Chrome Enterprise and Education

Planning your return to office strategy? See how Chrome OS can help.

Set up Chrome Browser Cloud Management

2. Enroll cloud-managed Chrome browsers

After you have access to your Google Admin console, here's how to enroll the devices where you want to manage Chrome browsers. You'll then be able to enforce policies for any users who open Chrome browser on an enrolled device.

Step 1: Generate enrollment token

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devicesand thenChrome.
  3. Click Managed browsers.
  4. (Optional) To add browsers in the top-level organization in your domain, keep Include all organizational units selected. Alternatively, you can generate a token that will enroll browsers directly to a specific organizational unit by selecting it in the left navigation before moving on to the next step. For more information, see Add an organization unit.
  5. At the bottom, click Enroll browsers Add question to generate an enrollment token.
    Note: If this is your first browser enrollment, you are prompted to accept the Chrome Browser Cloud Management (CBCM) Terms of Service.
  6. In the box, click Copy Make a copy to copy the enrollment token.

Step 2: Enroll browsers with the enrollment token

CBCM currently has a limit on the number of browsers that can be enrolled simultaneously. We recommend that you enroll no more than 150 browsers per minute. We are working on significantly increasing the limit in a future release.

Enroll browsers on Windows

Option 1: Use the Group Policy Management Editor

Using Windows Server Management to access the Group Policy Management Editor, add the value of the enrollment token that you copied above to the CloudManagementEnrollmentToken policy in:

  • Administrative templatesand thenGoogleand thenGoogle Chromeand thenThe enrollment token of cloud policy on desktop

For details about how to install and configure policy templates, go to Set Chrome Browser policies on managed PCs.

Option 2: Edit the registry file

Under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome, set CloudManagementEnrollmentToken to the generated token you copied above.

Clear the current enrollment if one exists using:
-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Enrollment
-HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Enrollment

(Optional) By default, if enrollment fails, for example if the enrollment token is invalid or revoked, Chrome will start in an unmanaged state. Instead, if you want to prevent Chrome browser from starting if enrollment fails, set CloudManagementEnrollmentMandatory under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome to true

Notes:

  • The token must be set at a local machine level. It won't work at the user level. If you are repurposing an existing machine that has already been enrolled in CBCM, you need to remove management tokens from it. For details, read Stop managing Chrome browser.
  • If the machines you are enrolling are imaged from the same Microsoft Windows source, make sure that you have used Microsoft's System Preparation tool (Sysprep) with the /generalize option so that each enrolled machine has a unique identifier. Make sure that the MachineGUID is unique so that CBCM identifies each device as an individual machine.
    You can check the value of MachineGuid in the registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Option 3: Download the reg file

Click Download .reg file. The downloaded .reg file automatically adds the token and clears the current enrollment when run.

When you use the reg file, Chrome browser will still respect the CloudManagementEnrollmentMandatorypolicy in Option 1, blocking launch if enrollment fails. See the note above if you're enrolling machines imaged from the same Windows source.

Option 4: Deploy an enrollment token in VMware Workspace One

You can use VMware Workspace ONE to generate a CBCM enrollment token and enroll your Chrome browsers. See Enroll browsers with VMware Workspace One (Windows and macOS).

Enroll browsers on macOS

Option 1: Use a policy

Push the token to your browser as a policy named CloudManagementEnrollmentToken. To set policies on Apple Mac devices, you must use mobile management software, such as, Apple Profile Manager, Jamf, Workspace ONE, and so on.

Note: If you choose to manually set policies, be aware that macOS will delete the policy files on every sign-in. Learn more about setting up policies on Mac in the Quick Start Guide and help center.

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, set CloudManagementEnrollmentMandatory to true

Option 2: Download the text file

Click Download file. If needed, create a /Library/Google/Chrome/ folder on your device. Put the file under /Library/Google/Chrome/. You need to add the text file at device level. It won't work if you add it at user level.

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, create a file called CloudManagementEnrollmentOptions under /Library/Google/Chrome/ with the text Mandatory (case sensitive). This file must be encoded as a .txt file, but should not have the .txt filename extension.

If a token is pushed using both methods above, Chrome will use the value present in the policy and ignore the file. The token is stored in a directory under the home directory on the user's Mac. Each macOS user must enroll separately.

Option 3: Deploy an enrollment token in Jamf Pro

You can use Jamf Pro version 10.19 or later to generate a CBCM enrollment token and enroll your Chrome browsers. See Enroll browsers with Jamf Pro (macOS).

Option 4: Deploy an enrollment token in VMware Workspace One

You can use VMware Workspace ONE to generate a CBCM enrollment token and enroll your Chrome browsers. See Enroll browsers with VMware Workspace One (Windows and macOS).

Enroll browsers on Linux

The token can be pushed by creating a text file called CloudManagementEnrollmentToken, under /etc/opt/chrome/policies/enrollment. This file must only contain the token and nothing else. Alternatively, you can click Download file (Mac & Linux).

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, create a file called CloudManagementEnrollmentOptions under /etc/opt/chrome/policies/enrollment/ with the text Mandatory (case sensitive). This file must be encoded as a .txt file, but should not have the .txt filename extension.

Note: To ensure that enrollment and reporting work correctly, /etc/machine-id should be unique per machine.

Enroll browsers on Android

For details on how to manage Chrome browser on Android devices, see Set up Chrome Browser Cloud Management for Android.

Enroll browsers on iOS

For details on how to manage Chrome browser on iOS devices, see Set up Chrome Browser Cloud Management for iOS.

Step 3: Launch Chrome browser and confirm enrollment

  1. After setting the enrollment token using one of the methods in Step 2, quit Chrome browser (if it's open) and launch Chrome browser on the managed device.
  2. Sign in to the Google Admin console (admin.google.com).
  3. From the Admin console Home page, go to Devicesand thenChromeand thenManaged browsers.
  4. To show all managed browsers, check the Include all organizational units box. Otherwise, select a child organizational unit.
  5. (Optional) To see additional details, click a machine's name.

Notes:

  • If you have multiple installations of Chrome browser on a single device, they will show up in the browser list as a single managed browser.
  • Enrollment tokens are only used during enrollment. After enrollment, they can be revoked in the Admin console. However, enrolled browsers will still be registered.
  • On Windows, only system installations are supported because Chrome browser requires admin privileges to register.

Just after registering, not many fields are populated. You need to enable browser reporting to access detailed reporting information. For more information, see Step 4: Enable Chrome browser reporting.

Manage tokens and devices

Revoke and regenerate enrollment token

For each organizational unit, there can only be one active enrollment token. If you need to pause enrollment, you can permanently revoke the token for a specific organizational unit and regenerate a new one. You’ll use the new token to enroll new browsers. Devices that you already enrolled with the revoked token remain active and enrolled.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devicesand thenChrome.
  3. Click Managed browsers.
  4. To show all managed browsers, check the Include all organizational units box. Otherwise, select a child organizational unit.
  5. At the bottom, click Enroll browsers Add question.
  6. Click Revoke and regenerate token.
  7. Click Copy Make a copy to copy the new enrollment token.
  8. Click Done.
View enrollment token history
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devicesand thenChrome.
  3. Click Managed browsers.
  4. To show all managed browsers, check the Include all organizational units box. Otherwise, select a child organizational unit.
  5. At the bottom, click Enroll browsers Add question.
  6. Click View token history.
Unenroll a device

Unenrolling a browser from CBCM removes the cloud policies that were on the device, and sets its device token as invalid the next time Chrome is opened, or the next time Chrome tries to contact CBCM. Platform policies and cloud-based user policies are not affected. Unenrolling devices from CBCM also deletes the data that's already uploaded to the Admin console.

To unenroll a Chrome browser:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devicesand thenChrome.
  3. Click Managed browsers.
  4. To show all managed browsers, check the Include all organizational units box. Otherwise, select a child organizational unit.
  5. Check the box next to the browser that you want to delete.
  6. At the top, click Delete selected browsers "".
  7. Click Delete.
Enrollment and device tokens locations

If you need to read or modify the enrollment token of a Chrome browser manually, it can be found at this location:

  • Windows—Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome and check CloudManagementEnrollmentToken.
  • Mac—Go to /Library/Google/Chrome/CloudManagementEnrollmentToken. Or, if the token was deployed with a configuration profile, use your preferred mobile device management tool to access it.
  • Linux—Go to /etc/opt/chrome/policies/enrollment and check CloudManagementEnrollmentToken.

If you need to read or modify the device token of a Chrome browser manually, it can be found at this location:

  • Windows—The device token is written to two locations, which should match. To check the value, go to HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Enrollment or HKEY_LOCAL_MACHINE\Software\Google\Chrome\Enrollment and check dmtoken.
  • Mac—Go to ~/Library/Application Support/Google/Chrome Cloud Enrollment or /Library/Application Support/Google/CloudManagement. The device token file name is a hash of the device’s serial number and can sometimes be difficult to identify.
  • Linux—Go to $user_data_dir/policy/Enrollment. The device token file name is the DeviceID, as listed at chrome://policy.
    Note: To see the user data directory ($user_data_dir), which contains the device token, go to chrome://version, find the Profile Path, and remove the last path component. For example, the user data directory for a profile in ~/.config/google-chrome/Default is ~/.config/google-chrome.

Note: Deleting the device token while keeping the enrollment token will result in the Chrome browser re-enrolling itself on its next restart.

Re-enroll a device

If you accidentally delete a device in the Admin console, you can re-enroll it.

On the managed device:

  1. Close Chrome browser.
  2. Delete the device token.
    • Windows—Go to HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Enrollment and delete dmtoken. Then, go to HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Enrollment and delete dmtoken.
    • Mac—Go to ~/Library/Application Support/Google/Chrome Cloud Enrollment and /Library/Application Support/Google/CloudManagement. The device token file name is a hash of the device’s serial number and can sometimes be difficult to identify.
    • Linux—Go to $user_data_dir/policy/Enrollment. The device token file name is the DeviceID, as listed at chrome://policy.
      Note: To see the user data directory ($user_data_dir), which contains the device token, go to chrome://version, find the Profile Path, and remove the last path component. For example, the user data directory for a profile in ~/.config/google-chrome/Default is ~/.config/google-chrome.
  3. Open Chrome browser.

Note: Do not delete the enrollment token on the managed device.

  • If you deleted the enrollment token, you need to enroll Chrome browser using the enrollment token that you already generated. See step 2.
  • If you revoked the enrollment token in the Admin console, you’ll need to generate a new one. See step 1.

Questions

When are enrollment tokens used?

Enrollment tokens are only used during enrollment. They can be revoked after enrollment and enrolled browsers will still be registered. For detailed information on enrollment tokens, see the Chrome Browser Cloud Management whitepaper.

Does this token enrollment process require admin privileges on Windows?

Yes. On Windows, only system installations are supported.

What gets uploaded during the enrollment process?

During the enrollment process, Chrome browser uploads the following information:

  • Device ID
  • Enrollment token
  • Machine name
  • OS platform
  • OS version
  • Windows BIOS serial number

Why don't I see a Chrome management section in my Admin console?

If you have the legacy free edition of G Suite, Chrome management isn't currently available in your Admin console. Support for legacy free edition will be rolled out in the future.

Should a system image include a device token?

No. Each device you set up must use a unique device token. If you use a system image to deploy Chrome browser, make sure that the image does not include a device token. Otherwise, every device will try to use the value from the image and your deployment will fail.

Next step

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?
true
Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
410864
false