Before you begin
- Users need to sign in with an account in the domain that the device is enrolled in. For example, if the device is enrolled in the school.edu domain, the user needs to sign in with an account that uses the domain, such as user@school.edu.
- If you have a secondary Google Workspace domain that is managed under a primary domain and the user account is in the secondary domain, you need to enroll the device in the secondary domain. The device’s enrollment domain and the signed-in user’s domain must match for the pushed certificate to work.
Verify TLS (or SSL) inspection is working
- Sign in to a ChromeOS device with a user account in the domain where the certificate was applied.
- Go to a site where TLS inspection is applied by your web filter.
- Verify the building icon is in the address bar. Click it to see details about permissions and the connection.
- (Optional) To see details about the certificate, click Certificate information.
TLS inspection isn't working
If TLS inspection isn't working, check if any certificates were manually installed on the device. Manually installed certificates might conflict with certificates that are deployed from your Admin console. Contact your web filter provider for advice on an alternative setup.
Verify hostname allowlist is working
1) Boot up and sign in to your Chromebook or log in as guest.
2) Use the keyboard shortcut Ctrl + Alt + T to open the Crosh terminal in your browser.
3) Type:
network_diag --hosts
or, if you use an HTTP proxy:
network_diag --hosts --proxy http://192.168.1.1:8888
where http://192.168.1.1:8888 is the address and port of your HTTP proxy.
4) The command attempts a TLS connection to each of the hosts in the allowlist and reports PASS / FAIL. If not all hosts pass, check your firewall / proxy to confirm the failing host is on the allowlist.
Sample command and output:
crosh> network_diag --hosts
checking accounts.google.com... PASS
checking accounts.gstatic.com... PASS
checking accounts.youtube.com... PASS
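When the check is run both directly and through the proxy, or on several devices, the pasted crosh output can be triaged with a short script. The following is an added example, not part of the original page or of ChromeOS: it parses the line format shown in the sample output above, assumes a FAIL line has the same shape as a PASS line, and uses a constructed transcript.

```python
import re

# Line formats follow the sample output on this page. The FAIL line is an
# assumption: the page shows only passing hosts.
CMD_RE = re.compile(r"^(?:crosh>\s*)?network_diag\s+--hosts(?:\s+--proxy\s+(\S+))?\s*$")
RESULT_RE = re.compile(r"^checking\s+(\S+?)\.\.\.\s*(PASS|FAIL)\s*$")

# Constructed transcript: one direct run and one run through the proxy.
SAMPLE = """\
crosh> network_diag --hosts
checking accounts.google.com... PASS
checking accounts.gstatic.com... FAIL
checking accounts.youtube.com... PASS
crosh> network_diag --hosts --proxy http://192.168.1.1:8888
checking accounts.google.com... PASS
checking accounts.gstatic.com... FAIL
checking accounts.youtube.com... FAIL
"""

def parse_runs(transcript):
    """Split a pasted transcript into runs: [(proxy_or_None, {host: passed})]."""
    runs = []
    for raw in transcript.splitlines():
        line = raw.strip()
        cmd = CMD_RE.match(line)
        if cmd:
            runs.append((cmd.group(1), {}))
            continue
        res = RESULT_RE.match(line)
        if res:
            if not runs:  # output pasted without its command line
                runs.append((None, {}))
            runs[-1][1][res.group(1)] = res.group(2) == "PASS"
    return runs

def triage(transcript):
    """Return (failing hosts per run, hosts whose result differs between runs)."""
    runs = parse_runs(transcript)
    failing = [(proxy or "direct", sorted(h for h, ok in res.items() if not ok))
               for proxy, res in runs]
    hosts = {h for _, res in runs for h in res}
    differs = sorted(h for h in hosts
                     if len({res[h] for _, res in runs if h in res}) > 1)
    return failing, differs

if __name__ == "__main__":
    failing, differs = triage(SAMPLE)
    for label, hosts in failing:
        print(f"{label}: {len(hosts)} failing {hosts}")
    print("result differs between runs:", differs)
```

A host that fails in every run is missing from the allowlist on each path tested; a host listed under "result differs between runs" fails on only one path, which is where to look first.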