Manage Chromebooks with Intune
At Ignite last year, Microsoft announced Intune support for Google Chrome OS devices, more commonly known as Chromebooks. Google Chrome OS is a lightweight OS that runs on cheap, low-performance hardware with an acceptable experience. This makes Chromebooks interesting for many organizations looking for a cheaper desktop solution for their users. But Google Chrome OS is also limited in functionality. For example, there are no Microsoft 365 apps available; you need to use the Microsoft 365 app from the app store instead. But in some use cases a Chromebook fits like a glove!
Now that we have support for Chromebooks in Intune, what can we really do? Can we really enroll them and manage them like any other device? What management features are available after enrollment? That's the topic for today!
Connect Chrome Enterprise to Microsoft Intune
The first thing you need to do is connect Chrome Enterprise to Microsoft Intune. To do that, you need a Chrome Workspace subscription for Microsoft Intune to connect to. This is Google's collaboration platform, comparable to Microsoft 365 from Microsoft, so you need to pay for the Workspace services.
But hey, I want to use Microsoft 365 and not Google Workspace! This is the caveat: with Chromebooks, you don't actually enroll devices to Microsoft Intune. You only sync devices to Intune and get some remote management actions. Essentially, this means that unlike other platforms such as Android, iOS, macOS, Windows, and Linux, you still cannot enroll a Chrome OS device to Intune, only sync the objects. You therefore still need to pay for the services used in Google Workspace and enroll your devices to that environment. Nothing stops you from using Microsoft 365 as a collaboration service, though.
- Open Intune Portal on https://intune.microsoft.com
- Select Tenant Administration
- Select Connectors and Tokens
- Select Chrome Enterprise
- Select Connect to set up the connector to Chrome Enterprise
You will now be presented with a Client ID and an OAuth Scope.
- Select the link to Google Admin Console
- Sign in with an existing or create a new Google Workspace account.
(You cannot use a personal account; you need to use a Google work or school account. You can sign up here.)
- Go to Security > Access and data control > API Controls
- Select MANAGE DOMAIN WIDE DELEGATION
- Select Add new to create the API client for your connection.
- In the Microsoft Intune admin center, copy the Client ID and OAuth Scopes over to the Google Admin Console
- Select Authorize to save all changes
- Return to the Microsoft Intune admin center and select Launch Google to connect now
- When prompted to authenticate with your organization’s Google Enterprise domain, use your Google Admin account
After you authenticate, the connection is established and your organization’s enrolled Chrome OS devices begin syncing from the Google Admin console. If you have ChromeOS devices already enrolled in your Google Workspace prior to establishing this connection, those devices will start to sync into Intune. The status changes to Active when syncing is complete.
- Go back to Google Admin Console
- Navigate to Devices / Overview and select Chrome Devices / Manage Chrome Devices
- If this is the first time you open this management page, you need to accept the Chrome Online Agreements to be able to manage devices. Otherwise, you are ready to enroll devices.
Enroll Chrome OS to Google Enterprise (to Intune?)
As I explained before, Chrome OS MDM in Intune is not like other devices. We do not enroll the device to Intune, we enroll to Google Enterprise and then sync the device to Intune. This enrollment model will result in lots of limitations when it comes to Microsoft Intune Management features.
- Power on the new Chromebook to be enrolled.
- Connect to your network
- Accept Google terms of service
- On the Enterprise Enrollment page, enter your Google Workspace account and select Next
ChromeOS devices bundled with Chrome Enterprise or Chrome Education automatically prompt users to enroll after they accept the end-user license agreement. After enrollment, users can sign in and start using the device.
If they’re not prompted to enroll, users can press Ctrl+Alt+E or select Enterprise enrollment before anyone signs in.
- Enter your password to log in and use MFA if requested
- When Enterprise Enrollment is finished, sign in to the Chromebook with your Workspace account
- Select to sync your Chromebook for a better experience when shifting devices
- In the Google Admin console, verify that your device is registered as a Chrome Device
This means that your device is Enrolled with Google Enterprise. Now we need to wait to get it into Intune.
- If you select the device, you can see the asset properties registered with the object and some of the management features in Google Enterprise
- In the Microsoft Intune Portal, navigate to Tenant administration / Connectors and tokens and select Chrome Enterprise
- You can monitor when the device is synced to Intune by clicking Refresh and keeping an eye on the number of Chrome devices synced
The connector sync cannot be triggered manually, so you just need to wait for it to happen.
- When the device is synced from Google Enterprise to Microsoft Intune it will appear as a Chrome OS device in the Devices list
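Because the sync cannot be triggered manually, it helps to check which enrolled Chromebooks have actually arrived in Intune. The script below is an added example, not part of the original post: it compares a device export from the Google Admin console with a device export from Intune by serial number. The CSV column names and the sample rows are assumptions constructed for the example.

```python
import csv
import io

# Constructed sample exports. The column names are assumptions for this
# example; adjust them to match the CSV files you actually export.
GOOGLE_EXPORT = """serialNumber,status,orgUnitPath
5CD1234ABC,ACTIVE,/Students
5cd9876xyz ,ACTIVE,/Staff
5CD5555QQQ,ACTIVE,/Staff
"""

INTUNE_EXPORT = """Device name,Serial number,OS
CB-01,5CD1234ABC,ChromeOS
CB-02,5CD9876XYZ,ChromeOS
CB-09,5CD0000OLD,ChromeOS
"""


def normalize(serial):
    """Compare serials case-insensitively and without stray whitespace."""
    return serial.strip().upper()


def load_serials(csv_text, column):
    """Return the set of normalized serials found in one export."""
    serials = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = normalize(row.get(column) or "")
        if value:
            serials.add(value)
    return serials


def reconcile(google_csv, intune_csv):
    """Split devices into synced, pending sync, and Intune-only."""
    google = load_serials(google_csv, "serialNumber")
    intune = load_serials(intune_csv, "Serial number")
    return {
        "synced": sorted(google & intune),
        "pending": sorted(google - intune),      # enrolled, not yet in Intune
        "intune_only": sorted(intune - google),  # in Intune, gone from Google
    }


if __name__ == "__main__":
    for state, serials in reconcile(GOOGLE_EXPORT, INTUNE_EXPORT).items():
        print(f"{state}: {', '.join(serials) or '-'}")
```

Devices listed as pending are enrolled with Google but not yet visible in Intune; devices listed as intune_only are worth reviewing as possible stale objects.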
Chrome OS Management from Intune
- Open Intune Portal on https://intune.microsoft.com
- Select Devices
- Select Chrome OS
Here you can see your Chrome OS devices and their compliance status
- Select a Chrome OS device from the list of devices to manage it
- Here you can use the following remote actions:
- Select Properties to enter additional information needed for inventory
- Select System Info to view other collected asset management properties
All Chrome OS devices turn up as non-compliant devices. This is because there are no compliance policies for Chrome OS in Microsoft Intune. I really hope we will get support for this. That's one of the main reasons for enrolling (syncing) them to Intune.
There are no configuration profiles for Chrome OS. That is also something I hope for in the future. At the moment, you need to do the configuration from the Google Enterprise admin console.
We cannot deploy software from Intune. That is also something we need to do from the Google Admin Console.
We just have a basic synced device, with asset management and 4 remote actions. But sometimes this is enough, just to have them under the umbrella. And I would be surprised if there weren't more features in development. So why not start syncing devices and wait for more to come!