Deploy Endpoint Verification

This document shows how administrators can deploy Endpoint Verification to their organization to assess and monitor the security posture of the devices in their organization. As an administrator, you deploy Endpoint Verification from the Google Admin console.

For more information about Endpoint Verification, see Endpoint Verification overview.

To deploy Endpoint Verification, you complete the following process:

  1. Turn on Endpoint Verification.
  2. Install Endpoint Verification on your devices.
  3. If required for your device type, install the Endpoint Verification helper app.

Before you begin

  1. You must have a Google Workspace administrator account with the Service Settings privilege.

  2. Log in to the Google Admin console by using your Google Workspace administrator account.

    Log in to Google Admin console

  3. You must have an organization unit with at least one device running one of the following operating systems:

    • ChromeOS
    • Apple® Mac® OS X® El Capitan (10.11) or later
    • Microsoft® Windows® 10 and 11
    • Linux® Debian® and Ubuntu®
  4. You must use Chrome 110 or later.

Turn on Endpoint Verification

To collect information about the devices accessing the resources of your organization, Endpoint Verification must be turned on for your organizational unit. By default, Endpoint Verification is turned on.

To confirm if Endpoint Verification is turned on, do the following:

  1. From the Admin console Home page, go to Devices.

    Go to Devices

  2. In the navigation menu, click Mobile & endpoints > Settings > Universal settings.
  3. Click Data Access > Endpoint Verification.
  4. From the Organizational Units pane, select your organization unit.
  5. Ensure that the Monitor which devices access organization data checkbox is selected.
  6. Click Save. If you configured a child organizational unit, you might be able to inherit or override the settings of a parent organizational unit.

Install Endpoint Verification on your devices

  1. From the Admin console Home page, go to Devices.

    Go to Devices

  2. In the navigation menu, click Chrome > Apps & extensions > Users & browsers.
  3. From the Organizational Units pane, select your organization unit for which you want to install the Endpoint Verification extension.

  4. Hold the pointer over Add, and click Add from Chrome Web Store.

  5. In the Search the store field, enter Endpoint Verification.
  6. Click Endpoint Verification and then click Select.
  7. In the Endpoint Verification dialog, ensure that Allow access to keys and Allow enterprise challenge are enabled.
    • Allow access to keys: allows the Endpoint Verification extension to access client certificates and keys on ChromeOS.
    • Allow enterprise challenge: allows the Endpoint Verification extension to use the Verified Access feature on ChromeOS. For more information, see Chrome Verified Access Overview.

  8. Click the Installation policy drop-down for Endpoint Verification, and select Force install.

  9. Click Save.

Install the Endpoint Verification helper app

If you want to do any of the following tasks, install the Endpoint Verification helper app on your organizational unit:

To install the helper app, you can use the device management tools such as Jamf on Apple Mac devices and Active Directory on Microsoft Windows devices.

Jamf

  1. Download the helper.dmg file.
  2. Mount the helper.dmg file and extract EndpointVerification.pkg.
  3. To deploy EndpointVerification.pkg, follow the instructions in Deploying Mac Packages. After the app appears in the Apps page, it's ready for deployment with Blueprint.
  4. To deploy the app to all devices, follow the instructions in Deploying an App to All Devices in a Blueprint.

Active Directory

  1. Download the EndpointVerification.msi file and use this file when creating a distribution point.
  2. Follow the instructions in Use Group Policy to remotely install software.

What's next