Citrix Endpoint Management

Chrome OS

Endpoint Management support for Chrome OS devices includes the ability to run Chrome OS devices in a public session. A public session doesn’t require a user to sign on and doesn’t have permanent data. Public sessions are useful for libraries, public schools, and other situations where session data isn’t permanent. You can also configure a Chrome OS device in kiosk mode. Kiosk mode locks down a device per user.

To manage Chrome OS devices, Endpoint Management uses a Secure Hub extension installed in the Chrome device browser. Before enrolling Chrome OS devices in Endpoint Management, you configure G Suite to install the Secure Hub extension on the device. Then, you connect G Suite to Endpoint Management.

Endpoint Management enrolls Chrome OS devices into MDM. Endpoint Management doesn’t support MAM-only registration for Chrome OS devices. Endpoint Management supports user name and password authentication on Chrome OS devices.

A general workflow for starting Chrome OS device management is as follows:

  1. Complete the onboarding process. See Onboarding and resource setup and Prepare to enroll devices and deliver resources.

  2. Choose and configure an enrollment method. See Supported enrollment methods.

  3. Configure G Suite to install Secure Hub on the Chrome OS device.

  4. Connect Endpoint Management to G Suite.

  5. Configure Chrome OS device policies.

  6. Enroll Chrome OS devices in G Suite and then Enroll Chrome devices in Endpoint Management.

For supported operating systems, see Supported device operating systems.

Supported enrollment methods

The following table indicates the enrollment methods that Endpoint Management supports for Chrome OS devices:

Method Supported
Bulk enrollment No
Manual enrollment Yes (user name + password only)
Enrollment invitations No

For more information, see the G Suite configuration sections in this article.

Configure G Suite to install Secure Hub on the Chrome OS device

You configure forced installation of the Secure Hub extension on the Chrome OS device and prevent the extension from being disabled or deleted.

  1. Go to and log in to your G Suite account.

  2. Verify that you have completed the configuration that’s described in Enable partner access for devices and users in your G Suite domain.

  3. In the Google administrator console, click Device Management.

    Google administrator console

  4. Click Chrome management.

    Google administrator console

  5. In the Chrome device management page, click User Settings.

    Google administrator console

  6. In the User settings page, search for Client certificates. Add this pattern:

    {"pattern": "https://[*.]", "filter": {}}

    When you add this pattern to Client certificates, device certificates pushed from Endpoint Management to the device are auto-selected. The user isn’t prompted to select certificates.

    Google administrator console

  7. Click Save.

  8. Search for Force-installed Apps and Extensions and then click Manage force-installed apps.

    Google administrator console

  9. Click Specify a Custom App.

    Google administrator console

  10. Click the ID field, type cnkimbgkdakemjcipljhmoplehfcjban.

  11. Click the URL field, type

  12. Click Add.

  13. Click Save in the Force-installed Apps and Extensions dialog window.

  14. Click Save in the User Settings page.

Connect Endpoint Management to G Suite

  1. In the Endpoint Management console, click the gear icon in the upper-right corner and then click Settings > Google Chrome.

    Endpoint Management console, showing Google Chrome connect screen

  2. Click Connect. A Google account sign-in window appears.

    Google sign-in window

  3. Sign in with your Google account credentials and click Next.

  4. Endpoint Management fills in your G Suite domain and G Suite account administrator name. The Connect button has change to Disconnect. Endpoint Management is connected to G Suite.

    Endpoint Management console, showing Google Chrome connected

Configure Chrome OS device policies

Use these policies to configure how Endpoint Management interacts with devices running Chrome OS. This table lists all device policies available for Chrome OS devices.

App Restrictions Scheduling Content
Control OS Update Kiosk Managed Bookmarks
Power Management Public Session Restrictions
Verified Access VPN Wi-Fi

Enroll Chrome OS devices in G Suite

Device enrollment in your G Suite domain is a pre-requisite for enrolling a Chrome OS device in Endpoint Management. For information on G Suite domain enrollment, see the Google article, Enroll Chrome devices.

Enroll Chrome devices in Endpoint Management

A Citrix PIN must be created when a Chrome OS device is enrolled in Endpoint Management. The Citrix PIN is separate from the Endpoint Management passcode. The Citrix PIN secures a certificate from the Endpoint Management server. This PIN cannot be reset. If a user forgets this PIN, the Chrome OS device must be unenrolled and re-enrolled.

  1. Sign in to your Chrome OS device by using your G Suite credentials.

  2. Click the Secure Hub extension in Chrome. The Secure Hub extension appears next to your browser address bar, is grayed out, and looks like the following image:

    Secure Hub extension

  3. The Secure Hub enrollment window appears. Click Enroll.

    Enrollment window

  4. Type your corporate credentials, such as your Endpoint Management server name, User Principal Name (UPN), or email address. Then, click Next.

    Corporate credentials options

  5. If prompted, type your corporate user name. Type your corporate password. Then, click Sign In.

    Sign In option

  6. Create a Citrix PIN. This PIN must be 6 characters long. It can contain only letters and numbers. Type your Citrix PIN twice and then click Finish.

    Citrix PIN creation screen

    When the enrollment is complete, the Secure Hub extension icon is active.

Sign in to an enrolled Chrome OS device

To sign in to a Chrome OS device that is enrolled in Endpoint Management:

  1. Sign in using your G Suite credentials.

  2. When prompted, enter your Citrix PIN. This PIN was created when the device was enrolled in Endpoint Management.

    If you do not type your Citrix PIN:

    • You are prompted to type your Citrix PIN every minute until you type the PIN.
    • After five minutes, access is blocked to all websites except,,,
    • If you try to access any other website, an error message appears and you are prompted to sign in using your Citrix PIN.

Unenroll and reenroll a Chrome OS device

To unenroll a Chrome OS device from Endpoint Management, users delete their account.

  1. In the Chrome browser, click the Secure Hub extension icon.
  2. In the Secure Hub enrollment window, click Delete.
  3. Click Yes, Delete to confirm the deletion.

    The Secure Hub enrollment window closes and the Secure Hub extension iron is grayed out.

To re-enroll:

  1. Log out of your Chrome OS device and log back in using your G Suite credentials.
  2. Click Enroll and follow the prompts to re-enroll.

Security actions

Chrome OS doesn’t support security actions.