FireFly Knowledge Library

Creating a Locked-Down Chromebook
Enrollment Account

When enrolling Chromebooks, we often receive requests to modify device information fields or locations within the Google Admin Console. In order to efficiently and accurately provide this service, we recommend the creation of a locked down enrollment account. This allows for the explicit function of device enrollment and modification, without giving access to anything else in your Google domain. Alternatively, you may also opt to give more broad permissions to the enrollment account using a pre-configured admin role.

  1. Login to with a Super Admin account
  2. Select the “Admin Roles” tile
  3. Click “Create A New Role” in the top left
  4. Choose a fitting title and description for the admin role. For example, “Enrollment Admin”
  5. Click the Privileges tab, choose the following Privileges
    1. Under “Admin Console Privileges”
      1. Organizational Units
        1. Read
      2. Chrome Management
        1. Settings
          1. Manage Devices
          2. Manage Device Settings
    2. Admin API Privileges
      1. Organizational Units
        1. Read
      2. Schema Management
        1. Schema Read
  6. Click “Save” to create the admin role
  7. Next, enable API access at the domain level. Return to the Admin Console home by clicking “Google Admin” on the top left
  8. Click the “Security” tile
  9. Expand the “API Reference” section
  10. Check the box for “Enable API Access”
  11. Now to create an enrollment user. Return to the Admin Console home by clicking “Google Admin” on the top left
  12. Click the “Users” tile
  13. If you already have an enrollment account shared with FireFly, select it and skip to step 17, otherwise
  14. Click the + icon on the bottom right to add a new user. We recommend credentials that are easy to type
  15. Click “Create” on the bottom right to create the user
  16. Locate the new user account, then select the user by clicking on the username
  17. Select “Admin Roles and Privileges” Click on Roles
  18. Click the toggle next to our new admin role to assign that role to the new user
  19. Click “Save”
  20. Thank You!


Google has recently added security that prevents us from using addons that permit us to view enrolled devices and update OU location, asset information, and other details. In order for us to update information in your console, we also need to have a Google Marketplace addon enabled:

From within the Admin Console:

1. Click Apps

2. Click Marketplace Apps

3. Use the Vertical Dots to Manage Apps:

4. Select Manage access to apps

5. If currently set to ‘Do not allow users to install any application from G Suite Marketplace’, choose ‘Allow users to install only whitelisted applications’, and save.

6. Now, choose ‘manage whitelist’

7. Click ‘Add apps to whitelist’

8. Search for chromebook getter

9. Tick the box next to the result, and click Whitelist

10. Confirm the change if prompted

Legal Information: The information in this document is provided on an “as is” and “as available” basis. FireFly Computers makes no representations or warranties as to the accuracy, reliability, or quality of the information and in no circumstances shall FireFly Computers be held liable for any damages resulting from the use, misuse, or failure to use this document or the information it contains. All trademarks are the property of their respective owners. Reproduction, modification, or distribution of this document or the information it contains, in whole or in part, is strictly prohibited without the express written permission of FireFly Computers, LLC.

Phone: 612-564-4088
Toll Free: 1-866-950-8868