Chromebook enrollment

Chromebooks are managed using Google Apps APIs, since administrators cannot install an agent on the device. When you manage Chromebooks through Endpoint Manager, the devices appear in the inventory, and you can view the device details. However, there is no additional functionality for Chromebooks from the Ivanti management console.

In order to manage Chromebooks, you must have a Google Apps for Work account that is bound to your domain name. You must also purchase Chromebook licenses in order to manage the devices. When you have purchased licenses and associated them with the Google Apps account, they appear in the Google Apps account under Device management.

NOTE: The steps for setting up a Chromebook for management through Google may change at Google's discretion. If that is the case, we recommend you find instructions from Google to perform these actions.

To manage Chromebooks, perform the following steps:

1. Enroll the devices in Google Apps for Work

If you do not have a Google Apps account already, you must create one in order to manage Chromebooks. Cost is based on the number of users and device licenses.

You must have Chromebook licenses in order to manage the devices.

If the device has already been used, you may need to perform a factory reset on the Chromebook before it can be enrolled.

Follow the instructions from Google to enroll devices: https://support.google.com/chrome/a/answer/1360534

2. Enable API access and create a unique ID

1. Log in to your Google Apps account (https://admin.google.com).

2. Navigate to Security > API reference.

3. Enable the Enable API access option.

4. Log in to your Google Developers Console (https://console.developers.google.com).

5. Create a new project and click on it to open it.

6. Click Enable APIs and Services.

7. Search for and enable Admin SDK.

8. In the navigation menu, select APIs & Services > Credentials.

9. Click Create credentials.

10. Click Service account key.

11. Select New service account.

12. Enter a name for the service account.

13. Use the drop-down menu to set the role to Project > Owner.

14. Select the key type P12.

15. Click the Create button. The .p12 certificate file is downloaded. Save the file in a safe place.

16. Close the private key information box to return to the credentials page.

17. Click Manage Service Accounts.

18. Make a note of the Email address value shown for the service account.

19. Click the Actions menu, then select Edit.

20. Make a note of the Unique ID value.

21. Select Enable G Suite Domain-wide Delegation.

22. Click Save.

3. Test the API on Google servers (optional)

1. Go to the Google API Reference page (https://developers.google.com/admin-sdk/directory/v1/reference/).

2. In the navigation menu on the left, click Chromeosdevices > list.

3. Click Try it now.

4. Enable Authorize requests using OAuth 2.0.

5. Select Authorize. The switch should turn from red to blue.

6. In the customerId field, enter my_customer.

7. Click Execute. You should see some or all of your Chromebook devices listed in JSON format at the bottom of the page.

4. Configure external access to the domain

Some additional configuration is necessary for Ivanti to be able to access Chromebook device information.

1. In your Google Apps account (https://admin.google.com), go to the Dashboard home and select Security.

2. Click Show more.

3. Click Advanced settings > Manage API client access. Here you can restrict Endpoint Manager or other external apps from potentially accessing sensitive data. Ivanti only requests Chromebook device information from Google Apps accounts.

4. In the Client Name field, enter the unique ID you saved earlier.

5. Enter the following API scope string: https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly

6. Click Save.

5. Provision Ivanti with the ID

1. Log in to the Endpoint Manager console.

2. Click Tools > Modern Device Management > MDM configurations > Additional Device Discovery > Chromebook Discovery.

3. Click the Add button.

4. Provide the Admin email associated with the Google Apps account, the service account email (the email address that you noted when creating the Unique ID), and the .p12 certificate file.

5. Click Test Credentials to verify the information.

6. Use a scheduled task to retrieve inventory information from Google.
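
Added example, not Ivanti's or Google's code: it shows how the values collected in the steps above (admin email, service account email, read-only scope) fit together in the claim set of Google's service-account JWT flow for domain-wide delegation, and how a request for any scope beyond the one authorized in step 4 can be rejected locally. The email addresses are constructed placeholders and the function names are hypothetical; the output is the string that the private key from the .p12 file signs with RS256, and whether Endpoint Manager builds its request exactly this way is an assumption.

```python
import base64
import json
import time

# Scope string from step 4 of this page.
CHROMEOS_READONLY = "https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly"
TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint


def b64url(raw):
    """Base64url without padding, as JWTs require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def excess_scopes(requested, authorized=(CHROMEOS_READONLY,)):
    """Return the requested scopes that the Admin console grant does not cover."""
    return sorted(set(requested) - set(authorized))


def delegation_claims(service_account_email, admin_email, scopes, now=None):
    """Claim set for a domain-wide delegation token request (one-hour lifetime)."""
    extra = excess_scopes(scopes)
    if extra:
        raise ValueError(f"scopes beyond the read-only grant: {extra}")
    issued = int(time.time() if now is None else now)
    return {
        "iss": service_account_email,  # service account email noted in step 2
        "sub": admin_email,            # admin user the service account acts as
        "scope": " ".join(scopes),
        "aud": TOKEN_URL,
        "iat": issued,
        "exp": issued + 3600,
    }


def signing_input(claims):
    """Return header.payload, the string the service account key signs (RS256)."""
    header = {"alg": "RS256", "typ": "JWT"}
    parts = (json.dumps(p, separators=(",", ":")).encode() for p in (header, claims))
    return ".".join(b64url(p) for p in parts)


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    claims = delegation_claims("discovery@example-project.iam.gserviceaccount.com",
                               "admin@example.com", [CHROMEOS_READONLY], now=1_700_000_000)
    print(signing_input(claims))
    # A broader request is reported before any token call is made.
    print(excess_scopes([CHROMEOS_READONLY, "https://www.googleapis.com/auth/admin.directory.user"]))
```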