Skip to end of metadata
Go to start of metadata

clientchromelogo



The following processes and steps will walk you through getting your FileWave server setup to manage Chromebooks. Current functionality will allow you to pull/query inventory data and utilize our location tracking feature in FileWave. Some steps can be skipped if certain accounts and projects were made beforehand.


If you are unsure whether or not you are able to use Chromebooks with FileWave you can use the resources below:

  • List of countries where Chrome OS Management licenses are sold directly by Google to end customers:
    Go to https://eduproducts.withgoogle.com/, click 'contact sales', and then look at the drop-down menu 'Country' - if the country is in the list, it's supported.
  • Even if the country is not listed under list above, a local google partner might be able to help :
    https://www.google.com/a/partnersearch

Required Items

  • Google Domain

    • Admin rights within the Google Domain
    • At least one Chromebook

    • Chromebooks Enterprise enrolled
    • Pre-existing Google Organizational Unit structure (RECOMMENDED)

  • Running FileWave Server

Setup


JSON File

Before we can begin we need to create the .json file needed to configure the OAuth token section in the FileWave Admin.

  1. Go to the below address to start the process:
    https://console.developers.google.com/flows/enableapi?apiid=admin,calendar,classroom,drive,driveactivity.googleapis.com,gmail,groupssettings,licensing,plus,contacts
  2. Once there, keep the selection "Create a project" and select Continue (we'll rename the project later)



  3. Agree to terms and select your Country of Residence – Agree and Continue

  4. Click Go to credentials 

    CB-smallAPIenabled

  5. Now we'll edit the project name before making the credentials, click the hamburger icon on the top right corner and choose Project Settings



  6. Rename your new project and Save

  7. Now a service account has to be created, click the hamburger icon in the top left corner and select Credentials under APIs & Services



  8. Select Create Credentials > Help Me Choose at the top of the page



  9. Fill out the form as seen below:
    Which API are you using? > Admin SDK
    What data will you be accessing? Application data
    Are you planning to use this API with App Engine or Compute Engine? > No, I'm not using them
    Click NEXT to continue



  10. Click What credentials do I need?
  11. Enter a name for the service account. Remember this name for later
    Click CREATE to continue



  12. For the role make it Owner which is in the sub menu Project
    Click CONTINUE to move on

  13. On the Grant users access to this service account just click DONE to continue and you will return to the Credentials screen that now shows the Service Account
  14. Click Manage Service accounts
  15. Click the hamburger on the right side of the Service Account and then click Manage keys


  16. Click ADD KEY > Create new key here to create the JSON file that will be used by the FileWave server
  17. Click CREATE to create the file and then save the file when prompted
  18. You will now have the needed JSON file that will be used later

Enable Google Apps Domain-wide delegation

  1. On the top left corner select IAM & Admin > Service Accounts
  2. After you are in service accounts you will need to find the account name you created in the previous steps
  3. Select the Actions menu and click Manage details



  4. Once you hit Manage details you need to Show Domain-Wide Delegation at the bottom of the DETAILS tab and then check Enable Google Workspace Domain-wide Delegation, and then give it a Product name for the consent screen before then saving

Authorize API scopes

  1. From the top left hamburger go to the Credentials section under APIs & Services
  2. Once there copy the Client ID you created in the earlier steps under the OAuth 2.0 client ID section.



  3. In your browser, open another tab and go to the Google Admin console
    admin.google.com

  4. Once there select Security



  5. Scroll down and select API Controls 
  6. Click Manage Domain Wide Delegation
  7. Select Add new
  8. Paste the copied Client ID from step 2 in this section into the Client Name field
  9. Copy and paste the following into the One or More API Scopes field all at once then hit Authorize

    https://www.googleapis.com/auth/admin.directory.device.chromeos,
    https://www.googleapis.com/auth/admin.directory.customer,
    https://www.googleapis.com/auth/admin.directory.orgunit
  10. After you Authorize you should see the new entry below (your Client ID will be different)



The Chrome API requires a user to be used in conjunction with a "delegated user".

Any Google user with correct privileges can be used. Make sure whatever Google user you use has a role with the minimum privileges below:

  • Admin Console Privileges / Organization Units (Note that this will automatically give corresponding Admin API Privileges)
  • Admin Console Privileges / Services / Chrome OS / Manage Devices

Once you have your Google user with the proper role setup, get back to the APIs & ServicesCredentials section of Google Cloud Platform so we can tie the Google user with the service account created. https://console.developers.google.com/apis/credentials

  1. Select Manage service accounts by the Service Accounts section
  2. Check the checkbox to the left of your service account
  3. Click MANAGE ACCESS at the top of the page
  4. Then click ADD MEMBER on the dialog that appears
  5. Add the Google User and give it the Service Account User and Service Account Token Creator roles



Sync Google with FileWave

  1. Be sure you have already set up Google Cloud Messaging (GCM/Firebase) Setup
  2. Open your FileWave Admin Preferences and select the Chromebooks/Google Tab (name depends on version)
  3. Once there click the Configure OAuth token button at the top
  4. You will be prompted for the superuser credentials
  5. After authenticating simply type in the Google Account you associated to the service account
  6. Last step will be to import the .json file you saved at the beginning of this document



  7. After you press OK FileWave will sync automatically with Google



  8. Now if you go into the Clients section in FileWave you will see a Chromebooks group with the same structure and devices you have in your Google Admin. This may take some time.




Deploying the MDM Certificate

 Click here to expand...

If you would like to use FileWave Engage with Chromebooks you will need to follow the instructions below but open the Engage tab in step 2 and 4.

  1. In the FileWave Admin, open the Preferences
  2. Go to the General tab
  3. In the SSL Certificate Management section, make sure you have a valid root trusted certificate with a valid Common Name that matches your FileWave Server name (FQDN)
  4. Go to the Google/Chromebooks tab
  5. Click Export Certificate
  6. Save the certificate locally



  7. Follow the instruction listed in the following URL from Google to upload your certificate to Google
    Please Note: Make sure the checkbox "Use this certificate as an HTTPS certificate authority." is checked for the MDM certificate
    https://support.google.com/chrome/a/answer/6342302?hl=e

Deploying the FileWave Inventory Extension

  1. Open admin.google.com

  2. Click Devices
  3. On the left sidebar, click Chrome > Apps & Extensions > Users & Browsers



  4. On the left sidebar, select the OU you want to assign the extensions too
  5. click the yellow Plus Sign + on the bottom right of the page and then the icon that looks like a grid of squares


     
  6. Add Chrome app or extension by ID

  7. You can add the Apps/Extensions using the extension IDs listed below:

    App IDs

    FileWave Inventory: ldhgnmkjehdokljjhcpkbhcmhoficdio

    FileWave Engage for Chromebooks: ohphobhpnpphfbdifmhjhcjbdecgbmhn

    FileWave Engage Extension: lajmdphbfjlbhgibfifhjcblodepejnj

  8. Hit Save at the top


Deploy configuration for the Inventory Extension

  1. In FileWave Admin open the Preferences

  2. Go to the Google/Chromebooks tab
  3. Click Export Policy for Extension and save the file


  4. Open the Google Admin Console 
    admin.google.com
  5. Click Devices
  6. On the left sidebar, click Chrome > Apps & Extensions > Users & Browsers
  7. In the list, find the FileWave Inventory extension and click it on it
  8. Scroll down to Policy for extension
  9. Paste in the contents of the JSON you downloaded in step 3 of this section
  10. Save your changes above
  11. At his point you will want to consider the Installation policy for the FileWave extensions. You will either want to Force install or to Force install + pin to browser toolbar to ensure the extensions are active. If you have several Organizational Units you may want to consider if you are going to set this at the domain level and if all the OUs will inherit the setting.

    It is important that the OUs that you enable this on either be all of them or at a minimum you need to enable it for both the User and Device OUs that you will be using with FileWave.

Location Tracking Permissions

If you're wanting to use Location Tracking, you will need to "Allow sites to detect Users' geolocation" in Google Admin. You will find this option in Devices > Chrome > Managed browsers, on the page that loads it will be under Security > Geolocation. For this setting you want to ensure that you set it at the level in the organization that it should apply to. In the image below we only enabled it for Foundry Chromebooks but did not set it for all. If you would like to enable Geolocation for all devices then make sure you set it at the domain level and also make sure that none of your OUs are set to ignore inheritance of this setting. Simply check the setting on each OU and you will see what it is set to. 

Just like with the Extensions, it is important that the OUs that you enable this on either be all of them or at a minimum you need to enable it for both the User and Device OUs that you will be using with FileWave.





Congratulations, you can now manage your Chromebooks with FileWave!


Troubeshooting

If for any reason you experience issues seeing your ChromeOS devices in FileWave or issues with reporting then see the notes in our Chrome Troubleshooting Guide