Creating a Locked-down Chrome Admin Account

When enrolling Chromebooks, we often receive requests to modify device information fields and locations within the Google Admin Console. To provide these services, we require the creation of a locked-down admin account. This allows for device enrollment and modification without providing access to other areas of your Google domain. You may optionally grant the enrollment account broader permissions using a pre-configured admin role.

Creating the Role

1. Go to your Google admin console and sign in with your Super Admin account

2. Select “Admin Roles”

3. Click “Create New Role” at the top

a. Choose a fitting Name and Description for the admin role. For example:

i. Name: Locked-down Admin Account

ii. Description: Limited console access for Whiteglove services

4. Click “Continue”

a. Under “Admin Console Privileges” enable:

i. Organizational Units

1. Read

ii. Services

1. Chrome Management

a. Manage User Settings

2. Chrome OS

a. Settings

i. Manage Devices

b. Under “Admin API Privileges” enable:

i. Organizational Units

1. Read

ii. Schema Management

1. Schema Read

5. Click “Continue”

6. Review your privilege selection

a. Admin console privileges

i. Organizational Units > Read

ii. Services > Chrome Management > Manage User Settings

iii. Services > Chrome Management > Manage User Settings > Manage Application Settings

b. Admin API privileges

i. Organizational Units > Read

ii. Schema Management

iii. Schema Management > Schema Read

7. Click “Create Role”

Creating the User

8. Now to create an enrollment user. Return to the Admin Console home screen

9. Select “Users”

10. Click "Add New User" to open the profile page

a. Fill out the required fields.

i. We recommend credentials that are easy to type

11. Click “Add New User” to create

a. Click “Done” to finalize creating the user

12. Locate the user account. Go to the user's settings by clicking on the username

a. You may need to refresh (F5) to have the User appear

13. Select “Admin Roles and Privileges”

14. Under Roles go to the new admin role you recently created and assign that role to the new user

15. Click “Save”

Whitelisting add-ons

16. Now we need to install and whitelist an add-on tool. Return to the Admin Console home screen

17. Select "Apps"

18. Within "G Suite Marketplace Apps" click “Manage”

19. Select “Allow users to install only whitelisted applications from G Suite Marketplace”

20. Click “Save”

21. Click “Manage Whitelist”

a. If you already have premium “Gopher for Chrome”, premium “Chromebook Getter”, or free “chromebookinventory” installed, skip to step 28

22. Click “Domain install apps”

23. Click “Add app to Domain install list”

a. Search: chromebookinventory

24. Click “Domain install”

25. Agree to TOS

26. Close out on the marketplace tab

27. Click “G Suite Marketplace Whitelist”

28. Click “Add app to Whitelist”

a. Search for your management marketplace add-on, examples:

i. Gopher for Chrome

ii. Chromebook Getter

iii. Chromebookinventory

29. “Add to Whitelist”

30. Optionally you can go back to “Domain install apps” and limit the access to the add-on to only the location that the locked-down admin account is in.

31. Click on the add-on

a. Under Distribution click “View Organizational Unit”

b. In the OU that the enrollment account is in, make sure the service status is set to on

c. In the OUs that the service is not required you can turn the service off

d. By default, the created user is in the base OU.

Enabling API

By default, Google services are set to unrestricted. If you have Google services restricted, we may need some of those services enabled.

32. Return to the Admin Console home and select “Security”

33. Click the "App Access Control" section

34. Make sure these "Manage Google Services" entries have been set to Unrestricted:

a. Drive

b. G Suite Admin

c. Apps Script Runtime

d. Apps Script API

Your Locked-down Admin Account is now complete.


Installing Add-ons for Device Management

Google prevents standard enrollment accounts from using add-ons that can view enrolled devices and update OU location, asset information, and other details. In order for us to update this information in your console, we first need you to enable a Google Marketplace add-on:

From within the Admin Console

  1. Click "Apps"
  2. Click "Marketplace Apps"
  3. Click the plus (+)
  4. Search for "Chromebookinventory" marketplace add-on
    1. If you are already using "Gopher for Chrome" for your console needs, you can whitelist that instead.
  5. Domain Install the add-on
  6. Refresh the page to make the add-on appear in the list.
    1. For the add-on's Status, you may set it to "ON for some" and exclude any organizations you do not wish to have access to this add-on. Example: Student or Non-Admin Staff
      1. To change access: click on the organization, click "Override", click the toggle, and apply.
      2. Make sure the enrollment account provided to FireFly is one that has access to this add-on.


Frequently Requested How-Tos for Chrome Deployment

Legal Disclaimer: The procedures outlined above are provided for informational purposes only. We do our best to ensure the accuracy and helpfulness of the information, but please ultimately rely on your own discretion. Under no circumstances shall FireFly Computers, LLC be held liable for any damages resulting from the use, misuse, or failure to use this guide or the information it contains. All trademarks are property of their respective owners. Reproduction, modification, or distribution of this document or the information it contains, in whole or in part, is strictly prohibited without express written permission. Thank you.

Configuring Chromebook Wi-Fi

While we are more than happy to process your order with pre-configured Wi-Fi, we have found that most customers choose pre-configured Wi-Fi simply because they are not aware of the advantages offered by Wi-Fi configured in the Google Admin Console. We want to convince you to reconsider:


  • Once the configuration is set in the Google Admin Console, you will never need to manually connect to Wi-Fi again.
  • If you ever need to change your Wi-Fi credentials, you can change them on all Chromebooks without ever having to physically touch them.
  • Since the Wi-Fi password does not need to be entered manually, security is improved by limiting the number of people who know the password. Additionally, the password can be made more complex to prevent someone from guessing it.
  • Easily control which Chromebooks can connect to a given Wi-Fi. This is especially useful if you have separate networks such as one for staff and one for students.
  • There is support for multiple networks as well as all modern security protocols including WPA/WPA2 Enterprise (802.1x).

Some Considerations

  • When configuring your Wi-Fi SSID and password, double, triple, and quadruple check your spelling. Make sure there are no spaces hiding before or after the text. Also, both the SSID and password are case sensitive. A typo here will push out incorrect credentials to your devices, preventing them from connecting to your network entirely. The only way to fix a mistake such as this is to fix the spelling error in the console, then manually connect each device to the internet to get the updated policy.
  • If devices will be used on a network other than the one(s) you configure in the admin console, be sure to disable the “Restrict Wi-Fi networks” option. This setting can be found in the Google Admin Console by navigating to Devices > Networks > General settings. A common scenario where you would want to disable this setting would be students bringing their Chromebooks home.
  • Policies applied to OUs are always inherited from parent OUs. This means that a network policy applied to your top level OU will be applied to all other OUs in your domain and thus all Chromebooks in your domain. However, this relationship does not work in the opposite direction. If you choose to apply your Wi-Fi policy to any OU other than the top level OU, ensure newly enrolled Chromebooks are automatically placed in an OU that will inherit your Wi-Fi policy. Information on automatically moving Chromebooks to a specific OU when enrolling can be found here under the “Device Enrollment” category. While we offer OU movement services, these can only be performed after an order is finished and repackaged for shipping. The easiest way to prevent any issues related to OU placement is to apply your Wi-Fi policies to your entire domain.
  • If you already have Chrome devices in your domain, it might be good to set up a test OU with a couple of test devices to try out Wi-Fi policies.


Before adding a Wi-Fi configuration, please read all steps thoroughly. Additionally, please read the “Some Considerations” section above. If you would prefer to read Google’s documentation on the setup process, there are articles available on their support site here and here. If you are unsure if a specific setting is needed, consult with your network administrator.

  • Log in to the Google Admin Console (https://admin.google.com).
  • Navigate to Devices > Networks (left side).
  • Decide at this time which Chromebooks you would like to add Wi-Fi to by clicking the OU on the left side of the screen. We recommend using the top level or base OU if possible. 
  • Click the “Wi-Fi” section towards the top.
  • Click “ADD WI-FI” towards the top right.
  • Choose “Chromebooks (by device)”. Choosing to apply per user will mean the Chromebook will not have internet at the sign-in screen.
  • The “Name” field is a friendly name for the Wi-Fi configuration.
  • Fill in your SSID, passphrase, and any other special settings.
  • We recommend checking the “Automatically connect” box.
  • Click “Save”

Creating an Enrollment-Only Account in Google Admin

When enrolling Chromebooks, credentials may need to be shared when automated enrollment is not used or available. An enroll-only account ensures an account with no other access/permission can be shared for manual enrollment, which can speed up orders and combines with other security measures to limit unauthorized access. This is not required, but is recommended.

Secured Enrollment-only Account setup. This account will only have enrollment privileges, with no access to the Google Admin Console or services such as Gmail and Drive.

Creating the Organizational Unit (OU)

  1. Go to https://admin.google.com and log in with a Super Admin account
  2. Select “Organizational Units”
  3. Hover over the OU tree to reveal the option to [Create new organizational unit]
    1. Look for a plus (+) symbol at the right
  4. Name the OU
    1. We recommend something identifiable like “FFenroll”
  5. Click “Create”
    1. You may need to refresh (F5) to see the newly created OU

Creating the User

  1. Now to create an enrollment user. Return to the Admin Console home screen
  2. Select “Users”
  3. On the left side select “Users from selected organizational units”
  4. Click your newly created OU from step 5
  5. Click "Add New User" at the top to open the profile page
  6. Fill out the required fields
    1. We recommend credentials that are easy to type
  7. Click “Add New User” to create
  8. Click “Done” to finalize creating the user
    1. You may need to refresh (F5) to see your newly created User
  9. Do not assign a license to this user
    1. License assignment may be set to automatic based on your “Billing” Settings
    2. You can remove licenses by selecting the user and going to the “More” dropdown at the top
      1. Some licenses are unremovable; you can leave those assigned
  10. Do not assign admin roles or privileges to this user
    1. You can check this by clicking on the user and looking in the roles and privileges section

OU Settings

  1. Now to set up the OU. Return to the Admin Console home screen
  2. Select “Devices”
  3. On the left side Device Settings menu click the “Chrome” dropdown
  4. Click “Settings”
  5. On the left side, OU Tree, click the OU you created in step 5
    1. Scroll down to Enrollment controls > Enrollment permissions
      1. Make sure the setting is on “Allow users in this organization to enroll new or re-enroll existing devices”
      2. This is usually already selected by default, but inherited settings can sometimes change this
  6. Click “Save” at the top if you made changes 

Apps Settings

  1. Now to set up the Apps settings for the OU. Return to the Admin Console home screen
  2. Select “Apps”
  3. Click “G Suite”
  4. On the left side click the OU you created in step 5
  5. Select all checkboxes, then click “Off” on the top right
    1. Confirm any additional pop-up boxes
  6. Go back to the “Apps” settings
  7. Click “Additional Google services”
  8. On the left side click the OU you created in step 5
  9. Select all checkboxes, then click “Off” on the top right
    1. Confirm any additional pop-up boxes
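
Once both accounts exist, their privilege posture can be checked from exported Admin SDK Directory API records rather than by clicking through each profile. The following is an added example, not part of FireFly's guide: it audits the `users.get` and `roleAssignments.list` JSON for the enrollment-only account (no admin roles, in its own OU) and the locked-down admin account (exactly the one custom role). The sample records, the role ID `R_LOCKED_DOWN`, and the OU path `/FFenroll` (the suggested OU name, assumed to sit directly under the root) are constructed placeholders.

```python
# Added example: audit exported Admin SDK Directory API records (users.get and
# roleAssignments.list JSON) against the two account profiles in this guide.

def audit_account(user, assignments, allowed_role_ids=(), expected_ou=None):
    """Return a list of findings; an empty list means the account matches."""
    email = user.get("primaryEmail", "<unknown>")
    allowed = set(allowed_role_ids)
    findings = []
    if user.get("isAdmin"):
        findings.append(f"{email}: is a Super Admin")
    # Roles actually held by this user, matched on the user's Directory id.
    held = {a["roleId"] for a in assignments if a.get("assignedTo") == user.get("id")}
    for role_id in sorted(held - allowed):
        findings.append(f"{email}: holds unexpected admin role {role_id}")
    for role_id in sorted(allowed - held):
        findings.append(f"{email}: missing expected role {role_id}")
    # An account that should hold no roles must not be a delegated admin either.
    if not allowed and user.get("isDelegatedAdmin"):
        findings.append(f"{email}: is flagged as a delegated admin")
    if expected_ou is not None and user.get("orgUnitPath") != expected_ou:
        findings.append(f"{email}: in OU {user.get('orgUnitPath')}, expected {expected_ou}")
    return findings

# Constructed sample records; ids, addresses and role ids are placeholders.
ENROLL = {"id": "u1", "primaryEmail": "enroll@example.com", "isAdmin": False,
          "isDelegatedAdmin": False, "orgUnitPath": "/FFenroll"}
LOCKED = {"id": "u2", "primaryEmail": "lockdown@example.com", "isAdmin": False,
          "isDelegatedAdmin": True, "orgUnitPath": "/"}
DRIFTED = {"id": "u3", "primaryEmail": "enroll-old@example.com", "isAdmin": False,
           "isDelegatedAdmin": True, "orgUnitPath": "/Staff"}
ASSIGNMENTS = [
    {"roleId": "R_LOCKED_DOWN", "assignedTo": "u2", "scopeType": "CUSTOMER"},
    {"roleId": "R_HELPDESK", "assignedTo": "u3", "scopeType": "CUSTOMER"},
]

if __name__ == "__main__":
    checks = [(ENROLL, (), "/FFenroll"),
              (LOCKED, ("R_LOCKED_DOWN",), None),
              (DRIFTED, (), "/FFenroll")]
    for user, roles, ou in checks:
        result = audit_account(user, ASSIGNMENTS, roles, ou)
        print(user["primaryEmail"], "OK" if not result else result)
```

Running the same audit on a schedule catches drift, such as an enrollment account that was later moved to another OU or given an extra role.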