Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo-protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.
Google's Verified Access is a hardware-backed method of device identity and status confirmation. When a user authenticates via the Duo Prompt using a Chromebook, Google Verified Access attests that the Chromebook is enrolled in enterprise device management and is thus compliant with all enterprise policies.
The new Google Verified Access for Chromebooks integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.
Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Google Verified Access management integration page to complete the G Suite configuration steps.
Log on to the G Suite Admin console as an administrator and navigate to Device Management → Chrome Management (under "Device Settings" on the left) → Device Settings.
In the "Enrollment & Access" section, locate the "Verified Access" setting and select Enable for Enterprise Extensions.
Change the "Verified Mode" setting to Require verified mode boot for Verified Access.
Copy the account string email@example.com from the Admin Panel and paste it into the "Service accounts which are allowed to receive device ID" box.
While still logged in to the G Suite Admin console as an administrator, navigate to Device Management → Chrome Management (under Device Settings) → User Settings.
In the "Apps and Extensions" section, locate the "Force-installed Apps and Extensions" setting and click Manage force-installed apps.
Search the Chrome Web Store for Google Verified Access by Duo. Select it, click Add, and then click Save.
Click Save again on the "User Settings" page.
While still logged in to the G Suite Admin console as an administrator, navigate to Device Management → Chrome Management (under Device Settings) → App Management.
Click on the Google Verified Access by Duo extension.
Navigate to User Settings.
Click on your G Suite domain name and enable the Allow access to challenge enterprise keys setting.
Return to your Google Verified Access for Chromebooks management integration page in the Duo Admin Panel.
Enter a comma-separated list of your G Suite domains under step 3, "Enter G Suite Domains", and click Save. Most organizations will only need to specify one G Suite domain.
After creating the Duo Mobile management integration, set the Trusted Endpoints policy to start checking for Chromebook enrollment as users authenticate to Duo-protected services and applications.
When your trusted endpoints policy is applied to your Duo applications, return to the Google Verified Access trusted endpoint management integration in the Admin Panel and enable it by clicking the Change link at the top of the page next to "Integration is disabled". You can choose to either activate this management integration for just members of a specified test group or groups, or activate for all users.
Authenticate to a protected application using an enrolled Chromebook.
When the trusted endpoints policy is set to just check access devices, users receive access to the application (assuming the Chromebook passes all other policy verification), and Duo records the trusted or untrusted status of that device.
If the trusted endpoints policy blocks access from unmanaged devices and Duo successfully verifies the Chromebook's management status and configuration against the required policy settings, then the user receives access to the protected application.
If the Chromebook fails the configuration and policy checks, then Duo denies application access.