
Google Workspace - Distributing Configuration to Chrome and ChromeOS

Describes configuring Google Workspace user policy for proxy PAC URL and root CA on Chrome/ChromeOS. Covers limitations (iOS not supported, CA only for ChromeOS/Android).

Updated over a month ago

SurePath AI Proxy Integration via Google Chrome and ChromeOS

Supported platforms

  • Proxy PAC URL distribution

    • Chrome browser on Windows, Mac, Linux, and Android

      • Chrome browser on iOS is NOT supported

    • ChromeOS devices such as Chromebooks

  • Root CA certificate distribution

    • ChromeOS devices such as Chromebooks

    • Android and iOS (requires advanced mobile management licensing from Google)

    • On other platforms such as Windows or macOS, Google Workspace does not control the root certificate store. Another MDM solution would need to be used to distribute the root CA certificate.

About this document

This document does not cover how to enroll devices in Google Workspace. It covers how to create the policies that distribute the proxy configuration and the root CA certificate.

The SurePath AI PAC file

SurePath AI distributes its proxy information via a Proxy Auto-Config (PAC) file. This PAC file contains all the information needed to direct only generative AI traffic to the SurePath AI proxy service while sending other traffic via their normal route.

The use of a PAC file also allows SurePath AI to update the list of generative AI domains. Most operating systems and browsers will request the PAC file every 1-2 hours, and if a new file can’t be retrieved, the current one will continue to be used.
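To illustrate the selective routing described above, here is an added example of a PAC file; it is not the SurePath AI PAC file. The domain list and proxy address are constructed placeholders, and hostInDomain is a hypothetical helper name.

```javascript
// Constructed example PAC file, not the SurePath AI PAC file.
// The domains and the proxy address are placeholders for illustration.
var GENAI_DOMAINS = ["genai.example", "chat.example.net"];
var PROXY = "PROXY proxy.example.invalid:8080";

// True when host equals the domain or is a subdomain of it.
// Matching on a label boundary keeps look-alike hosts such as
// "notgenai.example" or "genai.example.other.test" off the proxy route.
function hostInDomain(host, domain) {
  // Normalise case and strip a trailing dot from fully qualified names.
  host = host.toLowerCase().replace(/\.$/, "");
  if (host === domain) {
    return true;
  }
  var suffix = "." + domain;
  return host.slice(-suffix.length) === suffix;
}

// Entry point the browser calls for each request it is about to make.
function FindProxyForURL(url, host) {
  for (var i = 0; i < GENAI_DOMAINS.length; i++) {
    if (hostInDomain(host, GENAI_DOMAINS[i])) {
      return PROXY; // listed generative AI traffic goes to the proxy
    }
  }
  return "DIRECT"; // all other traffic keeps its normal route
}
```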

The SurePath AI root CA certificate

Just like other network security and SASE vendors, SurePath AI relies on certificate trust to intercept and apply policy to connections to generative AI websites. The SurePath AI root CA certificate needs to be trusted by all devices that need to be governed by SurePath AI.

Configuring Google Workspace

All configuration in this section takes place within the Google Workspace admin portal located at https://admin.google.com and unless otherwise stated, all instructions start from this URL.

Important note

The proxy PAC URL policy is applied within Google Workspace at the user level, not at the device level. For the policy to apply, it must be applied in the directory structure where the targeted users exist. If multiple Organizational Units (OU) need the policy, simply replicate the policy for the different OUs.

Prerequisites

Acquire the SurePath AI Proxy PAC URL

  • Navigate to Connectors in the CONFIGURE section and click ADD CONNECTOR

  • Provide a descriptive name for the connector (for example, "PAC File - Active Directory")

  • Select Proxy as the connector type

  • Click SAVE to generate your unique PAC file URL

  • Copy the PAC file URL from the connector details page

Creating the Google Workspace policy for proxy PAC URL distribution

  • Navigate to Devices > Chrome > Settings

  • Select the Organizational Unit (OU) that the policy will be applied to

  • Under the default tab, User & browser settings

    • Click into the Search or add a filter field and type "proxy"

  • Click on the Proxy Mode search result

  • Change the Configuration drop down to Always use the proxy auto-config specified below

  • Enter the proxy PAC URL acquired in the prerequisites section above

  • Click SAVE

Creating the Google Workspace policy for root CA distribution for ChromeOS

  • Navigate to Devices > Networks

  • Select the Organizational Unit (OU) that the policy will be applied to

  • On the right side, under the Certificates section, click UPLOAD CERTIFICATE

  • In the Add certificate window

    • Enter a name for the certificate such as "SurePath AI root CA certificate"

    • Click UPLOAD and select the certificate downloaded in the prerequisites section above

    • Select the platforms you want to distribute the certificate to, like Chromebook

  • Click ADD

Verifying the SurePath AI integration

After completing the deployment, verify that the endpoint is properly integrated using the SurePath AI Ready tool.
