With a Chrome Security policy you configure settings for the Sophos Chrome Security extension when it’s enrolled with Sophos Mobile. Learn how to configure Sophos Firewall to sign in Chromebook users to Sophos Firewall at the time they sign in to their Chromebook. Objectives When you complete this unit, you'll know how to do the following: Configure an Active Directory server in Sophos Firewall for use with Google Chrome Enterprise.; Configure a Chromebook for use with Sophos Firewall.
Sophos Chrome Security is a security extension for Chrome devices.
Sophos Chromebook User Id
When you enroll Sophos Chrome Security with Sophos Mobile, you can perform the following tasks:
- Find the device.
- Send a message to the device.
- Configure websites that users are allowed to access.
Enrollment types
Manual enrollment:
You can enroll a Chrome device with Sophos Mobile using the Add device assistant or the Sophos Mobile Self Service Portal. The user must install Sophos Chrome Security on their device and enter an enrollment token.
Automatic enrollment:
If you’re using Google Workspace (formerly G Suite), you can configure Sophos Chrome Security to automatically enroll with Sophos Mobile when a Google Workspace user signs in to a Chrome device.
- Applies to: Sophos Home Premium and Free (Mac/Windows). Chrome steps: Reset Chrome settings to default. 2.a) MacOS: The steps to reset browser and homepage may need to be performed in Safe Mode or using the Terminal if unable to perform the above listed. Ensure Google Chrome is closed. Then, enter each one of these commands.
- 1 - Open the Sophos Home application and click on My Activity or Manage Devices button 2 -If applicable, enter your Sophos Home account email and password 3- If desired, check the box for “Allow the current user on this computer to access your dashboard without signing in”.
Learn how to configure Sophos Firewall to sign in Chromebook users to Sophos Firewall at the time they sign in to their Chromebook.
Objectives
When you complete this unit, you'll know how to do the following:- Configure an Active Directory server in Sophos Firewall for use with Google Chrome Enterprise.
- Configure a Chromebook for use with Sophos Firewall.
- Configure Google Chrome Enterprise for use with Sophos Firewall.
Sophos Chromebook User Id App
Sophos Chrome Extension
Configure Chromebook SSO with Active Directory
First configure Sophos Firewall.
Sophos Chrome Intruder
- Your Active Directory server is already configured for use with G Suite and synchronization has taken place.
- You know how to configure an Active Directory server in Sophos Firewall.
- You know how to create or import certificates.
- You know how to create firewall rules.
- Chromebooks can connect to the network controlled by Sophos Firewall, for example, LAN or Wi-Fi.
Sophos Chrome Extension
- Create an Active Directory server.The Chromebook users in the AD must have email addresses that use the domain registered with G Suite. For example, if your registered domain is example.com, AD Chromebook users must have an email address like user@example.com.
- Change device access to allow Chromebook SSO.Go to Administration > Device access and select Chromebook SSO for the zone where the Chromebook users are allowed to connect from, for example, LAN and Wi-Fi.
- Create or import a valid certificate.Note The CN must match the zone/network where the Chromebook users are, for example, gateway.example.com.The certificate is used for SSL-encrypted communication with the Chromebooks.
The certificate must not be protected by a passphrase.
- Go to Authentication > Services > Chromebook SSO, enable the Chromebook SSO feature and specify the following settings:
Option
Description Domain The domain as registered with G Suite, that is, the domain suffix of the email addresses used in G Suite, for example, example.com. This can be different from your Active Directory domain. Port 65123 Certificate The certificate created/imported above Logging level Select the amount of logging - Click Download G Suite app config.This will download a JSON file that you need to upload later to G Suite.
- Open the file with a text editor, enter a value for serverAddress (LAN or DNS IP address of Sophos Firewall), and save.Server address must match the certificate’s CN, for example, 10.1.1.1.
- Create firewall rules.
- Create a User/Network rule to allow Google API and Chrome Web Store communication for all devices. This is necessary to push the app to the Chromebooks:
- Source zones, for example: LAN, Wi-Fi
- Destination zones, for example: WAN
- Destination networks: Select the predefined FQDN host groups Google API Hosts and Google Chrome Web Store.
- Create a User/Network rule to match known users and to show the captive portal to unknown users to allow internet access to Chromebooks:
- Source zones, for example: LAN, Wi-Fi
- Destination zones, for example: WAN
- Identity: Select the following options: Match known users, Show captive portal to unknown users
Sort both rules so that rule a) is applied before rule b).
If you don’t select Show captive portal to unknown users in rule b), we recommend that you create another network rule c) to avoid possible waiting time when contacting the Chrome Web Store.
- Create a User/Network rule with the following settings:
- Rule type: Reject
- Source zones, for example: LAN, Wi-Fi
- Destination zones: WAN
Place the rule at the bottom of the list so that the rule is applied last.
- Create a User/Network rule to allow Google API and Chrome Web Store communication for all devices. This is necessary to push the app to the Chromebooks: