Initial Setup
Stay organized with collections
Save and categorize content based on your preferences.
Setup for a developer
Enable API suite for cloud project
- Navigate to Cloud Console: https://console.cloud.google.com/.
- Select existing cloud project or create a new one.
- Go to
APIs & Services > Enable APIs and Services.
- Search for “Chrome”.
- Select “Chrome Management API”.
- Familiarize yourself with Terms of Service.
- Click
Enable.
Create Credentials
Alternative 1: OAuth 2.0 Client IDs
- Before you are able to create "OAuth 2.0 Client ID" you need to first configure the OAuth consent screen with information about your application.
In Cloud Console, go to
APIs & Services > OAuth consent screen.
In your consent screen config page, enter the scopes:
- For Reports API add:
https://www.googleapis.com/auth/chrome.management.reports.readonly
- For App Details API add:
https://www.googleapis.com/auth/chrome.management.appdetails.readonly
- For Telemetry API add:
https://www.googleapis.com/auth/chrome.management.telemetry.readonly
Note that added scopes are sensitive, so you may need to submit your app for verification. Otherwise, users may see a security warning screen if your app is not internal.
Go to APIs & Services > Credentials > Create Credentials > OAuth client ID and follow the steps to create the credentials.
Optionally, test your app in OAuth Playground (see How to).
Alternative 2: Service Account
- Go to
APIs & Services > Credentials > Create Credentials > Service account.
- Enter service account name and click
Create.
- Create a key for your service account. Click
Add Key and create “json” key. Keep track of the file in a secure location.
- Use your service account with proper admin privileges for customer:
- Customer may set up Domain-Wide Delegation and then the service account can impersonate a user/admin who has proper privileges (see how)
- or customer may grant an admin role with proper privileges to the service account directly (see how).
Setup for a customer
Depending on which application type the developer created, the customer admin has different setup options.
"OAuth 2.0 Client" Apps
No special setup is needed.
App users require proper admin privileges (see how).
App users need to agree to the app OAuth pop-up consent screen.
Optionally, you can allow this app to use Domain-Wide Delegation (see how), which will omit the OAuth pop-up consent screen for users.
Optionally verify if the app isn't blocked, or trust the app explicitly (see how).
"Service Account" Apps
The service account must be granted proper admin privileges.
You can do this in either of two ways:
- Allow Domain-Wide Delegation so the Service Account can impersonate an admin that has proper privileges (see how).
- Grant Admin Roles for the service account directly (see how).
"How to" guides
How to block or trust an app
- As customer admin, go to Admin Console (https://admin.google.com/).
- Navigate to
Security > Access and data control > API controls.
- In the
App access control section, click Manage third party app access.
- If you don't see the app in the 'Connected apps' list, you can configure a new app.
- You can now block the app or trust the app explicitly.
How to enable domain-wide delegation
- As customer admin, go to Admin Console (https://admin.google.com/).
- Navigate to
Security > Access and data control > API controls > Domain-wide delegation.
- Click
Add new.
- Enter client ID ("service account unique id" or "app client ID").
- Enter all necessary OAuth scopes. Depending on the app, you may need to enter scopes for more than just Chrome Management API; e.g. the Directory API for managing devices, users, browsers, OUs, groups, etc.
- Click
Authorize.
How to manage admin privileges
For different portions of the Chrome Management APIs, different admin privileges
are needed. See which admin privileges are required for
Reports API,
App Details API, or
Telemetry API.
To grant privileges:
- As customer admin, go to Admin Console (https://admin.google.com/).
- Navigate to
Admin roles page.
- Find an existing role or create a new role with the necessary privileges.
- Assign this role to the user email address or the service account email address.
How to test your app in OAuth Playground
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-10-16 UTC.
[null,null,["Last updated 2024-10-16 UTC."],[[["\u003cp\u003eDevelopers need to enable the Chrome Management API, create credentials (OAuth or Service Account), and understand setup options for customer admins.\u003c/p\u003e\n"],["\u003cp\u003eCustomer admins need to configure settings based on the developer's application type, potentially granting privileges or enabling domain-wide delegation.\u003c/p\u003e\n"],["\u003cp\u003e"How to" guides provide detailed instructions for blocking/trusting apps, enabling domain-wide delegation, managing admin privileges, and testing in OAuth Playground.\u003c/p\u003e\n"],["\u003cp\u003eDifferent Chrome Management APIs require specific admin privileges, and detailed information is available in their respective guides.\u003c/p\u003e\n"],["\u003cp\u003eOAuth 2.0 Client apps need user consent or Domain-Wide Delegation, while Service Account apps require explicit admin privilege grants.\u003c/p\u003e\n"]]],[],null,["# Initial Setup\n\nSetup for a developer\n---------------------\n\n### Enable API suite for cloud project\n\n- Navigate to Cloud Console: \u003chttps://console.cloud.google.com/\u003e.\n- Select existing cloud project or create a new one.\n- Go to `APIs & Services \u003e Enable APIs and Services`.\n- Search for \"Chrome\".\n- Select \"Chrome Management API\".\n- Familiarize yourself with Terms of Service.\n- Click `Enable`.\n\n### Create Credentials\n\n#### Alternative 1: OAuth 2.0 Client IDs\n\n- Before you are able to create \"OAuth 2.0 Client ID\" you need to first configure the OAuth consent screen with information about your application. In Cloud Console, go to `APIs & Services \u003e OAuth consent screen`.\n- In your consent screen config page, enter the scopes:\n\n - For Reports API add: `https://www.googleapis.com/auth/chrome.management.reports.readonly`\n - For App Details API add: `https://www.googleapis.com/auth/chrome.management.appdetails.readonly`\n - For Telemetry API add: `https://www.googleapis.com/auth/chrome.management.telemetry.readonly`\n\n Note that added scopes are sensitive, so you may need to submit your app for verification. Otherwise, users may see a security warning screen if your app is not internal.\n- Go to `APIs & Services \u003e Credentials \u003e Create Credentials \u003e OAuth client ID` and follow the steps to create the credentials.\n\n- Optionally, test your app in OAuth Playground (see [How to](#how_to_test_your_app_in_oauth_playground)).\n\n#### Alternative 2: Service Account\n\n- Go to `APIs & Services \u003e Credentials \u003e Create Credentials \u003e Service account`.\n- Enter service account name and click `Create`.\n- Create a key for your service account. Click `Add Key` and create \"json\" key. Keep track of the file in a secure location.\n- Use your service account with proper admin privileges for customer:\n - Customer may set up Domain-Wide Delegation and then the service account can impersonate a user/admin who has proper privileges (see [how](#how_to_enable_domain-wide_delegation))\n - or customer may grant an admin role with proper privileges to the service account directly (see [how](#how_to_manage_admin_privileges)).\n\nSetup for a customer\n--------------------\n\nDepending on which application type the developer created, the customer admin has different setup options.\n\n#### \"OAuth 2.0 Client\" Apps\n\nNo special setup is needed.\n\nApp users require proper admin privileges (see [how](#how_to_manage_admin_privileges)).\n\nApp users need to agree to the app OAuth pop-up consent screen.\nOptionally, you can allow this app to use Domain-Wide Delegation (see [how](#how_to_enable_domain-wide_delegation)), which will omit the OAuth pop-up consent screen for users.\n\nOptionally verify if the app isn't blocked, or trust the app explicitly (see [how](#how_to_block_or_trust_an_app)).\n\n#### \"Service Account\" Apps\n\nThe service account must be granted proper admin privileges.\nYou can do this in either of two ways:\n\n- Allow Domain-Wide Delegation so the Service Account can impersonate an admin that has proper privileges (see [how](#how_to_enable_domain-wide_delegation)).\n- Grant Admin Roles for the service account directly (see [how](#how_to_manage_admin_privileges)).\n\n\"How to\" guides\n---------------\n\n### How to block or trust an app\n\n- As customer admin, go to Admin Console (https://admin.google.com/).\n- Navigate to `Security \u003e Access and data control \u003e API controls`.\n- In the `App access control` section, click `Manage third party app access`.\n- If you don't see the app in the 'Connected apps' list, you can configure a new app.\n- You can now block the app or trust the app explicitly.\n\n### How to enable domain-wide delegation\n\n- As customer admin, go to Admin Console (https://admin.google.com/).\n- Navigate to `Security \u003e Access and data control \u003e API controls \u003e Domain-wide delegation`.\n- Click `Add new`.\n- Enter client ID (\"service account unique id\" or \"app client ID\").\n- Enter all necessary OAuth scopes. Depending on the app, you may need to enter scopes for more than just Chrome Management API; e.g. the Directory API for managing devices, users, browsers, OUs, groups, etc.\n- Click `Authorize`.\n\n### How to manage admin privileges\n\nFor different portions of the Chrome Management APIs, different admin privileges\nare needed. See which admin privileges are required for\n[Reports API](/chrome/management/guides/reports_api),\n[App Details API](/chrome/management/guides/app_details_api), or\n[Telemetry API](/chrome/management/guides/telemetry_api).\n\nTo grant privileges:\n\n- As customer admin, go to Admin Console (https://admin.google.com/).\n- Navigate to `Admin roles` page.\n- Find an existing role or create a new role with the necessary privileges.\n- Assign this role to the user email address or the service account email address.\n\n### How to test your app in OAuth Playground\n\n- In Cloud Console, when creating an OAuth client ID for your app (see above [OAuth 2.0 Client IDs](/chrome/management/guides/setup#alternative_1_oauth_20_client_ids) section) select application type \"Web Applications\".\n- Enter a 'Name'.\n- To test your app, add `https://developers.google.com/oauthplayground` to the \"Authorized redirect URIs\" field. You can remove the redirect URI from your app when you're done testing.\n- Click `Create` and copy \"client ID\" and \"client secret\".\n- Go to [OAuth Playground](https://developers.google.com/oauthplayground/)\n- Click the gear icon in the top right corner ('OAuth 2.0 Configuration'), select `Use your own OAuth credentials`, and enter \"OAuth Client ID\" and \"OAuth Client secret\".\n- Follow these steps in OAuth Playground\n\n - Select \\& authorize APIs.\n\n Add `https://www.googleapis.com/auth/chrome.management.reports.readonly` (or other api scope) in the scope input field and click 'Authorize APIs'.\n Authorize using a customer admin account. Agree to the terms.\n - Exchange authorization code for tokens.\n\n Click `Exchange authorization code for tokens`. Optionally, click `Auto-refresh the token before it expires`.\n - Configure request to API.\n\n Enter your API URL in the 'Request URI' text box. Modify 'HTTP Method', 'Enter request body', etc. as per the API specification.\n For example, use the following URL to count the installed Apps in your organization: `https://chromemanagement.googleapis.com/v1alpha1/customers/my_customer/reports:countInstalledApps`"]]
