Deploying the Chromebook extension

To deploy the Absolute for Chromebooks extension (Chromebook extension) to your Chromebook™ devices, you need to add your Google account to the Secure Endpoint Console and make changes to some settings in the Google Admin console. If you are licensed for Investigations support, you also need to configure a "Stolen" organizational unit (OU) to help the Investigations team track and recover Chromebooks that your organization has reported stolen.

To ensure the proper deployment of the Chromebook extension, you must complete the following three tasks:

You only need to configure the Stolen OU if you are licensed for Investigations support.

To add your Chromebooks to your Absolute account, you need to add your Google account in the Secure Endpoint Console and select the OUs containing the devices that you want to add. This process enables Absolute to sync data from Google. The data is used to activate the Chromebook extension and supplement data reported by the Chromebook extension.

You do not need hands-on contact with each target device, but each device must have an active connection to the Internet to receive the extension.

To add your Google account to Absolute:

  1. Log in to the Secure Endpoint Console as a user with Manage permissions for Policies.
  2. On the navigation bar, click Settings > Chromebook settings.
  3. Click Add Google account. Alternatively, if there are no Google account in the Secure Endpoint Console, you can click Add Google account in the work area.

  4. Select your Google account. You are redirected to Google's authentication page. Follow the prompts provided by Google to sign in to your account and allow Absolute access.

    Google describes the OAuth 2.0 scopes that Absolute must request to access your Google account information using the Google APIs. These scopes are the minimum required to sync Google data into Absolute.

    Your Google account and its OUs show in the work area on the Chromebook settings page.

  5. After returning to the Secure Endpoint Console, select the checkbox next to each OU containing the Chromebooks you want to sync. Selecting a parent OU also selects its children. To remove a selection, click the fully selected checkbox.

    Use one of the following methods to find the OUs you want to select:

    • To search for an OU, enter all or part of the OU name in the Filter Chromebook OU field. The results update dynamically as you type once you have entered at least two characters. The OU structure is maintained in the search and matching selections are highlighted.
    • To navigate the organizational structure to find the OU, scroll the page to find the item. Each account shows with the top level OUs. Click to expand an OU and see its children.

After two seconds, your changes are automatically saved.

Absolute schedules a sync with your Google account in 20 minutes time. The sync should take no longer than an hour. After the initial sync, Absolute schedules an automatic sync every 24 hours.

When the sync process is complete, the last updated time is populated below the Google account on the Chromebook settings page. Each OU has a count of the number of devices in it that are synced with the Secure Endpoint Console. The count for a parent OU doesn't include the devices that belong to its children.

To ensure that your Chromebooks fully support the Chromebook extension, you must configure both Device Settings and User & Browser Settings in the Google Admin console. There are additional settings that only need to be updated if they are no longer set to their default values. Occasionally, review all settings to ensure they haven't been changed accidentally.

Editing Device Settings

If all of your devices are in OUs under a parent OU, complete the following steps once with the parent OU selected. If they are not under a parent OU, make sure you complete these steps for each OU that contains Chromebooks that you want to synchronize with the Secure Endpoint Console.

To edit Device Settings:

  1. Log in to the Google Admin console using the credentials for the account that you use to manage your devices.

  2. Navigate to Device Settings:

    1. From the Google Admin console home page, click Devices.
    2. On the navigation bar, expand Chrome.
    3. On the navigation bar under Chrome, expand Settings.
    4. On the navigation bar under Chrome > Settings, click Device.

  3. On the navigation bar, search for and select the OU containing the Chromebooks you want to add to Absolute and edit its Device Settings as follows:

    1. In the Enrollment and access section, set the Forced re-enrollment field to Force device to automatically re-enroll after wiping.

    2. In the Sign-in settings section:

      1. set the Guest mode field to Disable guest mode.
      2. set the Sign-in restriction field to Restrict sign-in to a list of users and enter *@<YourDomain.com> in User whitelist.
    3. In the User and device reporting section, set the second Device reporting field to Enable tracking recent device users.
  4. Click SAVE.

Reviewing Device Settings

If you haven't changed the default values for the following settings, no action is required. If you are unsure, you can verify these settings and update them if they differ.

  • In the Device update settings section:

    • the Auto-update settings > Device updates field should be set to Allow updates, which enables updates to the Chromebook extension to be deployed automatically to the device.
    • the Release channel field should be set to Stable channel.
  • In the Kiosk settings section, set Managed guest session to Do not allow managed guest sessions.

Editing User & Browser Settings

If all of your users are in OUs under a parent OU, complete the following steps once with the parent OU selected. If they are not under a parent OU, make sure you complete these steps for each OU that contains users that you want to deploy the Chromebook extension to.

To edit User & Browser Settings:

  1. Log in to the Google Admin console using the credentials that you use to manage your users.

  2. Navigate to User & Browser Settings:

    1. From the Google Admin console home page, click Devices.
    2. On the navigation bar, expand Chrome.
    3. On the navigation bar under Chrome, expand Settings.
    4. On the navigation bar under Chrome > Settings, click Users & browsers.

  3. On the navigation bar, search for and select the OU containing the users you want to deploy the Chromebook extension to and edit its User & Browser Settings as follows:

    1. In the Security section, set the Geolocation field to Allow sites to detect users' geolocation.

      If the Geolocation field is set to Do not allow sites to detect users' geolocation, no location data is sent to Absolute. If the Geolocation field is set to Allow the user to decide or to Always ask the user if a site wants to detect their geolocation, and the user turns off geolocation, no location data is sent to Absolute.

    2. In the Content section, set the URL blocking field by adding chrome://serviceworker-internals, chrome://kill, and chrome://hang to Blocked URLs.
    3. In the User experience section, set the Developer tools field to either Allow use of built-in developer tools except for force-installed extensions or Never allow use of built-in developer tools.
  4. Click SAVE.
  5. Scroll up to the Apps and extensions section and click application settings page.
  6. In the Additional applications settings section, select all the apps and extensions in Allowed types of apps and extensions.
  7. Click SAVE.

Reviewing User & Browser Settings

If you haven't changed the defaults for the following settings, no action is required. If you are unsure, you can verify these settings and update them if they differ.

  • In the Enrollment controls section:

    • the Device enrollment field should be set to Keep Chrome device in current location.
    • the Enrollment permissions field should be set to Allow users in this organization to enroll new or re-enroll existing devices.
  • In the Connected devices section, the Smart Lock field should be set to Do not allow Smart Lock.

Go to Deploying the Chromebook extension to users to complete the next step in the configuration.

Absolute distributes the Chromebook extension through the Chrome Web Store. This section describes how to use the Extension ID to find the extension and configure it as a force-installed app in the Google Admin console. The extension only loads and operates properly on Chromebooks that are active in the Secure Endpoint Console.

If all of your users are in OUs under a parent OU, complete the following steps once with the parent OU selected. If they are not under a parent OU, make sure you complete these steps for each OU that contains users that you want to deploy the Chromebook extension to.

To deploy the Chromebook extension:

  1. Log in to the Secure Endpoint Console as an Administrator.

  2. Do one of the following:

    1. On the navigation bar, click Settings > Chromebook settings.
    2. On the quick access toolbar, click (Absolute for Chromebooks extension).
    1. On the navigation bar, click Settings > Agent Management.
    2. Click Absolute for Chromebooks extension. Alternatively, you can click (Absolute for Chromebooks extension) on the quick action toolbar.
  3. Click Copy ID. The extension ID is copied to your clipboard.
  4. Click Download the Chromebook policy file.
  5. Follow the on-screen instructions to download the AbsoluteChromebookPolicy.txt file. Depending on your browser and operating system, you may need to click through several dialogs to download the file.
  6. Log in to the Google Admin console using the credentials for the account that you use to manage your users.

  7. Navigate to Users & Browsers:

    1. From the Google Admin console home page, click Devices.
    2. On the navigation bar, expand Chrome.
    3. On the navigation bar under Chrome, expand Apps & extensions.
    4. On the navigation bar under Chrome > Apps & extensions, click Users & browsers.
  8. On the navigation bar, search for and select the OU containing the users you want to deploy the Chromebook extension to.
  9. Hover over and click (Add Chrome app or extension by ID).
  10. Paste the extension ID you copied from the Secure Endpoint Console into the Extension ID field, and click SAVE.
  11. Next to the Absolute for Chromebooks app, select Force Install on the Installation policy drop-down.
  12. In the Policy for extensions section, click (Upload from file).
  13. Navigate to and select the AbsoluteChromebookPolicy.txt you downloaded from the Secure Endpoint Console.
  14. Click SAVE.

The Chromebook extension is saved to the list of force-installed apps for your device. When an authorized user logs in to the Chromebook, the extension is deployed to the device.

After the Chromebook extension is deployed to your Chromebooks, it is activated with its first secure connection to the Absolute Monitoring Center. The extension then makes regularly scheduled connections to the Absolute Monitoring Center on a daily basis. During these connections, the extension sends the latest device data to the Absolute Monitoring Center and instructions for any pending security operations, such as Device Freeze, are sent to the device. Data from the Chromebook extension is periodically synchronized into Absolute reports.

If a user without the Chromebook extension associated with their organizational unit (OU) logs into a device that is synced with Absolute, the device doesn't call in to Absolute. Unless a user with the Chromebook extension logs into the device, the device appears as a dark device in the Secure Endpoint Console.

If your license includes the Investigations feature, go to Configuring the Stolen OU to complete the configuration.

If your license doesn't include the investigations feature, you have successfully deployed the Chromebook extension.

This task is only required if your license includes the Investigation feature.

For the Absolute Investigations team to track and recover a Chromebook you've reported stolen, you need to create a "Stolen" OU, associate a Managed guest session with it, and configure Device Settings for it.

If you haven't set up a Stolen OU, complete the following tasks:

If you have previously set up the Stolen OU with the Kiosk app, change the Stolen OU to use a Managed guest session. To switch to a Managed guest session, you need to complete both the following tasks:

For more information about the Managed guest session, see What effect does a Managed guest session have on a stolen Chromebook?

Creating the Stolen OU

To create the Stolen OU:

  1. Log in to the Google Admin console using the credentials for the account that you use to manage your devices.

  2. Under your domain in your Google account, create an OU and name it Stolen. Ensure that you create the OU at the root of your domain. The Stolen OU needs to be in place before the Absolute Investigations team can track and recover a Chromebook if it is stolen.

    You must name the OU Stolen with no variation. If you don't use the exact name, the Investigations team can't track and recover a stolen Chromebook.

    For more information about creating OUs, see the Google Admin console documentation.

To finish setting up the Stolen OU, complete Editing the Stolen OU settings.

Deleting the Kiosk app

Only complete this step if you have previously set up the Stolen OU to use the Kiosk app.

To delete the Kiosk app:

  1. Log in to the Google Admin console using the credentials for the account that you use to manage your devices.

  2. Navigate to Kiosks:

    1. From the Google Admin console home page, click Devices.
    2. On the navigation bar, expand Chrome.
    3. On the navigation bar under Chrome, expand Apps & extensions.
    4. On the navigation bar under Chrome > Apps & extensions, click Kiosks.
  3. On the navigation bar, search for and select the Stolen OU.
  4. Click the Browser app and click .
  5. Click SAVE.

To configure a Managed guest session, complete Editing the Stolen OU settings.

Editing the Stolen OU settings

To configure the Stolen OU

  1. Log in to the Secure Endpoint Console as an Administrator.

  2. Download the Absolute for Chromebooks extension:

    1. Do one of the following:

      1. On the navigation bar, click Settings > Chromebook settings.
      2. On the quick access toolbar, click (Absolute for Chromebooks extension).
      1. On the navigation bar, click Settings > Agent Management.
      2. Click Absolute for Chromebooks extension. Alternatively, you can click (Absolute for Chromebooks extension) on the quick action toolbar.
    2. Click Copy ID. The extension ID is copied to your clipboard.
    3. Click Download the Chromebook policy file.
    4. Follow the on-screen instructions to download the AbsoluteChromebookPolicy.txt file. Depending on your browser and operating system, you may need to click through several dialogs to download the file.
  3. Log in to the Google Admin console using the credentials for the account that you use to manage your devices.

  4. Navigate to Managed Guest Sessions Settings:

    1. From the Google Admin console home page, click Devices.
    2. On the navigation bar, expand Chrome.
    3. On the navigation bar under Chrome, expand Settings.
    4. On the navigation bar under Chrome > Settings, click Managed guest sessions.

  5. On the navigation bar, search for and select the Stolen OU and edit its Managed Guest Session Settings as follows:

    1. In the General section:

      1. set the Managed guest session field to Auto-launch managed guest session.
      2. enter the name you want your users to see for the Managed guest session in Session name to display on the login screen. For example, "Guest mode" or "School Name Chromebook".
    2. In the Security section, set the Incognito mode field to Disallow incognito mode.
  6. Click SAVE.

  7. Deploy the Absolute for Chromebooks extension:

    1. In the Apps and extensions section, click apps & extensions page.
    2. With the MANAGE GUEST SESSIONS tab selected, hover over and click (Add Chrome app or extension by ID).
    3. Paste the extension ID you copied from the Secure Endpoint Console into the Extension ID field, and click SAVE.
    4. Next to the Absolute for Chromebooks app, select Force Install on the Installation policy drop-down.
    5. In the Policy for extensions section, click (Upload from file).
    6. Navigate to and select the AbsoluteChromebookPolicy.txt you downloaded from the Secure Endpoint Console.
    7. Click SAVE.

    The Chromebook extension is saved to the list of force-installed apps for your device for the Stolen OU.

  8. Navigate to Device Settings:

    1. From the Google Admin console home page, click Devices.
    2. On the navigation bar, expand Chrome.
    3. On the navigation bar under Chrome, expand Settings.
    4. On the navigation bar under Chrome > Settings, click Device.

  9. Edit the Device Settings as follows:

    1. In the Enrollment and access section, set the Forced re-enrollment field to Force device to automatically re-enroll after wiping.

    2. In the Sign-in settings section:

      1. set the Guest mode field to Disable guest mode.
      2. set the Sign-in restriction field to Restrict sign-in to a list of users and enter *@<YourDomain.com> in the User whitelist field.
    3. In the Kiosk settings section, set Managed guest session to Auto-launch managed guest session.

    4. In the User and device reporting section:

      1. set the Report device hardware information field to Enable all hardware information reporting.
      2. set the Report device telemetry field to Enable all telemetry reporting.
      3. set the Report device user tracking field to Enable tracking recent users.
  10. Click SAVE.

  11. Navigate to User & Browser Settings:

    1. From the Google Admin console home page, click Devices.
    2. On the navigation bar, expand Chrome.
    3. On the navigation bar under Chrome, expand Settings.
    4. On the navigation bar under Settings, click Users & browsers.
  12. In the Security section, set the Geolocation field to Allow sites to detect users' location.
  13. Click SAVE.

In the future, when you report a Chromebook stolen, the Absolute Investigations Team moves the device to the Stolen OU, which forces the device to open in a Managed guest session. Depending on the polling time period set for your Google account, it may take up to 24 hours for the Chromebook to open in a Managed guest session. If the device is restarted, it opens in a Managed guest session immediately. Using a Managed guest session helps the Investigations Team track and recover the Chromebook.

What effect does a Managed guest session have on a stolen Chromebook?

After the Managed guest session is running on the Chromebook, device and geolocation information is sent to the Absolute Monitoring Center where it is made available to the Absolute Investigations Team to assist in the device’s recovery.

From a user’s perspective, stolen devices in a Managed guest session have the following characteristics:

  • The user sees a message that their activity is being monitored when the device is restarted.
  • The user is automatically logged in to guest mode when they reach the Chrome OS login screen.
  • The user can configure settings local to their session.
  • The user cannot add new users.

When the device is recovered and the Absolute Investigations team closes the Investigation Report:

  • The device is moved back to its original OU in your Google account.
  • The device is no longer run as a Managed guest session.
  • Full Chrome device functionality is restored.