ChromeOS Device Enrollment Essentials

This guide summarizes the mandatory steps to enroll devices, allowing your organization to enforce all device and user policies set in the Google Admin Console.

 

1.  Prerequisites: Don't skip these

Before enrollment, ensure you have:

 

• • Administrator access: You must use an administrator account with the necessary privileges.

  • Valid license/Upgrade: Enrollment consumes a valid Chrome Enterprise Upgrade, a bundled Chromebook Enterprise device, or Kiosk & Signage Upgrade license.

  • Terms of Service (TOS) Acceptance: You must accept the TOS in the Admin Console (Devices > Chrome > Devices).

Note: You must enroll the device before any end-user signs in. If a user signs in first, you must wipe the device and restart the process.

 

2. Enrollment methods [See video]

 

A. Manual enrollment (The Ctrl+Alt+E Method)

Use this for individual device setup or if zero-touch isn't configured.

1. 1. Stop at the sign-in screen: Power on the device but do not sign in.
   2. Initiate enrollment: Press the Ctrl + Alt + E shortcut (or select "Enterprise enrollment").
   3. Sign in: Use an eligible admin or user account.
   4. Choose license: Select the correct license type (Enterprise or Kiosk & Signage) to ensure the right features are applied.

B. Automatic enrollment

This method significantly speeds up large-scale deployments:

• • Zero-Touch Enrollment: For new ChromeOS devices purchased through an authorized reseller, the devices automatically enroll upon connecting to the internet.
  • Flex Remote Deployment: The ChromeOS Flex Remote Deployment (FRD) is a solution that enables IT administrators to perform a zero-touch remote installation of ChromeOS Flex onto large fleets of compatible devices running Windows, followed by automatic enrollment.

3. Key admin controls & Best practices

 

These policies, managed in the Admin Console, give you granular control over the process:

 

• • Enrollment permissions: Control who can enroll a device. It's a good idea to restrict this to IT staff, or only allow re-enrollment of wiped devices to prevent unauthorized new devices from being added to your domain.

  • Asset tracking: Set the Asset identifier during enrollment policy to allow the technician or user to enter the Asset ID and Location during setup. This is critical for accurate inventory management.

  • Enforced enrollment: Use the Initial sign-in (Enrollment controls) policy to Require users to enroll device. This blocks a user from signing in to a non-enrolled device if they are eligible to enroll it, enforcing compliance.

4. Real-world deployment examples

 

• • Manual setup (New staff): An IT technician uses Ctrl + Alt + E and enters the Asset ID and Location before confirming the enrollment, ensuring the device is correctly tagged and placed in the appropriate Organizational Unit (OU) from day one.

  • Mass deployment (New office): Devices purchased with Zero-Touch automatically enroll upon network connection. Policies are instantly enforced, and the device is ready for the first sign-in without any manual IT intervention.

  • Kiosk/Signage: When setting up a lobby display, the admin selects Enroll kiosk or signage device during the manual enrollment steps. This locks the device down for Kiosk Mode, preventing general user sign-ins as required by the license type.

 

For more information check out the article in the Help Center: Enroll ChromeOS Devices

 

And continue on through our Getting Started User Guides to the left.