Skip to end of metadata
Go to start of metadata

clientchromelogo



The following processes and steps will walk you through getting your FileWave server setup to manage Chromebooks. Current functionality will allow you to pull/query inventory data and utilize our location tracking feature in FileWave. Some steps can be skipped if certain accounts and projects were made beforehand.


If you are unsure whether or not you are able to use Chromebooks with FileWave you can use the resources below:

  • List of countries where Chrome OS Management licenses are sold directly by Google to end customers:
    Go to https://eduproducts.withgoogle.com/, click 'contact sales', and then look at the drop-down menu 'Country' - if the country is in the list, it's supported.
  • Even if the country is not listed under list above, a local google partner might be able to help :
    https://www.google.com/a/partnersearch

Required Items

  • Google Domain

    • Admin rights within the Google Domain
    • At least one Chromebook

    • Chromebooks Enterprise enrolled
    • Pre-existing Google Organizational Unit structure (RECOMMENDED)

  • Running FileWave Server

Setup


JSON File

Before we can begin we need to create the .json file needed to configure the OAuth token section in the FileWave Admin.

  1. Go to the below address to start the process:
    https://console.developers.google.com/flows/enableapi?apiid=admin,calendar,classroom,drive,driveactivity.googleapis.com,gmail,groupssettings,licensing,plus,contacts
  2. Once there, keep the selection "Create a project" and select Continue (we'll rename the project later)



  3. Agree to terms and select your Country of Residence – Agree and Continue

  4. Click Go to credentials 

    CB-smallAPIenabled

  5. Now we'll edit the project name before making the credentials, click the hamburger icon on the top right corner and choose Project Settings



  6. Rename your new project and Save

  7. Now a service account has to be created, click the hamburger icon in the top left corner and select Credentials under APIs & Services



  8. Select Create Credentials > Help Me Choose at the top of the page



  9. Fill out the form as seen below:
    Which API are you using? > Admin SDK
    Are you planning to use this API with App Engine or Compute Engine? > No, I'm not using them



  10. Click What credentials do I need?
  11. Enter a name for the service account. Remember this name for later
  12. For the role make it Owner which is in the sub menu Project
  13. Select the JSON option before hitting continue






Enable Google Apps Domain-wide delegation

  1. Click the hamburger icon in the top left corner and select Identity > Service Accounts



  2. After you are in service accounts you will need to find the account name you created in the previous steps
  3. Select the Actions menu and click Edit



  4. Once you hit Edit you need to Show Domain-Wide Delegation, check Enable G Suite Domain-wide Delegation, and then give it a Product name for the consent screen before then saving



Authorize API scopes

  1. Go to the Credentials section under APIs & Services
  2. Once there copy the Client ID you created in the earlier steps under the OAuth 2.0 client ID section.


  3. In your browser, open another tab and go to the Google Admin console
    admin.google.com

  4. Once there select Security


  5. Scroll down and select API Controls 
  6. Click Manage Domain Wide Delegation
  7. Select Add new
  8. Paste the copied Client ID from step 2 in this section into the Client Name field
  9. Copy and paste the following into the One or More API Scopes field all at once then hit Authorize

    https://www.googleapis.com/auth/admin.directory.device.chromeos,
    https://www.googleapis.com/auth/admin.directory.customer,
    https://www.googleapis.com/auth/admin.directory.orgunit
  10. After you Authorize you should see the new entry below (your Client ID will be different)


The Chrome API requires a user to be used in conjunction with a "delegated user".

Any Google user with correct privileges can be used. Make sure whatever Google user you use has a role with the minimum privileges below:

  • Admin Console Privileges / Organization Units (Note that this will automatically give corresponding Admin API Privileges)
  • Admin Console Privileges / Services / Chrome OS / Manage Devices

Once you have your Google user with the proper role setup, get back to the Credentials section so we can tie the Google user with the service account created. https://console.developers.google.com/apis/credentials

  1. Select Manage service accounts by the Service Accounts section
  2. Check your service account
  3. Show Info Panel at the top
  4. Then Add Member 



  5. Add the Google User and give it the Service Account User and Service Account Token Creator roles


Sync Google with FileWave

  1. Be sure you have set up Google Cloud Messaging (GCM/Firebase) Setup
  2. Open your FileWave Preferences and select the Chromebooks/Google Tab (name depends on version)
  3. Once there click the Configure OAuth token button at the top
  4. You will be prompted for the superuser credentials
  5. After authenticating simply type in the Google Account you associated to the service account
  6. Last step will be to import the .json file you saved at the beginning of this document


  7. After you press OK FileWave will sync automatically with Google


  8. Now if you go into the Clients section in FileWave you will see a Chromebooks group with the same structure and devices you have in your Google Admin. This may take some time.



Deploying the MDM Certificate

If you would like to use FileWave Engage with Chromebooks you will need to follow the instructions below but open the Engage tab in step 2 and 4.

  1. In the FileWave Admin, open the Preferences
  2. Go to the General tab
  3. In the SSL Certificate Management section, make sure you have a valid root trusted certificate with a valid Common Name that matches your FileWave Server name (FQDN)
  4. Go to the Google/Chromebooks tab
  5. Click Export Certificate
  6. Save the certificate locally


  7. Follow the instruction listed in the following URL from Google to upload your certificate to Google
    Please Note: Make sure the checkbox "Use this certificate as an HTTPS certificate authority." is checked for the MDM certificate
    https://support.google.com/chrome/a/answer/6342302?hl=e

Deploying the FileWave Inventory Extension

  1. Open admin.google.com

  2. Click Devices
  3. On the left sidebar, click Chrome > Apps & Extensions > Users & Browsers



  4. On the left sidebar, select the OU you want to assign the extensions too
  5. click the Plus Sign +


  6. Add Chrome app or extension by ID

  7. You can add the Apps/Extensions using the extension IDs listed below:

    App IDs

    FileWave Inventory: ldhgnmkjehdokljjhcpkbhcmhoficdio

    FileWave Engage for Chromebooks: ohphobhpnpphfbdifmhjhcjbdecgbmhn

    FileWave Engage Extension: lajmdphbfjlbhgibfifhjcblodepejnj

  8. Hit Save at the top


Deploy configuration for the Inventory Extension

  1. In FileWave Admin open the Preferences

  2. Go to the Google/Chromebooks tab
  3. Click Export Policy for Extension and save the file


  4. Open the Google Admin Console 
    admin.google.com
  5. Click Devices
  6. On the left sidebar, click Chrome > Apps & Extensions > Users & Browsers
  7. In the list, find the FileWave Inventory extension and click it on it
  8. Scroll down to Policy for extension
  9. Paste in the contents of the JSON you downloaded in step 3 of this section
  10. Save your changes above


Congratulations, you can now manage your Chromebooks with FileWave!