
Enforce: Integration with Workspace for Education

Table of Contents

Prerequisites
Current Restrictions
Assumptions
Overview of Steps
Configure Google Workspace for Education
  Create a Project
  Create the JSON File
  Enable Domain-wide Delegation
  Enable APIs and Services
  Manage API Client Access
Enroll a Chromebook
Secure WLAN
  Configure a Role
  Configure the SSID
Validate
Conclusion
References

Enforce: Integration with Google Workspace for Education (Applicable to release 8.9.0 and higher)

Google Workspace for Education is a collection of tools such as Classroom, Drive, Calendar, Docs, Sheets, Slides, Sites, and Hangouts, allowing teachers to:

- Effectively collaborate with students in and out of the classroom
- Keep classes organized
- Improve communication with students

For more information, visit Google Workspace for Education.

Enforce is the Arista solution that integrates Google Workspace for Education and Wireless Manager. Enforce allows the school to restrict devices allowed on the network by assigning VLANs, firewall rules, bandwidth control, and redirection based on user roles. Enforce has been tested on Android, iOS, and Chromebook devices.

This document walks you through the steps to set up Enforce. It describes a simple use case of setting up Google Workspace for Education for devices, setting up a device, and creating the connector between Google Workspace for Education and Wireless Manager. Once Enforce is set up, the connection workflow of a user proceeds as follows:

1. A user connects to the wireless network using either the pre-shared key (PSK) or their 802.1x credentials. Neither of these wireless authentication mechanisms restricts which device (e.g., which client MAC address) is used to connect; if the credentials are correct, the user can connect.
2. Once the user is successfully authenticated on the SSID, the access point (AP) compares the client's MAC address to the MAC list that the AP has downloaded from, and keeps synced with, Google device management.
3. If the MAC address is on the list, the client is allowed on the network. If the MAC address is not on the list, the client is either disconnected immediately or redirected to a web site and restricted in what it can access, depending on the configured role.
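The post-authentication check described above, simulated in Python as an added example (this is not Arista's or Google's code). It assumes that the synced device list carries the Wi-Fi MAC of each managed device in the form the Admin SDK returns it (`macAddress`/`ethernetMacAddress` on Chrome OS device records, `wifiMacAddress` on mobile device records) and that the AP's failure action is either "disconnect" or "redirect". The device records are constructed sample data. Beyond what the text shows, the example normalizes MAC formats before comparing (a colon-separated AP log entry and a separator-less Google record are the same address) and flags locally administered MACs, which is what Android 10+ and iOS 14+ present by default when per-network MAC randomization is on; such a device is enrolled but still fails a hardware-MAC comparison.

```python
"""Enforce-style MAC allow-list decision (added example, not vendor code)."""
import re

ALLOW, REDIRECT, DISCONNECT = "allow", "redirect", "disconnect"

# Constructed sample: shapes modelled on Admin SDK chromeosdevices.list and
# mobiledevices.list records; values are made up.
SAMPLE_DEVICES = [
    {"deviceId": "dev-1", "serialNumber": "ABC123", "status": "ACTIVE",
     "macAddress": "6c29954a2f4b", "ethernetMacAddress": "6c29954a2f4c"},
    {"deviceId": "dev-2", "serialNumber": "DEF456", "status": "ACTIVE",
     "macAddress": "f0d5bf00aa11"},
    {"resourceId": "mob-1", "type": "ANDROID",
     "wifiMacAddress": "3c:22:fb:11:22:33"},
]


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits, no separators.

    Google records omit separators; AP logs use aa:bb:cc:dd:ee:ff or
    AA-BB-CC-DD-EE-FF. Comparing raw strings would deny enrolled devices.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet set => locally administered address.

    Randomized (private) Wi-Fi MACs always set this bit, so a hit here is the
    usual reason an enrolled phone or tablet fails the list check.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def build_allow_list(devices) -> set:
    """Collect every Wi-Fi/Ethernet MAC from the synced device records."""
    macs = set()
    for record in devices:
        for key in ("macAddress", "ethernetMacAddress", "wifiMacAddress"):
            if record.get(key):
                macs.add(normalize_mac(record[key]))
    return macs


def decide(client_mac: str, allow_list: set, on_failure: str = REDIRECT):
    """Return (action, reason) for a client that already passed PSK/802.1x."""
    if on_failure not in (REDIRECT, DISCONNECT):
        raise ValueError("failure action must be redirect or disconnect")
    mac = normalize_mac(client_mac)
    if mac in allow_list:
        return ALLOW, "MAC present in synced Google device list"
    if is_locally_administered(mac):
        return on_failure, ("randomized MAC; the device may be enrolled but is "
                            "not presenting its hardware address on this SSID")
    return on_failure, "MAC not in synced Google device list"


if __name__ == "__main__":
    allowed = build_allow_list(SAMPLE_DEVICES)
    for client in ("6C:29:95:4A:2F:4B", "0a:11:22:33:44:55", "00-11-22-33-44-55"):
        print(client, "->", decide(client, allowed))
```

The third branch is the caveat a practitioner hits first in the field: the role configured for failed clients (redirect to the registration site) is the right place to tell users to disable private Wi-Fi addresses for the school SSID before re-associating.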

Prerequisites

The following rights and licenses are needed to set up Enforce successfully:

- Google Workspace for Education is set up and configured properly. This includes:
  - The school domain has been validated
  - Users and groups have been created
  - The proper licenses for Google device management have been acquired
- Access to Google Workspace for Education with administrator rights
- Access to Wireless Manager with administrator rights
- WiFi has been configured with two SSIDs: one for onboarding and one for normal use.

Current Restrictions

1. Role assignment does not work with SSID profiles in NAT mode.
2. Radio Resource Management (RRM) features are currently not supported with Enforce.
3. Google Organizational Units (OUs) are currently not supported.

Assumptions

For simplicity, the following assumptions have been made:

- Management of school-owned devices only, no BYOD
- Google Workspace for Education is used for Enterprise Mobility Management (EMM)
- Google Workspace for Education has been set up, validated, and configured for the school
- Only Chromebooks are being set up
- Devices have not yet been set up in Google's device management.

Overview of Steps

Prerequisites:

- Google Workspace for Education is set up, the domain verified, and the administrator has logged in.
- Licenses have been purchased for Google device management.
- Two SSIDs (onboarding and regular use) have been set up.

Broadly, the steps to set up Enforce are as follows:

1. Configure Google Workspace for Education

   Important: The steps in this section are documented based on the Google implementation at the time this document was created. The steps may change if the Google process workflow changes. Arista will support such changes on a best-effort basis. We recommend that you contact Google directly for full support.

2. Enroll a Chromebook
3. Create Roles in WM

Each step is explained in detail in the following sections.

Configure Google Workspace for Education

The Google Workspace for Education configuration consists of five parts. The first four parts are configured in the Google developer's console, and the last one in the Google admin console.

In the Google developer's console:

1. Create a project
2. Create a JSON file
3. Enable domain-wide delegation
4. Enable APIs and Services

In the Google admin console:

5. Manage the API client access

The following sections describe each of these steps in detail.

Create a Project

1. Log in to the Google developer's console: https://console.developers.google.com/apis.
2. Click the projects icon as shown in the following figure. Click "New Project" and create a new project.

Create the JSON File

1. Select the project you created in the previous step.
2. Go to API > Credentials > Create Credentials > Service Account.
3. In the "Service account details" section, enter the service account name and description, and click "Create".
4. In the "Service account permissions (optional)" section, click "Continue" without selecting a role.
5. Leave the "Grant users access to this service account (optional)" portion empty, and in the "Create key (optional)" section, click "Create Key".
6. Select "JSON" under "Key type" and click "Create". The key is saved on your computer. This file contains the service account's private key; anyone who holds it can act as the service account, so store it as you would any credential.
7. Click "Done" on the "Create Service Account" page.

Enable Domain-wide Delegation

1. On the left-hand navigation menu, select "APIs & Services" and "Credentials".
2. In the Service Accounts section of the Credentials page, select the email for which you want to enable domain-wide delegation, and then click the "pencil" edit icon as shown in the following figure.
3. In the Service account details page, select "Enable Google Workspace Domain-wide Delegation" and save the settings.

Enable APIs and Services

1. On the left-hand navigation menu, select APIs & Services > Dashboard, and then select the "ENABLE APIs AND SERVICES" tab.
2. In the Search bar above the tab, search for "Admin SDK" and select the "Admin SDK" result as shown in the following figure.
3. Click Enable on the Admin SDK screen.

Manage API Client Access

1. Log in to the Google admin console: https://admin.google.com/
2. From the main menu, go to Security > Settings > Advanced Settings > Manage API Client Access.
3. In the Client Name field, add the client ID from the JSON file saved on your computer (from the Create the JSON File section).
4. In the "One or More API Scopes" field, add the following URLs (comma-separated) and click "Authorize":

   https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
   https://www.googleapis.com/auth/admin.directory.device.mobile,
   https://www.googleapis.com/auth/admin.directory.device.mobile.action,
   https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,
   https://www.googleapis.com/auth/admin.directory.user,
   https://www.googleapis.com/auth/admin.directory.user.readonly,
   https://www.googleapis.com/auth/admin.directory.user.security,
   https://www.googleapis.com/auth/admin.directory.device.chromeos
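A set of checks for the key file and scope grant from the Create the JSON File, Enable Domain-wide Delegation and Manage API Client Access steps, as an added Python example (not Arista's or Google's code). The key file content is a constructed sample using the field names a Google service-account JSON key actually contains (`type`, `client_email`, `client_id`, `private_key`, `token_uri`); its `private_key` is a placeholder string, not a real key. The scope list is the one given above. The example extracts the client ID that goes into the "Client Name" field, compares the scopes pasted into the console against the required list, separates read-only from write-capable scopes so the grant can be reviewed, and builds the claim set of the JWT that domain-wide delegation uses, which makes visible why the key file is sensitive: the service account asserts the identity of a Workspace administrator (`sub`). Signing that claim set with the key's RS256 private key is left to a library such as google-auth and is not performed here.

```python
"""Service-account key and API-scope checks (added example, not vendor code)."""
import json

# Scopes listed in the Manage API Client Access step.
REQUIRED_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly",
    "https://www.googleapis.com/auth/admin.directory.device.mobile",
    "https://www.googleapis.com/auth/admin.directory.device.mobile.action",
    "https://www.googleapis.com/auth/admin.directory.device.mobile.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/admin.directory.device.chromeos",
]

# Constructed sample key file: real field names, made-up values, placeholder key.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "enforce-example",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "enforce-sync@enforce-example.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
})

REQUIRED_KEY_FIELDS = ("type", "client_email", "client_id", "private_key", "token_uri")


def load_key(text: str) -> dict:
    """Parse the downloaded JSON key and reject anything that is not a service-account key."""
    info = json.loads(text)
    missing = [f for f in REQUIRED_KEY_FIELDS if f not in info]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if info["type"] != "service_account":
        raise ValueError(f"expected a service_account key, got {info['type']!r}")
    return info


def client_name_for_console(info: dict) -> str:
    """The 'Client Name' field takes the numeric client_id, not the client_email."""
    return info["client_id"]


def parse_console_scopes(field_text: str) -> list:
    """Split the comma-separated 'One or More API Scopes' field as pasted."""
    return [s.strip() for s in field_text.split(",") if s.strip()]


def missing_scopes(authorized, required=REQUIRED_SCOPES) -> list:
    """Required scopes that the admin-console grant does not cover."""
    return sorted(set(required) - set(authorized))


def split_scopes(scopes):
    """Partition scopes by name into read-only and write-capable for review."""
    readonly = sorted(s for s in scopes if s.endswith(".readonly"))
    write = sorted(s for s in scopes if not s.endswith(".readonly"))
    return readonly, write


def delegation_claims(info: dict, admin_email: str, scopes, now: int, lifetime: int = 3600) -> dict:
    """Claim set of the OAuth 2.0 service-account JWT with domain-wide delegation.

    iss is the service account; sub is the Workspace admin being impersonated;
    aud is the token endpoint from the key file. Whoever holds private_key can
    mint this for any user in the domain, which is why the file must be protected.
    """
    if lifetime > 3600:
        raise ValueError("Google rejects assertions valid for more than one hour")
    return {
        "iss": info["client_email"],
        "sub": admin_email,
        "scope": " ".join(scopes),
        "aud": info["token_uri"],
        "iat": now,
        "exp": now + lifetime,
    }


if __name__ == "__main__":
    key = load_key(SAMPLE_KEY_JSON)
    print("Client Name:", client_name_for_console(key))
    ro, rw = split_scopes(REQUIRED_SCOPES)
    print(f"{len(ro)} read-only scopes, {len(rw)} write-capable scopes")
    print("missing:", missing_scopes(parse_console_scopes(", ".join(ro))))
```

The write-capable half of the list (`device.mobile`, `device.mobile.action`, `user`, `user.security`, `device.chromeos`) is what lets the connector modify devices and users, not merely read MAC lists; grant exactly the scopes the vendor documents and nothing broader, and review the grant whenever the key is rotated.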

Enroll a Chromebook Important: The steps in this section are documented based on the Google Chromebook implementation at the time this document was created. The steps may change if the Google process workflow changes. Arista will support such changes on a best-effort basis. We recommend that you contact Google directly for full support.

1. Boot your un-provisioned Chromebook that has not previously been logged into. If it has already been logged into, it must be wiped and then booted.
2. Connect it to your network by selecting your wireless SSID and providing the security credentials.
3. When presented with the sign-on screen, DO NOT log in.
4. Press Ctrl-Alt-E to get the Enterprise Enrollment screen.
5. Provide your Google Workspace for Education login credentials.
6. You will be presented with confirmation of a successful enrollment.
7. Log in to the Google Workspace for Education console and go to Device Management to confirm the device enrollment.
8. Click on Manage Chrome devices to see the device.

Note: By default, devices are enrolled into the top-level organization for your domain. You can change where a device is enrolled with the Device Enrollment user policy (e.g. Change Org Unit by moving the device to Sub Org. locations).

Secure WLAN

The next step is to secure the network from unauthorized devices by setting up a role and a rule to isolate devices that fail validation against Google device management.

Configure a Role

1. On the CVW UI, go to Configuration > WiFi > Role Profile and click Add Role Profile.
2. Configure the Role Profile:
   - Provide a name for the role that is easily identifiable as a Google device authentication failure. This name will be used later when setting up the SSID.
   - Enter the VLAN ID or VLAN Name of a VLAN isolated from your secure network.
   - Enable Redirection to a registration web site.
   - Provide the URL to which the client should be taken.
   - Add the URL to the Websites That Can Be Accessed Before Login.
   - Add any other URLs to which you want to grant access.

3. Save the role profile.

Configure the SSID

1. On the CVW UI, go to Configure > WiFi > SSID and click Add SSID to create an SSID to be used with Google device authentication.
2. Configure the Basic, Security, and Network tabs per your requirements, such as 802.1x.
3. Go to the Access Control tab and enable Client Authentication.
4. Select Google Integration.
5. Under If Client Authentication Fails, select Stay Connected.
6. In the Select Role dropdown, select the role defined in the previous section.

Validate

The setup is complete. Validate the configuration by connecting a Chromebook that is not registered with Google device management. After connecting to the WiFi, it should be redirected to the website configured in the redirection section of the role (in this example, myschoolname.org). Then connect an enrolled Chromebook and confirm that it reaches the normal network without redirection.

Conclusion

Normal wireless LAN security methods can allow unauthorized devices access to your network. Pre-Shared Key (PSK) security is often used because it is easy to deploy and use. It is also easy for users to share the key with unauthorized users or to add unauthorized devices to the network.

802.1x is more secure because each user has their own security credentials instead of one key shared among all users. But 802.1x has the same problem—the credentials can be given to others for unauthorized access and they can be used by multiple devices.

Enforce in conjunction with Google device management provides device authentication for your wireless network. When Enforce is enabled, only authorized devices are allowed access.

References

- Android for Education
- Wipe Chromebook Data

© Arista Networks