Turn endpoint verification on or off

As an administrator, you can use endpoint verification to see details about devices running Chrome OS or Chrome Browser that access your organization’s data. For example, you can see information about the OS, device, and user. You can see users’ personal computers as well as those that are owned by your organization. 

Supported computers

  • Apple® Mac® OS X® El Capitan (10.11) and later
  • Devices running Chrome OS
  • Linux® Debian® and Ubuntu®
  • Microsoft® Windows® 7 and 10

Set up endpoint verification

Open all   |   Close all

Step 1: Turn on Endpoint Sync in your Admin console

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

To see computers in your organization, Endpoint Sync needs to be turned on in your Admin console. It’s usually on by default. If you turned it off, follow these steps to turn it on again:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.

    To see Devices, you might have to click More controls at the bottom.

  3. On the left, under Mobile, click Setup.
  4. Click Endpoint Sync.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. Check the Allow desktop reporting via browser extension box.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
Step 2: Install the endpoint verification extension

Option 1: Let users install the extension

For Linux, Mac, and Windows devices, the user can install the extension. For details and user steps, see Allow an admin to monitor your computer.

Option 2: Force-install the extension in the Admin console

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devicesand thenChrome management.

    If you don't see Devices on the Home page, click More controls at the bottom.

  3. Click Apps & extensions.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Under Users & Browsers, click Endpoint Verification.
  6. Point to Add and click Add by ID Add by ID.
  7. In the Extension ID field, enter callobklhcbilhphinckomhgkigmfocg. Copy the code to avoid errors.
  8. From the menu under the field, select From the Chrome Web Store and click Save.
  9. On the right, under Certificate management, next to Allow access to keys and Allow enterprise challenge, click Turn on Turn on.
  10. Next to Endpoint Verification, click the Down arrow Down Arrow and choose an option:
    • To force install and pin the app to the toolbar on devices running Chrome OS, select Force install + pin.
    • To force install the app, select Force install.
  11. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
    Settings typically take effect in minutes. But they might take up to 24 hours to apply for everyone.

Option 3: Use a policy to add the extension to managed devices

Mac, Windows, and Linux devices

See Set Chrome Browser policies on managed PCs.

Step 3: Install the native helper (Mac, Windows, and Linux only)

If users install the Endpoint Verification extension, they’re automatically prompted to install the native helper app. For details, see Set up Endpoint Verification.

If you (as an admin) install the extension, you need to install the native helper app.

  1. Download the native helper app for Mac, Windows, or Linux.
  2. Use a third-party software-management tool to install it.
Step 4: Set up device approvals (optional)
As an administrator, you can individually review each endpoint verification device that accesses corporate data. You can tag these devices as approved or blocked. You can use the tag to configure access levels in Access Context Manager. For details, see Control what devices can access your data.

See or delete monitored computers

Open all   |   Close all

See monitored computers
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.

    To see Devices, you might have to click More controls at the bottom.

  3. Click Endpoint Verification.
  4. (Optional) To search for devices by operating system, serial number, or user, use the filters on the left.
  5. Click a device ID to see more information about the device. For details, see Information you can monitor.
Information you can monitor

You can see the following information about computers that have endpoint verification installed:

Category Property name Description Supported devices
Device compliance Status Device’s management status: Approved or unknown Chrome OS
Mac
Windows
User details Name User name Chrome OS
Mac
Linux
Windows
Email User email ID and aliases Chrome OS
Mac
Linux
Windows
Policy profile First sync Date and time user first synced corporate data on device Chrome OS
Mac
Linux
Windows
Last sync Date and time of most recent sync Chrome OS
Mac
Linux
Windows
Device password status

If device has screen-lock password

Note: This property doesn’t report whether the device has any other type of password (such as a firmware password for Mac).

Linux (GNOME and Cinnamon desktop environments only)
Mac (managed devices only)
Windows
Encryption status

Whether device is encrypted

Supported third-party encryption providers:
BitLocker for Windows and Filevault for Mac.

Chrome OS
Linux (LUKS encrypted partitions only)
Mac
Windows
Device properties Device ID Unique number associated with user device Chrome OS
Mac
Windows
Serial number Device serial number Chrome OS
Linux
Mac
Windows
Type Make of device

Chrome OS
Linux
Mac
Windows

OS Name of operating system Chrome OS
Linux
Mac
Windows
OS version Version of operating system Chrome OS
Linux (Ubuntu only)
Mac
Windows
Verified Access

Indicates whether Chrome OS follows to your organization’s policies

Related topics:

Chrome OS
Delete a device

If you turn off endpoint verification, you will not see any computers added after that in your Admin console. You will still see computers that were monitored before, but device information is not updated.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.

    To see Devices, you might have to click More controls at the bottom.

  3. Click Endpoint Verification.
  4. Select the device you want to remove and click Delete.

Turn off endpoint verification

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

If you turn off endpoint verification, you will not see any computers added after that in your Admin console. You will still see computers that were monitored before, but device information is not updated.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.

    To see Devices, you might have to click More controls at the bottom.

  3. On the left, under Mobile, click Setup.
  4. Click Endpoint Sync.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. Uncheck the Allow desktop reporting via browser extension box.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
Was this helpful?
How can we improve it?