Turn endpoint verification on or off

As an administrator, you can use endpoint verification to get details about devices running Chrome OS or Chrome Browser that access your organization’s data. For example, you can see information about the OS, device, and user for personal devices and devices owned by your organization. You can also use Context-Aware Access to control device access to apps based on a device's location, security status, or other attributes.

Supported computers

  • Apple Mac OS X El Capitan (10.11) and later
  • Devices running Chrome OS
  • Linux Debian and Ubuntu
  • Microsoft Windows 7 and 10

Set up endpoint verification

Step 1: Turn on endpoint verification in your Admin console

Endpoint verification is usually on by default. If you turned it off, turn it on again.

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. On the left, click Settings and then Setup.
  4. Click Endpoint Sync.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. Check the Allow desktop reporting via browser extension box.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Step 2: Install the endpoint verification extension

Option 1: Let users install the extension

For Linux, Mac, and Windows devices, the user can install the extension. For details and user steps, see Allow an admin to monitor your computer.

Option 2: Force-install the extension in the Admin console

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Chrome and then Apps and then Apps & extensions.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Point to Add and click Add by ID.
  6. In the Extension ID field, enter callobklhcbilhphinckomhgkigmfocg. Copy the code to avoid errors.
  7. From the menu under the field, select From the Chrome Web Store and click Save.
  8. In the app options panel that opens, in the Certificate management section: 
    1. Next to Allow access to keys, click Turn on.
    2. Next to Allow enterprise challenge, click Turn on.
    3. Close the panel.
  9. In the table of apps, in the Endpoint Verification row, click the Down arrow and choose an option:
    • To force install and pin the app to the toolbar on devices running Chrome OS, select Force install + pin.
    • To force install the app, select Force install.
  10. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Changes typically take effect in minutes, but can take up to 24 hours. For details, see How changes propagate to Google services.  

Option 3: Use a policy to add the extension to managed devices

Mac, Windows, and Linux devices

See Set Chrome Browser policies on managed PCs.
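
As an added example (not part of Google's documentation), the following Python check reads Chrome's managed-policy JSON files on a Linux device and reports whether the Endpoint Verification extension ID from Option 2 appears in the ExtensionInstallForcelist policy. The directory /etc/opt/chrome/policies/managed, the function names, and the sample data are assumptions made for illustration.

```python
import json
import re
from pathlib import Path

# Extension ID given in Step 2, Option 2 of this page.
ENDPOINT_VERIFICATION_ID = "callobklhcbilhphinckomhgkigmfocg"
# Assumption: Google Chrome's managed-policy directory on Linux.
POLICY_DIR = Path("/etc/opt/chrome/policies/managed")
# Chrome extension IDs are 32 characters drawn from a-p.
ID_RE = re.compile(r"[a-p]{32}")


def load_policies(policy_dir=POLICY_DIR):
    """Parse each *.json policy file; map file name -> dict (None if unreadable)."""
    docs = {}
    for path in sorted(Path(policy_dir).glob("*.json")):
        try:
            docs[path.name] = json.loads(path.read_text())
        except (OSError, ValueError):
            docs[path.name] = None
    return docs


def audit(docs, ext_id=ENDPOINT_VERIFICATION_ID):
    """Report whether ext_id is force-installed and list malformed input."""
    forced, problems = False, []
    for name, doc in docs.items():
        if not isinstance(doc, dict):
            problems.append(f"{name}: unreadable or not a JSON object")
            continue
        entries = doc.get("ExtensionInstallForcelist", [])
        if not isinstance(entries, list):
            problems.append(f"{name}: ExtensionInstallForcelist is not a list")
            continue
        for entry in entries:
            # Each entry is "<id>" or "<id>;<update URL>".
            candidate = str(entry).split(";", 1)[0].strip()
            if not ID_RE.fullmatch(candidate):
                problems.append(f"{name}: malformed extension ID {candidate!r}")
            elif candidate == ext_id:
                forced = True
    return {"forced": forced, "problems": problems}


if __name__ == "__main__":
    print(audit(load_policies()))
```

A mistyped ID is reported as a problem instead of silently leaving the device without the extension, which is the error the "Copy the code" advice in Option 2 guards against.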

Step 3: If required, install the native helper (Mac, Windows, and Linux only)

Endpoint verification has a native helper app that's required for the following systems:

  • Windows and Mac with Chrome 79 and earlier
  • Linux with any version of Chrome Browser

If users install the Endpoint Verification extension and the native helper app is required, they’re automatically prompted to install the app. For details, see Set up endpoint verification on your computer.

Note: Don't install the native helper app if the device is already enrolled in endpoint verification and didn't require the helper app. This setup can prevent the device from reporting to the server. If a device isn't reporting, uninstall the native helper app.

To install the native helper app on your own or someone else's computer:

  1. Download the native helper app for Mac, Windows, or Linux.
  2. Use a third-party software-management tool to install it.

Step 4: (Optional) Set up device approvals

You can review each endpoint verification device that accesses your organization's data. You can tag these devices as approved or blocked. You can use the tag to configure access levels with Context-Aware Access. For details, see Control access to corporate data.

Find users without endpoint verification

You can get a list of users who don't have endpoint verification installed on their device. If you want, you can send an email to ask them to install it.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Endpoints.
  4. At the top of the devices list, click Add a filter.
  5. Select Exclude: Endpoint Verification.
  6. To email users who don’t have endpoint verification:
    1. Check the box next to each device.
    2. Click Email Users.

      A new email window opens with the users you selected in the To field.

    3. Compose your email and click Send.

Turn off endpoint verification

Devices added after you turn off endpoint verification aren't shown in your Admin console. You still see devices that were monitored before, but device information isn't updated.

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. On the left, click Settings and then Setup.
  4. Click Endpoint Sync.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. Uncheck the Allow desktop reporting via browser extension box.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Delete a device

When you delete a device, the device no longer syncs work data, but no information is removed from it.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Endpoints.
  4. Select the device you want to remove and click Delete.

 

Google, G Suite, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
