Configuring Managed Chromebooks for Certificate Auto-Enrollment through EAP-TLS

802.1X certificates are a vast improvement over credentials and eliminate many of the vulnerabilities of pre-shared keys. They improve the user experience by streamlining network access and eliminating the disconnects that password-change policies cause with credential-based authentication. Certificates also tie an identity to a specific device, so network activity can be attributed to that device and its user.

But manually configuring every managed Google Chromebook for secure network authentication is incredibly labor-intensive. To simplify the process, SecureW2 has created a solution that enables Chromebooks to automatically enroll themselves for certificates without requiring any end-user interaction.

For organizations interested in Chromebook MDM, SecureW2’s Managed Device Gateway is a versatile tool that integrates with practically any existing infrastructure. It works with any major Wi-Fi vendor and hooks in seamlessly to your current RADIUS server. If you don’t have a RADIUS server (or other necessary infrastructure), SecureW2 offers its own Cloud RADIUS Server built for EAP-TLS.

Tech Overview

  1. Configure Managed Device Gateway in SecureW2
    • With SecureW2, you can easily set up Gateway APIs so your managed devices can automatically enroll themselves for certificates.
    • You’ll need to grant Google Chrome Verified Access permission to the SecureW2 service account so that it can validate the Verified Access token each Chromebook presents during enrollment.
  2. Configure Google Admin for Chromebook Certificate Enrollment
    • Our Support team will work with you to create a custom JSON policy file to push to your managed Chromebooks so they can enroll themselves for a Wi-Fi certificate.
    • We provide you with the extension ID to install and push the JoinNow Chrome extension for certificate auto-enrollment.
    • Lastly, configure and push the appropriate Wi-Fi settings so your devices will use the newly enrolled certificate for certificate-based Wi-Fi authentication. SecureW2 works with any Wi-Fi infrastructure to provide EAP-TLS authentication.


Setting up the SecureW2 Management Portal

First, reach out to SecureW2 support so they can create an Identity Provider for Google Verified Access in the management portal. Once that is in place, you can begin in the SecureW2 Management Portal: configure your network profile, then finish tasks such as the TLS enrollment process, enrollment policies and group policies. Proceed with the following steps:

  1. Create a Network Profile from the SecureW2 Management Portal
    • Navigate to Device Onboarding → Getting Started
    • Configure the settings as shown in the image below

[Image: configuring the network profile]

    • Note: You will need to enter an SSID name, even though it will not be used for this workflow (the Wi-Fi settings are pushed separately from the Google Admin Console).
    • Note: Select your wireless and RADIUS providers under Wireless and RADIUS Vendor.
    • Click Create and your Network Profile will be generated.
  2. Click Edit on your newly created Network Profile
  3. Click Edit on Network Settings
  4. Under TLS Enrollment, configure as shown in the image below

[Image: configuring the TLS enrollment type]

    • Note for the Generate Certificate For setting:
      • If you are enrolling individual users for certificates, select User
      • If you are enrolling devices for certificates, select System
  5. Remaining in Network Settings, click the Advanced section at the top of the screen
  6. Navigate to Workflows and uncheck the following workflows (the extension only performs certificate enrollment; Wi-Fi configuration is handled by the Google Admin Console)
    • Wireless Configuration
    • Wireless Connect

[Image: choosing the correct workflows]

  7. Update the Network Settings
  8. Update the Network Profile
  9. Re-publish the Network Profile
  10. Navigate to Policy Management
    • Navigate to Profile
    • Click Edit
    • Map the IDP that SecureW2 support created in the profile policy. Similarly, create a new user-role policy; the default device policy can be used as-is.
  11. Create a new enrollment policy that uses the newly created user-role policy and the default device policy.


Configure Google Admin Console for Device Certificate Enrollment

The Google Admin Console allows admins to manage all their G Suite services in a central location. Here you will configure access for device certificate enrollment. Once configured, Chromebooks that present a valid Verified Access token will be able to enroll for certificates with no interaction from the end user.

Granting Permission for the SecureW2 Service Account for Google Chrome Verified Access

This service account validates the Verified Access token (sent by the Chromebook during enrollment) against Google to confirm that the device or user identity matches the token. Only if that check succeeds does enrollment proceed to the next step; a device that cannot produce a valid token is refused a certificate.

  1. To provide access to the service account for device certificate enrollment, navigate to Device Management -> Chrome -> Management -> Device Settings -> Enrollment & Access -> Verified Access
  2. Select Enable for Content Protection
  3. In the Verified Mode section, select Require Verified Mode Boot for Verified Access
    • Under Service Account, enter the SecureW2 service account email (contact SecureW2 support for the address)
  4. To provide access to the service account for user certificate enrollment, navigate to Device Management -> Chrome Management -> User & Browser Settings -> User Verification
  5. In the Verified Mode section, select Require Verified Mode Boot for Verified Access
    • Under Service Account, enter the SecureW2 service account email (contact SecureW2 support for the address)


Create JSON Certificate Enrollment Config

In a later section you will upload a JSON configuration file to the Google Admin Console. Reach out to SecureW2 support at this stage and they will provide the JSON file required. The file uses the Chrome extension policy format: each top-level key wraps its setting in a "Value" object. Make sure every placeholder (such as <WORKFLOW_ID>) has been replaced with your organization's actual values before uploading.

Sample File:

    {
        "EnrollmentURL": {
            "Value": "<WORKFLOW_ID>"
        },
        "DeviceCertificate": {
            "Value": true
        },
        "RenewWindowDays": {
            "Value": 30
        },
        "MetaConfigInfo": {
            "Value": {
                "organizationId": "<ORG_ID>",
                "profileId": "<PROFILE_UUID>"
            }
        }
    }
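A policy file that still contains template placeholders, or that drops the "Value" wrapper, will be accepted by the upload dialog but will leave the extension with no usable enrollment settings. The following is an added example, not SecureW2 code, that checks a policy file of the shape shown above before it is uploaded. The required key set, the value types and the requirement that profileId be a UUID are assumptions derived from the sample file, not a published schema; the sample identifiers in the filled-in copy are made up.

```python
"""Pre-upload sanity check for the JoinNow extension policy JSON.

Added example, not SecureW2 code. It checks the structural shape of the
sample file above (each top-level key wraps its setting in "Value", the
format Chrome uses for extension policy) and flags placeholders such as
<WORKFLOW_ID> that were never replaced. The required keys, types and the
UUID rule for profileId are assumptions based on the sample, not a schema.
"""
import json
import re
import uuid

# Keys present in the sample file and the Python type each "Value" must have.
REQUIRED_KEYS = {
    "EnrollmentURL": str,
    "DeviceCertificate": bool,
    "RenewWindowDays": int,
    "MetaConfigInfo": dict,
}
# Nested keys under MetaConfigInfo.Value in the sample.
REQUIRED_META_KEYS = ("organizationId", "profileId")
# Unreplaced template placeholders look like <WORKFLOW_ID>.
PLACEHOLDER = re.compile(r"^<[A-Z_]+>\s*$")


def _value(policy, key):
    """Return policy[key]["Value"], or None if the wrapper is missing."""
    entry = policy.get(key)
    if not isinstance(entry, dict) or "Value" not in entry:
        return None
    return entry["Value"]


def validate_policy(text):
    """Return a list of problems found in the policy JSON; empty means OK."""
    problems = []
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(policy, dict):
        return ["top level must be a JSON object"]

    for key, expected in REQUIRED_KEYS.items():
        value = _value(policy, key)
        if value is None:
            problems.append(f'{key}: missing or not wrapped as {{"Value": ...}}')
            continue
        # bool is a subclass of int in Python, so reject true/false for int.
        wrong_type = not isinstance(value, expected) or (
            expected is int and isinstance(value, bool))
        if wrong_type:
            problems.append(f"{key}.Value: expected {expected.__name__}, "
                            f"got {type(value).__name__}")
            continue
        if isinstance(value, str) and PLACEHOLDER.match(value):
            problems.append(f"{key}.Value: placeholder {value.strip()} was not replaced")

    renew = _value(policy, "RenewWindowDays")
    if isinstance(renew, int) and not isinstance(renew, bool) and renew <= 0:
        problems.append("RenewWindowDays.Value must be a positive number of days")

    meta = _value(policy, "MetaConfigInfo")
    if isinstance(meta, dict):
        for mkey in REQUIRED_META_KEYS:
            mval = meta.get(mkey)
            if not isinstance(mval, str) or not mval.strip():
                problems.append(f"MetaConfigInfo.Value.{mkey}: missing or empty")
            elif PLACEHOLDER.match(mval):
                problems.append(f"MetaConfigInfo.Value.{mkey}: placeholder "
                                f"{mval.strip()} was not replaced")
        pid = meta.get("profileId")
        if isinstance(pid, str) and pid.strip() and not PLACEHOLDER.match(pid):
            try:
                uuid.UUID(pid.strip())
            except ValueError:
                problems.append("MetaConfigInfo.Value.profileId: not a UUID")
    return problems


# Constructed inputs: the template as shipped (placeholders intact, trailing
# space after <PROFILE_UUID> as in the original) and a filled-in copy with
# made-up identifiers that are not real SecureW2 values.
TEMPLATE = """{
  "EnrollmentURL": {"Value": "<WORKFLOW_ID>"},
  "DeviceCertificate": {"Value": true},
  "RenewWindowDays": {"Value": 30},
  "MetaConfigInfo": {"Value": {"organizationId": "<ORG_ID>", "profileId": "<PROFILE_UUID> "}}
}"""

FILLED = """{
  "EnrollmentURL": {"Value": "example-workflow-id"},
  "DeviceCertificate": {"Value": true},
  "RenewWindowDays": {"Value": 30},
  "MetaConfigInfo": {"Value": {"organizationId": "example-org",
                               "profileId": "123e4567-e89b-12d3-a456-426614174000"}}
}"""

if __name__ == "__main__":
    for name, text in (("template", TEMPLATE), ("filled", FILLED)):
        print(name, validate_policy(text) or "OK")
```

Run it against the file support sends you (read the file into `text` and call `validate_policy`); the template as shipped is reported with three unreplaced placeholders, and the filled-in copy passes. Treat any non-empty result as a stop before uploading, since a silently broken policy only shows up later as devices that never enroll.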

Configuring the JoinNow MultiOS Extension from the Google Admin Console

The SecureW2 JoinNow MultiOS extension needs to be installed on our Chromebooks so they can enroll for certificates. Here we will configure our Google Admin Console to install the extension on to our Chromebooks.

  1. In the Google Admin console, navigate to the JoinNow MultiOS extension by clicking Chrome management -> User & browser settings -> Apps and Extensions -> Force-installed Apps and Extensions -> Manage Force-Installed Apps -> Chrome Web Store
  2. Search by extension ID (which will be provided by the SecureW2 support team)


SecureW2 Certificate Auto-Enrollment Extension for Google Admin Console

With the JoinNow MultiOS extension configured on Chromebooks, the device settings can be configured for auto-enrollment. We will configure the devices to allow a seamless enrollment process with no end user interaction.

  1. Navigate to Device Management -> Chrome Management -> App Management -> SecureW2 Certificate Autoenrollment Extension -> User Settings
  2. Select the “OU” and click Enable
  3. Configure the following settings
    • Allow Installation
    • Force Installation
    • Allow Access to challenge enterprise keys
  4. Now click Configure -> Upload Configuration File
  5. Upload the JSON file shared by support

[Image: configuring for auto-enrollment extension]


Configuring the RADIUS Server Issuer CA Chain from Google Admin Console

WPA2-Enterprise requires installing and configuring the trusted RADIUS server issuer CA chain so the device can securely connect to the Wi-Fi network. This is also handled in the Google Admin Console. The uploaded CA can later be selected as the trusted Server Certificate Authority in the Wi-Fi network configuration, so the Chromebook will only complete EAP-TLS against a RADIUS server whose certificate chains to that CA and will refuse a rogue access point presenting any other certificate.

  1. Login to the Google Admin Console
  2. Click on Device Management
  3. Click on Network
  4. Click on Certificates
  5. Upload your RADIUS Server issuer CA chain using Add Certificate
  6. Click on Save at the end of the page


Configure 802.1X Wi-Fi for Certificate-Based Authentication on Chromebook

The last thing we need to do is configure the network settings that will be pushed to our Chromebooks, so that they will authenticate to our SSID using SecureW2 for certificate-based Wi-Fi authentication.

  1. Go to the Google Admin Console
  2. Click Device Management -> Network -> Wi-Fi -> Add Wi-Fi
  3. Configure the Name and SSID of your Wi-Fi Network
  4. Select the option to Automatically Connect
  5. Set the Security type to WPA/WPA2-Enterprise (802.1X)
  6. Set the Extensible Authentication Protocol to EAP-TLS
  7. Set an Outer username, for example ${CERT_SAN_EMAIL} or ${CERT_SAN_UPN}
    • These variables are substituted with the email or UPN Subject Alternative Name taken from the enrolled client certificate
  8. Under Server Certificate Authority, select the RADIUS Server Issuer CA chain you uploaded earlier
  9. Under Client Enrollment URL, enter chrome-extension://<extension ID> (the extension ID will be provided by the SecureW2 support team)
  10. Under Issuer Pattern, enter attributes that match the CA that issues the Client Certificates (NOT the RADIUS Server Issuing CA); this pattern is how the Chromebook selects the enrolled certificate for this network
    • Matching on the Organization Name has been tested
  11. Under Apply Network, select By Device or By User depending on the use case
  12. Click Add -> Save at the end of the page

Note: When moving the Chromebooks to the specific “OU” for enrollment of certificates, make sure the user also belongs to that specific “OU”.


Superior Chromebook Management with EAP-TLS Auto-Enrollment

And with the final save, your network is configured for certificates. The organization can finalize any network settings to be pushed to the managed Chromebooks and then initiate the enrollment process. Managed Chromebooks will enroll for certificates and all the devices will be properly configured for secure 802.1X network access.

Ready to get started onboarding your own managed Chromebooks? SecureW2 is more affordable than you might think. Check out our pricing form to see for yourself.

Chromebook is either registered trademark or trademark of Google LLC in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.