Summer Maintenance: Chromebook Cleanup

Chromebook Summer Maintenance Graphic

For students and teachers, summer means time off, but school IT departments take this time to perform significant infrastructure changes. Minimal staff and students on site is a chance to do the things that they won’t have the opportunity to accomplish when school is in full swing. Management of end-user devices is often a focus during this time.

One of the common summer tasks IT departments face is refreshing their fleet of devices and re-imaging existing devices.  In the past, reimaging devices could take an excessive amount of time and attention, causing it to fall on a bi-annual occasion.  With the move to Chromebooks and the ease of wiping, this process takes less time now than ever.  But, as easy as it is, there is an even easier, less involved method.

Chromebooks are designed to erase any user data for accounts which have not signed in for 90 days.  This cleanup is automatic and cannot be changed. In addition, there is the option to erase local user data in Device Settings.  Generally it’s recommended not to set this option to erase user data as it prevents tracking who signed into the device from the Admin Console, however it can be helpful at the end of the year to prevent having to touch every device This works best if it’s applied while students are using devices in the last couple weeks of school.  Just remember to change it back before the start of the next school year.

On the topic of device refreshes, understanding what happens to a device license is critical.  A few common questions we see in our support portal are “What is the difference between wiping a Chromebook and Powerwashing?” and “What happens to the license when each happens?” 

There are 2 types of Chromebook Management licenses for Chrome Devices.  The first is an Annual License.  This license starts at $30 MSRP every year and is fully transferable between devices.  If you retire a device from a fleet with one of these licenses, the license is available for the replacement device regardless of make and model.  

The second type of license is a Perpetual License.  This license type is $250 MSRP, however, EDU customers pay $30.  Though this is a one time fee, it is associated with the make and model of the first device to claim the license.  This is the type of license the vast majority of EDU customers use.  A $30 fee once a refresh cycle (between 4 and 5 years) rather than a $30 fee every year is the main driving force behind this decision.

To further answer the questions above, some definitions are needed.

Refresh definitions graphic

The first two definitions are actions that can be done by users.  Powerwashing, as a general rule, can only be done to a device before it has been enrolled in the domain.  There is an exception with a setting within Device Settings that would allow a user to powerwash a device that does not have a firmware update applied, however the option to powerwash a device disappears once the device is successfully enrolled in a managed domain.

Hard Resetting a Chrome device is an extremely easy process and is often done by students attempting to bypass security settings that have been applied by administrators.  Pressing the aforementioned keystroke will cause the device to hard reboot. When the device starts up again, a screen with “Damaged or missing OS” is shown to the user.  If at this point a user reboots again, typically the device is started in normal mode with no data missing or erased. However, pressing “Ctrl+D” at this screen will start the move to Developer (or “Unverified boot”) mode, erasing the local content and setting the device back to factory settings.

With the Force re-enrollment option within Device settings enabled, the move to Developer mode will fail, and the device will move back to Verified Boot mode.  After a device is hard reset, the device will require an authorized user of the domain it was enrolled in to re-enroll it before the device is able to be used. All Wifi networks, managed and unmanaged, will be missing, and will need to be rejoined.  The Chromium team has announced that there is a new feature with Version 76 that will allow admins to configure their devices to automatically re-enroll devices if they’re wiped.  This feature will be available in the Admin Console “in June 2019 (with an incremental rollout)…” After the rollout is completed, this will become the default behavior for new Admin Consoles and anywhere the setting has not been moved away from the default.

Neither of these methods will free up a license, or disassociate one from the device.  If Force re-enrollment is not enabled and a device is Hard Reset, the license is still tied to the device in the Admin Console.  However, the device does not check in with the domain to get any policies unless the user has opted in to enroll the device back onto the domain.  At that point, any user can perform a Hard Reset, and drop the policies and enrollment of the device. The only indicator that this has happened within the Admin Console would be by checking the Device’s “Last Sync” date.  This value is the last time that the device reported it’s activities to Google and the last time that it received any policy from the Admin Console.

You may find this guide on 3 Easy Ways to Refresh Your Chromebooks useful.

The second two definitions are actions that can only be done by Administrators.  Disabling a device is a temporary setting. A display message for each Org Unit is configured in Device Settings that will display when a managed device is set to a disabled state.  While a device is disabled, the license that is associated with the device appears in the Available count in the Admin Console, however, this license will follow the rules of its license type, generally for schools only being available for the same make/model of the device that was disabled.

During the disabled state, all users are logged out, and nothing can be done with the device other than reading the Disabled message.  Google recommends this for Lost/Stolen devices or perhaps for forcing users to logout. If a Device is no longer enrolled as described in the above paragraph, setting the state to Disabled will do nothing since the device is no longer checking into the Admin Console to receive policy updates.

Deprovisioning a device means moving the device to a state where it is no longer managed at all by the domain.  Reasons for deprovisioning a device include returning a device for repair or exchange, replacing the device with a different make/model, or retiring the device from the fleet.  What you select will determine whether the licenses become available for other devices. With the standard Perpetual license, only selecting replacement with the same make/model (RMA or repair) will make the licenses available for the same make and model devices.

Once a device is deprovisioned, it can be Hard Reset and it will become an unmanaged device.  Failure to Hard Reset the device will result in the device retaining its final Policies that were applied to it, minus the Force re-enrollment policy will be set to false.

When devices reach their Auto Update Expiration (formerly known as End of Life), Any licenses associated with that make/model of device will show up in the “No longer available” category.  Existing licenses that are being used to manage enrolled devices will continue to work, but policies that are not compatible with the device’s version will not be applied to the devices.  Be aware that devices that have reached their AUE will not be able to be newly enrolled.  This is especially important to know if you see some devices on sale for a price that is too good to be true.  The #1 most important bit of information when choosing a replacement Chromebook is when is the devices AUE. All can be found on this page.

If your team could use support with managing your Chromebook refresh, book some time in with our support team by reaching out to support@amplifiedit.com

Find this article useful? Share it!

  • Stephen Gale
    Technical Support Analyst

  • About the Author:

    Stephen lives in Utah and enjoys the puzzle of investigating users’ problems and finding potential solutions. A recovering / reformed Gamer, Stephen throws himself into his passion for staying on top of all things Chrome OS and Chromebook related.  Prior to joining Amplified IT, Stephen served as a Network Admin in a Therapeutic Boarding School and an IT director, where he implemented G Suite for Education. Stephen has studied computer science and security at Weber State University, Western Governors University. A self-anointed honor, Stephen likes Chromebooks more than almost anyone else in the world.