Manage Chrome devices with EMM console

For administrators who manage Chrome devices for a business or enterprise.

As a Chrome administrator, if you have an approved EMM partner, you can use your enterprise mobility management (EMM) console to manage your Chrome devices and policies.

Note: To manage Chrome devices through an EMM partner, you need Chromebook Enterprise devices or standalone devices with Chrome Enterprise Upgrade, in addition to any licenses that are required by your EMM provider. This feature is not available if your organization has Chrome Education Upgrade or Chrome Nonprofit Upgrade.

Approved EMM partners

Approved EMM partners can provide tools to help you manage Chrome devices and policies within your organization. There are 5 approved partners:

  • Cisco© Meraki©
  • Citrix© XenMobile©
  • IBM© MaaS360©
  • ManageEngine© Mobile Device Manager Plus©
  • VMware Workspace ONE®

Considerations when using the EMM console

One console usually suits most admins—you can integrate all the devices together and manage them in one place. However, you can use the EMM console and the Google Admin console together. If you do:

  • EMM console settings take precedence over settings in the Admin console.
  • Devices and users might belong to different organizational units in each console. In turn, the same device might have a different policy in each console.

Turn on access to the EMM console

Step 1: Set up OAuth 2.0

Before you begin, your EMM provider needs to set up OAuth 2.0 to authenticate and authorize APIs. For details, see Using OAuth 2.0 to Access Google APIs.

To use OAuth 2.0, do one of the following: 

  • Log in to the EMM console and accept the OAuth popup message.
  • Set up domain-wide delegation for the EMM’s service account:
    1. Log in to the Admin console.
    2. From the Admin console Home page, go to Security and then Advanced settings and then Manage API client access.
    3. Enter https://www.googleapis.com/auth/chromedevicemanagementapi as an API scope and click Authorize.

Step 2: Set up Admin console privileges for delegated admin

If you use a delegated admin account in your EMM console, you must ensure that the delegated admin has the correct Admin console privileges.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Admin roles.
  3. Click Create a New Role and enter a name for the role.
  4. Click the Privileges tab.
  5. Enable device management privileges:
    1. Admin Console Privileges and then Chrome Management and then Manage Devices. This setting lets the admin list devices.
    2. Admin Console Privileges and then Chrome Management and then Manage Device Settings. This setting lets the admin modify device settings.
  6. Enable user management privileges:
    1. Admin Console Privileges and then Chrome Management and then Manage User Settings. This setting lets the admin modify user settings.
    2. Admin Console Privileges and then Chrome Management and then Manage User Settings and then Manage Application Settings. This setting lets the admin modify user apps.
  7. Enable Admin API Privileges and then Users and then Read. This setting lets the admin read a list of users.
  8. Click Save.
  9. Click the Admins tab.
  10. Click Assign Admins, enter the admin’s email address, and click Confirm Assignment.

Step 3: Turn on access to the EMM console for devices

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices and then Chrome.
  3. Click Device settings.
  4. (Optional) To customize the management level across organizational units, on the left, select an organizational unit.
    Important: By default, devices automatically enroll in the top-level organizational unit. If you are not enabling partner access at the top-level organizational unit, make sure you configure device enrollment for an organizational unit where partner access is enabled. That way, newly enrolled devices are accessible using the EMM partner management console. For more information, see Device Enrollment.
  5. Go to Chrome Management - Partner Access.
  6. Select Enable Chrome Management - Partner Access from the Allow EMM partners access to device management list.
  7. Click OK to agree to enable partner access.
  8. Click Save.
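
The enrollment caveat in step 4 can be checked before rollout. The following is an added example, not part of the original page or any Google tooling: it resolves the effective Partner Access value per organizational unit and lists enrollment targets the EMM console would not see. It assumes child organizational units inherit the parent's value unless overridden; the OU names and the data layout are constructed.

```python
# Constructed sample: per-OU "Chrome Management - Partner Access" device setting.
# None means the OU inherits from its parent. This layout is an assumption,
# not an Admin console export format.
PARTNER_ACCESS = {
    "/": False,
    "/Kiosks": None,
    "/Managed": True,
    "/Managed/Lab": None,
    "/Managed/Lab/Legacy": False,
}


def effective_setting(ou_path, settings):
    """Walk from the OU up to the root and return the nearest explicit value."""
    path = ou_path
    while True:
        value = settings.get(path)
        if value is not None:
            return value
        if path == "/":
            # Assumption: nothing set anywhere is treated as access disabled.
            return False
        path = path.rsplit("/", 1)[0] or "/"


def enrollment_gaps(enrollment_ous, settings):
    """Return enrollment OUs whose devices the EMM console would not see."""
    return sorted(ou for ou in enrollment_ous
                  if not effective_setting(ou, settings))


def ous_with_access(settings):
    """List every known OU where partner access is effectively enabled."""
    return sorted(ou for ou in settings if effective_setting(ou, settings))


if __name__ == "__main__":
    # Constructed: OUs that device enrollment is configured to use.
    targets = ["/", "/Kiosks", "/Managed/Lab", "/Managed/Lab/Legacy"]
    for ou in enrollment_gaps(targets, PARTNER_ACCESS):
        print(f"enrolls outside partner access: {ou}")
    print("partner access enabled in:", ous_with_access(PARTNER_ACCESS))
```

The same `ous_with_access` listing is useful when you stop using the EMM console: it should come back empty once Partner Access is disabled everywhere.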

Step 4: Turn on access to the EMM console for users

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices and then Chrome.
  3. Click User & browser settings.
  4. Go to Chrome Management - Partner Access.
  5. Select Enable Chrome Management - Partner Access from the Allow EMM partners access to device management list.
  6. Click OK to agree to enable partner access.
  7. Click Save.

Step 5: (Optional) Set up Android for your organizational unit

To manage Android apps on Chrome devices, you may need to go to the managed Google Play store to accept the Terms of Service.

Step 6: Verify API permissions for your EMM app

To use the EMM app you must ensure that the correct API permissions are enabled.
  1. Go to Admin Console and then Security and then App Access Control. Do one of the following:
    • Click Manage Third Party App Access and allowlist your EMM app. Learn more.
    • Click Manage Google Services and set GSuite Admin access to Unrestricted.

Stop using the EMM console to manage devices

When you stop using the EMM console to manage devices, the policies that you set (or have already set) in the Admin console are immediately applied to users and devices.

Note: Disabling Chrome management partner access stops you from using an EMM console to manage devices and from using a third party to monitor devices.

To stop using the EMM console, follow the steps below or revoke the OAuth 2.0 authorization. For details, see Revoking a token.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices and then Chrome.
  3. Click Device Settings.
  4. Go to Chrome Management - Partner Access.
  5. Select Disable Chrome Management - Partner Access from the Allow EMM partners access to device management list.
  6. Click Save.
  7. Click User & browser settings.
  8. Go to Chrome Management - Partner Access.
  9. Select Disable Chrome Management - Partner Access from the Allow EMM partners access to device management list.
  10. Click Save.
  11. If you have set an API scope, from the Admin console Home page, go to Security and then Advanced settings and then Manage API client access and remove the https://www.googleapis.com/auth/chromedevicemanagementapi API scope.