Enroll Chrome devices
You need to first enroll your Chrome devices to enforce policies on them set in your Admin console. Each device you enroll adheres to the Chrome settings you set in the Admin console until you wipe or recover the device. If you need to reset the device, do not "powerwash" a managed Chrome device, but instead follow the instructions in Wipe device data.
New devices should always be manually enrolled. Devices that have been previously enrolled, deprovisioned, wiped and placed back into pending are eligible for automatic enrollment if the policy is enabled. Enrollment is allowed via this user policy. Note that enrollment only works for the primary domain and won't apply to the secondary domain or sub-domains.
Manually enroll the device before anyone (including administrators) signs in to the Chrome device. If a user signs in before you enroll the device, the device ignores the Admin console settings, and you must wipe the device and restart the enrollment process.
Turn on the Chrome device and follow the onscreen instructions until you see the sign on screen. Do not sign in yet.
Before signing in to the Chrome device, press the key combination Ctrl-Alt-E. The enrollment screen appears.
Enter the username and password from your Google admin welcome letter, or the username and password for an existing Google Apps user on your account that has eligibility to enroll.You can control which users can enroll in your domain through this policy.
- Click Enroll device. You will receive a confirmation message that the device has been successfully enrolled.
With the release of Chrome version 35, we’ve updated the device re-enrollment process with a new Forced Re-Enrollment device policy. This new feature is on by default, and it’s a more robust way to ensure that wiped or recovered devices remain managed when they’re distributed to users.
Learn more about Forced re-enrollment
How does it work on different versions of Chrome?
Any device enrolled while on Chrome 35+ are eligible for this feature. Once the device has been enrolled, any time it’s factory reset (wiped), a user will be presented with an enrollment screen to the domain it was previously managed by during setup.
Existing devices that were enrolled prior to 35, are now eligible to use this feature once updated to Chrome version 36. However, a device can be manually re-enrolled once updated to version 35 to use this feature.
Benefits of this feature
- If you wipe or recover a device, this setting will make sure that the enrollment screen is the first thing a user sees when restarting the device. This ensures that the user re-enrolls in your domain.
- The user can’t sign in to the device without enrolling the device in your domain.
- Developer mode is blocked in Chrome versions 37 and later. To allow the user enter into developer mode on the Chrome device, you need to turn off Forced re-enrollment for their device's organizational unit.
- The user cannot browse in guest mode or see the consumer sign-in screen. With this feature, you can make sure that the user will only see the enterprise enrollment screen.
- This feature can be set domain-wide or by organizational unit to include only devices in specific sub-organizations.
Who should I contact if I run into issues?
If you run into issues or if forced re-enrollment isn’t working, then please contact Google for Work and Education Support.
I get an "invalid parameters" error when first trying to enroll my Samsung Chromebook
This is a known issue with the Samsung Chromebook 303. You may need to wait at least 90 seconds at the Terms of Service screen when first starting a Chromebook before continuing with enrollment. If you're still experiencing issues, please contact support.
I get an error saying I do not have enough software licenses to enroll this device.
You’ll see this error if you have used all available licenses on previous device enrollments. Please see the Licenses article to learn more about device management license functionality and how to purchase more.
I see the message "This user account is not eligible for the service" when attempting to manually enroll a device.
Double check that the organizational unit in which the enrolled user resides has enrollment permissions enabled.
I get an error saying: “This user account is not eligible for the service”.
You’ll see this error if you are attempting to enroll a device using a user account that isn’t allowed to enroll new or deprovisioned devices. This is controlled by the ‘Enrollment Permissions’ policy and can be changed through the Admin console.