Chromebook Zero-Touch Enrollment

Ever wonder how large Schools and Enterprises setup Chromebooks for their students and employees ? Gone are the days when the IT team would have to “image” every single device before giving it to the end-users.

With Chromebooks, “enrolling the device” is usually the critical first step for the device to receive its “device policies”. Without these policies the device may not have sufficient protection to keep the user and the data secure. While Chromebook IT admins do not have to “image” the Chromebooks anymore, they do generally have to “sign in” using School/Enterprise login credentials, into the device to pull the policies for the first time. This process takes a lot of time, and requires the devices to be repackaged before shipping to the end-user.

Zero-touch enrollment is here to help. If you manage a very large and distributed workforce, you may want to ship the devices directly from the OEM or the distributor to the end-user. That is not only cheaper for the organization, but its also faster.

Zero-touch enrollment


To setup Zero-touch enrollment there are a few requirements which I’ll list below

  • A supported Chromebook – Not all Chromebooks support this, but if you are buying a recent device, chances are that it would support it. However, please do verify before you place the order.
  • As the customer of the domain where it needs to be provisioned, you need to generate a “pre-provisioning” token. This is fairly simple to do, but its critical for the reseller/OEM to assign the devices to your organization.
  • Next you need to identify which Reseller/Partner/OEM you are going to work with. I recommend picking a larger partner if possible who understands this process well.
  • And of course you will need a Google Workspace domain and CEU (Chrome Enterprise Upgrade) licenses.

How it works

Preparing the data

  • The IT Admin creates “pre-provisioning” tokens and send it with the domain name to the Partners.
    • Since there is a unique token for every OU (organizational units) , the IT Admin may have to give a list of tokens and a count of how many devices go to each one of them
    • If the devices need to be shipped to the end-user, they would also potentially send details of the shipment with the requirements to the partner
  • Partners will identify the S/N (Serial numbers) for every device which needs to be provisioned this way
    • They will ensure they are mapped to the OU which the customers want.
  • Next they will use the APIs Google provides the partners to upload the S/N and Tokens to Google’s servers
Zero-Touch Enrollment process

The first boot up – where all the fun happens

The best part of this whole process is that the Partner involved in preparing this data never has to physically have the device. They could just have the OEM and distributor ship the device directly from the factory floor to the end-user. The only thing they really need to ensure is that the S/N is the right one.

The first bootup of the device is special in many ways and goes through a series of steps which it won’t have to worry about in subsequent bootups

  • Step 1: Ask the user for Language and WiFi credentials
  • Step 2: Automatically update device time from the network
    • Chromebook uses a service called “tlsdate” to do this
    • This is an important step, because it would be using HTTPS/SSL to do rest of the communication. Validation of certificates and signatures requires the device to have the right time.
  • Step 3: The device does a quick check to see if it requires any critical updates
    • If there is a critical update available which cannot be skipped, the device will spend a few minutes to download and reboot the device
    • This step is critical because if Google identifies a critical bug after the device was manufactured, this process will fix it before the user uses the device for the first time.
  • Step 4: Next the device will do some form of “Hash dance” to identify if the device is targeted by any organization to be Enrolled into any domain.
    • To do this, the device will send partial hashes of the device identifier which are sufficient for the server to rule a device in or out from this process. The goal of this process is to avoid sending the full S/N to the server.
    • Using this process, Google can send a signal back to the device on whether the device needs to be enrolled and to which domain.
      • And if the device is part of the 0-touch enrollment, it will complete the enrollment process automatically and pull the device policies for the first time.
    • Important: This is also the step which Google uses to enforce “Forced Re-enrollment” which is typically used to block stolen devices from being usable by folks outside of the organization.
  • Step 5: The final step is the user logging in for the first time. By this time, the device has all the device policies, and it will then proceed to download user policies which may include instructions on what apps/extensions to install, what bookmarks to set etc. Some organizations are also using it to deploy Windows using Parallels to the end-user.


The Chromebook may look like a very simple device. It’s just a browser after all. But behind the scenes, features like Zero-Touch enrollment shows that its designed to be one of the most scalable, secure and manageable devices.





Leave a Reply

Your email address will not be published. Required fields are marked *

Exit mobile version