Deploy the Chromebook Client
The Cisco Security for Chromebook client allows you to enable DNS layer protection for Chromebook users.
Table of Contents
DNS Layer Protection
For DNS layer protection, DoH (DNS over HTTPS) is used to send DNS queries to Umbrella resolvers. These DNS queries are sent using DoH templates, which capture the Chromebook identities. The Chromebook identities are hashed using a Salt value that you configure. Once the Salt is configured on the Umbrella console, you can copy the DoH templates, configure the Enterprise Policy on Google Admin Console and propagate the DoH templates to the Chromebooks.
Deploy Cisco Security for Chromebook Client
The Cisco Security for Chromebook client is deployed using the Umbrella dashboard and the Google Admin Console. Use the Umbrella Dashboard to configure the Salt value, get the URL for the DoH templates, and download the JSON file. Use the Google Admin Console to deploy the Cisco Security for Chromebook client. The configuration and deployment procedures take, approximately, 30 minutes.
Umbrella Dashboard
- Navigate to Deployments > Core Identities > Chromebook Users and click Configure.
- To enable DoH protection you need to configure the Salt value. To configure the Salt value, click Configure in the Define Salt row.
-
- Enter the Salt value. The Salt value can be between 8 and 32 characters and can be a combination of letters and/or numbers. Special characters are not allowed.
Note
The Salt value cannot be changed once it is saved and confirmed. You will need to raise a support ticket with Umbrella to change the Salt value.
- Once the Salt value is configured, two DoH templates are created. The first template is the default template, which is used for all Managed Chromebooks. The second template is the Managed guest session template, which is used only for Managed guest session devices. Copy and save the configured Salt value and the DoH template URLs. They will be required later when deploying the Cisco Security for Chromebook client from the Google Admin console.
- Click Configure and download the Chromebook Client Configuration JSON file. Save this file to a known location.
Google Admin Console
You can configure the default and the managed guest session DoH templates using the Google Admin console.
Configure Default Template
- Log into the Google Admin console.
- Navigate to Devices > Chrome > Settings > Users & browser settings.
- Cisco Security for Chromebook is in the process of transitioning from Manifest V2 to Manifest V3 for Chrome Extensions. In the meantime, Google recommends that you use the Manifest V2 Extensions Availability policy to ensure continued functioning of Manifest V2 extensions.
To enable availability of Manifest V2 extensions:
Filter settings for Manifest. The Manifest V2 Extension Availability setting is displayed.
- Select the parent organizational unit on which you want to enable the Manifest V2 extension availability policy. Click Manifest V2 extension availability.
- In the Configuration drop-down list, choose Enable manifest V2 extensions.
- Filter settings for DNS. The DNS settings are displayed.
- Select DNS-over-HTTPS and configure it to Enable DNS-over-HTTPS with insecure fallback.
- Return to the Users & Browser Settings page. Select DNS-over-HTTPS with Identifiers.
- Enter the URL of the Default DoH template and the Salt value copied from the Umbrella Dashboard in the earlier steps. Click Save.
Note
The Salt value entered here should be the same as the Salt value entered in the Umbrella dashboard.
- From Apps & Extensions, navigate to Users & browsers > Organizational Units.
- Expand Organizational Units and choose the organization into which you want to deploy the Cisco Umbrella Unified Chromebook client.
- Click the + (Expand) icon and choose Add from Chrome Web Store.
- In the Chrome Web Store, navigate to Extensions and search for the Cisco Security Chromebook client extension using the ID jgnjaoilojahgagddnkeankieagghabk.
- Click Select. The extension is added to the selected organization unit.
- Copy the JSON file that you downloaded and paste it into the Policy for Extensions section.
Note
The JSON configuration parameters, googleDirectoryService and vaIPs apply only to the Cisco Umbrella Chromebook client and not to the Cisco Security for Chromebook client.
Important
If you have deployed the Cisco Umbrella Chromebook client, Block or Uninstall the Umbrella Chromebook App and Extension before you deploy the Cisco Security for Chromebook client.
- Choose Force Install and then click Save.
The Cisco Security for Chromebook client extension is installed. Force Install ensures that Chromebook users in the selected Organization Unit cannot remove or disable the extension.
- Check if the Cisco Security for Chromebook Client is installed on the Chromebooks and if the old Umbrella Chromebook Client (App and Extension) is blocked.
- Open the URL https://policy-debug.checkumbrella.com and verify if the device is being protected by Umbrella. For DNS customers, the message displayed is “You are protected by Cisco Umbrella DNS!”
It may take Google up to eight hours to push the Chrome extension to all your Chromebooks. After the client is installed in a Chromebook, allow a few hours for Chromebook traffic to begin appearing in your Umbrella dashboard.
Note
Chromebooks must be connected and logged in.
Configure Managed Guest Session Template
- Log into the Google Admin console.
- Navigate to Devices > Chrome > Settings > Managed guest session settings.
- Cisco Security for Chromebook is in the process of transitioning from Manifest V2 to Manifest V3 for Chrome Extensions. In the meantime, Google recommends that you use the Manifest V2 Extensions Availability policy to ensure continued functioning of Manifest V2 extensions.
To enable availability of Manifest V2 extensions:
Filter settings for Manifest. The Manifest V2 Extension Availability setting is displayed.
- Select the parent organizational unit on which you want to enable the Manifest V2 extension availability policy. From the Configuration drop-down menu, select Enable Manifest V2 extensions.
- Filter settings for DNS. The DNS settings are displayed.
- Select DNS-over-HTTPS and configure it to Enable DNS-over-HTTPS with insecure fallback.
- Return to the Managed guest session settings. Select DNS-over-HTTPS with Identifiers.
- Enter the URL of the Managed Guest Session DoH template and the Salt value copied from the Umbrella Dashboard. Click Save.
- From Apps & Extensions navigate to Managed Guest Session > Organizational Units.
- Expand Organizational Units and choose the organization into which you want to deploy the Cisco Security for Chromebook client.
- Click the + (Expand) icon and choose Add from Chrome Web Store.
- In the Chrome Web Store, navigate to Extensions and search for the Cisco Security for Chromebook client extension using the ID jgnjaoilojahgagddnkeankieagghabk.
- Click Select. The extension is added to the selected organization unit.
- Change the publicSession value to true in the JSON file that you downloaded. Copy the JSON file and paste it into the Policy for Extensions section.
Important
Ensure that you set the value of publicSession to true before copying the JSON file to the Policy for Extensions section.
- Choose Force Install and then click Save.
The Cisco Security for Chromebook client extension is installed. Force Install ensures that Chromebook users in the selected Organization Unit cannot remove or disable the extension.
Important
If you have deployed the Cisco Umbrella Chromebook client, Block or Uninstall the Umbrella Chromebook App and Extension before you deploy the Cisco Security for Chromebook client.
- Check if the Cisco Security for Chromebook client is installed on the Chromebooks and if the old Umbrella Chromebook Client (App and Extension) is blocked.
- Open the URL https://policy-debug.checkumbrella.com and verify if the device is being protected by Umbrella. For DNS customers, the message displayed is “You are protected by Cisco Umbrella DNS!”
It may take Google up to eight hours to push the Chrome extension to all your Chromebooks. After the client is installed in a Chromebook, allow a few hours for Chromebook traffic to begin appearing in your Umbrella dashboard.
Note
Chromebooks must be connected and logged in.
Integrate Google Workspace Identities > Deploy the Chromebook Client > Verify and Debug
Updated 6 months ago