Manage Chrome devices with Active Directory

If your organization has Chrome Education Upgrades, use Google Cloud Directory Sync instead. 

You can integrate your devices running Chrome OS with a Microsoft® Active Directory® server. Integrating joins devices to your domain so you can see them in your domain controllers. You can also manage sessions and push policies to users and devices. You don’t need to synchronize usernames to Google servers. Users sign in to devices using their Active Directory credentials. Using devices as kiosks, managed guest sessions, or digital signage with Active Directory integration isn’t supported at this time.

Before you begin

  • Confirm your device is supported. To use Active Directory to manage Chrome devices you need Chrome OS version 61 or later and your Chromebooks must run on an Intel®-based or AMD-based platform. Chromebooks with ARM chipsets, such as the Samsung® Chromebook Plus, aren’t supported. To confirm that your device is supported, go to chrome://system and scroll to the CPU row. If you see Intel or AMD in that row, your device is supported.
  • This feature integrates devices running Chrome OS with servers that are governed by different terms of service. Any data processing conducted by these servers falls outside the terms governing the use of Chrome Enterprise.
  • You must have an account with access to the Google Admin console on a managed domain with Chrome Enterprise licenses before you start the setup steps below.
  • You need a subscription to Chrome Enterprise Upgrade for each standalone Chrome device that you want to manage, or you need to use Chromebook Enterprise devices. Active Directory integration is not supported for devices with Chrome Education Upgrade or Chrome Nonprofit Upgrade.

Set up your domain and devices

To manage integrated devices, you set the policy to enable Chrome Enterprise Active Directory integration in the Google Admin console.

After you enable Active Directory integration, you can only manage devices through Active Directory. You can no longer use the Google Admin console to manage Chrome devices, and the Device settings page no longer appears in the Google Admin console.

Before you can manage devices with Active Directory, you must wipe and re-enroll all existing devices in the domain (see step 2 below). Enabling Active Directory turns off forced re-enrollment to facilitate this process.

Step 1: Set up devices for Active Directory

Requires super admin privileges

  1. Using your Chrome Enterprise domain account, sign in to the Google Admin console.
  2. Click Device management and then Chrome management.
  3. Click Microsoft Active Directory integration settings.
  4. Select Enable Chromebooks to be managed through the Active Directory Service.
  5. Read the note and click Enable Active Directory Integration.

Step 2: Enroll Chrome devices

Important: Enrolling a Chrome device is a 2-step process. First, you enroll the device to Google servers, and then you join the device to your Active Directory domain. These 2 steps must be completed without the device being restarted. This means you have to perform both steps before you can deploy a device to a user.

  1. Using your Chrome Enterprise domain account, sign in to the Google Admin console.
  2. Click Device management and then Chrome devices.
  3. Verify that you have upgrades available for standalone devices.
  4. For each device you have, follow the steps in Enroll Chrome devices to enroll your devices with the Google server.

Step 3: Join Chrome devices to the domain

After you enroll a device to the Google server, you’ll be prompted to join the device to the Active Directory domain.

Note: Administrators and users need network line of sight to a domain controller (a direct network path to it) to join the Chrome device to a domain and to authenticate to it initially.

  1. Enter a device name for your device to identify it in the Active Directory server.
  2. Enter your Active Directory username and password.
  3. On your Microsoft® Windows Server® machine:
    1. Open Active Directory Users and Computers.
    2. Confirm that the Chrome device is listed in the Chrome domain.
    3. Move the device to the correct organizational unit (OU) to ensure that the correct settings are applied to the device.

On each device you should now see a sign-in screen that allows users to sign in directly with their Active Directory username and password.

Configure your domain and devices for users

Step 4: Configure Group Policy Objects to manage users and devices

To see the policies you can use with Chrome devices, see the policy list documentation.

  1. Download the Chrome OS ADMX templates.
  2. Open the Group Policy Management console.
  3. Create any Group Policy Objects and push them to the relevant organizational units and groups for your users and devices.

Step 5: Configure your domain to access the managed Google Play store

  1. Enable Android apps for your domain:
    1. Sign in to the Google Admin console.
    2. Go to Device management and then Chrome management and then Android application settings.
    3. Check the Enable Android applications to be managed through the Admin Console box.
  2. Configure relying party trust on your Microsoft Windows Server.

    Note: Before you begin this step, ensure that an Active Directory Federation Services (AD FS) server has been set up.

    1. In the AD FS Management console, go to AD FS and then Trust Relationships and then Relying Party Trust.
    2. Select Add Relying Party Trust and click Start.
    3. Select Import data about the relying party published online or on local network.
    4. Set the Federation metadata address to https://m.google.com/devicemanagement/data/api/SAML2.
    5. Click Next as needed and then click Close.
    6. In the Edit Claim Rules box, click Add Rule.
    7. Make sure Send LDAP Attributes as Claims is selected and click Next.
    8. Under Attribute Store, select Active Directory.
    9. Under LDAP Attribute, enter objectGUID.
    10. Under Outgoing Claim Type, select Name ID.
    11. Click Finish and then click OK.

      For more information on setting up relying party trust, see the Microsoft website.

  3. Configure SAML settings in the Google Admin console:
    1. Download the AD FS metadata file (federationmetadata.xml) from your server. The file is located at https://your_ADFS_server_name/federationmetadata/2007-06/federationmetadata.xml.
    2. Sign in to the Google Admin console.
    3. Go to Device management and then Chrome management and then Microsoft Active Directory integration settings.
    4. Click Upload Identity Provider Metadata to upload the AD FS metadata file.

    Before users can start using the managed Google Play store on Chrome devices, they are authenticated through this SAML endpoint.
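The relying party trust in step 2 and the metadata download in step 3 can also be done from PowerShell on the AD FS server, which makes the claim rule reviewable as text and lets you check the token-signing certificate before you upload the metadata file. The script below is an added example, not Google's or Microsoft's own code. It assumes an elevated session on the AD FS server with the ADFS module available; the trust display name is our choice, and your_ADFS_server_name is the placeholder the page itself uses for your server. The federation metadata address and the objectGUID-to-Name ID mapping are the values given in the steps above.

```powershell
# Added example (not from Google or Microsoft): AD FS side of Step 5, substeps 2 and 3.
# Assumptions: run as an AD FS administrator on the AD FS server; $AdfsHost is a
# placeholder; the trust display name below is our own choice.
Import-Module ADFS

$AdfsHost    = "your_ADFS_server_name"                                   # placeholder from the page
$MetadataUrl = "https://m.google.com/devicemanagement/data/api/SAML2"    # federation metadata address from the page
$TrustName   = "Google Chrome device management"                         # display name, our choice

# Same as GUI steps 6-10: "Send LDAP Attributes as Claims", attribute store Active Directory,
# LDAP attribute objectGUID issued as the outgoing Name ID claim.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "objectGUID as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";objectGUID;{0}", param = c.Value);
'@

# Issuance authorization: permit all authenticated users (the wizard's default choice).
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the trust from Google's published metadata (GUI step 3-4), idempotently.
if (-not (Get-AdfsRelyingPartyTrust -Name $TrustName)) {
    Add-AdfsRelyingPartyTrust -Name $TrustName `
        -MetadataUrl $MetadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true `
        -IssuanceTransformRules $IssuanceRules `
        -IssuanceAuthorizationRules $AuthzRules
}

# Review what AD FS actually stored: identifiers taken from Google's metadata and the rule text.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Enabled, Identifier, IssuanceTransformRules

# Step 5.3: fetch federationmetadata.xml and inspect the IdP signing certificate(s)
# before uploading the file in the Admin console.
$MdUrl  = "https://$AdfsHost/federationmetadata/2007-06/federationmetadata.xml"
$MdFile = Join-Path $env:TEMP "federationmetadata.xml"
Invoke-WebRequest -Uri $MdUrl -OutFile $MdFile -UseBasicParsing

[xml]$Md = Get-Content -Path $MdFile -Raw
$Ns = New-Object System.Xml.XmlNamespaceManager($Md.NameTable)
$Ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$Ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

"entityID: " + $Md.SelectSingleNode("/md:EntityDescriptor", $Ns).GetAttribute("entityID")

$SigningCerts = $Md.SelectNodes(
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $Ns)
foreach ($Node in $SigningCerts) {
    $Bytes = [Convert]::FromBase64String($Node.InnerText)
    $Cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Bytes)
    "signing cert: {0}  thumbprint {1}  expires {2:u}" -f $Cert.Subject, $Cert.Thumbprint, $Cert.NotAfter
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Token-signing certificate expires within 30 days; after it rolls, upload the new metadata file in the Admin console again."
    }
}
"Upload this file in the Admin console: $MdFile"
```

The certificate check matters because the Admin console upload is a one-time copy of your metadata: when the AD FS token-signing certificate is renewed, the uploaded copy still carries the old certificate and users will stop authenticating to the SAML endpoint until you repeat step 3.4 with the new file.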

Step 6: Configure Android apps for users

All apps you approve for the domain will automatically show up for all your users when they open the managed Google Play store.

To approve and configure apps for your users:

  1. Sign in to managed Google Play.
  2. Approve apps for your users. For details, see Manage apps on mobile devices.
  3. Set the Enable ARC (ArcEnabled) policy to true to turn on Google Play store access for your users.
  4. Set up the Configure ARC (ArcPolicy) policy to force the installation of apps to your users and apply managed configurations to them.
  5. Use the Pinned apps (PinnedLauncherApps) policy to pin Android apps (as well as Chrome apps) to the launcher.
