ibossConnect™
For Chromebook
Installation Guide
Installation Guide for ibossConnect™ For Chromebook v1.2.12 – 5/2/2017
Note: Please refer to the User Manual online for the latest updates at www.iboss.com.
Copyright © by iboss, Inc. All rights reserved. No part of this publication may be reproduced,
transmitted, transcribed, stored in a retrieval system, or translated into any language or
computer language, in chemical, manual or otherwise, without the prior written permission of
iboss, Inc.
iboss Cybersecurity makes no representations or warranties, either expressed or implied, with
respect to the contents hereof and specifically disclaims any warranties, merchantability or
fitness for any particular purpose. Any software described in this manual is sold or licensed "as
is". Should the programs prove defective following their purchase, the buyer (and not this
company, its distributor, or its dealer) assumes the entire cost of all necessary servicing, repair,
and any incidental or consequential damages resulting from any defects. Further, this company
reserves the right to revise this publication and make changes from time to time in the contents
hereof without obligation to notify any person of such revision of changes.
All brand and product names mentioned in this manual are trademarks and/or registered
trademarks of their respective holders.
www.iboss.com
Overview
ibossConnect for Chromebook makes it easier for administrators of managed Chromebooks
to filter and identify their devices both on- and off-premises. This Chromebook
extension allows off-premises filtering without the use of proxy scripts, by
automatically inspecting individual web requests via standard Chrome extension APIs.
When Chromebooks are on-premises, the extension will send iboss SSO login messages to
the local iboss filter, automatically logging the current user into the correct
security group and identifying the user's IP address for logging. These features can
be used separately or together to provide security and convenience in both on- and
off-premises use cases. Through the use of the new Chromebook extension, previous
solutions such as “Google SSO” can be discontinued. This document describes these new
features and their setup in detail.
Security Group Mapping
To correctly filter end-user’s URL requests and provide accurate SSO login messages
the Chromebook extension needs to know what security group to use for the current
end-user; this is accomplished by using a specific “Security Key” setting which then is
mapped to a security group directly in the iboss filter. The “Security Key” as well as
other required settings are sent to each Chromebook extension by the use of the
Google Admin console and its managed settings capabilities for Chromebook
extensions. Inside the Google Admin console, each organizational unit has the ability to
define a particular group of settings; the settings can be inherited from the parent
organizational unit or overridden allowing for easy configuration between organizational
units and iboss security groups.
See the example on next page for more details:
In this example, any users placed in the Google organizational unit “All Devices” will be
filtered as if they are a part of the iboss security group #1 - “Default Group”. Accordingly,
the Google organizational unit “Grades K -8” has inherited the same Security Key as the
organizational unit “Students” and will be filtered as if they are a part of the iboss
security group #3 - “Young Students”.
Note: It is important to note that the placement of the USER and not the DEVICE in the
Google Admin console is what determines which Security Key gets sent to the iboss
Chromebook extension for logged-in users. In the case of the Chromebook guest mode
feature, it is the placement of the DEVICE and NOT the USER which determines the
Security Key.
Google Admin – User Organizational Units
• All Devices: Security Key: 1
• Teachers: Security Key: 2 (Overridden)
• Students: Security Key: 3 (Overridden)
• Grades K - 8: Security Key: 3 (Inherited)
• Grades 9 - 12: Security Key: 4 (Overridden)
iboss filter Security Groups
• Group #1 “Default Group”: Security Key: 1
• Group #2 “Teachers Group”: Security Key: 2
• Group #3 “Young Students”: Security Key: 3
• Group #4 “Older Students”: Security Key: 4
Prerequisites
ibossConnect for Chromebook requires an iboss SWG filter with a minimum firmware
version of 8.1.1.5. Certain ports must also be accessible to Chromebook devices, as
listed below:
• For the Web Security Filtering option
o Port 8025 (HTTP access) should be accessible from IP address ranges that are off-network
o Port 8026 (HTTPS/SSL access) should be accessible from IP address ranges that are off-network
• For the SSO Login Request option
o Port 8015 (HTTP access) should be accessible from IP address ranges that are on-network
o Port 8016 (HTTPS/SSL access) should be accessible from IP address ranges that are on-network
• Create a local zone for “myiboss.net” on your internal DNS servers
o “myiboss.net” should resolve to the internal IP address of your iboss SWG
Setup
The main steps required to set up ibossConnect for Chromebook are to use the Google
Admin console to force-install the extension on applicable devices, set up the iboss
filter appropriately, and lastly push out the appropriate settings for the Chromebook
extension via each organizational unit (orgUnit).
Google Admin Console Setup
1. Find the top level of the orgUnit hierarchy. This can either be the top unit in the
whole hierarchy, or the topmost unit where all the Chromebooks will be placed in
itself or its descendants (in the screenshots below, this orgUnit will be
“iboss.com”).
2. Enter into the “User Settings” for this orgUnit; via the homepage this can be
achieved by clicking on “Device Management” -> “Chrome Management” ->
“User Settings” -> then clicking on the orgUnit of choice
a. Under the “Apps and Extensions” sub heading, and in the “Force-installed
Apps and Extensions” settings click the “Manage force-installed apps” link
b. In the resulting pop-up, click the “Chrome Web Store” and put in the
search term “ibossConnect”, then click the “Add” link to force-install it to all
users of this orgUnit.
c. Under the “Security” sub heading, and in the “Incognito Mode” setting,
make sure the value is set to “Disallow incognito mode”
Note: It is important to disallow “Incognito Mode” as the iboss Chromebook extension will not work in an incognito browsing tab and filtering could be lost!
d. Under the “User Experience” sub heading, and in the “Developer Tools”
setting, make sure the value is set to “Never allow use of built-in developer
tools”
Note: This is a security measure to restrict the end users from seeing network traffic related to the iboss Chromebook extension, only enable the Developer Tools if absolutely necessary!
e. Under the “User Experience” sub heading, and in the “DNS Pre-fetching”
setting, make sure the value is set to “Never pre-fetch DNS”
Note: This setting disables DNS Prefetching, which is a Chromebook feature which can try to pre-fetch certain pages that it believes the end-user will try to request. Disabling it will reduce the number of superfluous calls to the iboss filter
f. Click the Save button in the lower right to apply the changes to the current
orgUnit
Note: Currently the ibossConnect for Chromebook extension is not compatible
with “Public Session” or “Guest Mode” sessions. This is a restriction imposed
by the Chrome browser itself.
3. If Chromebook guest mode is not a desired capability, then guest mode should
be disabled. It can be disabled by reaching the “Device Settings” Section by
clicking on “Device Management” -> “Chrome Management” -> “Device Settings”
-> then clicking on the topmost orgUnit of choice
a. Under the “Sign-in Settings” sub heading, and in the “Guest Mode” setting,
make sure the value is set to “Do not allow guest mode”
b. Click the Save button in the lower right to apply the changes to the current
orgUnit
iboss SWG Filter Setup
The iboss filter requires several steps to properly enable the Web Security and SSO
login capabilities. Each of these two capabilities is independent of each other and can
be setup individually.
1. Web Security Filtering Setup
To enable the Web Security filtering capability of the ibossConnect for Chromebook
extension, start by logging into the filter and then finding the “Agents General Settings”
section by clicking the “Data Redirectors” -> “Agents” -> “General” links
In this section, for each security group that should be made available to the Chromebook extension, complete the following steps:
a. Select the correct security group via the Group selector dropdown box
b. Turn the switch labelled “Enable Security Agent Filtering” to the yes position
c. If you have not previously changed the Security Key for the group, change it
to a randomized value for more security (the default iboss Security Key starts
with the value 29XA3PD)
d. If you would like the final security group that the user will be assigned to be
retrieved from your LDAP directory, make sure the setting “Extract Group
From LDAP” has the proper LDAP Entry Name chosen, otherwise leave this
setting at “None”.
Note: If the “Extract Group From LDAP” is left at “None” then all users assigned to this security group via its Security Key will always remain in the same group
e. Click the green Save button in the upper left and continue steps 1a-2d for
each security group that will be utilized
2. SSO Login Message Setup
To enable the SSO Login Message feature, find the “iboss NetID SSO” section in the
iboss SWG Filter by clicking the “User Single Sign-On” -> “iboss NetID SSO” links
In this section, for each security group that should be available to receive SSO Login messages, complete the following steps:
a. Select the correct security group via the Group selector dropdown box
b. Turn the switch labelled “Enable ibossNetID Agent” to the yes position
c. If you have not previously changed the Group Security Key for the group,
change it to a randomized value for more security
d. Click the green Save button in the upper left and continue steps 2a-2b for
each security group that will be utilized
Chromebook Extension Setup File
As previously mentioned, the mechanism used to tie a security group to an end-user is
via a settings file which populates the Chromebook extension’s Security Key. There
needs to be one settings file per security group (to be able to specify a unique Security
Key per file), and each setting file is distributed at the organizational group level via the
Google Admin console. The next step in the setup process is to create these setup files.
1. For each security group that needs to be assigned to an organizational unit
duplicate the following steps
a. Create a file called Settings_X.json, where X is the number/name of the
security group on the iboss filter.
b. The initial contents of the file should be the following block of text:
{
  "WebSecurityKey" : { "Value" : "_" },
  "WebSecurityHost" : { "Value" : "_" },
  "WebSecurityCustomBlockPageURL" : { "Value" : "_" },
  "BlockOnUnsuccessfulConnection" : { "Value" : true },
  "FilterPerformance" : { "Value" : "HIGH" },
  "SSOSecurityKey" : { "Value" : "_" },
  "SSOHost" : { "Value" : "_" },
  "HTTPPort" : { "Value" : "8025" },
  "HTTPSPort" : { "Value" : "8026" },
  "SSOBackupHost" : { "Value" : "_" },
  "SSOLoginIntervalMinutes" : { "Value" : 2 },
  "AllowOffPremUsage" : { "Value" : true },
  "FilterWhenOffPrem" : { "Value" : true },
  "SendCompleteEmail" : { "Value" : false },
  "UseSSL" : { "Value" : false }
}
c. Change only the part of the block of text above that is highlighted in
yellow, following the instructions below for each line starting with the
specified keyword:
Note: Parameters that are intentionally left empty must use an
underscore (“_”) as its value.
i. Web Security Filtering Setup Parameters
1. “WebSecurityKey” – This should be changed to the Security
Key of the security group that should be assigned to this
setting file for Web Security Filtering operations. This is the
same Security Key as specified in the section “iboss SWG
Filter Setup” Step 1c
2. “WebSecurityHost” – This should be changed to the
hostname of the iboss SWG filter that will be available for
off-premise Web Security Filtering
3. “WebSecurityCustomBlockPageURL” – This optional value
allows a custom block page to be used in place of the
extension’s internal block page. To use a custom block
page, the complete URL to the block page should be
specified, in a manner similar to the following:
http://my.customBlockPageServer.com/block/restricted.html
4. “HTTPPort” – This allows for the configuration of a
different port for sending the iboss HTTP URLs off-
premise. The default value for this setting is 8025.
5. “HTTPSPort” – This allows for the configuration of a
different port for sending the URLs encrypted which is set
via the “UseSSL” parameter. The default value for this
setting is 8026.
6. “BlockOnUnsuccessfulConnection” – This value should
contain the word “true” or “false”. When the value is set to
true, the Chromebook extension will BLOCK all traffic
when access to the WebSecurityHost is not available from
the Chromebook’s current location for filtering requests. If
set to false, the Chromebook extension will ALLOW all
traffic until a connection to the WebSecurityHost is
available once again
Note: This setting will only be valid if a correct WebSecurityKey and
WebSecurityHost are specified
ii. SSO Login Setup Parameters
1. “SSOSecurityKey” – This should be changed to the Security
Key of the security group that should be assigned to this
setting file for SSO Login request. This is the same Security
Key as specified in the section “iboss SWG Filter Setup”
Step 2c
2. “SSOHost” – This should be changed to the hostname of the
iboss SWG filter that will be available for receiving SSO login
messages
3. “SSOBackupHost” – This parameter is optional and should
be changed to the hostname of the backup iboss SWG filter
that will be available for receiving SSO login messages in
case the primary iboss SWG filter is not available
4. “SSOLoginIntervalMinutes” – This value should be a positive
integer between 1 and 60. Its value defines how often the
Chromebook extension will send SSO login message (in
minutes); the default value of 5 minutes is applicable in most
cases
iii. General Setup Parameters
1. “AllowOffPremUsage” – This value should contain the word
“true” or “false”. When the value is set to false, the
Chromebook extension will automatically block all traffic
when the device is off-premise. If the value is set to true,
then normal filtering rules will apply (according to the setting
‘FilterWhenOffPrem’). This can be useful for cases when the
Chromebooks are not allowed to be taken off-premise
2. “FilterWhenOffPrem” – This value should contain the word
“true” or “false”. When the value is set to true, the
Chromebook extension will filter traffic when the device is
off-premise. If the value is set to false, all traffic will
automatically be allowed. This can be useful for cases when
on-premise SSO identification of the chromebook is required
but no actions should be taken when off-premise
3. “FilterPerformance” – This value should contain the word
“HIGH”, “MEDIUM”, or “LOW”. The FilterPerformance setting
controls what type of web requests the Chrome browser will
send to the SWG for inspection when the device is
off-premise. The three different values each build upon each
other. The value “HIGH” will only send to the SWG for
inspection actual HTML anchor links that have been
retrieved from the address bar and from inside the fetched
web page (the links found inside the web page usually
include ad and analytics tracking links). The value
“MEDIUM” will send all requests that the “HIGH” setting
sends in addition to all requests for image, video, and other
media/plugin urls. The value “LOW” will send all requests
that the “MEDIUM” setting sends in addition to sending the
urls for all JavaScript files requested by the webpage and all
AJAX type requests. It is recommended that all customers
start with the “HIGH” setting and only increase this if desired
filtering cannot be achieved.
Note: Each lower FilterPerformance setting will adversely affect
page load time, it is highly recommended to test the setting with a
limited number of devices in a test organizational unit before
applying the setting generally. Also, all Google Image Search
requests will be sent regardless of the FilterPerformance setting
4. “SendCompleteEmail” – This value should contain the word
“true” or “false”. When the value is set to true, the
Chromebook extension will send the complete email address
of the current logged-in user. If the value is set to false, the
Chromebook extension will only send the username part of
the logged-in user’s email address.
Note: This setting comes into play when the “Extract Group From LDAP” setting is enabled
5. “UseSSL” – This setting controls whether the iboss will
connect to the WebSecurityHost/SSOHost via SSL/HTTPS
or standard HTTP
NOTE: If possible, it is advisable to have both the WebSecurityHost &
SSOHost be the same address and ensure that this address can be accessed
both during On and Off premise Chromebook operations
2. After all the Chromebook extension settings files have been created, they must
be applied to the Google Admin console's organizational units as needed. A good
strategy to follow is to configure the topmost organizational unit with the most
restrictive settings file (which contains the Security Key pointing to the most
restrictive iboss security group). Then override these settings as required in each
lower level in the hierarchy
a. Log into the Google Admin Console and navigate to the ibossConnect for
Chromebook app management page. To arrive there, from the home
page, click “Device Management”->“Chrome Management”->“App
Management”, finally clicking on the entry for the ibossConnect for
Chromebook
b. Click on the section “User Settings”, and then click on an organizational
unit which needs to have its settings file configured.
c. At this point the “Force Installation” switch for the organization should be
showing as turned on.
d. Click the button labelled “Upload Configuration File” and choose the
appropriate settings file as created in Step 1 of this section (if needed click
the “override” link below the “Configure” label to enable the configuration
upload button)
Note: After the file has been uploaded and verified, the “View” link can be clicked to view the current contents that the particular orgUnit has configured
e. Click the Save button to save the settings for the orgUnit
f. Repeat steps b – e of this section until all required orgUnits which need to
override the base settings file just uploaded have been configured
correctly
Note: Currently the ibossConnect for Chromebook extension is not compatible
with “Public Session” or “Guest Mode” sessions. This is a restriction imposed
by the Chrome browser itself.
ibossConnect for Chromebook Usage
After the extension has been installed the ibossConnect for Chromebook extension
operates in three distinct modes: Error, On-Premise, and Off-Premise modes
• Error Mode
o This mode is activated when the Settings configuration file has either not been received from the Google Admin Console or is incomplete
o This mode can be recognized by a red ibossConnect icon in the browser address bar as shown in the example below
o In this mode all web traffic will be blocked until the correct Settings configuration file has been received
• On-Premise Mode
o This mode is activated when the ibossConnect for Chromebook extension detects that it is in-line with an iboss SWG filter. The on-premise detection logic works in the following manner:
▪ The Chromebook will attempt an HTTP GET on the URL http://myiboss.net
▪ If http://myiboss.net is redirected to and returns the login page of an iboss SWG, then the Chromebook determines it is on-premise
▪ If http://myiboss.net returns the public iboss website, then the Chromebook determines it is off-premise
▪ If the URL http://myiboss.net cannot be resolved or the operation times out, then the Chromebook will attempt an SSO Login using the default SSOHost
▪ If the SSO Login via the default SSOHost returns correctly, then the Chromebook determines it is on-premise
▪ If the SSO Login via the default SSOHost does not return correctly, and the SSOBackupHost exists, then the Chromebook will attempt an SSO Login via the SSOBackupHost
▪ If the SSOBackupHost returns correctly, then the Chromebook determines it is on-premise
▪ If all the above methods fail, then the Chromebook will default to off-premise mode
o On-premise mode can be recognized by a green ibossConnect icon with a
small house in the lower right corner of the icon, in the browser address bar as shown in the example below
o In this mode, the extension will send SSO Login requests to the iboss SWG filter, allowing it to correctly correlate the IP address of the Chromebook to the correct security group
• Off-Premise Mode
o This mode is activated when the ibossConnect for Chromebook extension detects that it is not currently in-line with an iboss SWG filter
o This mode can be recognized by two variations of the ibossConnect icon. The first variation is when the icon is colored grey, and signifies that the end-user is not operating with an override login in place, while the same icon colored in green signifies that an override login request session is active
o In this mode, the extension will send all web requests to the iboss SWG filter as defined in the Security configuration file
o By clicking on the grey ibossConnect icon, the end-user will be able to start an override login request session, wherein the user will be able to change his security group
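The mode detection order and the off-premise settings described above can be checked offline with the following added example, which is not code from iboss or from the extension. The probe result names (`swg-login`, `public-site`, `unresolved`, `timeout`), the action labels, and the precedence between `AllowOffPremUsage`, `FilterWhenOffPrem` and `BlockOnUnsuccessfulConnection` are assumptions made for the illustration; the settings objects are constructed.

```javascript
// Added example, not iboss code: the documented detection order as pure functions.
// probe.myiboss is what the HTTP GET of http://myiboss.net produced:
//   "swg-login" | "public-site" | "unresolved" | "timeout"   (names are assumptions)
// probe.ssoPrimary / probe.ssoBackup: true when that SSO Login returned correctly.
function detectMode(probe, settings) {
  if (probe.myiboss === "swg-login") return "on-premise";
  if (probe.myiboss === "public-site") return "off-premise";
  // Name did not resolve or the request timed out: fall back to SSO Login.
  if (probe.ssoPrimary) return "on-premise";
  const hasBackup = settings.SSOBackupHost.Value !== "_";
  if (hasBackup && probe.ssoBackup) return "on-premise";
  return "off-premise"; // every method failed
}

// What happens to web traffic once the device is judged off-premise.
// Assumption: AllowOffPremUsage is checked first, then FilterWhenOffPrem, and
// BlockOnUnsuccessfulConnection only matters when filtering was going to happen.
function offPremAction(settings, webSecurityHostReachable) {
  if (!settings.AllowOffPremUsage.Value) return "block-all";
  if (!settings.FilterWhenOffPrem.Value) return "allow-all";
  if (webSecurityHostReachable) return "filter";
  return settings.BlockOnUnsuccessfulConnection.Value ? "block-all" : "allow-all";
}

function evaluate(probe, settings, reachable) {
  return detectMode(probe, settings) === "on-premise"
    ? "on-premise/sso-login"
    : "off-premise/" + offPremAction(settings, reachable);
}

// Constructed settings: only the parameters these functions read.
const base = {
  SSOBackupHost: { Value: "_" },
  AllowOffPremUsage: { Value: true },
  FilterWhenOffPrem: { Value: true },
  BlockOnUnsuccessfulConnection: { Value: true },
};
const withBackup = { ...base, SSOBackupHost: { Value: "swg2.example.org" } };
const failOpen = { ...base, BlockOnUnsuccessfulConnection: { Value: false } };
const noOffPrem = { ...base, AllowOffPremUsage: { Value: false } };

// Constructed scenarios: [label, probe, settings, WebSecurityHost reachable]
const scenarios = [
  ["login page returned", { myiboss: "swg-login" }, base, true],
  ["public site returned", { myiboss: "public-site" }, base, true],
  ["unresolved, primary SSO ok", { myiboss: "unresolved", ssoPrimary: true }, base, true],
  ["timeout, backup SSO ok", { myiboss: "timeout", ssoBackup: true }, withBackup, true],
  ["timeout, no backup configured", { myiboss: "timeout", ssoBackup: true }, base, true],
  ["all fail, host unreachable", { myiboss: "timeout" }, base, false],
  ["all fail, unreachable, fail open", { myiboss: "timeout" }, failOpen, false],
  ["off-prem use not allowed", { myiboss: "public-site" }, noOffPrem, true],
];

function runScenarios() {
  return scenarios.map(([label, probe, s, reachable]) => evaluate(probe, s, reachable));
}

scenarios.forEach(([label], i) => console.log(label + " -> " + runScenarios()[i]));
```

The last three scenarios show the difference between a settings file that blocks when the WebSecurityHost cannot be reached and one that allows traffic until it can.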
Testing ibossConnect for Chromebook
After the previous setup steps have been completed, the overall system should be
tested to ensure that the current setup works correctly.
1. For testing, a managed chromebook along with a domain user that is assigned to
one of the previously configured orgUnits should be prepared
2. After logging into the Chromebook for the first time, the ibossConnect for
Chromebook extension should automatically be installed after a short delay.
Verify that the ibossConnect for Chromebook extension has been installed by
opening the Chrome browser, then going to the
Settings menu -> More tools -> Extensions, and finding it in the list of installed extensions.
3. The extension in the list should have the “Enabled” checkbox checked and also
greyed-out indicating it can’t be disabled as pictured below
4. SSO Login testing
a. Make sure the Chromebook is connected to a wireless network that is On-
premise and in-line with the iboss filter
b. After logging into the Chromebook, the ibossConnect for Chromebook
extension should send a SSO Login message to the iboss filter
c. Verify that the IP Address associated with the Chromebook has the same
login as the current Chromebook user and that the correct group has been
assigned to the Chromebook (this can be checked via the Groups menu
item of the iboss filter)
5. Web Security Filtering testing
a. Make sure the Chromebook is connected to a wireless network that is Off-
premise and NOT in-line with the iboss filter
b. After logging into the Chromebook, the ibossConnect for Chromebook
extension will automatically start to filter all http/https URL requests made
by the Chromebook.
c. Test that the Chromebook has been placed into the proper group by
visiting a page that should be blocked by the assumed security group
d. The block page will display the current security group assigned to the
Chromebook
e. With the same block page active, test that the URL Exception Request
works correctly (if the current security group allows URL Exception
Requests, otherwise the section will not be visible)
f. With the same block page active, test the Override User functionality by
logging in as an override user into a less restrictive security group. This is
accomplished by clicking the ibossConnect for Chromebook extension
icon (Note: this icon is only responsive when the Chromebook is Off-
premise) and entering the correct login information. After a successful
Override User login, navigate to the same blocked webpage, and verify
that it is no longer blocked
Common troubleshooting
• The ibossConnect for Chromebook icon is displaying in red and all web browsing activity is blocked
o This happens when the ibossConnect extension hasn’t received its Settings Configuration file or an incomplete settings configuration file has been received
o To view the current state of the Settings data received, go to the address “chrome://policy” in the Chromebook’s browser and scroll to the bottom of the page; any valid entries of the Settings configuration file that have been received will be shown
o A common reason the Settings configuration data has not been sent is that its format is incorrect. Double check that all the commas and quotation marks are correct and in line with the example given in this manual
▪ The settings file should be in standard JSON format; it can be validated online via a website similar to http://jsonlint.com
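A local check of a Settings_X.json file against the parameter rules given in the “Chromebook Extension Setup File” section, as an added example that is not code from iboss. It assumes value types follow the guide's template (JSON booleans, ports written as strings) and that the default-key prefix check applies to both Security Key parameters; the hostnames and keys in the sample are constructed placeholders.

```javascript
// Added example, not iboss code: lint a Settings_X.json before uploading it.
// Assumption: types follow the guide's template (JSON booleans, ports as strings).
const BOOLS = ["BlockOnUnsuccessfulConnection", "AllowOffPremUsage",
  "FilterWhenOffPrem", "SendCompleteEmail", "UseSSL"];
const STRINGS = ["WebSecurityKey", "WebSecurityHost", "WebSecurityCustomBlockPageURL",
  "SSOSecurityKey", "SSOHost", "SSOBackupHost", "HTTPPort", "HTTPSPort"];
const KNOWN = BOOLS.concat(STRINGS, ["FilterPerformance", "SSOLoginIntervalMinutes"]);
const DEFAULT_KEY_PREFIX = "29XA3PD"; // default Security Key prefix named in the guide

function lintSettings(text) {
  let cfg;
  try {
    cfg = JSON.parse(text);
  } catch (e) {
    return ["ERROR file: not valid JSON (" + e.message + ")"];
  }
  if (cfg === null || typeof cfg !== "object" || Array.isArray(cfg))
    return ["ERROR file: top level must be a JSON object"];
  const out = [];
  const vals = {};
  for (const key of KNOWN) { // every parameter must look like { "Value" : ... }
    const entry = cfg[key];
    if (entry === null || typeof entry !== "object" || !("Value" in entry))
      out.push("ERROR " + key + ': missing or not of the form { "Value" : ... }');
    else vals[key] = entry.Value;
  }
  for (const key of BOOLS)
    if (key in vals && typeof vals[key] !== "boolean")
      out.push("ERROR " + key + ": must be the JSON literal true or false");
  for (const key of STRINGS)
    if (key in vals && (typeof vals[key] !== "string" || vals[key].trim() === ""))
      out.push("ERROR " + key + ': must be a non-empty string ("_" when left empty)');
  if ("FilterPerformance" in vals &&
      !["HIGH", "MEDIUM", "LOW"].includes(vals.FilterPerformance))
    out.push('ERROR FilterPerformance: must be "HIGH", "MEDIUM" or "LOW"');
  const mins = vals.SSOLoginIntervalMinutes;
  if ("SSOLoginIntervalMinutes" in vals &&
      !(Number.isInteger(mins) && mins >= 1 && mins <= 60))
    out.push("ERROR SSOLoginIntervalMinutes: must be an integer between 1 and 60");
  for (const key of ["HTTPPort", "HTTPSPort"]) {
    const v = vals[key];
    if (typeof v === "string" && v.trim() !== "" && v !== "_" &&
        !(/^\d{1,5}$/.test(v) && Number(v) >= 1 && Number(v) <= 65535))
      out.push("ERROR " + key + ": must be a port number between 1 and 65535");
  }
  for (const key of ["WebSecurityKey", "SSOSecurityKey"])
    if (typeof vals[key] === "string" && vals[key].startsWith(DEFAULT_KEY_PREFIX))
      out.push("WARN " + key + ": starts with the default key prefix; use a randomized key");
  const page = vals.WebSecurityCustomBlockPageURL;
  if (typeof page === "string" && page.trim() !== "" && page !== "_") {
    try { new URL(page); } catch (e) {
      out.push("ERROR WebSecurityCustomBlockPageURL: must be a complete URL");
    }
  }
  if (vals.UseSSL === false)
    out.push("WARN UseSSL: false, so WebSecurityHost/SSOHost are contacted over standard HTTP");
  for (const key of Object.keys(cfg))
    if (!KNOWN.includes(key))
      out.push("WARN " + key + ": not a parameter described in the guide");
  return out;
}

// Constructed sample with deliberate mistakes; hostnames and keys are placeholders.
const SAMPLE = JSON.stringify({
  WebSecurityKey: { Value: "29XA3PD-constructed" },
  WebSecurityHost: { Value: "swg.example.org" },
  WebSecurityCustomBlockPageURL: { Value: "_" },
  BlockOnUnsuccessfulConnection: { Value: true },
  FilterPerformance: { Value: "HIGH" },
  SSOSecurityKey: { Value: "constructed-random-key" },
  SSOHost: { Value: "swg.example.org" },
  HTTPPort: { Value: "8025" }, HTTPSPort: { Value: "8026" },
  SSOBackupHost: { Value: "" },
  SSOLoginIntervalMinutes: { Value: 90 },
  AllowOffPremUsage: { Value: true }, FilterWhenOffPrem: { Value: "true" },
  SendCompleteEmail: { Value: false }, UseSSL: { Value: true }
});
console.log(lintSettings(SAMPLE).join("\n"));
```

A misspelled parameter name is reported twice, once as a missing parameter and once as a name the guide does not describe, which makes the typo easy to spot.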