Turn endpoint verification on or off

As an administrator, you can use endpoint verification to get details about devices running Chrome OS or Chrome Browser that access your organization’s data. For example, you can see information about the OS, device, and user. You can see users’ personal computers and devices owned by your organization. 

Supported computers

  • Apple® Mac® OS X® El Capitan (10.11) and later
  • Devices running Chrome OS
  • Linux® Debian® and Ubuntu®
  • Microsoft® Windows® 7 and 10

Set up endpoint verification

Open all   |   Close all

Step 1: Turn on Endpoint Sync in your Admin console

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

Endpoint Sync is usually on by default. If you turned it off, turn it on again:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.

    If you don't see Devices on the Home page, at the bottom, click More controls.

  3. On the left, under Mobile, click Setup.
  4. Click Endpoint Sync.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. Check the Allow desktop reporting via browser extension box.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
Step 2: Install the endpoint verification extension

Option 1: Let users install the extension

For Linux, Mac, and Windows devices, the user can install the extension. For details and user steps, see Allow an admin to monitor your computer.

Option 2: Force-install the extension in the Admin console

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devicesand thenChrome management.

    If you don't see Devices on the Home page, click More controls at the bottom.

  3. Click Apps & extensions.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Point to Add and click Add by ID Add by ID.
  6. In the Extension ID field, enter callobklhcbilhphinckomhgkigmfocg. Copy the code to avoid errors.
  7. From the menu under the field, select From the Chrome Web Store and click Save.
  8. In the app options panel that opens, in the Certificate management section: 
    1. Next to Allow access to keys, click Turn on Turn on. 
    2. Next to Allow enterprise challenge, click Turn on Turn on.
    3. Close the panel.
  9. In the table of apps, in Endpoint Verification row, click the Down arrow Down arrow and choose an option:
    • To force install and pin the app to the toolbar on devices running Chrome OS, select Force install + pin.
    • To force install the app, select Force install.
  10. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
    Settings typically take effect in minutes. But they might take up to 24 hours to apply for everyone.

Option 3: Use a policy to add the extension to managed devices

Mac, Windows, and Linux devices

See Set Chrome Browser policies on managed PCs.

Step 3: Install the native helper (Mac, Windows, and Linux only)

If users install the Endpoint Verification extension, they’re automatically prompted to install the native helper app. For details, see Set up Endpoint Verification.

If you (as an admin) install the extension, you need to install the native helper app.

  1. Download the native helper app for Mac, Windows, or Linux.
  2. Use a third-party software-management tool to install it.
Step 4: Set up device approvals (optional)
You can review each endpoint verification device that accesses your organization's data. You can tag these devices as approved or blocked. You can use the tag to configure access levels with Context-Aware Access. For details, see Control access to corporate data.

Find users without endpoint verification

You can find a list of users who don't have endpoint verification installed on their device. If you want, you can send an email to ask them to install it.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.

    If you don't see Devices on the Home page, at the bottom, click More controls.

  3. Click Endpoint Verification.
  4. At the top of the devices list, click Add a filter.
  5. Select Exclude: Endpoint Verification
  6. If you want to email users who don’t have endpoint verification:
    1. Check the box next to each user.
    2. Click Email Users Email.
      A new email window opens with the users you selected in the To field.
    3. Compose your email and click Send.

Turn off endpoint verification

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

Devices added after you turn off endpoint verification aren't shown in your Admin console. You still see devices that were monitored before, but device information isn't updated.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.

    If you don't see Devices on the Home page, at the bottom, click More controls.

  3. On the left, under Mobile, click Setup.
  4. Click Endpoint Sync.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. Uncheck the Allow desktop reporting via browser extension box.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Delete a device

When you delete a device, the device no longer syncs work data, but no information is removed from it.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.

    If you don't see Devices on the Home page, at the bottom, click More controls.

  3. Click Endpoint Verification.
  4. Select the device you want to remove and click Delete.
Was this helpful?
How can we improve it?