Smallstep can be deployed to ChromeOS devices using Google Workspace. With our ChromeOS extension, devices can get certificates from Smallstep using ACME Device Attestation. Using Chrome Verified Access APIs, Google will attest the serial number of a ChromeOS device to Smallstep.
To use Smallstep with ChromeOS devices:
You will need:
A Google Workspace tenant, with the ability to manage domain-wide delegation
A Google Cloud project, with the ability to create service accounts and keys
A ChromeOS device to enroll for management
A Google Workspace Organizational Unit (OU) for testing (optional)
If you intend to use an Organizational Unit (OU) for testing or segmentation purposes, ensure that both the user and the device are in the same OU. If a user who logs in to the device is not part of the OU, some policies may not be applied.
⚠️ There are a few steps of this tutorial where an OU can be selected. For configuration to apply to the right users and devices, take extra care wherever you see an OU selection view in Google Workspace Admin.
When you enroll a ChromeOS device, the device is placed in the OU that the enrolling user is in. The settings you've applied for that user's OU are applied to the device.
A Google user for testing on the device. You may wish to use a different account than you use for work.
First, follow the instructions in Connect Google Workspace to Smallstep to sync your device inventory from Google Workspace.
The Smallstep ChromeOS extension requires giving Smallstep additional permissions to access the Chrome Verified Access API.
Under Domain wide delegation, select Manage Domain Wide Delegation
Find the API Client identified by your service account Client ID
Add the following to OAuth Scopes:
https://www.googleapis.com/auth/verifiedaccess