
Best Practices For Using Chrome Browser Cloud Management

The document provides best practices for using Chrome Browser Cloud Management including getting access to the admin console, setting up organizational units and role-based access control, enrolling and managing devices, applying policies, and troubleshooting issues.

Uploaded by

KenVibolka

Best Practices for using Chrome Browser Cloud Management | August 2023

Table of Contents

Access options for Chrome Browser Cloud Management
    Getting access to an existing Google Admin console
    Using your own domain
Guides
Setting up your Organizational Units
Setting up Role Based Access Control
Setting up integration with 3rd party SAML SSO
Rolling out Chrome Browser Cloud Management to production
    Setting up the console in reporting only mode
Supporting Virtual and Physical Machines
    Non-persistent VMs
    Persistent VMs
    Supporting Physical Machines
Viewing the reports in Chrome Browser Cloud Management
Applying policies
API support for Chrome Browser Cloud Management
Troubleshooting issues in Chrome Browser Cloud Management
Resources

Introduction

Welcome to Chrome Browser Cloud Management. This guide is meant to be a companion to the Chrome Browser Cloud Management Deployment Guide.

This document will take you through the process of:

● Getting your Google Admin console set up.
● Setting up an organizational unit structure to divide up your machines.
● How to enroll and manage your browsers on various operating systems, including discussing any known limitations.
● How policies will work if you have existing GPOs in place.
● Getting reporting enabled on your devices for extensions and more.
Step 1: Get access to the admin console (admin.google.com). Options are:

● Use existing admin console
● Create a new console via the sign up page

Step 2: Set up your organizational units (detailed steps here)

Step 3: Set up your admin accounts (detailed steps here)

Step 4: Enroll devices (detailed steps here and additional methods via various deployment tools located here)

Access options for Chrome Browser Cloud Management

Following this guide for the setup of Chrome Browser Cloud Management is the best place to start. It covers all of the initial setup steps. Chrome Browser Cloud Management itself has no additional cost. Note that there are two options to get access to the admin console:

1. Use your own domain (no existing Google services associated)
   ● Provides 10 admin accounts total
   ● Can be associated directly with your enterprise domain (once you verify your domain)
2. Use your own domain (Google Services already associated)
   ● Admin console is already set up and verified
   ● Does not have any additional cost or use any of your Google licenses
   ● Number of admin accounts allowed will be dependent on associated Google Service

If it is possible to use your company’s existing Google admin console, that is the best option. If the console is already set up, Chrome Browser Cloud Management is already present. You just need to visit that section in the console and accept the terms of service.

Getting access to an existing Google Admin console

Check internally if your company has an existing Google Admin account before setting up your own. Many companies have accounts set up for various Google services like Chrome OS, Google Workspace or others.

● The Super Admin at your company would need to set up your admin account to the console where Chrome Browser Cloud Management is located.
   ● They also will be required to add the Chrome Browser Cloud Management license to the admin console, which can be enabled by going to the Manage browser section and clicking the Get started button to add the no-cost license to your Google admin console.
● The console does provide role-based administration so the Super Admin can provide you access just to what you need to manage Chrome Browser.
● Note that a Super Admin account is required to generate additional admin accounts.
   ● Consider asking for a Super Admin account for your team so you can generate your own in the future if needed.
   ● If you can’t find the original owner internally (like that person has left the company) here is a link for more information on domain reclamation.

If your company does have an existing account but you are not the Super Admin, here is the process of gaining access to Chrome Browser Cloud Management:

1. Have a Super Admin first log into admin.google.com and add the Chrome Browser Cloud Management license to the admin console, which can be enabled by going to the Manage browser section and clicking the Get started button to add the no-cost license to your Google admin console.
2. Have the Super Admin either create an account with super admin rights and assign it to you or, if they just want to provide access just to Chrome Browser management, then they can provide the following rights in the admin console:
3. Under Account>Admin roles, click the create new role button and give it a name like “Chrome Browser Management”.
4. Check the box next to Organizational Units to give the following rights:
   ● Read, Create, Update, Delete.
5. Under Chrome Management, check the Settings box to provide all rights to Chrome management.

Note: if your super admin wants to limit the rights even more on this admin account, they can create an organizational unit just for Chrome browser management and assign the custom role there. They can do this via the following steps:

1. In the admin console, go to Directory>Users and select the user account that you want to assign the Chrome browser management role to.
2. Scroll down and click on the Admin roles and privileges section.
3. Select the Chrome browser management custom role that was created in the previous steps and click on the button to assign it to the user.
4. Once it is assigned you can click on the pencil icon on the button that says “All organizational units” and select the organizational unit(s) that you want to give the admin access to.

● Once the admin logs in, they will not see any other organizational units aside from the ones that you have given them access to but will have full rights to do Chrome management and create new Organizational units under the assigned OU.
● You can also view changes made in the console for auditing purposes. See Admin audit log.

Using your own domain

If you want to use your company’s own domain but do not currently own any Google services, then you can sign up via this link and Google will provide you an admin console at no additional cost.

● When the admin console is first launched, the initial admin will be the Super Admin with full rights to the console.
● You will have the ability to invite other users to be admins (who also will be Super Admins) as well but you will not be able to create accounts for them, until you verify your domain. Here is a link for more information on verifying your domain.
● It is highly recommended to verify your domain to create custom roles to limit access to least rights and have the ability to create user accounts.
● For more information, check out this link about email-verified vs domain-verified accounts.

Guides

Chrome Browser cloud management has a great section under Devices>Chrome>Guides that covers many of the sections in this guide, directly in the admin console with direct links to the relevant sections in the console. It is highly recommended that you use this guide in the console as it will take you through all of the steps you need to get started.

Refer to the section below for Chrome Browser Cloud Management.


Setting up your Organizational Units

Once you have access to the Google admin console, then the next step would be to set up the Organizational Units that your devices will be managed in.

● These are the “buckets” that you will separate your different enrolled devices into so you can set granular policy to just those machines.
● They are set up in a parent-child structure so anything that is set at the top level will be applied to the lower OUs.
   ● Just note that you can override any top level policy at the sub OU level. To prevent extra work, it is recommended to only turn on the cloud reporting policy at the root OU level.

Before you create a complex OU structure, consider how you are applying Chrome browser policy today. Do most of your machines receive the same browser policy?

● If so, then it is recommended as a best practice to just have one OU for production and one for testing. If you need more for a collection of machines that need a different policy than the norm, you can always create a new OU at that point.
● For more information about managing organizational units, check out this link.

If you are an existing Workspace or Chrome OS customer, it is recommended that you create a separate Organizational Unit structure so there is not any conflict in policies that are applied.

● This is to prevent policies originally intended as user policies inadvertently being applied to newly enrolled browsers placed into those organizational units.

Setting up Role Based Access Control

Once you have your organizational units set up, then you can start setting up accounts for your administrators.

● This way you can delegate access to the various admins that need access.
● You can create admin accounts with just access to Chrome Browser Cloud Management, or to specific Organizational Units or just provide read-only access.
● For more information about setting up different admin accounts, please refer to this link for more information.

The Chrome Browser Cloud Management role is a custom role and to create this you would need to do the following:

1. Go to Account>Admin roles and click on the create new role link.
2. Give the custom role a name like “Chrome Browser Cloud Management”.
3. Check the box by Organizational units to give full rights (read/create/update/delete).
   ● You can provide only read rights, but that will limit the management capabilities of your browser admin(s).
4. Under Chrome Management, check the box next to “Settings” to give full rights of all of the Chrome Browser Cloud Management features.
   ● This section does have a view reports option, and when coupled with providing only the read-only rights of Organizational Units in step 3, it can provide a read-only admin role.
   ● This is useful for admins that only need to view reports, not set policies.
5. Hit the continue button and then the create role button to finish.
6. Assign the role to your desired user account in the admin console via Directory>Users>Select the user and scroll down to Admin roles and privileges.
7. Assign the role that you created in the previous steps.
   ● If you want to limit the scope of this role, select the pencil icon next to the scope of the role column and limit access to a specific Organizational unit.
   ● This way your admin will only have the rights assigned above on the Organizational units that you give them access to.
   ● This is great for shared environments to provide least rights to other OUs that might have other Google services associated with them.

Setting up integration with 3rd party SAML SSO

You can set up a single sign-on for your Google Admin console. For more information, please take a look at this link. Note that super admin users are the only accounts that are not supported for SAML.
Rolling out Chrome Browser Cloud Management to production

For more information about enrolling browsers please refer to this link that covers all of the steps to getting your devices enrolled in the console. It includes steps for Windows, Mac and Linux, and the various methods and tools that you can use to deploy the token.

● Refer to this link for deploying the enrollment token via various other tools like Jamf, Intune and many more.

Setting up the console in reporting-only mode

Many customers roll out the enrollment in the console in a phased approach starting with reporting-only mode. Chrome Browser Cloud management has great reporting on Chrome versions and can also provide in-depth insights on extensions, including where they are installed, and what access they have to the websites that your users are visiting, and/or the devices that they are browsing from.

The value of this method is that you can take advantage of the rich reporting in the console without having to change your current management method. It allows your machines to report into the console and you only need to set a few policies.

Your existing policy for Chrome will not be affected. In this way, you can take advantage of the reporting while you decide if you want to manage all of your policies in the cloud, use the console as a reporting tool, or a hybrid of both.

To do this:

1. Turn on cloud reporting via this method.
2. Create and set up your organizational units.
   ● No need to over complicate the structure if your browser policy is flat (where most devices receive the same browser policy).
   ● One or two OUs is usually sufficient for most environments: One for testing and one for production.
3. Generate an enrollment token from the OU that you want the browsers to be enrolled into.
4. Deploy the token out to all machines in production and use the console as a reporting tool for Chrome versions and installed extensions until you decide if you want to move away from your current management method into setting everything Chrome-related in the cloud.

A few things of note for the enrollment process:

● Chrome will need to be restarted or launched for policies to be applied from the console.
● It can take up to 24hrs for an enrolled browser to show up in the console.
● Changing the enrollment token in the registry directly is not a method for moving the browser from one OU to another. The browser needs to be moved directly in the console for the change to take effect, or via the API.
● You can invalidate or delete device tokens when you delete browsers from the Admin console via the Device Token Management policy located in the Other settings section in the admin console.
● It is recommended to change this from the default of invalidate token to delete token as it will allow the enrollment token to remain behind and if the device was deleted by mistake, it will re-enroll on next launch of Chrome.

Supporting Virtual and Physical Machines

Non-persistent VMs

The admin console does not support non-persistent VMs today. You are able to enroll them, however, since the machine is frequently rebuilt, it will cause multiple entries in the console, which will make your reporting inaccurate. This is because the machines are marked as unique through the machine GUID, which will change as the machines are recreated.

Persistent VMs

The console does support persistent VMs if each machine has a unique SID (machine GUID). This is normally generated by running sysprep on the machine during the imaging process. If you are using a system (like Citrix) that has the same machine GUID on every machine, then you would need to run a script (like a run once script) to change the machine GUID. Doing this will have the machine show up as a unique machine.

Here is a workflow of what that might look like (Windows):

1. Close Chrome.
2. Delete Device Token located in:
   ● HKLM\Software\Google\Chrome\Enrollment
     String value name: dmtoken
   ● Enrollment token can be left behind unless you want to move the device to a new OU location.
3. Delete Machine-GUID and the new unique machine GUID will be generated as the key adds itself back in.
   ● This key is usually located in: HKLM\Software\Microsoft\Cryptography\MachineGuid
4. Restart Chrome.
5. Chrome will read the existing enrollment token (or new one if you pushed one out) and will push down a new DMtoken.
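
The Windows workflow above as a run-once PowerShell script for clones that share one machine GUID. This is an added example, not a script from the guide or from Google: the two registry locations are the ones given in the steps, while the marker key `HKLM:\SOFTWARE\ExampleCorp\CbcmReenroll` and the function name are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: run-once reset of the Chrome device token and machine GUID on a
# cloned persistent VM. Registry locations come from the workflow above; the
# marker key and the function name are hypothetical.

function Reset-CbcmCloneIdentity {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$EnrollmentKey = 'HKLM:\SOFTWARE\Google\Chrome\Enrollment',
        [string]$CryptoKey     = 'HKLM:\SOFTWARE\Microsoft\Cryptography',
        [string]$MarkerKey     = 'HKLM:\SOFTWARE\ExampleCorp\CbcmReenroll'
    )

    # Run once per clone: every further reset would register one more
    # "new" machine in the console.
    if (Test-Path -Path $MarkerKey) {
        Write-Verbose 'Marker present; this clone was already reset.'
        return
    }

    # Step 1: close Chrome before touching its enrollment state.
    Get-Process -Name chrome -ErrorAction SilentlyContinue | Stop-Process -Force

    # Step 2: delete only the device token (dmtoken). The enrollment token stays,
    # so the browser re-enrolls into the same OU.
    $token = Get-ItemProperty -Path $EnrollmentKey -Name dmtoken -ErrorAction SilentlyContinue
    if ($token -and $PSCmdlet.ShouldProcess("$EnrollmentKey\dmtoken", 'Delete device token')) {
        Remove-ItemProperty -Path $EnrollmentKey -Name dmtoken
    }

    # Step 3: delete MachineGuid; per the workflow above a new unique value is
    # generated when it is added back. Other software also reads this value, so
    # keep the old one on record and trial the script on a test clone first.
    $old = (Get-ItemProperty -Path $CryptoKey -Name MachineGuid -ErrorAction SilentlyContinue).MachineGuid
    if ($old -and $PSCmdlet.ShouldProcess("$CryptoKey\MachineGuid", 'Delete machine GUID')) {
        Remove-ItemProperty -Path $CryptoKey -Name MachineGuid
    }

    # Write the marker only when changes were really made (not under -WhatIf).
    if (-not $WhatIfPreference) {
        New-Item -Path $MarkerKey -Force | Out-Null
        Set-ItemProperty -Path $MarkerKey -Name PreviousMachineGuid -Value ([string]$old)
        Set-ItemProperty -Path $MarkerKey -Name ResetAt -Value (Get-Date -Format o)
    }

    # Steps 4-5 happen at the next Chrome launch, when the browser reads the
    # enrollment token and receives a new device token.
    [pscustomobject]@{
        DeviceTokenFound    = [bool]$token
        PreviousMachineGuid = $old
        Applied             = (-not $WhatIfPreference)
    }
}

# Preview first; remove -WhatIf to apply the changes.
Reset-CbcmCloneIdentity -WhatIf
```

Run it from the image's first-boot task, before any user launches Chrome, so the first enrollment already carries the clone's own GUID.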

Supporting Physical Machines

The console fully supports physical machines, however, just note that since the uniqueness of the device is tied to a unique SID (machine GUID), if the machine is reimaged or if that GUID changes, it will register as a new machine within the console.

It is recommended if a machine is reimaged, that it is deleted from the console and then re-enrolled under the new image to prevent duplicate counts. Another tool to prevent inactive machines from remaining in your console is to use the filter feature in the managed devices view by the last activity column or click on the “search or add a filter button” and select Last activity.

Decide a timeframe of how long you want machines to remain in the console after being inactive (like 90 days, a year etc.) and consider deleting them out. You can also use the API to remove these machines after a period. Refer to the API support section for more information.
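
A triage pass for the two cleanup cases in this section: reimaged machines that now appear twice, and browsers inactive past a chosen window. This is an added PowerShell example, not part of the guide or of the CBCM tooling; the record shape (MachineName, DeviceId, LastActivity) and the sample rows are constructed, so map them to whatever your export or API client returns.

```powershell
# Added example. Input records are constructed; the property names are
# assumptions for illustration, not the console's or the API's field names.

function Get-CbcmCleanupCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]]$Browser,
        [int]$InactiveDays = 90,               # the retention window you decided on
        [datetime]$AsOf = (Get-Date)
    )

    $cutoff = $AsOf.AddDays(-$InactiveDays)

    foreach ($group in ($Browser | Group-Object -Property MachineName)) {
        # Newest entry first: after a reimage the entry tied to the old
        # machine GUID stops reporting, so it sorts below the live one.
        $entries = @($group.Group | Sort-Object -Property LastActivity -Descending)

        for ($i = 0; $i -lt $entries.Count; $i++) {
            $entry  = $entries[$i]
            $reason = if ($i -gt 0) { 'Duplicate' }
                      elseif ($entry.LastActivity -lt $cutoff) { 'Inactive' }
                      else { $null }

            if ($reason) {
                # A shared name does not prove a shared machine, so this only
                # lists candidates for review; it deletes nothing.
                [pscustomobject]@{
                    MachineName  = $entry.MachineName
                    DeviceId     = $entry.DeviceId
                    LastActivity = $entry.LastActivity
                    Reason       = $reason
                }
            }
        }
    }
}

# Constructed sample: one reimaged machine (two entries), one stale, one healthy.
$sample = @(
    [pscustomobject]@{ MachineName = 'LAB-PC-01'; DeviceId = 'dev-aaa'; LastActivity = [datetime]'2023-08-20' }
    [pscustomobject]@{ MachineName = 'LAB-PC-01'; DeviceId = 'dev-bbb'; LastActivity = [datetime]'2023-03-02' }
    [pscustomobject]@{ MachineName = 'LAB-PC-02'; DeviceId = 'dev-ccc'; LastActivity = [datetime]'2023-01-15' }
    [pscustomobject]@{ MachineName = 'LAB-PC-03'; DeviceId = 'dev-ddd'; LastActivity = [datetime]'2023-08-29' }
)

Get-CbcmCleanupCandidate -Browser $sample -AsOf ([datetime]'2023-08-31') | Format-Table
```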

Viewing reports in Chrome Browser Cloud Management

Once the devices are enrolled and present within the console, you can start viewing the data that is coming in.

It is recommended that before you start applying policies (especially around extensions) that you first take a look at what is already present.

● You must turn on the cloud reporting feature in order for data to populate into the console.
● It is also recommended to set the Managed browser reporting upload frequency to the minimum of 3 hours to have reports come up more frequently than the default 24 hours.

Under the managed browsers section, you can select one of your enrolled devices and browse the Applied Browser Policies section to see what policies are already in effect.

To get a viewpoint on the extensions that are already installed on that machine, you can view the Apps and Extensions section.

To get a viewpoint of all your installed extensions, click on the Apps and extensions usage Report link on the right.

This view provides all of the extensions that are present within your enrolled browsers. Hitting the export button provides the ability to export this list to a CSV file.

For a complete list of all extensions and further details, it is recommended to use the Extension Takeout API. Here is a link to instructions on how to set this up and a link to an instructional video.

Applying policies

Once you have your devices reporting into the console, any policies that you currently have applied within Group Policies will work with any policies that are pushed from the cloud. Local policy will take precedence over cloud policy by default if there is a conflict.

● If you want to override this functionality, in the admin console there is a policy named Policy precedence where you can change what occurs in case of a conflict.
● If you want to combine policies from multiple sources (admin console and local machine policy), you can use the policy mergelist policy to combine them together: Entering in a * into this policy will automatically merge all supported policies together.
● Refer to this link for more information about policy precedence and policy merging.
● If you set a policy in the console, it will apply to the machine in near real time.
● Note that reports come up to the console by default every 24 hours: You can change it to every 3 hours via the Managed browser reporting upload frequency policy.

API support for Chrome Browser Cloud Management

Nearly every setting in the console has API support. For scaled management (like moving machines and making bulk changes), it is recommended as a best practice to set up the API to make life easier for admins in the console.

● For more information on how to set up the API in Chrome Browser Cloud Management, refer to this guide.
● Chrome Enterprise also has a GitHub repository that provides tons of different scripts as well as a C# framework called CBCM-CSharp that you can use to learn, create, and solve complex use cases through automation and integration.
   ● It has example arguments that can move browsers, delete out inactive browsers, pull information, and more.
   ● It also has some helpful PowerShell scripts to wake the browser and force updates and other useful Chrome Browser Cloud Management enrollment related scripts.

Troubleshooting issues in Chrome Browser Cloud Management

My machine is present in the admin console, but no information is being populated (like extension, version etc).

● Possible solution: Make sure that Cloud reporting is turned on in the Organizational Unit that the device is enrolled in.

I pushed out the token to my machines but many of them are not present in the console.

● Possible solution 1: Chrome needs to be restarted or launched in order for it to enroll into the console. Usually this happens over time but if you want to speed things along, you can use this script that will add the enrollment token, launch the browser in a system context (users will not see the window being displayed), wait 15 seconds for the enrollment to complete, and then close Chrome.
● Possible solution 2: Google update is required to be present on the machine for the enrollment to take place. It does not require Autoupdate to be on. Make sure that Google update is present on the machine and that the URLs that are needed for its function are not blocked. For a list of the URLs, check out this link, but most importantly the URL that is most used is: https://m.google.com/devicemanagement/data/api
● Possible solution 3: The console marks machines as unique on Windows through the machine GUID and via serial number on Macs. If you do not use sysprep on your Windows images and the machine GUID is the same, then if a machine enrolls with the same Machine GUID, it will replace the one that is already present in the console. Refer to the section on supporting Persistent VMs in this guide on how to change the Machine GUID on your machines to prevent this issue.

I set a policy in the console and it has applied on the machine but it isn’t showing up in the devices view in the managed browser section of managed browser.

● Possible solution: By default, policies that you set in the console apply to the machine in a few moments, but reporting back into the console by default is every 24 hours (you can reduce this to every 3 hours via policy).

I am seeing multiple instances of the same machine name in the managed browser section of the console.

● Possible solution: The console does not support non-persistent VMs. If you enroll them into the console, they will show up under the managed browser section, but once they are rebuilt they will receive a new Machine GUID which will have them show up as a duplicate entry, even if the machine name is the same.

I have a lot of machines that are inactive due to them being replaced or reimaged.

● Possible solution: Use the filter feature in the managed devices view by the last activity column or click on the “search or add a filter button” and select Last activity and delete them out.
● Or you can set up the API and refer to the CBCM-Csharp section on inactive browser deletion to automate this.

Resources

Setting up Chrome Browser Cloud Management

Chrome Browser Cloud Management Deployment Guide

Chrome Browser Policy List

Chrome update management strategies

Managing Extensions in your Enterprise Guide

Moving from Shadow IT to Managed Chrome Browser
