Distribute the mobile client with Google Workspace Endpoint Management

Before you begin:

  • Confirm that your organization has a Google Workspace Admin account.
  • Make sure that the user who performs this procedure is an account administrator.

Complete these steps to distribute the mobile client to Android, iOS, and ChromeOS devices with Google Workspace Endpoint Management.

To distribute the mobile client:

  1. For ETP Client on Android or iOS, complete these steps:
    1. Add the ETP Client app for Android or iOS to the Google Admin Console
    2. Apply managed configuration settings to the app
  2. For ETP Client on ChromeOS, complete these steps:
    1. Add ETP Client app for ChromeOS to the Google Admin Console
    2. Configure app configuration values for ChromeOS
    3. Configure ETP Client for ChromeOS as an Always-On VPN
  3. Modify your policies:
    1. For Android and ChromeOS devices, block other VPNs. See Block other VPNs.
    2. For ChromeOS devices, prevent users from stopping or terminating the client. See Prevent users from stopping or terminating ETP Client services.
  4. To enforce settings and policies that you configured in the Google Admin Console, you must enroll your devices:
    1. To enroll ChromeOS devices, see Enroll ChromeOS devices in the Chrome Enterprise and Education Help.
    2. To enroll Android devices, see Add company-owned devices to the inventory in the Google Workspace Admin Help.
    3. To enroll iOS devices, see Set up company-owned iOS device management in the Google Workspace Admin Help.
  5. To monitor Android devices, see Monitor forced Android app installs.

To learn more about setting up company-owned devices, see Set up guide: Deploy company-owned devices in the Google Workspace Admin Help.

Add the ETP Client app for Android or iOS to the Google Admin Console

Complete this procedure to add ETP Client for Android or iOS to the list of apps in the Google Admin Console. This procedure automatically installs the app on devices that are already enrolled. You can enroll new devices after adding the app to the Google Admin Console and configuring the necessary policies.

To add ETP Client to the Google Admin Console:

  1. In the Google Admin Console, select Apps > Web and mobile apps.
  2. Click the Add App menu and select Search for apps.
  3. Click Enter app name and enter ETP Client.
  4. After you find the app in the search results, hover over the app and click Select.
  5. Assign the app to all or select specific users, groups, or organizational units.
  6. Click Continue.
  7. In the Access method settings, select Force Install and Use for Always on VPN.
  8. Click Finish.

Next Steps:

Apply managed configuration settings to the app

Apply managed configuration settings to the app

Complete this procedure to apply managed configuration settings to the ETP Client app.

To apply managed configuration settings to ETP Client:

  1. In the navigation panel, select Apps > Web and mobile apps.
  2. Click the ETP Client app that you added.
  3. Under Managed configurations, click Add managed configuration.
  4. Enter a name for the configuration.
  5. For the enrollment code or activation link field, enter the enrollment code.
  6. Click Save.

Next Steps:

To install ETP Client on ChromeOS devices, see Add ETP Client app for ChromeOS to the Google Admin Console.

Add ETP Client app for ChromeOS to the Google Admin Console

Complete this procedure to add ETP Client for ChromeOS to the Google Admin Console. This procedure automatically installs the app on ChromeOS devices that are already enrolled. You can enroll new devices after adding the app to the Google Admin Console and configuring the necessary policies.

To install the client:

  1. In the Google Admin Console navigation menu, select Devices > Chrome > Apps & extensions > Users & browsers.
  2. Click the plus sign icon at the bottom of the page, and then click the Add from Google Play button.
  3. Search for the app that you want to add and select the app.
  4. Accept the permissions that the app uses.
  5. Under Installation Policy, select Force install from the drop-down menu.
  6. Click Save.

Next Steps:

Configure app configuration values for ChromeOS.

Configure app configuration values for ChromeOS

Complete this procedure to set configuration values for the app.

To configure app configuration values for the ETP Client on Chrome:

  1. In the navigation menu, select Devices > Chrome > App & extensions > Users & browsers.

  2. Select ETP Client from the list of the apps.

  3. In the Managed configuration area, enter these key-value pairs in JSON format.

    {
    "entitlementCode": "CODE_ or_ACTIVATION_URL",
    “owner”:  ${USER_EMAIL},
    “deviceName”: "%%DEVICENAME%%-${DEVICE_SERIAL_NUMBER}"
    }
    

    where CODE_or_ACTIVATION_URL is the entitlement code or the activation URL.

    📘

    In this example, the user email identifies the device owner, while the device serial number identifies the device.

  4. If you are configuring the Always-On VPN setting, set “excludedVpnApps”:false in the Managed configuration JSON.

  5. Click Save. This update may take a few minutes to apply to enrolled devices.

Next Steps:

Configure ETP Client for ChromeOS as an Always-On VPN.

Configure ETP Client for ChromeOS as an Always-On VPN

Complete this procedure to configure ETP Client as an always-on VPN. An always-on VPN means that all user traffic passes through the client and the client is always enabled on the device.

Before you begin:

You must set “excludedVpnApps”:false in the JSON configuration file. For instructions, see Configure app configuration values for ChromeOS.

To configure ETP Client as an Always-On VPN:

  1. In the Google Admin Console, select Devices > Chrome > Settings > Users & browsers.
  2. Navigate to the Always on VPN area and click EDIT.
  3. Select the VPN from the drop-down list.
  4. In the drop-down list, select Do not allow user to disconnect from a VPN manually.
  5. Click Save.

Block Other VPNs

Complete this procedure to block VPNs from Chrome extensions and Android apps. This procedure will prevent other VPNs from overriding ETP Client.

To block other VPNs:

  1. To block VPNs from Chrome extensions:
    1. In the Google Admin Console, select Devices > Chrome management.
    2. Click Apps & extensions.

      📘

      Do not modify the top organization unit that is selected.

    3. Click the Users & Browsers tab.
    4. On the right, click the gear icon for Advanced Settings.
    5. In the Permissions and URLs section, select VPN provider.
    6. Click SAVE.
  2. To block VPNs from Android Apps.
    1. In the navigation menu, select Device Management > Chrome Management > Apps & extensions.
    2. Under Allow users to install other apps & extensions, select Block all other apps & extensions from the drop-down list.

Prevent users from stopping or terminating ETP Client

Complete this procedure to prevent users from stopping or terminating services for ETP Client on ChromeOS.

To prevent users from stopping ETP Client:

  1. To prevent users from stopping or ending the VPN service in ChromeOS Task Manager, complete these steps:

    1. In the Google Admin Console, go to Device Management > Chrome Management.
    2. Click User & Browser Settings.
    3. Go to the Apps and extensions settings.
    4. In the Task manager drop-down list, select Block users from ending process with the Chrome Task manager.
  2. To prevent users from stopping the VPN service with the Crosh terminal shell:

    1. In the navigation menu, select Device Management > Chrome Management > App & extensions.
    2. At the bottom of the page, click the plus sign button and then click the Chrome Web Store icon.
    3. Search for crosh and select the Crosh Window app.
    4. In the drop-down menu for the Crosh Window app, change the selection from Allow install to Block.
    5. Click SAVE. As a result of this update, if a user attempts to use this app, a user will see a message that indicates the Crosh Window app was blocked by the administrator.
  3. If you blocked the Crosh Window app, you must also block the built-in Crosh terminal. Complete these steps:

    1. In the navigation menu, select Device Management > Chrome Management > User & browser settings.
    2. In the URL blocking area, enter this URL:
    chrome-extension://nkoccljplnhpfnfiajclkommnmllphnl/html/crosh.html 
    

Next Steps:

Enroll devices:

  1. To enroll ChromeOS devices, see Enroll ChromeOS devices in the Chrome Enterprise and Education Help.
  2. To enroll Android devices, see Add company-owned devices to the inventory in the Google Workspace Admin Help.
  3. To enroll iOS devices, see Set up company-owned iOS device management in the Google Workspace Admin Help.