Installing Theft Recovery

Theft Recovery is new and improved in Admin 2.0! This article will cover:

• How to configure an OU for your missing or stolen devices
• Install the Theft Recovery app
• Authorize GoGuardian to sync with Google Admin Console
• Sync your device information with Google Admin Console

Note for users of the "Classic View" version of Theft Recovery: Theft Recovery 2.0 requires a slightly different setup and the installation of a new kiosk app. Please follow this guide to ensure a successful migration. 

If you would prefer to watch the video, you can find it below.

Step 1: Create a Theft Recovery OU for missing devices

A new, custom OU must be created with specific Device Settings in order to use Theft Recovery 2.0. When a device is placed into this OU using the Theft Recovery UI, Theft Recovery Mode will activate.

1. Sign in to Google Admin Console
2. Click Devices
3. Navigate to Chrome > Devices
4. The sidebar on the left will contain your OU structure. Click Manage Organizational Units at the bottom.
5. Click the yellow "+" icon and create a new sub-OU in the location of your choice. The name of this OU must contain the words "stolen devices." Your OU structure can contain multiple Theft Recovery OUs as long as they contain the words "stolen devices" and are configured appropriately.
   
   Note: If you have previously configured a stolen devices OU for the "Classic View" version of Theft Recovery, the existing OU can be reused, but make sure that your device settings match the configuration in Step 2 and the new Theft Recovery App is installed.

Step 2: Configure your Theft Recovery OU 

Configure your Theft Recovery OU to launch the GoGuardian kiosk App. The App will record geolocation data and take screenshots as the device is used while Theft Recovery mode is active.

1. Sign in to Google Admin Console
2. Click Devices
3. Navigate to Chrome > Settings > Device
4. Select your newly created Stolen Devices OU from the sidebar to modify the OU's Device Settings.
   
   VERY IMPORTANT! Ensure that your Stolen Devices OU is selected on the OU sidebar before making these changes! 
   
   ***If you configure Theft Recovery at your domain level or any typical OU that contains your devices, it will put every device in that OU into Theft Recovery mode and generate a Theft Recovery session for every device in that OU! Please exercise caution.***
   
   Protip: Use CTRL+F or COMMAND+F to easily find the following settings
5. Set Guest Mode to Do not allow guest mode
   
6. Set Sign-In Restriction to Do not allow any user to sign-in
7. Set Scheduled Reboot to 1
   Note: Once placed in the Theft Recovery OU, a device must be rebooted at least once to launch the App. This setting will force the device to reboot once per day. 
8. Save the settings by clicking the Save button in the top right corner 

Step 3: Install the Kiosk App

1. Navigate back to the Chrome Management page under Devices > Chrome
2. Navigate to Apps & extensions > Kiosks
3. Select your Stolen Devices OU from the list of Organizational Units
4. Click the yellow "+" icon on the bottom right, then choose the "waffle" icon at the top of the list to Add an App by Extension ID
   
5. Add the App ID alaoimaeafbgfglpffgcidfgbjnekifp
6. Choose From a custom URL from the drop-down menu
   
7. Add the App URL https://clients2.google.com/service/update2/crx
8. Click Save
   Note: If the Classic View Theft Recovery App, titled Loading, is already installed, remove it from the Kiosk Apps list and replace it with the Welcome App. 
9. Under Auto Launch App, select the Welcome App from the drop-down menu
   
10. Save the settings by clicking the Save button in the top right corner 

Step 4: Authorize GoGuardian to sync with Google Admin Console

This will authorize GoGuardian to sync with your Google Admin Console so we can track your stolen devices.

1. Sign in to GoGuardian and navigate to the Theft Recovery Dashboard
2. Click the triple-dot stack icon in the top right corner of the Theft Recovery Dashboard
3. Click Authorize With Google to open the authorization tool
4. Click the green Authorize button when prompted
5. Select your Google Admin Super User account, if signed into multiple Google accounts
6. Click the blue Allow button to complete the authorization process

Note: Your Google Admin Account must have the following permissions. 

• Provision and delete users on your domain: View and modify details (e.g., name, address, and phone number) and metadata (e.g., login details) of users on your domain
• View metadata (e.g., name and description) of organization units
• View all your Chrome OS devices' metadata (e.g., mac address, model, and OS version) View and update a specific Chrome OS device's metadata

If you're unsure if your account has these permissions, please verify with Google. Otherwise, you may receive an authorization error. 

Step 5: Sync Devices from Google Admin Console 

This will import all device information from Google Admin Console.

1. Sign in to GoGuardian and navigate to the Theft Recovery Dashboard
2. Click the triple-dot stack icon in the top right corner of the Theft Recovery Dashboard
3. Click Sync Devices 
4. Click the green Sync button