This article was written by a team of Devoteam’s engineers: Brando Chiminelli, Fredrik Magnusson and Tomislav Orlovac.
Have you ever urgently needed a new work computer but didn’t want to wait hours (or days) for a new properly configured device? If so, you’re not alone. This is a common problem for businesses of all sizes. To address it, we developed our own solution, based on Google Workspace. Our goal was to be able to quickly and safely provide employees with access to company devices. In this article, we will discuss the challenges that inspired us, our process, and our final fix. Join us on this journey that took us from a latte incident to a new solution!
The Coffee Spill and Other Challenges
Imagine a scenario where one of your team members spills coffee on their laptop, forgets it on the bus, or experiences a sudden malfunction. What happens next? They might have to wait days for a replacement device, or they might consume valuable internal resources, such as your IT department’s time, to resolve the issue. Either way, the result is diminished productivity and financial losses, especially for large-scale operations.
Another (real-life) scenario – imagine clients or partners visiting your office, needing a computer for a brief presentation or note-taking. Having a readily accessible, pre-configured device linked to company resources would be advantageous. Another issue is data security: ideally, after every usage session, all data would be wiped out and the device would be ready for another user.
If only there was an easy solution. And there is, sort of.
Google rolled out a seamless solution for their team members, enabling them to quickly return to work by simply grabbing a Chromebook and logging in with their password. This innovation is known as “Grab&Go” (white paper, GitHub). However, the challenge with Grab&Go is that Google has not made any updates or improvements to this solution for over three years. This is where we came in, with our ambition to find a better way.
Brewing Our Solution in Google Workspace
We started by defining three key requirements:
- Chromebooks should automatically remove user data upon logout.
- The solution should be easily replicable in various environments.
- The organization should be able to centrally manage all Chromebooks.
Our first step involved exploring potential solutions within the GitHub repository. Initially, we considered rewriting part of the Python code it relied on. However, it became clear that it needed extensive modifications, and success was uncertain.
Upon further investigation, we discovered that Google Workspace’s “Ephemeral mode” offered a potential solution aligned with our requirements. It ensured data was wiped upon user logout, enabling a fresh start for the next person.
Delving deeper into the Google Workspace admin console, we identified various rules and policies resembling the original Google Grab&Go project. Our task was now to select and configure the rules and policies best suited for our implementation.
Creating the Perfect Blend of Policies
Eventually, we managed to create an alternative to Grab&Go based on Google Workspace, making the most of Chromebooks in the process, and meeting our key requirements. Below you will find the outline of our final solution.
What we need
- Google Admin console access
- ChromeOS device
- A new Organizational Unit (OU), for example Grab&Go
Every Chromebook we enrolled has two stickers:
- A number: to easily identify the Chromebooks. The numbers correspond to the “Asset ID” under Google Admin Console > Devices > Chrome > Devices > “Your OU”.
- Input Keyboard: this indicates if the computer has an “SE” (Swedish, since we are based in Stockholm) keyboard or “US” (American) keyboard.
Policies used in Admin Console
We utilized the policies from the original Grab&Go project, described in Part 4 of the Setup Documentation. Additionally, we have introduced some new policies tailored to meet specific requirements. You can find these settings under the ‘Device settings’ tab, rather than the ‘User & browser settings’ tab, as shown in the image below. By doing so, we ensure that the policy applies exclusively to the individual device, regardless of the user logging in.
Below you will find a handy table with all the policies that we applied:
|Policy|Setting and rationale|
|---|---|
|Forced Re-enrollment|To prevent device theft, set this configuration to Force the device to re-enroll into this domain after wiping. A Chrome device can easily be wiped with a key combination. When a device is wiped, force the user to re-enroll the device to the domain so that you can reset any custom policies. If not, a user could wipe the device and use it at will.|
|Verified Access|Require verified mode boot for verified access: devices must be running in verified boot mode for device verification to succeed. Devices in Dev mode will always fail the verified access check.|
|User Data|Set to Erase all local user data. Related to the note above, since this will be a loaner device, you do not want to leave users’ data behind, even if that data is encrypted.|
|Sign-In Language|Set to the company's primary language. This prevents a user from changing the language and the next user struggling with it.|
|Auto-update settings|Auto Update Settings: set to Allow auto-updates. For security reasons, perform all updates on the device. Auto Reboot After Updates: set to Allow auto-reboots. Chrome OS requires a reboot to apply the latest downloaded update, and auto-reboot helps you install the updates without human intervention. When Allow auto-reboots is selected, after a successful auto-update the Chrome device will reboot when the user next signs out. Release Channel: set to Move to Stable Channel. For optimal stability, all devices must be set to Move to Stable Channel.|
|Power & Shutdown|Power Management: set to Allow the device to sleep/shut down when idle on the sign-in screen. When the device is not in use, allowing it to sleep/shut down maximizes battery life.|
|Sign-in keyboard|Depending on the keyboard layout of the actual Chromebook, we have assigned a separate group within the “Grab&Go” organizational unit called “Swedish Keyboard.” Computers not in this sub-unit will have their “Sign-in Keyboard” setting configured to “US Keyboard.”|
|Scheduled reboot|Enable scheduled reboots. Set daily to midnight.|
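
As an added example (not part of the original article or of Google's Grab&Go code), the sticker scheme and the Verified Access and Sign-in keyboard rows above can be reconciled against the console's device records. The records are constructed and shaped like Admin SDK Directory API `chromeosdevices` resources; the OU paths, serial numbers and sticker inventory are assumptions.

```python
# Added example; every record and value below is constructed sample data.
ROOT_OU = "/Grab&Go"                    # assumed path of the loaner OU
SE_OU = ROOT_OU + "/Swedish Keyboard"   # assumed path of the keyboard sub-OU

# Physical stickers: Asset ID number -> keyboard layout sticker.
STICKERS = {"1": "SE", "2": "US", "3": "US", "4": "SE"}

# Field names follow the Directory API chromeosdevices resource.
DEVICES = [
    {"serialNumber": "SN-A", "annotatedAssetId": "1",
     "orgUnitPath": SE_OU, "bootMode": "Verified"},
    {"serialNumber": "SN-B", "annotatedAssetId": "2",   # US keyboard, SE sub-OU
     "orgUnitPath": SE_OU, "bootMode": "Verified"},
    {"serialNumber": "SN-C", "annotatedAssetId": "3",   # developer mode
     "orgUnitPath": ROOT_OU, "bootMode": "Dev"},
    {"serialNumber": "SN-D", "annotatedAssetId": "",    # never moved or labelled
     "orgUnitPath": "/Staff", "bootMode": "Verified"},
]

def audit(devices, stickers):
    """Return (identifier, finding) pairs for records that drift from the setup."""
    findings, seen = [], {}
    for d in devices:
        sn = d.get("serialNumber", "?")
        asset = (d.get("annotatedAssetId") or "").strip()
        ou = d.get("orgUnitPath", "")
        in_tree = ou == ROOT_OU or ou.startswith(ROOT_OU + "/")
        if not in_tree:
            findings.append((sn, "outside-loaner-ou"))   # device policies not applied
        if d.get("bootMode") != "Verified":
            findings.append((sn, "not-verified-boot"))   # fails Verified Access
        if not asset:
            findings.append((sn, "missing-asset-id"))
            continue
        if asset in seen:
            findings.append((sn, "duplicate-asset-id"))
        seen[asset] = sn
        layout = stickers.get(asset)
        if layout is None:
            findings.append((sn, "asset-id-without-sticker"))
        elif in_tree and (layout == "SE") != (ou == SE_OU):
            findings.append((sn, "keyboard-ou-mismatch"))  # wrong sign-in keyboard
    for asset in sorted(set(stickers) - set(seen)):
        findings.append((asset, "sticker-without-device"))  # lost or unenrolled
    return findings

if __name__ == "__main__":
    for item in audit(DEVICES, STICKERS):
        print(item)
```

Run against a real export, a `sticker-without-device` finding is the one to chase first, since it means a labelled Chromebook no longer appears in the managed OU.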
For security purposes, we decided to add the Chromebook computers to the Guest network. To achieve this, we configured the Wi-Fi settings at the following path:
Google Admin console > Devices > Networks > “Your OU” > WiFi > Add WIFI > Enter WiFi information
We thought it would be useful to add configuration for the local printer, so users can easily connect to it if needed. This is how we did it:
Google Admin console > Devices > Chrome > Printers > “Your OU”
Live demo and Feedback
After double-checking that everything was working properly on our Chromebooks, we presented our Workspace solution to our colleagues. During the live demonstration for Devoteamers from different departments, we aimed to ensure that every aspect of our alternative to Grab&Go performed flawlessly. It was also important for us that our fellow employees could benefit from our alternative to Grab&Go. The feedback we gathered during the demo provided us with valuable insights into potential use cases, expansion opportunities, and limitations of our solution.
Enjoying a Coffee Break with Peace of Mind
After navigating through some challenges, we have crafted an alternative to Google’s Grab&Go, using the Workspace admin console. Our solution checks all the essential boxes, including automatic user data removal upon logout, central management, and replicability across diverse environments. Additionally, our policies offer room for customization, allowing companies to tailor them to their unique needs.
We believe that our solution can benefit many organizations that are using Google Workspace and are looking for a more robust way to manage their Chromebooks. Since our live demo, we have had numerous occasions to see our fix in action. It was especially handy when our colleagues from other locations visited our Stockholm office and needed quick access to our resources. With our solution, IT teams can breathe easier, knowing their fleet of Chromebooks is secure, efficient, and ready to be used.