Versions Compared

Version Old Version 6 New Version Current
Changes made by

Gary Leicht

Gary Leicht

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This guide provides the steps to deploy the Infoblox Chromebook Client with DNS-over-HTTPS (DoH) for your organization’s Chromebook devices. After completing this process, devices will register in the Infoblox Portal (http://csp.infoblox.com) and DNS activities will be visible for registered devices.

To Deploy the Infoblox Chromebook Client with DOH to your organization’s Chromebook devices, complete the following process. 

Prerequisites

Ensure the following prerequisites are met before starting the deployment:

  • You must have a Google Workspace (formerly G Suite) admin account to log in to admin.google.com.

  • You must have valid Infoblox Portal login credentials.

  • Chromebook devices must be running Chrome OS version 88 or later.

Deployment Steps

The deployment process includes the following main steps:

  1. Download the Chrome Config File from the Infoblox Portal.

  2. Configure and Install the Infoblox Chromebook Extension App.

  3. Configure the DoH URL in Google Admin Console.

Step 1: Download the Chrome Config File from the Infoblox Portal

  1. Log in to the Infoblox Portal: http://csp.infoblox.com

  2. Navigate to Configure > Security > Endpoints > Endpoint Groups.

  3. Click Download MDM Configuration > Chrome Config File.

  4. Save the file: Save the Chrome-config.json file to your local machine or a local location where it can be easily accessed during installation.

To assign an endpoint to a specific endpoint group:

  1. Go to Configure > Security > Endpoints > Endpoint Groups.

  2. Click the three horizontal bars icon next to the endpoint group’s name.

  3. Select Download MDM Configuration > Chrome Config File.

  4. Save the file: Save the file to a location from which it can be easily retrieved during the installation of the client app. You will copy the configuration from this file during the installation of the client app.

 Step 2: Configure and install the Infoblox Chromebook Extension App 

  1. Log in to https://admin.google.com

  2. Go to devices > Chrome > Apps and extensions

  3. Under Users and Browsers, select the user groups on Organization Unit. 

  4. Click + Search or add a filter to add the Chrome app or extension by ID. 

The Apps and Extensions section of the Google Admin Console currently displaying no apps or extensions listed that match the filters applied.

  1. Enter the Extension ID:

    • gllkkgmieokcbgbpfobmdlfkijcodbcm

The Add the Chrome app or extension by ID dialog in the Google Admin Console.

  1. Click Save.

Installation Policy:

  1. Under the Installation policy, select Force install + pin to browser toolbar

ch3.png

  1. Add the Downloaded Chrome Config Data:

    • Copy the content from the Chrome-config.json file into Policy for Extensions.

    • Use the following JSON configuration (example):

Code Block
 {
    "allowServiceControl": { 
        "Value": true 
    }, 
    "customerId": { 
        "Value": "" 
    }, 
    "groupName": { 
        "Value": "All BloxOne Endpoints (Default)" 
    }, 
    "cspUrl": { 
        "Value": "http://csp.infoblox.com" 
    }, 
    "jointToken": { 
        "Value": "<JoinToken>" 
    }, 
    "salt": { 
        "Value": "<32-bit-charters>" 
    } 
} 
The Apps and Extensions section of the Google Admin Console. The extension is configured with the installation policy set to Force install plus pin to browser toolbar.

Configuration Field Requirements:

  • customerId: Keep this field blank.

  • cspUrl:

    • Use http://csp.infoblox.com unless the device is registering to http://csp.eu.infoblox.com, in which case cspUrl is mandatory.

  • jointToken: This field is mandatory.

  • salt: This field is mandatory. Use a unique 32-bit hexadecimal character per user, such as:

    • Example: e8f6060b927ad5f24da3b70c7c588734

  • Keep customerId blank. 

    • Keep the same Unique 32-Bit Hexadecimal character in DNS-over-HTTPS and in the above configuration field. 

  1. After adding the above configurations. Click SAVE to apply the configuration. 

Step 3: Configuring the DOH URL in Google Admin Console

  1. Use the following DoH URL in the Google Admin Console:

    • URL: https://doh.threatdefense.infoblox.com/{variable_name}/dns-query

  2. Replace {variable_name} with one of the following attributes based on the user's Chrome admin plan. 

  • USER_EMAIL

    • Example: https://doh.threatdefense.infoblox.com/hash/${USER_EMAIL}/dns-query 

  • DEVICE_SERIAL_NUMBER 

    • Example: https://doh.threatdefense.infoblox.com//hash/${DEVICE_SERIAL_NUMBER}/dns-query

Chrome Enterprise Upgrade or higher plans

  • Customers with Chrome Enterprise Upgrade or higher plan must use DEVICE_SERIAL_NUMBER.

  • Customers with Chrome Enterprise Core must use USER_EMAIL.

3. Navigate to Devices > Chrome > Settings.

4. Under User and Browser Settings, select respective User Groups.

5. Scroll down to Network Tab for DNS-over-HTTPS, DNS-over-HTTPS with identifiers, and DNS-over-HTTPS with exclude domains settings. 

The Settings page of the Google Admin Console. The focus is on the Network section, where three DNS-over-HTTPS (DoH) settings are listed.

  • DNS-over-HTTPS:

    • Select Require DNS-over-HTTPS.

    • Add the DoH URL in the DNS-over-HTTPS templates field.

    • Click Save.

The DNS-over-HTTPS configuration requires DNS-over-HTTPS for all DNS queries using the template URL. This setup ensures that DNS queries are securely encrypted, preventing unauthorized observation of web activity.

  • DNS-over-HTTPS without fallback:

    • Select Require DNS-over-HTTPS.

    • Add the DoH URL in the DNS-over-HTTPS templates field.

    • Click Save.

The Google Admin Console where DNS-over-HTTPS (without fallback) settings are configured.

  • DNS-over-HTTPS with identifiers:

    • Add the same DoH URL as in the previous step.

    • Enter the same 32-bit hexadecimal character as the Salt for hashing identifiers in URI Templates and the Extensions field.

    • Click Save.

cb-C.pngThe DNS-over-HTTPS with identifiers configuration which includes the device serial number as an identifier. The salt value used for hashing user and device identifiers ensurie that identifiers in the URL template are securely hashed.The DNS-over-HTTPS (DoH) with identifiers configuration specifies a DoH template URL that includes the device serial number and a salt value, ensuring privacy and security.

Note: Ensure the same 32-bit hexadecimal character is used in both DNS-over-HTTPS and Apps and Extensions fields.

Info

Exclude Domains:
Add the following domains under Exclude domains:

  • *.google.com

  • *.infoblox.com

  • *.googleapis.com

These settings ensure that the configuration is synchronized with Google APIs and Infoblox Server. when it is saved.

The DNS-over-HTTPS configuration. The DNS-over-HTTPS excluded domains field is configured to bypass DoH and use standard DNS resolution.Image RemovedThe DNS-over-HTTPS configuration.Image Added

URL Blocking

To prevent users from accessing chrome://policy/ (which displays configuration and policies assigned by Google Admin Console):

  1. Navigate to Devices > Chrome > Settings > Users and Browsers > URL Blocking.

  2. Block the following URL:

    • chrome://policy/

The Google Admin Console's URL blocking settings configuration.

Completing the Deployment

After completing the above configurations:

  • Chromebook devices will register in the Infoblox Portal.

  • Configurations and assigned policies will apply according to their endpoint groups.

  • You will be able to monitor DNS activities for registered Chrome devices in the Infoblox Portal.