Cyber Essentials for Chromebook / ChromeOS: configuration guide
How ChromeOS maps to Cyber Essentials v3.3 - automatic updates, Verified Boot, encrypted user data, Google Admin policies, and why Chromebooks are the easiest device class to certify.
Chromebooks are probably the easiest end-user device to certify under Cyber Essentials v3.3. The architecture enforces Verified Boot, automatic silent updates, encrypted user data, and sandboxed apps by default - most of what the scheme tests is on and not user-disableable. The work is enrolling devices into your Google Workspace domain, pinning Chrome Enterprise policies, and making sure every Chromebook is still within its Auto Update Expiration (AUE) date.
1. Why ChromeOS is Cyber-Essentials-friendly
The scheme tests five controls. ChromeOS handles four of them out of the box:
| Control | ChromeOS behaviour |
|---|---|
| Firewall | Not a configurable firewall; network boundary handled upstream. ChromeOS has no exposed inbound services |
| Secure configuration | Verified Boot, sandboxing, minimal attack surface |
| Security update management | Silent automatic updates every ~4 weeks; you can force faster |
| Malware protection | Apps run in sandboxes; Chrome Safe Browsing on by default; Play Protect for Android apps |
| User access control | Managed via Google Workspace identity with 2SV / security keys |
Only the last requires active configuration; the rest ship correct.
2. Auto Update Expiration (AUE)
Every Chromebook model has an AUE date after which Google stops shipping updates. Devices past AUE are outside the Cyber Essentials supported-OS clause and will fail.
- Check the Auto Update policy list in Google Admin for every device in your fleet
- Replace any Chromebook within 6 months of its AUE
- When buying new, prefer models with 8+ years of AUE remaining (post-2023 ChromeOS Flex-ineligible laptops and newer ChromeOS devices)
3. Enrolment into Google Workspace
- Chrome Enterprise Upgrade (one-time per device licence, usually under £30) lets you manage each Chromebook from Google Admin
- Enrol via powerwash + enterprise enrolment flow at deployment
- Assign devices to Organisational Units (OUs) matching your policy layers
Without enterprise enrolment, Chromebooks look like personal devices and won't satisfy user-access-control or secure-configuration evidence.
4. Mandatory Google Admin device policies
In Devices > Chrome > Settings > Device settings:
- Sign-in restriction: restrict to users within your Workspace domain
- Forced re-enrolment: on
- Guest mode: disabled
- Verified mode: enforced (prevents boot into developer mode)
- Device off hours: disabled or tightly scoped
- Blocked URL list: curated list of known-malicious domains (optional)
In Devices > Chrome > Settings > User & browser settings:
- Password manager: enabled - users should use Google Password Manager or an approved third-party
- Safe Browsing: Enhanced Protection
- Enable Android apps: business decision; if enabled, require Play Protect
- Allow screen lock: required
- Idle time before screen lock: 600 seconds (10 min) or less
- Require password on wake: on
5. Password / user access control
- Google Workspace 2SV enforced for every user. Security-key policy for admins.
- Minimum password length 12 characters (Cyber Essentials v3.3) - configured in Workspace password policy
- No shared Chromebooks signed in as a shared user (this defeats user access control). Individual named user accounts only.
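The mandatory settings in sections 4 and 5 can be checked per OU the same way. This is an added example, not Fig's scan and not the Google Admin policy schema: the policy snapshot and its key names are constructed for illustration. It encodes the exact-match settings plus the three rules that need a predicate (idle lock at most 600 seconds, minimum password length 12, Play Protect required whenever Android apps are enabled).

```python
# Constructed per-OU policy snapshot. Key names are assumed for this example
# and are not Google Admin policy identifiers.
OU_POLICIES = {
    "/Staff": {
        "sign_in_restriction": "domain_users", "forced_reenrolment": True,
        "guest_mode": False, "verified_mode": "enforced",
        "safe_browsing": "enhanced", "android_apps": True, "play_protect": True,
        "screen_lock": True, "idle_lock_seconds": 600, "password_on_wake": True,
        "two_sv_enforced": True, "min_password_length": 12,
    },
    "/Engineering": {
        "sign_in_restriction": "domain_users", "forced_reenrolment": True,
        "guest_mode": False, "verified_mode": "not_enforced",  # dev mode reachable
        "safe_browsing": "standard", "android_apps": True, "play_protect": False,
        "screen_lock": True, "idle_lock_seconds": 900, "password_on_wake": True,
        "two_sv_enforced": False, "min_password_length": 8,
    },
}

# Settings that must match exactly (sections 4 and 5).
EXACT = {
    "sign_in_restriction": "domain_users", "forced_reenrolment": True,
    "guest_mode": False, "verified_mode": "enforced", "safe_browsing": "enhanced",
    "screen_lock": True, "password_on_wake": True, "two_sv_enforced": True,
}


def policy_gaps(policy):
    """Return the sorted list of setting names that miss the v3.3 baseline."""
    gaps = [k for k, want in EXACT.items() if policy.get(k) != want]
    # Threshold rules: a missing value is treated as a gap, never as a pass.
    if policy.get("idle_lock_seconds", 10**9) > 600:
        gaps.append("idle_lock_seconds")
    if policy.get("min_password_length", 0) < 12:
        gaps.append("min_password_length")
    # Conditional rule: Android apps are a business decision, Play Protect is not.
    if policy.get("android_apps") and not policy.get("play_protect"):
        gaps.append("play_protect")
    return sorted(gaps)


def fleet_gaps(ou_policies):
    """Map each OU with at least one gap to its gap list (clean OUs omitted)."""
    return {ou: gaps for ou, p in ou_policies.items() if (gaps := policy_gaps(p))}


if __name__ == "__main__":
    for ou, gaps in fleet_gaps(OU_POLICIES).items():
        print(ou, ", ".join(gaps))
```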
6. Android apps on Chromebook
ChromeOS can run Android apps via Google Play. For Cyber Essentials:
- Push business apps via Managed Google Play only
- Block sideloaded apps at OU level
- Keep Play Protect on
7. Evidence assessors expect
- Google Admin device list export showing serial number, model, OS version, AUE date, last policy sync
- OU policy export showing the mandatory settings above
- Workspace 2SV enrolment report
- Evidence that any device past AUE has been decommissioned
8. Common failure points
1. Chromebooks past AUE. Most common failure. Check every device's AUE, replace those within 6 months of expiry.
2. Chromebooks not enterprise-enrolled. Personal Google accounts logged in on what should be corporate devices. Powerwash and re-enrol with Chrome Enterprise Upgrade.
3. Developer Mode enabled on a couple of engineering Chromebooks. Switch Verified Mode to enforced; narrow exceptions to a specific OU with documented business need.
4. Shared user accounts on a counter / reception Chromebook. Switch to individual named accounts.
5. 2SV not enforced for a couple of contractor accounts. Enforce at Workspace level.
What Fig checks
Our CE readiness scan pulls the Google Admin device inventory (read-only) and flags devices past AUE, devices missing enrolment, and any OU-level policy gaps against v3.3. ChromeOS-heavy organisations pass first time at over 98% once AUE is clean; it is the easiest mobile platform to certify.
About the author
Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.