For administrators who manage Chrome devices for a business or enterprise.
As a Chrome administrator, if you have an approved EMM partner, you can use your enterprise mobility management (EMM) console to manage your Chrome devices and policies.
Note: To manage Chrome devices through an EMM partner, you need Chromebook Enterprise devices or standalone devices with Chrome Enterprise Upgrade, in addition to any licenses that are required by your EMM provider. This feature is not available if your organization has Chrome Education Upgrade or Chrome Nonprofit Upgrade.
Approved EMM partners
Approved EMM partners can provide tools to help you manage Chrome devices and policies within your organization. There are 5 approved partners:
- Cisco© Meraki©
- Citrix© XenMobile©
- IBM© MaaS360©
- ManageEngine© Mobile Device Manager Plus©
- VMware Workspace ONE®
Considerations when using the EMM console
One console usually suits most admins—you can integrate all the devices together and manage them in one place. However, you can use the EMM console and the Google Admin console together. If you do:
- EMM console settings take precedence over settings in the Admin console.
- Devices and users might belong to different organizational units in each console. In turn, the same device might have a different policy in each console.
Turn on access to the EMM console
Step 1: Set up OAuth 2.0
Before you begin, your EMM provider needs to set up OAuth 2.0 to authenticate and authorize APIs. For details, see Using OAuth 2.0 to Access Google APIs.
To use OAuth 2.0, do one of the following:
- Log in to the EMM console and accept the OAuth popup message.
- Set up domain-wide delegation for the EMM’s service account:
  - Log in to the Admin console.
  - From the Admin console Home page, go to Security > Advanced settings > Manage API client access.
  - Enter https://www.googleapis.com/auth/chromedevicemanagementapi as an API scope and click Authorize.
Learn more.
Step 2: Set up Admin Console privileges for delegated admin
If you use a delegated admin account in your EMM console, you must ensure that the delegated admin has the correct Admin Console privileges.
- Sign in to your Google Admin console.
  Sign in using an account with super administrator privileges (does not end in @gmail.com).
- From the Admin console Home page, go to Admin roles.
- Click Create a New Role and enter a name for the role.
- Click the Privileges tab.
- Enable device management privileges:
  - Admin Console Privileges > Chrome Management > Manage Devices. This setting lets the admin list devices.
  - Admin Console Privileges > Chrome Management > Manage Device Settings. This setting lets the admin modify device settings.
- Enable user management privileges:
  - Admin Console Privileges > Chrome Management > Manage User Settings. This setting lets the admin modify user settings.
  - Admin Console Privileges > Chrome Management > Manage User Settings > Manage Application Settings. This setting lets the admin modify user apps.
- Enable Admin API Privileges > Users > Read. This setting lets the admin read a list of users.
- Click Save.
- Click the Admins tab.
- Click Assign Admins, enter the admin’s email address, and click Confirm Assignment.
Step 3: Turn on access to the EMM console for devices
- Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Home page, go to Devices > Chrome.
- Click Device settings.
- (Optional) To customize the management level across organizational units, on the left, select an organizational unit.
Important: By default, devices automatically enroll in the top-level organizational unit. If you are not enabling partner access at the top-level organizational unit, make sure you configure device enrollment for an organizational unit where partner access is enabled. That way, newly enrolled devices are accessible using the EMM partner management console. For more information, see Device Enrollment.
- Go to Chrome Management - Partner Access.
- Select Enable Chrome Management - Partner Access from the Allow EMM partners access to device management list.
- Click OK to agree to enable partner access.
- Click Save.
Step 4: Turn on access to the EMM console for users
- Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Home page, go to Devices > Chrome.
- Click User & browser settings.
- Go to Chrome Management - Partner Access.
- Select Enable Chrome Management - Partner Access from the Allow EMM partners access to device management list.
- Click OK to agree to enable partner access.
- Click Save.
Step 5: (Optional) Set up Android for your organizational unit
Step 6: Verify API permissions for your EMM app
- Go to Admin Console > Security > API controls > App Access Control. Do one of the following:
  - Click Manage Third Party App Access and allowlist your EMM app. Learn more.
  - Click Manage Google Services and set Google Workspace Admin access to Unrestricted.
Stop using the EMM console to manage devices
When you stop using the EMM console to manage devices, the policies that you set (or have already set) in the Admin console are immediately applied to users and devices.
Note: Disabling Chrome management partner access stops you from using an EMM console to manage devices and from using a third party to monitor devices.
To quit using the EMM console, follow the steps below, or revoke the OAuth 2.0 authorization. For details, see Revoking a token.
- Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Home page, go to Devices > Chrome.
- Click Device Settings.
- Go to Chrome Management - Partner Access.
- Select Disable Chrome Management - Partner Access from the Allow EMM partners access to device management list.
- Click Save.
- Click User & browser settings.
- Go to Chrome Management - Partner Access.
- Select Disable Chrome Management - Partner Access from the Allow EMM partners access to device management list.
- Click Save.
- If you have set an API scope, from the Admin Console Home Page go to Security > Advanced settings > Manage API client access and remove the https://www.googleapis.com/auth/chromedevicemanagementapi API scope.