Enrollment Settings
  • 01 Oct 2024


Enrollment & Sign-In Settings allow IT Admins to control various aspects of device enrollment, re-enrollment, and security.

Configuring Enrollment policies

  1. On Scalefusion Dashboard, navigate to Device Profiles & Policies > Device Profiles.

  2. Create a new profile for ChromeOS or edit the existing profile.

  3. On the left panel, expand Enrollment & Sign-In by clicking on the down arrow next to it.

  4. There are three main sub-sections:

    1. Enrollment Settings

    2. Sign-In Settings

    3. Accessibility

  5. Click on Enrollment Settings.

Enrollment Settings

Enrollment Settings can be configured at Device Level and User Level.

Device Level

This section describes the configuration options available under the Device tab within Enrollment Settings. These settings control various aspects of device enrollment, re-enrollment, and security.

  1. Re-enrollment after Wipe/Factory Reset: Determine whether the device should be automatically re-enrolled after a wipe or factory reset. Choose one of the following options from the drop-down:

    1. Force device re-enrollment: The device will be automatically re-enrolled without user intervention.

    2. Force device re-enrollment with user credentials: The device will be re-enrolled, but the user will need to provide their credentials.

    3. Don't force re-enrollment: The device will not be automatically re-enrolled after a wipe or factory reset.

  2. Allow users to enter Asset ID and location during Zero-Touch enrollment: Enable or disable managed users' ability to add or update the Asset ID and location during zero-touch enrollment.

  3. Allow users to Powerwash/Factory Reset: Enable or disable users' ability to restore their devices to factory state.

  4. Configure Boot Mode check for Verified access: Specify whether devices must be running in verified boot mode for device verification to succeed.

  5. Service Accounts with full access to Verified Access API: Enter the email addresses of service accounts that have full access to the Google Verified Access API.

  6. Service Accounts with limited access to Verified Access API: Enter the email addresses of service accounts that have limited access to the Google Verified Access API.

  7. Configure Verified Access for 3rd party Web Services: Enable or disable 3rd party web services from requesting the verified access state and checking for device compliance.

  8. Configure Lost/Disabled mode return instructions: Set a message that will be displayed when the device is marked as lost or disabled.

  9. Configure Integrated FIDO second factor usage: Enable or disable the use of 2-Factor Authentication (2FA) on devices with a Titan M security chip.

User Level

This section describes the configuration options available under the User tab within Enrollment Settings. These settings control various aspects of user enrollment and permissions.

  1. Allow users to enter Asset ID and location during enrollment: Enable or disable managed users' ability to add or update the Asset ID and location during enrollment.

  2. Enrollment Permissions for Managed Users: Configure whether managed users are allowed to enroll new devices, re-enroll existing devices, or both. Choose one of the following options from the drop-down:

    1. Enroll new or Re-Enroll existing devices: Users can both enroll new devices and re-enroll existing devices.

    2. Only Re-Enroll existing devices: Users can only re-enroll existing devices.

    3. Block Enroll new or Re-Enroll existing devices: Users are not allowed to enroll or re-enroll devices.

  3. Allow Sign In to Chromebooks without Enrollment: Enable or disable managed users' ability to sign in to the device without enrollment. If disabled, users will be required to enroll the device before signing in.

Sign-In Settings

Sign-In Settings can be configured at Device level, User level, and for Managed Guest Mode.

Device Level

This section provides detailed information on the configuration options available under the Devices tab within the Sign-In Settings. These settings control various aspects of user sign-in experience on Chromebooks.

  1. Allow Guest Mode: Enable or disable guest access to the Chromebook.

  2. Allow Managed Guest session: Allow or block managed guest sessions. The following options are available:

    • Allow: Allows managed guest sessions (default for migration purposes).

    • Don't Allow: Disables managed guest sessions.

    • Auto-Launch: Automatically launches a managed guest session when the device is idle.

    • Auto-Launch Delay (in minutes): Sets the delay in minutes before a managed guest session is automatically launched. Must be between 1 and 90 minutes. This setting is enabled only when "Auto-Launch" is selected.

    • Device Health Monitoring: Enables or disables device health monitoring for managed guest sessions.

    • Adjust Display Rotation (degrees): Configures the display rotation for managed guest sessions.

    • Display name (enabled only if Auto-Launch or Allow is selected): Sets the display name for managed guest sessions. Maximum length is 40 characters.

  3. Configure Sign-In restrictions: Restrict which users can sign in to the device. Choose one of the following options:

    1. Allow All: No restrictions, any user can sign in. (Default)

    2. Restrict All: Only authorized users can sign in.

    3. Allow Only Selected: Allows sign-in only for a specific list of users or a domain.

      1. Enter user email addresses or a domain name (e.g., acmeinc.com) to restrict access. Domain names are automatically prefixed with *@ when sent to Google.

  4. Configure auto complete domain name: Set a default domain name that appears on the sign-in screen for user convenience. Please note this accepts a single string that matches a valid domain name format.

  5. Show user name and photos on sign-in screen: Enable or disable display of user names and photos on the sign-in screen.

  6. Erase all user data on sign-out: Enable erasing all locally stored user settings and data upon sign-out.

  7. System Info on sign-in screen: Control whether device information like ChromeOS version and/or serial number is shown on the sign-in screen. Choose one of the following options from the drop-down:

    1. User Control: Users can choose to display or hide system info.

    2. Enforce: System info is always displayed.

    3. Disable: System info is never displayed.

  8. Privacy screen settings on sign-in screen: Controls whether the privacy screen is always on during sign-in or left for user selection. Choose one of the following options from the drop-down:

    1. User Control: Users can choose to enable or disable the privacy screen.

    2. Enforce: Privacy screen is always enabled.

    3. Disable: Privacy screen is always disabled.

  9. Allow users to go directly to SAML SSO IdP Page: Enables skipping Google sign-in and taking users directly to the SAML SSO page.

  10. Allow SAML SSO Cookie transfer into user session on sign-in: Enables transferring the SAML SSO cookie to the user session for subsequent sign-ins.

  11. Configure URLs with access to camera during SAML SSO: List URLs that can access the camera directly during the SAML SSO flow. This accepts comma-separated valid URLs.

  12. Configure query parameter to auto fill username on SAML SSO Page: Configure a query parameter that automatically populates the username field on the SAML SSO page.

  13. Configure SAML SSO URLs with access to device attestation data: Configure URLs that receive a header with the response to device attestation challenge during SAML SSO.

  14. Show numeric keyboard for password entry by default: Enables displaying a numeric keyboard by default on the sign-in and lock screens.

  15. Manifest v2 extension availability on sign-in screen: Controls whether users can access Manifest v2 extensions on the sign-in screen. Choose one of the following options from the drop-down:

    1. Default: Users can access extensions based on individual permissions.

    2. Disable extensions: No extensions are available on the sign-in screen.

    3. Enable all extensions: All extensions are available on the sign-in screen.

    4. Enable only force-installed extensions: Only extensions forcefully installed on the device are available.

  16. Configure URL allow/block list on sign-in & lock screen: Configure URLs to be allowed or blocked on the sign-in and lock screens.

    1. Blocklist URLs: Provide list of URLs to block access to (comma-separated).

    2. Blocklist URL exceptions: URLs exempted from

  17. Sign-In Language: Select the language for the sign-in screen.
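
The value limits stated in the list above (auto-launch delay of 1 to 90 minutes, 40-character display name, the *@ prefix for domains, a single autocomplete domain) can be checked before a profile is saved. The following Python is an added example, not Scalefusion code; the dictionary keys and option strings are hypothetical, since the article shows no export format for profiles.

```python
import re

# Hypothetical field names and option strings; the dashboard's real schema is not shown in the article.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@(.+)$")

# Constructed sample input, not taken from a real profile.
SAMPLE = {
    "managed_guest": "auto_launch", "auto_launch_delay_min": 120,
    "display_name": "Lobby kiosk",
    "signin_restriction": "allow_only_selected",
    "allowed_users": ["alice@acmeinc.com", "acmeinc.com", "acme inc"],
    "autocomplete_domain": "acmeinc.com",
}


def normalize_allowlist(entries):
    """Return (patterns, errors): emails are kept, bare domains become *@domain."""
    patterns, errors = [], []
    for raw in entries:
        item = raw.strip().lower()
        m = EMAIL_RE.match(item)
        if m and DOMAIN_RE.match(m.group(1)):
            patterns.append(item)
        elif DOMAIN_RE.match(item):
            patterns.append("*@" + item)
        else:
            errors.append(f"not an email address or domain: {raw!r}")
    return patterns, errors


def check_signin_settings(s):
    """Check device-level sign-in values against the limits the article states."""
    findings = []
    if s.get("managed_guest") == "auto_launch":
        delay = s.get("auto_launch_delay_min")
        if not isinstance(delay, int) or not 1 <= delay <= 90:
            findings.append("auto-launch delay must be 1-90 minutes")
    if s.get("managed_guest") in ("allow", "auto_launch") and len(s.get("display_name", "")) > 40:
        findings.append("display name exceeds 40 characters")
    if s.get("signin_restriction") == "allow_only_selected":
        patterns, errors = normalize_allowlist(s.get("allowed_users", []))
        findings.extend(errors)
        if not patterns:
            findings.append("allow-only-selected with no valid entries")
    domain = s.get("autocomplete_domain")
    if domain is not None and not DOMAIN_RE.match(domain.strip().lower()):
        findings.append("autocomplete domain is not a single valid domain name")
    return findings
```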

User Level

This section describes the configuration options available under the User tab within the Sign-In Settings. These settings control various aspects of the user sign-in experience and user account management.

  1. Allow Managed Account to be used as Secondary Account: Enable or disable managed accounts from being used as secondary accounts in a browser session. (Available for Chrome Enterprise only)

  2. Allow View password on login and lock screen: Enable or disable the Display password option on the login and lock screens.

  3. Show Touchpad scroll direction selection during Sign In: Displays or hides the option for users to configure touchpad scroll direction during sign-in.

  4. Show Display size selection during Sign In: Displays or hides the option for users to configure display size during sign-in.

  5. Allow Avatar customization from camera and/or local or Google profile image: Enables or disables users' ability to customize their avatar using the device camera, local files, or Google profile image.

  6. Allow Wallpaper selection from Google Photos: Enables or disables access to Google Photos from the personalization app to set a wallpaper.

  7. Display Sign-Out button in the tray: Enables or disables the display of the Sign-out button for quick access.

Managed Guest

This section provides detailed information on the configuration options available under the Managed Guest tab within the Sign-In Settings. These settings control various aspects of guest mode behavior.

  1. Display logout button in the tray: Enables or disables the display of the Sign-out button for quick access in guest mode.

  2. Display logout dialog on last window close: Enables or disables the display of a logout dialog when the last window is closed in guest mode. If disabled, users will be automatically logged out.

Accessibility

Configure various accessibility settings (e.g., accessing shortcuts) at the Device, User, and Managed Guest levels. For every setting at each level, choose one of the following options from the drop-down:

  1. User Control: Users can choose to allow or disallow the setting.

  2. Allowed: The respective setting is always allowed.

  3. Disabled: The respective setting is disabled.

