
Proxy - Google Workspace - Distributing Configuration to Chrome and ChromeOS

This article describes how to configure Google Workspace policy to distribute the proxy configuration and the SurePath AI root CA certificate.

Updated over 2 months ago

SurePath AI Proxy Integration via Google Chrome and ChromeOS

Supported platforms

  • Proxy PAC URL distribution

    • Chrome browser on Windows, Mac, Linux, and Android

      • Chrome browser on iOS is NOT supported

    • ChromeOS devices such as Chromebooks

  • Root CA certificate distribution

    • ChromeOS devices such as Chromebooks

    • Android and iOS (requires advanced mobile management licensing from Google)

    • On other platforms such as Windows or macOS, Google Workspace does not control the root certificate store. Another MDM solution would need to be used to distribute the root CA certificate.

About this document

This document does not cover how to enroll devices in Google Workspace. It covers how to create the policies that distribute the proxy configuration and the root CA certificate.

The SurePath AI PAC file

SurePath AI distributes its proxy information via a Proxy Auto-Config (PAC) file. This PAC file contains all the information needed to direct only generative AI traffic to the SurePath AI proxy service while sending other traffic via its normal route.

The use of a PAC file also allows SurePath AI to update the list of generative AI domains. Most operating systems and browsers will request the PAC file every 1-2 hours, and if a new file can’t be retrieved, the current one will continue to be used.
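The following is an added example, not SurePath AI's PAC file or tooling: it evaluates a PAC script offline and reports URLs whose routing differs from what an administrator expects, which is a useful check before pointing a policy at a PAC URL. The sample PAC, its domains, the proxy host, and the helper shims are constructed placeholders.

```javascript
// Constructed sample PAC file: the domains and proxy host are placeholders,
// not SurePath AI's real domain list or proxy endpoint.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (dnsDomainIs(host, ".genai.example") || shExpMatch(host, "chat.*.example"))
    return "PROXY proxy.example.net:8080";
  return "DIRECT";
}`;

// Minimal shims for the PAC helper functions the sample uses.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  shExpMatch: (str, glob) => {
    const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                   .replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
  },
};

// Evaluate a PAC script for one URL and return its routing decision string.
function evaluatePac(pacSource, url) {
  const host = new URL(url).hostname;
  const names = Object.keys(pacHelpers);
  const find = new Function(...names, pacSource + "\nreturn FindProxyForURL;")(
    ...names.map((n) => pacHelpers[n]));
  return find(url, host);
}

// Return the URLs whose routing differs from the expected "proxy" or "direct".
function auditPac(pacSource, expectations) {
  return Object.entries(expectations)
    .filter(([url, want]) => {
      const viaProxy = evaluatePac(pacSource, url) !== "DIRECT";
      return viaProxy !== (want === "proxy");
    })
    .map(([url]) => url);
}

// Constructed expectations: generative AI hosts proxied, everything else direct.
const EXPECTED = {
  "https://api.genai.example/v1/chat": "proxy",
  "https://chat.vendor.example/": "proxy",
  "https://intranet/": "direct",
  "https://mail.corp.example/": "direct",
};
console.log(auditPac(SAMPLE_PAC, EXPECTED)); // lists any unexpectedly routed URLs
```

Only evaluate PAC text from a source you trust with this approach, since the script is executed as JavaScript.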

The SurePath AI root CA certificate

As with other network security and SASE vendors, certificate trust allows SurePath AI to intercept and apply policy to connections to generative AI websites. The SurePath AI root CA certificate needs to be trusted by all devices that need to be governed by SurePath AI.

Configuring Google Workspace

All configuration in this section takes place within the Google Workspace admin portal located at https://admin.google.com. Unless otherwise stated, all instructions start from this URL.

Important note

The proxy PAC URL policy is applied within Google Workspace at the user level, not at the device level. For the policy to take effect, it must be applied in the directory structure where the targeted users exist. If multiple Organizational Units (OUs) need the policy, simply replicate the policy for the different OUs.

Prerequisites

The proxy PAC URL and certificate needed for these steps can be found at https://admin.surepath.ai in the Configure menu in Organization under the Integrations tab. The certificate is available in the File Downloads section (download using the CER option) and the proxy PAC URL is available in the Proxy and Provider URLs section.

Creating the Google Workspace policy for proxy PAC URL distribution

  • Navigate to Devices > Chrome > Settings

  • Select the Organizational Unit (OU) that the policy will be applied to

  • Under the default tab, User & browser settings

    • Click into the Search or add a filter field and type "proxy"

  • Click on the Proxy Mode search result

  • Change the Configuration drop-down to Always use the proxy auto-config specified below

  • Enter the proxy PAC URL acquired in the prerequisites section above

  • Click SAVE

Creating the Google Workspace policy for root CA distribution for ChromeOS

  • Navigate to Devices > Networks

  • Select the Organizational Unit (OU) that the policy will be applied to

  • On the right side, under the Certificates section, click UPLOAD CERTIFICATE

  • In the Add certificate window

    • Enter a name for the certificate such as "SurePath AI root CA certificate"

    • Click UPLOAD and select the certificate downloaded in the prerequisites section above

    • Select the platforms you want to distribute the certificate to, such as Chromebook

  • Click ADD

Verifying the SurePath AI integration

SurePath AI provides a tool for verifying that an endpoint is configured to properly integrate with SurePath AI's platform. After completing the steps above and verifying the configuration has been deployed to the desired devices, administrators can verify the integration by visiting https://ready.surepath.ai.

Interpreting results

A test will be run as soon as the page is loaded. If both tests show green Valid results, the endpoint is properly integrated and GenAI traffic originating from that endpoint will be processed by SurePath AI.

If the Certificate Trust test shows a red Invalid result, it means that the SurePath AI root certificate is not trusted by the device or browser. This could be the result of the certificate not being deployed to the device yet. Please check the device's local certificate trust store for the SurePath AI root CA certificate. If the certificate has been deployed (and/or verified installed), it's possible the device might need to be restarted for the browser to read the newly added SurePath AI root CA certificate.

If the Network Configuration test shows a red Invalid result, it means that the SurePath AI platform is not receiving traffic from the endpoint. This is most likely due to the network configuration not being pushed to the device. Some browsers or applications, like Firefox, ignore system-level proxy settings and have internal proxy settings that will need to be configured separately from the system-level settings that are configured in this document.
