TestNav - ChromeOS Managed Devices
Technical Bulletin
Updated: May 5, 2023; Published: April 20, 2023
What is happening?
Pearson support is aware that students assigned managed ChromeOS devices can bypass security settings by performing a series of processes that include resetting the device to factory settings (powerwashing or wiping) and then reconfiguring the device as unmanaged.
Pearson does not support unmanaged ChromeOS devices for secure testing. To prevent students from testing on unmanaged devices, Pearson recommends using ChromeOS 108 LTS or ChromeOS 111+, disabling developer tools, forcing re-enrollment, and checking each device's managed status on test day.
Customers on ChromeOS 109 or 110 whose devices are not eligible for upgrade to 111+ can roll back ChromeOS to version 108 LTS.
What does this mean?
To prevent students from testing on unmanaged (non-secure) ChromeOS devices, technology personnel should
- Update or roll back ChromeOS to either version 108 LTS or 111+.
- Disable developer tools on each testing device.
- Set each device to force re-enrollment as a managed device after it's powerwashed/wiped and restarted for reuse. This is a best practice.
- Immediately before the start of the test session, check the managed status of each device. Teachers or proctors can also complete this task.
See instructions for processes below.
What do I need to do (and how do I do it?)
To use ChromeOS 108 LTS or ChromeOS 111+:
Use your established practice for updating ChromeOS testing devices.
Customers that need to to roll back ChromeOS, see Roll back ChromeOS to a previous version.
To block Chrome developer tools:
- Sign in to your Google Admin Console and select Chrome > Settings > Users & browsers
- Select or search for the organizational unit for which you want to apply (or verify) these settings. The example below shows Pearson as the intended organization. Your organization will be a district or school
- Search for Developer tools in the User experience section. Then, select Never allow use of built-in developer tools.
To set or verify your organization's forced re-enrollment settings:
- Sign in to your Google Admin Console and select Devices > Chrome > Settings > Device.
- Select or search for the organizational unit for which you want to apply (or verify) these settings. The example below shows Pearson as the intended organization. Your organization will be a district or school
- In the Forced Re-enrollment section, select one of the options below:
- Force device to automatically re-enroll after wiping
- Or, Force device to re-enroll with user credentials after wiping
To check the managed status of each device:
- When the student turns on the ChromeOS device, check the screen where the account icon appears. If the student has signed in to the device, instruct them to sign out to see this screen.
- Below the account icon and the start arrow, a managed device will display the managed device icon () and the domain that manages it. The example below shows Chromebook managed by your-domain_here
You can also see the managed icon at the bottom-right of the screen in the status bar before the student signs in to the device. The status bar includes the time, the managed icon (if managed), and more. Selecting anywhere in the status bar opens its menu, where you can also see that the device is managed. Click to enlarge.
Assign the student a different, managed testing device or re-enroll the device as managed if:
- The managed icon does not appear, indicating that the device is unmanaged.
- More than one account appears on the account icon page, indicating that the device might also contain an unmanaged profile.
Pearson will provide an update on resolution status once one has been reached either by Google or Pearson engineering. Monitor TestNav Online Support's Recently Updated page for the most current information.