Summary
Even with Google Admin configured and a proper Certificate for NSProxy Validation, you can still experience issues when trying to access Chromebooks that are being filtered through the Netsweeper Policy Server through a Proxy.
Root Cause
When the client device tries to communicate with the Google Admin server some requests are hitting as decrypt:// and since they don't have a valid Cert yet (as this applies only after you've logged in) the requests can't complete.
Resolution
To accommodate for this we will need to add a number of decrypt:// Allow Entries. There are two places that you can add these, so depending on your deployment select the one that is most appropriate.
Assumed Configurations:
The NSProxy Server Configuration should have the following rule set:
decrypt_passthrough_if allow
Option 1 - Shared Decryption List
In the WebAdmin, go to Policies > Lists and select the Selective Decryption list.
Select the New Entry button.
Add the following entries:
decrypt://accounts.google.com
decrypt://gstatic.com
decrypt://clients1.google.com
decrypt://clients2.google.com
decrypt://clients3.google.com
decrypt://clients4.google.com
decrypt://googleapis.com
Option 2 - Group Policy Local List
If you don't have access to modify or add Shared List Entries you can still perform the same steps in your Group Policy's Local List.
In the WebAdmin, go to Policies > Policies and select the Policy for the Group your Chromebooks are filtered through. Choose the URL/Keyword Local List Tab.
Select the New Entry button.
Add the above entries into the Local List as Allow URLs and then click the Save Entry button:
Testing
You can validate that this is working by trying to log into the Chromebook again, and/or by reviewing the Logs -> Request Log Files. Decrypt requests coming from the Chromebook attempting to log in should come through as allowed entries.