ChromeOS Device Enrollment Essentials
This guide summarizes the mandatory steps to enroll devices, allowing your organization to enforce all device and user policies set in the Google Admin Console. 1. Prerequisites: Don't skip these Before enrollment, ensure you have: Administrator access: You must use an administrator account with the necessary privileges. Valid license/Upgrade: Enrollment consumes a valid Chrome Enterprise Upgrade, a bundled Chromebook Enterprise device, or Kiosk & Signage Upgrade license. Terms of Service (TOS) Acceptance: You must accept the TOS in the Admin Console (Devices > Chrome > Devices). Note: You must enroll the device before any end-user signs in. If a user signs in first, you must wipe the device and restart the process. 2. Enrollment methods [See video] A. Manual enrollment (The Ctrl+Alt+E Method) Use this for individual device setup or if zero-touch isn't configured. Stop at the sign-in screen: Power on the device but do not sign in. Initiate enrollment: Press the Ctrl + Alt + E shortcut (or select "Enterprise enrollment"). Sign in: Use an eligible admin or user account. Choose license: Select the correct license type (Enterprise or Kiosk & Signage) to ensure the right features are applied. B. Automatic enrollment This method significantly speeds up large-scale deployments: Zero-Touch Enrollment: For new ChromeOS devices purchased through an authorized reseller, the devices automatically enroll upon connecting to the internet. Flex Remote Deployment: The ChromeOS Flex Remote Deployment (FRD) is a solution that enables IT administrators to perform a zero-touch remote installation of ChromeOS Flex onto large fleets of compatible devices running Windows, followed by automatic enrollment. 3. Key admin controls & Best practices These policies, managed in the Admin Console, give you granular control over the process: Enrollment permissions: Control who can enroll a device. It's a good idea to restrict this to IT staff, or only allow re-enrollment of wiped devices to prevent unauthorized new devices from being added to your domain. Asset tracking: Set the Asset identifier during enrollment policy to allow the technician or user to enter the Asset ID and Location during setup. This is critical for accurate inventory management. Enforced enrollment: Use the Initial sign-in (Enrollment controls) policy to Require users to enroll device. This blocks a user from signing in to a non-enrolled device if they are eligible to enroll it, enforcing compliance. 4. Real-world deployment examples Manual setup (New staff): An IT technician uses Ctrl + Alt + E and enters the Asset ID and Location before confirming the enrollment, ensuring the device is correctly tagged and placed in the appropriate Organizational Unit (OU) from day one. Mass deployment (New office): Devices purchased with Zero-Touch automatically enroll upon network connection. Policies are instantly enforced, and the device is ready for the first sign-in without any manual IT intervention. Kiosk/Signage: When setting up a lobby display, the admin selects Enroll kiosk or signage device during the manual enrollment steps. This locks the device down for Kiosk Mode, preventing general user sign-ins as required by the license type. For more information check out the article in the Help Center: Enroll ChromeOS Devices And continue on through our Getting Started User Guides to the left.ChromeOS Device Management: The Enterprise IT Fast Track
We know you're busy, so let's get straight to the point on managing your ChromeOS fleet in an enterprise environment via the Google Admin Console. The foundation: Licensing and fleet access Centralized management is unlocked by a license. The article clarifies your three primary license options for provisioning a ChromeOS fleet: Chrome Enterprise Upgrade (CEU): This is the standalone license (annual) you purchase separately for any standard ChromeOS device to bring it under enterprise control. Chromebook Enterprise (CBE): These devices come with the CEU license embedded for the life of the hardware. This offers a zero-touch, perpetual management solution right out of the box, streamlining large-scale deployment. Kiosk & Signage Upgrade: This is designed specifically for ChromeOS devices used as single-purpose kiosks (like self-service terminals) or digital signage displays. The licenses can either be purchased separately (annual) or bundled with the device (perpetual). Once the appropriate license is secured, enrollment links the physical device to your domain, granting you the full suite of policy controls. 2. Core control: Policies, security, and networking The power of the Admin Console is the ability to enforce settings based on who is signing in and which device they are using: Security & data protection: Enforce enterprise-grade policies like Forced Re-enrollment (preventing unmanaged use after a wipe), remote device disablement for lost assets, and strict sign-in restrictions (e.g., only allowing users from your corporate domain). Seamless network access: Remotely push necessary Wi-Fi profiles, proxy settings, and VPN certificates directly to devices. This ensures employees connect securely to internal resources immediately upon sign-in, regardless of location. Software distribution: Maintain a secure and standardized environment by force-installing, pinning, or blocking corporate web apps, PWAs, and extensions. 3. Example Enterprise Use Cases ChromeOS devices can excel in a range of environments where the device has a dedicated, shared, or public-facing role: Kiosk mode: Dedicate a Chromebase or Chromebox to run a single, purpose-built application, such as a retail Point-of-Sale (POS) terminal, a corporate visitor sign-in app, or a dedicated inventory scanner in a warehouse. Managed Guest sessions: Control shared-use devices in environments like office reception areas, business centers, or hot-desking stations. Sessions are non-account based, with all user data wiped upon logout, ensuring privacy and a fresh, secure device for the next user. Logged in user: Allow individual employees to sign in with their managed enterprise account (e.g., Google Workspace), providing a personalized, secure, and fully managed desktop experience. User data and settings are synced to the cloud, enabling quick, seamless migration to a replacement device and ensuring all corporate security policies and access controls are enforced. Real-World Application The power of ChromeOS management comes from applying these policies dynamically across your organization: Deployment example: Imagine provisioning new corporate laptops. You use the Admin Console to force-install the VPN extension and push the corporate Wi-Fi profile to the Corporate Devices Organizational Unit (OU). The employee receives the device, signs in, and everything is instantly configured. For more information check out the article in the Help Center: About ChromeOS Device Management And continue on through our Getting Started User Guides to the left.Setting ChromeOS user or browser policies
To manage your fleet of ChromeOS devices, you must be a Google administrator. You can set user policies to control the user experience when the user signs in with their managed Google account on any device. Step 1: Access the Google Admin Console Sign in to the Google Admin console with your administrator account. Step 2: Navigate to User Settings From the Admin console Home page, go to Menu > Devices > Chrome > Settings > User & browser settings Step 3: Select an Organizational Unit On the left, select the organizational unit you want to apply the settings to. If you want to apply the settings to all devices, select the top-level organizational unit. Step 4: Configure the Policy Scroll to the setting you want to configure. Click on it, make your desired changes, and then click Save. The policies will take effect the next time a user signs in with their managed account on a ChromeOS device. Top 10 practical user policies for enterprise While there isn't an official list of the "top 10 most used" user policies, the following 10 are highly valuable for enterprise customers to manage security, user experience, and device performance. Maximum user session length: This policy is critical for security. You can set an automatic sign-out time (e.g., 60 minutes) to ensure that unattended devices are not left signed in, reducing the risk of unauthorized access. Browser sign-in settings: To prevent data leaks and maintain control over user accounts, you can enforce that users can only sign in to Chrome browser with their managed work account. This prevents them from using personal accounts on company devices. High efficiency mode: This policy improves device performance by automatically discarding inactive background tabs after a few hours. For a large enterprise, this can significantly reduce the memory footprint and CPU usage across the fleet, leading to better device responsiveness. Exceptions to tab discarding: You can set a list of mission-critical web pages (e.g., a CRM dashboard or an internal ticketing system) that will never be automatically discarded. This ensures that essential applications remain active in the background. Wake locks: This policy gives you control over whether applications and websites can prevent a device from sleeping or the screen from turning off. This is particularly useful for devices used as kiosks or for digital signage, ensuring the content is always visible. Idle settings: This policy allows you to define what a device does when it's left idle or a user closes the lid. You can configure devices to automatically lock, sign out, or even shut down, which is essential for both power management and security. Spoken feedback (ChromeVox): Enabling this accessibility feature is crucial for creating an inclusive workplace. It provides spoken feedback for visually impaired users, allowing them to navigate the device and use applications effectively. High contrast: For users with low vision, this policy can be configured to change the font and background color scheme to make web pages easier to read. This is a practical and important accessibility feature for a diverse workforce. Custom wallpaper: This policy allows you to set a company-branded wallpaper on all managed devices. This is useful for building a consistent corporate identity and can be used to display important information like IT support contact details. Custom terms of service: Before a user can sign in for the first time, you can present them with a custom terms of service document. This is useful for ensuring all employees acknowledge and agree to company policies, such as an acceptable use policy. For more detailed explanations of the device policies available, check out this article in our help center: Set Chrome policies for users or browsersSetting ChromeOS device policies
To manage your fleet of ChromeOS devices, you must be a Google Admin Console administrator. You can set policies for all devices in your organization or apply them to specific groups of devices using organizational units. Step 1: Access the Google Admin Console Sign in to the Google Admin console with your administrator account. Step 2: Navigate to Device Settings From the Admin console Home page, go to Menu > Devices > Chrome > Settings > Device settings. Step 3: Select an Organizational Unit On the left, select the organizational unit you want to apply the settings to. If you want to apply the settings to all devices, select the top-level organizational unit. Step 4: Configure the Policy Scroll to the setting you want to configure. Click on it, make your desired changes, and then click Save. Changes typically take effect within a few minutes, but it can sometimes take up to 24 hours. Top 10 practical ChromeOS device policies for enterprise While there isn't an official list of the "top 10 most used" devices policies, here are ten highly recommended and commonly used policies for enterprises, with a focus on security, productivity, and management. Forced Re-enrollment: This policy ensures that if a device is wiped, it automatically re-enrolls in your organization's account without a user's manual input. This is critical for device security and inventory management. Allow Guest Mode: Disabling guest mode prevents users from browsing the web without signing in, which can help ensure all user activity is tied to a specific account and is auditable. Sign-In Restriction: This policy allows you to restrict device sign-ins to only users within your organization's domain. For example, by allowlisting *@yourcompany.com, you prevent non-employees from using company devices. Device State Reporting: Enabling this policy allows administrators to collect and monitor real-time data on devices, such as serial number, model, and last time synced. This is crucial for fleet management and troubleshooting. Disabled Device Return Instructions: For lost or stolen devices, you can set a custom message that appears on the disabled device's screen. This message can include contact information, increasing the chances of the device being returned. Screen Lock: Automatically locking the screen on idle after a short period ensures that unattended devices are not left vulnerable. Safe Browsing: Enforcing Safe Browsing helps protect users from malicious sites by displaying a warning before they can access a potentially dangerous URL. Disallow External Storage Devices: This policy can prevent the use of USB drives and other external storage, which helps mitigate the risk of data exfiltration or malware introduction. Application Allowlisting: By setting the "Allowed Apps and Extensions" policy to "Block all apps and extensions except the ones I allow," you can maintain a high level of security and control over what applications users can run. This is a common and effective security measure. Automatic Updates: This policy ensures that the device's operating system and browser automatically receive and apply security patches and feature updates, keeping the devices secure and up to date without manual intervention. For more detailed explanations of the device policies available, check out this article in our help center: Set ChromeOS device policiesOrganizational unit structure
An Organizational Unit (OU) is a container within your Google Admin console that allows you to group users, devices, and other assets. The primary purpose of an OU is to apply policies and settings to specific subsets of your organization. Policy Inheritance: OUs operate on a hierarchy. Policies you set at a parent OU are inherited by all child OUs below it. This is a fundamental concept for simplifying management. For example, you can set a default homepage for all devices at the top-level OU, and it will apply everywhere unless you override it in a specific child OU. Users vs. Devices: A key best practice is to understand that users and devices can be in different OUs. A user's policies follow them regardless of the device they sign into, while a device's policies remain with the device, no matter who signs in. Best Practices for Structuring OUs The goal is to create a structure that is as simple as possible but as complex as necessary. Avoid creating OUs for every small group or purpose, as this can lead to an administrative nightmare. 1. Start with a Simple, Hierarchical Design Your OU structure should be logical and easy to navigate. Common approaches include: By Location: For organizations with multiple offices (e.g., North America > California > Los Angeles). By Department or Role: Useful for corporate environments (e.g., Finance, Marketing, Engineering). By Job Level: Role within the organisation (e.g. Executives > Managers > Individual Contributors (ICs) ). 2. Separate Users and Devices Only When Necessary While you can put users and devices in the same OU, it's often more effective to separate them to apply different policies. User OUs: Structure user OUs based on the policies you need to apply to people. This is for things like app access, content filtering, and user-specific settings. For example, an "ICs" OU might have restricted app access, while a "Exec" OU has full access. Device OUs: Structure device OUs based on the policies you need to apply to the physical hardware. This is for settings like network configuration, sign-in restrictions, and public session behavior. For example, you might have a "Laptops" OU for devices that travel and a "Kiosk" OU for public-facing devices. 3. Leverage Policy Inheritance to Simplify Management Set the most common, organization-wide policies at the top-level OU. Then, only create child OUs to apply exceptions to these inherited policies. Example: If 90% of your devices use the same Wi-Fi settings, configure those settings at the top-level device OU. For a specific set of lab devices that need a different Wi-Fi network, create a "Lab Devices" child OU and override the Wi-Fi policy there. This saves you from re-configuring the same settings repeatedly. 4. Use Groups for Cross-OU Policies While OUs are great for hierarchical policy application, Google Groups provide flexibility for applying policies to a specific set of users who are not in the same OU. When to use Groups: Use groups for temporary projects, special access to applications, or when a few individuals across different OUs need the same policy applied. For example, you could create a "Pilot Program" group and assign an experimental app to its members without moving them from their primary OUs. Key Takeaways Plan first: Before creating any OUs, map out your organizational needs and how they translate to policies. Simplicity is key: Use as few OUs as you can while still meeting your policy requirements. OUs for hierarchy, Groups for flexibility: Remember that OUs manage hierarchy and inheritance, while groups provide a way to apply policies to a dynamic set of users or devices. For more detailed explanations of how OUs and Groups work within the Admin Console, check out these articles in our help center: How the organizational structure works Managing group-based policiesEssential settings and configurations in Chrome Enterprise Upgrade
Let's explore some important settings and configurations to help you manage your ChromeOS devices effectively with Chrome Enterprise Upgrade. Now that you've got the basics down, we'll dive into some key administrative tasks and policies to enhance your experience. If you haven’t yet, check out “Your first steps with Chrome Enterprise Upgrade” article before continuing reading. Setting Device and User/Browser Policies Policies are configured within the Admin Console. There are various device policies and user/browser policies that allow you to control and manage various aspects of your ChromeOS devices and user experiences. Consider applying the following popular, useful policies: Device Policies > Security : Password manager, Lid close action, Power management, Geolocation, and more. Device Policies > Sign-in Settings: Sign-in screen, Device wallpaper, Single sign-on, and more. User Policies > User Experience policies: Download location, Form auto-fill, Payment methods, and More. For more detailed explanations of the policies available, check out these extensive articles on device policies and user policies. Ensuring Devices Remain Managed: Forced Re-enrollment By default, wiped ChromeOS devices automatically re-enroll into the account without requiring user credentials. This feature, known as forced re-enrollment, ensures that devices remain managed and policies are consistently enforced. Guidance is available on how to turn forced re-enrollment on or off. More information on forced re-enrollment is available here. Controlling Device Access with Sign-in Restrictions Sign-in restrictions allow you to manage which users can sign in to your managed devices. The available options are: Restrict sign-in to a list Allow any user to sign in Do not allow any user to sign-in More information on configuring sign-in restrictions is available here. Blocking Websites You can prevent users from accessing specific URLs, domains, and IP addresses. This is done through website blocking configurations. More information and a step-by-step guide can be found here. Managing Device Updates Devices automatically check for and download updates when connected to Wi-Fi or Ethernet. Administrators can manage ChromeOS updates for the organization. Full OS updates are generally released roughly every 4 weeks. Minor updates, such as security fixes, are released every 2–3 weeks. Guidance on configuring and customizing update schedules is available here. Configuring Apps and Extensions Administrators can set policies for specific web apps, Chrome apps, or supported Android apps. For example, you can force-install an app and pin it to users' Chrome taskbar. More information, step-by-step instructions, and a video tutorial are available. By understanding and utilizing these essential settings and configurations, you can effectively manage your ChromeOS environment with Chrome Enterprise Upgrade.Optimizing your ChromeOS deployment
We're excited to share the "Getting Started with ChromeOS Deployment Guide." This comprehensive guide is an invaluable read for anyone looking to successfully deploy and manage ChromeOS within their organization. Whether you're just starting your ChromeOS journey or looking to refine your existing setup, this guide offers practical insights and best practices. It covers everything from initial deployment strategies, including project kick-off and infrastructure configuration, to defining policies and managing apps and extensions. You'll find detailed guidance on: Network and Wi-Fi Setup: Ensuring seamless connectivity for your devices. Device Enrollment: Understanding both manual and zero-touch enrollment methods. Policy Considerations: Key aspects to consider for effective management. App and Extension Management: Streamlining your software ecosystem. User Adoption and Change Management: Strategies to support your users through the transition, including governance, readiness, communications, and training. This guide is packed with detailed checklists and recommendations, providing a structured approach to your ChromeOS deployment. It also offers resources for ongoing support and troubleshooting, making it a go-to resource for a smooth and efficient transition to ChromeOS. Dive in and empower your enterprise with the full potential of ChromeOS! You can access the guide here: Getting Started with ChromeOS Deployment GuideYour first steps with Chrome Enterprise Upgrade
This article will walk you through the initial, straightforward steps of setting up and managing your ChromeOS devices with Chrome Enterprise Upgrade. We'll cover everything from getting started with the Admin console and enrolling your devices to finding helpful support resources and assisting your users with the transition to ChromeOS. Where to begin? Starting with Chrome Enterprise Upgrade is straightforward. Follow these simple steps: Signing up: Begin by signing up for a Trial for Chrome Enterprise Upgrade, either on our website, or directly from the Admin Console if you already have access. Accessing the admin console: The Admin console is your central hub for managing ChromeOS devices. Access it to get started. Using the setup guides: Inside the Admin console, you'll find interactive Setup guides. These guided tutorials will help you navigate the setup process. Locate them by navigating to "Devices > Chrome > Setup Guide" in the left-hand menu. How to start managing ChromeOS devices: Enrollment Enrollment is the key to managing your ChromeOS devices. Helping your users adopt ChromeOS If your users are new to ChromeOS and Chromebooks, here’s the Employee Adoption Kit that you can use to help your users learn more and answer their questions. Getting help and support Need help? But here’s how to find additional support: Contact support: Here’s a quick overview on how to get in touch with support if you’re experiencing any issues. Talk with an expert: If you’re still in the Trial phase and need more support evaluating the solution you can complete this form to Talk with an Expert for more personalized assistance and solution validation.
