User's Manual
528 | Chromebook in Onboard Dell Networking W-ClearPass Guest 6.4 | User Guide
l Users, groups, and other details can be provisioned in Google Apps from an existing directory using the
Google Apps Directory Sync tool.
l W-ClearPass Onboard provides device provisioning and certificate enrollment services.
l The Chrome Extension provides support for Onboard device provisioning for Chromebook devices.
Caveats and Recommendations
This section describes requirements related to licenses, extensions, deployment, versions, certificates,
provisioning, and authentication sources.
Google Admin Chromebook License is Required
Chromebook management is only available in the Google Admin console (https://admin.google.com) if a
suitable license has been added for the domain under management.
Managed Chromebook Deployment is Required
Chromebook is a managed device, not a “BYOD” device. The support for Onboard is limited to device
provisioning and enrollment in an administrator-managed network. Non-managed Chromebook devices
cannot be enrolled using W-ClearPass Onboard.
Chrome Extension is Required
Chromebook does not natively support device enrollment with products such as W-ClearPass Onboard. For
this, a Chrome extension is required.
Additionally, because of the software security model used by Chromebook, “normal” Chrome extensions (for
example, those installed from the Chrome Web Store) do not have permissions to alter the certificate store on
the device. To do this requires an administratively configured extension, which is why Chromebook must be
managed for Onboard enrollment to work.
For details of how to configure the Google Admin console to automatically install this extension when a user
logs into Chromebook, refer to the Configure Chrome Extension section in "Google Admin Configuration for
Chromebook" on page 531 .
Chromebook Release 37 or Later is Required
The Onboard extension requires Chrome version 37 or later. As of the time of this writing (July 2014) this
version of Chrome is only available in the development channel.
To provision Chromebook devices with the development channel, create an organizational unit within your
organization. For that organizational unit, configure Device Settings and set the Release Channel to Move to
Development Channel. Then move one or more devices into this organizational unit to enable the
development channel.
When the stable release catches up with the development channel, no special configuration will be required to
enable Onboard for Chromebook.
For more information on the Chromebook stable, beta and development channels, refer to this article:
https://support.google.com/chromebook/answer/1086915
Chromebook Supports Only “Created by Device” Certificates
Chromebook includes a trusted platform module (TPM) for protection of cryptographic private keys, including
the private key for the TLS client certificate issued to the device by Onboard.