How does eG Enterprise Monitor Google Chromebooks Group?

eG Enterprise collects metrics from the Google Chromebooks Group in an agentless manner only - i.e., using an eG remote agent deployed on any Windows/Linux host/VM in the environment. This agent makes REST API calls to Chrome Management Telemetry API to monitor the operation and health of devices running ChromeOS within the Google Workspace console. In order to collect the performance metrics, the following pre-requisites should be fulfilled:

  • Ensure that the ChromeOS devices to be monitored are bundled with Chrome Enterprise Upgrade or Chrome Education Upgrade license offered as part of ChromeOS device management.

  • To connect to the Google Workspace, the eG agent should be configured with name of a private key file of a service account. For this purpose, first, you need a service account with the following roles in the target project.

    • Compute Viewer

    • Monitoring Viewer

    • Cloud Asset Viewer

    If the service account with the mentioned roles is already exist in the project, administrators can use the existing service account. If not, administrators should create a service account using the steps explained in the Creating a Service Account section

  • Once the service account is created, download the private key file of the service account. The steps for doing this are given in the Downloading Service Account Key section

  • Determine the Customer ID of the organization to which the target Google Chromebooks Group belongs to. A customer ID is a unique identifier assigned to each organization in the Google Workspace environment when customers sign up for Google Workspace services. The customer ID is a string of characters that uniquely identifies the Google Workspace account and used by Google to distinguish an organization from others. To enable the eG agent to communicate with the devices in the target Google Chromebooks Group and make the REST API calls, the eG tests executed by the eG agent should be configured with the customer ID assigned to the organization to which the Google Chromebooks Group is mapped to. To know how to obtain the customer ID, refer to Obtaining Organization/organizational Unit (OU) ID section

Creating a Service Account

The first step to configure the eG agent to monitor the Google Cloud is to create a service account with the following roles in the target project.

  • Compute Viewer

  • Monitoring Viewer

  • Cloud Asset Viewer

To achieve this, follow the steps below:

  1. Log on to the IAM console by using an Google Cloud account.

  2. If you have multiple projects, select the project where you want to create the service account from the project selector drop down menu (see Figure 1).

    Figure 1 : Selecting a project

  3. Click on the menu icon on the top left corner of the console, then select the Service Accounts option from the IAM & Admin tree in the left-side navigation menu as shown in Figure 2.

    Figure 2 : Selecting the Service Accounts option from the IAM & Admin tree

  4. Selecting the Service Accounts option will invoke the Service Accounts page where you can view the list of service accounts (if any) created for the chosen project. In this page, click on the Create Service Account button as shown in Figure 3.

    Figure 3 : Creating a service account

  5. Enter a name for the service account, and optionally, provide a description in as shown in Figure 4. Next, click the create and continue button to proceed to the next step.

    Figure 4 : Configuring details for the service account

  6. Next, you will be prompted to grant permissions to the service account (see Figure 5) in the Grant this service account access to project section. To the monitor the services in the project, the service account should be created with Compute Viewer, Monitoring Viewer, and Cloud Asset Viewer roles.

    Figure 5 : Setting roles for the service account

    Once you set the required roles, press continue button to proceed to next step. If you want the service account to have access to specific resources (e.g., Cloud Storage buckets, Compute Engine instances), you can specify these permissions in the Grant users access to this service account section.

  7. Finally, click Done button to create the service account. The newly created service account will be listed in the Service Accounts page as shown in Figure 6.

    Figure 6 : The new service account

Downloading Service Account Key

To pull useful metrics related to the services, the eG agent needs to be configured with a JSON key file, also known as a service account key, that contains authentication credentials for a service account created in the project. When you create a service account in any of the projects in GCP, you have an option to create a private key for that service account in the form of a JSON file. The JSON key file includes information such as email address, unique identifier (private key ID), and the private key of the service account. The JSON key file is used to identify and verify a service account. The following sections will explain how to create a service account and generate key file for the same. To download the key associated with the created service account, do the following:

  1. Choose the service account for which you want to download the key in the list of service accounts (see Figure 6). Click on the service account name to open its details. This will invoke Figure 7:

    Figure 7 : The details of selected service account

  2. In the Service account details page, navigate to the Keys tab. Under the Keys tab section, you can see a list of existing keys, if any. To create a new key, click on the Add Key dropdown and select the Create new key option.

  3. Next, select the JSON key type in the prompt that appears and click on the Create button (see Figure 8).

    Figure 8 : Creating the private key

    This will generate the JSON key file for the service account. The key file will be downloaded to your local system automatically as depicted by the following image.

    Figure 9 : Downloading the keyfile to the local system

  4. Once the key file is downloaded, make sure to store it securely since the private key file contains sensitive information that grants access to your Google Cloud resources.

  5. Then, copy the downloaded key file to the <eG_Install_Dir>/agent/lib folder and provide its name against the private keyfile name parameter while configuring the tests for the target component using the Specific Test Configuration page.

Obtaining Organization/organizational Unit (OU) ID

To obtain the organization unit (OU) ID from the Google Workspace Admin console, follow the steps given below:

  1. First, go to the Google Workspace Admin console and sign in using an administrator account.

  2. In the side navigation menu, click on the Devices option provided below the Chrome sub-node under the Devices node.

  3. This will list the organizational units and the Chrome devices managed by those organizational units upon clicking the organizational unit in the right panel.

  4. To know the ID of the organizational unit of your interest, click on the organization unit's name (see fig).

  5. Now, the URL that appears upon clicking on the organizational unit will contain the OU ID at the end.

  6. Once you obtain the OU ID from the URL, copy the ID and use it while adding the Google Chromebooks Group component for monitoring.

Determining the Customer ID

To determine the customer ID that is mapped to the organization to which the target Google Chromebooks Group belongs to, do the following:

  1. Go to the Google Workspace console.

  2. Sign in to the console using administrator privileges.

  3. In the Admin console that appears, click on the hamburger menu icon in the upper-left corner.

  4. Then, navigate to the Account Settings option under the Account node in the menu. This will open the Account Settings page in the right-panel as shown in Figure 10.

    Determining Customer ID

    Figure 10 : Determining the Customer ID

    The Account settings page displays organization's details such as name, primary admin and the customer ID of the organization. Now, obtain the customer ID mapped to the organization displayed in the page (as highlighted in Figure 10). Specify this customer ID against the customer ID when you configure the eG tests.