Applies to Windows users who sign in to a managed account on Chrome browser.
As an administrator, you can use Microsoft Intune to apply a Chrome Enterprise Core enrollment token and enroll your Chrome browsers. You can then use your Google Admin console to enforce policies for any users who open Chrome browser on an enrolled Microsoft Windows device.
Before you begin
- Make sure you have access to the Admin console to generate an enrollment token for the machines that you want to enroll. For details, see Enroll cloud-managed Chrome browsers.
Option 1: Ingest Chrome ADMX via a Custom OMA-URI setting to deploy enrollment token
Step 1: Import Chrome ADMX policies into Intune
- Download the Chrome ADMX templates.
- Sign in to the Microsoft Endpoint Manager admin center.
- Go to Intune > Devices > Configuration profiles.
- Next to Devices – Configuration profiles, click Create profile.
- From Platform, select Windows 10 or later.
- For Profile type, select Templates – Custom, then click Create.
- Enter the following text in these fields:
  - Name: Windows 10 – Chrome configuration (or use any descriptive name)
  - Description: Enter a description (optional)
- Click Next.
- Selecting Custom in the step above opens a new menu for OMA-URI settings. Click Add to add specific policies you can configure and enter the following text:
  - Name: Chrome ADMX Ingestion
  - Description: Enter a description (optional)
  - OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
  - Data type: String (select from drop-down list)
- When you select String, a Value text field opens. On your computer, go to template\windows\admx\chrome.admx and copy the text from chrome.admx.
- In the Value field, paste the chrome.admx text.
- Click Save to save the Custom OMA-URI settings.
- Click Next.
- Add the groups, users or devices that you want to apply the policy to.
Step 2: Set up Custom OMA-URI settings for applying the enrollment token
- Sign in to the Microsoft Endpoint Manager admin center.
- Go to Intune > Devices > Configuration profiles.
- Click the Windows 10 – Chrome configuration profile you created in step 1.
- Select Properties > Configuration Settings > Edit to open the Custom OMA-URI settings.
- Click Add to add a row.
- Enter text into the fields, following the examples below for the type of policy you’re implementing.
  Note: Listing a description is optional, but the other fields are required.
  - Name: Chrome Enterprise Core Enrollment Token
  - Description (optional): Enroll Chrome browsers in Chrome Enterprise Core
  - OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/CloudManagementEnrollmentToken
  - Data type: String (select from drop-down list)
  - Value:
    <enabled/> <data id="CloudManagementEnrollmentToken" value="insert enrollment GUID here"/>
- After you’ve set the policies you want to configure, click Save to save the Custom OMA-URI settings.
- Click Review > Save when you have added all of your configuration settings.
- At the top, click Save to save the Windows 10 – Chrome configuration settings. You will see a Profile saved notification when successful.
Option 2: Deploy PowerShell script to add a registry entry for the enrollment token
- Generate a token GUID from the Admin console for the organizational unit that you want your targeted devices to be enrolled in.
- Use the following command in PowerShell, replacing tokenvaluefromadminconsole in the example below with the GUID generated from the Admin console in step 1.
  Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Google\Chrome -Name "CloudManagementEnrollmentToken" -Value "tokenvaluefromadminconsole"
- Save the file as a PS1 and place it in a location that Intune can access.
- Sign in to the Microsoft Endpoint Manager admin center.
- Go to Intune > Devices > Scripts, click Add, and select Windows 10.
- Give the script a name, such as Chrome Enterprise Core Enrollment Script, optionally enter a description, and click Next.
- For the script location, browse to the script you created in step 3 above. Leave the defaults at No for the rest of the settings, unless you have additional requirements for running scripts within your environment.
- Click Next.
- Select the group or groups that you want to target the script to and click Next.
- Review the summary and click Add. The policy is deployed to your selected groups.
- You can monitor the success rate of the deployment under Devices > Scripts by clicking the name of the script that you created in the previous steps.
Note: Chrome needs to be restarted in order for the enrollment to take effect.
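The Option 2 command assumes the policy key already exists and writes whatever string it is given. The script below is an added example, not Google's or Microsoft's own code: it validates the token as a GUID (as this page describes it), creates the key if it is missing, reads the value back, and exits non-zero on failure. The variable names and messages are illustrative, and the token value is a placeholder.

```powershell
# Added example: hardened variant of the Option 2 one-liner.
# Placeholder: replace with the GUID generated in the Admin console.
$EnrollmentToken = 'tokenvaluefromadminconsole'
$PolicyKey       = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$ValueName       = 'CloudManagementEnrollmentToken'

# Refuse to write the unedited placeholder or a malformed value.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($EnrollmentToken, [ref]$parsed)) {
    Write-Output 'Enrollment token is not a valid GUID; nothing was written.'
    exit 1
}

try {
    $ErrorActionPreference = 'Stop'

    # Set-ItemProperty fails when the key is absent, so create it first.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }

    # Only write when the stored value differs, so reruns are idempotent.
    $current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName `
                -ErrorAction SilentlyContinue).$ValueName
    if ($current -ne $EnrollmentToken) {
        Set-ItemProperty -Path $PolicyKey -Name $ValueName `
            -Value $EnrollmentToken -Type String
    }

    # Read back to confirm the write landed.
    $written = (Get-ItemProperty -Path $PolicyKey -Name $ValueName).$ValueName
    if ($written -ne $EnrollmentToken) { throw 'Read-back value does not match.' }

    # A 32-bit host on 64-bit Windows is redirected to WOW6432Node for
    # HKLM:\SOFTWARE, so report which host ran. The token itself is not logged.
    Write-Output ("Token set under $PolicyKey (64-bit host: {0})." -f `
                  [Environment]::Is64BitProcess)
    exit 0
}
catch {
    Write-Output "Failed to set enrollment token: $($_.Exception.Message)"
    exit 1
}
```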