The VMware Workspace ONE UEM Extension for Chrome OS is an extension created to handle certificate management on Chrome OS devices. This extension provides direct communication with the UEM console and supports certificates for Wi-Fi, VPN, web authentication and more.

Chrome OS Extension Deployment

The deployment of the Chrome OS extension is silent for the end user, and no prompts are displayed on the user's device. The extension is deployed automatically to known user accounts (AD sync or users added manually to the UEM console) once a user logs in. The extension directly contacts the Workspace ONE UEM console to notify it of the new device enrollment. Once the UEM console syncs that device record with Google, the device and user policies will be assigned and pushed.

Things to consider:

  • The extension only functions on managed Chrome OS devices. If the device is detected as unmanaged, then the extension will not run.

  • The extension is hosted on the Chrome Web Store as an unlisted application, which means users will not be able to search for and download it. It can only be installed via a direct download link, which the UEM console provides in the user policy.

Certificate Types

The Workspace ONE UEM Extension offers flexible options for any use case.

  • User Certificates

    • For use by only a single user.

    • Not shared with other user accounts.

  • Device Certificates

    • Shared across all device users.

    • Includes login users, guest users, kiosk, and managed guest sessions.

Supported Certificate Authorities

  • Microsoft ADCS

  • Generic SCEP

Certificate Management Through the Chrome OS Extension

A Network profile is configured under User or Device policy. The Network payload contains Wi-Fi information, while the Credentials payload contains certificate information. Network settings will be sent through Google cloud, while certificate details will be queued up for the extension. To get started with the Network profile, see How to Configure Profiles with Chrome OS.

The extension is notified of a new certificate policy through Firebase Cloud Messaging (FCM). The extension will retrieve certificate request instructions from the UEM console. The extension will create the CSR (certificate request) and send it to the UEM console. The UEM console then forwards the request to the certificate authority, which returns a certificate. The certificate is forwarded back down to the extension which will install the certificate onto the device.
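The CSR step in this flow can be sketched as follows. This is an added example, not VMware's code: it uses Node's built-in crypto in place of whatever key store the extension actually uses, and shows a key pair generated locally, a PKCS#10 request signed with it, and the proof-of-possession check a receiver can run before forwarding the request to the certificate authority. The EC P-256 key type, the CN-only subject, and the names `buildCsr` and `verifyCsr` are assumptions.

```javascript
// Added example (not VMware's code): local key + PKCS#10 CSR, and the
// proof-of-possession check a receiver can run before forwarding to the CA.
const nodeCrypto = require('node:crypto');

// Encode one DER TLV with a definite length (bodies up to 65535 bytes).
function der(tag, ...parts) {
  const body = Buffer.concat(parts);
  const n = body.length;
  const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
}

// Read the TLV header at `off`; returns offsets into `buf`.
function tlv(buf, off) {
  let len = buf[off + 1], hdr = 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[off + 2 + i];
    hdr += n;
  }
  return { tag: buf[off], start: off, body: off + hdr, end: off + hdr + len };
}

// AlgorithmIdentifier for ecdsa-with-SHA256 (1.2.840.10045.4.3.2).
const ECDSA_SHA256 = der(0x30, der(0x06, Buffer.from('2a8648ce3d040302', 'hex')));

// Device side (assumed EC P-256): only the CSR leaves; the key is never exported.
function buildCsr(commonName) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const cn = der(0x30, der(0x06, Buffer.from('550403', 'hex')),
                 der(0x0c, Buffer.from(commonName, 'utf8')));
  const info = der(0x30, der(0x02, Buffer.from([0])),   // version 0
                   der(0x30, der(0x31, cn)),            // subject: CN only
                   publicKey.export({ type: 'spki', format: 'der' }),
                   der(0xa0));                          // no attributes
  const sig = nodeCrypto.sign('sha256', info, privateKey);
  return { privateKey, csr: der(0x30, info, ECDSA_SHA256, der(0x03, Buffer.from([0]), sig)) };
}

// Receiver side: true only if the CSR is signed by the key it carries.
function verifyCsr(csr) {
  try {
    const outer = tlv(csr, 0), info = tlv(csr, outer.body);
    const alg = tlv(csr, info.end), sig = tlv(csr, alg.end);
    if (outer.end !== csr.length || !csr.subarray(alg.start, alg.end).equals(ECDSA_SHA256)) return false;
    const subject = tlv(csr, tlv(csr, info.body).end), spki = tlv(csr, subject.end);
    const key = nodeCrypto.createPublicKey(
      { key: csr.subarray(spki.start, spki.end), format: 'der', type: 'spki' });
    return nodeCrypto.verify('sha256', csr.subarray(info.start, info.end), key,
                             csr.subarray(sig.body + 1, sig.end));
  } catch { return false; }
}
```

A request whose subject or public key was altered after signing fails `verifyCsr`, so the check confirms that the requester holds the private key for the public key being certified.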

Networks using certificate-based authentication will be configured automatically. Certificates being used for other forms of authentication may need to be selected by the user during the authentication process.

Certificate details are viewable in the console under Devices > Certificates.

Certificates configured via User Policy are user-based and only accessible to that user. Certificates configured through Device Policy will be installed at the device level, accessible by any user or guest user/kiosk.

Device Actions

Some device actions in the UEM console affect the extension. Consider the following:

  • When 'Clear User Data on Logout' is enabled, the extension and any user certificates are deleted on logout.

  • If you clear registration from the Chrome OS EMM Registration, the UEM Extension is removed from your devices.

Certificate Renewal and Revocation

Certificates for the Chrome OS Extension follow the renewal and revocation settings in the Certificate Authority configuration. When a certificate expires, it will be revoked by the Certificate Authority. The UEM console notifies the extension, and a new certificate is generated.

When a device is enterprise wiped or the registration is cleared, any assigned certificates are revoked.

Admins can also manually revoke and renew certificates from the UEM console.