As an admin, you can deploy ChromeOS Flex to a fleet of devices. Be aware that each model's specific BIOS/UEFI settings impact ChromeOS Flex installation and device security after installation.
Enable Secure Boot
ChromeOS Flex images are signed and verified so that the built-in Secure Boot system in recent UEFI-enabled models can verify a ChromeOS Flex image during startup. Secure Boot checks that the ChromeOS Flex image is from a known source—Google.
Before you install ChromeOS Flex, Google recommends that you enable UEFI and Secure Boot, if supported. This can help prevent unsigned third-party operating systems from running on devices.
You should disable Secure Boot only if the detailed notes for your particular model in our Certified models list say you should, or if it is otherwise necessary for installation. See the Certified models list.
Clear and enable TPM (if supported)
Some ChromeOS Flex certified models include TPM security hardware. When properly set up, TPM can provide a secure storage location for cryptographic secrets that are used for unlocking user accounts and so on.
If TPM is supported on your certified models, clear and enable TPM before you install ChromeOS Flex. That way, you can enroll devices immediately after installing ChromeOS Flex on them. ChromeOS Flex shows a message if you try to enroll your device and TPM is not yet ready.
See Use TPM with ChromeOS Flex.
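The Secure Boot and TPM recommendations above can be checked on each device before installation. The script below is an added example, not part of the original page or any Google tooling: it assumes the device is booted into a Linux live environment with sysfs and efivarfs mounted, and `SYSFS_ROOT` is a hypothetical override used only to point the checks at a test tree.

```shell
#!/bin/sh
# Pre-install firmware readiness check (added example; assumes a Linux live environment).
# SYSFS_ROOT is a hypothetical override so the checks can run against a constructed tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"  # UEFI global variable GUID

# efivarfs files hold 4 bytes of attributes followed by the variable data,
# so the one-byte value of SecureBoot or SetupMode sits at offset 4.
efi_var_byte() {
    f="$SYSFS_ROOT/firmware/efi/efivars/$1-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# The firmware/efi directory only exists when the kernel was booted through UEFI.
boot_mode() {
    if [ -d "$SYSFS_ROOT/firmware/efi" ]; then echo uefi; else echo legacy; fi
}

# enabled: SecureBoot=1 and keys enrolled; setup-mode: no platform key enrolled,
# so signatures are not enforced; unsupported: legacy BIOS boot.
secure_boot_state() {
    [ "$(boot_mode)" = uefi ] || { echo unsupported; return; }
    sb=$(efi_var_byte SecureBoot) || { echo unknown; return; }
    sm=$(efi_var_byte SetupMode) || sm=0
    if [ "$sb" = 1 ] && [ "$sm" = 0 ]; then echo enabled
    elif [ "$sm" = 1 ]; then echo setup-mode
    else echo disabled; fi
}

# Reports whether the kernel exposes a TPM and, where available, its major version.
tpm_state() {
    d="$SYSFS_ROOT/class/tpm/tpm0"
    [ -d "$d" ] || { echo absent; return; }
    if [ -r "$d/tpm_version_major" ]; then echo "tpm$(cat "$d/tpm_version_major")"
    else echo present; fi
}

report() {
    echo "boot_mode=$(boot_mode) secure_boot=$(secure_boot_state) tpm=$(tpm_state)"
}
report
```

A result of `tpm=absent` can mean the TPM is disabled in firmware rather than missing, and the script cannot tell whether the TPM has been cleared, so those steps still need to be confirmed in the BIOS or UEFI setup.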
Restrict bootable media and BIOS or UEFI access
ChromeOS Flex installation often requires you to make changes to BIOS or UEFI settings, such as turning on USB boot. Ideally, devices only allow administrators to make changes to BIOS or UEFI settings during deployment.
To maximize the security and speed of your ChromeOS Flex device after deployment, Google recommends that you:
- Prevent boot from external media—If devices continue to be able to boot external media, a less secure and unwanted OS might be installed later.
Note: The option name differs, depending on the OEM. Look out for USB boot, Boot from external media, or similar settings.
- Set a secure BIOS or UEFI administrator password—Share the password only with the IT admins and tech support staff who really need it. That way, users can’t make changes or boot another OS.
Only deploy official ChromeOS Flex images
Make sure that you, and everyone who is helping you with your ChromeOS Flex deployment, know where installation images come from.