Explore Your Options for Managing Chromebooks
Google gives enterprise IT departments several Chrome OS management approaches. Pilot each; don’t just default to the one most familiar to you.
To manage a Chromebook, you first need either a Chrome Enterprise or Chrome Education license for that device. With a Chrome Enterprise license, you can then manage the Chrome OS device with:
- Google Admin Console
- Enterprise Mobility Management (EMM) and Unified Endpoint Management (UEM)
- A combination of Google Admin Console and EMM / UEM
- Active Directory and Group Policy
With Chrome Education licenses, Chromebooks can be managed only via the Google Admin Console.
Google Admin Console
The Google Admin Console is a central hub for managing G-Suite services, Google Chrome browsers, and Chrome OS devices. It can also be used to manage iOS and Android devices via mobile device management (MDM). The console allows you to set these types of policies for Chromebooks:
- Device-level policies
- User-level / Chrome profile policies
- App and extension policies
You can perform a one-way sync of your Active Directory, LDAP, or Azure Active Directory with your Google domain by using the Google Cloud Directory Sync. The result is a list of Google Accounts in your Google domain that are mapped to accounts in your Active Directory.
EMM and UEM
Google has only sanctioned a subset of EMM and UEM vendors to manage devices running Chrome OS. As of June 28, 2019, these vendors are:
- Cisco Meraki
- Citrix XenMobile
- IBM MaaS360
- ManageEngine Mobile Device Manager Plus
- VMware AirWatch
Chromebooks can be managed simultaneously with one of the above and with the Google Admin Console. This knowledgebase article explains how conflicting policies are resolved. The following figure from SoftwareReviews shows how many of the above vendors compare in terms of feature satisfaction and vendor capability satisfaction.
Source: SoftwareReviews, Enterprise Mobile Management, Quadrant Published June 28, 2019
Active Directory
Since the launch of Google Chrome Enterprise in 2017, IT departments have been able to manage Chromebooks through Active Directory. Google released improvements to this approach in Chrome Enterprise version 74 – Chromebooks no longer need a separate domain to be managed through AD and Group Policy. However, Chromebooks cannot be simultaneously managed by both Group Policy and by the Google Admin Console. You can download a group policy object template from this Google knowledgebase article.
Selecting the Best Approach for You
The Google Admin Console will satisfy most of your endpoint management needs. Having each device automatically retrieve and install updates from Google enables IT to spend less time on maintenance and more time on strategic projects. Chrome OS’s security features (e.g. sandboxing, automatic updates, verified boot) together with the Google Admin Console will often be enough for most IT groups.
Managing Chromebooks with EMM or UEM allows for more seamless integration of Chrome OS devices into your existing end-user computing environment. For example, if you have already built a digital workspace that integrates your cloud file-shares, ITSM tool, virtual desktops, virtual apps, and SaaS apps, then including your Chromebook in your EMM or UEM solution is preferable. Using a supported UEM tool gives you the added advantage of a single pane of glass for reporting, analytics, and management.
When should you use your existing EMM or UEM tool to manage Chromebooks?
- Google supports your tool for managing Chrome OS
- You are satisfied with your EMM/UEM tool
- Your EMM/UEM tool can add user functionality to Chromebooks
- The UEM tool provides central reporting and helps with software asset management
If your management tool does not add user functionality, and you’re not using any advanced EMM features, then evaluate migrating to the Google Admin Console for enterprise mobility management.
Even if you are planning on sticking with your EMM/UEM vendor, you should run a proof-of-concept with Google Admin Console. You can manage Chromebooks with both the console and with EMM/UEM simultaneously, and you may find that the dual management approach offers additional functionality.
It is somewhat surprising that neither MobileIron nor Intune is approved for managing Chrome OS. Only somewhat, though, because Chromebooks are not widely adopted in the enterprise, and Microsoft is launching a competing product to the Chromebook.
| Approach | Strengths | Weaknesses |
| --- | --- | --- |
| Google Admin Console | Low cost; Basic MDM for iOS and Android; Single pane of glass for all G-Suite services; Can sync with AD, AAD, and LDAP via GCDS | Does not offer device encryption or advanced threat detection |
| EMM and UEM | Single pane of glass for all devices; Potentially greater control over endpoint; Take advantage of features you’ve already built in your mobile environment; Central analytics, reporting, and asset management; Can be used in conjunction with the Google Admin Console | Cost; Implementation complexity; Not available for Chrome Education |
| Active Directory | Familiar toolset; Easier integration with existing management tools, processes, practices, and approach | Cannot be used in conjunction with Google Admin Console; Requires the devices to have access to the network; Not available for Chrome Education |
Recommendations
- If you are an Enterprise customer, perform a proof-of-concept of the following management approaches:
  - Google Admin Console
  - Google Admin Console with EMM/UEM
  - Only EMM/UEM
  - Active Directory
- If you have an Education license, then perform a proof-of-concept with Google Admin Console and with Google Cloud Directory.
- Perform a proof-of-concept for managing iOS and Android devices with Google Admin Console, especially if:
  - You’re not managing mobile devices today, or
  - Your EMM doesn’t give end users any additional features and functionality.
Bottom Line
Google Admin Console provides a great deal of management capability and may satisfy your requirements. EMM and UEM can provide additional end-user features and management functionality. Active Directory and Group Policy can provide a sense of familiarity to IT. Chrome OS Education customers are limited to Google Admin Console and Google Cloud Directory.