
Trusted Endpoints - Google Verified Access for Chromebooks

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.

Google's Verified Access is a hardware-backed method of device identity and status confirmation. When a user authenticates via the Duo Prompt using a Chromebook, Google Verified Access attests that the Chromebook is enrolled in enterprise device management and is thus compliant with all enterprise policies.

Prerequisites

Create the Google Verified Access for Chromebooks Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints Configuration.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Select Management Tools Integration" page, locate Google Verified Access for Chromebooks in the listed integrations and click the Select this integration link to the right.

The new Google Verified Access for Chromebooks integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Google Verified Access management integration page to complete the G Suite configuration steps.

Configure Duo Verified Access in G Suite

Turn on Verified Access

  1. Log on to the G Suite Admin console as an administrator and navigate to Device Management → Chrome Management (under "Device Settings" on the left) → Device Settings.

  2. In the "Enrollment & Access" section, locate the "Verified Access" setting and select Enable for Enterprise Extensions.

  3. Change the "Verified Mode" setting to Require verified mode boot for Verified Access.

  4. Copy the account string duo-verified-access@duo-verified-access.iam.gserviceaccount.com from the Admin Panel and paste it in the "Service accounts which are allowed to receive device ID" box.

  5. Click Save.

Deploy the Duo Verified Access Extension

  1. While still logged in to the G Suite Admin console as an administrator, navigate to Device Management → Chrome Management (under Device Settings) → User Settings.

  2. In the "Apps and Extensions" section, locate the "Force-installed Apps and Extensions" setting and click Manage force-installed apps.

  3. Search the Chrome Web Store for Google Verified Access by Duo. Select it, click Add, and then click Save.

  4. Click Save again on the "User Settings" page.

Allow Access to Challenge Enterprise Keys

  1. While still logged in to the G Suite Admin console as an administrator, navigate to Device Management → Chrome Management (under Device Settings) → App Management.

  2. Click on the Google Verified Access by Duo extension.

  3. Navigate to User Settings.

  4. Click on your G Suite domain name and enable the Allow access to challenge enterprise keys setting.

Add Google Domains to Duo

  1. Return to your Google Verified Access for Chromebooks management integration page in the Duo Admin Panel.

  2. Enter a comma-separated list of your G Suite domains under step 3, "Enter G Suite Domains", and click Save. Most organizations will only need to specify one G Suite domain.

Finish Trusted Endpoints Deployment

After creating the Duo Mobile management integration, set the Trusted Endpoints policy to start checking for Chromebook enrollment as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the Google Verified Access trusted endpoint management integration in the Admin Panel and enable it by clicking the Change link at the top of the page next to "Integration is disabled". You can choose to either activate this management integration for just members of a specified test group or groups, or activate for all users.

Enable Trusted Endpoints Management Integration

The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed and enrolled in Duo Mobile.

Verify Your Setup

Authenticate to a protected application using an enrolled Chromebook.

When the trusted endpoints policy is set to just check access devices, users receive access to the application (assuming the Chromebook passes all other policy verification), and Duo records the trusted or untrusted status of that device.

If the trusted endpoints policy blocks access from unmanaged devices and Duo successfully verifies the Chromebook's management status and configuration against the required policy settings, then the user receives access to the protected application.

If the Chromebook fails the configuration and policy checks, then Duo denies application access.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.
