Managing Chrome OS Devices: Workspace ONE Operational Tutorial

Overview

VMware provides this operational tutorial to help you with your Workspace ONE® environment. This exercise introduces you to Chrome OS management and walks through detailed steps to enroll and manage Chrome OS devices in Workspace ONE® UEM. 

Audience

This tutorial is intended for IT administrators and product evaluators who are looking to manage Chrome OS devices in their new or existing Workspace ONE UEM tenants. Familiarity of Workspace ONE UEM and the Google Admin console along with access to these individual consoles is assumed. Knowledge of additional technologies such as network, VPN configuration,  VMware Workspace ONE® Intelligence is also helpful.

Getting Started with Chrome OS Management

This section covers the prerequisites including how to migrate to a newer version of Chrome OS management. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Prerequisites

Before you can perform this exercise, you must have the following installed and configured.

• Workspace ONE UEM tenant version 23.02 and later.
• Google Admin Console account enabled with either a Chrome OS Enterprise upgrade or Chrome OS Education upgrade.
• In addition to the Chrome OS Enterprise or Education upgrade, you must also have available licenses in your Workspace ONE UEM account to manage Chrome OS devices.
• Supported Chrome OS device(s) factory reset in out of box mode.
  Caution: Do not factory reset your personal device to complete these exercises. 

Caution: If you have a pre-existing Chrome OS registration linked to a previous version of Workspace ONE UEM, then follow the steps to migrate from the older version of Chrome OS management to the newer version.

Migrate to Newer Version of Chrome OS Management

1. Log in to your Workspace ONE UEM console.
2. Navigate to Groups & Settings > All Settings.
3. From All Settings, navigate to Devices & Users > Chrome OS > Chrome OS EMM Registration.
4. Select Clear Settings.
   
    
5. Next, login into your Google Workspace Administrator console by navigating to https:// admin.google.com.
6. Navigate to Directory > Users.
7. Scroll to find the admin user account which was previously used for Workspace ONE EMM registration. Select the admin user account.
8. Expand Security.
9. Scroll to Connected Applications and select the edit icon.
10. Remove Workspace ONE as connected application for this user.
    
     
11. Click Done.

Note: Any past Chrome OS profiles must be recreated, as these cannot be migrated from prior versions of Workspace ONE UEM.

Enabling Google Chrome Device Management

In this exercise, you enable partner access to device management from the Google Workspace Admin Console.

Prerequisites

Before performing this exercise, ensure that you have your Google Admin Console credentials.

You also need a Chrome Enterprise upgrade or Chrome Education upgrade enabled for your account.

Enable Chrome Device Management

1. Navigate to https://admin.google.com.
2. Sign in using your Google Admin credentials.
3. From the Homepage, navigate to Devices > Chrome > Settings > Users & Browsers.
   
    
4. Next, navigate to User & Browser Settings.
5. Scroll to and select Allow EMM partners access to device management.
   
    
6. Select Enable Chrome management – partner access from the drop-down next to Configuration.
   
    

Note: EMM Partner access in User & Browser settings must be enabled at the parent organizational unit (OU) level in the Google Admin console. This setting cannot be enabled at a child OU level, and a child OU will always inherit partner access properties from the parent OU.

7. Click Save.
8. Next, navigate to Device Settings tab and scroll to Chrome management – partner access.
   
    
9. Select Enable Chrome management – partner access from the drop-down.
   
    
10. Click OK.
    
     

Note: EMM Partner access in Device settings can be enabled at the parent OU level as well as individual child OU levels in the Google Workspace Admin console.

Integrating Google Device Management with Workspace ONE UEM

In this exercise, you integrate Workspace ONE UEM with Google’s cloud-based APIs for device management using your Google Admin email account. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Configure Google integration with Workspace ONE UEM

Begin by entering your Google Workspace email account on the Workspace ONE Console Chrome OS registration setup page. This redirects you to a Google authorization page to grant permissions to complete setup.

1. Log in to your Workspace ONE UEM console.
2. Navigate to Groups & Settings > All Settings.
3. From All Settings, navigate to Devices & Users > Chrome OS > Chrome OS EMM Registration.
   
    
4. Enter your Google Admin Email Address (the same credentials used to log in to the Google Admin Console earlier) and click Sign in with Google.
   
    

Caution: Make sure you have pop-ups enabled in your browser otherwise the Google authorization page will not open.

5. Allow the permissions prompt that follows in the pop-up window.
   
    
6. Copy the Authorization code from the next window and paste the copied code into the Google Authorization Code field in your Workspace ONE UEM console. Then select Authorize.
   
    
7. Click Test Connection to ensure the connection between Workspace ONE UEM and Google is established. If successful, a green Test Connection Successful message is displayed.

Tip: Click Device Sync to manually sync new Chrome OS enrollments into the Workspace ONE UEM Console. Workspace ONE UEM will then sync with your Google Admin console to enroll newly registered devices. This sync is by default automatic and happens periodically once every hour.

Note: Workspace ONE Extension will automatically download on your enrolled Chrome OS devices. This is a mandatory extension that is necessary for Chrome OS device management.

Enrolling Chrome OS Devices into Workspace ONE UEM

Device enrollment establishes the device’s communication with the Workspace ONE UEM console and facilitates management. In this exercise, you enroll your Chrome OS device using the Google admin credentials. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Enroll Chrome OS Devices

Enrollment is facilitated on a Chrome OS device by using the Google admin credentials. The steps to enroll a supported Chrome OS device into Workspace ONE UEM is as follows:

1. Boot up a factory-reset Chrome OS device in out-of-box mode.
2. Select Get Started.
3. Next, connect your Chromebook to a Wi-Fi network.
4. On the User setup page, click Enterprise Enrollment or press CTRL + ALT + E.
5. Enter your Google Workspace administrator email account, then click Next.
6. Enter your Google Workspace administrator account’s password. Then click Next.
7. Upon successful enrollment, a success message marking the completion of Enterprise Enrollment is displayed.
8. Click Done.

Your Chromebook is now successfully enrolled into Workspace ONE UEM.

Note: Workspace ONE UEM will sync with your Google Admin console to enroll newly registered devices. This sync is by default automatic and happens periodically once every hour. You can also navigate back to Workspace ONE UEM > Groups & Settings > All Settings > Devices & Users > Chrome OS > Chrome OS EMM Registration > Device Sync to sync device on-demand.

Configuring Chrome OS Profiles using Workspace ONE UEM

In this exercise, you explore how to set up and configure a restrictions profile in Workspace ONE UEM to see how enterprise profile settings apply on a Chrome OS device. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Understanding Configuration Options for Chrome OS Profiles

Profiles are the mechanism by which Workspace ONE UEM manages settings on a device. All profiles are broken down into two basic sections: the General section and the Payload section.

• The General section defines the profile's name and description.
• The Payload sections define actions to be taken on the device.

Every profile must have all the required fields in the General section properly filled out and at least one payload configured.

In Workspace ONE UEM, Chrome OS profiles can apply at the device level or the enrollment-user level.

• Device Profiles - Apply to Chrome OS devices regardless of the user logged into the device.
• User Profiles - Apply to Chrome OS devices at the user level, and do not apply to users signed in as guest or with a Google Account outside of your organization (such as a personal Gmail account).

Profiles on Chrome OS devices are assigned based on the organizational unit (OU) of the Google Workspace Admin console. During the creation of a Chrome OS profile, you select the OU(s) that will receive the profile assignment. 

• For User Profiles, all user accounts in the selected OU and below will receive the profile payload. 
• For Device Profiles, all devices in the selected OU and below will receive the profile payload. 
• There could be cases where the User and Device are in different OUs. In such cases, both the profiles will need to be assigned appropriately.

Tip: Refer to Add an organizational unit for help creating OU(s) in the Google Workspace Admin console.

Configure Chrome OS User Profile

In this procedure, you configure a Security & Privacy User Profile for Chrome OS to deactivate incognito mode.

1. Login into your Workspace ONE UEM console.
2. Select Resources > Profiles & Baselines > Profiles.
3. Select Add > Add Profile.
4. Select Chrome OS as Platform.
5. Select User Profile in Profile Context.
6. Define the General Settings such as Profile name and add an optional Description in the respective text boxes.
7. Expand the Security & Privacy payload from the payload's menu.
8. Click ADD.
   
    
9. Configure the Security & Privacy settings payload as desired. For the purposes of this tutorial, select Disallow incognito mode to keep the users from browsing the web without storing local data.
   
    
10. Click Next.
11. Select the desired Google Workspace OU(s) to assign the profile.
    
     

Note: You can select one or more OU(s) to receive the profile assignment.

12. Select Save & Publish.
13. Test to see if the profile was successfully assigned by launching a new tab in incognito mode for your user account on a Chrome browser. Notice how the option for New incognito window is disabled.
    
     
14. Profile deployment can also be verified by navigating to Chrome://Policy on a Chrome Browser. Policies listed in Chrome://Policy should match the configuration pushed using Profiles from Workspace ONE UEM for that user or device in their respective OU.
15. Another way to verify a successful profile deployment is by confirming the configuration in the Google Workspace Admin console. Start by navigating to Chrome > Settings > Users & browsers (for User profiles) and select the OU to which received the Profile assignment from Workspace ONE UEM. Policies listed in this section should match the configuration pushed from Workspace ONE UEM for that user or device OU.
    
     

Summary and Additional Resources

This operational tutorial provided steps to enroll and manage Chrome OS devices in Workspace ONE UEM.

Procedures included:

• Enabling Google’s Chrome Device Management.
• Integrating Google device management with Workspace ONE UEM.
• Enrolling Chrome OS devices into Workspace ONE UEM.
• Configuring Chrome OS profiles using Workspace ONE UEM.

For more tutorials on Workspace ONE UEM, see Operational Tutorials on Workspace ONE UEM.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Changelog

The following updates were made to this guide:

About the Author and Contributors

Wasif Syed is one of our passionate and innovative Solutions Engineers on the VMware End User Computing (EUC) Subject Matter Experts (SME) team. With a strong background in Android, iOS, and Chrome OS technologies, Wasif seeks to solve mobility challenges that face today’s Anywhere Workforce.

• Eric Stillman - Product Manager for Android and Chrome OS at VMware End-User Computing.

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.