
Chrome Enterprise Customer Training Series: Admin Console overview and best practices
Learn about the primary areas of the Google Admin Console that are used to manage Chrome OS devices, including organizational units, user policies, device policies, network configurations, and application deployment.
Speaker: Pete Nevin, Partner Success Engineer for Chrome Enterprise at Google
For more Chrome Enterprise webinars visit https://chromeonair.withgoogle.com.
Content
1.76 -> welcome everyone my name is pete nevin
3.679 -> and i'm a customer success engineer with
5.12 -> the chrome enterprise team at google
7.04 -> and i'd like to talk to you today about
8.48 -> the admin console and how to manage
10.32 -> chrome devices
11.44 -> and overview best practices of chrome
14.48 -> remember if you're listening live and
16 -> have any questions please submit them
17.6 -> below and we'll be able to answer them
18.96 -> during
19.279 -> live during this session
22.48 -> so a little bit about the agenda i'm
24.32 -> going to start off with some basic
25.519 -> terminology
26.32 -> talk about organizational units or ous
28.8 -> and how policies are inherited by ous
31.679 -> we're going to talk about delegate
32.88 -> administration we're going to talk about
34.88 -> chrome policy management during a live
37.12 -> hands-on demo and we're going to talk
39.12 -> about managing applications and
40.64 -> extensions on chrome
43.2 -> so let's start off with a little bit of
44.64 -> key terminology and concept here
47.44 -> first off is the idea of a policy and
49.44 -> these are the settings
50.48 -> that you can push out as an it admin to
52.64 -> your users and devices
54.399 -> they're defined in the admin console
57.039 -> there are groups of policies that we
58.64 -> refer to as user settings
60.239 -> and device settings second is the admin
63.44 -> console itself or admin.google.com
66 -> and that's a single pane of glass that
67.52 -> you use to manage your users and devices
70.799 -> and it's also shared by other google
72.479 -> services like g suite
74.159 -> and meet hardware the third idea is the
77.36 -> idea of the organizational unit
78.799 -> or ou and this is the container that you
81.52 -> use
82.08 -> to hold devices users and apply settings
85.36 -> to so it allows you that granular
87.28 -> control
88.24 -> over different groups of users and
89.52 -> different groups of devices
91.52 -> and it's a hierarchical structure so
93.28 -> under each organizational unit you can
95.2 -> have sub
95.759 -> ou's that inherit the policies from the
98.159 -> parent
99.04 -> and you can override those policies and
101.6 -> inherited settings below
106.479 -> first off let's talk about some of these
108 -> settings as i said there are two major
109.92 -> groups of the settings
110.88 -> we'll talk about some others as well but
112.799 -> first there are device settings
114.32 -> and device settings control how an up
116.88 -> how a device operates
118.32 -> it controls what the use case is for the
120 -> device it controls who can log in
122.399 -> and how they can access the device it
124.719 -> really controls how the device operates
126.88 -> as opposed to what the user experience
128.64 -> is like on the device
130.239 -> and the second major category is user
131.92 -> settings these control
134.72 -> not how the device works but the user
136.959 -> experience on the device
138.8 -> you can manage apps extensions bookmarks
142.08 -> you can manage the security profile for
143.84 -> a user and those
145.28 -> settings follow the user from device to
147.44 -> device
149.68 -> and generally these two groups of
151.12 -> settings are mutually exclusive
155.2 -> let's talk a little bit about ou's and
157.12 -> policy hierarchy
158.959 -> an ou is a hierarchical structure that
161.04 -> starts at the domain root
162.8 -> underneath the domain root you can
164.16 -> create sub-ous and here's a typical
166.16 -> configuration that we see at enterprises
168.239 -> where they might have one ou that
169.84 -> contains all of the devices
171.84 -> and then underneath that ou are
173.76 -> different types of devices or different
175.44 -> use cases
176.239 -> so you have a different set of settings
177.599 -> for your kiosk devices from digital sign
180.159 -> devices
180.879 -> maybe from devices that you manage to
183.28 -> give to employees
184.4 -> and underneath the employees you might
185.84 -> have different groups of ous
188.159 -> for different teams like legal or
190.08 -> finance
192.4 -> and then underneath users again you see
194.4 -> these functional groups
195.599 -> finance might have different set of
196.959 -> settings and different apps from the
198.239 -> engineering team
199.04 -> which might have a different set of apps
200.8 -> and security settings from call center
202.319 -> employee
203.2 -> and often the admins themselves those
205.599 -> user groups are broken off because
207.44 -> they'll get a different set of
208.879 -> apps they'll get a different set of
210.84 -> permissions
214.08 -> so we talked about user settings we
215.68 -> talked about device settings user
217.12 -> settings control apps and extensions
219.519 -> they control security settings like
220.959 -> whether you allow incognito mode on the
222.64 -> browser
223.519 -> whether you force ephemeral mode to wipe
225.28 -> the device after each user sign out
227.599 -> device settings control who can sign
229.519 -> into the device
230.64 -> you configure whether or not you're
231.84 -> allowing guest mode control power
234.239 -> management on the device
235.599 -> there are also other sets of settings
237.519 -> such as network settings
240 -> there you can an admin can push out a
241.76 -> wi-fi configuration
243.439 -> can push out certificates and manage
245.2 -> those for user devices
246.799 -> and also push out vpn configurations
249.519 -> another couple of sets of settings are
251.04 -> around
251.519 -> two other specific use cases on chrome
253.76 -> one of those is managed
254.799 -> guest where a user can actually open up
257.28 -> a device
257.84 -> start it and start using it without
259.199 -> having to sign in you can control the
261.44 -> length of that managed guest session
263.199 -> you can post the terms of service to the
264.88 -> users or you can manage a url block list
267.6 -> to prevent them getting access to
269.12 -> particular sites
270.72 -> and then finally there's kiosk and kiosk
272.639 -> is really a single app that runs in full
274.56 -> screen mode
275.52 -> you can control which app runs you can
277.52 -> manage power settings
278.72 -> and even decide to auto launch that app
280.479 -> when the device turns on
283.84 -> under user settings some of the key
285.199 -> features that we'll look at
287.12 -> i'll show you how to push apps and
288.479 -> extensions and how to manage those on
289.919 -> devices
291.12 -> i'll show you how to disable enable
292.8 -> hardware such as the camera or usb
294.96 -> storage you can route user network
297.199 -> traffic through a proxy and generally
298.88 -> customize the user experience
301.759 -> under device settings some of the key
303.28 -> settings enrollment and access
305.84 -> to manage how the device is enrolled
307.52 -> into your domain and what users can get
309.36 -> access
310.16 -> you can specify who can sign into that
312.08 -> domain by either
313.68 -> who can sign into that device by the
315.36 -> domain you can even choose to auto
317.28 -> complete the domain it's convenience to
318.639 -> make it easier for users to sign in
320.72 -> and importantly you control how the
322.479 -> device accepts os
324 -> updates from google over time
328.24 -> so now i'm going to launch in do a live
329.84 -> admin console demo and talk through a
331.759 -> lot of these concepts
332.88 -> and show them to you on screen and this
336.16 -> is known as the home screen and the
337.6 -> first thing you'll notice is that there
338.8 -> are a lot of different tiles that give
340.24 -> you
340.479 -> grant you access to different areas of
342.4 -> the admin console
343.759 -> and you'll see that there's specific
344.88 -> tiles for devices for admin roles and
347.12 -> we're going to go into some of these
348.72 -> but the first rule to understand is that
351.199 -> what you see on this home screen and
352.72 -> what you have access to in the admin
354.32 -> console is all
355.44 -> controlled by what permissions and
356.96 -> privileges that your user profile has
359.199 -> as an it admin and so on my domain where
362.8 -> i'm a super admin and i have access to g
364.88 -> suite and
365.52 -> certain other features you may see
367.68 -> something different in your admin
369.039 -> console
370 -> first off we're going to talk about some
371.6 -> of these tiles and we're going to look
373.68 -> at specific settings for devices and for
375.6 -> security
376.56 -> but as you navigate through the admin
378.4 -> console these tiles also note that there
380.319 -> are other ways to navigate around the
381.68 -> admin console as well
383.44 -> first there's a main menu here in the
385.12 -> upper left hand corner sometimes called
386.8 -> the hamburger menu and that gives you
388.319 -> access
389.28 -> all the same areas of the admin console
391.28 -> that you can get through the tiles
393.28 -> if we come here devices and drill into
395.6 -> chrome management you can see there we
397.039 -> can get access to the device list
398.72 -> or look at managed browsers and look at
400.56 -> settings for chrome devices
402.319 -> go to directory you can see users groups
404.88 -> or you can edit your organizational unit
406.88 -> structure
408.4 -> so i'm going to go in and start with
410.8 -> looking at security settings
415.12 -> and the first thing that i'll say about
416.4 -> security is that the security
418.96 -> settings are outside of chrome and so
420.8 -> these apply not just
422.08 -> to devices and not just to chrome but it
424.16 -> also applies to your g suite logins
426.24 -> and other areas of the admin console as
428.08 -> well
429.52 -> so let's take a look at some of the
430.88 -> password management policies that are
432.319 -> available in chrome
433.52 -> and again these apply not just to chrome
435.199 -> but to your g suite login as well if you
436.88 -> choose to do so
438.88 -> so the first thing you'll note on all of
440.639 -> the admin console screens
442.08 -> where you're setting policies and making
443.599 -> changes is this layout
445.36 -> that you see before you which is you
447.44 -> have your organizational unit structure
449.039 -> over here on the left
450.319 -> and you have the policies and settings
452 -> over here on the right so you just get
453.68 -> into a rhythm where you
455.28 -> choose the ou that you want to edit you
458.319 -> come over
459.28 -> make the change that you want to make
461.52 -> and then down at the bottom of the page
462.96 -> you can save it
464.16 -> and so just you get that three-step
466.08 -> process choose the ou
468 -> make your setting and then save the
469.599 -> setting so let's look at a few of the
471.52 -> settings on
472.16 -> password management you can enforce
474.16 -> strong passwords you can define
476 -> a minimum and maximum length of a
477.919 -> password and be aware that
479.84 -> these are policies that apply to the
481.84 -> user that's logging into the device
484.479 -> and so you'll want to choose the proper
486.319 -> ou based on where your users are located
488.4 -> and again
489.199 -> it gives you the granular control to set
491.039 -> different policies for different groups
492.639 -> of users if you need to
495.199 -> we've got the ability to allow password
497.039 -> reuse and then even set an expiration
499.199 -> time for that password so that they'll
500.96 -> have to reset the password and choose a
502.879 -> new password after a certain period of
504.24 -> time
504.8 -> again choose the ou make the policy
507.84 -> change
508.639 -> and then save that change okay now i'm
511.84 -> going to look at another area of
512.959 -> security
518.159 -> and that is to set up single sign-on for
520.8 -> your user settings
522.32 -> and so you can give your users the
525.2 -> ability to manage their password within
526.88 -> chrome
527.6 -> but a lot of enterprises they'll want to
529.839 -> use an existing
531.12 -> identity provider and a single sign-on
532.88 -> solution and you can set that up with
534.24 -> the admin console
535.76 -> i'm going to scroll down and we're going
537.519 -> to go and look at how you would set up
539.04 -> the admin console if you had a
540.399 -> third-party identity provider
542.08 -> something like okta or ping or adfs
545.12 -> so we click in here the first thing you
548.56 -> should understand and see is that
550 -> there's
550.56 -> the ability to configure one id provider
553.2 -> you don't see organizational units here
554.88 -> there's no way to granularly choose
556.72 -> which id provider so
558.32 -> we do restrict you at this point to only
561.04 -> using one identity provider at a time
563.36 -> on your domain you can granularly apply
566.64 -> single sign-on either on or off for
568.48 -> different groups of users but it's going
570 -> to be this one id
571.12 -> provider that you configure here in
572.48 -> security so if we wanted to set up
574.88 -> single sign-on
576.56 -> to click this on and the primary fields
579.519 -> that you see need to be filled out
581.36 -> sign in page url sign out page url
584.56 -> upload a certificate if necessary apply
587.12 -> network masks
588.24 -> and a change password url so these three
590.64 -> urls are the primary policies
593.12 -> and settings that allow you to integrate
594.8 -> with an existing online
596.32 -> id provider again like okta or ping and what
599.04 -> you'll see
600 -> is you'll see the actual sign in screen
602.24 -> for that identity provider show up
604.32 -> as the chrome login screen and so when
606.88 -> you sign into that login screen
608.959 -> you'll get access directly to the single
610.72 -> sign-on provider and all the federated
612.64 -> applications
615.44 -> okay so that's what i wanted to point
616.8 -> out in security now we're going to take
618.56 -> a look at delegated admin
621.12 -> i'm going to go back to the home screen
626.72 -> and i'm going to come over here to this
628.079 -> tile indicating admin roles
630.8 -> so when i take a look at the admin roles
632.48 -> page what you'll notice is
634.079 -> there are a number of different roles
636 -> which basically consist of a set of
637.76 -> permissions
638.64 -> or page level access and those
641.839 -> permissions being granted specific
644.079 -> admins on a given area of the ou and
647.2 -> you'll see there's both built-in system
648.72 -> roles
649.44 -> as well as custom roles so let's take a
652.32 -> look at one of these particular
653.519 -> permissions
656.32 -> the user management admin role consists
658.88 -> of a number of admin console privileges
661.36 -> and then admins that are assigned those
663.04 -> privileges you can also copy a role to
665.36 -> make a new custom role
666.959 -> so we take a look at some of the
668 -> privileges that are enabled in this
669.6 -> particular role
671.92 -> you look and you see that this role is
673.519 -> able to read organizational units
675.839 -> ostensibly so that you can see the
677.44 -> organizational units to create users
680.72 -> you're able to read create update move
683.6 -> users
684.399 -> rename them etc so this is a user
686.64 -> management role
688.16 -> if say your organization was broken into
690.72 -> regional districts say you have an
692.24 -> office in boston
693.2 -> an office in atlanta and an office in
694.959 -> denver you may want to grant access for
697.68 -> your it admins to create
699.44 -> and manage users only within their
701.04 -> office and you can do that with
702.48 -> delegated admin you can create the
704.56 -> boston ou you can grant access
707.76 -> to that specific ou to your it admins in
710.72 -> that office
711.44 -> and then they'll be able to manage just
712.88 -> the users in their office and not be able to
714.72 -> manage the
715.279 -> users in the other offices so in
717.839 -> addition to privileges
719.12 -> we can come over here and look at the
720.399 -> admins that are assigned this role
722.639 -> if you want to assign a new user to this
724.48 -> role
726.079 -> click in you type find a name
733.92 -> select the name select where in the
735.92 -> organizational unit you want to grant
737.44 -> this permission
739.519 -> and then assign that role and you'll see
742.56 -> they show up in the list
743.68 -> and so this is a list of all the
745.04 -> different users and all the areas of the
746.88 -> organizational unit
748.24 -> where they have that particular role
752.399 -> now i'm going to go over and look at
754 -> some different settings i'm going to
755.68 -> jump to the home
756.639 -> screen and we're going to talk about
758.32 -> networking
761.12 -> so on the home screen you'll note that
763.76 -> there's a devices tab
765.36 -> and under the devices tab is where you
767.04 -> get networking settings and all the
768.32 -> other policies we're going to look at
770.639 -> okay so the first thing i'm going to do
772.8 -> in showing off the devices settings
775.04 -> is to go over to the devices page and
777.839 -> you'll see here
778.639 -> there's the opportunity to manage a
780 -> number of different types of devices
782 -> of course in this console we're in this
783.92 -> demonstration we're focusing on chrome
785.44 -> devices
786.16 -> but you'll also see there's the emm for
788.079 -> managing mobile devices
789.76 -> google meeting room hardware jamboards
791.68 -> etc
793.839 -> so the first thing we're going to look
795.04 -> at on this screen is network settings
798 -> and you'll notice that the network
799.12 -> settings is here on this devices tab
802.16 -> outside of chrome it applies to multiple
804.079 -> types of devices so as we create these
805.92 -> network settings
807.04 -> you can see that they might apply to
808.56 -> different types of devices
811.44 -> so i'm going to click into networks and
813.36 -> you'll see here that your
814.72 -> you as the admin have the ability to
816.8 -> push different types
818.32 -> of network configurations to your chrome
820.16 -> devices wi-fi configurations ethernet
822.959 -> configurations
824.399 -> vpns push certificates and then there's
827.76 -> some
828 -> general settings around networks for
830.16 -> chromebooks
831.279 -> whether they auto connect restrict wi-fi
833.199 -> networks or
834.56 -> restrict or allow specific network
836.32 -> interfaces on those chromebooks
839.12 -> and remember this is the way that an
840.72 -> admin can push a network configuration
843.68 -> so
844.16 -> the admin may be pushing out the
845.76 -> corporate wi-fi network
847.279 -> maybe pushing out a corporate ethernet
849.36 -> configuration
850.88 -> but the user can also create these
852.56 -> configurations locally on the device
854.16 -> themselves so if you
855.36 -> give someone a chromebook that they're
856.959 -> that they take into the office and they
858.399 -> make use of the corporate wi-fi within
860.16 -> the office
861.44 -> when they take that same device home and
863.12 -> they're on their home wi-fi they can
864.72 -> just configure that home wi-fi locally
868.399 -> so let's click in and look at a wi-fi
870.88 -> network
872 -> and you'll see here again these these
874.56 -> different network settings can apply to
876.24 -> different types of devices
877.839 -> uh for chromebooks specifically
879.6 -> chromebooks and chromeboxes
881.36 -> you can push these networks by user
884.399 -> or you can push them by device and the
886.8 -> difference there being that if you push
888.639 -> a network configuration by user that
891.199 -> network configuration will follow a user
893.279 -> from device to device and be available
894.959 -> no matter which device
896.48 -> you're managing that they have access to
899.44 -> if you're pushing that wi-fi
900.639 -> configuration by device
903.04 -> then the configuration will reside on
904.399 -> the device and it'll be available to any
906.399 -> user
907.04 -> that uses that device so as an example
910.079 -> click in and talk about a chromebook uh
913.12 -> wi-fi configuration for chromebook by
915.519 -> user
917.12 -> and uh the the details down here below
919.279 -> you you give this a name like this might
920.88 -> be the corp network
922.56 -> and it's uh you indicate the ssid
925.36 -> whether
925.839 -> ssid is broadcast whether you want the
927.68 -> user automatically connect
929.519 -> and then there's a number of security
930.8 -> settings so there's a security type
933.36 -> you see we support a number of different
935.519 -> security settings
936.959 -> wep wpa 802.1x
940.32 -> you know configurations if you choose
942.8 -> one of these then
944.48 -> it will change the options around
946.48 -> authentication protocols
948 -> you'll see that we have support for a
950.56 -> number of different authentication
951.68 -> protocols
952.8 -> peap tails are two of the common ones
955.199 -> that we see in enterprises
956.72 -> and then you can pass in as part of that
959.04 -> authentication you can pass in
960.8 -> use variables to pass in the username
962.959 -> and password that the user has on the
964.56 -> device
965.44 -> etc just to make the logging in process
968.56 -> much easier
969.92 -> if there's a default certificate
971.199 -> authority that's being used
973.44 -> check for that you can pass in proxy
976.16 -> settings
977.04 -> you want to manually configure proxy
978.639 -> automatically configure proxies
980.72 -> dns settings etc so you can enter these
982.72 -> settings in and push
984.24 -> this to your users as
987.519 -> the network configuration
992.88 -> similarly there's ethernet networks so
995.04 -> you can configure an ethernet
996.16 -> network again by user by device
999.199 -> give it a name and you'll see that it
1002.24 -> has you know
1002.959 -> same thing you're gonna select an
1004.639 -> authentication protocol
1006.079 -> look at it at different types of
1008.48 -> authentication protocols that are
1009.839 -> supported
1010.639 -> and look at different ways to pass in
1012.24 -> information to identify the user and
1014.16 -> identify how they are going to log into
1015.839 -> that network
1018.48 -> okay
1023.04 -> i think the last thing is just to look
1024.4 -> at some of these general configurations
1026.48 -> as i said you can only allow managed
1029.12 -> networks to auto connect
1030.559 -> so the the device will only connect to
1032.48 -> manage configurate network
1033.679 -> configurations
1035.039 -> uh you can enable or disable specific
1037.919 -> network interfaces
1039.439 -> just depends on how you want to manage
1041.12 -> users access to the network
1043.12 -> and again with all of these settings
1044.64 -> we're going to go over here select the
1046.319 -> ou we want to
1047.199 -> impact make this change and then save
1050.16 -> that change
1053.28 -> okay i'm going to go back to device
1055.919 -> management
1057.28 -> and we're going to talk a little bit
1058.64 -> more about specific settings and
1060.559 -> pages for chrome management i'm going to
1063.84 -> click in here to chrome management and
1065.2 -> this gives you the menu that really
1066.64 -> contains
1067.2 -> most of the settings and most of the
1070.72 -> pages that you'll access in managing
1072.48 -> your chrome fleet
1074 -> i'm going to start off by looking at the
1075.919 -> device list and that's on this first
1077.76 -> item devices
1079.2 -> which gives you a list of all the
1080.64 -> devices on the domain
1083.2 -> and you can filter and sort you can
1085.6 -> search for specific devices
1087.28 -> you can look at their status right now
1089.28 -> i'm just looking at all
1090.4 -> organizational units all devices that
1092.559 -> are for provision status
1094 -> and you can change that to look at
1095.6 -> devices that have been de-provisioned
1097.2 -> or you can filter by ou and just look at
1099.84 -> a specific ou
1102.4 -> this gives you a list of all the devices
1104.24 -> that you've selected
1105.84 -> there's also now a an option to export
1109.44 -> that list so you can get a csv
1111.2 -> file containing all the metadata that
1112.88 -> you see if you want to upload that into
1115.2 -> another system or do some analytics on
1117.2 -> it
1119.44 -> if you click in and click in on the
1121.28 -> serial number you'll get get to the
1122.799 -> device
1123.6 -> details page for this particular device
1126.48 -> the first thing you see is there's a lot
1127.76 -> of information about the device at the
1129.2 -> top
1130.24 -> what's the chrome os version serial
1132.72 -> number
1133.679 -> mac address the time of enrollment etc
1137.6 -> in addition has the auto update
1138.88 -> expiration the aue date which is how
1140.799 -> long before this device
1142.4 -> stops taking updates so important
1145.12 -> information there
1146 -> there are a couple of custom fields here
1147.84 -> these are fields that you can
1149.2 -> fill out either at enrollment time or
1151.12 -> after the fact and help you manage your
1152.64 -> fleet
1153.36 -> you can add asset id add a location
1156.24 -> there's a notes field
1157.44 -> or you can use these custom fields for
1159.12 -> storing other data that's that's helpful
1160.799 -> for managing your fleet
1162.88 -> and then down at the bottom there's a
1164.24 -> little bit of activity data
1166.24 -> some troubleshooting data you might look
1168.16 -> at the last known cpu utilization
1171.12 -> memory usage ip address will show up
1173.84 -> here
1174.559 -> disk space usage so this just helps to
1176.64 -> keep status on specific
1178.08 -> details around specific devices within
1180 -> the fleet
1181.76 -> and then the last thing i want to show
1183.2 -> you on this page are these commands
1185.44 -> you see on the left and here a couple of
1187.36 -> things you can do to a device remotely
1190 -> i'm going to point out two and describe
1191.679 -> those disable and de-provision
1193.76 -> uh which are two different commands you
1195.039 -> can do remotely to your device typically
1196.799 -> it's sorted towards end of life
1198.64 -> or or when the device is lost and stolen
1200.559 -> you will want to disable that device
1202.72 -> essentially that renders the device so
1205.039 -> that it can't be signed into
1206.799 -> and if it's turned on the screen will
1208.72 -> just display a configurable message
1211.28 -> you can put in your address or an email
1213.12 -> address or phone number to contact
1215.6 -> indicating that the device is inoperable
1217.6 -> and they should contact this phone
1219.12 -> number to get instructions to return the
1220.72 -> device
1222 -> de-provision is what you do with a
1223.36 -> device when it's at the ends of life
1224.88 -> maybe after the aue date or if you
1227.2 -> decide you want to
1228.88 -> de-provision the device remove it from
1230.4 -> your enterprise remove the policies and
1233.44 -> perhaps donate to a school
1235.36 -> you would de-provision the device and
1236.72 -> that effectively takes it out of your
1238.24 -> domain
1238.799 -> out of management and allows the device
1241.36 -> to be used
1242.4 -> for for some other purpose all right now
1245.2 -> i'm going to jump back
1246.4 -> to that chrome management menu and we've
1249.12 -> got a couple of more screens to talk
1250.799 -> about
1251.52 -> i want to look at device settings and
1253.679 -> device settings are these policies that
1255.6 -> we talked about earlier in this
1256.64 -> presentation
1257.919 -> these are the settings that you can
1259.6 -> apply as an administrator
1261.36 -> again based on ou structure based on the
1263.919 -> hierarchy you can have these policies
1266.08 -> set at the level of an ou or inherited
1268.4 -> from the parent
1271.28 -> and i really want to like talk about is
1273.039 -> the first policies the first one that
1274.72 -> shows up on the list and that's
1276.32 -> forced re-enrollment and forced
1277.76 -> re-enrollment is a policy
1279.52 -> really is the table stakes policy that
1282 -> indicates that you want this device
1283.36 -> under management because forced
1284.559 -> re-enrollment means that a device
1286.64 -> can't be merely wiped and moved out of
1289.84 -> your domain and re-enrolled in another
1291.679 -> domain so forced re-enrollment is a
1293.28 -> policy that
1294.24 -> makes sure that device stays locked to
1296.08 -> your domain and you'll see there's a few
1298.08 -> different settings a few different
1299.679 -> options around here where
1300.88 -> we're working on a feature to
1302.24 -> automatically re-enroll the device but
1304.24 -> essentially you want to force the device
1306.48 -> to re-enroll with some credentials into
1308.4 -> this domain
1309.28 -> after it's been wiped and again this
1311.679 -> will prevent a user from just taking a
1313.44 -> device wiping it and using it on their
1315.12 -> own or using it under a different domain
1318.08 -> some other device policies i think are
1320.159 -> important to go over
1321.12 -> are os update policies and you'll see
1323.6 -> you have some filtering and searching
1325.28 -> capability up here in this
1326.799 -> uh in the toolbar and
1329.84 -> device update settings as you may know
1332.4 -> chrome has a
1333.919 -> rhythm that every six weeks we have a
1335.76 -> new release a new major milestone
1338 -> and so we may be on version 83 now
1341.52 -> as the latest stable version and 80
1344.799 -> version 84 will be in beta
1346.72 -> version 85 will be in the dev channel
1349.12 -> these are different channels
1350.48 -> release channels stable considered to be
1352.48 -> the most tested and most
1354.64 -> most appropriate for the vast majority
1356.88 -> or fleet
1358.159 -> every six weeks and six weeks 84 will
1360.559 -> become the stable and then six weeks
1362.159 -> later 85
1363.12 -> becomes stable and so there are a number
1365.039 -> of different settings on how you want to
1366.96 -> allow your your fleet to take on these
1369.36 -> updates
1370.48 -> the first is just a general setting
1372.48 -> again by ou as to whether you want to
1374.32 -> allow auto updates
1375.52 -> allow the device to reach out and
1377.12 -> download those updates automatically and
1378.799 -> apply them
1379.6 -> or whether you want to stop auto updates
1381.76 -> and this may be something that you
1383.84 -> implement you may start to take an
1385.6 -> update realize that there's some
1387.039 -> incompatibility or there's a bug in the
1388.88 -> update that impacts some of your users
1390.48 -> so you could stop
1391.36 -> auto updates give time for the app
1394.08 -> developer to work through that
1396 -> incompatibility or give google a chance
1397.919 -> to fix whatever bug it is that's causing
1399.679 -> the problem
1400.799 -> and then you can just allow updates and
1402.559 -> it'll take the take the next update
1405.679 -> uh you see here under restrict google
1407.36 -> chrome version you're able to
1409.6 -> not only take just the latest stable but
1411.679 -> if you want you can
1412.72 -> pin an ou to a specific version
1416.159 -> and and you can pin backwards up to
1418.64 -> three versions
1420.08 -> older than the latest stable as you see
1422.08 -> here and this might again be
1424.24 -> you may have a version that you've
1426.32 -> tested in your enterprise and we have
1428 -> enterprise customers will do this they
1429.44 -> will test
1430.24 -> maybe one version behind stable and just
1433.6 -> stay pinned to that previous version
1435.679 -> rather than risk having a bug come in
1437.6 -> they'll stay on a version that's prior
1439.6 -> to the latest stable
1442.32 -> there's another provision here uh if you
1444.24 -> have a you know a site with a
1446.24 -> you know thousands of chromebooks on you
1448.4 -> may not want all of those devices to
1450.72 -> reach out to the update server and
1452.559 -> download a
1453.52 -> half gigabyte payload os update and so
1456.88 -> you can scatter those updates over a
1458.559 -> certain number of days you can say
1459.919 -> scatter over a week
1461.279 -> and one seventh of your fleet will take
1463.52 -> that update
1464.799 -> each day
1467.919 -> all right in addition to that i want to
1469.36 -> talk about the os
1471.2 -> channels so i'll show you that
1476.24 -> search here and here you can see again
1478.559 -> by ou
1479.84 -> you can select click into a different
1482.32 -> view you can choose
1483.52 -> by ou to set the channel that you want
1486 -> the devices in that ou and here's how
1487.52 -> you would set
1488.4 -> create an ou put maybe your power users
1491.279 -> your stakeholders
1493.2 -> or some some number of users we
1496.08 -> recommend between five and ten percent
1498.32 -> of your fleet on the beta channel so
1500.32 -> they'll actually see the os
1501.76 -> updates prior to them hitting the
1503.44 -> remainder of your fleet
1505.039 -> so we see this is the best practice
1506.48 -> enterprises 90 to 95 percent of your
1509.6 -> fleet you want to be
1510.559 -> on the stable channel but retain you
1512.88 -> know some small number
1513.84 -> five or ten percent on beta channels so
1515.52 -> that if there is gonna be
1517.12 -> you know an incompatibility with a
1518.72 -> critical business app you'll identify
1520.32 -> that prior to it hitting the rest of
1521.84 -> your fleet
1525.6 -> and then uh one last set of policies
1528.88 -> it'll show on the device side is
1530.88 -> we talked about how users can sign in
1533.2 -> and so there's a number of different
1534.32 -> ways
1534.799 -> you can allow a guest mode you can
1536.64 -> disable a guest mode that would enable a
1538.559 -> user to use the device without signing
1540.48 -> in
1541.36 -> you can see that you can apply sign in
1543.279 -> restrictions
1544.48 -> so you can restrict sign in to your
1546.4 -> devices only to
1549.279 -> only to addresses or only to accounts
1551.36 -> that come from your domain or from a
1552.96 -> list of domains
1554.799 -> and then also there's this policy
1556.32 -> autocomplete the domain and so this
1557.76 -> allows
1558.4 -> this will pre-populate a domain onto the
1560.64 -> login screen so the user just has to
1562.4 -> type the prefix so it's a nice little
1563.919 -> convenience
1565.039 -> policy there okay uh you'll see up here
1567.84 -> the tab there's a few different types of
1569.12 -> settings we said we'd talk about device
1570.72 -> settings
1571.44 -> uh i want to want to also talk about
1573.279 -> user browser settings
1574.559 -> so i'll click over there and the first
1576.799 -> thing to note obviously is that it is
1578.64 -> user and browser settings and that means
1580.88 -> that the policies here
1582.08 -> have a lot of overlap with policies that
1584.88 -> control the user experience in chrome os
1587.2 -> as well as policies that apply to
1589.76 -> browser instances
1591.039 -> on chrome os and other platforms like
1593.6 -> mac
1594.159 -> linux and windows and if you're using
1596.72 -> chrome browser cloud management
1598.799 -> cbcm which is a you know the use of the
1600.799 -> admin console to manage your browser
1602.559 -> instances
1603.44 -> you can see that these a lot of these
1605.2 -> same policies overlap
1606.96 -> with policies so this is kind of your
1608.72 -> one-way single pane of glass to
1610.48 -> to manage the user experience across
1613.2 -> multiple platforms across chrome os
1615.039 -> across
1615.76 -> mac across windows um and and be able to
1618.96 -> configure common sets of policies uh
1621.52 -> security policies for those browsers
1625.12 -> all right uh the first thing i'm going
1626.48 -> to talk about is there are some
1627.679 -> enrollment controls that have to do with
1629.84 -> the chrome devices
1631.36 -> and i want to talk about one in
1632.4 -> particular is this device enrollment
1634.159 -> option
1634.96 -> when you're using a user credential to
1636.4 -> enroll a device
1638.159 -> this policy distinguishes between two
1640.159 -> different operations one would be
1642 -> just to keep the device at its current
1643.44 -> location for a new device that would be
1645.12 -> the root of the ou structure
1647.039 -> but alternately you can set the policy
1649.279 -> so that the chrome device
1650.88 -> moves to the same ou as the user where
1653.679 -> the user is in that in that
1655.039 -> organizational unit structure
1656.48 -> and so if you're using a service
1657.919 -> provider white glove service provider to
1659.6 -> enroll your devices
1660.72 -> for you this is a way that you can you
1662.88 -> can give them multiple enrollment
1664.08 -> credentials
1665.039 -> for users across different areas of your
1667.12 -> ou structure
1668.08 -> and have the devices automatically
1669.52 -> enrolled and moved into the proper place
1671.52 -> so they'll get the right set of policies
1673.44 -> right from the beginning
1676.64 -> also you'll see that there's the ability
1678.159 -> to we talked about that asset identifier
1681.039 -> and location information as being custom
1682.96 -> fields
1684.24 -> you can include that as part of the
1687.039 -> enrollment process so again if you have
1688.64 -> your
1689.44 -> white glove service provider enrolling
1690.799 -> devices or your it department is enrolling
1692.96 -> devices
1693.84 -> as they enroll them you can have them
1695.44 -> enter the asset id right then
1697.12 -> and you'll have an easy way to identify
1698.88 -> those devices in your admin console
1701.039 -> as you manage them
1704.08 -> the last sort of set of settings that
1705.76 -> i'll point out in
1707.919 -> on the user side are security settings
1712.159 -> and and some of the security settings
1713.76 -> you'll see are around chrome safe
1715.12 -> browsing
1716 -> uh you can enable chrome variations
1718.32 -> there are also a few
1719.36 -> security settings related to the user
1721.279 -> experience
1722.559 -> if you scroll down site isolation you
1724.559 -> can turn that on or off for
1726 -> for websites you can choose to allow the
1729.279 -> user to use password manager
1731.44 -> you can allow the user to use incognito
1733.679 -> mode or to block
1735.2 -> access to incognito mode for your users
1738.72 -> and and also to enable this force
1740.88 -> ephemeral mode which is a
1742.799 -> somewhat popular setting which means
1744.72 -> that when a user signs off the device
1747.039 -> it'll erase all the local user data and
1750.08 -> basically wipe the history and things
1751.6 -> like that from the device
1753.44 -> so that you reduce the risk of someone
1756.399 -> else getting access to the personal
1758 -> information on the device
1760.72 -> all right so i think that's all i was
1761.76 -> going to talk about about settings
1764.159 -> and now i'll jump back over to chrome uh
1766.159 -> we'll talk about app management
1769.36 -> okay so to manage apps and extensions
1772.48 -> in chrome in the admin console we're
1774.32 -> going to click down here on apps and
1775.6 -> extensions
1777.12 -> and go over to the screen for app
1778.84 -> management
1780.64 -> and the first thing you'll notice
1781.679 -> there's again multiple tabs up here
1783.6 -> we're going to focus on the users and
1785.2 -> browsers tab
1786.48 -> which is how you manage apps and push
1789.44 -> apps and block apps
1790.88 -> for the for signed in users we've talked
1793.6 -> about these other use cases kiosks and
1795.2 -> managed guest sessions those are
1796.799 -> other use cases that i'm not focused on
1798.64 -> today but that's how you would manage
1800.08 -> apps for those use cases where a user is
1802.799 -> not signing in
1804.72 -> so again these apply to both users and
1806.399 -> browsers so if you have
1808.32 -> browser instances you're managing
1809.84 -> through chrome browser cloud management
1812 -> you can
1812.799 -> install extensions on those browsers
1814.399 -> this way but we're going to focus in on
1816.08 -> this installation of
1817.12 -> apps via the various marketplaces that
1820.08 -> chrome allows
1822.32 -> so the first thing to note is that the
1824 -> applications that we
1825.44 -> do manage they do follow the user's
1828.32 -> profile
1828.96 -> so as a user moves from device to device
1831.52 -> they'll get the same sets of apps
1833.44 -> downloaded from the cloud and have
1835.12 -> access to the same user experience no
1836.88 -> matter which device
1837.919 -> so this is good for a shareability type
1839.6 -> use case the other thing you'll note
1841.679 -> for each ou there's a overall
1845.679 -> setting which controls how applications
1848.32 -> are managed within this ou
1850.159 -> at a high level and you'll see the
1852 -> choices there that
1853.2 -> you can choose to block all apps and
1855.2 -> extensions in which case the users will
1857.519 -> only be able to access the apps that the
1859.919 -> it admin manages here
1861.519 -> in the management console or you can
1863.6 -> choose to allow
1864.799 -> apps so you can allow users to go and
1866.72 -> discover and install their own apps and
1868.96 -> you can do that
1869.76 -> all apps and extensions other apps from
1872.24 -> the google play store other
1873.84 -> other apps from the chrome web store
1875.44 -> we'll look at that in just a second
1878.159 -> so just important to note that there's
1879.76 -> an overall do you want to
1882 -> choose to block everything and then just
1884.159 -> allow certain applications for users or
1886.159 -> you want to generally
1887.2 -> allow applications and then just block
1889.519 -> specific applications
1891.679 -> so you'll note that over here on the
1893.919 -> yellow plus button this is how we add a
1895.679 -> new application and you'll see that
1897.279 -> there are several different ways to add
1898.96 -> applications
1900 -> the first here is the chrome web store
1902.08 -> that's chrome apps and chrome extensions
1904.72 -> you have the google play store so you
1906.72 -> can add supported android apps
1909.519 -> there's the ability to add an extension
1911.519 -> by id this is
1912.559 -> you have your own custom app that you've
1914 -> built and then finally there is
1916.559 -> add by url which refers to progressive
1918.64 -> web apps and you'll note the difference
1920.559 -> in those
1921.6 -> examples of each here if you see a url
1923.84 -> here it indicates that it is a pwa
1926.64 -> this long id
1929.679 -> associated with the citrix workspace
1931.12 -> that indicates it's a chrome app
1933.2 -> and if you have a android looking
1935.6 -> package name like com.slack that
1937.6 -> indicates it's an android app
1939.519 -> if it's a private app you'll see this
1941.76 -> this icon over here and
1943.279 -> an id for that private app so let's take
1946.24 -> a quick look at what it looks like to
1947.679 -> configure a new app
1948.88 -> i'm going to come down here and click on
1950.32 -> chrome web store
1953.039 -> and it'll bring up a list of
1954.32 -> applications and you can search for
1955.919 -> applications
1957.039 -> i'm going to go ahead and type in
1960.84 -> netflix
1963.039 -> and you'll see you have you can search
1965.12 -> for apps you can filter apps
1967.12 -> i'm going to select the netflix party
1968.72 -> extension for this
1970.399 -> ou and you'll see that it now you
1973.519 -> have the choices to
1974.799 -> allow this app you can choose to force
1977.279 -> install the app which means it'll be
1979.519 -> installed on every device within this ou
1981.44 -> and the user can't remove it
1983.12 -> you can also choose to force install the
1985.12 -> app and
1986.159 -> pin it to the taskbar so it's always
1988.159 -> readily available and visible to the
1989.84 -> user
1990.72 -> or if you're allowing all apps you can
1992.32 -> choose to block this so i'm going to go
1993.919 -> ahead and
1994.32 -> force install and pin save that change
1999.679 -> and now when we go back out you'll see
2001.84 -> that netflix party shows up in the list
2005.44 -> similar with an android app basically
2008 -> the same
2008.559 -> order of operations you choose the play
2010.88 -> store
2011.84 -> you get a search area where you can
2013.679 -> search for applications in the play
2015.12 -> store
2015.919 -> you can choose a specific app let's say
2018 -> whatsapp messenger
2020 -> select and again you get those same
2022.399 -> controls you can
2023.6 -> choose to allow the installation of this
2025.2 -> app for your users you can force install
2027.519 -> force install and pin or block i'll go ahead
2029.6 -> and force install this one
2031.679 -> and save the change
2036.159 -> go back out see what's happened the last
2039.36 -> thing i'll point out you see that there
2040.799 -> are
2041.679 -> configurations over here on the right
2043.6 -> different apps may support
2045.039 -> different configurations and i'm going
2047.44 -> to take work center workspace as an example
2049.839 -> there are a few permissions that you can
2051.599 -> change from ou to ou
2053.28 -> and then a number of apps will support
2055.52 -> managed configuration or specific
2057.52 -> configuration that you can change from
2060 -> ou to ou
2061.28 -> and allows you to get more granular with
2063.44 -> which of these managed configurations
2064.96 -> you push out to your users
2066.32 -> citrix for example you may have a
2068 -> different gateway that you want your
2070 -> users in north america to use versus
2072.72 -> your users in emea may use a different
2075.28 -> gateway and so you
2076.399 -> you use the citrix json to specify what
2079.839 -> those gateways are and how you want your
2081.76 -> users to use them
2083.119 -> and it's up to the application
2084.48 -> developers to understand
2086.159 -> support these managed configurations and
2089.359 -> provide the syntax that they need to be
2091.119 -> provided in
2092.399 -> thank you for joining today if you have
2094.079 -> additional questions please email
2095.679 -> chrome on air at google.com
2100.079 -> and don't forget to register for these
2101.68 -> upcoming webinars
2103.2 -> on july 30th we'll be doing a webinar on
2105.44 -> support and troubleshooting on chrome
Source: https://www.youtube.com/watch?v=eau5sUGPJdY