Creating a Locked-down Chromebook Enrollment Account

When enrolling Chromebooks, we often receive requests to modify device information fields and locations within the Google Admin Console. To provide these services, we require the creation of a locked-down enrollment account. This allows for device enrollment and modification without providing access to other areas of your Google domain. You may optionally grant us broader permissions to the enrollment account using a pre-configured admin role.

1. Log in to https://admin.google.com with a Super Admin account
2. Select the “Admin Roles” tile
3. Click “Create A New Role” in the top left
4. Choose a fitting title and description for the admin role. For example, “Enrollment Admin”
5. Click the Privileges tab and choose the following privileges:
          a. Under “Admin Console Privileges”
                    i. Organizational Units
                              1. Read
                    ii. Chrome Management
                              1. Settings
                                        a. Manage Devices
                                        b. Manage Device Settings
          b. Under “Admin API Privileges”
                    i. Organizational Units
                              1. Read
                    ii. Schema Management
                              1. Schema Read
6. Click “Save” to create the admin role
7. Next, enable API access at the domain level. Return to the Admin Console home by clicking “Google Admin” on the top left.
8. Click the “Security” tile
9. Expand the “API Permissions” section
10. In the “API access” list, make sure to enable Drive, Admin, and Apps Script Runtime.
11. Now create an enrollment user. Return to the Admin Console home by clicking “Google Admin” on the top left.
12. Click the “Users” tile
13. If you already have an enrollment account shared with FireFly, select it and skip to step 17; otherwise, continue with step 14.
14. Click the + icon on the bottom right to add a new user. We recommend credentials that are easy to type.
15. Click “Create” on the bottom right to create the user
16. Locate the new user account, then select the user by clicking on the username
17. Select “Admin Roles and Privileges”, then click on Roles
18. Click the toggle next to our new admin role to assign that role to the new user
19. Click “Save”
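
As an added example (not part of FireFly's guide): a Python check that compares a role, shaped like an Admin SDK Directory API role resource, against the privileges chosen in step 5 and reports anything extra or missing. The service IDs are placeholders, the privilege name strings are assumed API names to confirm against your own domain, and both sample roles are constructed.

```python
# Baseline from step 5 as (serviceId, privilegeName) pairs.
# ASSUMPTION: the serviceId values are placeholders and the privilegeName
# strings are assumed API names; replace both with values from your domain.
CONSOLE, CHROME, API = "SVC_ADMIN_CONSOLE", "SVC_CHROME", "SVC_ADMIN_API"
BASELINE = {
    (CONSOLE, "ORGANIZATION_UNITS_RETRIEVE"),  # Organizational Units > Read
    (CHROME, "MANAGE_DEVICES"),                # Settings > Manage Devices
    (CHROME, "MANAGE_DEVICE_SETTINGS"),        # Settings > Manage Device Settings
    (API, "ORGANIZATION_UNITS_RETRIEVE"),      # API: Organizational Units > Read
    (API, "SCHEMA_RETRIEVE"),                  # API: Schema Management > Schema Read
}


def audit_role(role, baseline=BASELINE):
    """Return a list of findings; an empty list means the role matches."""
    granted = {
        (p.get("serviceId", ""), p.get("privilegeName", ""))
        for p in role.get("rolePrivileges", [])
    }
    findings = []
    if role.get("isSuperAdminRole"):
        findings.append("role is flagged as a Super Admin role")
    for svc, name in sorted(granted - baseline):
        findings.append(f"extra privilege: {name} ({svc})")
    for svc, name in sorted(baseline - granted):
        findings.append(f"missing privilege: {name} ({svc})")
    return findings


# Constructed sample 1: the role exactly as the procedure defines it.
GOOD_ROLE = {
    "roleName": "Enrollment Admin",
    "isSuperAdminRole": False,
    "rolePrivileges": [
        {"serviceId": s, "privilegeName": n} for s, n in sorted(BASELINE)
    ],
}

# Constructed sample 2: the same role after drift (one privilege added,
# one removed), as might happen when someone edits it later.
DRIFTED_ROLE = {
    "roleName": "Enrollment Admin",
    "isSuperAdminRole": False,
    "rolePrivileges": [
        p for p in GOOD_ROLE["rolePrivileges"]
        if p["privilegeName"] != "SCHEMA_RETRIEVE"
    ] + [{"serviceId": API, "privilegeName": "USERS_ALL"}],
}

if __name__ == "__main__":
    for finding in audit_role(DRIFTED_ROLE):
        print(finding)
```
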


Installing Add-ons for Device Management

Google prevents standard enrollment accounts from using add-ons that can view enrolled devices and update OU location, asset information, and other details. In order for us to update this information in your console, we first need you to enable a Google Marketplace add-on:

From within the Admin Console:
1. Click "Apps"
2. Click "Marketplace Apps"
3. Click the plus (+)
4. Search for the "Chromebookinventory" marketplace add-on
          a. If you are already using "Gopher for Chrome" for your console needs, you can whitelist that instead.
5. Domain Install the add-on
6. Refresh the page to make the add-on appear in the list. 
          a. For the add-on's Status, you may set it to "ON for some" and exclude any organizations you wish not to
              have access to this add-on. Example: Student, or Non-Admin Staff
                    i. To change access: click on the organization, click "Override", click the toggle, and apply.
          b. Make sure the enrollment account provided to FireFly is one that has access to this add-on.


Frequently Requested How-Tos for Chrome Deployment

Legal Disclaimer: The procedures outlined above are provided for informational purposes only. We do our best to ensure the accuracy and helpfulness of the information, but please ultimately rely on your own discretion. Under no circumstances shall FireFly Computers, LLC be held liable for any damages resulting from the use, misuse, or failure to use this guide or the information it contains. All trademarks are property of their respective owners. Reproduction, modification, or distribution of this document or the information it contains, in whole or in part, is strictly prohibited without express written permission. Thank you.