For details, see Using smart cards and hardware tokens with Secure Shell.

Step 1: Force Install the Smart Card Connector app

You need to automatically install the Smart Card Connector app for users in your organizational unit. Using the Smart Card Connector app you can provide Chromebooks with PCSC support. This PCSC API can then be used by other applications, such as smart card middleware and Citrix, to allow your users to use their smart cards inside, for example, a Citrix-provided Microsoft Windows session, with browser integration and virtual session redirection.

Note: The Smart Card Connector app tries to automatically detect and work with smart card readers, but not all smart card readers are supported. Google only supports smart card readers which are supported by libccid. Readers in the "supported" and "should work" categories are expected to work reliably.

For details, see a list of supported smart card readers here.

Step 2: Force Install a smart card middleware app

Next you need to install the middleware app. For information about how to force-install specific apps, see Automatically install apps and extensions.

There are two main middleware apps available:

Note: You can test whether a card is supported by starting the Chrome App and clicking Test now.

Note: CACkey only supports CAC cards, PKCS #11 cards, and YubiKeys in PIV mode.

Middleware apps can communicate with smart cards and provide client certificates to authenticate users to HTTPS websites. Google has partnered with DriveLock to provide support on Chrome OS for a wide range of cards and profiles, including CAC (Common Access Card) and PIV (Personal Identity Verification Card) cards.

You can find the DriveLock middleware provider on the Chrome Web Store. The connector app provides a public API that other middleware apps can also use. To deploy a different middleware, contact support.

Step 3: Push all necessary root and intermediate certificates

Depending on the sites users try to access, you might need to install trust roots and intermediaries on their devices. Identify those certificates and push them to users’ profiles.

For details, see Set up an HTTPS Certificate Authority.

Important: Installing a root certificate on a device is a sensitive operation. Make sure you only install root certificates you obtained and verified from sources you trust.

Step 4: Configure the Smart Card Connector app to auto-allow communication

Apps like Citrix and DriveLock need to contact the Smart Card Connector app to communicate with users’ cards and readers. As cards and readers contain sensitive user information, the connector app shows users a permission dialog before granting access to any app. You can auto-grant permissions in the Admin console. For example, to allowlist the DriveLock app, add the following configuration to the connector app:

For information on installing custom policies for apps and extensions, see Policy for extensions.

Important: Adding these apps to an allowlist potentially provides third parties access to users' personal information such as certificates on a smart card. Make sure you have the appropriate notification and consent flows with users for collecting and sharing their personal information.

Step 5 (Optional): Configure Chrome OS to auto-select certificates for URLs

You can configure Chrome OS to automatically select certain certificates for certain URLs. In the default case, users are presented with a list of certificates that match a certain website. You can set the AutoSelectCertificateForUrls policy to remove that step by pre-matching users’ certificates to certain URL patterns. For more information and example values, see Set Chrome policies for users or browsers.
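
The following is an added example, not part of the original help page or Google's code: a Python review script that checks AutoSelectCertificateForUrls values before they are pushed and flags entries whose URL pattern or certificate filter is broader than intended. It assumes the policy's documented form, a list of JSON strings with `pattern` and `filter` keys; the host names and CA names are constructed placeholders.

```python
import json

# Constructed sample policy value (a list of JSON strings); hosts and CA names
# are placeholders, not values from the page.
SAMPLE_POLICY = [
    '{"pattern": "https://portal.example.com", "filter": {"ISSUER": {"CN": "Example Issuing CA"}}}',
    '{"pattern": "https://[*.]example.com", "filter": {}}',
    '{"pattern": "*", "filter": {"ISSUER": {"CN": "Example Issuing CA"}}}',
    '{"pattern": "https://vpn.example.com", "filter": {"ISSUER": {"EMAIL": "ca@example.com"}}}',
    'not json',
]

FILTER_SECTIONS = {"ISSUER", "SUBJECT"}  # sections the filter may contain
DN_FIELDS = {"CN", "L", "O", "OU"}       # name fields matched inside a section


def audit_entry(raw):
    """Return review findings for one policy entry; an empty list means none."""
    try:
        entry = json.loads(raw)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    if not isinstance(entry, dict):
        return ["not a JSON object"]
    findings = []
    pattern = entry.get("pattern")
    if not isinstance(pattern, str) or not pattern:
        findings.append("missing pattern")
    elif pattern == "*":
        findings.append("pattern matches every site")
    elif "[*.]" in pattern:
        findings.append("pattern covers every subdomain")
    flt = entry.get("filter")
    if not isinstance(flt, dict):
        findings.append("missing filter")
    elif not flt:
        findings.append("empty filter: any certificate can be auto-selected")
    for section, fields in (flt.items() if isinstance(flt, dict) else []):
        if section not in FILTER_SECTIONS or not isinstance(fields, dict):
            findings.append(f"unexpected filter section {section}")
        elif not fields or set(fields) - DN_FIELDS:
            findings.append(f"{section} has no or unknown name fields")
    return findings


def audit_policy(entries):
    """Map entry index to findings, listing only entries that need review."""
    results = {i: audit_entry(raw) for i, raw in enumerate(entries)}
    return {i: found for i, found in results.items() if found}
```

Calling `audit_policy(SAMPLE_POLICY)` returns findings for every sample entry except the first, which pins one HTTPS host to one issuing CA.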