Chrome Device Trust Setup Guide
Chrome Device Trust lets Google Chrome send a set of device signals (for example disk encryption status, firewall state, and whether antivirus is present) to XFA during agentless sign-in. This allows a limited set of security checks when the XFA agent is not installed: the signals Chrome can report are a subset of what the agent collects, so only policies that those signals can satisfy are passed agentlessly.
It requires Chrome Enterprise Core, which is free.
Prerequisites
- An XFA organization with agentless verification enabled
- Access to the Google Admin Console
- Chrome browsers on the devices you want to verify
Step 1: Sign up for Chrome Enterprise Core
Chrome Enterprise Core is a free subscription that unlocks extra management options for Google Chrome browsers; it costs nothing beyond your existing Google Workspace subscription.
- Go to chromeenterprise.google and sign up, or verify that your organization already has access.
- Open the Google Admin Console.
Chrome Device Trust does not work without Chrome Enterprise Core, but no paid Chrome Enterprise license is required.
Step 2: Set up managed Chrome profiles
For Chrome Device Trust to work, Google must manage the Chrome profiles in your organization. Enable the setting that requires users to sign into Chrome with a Google account managed by your organization (for example, their Google Workspace account).
Managed Chrome profiles are sufficient for device trust: users only need to sign into Chrome with their work account. Enrolling the browser itself into Chrome Browser Cloud Management (with an enrollment token) is not required, which is why the connector in Step 3 is scoped to managed profiles only.
Step 3: Add XFA as a device trust connector
- In the Google Admin Console, go to Devices → Chrome → Connectors.
- Click New provider configuration.
- Select Universal Device Trust as the provider.
- Enter the following settings:
| Setting | Value |
|---|---|
| URL pattern | https://device-api.xfa.tech/device-trust |
| Service account | device-trust-connector@xfa-verified-access.iam.gserviceaccount.com |
| Enrollment level | Managed profiles only |
- Assign the connector to the relevant organizational units that contain the users whose devices you want to verify.
- Click Save.
Make sure to select Universal Device Trust as the provider. XFA is not pre-listed as a named provider, and "Chrome Verified Access" is a different connector that will not work with this setup.
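To make concrete what the URL pattern in Step 3 is for, and why the agentless button in the Verification section only appears when Chrome's signals cover the policy, here is an added example of the relying-party side of the exchange Chrome runs against a URL matching the connector's URL pattern. This is illustration code, not XFA's implementation and not Google's API. The three header names are taken from Chrome's Device Trust connector documentation; everything else is assumed: the challenge issuer is an HMAC stand-in for the Verified Access API (which in production is called with the connector's service account and checks Chrome's signature over the challenge), the challenge-response encoding and status codes are simplified, and the signal names (disk_encrypted, os_firewall, antivirus, agent_running) and sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Header names from Chrome's Device Trust connector documentation. Everything else in
# this file is an added stand-in for illustration, not XFA's code or Google's API.
DEVICE_TRUST_HEADER = "X-Device-Trust"
CHALLENGE_HEADER = "X-Verified-Access-Challenge"
CHALLENGE_RESPONSE_HEADER = "X-Verified-Access-Challenge-Response"
CHALLENGE_TTL_SECONDS = 60


class StandInVerifiedAccess:
    """Stand-in for the Verified Access API (challenge:generate / challenge:verify).

    An HMAC over a random nonce and an expiry plays the role of Google's signed
    challenge so the exchange runs offline. Replays and expired challenges are rejected.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._consumed = set()  # nonces already accepted, to reject replays

    def _tag(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def generate_challenge(self, now: float) -> str:
        claims = {"nonce": base64.b64encode(os.urandom(16)).decode(),
                  "exp": now + CHALLENGE_TTL_SECONDS}
        body = json.dumps(claims, sort_keys=True)
        token = json.dumps({"body": body, "tag": self._tag(body)})
        return base64.b64encode(token.encode()).decode()

    def verify_response(self, challenge_response: str, now: float):
        """Return the device signals if bound to an authentic, fresh, unused challenge, else None."""
        try:
            outer = json.loads(base64.b64decode(challenge_response))
            token = json.loads(base64.b64decode(outer["challenge"]))
            body, tag = token["body"], token["tag"]
        except (ValueError, KeyError, TypeError):
            return None
        if not hmac.compare_digest(tag, self._tag(body)):
            return None  # challenge was not issued by us
        claims = json.loads(body)
        if now > claims["exp"] or claims["nonce"] in self._consumed:
            return None  # expired, or already used once
        self._consumed.add(claims["nonce"])
        return outer.get("signals", {})


def stand_in_chrome_response(challenge: str, signals: dict) -> str:
    """What a managed Chrome profile would put in the challenge-response header (stand-in)."""
    return base64.b64encode(json.dumps({"challenge": challenge, "signals": signals}).encode()).decode()


def handle_request(headers: dict, va: StandInVerifiedAccess, now: float):
    """Relying-party side for a URL matching the connector's URL pattern.

    Returns (status, response_headers, signals). Status codes are simplified.
    """
    if headers.get(DEVICE_TRUST_HEADER) != "VerifiedAccess":
        # Unmanaged profile or connector not applied: Chrome attached nothing, no agentless path.
        return 200, {}, None
    response = headers.get(CHALLENGE_RESPONSE_HEADER)
    if response is None:
        return 401, {CHALLENGE_HEADER: va.generate_challenge(now)}, None  # ask for a challenge-response
    signals = va.verify_response(response, now)
    if signals is None:
        return 403, {}, None  # forged, expired or replayed: never trust the signals
    return 200, {}, signals


def policy_satisfied(signals: dict, required: dict) -> bool:
    """True only if every required check is reported by Chrome with the required value.
    A check Chrome cannot report (missing key) fails, which is when the agent is still needed."""
    return all(signals.get(k) == v for k, v in required.items())


def run_exchange(va: StandInVerifiedAccess, signals: dict, required: dict, now: float = 1_700_000_000.0):
    """Drive one full two-request exchange; return (verified_signals, agentless_allowed)."""
    first = {DEVICE_TRUST_HEADER: "VerifiedAccess"}
    status, resp_headers, _ = handle_request(first, va, now)
    if status != 401 or CHALLENGE_HEADER not in resp_headers:
        return None, False
    second = dict(first)
    second[CHALLENGE_RESPONSE_HEADER] = stand_in_chrome_response(resp_headers[CHALLENGE_HEADER], signals)
    status, _, verified = handle_request(second, va, now + 5)
    if status != 200:
        return None, False
    return verified, policy_satisfied(verified, required)


if __name__ == "__main__":
    va = StandInVerifiedAccess(os.urandom(32))
    chrome_signals = {"disk_encrypted": True, "os_firewall": True, "antivirus": True}  # constructed
    print(run_exchange(va, chrome_signals, {"disk_encrypted": True, "os_firewall": True}))
    print(run_exchange(va, chrome_signals, {"disk_encrypted": True, "agent_running": True}))
```

The second call in the usage shows the limit from the overview: a policy that requires something only the agent reports (here the assumed agent_running check) cannot be satisfied by Chrome's signals, so no agentless sign-in is offered even though the exchange itself succeeded.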
Step 4: Enable Chrome Device Trust in XFA
- In the XFA dashboard, navigate to Agentless.
- Toggle Google Chrome device trust on.
- Click Save.
Verification
After completing the setup, you can verify it's working:
- Have a user with a managed Chrome profile open an app or identity provider that is protected by XFA.
- During device verification, an agentless sign-in button appears when the signals Chrome reports are sufficient to satisfy the device security policy that applies to the user (that is, when the policy is limited to checks Chrome can provide). The user can click it to sign in without installing the XFA agent.
- In the XFA dashboard, navigate to Devices and find the user's device. It will show that the XFA agent is not installed and that agentless sign-in was used.
Make sure to configure the XFA agent install prompt to show the agentless option where appropriate, so users are aware they can sign in without installing the agent.
If the agentless button does not appear, verify that:
- The user is signed into Chrome with a managed Google account (chrome://management in that profile shows whether it is managed)
- The connector is assigned to the organizational unit that contains the user
- Chrome has been restarted after the connector was configured, or policies have been reloaded from chrome://policy, and the connector policy is listed there for the profile
- Agentless is enabled in the XFA policy that applies to the user, and that policy only requires checks Chrome can report