Manage ChromeOS devices with EMM console

For administrators who manage ChromeOS devices for a business.

As an administrator, if you have an approved EMM partner, you can use your enterprise mobility management (EMM) console to manage your ChromeOS devices and policies through an EMM partner.

Note: Your account type determines what Chrome features are available to you. For example, if your organization has an education account and you enroll a ChromeOS device bundled with Chrome Enterprise Upgrade, you can't access Chrome features that are exclusive to enterprise accounts.

Before you begin

You need Chrome Enterprise Upgrade, in addition to any licenses that are required by your EMM provider.
If you purchased devices bundled with Chrome Enterprise Upgrade, enroll at least one device to activate the management service. For details, see Enroll ChromeOS devices.
This feature is not available if your organization has Chrome Education Upgrade or Chrome Nonprofit Upgrade, or if the domain you are using has not been verified.

Approved EMM partners

Approved EMM partners can provide tools to help you manage ChromeOS devices and policies within your organization.

The following are the approved EMM partners:

Approved inventory management partners

You can also use an approved inventory management partner to help you manage your ChromeOS devices (without policy management).

The following are the approved Inventory management partners:

Microsoft Intune

Considerations when using the EMM console

One console usually suits most admins—you can integrate all the devices together and manage them in one place. However, you can use the EMM console and the Google Admin console together. If you do:

EMM console settings take precedence over settings in the Admin console.
Devices and users might belong to different organizational units in each console. In turn, the same device might have a different policy in each console.

Turn on access to the EMM console

Step 1: Set up OAuth 2.0

Before you begin, your EMM provider needs to set up OAuth 2.0 to authenticate and authorize APIs. For details, see Using OAuth 2.0 to Access Google APIs.

To use OAuth 2.0, do one of the following:

Log in to the EMM console and accept the OAuth popup message.
Set up domain wide delegation for the EMM’s service account:
1. Log in to the Admin console.
2. From the Admin console Home page, go to Security API controls.
3. Scroll down to Domain wide delegation and click Manage Domain Wide Delegation.
4. Click Add new and enter https://www.googleapis.com/auth/chromedevicemanagementapi as an API scope.
5. In OAuth Scopes, add each scope that the application can access (should be appropriately narrow). You can use any of the OAuth 2.0 Scopes for Google APIs.
6. Click Authorize. If you get an error, the client ID might not be registered with Google or there might be duplicate or unsupported scopes.

For more details, see Perform Google Workspace Domain-Wide Delegation of Authority.

Step 2: Setup Admin Console privileges for delegated admin

If you use a delegated admin account in your EMM console, you must ensure that the delegated admin has the correct Admin Console privileges.

Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
In the Admin console, go to Menu AccountAdmin roles.
Click Create a new role and enter a name for the role.
Click the Continue.
Enable device management privileges by checking:
1. Admin Console Privileges Chrome Management Manage ChromeOS Devices. This setting lets the admin list devices.
2. Admin Console Privileges Chrome Management Manage ChromeOS Device Settings. This setting lets the admin modify device settings.
Enable user management privileges by checking:
1. Admin Console Privileges Chrome Management Manage User Settings. This setting lets the admin modify user settings.
2. Admin Console Privileges Chrome Management Manage User Settings Manage Application Settings. This setting lets the admin modify user apps.
Scroll down to Admin API Privileges and check Users Read. This setting lets the admin read a list of users.
Click Continue.
Review the privileges and click Create role.
Open the role and under Admins, click Assign role.
Enter the admin’s email address, and click Confirm Assignment.

Step 3: Turn on access to the EMM console for devices

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
From the Admin console Home page, go to DevicesChrome.
Click Settings Device.
(Optional) To customize the management level across organizational units, on the left, select an organizational unit.
Important: By default, devices automatically enroll in the top-level organizational unit. If you are not enabling partner access at the top-level organizational unit, make sure you configure device enrollment for an organizational unit where partner access is enabled. That way, newly enrolled devices are accessible using the EMM partner management console. For more information, see Device Enrollment.
Go to Chrome Management - Partner Access.
From the Allow EMM partners access to device management list, select Enable Chrome Management - Partner Access.
Click OK to agree to enable partner access.
Click Save.

Step 4: Turn on access to the EMM console for users

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
From the Admin console Home page, go to DevicesChrome.
Click Settings Users & browsers.
Go to Chrome Management - Partner Access.
From the Allow EMM partners access to device management list, select Enable Chrome Management - Partner Access.
Click OK to agree to enable partner access.
Click Save.

Step 5: (Optional) Set up Android for your organizational unit

To manage Android apps on ChromeOS devices, you may need to go to the managed Google Play store to accept the Terms of Service.

Step 6: Verify API permissions for your EMM app

To use the EMM app you must ensure that the correct API permissions are enabled.

Go to Admin Console Security API controls App Access Control.
Do one of the following:
- Click Manage Third Party App Access and allowlist your EMM app. Learn more.
- Click Manage Google Services and set Google Workspace Admin access to Unrestricted.

Stop using the EMM console to manage devices

When you stop using the EMM console to manage devices, the policies that you set or have already set in the Admin console are immediately applied to users and devices.

Note: Disabling Chrome management partner access stops you using an EMM console to manage devices and stops you from using a third party to monitor devices.

To quit using the EMM console, follow the steps below or you can revoke OAuth 2.0 authorization. For details, see Revoking a token.

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
From the Admin console Home page, go to DevicesChrome.
Click Settings Device.
Go to Chrome Management - Partner Access.
From the Allow EMM partners access to device management list, select Disable Chrome Management - Partner Access.
Click Save.
Click User & browser settings.
Go to Chrome Management - Partner Access.
From the Allow EMM partners access to device management list, select Disable Chrome Management - Partner Access.
Click Save.
If you have set an API scope, from the Admin Console Home page go to Security API controls.
Click Manage Domain Wide Delegation and remove the https://www.googleapis.com/auth/chromedevicemanagementapi API scope.

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?