Integrating Chromebook Management


Configuring the Google Service Account


Log into google Accounts https://console.developers.google.com/


Click Enable API’s and Services at the top





Click on GSuite from the left-hand menu, then click on Admin SDK


Click Enable (If not already enabled), then click Manage to view this page




Click Credentials on left menu then click Create Credentials on top menu


Select Credentials in APIs and Services





Click Credentials – select Service Account Key




Select new service account and enter the Service Account Name


Select P12 and press create




Select Role as Project Owner – click Create


Save the P12 file on your system as you will load this into SyAM.


Scroll down the Credentials page and Click on Manage Service Accoutns





Find the serivce accont you have just created and click on the three dots on the right side and selct Edit






Within the Service Account Details Page Click to enable the G Suite Domain-wide Delegation


Copy the email and unique ID as these are entered into the SyAM MDM along with the P12 file.


Press Save


You can now Log Out of the Google Developers Console


Update the Google Admin Console


Login to your Google Apps Admin console. https://admin.google.com

Select Security from the list of controls

Select Show more and then Advanced settings from the list of options.

Select Manage API client access in the Authentication section. In the Client Name field enter the service account's Client ID.  113528650269504670471 (This is the Unique ID from the Service Account Details Page)


Paste in the following for the URLS

https://www.googleapis.com/auth/admin.directory.device.chromeos, https://www.googleapis.com/auth/admin.directory.group.member, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.orgunit, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/apps.licensing, https://www.googleapis.com/auth/chromewebstore.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement,https://www.googleapis.com/auth/admin.directory.userschema,https://www.googleapis.com/auth/classroom.courses, https://www.googleapis.com/auth/classroom.rosters


Press the Authorize button






Log into the SyAM MDM Interface


Click on the left menu Managed Devices – select ChromeOS


Upload the P12 file and paste in the ID and email from your Service Account Details


Press Next


Enter the following key for Static Maps - AIzaSyDeLdJqAgsJH87S1yT0WhgdMPo0BHiUk1U


Press Next




Enter the domain and user email that was used to Authorize the Service API in Google Admin Console


Press Save








If you have not already authorized the service API in GAC follow these steps before pressing Sync


If the service account has been authorized Press Sync



Once the Sync Completes you will see the Last Updated date



You can now set the Polling Interval for the GAC Sync and the Site Manager Asset Update



Possible reasons why the error Authorization Status 401 Unauthorized can occur


Incorrect Role chose for the service account – it must be set to Project – Service Account Actor

  • To resolve, delete the two sets of settings in the Chrome OS page in Management Utilities, delete the service account and start the process again, creating a new service account and then add the new service account into Google Admin Console with the URLs.


Incorrect Google Apps Email Address, possibly a typo or the email account used was not the account used when logging into Google Admin Console to add in the URL’s to the Service account.

  •  To resolve delete the Google Apps Domain information in the Chrome OS page in Management Utilities, then enter the correct email address and press save.



Possible reason why the error Authorization Status 403 Unauthorized can occur


API SDK access has not been enabled in the Google Developer Console https://console.developers.google.com/