As you go through this guide, you may find that you already have some of these prerequisites in place, like a G Suite account for your company. If this is the case, you can skip to the next relevant step.
- Get a G Suite account for your company
  Logging into a loaner Chromebook requires a Google G Suite account; standard Gmail accounts won't work.
GnG runs on Google App Engine, an automatically scaling, sandboxed computing environment that runs on Google Cloud.
- Create a Google Cloud Platform Project.
  Name the project something you will remember, such as loaner.
- Create a billing account and enable billing for the project that you created.
- Create an OAuth2 Client ID within your App Engine Project (make sure to select the Web Client instructions tab).
  For secure authentication, the GnG application uses OAuth2. When you create the OAuth2 Client ID, for:
  - Authorized JavaScript Origins URL, use either:
    - Your GCP project ID (found in the project dropdown) followed by appspot.com
      For example, if your GCP project ID is "example-123456" then the default URL will be https://example-123456.appspot.com
  - Application type: Select Public
- Create a service account and its credentials on your G Suite Domain (you can leave Role blank).
  This is required in order to access the G Suite APIs to move devices to and from organizational units, maintain permissions based on Google Groups, etc.
  When you get the JSON file containing the client secrets for the service account, save it somewhere that you'll be able to find, and don't share it, as it allows access to your G Suite domain user data.
- Delegate domain-wide authority to the service account you created.
  In the One or More API Scopes field, copy and paste the following list of scopes required by GnG:
  https://www.googleapis.com/auth/admin.directory.device.chromeos, https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.orgunit, https://www.googleapis.com/auth/admin.directory.user.readonly
- Enable the Admin SDK API through Google Cloud Console.
  GnG requires the Directory API to manage devices in your G Suite Domain. To access the Directory API you need to enable the Admin SDK API.
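One way to check the two sensitive artifacts from the steps above (the service account JSON key file and the delegated scope list) before deploying. This is an added example, not part of GnG: the function names and the sample key contents are constructed for illustration, and the JSON field names are those of a standard Google service account key file.

```python
import json
import os
import stat
import tempfile

# The four scopes listed in the delegation step of this guide.
_BASE = "https://www.googleapis.com/auth/admin.directory."
REQUIRED_SCOPES = frozenset(_BASE + s for s in (
    "device.chromeos", "group.member.readonly", "orgunit", "user.readonly"))
KEY_FIELDS = ("client_email", "client_id", "private_key")

def audit_scopes(pasted):
    """Compare a comma-separated scope string with the set GnG requires."""
    granted = {s.strip() for s in pasted.split(",") if s.strip()}
    return {"missing": sorted(REQUIRED_SCOPES - granted),
            "extra": sorted(granted - REQUIRED_SCOPES)}

def audit_key_file(path):
    """Return findings for a service account JSON key file (empty list = OK)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("accessible beyond owner (mode %o)" % mode)
    try:
        with open(path) as fh:
            key = json.load(fh)
    except ValueError:
        return findings + ["not valid JSON"]
    if not isinstance(key, dict) or key.get("type") != "service_account":
        return findings + ['"type" is not "service_account"']
    return findings + ["missing field: " + f for f in KEY_FIELDS if not key.get(f)]

def write_sample_key(mode, **overrides):
    """Write a constructed (fake) key file with the given mode; return its path."""
    key = {"type": "service_account", "client_id": "000000000000",
           "client_email": "gng-sample@example-123456.iam.gserviceaccount.com",
           "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY"}
    key.update(overrides)
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    path = write_sample_key(0o644)  # constructed, deliberately too open
    print(audit_key_file(path), audit_scopes(_BASE + "orgunit"))
    os.remove(path)
```

An empty `extra` list confirms that the delegation grants nothing beyond the four scopes above; any entry there is access GnG does not need.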
In order to give the GnG app domain privileges, you must set up a G Suite role account for the app to use. This account won't require an additional G Suite license and will act only as a proxy for the application.
- Visit Google Admin
- Name it something memorable like [email protected]
- Set the password to something highly complex (a human should never log into this account)
- It is highly recommended that you also use 2FA on this account to reduce risk
- Give the account the following Admin roles:
  - Directory Admin
  - Services Admin
  - User Management Admin
Note: It's recommended that you put this account in an Organizational Unit that has all G Suite and additional services disabled.
In order to set up the GnG application, you'll need to create a superadmin group, which will have all permissions by default.
- Add yourself to the superadmin group. This is required for you to be able to set up the GnG application.
- If you have people in your organization who need to manage GnG loaner devices and shelves, add them to the superadmin group.
Remember the name of this group, as you'll need this later on in the setup.
Additional roles can be created by calling the role API with a custom set of permissions, depending on what access you'd like to give. You can provide different Google Groups to manage the users in these roles and they will sync automatically. You can also manually add users to roles if you do not provide a group. Just add the appropriate users to each group.
You must enterprise enroll each of your Chromebook loaners.
This computer will be the device on which you'll modify the code, and from which you'll build and upload GnG.
Note: This deployment has only been tested on Linux and macOS.
Install the following software: