May 11, 2020

Using Workspace ONE UEM to Deploy Chrome Browser Cloud Management Tokens to Windows 10 and macOS

This blog provides a brief overview of how to use Workspace ONE UEM to deploy Chrome Browser Cloud Management Tokens to Windows 10 and macOS devices.

The Chrome Browser can be configured and managed in several ways. But most recently, there have been some significant advancements in the Google Admin console to centrally manage and quickly see the status of Chrome Browser across your business desktop endpoints.

With Chrome Browser Cloud Management, you can see reports on deployed versions, device information, apps, and extensions installed, or management policies applied. From the Google Admin console, you can also take quick action on devices, such as blocking or force-installing a specific extension.

Users don't need to sign in to Google in their browsers to enable Cloud Management. Instead, VMware Workspace ONE® administrators manage the devices with enrollment tokens, which are Globally Unique Identifiers (GUIDs) randomly generated in the Google Admin console. One or more devices may use a token.

This blog provides a brief overview of how to use Workspace ONE UEM to deploy these tokens to Windows 10 and macOS devices.

Generate an Enrollment Token

Here is a workflow of the enrollment process from the Chrome Browser Cloud Management whitepaper:

Workspace ONE UEM can help you with Step 3 in this process—deploying the enrollment tokens to your Windows and macOS endpoints.

To get to Step 3 in the Token Enrollment Workflow, you need to generate an enrollment token:

  1. Sign in to your Google Admin console.
  2. From the Google Admin console Home page, go to Devices.
    If you don’t see Devices on the Home page, scroll to the bottom and click More controls.
  3. (Optional) To add browsers in the top-level organization in your domain, keep Include all organizational units selected. Alternatively, you can generate a token to enroll browsers directly to a specific organizational unit by selecting it in the left navigation before moving on to the next step. For more information, see Add an organizational unit.
  4. At the bottom, click Add to generate an enrollment token.
  5. In the box, click Copy to copy the enrollment token.

(Required) Deploy the token with a key named CloudManagementEnrollmentToken.

(Optional) By default, if enrollment fails (for example, if the enrollment token is invalid or revoked), Chrome starts in an unmanaged state. To prevent Chrome browser from starting if enrollment fails, set CloudManagementEnrollmentMandatory to true.

Deploy Browser Enrollment Token to Windows Devices with Workspace ONE UEM

Using the Custom Settings profile, you can deploy the required keys to configure Cloud Management enrollment to enrolled Windows 10 devices. Ensure Workspace ONE Intelligent Hub is installed for a successful configuration.

  1. Add a new Windows Desktop device profile.
  2. Add Custom Settings payload.
  3. As the target, select Workspace ONE Intelligent Hub.
  4. Paste the following "Install Settings XML" in the install settings.
  5. Paste the following "Remove Settings XML" in the remove settings.
  6. Replace the XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX values in the Install Settings and Remove Settings XML with the token value that you want to deploy.
  7. Assign the profile to devices.

Install Settings XML:

<wap-provisioningdoc id="1164DF07-F217-449B-95F8-FB85A34D3CA5" name="customprofile">
    <characteristic type="com.airwatch.winrt.registryoperation" uuid="4fa91319-eac0-4a16-9d10-093ba845b698">
        <parm RegistryPath="HKLM\SOFTWARE\Policies\Google\Chrome" Action="Replace">
            <Value Name="CloudManagementEnrollmentToken" Data="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" Type="String" />
            <Value Name="CloudManagementEnrollmentMandatory" Data="1" Type="DWORD" />
        </parm>
    </characteristic>
</wap-provisioningdoc>

Note: CloudManagementEnrollmentMandatory prevents the browser from starting if enrollment fails. If you do not want to enable this enhanced security mode, set the value to 0 instead of 1.

Remove Settings XML:

<wap-provisioningdoc id="1164DF07-F217-449B-95F8-FB85A34D3CA6" name="customprofile">
    <characteristic type="com.airwatch.winrt.registryoperation" uuid="4fa91319-eac0-4a16-9d10-093ba845b698">
        <parm RegistryPath="HKLM\SOFTWARE\Policies\Google\Chrome" Action="Remove">
            <Value Name="CloudManagementEnrollmentToken" Data="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" Type="String" />
            <Value Name="CloudManagementEnrollmentMandatory" Data="1" Type="DWORD" />
        </parm>
    </characteristic>
</wap-provisioningdoc>

Note: If you set CloudManagementEnrollmentMandatory to 0 in the previous step, make sure to also change it in this step.
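A pre-deployment check for the two Windows documents above, added here as an example and not part of the original post or of Workspace ONE. It flags an unreplaced placeholder token (with CloudManagementEnrollmentMandatory set to 1, an invalid token keeps Chrome from starting) and Install/Remove settings that have drifted apart. The helper names `build`, `read_values` and `lint_pair` are hypothetical, and the sample XML is constructed.

```python
import re
import xml.etree.ElementTree as ET

CHROME_KEY = r"HKLM\SOFTWARE\Policies\Google\Chrome"
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
TOKEN, MANDATORY = "CloudManagementEnrollmentToken", "CloudManagementEnrollmentMandatory"

def build(action, token, mandatory):
    """Constructed sample input shaped like the page's Custom Settings XML."""
    return (
        '<wap-provisioningdoc id="sample" name="customprofile">'
        '<characteristic type="com.airwatch.winrt.registryoperation" uuid="sample">'
        f'<parm RegistryPath="{CHROME_KEY}" Action="{action}">'
        f'<Value Name="{TOKEN}" Data="{token}" Type="String" />'
        f'<Value Name="{MANDATORY}" Data="{mandatory}" Type="DWORD" />'
        '</parm></characteristic></wap-provisioningdoc>'
    )

def read_values(xml_text, expected_action):
    """Return ({name: (data, type)}, problems) for one settings document."""
    try:
        parm = ET.fromstring(xml_text).find("./characteristic/parm")
    except ET.ParseError as exc:
        return {}, [f"not well-formed XML: {exc}"]
    if parm is None:
        return {}, ["no <parm> element found"]
    problems = []
    if parm.get("RegistryPath") != CHROME_KEY:
        problems.append("unexpected RegistryPath")
    if parm.get("Action") != expected_action:
        problems.append(f"Action is not {expected_action}")
    values = {v.get("Name"): (v.get("Data"), v.get("Type")) for v in parm.findall("Value")}
    return values, problems

def lint_pair(install_xml, remove_xml):
    """List problems to fix before assigning the profile to devices."""
    install, problems = read_values(install_xml, "Replace")
    remove, more = read_values(remove_xml, "Remove")
    problems += more
    token = install.get(TOKEN, ("", None))[0]
    if not GUID_RE.fullmatch(token or ""):
        problems.append("token missing or not a GUID (placeholder left in?)")
    if install.get(MANDATORY) not in (None, ("0", "DWORD"), ("1", "DWORD")):
        problems.append(f"{MANDATORY} must be DWORD 0 or 1")
    if install != remove:
        problems.append("Install and Remove settings disagree")
    return problems
```

An empty list from `lint_pair` means both documents target the Chrome policy key with a GUID-shaped token and matching values.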

Deploy Browser Enrollment Token to macOS Devices with Workspace ONE UEM

Using the Custom Settings profile, you can deploy the required keys to configure Cloud Management enrollment to macOS devices.

  1. Add a new macOS device profile.
  2. Add Custom Settings payload.
  3. Paste the following XML (we recommend altering the GUIDs in the PayloadIdentifier and PayloadUUID keys).
  4. Replace the XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX values in the string value for CloudManagementEnrollmentToken with the token value that you want to deploy.
  5. Assign the profile to devices.

<dict>
    <key>CloudManagementEnrollmentToken</key>
    <string>XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</string>
    <key>CloudManagementEnrollmentMandatory</key>
    <true/>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadDisplayName</key>
    <string>Chrome Browser Settings</string>
    <key>PayloadIdentifier</key>
    <string>com.google.Chrome.4F720473-6832-4CE0-A895-E9C3FC6F8CBD</string>
    <key>PayloadUUID</key>
    <string>4F720473-6832-4CE0-A895-E9C3FC6F8CBD</string>
    <key>PayloadType</key>
    <string>com.google.Chrome</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>

Note: If you set CloudManagementEnrollmentMandatory to 0 in the Windows profile above, you must change it to false in this payload.

For more information on managing Chrome with Workspace ONE UEM, check out our additional guidance on the EUC-Samples GitHub.

Contributors

  • Robert Terakedis, Senior Technical Marketing Manager, End-User Computing, VMware.
  • Mike Nelson, Senior Solutions Architect, VMware.
  • Vandana Soundera Raj, VMware Workspace ONE Product Manager, End-User Computing, VMware.