Integrating Chromebook Management
Integrating Chromebook Management
Configuring the Google Service Account
Log into google Accounts https://console.developers.google.com/
Click Enable API’s and Services at the top
Click on GSuite from the left-hand menu, then click on Admin SDK
Click Enable (If not already enabled), then click Manage to view this page
Click Credentials on left menu then click Create Credentials on top menu
Select Credentials in APIs and Services
Click Credentials – select Service Account Key
Select new service account and enter the Service Account Name
Select P12 and press create
Select Role as Project Owner – click Create
Save the P12 file on your system as you will load this into SyAM.
Scroll down the Credentials page and Click on Manage Service Accoutns
Find the serivce accont you have just created and click on the three dots on the right side and selct Edit
Within the Service Account Details Page Click to enable the G Suite Domain-wide Delegation
Copy the email and unique ID as these are entered into the SyAM MDM along with the P12 file.
You can now Log Out of the Google Developers Console
Update the Google Admin Console
Login to your Google Apps Admin console. https://admin.google.com
Select Security from the list of controls
Select Show more and then Advanced settings from the list of options.
Select Manage API client access in the Authentication section. In the Client Name field enter the service account's Client ID. 113528650269504670471 (This is the Unique ID from the Service Account Details Page)
Paste in the following for the URLS
https://www.googleapis.com/auth/admin.directory.device.chromeos, https://www.googleapis.com/auth/admin.directory.group.member, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.orgunit, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/apps.licensing, https://www.googleapis.com/auth/chromewebstore.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement,https://www.googleapis.com/auth/admin.directory.userschema,https://www.googleapis.com/auth/classroom.courses, https://www.googleapis.com/auth/classroom.rosters
Press the Authorize button
Log into the SyAM MDM Interface
Click on the left menu Managed Devices – select ChromeOS
Upload the P12 file and paste in the ID and email from your Service Account Details
Enter the following key for Static Maps - AIzaSyDeLdJqAgsJH87S1yT0WhgdMPo0BHiUk1U
Enter the domain and user email that was used to Authorize the Service API in Google Admin Console
If you have not already authorized the service API in GAC follow these steps before pressing Sync
If the service account has been authorized Press Sync
Once the Sync Completes you will see the Last Updated date
You can now set the Polling Interval for the GAC Sync and the Site Manager Asset Update
Possible reasons why the error Authorization Status 401 Unauthorized can occur
Incorrect Role chose for the service account – it must be set to Project – Service Account Actor
- To resolve, delete the two sets of settings in the Chrome OS page in Management Utilities, delete the service account and start the process again, creating a new service account and then add the new service account into Google Admin Console with the URLs.
Incorrect Google Apps Email Address, possibly a typo or the email account used was not the account used when logging into Google Admin Console to add in the URL’s to the Service account.
- To resolve delete the Google Apps Domain information in the Chrome OS page in Management Utilities, then enter the correct email address and press save.
Possible reason why the error Authorization Status 403 Unauthorized can occur
API SDK access has not been enabled in the Google Developer Console https://console.developers.google.com/