
This asset was published in April 2023 and may contain out-of-date information.

Please visit https://techzone.vmware.com/managing-chrome-os-devices-workspace-one-operational-tutorial for the
latest version.

Managing Chrome OS Devices: Workspace ONE Operational Tutorial

VMware Workspace ONE

Confidential | ©️ VMware, Inc.



Table of contents

Managing Chrome OS Devices: Workspace ONE Operational Tutorial
  Overview
    Audience
Getting Started with Chrome OS Management
  Prerequisites
  Migrate to Newer Version of Chrome OS Management
Enabling Google Chrome Device Management
  Prerequisites
  Enable Chrome Device Management
Integrating Google Device Management with Workspace ONE UEM
  Configure Google integration with Workspace ONE UEM
Enrolling Chrome OS Devices into Workspace ONE UEM
  Enroll Chrome OS Devices
Configuring Chrome OS Profiles using Workspace ONE UEM
  Understanding Configuration Options for Chrome OS Profiles
  Configure Chrome OS User Profile
Summary and Additional Resources
  Additional Resources
  Changelog
  About the Author and Contributors
  Feedback


Managing Chrome OS Devices: Workspace ONE Operational Tutorial


Overview
VMware provides this operational tutorial to help you with your Workspace ONE® environment. This exercise introduces you to
Chrome OS management and walks through detailed steps to enroll and manage Chrome OS devices in Workspace ONE® UEM.

Audience
This tutorial is intended for IT administrators and product evaluators who are looking to manage Chrome OS devices in their new or
existing Workspace ONE UEM tenants. Familiarity with Workspace ONE UEM and the Google Admin console, along with access to
these individual consoles, is assumed. Knowledge of additional technologies such as networking, VPN configuration, and
VMware Workspace ONE® Intelligence is also helpful.


Getting Started with Chrome OS Management


This section covers the prerequisites including how to migrate to a newer version of Chrome OS management. The procedures are
sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next
procedure.

Prerequisites
Before you can perform this exercise, you must have the following installed and configured.

- Workspace ONE UEM tenant version 23.02 and later.
- Google Admin Console account enabled with either a Chrome OS Enterprise upgrade or Chrome OS Education upgrade.
- In addition to the Chrome OS Enterprise or Education upgrade, you must also have available licenses in your
  Workspace ONE UEM account to manage Chrome OS devices.
- Supported Chrome OS device(s) factory reset in out-of-box mode.

Caution: Do not factory reset your personal device to complete these exercises.

Caution: If you have a pre-existing Chrome OS registration linked to a previous version of Workspace ONE UEM, then follow the
steps to migrate from the older version of Chrome OS management to the newer version.

Migrate to Newer Version of Chrome OS Management


1. Log in to your Workspace ONE UEM console.
2. Navigate to Groups & Settings > All Settings.
3. From All Settings, navigate to Devices & Users > Chrome OS > Chrome OS EMM Registration.
4. Select Clear Settings.

5. Next, log in to your Google Workspace Administrator console by navigating to https://admin.google.com.
6. Navigate to Directory > Users.
7. Scroll to find the admin user account that was previously used for Workspace ONE EMM registration. Select the admin
user account.
8. Expand Security.
9. Scroll to Connected Applications and select the edit icon.
10. Remove Workspace ONE as a connected application for this user.

11. Click Done.


Note: Any past Chrome OS profiles must be recreated, as these cannot be migrated from prior versions of Workspace ONE UEM.


Enabling Google Chrome Device Management


In this exercise, you enable partner access to device management from the Google Workspace Admin Console.

Prerequisites
Before performing this exercise, ensure that you have your Google Admin Console credentials.
You also need a Chrome Enterprise upgrade or Chrome Education upgrade enabled for your account.

Enable Chrome Device Management


1. Navigate to https://admin.google.com.
2. Sign in using your Google Admin credentials.
3. From the Homepage, navigate to Devices > Chrome > Settings > Users & Browsers.

4. Next, navigate to User & Browser Settings.


5. Scroll to and select Allow EMM partners access to device management.

6. Select Enable Chrome management – partner access from the drop-down next to Configuration.


Note: EMM Partner access in User & Browser settings must be enabled at the parent organizational unit (OU) level in the Google
Admin console. This setting cannot be enabled at a child OU level, and a child OU will always inherit partner access properties from
the parent OU.
7. Click Save.
8. Next, navigate to Device Settings tab and scroll to Chrome management – partner access.

9. Select Enable Chrome management – partner access from the drop-down.

10. Click OK.


Note: EMM Partner access in Device settings can be enabled at the parent OU level as well as individual child OU levels in the
Google Workspace Admin console.


Integrating Google Device Management with Workspace ONE UEM


In this exercise, you integrate Workspace ONE UEM with Google’s cloud-based APIs for device management using your Google
Admin email account. The procedures are sequential and build upon one another, so make sure that you complete each procedure
in this section before going to the next procedure.

Configure Google integration with Workspace ONE UEM


Begin by entering your Google Workspace email account on the Workspace ONE Console Chrome OS registration setup page. This
redirects you to a Google authorization page to grant permissions to complete setup.
1. Log in to your Workspace ONE UEM console.
2. Navigate to Groups & Settings > All Settings.
3. From All Settings, navigate to Devices & Users > Chrome OS > Chrome OS EMM Registration.

4. Enter your Google Admin Email Address (the same credentials used to log in to the Google Admin Console earlier) and
click Sign in with Google.

Caution: Make sure you have pop-ups enabled in your browser; otherwise, the Google authorization page will not open.
5. Allow the permissions prompt that follows in the pop-up window.


6. Copy the Authorization code from the next window and paste the copied code into the Google Authorization Code field in
your Workspace ONE UEM console. Then select Authorize.

7. Click Test Connection to ensure the connection between Workspace ONE UEM and Google is established. If successful, a
green Test Connection Successful message is displayed.
Tip: Click Device Sync to manually sync new Chrome OS enrollments into the Workspace ONE UEM Console. Workspace ONE UEM
will then sync with your Google Admin console to enroll newly registered devices. This sync is by default automatic and happens
periodically once every hour.
Note: Workspace ONE Extension will automatically download on your enrolled Chrome OS devices. This is a mandatory extension
that is necessary for Chrome OS device management.


Enrolling Chrome OS Devices into Workspace ONE UEM


Device enrollment establishes the device’s communication with the Workspace ONE UEM console and facilitates management. In
this exercise, you enroll your Chrome OS device using the Google admin credentials. The procedures are sequential and build upon
one another, so make sure that you complete each procedure in this section before going to the next procedure.

Enroll Chrome OS Devices


Enrollment is facilitated on a Chrome OS device by using the Google admin credentials. The steps to enroll a supported Chrome OS
device into Workspace ONE UEM are as follows:
1. Boot up a factory-reset Chrome OS device in out-of-box mode.
2. Select Get Started.
3. Next, connect your Chromebook to a Wi-Fi network.
4. On the User setup page, click Enterprise Enrollment or press CTRL + ALT + E.
5. Enter your Google Workspace administrator email account, then click Next.
6. Enter your Google Workspace administrator account’s password. Then click Next.
7. Upon successful enrollment, a success message marking the completion of Enterprise Enrollment is displayed.
8. Click Done.
Your Chromebook is now successfully enrolled into Workspace ONE UEM.
Note: Workspace ONE UEM will sync with your Google Admin console to enroll newly registered devices. This sync is by default
automatic and happens periodically once every hour. You can also navigate back to Workspace ONE UEM > Groups & Settings >
All Settings > Devices & Users > Chrome OS > Chrome OS EMM Registration > Device Sync to sync devices on demand.


Configuring Chrome OS Profiles using Workspace ONE UEM


In this exercise, you explore how to set up and configure a restrictions profile in Workspace ONE UEM to see how enterprise profile
settings apply on a Chrome OS device. The procedures are sequential and build upon one another, so make sure that you
complete each procedure in this section before going to the next procedure.

Understanding Configuration Options for Chrome OS Profiles


Profiles are the mechanism by which Workspace ONE UEM manages settings on a device. All profiles are broken down into two
basic sections: the General section and the Payload section.

- The General section defines the profile's name and description.
- The Payload sections define actions to be taken on the device.

Every profile must have all the required fields in the General section properly filled out and at least one payload configured.

In Workspace ONE UEM, Chrome OS profiles can apply at the device level or the enrollment-user level.

- Device Profiles - Apply to Chrome OS devices regardless of the user logged into the device.
- User Profiles - Apply to Chrome OS devices at the user level, and do not apply to users signed in as guest
  or with a Google Account outside of your organization (such as a personal Gmail account).

Profiles on Chrome OS devices are assigned based on the organizational unit (OU) of the Google Workspace Admin console. During
the creation of a Chrome OS profile, you select the OU(s) that will receive the profile assignment.

- For User Profiles, all user accounts in the selected OU and below will receive the profile payload.
- For Device Profiles, all devices in the selected OU and below will receive the profile payload.
- There could be cases where the User and Device are in different OUs. In such cases, both the profiles will need to be
  assigned appropriately.
Tip: Refer to Add an organizational unit for help creating OU(s) in the Google Workspace Admin console.
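
The OU scoping rules above can be modelled in a few lines to check, before publishing, which profiles actually reach a given user and device. This is an added example, not VMware or Google code; the OU paths and profile names are hypothetical, and the model covers only the "selected OU and below" rule described in this section.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    context: str      # "user" or "device" (the Profile Context chosen in UEM)
    ou_paths: tuple   # Google Workspace OU paths selected at assignment


def in_scope(entity_ou: str, assigned_ou: str) -> bool:
    """True if entity_ou is assigned_ou itself or anywhere below it."""
    base = assigned_ou.rstrip("/")  # the root OU "/" becomes ""
    # Compare whole path segments so "/StaffTemp" is not treated as under "/Staff".
    return entity_ou == assigned_ou or entity_ou.startswith(base + "/")


def effective_profiles(profiles, user_ou, device_ou):
    """Split profile names into those that reach this user and this device."""
    result = {"user": [], "device": []}
    for p in profiles:
        # User profiles follow the user's OU; device profiles follow the device's OU.
        target_ou = user_ou if p.context == "user" else device_ou
        if any(in_scope(target_ou, ou) for ou in p.ou_paths):
            result[p.context].append(p.name)
    return result


# Constructed sample: OU paths and profile names are hypothetical.
PROFILES = [
    Profile("Disallow incognito", "user", ("/Staff",)),
    Profile("Kiosk device restrictions", "device", ("/Devices/Kiosks",)),
    Profile("Staff device restrictions", "device", ("/Staff",)),
]

if __name__ == "__main__":
    # User in /Staff/Sales on a device in /Devices/Shared: no device profile applies.
    print(effective_profiles(PROFILES, "/Staff/Sales", "/Devices/Shared"))
    # Same user on a device that sits under /Staff/Sales: the staff device profile applies.
    print(effective_profiles(PROFILES, "/Staff/Sales", "/Staff/Sales"))
```

The first call shows the case the section warns about: the user receives the user profile, but the device sits in an OU that no device profile covers.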

Configure Chrome OS User Profile


In this procedure, you configure a Security & Privacy User Profile for Chrome OS to deactivate incognito mode.
1. Log in to your Workspace ONE UEM console.
2. Select Resources > Profiles & Baselines > Profiles.
3. Select Add > Add Profile.
4. Select Chrome OS as Platform.
5. Select User Profile in Profile Context.
6. Define the General Settings such as Profile name and add an optional Description in the respective text boxes.
7. Expand the Security & Privacy payload from the payload's menu.
8. Click ADD.


9. Configure the Security & Privacy settings payload as desired. For the purposes of this tutorial, select Disallow
incognito mode to keep the users from browsing the web without storing local data.

10. Click Next.


11. Select the desired Google Workspace OU(s) to assign the profile.

Note: You can select one or more OU(s) to receive the profile assignment.
12. Select Save & Publish.
13. Test to see if the profile was successfully assigned by launching a new tab in incognito mode for your user account on a
Chrome browser. Notice how the option for New incognito window is disabled.

14. Profile deployment can also be verified by navigating to chrome://policy on a Chrome browser. Policies listed in
chrome://policy should match the configuration pushed using Profiles from Workspace ONE UEM for that user or device
in their respective OU.
15. Another way to verify a successful profile deployment is by confirming the configuration in the Google Workspace Admin
console. Start by navigating to Chrome > Settings > Users & browsers (for User profiles) and select the OU that
received the profile assignment from Workspace ONE UEM. Policies listed in this section should match the configuration
pushed from Workspace ONE UEM for that user or device OU.
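
The chrome://policy check in step 14 can be repeated across many devices by saving the page's JSON export and comparing it with the expected policy. This is an added example, not part of the VMware tutorial. It assumes that the Disallow incognito mode setting appears in Chrome as the IncognitoModeAvailability policy with value 1, and because the export layout differs between Chrome versions, it searches for the policy name rather than a fixed path. The sample export is constructed.

```python
import json

# Constructed sample of a chrome://policy JSON export (layout is an assumption).
SAMPLE_EXPORT = json.dumps({
    "policyValues": {"chrome": {"policies": {
        "IncognitoModeAvailability": {
            "level": "mandatory", "scope": "user", "source": "cloud", "value": 1},
    }}}
})

# Expected state for the profile built in this tutorial:
# IncognitoModeAvailability = 1 means incognito mode is disabled.
EXPECTED = {"IncognitoModeAvailability": 1}


def find_policy(node, name):
    """Depth-first search for a policy entry (a dict that has a 'value' key)."""
    if isinstance(node, dict):
        entry = node.get(name)
        if isinstance(entry, dict) and "value" in entry:
            return entry
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_policy(child, name)
        if found is not None:
            return found
    return None


def audit_export(export_text, expected=EXPECTED):
    """Return a list of findings; an empty list means the export matches."""
    export = json.loads(export_text)
    findings = []
    for name, want in expected.items():
        entry = find_policy(export, name)
        if entry is None:
            findings.append(f"{name}: not present (profile not applied to this user or OU)")
        elif entry["value"] != want:
            findings.append(f"{name}: value {entry['value']!r}, expected {want!r}")
        elif entry.get("level") != "mandatory":
            findings.append(f"{name}: level {entry.get('level')!r}, not enforced as mandatory")
    return findings


if __name__ == "__main__":
    print(audit_export(SAMPLE_EXPORT) or "export matches expected policy")
```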


Summary and Additional Resources


This operational tutorial provided steps to enroll and manage Chrome OS devices in Workspace ONE UEM.
Procedures included:

- Enabling Google’s Chrome Device Management.
- Integrating Google device management with Workspace ONE UEM.
- Enrolling Chrome OS devices into Workspace ONE UEM.
- Configuring Chrome OS profiles using Workspace ONE UEM.

For more tutorials on Workspace ONE UEM, see Operational Tutorials on Workspace ONE UEM.

Additional Resources
For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-
step guidance to help you level up your Workspace ONE knowledge. You will find everything from beginner to advanced curated
assets in the form of articles, videos, and labs.

Changelog
The following updates were made to this guide:

Date          Description of Changes
2023/04/14    Guide was published

About the Author and Contributors
Wasif Syed is one of our passionate and innovative Solutions Engineers on the VMware End User Computing (EUC) Subject Matter
Experts (SME) team. With a strong background in Android, iOS, and Chrome OS technologies, Wasif seeks to solve mobility
challenges that face today’s Anywhere Workforce.
Eric Stillman - Product Manager for Android and Chrome OS at VMware End-User Computing.

Feedback
Your feedback is valuable.
To comment on this paper, contact VMware End-User-Computing Technical Marketing at
euc_tech_content_feedback@vmware.com.



Copyright © 2023 VMware, Inc. All rights reserved. VMware, Inc. 3401 Hillview Avenue Palo Alto CA
94304 USA Tel 877-486-9273 Fax 650-427-5001
VMware and the VMware logo are registered trademarks or trademarks of VMware, Inc. and its subsidiaries in the United States and other
jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. VMware products are covered by
one or more patents listed at http://www.vmware.com/go/patents. Item No: vmw-wp-tech-temp-uslet-word-2021 8/21
