요청한 페이지는 현재 사용 중인 언어로 제공되지 않습니다. 페이지 하단에서 다른 언어를 선택하거나 Chrome에서 기본 제공되는 번역 기능을 사용해 웹페이지를 원하는 언어로 바로 번역할 수 있습니다.

Enable Verified Access with Chrome OS devices

What is Verified Access?

Verified Access ensures that a device connecting to your network has been unmodified and is policy- compliant. Verified Access serves as an access point for a network service (such as a VPN gateway, a sensitive server, an enterprise Certificate Authority (CA), or an enterprise Wi-Fi access point) to get a hardware-backed cryptographic guarantee of the identity of the device and user that’s trying to access it. Learn more about how Verified Access works.

How does it work?

Verified Access uses the Trusted Platform Module (TPM) - present in every Chrome OS device - to enable enterprise network services to cryptographically confirm the identity and status of secure mode and enterprise policy using a Google server-side Application Programming Interface (API).

You need to enable the Verified Access feature in the Google Admin console and force-install a Chrome extension on your users’ devices. Once you’ve done this, your network service talks to the Verified Access API to determine the policy compliance and talks to Google to (optionally) determine the identity of the client device. See step 3 below for more about the network service endpoint.

Set up Verified Access for my company

Step 1: Enroll Chrome OS devices

Verified Access only works for the managed enterprise users on the devices enrolled in the domain that you manage. Learn how to enroll a Chrome OS device.

Step 2: Install a Verified Access extension

To use Verified Access in your organization, you need to have a Chrome extension that calls Verified Access API on the client devices. You can get an extension from an independent software vendor (ISV), such as Cloudpath, or use Google Verified Access API Developer Guide to implement your own extension.

Make sure that this extension is deployed to Chrome Web Store or an enterprise Chrome Web Store specific to your organization.

Note: There are two APIs in the chrome.enterprise.platformKeys namespace - challengeUserKey and challengeMachineKey. In step 4, if you’re doing device verification, you need to call “challengeMachineKey”. If you’re doing user verification, you need to call “challengeUserKey”. Consult with your ISV if you have questions.

Step 3: Configure your network service endpoint

You need to have a network service that understands Verified Access protocol and makes authorization decisions based on the results of the Google Verified Access API call. Examples are VPN appliances that support Verified Access, or Certificate Service extensions that let you issue client device certificates to the compliant devices. Similar to the Chrome extension described above, you can obtain these from an ISV or follow the instructions in the Google Verified Access API Developer Guide to implement your own.

Verified Access diagram

You will need to:

  • Know the Google service account used by this endpoint when it talks to Google API (ask your vendor).
  • Grant access to this account in your organization's Admin console in the next steps.

Step 4: Configure Admin console policies

You can choose to configure device or user verification. Security-conscious enterprises typically do user verification because it verifies both the user and device, whereas; only doing device verification means that anyone using the device could access the protected network.

Configure device policies

  1. Set the Verified Mode policy value to require secure mode (or not) for your device checks.
  2. Under Verified Mode, add the service account email used by your network service endpoint to one of these lists:
  •  Service accounts that are allowed to receive device ID 
  • Service accounts that can verify devices but do not receive device ID

Configure user policies

  1. Set the Verified Mode policy value to require secure mode (or not) for your device checks.
  2. Under Verified Mode, add the service account email used by your network service endpoint to one of these lists:
  • Service accounts that are allowed to receive user data
  • Service accounts that can verify users but do not receive user data 

Enable application policies (mandatory)

  1. Enable Force Installation.
  2. Enable Allow access to challenge enterprise keys.

Note: The chrome.enterprise.platformKeys API is only available to extensions that are force-installed by policy.

That’s it! You’ve set up Verified Access. Questions? See the Verified Access API Developer Guide.

도움이 되었나요?

어떻게 하면 개선할 수 있을까요?

도움이 더 필요하신가요?

다음 단계를 시도해 보세요.

Search
Clear search
Close search
Main menu
9651503767408313507
true
도움말 센터 검색
true
true
true
true
true
410864
false
false