Force wiped Chrome devices to re-enroll

Chrome version 35 and later.

For administrators who manage Chrome devices for a business or school.

By default, wiped or recovered Chrome devices are forced to re-enroll into your domain after they've been wiped. This ensures that those devices remain managed, and that policies you set are enforced on the device.

How it works

When the Forced Re-Enrollment device policy in your Admin console is turned on and you wipe or recover a device, the enrollment screen is the first thing a user sees when they restart the device. This means that the user has to re-enroll the device into your domain before they can use it. If they don't re-enroll the device, they can't sign in to it, browse in guest mode or see the consumer sign-in screen.

Important: If a device is no longer going to be managed by your domain, deprovision the device. This removes all device policies, so the device won't be forced to re-enroll after it's wiped. You might want to do this if you're returning a device, submitting it for repair or selling it.

Turn Forced Re-enrollment on or off

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Device managementand thenChrome management.

    If you don't see Device management on the Home page, click More controls at the bottom.

  3. Click Device settings.
  4. Select the organization where you want forced re-enrollment to apply.
    Note: By default, an organization inherits the settings of its parent in the organizational tree. However, you can override the inherited setting by explicitly changing the setting for the child organization unit. The new setting applies to devices in that organization unit, and any children of that organization unit.
  5. Configure the Forced Re-enrollment setting:
    • To turn it on, select Force device to re-enroll into this domain after wiping.
    • To turn it off, select Device is not forced to re-enroll after wiping.
  6. At the bottom, click Save. Settings typically take effect within minutes, but it might take up to an hour to propagate through your organization.


  • You can turn on this policy for your entire domain, or by organization unit to include only devices in specific sub-organizations. If you don't want this policy to be applied to specific devices, move those devices into a sub-organization that has the policy disabled.
  • To let the user enter into developer mode on the Chrome device, turn off forced re-enrollment for their device's organizational unit.


Was this article helpful?
How can we improve it?