- You have to push your CA cert out to your Chrome devices first. Follow the wiki on pushing certs to Chrome.
- As of March 2019 you still can't AUTOMATICALLY trust certs pushed via the Google console TO SUBDOMAINS. You can't push a cert to student.domain.com and have it trusted: it will be pushed, but it won't be trusted. The user would have to trust it manually, which is not an option / not feasible.
Exempt Google login and services sites from deep scanning
- Certificates and trusts are USER SETTINGS.
- When the device boots it has to connect to Google services APIs. Those are SSL protected. They BREAK under deep scanning, since the inspection certificate is not, and cannot be, trusted at the device level.
- You must exempt ALL the Google services sites in the deep scanning profile.
- The list is here, under "Set up SSL inspection on Chrome devices": https://support.google.com/chrome/a/answer/6334001?hl=en&ref_topic=3504941
- The FortiGate WILL NOT accept wildcard FQDN address entries in the form Google lists them. You must expand them manually.
- As of Mar 2019 there are 24 altx.google.com sites, so I made alt1 through alt24.google.com entries along with all the others.
- Here is a script to auto-generate address entries in the right format from a newline-separated list of FQDNs.
Put your FQDNs, one per line, in a file named fortiaddress, then run the script against it on Linux/OS X/BSD (anything with a bash shell). It prefixes each entry with Chromedev- for easy searching/sorting, so you know what it's for, too.
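The author's script itself is not reproduced on this page; what follows is an added example with the same contract, not the original. It assumes the FortiOS `config firewall address` / `set type fqdn` CLI syntax, assumes Google's wildcard hosts appear in the input as `alt*.<domain>`, and uses a constructed sample list in place of the fortiaddress file.

```shell
#!/usr/bin/env bash
# Added example (not the author's script): expand a newline-separated FQDN
# list into FortiGate address objects of type fqdn, named "Chromedev-<fqdn>".
set -eu

ALT_MAX=24   # alt1..alt24.google.com existed as of Mar 2019 (per the notes)

# expand_fqdns: read FQDNs on stdin, print one concrete FQDN per line.
# FortiGate will not take wildcard FQDN objects, so a host written as
# "alt*.<domain>" (assumed input form) is expanded to alt1..alt$ALT_MAX.
expand_fqdns() {
  local fqdn i
  while IFS= read -r fqdn || [ -n "$fqdn" ]; do
    fqdn="${fqdn%$'\r'}"            # tolerate CRLF line endings
    [ -z "$fqdn" ] && continue
    case "$fqdn" in
      \#*) continue ;;              # skip comment lines
      alt\*.*)
        for ((i = 1; i <= ALT_MAX; i++)); do
          printf 'alt%d.%s\n' "$i" "${fqdn#alt\*.}"
        done ;;
      *\**)                         # any other wildcard: report, do not emit
        printf 'skipping unsupported wildcard: %s\n' "$fqdn" >&2 ;;
      *) printf '%s\n' "$fqdn" ;;
    esac
  done
}

# gen_fortigate_config: read concrete FQDNs on stdin, emit FortiOS CLI that
# can be pasted into the FortiGate console.
gen_fortigate_config() {
  local fqdn
  echo "config firewall address"
  while IFS= read -r fqdn; do
    printf '    edit "Chromedev-%s"\n' "$fqdn"
    printf '        set type fqdn\n'
    printf '        set fqdn "%s"\n' "$fqdn"
    printf '    next\n'
  done
  echo "end"
}

# Constructed sample standing in for the fortiaddress file.
SAMPLE_FQDNS='accounts.google.com
alt*.google.com
*.example.com'

expand_fqdns <<<"$SAMPLE_FQDNS" | gen_fortigate_config
```

For real use, replace the constructed sample with `expand_fqdns < fortiaddress | gen_fortigate_config`; hosts flagged on stderr as unsupported wildcards still need to be expanded by hand.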