Notification

Duet AI is now Gemini for Google Workspace. Learn more

Pyytämäsi sivu ei ole tällä hetkellä saatavilla kielelläsi. Voit valita toisen kielen sivun alaosasta tai pikakääntää minkä tahansa verkkosivun haluamallesi kielelle Google Chromen sisäänrakennetun käännösominaisuuden avulla.

Turn endpoint verification on or off

Supported editions for this feature: Frontline Starter and Frontline Standard; Business Starter, Business Standard, and Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, Education Plus, and Endpoint Education Upgrade; Essentials, Enterprise Essentials, and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Free and Cloud Identity Premium. Compare your edition

As an administrator, you can use endpoint verification to get details about devices running ChromeOS or Chrome browser that access your organization’s data. For example, you can get information about the OS, device, and user for personal devices and devices owned by your organization. You can also use Context-Aware Access (CAA) to control device access to data based on the device's location, security status, or other attributes. For example, you can require device approval, then create a CAA policy that blocks data access if the device status is Pending approval or Blocked.

Supported computers

  • Apple Mac OS X El Capitan (10.11) and later
  • Devices running ChromeOS 110 and later
  • Linux Debian and Ubuntu
    Note: CPU must support AES instructions.
  • Microsoft Windows 10 and 11

Set up endpoint verification

Open all   |   Close all

Step 1: Turn on endpoint verification in your Admin console

Endpoint verification is usually on by default. If you turned it off, turn it on again.

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenSettingsand thenUniversal.
  3. Click Data accessand thenEndpoint verification.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Check the Monitor which devices access organization data box.
  6. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
Step 2: Install the endpoint verification extension

Option 1: Let users install the extension

For Linux, Mac, and Windows devices, the user can install the extension. For details and user steps, see Set up endpoint verification on your computer.

Option 2: Force-install the extension in the Admin console

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenChromeand thenApps & extensionsand thenUsers & browsers.

    If you signed up for Chrome Browser Cloud Management, go to Menu and then Chrome browserand thenApps & extensionsand thenUsers & browsers.

  3. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. Click Add and thenAdd Chrome app or extension by ID .
  5. In the Extension ID field, enter callobklhcbilhphinckomhgkigmfocg. Copy the code to avoid errors.
  6. Leave From the Chrome Web Store selected and click Save.
  7. In the app options panel that opens, in the Certificate management section:
    1. Next to Allow access to keys, click Turn on .
    2. Next to Allow enterprise challenge, click Turn on .
    3. Close the panel.
  8. In the list of apps, in Endpoint Verification row, click the Down arrow and choose an installation policy:
    • To force install and pin the extension to the browser toolbar on devices running ChromeOS, select Force install + pin to browser toolbar.
    • To force install the extension, select Force install.
    • To have the extension available for users to install themselves, select Allow install.
  9. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Changes can take up to 24 hours but typically happen more quickly. Learn more

Option 3: Use a policy to add the extension to managed devices

Mac, Windows, and Linux devices

Learn how to set Chrome browser policies on managed PCs.

Step 3: If necessary, install the helper app (Mac, Windows, and Linux only)

Endpoint verification has a helper app that's required for the following systems:

  • Windows and Mac with Chrome browser 79 and earlier. To report the password status for Mac devices, the helper app is required, but users aren't prompted to install it if they have Chrome 80 or later.
  • Linux with any version of Chrome browser

If users install the Endpoint Verification extension and the helper app is required, they’re automatically prompted to install the app. For details, see Set up endpoint verification on your computer.

Important:

  • Except for Mac devices, don't install the helper app if the device is already enrolled in endpoint verification and didn't require the helper app. This setup can prevent the device from reporting to the server. If a device isn't reporting, uninstall the helper app.
  • If you’re using client certificate authentication, make sure devices use the correct certificate to connect to secured services, such as internal websites. The endpoint verification helper app creates a self-signed certificate for internal use with Chrome browser. If the self-signed certificate is used for a client certificate request, the connection is refused. Use one or both of the following methods:
    1. On the server, set a list of valid CA names for the client certificate request.
    2. Set the AutoSelectCertificateForUrls Chrome policy to select the trusted certificate.

Install the helper app

To install the helper app on your own or someone else's computer:

  1. Download the helper app for Mac, Windows, or Linux.
  2. Use a third-party software-management tool to install it.
Step 4: (Optional) Set up device approvals
To review each endpoint verification device that accesses your organization's data, require admin approval for device access. You can tag the devices as approved or blocked. You can use the tag as a condition in CAA levels. Note: If you don't set up CAA levels, devices that are pending approval or blocked can still access work data.

Troubleshoot endpoint verification

If users have trouble, they might be able to resolve their issue. For details, see Troubleshoot endpoint verification for users.

If a Mac device doesn’t report password status in the Admin console, make sure the endpoint verification helper app is installed.

If devices with the helper app can’t access secured sites in Chrome browser, make sure that they use the correct certificate to connect. Use one or both of the following methods:

  • On the server, set a list of valid CA names for the client certificate request.
  • Set the AutoSelectCertificateForUrls Chrome policy to select the trusted certificate.

If these solutions don't work, you can contact Google Support. Before you contact support, we recommend you have the user download the endpoint verification logs so that a support specialist can help them resolve their issue faster.

Find users without endpoint verification

You can get a list of users who don't have endpoint verification installed on their device. If you want, you can send an email to ask them to install it.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Menu and then Devicesand thenOverview.
  3. Click Endpoints.
  4. At the top of the devices list, click Add a filter.
  5. Select Exclude: Endpoint Verification.
  6. To email users who don’t have endpoint verification:
    1. Check the box next to each device.
    2. Click Email Users .

      A new email window opens with the users you selected in the To field.

    3. Compose your email and click Send.

Turn off endpoint verification

Devices added after you turn off endpoint verification aren't shown in your Admin console. You still see devices that were monitored before, but device information isn't updated.

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenSettingsand thenUniversal.
  3. Click Data accessand thenEndpoint verification.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Uncheck the Monitor which devices access organization data box.
  6. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Delete a device

When you delete a device, the device no longer syncs work data, but no information is removed from it. The device is added back to the list after the next sync unless a Context-Aware Access policy blocks access. In this case, the device might require approval to sync data again.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Menu and then Devicesand thenOverview.
  3. Click Endpoints.
  4. Select the device you want to remove and click Delete.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
14897365828356548433
true
Search Help Center
true
true
true
true
true
73010
false
false