For those who may stumble across this same issue/question, I will go ahead and answer this question for myself (and hopefully) the benefit of others.
We are currently in a Direct Proxy (w WCCP) config.
Unfortunately the Google infrastructure doesnt mesh with MWG/IWG authentication so basically the 'workaround' is to look at the User-Agent headers being generated from the DEVICES that you are looking to filter.
Create a rule based on User-Agent Header *CrOS* (Chrome OS - not necessarily the browser) to bypass authentication (and some SSL scanning) while assigning it a username or grouping that will allow access.
Fortunately, WCCP will catch anything that is not being pushed to the device/browser via .pac file and (should) apply the username/auth based on the rule(s) you create.