Jens' Blog

Managing Chromebooks with VMware Workspace One and Chrome Enterprise

chrome

I just got engaged in a customer project for Workspace ONE. This European customer wants to lower his TCO on mobile devices, as they currently hand out many Notebooks to their employees and Windows Notebook require a lot of management from the customer side. So they raised the question if it is possible to include Chromebooks in their environment and to fully manage them with their MDM solution – VMware Workspace ONE UEM.

With the use of VMware Workspace ONE UEM we have two options of management:

  • Container management (We are only able to manage Settings and Content within a protected Container)
  • Full system management (We are managing the whole System and all Content and Settings on it)

The customer decided to have the full system management so we have to incorporate Google Chrome Enterprise, as this solution combines the management capabilities of Google and VMware to easy and fully manage a Chrome Device.

 Bill of Materials:

  • Google Chrome Enterprise Subscription
  • Google Admin user
  • VMware Workspace One UEM Console / User
  • Chromebook


Important:

The Google Chrome Enterprise Subscription is not free. It will cost you 50$ per Device and per year. Make sure you only subscribe for Chrome Enterprise and not for the full G-Suite, as we do not need the G-Suite for device management.

Let’s get started at the Google Admin Page:

Navigate to Device management -> Chrome Management and select User & browser settings:
In the Android applications section make the following changes:
Android applications on Chrome Devices:  Allow
File System Migration: Force users to migrate
Access to Android applications: Do not allow
At the Chrome Management – Partner Access section change:

Chrome Management - Partner Access:  Enable Chrome Management - Partner Access


Navigate to Device management -> Chrome Management and select Android application settings:
Check Enable Android applications to be managed through the Admin Console and accept the EULA.

Navigate to Device management -> Chrome Management and select Device settings:
In the Sign-in Settings section make the following changes:
Guest Mode: Do not allow guest mode

Now go back to the Google Admin Portal and create a new user (if you not already have a user).

Now it’s time to enroll your new Chromebook.

If you already signed in, wipe your device and start from scratch. (See https://support.google.com/chrome/a/answer/1360534?hl=en)

  1. Turn on the Chrome device and follow the on-screen instructions until you see the sign-in screen. Don't sign in yet. If you see the enrollment screen instead of the sign-in screen, go to Step 4.
  2. If you're enrolling a Chromebook tablet, tap Email or phone. Then, tap More More and then Switch to full layout to open the on-screen keyboard.
  3. Choose an option to get to the enrollment screen:

    Press Ctrl+Alt+E.

    Click More options and then Enterprise enrollment (not available on Chromebook tablets).

  4. Enter the username and password from your Google admin welcome letter or for a Google Account that has eligibility to enroll.
  5. If prompted, enter the asset ID and location and click Next.
  6. When you get a confirmation message that the device is successfully enrolled, click Done.

Users can now sign in to devices and start using them.
Your device is now enrolled into Google Chrome Enterprise.

Now let’s connect Google Chrome with VMware Workspace One UEM to manage this device via the company MDM solution. 
Open your VMware Workspace ONE UEM Console and navigate to Groups & Settings à All Settings à Devices & Users à Chrome OS à Chrome OS EMM Registration
Enter your Google Domain and your Google Admin email address and confirm the management.
Test Connection should give you a successful answer and the Device Sync should display Device Sync Successful.

Now the Chromebook should appear in the Device List view.

Navigate to Devices à List View

Verify you can see your Chromebook here.

Now we can create a Chrome OS Policy and push down configurations and applications to the Chromebook.

Navigate to Devices à Profiles & Resources à Profiles and select Add Profile.

Choose Chrome OS as the Profile Type and User as context.

Enter a Profile Name and an Assignment Group and switch the Assignment Type to Auto.

In this Profile you can configure multiple settings like Wireless and Security. I would like to show you how to push down applications to the Chromebook, as this works different as you are used to with VMware Workspace ONE UEM.

Switch to the Application Control Tab.

Here you can install Chrome as well as Android Apps to the Device and as we disabled the Appstore via Chrome Enterprise Settings, this will be the only way how applications are distributed to the device. 

In this example, we distribute the VMware Horizon Client for Chrome as a Chrome App and the Workspace One App as an Android App.

The App ID of Chrome Apps can simply be found in the URL of the Chrome App Store:

Now you Save and Publish the Profile, wait a few seconds and your prolife should be applied to your Chromebook. If you wait a few moments longer, the applications should pop up as well.


You have now successfully managed your Chromebook with VMware Workspace ONE UEM and Chrome Enterprise!