Success Enrolling cloud-managed Chrome Browsers on Mac?

Maxb
New Contributor III

https://support.google.com/chrome/a/answer/9301891

I've tried the "CloudManagementEnrollmentToken" file placed in the directory through JAMF as described above with no luck. Reinstalled Chrome, signed existing users out and back in, but nothing seems to trigger enrollment or show as enrolled within Google Admin's "managed browsers". The token itself is a simple text string and nothing more.

Example value:
"37185d02-e055-11e7-80c1-9a214cf093ae"

Below is the limited instruction on setting up this feature of Chrome/G Suite:

Option 1: Use a policy
Push the token to your browser as a policy named CloudManagementEnrollmentToken. Setting policies on Mac devices requires the Apple Profile Manager.

Option 2: Use a text file
Push the token in a text file called CloudManagementEnrollmentToken, under /Library/Google/Chrome/. This file must only contain the token and be encoded as a .txt file, but should not have the .txt filename extension.

Just curious if anyone has had success remotely pushing out the token in order to enroll the chrome browser and was willing to share best practices. Either through its txt file or as a profile.

Thanks!

2 ACCEPTED SOLUTIONS

Maxb
New Contributor III

Was able to utilize ProfileCreator from GitHub to build a profile that accomplished the above tasks. I've listed a screenshot for reference.

Maxb
New Contributor III

Hey All,

I recently had a child and was off the grid for a bit so I apologize for my lack of response. Using profile creator as I mentioned above I was able to successfully create and distribute a config profile to Macs via upload to JAMF that accomplished what I was looking for. It was simpler than editing the plist myself.

Using that config profile, the device sets Chrome as the default (not needed, just ideal for our environment), registered the Chrome browser in Gsuite and only allowed our domain as an acceptable login credential. Whatever works @mm.tim.baker but this was deployed successfully using the method I mentioned above.

22 REPLIES

goanuj
New Contributor

Hi Maxb,

The Google team has updated Admin Console to make it more clear which file to download for Mac.

In addition, we have updated the instructions for "Enroll browsers on Mac" section in this Help Center Article: https://support.google.com/chrome/a/answer/9301891

Finally, we're working with the JAMF team on better documenting the instructions for how to push the token out via JAMF - please stay tuned!

Anuj Goyal
Product Manager - Chrome Browser Enterprise

It's still not clear. As an Enterprise version admin, it has cost me so much time to solve the problem. Very disappointing. 

MatG
Contributor III

Tried this using the Download file method for Mac, added the file to Library/Google/Chrome, quit Chrome etc. No browser is registered.

Any ideas?

amorse
New Contributor II

Were you able to figure this out?

@Maxb

zachary_fisher
New Contributor III

Hey All,
I've had success with this. I am currently using a Config Profile pushed from JAMF. Here is an example of the plist I uploaded to the Custom Settings payload.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CloudManagementEnrollmentToken</key>
    <string>ENROLLMENTKEYHERE</string>
    <key>BrowserSignin</key>
    <integer>2</integer>
    <key>RestrictSigninToPattern</key>
    <string>.*@(domain1\.com|domain2\.com|domain3\.com)</string>
</dict>
</plist>

The other keys: BrowserSignin = 2 just forces the user to log into Chrome before it will even launch, and the last key restricts it to a domain of my choosing.

I also ran into an issue where the browser wasn't enrolling and I had to purge Chrome completely. This included any folders in /Library/ + ~/Library folders as well. Hope this helps!

achristoforatos
Contributor II

Tried Profile Creator. Nothing seems to upload to JAMF. Should it be a .mobileconfig file if used in MacOS?

achristoforatos
Contributor II

There is no folder called /Library/Google/Chrome as suggested in the google post for steps.

zachary_fisher
New Contributor III

I found this out as well, hence why I suggest using a Plist Configuration Profile Custom Settings payload to accomplish this. In my testing, I was able to create the directory and drop in the enrollment token file, but it did not enroll very often. I would try the Config Profile method and see if that works.

achristoforatos
Contributor II

@zachary.fisher I created a profile in profile creator. I tried it as signed and unsigned. Still no luck.

zachary_fisher
New Contributor III

I have not used ProfileCreator. I would suggest trying the Plist I linked, editing the key and such, and seeing if you can upload that to a Configuration Profile via Custom Settings Payload. You can then either push it out to your test machine or just download and install manually to see if that works.

achristoforatos
Contributor II

Trying to upload, however it is not in XML and I am told to convert. Upon converting I get an error.
"Property List error: Unexpected character { at line 1 / JSON error: No string key for value in object around character 1."

achristoforatos
Contributor II

@goanuj Your instructions do not work as there is no chrome folder for that file to be placed into...

zachary_fisher
New Contributor III

Hey All,
So this is the exact .plist I use with my Configuration Profile for the Custom Payload. The only key that is included is the Enrollment Token which you will have to copy from the Google Admin Console. As I said earlier, I have found that putting the file in the /Library/Google/Chrome location did not have the most favorable results.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CloudManagementEnrollmentToken</key>
    <string>ENROLLMENTKEY</string>
</dict>
</plist>

Save this as a .plist file. JAMF will most likely ask you to convert it so that it can read it properly when you try to upload. I just tested this and I was able to upload it and push it to my VM and I was able to see it as enrolled.

mm_tim_baker
New Contributor

Just in case anyone is unsure like I was, here are slightly more verbose instructions to zachary.fisher's response.

  1. Create the plist file - calling it com-google-chrome.plist and replacing ENROLLMENTKEY with your key
  2. Create a new Configuration Profile, naming it as you wish
  3. Add a "Custom Settings" plist to it
  4. Name the "Preference Domain" as "com.google.chrome" and upload the plist file you just created
  5. Set the scope as you wish
  6. Google Chrome must be restarted for this to take effect

Worth noting that the answer by Maxb is wrong I think - that would only apply to mobiles.
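
A pre-upload check for the Custom Settings plist described in the posts above, as an added example that is not code from any poster, Google or Jamf. It writes the XML with Python's plistlib, rejects a file that starts with `{` (as in the conversion error quoted earlier), and flags a RestrictSigninToPattern whose dots are unescaped; the function names are hypothetical, and Python's `re` with a whole-address match is an assumption standing in for Chrome's own matcher.

```python
import plistlib
import re

# Placeholder strings used in the plists posted in this thread.
PLACEHOLDERS = {"ENROLLMENTKEY", "ENROLLMENTKEYHERE"}

def build_plist(token, signin_pattern=None):
    """Return XML plist bytes for the com.google.chrome preference domain."""
    settings = {"CloudManagementEnrollmentToken": token}
    if signin_pattern is not None:
        settings["RestrictSigninToPattern"] = signin_pattern
    return plistlib.dumps(settings, fmt=plistlib.FMT_XML)

def unescaped_dots(pattern):
    """Count dots between name characters, which a regex reads as 'any character'."""
    return len(re.findall(r"(?<=[A-Za-z0-9])\.(?=[A-Za-z])", pattern))

def allowed(pattern, email):
    """Assumption: the pattern must match the whole address (Python re stands in)."""
    return re.fullmatch(pattern, email) is not None

def lint(data):
    """Return a list of problems in the bytes about to be uploaded."""
    if data.lstrip().startswith(b"{"):
        return ["starts with '{': RTF or JSON, not an XML plist"]
    try:
        settings = plistlib.loads(data, fmt=plistlib.FMT_XML)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"does not parse as an XML plist: {exc}"]
    if not isinstance(settings, dict):
        return ["top-level element must be a <dict>"]
    problems = []
    token = settings.get("CloudManagementEnrollmentToken")
    if not isinstance(token, str) or not token.strip() or token in PLACEHOLDERS:
        problems.append("CloudManagementEnrollmentToken missing or still a placeholder")
    pattern = settings.get("RestrictSigninToPattern")
    if isinstance(pattern, str) and unescaped_dots(pattern):
        problems.append("RestrictSigninToPattern has unescaped '.', write '\\.'")
    return problems

if __name__ == "__main__":
    # Constructed sample values; the token is the example value from the first post.
    good = build_plist("37185d02-e055-11e7-80c1-9a214cf093ae", r".*@(domain1\.com|domain2\.com)")
    print(lint(good))                                   # no problems
    print(lint(b"{\\rtf1\\ansi <plist>...</plist>}"))   # file saved as rich text
    print(allowed(r".*@(domain1.com)", "user@domain1xcom"))
```
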

nimitz
New Contributor II

I feel like a dumb dumb, but I cannot figure out how to set enforced login or make chrome the default browser in profile creator. Can someone point it out for me?

BK74
New Contributor II

FYI I have ChromeCloudManagementEnrollmentToken as a .pkg in my PreStage and it works. Chrome and File Stream are also part of this PreStage.

All I have to do is set Chrome as default but I will do that in a Plist.

BK74
New Contributor II

Sorry, "Policy" not "PreStage".

austin_nill
New Contributor II

@nimitz

I took over for MaxB in our environment. The profile we deploy:
Forces login:

<key>ForceBrowserSignin</key>
<true/>

Sets Chrome as the default browser:

<key>DefaultBrowserSettingEnabled</key>
<true/>

Restricts sign-in to a particular domain:

<key>RestrictSigninToPattern</key>
<string>EMAIL DOMAIN HERE</string>

I tried to recreate it in Profile Creator, but it honestly is a pain with no search function. If you use the markup editor as opposed to the GUI option in Profile Creator, you can drop those anywhere in between the PayloadContent <dict> </dict>.

Maxb
New Contributor III

@austin_nill Hey Austin!

GetCart3r
New Contributor III

What if you do not have access to "GSuite"?
I went to set up Chrome Enterprise using the directions here https://support.google.com/chrome/a/answer/9923111?hl=en but I then go to log in with our purpose-created Google account and get the message "admin.google.com is used for G Suite accounts only. Regular Gmail accounts cannot be used to sign in to admin.google.com"

Does this mean we need to sign up for G Suite just to manage the browser?

TY