Device Owner Enrollment Error: “Organization Has Reached Its Usage Limits” Even With Zero Devices
Hi everyone, I’m trying to enroll a fully managed Android device using the Android Management API. I generate an enrollment token, create the QR code, factory reset the device, and start the QR-based provisioning process. Everything works until the Android Device Policy step, where I get the following error: “Since your organization has reached its usage limits, this device can’t be set up.” I am unable to get past this point. Here is what I have already checked: Listing devices through the API returns an empty list. There are no enrolled devices at all. Billing is active on the cloud project and the Android Management API is enabled. Enterprise creation works, policies return correctly, and I can generate enrollment tokens without any issues. The device is correctly factory reset and the QR scan is working as expected. I tested with both a Workspace-based enterprise and a Gmail-based enterprise. The same limit error appears on both, even though both enterprises have zero devices. I moved the cloud project under my organization in Google Cloud to avoid any project-level quota problems. Based on everything I have checked, it appears that the enterprise (or account) has been automatically restricted to a device quota of zero, and the restriction has not lifted even after several days. I would like to understand the following: Is this quota lock normal for new enterprises, and how long does it usually take to lift? Is this quota tied to AMAPI commercial approval? Is it expected that zero devices can be enrolled before approval? Is there any way to request a quota review so that at least one test device can be enrolled? I am building a commercial EMM solution and simply need to test device-owner provisioning on a physical device, but I am currently blocked by this limit. Any guidance from the community or anyone who has dealt with the same situation would be greatly appreciated. Thank you.
The "Enable ADB Debugging" Maze: A Call for Architectural Clarity, Unified Nomenclature, and UI Improvements
Hello Chrome OS Enterprise Community and Google Product Team, I am an administrator and developer using a managed Chromebook for Android development. For over a month, I have been unable to toggle "Enable ADB debugging" in the Linux (Crostini) settings because it remains grayed out, despite my having full admin access. After weeks of back-and-forth with Google Workspace Support, it has become clear that this is not just a bug, but a profound architectural issue regarding how managed Chrome OS handles policy dependencies and how we navigate the Admin Console. Technical Environment & Stability Context It is important to note that my development environment is not a fresh install, but a long-running, stable workspace. I have been using the same Crostini container for over a year, and recently performed a successful dist-upgrade from Debian 12 (Bookworm) to Debian 13 (Trixie), which is the current Stable release. The fact that Crostini handled this major OS upgrade without requiring a reinstall demonstrates the high quality and robustness of the Chrome OS platform. However, this longevity raises a diagnostic question: Is the ADB toggle logic failing specifically on containers that have migrated through major versions? The Current Situation: A Maze of Hidden Dependencies Support has provided numerous potential fixes, suggesting that the "ADB" feature is not controlled by one switch, but is the result of a complex calculation involving multiple policies scattered across different menus. I have re-checked all the following solutions proposed by Support between Nov 7 and Dec 11, 2025. None have solved the issue: Date Policy Name Exact Admin Console Path Action Taken Nov 7 Developer tools Devices > Chrome > Settings > Users & browsers > Content > Developer tools Set to "Always allow use of built-in developer tools." Nov 21 Linux virtual machines Devices > Chrome > Settings > Users & browsers > Virtual Machines > Linux virtual machines Set to "Allow usage for virtual machines needed to support Linux apps for users." Nov 24 Untrusted sources Devices > Chrome > Settings > Users & browsers > Android applications > Android apps from untrusted sources Set to "Allow" (Required for sideloading). Dec 3 Developer Tools (Refined) Devices > Chrome > Settings > Users & browsers > Content > Developer tools Set to "Allow use of built-in developer tools, except force-installed extensions..." Dec 10 ADB Sideloading Devices > Chrome > Settings > Device settings > Virtual Machines > ADB sideloading Set to "Allow affiliated users of this device to use ADB sideloading." Dec 11 Unaffiliated VMs Devices > Chrome > Settings > Device settings > Virtual Machines > Linux virtual machines for unaffiliated users Set to "Allow usage for virtual machines needed to support Linux apps for unaffiliated users." The Architectural Problem Administrators are currently guessing which combination of "User Settings" and "Device Settings" will result in the feature unlocking. There is no visibility into which specific policy is overriding the others. Furthermore, the UI itself makes locating these settings inefficient. Proposal 1: A "Computed Policy View" We need a diagnostic view in the console. When an Admin looks at a locked setting (like ADB Debugging), the console should display: Status: LOCKED Blocked By: Device Policy > ADB Sideloading OR User Affiliation Check Failed. Proposal 2: A Standardized Nomenclature for Admin Options The Google Admin Console contains thousands of options. Support tickets often fail because describing the path to an option is tedious and prone to error. I propose implementing a Unique Identifier System: Menus/Tabs: assigned a 3-letter nickname. Sections/Options: assigned a numerical ID. Example: Instead of describing a long path, we could simply reference ID: DEV-CHR-DEV-VMS-042 DEV: Menu (Devices) CHR: Product (Chrome) DEV: Tab (Device Settings) VMS: Section (Virtual Machines) 042: Option (ADB Sideloading) Entering this ID into the search bar should take the admin directly to the specific toggle. Proposal 3: Collapsible Sections (Fold/Unfold UI) Currently, settings pages (like Users & browsers) are massive vertical lists. To reach a section near the bottom, an admin must scroll past hundreds of irrelevant options in previous sections. Even when using the "search on page" function, the visual clutter is overwhelming. I propose adding a Fold/Unfold feature: A "Collapse All / Expand All" button at the top of the settings page. Clickable section headers that allow us to hide large blocks of settings we are not currently editing. Conclusion We cannot manage what we cannot find or understand. The current "trial and error" approach to enabling standard developer features is hindering adoption in the enterprise sector. We need better mapping, a precise language (nomenclature), and a more efficient UI to navigate this complex environment. Best regards, Christophe RouxChrome OS + Crostini: The Missing Bridge to Android Development
Hello Community, I recently read an article about connecting a Windows PC to an Android phone, which got me thinking: we need a similar focus on connecting Chrome OS (via Crostini) to Android devices. Since both Android and Chrome OS are Google products, the integration should be seamless. If Google wants to grow Chrome OS adoption, developers are the ideal first target. However, making it easy for developers to build Android apps on Chrome OS must be a priority, and currently, there are significant friction points. The Technical Blockers My Android development on Chrome OS has been halted for over a month due to persistent issues: ADB Debugging on Managed Devices: My managed Chromebook (I am the admin) has the "Enable ADB debugging" toggle locked. Despite a month of searching, I haven't found a fix. Connection Instability: Both USB and Wi-Fi debugging work intermittently and then fail. I have tested this with a modern Android 15 phone and an older Lollipop tablet; the connection fails on both, pointing to an issue on the Chromebook side. USB File Transfer: There is a known issue transferring files from Crostini to USB devices (requiring a workaround of copying to the Chrome OS files app first). The Strategic Picture Google should not depend on Microsoft Windows for Android development. Chrome OS is already a high-quality product—I use it daily. For example, upgrading my Crostini VM from Debian 12 (Bookworm) to Debian 13 (Trixie) was a pleasure and required no reinstallation. This stability proves Chrome OS is a serious development platform, not just a "cheap" alternative. Addressing the "Aluminum OS" Rumors There is a current campaign discrediting Chrome OS, citing rumors about a new "Aluminum OS." I believe these rumors are misinterpreted. Rather than dropping Chrome OS, it appears Google is aiming for the high-quality device segment. Regardless of naming conventions, Google is walking securely, step-by-step, from a browser to a full OS. Conclusion I strongly advise Google to continue its efforts in making Chrome OS a high-end development platform. The community is involved and patient (a major quality of developers!), but we need these bridge issues—specifically ADB debugging and USB file transfers—solved to fully unlock the potential of the ecosystem.Google Play Protect's new policy for custom DPC
Apparently, Google has a new policy that only approved DPCs can be installed through QR Provisioning; otherwise, their installation will be blocked. Link: https://developers.google.com/android/play-protect/warning-dev-guidance#android_enterprise_dpc_enrollment The problem is that I am not able to understand how to apply for DPC approval. I found this page, but still not able to find out where to apply. Your help is appreciated. Thanks
Common identifier between AMAPI & Require for setup app for validation
We are enrolling devices using AMAPI by generating a QR code with an assigned policy either for work profile or fully managed enrollment. During enrollment, the device prompts for a require for setup app, which, after configuration, returns RESULT_OK, marking the setup as complete and finalizing the device enrollment. Before returning RESULT_OK, To identify the enrolling device, the backend gets the device ID and enterprise ID from the Pub/Sub provisioning notification. The device ID (which matches the GSF ID) is then sent by the require for setup app to the backend for validation. This identifier is also used to enforce enrollment limits based on the enterprise license count. The Issue: Up to Android 14, retrieving the GSF ID was possible. However, in Android 15, it now returns null. Question: Is there an alternative identifier that can be used to identify the enrolling device—one that the backend can retrieve and that the setup app can also access during enrollment? Below is the information we receive from Pub/Sub when a device is enrolled: { "name": [*Hidden for privacy reasons] "managementMode": "PROFILE_OWNER", "state": "PROVISIONING", "enrollmentTime": "2025-04-04T06:17:02.751Z", "lastPolicySyncTime": "2025-04-04T06:17:02.817Z", "softwareInfo": { "androidVersion": "15", "androidDevicePolicyVersionCode": 10323580, "androidDevicePolicyVersionName": "128.32.3 (10323580)", "androidBuildNumber": "AP3A.240905.015.A2", "deviceKernelVersion": "5.15.149-android13-8-00010-gc2e0ba41ba85-ab12040008", "bootloaderVersion": "unknown", "androidBuildTime": "2025-03-11T13:26:50Z", "securityPatchLevel": "2025-03-01", "primaryLanguageCode": "en-IN", "deviceBuildSignature": "c9009d01ebf9f5d0302bc71b2fe9aa9a47a432bba17308a3111b75d7b2143456", "systemUpdateInfo": { "updateStatus": "UP_TO_DATE" } }, "hardwareInfo": { "brand": "Redmi", "hardware": "mt6835", "deviceBasebandVersion": "MOLY.NR17.R1.TC8.PR2.SP.V1.P51,MOLY.NR17.R1.TC8.PR2.SP.V1.P51", "manufacturer": "Xiaomi", "serialNumber": [*Hidden for privacy reasons] "model": "23124RN87I", "enterpriseSpecificId": [*Hidden for privacy reasons] }, "policyName": [*Hidden for privacy reasons] "memoryInfo": { "totalRam": "5865836544", "totalInternalStorage": "806965248" }, "userName": [*Hidden for privacy reasons] "enrollmentTokenName": [*Hidden for privacy reasons] "securityPosture": { }, "ownership": "PERSONALLY_OWNED" } *Updated by Community admin - removed due to privacy reasons 4 AprilEnable ADB debugging is grayed out - This setting is managed by your administrator
This issue was documented in 2021 but with no solution. My Chromebook is managed by my company and I am the manager. But Google tries to find the managed option to unlock for this to work in the administration interface for more than 15 days without success. By the way there are thousands of options in the admin interface it could be a clever feature to number them. If you are in front of the same issue please add your comments to this post. I hope that Google support will succeed to solve the issue soon because I developed my first app for Android on my Chromebook with Android Studio and I was able to download it to my phone before these 15 days.[Feedback] App installs: share your experiences & suggestions
Hello everyone, Our team is always interested to hear your insights around the current employee experience on managed Android devices and profiles (Work Profile). One specific area of focus is the application installation experience, particularly for apps installs that happen while the device is in use (not part of initial setup). The installation experience can vary depending on a variety of factors - the device model and Android version, configuration of your EMM’s DPC client, management mode of the device (fully managed vs. Work Profile), the permissions required by the app, the source of installation, permission policies, etc. Based on your setup, it would be fantastic to hear some of your user experiences and what improvements you’d potentially like to see? I know this is an interesting topic for many of you, so I'm looking forward to hearing your thoughts, feedback and having a good conversation. Massive thanks in advance, Lizzie
