Deploy the Chromebook Client

The Cisco Security for Chromebook client allows you to enable DNS layer protection for Chromebook users.

DNS Layer Protection

For DNS layer protection, DoH (DNS over HTTPS) is used to send DNS queries to Secure Access resolvers. These DNS queries are sent using DoH templates, which capture the Chromebook identities. The Chromebook identities are hashed using a Salt value that you configure. Once the Salt is configured on the Secure Access console, you can copy the DoH templates, configure the Enterprise Policy on Google Admin Console and propagate the DoH templates to the Chromebooks.
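Why the Salt in the Google Admin console has to match the one in the Secure Access dashboard, shown as an added example that is not Cisco's or Google's code. The hash construction (SHA-256 over identifier plus salt, upper-case hex), the `${USER_EMAIL}` placeholder, the template URL, the salts and the identities are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Assumptions for illustration (not from the page): SHA-256 over
# identifier + salt, upper-case hex, a ${USER_EMAIL} placeholder, and the
# host doh.example.invalid. All identities and salts below are constructed.
DOH_TEMPLATE = "https://doh.example.invalid/${USER_EMAIL}/dns-query"
DASHBOARD_SALT = "constructed-salt-0001"


def hash_identity(identifier: str, salt: str) -> str:
    """Salted hash that stands in for the identity inside the DoH URL."""
    return hashlib.sha256((identifier + salt).encode("utf-8")).hexdigest().upper()


def client_doh_url(email: str, salt: str) -> str:
    """Chromebook side: fill the template with the salt set in the Google Admin console."""
    return DOH_TEMPLATE.replace("${USER_EMAIL}", hash_identity(email, salt))


def build_resolver_index(emails, salt: str) -> dict:
    """Resolver side: hash every synced identity with the dashboard salt."""
    return {hash_identity(e, salt): e for e in emails}


def resolve_identity(url: str, index: dict):
    """Map the hashed path segment back to an identity, or None if unknown."""
    for segment in urlsplit(url).path.split("/"):
        if segment in index:
            return index[segment]
    return None


def demo():
    """Same identity, once with the matching salt and once with a different one."""
    index = build_resolver_index(["alice@example.com", "bob@example.com"], DASHBOARD_SALT)
    same_salt = client_doh_url("alice@example.com", DASHBOARD_SALT)
    wrong_salt = client_doh_url("alice@example.com", "constructed-salt-0002")
    return resolve_identity(same_salt, index), resolve_identity(wrong_salt, index)


if __name__ == "__main__":
    print(demo())
```

With a mismatched salt the query still reaches the resolver, but the hashed identifier matches no known identity, so the query cannot be attributed to the user.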

Deploy Cisco Security for Chromebook Client

The Cisco Security for Chromebook client is deployed using the Secure Access dashboard and the Google Admin Console. Use the Secure Access Dashboard to configure the Salt value, get the URL for the DoH templates, and download the JSON file. Use the Google Admin Console to deploy the Cisco Security for Chromebook client. The configuration and deployment procedures take approximately 30 minutes.

Secure Access Dashboard

  1. From Secure Access, navigate to Connect > End User Connectivity.
  2. On the End User Connectivity page, click the Internet Security tab.
  3. In the Deployment options section, click the ChromeOS tab.
  4. In the Configure Chromebooks window, follow the onscreen instructions:

i. Define a salt value.

  • A salt is a piece of random data that is added to a password before the password is hashed and stored. Salting prevents hackers who breach an enterprise environment from reverse-engineering passwords and stealing them from the database.
  • Important: Copy and save the salt value. You will need it when you deploy the Cisco Security for Chromebook client in the Google Admin console.

    Note: The Salt value cannot be changed once it is saved and confirmed. You will need to raise a support ticket with Umbrella to change the Salt value.

  • Result: After you define the salt value, two DoH templates are created:
    • The default DoH template, which is used for all managed Chromebooks.
    • The managed session DoH template, which is used only for managed guest-session devices.
    • Important: Copy and save the URLs for the DoH templates. You will need them when you deploy the Cisco Security for Chromebook client in the Google Admin console.

ii. Download the Chromebook configuration file.

iii. Recommended: Sync Google Workspace identities with Secure Access. You need superadmin-level access to Google Workspace.

Google Admin Console

You can configure the default and the managed guest session DoH templates using the Google Admin console.

Configure Default Template

  1. Log into the Google Admin console.
  2. Navigate to Devices > Chrome > Settings > Users & browser settings.
  3. Cisco Security for Chromebook is in the process of transitioning from Manifest V2 to Manifest V3 for Chrome Extensions. In the meantime, Google recommends that you use the Manifest V2 Extensions Availability policy to ensure continued functioning of Manifest V2 extensions.
    To enable availability of Manifest V2 extensions:
    Filter settings for Manifest. The Manifest V2 Extension Availability setting is displayed.
  4. Select the parent organizational unit on which you want to enable the Manifest V2 extension availability policy. Click Manifest V2 extension availability.
  5. In the Configuration drop-down list, choose Enable manifest V2 extensions.
  6. Filter settings for DNS. The DNS settings are displayed.
  7. Select DNS-over-HTTPS and configure it to Enable DNS-over-HTTPS with insecure fallback.
  8. Return to the Users & Browser Settings page. Select DNS-over-HTTPS with Identifiers.
  9. Enter the URL of the Default DoH template and the Salt value copied from the Secure Access Dashboard in the earlier steps. Click Save.

Note: The Salt value entered here should be the same as the Salt value entered in the Secure Access dashboard.

  10. From Apps & Extensions, navigate to Users & browsers > Organizational Units.
  11. Expand Organizational Units and choose the organization into which you want to deploy the Chromebook client.
  12. Click the + (Expand) icon and choose Add from Chrome Web Store.
  13. In the Chrome Web Store, navigate to Extensions and search for the Cisco Security for Chromebook extension using the ID jgnjaoilojahgagddnkeankieagghabk.
  14. Click Select. The extension is added to the selected organization unit.
  15. Copy the JSON file that you downloaded and paste it into the Policy for Extensions section.

Note: The JSON configuration parameters googleDirectoryService and vaIPs apply only to the Cisco Umbrella Chromebook client and not to the Cisco Security for Chromebook client.

Important: If you have deployed the Cisco Umbrella Chromebook client, Block or Uninstall the Umbrella Chromebook App and Extension before you deploy the Cisco Security for Chromebook client.

  16. Choose Force Install and then click Save.
    The Cisco Security for Chromebook client extension is installed. Force Install ensures that Chromebook users in the selected Organization Unit cannot remove or disable the extension.
  17. Check if the Cisco Security for Chromebook Client is installed on the Chromebooks and if the old Umbrella Chromebook Client (App and Extension) is blocked.
  18. Open the URL https://policy-debug.checkumbrella.com and verify if the device is being protected by Secure Access. For DNS customers, the message displayed is “You are protected by Cisco Secure Access!”

It may take Google up to eight hours to push the Chrome extension to all your Chromebooks. After the client is installed in a Chromebook, allow a few hours for Chromebook traffic to begin appearing in the Secure Access dashboard.

Note: Chromebooks must be connected and logged in.

Configure Managed Guest Session Template

  1. Log into the Google Admin console.
  2. Navigate to Devices > Chrome > Settings > Managed guest session settings.
  3. Cisco Security for Chromebook is in the process of transitioning from Manifest V2 to Manifest V3 for Chrome Extensions. In the meantime, Google recommends that you use the Manifest V2 Extensions Availability policy to ensure continued functioning of Manifest V2 extensions.
    To enable availability of Manifest V2 extensions:
    Filter settings for Manifest. The Manifest V2 Extension Availability setting is displayed.
  4. Select the parent organizational unit on which you want to enable the Manifest V2 extension availability policy. From the Configuration drop-down menu, select Enable Manifest V2 extensions.
  5. Filter settings for DNS. The DNS settings are displayed.
  6. Select DNS-over-HTTPS and configure it to Enable DNS-over-HTTPS with insecure fallback.
  7. Return to the Managed guest session settings. Select DNS-over-HTTPS with Identifiers.
  8. Enter the URL of the Managed Guest Session DoH template and the Salt value copied from the Secure Access Dashboard. Click Save.
  9. From Apps & Extensions, navigate to Managed Guest Session > Organizational Units.
  10. Expand Organizational Units and choose the organization into which you want to deploy the Cisco Security for Chromebook client.
  11. Click the + (Expand) icon and choose Add from Chrome Web Store.
  12. In the Chrome Web Store, navigate to Extensions and search for the Cisco Security for Chromebook client extension using the ID jgnjaoilojahgagddnkeankieagghabk.
  13. Click Select. The extension is added to the selected organization unit.
  14. Change the publicSession value to true in the JSON file that you downloaded. Copy the JSON file and paste it into the Policy for Extensions section.

Important: Ensure that you set the value of publicSession to true before copying the JSON file to the Policy for Extensions section.

  15. Choose Force Install and then click Save.
    The Cisco Security for Chromebook client extension is installed. Force Install ensures that Chromebook users in the selected Organization Unit cannot remove or disable the extension.

Important: If you have deployed the Cisco Umbrella Chromebook client, Block or Uninstall the Umbrella Chromebook App and Extension before you deploy the Cisco Security for Chromebook client.

  16. Check if the Cisco Security for Chromebook client is installed on the Chromebooks and if the old Umbrella Chromebook Client (App and Extension) is blocked.
  17. Open the URL https://policy-debug.checkumbrella.com and verify if the device is being protected by Umbrella. For DNS customers, the message displayed is “You are protected by Cisco Umbrella DNS!”

It may take Google up to eight hours to push the Chrome extension to all your Chromebooks. After the client is installed in a Chromebook, allow a few hours for Chromebook traffic to begin appearing in the Secure Access dashboard.

Note: Chromebooks must be connected and logged in.
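A pre-flight check for the JSON edit in the managed guest session procedure above, added here as an example and not part of Cisco's tooling: it sets publicSession to true and reports what to fix before the file is pasted into Policy for Extensions. The sample file is constructed; the `{"Value": ...}` wrapper and the `organizationInfo` key are assumptions about the file's shape.

```python
import copy
import json

# Constructed sample. Assumed shape: each setting wrapped as {"Value": ...};
# "organizationInfo" is a placeholder key, not taken from the page.
DOWNLOADED = """{
  "organizationInfo": {"Value": "PLACEHOLDER"},
  "googleDirectoryService": {"Value": false},
  "vaIPs": {"Value": []},
  "publicSession": {"Value": false}
}"""

UMBRELLA_ONLY = ("googleDirectoryService", "vaIPs")  # per the page's note


def unwrap(entry):
    """Return the setting value whether or not it is wrapped in {"Value": ...}."""
    if isinstance(entry, dict) and "Value" in entry:
        return entry["Value"]
    return entry


def for_guest_session(config: dict) -> dict:
    """Copy the config and set publicSession to boolean true, keeping its shape."""
    out = copy.deepcopy(config)
    wrapped = any(isinstance(v, dict) and "Value" in v for v in config.values())
    out["publicSession"] = {"Value": True} if wrapped else True
    return out


def preflight(config: dict, guest_session: bool) -> dict:
    """Report errors to fix before pasting, plus informational notes."""
    errors, notes = [], []
    if guest_session:
        if "publicSession" not in config:
            errors.append("publicSession is missing")
        elif unwrap(config["publicSession"]) is not True:
            # Catches false and also the string "true", a common editing slip.
            errors.append("publicSession must be the JSON boolean true")
    for key in UMBRELLA_ONLY:
        if key in config:
            notes.append(f"{key} applies only to the Cisco Umbrella Chromebook client")
    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    guest = for_guest_session(json.loads(DOWNLOADED))
    print(json.dumps(guest, indent=2), preflight(guest, guest_session=True))
```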

