Managing Chrome OS Devices

Managing Chrome OS Devices


This exercise introduces you to managing Chrome OS devices in Workspace ONE. This exercise walks through creating a profile and enrolling your device to test the results. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.


Before you can perform the procedures in this exercise, you must complete the following tutorials:

This exercise requires an admin user to authenticate into G-Suite and enroll device into Workspace ONE UEM. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

User Account Information

User name
Password VMware1!

You must also satisfy the following requirements:

  • Chrome Enterprise license
  • Google Admin Console Service Account
  • Google Cloud Directory Sync Enabled
  • Supported Chrome OS device
  • Factory reset device in out of the box mode

Caution: Do not factory reset your personal device to complete these exercises. 

Logging into the Google Admin Console

To perform most of the steps in this exercise, you must first log in to the Google Admin Console.

1. Launch Chrome Browser

Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate

  1. Enter your email address or phone number. For example,
  2. Click Next.
  3. Enter your Password. For example, VMware1!.
  4. Click Next.

Creating Google User Accounts

Enterprise users on Chrome OS devices require a Google account to connect to their devices. In this procedure, enable Workspace ONE to create a Google account during Chrome OS enrollment.

Note: Enrollment based account creation relies on SAML. For environments that do not use SAML, the following alternatives are available for creating a Google account:  

1. Open the Setup Wizard

2. Enable Enrollment-Based User Creation

Select Yes when prompted to Create accounts during enrollment based on users' emails.  

3. Upload a Directory Access Certificate

4. Provide Directory Access Certificate Credentials

  1. Enter your Service Account Email Address.
  2. Enter your Admin Email Address.

5. Enable SAML Authentication

Select Yes when prompted to Use SAML endpoint to authenticate accounts.

If you have not setup SAML, the wizard will prompt you to configure SAML authentication settings.

6. Complete Setup

Click Finish.

Enabling Chrome Device Management

1. Open Device Management Settings

From the home page of the Google Admin Console, click Device Management.

2. Open Chrome Management Settings

Click Chrome management.

3. Open User Settings

Click User Settings.

4. Enable Partner Access

  1. Scroll to the Chrome Management - Partner Access section.
  2. Select the Enable Chrome Management-Partner Access checkbox.
  3. Click Save.

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate In to the Workspace ONE UEM Console

  1. Enter your Username. This is the name provided in the activation email.
  2. Click Next. After you click Next, the Password text box is displayed.
  1. Enter your Password. This is the password provided in the activation email.
  2. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Integrating Google with Workspace ONE UEM

Begin integrating Workspace ONE with Google by entering your Chrome admin email on the Workspace ONE Console setup page. This redirects you to a Google authorization page to grant permissions.

3. Initiate Google Registration

  1. Enter the Google Admin Email Address. For example,
  2. Select Register with Google which redirects you to Google.

Caution: Please make sure you have pop-ups enabled otherwise the Google authorization page will not open.

4. Log Into Google

  1. Enter your email address or phone number. For example,
  2. Click Next.
  3. Enter your Password. For example, VMware1!.
  4. Click Next.

5. Allow Workspace One to Access Your Google Account

Review the screen and click Allow.

6. Copy the Google Authorization Code

Copy the Google Authorization Code.

7. Register Google with Workspace ONE

  1. Return to the Workspace ONE Console and paste the code copied from Google into the Google Authorization Code field.
  2. Select Authorize.

8. Verify Connectivity & Save

  1. Click Test Connection to ensure the connection between AirWatch and Google is established. If successful, a green 'Test Connection Successful' message displays.
  2. Click Device Sync to manually sync new Chrome OS enrollments into the Workspace ONE UEM Console.
  3. Click Save.

Enrolling the Chrome OS Device

Enrollment is facilitated from the Chrome OS device using the Google admin credentials or existing G Suite user credentials. After you select done, the Chromebook automatically applies any pre-configured device policies and is ready for a user to sign in. Once a user signs in, all applicable user profiles are pushed to the Chrome device. Once devices are enrolled, they display in the Device List View in the Workspace ONE UEM console.

1. Power On the Device

Boot up a factory-reset Chrome OS device that's connected to the internet.

2. Go to Enterprise Enrollment

At the Sign into the Chromebook page, press CTRL+ALT+E to bypass the sign-in screen and go straight to enterprise enrollment.

3. Authenticate

Enter the user name and password from your Google Admin welcome letter or use your existing G Suite user credentials, and click Next.

4. Finish Enrollment

Click Done.

Configuring a User Profile for Chrome OS

In this procedure, configure a Security & Privacy user profile for Chrome OS to disable incognito mode.

While all Workspace ONE UEM profiles manage device settings, Chrome OS profiles can apply at the device level or the enrollment-user level.

  • Device Profiles - Apply to Chrome OS devices regardless of the user logged into the device. Device polices are applied through Smart Groups.
  • User Profiles - Apply to Chrome OS devices at the user level, and do not apply to users signed in as guest or with a Google Account outside of your organization (such as a personal Gmail account). User polices are applied through User Groups.

2. Define the General Settings

Define the General Settings
  1. Select General if it is not already selected.
  2. Enter a profile name such as Chrome User Security & Privacy in the Name text box.
  3. Copy the profile name into the Description field.
  4. If necessary, scroll down to Assigned Groups. Click the field and select All Devices from the list of Assignment Groups that populate.

Note: Do not click Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

3. Open the Security & Privacy Payload

  1. Select the Security & Privacy payload from the menu on the left.
  2. Click the Configure button to begin configuring payload settings.

4. Configure Security & Privacy Settings

  1. Disable Incognito Mode to keep users from browsing the web without storing local data.
  2. Click Save and Publish.

5. Publish the Profile

Click Publish.

6. Verify the Profile Applied

Profiles for Chrome OS are deployed using API calls, which are a different solution than is used with other platforms, in which the profile is sent directly to the Workspace ONE Intelligent Hub on the device. For Chrome OS devices, the Workspace ONE UEM console relies on API responses to the Google Cloud to push new polices. The console displays a green check mark to show that the policy has been updated to the Google cloud.

7. Test the Incognito Mode Restriction

Try to open a tab in incognito mode. Notice how the option is disabled.