Supported editions for this feature: Frontline Starter and Frontline Standard; Business Starter, Business Standard, and Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, Education Plus, and Endpoint Education Upgrade; Essentials, Enterprise Essentials, and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Free and Cloud Identity Premium. Compare your edition
As an administrator, you can control user access to networks and apps with digital certificates. For example, to manage network access by mobile devices, set up a SCEP profile with a certificate, assign the profile to users, then require the SCEP profile for network access. As another example, to manage app access by computers, you can assign a certificate to computers with endpoint verification, then set up Context-Aware Access to require the certificate for app access.
Certificates can be set up for the following devices and apps:
- Android devices (Requires advanced mobile management)
- iPhones and iPads (Requires advanced mobile management)
- ChromeOS devices
- Imprivata app on ChromeOS devices
- Computers with endpoint verification
Important considerations for certificates:
- On Chrome OS versions 61–72, certificates added to an organizational unit are available to both network settings and kiosk apps on devices. On earlier versions, certificates are only available to the network settings on a device.
- On Chrome OS version 73 and later, certificates added to an organizational unit are available to network settings, kiosk apps, and managed guest sessions on devices.
- Some configurations using PEAP, TLS, and TTLS need server-side certificates to ensure accessibility.
- To use certificates for an EAP Wi-Fi network, the device must be secured with a password, PIN, or pattern verification.
- Don't upload certificates that contain private keys.
- You can add up to 50 certificates in each organizational unit.
Add a digital certificate
Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesNetworks.
- Click Certificates.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
- Click Add Certificate.
- Enter a name for the certificate.
- Click Upload, select the PEM file, and click Open.
- Select the platforms that the certificate is a Certificate Authority for.
- Click Add.
Remove a digital certificate
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesNetworks.
- Click Certificates.
- Select the organizational unit you want to remove the certificate for. If you remove a certificate from the top organizational unit, the certificate is removed for your entire organization.
- Point to the row, and click Delete.
Related topics
- Set up certificates for managed mobile and ChromeOS devices
- Set up networks for managed devices (Wi-Fi, Ethernet, VPN, cellular)
- Context-Aware Access examples for Advanced mode
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.