Description:
On a chromebook, under Settings, Internet Connection, + Add Connection...a student has the ability to add a OpenVPN/L2TP connection.  There currently is no way in Google Admin Console to prevent a user from adding this type of connection.  Currently, the only way to block this is to prevent the user from adding any network connections.  In a 1:1 Chromebook Takehome program where students take chromebooks home, they must have the ability to add additional wifi networks.

The second way to block this is to put the Chrome://settings URL's in the URL Block list, which blocks them from almost all settings.  I am currently using this as a workaround.

Use case:
Add the ability for administrators to prevent users from adding OpenVPN/L2TP connections on their chromebooks via a setting in the Google Admin Console. Administrators should be able to check a setting in the console to block "Add Connection...OpenVPN/L2TP".   If a student has already filled this in, we need to clear this out so the settings don't allow continued use.  This feature will allow the user access to their all their settings including keyboard settings, add new wifi, etc settings on their chromebook.  

We go to great lengths to block VPN/Proxy apps from being installed by students on their student chromebooks and this current chromebook setting as it exists today allows the students to very easily connect to a VPN and bypass our firewall.  

Motivation:
Our firewall rules are required/mandated by the Children's Internet Protection Act (CIPA).  We have caught students on chromebooks visiting sites during the school day from school that are EXTREMELY inappropriate or communicating with individuals from other areas via "video chat" sites, etc. by using VPN/Proxy.

Existing workarounds:
The only viable workaround is blocking these URL's: 
chrome://settings
chrome://chrome/settings
chrome://settings-frame
chrome://chrome/settings-frame

in the URL Blocking User Settings.  This however, does not do anything for anyone who may have already added a OpenVPN/L2TP connection to their chromebook.