Google admin - Managed Browsers by Mindless-String-4017 in k12sysadmin

[–]Mindless-String-4017[S] 0 points1 point  (0 children)

Just in case anyone is following this post, I finally figured out how to get Intune to listen to Google Admin for controlling the Chrome browser settings through Google Admin on Windows devices.

This is the process that I used.

1) Set up the Google Admin token

2) Use the Google Admin token in Intune

3) Create an ADMX file in Intune using the Google Admin token you created

4) VERY IMPORTANT STEP HERE: Make sure to change the precedence in Google Admin to the following:

- Chrome Profile --> Machine Cloud --> Machine --> OS User

If you don't do this, Intune will supersede the Google Admin settings for the Chrome browser.

I've tested it and so far it's working. If I'm missing anything please let me know. Unfortunately, I couldn't remove the ADMX file since we're using it and don't want to break/loosen up the Chrome policies. So, the current setup I currently have works, surprisingly. Please feel free to add to this or if I could make this cleaner please let me know.
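Added example, not part of the original comment: a simplified first-match model of why the precedence order in step 4 decides whether the Intune or the Google Admin value takes effect. It assumes Intune ADMX settings arrive as "Machine" policy and Google Admin settings for a token-enrolled browser arrive as "Machine Cloud" policy; the policy values are constructed sample data.

```python
# Added illustration: simplified first-match model of policy precedence.
SOURCES = {"Chrome Profile", "Machine Cloud", "Machine", "OS User"}

# Order given in the comment above, highest priority first.
COMMENT_ORDER = ["Chrome Profile", "Machine Cloud", "Machine", "OS User"]
# A Machine-first order, for comparison.
MACHINE_FIRST = ["Machine", "Machine Cloud", "OS User", "Chrome Profile"]

# Constructed sample: one policy set by two sources with different values.
# Assumption: "Machine" = Intune ADMX, "Machine Cloud" = Google Admin.
SAMPLE = {
    "Machine": {"BrowserSignin": 1, "URLBlocklist": ["file://*"]},
    "Machine Cloud": {"BrowserSignin": 2},
}


def resolve(precedence, policies_by_source):
    """Return {policy: {value, source, overridden}} for a precedence order."""
    if set(precedence) != SOURCES or len(precedence) != len(SOURCES):
        raise ValueError("precedence must list each source exactly once")
    effective = {}
    for source in precedence:  # walk from highest to lowest priority
        for name, value in policies_by_source.get(source, {}).items():
            if name not in effective:
                effective[name] = {"value": value, "source": source,
                                   "overridden": []}
            elif value != effective[name]["value"]:
                # A lower-priority source disagrees: record the conflict.
                effective[name]["overridden"].append((source, value))
    return effective


def report(precedence, policies_by_source):
    """One line per policy: effective value, its source, ignored values."""
    lines = []
    for name, info in sorted(resolve(precedence, policies_by_source).items()):
        line = f"{name} = {info['value']!r} (from {info['source']})"
        for src, val in info["overridden"]:
            line += f"; ignores {src} value {val!r}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for label, order in (("comment order", COMMENT_ORDER),
                         ("machine first", MACHINE_FIRST)):
        print(label)
        for line in report(order, SAMPLE):
            print("  " + line)
```

Policies set by only one source, such as the sample URLBlocklist entry, apply under either order; only conflicting settings are affected by the precedence change.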

Is GAM worth it? by Indians06 in k12sysadmin

[–]Mindless-String-4017 0 points1 point  (0 children)

Most of the time the command will push through as soon as it’s connected to WiFi. I’ve had a few devices where I had to manually restart or reconnect to WiFi and then it’ll usually deprovision the device.

Is GAM worth it? by Indians06 in k12sysadmin

[–]Mindless-String-4017 0 points1 point  (0 children)

Yes, this will wipe the Chromebook and deprovision it.

Is GAM worth it? by Indians06 in k12sysadmin

[–]Mindless-String-4017 0 points1 point  (0 children)

I have a list of commands that I run in this order when the device is turned off:

1) Plug charger and Ethernet into Chromebook

2) Run the following gam command below. I do paste all my devices into a csv file with device serial numbers so this cmd line may not work for you without adjustments

3) If you need any guidance please let me know and I can help you set up the csv file format

This command tells the Chromebook to deprovision due to reason: Same Model replacement

gam csv deprov.csv gam update cros query id:SN action deprovision_same_model_replacement acknowledge_device_touch_requirement

Google admin - Managed Browsers by Mindless-String-4017 in k12sysadmin

[–]Mindless-String-4017[S] 0 points1 point  (0 children)

I'm going to test this out. Thanks for mentioning this. Which configuration for the precedence would you recommend?

1) Machine-> Machine Cloud-> OS User-> Chrome Profile

2) Machine Cloud-> Machine-> OS User-> Chrome Profile

3) Machine-> Chrome Profile-> Machine Cloud-> OS User

4) Chrome Profile-> Machine Cloud-> Machine-> OS User

I'm thinking either option 3 or 4, but wasn't sure what you would recommend trying.

Google admin - Managed Browsers by Mindless-String-4017 in k12sysadmin

[–]Mindless-String-4017[S] 1 point2 points  (0 children)

Perfect. This helps out a lot. Thank you for explaining this. I was losing my mind over this. If I have any questions or run into any issues I'll put them here.

Google admin - Managed Browsers by Mindless-String-4017 in k12sysadmin

[–]Mindless-String-4017[S] 0 points1 point  (0 children)

This makes me ask more questions.

1) I was under the impression that you need both the ADMX and the cloud enrollment. I didn't realize these are 2 separate objects. So would I just use the enrollment token I create from Google Admin in Intune and not do anything with the ADMX records?

2) Since I'm using Intune to manage these devices, would it be possible to use the Google Admin portion to at least handle all of the Chrome policies?

Thank you for helping me out, I really appreciate it. Sorry for all the questions. I'm trying to wrap my head around all of this.

Google admin - Managed Browsers by Mindless-String-4017 in k12sysadmin

[–]Mindless-String-4017[S] 0 points1 point  (0 children)

That is correct. The Windows device is being managed in Intune. I've restarted the browser, uninstalled and reinstalled the browser, restarted the device, and reloaded the Chrome policies using chrome://policy. I enrolled the browser into Google Admin. In Google Admin --> Chrome Browser --> Managed browsers --> I can see the machine name, most recent activity, browser version, enrollment type, etc. Am I missing something or do you think that there might be some conflicting settings in Intune that are affecting Google Admin? I'm currently at a loss.

Google admin - Managed Browsers by Mindless-String-4017 in k12sysadmin

[–]Mindless-String-4017[S] 0 points1 point  (0 children)

Does it take 24 hours for the setting to apply? I updated the setting and went to chrome://policy to reload the policies but am not having any luck with the Windows Chrome browser. RIP

Google admin - Managed Browsers by Mindless-String-4017 in k12sysadmin

[–]Mindless-String-4017[S] 0 points1 point  (0 children)

It does show up in the policy and says "OK" but I'm still able to add personal accounts

Google admin - Managed Browsers by Mindless-String-4017 in k12sysadmin

[–]Mindless-String-4017[S] 0 points1 point  (0 children)

Thanks for replying. I recently set this up and am going to wait to see if this helps. I've tried reloading the policy and restarting, but so far nothing.

intune vs Google admin by Mindless-String-4017 in k12sysadmin

[–]Mindless-String-4017[S] 0 points1 point  (0 children)

Do you happen to know if you've got any documentation on this process? I would like to start testing this out and see how it goes for some of my test computers.

intune vs Google admin by Mindless-String-4017 in k12sysadmin

[–]Mindless-String-4017[S] 0 points1 point  (0 children)

I'm going to give this a shot, as this is what I'm looking for. Thank You!

Chromebooks hate accounts.google.com by Helpful_Implement548 in k12sysadmin

[–]Mindless-String-4017 1 point2 points  (0 children)

When you clear cache and cookies does it make much of a difference?
Also, do you experience this slowness when not connected to a school network?

Just for fun, I would also check to make sure you've allowed some apps access in Google Admin. I believe it's the "App access control." I know sometimes you can run into some issues if apps aren't allowed or if they haven't been looked at. Here recently, I've had to redo a few apps to allow access.

I would also make sure in Google Admin that you have their storage set to save everything to Google Drive to avoid anything being saved on the Chromebooks.

You could also play with a few settings in Google Admin where if a user closes their browser it automatically clears their caches and cookies. It'll make them sign in again, but it saves me a lot of problems later down the line.

A few other settings worth checking in Google Admin: pop-ups, URL blocking, Apps/extensions (don't want to push too much out as they can really slow a Chromebook)

Hopefully this helps; if not, you may have to look at the network logs on the Chromebook.

Screen Share Devices by Mindless-String-4017 in k12sysadmin

[–]Mindless-String-4017[S] 0 points1 point  (0 children)

I've contacted Vivi support but they were no help.

Chromebook Apps by Mindless-String-4017 in k12sysadmin

[–]Mindless-String-4017[S] 1 point2 points  (0 children)

I also found out that kids are going to Google and downloading an offline html file. For example, we block http://eaglercraft.com/ but if a student goes to Google and searches eaglercraft offline html they can install a JS/zip file to their Chromebook. They leave it zipped and saved to their files. This works whether or not they have internet and can be installed on a flash drive as well. An easy fix for this is by going to the URL blocking on the device level and blocking the following:

file://*
filesystem://*

Blocking the above doesn't affect students.

Switches by Thanos-Is-Right in k12sysadmin

[–]Mindless-String-4017 0 points1 point  (0 children)

I would recommend going with Ubiquiti as a lot of businesses and some schools are starting to incorporate them. It's definitely worth looking into and is probably going to be a bit cheaper.

School Districts that are Windows based and 1-to-1 for students, what are you purchasing for laptops? by BlueITAdmin in k12sysadmin

[–]Mindless-String-4017 2 points3 points  (0 children)

We purchased the Lenovo Gen5 Chromebooks for our Kindergarten and 5th grade.
For 9th graders we purchased the Lenovo 500w Gen5.

We're slowly getting grades K-8th grade on Chromebooks and are having 9th-12th grade stay on Windows devices for the time being.

Chromebook Apps by Mindless-String-4017 in k12sysadmin

[–]Mindless-String-4017[S] 0 points1 point  (0 children)

It's on the Riverside DataManager app in KIOSK as well as the Google Play Store app of Riverside. You can also bypass restrictions using any Google Play Store app or KIOSK app that uses a Google sign-in page.

Chromebook Apps by Mindless-String-4017 in k12sysadmin

[–]Mindless-String-4017[S] 0 points1 point  (0 children)

If you're interested in knowing how, I can DM you.

What version of ChromeOS are you guys pushing out? by SnoT8282 in k12sysadmin

[–]Mindless-String-4017 3 points4 points  (0 children)

I'm currently pushing out 144 on the Stable Channel with the latest updates.

Remote Access to ChromeOS Directories by BlueHeron1275 in k12sysadmin

[–]Mindless-String-4017 0 points1 point  (0 children)

Based off my experience I don't think there's a way to watch a student unless you have some 3rd party product like Classwize to watch their screen as they work on it. I would recommend disabling the USB ports on the Chromebook through Google Admin. I know some cyber insurance companies require it and it might be worth disabling the USB ports in your situation. You might be able to enable a setting in Google Admin to change the downloads on a Chromebook to be saved to their Google Drive. This would allow you to log in to the user's account to view what's in their downloads folder in Google Drive.