Cymraeg
Hwb

Chromebook Management

Suggested audience: school digital champions, local authority Hwb administrators, regional education consortia Hwb administrators.

Overview

The Google Admin console is where you can manage your Chromebooks and other managed devices.  You can use it to set device settings and restrictions, deploy apps and extension, configure network connections, and more.

The Google Admin console can be accessed by navigating to: https://admin.google.com

Organisational units

Devices and users are organised into Organisational Units.  There are 4 organisational units (OU), each then divided into a hierarchy of regions, local authorities and schools.

  • Devices
  • Governors
  • Staff
  • Students

Additional OUs can be created on the Devices, Staff and Students branches. This can allow different device policies and apps to be applied to different devices and users.

Add device organisational units (OUs)

  1. Navigate to Organisational Units
  2. Search for the OU to create the child OU in
  3. Click on the + on the OU row under the Devices branch
  4. Enter a name and description for that OU
  5. Click Create

Add User Organisational units (OUs)

  1. Navigate to Organisational Units
  2. Search for the Learner or Staff Organisational Unit for your school
  3. Select the Learner or Staff OU to create the child OU in
  4. Click on the + on the OU row under the Learner or Staff OU branch
  5. Enter a name and description for that OU
  6. Click Create
Information

Once OUs are created, they can only be edited or deleted by the Hwb team. Please contact the Hwb Service Desk for support with this hwb@gov.wales / 03000 25 25 25.

Moving users to a newly created OU

Once you’ve created an OU within the Staff or Learners OU for your school, Digital Champions can move users to the that OU. 

  1. Navigate to Users
  2. Search for the OU the users you wish to move reside in
  3. Select the users you wish to move
  4. Choose the “More” dropdown at the top of the page and select “Change organisational unit
  5. Select the new OU you wish those users to reside in and click continue
  6. Select Confirm to confirm the move.
Information

If the OU is created outside of the Staff or Learner OU branch, any users moved into those OUs will be moved back to their original location by the provisioning service.

Who has access

Consortia Hwb admin, LA Hwb admins and school digital champions have access to the Google Admin console with the same permissions, but are scoped to only see the appropriate organisational units.

For example, a school digital champion will only see the OUs for their school, whereas a local authority admin will see a higher level that contains all the schools in that local authority.

Information

Google admin users have delegated access to perform the appropriate tasks. Some settings, such as those that affect the whole tenant, are only available to the Hwb team.

Chromebook enrolment

A Chromebook is a device which runs Google’s Chrome operating system instead of Windows or MacOS. Chromebooks are designed to be used primarily while connected to the internet, with most applications and documents being in the cloud.

Chromebooks can work in ‘kiosk mode’ where they are not part of a domain and are unmanaged, but this is not recommended. We recommend that all schools enrol their Chromebooks.

Chromebooks can be enrolled and managed via the hwbcymru.net domain. Benefits of this include:

  • allowing users to sign directly into the Chromebooks with Hwb credentials (meaning they are signed into the browser and Hwb applications immediately).
  • gaining the ability to manage and enforce device policies which are set in the Google admin console, giving enhanced security controls.

Schools can work with local authorities and Google partners to purchase device management licences and enrol Chromebooks on the hwbcymru.net domain.

There are three enrolment options for maintained schools in Wales:

  • Purchasing and enrolling new Chromebooks

    Schools purchase Chromebooks and device management licences from a Google partner for enrolment on the hwbcymru.net domain.

    Process for schools:

    1. School procures Chromebooks and device management licences.
    2. Google partner enrols the Chromebooks.
    3. Chromebooks shipped to school ready to use.

  • Enrolling unmanaged Chromebooks

    Schools who have unmanaged Chromebooks and wish to have them managed on the hwbcymru.net domain need to purchase device management licences from a Google partner.

    Process for schools:

    1. School procures device management licences.
    2. School arranges for proof of purchase to be sent to the Hwb Service Desk (hwb@gov.wales).
    3. Hwb Service Desk provides an enrolment account
    4. Devices are enrolled into Hwb using the provided account

    Devices must be reset before being enrolled with Hwb.

  • Transferring Chromebook device management licences

    Schools with Chromebooks currently enrolled on a non hwbcymru.net domain who wish to transfer.

    Process for schools:

    1. Google admin in non hwbcymru.net domain logs a support request with Google to transfer licenses
    2. School arranges for proof of transfer to be sent to the Hwb Service Desk (hwb@gov.wales).
    3. Hwb Service Desk provides an enrolment account
    4. Devices are enrolled into Hwb using the provided account

    Devices must be de-provisioned from the non hwbcymru.net domain and reset before being enrolled with Hwb.

Managing Chromebooks

When a Chromebook is enrolled into the Google Admin console, it is automatically placed in the correct OU for the school or local authority.  This is governed by the enrolment account used.

These devices can be moved to a different device OU to have different policies applied, or have other actions performed on them such as disabling, de-provisioning or resetting.

    1. Navigate to Devices > Chrome > Devices
    2. Search for OU containing the device(s)
    3. Search or filter further if necessary

     

    1. Navigate the device list as above
    2. Select the checkbox next to the device(s)
    3. Select the Move icon in the top right
    4. Search for the target OU
    5. Click MOVE

     

  • De-provision is required to remove the device from the Google Admin console.  Without de-provisioning first, the device will still be enrolled even after a reset.

    1. Navigate the device list as above
    2. Select the checkbox next to the device(s)
    3. Click the Deprovision Selected devices icon in the top right
    4. Select the appropriate options
    5. Click DEPROVISION
Information

Individual Chromebooks can be managed by clicking on them on the device list or by searching for them in the Google Admin search bar.  Additional information can be viewed and/or edited on an individual device such as asset ID or location.

Settings

Policies can be created at any organisation unit level to configure settings or restrictions on the devices or users within the OU, and are inherited by the child OUs.

For user-based settings, you need to create a policy on the user OUs that you want to receive those settings. For example, if you want all users in the school to be assigned a certificate you need to add it to both the Staff OU and the Students OU.

Device settings

Chrome device policies can be used to control settings that apply to a Chromebook or Neverware device. Device settings apply for anyone who uses that device.

Warning

Chrome device policies must be configured on an organisational unit in the Devices branch.

Multiple device policies can be created on separate device OUs to provide a different set of configurations. Devices will receive the policy assigned to whichever OU it is in, so can be moved to another OU to receive a different policy.

For example, you could create a ‘Kiosk mode’ policy on a ‘Kiosk device’ OU, so that any device placed in that OU is locked down as a kiosk device.

Settings that are not explicitly specified within a policy are inherited from the policy above them.

To view, amend or create a device policy:

  1. Via the main menu, navigate to Devices > Chrome > Settings > Device
  2. Search for and select the relevant OU to which you want to apply the policy
  3. Configure the settings – you can search for a specific setting using the Search or add a filter option
  4. Click SAVE

For more information on settings available in a Chrome device policy please see the Google support article - https://support.google.com/chrome/a/answer/1375678?hl=en-GB

User settings

Chrome policies for users are applied when a user logs into a Chromebook or Neverware device, or a Chrome browser – the policy is applied regardless of the management of the device.

Some common user settings are homepages, managed bookmarks or wallpaper for managed devices.

Information

User policies are not available for Google Admins. A request to the Hwb Service Desk can be made to change any user settings. Please contact the Hwb Service Desk for support with this hwb@gov.wales / 03000 25 25 25.

Managed guest sessions

Chromebooks and Neverware devices can be configured to allow managed guest sessions, which means that a user can log onto the device without an account while still having some policies and restrictions applied.

Settings configured in a managed guest session are very similar to user settings, but only apply to the ‘guest’ account using the device.

Warning

Managed guest sessions must be configured on an organisational unit in the Devices branch.

To enable, disable or configure managed guest sessions

  1. Navigate to Devices > Chrome > Settings > Managed Guest Sessions
  2. Select the OU containing the devices
  3. Change the setting for Managed guest session
  4. Configure any additional settings
  5. Click SAVE

No data is saved to the device during a managed guest sessions. The user can still log into Hwb and save work to their Google Drive or OneDrive through the Chrome web browser.

Warning

Apps end extensions must be assigned to the device OU to be accessible in the managed guest session. Some apps or extensions may not function properly as they require a user account to be signed in.

For more information on using the managed guest session refer to the Google support article - https://support.google.com/chrome/a/answer/3017014?hl=en-GB

Printers

Local and network printers can be made available on Chromebooks or Neverware devices without the need for Google Cloud Print. These can be deployed to users or devices.

    1. Navigate to Devices > Chrome > Printers
    2. Search for the OU containing the users or devices
    3. Click on the + button
    4. Click on Add printer
    5. Enter the details of the printer - use 631 for the port and ipp/print for the path, although this may vary with printer manufacturers
    6. Click ADD PRINTER

    Printers must be shared to a device or user before they become available.

    1. Click on the added printer in the list
    2. Select the appropriate option, depending on whether the printer is assigned to a user or device OU
    3. Click SAVE

    Printers can also be added in bulk by selecting Upload Printers in step 4 and uploading a CSV file.

     

    1. Navigate to Devices > Chrome > Printers
    2. Search for the OU with the assigned printer
    3. Select the checkbox next to the printer(s) to be removed
    4. Click on the bin icon in the top left, then DELETE to confirm

     

    1. Navigate to Devices > Chrome > Printers
    2. Search for the OU with the assigned printer
    3. Click on the printer to edit
    4. Amend the details as required

Networks

Network policies can be used to push out Wi-Fi profiles to a user or device.  You can also specify other restrictions on Chromebooks such as only allowing connections to a configured Wi-Fi networks.

Wi-Fi profiles can be applied to user or device OUs, and are inherited by the child OUs.

    1. Navigate to Devices > Networks
    2. Search for the OU container the devices or users
    3. Select CREATE WI-FI NETWORK
    4. Select the checkbox for Chromebooks (by user) if assigning the profile to a user OU, or Chromebooks (by device) if assigning the profile to a device OU
    5. Enter the details of the Wi-Fi network
    6. Click SAVE

     

    1. Navigate to Devices > Networks
    2. Search for the OU container the devices or users
    3. Click on Wi-Fi
    4. Click on the desired Wi-Fi profile
    5. Edit the Wi-Fi details, or click REMOVE to delete it
Information

You can create a separate Wi-Fi profile for the device and user.  This way, the device would connect to one network while the user would connect to a different one once logged in.

Certificates

Certificates can be assigned to users for use on Chromebooks, Neverware devices or Chrome browsers.  Since certificates are user assigned they are only applicable when the user logs on and independent of the device used.

Warning

Certificates are user based and must be applied to a user OU

    1. Navigate to Devices > Networks
    2. Search for the OU containing the users
    3. Select CREATE CERTIFICATE
    4. Name the certificate and upload it
    5. Select the checkbox next to Chromebook under Certificate Authority if appropriate – this is commonly used for SSL inspection on a web filter

     

    1. Navigate to Devices > Networks
    2. Search for the OU containing the users
    3. Click on Certificates
    4. Hover over the target certificate and click Delete

    To replace a certificate you need to remove the existing one and add a new one.

Apps and extensions

Before an app or extension can be installed, a Digital Champion will need to approve it for use. An app can also be force assigned by a Digital Champion or Hwb administrator and it will then install automatically in your Chrome browser or managed Chromebook.  Please refer to the Hwb Privacy Policy before using or deploying any applications.

Warning

Apps and extensions, including Android apps, are user based so must be applied to a user OU

Warning

Force assigning a Google app will give it permission to access information on the device it’s installed on, such as user’s bookmarks or location, without allowing the end user to review it or even disable it.

    1. Navigate to Devices > Chrome > Apps and extensions
    2. Expand the branch for staff or students and select the OU you wish to apply the app to
      Tip: If you select the school OU (named with the DfES number) it will apply to all sub-OUs
    3. Click on the yellow + in the bottom left corner, and choose Add from Chrome Web Store
    4. Using the search bar, search for the desired extension in the?Chrome Web Store.
    5. Click?Select next to the relevant extension.
    6. Confirm the Installation Policy is set to Allow Install
    7. Click the toggle to enable Include in Chrome Web Store collection
    8. Click SAVE

    1. Approve an app or extension, following the steps outlined above.
    2. With the relevant app selected, change the installation policy by clicking the down arrow and selecting Force Install
    3. Click SAVE

    1. Navigate to Devices > Chrome > Apps and extensions > Users and Browsers
    2. Expand the branch for staff or students and select the OU you wish to remove the app from
    3. Select to highlight the relevant app or extension.
    4. Click the 'bin' icon in the right hand
    5. Click?SAVE

    1. Navigate to https://chrome.google.com/webstore and sign in with your Hwb username and password.
    2. Search for the approved extension using the search bar (in the top left hand corner).
    3. On the relevant extension, click Add to Chrome.
    4. A pop up will then appear outlining what this extension will be able to do in your browser. To continue, click Add extension. Alternatively you can click Cancel.
    5. An icon for that extension will then appear at the top of your browser. Click on the icon to use the extension.

    Removing an extension

    1. Right click on the icon for the relevant extension in your Chrome browser toolbar > Click Remove from Chrome.
    2. Click Remove.

    Turning an extension off

    To temporarily stop using an extension:

    1. Right click on the icon for the relevant extension in your Chrome browser toolbar > Click Manage extensions.
    2. You will see a blue ‘toggle’ towards the top of the page with the word ‘On’ in line with it. Click on this ‘toggle’ to turn the extension off.

    Note: Force installed extensions cannot be turned off or removed by the end user. This must be done by a Digital Champion or Hwb administrator through the Google admin portal.

  • If you are a digital champion in your school or local authority Hwb administrator you can enable android applications for your devices.

    Follow these steps to enable Android apps for your organisation.

    1. Go to Devices > Chrome > Apps & extensions > Users and browsers
    2. Expand the branch for staff or students and select the OU you wish to apply the app to
      Tip: If you select the school OU (named with the DfES number) it will apply to all sub-OUs
    3. On the far right, click the settings cog for Additional settings
    4. For Android applications on Chrome Devices, select Allow
    5. Click Save.

    Note: By default, Android apps are downloaded and installed every time a user logs onto the device.

    To change this behaviour, set the configuration of Sign-in settings : User data = Do not erase local user data – instructions for this can be found under Device Settings. This will allow the installation file (APK) to be cached so it only gets installed when a new user logs on and not re-downloaded.  However, be aware that this will also consume storage as user profiles are kept on the device.

     

  • Before installing Android apps on Chrome devices you must first follow the guide on how to Enable Android apps and managed Google Play.

    Once enabled follow these steps to install Android apps.

    1. Go to Devices > Chrome > Apps & extensions > Users and browsers
    2. Expand the branch for staff or students and select the OU you wish to apply the app to
      Tip: If you select the school OU (named with the DfES number) it will apply to all sub-OUs
    3. Click Add in the bottom right hand corner then Add from Google Play
    4. Search for and click the app you’d like to manage.
    5. Click Select to accept the app permissions on behalf of your organization, click Accept.

     

Further support

For further support please contact the Hwb Service Desk: Hwb@gov.wales | 03000 25 25 25.