ChromeOS Flex Remote Deployment

Overview

ChromeOS Flex Remote Deployment (FRD) enables zero-touch remote deployment of ChromeOS Flex to devices running Microsoft Windows. It can help IT administrators migrate large fleets of geographically dispersed devices to ChromeOS Flex.

Features

  • Remote installation of ChromeOS Flex to any compatible device running Windows.
    • Physical access to the device is only needed in case of failures.
    • Device compatibility is currently not checked automatically.
  • Automatic enrollment into the organizational unit associated with an enrollment token, if one is provided.
  • Logging capabilities for monitoring the deployment process on Windows.
  • Option to dry run the deployment, to detect and prevent common issues.

Minimum device requirements

  • A compatible device with Unified Extensible Firmware Interface (UEFI) firmware, and not in legacy or BIOS boot mode. For details, see the Certified models list.
  • Microsoft Windows 10 or 11, running on a 32 GB or larger GPT-formatted disk with at least 5 GB of free space.

    Note: Due to a known issue, some devices might require 9 GB of free space. If they don't have the space, the process will stop after checking the device but before it makes any irreversible changes.

  • Internet access—Ethernet or Wi-Fi—for enterprise enrollment.
  • Option to transfer files to the device and remotely execute a Windows binary with admin privileges.
  • On some devices, a clear Trusted Platform Module (TPM) is also required. Otherwise, the deployment won’t start.
    Google recommends clearing the TPM on all devices before installing ChromeOS Flex. However, it's not mandatory. For details, see Devices that require clearing the TPM.
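
The requirements above can be checked on each Windows device before a deployment is attempted. The following PowerShell script is an added example, not part of the FRD bundle. It assumes the disk holding the Windows system drive is the one to be migrated, and it treats a TPM that reports an owner as not clear (a heuristic). It does not check the device against the Certified models list.

```powershell
# Added example: read-only preflight check; it changes nothing on the device.
# Run elevated (Get-Tpm requires Administrator rights).
# Assumption: the disk holding the Windows system drive is the one to migrate.
$GB = 1e9   # decimal gigabytes, so a disk sold as "32 GB" is not rejected

function Test-FlexRequirements {
    $letter = $env:SystemDrive.TrimEnd(':')
    $disk   = Get-Partition -DriveLetter $letter | Get-Disk
    $volume = Get-Volume -DriveLetter $letter
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $fw     = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    $tpm    = Get-Tpm

    # Hard requirements taken from the list above.
    $checks = [ordered]@{
        'UEFI firmware (not legacy/BIOS)' = ("$fw" -eq 'Uefi')
        'Windows 10 or 11'                = ($os.Caption -match 'Windows 1[01]')
        'GPT-formatted disk'              = ("$($disk.PartitionStyle)" -eq 'GPT')
        'Disk is 32 GB or larger'         = ($disk.Size -ge 32 * $GB)
        'At least 5 GB free'              = ($volume.SizeRemaining -ge 5 * $GB)
    }

    # Advisory items: these apply only to some devices.
    $warnings = @()
    if ($volume.SizeRemaining -lt 9 * $GB) {
        $warnings += 'Less than 9 GB free: some devices need 9 GB (known issue).'
    }
    if ($tpm.TpmPresent -and $tpm.TpmOwned) {
        # Heuristic (assumption): an owned TPM is not in the cleared state.
        $warnings += 'TPM reports an owner; some devices require a clear TPM.'
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Passed   = @($checks.Values) -notcontains $false
        Failed   = @($checks.Keys | Where-Object { -not $checks[$_] })
        Warnings = $warnings
    }
}

# Emit one JSON record per device so results can be collected centrally.
Test-FlexRequirements | ConvertTo-Json -Depth 3
```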

How FRD works

FRD works in nearly any IT setup. It doesn't depend on your network type, Windows management platform, or monitoring system.

These are the main steps to remotely deploying with FRD:

  1. Download FRD and customize its configuration files, as needed.
  2. Transfer the configuration files to the devices to be migrated to ChromeOS Flex.

    Note: Alternatively, you can place the configuration files in a shared SMB folder, readable by all devices, but for large deployments this approach might not scale well.

  3. Remotely execute the FRD Windows binary, with Administrator privileges, on each device.
  4. Monitor the deployments.
  5. Verify all devices enrolled successfully.

This is how the deployment process works locally on each device:

  1. The device's Trusted Platform Module (TPM) is cleared automatically, if possible. Failure is a warning, not an error.
  2. The primary disk is repartitioned and a new FAT32 partition is created.
  3. Flexor, a Linux-based environment for installing ChromeOS Flex, is installed on the new partition.
  4. The Windows Boot Manager is configured to boot Flexor, and the device is rebooted.
  5. Flexor boots, formats the disk, installs ChromeOS Flex, and sets up some configs automatically.
  6. ChromeOS Flex boots, reads the FRD configs, and goes through all first-boot setup and enrollment steps automatically.

Warnings and disclaimers

  • Risk of data loss—Make sure you have backed up all data before starting a deployment. FRD will wipe all data stored on devices as part of the deployment.
  • Make sure your devices can run ChromeOS Flex before deployment. Hardware compatibility is not currently checked before deployment. Incompatible devices might fail to boot or malfunction.
  • Configurations such as the enrollment token and network settings—which might include credentials and certificates—will be stored on disk, in plain text, during a deployment until ChromeOS Flex boots for the first time. If a deployment fails for any reason, these values might remain on disk indefinitely, and could be read by third parties with access to the device.

Concepts

  • Bundle—FRD is released as a zip file (~1 GB) containing several binaries, a ChromeOS Flex image, and other files versioned together. We refer to the contents of this zip file as the FRD bundle.
  • Agent—agent.exe, in the FRD bundle. The Windows binary that is remotely executed on a device to perform or dry run a deployment. The Agent emits logs that can be processed by another tool, such as Vector.
  • Dry Run—A boolean option in the Agent that, if enabled, prevents destructive operations. The Agent performs preflight checks and emits logs, but doesn’t actually change the system. Dry runs can be used to detect failing preflight checks, or to test your monitoring setup.
  • Enrollment Token—A unique identifier, created in the Google Admin console and tied to an organizational unit, that allows devices to automatically enroll to this organizational unit.

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
