    Applicable to:

    • Chrome/Chromium 142 with Local Network Access enabled
    • Mac, Windows, Linux

    Overview

    Starting in version 142 of Chrome, Local Network Access (LNA) is enabled by default.

    Because Twingate routes Resource traffic through CGNAT addresses over loopback to the virtual Twingate interface, Chrome treats Twingate Resources accessed via the browser as local sites and prompts the user with an Allow or Block dialog.

    Symptoms

    • End users may not be able to access their Twingate Resources if they clicked Block on the latest Chrome/Chromium browser.
    • CORS errors may be elevated.
    • Images may be blocked.
    • Twingate Resources may show as Not secure.

    Workaround

    Solutions depend on whether managed browser profiles are applied to end users and whether admins are on Enterprise tier Google Workspace accounts.

    Narrow the scope of Twingate Resources whose definitions would otherwise match public CDN services such as Amazon, Cloudflare, or Azure, for example:

    • *.amazonaws.com
    • *.microsoftonline.com, azureedge.net, *.azure.com, etc.

    Admins can exclude these endpoints from their Resource definitions if they are not explicitly required and can be resolved privately.

    Unmanaged browser profiles

    End users may be able to self serve by:

    • Click Not secure.
    • Toggle Local Network Access.
    • Or, click Site settings, scroll to Local network access, open the drop-down, and select Allow.

    End users who can manage their own browser can also disable LNA via the Chrome flag:

    chrome://flags/#local-network-access-check

    Enterprise Admin Controls

    Google Enterprise administrators can pre-allow URLs that are defined as Twingate Resources in two ways, or choose to disable or opt out of LNA via custom profiles.

    Disable or opt out of LNA

    Administrators have the option of disabling LNA in custom profiles.

    Configure Chrome using Google Workspace

    Managed Profiles need to be configured. In the Google Admin Console, define LocalNetworkAccessAllowedForUrls (see the Chrome policy specification for that policy).

    1. In the Workspace admin console, go to Chrome Browser > Custom Configurations.
    2. Select the target organizational unit.
    3. In Configurations, add the following JSON configuration (replace with your own URLs; note that JSON does not allow a trailing comma after the last array entry):
    {
        "LocalNetworkAccessAllowedForUrls": [
            "https://your-internal-domain.int"
        ]
    }
    4. Click Save.
    5. Open chrome://policy and click Reload policies to confirm the values are applied.

    Learn more about configuring custom Chrome policies in Workspace - link

    Configure Chrome via MDM

    You can use your Mobile Device Management (MDM) solution to deploy a policy that pre-grants LNA permission for your Twingate Resource URLs on managed devices. This prevents users from ever seeing the prompt. The configuration varies slightly by operating system.

    Windows (via Intune)

    1. In the Intune console, create a custom device configuration profile:
      • Navigate to: Devices > Configuration > Create profile
        1. Platform: Windows 10 and later
        2. Profile type: Template
        3. Template name: Custom
    2. Add OMA-URI rows
      • Enter the LNA URI in the OMA-URI property:
        1. ./Device/Vendor/MSFT/Registry/HKLM/SOFTWARE/Policies/Google/Chrome/LocalNetworkAccessAllowedForUrls
      • Enter the URL you want to allowlist in the Value property.
      • If you are entering more than one URL, create a separate row for each URL and append a sequence number to the OMA-URI:
        1. E.g. ./Device/Vendor/MSFT…LocalNetworkAccessAllowedForUrls/1
    3. Assign the profile to the desired groups and test.

    macOS

    For macOS devices managed by an MDM, you'll deploy a configuration profile (.mobileconfig) with a custom payload for Chrome. The payload should contain the following keys and values in the com.google.Chrome preference domain.

    Here is an example .plist snippet:

    XML

    <key>LocalNetworkAccessAllowedForUrls</key>
    <array>
        <string>https://[*.]yourdomain.com</string>
    </array>
    <key>LocalNetworkAccessRestrictionsEnabled</key>
    <true/>

    Android (via Managed App Configuration)

    For managed Android devices, you can push the policy using your MDM's managed app configuration capabilities for the Google Chrome app.

    1. In your MDM console, navigate to the app configuration settings for Google Chrome.
    2. Add a new configuration using the following keys and values. The format will be a JSON block similar to the one used for Google Workspace.

    JSON

    {
      "LocalNetworkAccessAllowedForUrls": [
        "https://[*.]yourdomain.com"
      ],
      "LocalNetworkAccessRestrictionsEnabled": true
    }
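    As an added example (not part of the Twingate article or its tooling), the Python helper below builds the three LocalNetworkAccessAllowedForUrls artifacts described in this section (Workspace/Android JSON, numbered Intune OMA-URI rows, macOS plist keys) from one list of Resource URL patterns, so the same allowlist is deployed consistently and malformed patterns or hand-typed JSON errors are caught before rollout. The strict URL-pattern subset accepted by the regex and the sample hostnames are assumptions.

```python
"""Generate Chrome LocalNetworkAccessAllowedForUrls policy artifacts from one
list of Twingate Resource URL patterns, validating each pattern first."""
import json
import re
from xml.sax.saxutils import escape

POLICY = "LocalNetworkAccessAllowedForUrls"
OMA_URI_BASE = (
    "./Device/Vendor/MSFT/Registry/HKLM/SOFTWARE/Policies/Google/Chrome/" + POLICY
)
# Assumption: accept only the pattern subset used in this article: optional
# scheme, optional [*.] subdomain wildcard, hostname, optional port, no path.
_PATTERN = re.compile(
    r"^(https?://)?(\[\*\.\])?([a-z0-9-]+(\.[a-z0-9-]+)+|localhost)(:\d{1,5})?$"
)

def validate_patterns(patterns):
    """Return the patterns as a list, or raise ValueError naming the bad one."""
    for p in patterns:
        if not _PATTERN.match(p):
            raise ValueError(f"invalid Chrome URL pattern: {p!r}")
    return list(patterns)

def workspace_json(patterns, restrictions_enabled=True):
    """JSON block for the Workspace custom configuration or Android app config.
    json.dumps never emits the trailing comma that breaks hand-written JSON."""
    body = {POLICY: validate_patterns(patterns)}
    if restrictions_enabled:
        body["LocalNetworkAccessRestrictionsEnabled"] = True
    return json.dumps(body, indent=2)

def intune_oma_uri_rows(patterns):
    """One (OMA-URI, value) row per URL; list policies are numbered /1, /2, ..."""
    return [(f"{OMA_URI_BASE}/{i}", p)
            for i, p in enumerate(validate_patterns(patterns), start=1)]

def macos_plist_fragment(patterns, restrictions_enabled=True):
    """Keys for the com.google.Chrome preference domain of a .mobileconfig payload."""
    lines = [f"<key>{POLICY}</key>", "<array>"]
    lines += [f"    <string>{escape(p)}</string>" for p in validate_patterns(patterns)]
    lines.append("</array>")
    if restrictions_enabled:
        lines += ["<key>LocalNetworkAccessRestrictionsEnabled</key>", "<true/>"]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample Resource patterns, not real customer data.
    sample = ["https://[*.]corp.example.com", "https://wiki.example.com:8443"]
    print(workspace_json(sample))
    for uri, value in intune_oma_uri_rows(sample):
        print(uri, "=", value)
    print(macos_plist_fragment(sample))
```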

    See this link to learn more about the Local Network Access setting - link