Configuring Google Admin Console with the Service Account



Next we need to enable this new service account in Google Admin Console.



Login to your Google Apps Admin console. https://admin.google.com


Expand Security – Access and data control from the left menu and select API controls





Scroll down the page and select Manage Domain Wide Delegation







Click Add New






Select Manage API client access in the Authentication section. In the Client Name field enter the service account's Client ID. (This is the Unique ID from the Service Account Details we had pasted into notepad)










Paste in the following under OAuth scopes

https://www.googleapis.com/auth/admin.directory.device.chromeos, https://www.googleapis.com/auth/admin.directory.group.member, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.orgunit, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/apps.licensing, https://www.googleapis.com/auth/chromewebstore.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement,https://www.googleapis.com/auth/admin.directory.userschema,https://www.googleapis.com/auth/classroom.courses, https://www.googleapis.com/auth/classroom.rosters


Then Click Authorize


Log out of Google Admin Console




Log into the SyAM MDM Interface


Click on the left menu Managed Devices – select ChromeOS

Upload the P12 file and paste in the ID and email from your Service Account Details

Press Next

Skip the key for Static Maps by pressing Next

Enter the domain and the user email address that was used to Authorize the Service API in Google Admin Console and press Save


Press Sync

After it completes the Sync, it will present that data retrieved from Google.



You can now set the Polling Interval for the GAC Sync and the Site Manager Asset Update



Possible reasons why the error Authorization Status 401 Unauthorized can occur 


Incorrect Role chose for the service account – it must be set to Project – Service Account Actor

  • To resolve, delete the two sets of settings in the Chrome OS page in Management Utilities, delete the service account and start the process again, creating a new service account and then add the new service account into Google Admin Console with the URLs.


Incorrect Google Apps Email Address, possibly a typo or the email account used was not the account used when logging into Google Admin Console to add in the URLs to the Service account.

  • To resolve delete the Google Apps Domain information in the Chrome OS page in Management Utilities, then enter the correct email address and press save.



Likely reason the error Authorization Status 403 Unauthorized can occur 


Service Account Created but the API was not enabled

To resolve, log back into the Google Cloud, https://console.cloud.google.com/ select your project and click to enable APIs