Sunday, November 27, 2011

Getting started with Chrome OS Device Policy

One of the nice things about getting a Chrome OS device as part of ChromeBooks for Business is the policy control options.

After the device is enrolled in the domain, you have two device policies:

- allow / disallow guest
- restrict logins to specified accounts.

The latter takes wildcards so you specify * so only members of your domain can log on.

To get device policies you need to enroll the device.

  1. Start the Chromebook.
    Power up your Chromebook by pressing the power button on the top-right corner of the keyboard.
  2. Select your language.
    On the "Let's get started" screen that appears, select the interface language to use by default. If prompted, select a keyboard input method too.
  3. Connect to a network.
    Select a Wi-Fi network from the network menu.
  4. Accept the terms of service.
    The Chromebook downloads any available system updates.
  5. Before signing in to the Chromebook, press the key combination Ctrl-Alt-E.
    The enrollment screen appears.
  6. Enter the user name and password you received in your welcome letter from Google, or the user name and password for your existing Google Apps account if you have one.
  7. Click Enroll device.
    The Chromebook is now enrolled and will follow the organizational policies you define.

If the device has already been setup either for another domain, or already has users configured, then you need to wipe the device and start again. For the Samsung Series 5:

  1. Turn off the Chromebook.
  2. Locate the black cover with a SIM card icon, on the right side of the device next to the USB port.
  3. Open the black cover and gently move the switch underneath it to the right (toward the USB port) using a paper clip or a pen tip.
    Moving the switch to this position puts the Chromebook into Developer mode.
  4. Start the Chromebook.
    The screen displays a sad face icon rather starting up immediately.
  5. Press Ctrl-D to begin the wiping process.
    If you don't press Ctrl-D, the process starts automatically after 20 seconds. The Chromebook begins returning to its initial internal state. The process takes about 5 minutes.
     Do not turn off the Chromebook during the wiping process.
    The sad face icon appears again when the process is complete.
  6. Press Ctrl-D again, or wait for 20 seconds.
    The initial sign on screen appears.
  7. Turn off the Chromebook.
  8. Return the switch from step 3 to its original position (away from the USB port, which is normal mode) and close the black cover.
  9. Start the Chromebook.
  10. Enroll the Chromebook before signing in to it.

There are a heap loads of user settings, of which the most interesting is likely the ability to control extensions.
Policy Description
Extension IDs to allow By default, the user can install any extension that does not appear in the list of Extension IDs to block. You only need to list an extension to this text box if the extension has an Extension ID that falls within the Extension IDs to block but you want to allow it.For example, if the Extension IDs to block is set to the wildcard *, all extensions are blocked except for the specific ones listed in the Extension IDs to allow text box.
Extension IDs to block Specifies extensions that users are not allowed to install. Identify the extension by its Extension ID, with extensions separated by commas. The user can run any extension that does not appear in the list of Extension IDs to block.A value of * means all extensions are blocked unless they are explicitly listed in theExtension IDs to allow text box.
Extension to preinstall Specifies extensions to install automatically. Users cannot uninstall these extensions.You must supply both the Extension ID and the URL where the extension is posted, separated by a semi-colon. For gallery extensions, the URL is For example, to install the Gmail Checker Extension, enter this string in the Extension to preinstall text box:
You can't preinstall any extension whose ID appears among the Extension IDs to block.

I wasn't able to find an easy way to get the ExtensionID and URL. Still working on that.

No comments: