If you have more than a few devices in your Enterprise or School fleet, you are the proud owner of a headache every IT admin has to deal with. Protecting your devices against theft.
Unlike desktops, Chromebooks are one of the lightest devices and are often the victims of theft. Here are some recommendations on how you can protect your devices and your users against theft related incidents.
Always Enroll the devices
If you are a Google Workspace customer, please buy Chromebook licenses and enroll your devices into your domain. Some of the newer Enterprise Chromebooks already come with a license in which case you may not have to buy the licenses before you do the enrollment.
Rest of the article below is only applicable to Enrolled devices. You won’t get any of this without a ChromeOS Enterprise enrollment,.
Setup policies for your devices
Once you have the devices enrolled, you are ready to start pushing some important policies to your devices which will save your bacon when you need it the most.
Enable Forced re-enrollment
Enrolling the device gives you some critical functionality which could be lost if someone was able to unenroll the device. To protect against this, Google provides a policy called “Forced Re-enrollment” which will make it impossible for the device to be used without Re-enrolling the device to the domain.
Setup Sign-in restrictions
Add the list of users (wild cards are allowed) of who all can use the devices. For example if your organization is called chromedevice.com, you can set it up to only allow the organization users to use if you add “*@chromedevice.com” in the sign-in whitelist.
Disable Guest mode
Once you control who all can login, its important to disable Guest mode to disallow anyone to use the device without having credentials to an account on the domain.
Monitoring the device
You can remotely view status of all devices in the fleet from a single management console. Here are some of the attributes you can monitor remotely
- Make / Model / Serial number / CPU model/ Wifi Mac address
- OS, Chrome. Firmware, TPM version
- Verified Boot status
- Last OS update
- Last device online time
- Enrollment date
- Auto-update expiration date
- Channel used for updates
- Recent users on the device
- Memory usage
- CPU utilization
- Disk space utilization
- CPU temperature
- Wifi signal strength
You can additionally add custom attributes for example “Asset ID”, “Location”.
Disable the device remotely
If your device is stolen, you can remotely disable the unit and add custom text on the device with information on how to return the device using “Disabled device return instructions“
Note that all this is just touching the tip of the iceberg. There is a lot more you can do with Enterprise licenses on Chromebooks. And if you are not sure what device type of Chromebooks are available today, you can start by looking here.