Restricting Chromebooks to a Single User

Dean_Mantz
Contributor

I have a friend in another school district whose superintendent has approached him to lock down each Chromebook to a single user. I am wondering if there is a more straightforward method to this request, rather than accessing each Chromebook device in the Admin Console and providing the assigned username as explained in the following steps.

  • Sign in to the Google Admin console as a Super Administrator.
  • Navigate to Devices > Chrome > Settings > Device.
  • Find the Sign-in settings section.
  • Set Sign-in restriction to Restrict sign-in to a list of users.
  • Enter the specific users (e.g., user@example.com) or organizational unit (OU) you want to allow, or use the DeviceUserAllowlist policy for individual devices.
  • Save your changes.

Thanks in advance for any additional insight! 

2 ACCEPTED SOLUTIONS

Olger
New Contributor III

We 'lock down' chromebooks to users. But we've taken a different approach to it. We use GAM to parse all chromebooks every 10 minutes, then compare the assigned user to the recent user. If there's a mismatch, GAM suspends the recent user. We run this script from a Windows server, and have been doing so for about 3 years now I think. Students know this happens, and 'offenders' are few and far between nowadays. Usually new students who forgot, or students who weren't paying attention. They all have to come to IT to get their account unlocked.

The script is a PowerShell script that invokes GAM for reading and writing to and from Workspace. It's about 100 lines of code (not optimized so could probably be shorter) and uses the device note field in Workspace to make sure they don't get blocked again on the same day. The script logs incidents in a logfile and students usually go silent when we can specify the exact time when they used the wrong chromebook, and which chromebook 😄

We only use this for our high school students (about 250) as they have assigned chromebooks.

I can share the script if there's interest.
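The mismatch check Olger describes, written up as an added example in Python (Olger's own script is PowerShell and is not posted in this thread). It assumes a CSV export from `gam print cros` with the column names shown, a note format of `blocked:<date>:<user>` for the once-per-day rule, and it returns the GAM commands rather than executing them so the plan can be reviewed before being wired to a scheduled task.

```python
"""Assigned-user vs recent-user check over a GAM device export (dry run).

Assumed (not from the thread): the CSV comes from something like
  gam print cros fields deviceId,serialNumber,annotatedUser,recentUsers.0.email,notes
and the note-field convention 'blocked:<YYYY-MM-DD>:<user>' is ours.
"""
import csv
import io

# Constructed sample export: compliant device, a mismatch, a mismatch already
# handled today (note field set), and an unassigned loaner that is skipped.
SAMPLE_CSV = """deviceId,serialNumber,annotatedUser,recentUsers.0.email,notes
dev-001,SN0001,alice@example.org,alice@example.org,
dev-002,SN0002,bob@example.org,carol@example.org,
dev-003,SN0003,dave@example.org,erin@example.org,blocked:2024-03-05:erin@example.org
dev-004,SN0004,,frank@example.org,
"""

def already_handled_today(notes, offender, today_iso):
    """True when the device note already records this user being blocked today."""
    return notes.strip() == f"blocked:{today_iso}:{offender}"

def find_mismatches(csv_text, today_iso):
    """Yield (row, assigned, offender) where the most recent user is not the
    assigned user. Devices with no assigned user are ignored."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        assigned = row["annotatedUser"].strip().lower()
        recent = row["recentUsers.0.email"].strip().lower()
        if not assigned or not recent or assigned == recent:
            continue
        if already_handled_today(row["notes"], recent, today_iso):
            continue
        yield row, assigned, recent

def plan_actions(csv_text, today_iso):
    """Return (gam_commands, log_lines) the job would produce; nothing is run."""
    commands, log = [], []
    for row, assigned, offender in find_mismatches(csv_text, today_iso):
        # Suspend the offending account, then stamp the device note so a
        # second pass on the same day does not suspend the same user again.
        commands.append(f"gam update user {offender} suspended on")
        commands.append(f'gam update cros {row["deviceId"]} notes "blocked:{today_iso}:{offender}"')
        log.append(f'{today_iso} {row["serialNumber"]} assigned={assigned} recent={offender} action=suspend')
    return commands, log

if __name__ == "__main__":
    cmds, lines = plan_actions(SAMPLE_CSV, "2024-03-05")
    print("\n".join(cmds + lines))
```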


Kim_Nilsson
Admin Moderator

Jay Lee (creator of GAM) released this Chrome extension which makes using the wrong CB pointless.

oneTwoOne, it's called.

What it does is it checks the currently logged in user against the value of Location and if they don't match, the device will show nothing but a single page, indicating that it's the wrong person trying to use the device.

So all you have to do is populate the editable attribute Location on each device with the email address of the assigned user. GAM works great for that step. Or my easier-to-use Google Sheets script, CB_Inventory, recently updated.

--
https://wheretofind.me/@NoSubstitute


14 REPLIES

Justin_W
Contributor II

I can certainly see the value in it, but I've never heard of any better way to do it.

Which is a bummer. In something like MosyleMDM for our Macs, we can simply set the device to default to a "Limbo" state and then it will auto-assign to the first user that logs into it.  (Only that person can log in to it now)

It'd be great if you could do the same for CBs.

llennon
Admin Moderator

It is not even that straightforward. Sign-in restrictions are an OU setting. To limit a Chromebook to an individual user, you have to have an OU for each individual user.

Many years ago, we found a way to do it with GAM. But it is a tremendous pain and makes life super difficult.

@Olger  Thank you for the offer to share the script! My email address is mantzd@usd376.com

That's evil, man. I love it! 🙂

--
https://wheretofind.me/@NoSubstitute

I recommend you post it in a public place, like github, so people can both use and suggest improvements to it.

--
https://wheretofind.me/@NoSubstitute

Josh
New Contributor III

@Olger I've been asked this question a couple of times before and never had a good answer. I like your solution, nice and simple.

If it is any help, this might make it a bit more efficient. The Chrome logs record (in near real time in my experience) all login events from Chromebooks; it might be easier to check those for new logins instead of checking each device individually.

I believe those logs are available to all Workspace editions but to be honest, I found the edition comparison matrix a bit confusing when it came to the logging features.

Olger
New Contributor III

Thanks for that suggestion. I tried extracting the info I need for this purpose, but afaik (and as far as I have been able to test, together with ChatGPT), the logs do not tell me what device a user logged in to. Happy to be corrected though.

Josh
New Contributor III

Not sure what the API exposes exactly, but the investigation tool shows the following columns when I filter for 'ChromeOS login success' events in the 'Chrome log events' datasource.

  • Date
  • Description = "<userEmail> has successfully logged into ChromeOS device <chromebookSN>"
  • Event = ChromeOS login success
  • Event reason = CHROMEOS_AFFILIATED_LOGIN - I believe this will vary depending on if the device/user is managed or not.
  • Device name = Chromebook SN
  • Device user = User email address
  • Directory API ID = Chromebook API ID

I fully acknowledge that the API doesn't return the same columns as the investigation tool. So these might not be available.

Give Google feedback that the API should of course produce at the very least the same info as the admin console can.

--
https://wheretofind.me/@NoSubstitute

@Kim_Nilsson  I truly appreciate both of these resources. I will pass these along to my friend as well. 

Tested the extension this morning. No joy here. Will wait till the afternoon and see if it was just one of those "it may take a while to propagate" things.

The extension never shows up in the test student's list of extensions.

Give Jay feedback in an issue on github (probably the best place, and/or in the GAM chat).

--
https://wheretofind.me/@NoSubstitute