Setup for a developer
Enable API suite for cloud project
- Navigate to Cloud Console: https://console.cloud.google.com/.
- Select existing cloud project or create a new one.
- Go to
APIs & Services > Enable APIs and Services
. - Search for “Chrome”.
- Select “Chrome Policy API”.
- Familiarize yourself with Terms of Service;
- Click
Enable
.
Create Credentials
Option 1: OAuth 2.0 Client IDs
- Before you are able to create "OAuth 2.0 Client ID" you need to first configure the OAuth consent screen with information about your application.
In Cloud Console go to
APIs & Services > OAuth consent screen
. In your consent screen config page enter the scopes:
https://www.googleapis.com/auth/chrome.management.policy
orhttps://www.googleapis.com/auth/chrome.management.policy.readonly
Note that added scopes are sensitive, so you may need to submit your app for verification, otherwise users may see a security warning screen (if your app is not internal).
Go to
APIs & Services > Credentials > Create Credentials > OAuth client ID
and follow the steps to create the credentials.Optionally test your app in OAuth Playground (see How to).
Option 2: Service Account
- Go to
APIs & Services > Credentials > Create Credentials > Service account
. - Enter service account name and click
Create
. - Create a key for your service account. Click
Add Key
and create “json” key. Write the file down in a secure location. - Use your service account with proper admin privileges for customer:
Setup for a customer
Depending on which application type the developer created, the customer admin has different setup options.
"OAuth 2.0 Client" Apps
No special setup is needed.
App users require proper admin privileges (see how).
App users need to agree to the app OAuth pop-up consent screen. Optionally you may allow this app for Domain Wide Delegation (see how), which will omit the OAuth pop-up consent screen for the users.
Optionally verify if app isn't blocked or trust the app explicitly (see how).
"Service Account" Apps
Service account needs to be granted proper admin privileges. This can be done in 2 alternative ways:
- Allow Domain Wide Delegation so the Service Account can impersonate an admin who has proper privileges (see how).
- or grant Admin Roles for service account directly (see how).
"How to" guides
How to - Block an app / trust an app
- As customer admin go to Google Admin console (https://admin.google.com/).
- Navigate to
Security > API Controls
. - In
App access control
section click onManage third party app access
. - If you don't see the app in 'Connected apps' list, you may configure a new app.
- You may now block the app or trust the app explicitly.
How to - Domain wide delegation
- As customer admin go to Google Admin console (https://admin.google.com/).
- Navigate to
> Security > API Controls > Domain-wide delegation
. - Click
Add new
. - Enter client ID ("service account unique id" or "app client ID").
- Enter all necessary OAuth scopes. Depending on an app you may need to enter scopes for more than just Chrome Policy API, e.g. the Directory API for managing devices, users, browsers, OUs, groups, etc.
- Click
Authorize
.
How to - Admin privileges
For different portions of the Chrome Policy APIs different admin privileges are needed. See which admin privileges are required for Policy API. To grant privileges:
- As customer admin go to Google Admin console (https://admin.google.com/).
- Navigate to
Admin roles
page. - Find existing role or create a new role with necessary privileges.
- Assign this role to the user email address or the service account email address.
How to - Test your app in OAuth Playground
- In Cloud Console, when creating OAuth client ID for your app (see above OAuth 2.0 Client IDs section) select application type "Web Applications".
- Enter a ‘Name’.
- For the time of testing, add
https://developers.google.com/oauthplayground
to the "Authorized redirect URIs" field. You may remove the redirect URI from your app when done testing. - Click
Create
and copy "client ID" and "client secret". - Go to OAuth Playground.
- Click a gear icon in the right top corner (‘OAuth 2.0 Configuration’) and select
Use your own OAuth credentials
and enter "OAuth Client ID" and "OAuth Client secret". Follow three simple steps in OAuth Playground
"Step 1" Select & authorize APIs.
Add
https://www.googleapis.com/auth/chrome.management.policy
(or other api scope) in the scope input field and click ‘Authorize APIs’. Authorize using a customer admin account. Agree to the terms."Step 2" Exchange authorization code for tokens.
Click
Exchange authorization code for tokens
. Optionally clickAuto-refresh the token before it expires
."Step 3" Configure request to API.
Enter your API URL in ‘Request URI’ text box. Modify ‘HTTP Method’, ‘Enter request body’ etc. as per the API specification. For example put following URL to list policy schemas:
https://chromepolicy.googleapis.com/v1/customers/my_customer/policySchemas?filter=chrome.printers