Even with Google Admin configured and a proper Certificate for NSProxy Validation, you can still experience issues when trying to access Chromebooks that are being filtered through the Netsweeper Policy Server through a Proxy.
What is happening is when the Client tries to communicate with the Google Admin server some requests are hitting as decrypt:// and since they don't have a valid Cert yet (as this applies only after you've logged in) the requests can't complete.
To accommodate for this we will need to add a number of Decrypt=Allow Entries. There are two places that you can add these, so depending on your deployment select the one that is most appropriate.
Assumed Configurations:
nsproxy.conf (NSProxy Server Configurations)
decrypt_passthrough_if allow
Option 1 - Shared Decryption List
In the WebAdmin, go to URL Tools -> URL List Manager, select the Selective Decryption list.
Select the New Entry button.
Add the following entries into the Selective Decryption List as Allow URLs and then click the Save Entry button:
decrypt://accounts.google.com
decrypt://gstatic.com
decrypt://clients1.google.com
decrypt://clients2.google.com
decrypt://clients3.google.com
decrypt://clients4.google.com
decrypt://googleapis.com
Option 2 - Group Policy Local List
If you don't have access to modify or add Shared List Entries you can still perform the same steps in your Group Policy's Local List.
In the WebAdmin, go to Policy Management -> Group Manager (Select the Group your Chromebooks are filtered through). Select the Policies Tab, then the List Tab.
Select the Policy, and finally go to the URL/Keyword Local List tab. NOTE: If you do not have a Local List, click the Create Local List button.
Select the New Entry button.
Add the following entries into the Local List as Allow URLs and then click the Save Entry button:
decrypt://accounts.google.com
decrypt://gstatic.com
decrypt://clients1.google.com
decrypt://clients2.google.com
decrypt://clients3.google.com
decrypt://clients4.google.com
decrypt://googleapis.com
You can validate that this is working by trying to log into the Chromebook again, and/or by reviewing the Logs -> Request Log Files. Decrypt requests coming from the Chromebook attempting to log in should come through as allowed entries.