The ChromeOS Management Partner Access API is the first generation of cloud-based device management for ChromeOS devices. This version supports Chrome Enterprise use cases.
User Setup
Workspace ONE UEM needs access to the same list of users that is present in the Google Admin console. This access is facilitated through Directory Integration. For more information on Directory Integration, see the Directory Services Integration guide. For more information on syncing users in the Google Admin console, see the Google Cloud Directory Sync documentation from Google.
Requirements for Deploying ChromeOS
Consider the requirements from the VMware team before deploying ChromeOS devices with Partner API Access:
- Register for your Chrome Enterprise license
- Set up a Google Admin Console Service Account
- Make sure Google Cloud Directory Sync is turned on
- Use a factory-reset ChromeOS device in out-of-the-box mode
Meeting these requirements helps prepare you for a successful deployment of devices.
Supported Devices
Refer to the ChromeOS website for the most up-to-date list of supported devices.
Chrome Enterprise Licensing
Since ChromeOS devices are managed directly by Google, you will need access to the Google Admin console. You can set this up by creating a Google business or Workspace account. You can find instructions on how to do this at https://support.google.com/accounts/answer/27441. Once you have access to the admin console, you can configure the following:
- User and admin accounts – these can be created in the admin console, or they can be imported from an identity provider
- Organizational Units (OUs) – this is to organize devices and users. Each OU can receive a different policy/profile.
- Chrome management
- 3rd party EMM management for Chrome
To get started with Chrome management, you will need Chrome Enterprise or Chrome Education licensing. Licenses are purchased through Google or a supporting reseller, or as part of a device purchase. You can also set up a free trial license for testing. You can find more information on Chrome licensing and upgrades at https://support.google.com/chrome/a/topic/7613713?hl=en&ref_topic=4386913.
Once Chrome management licenses have been added, navigate to Devices > Chrome > Settings > Users & Browsers > Chrome management - partner access and turn on this setting. Next, go to Devices > Chrome > Settings > Devices > Chrome management - partner access and turn on this setting.
Set Up Google Admin Console
The Google Admin console is where administrators manage Google services for users in an organization. Workspace ONE UEM uses the Google Admin console for integration with Android and ChromeOS.
The Manage API client access page allows you to control custom internal application and third-party application access to supported Google APIs (scopes).
- Navigate to Security > Advanced Settings > Manage API Client Access and complete the following fields:

Table 1.

| Setting | Description |
| --- | --- |
| Client Name | Enter the Client ID generated when creating your Google Service Account. |
| One or More API Scopes | Copy and paste the following Google API scopes for Android: https://www.googleapis.com/auth/admin.directory.user |

- Select Authorize.
Set Up ChromeOS Configuration Settings
- Enable Chrome Device Management (CDM) API Partner Access for device and user policies from the Google Admin console by navigating to Device Management > Chrome Management > Device Settings and Device Management > Chrome Management > User Settings and selecting the checkbox under the Chrome Management-Partner Access section.
- Navigate to Devices > Device Settings > Devices & Users > ChromeOS > ChromeOS EMM Registration in the Workspace ONE console. Make sure there is a Group ID assigned to the Organization Group or registration will fail.
- Enter the Google Admin Email Address.
- Select Register with Google. You are redirected to the Google login page to enter your Google admin email address. Ensure you have pop-ups enabled; otherwise, the Google authorization page will not open.
- Select Allow to grant permissions.
- Copy the Google Authorization Code from Google and paste it into the Google Authorization Code field in the Workspace ONE UEM console.
- Select Authorize.
- Select Test Connection to ensure the connection between Workspace ONE UEM and Google is established.
- If successful, a green 'Test Connection Successful' message displays.
- Select Device Sync, which manually syncs new ChromeOS enrollments into the Workspace ONE UEM console.
- Clear Settings appears after registration is complete. If you click this button, ChromeOS device records are cleared, certificates pushed to Chrome Users or Devices from the console are revoked, and the Workspace ONE UEM Extension is removed from your devices.