Initial Setup

Setup for a developer

Enable API suite for cloud project

  • Navigate to Cloud Console: https://console.cloud.google.com/.
  • Select existing cloud project or create a new one.
  • Go to APIs & Services > Enable APIs and Services.
  • Search for “Chrome”.
  • Select “Chrome Management API”.
  • Familiarize yourself with Terms of Service.
  • Click Enable.

Create Credentials

Alternative 1: OAuth 2.0 Client IDs

  • Before you are able to create "OAuth 2.0 Client ID" you need to first configure the OAuth consent screen with information about your application. In Cloud Console, go to APIs & Services > OAuth consent screen.

  • In your consent screen config page, enter the scopes:

    • For Reports API add: https://www.googleapis.com/auth/chrome.management.reports.readonly
    • For App Details API add: https://www.googleapis.com/auth/chrome.management.appdetails.readonly
    • For Telemetry API add: https://www.googleapis.com/auth/chrome.management.telemetry.readonly

    Note that added scopes are sensitive, so you may need to submit your app for verification. Otherwise, users may see a security warning screen if your app is not internal.

  • Go to APIs & Services > Credentials > Create Credentials > OAuth client ID and follow the steps to create the credentials.

  • Optionally, test your app in OAuth Playground (see How to).

Alternative 2: Service Account

  • Go to APIs & Services > Credentials > Create Credentials > Service account.
  • Enter service account name and click Create.
  • Create a key for your service account. Click Add Key and create “json” key. Keep track of the file in a secure location.
  • Use your service account with proper admin privileges for customer:
    • Customer may set up Domain-Wide Delegation and then the service account can impersonate a user/admin who has proper privileges (see how)
    • or customer may grant an admin role with proper privileges to the service account directly (see how).

Setup for a customer

Depending on which application type the developer created, the customer admin has different setup options.

"OAuth 2.0 Client" Apps

No special setup is needed.

App users require proper admin privileges (see how).

App users need to agree to the app OAuth pop-up consent screen. Optionally, you can allow this app to use Domain-Wide Delegation (see how), which will omit the OAuth pop-up consent screen for users.

Optionally verify if the app isn't blocked, or trust the app explicitly (see how).

"Service Account" Apps

The service account must be granted proper admin privileges. You can do this in either of two ways:

  • Allow Domain-Wide Delegation so the Service Account can impersonate an admin that has proper privileges (see how).
  • Grant Admin Roles for the service account directly (see how).

"How to" guides

How to block or trust an app

  • As customer admin, go to Admin Console (https://admin.google.com/).
  • Navigate to Security > Access and data control > API controls.
  • In the App access control section, click Manage third party app access.
  • If you don't see the app in the 'Connected apps' list, you can configure a new app.
  • You can now block the app or trust the app explicitly.

How to enable domain-wide delegation

  • As customer admin, go to Admin Console (https://admin.google.com/).
  • Navigate to Security > Access and data control > API controls > Domain-wide delegation.
  • Click Add new.
  • Enter client ID ("service account unique id" or "app client ID").
  • Enter all necessary OAuth scopes. Depending on the app, you may need to enter scopes for more than just Chrome Management API; e.g. the Directory API for managing devices, users, browsers, OUs, groups, etc.
  • Click Authorize.

How to manage admin privileges

For different portions of the Chrome Management APIs, different admin privileges are needed. See which admin privileges are required for Reports API, App Details API, or Telemetry API.

To grant privileges:

  • As customer admin, go to Admin Console (https://admin.google.com/).
  • Navigate to Admin roles page.
  • Find an existing role or create a new role with the necessary privileges.
  • Assign this role to the user email address or the service account email address.

How to test your app in OAuth Playground

  • In Cloud Console, when creating an OAuth client ID for your app (see above OAuth 2.0 Client IDs section) select application type "Web Applications".
  • Enter a ‘Name’.
  • To test your app, add https://developers.google.com/oauthplayground to the "Authorized redirect URIs" field. You can remove the redirect URI from your app when you're done testing.
  • Click Create and copy "client ID" and "client secret".
  • Go to OAuth Playground
  • Click the gear icon in the top right corner (‘OAuth 2.0 Configuration’), select Use your own OAuth credentials, and enter "OAuth Client ID" and "OAuth Client secret".

  • Follow these steps in OAuth Playground

    • Select & authorize APIs.

      Add https://www.googleapis.com/auth/chrome.management.reports.readonly (or other api scope) in the scope input field and click ‘Authorize APIs’. Authorize using a customer admin account. Agree to the terms.

    • Exchange authorization code for tokens.

      Click Exchange authorization code for tokens. Optionally, click Auto-refresh the token before it expires.

    • Configure request to API.

      Enter your API URL in the ‘Request URI’ text box. Modify ‘HTTP Method’, ‘Enter request body’, etc. as per the API specification. For example, use the following URL to count the installed Apps in your organization: https://chromemanagement.googleapis.com/v1alpha1/customers/my_customer/reports:countInstalledApps