Manage Chrome devices with Active Directory

If your organization has Chrome Education licenses, use Google Cloud Directory Sync instead.

You can integrate your devices running Chrome OS with a Microsoft® Active Directory® server. Integration joins devices to your domain so that they appear in your domain controllers. You can also manage sessions and push policies to users and devices. You don’t need to synchronize usernames to Google servers. Users sign in to devices using their Active Directory credentials. Using devices as kiosks or digital signage with Active Directory integration isn’t supported at this time.

Before you begin

  • Confirm your device is supported. To use Active Directory to manage Chrome devices you need Chrome OS version 61 or later and your Chromebooks must run on an Intel®-based platform. Chromebooks with ARM chipsets, such as the Samsung® Chromebook Plus, aren’t supported. To confirm that your device is supported, go to chrome://system and scroll to the CPU row. If you see Intel in that row, your device is supported.
  • Already have an account with Admin console access? You can’t use an existing Admin console account to integrate Chrome OS devices with Active Directory. You have to create a new Chrome Enterprise Active Directory account, as shown in step 1. This account can only be used for Active Directory integration. 
  • This feature integrates devices running Chrome OS with servers that are governed by different terms of service. Any data processing conducted by these servers falls outside the terms governing the use of Chrome Enterprise.

Set up your domain and devices

To manage integrated devices, you create a Chrome Enterprise Active Directory integration account. This type of account can only be used to manage devices with Active Directory. You can’t use it to manage devices from the Admin console.

Step 1: Set up a Chrome Enterprise Active Directory trial

To set up the domain and administrator account, you need a name, email address, phone number, business name, and account name (domain prefix).

  1. Sign up for a Chrome Enterprise Active Directory domain.
    1. Click Identity & Management and then Use Chrome Enterprise Active Directory Integration.
    2. Enter details for the trial.
      The email address that you enter in the sign-up process is automatically set as the recovery email for your administrator account.
  2. Click the link in the verification email to configure your account password.
  3. Using your Chrome Enterprise account name and password, sign in to the Google Admin console.
  4. Add a user and assign them an administrator role so that you have a backup.

Step 2: Enroll Chrome devices

Important: Enrolling a Chrome device is a two-step process. First, you enroll the device to Google servers, and then you join the device to your Active Directory domain. Both steps must be completed without restarting the device, so you have to perform both before you deploy a device to a user.

When you set up a Chrome Enterprise domain, you automatically get 10 trial Chrome Enterprise licenses. Each Chrome device that you want to integrate with Active Directory uses one of these licenses.

  1. Using your Chrome Enterprise domain account, sign in to the Google Admin console.
  2. Click Device management and then Chrome devices.
  3. Verify that you have 10 licenses available.
  4. For each device you have, follow the steps in Enroll Chrome devices to enroll your devices with the Google server.

Step 3: Join Chrome devices to the domain

After you enroll a device to the Google server, you’ll be prompted to join the device to the Active Directory domain.

Note: Administrators and users need network line of sight to a domain controller to join the Chrome device to a domain and to authenticate to it initially.

  1. Enter a device name for your device to identify it in the Active Directory server.
  2. Enter your Active Directory username and password.
  3. On your Microsoft® Windows Server® machine:
    1. Open Active Directory Users and Computers.
    2. Confirm that the Chrome device is listed in the Chrome domain.
    3. Move the device to the correct organization to ensure that the correct settings are applied to the device.

On each device you should now see a sign-in screen that allows users to sign in directly with their Active Directory username and password.

Configure your domain and devices for users

Step 4: Configure Group Policy Objects to manage users and devices

To see the policies you can use with Chrome devices, see the policy list documentation.

  1. Download the Chrome OS ADMX templates.
  2. Open the Group Policy Management console.
  3. Create any Group Policy Objects and push them to the relevant organizations and groups for your users and devices.

Step 5: Configure your domain to access the managed Google Play store

  1. Enable Android apps for your domain:
    1. Sign in to the Google Admin console.
    2. Go to Device management and then Chrome management and then Android application settings.
    3. Check the Enable Android applications to be managed through the Admin Console box.
  2. Configure relying party trust on your Microsoft Windows Server.

    Note: Before you begin this step, ensure that an Active Directory Federation Services (AD FS) server has been set up.

    1. In the AD FS Management console, go to AD FS and then Trust Relationships and then Relying Party Trust.
    2. Select Add Relying Party Trust and click Start.
    3. Select Import data about the relying party published online or on local network.
    4. Set the Federation metadata address to

    5. Click Next as needed and then click Close.
    6. In the Edit Claim Rules box, click Add Rule.
    7. Make sure Send LDAP Attributes as Claims is selected and click Next.
    8. Under Attribute Store, select Active Directory.
    9. Under LDAP Attribute, enter objectGUID.
    10. Under Outgoing Claim Type, select Name ID.
    11. Click Finish and then click OK.

      For more information on setting up relying party trust, see the Microsoft website.

  3. Configure SAML settings in the Google Admin console:
    1. Download the AD FS metadata file (federationmetadata.xml) from your server. The file is located on your server, at this location: 
    2. Sign in to the Google Admin console.
    3. Go to Device management and then Chrome management and then Microsoft Active Directory integration settings.
    4. Click Upload Identity Provider Metadata to upload the AD FS metadata file.

    Before users can start using the managed Google Play store on Chrome devices, they are authenticated against this SAML endpoint.
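The relying party trust and claim rule from the AD FS Management console steps above, scripted with the AD FS PowerShell module. This is an added example, not part of the Google help article; the trust name is a placeholder and METADATA_URL_PLACEHOLDER stands in for the federation metadata address the article gives.

```powershell
# Added example (not from the Google help article): creates the Step 5
# relying party trust and the objectGUID -> Name ID claim rule with the
# AD FS PowerShell module instead of the AD FS Management console.
# Assumptions: $trustName is a placeholder display name and $metadataUrl
# must be replaced with the federation metadata address from the article.
Import-Module ADFS

$trustName   = 'Chrome OS managed Google Play'                              # placeholder
$metadataUrl = 'https://METADATA_URL_PLACEHOLDER/FederationMetadata.xml'    # placeholder

# Equivalent of the "Send LDAP Attributes as Claims" rule in the wizard:
# query objectGUID from the Active Directory attribute store and emit it
# as the Name ID claim (the SAML NameID the managed Play store receives).
$claimRules = @'
@RuleName = "objectGUID as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";objectGUID;{0}", param = c.Value);
'@

# Default "permit all users" authorization rule; tighten it to a group
# claim if only part of the directory should reach the Play store.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# "Import data about the relying party published online": monitoring and
# auto-update keep the trust in sync when the relying party rotates keys.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataUrl $metadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceTransformRules $claimRules `
    -IssuanceAuthorizationRules $authzRules

# Verify the trust is enabled and carries only the intended rules.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Enabled, MonitoringEnabled, AutoUpdateEnabled,
                  IssuanceTransformRules, IssuanceAuthorizationRules
```

Run it on the AD FS server as an AD FS administrator; the final Get-AdfsRelyingPartyTrust output is what to check before uploading the metadata file in the next step.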

Step 6: Configure Android apps for users

All apps you approve for the domain will automatically show up for all your users when they open the managed Google Play store.

To approve and configure apps for your users:

  1. Sign in to managed Google Play.
  2. Approve apps for your users. For details, see Manage apps on mobile devices.
  3. Set the Enable ARC (ArcEnabled) policy to true to turn on Google Play store access for your users.
  4. Set up the Configure ARC (ArcPolicy) policy to force the installation of apps to your users and apply managed configurations to them.
  5. Use the Pinned apps (PinnedLauncherApps) policy to pin Android apps (as well as Chrome apps) to the launcher.
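The Step 6 policies (ArcEnabled, ArcPolicy, PinnedLauncherApps) written into a Group Policy Object with the GroupPolicy module, so that the ADMX templates from Step 4 deliver them to devices. This is an added example, not the article's own code; the GPO name, OU distinguished name and Android package name are placeholders, and the registry root Software\Policies\Google\ChromeOS is assumed to be the one the downloaded Chrome OS ADMX templates use.

```powershell
# Added example (not from the Google help article): sets the Step 6 policies
# in a GPO that the Step 4 ADMX templates push to Chrome OS devices.
# Assumptions: GPO name, OU DN and package name are placeholders; the
# registry root below is the Chrome OS ADMX location (check your template).
Import-Module GroupPolicy

$gpoName = 'ChromeOS - Managed Play'                   # placeholder
$ouDn    = 'OU=ChromeDevices,DC=example,DC=com'        # placeholder
$key     = 'HKLM\Software\Policies\Google\ChromeOS'    # assumed ADMX root
$package = 'com.example.placeholderapp'                # placeholder package

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Enable ARC (ArcEnabled): boolean policy, stored as a DWORD (1 = true).
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ArcEnabled' `
    -Type DWord -Value 1 | Out-Null

# Configure ARC (ArcPolicy): JSON string. Force-installs one app and hands
# it a managed configuration; the configuration keys are placeholders.
$arcPolicy = [ordered]@{
    applications = @(
        [ordered]@{
            packageName          = $package
            installType          = 'FORCE_INSTALLED'
            managedConfiguration = [ordered]@{ server_url = 'https://intranet.example.com' }
        }
    )
} | ConvertTo-Json -Depth 5 -Compress
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ArcPolicy' `
    -Type String -Value $arcPolicy | Out-Null

# Pinned apps (PinnedLauncherApps): list policy, one numbered value per entry.
Set-GPRegistryValue -Name $gpoName -Key "$key\PinnedLauncherApps" `
    -ValueName '1' -Type String -Value $package | Out-Null

# Link the GPO to the OU the devices were moved into in Step 3.
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null

# Review the values that will be pushed before deploying to users.
Get-GPRegistryValue -Name $gpoName -Key $key
Get-GPRegistryValue -Name $gpoName -Key "$key\PinnedLauncherApps"
```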

After your trial

Step 7: Convert from a trial to a paid subscription

To continue using an integrated system after your trial period, you must buy Chrome Enterprise annual licenses from a Chrome partner.

  1. Go to the Partner Directory and find a partner that suits your organization.
  2. Decide how many devices you want to manage and buy that number of annual licenses from your partner. Chrome Enterprise annual licenses are the only license type available for Chrome Enterprise Active Directory integration.
  3. Your partner will associate the licenses with the domain that you used for your trial.
