Frontline Asset Management integrates with Google Workspace Mobile Device Management (MDM) to keep Chromebook and mobile device data aligned with asset records. This Google Workspace integration pulls device data from Google Admin Console each night, displays synced MDM fields in asset records and reports, and can optionally disable or re-enable devices in Google based on asset tag status changes in Asset Management.
- Pulls key device properties from Google Admin Console
- Displays those properties in asset records, grids, reports, and exports
- Optionally disables or re-enables devices in Google based on asset tag status changes in Asset Management
Synced Data Fields
| Asset Management MDM Field | Chrome OS Device (Google API) | Google Mobile Device (Google API) |
|---|---|---|
| Device Name | deviceId | deviceId |
| External IP | wanIpAddress | — |
| Internal IP | ipAddress | — |
| Last Login Date | activeTimeRanges | — |
| Last Login User | recentUsers | — |
| Last Seen Date | lastSync | lastSync |
| Latitude/Longitude | — | — |
| MAC Address | macAddress | wifiMacAddress |
| MDM Status | status | status |
| Operating System | osVersion | os |
Accessing Integration Settings
Administrators configure and monitor the integration in Management > Integration Settings > G Suite Integrations.
| UI Element | Purpose |
|---|---|
| Job History | Shows each nightly ETL run with start time, job name, status, and notes |
| Initiate One-Time Sync | Runs an on-demand sync |
| Client ID/Client Secret | OAuth credentials from Google Cloud |
| Authorize G Suite | Completes the OAuth authorization process |
| Disable devices in Google… | Enables status-based device disable and enable automation |
Google MDM Setup and Authorization
A Google Super Admin must create the Google Cloud project, enable the required APIs, generate the OAuth credentials, and authorize the integration in Frontline Asset Management.
- Create a Google Cloud project in Google Cloud Console.
- Enable the required APIs, including Admin SDK and OAuth 2.0.
- Generate OAuth credentials and record the Client ID and Client Secret.
- Grant the required Admin SDK scopes in Google Admin Console.
- In Frontline Asset Management, go to “G Suite Integrations,” enter the credentials, and click Authorize G Suite.
- Click Initiate One-Time Sync to confirm the connection is working.
For a detailed walkthrough, see "Provisioning Asset Management in Google G Suite."
Monitoring, Verification, and Data Access
Nightly Sync Logic
- Runs once every night
- Matches devices by serial number. If a serial number is missing, the asset is not updated.
- Duplicate serial numbers trigger a warning and are skipped
Verifying a Sync
- Check the “Job History” grid for a “Completed” status.
- Open a tag record and confirm the MDM fields are populated.
- Compare the values with Google Admin Console if needed.
- Download the device import information report:
- Click the Completed link in the “Job History” grid.
- On the next page, scroll to the bottom and click Download device import information.
- Review the CSV file to see which serial numbers were updated, skipped, or not found.
Viewing MDM Data
| Where | How to Use |
|---|---|
| Tag Information window | Review synced MDM fields for a single asset. |
| Tags grid | Add MDM columns, apply filters or sorting, and export for bulk review. |
MDM Status Automation (Disable/Enable)
Frontline Asset Management can disable or re-enable Chromebooks in Google Admin Console based on selected asset tag statuses.
How It Works
| Asset Management Action | Google Admin Console Result | Timing |
|---|---|---|
| Asset enters a selected disabled status, such as “Lost” or “Stolen” | Device is disabled | Nightly sync |
| Asset leaves a selected disabled status through actions such as “Issued to Staff,” “Issued to Student,” “Quick Collect,” “Room to Room,” “Tag Detail,” “Bulk Edit,” or “Archived” | Device is re-enabled | Immediate |
Setup Guide
- Go to Integration Settings > G Suite Integrations.
- Select Disable devices in Google Console when tags are in a status of….
- Select one or more statuses, such as “Lost,” “Stolen,” or “Retired,” and click Save.
- On the first nightly run after setup, Asset Management disables all existing tags already in those selected statuses.
Validation Steps
- After a status change, confirm the “MDM Status” field updates.
- Verify the device state in Google Admin Console.
- Review “Job History” for any errors.
Known Limitations
- Devices must already exist in Asset Management. The sync does not create new assets.
- No other bidirectional actions, such as changing an OU or deprovisioning a device, are supported.
- MDM fields are read-only and are not available in audit workflows.
- Some data points may be blank if Google does not provide them for that device type.
- Google enforces daily API request limits for sync, disable, and enable actions. If a large number of assets are updated on the same day, some device changes may not appear in Google until the next nightly sync.
Frequently Asked Questions
How can I tell if My OAuth credentials have expired?
In Integration Settings > G Suite Integrations, an “Authentication Required” message appears in red when the token is invalid or expired. Reauthorize the integration by clicking Authorize G Suite and signing in with a Google Super Admin account.
Why did my newly purchased Chromebook not appear after the sync?
The nightly job updates existing assets only. First import or create the asset in Asset Management, such as through a purchasing import, manual entry, or room initialization, so the serial number exists in the database. After that, the next sync can populate the MDM fields.
Can we sync latitude/longitude or internal/external IP for Google mobile devices?
Google’s current APIs do not provide those values by default for Google mobile devices. Frontline will continue to monitor Google updates for future support.
Do I need Google Super Admin Authentication for this integration?
A Google Super Admin account is recommended because it includes the required Admin SDK access. A delegated admin may work only if it has both admin.directory.device.chromeos and, if needed, admin.directory.device.mobile scopes. Without those scopes, sync and automation actions will fail.
We changed nearly 5,000 Chromebooks to “Lost,” but only some devices were disabled in Google. Why?
Google enforces daily limits on API requests. When a very large number of devices are updated in a single day, some disable or enable actions may be delayed until the next nightly sync.