Theft Recovery

This article will cover:

• How to configure an OU for your missing or stolen devices,
• Install the Theft Recovery app,
• Authorize GoGuardian to sync with the Google Admin Console
• Sync your device information with the Google Admin Console

Note for users of the "Classic View" version of Theft Recovery: Theft Recovery 2.0 requires a slightly different setup and the installation of a new kiosk app. Please follow this guide to ensure a successful migration. 

Step 1: Create a Theft Recovery OU for missing devices

A new, custom OU must be created with specific Device Settings in order to use Theft Recovery 2.0. When a device is placed into this OU using the Theft Recovery UI, Theft Recovery Mode will activate.

1. Sign in to Google Admin Console
2. Click Devices
3. Click Chrome
4. Click Settings
5. Click Device
6. The sidebar on the left will contain your OU structure. Click the blue link at the bottom to MANAGE ORGANIZATIONAL UNITS. Create a new sub-OU in the location of your choice. The name of this OU must contain the words "stolen devices." Your OU structure can contain multiple stolen devices OUs as long as they contain the words "stolen devices" and are configured appropriately.
   
   Note: If you have previously configured a stolen devices OU for the "Classic View" version of Theft Recovery, the existing OU can be reused, but make sure that your device settings match the configuration in Step 2 and the new Theft Recovery App is installed.

Step 2: Configure your Stolen Devices OU and Install the Kiosk App

Configure your stolen devices OU to launch the GoGuardian Kiosk App. The App will record geolocation data and take screenshots as the device is used while Theft Recovery mode is active.

1. Sign in to Google Admin Console
2. Click Devices
3. Click Chrome
4. Click Settings
5. Click Device
6. Select your newly created Stolen Devices OU from the sidebar to modify the OU's Device Settings.
   
   VERY IMPORTANT! Ensure that your Stolen Devices OU is selected on the OU sidebar before making these changes! 
   ***If you configure your domain level or any typical OU that contains your devices, it will put every device in that OU into Theft Recovery mode and generate a Theft Recovery session for every device in that OU! Please exercise caution***
   
   Protip: Use CTRL+F or COMMAND+F to easily find the settings
   
   
7. Set Guest Mode to Do not allow guest mode
   
8. Set Sign-In Restriction to Do not allow any user to sign-in
9. Set Scheduled Reboot to 1
   Note: Once placed in the Theft Recovery OU, a device must be rebooted at least once to launch the App. This setting will force the device to reboot once per day. 
10. Find Kiosk Settings and click the Apps & Extensions Page link
11. Click the Yellow + bubble in the bottom right corner and find the add Chrome App or Extension by ID 
12. Add the App ID alaoimaeafbgfglpffgcidfgbjnekifp
13. Select the drop down to change From the Chrome Web Store to From a custom URL
14. Add the App URL https://clients2.google.com/service/update2/crx
15. Click Add
16. Verify that the app, titled Welcome, has been added to the right under Total to Install. 
    Note: If the Classic View Theft Recovery App, titled Loading, is already installed, remove it from the Kiosk Apps list and replace it with the Welcome App. 
17. Click Save to close the dialog box
18. Under Auto Launch Kiosk App, Select the Welcome App from the drop-down menu
19. Save the settings by clicking the Save button in the bottom right corner 

Step 3: Authorize GoGuardian to sync with Google Admin Console

This will authorize GoGuardian to sync with your Google Admin Console so we can track your stolen devices.

Required G Suite Privileges:

1. Admin API Privileges:
   • Domain Management
   • Organizational Units
   • Users
2. Admin Console Privileges
   • Chrome Management 

Configuration Walkthrough

1. Sign in to GoGuardian and navigate to the Theft Recovery Dashboard
2. Click the menu icon found in the top right corner of the Theft Recovery Dashboard
3. Click Authorize With Google to open the authorization tool
4. Click the green Authorize button when prompted
5. Select your Google Admin Super User account, if signed into multiple Google accounts
6. Click the blue Allow button to complete the authorization process

Note: Your Google Admin Account must have the following permissions. 

• Provision and delete users on your domain: View and modify details (e.g. name, address, and phone number) and metadata (e.g. login details) of users on your domain
• View metadata (e.g. name and description) of organizational units
• View all your Chrome OS devices' metadata (e.g. mac address, model, and OS version)
• View and update a specific Chrome OS device's metadata

If you're unsure if your account has these permissions, please verify with Google. Otherwise, you may receive an authorization error.

Step 4: Sync Devices from Google Admin Console 

This will import all device information from the Google Admin Console.

1. Sign in to GoGuardian and navigate to the Theft Recovery Dashboard
2. Click the menu icon found in the top right corner of the Theft Recovery Dashboard
3. Click Sync Devices 
4. Click the blue Sync button

Now that Theft Recovery 2.0 is configured, let's test it out!