ChromeOS Management with Intune

Talk of The Town

In the last few days, ChromeOS & Chrome Enterprise have become the buzzwords for the Mobile Device Management world. Microsoft Ignite – more than two weeks now, it seems Microsoft still has many more secrets to reveal in the crazy world of device management.

Like you, I was also super excited to test the new feature. In fact, still excited, as there is so much to explore into it. Let’s get started, then.

What is Chrome Enterprise

Google Chrome Enterprise, introduced by Google in 2017, is a business-based workplace solution for deploying and managing Chrome devices, Chrome browser and Chrome OS. Chrome Enterprise provides quality, easy-to-access and navigate cloud-based administrative tools and integrations with third-party services and offers 24/7 support for IT decision-makers and operators.

Chrome Enterprise offers the general Chrome OS features with its automatic updates, multi-layered security, remote desktop, application virtualization support, preference syncing and cloud or native printing.

Chrome Enterprise is offered under a yearly subscription service with a price charged per device.

Among Chrome Enterprise, added management features are:

Google Play Store apps
Chrome OS extensions
Chrome web browser
Microsoft Active Directory
Printer management
Flexible fleet management

As an administrator, the Google Admin console is where you manage all your Google Workspace services. Google Workspace (formerly known as Google Apps and later G Suite) is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google. You can relate it to the Azure admin portal, where you add or remove users, manage billing, set up mobile devices, and more. The Admin console can be accessed at admin.google.com

Intune & Google Enterprise – Some Facts

Before you start managing your trendy Chromebooks or ChromeOS, you need to configure a connection between Intune & Google Workspace, and for that, you will need a connector – and for that, you will need a Google Workspace Subscription. 😃😎

In this article, I will help sign up for a Google Workspace subscription and set up and monitor a connection between the Google Admin console and Microsoft Intune.

This connector will help you to:

Sync device information between the Google Admin console and Microsoft Intune.

View device information in your device inventory lists in the Microsoft Endpoint Manager admin center.

Apply remote actions, such as deprovision, restart, lost mode, and wipe in the admin center.

ChromeOS or Chrome Enterprise devices are enrolled through Google Admin Center not Intune!

Set-Up Google Admin / Google Workspace

As a first step, we need to have an active subscription to Google Workspace. In the Basic plan, you get the following:

The complete set of G Suite apps with full enterprise-level functionality.
30 GB of cloud storage per person.
Basic admin-level controls let you add/remove users, enable security and more.

You’ll have to subscribe to the Business plan if you want more features with additional functionality as:

Cloud Search to search through all G Suite apps to get you the desired results.
The ability to recover company data from ex-employees’ accounts.
Advanced admin features let you set how long emails and chats are retained, where your data is stored, and more.

If you want even more security and control over your data in G Suite, the Enterprise plan:

An advanced console from where you can manage all users, apps, and devices on G Suite.
Control sharing of sensitive information.
Get advanced enterprise-grade security and reports on how your data is being used.

You can start with a 14-day free trial to use Google Workspace. The steps are as below:

To start, fire up your favourite browser and navigate to workspace.google.com. On this page, click on the blue ‘Get Started button.

The next page will be the sign-up page. Enter your business name, the number of employees and the country in which your business is located. After typing this info, click ‘Next’.

Next, click on ‘I have one I can use to enter your domain name. If you don’t have one, click on ‘I don’t have one.

Click ‘Next’ and on the next page where you’ll have to enter the exact address of your business. This is required to register your domain.

The next page will ask you to create your first Google Admin username.

Create a secure password and remember it. Once you sign in, you’ll be asked to review your Google Workspace plan. Click Next to confirm.

The next part is exactly the same steps you do while setting up the M365 tenant. i.e. adding & verifying your custom domain, adding new users and assigning them roles and services. This is how your new Google Workspace Admin Center will look like once you are done with all these configurations:

Looks cool 😎👩‍💻🏆

Connect Intune with Google Workspace

Now, we have to make our Intune tenant talk to your Google Workspace Admin Console. For this, you need to follow the steps as shown:

Go to Tenant administration > Connectors and tokens.

Select Chrome Enterprise (preview) > Connect.

On the Connect to Chrome Enterprise page, select Google Admin console, and then:

Go to Security > Access and data control > API Controls.

Select MANAGE DOMAIN WIDE DELEGATION.

Select Add new to create the API client for your connection.

Copy the Client ID and OAuth Scopes in the Microsoft Endpoint Manager admin center.

Return to the Google Admin console and paste each value in the Client ID and OAutho scopes (comma-delimited) spaces. Intune requires the following scopes:
- https://www.googleapis.com/auth/admin.directory.device.chromeos
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/admin.directory.orgunit.readonly

Select Authorize to save all changes.

Return to the Microsoft Endpoint Manager admin center and select Launch Google to connect now.

Use your Google Admin account when prompted to authenticate with your organization’s Google Enterprise domain.

After you authenticate, the connection is established, and your organization’s enrolled Chrome OS devices begin syncing from the Google Admin console. The status changes to Active when syncing is complete.

Monitor connection status

Go to Chrome Enterprise (preview) in the Intune admin portal to check the overall health of your connection. Chrome OS devices should appear shortly after the initial connection. Devices will continue to sync periodically and receive updates.

Available details include:

Status: Syncing is shown when devices are still being synced. The status changes to Active when syncing is complete.
Last check-in: This shows the last time new devices, device details, or remote actions were synced between Microsoft Intune and the Google Admin console.
Chrome devices synced: Shows the number of Chrome OS devices synced with Intune.
Connected account: This shows the Google Admin account connected to Microsoft Intune.

Summary

For now, I will end it here and give you some time to play around with your all-new Google Workspace Admin Console. In the next part, I will help you provision a Chrome Enterprise device and get it synced to Intune. Till then, stay In(tuned) and be #intuneinspired.