Chrome Admin Exam
BeyondCorp Enterprise
A zero-trust solution that enables secure access with integrated threat and data protection. It extends DLP protections into the browser, helping to prevent malware from getting onto enterprise-managed devices.
What is the correct order of precedence for Chrome policies?
Device/machine/platform policies, machine-level cloud policy, OS-user policies, cloud-user policies (Chrome profile)
Chrome OS
Google's Linux-based operating system designed to work primarily with web apps.
Chrome
Google's browser
Stable Channel
Used by most users with Chrome OS devices. It is updated every 2-3 weeks for minor releases and 4 weeks for major releases.
Parallels Desktop
allows users to access and use the Microsoft Windows applications and files they need, including Microsoft Office, on their ChromeOS devices.
Security Assertion Markup Language (SAML)
allows users to sign in to a device with the same authentication mechanisms used in the rest of the organization, so they only need to sign in once.
Chrome Browser Cloud Management (CBCM)
allows you to manage Chrome browser, enforce Chrome policies, view reports on Chrome browser, and block suspicious extensions.
Chromium
an open-source browser project that aims to build a faster and more stable way for all internet users to experience the web. The majority of active browsers today use Chromium.
User certificates
bound to a managed user's session. Can be used for user-level authentication to websites, networks, and third-party apps.
Device Certificate
bound to managed devices. They're exposed in multiple places
Version pinning
can prevent devices from automatically updating beyond the version number specified.
Mass Enrollment
can use a USB Rubber Ducky to emulate the keystrokes used to enroll Chromebooks. Can also use third-party tools like Centipede, or hub devices. This is a good recovery solution.
Long-term support (LTS)
devices automatically update to the next long-term support version every 6 months.
Sandboxing
each webpage and application runs in a restricted environment called a "sandbox", so if one page is infected it can't affect other tabs or apps on the computer, or anything else on the machine.
Defense in Depth
employing multiple layers of protection, so if any layer is bypassed, others are still in effect.
Verified Access
ensures that a device connecting to a network is unmodified and policy compliant. Serves as an access point for network services (VPN gateway, CA, etc.) to get a hardware-backed cryptographic guarantee of the identity of the device and user trying to access them.
Verified Boot
every time the Chromebook starts up, it does a self-check. If it detects that the system is corrupted, it will typically repair itself.
Microsoft Network Device Enrollment Service (NDES)
is used to allow enrollment and issuance of certificates used to authenticate ChromeOS devices and users to Wi-Fi access points via 802.1X, to VPN gateways, and in other client certificate authentication scenarios.
Zero-touch enrollment (ZTE)
a pre-provisioning partner (device manufacturer, distributor, or reseller) sends instructions to Google to auto-enroll a ChromeOS device into a customer's domain after the device is turned on and connected to the internet.
Dev Channel
primarily for developers and not 100% stable. Gives a 9-12 week preview of what's coming to the stable channel.
Scattering
specifies the number of days over which users' devices download an automatic update. Should be the fewest days possible, like 2 or 3.
Long-term support candidate (LTSC)
a version of the stable channel that gets feature updates less frequently but still receives security fix updates every 3 months.
Cloud-user policies (Chrome profile)
apply when a user signs in to a cloud-managed user account on Chrome browser. Are set using the Admin console.
Google Cloud Certificate Connector (GCCC)
a Windows service that establishes a connection between SCEP and Google to securely distribute certificates and authentication. Allows ChromeOS devices to request certificates from SCEP servers via Google Cloud. Whenever a device or user that matches a configured SCEP profile signs in, a SCEP certificate enrollment request is generated, if needed, and published to an organization-specific queue where it is picked up and processed by GCCC.
One-app Kiosk
Not a device, but a mode. Allows a device to be used for a single dedicated purpose (airport check-in, hotel check-in/out).
Pre-provisioning token
a unique identifier generated in the Admin console and used for verification during device enrollment. Can be used for multiple devices and remains active until an admin revokes it.
Managed guest session
allows a device to be used for managed guest access (computer labs, library computers, and lobby computers).
Simple Certificate Enrollment Protocol (SCEP)
allows managed devices to automatically obtain user or device certificates and use them for authentication.
Digital signage devices
allows the device to be used for specific dedicated purposes (digital billboards, traffic signs, and airport departure/arrival boards).
Machine-level cloud policy
applies to all browsers enrolled in Chrome Browser Cloud Management. Is set using the Admin console.
Device/machine/platform policies
apply to all users of a device, no matter which browser they use or whether they're signed in to any account
OS-user policies
apply when a user signs in to their account on a managed device. Are set using Windows Group Policy or managed preferences on Mac.
Chrome Flags
are experiments that are unsupported and conflict with other policies. Chrome://flags
Canary
a future version of Chrome that is in development. Releases are made daily.
Extended stable
gets feature updates less frequently but still receives security fixes.
ChromeOS Flex
gives a device a second chance at productivity. Not a device, but a free version of Chrome. Allows old and new devices to be converted into ChromeOS devices.
Manual Enrollment
a keyboard command that is good for a low number of devices.
Beta Channel
only 5% of users should be on it. A 4-6 week preview of what's coming to the stable version of Chrome.
Trusted Platform Module (TPM)
present in every ChromeOS device to enable enterprise network services to cryptographically confirm the identity of the device and the status of its secure mode and enterprise policy using a Google server-side API.
What 3 things does zero-touch enrollment require?
1. A zero-touch enrollment capable device. 2. A pre-provisioning token from the Google Admin console and the customer ID. 3. A pre-provisioning partner who offers the zero-touch enrollment service.
How many options are there to enroll a Chrome device?
3
How many release channels are there, and what are they?
5: Stable, Extended stable, Beta, Dev, and Canary
What 4 components are involved in setting up ChromeOS certificate enrollment with SCEP?
ChromeOS devices, Google Admin console, Google Cloud Certificate Connector, SCEP server (e.g., Microsoft NDES)