Integrate Okta with Chrome Enterprise
To secure your Chrome Enterprise environment, configure Chrome Device Trust and managed Chrome profiles.
By setting up the Chrome Device Trust connector, you can use device signals from ChromeOS or Chrome browser to create authentication policies that control access to protected resources.
To ensure a strong security posture, you can secure your browser environment by configuring managed Chrome profiles so users can sign in to the Chrome browser with their Okta credentials.
Secure access on ChromeOS and Chrome browser with Chrome Device Trust
Before you set up Chrome Device Trust, ensure that these conditions are met:
- Your Okta tenant is Okta Integration Network enabled.
- You use Google Chrome Enterprise:
- Chrome device management (ChromeOS)
- Cloud-managed Chrome browser (macOS or Windows)
- Managed Chrome profiles (all platforms)
- You configured an app integration for Google Workspace in your Okta org so that users sign in to Google Workspace with their Okta credentials. See Get started with app integrations.
- You configured Okta Single Sign-On (SSO) in the Google Admin console. See Set up SSO for your organization.
- To receive signals from ChromeOS, you configured device management enrollment in the Google Admin console.
- macOS devices have Secure Enclave.
- Chrome Device Trust doesn't support incognito mode.
Enable Chrome Device Trust in the Okta Admin Console
- In the Okta Admin Console, go to .
- Select the Endpoint security tab, and then click Add endpoint integration.
- Select Chrome Device Trust, and then choose the platforms you want to enable the integration for.
- Click Save.
- On the Chrome Device Trust integration page, the generated settings are displayed. Copy the values in the Login URL pattern and Service account fields on the integration page. These values are unique to your tenant, and are used to link your Okta and Google Workspace accounts.
Enable Chrome Device Trust in the Google Admin console
- Sign in to your Google Admin console.
- Go to New provider configuration. Scroll down to Okta in the provider list and click Set up.
- Enter a Configuration name, and then add the URL Pattern and Service account information from the integration that you created in the Okta Admin Console to the provider configuration. Click Add configuration.
- Apply the provider configuration to your Organizational unit. To ensure that the configuration is applied to the appropriate org unit, check that the managed browser configuration is mapped to the same org unit.
To avoid authorization and signal errors, ensure the ChromeOS device and user are in the same organizational unit as the Okta provider configuration. For more information, see Manage Chrome Enterprise Device Trust connectors.
Add a device assurance policy for ChromeOS
To configure a policy for ChromeOS, see Add a device assurance policy.
Add a device assurance policy for a managed Chrome browser on macOS or Windows
To configure a policy, see Add a device assurance policy. Define the conditions for macOS or Windows including the ones made available through the Chrome Device Trust integration.
When end users sign in to their ChromeOS devices, they perform SSO for all their Google Workspace apps directly from the sign-in page. This means that a device assurance policy for Google Workspace on ChromeOS is only evaluated during this initial sign-in attempt on the ChromeOS sign-in page. To avoid device lockout, Okta recommends that you assign a baseline device assurance policy for Google Workspace on ChromeOS. You can add security controls for apps that aren't part of Google Workspace.
Add device assurance to an authentication policy
To complete this task, see Add device assurance to an authentication policy.
System Logs
To ensure that Chrome Device Trust signals are collected, view the signals in the System Log. Expand the device option under the Device Integrator key. Look for the following events:
- user.session.start
- user.authentication.verify
- policy.evaluate_sign_on
- user.authentication.auth_via_mfa. This event appears only if your authentication policy requires multifactor authentication. See Device Assurance Policies API documentation.
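The check above can be automated against a System Log export: the added example below (not Okta's own code) groups records by session, confirms the listed event types are present, and flags sessions where no Chrome Device Trust signals arrived. The sample records are constructed, and the `deviceIntegrator` key under `debugContext.debugData` is an assumed location for the signals; adjust it to match what your tenant's log shows.

```python
import json
from collections import defaultdict

# Event types the System Log should show for a Chrome Device Trust sign-in.
REQUIRED_EVENTS = {
    "user.session.start",
    "user.authentication.verify",
    "policy.evaluate_sign_on",
}
# Present only when the authentication policy requires MFA.
MFA_EVENT = "user.authentication.auth_via_mfa"


def _event(event_type, session_id, user, signals=None):
    """Build a minimal System Log record (constructed test data, not a real export)."""
    debug_data = {"deviceIntegrator": signals} if signals else {}  # assumed key name
    return {
        "eventType": event_type,
        "actor": {"alternateId": user},
        "authenticationContext": {"externalSessionId": session_id},
        "debugContext": {"debugData": debug_data},
    }


SIGNALS = {"managedDevice": "true", "osVersion": "14.4"}  # constructed signal values
SAMPLE_LOG = json.dumps([
    _event("user.session.start", "s1", "alice@example.com", SIGNALS),
    _event("policy.evaluate_sign_on", "s1", "alice@example.com", SIGNALS),
    _event("user.authentication.verify", "s1", "alice@example.com", SIGNALS),
    _event("user.authentication.auth_via_mfa", "s1", "alice@example.com"),
    # Second session: signals never arrived and the verify/MFA events are absent.
    _event("user.session.start", "s2", "bob@example.com"),
    _event("policy.evaluate_sign_on", "s2", "bob@example.com"),
])


def audit_sessions(log_json, mfa_required=False):
    """Return {session_id: [problems]}; an empty list means the session looks complete."""
    by_session = defaultdict(list)
    for record in json.loads(log_json):
        by_session[record["authenticationContext"]["externalSessionId"]].append(record)
    report = {}
    for session_id, records in by_session.items():
        seen = {r["eventType"] for r in records}
        problems = [f"missing {t}" for t in sorted(REQUIRED_EVENTS - seen)]
        if mfa_required and MFA_EVENT not in seen:
            problems.append(f"missing {MFA_EVENT}")
        if not any(r["debugContext"]["debugData"].get("deviceIntegrator") for r in records):
            problems.append("no device integrator signals")
        report[session_id] = problems
    return report
```

Run `audit_sessions(SAMPLE_LOG, mfa_required=True)` to see a clean session (`s1`) beside one (`s2`) that would indicate the connector is not delivering signals for that org unit.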
Secure your Chrome browser
When users sign in to personal Google Chrome profiles on company-managed devices, your org is exposed to security risks:
- Credentials leakage: Credentials for corporate apps can be saved to the password manager of a personal Google account. If the personal account is compromised, the corporate credentials are exposed.
- Insecure extensions: Browser extensions that aren't approved by corporate IT could have vulnerabilities that can be exploited to access protected data.
- Policy breaches: Personal profiles bypass security policies and controls (such as content filtering, download restrictions) enforced on a managed browser.
To mitigate these risks, you can enforce separation between work and personal browser profiles with managed Chrome profiles. By configuring this feature, you create a company-controlled work profile within the Chrome browser on managed or unmanaged devices.
To configure this feature, see the Google documentation.