With the release of Workspace ONE UEM 2306 an updated registration process for ChromeOS has been added due to changes at Google.
This new registration flow is being introduced because the previous flow with signing into Google and copy/pasting the OAuth token is being deprecated for security reasons. This new flow is introduced in Workspace ONE UEM 2306. The previous method using the OAuth token will cease to function beginning in August 2023 and is not working anymore with UEM 2303 and earlier.
So how does it work now?
There is an updated KB article for this called ChromeOS EMM Registration Updates (92439) and a new guide: Using ChromeOS Devices with Chrome Policy API (Default Management Method) However, these guides are missing two essential steps for success. If you follow the normal guides you will end up with a registration failure. (This is already identified, reported and guides will be updated, in the meantime, follow this guide)
Registration of ChromeOS Management in Workspace ONE UEM
- In the Google Cloud Console, navigate to APIs & Services > Credentials> Create Credentials > Service Account.
- Give the service account a name and leave the remaining options blank. Make a note of the service account email address and client ID.
- In the Service Account Details page, go to the Keys tab.
- Select Add Key > Create New Key > P12. Download the P12 certificate file and note down the auto-generated password (typically “notasecret”). Optionally, you can upload your own certificate for added security.
- This is where the guide is incomplete. In the Google Cloud Console, We need to enable two Marketplace apps. Admin SDK API & Chrome Policy API. Search for these apps the search bar and just enable them.
- In the Google Admin Console, navigate to Security > API Controls > Domain Wide Delegation.
- Select Add New and enter the Client ID of the new service account created.
- Under “OAuth Scopes” add the following lines:
- In the Workspace ONE UEM Console, navigate to Settings > Devices & Users > ChromeOS > Chrome OS EMM Registration.
- Enter the email address of the Google Admin account and the email address of the Service Account.
- Upload the certificate you downloaded from the Cloud console. Save the settings.
- Once the settings are saved, click Test Connection and Device Sync to ensure the registration was successful.
So until the manuals are updated, hope you had success enabling ChromeOS in WorkspaceONE UEM! Thanks and credits also to Wasif Syed and Eric Stillman. This was one fun cookie to bite in!