As a Chrome Enterprise administrator, you can remotely connect to and troubleshoot ChromeOS devices, including kiosk devices, by starting a Chrome Remote Desktop session from the Google Admin console.
There are 2 types of remote connections available in the Admin console. How you remotely connect to a device depends on whether or not the device is actively being used.
- Shared session—You can remotely support an active device to troubleshoot, grab logs, or perform maintenance with user consent. Users can see the screen during a shared session.
- Private session—On devices with ChromeOS version 132 or later, you can remotely access a device as long as no user is signed in. Only you, and not users, can see the screen during a private session. Once you're done, users can sign in and use their device as usual.
Choose which session type to use
Selecting the correct Chrome Remote Desktop session type is crucial for effective and secure remote administration.
Shared session
For example, a shared session suits admins who want to support a user in a specific flow, or cases where a user shows their admin a specific flow that is not leading to the expected results.
- The remote admin has a certain degree of trust in the local user present at the device.
- The remote admin will not be accessing sensitive or critical information, as the local user retains the ability to terminate the session and remove the admin.
- Network instability is a concern, and the presence of a local user can ensure the device is not left unattended and unlocked if the remote connection is lost, mitigating potential security risks.
- Admins should ensure that upon disconnecting a shared Chrome Remote Desktop session, all signed-in accounts on the device are signed out or locked to maintain security.
Private session
For example, a private session suits admins who are trying to reproduce a known issue where no user interaction is required: the focus is on the technology, with no interaction with the end user.
- The remote admin requires unattended access to the device without local user intervention.
- The remote admin needs to sign in with their private credentials and requires assurance that session disruptions due to network issues will not leave their private user sessions active on the device (as they will be signed out upon disconnection).
- The remote admin needs full control of the device without the risk of being disconnected by a local user or concerns about local users potentially accessing information during the session.
How to
(Private sessions only) Allow admin remote access connections
For private sessions, you need to enable remote access connections from enterprise admins.
- Sign in with an administrator account to the Google Admin console.
  If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Devices > Chrome > Settings > Device settings.
  Requires having the Mobile Device Management administrator privilege.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Sign-in settings.
- Click Enterprise remote access connections.
- Select Enable remote access connections from enterprise admins.
- Click Save.
Start a remote session to a device
- Sign in with an administrator account to the Google Admin console.
  If you aren’t using an administrator account, you can’t access the Admin console.
-
- Click the serial number of the device that you want to remotely access.
- On the left, click Remote Desktop.
  Note: For active user or managed guest session devices, the user needs to accept the connection request.
- Remotely connect to the device. Click Start shared session or Start private session.
- To open the remote session in a new window, click Start session.
Transfer files
On ChromeOS kiosk devices, you can transfer files to and from the remote host, which lets you download logs and upload required data to devices during troubleshooting.
- Sign in with an administrator account to the Google Admin console.
  If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Devices > Chrome > Settings > Device settings.
  Requires having the Mobile Device Management administrator privilege.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Kiosk settings.
- Click Allow remote access admins to transfer files to/from the host.
- Select Enable Chrome Remote Desktop File Transfer.
- Click Save.
You can now access file transfer under the File transfer section in the Chrome Remote Desktop options panel.
Additional background
Shared and private sessions
- If you're a Chrome Education Upgrade customer, make sure you turn on Chrome Remote Desktop in your Admin console. For details, see Turn Chrome Remote Desktop on or off for users.
- To connect remotely to a device, it must be online.
- To prevent you from remotely resetting user credentials, password recovery via Chrome Remote Desktop is blocked.
- All remote connection sessions are logged in the Admin audit log under ChromeOS Device Command.
- Delegated admins that have the Start Remote Desktop privilege can remotely connect to a user's device but cannot make changes within the device details. For details, see Delegate administrator roles in Chrome.
Shared sessions
- On a kiosk, when you start a shared support session:
  - If there was user activity on the device within the last 5 minutes:
    - You see a privacy warning: Device is in use.
    - If there’s new user activity while you are connected to the device, your remote session continues and you remain connected to the device.
  - If there was no user activity on the device within the last 5 minutes:
    - You see no privacy warning.
    - If there’s new user activity while you are connected to the device, your remote session terminates automatically and you are disconnected from the device.
- For user and managed guest sessions, when you start a shared session, users see a remote connection request. If users take no action, devices that are on a managed network and have had user activity in the last 5 minutes automatically start sharing after 30 seconds. Otherwise, you’ll have to wait until the user accepts the request before the shared session can continue.
- User activity includes mouse or keyboard activity, as well as signing in or unlocking the device.
- Managed networks include managed Wi-Fi and Ethernet networks, but exclude VPNs, managed proxies, and managed and unmanaged cellular networks.
Private sessions
- For private sessions on devices without any users signed in:
  - If the user returns to the device after the private session has ended—Before the user signs in, they see a message letting them know that their admin remotely connected to their device and performed some maintenance while they were away.
  - If the user returns to the device while the private session is in progress—The user can’t interact with the device and has to wait until the private session ends. They see a message letting them know that their admin is currently remotely connected and performing maintenance. The only action the user can take is to shut down the device using the power button, ending the current private session. When the private session ends, the user has full control of the device and can continue to sign in and use the device as usual.