Pulse Secure Client for Chrome OS Quick Start Guide Published March, 2018 Release 5.2r1 Version 1.6 2018 by Pulse Secure, LLC. All rights reserved 1
Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA 95134 http://www.pulsesecure.net 2018 by Pulse Secure, LLC. All rights reserved Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Pulse Secure Client for Chrome OS Quick Start Guide The information in this document is current as of the date on the title page. END USER LICENSE AGREEMENT The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA. 2018 by Pulse Secure, LLC. All rights reserved 2
Revision History Revision Date Description 1.6 March 2018 5.2 R1 1.5 June 2016 5.2.1.17 1.4 April 2016 5.2.1.15 1.3 February 2016 5.2.1.14 1.2 November 2015 5.2.1.9 1.1 October 2015 5.2.1.8 1.0 September 2015 5.2.1.7 2018 by Pulse Secure, LLC. All rights reserved 3
Table of Contents Revision History... 3 Introduction... 5 Overview... 5 Supported Platforms... 5 Supported Features... 6 Limitations... 7 Diagnostics and Status... 7 Configuring Server VPN Policy... 11 Configuring Manual Connections... 13 Modifying VPN Connection... 16 Deleting VPN Connection... 17 Starting and Stopping VPN Connections with Chrome OS... 18 Appendix A... 19 Chromebook Advanced Sync Settings... 19 Appendix B... 21 Managing Certificates on Chromebook... 21 Importing Client Certificates... 21 Importing Public Key Certificate of the Issuer of the PCS Gateway... 23 Appendix C... 24 Google Management Console... 24 Managing Connection Policy... 26 Index... 30 2018 by Pulse Secure, LLC. All rights reserved 4
Introduction Overview Pulse Secure client for Chrome OS provides secure connectivity between a device running Chrome OS and Pulse Connect Secure. Pulse Secure client for Chrome OS is available from the Chrome Web Store. After installing the Pulse Secure client app on a Chrome OS device, the user can configure a connection and establish Layer 3 VPN (SSL) communications. Configuration on the Pulse Connect Secure gateway to support Pulse Secure clients for Chrome OS is the same as that of Pulse for Windows and Mac OSX. Use the sign-in policies, authentication realms, roles and VPN tunnel policies to define authentication and access permissions. A typical Pulse server configuration for Chrome OS access is to create a realm, a role and a remediation role that are designed for Chrome OS users. Figure 1: Pulse Secure Client for Chrome Web Store App Page Supported Platforms Pulse Secure client for Chrome OS is supported on devices running version 43.0.2357.19 or later of Chrome OS. 2018 by Pulse Secure, LLC. All rights reserved 5
Pulse Secure client for Chrome OS is supported on Pulse Connect Secure version 8.1 and later. Supported Features The following features are supported by the Pulse Secure client for Chrome OS: VPN (SSL) connections to Pulse Connect Secure v8.1 and later Manual end-user connection and disconnection Authentication types: o o o o o o Username and password Username and RSA token code (User PIN and system PIN are supported.) Client certificate and smart card Radius challenge/response Secondary authentication SAML (Security Assertion Markup Language) Authentication server prompts for retry, change password, create PIN, change PIN and next-token code Realm and role selection Pre- and post-authentication sign-in notification messages IPv4 Split tunneling enabled and disabled Note: Pulse for Chrome OS connections always have local subnet access enabled. Split tunneling policies: IPv4 inclusion and exclusion routes (In split-tunneled mode, the Pulse Connect Secure DNS search-order configuration settings do not apply to Pulse for Chrome OS.) Host Checker (OS-Check only) Graceful handling of sleep/wakeup transitions, including session resumption and termination App download from Google s Chrome Web Store Tunnel proxy settings 2018 by Pulse Secure, LLC. All rights reserved 6
Limitations The following features are not available with Pulse Secure client for Chrome OS: Connections to Pulse Policy Secure gateways or gateways from third parties (Only connections to Pulse Connect Secure gateways are supported.) Host Checker (only the Host Checker OS-Check is supported) Machine authentication Location awareness rules Logon and logoff scripts WINS server tunnel parameter UDP-ESP tunnel (only SSL mode is supported) Certificate trust override prompt RSA soft-token integration Session extension Manual suspend/resume tunnel Diagnostics and Status After installing the Pulse app on a Google Chrome device, you can see the Pulse Secure icon by clicking on the launcher icon available in the lower left-hand corner of the Google Chrome desktop screen. 2018 by Pulse Secure, LLC. All rights reserved 7
Figure 2: Chrome OS Apps List Pulse Secure icon When you click on the Pulse Secure icon, a screen appears that has Status, Pulse Log and About tabs, and Refresh and Clear Credentials buttons. 2018 by Pulse Secure, LLC. All rights reserved 8
Figure 3: Diagnostics and Status screen Pulse Log tab A brief description about these items is given in the table below. Table 1: Diagnostics and Status Item Status tab Description Provides the version of the Pulse client and information about the number of connections attempted (including failures) and packets transmitted. The status is used to verify if connections are being created correctly and if data is being transmitted through the secured tunnel. Pulse Log tab About tab Displays detailed diagnostics logs and debug information. If you need help diagnosing a connectivity issue, you may be asked to provide these logs to an authorized support representative. Displays the Pulse app version, copyright and trademark information. Refresh button Clear Credentials button Updates the Status and Pulse Log tabs. Clears any connection s automatically saved credentials such as the user password or client certificate selection. To clear any other information, use the Edit Connections dialog. Note: The Status and Pulse Log tabs are static, which means that they will display only the state of the Pulse app at the time the Pulse app was started. The screen will not 2018 by Pulse Secure, LLC. All rights reserved 9
dynamically update as additional data is transmitted. To update Status or Pulse Log, click the Refresh button. 2018 by Pulse Secure, LLC. All rights reserved 10
Configuring Server VPN Policy The Pulse Secure client enables you to secure your company resources using authentication realms, user roles and resource policies. For complete information on the Pulse Connect Secure gateway, see the Pulse Connect Secure documentation. The Pulse Connect Secure gateway checks the authentication policy defined for the authentication realm. The user must meet the security requirements that are defined for a realm's authentication policy. At the realm level, you can specify security requirements based on various elements, such as the user's source IP address or the possession of a client-side certificate. If the user meets the requirements specified by the realm's authentication policy, the gateway forwards the user's credentials to the appropriate authentication server. If this server successfully authenticates the user, then the gateway evaluates the role-mapping rules defined for the realm to determine which roles to assign to the user. The following is a generalized example of configuring a Pulse Connect Secure gateway for the Pulse for Chrome OS app. Click Users > User Roles and then either select an existing role (preferred) or create a new role. If creating a new role, specify a name and optional description for the role, for example: Chrome OS Role, Chrome OS VPN Role. To use certificate authentication at the role level, click Restrictions > Certificate on the role s General tab, and add the required certificate information. To sign in, enable certificate authentication by clicking Only allow users with a client-side certificate signed by Certification Authority. Note: One typical method of installing the client certificate on a Chrome OS device is to send the certificate as an attachment to the Chrome OS user. The certificate must be installed on the Chrome OS device before the user can connect. The user is prompted to select the certificate during the initial Pulse Secure client connection process. There are other mechanisms for transferring the certificate to the client, including MDM systems and Google Drive. Define the trusted client certificate authorities. For complete information on certificate authentication, see Understanding Digital Certificate Security. Note: Due to limitations, you must specify the set of client certificate issuer certificate authorities. The Chromebook does not support the specification of root or intermediate certificate authorities in certificate authority hierarchies greater than 2. Set the options on the role s Web and Files tabs as required. Click Users > User Realms and then create a new realm or select an existing realm. Configure and 2018 by Pulse Secure, LLC. All rights reserved 11
save your options on the General and Authentication Policy tabs. On the Role Mapping tab, click New Rule to create a new role-mapping rule. One option for a role-mapping rule is to create a custom expression that uses the user agent string to identify a Chrome OS device. The Pulse Secure client for Chrome OS user agent string has a form like this: Pulse-Secure/8.1.0.0 (ChromeOS; ARM) PulseVpn/5.2.1.0 You can use all or part of the string in a custom expression that uses the useragent variable. For example: useragent = '*ChromeOS*' Select the role that you created earlier for the Chrome OS users, add it to the Selected Roles list, and then click Save Changes. 2018 by Pulse Secure, LLC. All rights reserved 12
Configuring Manual Connections Pulse Secure client for Chrome OS is available from the Chrome Web Store. After the user installs the app, the user can create Pulse Secure client connections. Figure 4 shows the Pulse Secure client after it has been installed on a Chrome OS device. Figure 4: Chrome OS Apps List The Pulse Secure icon in the apps list is used primarily to view connection, versioning and diagnostic information. To configure a VPN connection or to initiate a manual VPN connection, click on the system tray in the lower-right-hand corner of the main Chrome OS screen, then select the VPN option in the popup-menu. Pulse Connect Secure connections will appear in the resulting VPN dialog. Note: If you use client certificate authentication, the client certificate must be installed on the Chrome OS device before the Pulse Secure client can connect. To create a Pulse Secure client connection on a Chrome OS device: 2018 by Pulse Secure, LLC. All rights reserved 13
Go to the system tray, open the popup menu and select the VPN disconnected option. Figure 5: VPN disconnected Option Tap the Pulse Secure option. Figure 6: Pulse Secure Option To create a new connection, tap the Pulse Secure option. The Add Connection screen appears. 2018 by Pulse Secure, LLC. All rights reserved 14
Figure 7: Add Connection screen In the URL field, specify the URL for the Pulse Connect Secure gateway. You can identify the server using the server IP address, the hostname, or a URL that optionally specifies the port the connection uses and the specific sign-in page. To specify an URL, use the following format: https://hostname[:port][/][sign-in page] The brackets indicate options. If you specify a specific sign-in page, make sure that the name you specify matches what is defined on the Pulse Connect Secure gateway. (Authentication > Signing in > Sign-in pages.) Specify the optional parameters. If you specify a username, future connection prompts will be seeded with this user name. After the user saves the new connection, it appears in the VPN list. The user can tap the connection to initiate a VPN connection. The VPN connection state is indicated in the VPN popup menu. Note: The connection Save identity and password option controls whether credentials will be automatically saved or not. Saved credentials are not stored persistently and will be removed on logout, uninstallation and restarting the computer. 2018 by Pulse Secure, LLC. All rights reserved 15
Modifying VPN Connection To modify a Pulse Secure client connection on a Chrome OS device: Open the Chrome Settings page. Under Private network settings, select the connection you want to modify. Click Configure. The Pulse Secure client connection configuration screen is displayed. Figure 8: Modify Connection screen Click Configure to launch the Pulse Secure Edit Connection dialog. 2018 by Pulse Secure, LLC. All rights reserved 16
Deleting VPN Connection To delete a Pulse Secure client connection on a Chrome OS device: Open the Chrome Settings page. Under Private network settings, select the Preferred networks. Figure 9: Delete Connection screen Select the delete symbol x corresponding to the connection you want to remove. Click Done. 2018 by Pulse Secure, LLC. All rights reserved 17
Starting and Stopping VPN Connections with Chrome OS To start Pulse Secure client connection, in the Chrome OS System menu, click the Pulse Secure connection that you want to start. Figure 10: Start Pulse Secure Client Connection To stop Pulse Secure client connection, in the Chrome OS System menu, select the Pulse Secure connection that you want to stop and click Disconnect. Figure 11: Stop Pulse Secure Client Connection 2018 by Pulse Secure, LLC. All rights reserved 18
Appendix A Chromebook Advanced Sync Settings The Advanced Sync Settings option provides the access to apps, extensions, bookmarks and other information across Chromebooks. You can sync: Apps and extensions from the Chrome Web Store (except extensions containing plug-ins) Chrome browser settings Custom wallpapers Language preferences Prediction of network actions To set up sync: On the Settings page, in the Users section, click Advanced sync settings. The Advanced sync settings window is displayed. Figure 12: Advanced sync settings window From the drop-down list, select Sync everything and click OK. 2018 by Pulse Secure, LLC. All rights reserved 19
The Pulse Secure client extension would be synced to all Chromebook devices with the default settings. You will be able to access apps, extensions, bookmarks and other information across Chromebooks. 2018 by Pulse Secure, LLC. All rights reserved 20
Appendix B Managing Certificates on Chromebook If you are not using certificates from one of the existing public certificate authorities, you must import the public key certificate of the issuer of the Pulse Connect Secure (PCS) gateway. This will allow the Chromebook to trust the PCS. If you are using client certificate authentication, you must import the client certificates into the Chromebook certificate store. Importing Client Certificates To import the client certificates: Go to the chrome tab chrome://certificate-manager. In the Your Certificates tab, import user certificates. Figure 13: Certificate Manager Your Certificates tab 2018 by Pulse Secure, LLC. All rights reserved 21
Note: For managed accounts: Only the certificates, imported by the chrome.enterprise.platformkeys API will qualify for corporate usage. If the certificate is generated or imported by other means, such as manually then it is not available for the API. For more information please refer: https://support.google.com/chrome/a/answer/6080885?hl=en&ref_topic=6330253 2018 by Pulse Secure, LLC. All rights reserved 22
Importing Public Key Certificate of the Issuer of the PCS Gateway To import the public key certificate: Go to the chrome tab chrome://certificate-manager. In the Authorities tab, import the public key certificate of the issuer of the PCS gateway. Figure 14: Certificate Manager Authorities tab To test your certificates: Open the Chrome browser. Enter your PCS URL and see if you get an HTTPS certificate error. 2018 by Pulse Secure, LLC. All rights reserved 23
Appendix C Google Management Console To manage the Pulse Secure VPN with the Google Management Console, do the following steps: Add the Pulse Secure app to either the Force-installed or Allowed Apps and Extensions from the Chrome->User Settings. Add the Pulse Secure VPN from the Device management->network->vpn. Choose the appropriate organizational unit. 2018 by Pulse Secure, LLC. All rights reserved 24
Hover over the Pulse Secure VPN item and depress the EDIT button. Configure the policies and settings for the Pulse Secure VPN app. 2018 by Pulse Secure, LLC. All rights reserved 25
Select the Allow access to client certificates and keys if you are using client certificates. Managing Connection Policy From within Google Management Console you can manage the Pulse Secure application and import a connection policy. 2018 by Pulse Secure, LLC. All rights reserved 26
The Pulse Secure connection policy implements these policy options. Policy Description AllowLocal AllowAutoSave If set to true, then enable add, edit and delete of local connections. Default: true If set to true, then enable the auto-save option on local connections. If set to false, this option disables auto-save for all connections. Default: true Connections Attribute Description name Connection Name. url Server URL. check If set to true, then identity and password credential information will be automatically saved and used transparently in subsequent authentication attempts. Default: true username If primary username is set, then primary username prompts will default to this value. The following substitution symbols are supported: Variable Description ${LOGIN_ID} The current user's username, 2018 by Pulse Secure, LLC. All rights reserved 27
Policy Description such as mscarlet. The current user's full email ${LOGIN_EMAIL} address, such as mscarlet@your_domain.com. username2 realm role If secondary username is set, then secondary username prompts will default to this value. The following substitution symbols are supported: Variable Description The current user's username, ${LOGIN_ID} such as mscarlet. The current user's full email ${LOGIN_EMAIL} address, such as mscarlet@your_domain.com. If realm is set, then this realm preference will be automatically selected during authentication. If role is set, then this preferred role will be automatically selected during authentication. A configuration conforming to the specification above can be placed in a configuration file in JSON format and uploaded in the Google Management Console. Below is a sample Pulse Secure connection policy in JSON format showing a locked-down policy useful for a kiosk application. { } "AllowLocal": { "Value": false }, "AllowAutoSave": { "Value": false }, "Connections": { "Value": [ {"name": "test", "url": "10.17.1.222", "check": true, "username": "${LOGIN_ID}", "username2": "${LOGIN_EMAIL}"}, {"name": "vpn", "url": "vpn.psecure.net", "realm": "Users", "role": "Users"} ] } Note: The policy is case sensitive. 2018 by Pulse Secure, LLC. All rights reserved 28
The policy attributes and Connections array must not have a trailing, after the last element. Not all Connections attributes have to be specified; only name and url are required. AllowLocal and AllowAutoSave are optional The Google Management Console doesn t validate configuration and fails silently on malformed policies. Once you make your configuration file, use the UPLOAD CONFIGURATION FILE button in the Google Management Console to upload the configuration. To see the downloaded policy on a managed Chromebook device, navigate the browser to chrome://policy page. For information on managing chrome devices, see: https://support.google.com/chrome/a/answer/1289314?hl=en For instructions for enrolling chrome devices, see: https://support.google.com/chrome/a/answer/1360534?hl=en 2018 by Pulse Secure, LLC. All rights reserved 29
Index A apps and extensions 18 authentication realms 4 authentication types 5 C certificate authentication 10 certificate manager 19, 20 Chrome Web Store 4, 5, 12 client certificate authentication 19 client certificate authorities 10 custom wallpapers 18 D delete VPN connection 16 diagnostics 7 DNS 5 H host checker 5 I IPv4 5 L Layer 3 VPN(SSL) communication 4 local awareness 6 logs 7 M machine authentication 5 modify VPN connection 15 P Pulse Secure icon 12 R Radius challenge/response 5 RSA soft token 6 RSA token code 5 S secondary authentication 5 session extension 6 sign-in notification messages 5 sleep/wakeup transitions 5 smart card 5 split tunneling 5 start VPN connection 17 status 7 stop VPN connection 17 supported features 5 supported platforms 4 sync settings 18 U UDP-ESP tunnel 6 user agent string 11 2018 by Pulse Secure, LLC. All rights reserved 30