GSP1205

Overview

The Google Admin console is a cloud-based platform that simplifies the task of managing users, devices, browser policies, and settings from a single location. By purchasing Chrome Enterprise Upgrade or Chrome Education Upgrade, you gain access to the Admin console for end-to-end device management. In this lab, you are provided access to the Admin console, enabling you to practice management tasks within a temporary test organization.

Objectives

In this lab, use the following using the Google Admin console to:

• Create an organizational unit structure (OUs, sub OUs, and users)
• Create a WiFi network for users
• Set ChromeOS device policies
• Set Chrome policies for users and browsers
• View and configure apps and extensions
• Enforce password requirements for users

Prerequisites

To get the most from this lab, familiarity with Google Admin console terminology is recommended.

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access the Google Admin console for the duration of the lab.

To complete this lab, you need:

• Access to a standard internet browser (Chrome browser recommended).

Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.

• Time to complete the lab---remember, once you start, you cannot pause a lab.

Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

Start your lab

When you are ready, click Start Lab in the upper left.

Sign in to the Google Admin Console

To access the Google Admin Console, you must find your credentials and then sign in.

Find your lab's User Email and Password

To access the resources and console for this lab, locate the User Email and Password in the Lab Details panel. This panel is on the left or at the top, depending on the width of the browser window. Use these credentials to log in to the Google Admin Console.

If your lab requires other resource identifiers or connection-related information, they will appear on this panel as well.

Sign in to the Admin Console

1. Click Open Google Admin Console.

Tip: Open the tabs in separate windows, side-by-side.

Note: If you see the Verify your account dialog:

• Click Next.
• Click the prefilled user.
• Click Use another account.

2. Enter the User Email and Password.

3. Accept all terms and conditions as prompted.

The Admin Console opens.

4. Click VERIFY DOMAIN in either the yellow box at the top or the red box in the Domains card.

5. Click Next.

6. In the Welcome, let's set up Google Workspace dialog, click Next for all the pop-up guides and then click Finish.

7. Click Protect.

8. Click I’m ready to protect my domain. Google verifies your training domain. Ignore step 2, Create new users and step 3, Activate Gmail sections.

9. Click Admin in the top left to open the Google Admin Console home page.

Start Trial for Chrome Enterprise Upgrade

To manage Chrome devices from the admin console you need a Chrome Enterprise or Education Upgrade, follow these steps to start a trial in your test environment.

1. In the Admin console, from the Navigation menu (), select Devices > Chrome > Devices.

2. In the Terms of Service (TOS) pop-up pop-up, click I Accept.

3. Click Start Trial for Chrome Enterprise Upgrade. It allows you to manage any number of devices.

4. Then, click Next and leave the Trial Plan selected.

5. Click Checkout, then Place Order.

6. Click X to close the Thanks for your purchase pop-up.

Note: To test the application of device policies you set in your Google Admin console, you can enroll ChromeOS devices in your test environment. Alternatively you can install ChromeOS Flex on Windows, Mac, or Linux devices.

Task 1. Create an organizational unit (OU) structure

Initially in your Google Admin console, all users and devices are placed in a single organizational unit (OU), called the top-level OU. Any changes you make to settings within the Admin console will apply to this top-level OU and consequently, all users and devices in your account. Any child OUs created under the top-level OU inherit those settings.

To apply different settings to some users or devices, place them in a child OU, below the top level. You then customize the inherited settings of the child OU, and therefore the members of the child OU.

In this task, you create OUs, child OUs, and users.

Create OUs

1. In the Admin console, from the Navigation menu (), select Directory > Organizational units.

2. Click Create organizational unit to create a new OU.

3. For Name of organizational unit, enter Knowledge Worker.

4. (Optional) For Description, enter The Knowledge Worker Team.

5. Click CREATE.

Create child OUs for Knowledge Worker

1. Make sure you’re on the Organizational units page.

2. Hover over the Knowledge Worker organization unit and click Create new organizational unit icon (+).

3. For Name of organizational unit, enter IT Department.

4. (Optional) For Description, enter IT Team.

5. Click CREATE.

6. Repeat steps 2-5 and create the Employees OU.

Create users in OUs

Next, create three new users and place each of them into their own OU.

1. From the Navigation menu (), select Directory > Users.

2. Click Add new user, then specify the following values:.

   • For First name, enter User.

   • For Last name, enter 1.

   • For Primary email, enter user1.

3. Click Manage user's password, organizational unit, and profile photo.

4. For Organizational unit, click the Edit icon.

5. Under Google Workspace Labs, select Knowledge Worker.

6. Click Done.

7. Click ADD NEW USER.

8. Click DONE, then click DONE again, there is no need to copy the password. You may need to refresh the browser tab to see the new user in the list of users in Workspace.

9. Repeat steps 2-11 to create two more users and assign them to an OU as described below:

   First name	Last name	Primary email	Child OU
   User	2	user2	IT Department
   User	3	user3	Employees

Click Check my progress to verify the objective. Create an organizational unit (OU) structure

Task 2. Create a WiFi network for users in the Knowledge Worker OU

As an administrator, you can configure the networks that manage mobile devices, ChromeOS devices, and Google meeting room hardware used for work or school. You can control WiFi, Ethernet, and Virtual Private Network (VPN) access, and set up network certificates.

When you create a network configuration, you can either apply the same network settings for your entire organization, or set different network settings for different organizational units. Wireless networks can enhance productivity and collaboration.

In this task, you’ll set up a WiFi network for the users in Knowledge Worker OU.

1. From the Navigation menu (), select Devices > Networks.

2. Select the Knowledge Worker OU from the navigation pane.

3. In the WiFi section, click Create WiFi network.

4. In the Platform access section, select the Chromebooks (by user) and Chromebooks (by device) checkboxes to enable the access.

5. In the Details category, set the following values:

   Field	Value
   Name	Corporate
   SSID	Company
   Automatically Connect	Enable
   Security Type	WPA/WPA2
   Passphrase	CC

Here you can examine the following WiFi network details:

• Name: A name for the Wi-Fi that is used to reference it in the Admin console.
• SSID: The Wi-Fi network's SSID. SSIDs are case-sensitive.
• Automatically Connect: To automatically connect devices to this network when it's available, select the Automatically connect box.
• Security Type: Choose a security type for the network. Dynamic WEP (802.1x) is supported only on ChromeOS devices. For Android tablets used with an Education edition, you can't use WPA/WPA2/WPA3 Enterprise (802.1x) during student tablet configuration, but you can set it up manually after you enroll the tablets.

6. Click Save.

After you add the configuration, it's listed in the Wi-Fi section with its name, SSID, and the platforms it's enabled on.

Click Check my progress to verify the objective. Create WiFi network for users in the Knowledge Worker OU

Task 3. Set ChromeOS device policies

As a ChromeOS administrator, you can manage settings that apply to managed ChromeOS devices, such as Chromebooks. These device-level settings apply to all device users, regardless of whether they sign in as a guest or with a personal Gmail account.

Set Release channel for the IT department OU

By default, ChromeOS follows updates on the Stable channel. You can test the latest features of the Chrome operating system (OS) by switching to a more experimental release channel. ChromeOS has five different release channels: Stable, Beta, Long-term support, Long-term support candidate, and Dev channels.

• Stable channel: This channel is thoroughly tested by the ChromeOS team, and is the best choice to avoid crashes and other problems. It receives minor updates every 2-3 weeks and major updates every 4 weeks.

• Beta channel: To easily and safely preview upcoming changes and improvements, use the Beta channel. It's updated every week, with major updates coming every four weeks, over a month before the Stable channel.

• Long-term support channel: The Stable channel updates every four weeks, while long-term support channels receive feature updates every six months, but still get frequent security fixes.

• Long-term support candidate channel: It is used as a basis for the next LTS version and is cut from Stable three months before LTS, giving admins a preview to prepare with.

• Dev channel: It is used to explore the latest features of ChromeOS. You can switch to the Dev channel which receives updates once or twice a week. However, it is important to note that although this build is tested, it may contain bugs as it is released quickly for users to experience the new features as soon as possible.

In this task, you’ll set the Chrome release channel to Beta channel for the IT department.

1. From the Navigation menu (), select Devices > Chrome > Settings > Device Settings.

2. Select IT department OU.

3. Scroll down to Device update settings, and click Auto-update settings.

4. Scroll down to Release channel, click Stable channel, and select Beta channel from the drop-down list.

5. Click Save.

Pin ChromeOS version for Knowledge Worker OU

ChromeOS devices automatically update to the latest version of the channel, unless they are locked to a specific version. However, sometimes it may be necessary to specify which version the device should run on.

In this task, you’ll pin the ChromeOS version for Knowledge Worker OU users.

1. If you are already in the Device settings section, skip the following step. In the Admin console, from the Navigation menu (), select Devices > Chrome > Settings > Device Settings.

2. Select Knowledge Worker OU.

3. Scroll down to Device update settings, and click Auto-update settings.

4. From the Target version, select a ChromeOS version prior to the current stable version. For example, if the current version is 119.* then select its prior version i.e 118.*.

5. From Roll back to target version, select Roll back OS. Click Roll back OS in the pop-up. This specifies whether devices should roll back to the version that you specify in the Target version, if they're already running a later version.

6. Click Save.

Disable guest mode

This setting controls the option to allow guest browsing on managed ChromeOS devices. Enabling the guest mode provides a guest sign-in option on the main screen. However, if you disable the guest mode, users are required to sign in using either a Google Account or a Google Workspace account. It is important to note that when a user signs in as a guest, the organization's policies are not applied.

1. If you are already in the Device settings section, skip the following step. In the Admin console, the Navigation menu (), select Devices > Chrome > Settings > Device Settings.

2. Select Knowledge Worker OU.

3. Scroll down to Sign-in Settings, and select Guest mode.

4. From the Configuration drop-down, select Disable guest mode.

5. Click Save.

   This prevents users from signing into Chromebooks as guests, adding an extra layer of security.

Follow the below steps to get the primary domain name:

1. In the Admin console, the Navigation menu (), select Account > Domains > Manage domains.
2. Copy the Primary Domain name and save it somewhere on your machine. You'll need it in later steps.

Enable autocomplete domain name

This policy allows you to select a domain name that is displayed to users on their sign-in page. This eliminates the need for users to manually enter the @domain.com part of their username during sign-in. If this policy is set to a blank string or left unconfigured, ChromeOS does not display an autocomplete option during the user sign-in process.

1. If you are already in the Device settings section, skip the following step. In the Admin console, from the Navigation menu (), select Devices > Chrome > Settings > Device Settings.

2. Select the Knowledge Worker OU.

3. Scroll down to Sign-in Settings, select Autocomplete domain.

4. From the Configuration drop-down, select Use the domain name, set below, for autocomplete at sign-in and enter the domain name prefix saved in a previous step.

5. Click Save.

Click Check my progress to verify the objective. Set ChromeOS device policies

Task 4. Set Chrome policies for users and browsers

You can enforce Chrome policies from your Admin console that apply to:

• User accounts, syncing their policies and preferences across all their devices. Settings apply whenever the user signs in to Chrome browser with their managed account on any device.

• Enrolled browsers to enforce policies when users open Chrome browser on managed Microsoft Windows, Apple Mac, or Linux computers. Signing in is not required.

Block a Site

As an administrator, you can limit the websites users can visit by blocking or allowing certain URLs. This can enhance productivity and protect your organization from malicious content and viruses present on certain websites.

Setting the URLBlocklist policy stops web pages with prohibited URLs from loading. Administrators can specify the list of URL patterns to be blocked.

1. In the Admin console, from the Navigation menu (), select Devices > Chrome > Settings > Users & browsers setting.

2. Select the Knowledge Worker OU.

3. Go to the Content section, then add the https://www.youtube.com URL to the Blocked URLs list within the URL blocking category.

4. Click Save.

Set the Startup Page

This specifies which pages to load when users start their ChromeOS devices.

“Full restore” refers to a user’s applications being restored after shutting down their Chromebook. Enabling the flag creates a new sub-menu in the ChromeOS settings menu labeled “on startup”, and as it implies, it gives you the option of what you’d like to do when you start your device.

If you have set the startup page on ChromeOS and disabled the Full restore setting, your Chromebook no longer restores your applications and browser tabs after your Chromebook shuts down abruptly.

See how you can have an employee's Chromebook automatically open a designated website as they log in.

Disable Full Restore

1. In the Admin console, from the Navigation menu (), select Devices > Chrome > Apps & extensions > Users & browsers.

2. Select the Knowledge Worker OU from the navigation pane.

3. Click Additional Settings.

4. In the Restore apps on startup, select Only restore Chrome browser from the drop-down.

5. Click Save.

Set startup page

1. In the Admin console, from the Navigation menu (), select Devices > Chrome > Settings > Users & browsers setting.

2. Select Knowledge Worker OU from the navigation pane.

3. Scroll down to the Startup section, and select Pages to load on startup.

4. From the Configuration drop-down, select Startup action as Open a list of URLs.

5. Enter the https://www.google.com URL in the Startup pages.

6. Click Save.

   After saving your settings, designated websites automatically open for the employee the next time they sign into their Chromebook in the selected OU.

Click Check my progress to verify the objective. Set Chrome policies for users or browsers

Task 5. View and configure apps and extensions

As an administrator, you can use your Admin console to set policies for a specific web app, Chrome app or extension, or supported Android app. For example, you might force-install an app and pin it to users' Chrome taskbar.

In this task, you’ll configure Android apps, extensions, and Progressive Web Apps (PWA) for users.

Force Install and pin an app

You can automatically install (force-install) specific Chrome apps and extensions for users in your organization. Users then see these apps and extensions when using Chrome on managed devices or accounts.

1. In the Admin console, from the Navigation menu (), select Devices > Chrome > Apps & extensions. The Overview page opens by default.

2. Click Users & browsers.

3. Select Knowledge Worker OU.

4. Hover over the Add app icon (+) and select Add from Chrome Web Store.

5. Search for Google Keep - Notes and Lists app, then scroll down and select Apps.

6. Click Select and then Accept if asked.

7. In the panel that opens on the right (if the panel is not opened then click on the app you just added), under Installation policy, choose Force install + pin to ChromeOS taskbar.

8. Click Save.

Force install Android app

If you are already on the Users & browsers tab, skip the following two steps.

1. In the Admin console, from the Navigation menu (), select Devices > Chrome > Apps & extensions. The Overview page opens by default.

2. Click Users & browsers.

3. Select IT Department OU.

4. Hover over the Add app icon (+) and select Add from Google Play.

5. From Google Play store, search for Google Calendar app and click on it.

6. Click Select and Accept. The Recommendation pop-up opens. Click OK.

7. In the panel that opens on the right (if panel is not opened then click on the app you just added), under Installation policy, choose Force install + pin to ChromeOS taskbar.

8. Click Save.

Add Progressive Web App (PWA)

A Progressive Web App (PWA) is an app built for the web that provides an experience similar to a mobile app. PWAs are fast and offer many of the features available on mobile devices.

As an administrator, you can automatically install web apps for users in your organization. Users can then quickly get to the apps from the launcher on ChromeOS devices or in Chrome browser on other devices.

1. If you are already on the Users & browsers tab, skip the following two steps.

2. In the Admin console, from the Navigation menu (), select Devices > Chrome > Apps & extensions. The Overview page opens by default.

3. Click Users & browsers.

4. Select Knowledge Worker OU.

5. Hover over the Add app icon (+) and select Add by URL.

6. Enter the https://mail.google.com URL and click Save.

7. In the panel that opens on the right (if panel is not opened then click on the app you just added), under Installation policy, choose Force install + pin to ChromeOS taskbar.

8. Click Save.

Add an Extension

You can automatically install (force-install) specific extensions for users in your organization. Users then see these extensions when using Chrome on managed devices or accounts.

1. In the Admin console, from the Navigation menu (), select Devices > Chrome > Apps & extensions. The Overview page opens by default.

2. At the top, click Users & browsers.

3. Select Knowledge Worker OU.

4. Hover over the Add app icon (+) and select Add from Chrome Web Store.

5. From the store, search for the Google Keep Chrome Extension and click on it within the search results.

6. Click Select.

7. In the panel that opens on the right (if panel is not opened then click on the app you just added), under Installation policy, choose Force install + pin to browser toolbar.

8. Click Save.

Click Check my progress to verify the objective. View and configure apps and extensions

Task 6. Enforce password requirements for users

Security is extremely important within the organization. By setting a password policy, you ensure that your users choose strong and secure passwords, which helps to protect your business data and customer information from cyber threats.

In this task, you’ll set a minimum user password length for the entire organization.

1. In the Admin console, from the Navigation menu (), select Security > Authentication > Password management. You may have to scroll down and select Show more at the bottom to see the Security section.

2. Select the parent organizational unit Google Workspace Labs to set the password policies for all users.

3. In the Strength section, check the Enforce strong password box to ensure that users create strong passwords.

4. In the Length section, set the minimum password length to 10.

5. Click Save.

Click Check my progress to verify the objective. Enforce password requirements for users

Congratulations!

In this lab you've gotten practice as a ChromeOS Administrator, using the tools to set up an organizational unit, and add users for a new organization. You also learned how to configure device management and users & bowsers management settings, and add apps and extensions.

Next steps / Learn more

• Manage policies for ChromeOS devices
• Cloud-managed Chrome Browser

ChromeOS training and certification

...helps you make the most of ChromeOS technologies. Our classes include sale and technical skills to help you get up to speed quickly and continue your learning journey. The Professional ChromeOS Administrator Certification helps you demonstrate your expertise and validate your ability to transform businesses and schools with ChromeOS.

Manual Last Updated February 09, 2024

Lab Last Tested February 07, 2024

Copyright 2024 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.