ChromeOS management with the Chrome Policy API is the second generation of the cloud-based device management solution for ChromeOS devices. This version supports both Chrome Enterprise and Chrome Education.

This is the default management method for ChromeOS devices starting with Workspace ONE UEM console 2306. If you have registered Chrome EMM prior to Workspace ONE UEM 2306, follow the legacy management method found here.

In this section, you will learn how to:
  • Set up the Google Admin Console and Chrome Enterprise/Education licensing
  • Register ChromeOS devices to be managed in the Workspace ONE UEM console
  • Migrate legacy ChromeOS management to Chrome Policy management
  • Enroll ChromeOS devices for Chrome Policy management
  • Configure ChromeOS profiles for Chrome Policy management
  • Troubleshoot issues

Setup of Google Admin Console and Chrome Enterprise/Education Licensing

Since ChromeOS devices are managed directly by Google, you will need access to the Google Admin Console with a Google business, education, or Workspace account. You can find instructions on how to do this here. Once you have access to the admin console, you can configure the following:

  • User and admin accounts – these can be created in the admin console, or they can be imported from an identity provider
  • Organizational Units (OUs) – these organize devices and users. Each OU can receive a different policy/profile.
  • Chrome management
  • 3rd party EMM management for Chrome

To get started with Chrome management, you will need Chrome Enterprise or Chrome Education licensing. Licenses are purchased through Google or a supporting reseller, or as part of a device purchase. You can also set up a free trial license for testing. You can find more information on Chrome licensing and upgrades here.

Registration of ChromeOS Management in Workspace ONE UEM

After you gain admin access to both the Google Admin Console (admin.google.com) and the Google Cloud Console (console.cloud.google.com), complete the following steps:

  1. In the Google Cloud Console, navigate to APIs & Services > Enabled APIs & services, then click Enable API and Services. Search for and enable the following APIs:
    • Chrome Policy API
    • Admin SDK API
  2. In the Google Cloud Console, navigate to APIs & Services > Credentials > Create Credentials > Service Account.
    1. Give the service account a name and leave the remaining options blank. Make a note of the service account email address and client ID.
  3. In the Service Account Details page, go to the Keys tab.
    1. Select Add Key > Create New Key > P12. Download the P12 certificate file and note down the auto-generated password (typically "notasecret"). Optionally, you can upload your own certificate for added security.
  4. In the Google Admin Console, navigate to Security > API Controls > Domain Wide Delegation.
  5. Select Add New and enter the Client ID of the new service account created.
  6. Under "OAuth Scopes" add the following lines:
    • https://www.googleapis.com/auth/admin.directory.user
    • https://www.googleapis.com/auth/admin.directory.device.chromeos
    • https://www.googleapis.com/auth/admin.directory.orgunit.readonly
    • https://www.googleapis.com/auth/chrome.management.policy
  7. In the Workspace ONE UEM Console, navigate to Settings > Devices & Users > ChromeOS > Chrome OS EMM Registration.
    1. Enter the email address of the Google Admin account and the email address of the Service Account.
    2. Upload the certificate you downloaded from the Cloud console. Save the settings.
  8. Once the settings are saved, click Test Connection and Device Sync to ensure the registration was successful.
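The service account key from step 3 and the delegation granted in steps 4 to 6 are used through Google's OAuth 2.0 JWT bearer flow: the service account signs an assertion with the P12 private key, names the admin account as the `sub` (impersonated user) and the granted scopes, and exchanges it at the token endpoint for an access token. The following added example (not Workspace ONE or Google code; it needs the `cryptography` package, builds a constructed throwaway P12 in place of the downloaded one, and uses placeholder email addresses) builds and verifies such an assertion, which makes clear that the P12 file plus the admin email is the credential to protect and that the scopes in step 6 are exactly what that credential can reach.

```python
import base64, datetime, json, time
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

# The four OAuth scopes the registration steps grant under Domain Wide Delegation.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.device.chromeos",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
    "https://www.googleapis.com/auth/chrome.management.policy",
)
TOKEN_URL = "https://oauth2.googleapis.com/token"  # audience of the assertion

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_assertion(p12_bytes, password, sa_email, admin_email, now=None):
    """Sign the RS256 JWT that requests an access token acting as admin_email
    ('sub'); 'iss' is the service account whose P12 key signs it."""
    key, _cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, password)
    now = int(time.time() if now is None else now)
    claims = {"iss": sa_email, "sub": admin_email, "scope": " ".join(REQUIRED_SCOPES),
              "aud": TOKEN_URL, "iat": now, "exp": now + 3600}  # one-hour lifetime
    signing_input = (_b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
                     + "." + _b64url(json.dumps(claims).encode()))
    sig = key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + _b64url(sig)

def verify_assertion(token, p12_bytes, password):
    """Check the signature against the certificate in the P12; return the claims."""
    _key, cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, password)
    head, body, sig = token.split(".")
    cert.public_key().verify(_unb64url(sig), f"{head}.{body}".encode(),
                             padding.PKCS1v15(), hashes.SHA256())
    return json.loads(_unb64url(body))

def make_test_p12(password=b"notasecret"):
    """Constructed stand-in for the downloaded P12: throwaway key, self-signed cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-service-account")])
    start = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(1).not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=1)).sign(key, hashes.SHA256()))
    return pkcs12.serialize_key_and_certificates(
        b"sa", key, cert, None, serialization.BestAvailableEncryption(password))
```

Anyone holding the P12 and its password can mint this assertion for any admin in the domain, so treat the key file like an admin password and keep the delegated scopes to the list above.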

Migration of ChromeOS management from previous versions of Workspace ONE UEM

If you have a pre-existing ChromeOS registration from a previous version of Workspace ONE UEM, you can follow the below steps to migrate to the new solution:

  1. In UEM console navigate to Settings > Devices & Users > ChromeOS > ChromeOS EMM Registration and select Clear Settings.
  2. In the Google Admin Console, navigate to Directory > Users and select the user (admin) account that was previously used for the EMM registration. Under the Security section, scroll down to Connected Applications and delete the Workspace ONE connection from this menu.

After you have cleared all settings in the UEM console and Google Admin Console, return to the UEM console and perform the Chrome EMM Registration again. Any profiles will need to be created again, as these cannot be migrated from prior versions.

Enrollment of ChromeOS devices

There are two ways to enroll ChromeOS devices into management, both of which require the device to start from a clean, factory state.

  • Enterprise Enrollment – During initial setup, when the device prompts for a Google account, press Ctrl+Alt+E to enter the Enterprise enrollment flow. Log in with your Google administrator account to enroll the device.
  • Zero Touch – Certain device models support Zero Touch enrollment. The device can be pre-provisioned to your domain by a supporting reseller, and when it connects to the internet for the first time, it will automatically enroll itself into management.

Once devices are enrolled, they will automatically sync into Workspace ONE UEM within one hour. If you would like to sync the devices sooner, use the Device Sync button on the ChromeOS EMM Registration settings page.

Configuration of ChromeOS profiles

There are two types of profiles for ChromeOS:
  • User profiles: User profiles are applied only to the user account which means these settings do not take effect until the user signs into the device. User profile settings are not shared across user accounts.
  • Device profiles: Device profiles are applied to the device as a whole and take effect once the device is enrolled.

Profiles are assigned based on the Organization Unit (OU) of the Google Admin Console. During the creation of a profile, you will select the Google OU(s) that you want to be applied.

For User profiles, all user accounts in the selected OU and below will receive the settings. For Device profiles, all devices in the selected OU and below will receive the settings. There could be cases where the user and device are in different Organization Units, so assign the profiles accordingly.

The Workspace ONE UEM Extension for ChromeOS is automatically assigned to the top-level OU to ensure all devices receive it. This Extension is required for certificate management as well as additional reporting capabilities, such as reporting the current logged-in user. Once a user signs into the ChromeOS device with their corporate account, the Extension will be installed silently and users will see the Workspace ONE icon in their Extensions menu.

As a side effect of how User policies are handled, the Extension and any other User policies are applied to any device or Chrome browser on any OS platform where the user signs in with their corporate account. However, the Extension only functions on a managed ChromeOS device.

ChromeOS Device Management

You can manage all your devices from the UEM console. The dashboard is a searchable, customizable view that you can use to filter and find specific devices, which makes it easier to perform administrative functions on a particular set of devices. The Device List View displays all the devices currently enrolled in your Workspace ONE UEM environment and their status. The Device Details page provides device-specific information such as profiles, apps, and which version of any applicable OEM service is currently installed on the device. You can also perform platform-specific remote actions on the device from the Device Details page.

Device Management Commands

The More Actions drop down on the Device Details page enables you to perform remote actions over-the-air to the selected device. The actions listed vary depending on factors such as device platform, Workspace ONE UEM console settings, and enrollment status:

  • Enterprise Wipe – Enterprise Wipe deprovisions the selected Chrome OS devices from management in the Workspace ONE UEM console. Devices will continue to show as managed to the end user, but the UEM console shows the device as unenrolled in the Device Details page. All device policies are removed and policy updates are not sent to devices after the enterprise wipe. User policies remain intact on the device, as these are not dependent on device enrollment. To completely wipe the device or to re-enroll it, a powerwash (full device wipe) is required.
    • Before the enterprise wipe is processed, choose what happens with the Chrome OS license assigned to the device. Select Different Replacement Model, Retiring Device, or Same Model Replacement. The reason is stored in the UEM console Event Log. For annual licenses, you can simply reassign the license to another device. For perpetual licenses:
      • Replacement devices will need to be purchased with a perpetual license upgrade.
      • The license can be transferred to a different device of the same model.
      • If the device is being retired, any new devices will need to be purchased with a Chrome Enterprise license upgrade.
  • Reboot Device – Reboot a device remotely, reproducing the effect of powering it off and on again. Only supported on devices in Kiosk mode.
  • Device Wipe – Allows you to wipe a device, which removes all apps, data, email, profiles, and MDM capabilities and resets the device to its factory state. This is a restricted action which prompts you for a PIN before the action can be completed.
  • Clear User Profiles – In the event a device is lost or stolen, this command remotely logs out and deletes all users on the device, including any locally saved user data. This is a restricted action which prompts you for a PIN before the action can be completed.
  • Enable Lost Mode – Allows you to remotely disable devices that have been lost or stolen. When enabled, you can set a custom message to display on the lock screen through the Chrome OS device profile. While the device is disabled, it cannot be used for any purpose. Devices can then be re-enabled remotely once they are found.

Troubleshooting

When a profile is published, all settings are applied and visible in the Google Admin Console. You can check the Google Admin Console to verify that the settings match up in the OU where the profile is assigned.

You can view the current policies on a ChromeOS device by going to chrome://policy in the Chrome browser. The policies listed there should align with what is configured for that device's and user's OUs.