
Enable Verified Access with Chrome devices

What is Verified Access?

Verified Access is the means by which a network service, such as a VPN gateway, a sensitive server, an Enterprise certificate authority (CA) or an Enterprise Wi-Fi access point, can get a hardware-backed cryptographic guarantee of the identity of the device and user that’s trying to access it. Verified Access ensures that a device connecting to your network is unmodified and policy compliant. For more about how Verified Access works, see the Verified Access API Developer Guide.

How does it work?

Verified Access uses the Trusted Platform Module (TPM) present in every Chrome OS device to let enterprise network services cryptographically confirm the device's identity and the status of its verified boot and enterprise policy, using a Google server-side API.

You need to enable the Verified Access feature in the Google Admin console and force-install a Chrome extension on your users’ Chrome devices. Once you’ve done this, your network service talks to the Verified Access API to determine the policy compliance and talks to Google to (optionally) determine the identity of the client device. See step 3 below for more about the network service endpoint.

Set up Verified Access for my company

Step 1: Enroll Chrome devices

Verified Access only works for managed enterprise users on devices enrolled in the domain that you manage. Learn how to enroll a Chrome device.

Step 2: Install a Verified Access extension

To use Verified Access in your organization, you need a Chrome extension that calls the Verified Access API on the client devices. You can get an extension from an independent software vendor (ISV) such as Cloudpath, or use the Google Verified Access API Developer Guide to implement your own extension.

Make sure that this extension is deployed to the Chrome Web Store or to an enterprise Chrome Web Store specific to your organization.

Note: There are two APIs in the chrome.enterprise.platformKeys namespace, challengeUserKey and challengeMachineKey. In step 4, if you’re doing device verification, the extension needs to call challengeMachineKey; if you’re doing user verification, it needs to call challengeUserKey. Consult your ISV if you have questions.
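The following is an added example of the extension-side glue for one challenge-response round trip; it is not code from this article, from Google or from any ISV. The network service obtains a challenge from the Verified Access API and hands it to the extension, the extension passes it to the TPM-backed enterprise key through chrome.enterprise.platformKeys, and the signed response goes back to the service for its verify call to Google. The assumptions are that the challenge and response travel base64-encoded over whatever transport the network service uses, that `platformKeys` is injected (so the same logic runs and can be tested outside Chrome OS), and that `registerKey` defaults to false; `fetchChallengeFromService` and `postResponseToService` are hypothetical names for the service's own transport.

```javascript
// Added example, not code from the help article or from Google: extension-side
// glue for one Verified Access challenge-response round trip.
// Assumptions (not from the article): challenge and response are base64 strings;
// `platformKeys` is injected so the logic can run outside Chrome OS;
// `registerKey` defaults to false (no new key is registered for the challenge).

const TARGET = Object.freeze({
  MACHINE: 'machine', // device verification -> challengeMachineKey (step 4, device policies)
  USER: 'user',       // user verification   -> challengeUserKey   (step 4, user policies)
});

function base64ToArrayBuffer(b64) {
  const bin = atob(b64);
  const bytes = new Uint8Array(bin.length); // own buffer, exactly bin.length bytes
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

function arrayBufferToBase64(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin);
}

// Promise wrapper over the callback-style API. Chrome reports failures through
// chrome.runtime.lastError inside the callback rather than by throwing.
function signChallenge(platformKeys, target, challengeBuf, registerKey = false) {
  const fn = target === TARGET.USER
    ? platformKeys.challengeUserKey
    : platformKeys.challengeMachineKey;
  if (typeof fn !== 'function') {
    return Promise.reject(new Error(`no ${target} challenge function available`));
  }
  return new Promise((resolve, reject) => {
    fn.call(platformKeys, challengeBuf, registerKey, (response) => {
      const lastError = typeof chrome !== 'undefined' && chrome.runtime
        ? chrome.runtime.lastError
        : undefined;
      if (lastError) reject(new Error(lastError.message));
      else if (!(response instanceof ArrayBuffer)) reject(new Error('empty challenge response'));
      else resolve(response);
    });
  });
}

// Decode the service's challenge, sign it with the requested key, re-encode the
// response for transport. The caller chooses the target according to the
// verification mode configured in the Admin console.
async function respondToChallenge(platformKeys, challengeB64, target) {
  if (!Object.values(TARGET).includes(target)) {
    throw new Error(`unknown verification target: ${target}`);
  }
  const challengeBuf = base64ToArrayBuffer(challengeB64);
  const responseBuf = await signChallenge(platformKeys, target, challengeBuf);
  return { target, challengeResponse: arrayBufferToBase64(responseBuf) };
}

// Browser wiring: only runs inside the force-installed extension on Chrome OS.
// fetchChallengeFromService / postResponseToService are hypothetical helpers
// for the network service's own transport.
if (typeof chrome !== 'undefined' && chrome.enterprise && chrome.enterprise.platformKeys) {
  // fetchChallengeFromService()
  //   .then((c) => respondToChallenge(chrome.enterprise.platformKeys, c, TARGET.USER))
  //   .then(postResponseToService)
  //   .catch(console.error);
}
```

The choice between `TARGET.MACHINE` and `TARGET.USER` is the only place the extension has to mirror the Admin console configuration: a service account listed under the device policies verifies responses produced by challengeMachineKey, one listed under the user policies verifies responses produced by challengeUserKey.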

Step 3: Configure your network service endpoint

You need a network service that understands the Verified Access protocol and makes authorization decisions based on the results of the Google Verified Access API call. Examples are VPN appliances that support Verified Access, or Certificate Service extensions that let you issue client device certificates to compliant devices. As with the Chrome extension described above, you can obtain these from an ISV or follow the instructions in the Google Verified Access API Developer Guide to implement your own.

[Diagram: Verified Access]

You will need to know the Google service account this endpoint uses when it talks to the Google API (ask your vendor). You will also need to grant access to this account in your organization's Admin console in the next steps.
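The authorization decision on the network-service side, as an added example that is not part of this article and not any vendor's implementation. It covers the part the article leaves to the service: a challenge the service handed out must be consumed once, by the session that requested it, before it expires, and a successful verify result is then matched against the service's own device inventory. The assumptions are that `challengeId` is the service's own identifier for a challenge it issued (for instance a digest of the challenge bytes), that `verifyResult` is the parsed verify response from the Verified Access API (or `null` when that call failed) carrying `devicePermanentId` only when the service account is in the "allowed to receive device ID" list, and that `enrolledDevices` is a constructed inventory; confirm the field name against the API reference for the version you call.

```javascript
// Added example, not code from the help article or from any vendor: the
// network service's authorization decision after the Verified Access verify call.
// Assumptions: `challengeId` is the service's own id for a challenge it issued;
// `verifyResult` is the parsed verify response (null when the call failed) and
// carries `devicePermanentId` only if the service account may receive device IDs;
// `enrolledDevices` is the service's own inventory (constructed in the test).

class ChallengeLedger {
  constructor(ttlMs = 60_000) {
    this.pending = new Map(); // challengeId -> { sessionId, expiresAt }
    this.ttlMs = ttlMs;
  }

  // Record a challenge handed to a client, bound to the session that asked for it.
  issue(challengeId, sessionId, now = Date.now()) {
    this.pending.set(challengeId, { sessionId, expiresAt: now + this.ttlMs });
  }

  // A challenge is single-use: it is removed on the first consume attempt,
  // whether or not that attempt passes the remaining checks.
  consume(challengeId, sessionId, now = Date.now()) {
    const entry = this.pending.get(challengeId);
    this.pending.delete(challengeId);
    if (!entry) return { ok: false, reason: 'unknown-or-replayed-challenge' };
    if (entry.sessionId !== sessionId) return { ok: false, reason: 'session-mismatch' };
    if (now > entry.expiresAt) return { ok: false, reason: 'challenge-expired' };
    return { ok: true };
  }
}

// Decide whether the client behind `sessionId` may reach the protected resource.
// `requireDeviceId` is true for services whose account is allowed to receive the
// device ID and that want to pin access to a known inventory; services on the
// "verify but do not receive device ID" list must run with it set to false.
function authorize({ ledger, challengeId, sessionId, verifyResult, enrolledDevices,
                     requireDeviceId, now = Date.now() }) {
  const fresh = ledger.consume(challengeId, sessionId, now);
  if (!fresh.ok) return { allow: false, reason: fresh.reason };

  // A failed verify call (API error, policy not met) is passed in as null.
  if (!verifyResult) return { allow: false, reason: 'verification-failed' };

  if (requireDeviceId) {
    if (!verifyResult.devicePermanentId) return { allow: false, reason: 'no-device-id' };
    if (!enrolledDevices.has(verifyResult.devicePermanentId)) {
      return { allow: false, reason: 'device-not-in-inventory' };
    }
  }
  return { allow: true, devicePermanentId: verifyResult.devicePermanentId ?? null };
}
```

The ledger is what makes the Google-side verdict useful to the service: without it, a captured response could be replayed into another session, and the verify result alone does not tell the service which of its own sessions the challenge belonged to.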

Step 4: Configure Admin console policies

You can do device verification, user verification, or both. Security-conscious enterprises typically do user verification because it verifies both the user and the device, whereas doing only device verification means that anyone using the device could access the protected network.

Device policies

To do device verification:

  • Set the Verified Access policy to Enable for Enterprise Extensions.
  • Set the Verified Mode policy to choose whether your device checks require verified boot mode.
  • Under Verified Mode, add the service account email used by your network service endpoint to either the Service accounts that are allowed to receive device ID list or the Service accounts that can verify devices but do not receive device ID list.

User policies

To do user verification:

  • Set the Verified Access policy to Enable for Enterprise Extensions.
  • Set the Verified Mode policy to choose whether your device checks require verified boot mode.
  • Under Verified Mode, add the service account email used by your network service endpoint to either the Service accounts that are allowed to receive user data list or the Service accounts that can verify users but do not receive user data list.

Application policies (mandatory)

You have to enable two settings for the Verified Access extension to work:

That’s it! You’ve set up Verified Access. Questions? See the Verified Access API Developer Guide.
