Turn endpoint verification on or off

As an administrator, you can use endpoint verification to see details about devices running Chrome OS or Chrome Browser that access your organization’s data. For example, you can see information about the OS, device, and user. You can see users’ personal computers as well as those that are owned by your organization. 

Supported computers

  • Apple® Mac® OS X® El Capitan (10.11) and later
  • Devices running Chrome OS
  • Linux® Debian® and Ubuntu®
  • Microsoft® Windows® 7 and 10

Set up endpoint verification

Open all   |   Close all

Step 1: Turn on Endpoint Sync in your Admin console

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

To see computers in your organization, Endpoint Sync needs to be turned on in your Admin console. It’s usually on by default. If you turned it off, follow these steps to turn it on again:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.

    To see Devices, you might have to click More controls at the bottom.

  3. On the left, under Mobile, click Setup.
  4. Click Endpoint Sync.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. Check the Allow desktop reporting via browser extension box.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
Step 2: Install the endpoint verification extension

Option 1: Let users install the extension

For Linux, Mac, and Windows devices, the user can install the extension. For details and user steps, see Allow an admin to monitor your computer.

Option 2: Force-install the extension in the Admin console

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devicesand thenChrome management.

    If you don't see Devices on the Home page, click More controls at the bottom.

  3. Click Apps & extensions.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Under Users & Browsers, click Endpoint Verification.
  6. Point to Add and click Add by ID Add by ID.
  7. In the Extension ID field, enter callobklhcbilhphinckomhgkigmfocg. Copy the code to avoid errors.
  8. From the menu under the field, select From the Chrome Web Store and click Save.
  9. On the right, under Certificate management, next to Allow access to keys and Allow enterprise challenge, click Turn on Turn on.
  10. Next to Endpoint Verification, click the Down arrow Down Arrow and choose an option:
    • To force install and pin the app to the toolbar on devices running Chrome OS, select Force install + pin.
    • To force install the app, select Force install.
  11. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
    Settings typically take effect in minutes. But they might take up to 24 hours to apply for everyone.

Option 3: Use a policy to add the extension to managed devices

Mac, Windows, and Linux devices

See Set Chrome Browser policies on managed PCs.

Step 3: Install the native helper (Mac, Windows, and Linux only)

If users install the Endpoint Verification extension, they’re automatically prompted to install the native helper app. For details, see Set up Endpoint Verification.

If you (as an admin) install the extension, you need to install the native helper app.

  1. Download the native helper app for Mac, Windows, or Linux.
  2. Use a third-party software-management tool to install it.
Step 4: Set up device approvals (optional)
As an administrator, you can individually review each endpoint verification device that accesses corporate data. You can tag these devices as approved or blocked. You can use the tag to configure access levels in Access Context Manager. For details, see Control access to corporate data.

Find users without endpoint verification

You can find a list of users who do not have endpoint verification installed on their device. If you want, you can send an email to ask them to install it.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.

    To see Devices, you might have to click More controls at the bottom.

  3. Click Endpoints.
  4. At the top of the devices list, click Add a filter.
  5. Select Exclude: Endpoint Verification
  6. If you want to email users who don’t have endpoint verification:
    1. Check the box next to each user.
    2. Click Email Users Email.
      A new email window opens with the users you selected in the To field.
    3. Compose your email and click Send.

Turn off endpoint verification

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

If you turn off endpoint verification, you will not see any computers added after that in your Admin console. You will still see computers that were monitored before, but device information is not updated.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.

    To see Devices, you might have to click More controls at the bottom.

  3. On the left, under Mobile, click Setup.
  4. Click Endpoint Sync.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. Uncheck the Allow desktop reporting via browser extension box.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Delete a device

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.

    To see Devices, you might have to click More controls at the bottom.

  3. Click Endpoint Verification.
  4. Select the device you want to remove and click Delete.
Was this helpful?
How can we improve it?