Has anyone here configured any VPN settings successfully from the Google Admin console for Chromebooks? We are working towards sending our devices home with students and need to ensure the web traffic they are getting is filtered. So far this is what we have set up.
We have a Palo Alto firewall and have configured an always-on VPN by following their documentation.
Example 1
Example 2
The result after getting it set up is that the device has the agent installed, and once a student logs in for the first time and enters their credentials into the agent, it will reestablish the connection each time the student logs back in. The drawbacks are the following:
- Since it is not passing through the credentials, we would have to be sure the students are logging in before the device leaves campus.
- There is a small window of time (45s to 1 min) at boot, when the device is building the tunnel back, during which there is unrestricted internet access.
- The agent is not enforced until the student logs in for the first time. (So if the student takes the device home and a brother or sister logs into it and has not been set up to use the VPN agent, they will get unfiltered web access. The always-on VPN does not work until a user has authenticated to it.)
We have tried getting SAML / SSO working, but this has proven to be difficult with not so so results. So what I am looking for is a way from the Google Admin console to block traffic from happening until a VPN connection is established. I am starting to look at configuring the VPN on the Google Admin console instead of installing the local agent. Have you guys and gals had success with this? Are any of you filtering your Chromebooks offsite with a VPN?
Any constructive input is appreciated!
To stop the brother / sister thing, why not simply restrict the domain that the users can use to log in?
I do this to stop our staff from using one of our work Chromebooks with their personal account.
Before you go bananas putting every student device on VPN, can your endpoint handle that sort of traffic? If your organization (like most others) wasn’t prepared for devices to leave campus on the content filtering front, I’d almost guarantee your VPN endpoint isn’t sized for it either.
We currently use the GoGuardian Chrome extension to filter offsite.
I would be curious what experience people have with VPNs and Chromebooks.
We have IBoss on site and just went to web based after we sent home the devices for Covid.
Like GoGuardian, it is just an extension you push out; sure is simple on that end anyways.
Thanks for the comment. We do restrict the domain that they can log onto, but we have some sites with multiple students at a single site. So one household will have multiple kids with accounts under our tenant.
Yes, our tunnel can handle the traffic. Bottlenecking is not the issue here. Consistency is.
Thanks for the reply. I have brought this up before about having a mobile agent running at all times but have not got much traction, since our devices pre-Covid never had to leave the school site. This may be the way we have to go eventually, but I definitely want to see what is available with the Chrome Admin VPN.
How do you like GoGuardian? Currently using Umbrella, but recently had a demo of GoGuardian and liked the interface better than Umbrella.
Thank you for your input. I agree this is the easiest way. Basically what it comes down to right now is I have to use what I got which is the Palo Alto firewall.
Dude, I totally hear you on this, but I have to work with what my admins are giving me. I understand the simplicity of an agent / extension running on the devices to handle the filtering and have pitched this, but it did not make it too far. We need to try and make the firewall that we have work.
We are already restricting logons to our domains to ensure that we are able to consistently target user policies.
For sure! That’s why I’ll be looking here to see what other people do.
Not sure why this district had GoGuardian other than the fact it also does “theft recovery”.
In fact I believe our internet is filtered THREE different ways. I think that’s a little extreme but guess it works for them.
- Filtered by our provider, filtered by us, then filtered by GoGuardian.
Kinda makes it a headache when someone needs things whitelisted.