Initial Setup

Setup for a developer

Enable API suite for cloud project

  • Navigate to Cloud Console: https://console.cloud.google.com/.
  • Select existing cloud project or create a new one.
  • Go to APIs & Services > Enable APIs and Services.
  • Search for “Chrome”.
  • Select “Chrome Policy API”.
  • Familiarize yourself with the Terms of Service.
  • Click Enable.

Create Credentials

Option 1: OAuth 2.0 Client IDs

  • Before you can create an "OAuth 2.0 Client ID", you must first configure the OAuth consent screen with information about your application. In Cloud Console go to APIs & Services > OAuth consent screen.
  • In your consent screen config page enter the scopes: https://www.googleapis.com/auth/chrome.management.policy or https://www.googleapis.com/auth/chrome.management.policy.readonly

    Note that added scopes are sensitive, so you may need to submit your app for verification, otherwise users may see a security warning screen (if your app is not internal).

  • Go to APIs & Services > Credentials > Create Credentials > OAuth client ID and follow the steps to create the credentials.

  • Optionally test your app in OAuth Playground (see How to).

Option 2: Service Account

  • Go to APIs & Services > Credentials > Create Credentials > Service account.
  • Enter service account name and click Create.
  • Create a key for your service account. Click Add Key and create a “json” key. Save the file in a secure location.
  • Use your service account with the proper admin privileges for the customer:
    • The customer may set up Domain Wide Delegation, after which the service account can impersonate a user/admin who has the proper privileges (see how),
    • or the customer may grant an admin role with the proper privileges to the service account directly (see how).
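
The following is an added example, not code from the original page: it checks a service account key file before use and lists policy schemas with the read-only scope, either through Domain Wide Delegation (admin_email set) or a directly granted admin role (admin_email omitted). It assumes the google-auth and requests packages are installed and that the list response carries a policySchemas field; the function names are hypothetical.

```python
import json
import os
import stat
from urllib.parse import quote, urlencode

# Read-only scope from the consent-screen step; enough for listing schemas.
READONLY_SCOPE = "https://www.googleapis.com/auth/chrome.management.policy.readonly"
API_ROOT = "https://chromepolicy.googleapis.com/v1"


def check_key_file(path):
    """Return a list of problems found with a service account JSON key file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit set (POSIX only)
        problems.append(f"mode {mode:03o} exposes the key to other users; use 600")
    with open(path, encoding="utf-8") as fh:
        info = json.load(fh)
    if info.get("type") != "service_account":
        problems.append("not a service account key")
    for field in ("client_email", "private_key", "token_uri"):
        if not info.get(field):
            problems.append(f"missing field: {field}")
    return problems


def schemas_url(customer="my_customer", schema_filter=None):
    """Build the policySchemas list URL, encoding caller-supplied values."""
    url = f"{API_ROOT}/customers/{quote(customer, safe='')}/policySchemas"
    if schema_filter:
        url += "?" + urlencode({"filter": schema_filter})
    return url


def list_policy_schemas(key_path, admin_email=None, schema_filter=None):
    """List schemas; admin_email set = domain-wide delegation, None = direct role."""
    problems = check_key_file(key_path)
    if problems:
        raise ValueError("refusing to use key: " + "; ".join(problems))
    # Imported here so the offline checks above work without google-auth.
    from google.auth.transport.requests import AuthorizedSession
    from google.oauth2 import service_account

    creds = service_account.Credentials.from_service_account_file(
        key_path, scopes=[READONLY_SCOPE], subject=admin_email)
    resp = AuthorizedSession(creds).get(schemas_url(schema_filter=schema_filter), timeout=30)
    resp.raise_for_status()
    return resp.json().get("policySchemas", [])
```

Requesting only the read-only scope here means the delegation entry in the Admin console must list that same scope, and a leaked key cannot be used to modify policies through this grant.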

Setup for a customer

Depending on which application type the developer created, the customer admin has different setup options.

"OAuth 2.0 Client" Apps

No special setup is needed.

App users require proper admin privileges (see how).

App users need to agree to the app OAuth pop-up consent screen. Optionally you may allow this app for Domain Wide Delegation (see how), which will omit the OAuth pop-up consent screen for the users.

Optionally verify that the app isn't blocked, or trust the app explicitly (see how).

"Service Account" Apps

Service account needs to be granted proper admin privileges. This can be done in 2 alternative ways:

  • Allow Domain Wide Delegation so the Service Account can impersonate an admin who has proper privileges (see how).
  • or grant Admin Roles for service account directly (see how).

"How to" guides

How to - Block an app / trust an app

  • As customer admin go to Google Admin console (https://admin.google.com/).
  • Navigate to Security > API Controls.
  • In the App access control section, click Manage third party app access.
  • If you don't see the app in the 'Connected apps' list, you may configure a new app.
  • You may now block the app or trust the app explicitly.

How to - Domain wide delegation

  • As customer admin go to Google Admin console (https://admin.google.com/).
  • Navigate to Security > API Controls > Domain-wide delegation.
  • Click Add new.
  • Enter client ID ("service account unique id" or "app client ID").
  • Enter all necessary OAuth scopes. Depending on the app, you may need to enter scopes for more than just the Chrome Policy API, e.g. the Directory API for managing devices, users, browsers, OUs, groups, etc.
  • Click Authorize.

How to - Admin privileges

Different portions of the Chrome Policy API require different admin privileges. See which admin privileges are required for Policy API. To grant privileges:

  • As customer admin go to Google Admin console (https://admin.google.com/).
  • Navigate to Admin roles page.
  • Find existing role or create a new role with necessary privileges.
  • Assign this role to the user email address or the service account email address.

How to - Test your app in OAuth Playground

  • In Cloud Console, when creating OAuth client ID for your app (see above OAuth 2.0 Client IDs section) select application type "Web Applications".
  • Enter a ‘Name’.
  • For the duration of testing, add https://developers.google.com/oauthplayground to the "Authorized redirect URIs" field. You may remove the redirect URI from your app when done testing.
  • Click Create and copy "client ID" and "client secret".
  • Go to OAuth Playground.
  • Click the gear icon in the top right corner (‘OAuth 2.0 Configuration’), select Use your own OAuth credentials, and enter the "OAuth Client ID" and "OAuth Client secret".
  • Follow the three steps in OAuth Playground:

    • "Step 1" Select & authorize APIs.

      Add https://www.googleapis.com/auth/chrome.management.policy (or other api scope) in the scope input field and click ‘Authorize APIs’. Authorize using a customer admin account. Agree to the terms.

    • "Step 2" Exchange authorization code for tokens.

      Click Exchange authorization code for tokens. Optionally click Auto-refresh the token before it expires.

    • "Step 3" Configure request to API.

      Enter your API URL in the ‘Request URI’ text box. Modify ‘HTTP Method’, ‘Enter request body’ etc. as per the API specification. For example, use the following URL to list policy schemas: https://chromepolicy.googleapis.com/v1/customers/my_customer/policySchemas?filter=chrome.printers