Chromebook Management

Suggested audience: school staff, school administrators, local authority administrators, education partnership administrators.

Overview

The Google Admin console is where you can manage your Chromebooks and other managed devices. You can use it to set device settings and restrictions, deploy apps and extension, configure network connections, and more.

The Google Admin console can be accessed by navigating to: https://admin.google.com

Who has access

User allocated the Google Admin role, in the UMP, have access to the Google Admin console, but are scoped to only see appropriate organisational units.

The role can only be assigned to a user, by an existing Google Admin. For example, a Google Admin in a school, will only see the organisational units for their school. Whereas a Google Admin in a local authority will see all school organisational units as well as any organisational units at an LA level.

Note: A user with a Google Admin role will have admin rights for a school or the whole LA and can remotely control ChromeOS devices. Ensure that only those that need this level of access, have this role applied.

Organisational units

Devices and users are organised into Organisational Units. There are 4 organisational units (OU), each then divided into a hierarchy of regions, local authorities and schools.

Devices
Governors
Staff
Students

Additional OUs can be created on the Devices, Staff and Students branches. This can allow different device policies and apps to be applied to different devices and users.

Add device organisational units (OUs)

Navigate to Organisational Units
Search for the OU to create the child OU in
Click on the + on the OU row under the Devices branch
Enter a name and description for that OU
Click Create

Add User Organisational units (OUs)

Navigate to Organisational Units
Search for the Learner or Staff Organisational Unit for your school
Select the Learner or Staff OU to create the child OU in
Click on the + on the OU row under the Learner or Staff OU branch
Enter a name and description for that OU
Click Create

Information

Once OUs are created, they can only be edited or deleted by the Hwb team.
Please contact the Hwb Service Desk for support.

Moving users to a newly created OU

Once you’ve created an OU within the Staff or Learners OU for your school, Google administrators can move users to the that OU.

Navigate to Users
Search for the OU the users you wish to move reside in
Select the users you wish to move
Choose the “More” dropdown at the top of the page and select “Change organisational unit”
Select the new OU you wish those users to reside in and click continue
Select Confirm to confirm the move

Information

If the OU is created outside of the Staff or Learner OU branch, any users moved into those OUs will be moved back to their original location by the provisioning service.

Information

Google admin users have delegated access to perform the appropriate tasks. Some settings, such as those that affect the whole tenant, are only available to the Hwb team.

Chromebook enrolment

A Chromebook is a device which runs Google’s Chrome operating system instead of Windows or MacOS. Chromebooks are designed to be used primarily while connected to the internet, with most applications and documents being in the cloud.

We recommend that all schools enrol their Chromebooks.

Chromebooks can be enrolled and managed via the hwbcymru.net domain.

Benefits of this include:

allowing users to sign directly into the Chromebooks with Hwb credentials (meaning they are signed into the browser and Hwb applications immediately).
gaining the ability to manage and enforce device policies which are set in the Google admin console, giving enhanced security controls.

Schools can work with local authorities and Google partners to purchase device management licences and enrol Chromebooks on the hwbcymru.net domain.

There are three enrolment options for maintained schools in Wales:

Purchasing and enrolling new Chromebooks
Schools purchase Chromebooks and device management licences from a Google partner for enrolment on the hwbcymru.net domain.
Process for schools:
1. School procures Chromebooks and device management licences.
2. Google partner enrols the Chromebooks.
3. Chromebooks shipped to school ready to use.
Enrolling unmanaged Chromebooks
Schools who have unmanaged Chromebooks and wish to have them managed on the hwbcymru.net domain need to purchase device management licences from a Google partner.
Process for schools:
1. School procures device management licences.
2. School arranges for proof of purchase to be sent to the Hwb Service Desk
3. Hwb Service Desk provides an enrolment account
4. Devices are enrolled into Hwb using the provided account
Devices must be reset before being enrolled with Hwb.
Transferring Chromebook device management licences
Schools with Chromebooks currently enrolled on a non hwbcymru.net domain who wish to transfer.
Process for schools:
1. Google admin in non hwbcymru.net domain logs a support request with Google to transfer licenses
2. School arranges for proof of transfer to be sent to the Hwb Service Desk
3. Hwb Service Desk provides an enrolment account
4. Devices are enrolled into Hwb using the provided account
Devices must be de-provisioned from the non hwbcymru.net domain and reset before being enrolled with Hwb.

Managing Chromebooks

When a Chromebook is enrolled into the Google Admin console, it is automatically placed in the correct OU for the school or local authority. This is governed by the enrolment account used.

These devices can be moved to a different device OU to have different policies applied, or have other actions performed on them such as disabling, de-provisioning or resetting.

1. Navigate to Devices > Chrome > Devices
2. Search for OU containing the device(s)
3. Search or filter further if necessary
1. Navigate the device list as above
2. Select the checkbox next to the device(s)
3. Select the Move icon in the top right
4. Search for the target OU
5. Click MOVE
De-provision is required to remove the device from the Google Admin console. Without de-provisioning first, the device will still be enrolled even after a reset.
1. Navigate the device list as above
2. Select the checkbox next to the device(s)
3. Click the Deprovision Selected devices icon in the top right
4. Select the appropriate options
5. Click DEPROVISION

Information

Individual Chromebooks can be managed by clicking on them on the device list or by searching for them in the Google Admin search bar. Additional information can be viewed and/or edited on an individual device such as asset ID or location.

Chrome remote desktop

As Google Admins, the Chrome Remote Desktop feature has been enabled for use.

Chrome Remote Desktop allows you as administrators to give remote support to your ChromeOS users. If the device is managed in the Hwb tenant, you can use your Hwb account to provide remote support as well as collaborate in a share screen format.

The feature and supporting documentation are available at the following site: https://remotedesktop.google.com

Settings

Policies can be created at any organisation unit level to configure settings or restrictions on the devices or users within the OU, and are inherited by the child OUs.

For user-based settings, you need to create a policy on the user OUs that you want to receive those settings. For example, if you want all users in the school to be assigned a certificate you need to add it to both the Staff OU and the Students OU.

Device settings

Chrome device policies can be used to control settings that apply to a Chromebook or Flex device. Device settings apply for anyone who uses that device.

Warning

Chrome device policies must be configured on an organisational unit in the Devices branch.

Multiple device policies can be created on separate device OUs to provide a different set of configurations. Devices will receive the policy assigned to whichever OU it is in, so can be moved to another OU to receive a different policy.

Settings that are not explicitly specified within a policy are inherited from the policy above them.

To view, amend or create a device policy:

Via the main menu, navigate to Devices > Chrome > Settings > Device
Search for and select the relevant OU to which you want to apply the policy
Configure the settings, you can search for a specific setting using the Search or add a filter option
Click SAVE

For more information on settings available in a Chrome device policy please see the Google support article

User settings

Chrome policies for users are applied when a user logs into a Chromebook or Flex device, or a Chrome browser, the policy is applied regardless of the management of the device.

Some common user settings are homepages, managed bookmarks or wallpaper for managed devices.

Information

User policies are not available for Google Admins. A request to the Hwb Service Desk can be made to change any user settings.
Please contact the Hwb Service Desk for support:

Managed guest sessions

Chromebooks and Flex devices can be configured to allow managed guest sessions, which means that a user can log onto the device without an account while still having some policies and restrictions applied.

Settings configured in a managed guest session are very similar to user settings, but only apply to the ‘guest’ account using the device.

Warning

Managed guest sessions must be configured on an organisational unit in the Devices branch.

To enable, disable or configure managed guest sessions

Navigate to Devices > Chrome > Settings > Managed Guest Sessions
Select the OU containing the devices
Change the setting for Managed guest session
Configure any additional settings
Click SAVE

No data is saved to the device during a managed guest sessions. The user can still log into Hwb and save work to their Google Drive or OneDrive through the Chrome web browser.

Warning

Apps end extensions must be assigned to the device OU to be accessible in the managed guest session. Some apps or extensions may not function properly as they require a user account to be signed in.

For more information on using the managed guest session refer to the Google support article

Printers

Local and network printers can be made available on Chromebooks or Flex devices. These can be deployed to users or devices.

1. Navigate to Devices > Chrome > Printers
2. Search for the OU containing the users or devices
3. Click on the + button
4. Click on Add printer
5. Enter the details of the printer
6. Printers must be shared to a device or user before they become available
7. Click on the added printer in the list
8. Select the appropriate option, depending on whether the printer is assigned to a user or device OU
9. Click SAVE
Printers can also be added in bulk by selecting Upload Printers in step 4 and uploading a CSV file.
1. Navigate to Devices > Chrome > Printers
2. Search for the OU with the assigned printer
3. Select the checkbox next to the printer(s) to be removed
4. Click on the bin icon in the top left, then DELETE to confirm
1. Navigate to Devices > Chrome > Printers
2. Search for the OU with the assigned printer
3. Click on the printer to edit
4. Amend the details as required

Networks

Network policies can be used to push out Wi-Fi profiles to a user or device. You can also specify other restrictions on Chromebooks such as only allowing connections to a configured Wi-Fi networks.

Wi-Fi profiles can be applied to user or device OUs, and are inherited by the child OUs.

1. Navigate to Devices > Networks
2. Search for the OU container the devices or users
3. Select CREATE WI-FI NETWORK
4. Select the checkbox for Chromebooks (by user) if assigning the profile to a user OU, or Chromebooks (by device) if assigning the profile to a device OU
5. Enter the details of the Wi-Fi network
6. Click SAVE
1. Navigate to Devices > Networks
2. Search for the OU container the devices or users
3. Click on Wi-Fi
4. Click on the desired Wi-Fi profile
5. Edit the Wi-Fi details, or click REMOVE to delete it

Information

You can create a separate Wi-Fi profile for the device and user. This way, the device would connect to one network while the user would connect to a different one once logged in.

Certificates

Certificates can be assigned to users for use on Chromebooks, Flex devices or Chrome browsers. Since certificates are user assigned they are only applicable when the user logs on and independent of the device used.

Warning

Certificates are user based and must be applied to a user OU

1. Navigate to Devices > Networks
2. Search for the OU containing the users
3. Select CREATE CERTIFICATE
4. Name the certificate and upload it
5. Select the checkbox next to Chromebook under Certificate Authority if appropriate, this is commonly used for SSL inspection on a web filter
1. Navigate to Devices > Networks
2. Search for the OU containing the users
3. Click on Certificates
4. Hover over the target certificate and click Delete
To replace a certificate you need to remove the existing one and add a new one.

Apps and extensions

Before an app or extension can be installed, a Google Admin will need to approve it for use. An app can also be force assigned by a Google Admin and it will then install automatically in your Chrome browser or managed Chromebook. Please refer to the Hwb Privacy Policy before using or deploying any applications.

Information

Apps and extensions, including Android apps, are user based so must be applied to a user OU.

Learners do not have access to the Chrome Web Store so apps and extensions must be force assigned.

Warning

Force assigning a Google app will give it permission to access information on the device it’s installed on, such as user’s bookmarks or location, without allowing the end user to review it or even disable it.

1. Navigate to Devices > Chrome > Apps and extensions
2. Expand the branch for staff and select the OU you wish to apply the app to
  Tip: If you select the school OU (named with the DfES number) it will apply to all sub-OUs
3. Click on the yellow + in the bottom left corner, and choose Add from Chrome Web Store
4. Using the search bar, search for the desired extension in the Chrome Web Store.
5. Click Select next to the relevant extension.
6. Confirm the Installation Policy is set to Allow Install
7. Click the toggle to enable Include in Chrome Web Store collection
8. Click SAVE
1. Approve an app or extension, following the steps outlined above
2. With the relevant app selected, change the installation policy by clicking the down arrow and selecting Force Install
3. Click SAVE
1. Navigate to Devices > Chrome > Apps and extensions > Users and Browsers
2. Expand the branch for staff or students and select the OU you wish to remove the app from
3. Select to highlight the relevant app or extension
4. Click the 'bin' icon in the right hand
5. Click SAVE
1. Navigate to https://chrome.google.com/webstore and sign in with your Hwb username and password
2. Search for the approved extension using the search bar (in the top left hand corner)
3. On the relevant extension, click Add to Chrome
4. A pop up will then appear outlining what this extension will be able to do in your browser. To continue, click Add extension. Alternatively you can click Cancel
5. An icon for that extension will then appear at the top of your browser. Click on the icon to use the extension
Removing an extension
1. Right click on the icon for the relevant extension in your Chrome browser toolbar > Click Remove from Chrome
2. Click Remove
Turning an extension off
To temporarily stop using an extension:
1. Right click on the icon for the relevant extension in your Chrome browser toolbar > Click Manage extensions
2. You will see a blue ‘toggle’ towards the top of the page with the word ‘On’ in line with it. Click on this ‘toggle’ to turn the extension off
Note: Force installed extensions cannot be turned off or removed by the end user. This must be done by a Digital Champion or Hwb administrator through the Google admin portal.
If you are a digital champion in your school or local authority Hwb administrator you can enable android applications for your devices.
Follow these steps to enable Android apps for your organisation.
1. Go to Devices > Chrome > Apps & extensions > Users and browsers
2. Expand the branch for staff or students and select the OU you wish to apply the app to
  Tip: If you select the school OU (named with the DfES number) it will apply to all sub-OUs
3. On the far right, click the settings cog for Additional settings
4. For Android applications on Chrome Devices, select Allow
5. Click Save.
Note: By default, Android apps are downloaded and installed every time a user logs onto the device.
To change this behaviour, set the configuration of Sign-in settings: User data = Do not erase local user data, instructions for this can be found under Device Settings. This will allow the installation file (APK) to be cached so it only gets installed when a new user logs on and not re-downloaded. However, be aware that this will also consume storage as user profiles are kept on the device.
Before installing Android apps on Chrome devices you must first follow the guide on how to Enable Android apps and managed Google Play.
Once enabled follow these steps to install Android apps.
1. Go to Devices > Chrome > Apps & extensions > Users and browsers
2. Expand the branch for staff or students and select the OU you wish to apply the app to
  Tip: If you select the school OU (named with the DfES number) it will apply to all sub-OUs
3. Click Add + in the bottom right hand corner then Add from Google Play
4. Search for and click the app you’d like to manage
5. Click Select to accept the app permissions on behalf of your organization, click Accept

Further support

For further support please contact the Hwb Service Desk:

email: support@hwbcymru.net
telephone: 03000 25 25 25

Chromebook Management

Overview

Who has access

Organisational units

Add device organisational units (OUs)

Add User Organisational units (OUs)

Moving users to a newly created OU

Chromebook enrolment

White glove service

Enrolment service

Transfer service

Managing Chromebooks

View enrolled Chromebooks

To move a Chromebook to another OU

To de-provision a Chromebook

Chrome remote desktop

Settings

Device settings

User settings

Managed guest sessions

Printers

Add a printer

Remove a printer

Amend a printer

Networks

Create a new Wi-Fi Network

Amend or remove a Wi-Fi Network

Certificates

Assign a certificate

Remove a certificate

Apps and extensions

Approving an app or extension from the Chrome Web Store

Force assigning an app or extension

Removing an app or extension approval

Installing an approved extension in Chrome

Enable Android apps and managed Google Play

Install Android apps on Chrome Devices

Further support