Configuring GAC with Service Account
Configuring Google Admin Console with the Service Account
Next we need to enable this new service account in Google Admin Console.
Log in to your Google Apps Admin console at https://admin.google.com
Expand Security – Access and data control from the left menu and select API controls
Scroll down the page and select Manage Domain Wide Delegation
Click Add New
Select Manage API client access in the Authentication section. In the Client Name field, enter the service account's Client ID. (This is the Unique ID from the Service Account Details that we pasted into Notepad.)
Paste in the following under OAuth scopes
https://www.googleapis.com/auth/admin.directory.device.chromeos, https://www.googleapis.com/auth/admin.directory.group.member, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.orgunit, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/apps.licensing, https://www.googleapis.com/auth/chromewebstore.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.reports.usage.readonly, https://www.googleapis.com/auth/admin.directory.rolemanagement, https://www.googleapis.com/auth/admin.directory.userschema, https://www.googleapis.com/auth/classroom.courses, https://www.googleapis.com/auth/classroom.rosters
Then click Authorize
Log out of Google Admin Console
Log into the SyAM MDM Interface
Click on the left menu Managed Devices – select ChromeOS
Upload the P12 file and paste in the ID and email from your Service Account Details
Skip the key for Static Maps by pressing Next
Enter the domain and the user email address that was used to Authorize the Service API in Google Admin Console and press Save
After it completes the Sync, it will present the data retrieved from Google.
You can now set the Polling Interval for the GAC Sync and the Site Manager Asset Update
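An added example, not part of the original instructions or SyAM's own tooling: a Python check for the OAuth scope list pasted into Domain Wide Delegation above. It splits the list, rejects malformed or duplicated entries, and separates the .readonly scopes from the read/write ones so the grant can be reviewed before clicking Authorize. The function names and the scope pattern are assumptions made for this example.

```python
import re

# Scope list as it appears on this page; spacing after commas is uneven there too.
PAGE_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.device.chromeos, "
    "https://www.googleapis.com/auth/admin.directory.group.member, "
    "https://www.googleapis.com/auth/admin.directory.user, "
    "https://www.googleapis.com/auth/admin.directory.orgunit, "
    "https://www.googleapis.com/auth/admin.directory.group, "
    "https://www.googleapis.com/auth/apps.licensing, "
    "https://www.googleapis.com/auth/chromewebstore.readonly,"
    "https://www.googleapis.com/auth/admin.reports.audit.readonly, "
    "https://www.googleapis.com/auth/admin.reports.usage.readonly,"
    "https://www.googleapis.com/auth/admin.directory.rolemanagement,"
    "https://www.googleapis.com/auth/admin.directory.userschema,"
    "https://www.googleapis.com/auth/classroom.courses, "
    "https://www.googleapis.com/auth/classroom.rosters"
)
# Assumed shape of a scope URL for this check: fixed prefix, dotted lowercase name.
SCOPE_RE = re.compile(r"https://www\.googleapis\.com/auth/[a-z][a-z0-9_.]*")

def audit_scopes(pasted):
    """Split a comma-separated scope list and classify every entry."""
    report = {"valid": [], "malformed": [], "duplicates": [],
              "read_only": [], "read_write": []}
    for entry in (part.strip() for part in pasted.split(",")):
        if not entry:
            continue  # stray or trailing comma
        if not SCOPE_RE.fullmatch(entry):
            report["malformed"].append(entry)  # e.g. two URLs with no comma between
        elif entry in report["valid"]:
            report["duplicates"].append(entry)
        else:
            report["valid"].append(entry)
            kind = "read_only" if entry.endswith(".readonly") else "read_write"
            report[kind].append(entry)
    return report

def normalized(pasted):
    """Return the clean list to paste, or raise if any entry is malformed."""
    report = audit_scopes(pasted)
    if report["malformed"]:
        raise ValueError("malformed scope entries: %r" % report["malformed"])
    return ",".join(report["valid"])

if __name__ == "__main__":
    print("review (read/write):", audit_scopes(PAGE_SCOPES)["read_write"])
    print(normalized(PAGE_SCOPES))
```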
Possible reasons why the error Authorization Status 401 Unauthorized can occur
Incorrect Role chosen for the service account – it must be set to Project – Service Account Actor
- To resolve, delete the two sets of settings in the Chrome OS page in Management Utilities, delete the service account and start the process again, creating a new service account and then adding the new service account into Google Admin Console with the URLs.
Incorrect Google Apps Email Address: possibly a typo, or the email account entered was not the account used when logging into Google Admin Console to add the URLs to the service account.
- To resolve, delete the Google Apps Domain information in the Chrome OS page in Management Utilities, then enter the correct email address and press Save.
Likely reason the error Authorization Status 403 Unauthorized can occur
Service account created but the API was not enabled
To resolve, log back into Google Cloud at https://console.cloud.google.com/, select your project and click to enable APIs