Set up Chrome Browser Cloud Management

2. Enroll cloud-managed Chrome Browsers

After you have access to your Google Admin console, here's how to enroll the devices where you want to manage Chrome Browsers. You'll then be able to enforce policies for any users who open Chrome Browser on an enrolled device.

Step 1: Generate enrollment token

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.

    To see Devices, you might have to click More controls at the bottom.

  3. (Optional) To add browsers in the top-level organization in your domain, keep Include all organizational units selected. Alternatively, you can generate a token that will enroll browsers directly to a specific organizational unit by selecting it in the left navigation before moving on to the next step. For more information, see Add an organization unit.
  4. At the bottom, click Add to generate an enrollment token.
  5. In the box, click Copy to copy the enrollment token.

Step 2: Enroll browsers with the enrollment token

Enroll browsers on Windows

Option 1: Use the Group Policy Management Editor

Under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome, set CloudManagementEnrollmentToken to the generated token you copied above.

Clear the current enrollment if one exists using:
-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Enrollment

(Optional) By default, if enrollment fails (for example, if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome Browser from starting if enrollment fails, set CloudManagementEnrollmentMandatory under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome to true.

Notes:

  • The token must be set at a local machine level. It won't work at the user level.
  • If the machines you are enrolling are imaged from the same Windows source, make sure that you have used Microsoft's System Preparation tool (Sysprep) so that each enrolled machine has a unique identifier. It's important that the SIDs are unique across your machines so that Chrome Browser Cloud Management identifies them as individual machines.

Option 2: Download the reg file

Click Download .reg file. The downloaded .reg file automatically adds the token and clears the current enrollment when run.

When you use the reg file, Chrome browser will still respect the CloudManagementEnrollmentMandatory policy in Option 1, blocking launch if enrollment fails. See the note above if you're enrolling machines imaged from the same Windows source.

Enroll browsers on Mac

Option 1: Use a policy

Push the token to your browser as a policy named CloudManagementEnrollmentToken. Setting policies on Mac devices requires the Apple Profile Manager.

Note: If you choose to manually set policies, be aware that Mac OS will delete the policy files on every sign-in. Learn more about setting up policies on Mac in the Quick Start Guide and help center.

(Optional) By default, if enrollment fails (for example, if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome Browser from starting if enrollment fails, set CloudManagementEnrollmentMandatory to true.

Option 2: Download the text file

Click Download file. If needed, create a /Library/Google/Chrome/ folder on your device. Put the file under /Library/Google/Chrome/.  

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, create a file called CloudManagementEnrollmentOptions under /Library/Google/Chrome/ with the text Mandatory (case sensitive). This file must be encoded as a .txt file, but should not have the .txt filename extension.

If a token is pushed using both methods above, Chrome will use the value present in the policy and ignore the file. The token is stored in a directory under the home directory on the user's Mac. Each Mac OS user must enroll separately.

Enroll browsers on Linux machines

The token can be pushed by creating a text file called enrollment_token, under /etc/opt/chrome/policies/enrollment. This file must only contain the token and nothing else. Alternatively, you can click Download file and rename the file to enrollment_token.

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, create a file called CloudManagementEnrollmentOptions under /etc/opt/chrome/policies/enrollment/ with the text Mandatory (case sensitive). This file must be encoded as a .txt file, but should not have the .txt filename extension.
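
The Linux steps above, as an added shell example (not Google's tooling): `write_enrollment` creates the two files and `audit_enrollment` reports files that do not match the format described above. The function names, the `ENROLL_DIR` override, the 644 file mode and the tolerance of a trailing newline are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Google's tooling. ENROLL_DIR defaults to the path given
# on this page; override it to stage the files without root (assumption).
ENROLL_DIR="${ENROLL_DIR:-/etc/opt/chrome/policies/enrollment}"

# write_enrollment TOKEN [mandatory]
# Writes enrollment_token and, when asked, the Mandatory options file.
write_enrollment() {
    token=$1
    # The token file must contain only the token: refuse empty values and
    # anything carrying spaces, tabs or newlines.
    [ -n "$token" ] &&
        [ "$(printf '%s' "$token" | tr -d '[:space:]')" = "$token" ] ||
        { echo "refusing empty or whitespace-bearing token" >&2; return 1; }
    mkdir -p "$ENROLL_DIR" || return 1
    printf '%s' "$token" > "$ENROLL_DIR/enrollment_token" || return 1
    # Assumption: 644 so Chrome, running as any user, can read the file
    # while only the owner can change it.
    chmod 644 "$ENROLL_DIR/enrollment_token" || return 1
    opts="$ENROLL_DIR/CloudManagementEnrollmentOptions"
    if [ "${2:-}" = mandatory ]; then
        printf '%s' 'Mandatory' > "$opts" && chmod 644 "$opts" || return 1
    else
        rm -f "$opts"   # default behaviour: Chrome starts unmanaged on failure
    fi
}

# audit_enrollment
# Prints "mandatory" or "optional" when the files match the format above;
# prints the problem and returns 1 otherwise.
audit_enrollment() {
    tok="$ENROLL_DIR/enrollment_token"
    opts="$ENROLL_DIR/CloudManagementEnrollmentOptions"
    [ -s "$tok" ] || { echo "missing-token"; return 1; }
    content=$(cat "$tok")   # $(...) drops a trailing newline (tolerated here)
    [ "$(printf '%s' "$content" | tr -d '[:space:]')" = "$content" ] ||
        { echo "malformed-token"; return 1; }
    # A .txt extension or wrong case means the option is not in the stated form.
    [ ! -e "$opts.txt" ] || { echo "bad-options"; return 1; }
    if [ -e "$opts" ]; then
        [ "$(cat "$opts")" = "Mandatory" ] || { echo "bad-options"; return 1; }
        echo "mandatory"
    else
        echo "optional"
    fi
}
```

Run `write_enrollment` as root on the target machine, then quit and relaunch Chrome Browser as described in Step 3.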

Step 3: Launch Chrome Browser and confirm enrollment

  1. After setting the enrollment token using one of the methods in Step 2, quit Chrome Browser (if it's open) and launch Chrome Browser on the managed device.
  2. Sign in to the Google Admin console (admin.google.com).
  3. Go to Device management > Chrome management > Managed browsers. All browsers that have been launched with your enrollment token will appear in the browser list.
  4. (Optional) To see additional details, click a machine's name.

Notes: 

  • If you have multiple installations of Chrome Browser on a single device, they will show up in the browser list as a single managed browser.
  • Enrollment tokens are only used during enrollment. After enrollment, they can be revoked in the Admin console. However, enrolled browsers will still be registered.
  • On Windows, only system installations are supported because Chrome Browser requires admin privileges to register.

Just after registering, not many fields are populated. You need to enable browser reporting to access detailed reporting information. For more information, see Step 4: Enable Chrome Browser reporting.

Unenroll and re-enroll a device

Unenroll a device

If you have devices that are no longer being used in your organization, you should unenroll them from Chrome Browser Cloud Management so that you’re no longer managing Chrome Browser on them. Unenrolling the device removes enrolled browser cloud policies that were on the device. Platform policies and cloud-based user policies are not affected.

On the managed device:

  1. Delete the enrollment token.
    • Windows—Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome and delete CloudManagementEnrollmentToken.
    • Mac—Delete /Library/Google/Chrome/CloudManagementEnrollmentToken. Or, if the token was deployed with a configuration profile, use your preferred mobile device management tool to remove it.
    • Linux—Go to /etc/opt/chrome/policies/enrollment and delete CloudManagementEnrollmentToken.
  2. Delete the device token.
    • Windows—Go to HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Enrollment and delete dmtoken.
    • Mac—Go to ~/Library/Application Support/Google/Chrome Cloud Enrollment. The device token file name is a hash of the device’s serial number and can sometimes be difficult to identify.
    • Linux—Go to $user_data_dir/policy. The device token file name is the DeviceID, as listed at chrome://policy. Note: To see the user data directory, which contains the device token, go to chrome://version and find the Profile Path.

Unenrolling devices from Chrome Browser Cloud Management does not delete the data that's already uploaded to the Admin console. To delete uploaded data, you also need to delete the corresponding device from the Admin console.

Re-enroll a device

If you accidentally delete a device in the Admin console, you can re-enroll it.

On the managed device:

  1. Close Chrome Browser.
  2. Delete the device token.
    • Windows—Go to HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Enrollment and delete dmtoken.
    • Mac—Go to ~/Library/Application Support/Google/Chrome Cloud Enrollment. The device token file name is a hash of the device’s serial number and can sometimes be difficult to identify.
    • Linux—Go to $user_data_dir/policy. The device token file name is the DeviceID, as listed at chrome://policy. Note: To see the user data directory, which contains the device token, go to chrome://version and find the Profile Path.
  3. Open Chrome Browser.

Note: Do not delete the enrollment token on the managed device.

  • If you deleted the enrollment token, you need to enroll Chrome Browser using the enrollment token that you already generated. See step 2.
  • If you revoked the enrollment token in the Admin console, you’ll need to generate a new one. See step 1.

Questions

When are enrollment tokens used?

Enrollment tokens are only used during enrollment. They can be revoked after enrollment and enrolled browsers will still be registered. For detailed information on enrollment tokens, see the Chrome Browser Cloud Management whitepaper.

Does this token enrollment process require admin privileges on Windows?

Yes. On Windows, only system installations are supported.

What gets uploaded during the enrollment process?

During the enrollment process, Chrome Browser uploads the following information:

  •   Enrollment token
  •   Device ID
  •   Machine name
  •   OS platform
  •   OS version

Why don't I see a Chrome management section in my Admin console?

If you have the legacy free edition of G Suite, Chrome management isn't currently available in your Admin console. Support for legacy free edition will be rolled out in the future.
