart Card Connector app

You need to automatically install the Smart Card Connector app for users in your organizational unit. For information about how to force-install specific apps, see Automatically install apps and extensions.

Using the Smart Card Connector app, you can provide Chromebooks with PC/SC support. This PC/SC API can then be used by other applications, such as smart card middleware and Citrix, to allow your users to use their smart cards inside a Citrix-provided Microsoft Windows session, for example, with browser integration and virtual session redirection.

Note: The Smart Card Connector app tries to automatically detect and work with smart card readers, but not all smart card readers are supported. Google only supports smart card readers that are supported by libccid. Readers in the "supported" and "should work" categories are expected to work reliably.

For details, see a list of supported smart card readers here.

Step 2: Force-install a smart card middleware app

Next, you need to install the middleware app. For information about how to force-install specific apps, see Automatically install apps and extensions.

There are two main middleware apps available:

  • CSSI, which is supported by Google.
    Note: You can test whether a card is supported by starting the Chrome App and clicking Test now.
  • CACKey
    Note: CACKey only supports CAC cards, PKCS #11 cards, and YubiKeys in PIV mode.

Middleware apps can communicate with smart cards and provide client certificates to authenticate users to HTTPS websites. Google has partnered with DriveLock to provide support on ChromeOS for a wide range of cards and profiles, including CAC (Common Access Card) and PIV (Personal Identity Verification Card) cards.

You can find the DriveLock middleware provider on the Chrome Web Store. See CSSI Smart Card Middleware.

The connector app provides a public API that other middleware apps can also use. To deploy a different middleware, contact support.

Step 3: Push all necessary root and intermediate certificates

Depending on the sites users try to access, you might need to install trust roots and intermediaries on their devices. Identify those certificates and push them to users’ profiles.

For details, see Set up an HTTPS Certificate Authority.

Important: Installing a root certificate on a device is a sensitive operation. Make sure you only install root certificates you obtained and verified from sources you trust.

Step 4: Configure the Smart Card Connector app to auto-allow communication

Apps like Citrix and DriveLock need to contact the Smart Card Connector app to communicate with users’ cards and readers. As cards and readers contain sensitive user information, the connector app shows users a permission dialog before granting access to any app.

You can auto-grant permissions in the Admin console. For example, to allowlist the DriveLock app, add the following configuration to the connector app:
{"force_allowed_client_app_ids":{"Value":["haeblkpifdemlfnkogkipmghfcbonief"]}}

For information on installing custom policies for apps and extensions, see Policy for extensions.

Important: Adding these apps to an allowlist potentially provides third parties access to users' personal information such as certificates on a smart card. Make sure you have the appropriate notification and consent flows with users for collecting and sharing their personal information.

Step 5 (Optional): Configure ChromeOS to auto-select certificates for URLs

You can configure ChromeOS to automatically select certain certificates for certain URLs. By default, users are presented with a list of the certificates that match a given website.

You can set the Auto Select Certificate For Urls policy to remove that step by pre-matching users’ certificates to certain URL patterns. For more information and example values, see Set Chrome policies for users or browsers.
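As an added example (not from this Help Center page or from Google's own tooling), the following Python helper builds the two policy values used in Steps 4 and 5: the connector app's force_allowed_client_app_ids configuration and individual AutoSelectCertificateForUrls entries. The DriveLock app ID is the one shown above; the https://remote.example.com pattern and the issuer name are constructed sample values, and the rejection of non-https:// patterns is this helper's own choice rather than a policy requirement.

```python
import json
import re

# Chrome extension/app IDs are 32 characters drawn only from the letters a-p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")

# App ID of the DriveLock CSSI middleware, as listed on the page above.
DRIVELOCK_APP_ID = "haeblkpifdemlfnkogkipmghfcbonief"

# Compact separators reproduce the form shown in Step 4 (no whitespace).
_COMPACT = (",", ":")


def connector_policy(client_app_ids):
    """Return the Smart Card Connector policy string that auto-allows the given apps.

    A malformed ID raises ValueError so that a typo cannot silently allowlist
    nothing (or an unintended app); duplicates are dropped.
    """
    ids = []
    for app_id in client_app_ids:
        if not EXTENSION_ID_RE.match(app_id):
            raise ValueError(f"not a valid Chrome extension ID: {app_id!r}")
        if app_id not in ids:
            ids.append(app_id)
    return json.dumps({"force_allowed_client_app_ids": {"Value": ids}},
                      separators=_COMPACT)


def auto_select_entry(pattern, issuer_cn=None, subject_cn=None):
    """Return one AutoSelectCertificateForUrls list item.

    Each item is a JSON-encoded string holding a URL "pattern" and a "filter"
    on the certificate's ISSUER and/or SUBJECT; an empty filter matches any
    client certificate. Assumption of this helper: only https:// patterns are
    accepted, because client certificates are only presented over TLS.
    """
    if not pattern.startswith("https://"):
        raise ValueError(f"pattern must be an https:// origin: {pattern!r}")
    filt = {}
    if issuer_cn:
        filt["ISSUER"] = {"CN": issuer_cn}
    if subject_cn:
        filt["SUBJECT"] = {"CN": subject_cn}
    return json.dumps({"pattern": pattern, "filter": filt}, separators=_COMPACT)


if __name__ == "__main__":
    print(connector_policy([DRIVELOCK_APP_ID]))
    print(auto_select_entry("https://remote.example.com",
                            issuer_cn="Example Corp Issuing CA"))
```

Paste the first string as the connector app's policy and add each entry string as one list item of AutoSelectCertificateForUrls; narrowing the filter to the issuing CA avoids auto-selecting an unrelated certificate when a card carries several.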

Users can sign in from any Chromebook with their Google username and password to start using their smart cards. The settings you configured are downloaded and applied. When users navigate to HTTPS websites, they are prompted to use the certificates detected on their smart cards to authenticate to their remote systems.

Step 6 (Optional): Configure Virtual Desktop Environment

If you're using a virtual desktop environment such as Citrix or VMware, you must configure it to allow smart card access as well as smart card redirection into the virtualized session.

For full configuration instructions, see the respective vendor sites.

Additional information

Send feedback

If you choose to give us feedback, such as suggestions to improve features, we can act on your feedback.

To send feedback, fill out this ChromeOS smart card feedback form.

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
