The VMware Workspace ONE UEM Extension for Chrome OS is an extension created to handle certificate management on Chrome OS devices. This extension provides direct communication with the UEM console and supports certificates for Wi-Fi, VPN, web authentication and more.

Chrome OS Extension Deployment

The deployment of the Chrome OS extension is silent for the end user and no prompts are displayed on the user's device. The extension deploys automatically to known user accounts (AD sync or users added manually to the UEM console) once a user logs in. The extension contacts the Workspace ONE UEM console directly to notify it of the new device enrollment. The device and user policies are assigned and pushed once the UEM console syncs the device record with Google.

Things to consider:

  • The extension only functions on managed Chrome OS devices. If the device is unmanaged, then the extension does not run.

  • The extension is hosted on the Chrome Web Store as an unlisted application, which means users are unable to search for and download it. It can only be installed through a direct download link, which the UEM console provides in the user policy.

Certificate Types

The Workspace ONE UEM Extension offers flexible options for any use case.

  • User Certificates

    • For use by only a single user.

    • Not shared with other user accounts.

  • Device Certificates

    • Shared across all device users.

    • Includes login users, guest users, kiosk, and managed guest sessions.

Supported Certificate Authorities

  • Microsoft ADCS

  • Generic SCEP

Certificate Management Through the Chrome OS Extension

A Network profile is configured under User or Device policy. The Network payload contains Wi-Fi information, while the Credentials payload contains certificate information. Network settings are sent through Google cloud, while certificate details are queued for the extension.

The extension is notified of a new certificate policy through Firebase Cloud Messaging (FCM). The extension then retrieves certificate request instructions from the UEM console, creates the CSR (certificate signing request), and sends it to the UEM console. The UEM console forwards the request to the certificate authority, which returns a certificate. The certificate is forwarded back down to the extension, which installs it onto the device.
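The CSR step of this flow, as an added Node.js example (not code from VMware or the extension): a key pair is generated locally, a PKCS#10 request is built and signed, and the receiving side checks the request's signature against the public key it carries. The key type (ECDSA P-256), the subject name and all function names are assumptions; the page does not state them or which checks the UEM console performs.

```javascript
const crypto = require('node:crypto');

// Encode one DER TLV (lengths up to 65535 bytes).
function der(tag, ...parts) {
  const body = Buffer.concat(parts), n = body.length;
  const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
}

// Header size and end offset of the TLV that starts at `off`.
function readTlv(buf, off) {
  let len = buf[off + 1], hdr = 2;
  if (len & 0x80) { hdr += len & 0x7f; len = buf.readUIntBE(off + 2, len & 0x7f); }
  return { hdr, end: off + hdr + len };
}

// Raw child TLVs of a constructed DER value.
function children(buf) {
  const out = [], outer = readTlv(buf, 0);
  for (let p = outer.hdr; p < outer.end;) {
    const end = readTlv(buf, p).end;
    out.push(buf.subarray(p, end));
    p = end;
  }
  return out;
}

// Device side (assumed): only `csr` is sent; privateKey is returned here just for inspection.
function createCsr(commonName) {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const cn = der(0x30, Buffer.from('0603550403', 'hex'), der(0x0c, Buffer.from(commonName)));
  const info = der(0x30,
    Buffer.from('020100', 'hex'),                       // version 0
    der(0x30, der(0x31, cn)),                           // subject: CN=<commonName>
    publicKey.export({ type: 'spki', format: 'der' }),  // public key only
    Buffer.from('a000', 'hex'));                        // empty attributes
  const alg = der(0x30, Buffer.from('06082a8648ce3d040302', 'hex')); // ecdsa-with-SHA256
  const sig = crypto.sign('sha256', info, privateKey);  // DER-encoded ECDSA signature
  return { csr: der(0x30, info, alg, der(0x03, Buffer.from([0]), sig)), privateKey };
}

// Receiving side (assumed): verify the CSR signature with the public key inside the CSR.
function csrSignatureValid(csr) {
  const [info, , sigBits] = children(csr);
  const spki = children(info)[2];
  const sig = sigBits.subarray(readTlv(sigBits, 0).hdr + 1); // skip unused-bits byte
  const pub = crypto.createPublicKey({ key: spki, format: 'der', type: 'spki' });
  return crypto.verify('sha256', info, pub, sig);
}
```

A request altered in transit fails `csrSignatureValid`, and the private key never appears in the bytes that leave the device.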

Any network using certificate-based authentication is configured automatically. Certificates used for other forms of authentication may need to be selected by the user during the authentication process.

Certificate details are viewable in the console under Devices > Certificates.

Certificates configured through User Policy are user-based and only accessible to that user. Certificates configured through Device Policy are installed at the device level and are accessible by any user, guest user, or kiosk session.

Device Actions

Some device actions in the UEM console affect the extension. Consider the following:

  • When 'Clear User Data on Logout' is enabled, the extension and any user certificates are deleted on logout.

  • If you clear registration from the Chrome OS EMM Registration, the UEM Extension is removed from your devices.

Certificate Renewal and Revocation

Certificates for the Chrome OS Extension follow the renewal and revocation settings in the Certificate Authority configuration. When a certificate expires, it will be revoked by the Certificate Authority. The UEM console notifies the extension, and a new certificate is generated.

When a device is enterprise wiped or the registration is cleared, any assigned certificates are revoked.

Admins can also manually revoke and renew certificates from the UEM console.