Smallstep can integrate with Google Workspace to keep your ChromeOS device inventory in sync.

You will need:

• A Smallstep team
• A Google Workspace tenant, with ability to manage domain-wide delegation
• A Google Cloud project, with ability to create service accounts and keys

In Google Cloud Console, select a project you will use for Smallstep. This can be any project, as long as you can grant domain-wide delegation to the client in a future step.

Your Google Cloud project must have the Admin SDK API enabled. By default, it is disabled.

1. Go to Admin SDK API for your project, and choose Enable API

1. In Google Cloud, visit IAM & Admin → Service Accounts
2. Choose Create service account
3. Set a Service account name, e.g. Smallstep Google Workplace Sync
4. Optionally, provide a Description for the account
5. Choose Done
6. Open the details for the Service Account you just created
7. Copy the Unique ID (numeric) and the Email shown on the details tab; you’ll need them later
8. Visit the Keys tab, and choose Add key, then Create new key
9. Choose Create to create a JSON key

A file containing the service account key will be downloaded. Keep this safe and secure!

1. In Google Admin, visit Security → Access and data control → API controls
2. Under Domain wide delegation, select Manage Domain Wide Delegation
3. In the API Clients table, select Add new

   1. Enter the Unique ID of the service account from Step 1

   2. For the OAuth Scopes, enter the following scope:

      https://www.googleapis.com/auth/admin.directory.device.chromeos
      

   3. Choose Authorize

In Smallstep, visit Settings → Device Management.

Configure a new Google Workspace Integration with the following values:

• The Customer ID of your Google Workspace tenant. The Customer ID is a short alphanumeric string. It can be obtained from the Google Workspace Admin Account Settings page
• The Service Account JSON key you downloaded earlier
• An email address of a user in your Google Workspace directory with admin permissions

After saving the Google Workspace connection, you will see settings for your integration.

1. Download the following Authority Certificates:

   • Smallstep Devices Root CA
   • Smallstep Devices Intermediate CA
   • Smallstep Agents Root CA
   • Smallstep Agents Intermediate CA

2. In Google Workspace, visit Devices → Networks → Certificates.

3. Choose an Organizational Unit, if desired

4. Choose Add certificate

   In the modal, configure the following:

   • Provide a descriptive name, e.g. Smallstep Devices Root
   • Upload the PEM file for the Smallstep Devices Root CA
   • Check ✅ Enabled for Chromebook
   • Choose Add

5. Repeat Step 4 for each of the certificates you downloaded

Within a few minutes, you should see all of your ChromeOS devices in Smallstep's Devices tab. A full sync is performed every 8 hours, and a partial sync every hour.