Google Admin Console MDM Integration

Deploy WPA-Enterprise WiFi profiles and EAP-TLS certificates to managed Chrome OS, Android Enterprise, and iOS devices using Google Admin Console with certificate distribution.

Overview

The Google Admin Console MDM integration enables:

  • WiFi profile deployment to Chrome OS and Android devices
  • Certificate-based authentication (EAP-TLS)
  • Centralized management through Google Workspace
  • Automatic provisioning for enrolled devices
  • Policy enforcement for secure connectivity

Supported Platforms

Platform           | WiFi Profiles   | Certificates  | Management Level
Chrome OS          | ✓ Full support  | ✓ SCEP/Manual | Enterprise enrollment
Android Enterprise | ✓ Full support  | ✓ SCEP/Manual | Fully managed, Work profile
iOS/iPadOS         | ✓ Limited       | ✓ Manual      | Basic MDM
Windows/macOS      | ✗ Not supported |               | Use alternative MDM

Prerequisites

  • IronWifi account with WPA-Enterprise configured
  • Google Workspace Enterprise or Education edition
  • Google Admin Console access (Super Admin)
  • Devices enrolled in Google Admin management
  • IronWifi SCEP service enabled (for certificate-based auth)

Architecture Overview

Managed Device → Google Admin Console → WiFi Policy → IronWifi RADIUS

Certificate → IronWifi CA → Authentication

IronWifi SCEP Configuration

Step 1: Enable SCEP Service

  1. Log in to IronWifi Console
  2. Navigate to Account > PKI Infrastructure
  3. Enable SCEP service
  4. Configure certificate settings:
    • Key Size: 2048-bit (minimum)
    • Validity Period: 365 days
    • Subject Format: CN=%USERNAME% or CN=%DEVICE_ID%
  5. Note your SCEP URL: https://scep.ironwifi.com/your-org

Step 2: Download Root Certificate

  1. In PKI settings, download the Root CA certificate
  2. Save as .pem or .der format
  3. You'll upload this to Google Admin Console

Step 3: Generate Challenge Password

  1. Create a SCEP challenge password
  2. Store securely for Google Admin configuration
  3. You can use the same challenge for all enrollments or a unique challenge per device

Chrome OS Configuration

Step 1: Upload Root Certificate

  1. Open Google Admin Console (admin.google.com)
  2. Navigate to Devices > Networks > Certificates
  3. Click Add Certificate
  4. Upload IronWifi root CA certificate
  5. Set Name: IronWifi Root CA
  6. Set Type: Server CA
  7. Click Save

Step 2: Configure WiFi Network

  1. Go to Devices > Networks > Wi-Fi
  2. Click Add Wi-Fi
  3. Configure network settings:

Basic Settings:

  • SSID: Your secure network name
  • Security: WPA/WPA2 Enterprise (802.1X)
  • Automatically connect: Enable
  • EAP method: EAP-TLS or PEAP-MSCHAPv2

For EAP-TLS (Certificate-based):

  • Server CA certificate: Select IronWifi Root CA
  • Identity: Client certificate (configured below)
  • Anonymize identity: Optional (use anonymous@ironwifi.com)

For PEAP-MSCHAPv2 (Username/Password):

  • Server CA certificate: Select IronWifi Root CA
  • Identity: %USERNAME%@your-domain.com
  • Password: Use stored password or prompt

Step 3: Configure Client Certificate (EAP-TLS)

Option A: Manual Certificate Upload

  1. Generate certificates in IronWifi for each user
  2. Download certificate + private key
  3. In Admin Console > Devices > Networks > Certificates
  4. Click Add Certificate
  5. Upload user certificate
  6. Assign to organizational units or groups

Option B: SCEP Enrollment (Chrome OS 90+)

  1. In Admin Console > Devices > Networks > Certificates
  2. Click Add SCEP Profile
  3. Configure SCEP settings:
    • SCEP URL: https://scep.ironwifi.com/your-org/pkiclient.exe
    • Challenge password: From IronWifi
    • Subject: CN=%DEVICE_SERIAL_NUMBER% or CN=%EMAIL%
    • Key size: 2048
    • Certificate validity: 365 days
  4. Save profile

Step 4: Assign WiFi Policy

  1. Go to Devices > Chrome > Settings
  2. Select organizational unit or group
  3. Navigate to Device Settings > Network
  4. Under Wi-Fi networks, click Manage
  5. Add your configured WiFi network
  6. Set policy:
    • Allow: Users can use this network
    • Mandatory: Auto-connect to this network
  7. Click Save

Android Enterprise Configuration

Step 1: Configure WiFi Policy

  1. In Admin Console > Devices > Mobile & endpoints > Settings
  2. Select organizational unit
  3. Go to Wi-Fi
  4. Click Configure Wi-Fi

Network Configuration:

  • SSID: Your network name
  • Security type: Enterprise (802.1X)
  • EAP method: TLS or PEAP
  • Phase 2 authentication: MSCHAPv2 (for PEAP)
  • CA certificate: Upload IronWifi root CA
  • Anonymous identity: anonymous (optional)
  • Domain: your-radius-server.com (optional)

Step 2: Certificate Distribution

For Fully Managed Devices:

  1. Go to Apps > Mobile apps
  2. Add certificate distribution app (if needed)
  3. Or use built-in certificate management:
    • Navigate to Devices > Mobile & endpoints > Settings
    • Select organizational unit
    • Go to Security > Credentials
    • Upload certificates

For Work Profile Devices:

  1. Certificates can be installed in work profile
  2. Configure WiFi policy for work profile
  3. Personal profile uses separate WiFi settings

Step 3: Deploy Configuration

  1. Ensure devices are enrolled in Android Enterprise
  2. Policies push automatically on next sync
  3. Monitor deployment status in Admin Console

Platform Versions

Android Version | Management Type   | WiFi Support
Android 5.0+    | Fully Managed     | Full support
Android 5.1+    | Work Profile      | Work profile only
Android 9.0+    | Dedicated Devices | Full support

iOS Device Configuration

Google Admin Console provides basic MDM for iOS devices:

Step 1: Enroll iOS Devices

  1. Users install Google Device Policy app
  2. Follow enrollment process
  3. Accept MDM profile

Step 2: Configure WiFi

Warning: iOS WiFi management via Google Admin Console is limited. Consider using Apple Configurator or a dedicated MDM solution for full iOS support.

Basic WiFi Configuration:

  1. In Admin Console > Devices > Mobile & endpoints
  2. Limited WiFi policies available for iOS
  3. May require manual configuration on devices

Alternative Approaches:

  • Use Apple Configurator for WiFi profiles
  • Deploy via Apple Business Manager with dedicated MDM
  • Consider Jamf Pro or similar for comprehensive iOS management

Certificate Management

Certificate Lifecycle

Enrollment:

  1. Device receives WiFi policy from Admin Console
  2. SCEP enrollment initiates (if configured)
  3. Certificate issued by IronWifi CA
  4. Stored in device secure storage

Renewal:

  1. Chrome OS: Automatic renewal before expiration
  2. Android: Manual renewal or re-enrollment may be needed
  3. Monitor expiration dates in IronWifi console

Revocation:

  1. When device is unenrolled or wiped
  2. Revoke certificate in IronWifi console
  3. Prevents further authentication

Certificate Deployment Methods

1. SCEP (Recommended for Chrome OS)

  • Automatic enrollment
  • Scalable for large deployments
  • Built-in renewal support

2. Manual Distribution

  • Upload certificates individually
  • Good for small deployments
  • More management overhead

3. PKCS#12 Files

  • Bundle certificate + private key
  • Distribute via file management
  • Requires secure distribution channel

User Authentication Options

Option 1: Certificate-Only (EAP-TLS)

Best for:

  • High security environments
  • Devices without user login
  • Shared devices

Configuration:

  • Deploy device certificates
  • No password required
  • Device-based authentication

Option 2: Username + Password (PEAP-MSCHAPv2)

Best for:

  • User-specific authentication
  • Integration with Google Workspace
  • Easier troubleshooting

Configuration:

  • Enable Google Workspace sync in IronWifi
  • Use Google credentials for WiFi
  • Password authentication

Option 3: Certificate + Username (PEAP-TLS)

Best for:

  • Enhanced security
  • User and device verification
  • Audit requirements

Configuration:

  • Deploy certificates
  • Require username entry
  • Dual-factor authentication

Google Workspace Integration

Sync Users from Google Workspace

  1. In IronWifi Console > Connectors
  2. Add Google Workspace connector
  3. Authorize with Google admin account
  4. Configure sync settings:
    • Organizational units to sync
    • User attributes to import
    • Group mappings
  5. Run initial sync

User Provisioning

Automatic provisioning:

  1. User logs into Chrome OS with Google account
  2. WiFi policy applies automatically
  3. Certificate enrollment happens transparently
  4. User authenticated via RADIUS

Group-Based Policies

  1. Create groups in Google Admin Console
  2. Apply different WiFi policies per group:
    • Students: Basic access
    • Staff: Full access
    • Guests: Captive portal

Organizational Unit Strategy

OU Structure Example

Your Organization
├── Chrome OS Devices
│   ├── Students
│   ├── Faculty
│   └── Staff
├── Android Devices
│   ├── Fully Managed
│   └── Work Profile
└── iOS Devices
    └── BYOD

Policy Inheritance

  • Policies inherit from parent OUs
  • Override at child OU level as needed
  • Test policies on pilot OU first

Deployment Strategies

1. Phased Rollout

Phase 1: Pilot

  • Deploy to IT team (10-20 devices)
  • Test all scenarios
  • Gather feedback

Phase 2: Department

  • Roll out to one department
  • Monitor for issues
  • Refine policies

Phase 3: Organization-wide

  • Deploy to all OUs
  • Provide user support
  • Monitor compliance

2. Zero-Touch Enrollment

For Chrome OS:

  1. Purchase devices through approved reseller
  2. Assign to organizational unit during purchase
  3. Device configures automatically on first boot
  4. User signs in with Google account
  5. WiFi profile applied immediately

3. Self-Service Enrollment

For BYOD scenarios:

  1. User installs Google Device Policy app
  2. Enrolls device with work email
  3. Accepts management profile
  4. WiFi profile deploys automatically

Monitoring and Reporting

Google Admin Console Reports

Device Status:

  1. Go to Reports > Device reports
  2. View enrolled devices
  3. Check policy compliance
  4. Monitor WiFi connectivity status

Network Usage:

  1. View connected devices
  2. Track WiFi usage
  3. Identify connection issues

IronWifi Monitoring

Authentication Logs:

  1. Monitor successful authentications
  2. Track failed attempts
  3. View by device, user, location
  4. Generate compliance reports

Certificate Status:

  1. View issued certificates
  2. Check expiration dates
  3. Monitor renewal status
  4. Identify revoked certificates

Troubleshooting

Chrome OS Issues

WiFi Not Connecting:

  1. Check device is in correct OU
  2. Verify WiFi policy applied (chrome://policy)
  3. Review certificate installation
  4. Check RADIUS server reachability
  5. Review IronWifi authentication logs

Certificate Not Installing:

  1. Verify SCEP URL is correct
  2. Check challenge password
  3. Review device logs (chrome://network)
  4. Test SCEP endpoint manually
  5. Ensure Chrome OS version supports SCEP
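
For step 4 above, one way to test the SCEP endpoint without enrolling a device is to request its capability list with the standard SCEP GetCACaps operation (RFC 8894) and check what it advertises. This is an added example, not IronWifi's own tooling; it assumes the endpoint answers GetCACaps, uses the placeholder URL from this page, and runs against constructed sample responses so it works offline.

```shell
#!/bin/sh
# Added example: evaluate a SCEP GetCACaps response (RFC 8894, section 3.5).
# SCEP_URL is the placeholder from this page; replace your-org with your own path.
SCEP_URL="https://scep.ironwifi.com/your-org/pkiclient.exe"

# Fetch the capability list (plain text, one keyword per line).
# Not called by default so the example runs offline.
fetch_caps() {
    curl -fsS --max-time 10 "${SCEP_URL}?operation=GetCACaps"
}

# Read a GetCACaps response on stdin and print one finding per line.
# Returns 0 when SHA-256 or SHA-512 and AES are advertised, 1 otherwise.
check_scep_caps() {
    caps=$(tr -d '\r' | sed 's/[[:space:]]*$//')
    has() { printf '%s\n' "$caps" | grep -qix -- "$1"; }
    rc=0
    if has 'SHA-256' || has 'SHA-512'; then
        echo "OK   strong digest advertised"
    else
        echo "WEAK no SHA-256/SHA-512 digest advertised"; rc=1
    fi
    if has 'AES'; then
        echo "OK   AES advertised"
    else
        echo "WEAK AES not advertised"; rc=1
    fi
    has 'POSTPKIOperation' || echo "NOTE POSTPKIOperation missing; requests travel in the GET URL"
    has 'Renewal' || echo "NOTE Renewal missing; renewal requests are not supported"
    return $rc
}

# Constructed sample responses (not captured from a real server).
SAMPLE_GOOD='POSTPKIOperation
SHA-256
AES
Renewal
SCEPStandard'
SAMPLE_WEAK='DES3
SHA-1'

printf '%s\n' "$SAMPLE_GOOD" | check_scep_caps
printf '%s\n' "$SAMPLE_WEAK" | check_scep_caps || echo "=> weak endpoint configuration"
# Live check against your own endpoint: fetch_caps | check_scep_caps
```
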

Policy Not Applying:

  1. Force device policy refresh
  2. Check OU assignment
  3. Verify policy inheritance
  4. Review policy conflicts
  5. Try device unenroll/re-enroll

Android Enterprise Issues

WiFi Configuration Not Deploying:

  1. Verify device enrollment status
  2. Check organizational unit settings
  3. Force policy sync on device
  4. Review management mode (fully managed vs work profile)
  5. Check Android version compatibility

Certificate Installation Failed:

  1. Verify certificate format (PEM/DER)
  2. Check certificate validity dates
  3. Ensure private key is included (if applicable)
  4. Review device storage limitations
  5. Check admin permissions on device

Work Profile Issues:

  1. Verify work profile is active
  2. Check if WiFi is work-enabled
  3. Review profile certificate access
  4. Try recreating work profile

iOS Issues

Limited Management:

  • iOS management via Google Admin is basic
  • Complex WiFi setups may not be supported
  • Consider alternative MDM for iOS-heavy environments

Profile Installation:

  1. Ensure Google Device Policy app installed
  2. Check MDM profile acceptance
  3. Manual WiFi configuration may be needed
  4. Review profile conflicts

Security Best Practices

1. Certificate Security

  • Use 2048-bit or higher key size
  • Set appropriate certificate validity (365 days)
  • Enable certificate revocation checking
  • Monitor expiration dates proactively
  • Rotate CA certificates periodically
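
The certificate checks listed here and under "Certificate Installation Failed" (encoding, validity dates, key size) can be scripted with openssl before a file is uploaded. This is an added example, not part of the IronWifi or Google tooling; it assumes RSA keys, a 30-day warning window chosen for illustration, and throwaway self-signed certificates generated as constructed sample input.

```shell
#!/bin/sh
# Added example: pre-upload checks for a certificate file using openssl.
# RSA keys are assumed; the 2048-bit minimum comes from this page.
MIN_BITS=2048
WARN_DAYS=30   # assumed renewal warning window

# Print "pem" or "der" depending on how the certificate file is encoded.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo pem; else echo der; fi
}

# check_cert FILE: print findings; return 0 only if every check passes.
check_cert() {
    f=$1; fmt=$(cert_format "$f"); rc=0
    if ! openssl x509 -inform "$fmt" -in "$f" -noout >/dev/null 2>&1; then
        echo "FAIL $f: not a parseable $fmt certificate"; return 1
    fi
    bits=$(openssl x509 -inform "$fmt" -in "$f" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -lt "$MIN_BITS" ]; then
        echo "FAIL $f: key size ${bits:-unknown} < $MIN_BITS"; rc=1
    fi
    if ! openssl x509 -inform "$fmt" -in "$f" -noout -checkend 0 >/dev/null; then
        echo "FAIL $f: certificate has expired"; rc=1
    elif ! openssl x509 -inform "$fmt" -in "$f" -noout \
            -checkend $((WARN_DAYS * 86400)) >/dev/null; then
        echo "WARN $f: expires within $WARN_DAYS days"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $f: $fmt, ${bits}-bit key, valid > $WARN_DAYS days"
    return $rc
}

# Constructed sample input: throwaway self-signed certificates in a temp dir.
make_samples() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-device" \
        -keyout "$d/key.pem" -out "$d/good.pem" 2>/dev/null
    openssl x509 -in "$d/good.pem" -outform der -out "$d/good.der"
    openssl req -new -x509 -key "$d/key.pem" -days 10 -subj "/CN=demo-device" \
        -out "$d/short.pem" 2>/dev/null
    echo "$d"
}

d=$(make_samples)
for c in good.pem good.der short.pem; do check_cert "$d/$c" || true; done
rm -rf "$d"
```
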

2. Network Security

  • Use WPA2 or WPA3-Enterprise
  • Enable 802.1X authentication
  • Configure server certificate validation
  • Use unique RADIUS shared secrets per location
  • Implement RADIUS accounting

3. Access Control

  • Apply least privilege principle
  • Use organizational units for segmentation
  • Implement VLAN assignment per group
  • Configure bandwidth limits where needed
  • Monitor for unauthorized access

4. Audit and Compliance

  • Enable authentication logging
  • Review access logs regularly
  • Generate compliance reports
  • Track device enrollment/unenrollment
  • Maintain configuration documentation

5. Admin Console Security

  • Enable 2-factor authentication for admins
  • Use least privileged admin roles
  • Review admin activity logs
  • Implement admin session timeouts
  • Back up policies regularly

Education-Specific Features

Google Workspace for Education

Student Management:

  1. Separate OUs for students and staff
  2. Different WiFi policies per grade level
  3. Content filtering integration
  4. Usage time restrictions

Chrome Education Upgrade:

  • Required for advanced device management
  • Enables detailed policy control
  • Provides usage analytics
  • Supports classroom management apps

Classroom Integration

Chromebook Management:

  1. Assign Chromebooks to students
  2. Auto-configure WiFi on device assignment
  3. Reset device between school terms
  4. Track device location and usage

Enterprise-Specific Features

Android Enterprise

BYOD (Work Profile):

  • Separate work and personal data
  • WiFi policy applies to work apps only
  • User privacy maintained
  • Corporate data protected

Corporate Owned:

  • Full device management
  • WiFi applies system-wide
  • Enhanced security policies
  • Complete MDM control

Chrome OS for Business

Kiosk Mode:

  • Lock device to specific apps
  • Auto-configure WiFi
  • Prevent user changes
  • Ideal for single-purpose devices

Managed Guest Sessions:

  • Temporary user accounts
  • Auto-connect to WiFi
  • No data persistence
  • Good for shared workspaces

Cost Considerations

Google Workspace Editions

Edition           | Device Management        | Cost
Business Starter  | Limited                  | Lower
Business Standard | Basic                    | Medium
Business Plus     | Advanced                 | Higher
Enterprise        | Full MDM                 | Highest
Education         | Chrome Education Upgrade | Varies

IronWifi Requirements

  • SCEP service may require add-on subscription
  • Consider certificate volume for pricing
  • API access included in standard plans
  • Custom CA certificates may have additional cost

Migration Strategies

From Manual Configuration

  1. Document current WiFi settings
  2. Create matching policies in Admin Console
  3. Deploy to test group
  4. Gradually migrate users
  5. Remove manual configurations

From Another MDM

  1. Export device inventory
  2. Enroll devices in Google Admin
  3. Deploy WiFi policies in parallel
  4. Switch users during maintenance window
  5. Decommission old MDM

New Deployment

  1. Plan organizational structure
  2. Create policies before device enrollment
  3. Configure zero-touch where possible
  4. Prepare support documentation
  5. Train support staff

Support Resources