Integrate Chrome devices with Active Directory

You can only use Microsoft® Active Directory® to manage Chrome devices if you have Chrome Enterprise licenses. If your organization has Chrome Education licenses, use Google Cloud Directory Sync instead.

You can integrate your organization’s Chrome devices with an Active Directory server to easily join devices to your domain and see them in your domain controllers. You can also manage sessions and push policies to users and devices. Your users can use their Active Directory credentials to sign in to devices. And, you don’t need to synchronize their usernames to Google device-management servers.

Before you begin

  • Already have an account with Admin console access? You can’t use your existing Chrome Enterprise, Chrome Education, or G Suite account to integrate Chrome devices with Active Directory. If you want to set up and manage integrated devices, you need to create a new (separate) Chrome Enterprise domain and account (steps below).
  • To use Active Directory to manage your Chrome devices, you need Chrome OS version 61 or later, and your Chromebooks must run on x86 platforms. Chromebooks with ARM chipsets, such as Samsung® Chromebook Plus, aren’t supported.
  • Enrolling a Chrome device is a two-step process. First, you enroll the device with your Google server, and then you join the device to your domain. Both steps must be completed without restarting the device in between, so you have to perform both before you can deploy a device to a user.
  • Administrators and users need line of sight to a domain controller to join the Chrome device to a domain and to authenticate to it initially.
  • This feature integrates Chrome devices with servers that are governed by different terms of service. Any data processing conducted by these servers falls outside the terms governing the use of Chrome Enterprise.

Set up your domain and devices

Step 1: Set up a Chrome Enterprise domain

To set up the domain and administrator account, you need a name, email address, phone number, business name, and account name (domain prefix). 

  1. Sign up for a Chrome Enterprise domain.

    The email address you enter in the sign-up process is automatically set as the recovery email for your administrator account.

  2. Click the link in the verification email to configure your account password.
  3. Using your Chrome Enterprise account name and password, sign in to the Google Admin console.
  4. Add a user and assign them an administrator role so that you have a backup.

Step 2: Enroll Chrome devices

When you set up a Chrome Enterprise domain, you automatically get 10 trial Chrome Enterprise licenses. Each Chrome device that you want to integrate with Active Directory uses one of these licenses.

  1. Using your Chrome Enterprise domain account, sign in to the Google Admin console.
  2. Click Device management and then Chrome devices.
  3. Verify that you have 10 licenses available.
  4. For each device you have, follow the steps in Enroll Chrome devices to enroll your devices with the Google server.

If you want to continue using an integrated system after your trial period, you need to buy Chrome Enterprise annual licenses from a Chrome partner.

Step 3: Join Chrome devices to the domain

After you enroll a device with the Google server, you’ll be prompted to join the device to the Chrome domain.

  1. Enter a device name for your device to identify it in the Active Directory server.
  2. Enter your Active Directory username and password.
  3. On your Microsoft® Windows Server® machine:
    1. Open Active Directory Users and Computers.
    2. Confirm that the Chrome device is listed in the Chrome domain.
    3. Move the device to the correct organization to ensure that the correct settings are applied to the device.

On each device you should now see a sign-in screen that allows users to sign in directly with their Active Directory username and password.

Configure your domain and devices for users

Step 4: Configure Group Policy Objects to manage users and devices

To see the policies you can use with Chrome devices, see the policy list documentation.

  1. Download the Chrome OS ADMX templates.
  2. Open the Group Policy Management console.
  3. Create any Group Policy Objects and push them to the relevant organizations and groups for your users and devices.

Step 5: Configure your domain to access the managed Google Play store

  1. Enable Android apps for your domain:
    1. Sign in to the Google Admin console.
    2. Go to Device management and then Chrome management and then Android application settings.
    3. Check the Enable Android applications to be managed through the Admin Console box.
  2. Configure relying party trust on your Microsoft Windows Server.

    Note: Before you begin this step, ensure that an Active Directory Federation Services (AD FS) server has been set up.

    1. In the AD FS Management console, go to AD FS and then Trust Relationships and then Relying Party Trust.
    2. Select Add Relying Party Trust and click Start.
    3. Select Import data about the relying party published online or on local network.
    4. Set the Federation metadata address to

    5. Click Next as needed and then click Close.
    6. In the Edit Claim Rules box, click Add Rule.
    7. Make sure Send LDAP Attributes as Claims is selected and click Next.
    8. Under Attribute Store, select Active Directory.
    9. Under LDAP Attribute, enter objectGUID.
    10. Under Outgoing Claim Type, select Name ID.
    11. Click Finish and then click OK.

      For more information on setting up relying party trust, see the Microsoft website.

  3. Configure SAML settings in the Google Admin console:
    1. Download the AD FS metadata file (federationmetadata.xml) from your server. The file is located on your server, at this location: 
    2. Sign in to the Google Admin console.
    3. Go to Device management and then Chrome management and then Microsoft Active Directory integration settings.
    4. Click Upload Identity Provider Metadata to upload the AD FS metadata file.

    Before users can start using the managed Google Play store on Chrome devices, they'll be authenticated on the SAML endpoint.
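The same relying party trust and claim rule that steps 2.1 through 2.11 create in the AD FS Management console, as an added example done with the AD FS PowerShell module (this is not code from the article; the federation metadata URL is a placeholder because the page does not reproduce it, and the trust name is an assumption):

```powershell
# Added example: create the Chrome OS / managed Google Play relying party trust
# from PowerShell. Run as an AD FS administrator on the AD FS server.
Import-Module ADFS

$MetadataUrl = 'https://<google-federation-metadata-address>'   # placeholder, see step 2.4
$TrustName   = 'Chrome OS managed Google Play'                   # assumed display name

# Equivalent of "Send LDAP Attributes as Claims" with Attribute Store = Active
# Directory, LDAP Attribute = objectGUID, Outgoing Claim Type = Name ID.
# objectGUID is binary in AD; AD FS base64-encodes it in the issued claim.
$ClaimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "objectGUID as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";objectGUID;{0}", param = c.Value);
'@

# Import the relying party's metadata from the published URL (the wizard's
# "Import data about the relying party published online or on local network").
# Monitoring + auto-update keep the trust's certificates current when the
# partner rotates them. -AccessControlPolicyName exists on Windows Server 2016
# and later; on 2012 R2 supply -IssuanceAuthorizationRules instead.
Add-AdfsRelyingPartyTrust -Name $TrustName `
                          -MetadataUrl $MetadataUrl `
                          -IssuanceTransformRules $ClaimRules `
                          -AccessControlPolicyName 'Permit everyone' `
                          -MonitoringEnabled $true `
                          -AutoUpdateEnabled $true

# Verify: the trust exists, is enabled, and carries only the Name ID rule.
$Trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$Trust | Select-Object Name, Enabled, MetadataUrl, AutoUpdateEnabled, LastMonitoredTime
$Trust.IssuanceTransformRules
```

After this, the federationmetadata.xml you upload in step 3 advertises the signing certificate that signs the Name ID assertion, so check the certificate shown in the Admin console matches the AD FS token-signing certificate.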

Step 6: Configure Android apps for users

All apps you approve for the domain will automatically show up for all your users when they open the managed Google Play store.

To approve and configure apps for your users:

  1. Sign in to managed Google Play.
  2. Approve apps for your users. For details, see Manage apps on mobile devices.
  3. Set the Enable ARC (ArcEnabled) policy to true to turn on Google Play store access for your users.
  4. Set up the Configure ARC (ArcPolicy) policy to force the installation of apps to your users and apply managed configurations to them.
  5. Use the Pinned apps (PinnedLauncherApps) policy to pin Android apps (as well as Chrome apps) to the launcher.
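Steps 4 and 6 together, as an added example that is not from the article: once the Chrome OS ADMX templates are imported, the three policies named above (ArcEnabled, ArcPolicy, PinnedLauncherApps) are set on a GPO with the GroupPolicy module. The GPO name, OU, package name, the registry key the ADMX maps to, and the ArcPolicy JSON keys are assumptions to check against the policy list documentation.

```powershell
# Added example: configure the Step 6 policies on a GPO and link it to the OU
# that holds the joined Chrome devices. Run on a domain-joined admin host with RSAT.
Import-Module GroupPolicy

$GpoName  = 'Chrome OS - Android apps'                 # placeholder
$TargetOu = 'OU=Chrome Devices,DC=example,DC=com'      # placeholder
$Key      = 'HKLM\Software\Policies\Google\ChromeOS'   # assumed key from the Chrome OS ADMX

$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) { $Gpo = New-GPO -Name $GpoName }

# Enable ARC (ArcEnabled): boolean policy, stored as a DWORD.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'ArcEnabled' -Type DWord -Value 1 | Out-Null

# Configure ARC (ArcPolicy): a JSON string. Build it from a hashtable so quoting is
# handled by ConvertTo-Json; FORCE_INSTALLED pushes the app, PROMPT leaves runtime
# permission grants to the user rather than auto-granting them.
$ArcPolicy = @{
    applications = @(
        @{ packageName             = 'com.example.approvedapp'   # placeholder package
           installType             = 'FORCE_INSTALLED'
           defaultPermissionPolicy = 'PROMPT'
           managedConfiguration    = @{ serverUrl = 'https://intranet.example.com' } }
    )
    defaultPermissionPolicy = 'PROMPT'
} | ConvertTo-Json -Depth 5 -Compress
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'ArcPolicy' -Type String -Value $ArcPolicy | Out-Null

# Pinned apps (PinnedLauncherApps): a list policy; ADMX list policies are written as
# numbered string values under a subkey named after the policy.
$Pinned = @('com.example.approvedapp')                  # Android package names or Chrome app IDs
for ($i = 0; $i -lt $Pinned.Count; $i++) {
    Set-GPRegistryValue -Name $GpoName -Key "$Key\PinnedLauncherApps" -ValueName "$($i + 1)" -Type String -Value $Pinned[$i] | Out-Null
}

# Link the GPO to the OU the devices were moved into in Step 3, if not already linked.
if (-not ((Get-GPInheritance -Target $TargetOu).GpoLinks.DisplayName -contains $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Review what was written before devices pick it up.
Get-GPRegistryValue -Name $GpoName -Key $Key | Format-Table ValueName, Type, Value
```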
