Chrome OS

To manage Chrome OS devices, Endpoint Management uses a Secure Hub extension installed in the Chrome device browser. Before enrolling Chrome OS devices in Endpoint Management, you configure G Suite to install the Secure Hub extension on the device. Then, you connect G Suite to Endpoint Management.

Endpoint Management enrolls Chrome OS devices into MDM. Endpoint Management doesn’t support MAM-only registration for Chrome OS devices. Endpoint Management supports user name and password authentication on Chrome OS devices.

A general workflow for starting Chrome OS device management is as follows:

  1. Complete the onboarding process. See Onboarding and resource setup and Prepare to enroll devices and deliver resources.

  2. Choose and configure an enrollment method. See Supported enrollment methods.

  3. Configure G Suite to install Secure Hub on the Chrome OS device.

  4. Connect Endpoint Management to G Suite.

  5. Configure Chrome OS device policies.

  6. Enroll Chrome OS devices in G Suite and then Enroll Chrome OS devices.

  7. Set up device and app security actions. See Security actions.

For supported Chrome OS devices, see Supported device operating systems.

Supported enrollment methods

The following table indicates the enrollment methods that Endpoint Management supports for Chrome OS devices:

Method Supported
Bulk enrollment No
Manual enrollment No
Enrollment invitations No

For more information, see the G Suite configuration sections in this article.

Configure G Suite to install Secure Hub on the Chrome OS device

You configure forced installation of the Secure Hub extension on the Chrome OS device and prevent the extension from being disabled or deleted.

  1. Go to and log in to your G Suite account.

  2. Verify that you have completed the configuration that’s described in Enable partner access for devices and users in your G Suite domain.

  3. In the Google administrator console, click Device Management.

    Image of Google administrator console

  4. Click Chrome management.

    Image of Google administrator console

  5. In the Chrome device management page, click User Settings.

    Image of Google administrator console

  6. In the User settings page, search for Client certificates. Add this pattern:

    {"pattern": "https://[*.]", "filter": {}}

    Adding this pattern to Client certificates ensures device certificates pushed from Endpoint Management to the device are auto-selected without prompting for the user to select.

    Image of Google administrator console

  7. Click Save.

  8. Search for Force-installed Apps and Extensions and then click Manage force-installed apps.

    Image of Google administrator console

  9. Click Specify a Custom App.

    Image of Google administrator console

  10. Click the ID field, type cnkimbgkdakemjcipljhmoplehfcjban.

  11. Click the URL field, type

  12. Click Add.

  13. Click Save in the Force-installed Apps and Extensions dialog window.

  14. Click Save in the User Settings page.

Connect Endpoint Management to G Suite

  1. In the Endpoint Management console, click the gear icon in the upper-right corner and then click Settings > Google Chrome.

    Image of Endpoint Management console, showing Google Chrome connect screen

  2. Click Connect. A Google account sign-in window appears.

    Image of Google sign-in window

  3. Sign in with your Google account credentials and click Next.

  4. Endpoint Management fills in your G Suite domain and G Suite account administrator name. The Connect button has change to Disconnect. Endpoint Management is connected to G Suite.

    Image of Endpoint Management console, showing Google Chrome connected

Configure Chrome OS device policies

Use these policies to configure how Endpoint Management interacts with devices running Chrome OS. This table lists all device policies available for Chrome OS devices.

App restrictions Connection scheduling Content
Control OS update Managed bookmarks Power management
Restrictions VPN WiFi
Verified Access    

Enroll Chrome OS devices in G Suite

Device enrollment in the G Suite domain of your enterprise is a pre-requisite for enrolling a Chrome OS device in Endpoint Management. For information on G Suite domain enrollment, see the Google article Enroll Chrome devices.

Enroll Chrome devices in Endpoint Management

A Citrix PIN must be created when a Chrome OS device is enrolled in Endpoint Management. The Citrix PIN is separate from the Endpoint Management passcode. The Citrix PIN secures a certificate from the Endpoint Management server. This PIN cannot be reset. If a user forgets this PIN, the Chrome OS device must be unenrolled and re-enrolled.

  1. Sign in to your Chrome OS device by using your G Suite credentials.

  2. Click the Secure Hub extension in Chrome. The Secure Hub extension appears next to your browser address bar, is grayed out, and looks like the following image:

    Image of Secure Hub extension

  3. The Secure Hub enrollment window appears. Click Enroll.

    Image of enrollment window

  4. Type your corporate credentials, such as your Endpoint Management server name, User Principal Name (UPN), or email address. Then, click Next.

    Image of corporate credentials options

  5. If prompted, type your corporate user name. Type your corporate password. Then, click Sign In.

    Image of Sign In option

  6. Create a Citrix PIN. This PIN must be 6 characters long. It can contain only letters and numbers. Type your Citrix PIN twice and then click Finish.

    Image of Citrix PIN creation screen

    When the enrollment is complete, the Secure Hub extension icon is active.

Sign in to an enrolled Chrome OS device

To sign in to a Chrome OS device that is enrolled in Endpoint Management:

  1. Sign in using your G Suite credentials.

  2. When prompted, enter your Citrix PIN. This PIN was created when the device was enrolled in Endpoint Management.

    If you do not type your Citrix PIN:

    • You are prompted to type your Citrix PIN every minute until you type the PIN.
    • After five minutes, access is blocked to all websites except,,,
    • If you try to access any other website, an error message appears and you are prompted to sign in using your Citrix PIN.

Unenroll and reenroll a Chrome OS device

To unenroll a Chrome OS device from Endpoint Management, users delete their account.

  1. In the Chrome browser, click the Secure Hub extension icon.
  2. In the Secure Hub enrollment window, click Delete.
  3. Click Yes, Delete to confirm the deletion.

    The Secure Hub enrollment window closes and the Secure Hub extension iron is grayed out.

To re-enroll:

  1. Log out of your Chrome OS device and log back in using your G Suite credentials.
  2. Click Enroll and follow the prompts to re-enroll.

Security actions

Chrome OS does not support security actions.