ChromeOS Flex and my security findings

What is ChromeOS Flex?

It’s always nice to discover new things in this multi-cloud and multi-OS world of yours.

Google bought Neverware back in 2020, and now there have been some working versions of ChromeOS Flex, which is based on the CloudReady software.

Requirements and media

Maybe you haven’t heard about Google’s ChromeOS Flex, or maybe you have but haven’t tried it. Either way, here are some tips for you.

When you download the installer and start the install, you need:

  • USB with 8GB free space
  • Chrome extension that will create the USB media
  • Device that has 4GB of RAM, 16GB of HDD and an x86 processor

If you don’t have a certified model, you can choose the options seen in this picture.

And if you have a device that is one of the following.

ChromeOS and Flex

Chromebooks have been here for a long time and are mostly used in education because of the price range they are in. So what is the difference between the old ChromeOS and Flex?

You can install Linux to it

Just like on Windows, where you can install WSL and your own distros, you can install Linux on ChromeOS Flex.

And you can share files between OS and Linux, just like in Windows.

Limitations and my own experience

Here are some of the limitations:

  • Google Play and Android apps: ChromeOS Flex does not support Android apps or Google Play.
  • Parallels Desktop: ChromeOS Flex does not support running Windows virtual machines (VMs) using Parallels Desktop.
  • Firmware updates: Unlike ChromeOS devices, ChromeOS Flex devices do not manage and automatically update their BIOS or UEFI firmware.

My own experiences:

  • In the installation phase, you can choose a default language and keyboard layout that it has; there is no way to change it inside the installer. Once the install is done, you can have a different display language and your own localized keyboard layout.
  • There aren’t any OVA or ISO files available for download anymore, as Flex went out of the beta phase. So no installs to virtual machines.

Security

But there is also stuff to consider security-wise; read here about a recent CVE from the Microsoft 365 Defender Research Team.

And more on ZDNet

Google states that

“ChromeOS Flex provides much needed protection from growing threats, including ransomware, malware, and employee errors.”

But I haven’t found any real articles on what this means, so keep this in mind when refreshing your old hardware with Flex.

Digging a little deeper

Google has a Chromium-based security article in their docs. For one, it states that they have security boundaries from the built-in Chrome and that it cannot interact with system services directly.

And here the picture of the layered security model as described by Google.

How about Endpoint management?

Limitations

Since Flex doesn’t support Android apps or Google Play, there is the first issue.

You cannot install Company Portal or Defender for Android from Google Play because of it.

How about adding it with Conditional Access policies?

A fellow MVP, Thijs Lecomte, wrote a blog post about MEM and ChromeOS (not Flex), but it gives some action points.

Let’s see if it works. First from Learn documentation.

Once you create the Conditional access policy, we will select Require app protection.

And we should assign it to Any device, as ChromeOS Flex isn’t an Android.

But we can’t because it can be enabled for Android or iOS only.

Once we select Android and iOS and sign in from ChromeOS Flex, we will see it as follows in the Azure logs.

And it’s not working, as ChromeOS Flex isn’t seen as a supported Android version.

How to enable MFA for ChromeOS?

And exclude mobile devices

And once enforced, we will be asked for MFA on all the unsupported devices. And you will see it inside Azure sign-in logs as follows.

And from details we can see the whole process.
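The two policies described above, written out as Microsoft Graph request bodies with a small coverage check; this is an added example, not taken from the original post or from Microsoft's documentation. The display names, the `CHROMEOS_FLEX` label and the simplified matching in `applies` are assumptions made for illustration.

```python
import json

# Assumption: ChromeOS Flex has no value of its own in the Graph
# conditionalAccessDevicePlatform enum, so this constructed label stands for it.
CHROMEOS_FLEX = "unrecognized-chromeos-flex"

def build_policy(name, include, exclude, controls):
    """Request body for POST /identity/conditionalAccess/policies (Microsoft Graph)."""
    return {
        "displayName": name,  # constructed display name
        "state": "enabledForReportingButNotEnforced",  # report-only while testing
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": include, "excludePlatforms": exclude},
        },
        "grantControls": {"operator": "OR", "builtInControls": controls},
    }

# "Require app protection policy" can only be scoped to Android and iOS.
APP_PROTECTION = build_policy("Mobile: require app protection",
                              ["android", "iOS"], [], ["compliantApplication"])
# MFA for every platform except the mobile ones covered above.
MFA_OTHERS = build_policy("Non-mobile: require MFA",
                          ["all"], ["android", "iOS"], ["mfa"])

def applies(policy, platform):
    """Simplified platform matching: an exclusion wins, 'all' matches the rest."""
    cond = policy["conditions"]["platforms"]
    if platform in cond["excludePlatforms"]:
        return False
    return "all" in cond["includePlatforms"] or platform in cond["includePlatforms"]

def required_controls(policies, platform):
    """Grant controls a sign-in from this platform would have to satisfy."""
    controls = set()
    for policy in policies:
        if applies(policy, platform):
            controls.update(policy["grantControls"]["builtInControls"])
    return controls

def uncovered(policies, platforms):
    """Platforms that match no policy at all, i.e. sign in with no extra control."""
    return [p for p in platforms if not required_controls(policies, p)]

if __name__ == "__main__":
    platforms = ["android", "iOS", "windows", CHROMEOS_FLEX]
    print("app protection only, uncovered:", uncovered([APP_PROTECTION], platforms))
    print("with MFA policy, uncovered:", uncovered([APP_PROTECTION, MFA_OTHERS], platforms))
    print(json.dumps(MFA_OTHERS, indent=2))
```

With only the app protection policy in place, the check reports the Flex device as uncovered, which is the gap the MFA policy closes.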

Closure

I think Flex is an excellent release to refresh your old laptop and use it for Google-based apps. The current state of security doesn’t really convince me.

And I also cannot onboard any Defender for the OS nor install any external software from Google Play store. Maybe this will change in the future, I don’t know when.

Maybe you should just go with Windows 11 for now, as you can attach more security measures to it. There are more requirements for the hardware, and that’s really the only thing that could switch you to see Flex when releases.

Just to summarize, here are the minimum requirements:

  • RAM: 4 GB
  • Storage: 64 GB or larger storage device
  • System Firmware: UEFI (for Unified Extensible Firmware Interface, a modern version of the PC BIOS) and Secure Boot capable
  • TPM: Trusted Platform Module (TPM) version 2.0

Author: Harri Jaakkonen
