Important: This activity can be carried out by any one who has been granted the rights by the domain administrator.

Users’ Chrome devices need to be enrolled in your domain before you can enforce policies on them. As an administrator, you can enroll devices or let users enroll them. Enrolled devices adhere to the Chrome management policies you set in the Admin console until you wipe or recover them. 

Note: A device must be enrolled before any user signs in to it (including you as the administrator). If a user signs in first, your policies will not apply, and you must wipe the device to restart enrollment.

Manually enroll Chrome devices

  1. Turn on the Chrome device and follow the onscreen instructions until you see the sign-in screen. Don't sign in yet.

  2. Before signing in to the Chrome device, press Ctrl+Alt+E to go to the enrollment screen.

  3. Enter the username and password from your Google admin welcome letter, or the username and password for an existing G Suite user on your account that has eligibility to enroll.

    Note: You can control which users can enroll in your domain with the Enrollment Permissions* user policy.

  4. Click Enroll device. You'll receive a confirmation message that the device has been successfully enrolled.

Once enrolled, you can find the device in your Admin console by clicking Device management > Chrome devices

Note: By default, devices are enrolled into the top-level organization for your domain. You can change where a device is enrolled with the Device Enrollment user policy.

Enrollment Permissions

By default, users in this organization are allowed to enroll a new or re-enroll a deprovisioned device. Enrolling a new device or re-enrolling a deprovisioned device consumes a license. Users can also re-enroll a device that was wiped or factory reset. Re-enrolling a device that was wiped or factory reset doesn't consume a new license because the device is still managed.

Selecting Only allow users in this organization to re-enroll existing devices (cannot enroll new or deprovisioned devices) allows users to only re-enroll devices that were wiped or factory reset, but not deprovisioned. They can’t enroll new or re-enroll deprovisioned devices (anytime a license would be consumed).

Selecting Do not allow users in this organization to enroll new or re-enroll existing devices prevents users from enrolling or re-enrolling any device, which includes re-enrolling through forced re-enrollment.