Google Workspace setup guide

manifest.json

@@ -45,13 +45,17 @@
               "path": "/platform/smallstep-agent.mdx"
             },
             {
-              "title": "Connect Jamf Pro",
-              "path": "/tutorials/connect-jamf-pro-to-smallstep.mdx"
+              "title": "Connect Google Workspace",
+              "path": "/tutorials/connect-google-workspace-to-smallstep.mdx"
             },
             {
               "title": "Connect Intune",
               "path": "/tutorials/connect-intune-to-smallstep.mdx"
             },
+            {
+              "title": "Connect Jamf Pro",
+              "path": "/tutorials/connect-jamf-pro-to-smallstep.mdx"
+            },
             {
               "title": "Connect Workspace One UEM",
               "path": "/tutorials/connect-workspace-one-to-smallstep.mdx"
@@ -78,14 +82,14 @@
               "title": "Set up Wi-Fi Access Points for EAP-TLS",
               "path": "/tutorials/wifi-setup-guide.mdx"
             },
-            {
-              "title": "Deploy EAP-TLS Wi-Fi with Jamf Pro",
-              "path": "/tutorials/apple-mdm-jamf-setup-guide.mdx"
-            },
             {
               "title": "Deploy EAP-TLS Wi-Fi with Intune",
               "path": "/tutorials/intune-mdm-setup-guide.mdx"
             },
+            {
+              "title": "Deploy EAP-TLS Wi-Fi with Jamf Pro",
+              "path": "/tutorials/apple-mdm-jamf-setup-guide.mdx"
+            },
             {
               "title": "Wi-Fi Authentication Webhooks",
               "path": "/tutorials/wifi-authentication-webhooks.mdx"

step-ca/acme-basics.mdx

@@ -1,5 +1,5 @@
 ---
-updated_at: October 02, 2025
+updated_at: October 20, 2025
 title: ACME Basics
 html_title: ACME Protocol Basics for step-ca Users
 description: Learn ACME protocol fundamentals for step-ca. Implement automated certificate management using industry-standard protocols.
@@ -42,10 +42,23 @@ This tutorial assumes you have initialized and started up a `step-ca` server (se
 With ACME, machines can get certificates from a CA without any human interaction involved.
 It is used by public Web PKI CAs (eg. Let's Encrypt) and by private, internal CAs.
 
-ACME allows the CA to prove that a client controls a set of resources for the purpose of certificate issuance.
-ACME doesn't restrict _who_ can make requests of the CA.
-There is an extension to ACME called External Account Binding (EAB) which adds keys for ACME accounts,
-and this feature is available in Smallstep's commercial CA software.
+ACME allows the CA to prove that a client controls an identifier
+(a domain name, for example)
+for the purpose of authorizing a certificate request.
+However, ACME can't determine whether a client
+is the rightful owner of the identifier,
+or merely an entity currently controlling it.
+
+ACME's security model relies heavily on DNS and network security.
+An ACME administrator must ensure
+that host IP assignment and DNS resolution
+are appropriately secured.
+And in some organizations,
+an additional client credential acts as a useful backstop here.
+There is an extension to ACME called External Account Binding (EAB)
+which adds an authorization layer,
+using pre-registered client credentials.
+This feature is available in Smallstep's commercial CA software.
 
 ## A Typical ACME Flow
 

tutorials/connect-google-workspace-to-smallstep.mdx

@@ -0,0 +1,92 @@
+---
+updated_at: October 21, 2025
+title: Connect Google Workspace to Smallstep
+html_title: Integrate Google Workspace with Smallstep Tutorial
+description: Integrate Google Workspace with Smallstep for Chromebook device security. Complete guide for enforcing device trust in ChromeOS environments.
+---
+
+Smallstep can integrate with Google Workspace to keep your ChromeOS device inventory in sync.
+
+# Prerequisites
+
+You will need:
+
+- A [Smallstep team](https://smallstep.com/signup)
+- A Google Workspace tenant, with ability to manage domain-wide delegation
+- A Google Cloud project, with ability to create service accounts and keys
+
+# Step-by-step instructions
+
+In Google Cloud Console, select a project you will use for Smallstep. This can be any project, as long as you can grant domain-wide delegation to the client in a future step.
+
+Your Google Cloud project must have the Admin SDK API enabled. By default, it is disabled.
+
+### 0. Enable Admin SDK API
+
+1. Go to [Admin SDK API](https://console.cloud.google.com/apis/api/admin.googleapis.com) for your project, and choose **Enable API**
+
+### 1. Create a Service Account for Smallstep
+
+1. In Google Cloud, visit [IAM & Admin → Service Accounts](https://console.cloud.google.com/iam-admin/serviceaccounts)
+2. Choose **Create service account**
+3. Set a **Service account name**, e.g. `Smallstep Google Workplace Sync` 
+4. Optionally, provide a **Description** for the account
+5. Choose **Done**
+6. Open the details for the Service Account you just created
+7. Copy the **Unique ID** (numeric) and the **Email** shown on the details tab; you’ll need them later
+8. Visit the **Keys** tab, and choose **Add key**, then **Create new key**
+9. Choose **Create** to create a JSON key
+
+A file containing the service account key will be downloaded. Keep this safe and secure!
+
+### 2. Grant device directory API permissions
+
+1. In Google Admin, visit [Security → Access and data control → API controls](https://admin.google.com/ac/owl)
+2. Under Domain wide delegation, select **Manage Domain Wide Delegation**
+3. In the **API Clients** table, select **Add new**
+    1. Enter the **Unique ID** of the service account from Step 1
+    2. For the **OAuth Scopes**, enter the following scope:
+
+        ```
+        https://www.googleapis.com/auth/admin.directory.device.chromeos
+        ```
+
+    3. Choose **Authorize**
+
+### 3. Add Google Workspace to Smallstep
+
+In Smallstep, visit [Settings → Device Management](https://smallstep.com/app/?next=/settings/devices).
+
+Configure a new Google Workspace Integration with the following values:
+
+- The **Customer ID** of your Google Workspace tenant. The Customer ID is a short alphanumeric string. It can be obtained from the Google Workspace Admin [Account Settings](https://admin.google.com/ac/accountsettings/profile) page
+- The **Service Account JSON key** you downloaded earlier
+- An email address of a user in your Google Workspace directory with admin permissions
+
+### 4. Add Smallstep Certificates to Google Workspace
+
+After saving the Google Workspace connection, you will see settings for your integration.
+
+1. Download the following Authority Certificates:
+   - Smallstep Devices Root CA
+   - Smallstep Devices Intermediate CA
+   - Smallstep Agents Root CA
+   - Smallstep Agents Intermediate CA
+
+2. In Google Workspace, visit [Devices → Networks → Certificates](https://admin.google.com/ac/networks/certificates).
+3. Choose an Organizational Unit, if desired
+4. Choose **Add certificate**
+
+    In the modal, configure the following:
+
+    - Provide a descriptive name, e.g. `Smallstep Devices Root`
+    - Upload the PEM file for the Smallstep Devices Root CA
+    - Check ✅ **Enabled for Chromebook**
+    - Choose **Add**
+5. Repeat Step 4 for each of the certificates you downloaded
+
+### Confirmation
+
+Within a few minutes, you should see all of your ChromeOS devices in Smallstep's [Devices](https://smallstep.com/app/?next=/devices/all) tab.
+A full sync is performed every 8 hours, and a partial sync every hour.
+