Manage Chrome devices with Active Directory

For managed Chromebooks and other devices running Chrome OS.

You can integrate your devices running Chrome OS with a Microsoft® Active Directory® server. Integration joins devices to your domain so that you can see them both on your domain controllers and in the cloud-based Google Admin console. You use Windows Group Policy, not your Admin console, to manage integrated devices and push policies to users and devices. Users sign in to devices with their Active Directory credentials, so you don’t need to synchronize usernames to Google servers.

You can continue to use your Admin console to configure policies and manage devices that aren’t integrated with Active Directory. Users can’t sign in to cloud-managed devices with their Active Directory credentials, so for those devices you need to synchronize the data in your Google domain with your Active Directory.

Before you begin

  • This feature is not available if your organization has Chrome Education Upgrade. Instead, you use Google Cloud Directory Sync to synchronize users from Active Directory and (optionally) you can use G Suite Password Sync to sync user passwords. Then, you use the cloud-based Google Admin console to manage Chrome device policies. Learn more.
  • You cannot use devices managed with Active Directory as kiosks, managed guest sessions, or digital signage. Instead, use your Admin console to configure policies and manage devices.
  • Confirm your device is supported. To use Active Directory to manage Chrome devices you need Chrome OS version 61 or later and your Chromebooks must run on an Intel®-based or AMD-based platform. Chromebooks with ARM chipsets aren’t supported. To confirm that your device is supported, go to chrome://system and scroll to the CPU row. If you see Intel or AMD in that row, your device is supported.
  • Devices running Chrome OS integrate with servers that are governed by different terms of service. Any data processing conducted by these servers falls outside the terms governing the use of Chrome Enterprise.
  • You need a subscription to Chrome Enterprise Upgrade for each standalone Chrome device that you want to manage, or you need to use Chromebook Enterprise devices. Active Directory integration is not supported for devices with Chrome Education Upgrade or Chrome Nonprofit Upgrade.

Set up and configure your domain

Step 1: Turn on Active Directory integration

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices and then Chrome.
  3. Click Settings and then Users & browsers.
  4. Select the top-level organizational unit.
  5. Go to Enrollment controls.
  6. Next to Microsoft® Active Directory®, select Enable Active Directory Management.
  7. Click Save.

Step 2: (Optional) Configure your domain to access the managed Google Play store

You must be signed in as a super administrator for this task.

  1. Configure relying party trust on your Microsoft® Windows Server®.
    Note: Before you begin this step, ensure that an Active Directory Federation Services (AD FS) server has been set up.
    1. In the AD FS Management console, go to AD FS and then Trust Relationships and then Relying Party Trust.
    2. Select Add Relying Party Trust and click Start.
    3. Select Import data about the relying party published online or on local network.
    4. Set the Federation metadata address to https://m.google.com/devicemanagement/data/api/SAML2.
    5. Click Next and then Close.
    6. In the Edit Claim Rules box, click Add Rule.
    7. Make sure Send LDAP Attributes as Claims is selected and click Next.
    8. Under Attribute Store, select Active Directory.
    9. Under LDAP Attribute, enter objectGUID.
    10. Under Outgoing Claim Type, select Name ID.
    11. Click Finish and then OK.
      For more information on setting up relying party trust, see the Microsoft website.
  2. Download the AD FS metadata file (federationmetadata.xml) from your server. The file is located on your server, at this location:
    https://your_ADFS_server_name/federationmetadata/2007-06/federationmetadata.xml.
  3. Configure SAML settings in the Admin console:
    1. Sign in to your Google Admin console.

      Sign in using an account with super administrator privileges (does not end in @gmail.com).

    2. From the Admin console Home page, go to Devices and then Chrome.
    3. Click Settings and then Users & browsers.
    4. Select the top-level organizational unit.
    5. Go to Enrollment controls and then Microsoft Active Directory.
    6. Under Identity Provider Metadata, click Upload.
    7. Browse to the AD FS metadata file and click Open.
    8. Click Save.

Before users can start using the managed Google Play store on Chrome devices, they'll be authenticated on the SAML endpoint.
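The relying party trust and the objectGUID claim rule from Step 2 can also be created from PowerShell on the AD FS server, which makes the configuration reviewable and repeatable. The following is an added example, not a script from Google or Microsoft: the trust display name is an assumption, the metadata address is the one given above, and the ADFS PowerShell module is assumed to be available on the server where you run it as an AD FS administrator.

```powershell
# Added example (not from the Google help article): creates the relying party trust
# and the objectGUID -> Name ID claim rule from Step 2 with the ADFS PowerShell module
# instead of the AD FS Management console. Run on the AD FS server as an AD FS admin.
Import-Module ADFS

$trustName   = 'Google Chrome Device Management'                         # assumed display name
$metadataUrl = 'https://m.google.com/devicemanagement/data/api/SAML2'    # address from Step 2

# Equivalent of "Import data about the relying party published online": AD FS reads
# identifiers, endpoints and the signing certificate from the published metadata.
if (-not (Get-AdfsRelyingPartyTrust -Name $trustName)) {
    Add-AdfsRelyingPartyTrust -Name $trustName -MetadataUrl $metadataUrl
}

# Claim rule equivalent of "Send LDAP Attributes as Claims": read objectGUID from the
# Active Directory attribute store and issue it as the outgoing Name ID claim.
$issuanceRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "objectGUID as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";objectGUID;{0}", param = c.Value);
'@

# Issuance authorization: the wizard's default of permitting all users to use this trust.
$authorizationRule = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules $issuanceRule `
    -IssuanceAuthorizationRules $authorizationRule

# Review the result before continuing; the rules are stored as plain text and can be diffed.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, MetadataUrl, IssuanceTransformRules

# Download the federation metadata file that the next step uploads to the Admin console,
# using the federation service host name rather than the machine name.
$fsHost = (Get-AdfsProperties).HostName
Invoke-WebRequest -Uri "https://$fsHost/federationmetadata/2007-06/federationmetadata.xml" `
    -OutFile .\federationmetadata.xml
```

The federationmetadata.xml written at the end is the file that Step 3 uploads under Identity Provider Metadata.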

Step 3: (Optional) Add domain configuration template

You can use a configuration template to minimize the amount of information that users need to enter when they’re joining their devices to the Active Directory domain. That way, enrolling users are prompted to enter only the Chromebook machine name and choose their configuration, such as sales or engineering.

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices and then Chrome.
  3. Click Settings and then Users & browsers.
  4. Select the top-level organizational unit.
  5. Go to Enrollment controls and then Microsoft Active Directory.
  6. Under Domain Join Configuration, click Upload.
  7. Browse to the configuration file and click Open.
  8. Click Save.

Download an example configuration template file here. You can edit it using a text editor. The configuration template file contains sensitive data, so make sure you encrypt it with a password using this Microsoft PowerShell script. Be sure to change the extension of the output file to .base64, otherwise you may run into issues uploading the file. Enrolling users will need to enter this password when they join Chromebooks to the AD domain.

The example configuration template file includes:

  • Device name—required string
  • Active Directory username—optional string
  • Active Directory password—optional string
  • Organizational unit—optional string
  • Encryption types—optional string, with values strong, all, or legacy
  • Computer name validation regex—optional string
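To catch mistakes before the template is encrypted and uploaded, the added example below (not Google's sample file and not its encryption script) checks a template against the field rules listed above and verifies that the file you are about to upload is the encrypted .base64 output rather than the plaintext. The JSON key names, the Sales and Engineering entries and the file-check helper are assumptions made for this example; take the real key names from Google's sample template file.

```powershell
# Added example (not Google's sample template or encryption script). Key names and
# sample values are assumptions; copy the real key names from Google's sample file.
$sampleTemplate = @'
[
  {
    "name": "Sales",
    "ad_username": "svc-chromejoin@corp.example.com",
    "ad_password": "<placeholder - never store a real one unencrypted>",
    "computer_ou": "OU=Chromebooks,OU=Sales,DC=corp,DC=example,DC=com",
    "encryption_types": "strong",
    "computer_name_validation_regex": "^sales-[a-z0-9]{4,12}$"
  },
  {
    "name": "Engineering",
    "encryption_types": "rc4",
    "computer_name_validation_regex": "^eng-(["
  },
  {
    "ad_username": "svc-chromejoin@corp.example.com"
  }
]
'@

function Test-DomainJoinTemplate {
    param([Parameter(Mandatory)][string]$Json)

    $allowedEncryption = 'strong', 'all', 'legacy'
    $problems = [System.Collections.Generic.List[string]]::new()
    $configs = $Json | ConvertFrom-Json

    for ($i = 0; $i -lt $configs.Count; $i++) {
        $cfg = $configs[$i]
        $label = if ($cfg.name) { $cfg.name } else { "configuration #$i" }

        # name is the only required field in the list above.
        if ([string]::IsNullOrWhiteSpace($cfg.name)) {
            $problems.Add("$label is missing the required name")
        }
        # encryption_types is optional but limited to strong, all or legacy.
        if ($cfg.encryption_types -and $cfg.encryption_types -notin $allowedEncryption) {
            $problems.Add("$label has encryption_types '$($cfg.encryption_types)'; use strong, all or legacy")
        }
        # all and legacy permit RC4 tickets; surface that so the weaker choice is deliberate.
        if ($cfg.encryption_types -in 'all', 'legacy') {
            $problems.Add("$label permits RC4 Kerberos encryption (encryption_types = $($cfg.encryption_types))")
        }
        # A regex that does not compile would reject every device name at join time.
        if ($cfg.computer_name_validation_regex) {
            try { [void][regex]::new($cfg.computer_name_validation_regex) }
            catch { $problems.Add("$label has a computer_name_validation_regex that does not compile") }
        }
    }
    return $problems
}

function Test-DeviceName {
    # Checks a proposed Chromebook machine name against a template's validation regex.
    param([Parameter(Mandatory)][string]$Name, [string]$Pattern)
    if (-not $Pattern) { return $true }     # no regex in the template: every name is accepted
    return [bool]($Name -match $Pattern)
}

function Test-EncryptedTemplateFile {
    # Sanity check on the file you are about to upload: .base64 extension and base64 content.
    param([Parameter(Mandatory)][string]$Path)
    if ([IO.Path]::GetExtension($Path) -ne '.base64') {
        return "rename $Path so that it ends in .base64 before uploading"
    }
    $text = (Get-Content -Path $Path -Raw).Trim()
    # Raw JSON (quotes, braces) is not valid base64, so this also catches an unencrypted template.
    try { [void][Convert]::FromBase64String($text) }
    catch { return "$Path is not base64; it may still be the plaintext template" }
    return "$Path looks like an encrypted template"
}

# Sales passes; Engineering is reported for its encryption type and its regex;
# the third entry is reported for the missing name.
Test-DomainJoinTemplate -Json $sampleTemplate
Test-DeviceName -Name 'sales-a1b2c3' -Pattern '^sales-[a-z0-9]{4,12}$'
Test-EncryptedTemplateFile -Path '.\domain-join-config.base64'   # assumed output file name
```

Run the template check on the plaintext file, encrypt it with the PowerShell script linked above, and then run the file check on the encrypted output before uploading it in the Admin console.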

Step 4: Join devices to the Active Directory domain

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices and then Chrome.
  3. Click Settings and then Users & browsers.
  4. To apply the setting to all users, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Go to Enrollment controls.
  6. For Device Management Mode, select Active Directory.
  7. (Optional) To control which users can enroll devices in your domain, scroll to Enrollment permissions and choose an option:
    • Allow users in this organization to enroll new or re-enroll existing devices—Users can enroll a new device or re-enroll a deprovisioned device. Users can also re-enroll a device that was wiped or factory reset.
    • Only allow users in this organization to re-enroll existing devices (cannot enroll new or deprovisioned devices)—Users can only re-enroll devices that were wiped or factory reset. They can’t enroll new or re-enroll deprovisioned devices.
    • Do not allow users in this organization to enroll new or re-enroll existing devices—Users can not enroll or re-enroll any device, including re-enrolling through forced re-enrollment.
  8. Click Save.

Step 5: Configure Group Policy Objects to manage users and devices

You use Group Policy to apply policies to Chrome devices that are integrated with Active Directory. Settings that you configure in the Admin console don’t apply to devices, except Forced re-enrollment.

Before you begin

  • By default, devices running Chrome OS require Strong encryption (Advanced Encryption Standard), which might not be supported in your environment. If you have issues signing in with Active Directory credentials, go to the DeviceKerberosEncryptionTypes policy, review the supported encryption types, and if RC4 encryption is required, change the encryption type to All or Legacy.
  • To see the policies that you can use with Chrome devices, see the policy list documentation.
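Before changing the default from Strong, it helps to know which Kerberos encryption types your domain actually supports. The added example below (not part of this article) reads the msDS-SupportedEncryptionTypes attribute of the domain controllers and of the computer accounts in the organizational unit that holds your Chromebooks, decodes its bit values, and applies the decision rule from the note above. It assumes the ActiveDirectory RSAT module, read access to the domain, and the organizational unit path shown.

```powershell
# Added example (not from the Google help article): report Kerberos encryption types
# advertised in msDS-SupportedEncryptionTypes before deciding on DeviceKerberosEncryptionTypes.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
$encTypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128-CTS'  = 0x08
    'AES256-CTS'  = 0x10
}

function ConvertFrom-EncryptionTypeMask {
    param($Mask)
    # An unset attribute means the KDC applies its own default; report that instead of guessing.
    if ($null -eq $Mask) { return ,@('(not set)') }
    $names = @(foreach ($entry in $encTypeBits.GetEnumerator()) {
        if ([int]$Mask -band $entry.Value) { $entry.Key }
    })
    if ($names.Count -eq 0) { return ,@('(none)') }
    return ,$names
}

function Get-KerberosEncryptionReport {
    param([Parameter(Mandatory)][string]$ChromebookOu)   # assumed OU that holds the device accounts

    # Domain controllers issue the tickets, so their accounts decide whether AES is available at all.
    $dcAccounts = @(Get-ADDomainController -Filter * | ForEach-Object {
        Get-ADComputer -Identity $_.ComputerObjectDN -Properties 'msDS-SupportedEncryptionTypes'
    })
    # Computer accounts that the Chromebook domain join created.
    $deviceAccounts = @(Get-ADComputer -Filter * -SearchBase $ChromebookOu -Properties 'msDS-SupportedEncryptionTypes')

    foreach ($account in $dcAccounts + $deviceAccounts) {
        $types = ConvertFrom-EncryptionTypeMask $account.'msDS-SupportedEncryptionTypes'
        $known = $types[0] -ne '(not set)'
        [pscustomobject]@{
            Name        = $account.Name
            Role        = if ($account.DistinguishedName -in $dcAccounts.DistinguishedName) { 'DC' } else { 'Device' }
            Types       = $types -join ', '
            SupportsAes = if ($known) { [bool]($types -match '^AES') } else { $null }
            AllowsRc4   = if ($known) { $types -contains 'RC4-HMAC' } else { $null }
        }
    }
}

$report = Get-KerberosEncryptionReport -ChromebookOu 'OU=Chromebooks,DC=corp,DC=example,DC=com'
$report | Format-Table -AutoSize

# Decision rule from the note above: keep Strong unless a domain controller explicitly
# lacks AES; only then consider All (AES plus RC4) or Legacy. Unset DC values need a manual look.
$dcsWithoutAes = $report | Where-Object { $_.Role -eq 'DC' -and $_.SupportsAes -eq $false }
$dcsUnknown    = $report | Where-Object { $_.Role -eq 'DC' -and $null -eq $_.SupportsAes }
if ($dcsWithoutAes) {
    "Strong will fail against: $($dcsWithoutAes.Name -join ', ')"
} elseif ($dcsUnknown) {
    "Attribute not set on: $($dcsUnknown.Name -join ', '); check the KDC default before relying on Strong"
} else {
    'All domain controllers advertise AES; keep DeviceKerberosEncryptionTypes at Strong'
}
```

The Device rows show what each joined Chromebook's computer account advertises, which is useful when a single device cannot sign in while the rest of the fleet works.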

Configure Group Policy Objects

  1. Download the Chrome OS ADMX templates.
  2. Open the Group Policy Management console.
  3. Create any Group Policy Objects and push them to the relevant organizational units and groups for your users and devices.

Step 6: (Optional) Export current cloud policies to Active Directory

You can use your Admin console to export user and device cloud policies as PowerShell script files. Then, you can apply those policies to Chrome devices that you manage using Active Directory.

In your Admin console:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices and then Chrome.
  3. Click Settings.
  4. Choose a settings page, Users & browsers or Device.
  5. To export the settings that are configured for all users or devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. On the far right, click Export settings.
  7. (Optional) If you have access to the Users & browsers and Device settings pages, select whether you want to export user settings, device settings, or both.
  8. Click Export. A PowerShell script automatically downloads to your device.

On your Microsoft® Windows Server® machine:

  1. Open a PowerShell session.
  2. Disable signature verification. Type:
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
    For details, see Microsoft documentation.
  3. Run the PowerShell script that you downloaded.
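The execution-policy change in Step 6 can be limited to the current PowerShell session rather than the user profile, and the downloaded export can be inspected before it runs. The added example below is not part of this article; the script path is an assumption.

```powershell
# Added example (not from the Google help article): review and run the exported policy
# script without leaving a relaxed execution policy behind. The path is an assumption.
$script = 'C:\Exports\chrome-policies.ps1'

# Show whether the export carries an Authenticode signature. A browser download is also
# marked as coming from the internet, which RemoteSigned blocks until the file is unblocked.
Get-AuthenticodeSignature -FilePath $script | Select-Object Status, StatusMessage

# Read the script before executing it.
Get-Content -Path $script -TotalCount 40

# Remove the internet zone marker only after you have reviewed the content.
Unblock-File -Path $script

# Process scope applies to this session only and leaves CurrentUser and LocalMachine unchanged.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

& $script

# Confirm that the persistent scopes were left untouched.
Get-ExecutionPolicy -List
```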

Step 7: (Optional) Configure Android apps for users

All apps you approve for the domain will automatically show up for all your users when they open the managed Google Play store.

To approve and configure apps for your users:

  1. Sign in to managed Google Play.
  2. Approve apps for your users. For details, see Set up managed apps for Android devices.
  3. Set the Enable ARC (ArcEnabled) policy to true to turn on Google Play store access for your users.
  4. Set up the Configure ARC (ArcPolicy) policy to force the installation of apps to your users and apply managed configurations to them.
  5. Use the Pinned apps (PinnedLauncherApps) policy to pin Android apps (as well as Chrome apps) to the launcher.

Set up your devices

Step 8: (Optional) Enroll Chrome devices and join them to the Active Directory domain

Integrating a Chrome device with Active Directory is a 2-step process. First, you enroll the device to Google servers, and then you join it to your Active Directory domain. These 2 steps must be completed without restarting the device. This means that you have to perform both steps before you can deploy a device to a user.

Enroll Chrome devices

Before you start enrolling devices, make sure that the users enrolling them belong to an organizational unit that joins devices to the Active Directory domain (see Step 4 above). If you want to change how a currently enrolled device is managed, you need to wipe and re-enroll it.

Follow the steps in Enroll Chrome devices to enroll your devices with the Google server.

Join devices to the Active Directory domain

Before you begin

  • Admins and users need network line of sight to a domain controller to join the Chrome device to the domain and to authenticate to it for the first time.
  • By default, devices running Chrome OS require Strong encryption (Advanced Encryption Standard), which might not be supported in your environment. If you can't connect to Active Directory when joining the device to a domain, go to Advanced Settings, review the supported encryption types, and if RC4 encryption is required, change the encryption type to All or Legacy.

On each device that you enrolled:

  1. Enter a device name to identify it in the Active Directory server.
  2. If you’re using a domain configuration template:
    1. Enter the password that was used to encrypt the configuration template file (Step 3 above).
    2. Choose a configuration.
  3. If you’re not using a domain configuration template, manually enter the requested information.

On each device you should see a sign-in screen that lets users sign in directly with their Active Directory username and password.

Step 9: Verify that devices are enrolled

On your Microsoft® Windows Server® machine:

  1. Open Active Directory Users and Computers.
  2. Confirm that the Chrome device is listed in the Chrome domain.
  3. Move the device to the desired organizational unit to ensure that the correct settings are applied to it.

In your Admin console:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices and then Chrome.
  3. Click Devices.
  4. On the left, click the organizational unit the device is in.
  5. Find the device.
    Tip: Use the Management Mode filter to list devices that are integrated with Active Directory.
  6. Check to make sure that Management mode is Microsoft Active Directory.
  7. (Optional) Move the device to the organizational unit where you want to manage it. For details, see Move a Chrome device to an organizational unit.
