Citrix Endpoint Management

Chrome OS

Endpoint Management support for Chrome OS devices includes the ability to run Chrome OS devices in a public session. A public session doesn’t require a user to sign on and doesn’t have permanent data. Public sessions are useful for libraries, public schools, and other situations where session data isn’t permanent. You can also configure a Chrome OS device in kiosk mode. Kiosk mode locks down a device per user.

To manage Chrome OS devices, Endpoint Management uses a Secure Hub extension installed in the Chrome device browser. Before enrolling Chrome OS devices in Endpoint Management, you configure Google Workspace to install the Secure Hub extension on the device. Then, you connect Google Workspace to Endpoint Management.

Endpoint Management enrolls Chrome OS devices into MDM. Endpoint Management doesn’t support MAM-only registration for Chrome OS devices. Endpoint Management supports user name and password authentication on Chrome OS devices.

A general workflow for starting Chrome OS device management is as follows:

  1. Complete the onboarding process. See Onboarding and resource setup and Prepare to enroll devices and deliver resources.

  2. Choose and configure an enrollment method. See Supported enrollment methods.

  3. Configure Google Workspace to install Secure Hub on the Chrome OS device.

  4. Connect Endpoint Management to Google Workspace.

  5. Configure Chrome OS device policies.

  6. Enroll Chrome OS devices in Google Workspace and then Enroll Chrome devices in Endpoint Management.

For supported operating systems, see Supported device operating systems.

Supported enrollment methods

The following table indicates the enrollment methods that Endpoint Management supports for Chrome OS devices:

Method                   Supported
Bulk enrollment          No
Manual enrollment        Yes (user name + password only)
Enrollment invitations   No

For more information, see the Google Workspace configuration sections in this article.

Configure Google Workspace to install Secure Hub on the Chrome OS device

You configure forced installation of the Secure Hub extension on the Chrome OS device and prevent the extension from being disabled or deleted.

  1. Go to the Google Admin site and log in to your Google Workspace account.
  2. Verify that you’ve completed the configuration described in Enable partner access for devices and users in your Google Workspace domain.
  3. In the Google administrator console, select Devices > Chrome > Settings > Users & Browsers.
  4. In the Users & Browsers settings page, search for Client certificates. Add this pattern:

    {"pattern": "https://[*.]", "filter": {}}

    When you add this pattern to Client certificates, device certificates pushed from Endpoint Management to the device are selected automatically. The user isn’t prompted to select certificates.

    Client certificate

  5. Click Save.
  6. Click the Device Settings tab (Devices > Chrome > Settings > Device). In the Device settings page:
    1. Search for Verified Access.
    2. Select the option for Enable for content protection.
    3. On the Verified Mode option, select the option for Require verified mode boot for verified access.
    4. Add the following e-mail address for Service with full access.

    When you add the address to Verified Mode, it fulfills the requirement for Citrix Endpoint Management to be able to enable Verified Access for device security.

    Verified mode

  7. Navigate to Devices > Chrome > Apps & Extensions > Users & browsers. Click + and select Add Chrome app or extension by ID, as shown in the figure.

    Add Chrome app

  8. On the Add Chrome app or extension by ID popup, enter cnkimbgkdakemjcipljhmoplehfcjban in the Extension ID field and click Save.
  9. Change the installation policy for the Citrix Secure Hub Extension to Force Install.

    Installation policy

  10. Click the Citrix SecureHub row to open the Secure Hub dialog on the right. Under Certificate management, enable Allow enterprise challenge.

    Allow enterprise challenge

  11. Click Save.
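A pre-flight check for the Client certificates entries from step 4, given here as an added example that is not part of the Citrix documentation. It reports what each entry's pattern and filter allow before you paste it into the Admin console. The host example.com, the issuer name, and the ISSUER/CN filter key are assumptions; the filter key follows the format of Chrome's AutoSelectCertificateForUrls policy, which this setting is assumed to map to.

```python
import json
import re

# Content-setting pattern shape used on this page: scheme://[*.]host[:port][/path]
PATTERN_RE = re.compile(
    r"^(?P<scheme>[a-z]+)://(?P<wild>\[\*\.\])?(?P<host>[A-Za-z0-9.-]*)"
    r"(?::(?P<port>\d+))?(?P<path>/.*)?$"
)

def audit_entry(raw):
    """Return (level, message) findings for one Client certificates entry."""
    try:
        entry = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [("error", f"not valid JSON: {exc.msg}")]
    if not isinstance(entry, dict):
        return [("error", "entry must be a JSON object")]
    findings = []
    pattern = entry.get("pattern")
    match = PATTERN_RE.match(pattern) if isinstance(pattern, str) else None
    if match is None:
        findings.append(("error", "pattern missing or not scheme://host"))
    else:
        host = match["host"].strip(".")
        if match["scheme"] != "https":
            findings.append(("error", "pattern scheme is not https"))
        if not host:
            findings.append(("error", "pattern has no host after the scheme"))
        elif match["wild"] and "." not in host:
            findings.append(("warn", f"[*.] wildcard spans every host under .{host}"))
    flt = entry.get("filter")
    if not isinstance(flt, dict):
        findings.append(("error", "filter missing or not a JSON object"))
    elif not flt:
        findings.append(("note", "empty filter: no issuer/subject restriction on the certificate"))
    return findings

# Constructed sample entries; example.com and "Example Device CA" are placeholders.
SAMPLES = [
    '{"pattern": "https://[*.]example.com", "filter": {}}',
    '{"pattern": "https://[*.]example.com", "filter": {"ISSUER": {"CN": "Example Device CA"}}}',
    '{"pattern": "https://[*.]com", "filter": {}}',
    '{"pattern": "https://[*.]", "filter": {}}',
    '{"pattern": "http://[*.]example.com", "filter": {}}',
    '{pattern: "https://[*.]example.com"}',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw)
        for level, message in audit_entry(raw) or [("ok", "no findings")]:
            print(f"  [{level}] {message}")
```

An empty filter is reported as a note rather than an error: it is the configuration this page uses so that the device certificate is selected without prompting the user.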

Connect Endpoint Management to Google Workspace

  1. In the Endpoint Management console, click the gear icon in the upper-right corner and then click Settings > Google Chrome.

    Endpoint Management console, showing Google Chrome connect screen

  2. Click Connect. A Google account sign-in window appears.

    Google sign-in window

  3. Sign in with your Google account credentials and click Next.

  4. Endpoint Management fills in your Google Workspace domain and Google Workspace account administrator name. The Connect button has changed to Disconnect. Endpoint Management is connected to Google Workspace.

    Endpoint Management console, showing Google Chrome connected

Configure Chrome OS device policies

Use these policies to configure how Endpoint Management interacts with devices running Chrome OS. These device policies are available for Chrome OS devices.

Enroll Chrome OS devices in Google Workspace

Device enrollment in your Google Workspace domain is a prerequisite for enrolling a Chrome OS device in Endpoint Management. For information on Google Workspace domain enrollment, see the Google article, Enroll Chrome devices.

Enroll Chrome devices in Endpoint Management

A Citrix PIN must be created when a Chrome OS device is enrolled in Endpoint Management. The Citrix PIN is separate from the Endpoint Management passcode. The Citrix PIN secures a certificate from the Endpoint Management server. This PIN cannot be reset. If a user forgets this PIN, the Chrome OS device must be unenrolled and re-enrolled.

  1. Sign in to your Chrome OS device by using your Google Workspace credentials.

  2. Click the Secure Hub extension in Chrome. The Secure Hub extension appears next to your browser address bar, is grayed out, and looks like the following image:

    Secure Hub extension

  3. The Secure Hub enrollment window appears. Click Enroll.

  4. Type your corporate credentials, such as your Endpoint Management server name, User Principal Name (UPN), or email address. Then, click Next.

  5. If prompted, type your corporate user name. Type your corporate password. Then, click Sign In.

    Sign In option

  6. Create a Citrix PIN. This PIN must be 6 characters long. It can contain only letters and numbers. Type your Citrix PIN twice and then click Finish.

    When the enrollment is complete, the Secure Hub extension icon is active.

Sign in to an enrolled Chrome OS device

To sign in to a Chrome OS device that is enrolled in Endpoint Management:

  1. Sign in using your Google Workspace credentials.

  2. When prompted, enter your Citrix PIN. This PIN was created when the device was enrolled in Endpoint Management.

    If you do not type your Citrix PIN:

    • You are prompted to type your Citrix PIN every minute until you type the PIN.
    • After five minutes, access is blocked to all websites except,,,
    • If you try to access any other website, an error message appears and you are prompted to sign in using your Citrix PIN.

Unenroll and reenroll a Chrome OS device

To unenroll a Chrome OS device from Endpoint Management, users delete their account.

  1. In the Chrome browser, click the Secure Hub extension icon.
  2. In the Secure Hub enrollment window, click Delete.
  3. Click Yes, Delete to confirm the deletion.

    The Secure Hub enrollment window closes and the Secure Hub extension icon is grayed out.

To re-enroll:

  1. Log out of your Chrome OS device and log back in using your Google Workspace credentials.
  2. Click Enroll and follow the prompts to re-enroll.

Security actions

Chrome OS doesn’t support security actions.