Understanding ChromeOS policies Flashcards
Forced re-enrollment
ecifies whether ChromeOS devices are forced to re-enroll into your account after they’ve been wiped. By default, wiped devices automatically re-enroll into your account without users having to enter their username and password.
To stop automatic re-enrollment becoming the default behavior for your wiped devices, choose an option:
Device is not forced to re-enroll after wiping—Users can use the device without re-enrolling it into your account. Force device to re-enroll with user credentials after wiping—Users are prompted to to re-enroll the device into your account.
If forced re-enrollment is turned on and you don’t want a specific device to re-enroll in your account, you need to deprovision the device.
For details on forced re-enrollment, see Force wiped ChromeOS devices to re-enroll
Verified access
This setting enables a web service to request proof that its client is running an unmodified ChromeOS device that’s policy-compliant (running in verified mode if required by the administrator). The setting includes the following controls:
Enable for content protection–Ensures that ChromeOS devices in your organization will verify their identity to content providers using a unique key (Trusted Platform Module). Also ensures that Chromebooks can attest to content providers that they’re running in Verified Boot mode. Disable for content protection–If this control is disabled, some premium content may be unavailable to your users.
For more details for admins, go to Enable Verified Access with ChromeOS devices. For developers, go to the Google Verified Access API Developer Guide.
Enrollment controls
To enforce the device policies you set in your Google Admin console, you need to enroll ChromeOS devices. If you’re a Chrome Enterprise Upgrade, Chrome Education Upgrade, or Kiosk & Signage Upgrade customer, you can let users enroll them. Each enrolled device complies with the policies you set until you wipe or deprovision it.
Note: Your account type determines what Chrome features are available to you. For example, if your organization has an education account and you enroll a ChromeOS device bundled with Chrome Enterprise Upgrade, you can’t access Chrome features that are exclusive to enterprise accounts.
ChromeOS devices bundled with Chrome Enterprise Upgrade or Chrome Education Upgrade automatically prompt users to enroll after they accept the end-user license agreement. After enrollment, users can sign in and start using the device. If they’re not prompted to enroll, users should press Ctrl+Alt+E or select Enterprise enrollment before anyone signs in.
You must enroll devices before anyone signs in to them. If you don’t, you need to wipe the device and restart enrollment. For details, see Wipe ChromeOS device data.
If you want to control which users can enroll devices in your domain, see the Enrollment permissions user policy.
By default, devices automatically enroll in the top-level organizational unit. If you want devices to automatically enroll in the organizational unit that the user belongs to, see the Device enrollment user policy.
