Chromebook Console
Open source · self-hosted · no Workspace license

An admin console for the Chromebooks you own.

Tokenless local pairing over mDNS. A modern dark dashboard that runs on a master Chromebook (or any home computer). Real firmware lockdown when you are in dev mode with WP off.

Get started View on GitHub 
curl -fsSL https://criticalhd.github.io/ChromeOS-Management/install.sh | bash
Auto-detects whether you're on a Chromebook (host or Crostini) or on a regular computer.

What it does

Tokenless pairing

Master scans the LAN with mDNS, finds the Chromebook automatically, you click Trust. No codes to type. The trust window auto-closes after 5 minutes.

Master Chromebook

Same dashboard runs on a Chromebook in dev-mode. Open http://<master-ip>:8765 from any device on your Wi-Fi — no install on the controller.

Firmware lockdown

block_devmode, GBB hardening, Cr50 CCD lock, custom recovery + root keys, neutered clobber-state. Closes the recovery-USB gap.

Remote shell & CRD

Live xterm.js terminal into the Chromebook over WebSocket. One-click launch into Chrome Remote Desktop for screen view + control.

Activity & policy

URL allow/blocklists, extension allowlists, app blocklists. Site-visit and block timeline. Enforced by the bundled MV3 extension.

No SaaS, no servers

Everything runs on your hardware. No cloud, no telemetry, no licenses. The agent talks directly to the dashboard over the LAN.

Install

The recommended deployment is Master Chromebook: one Chromebook in dev-mode root shell hosts the dashboard, every other Chromebook on the LAN registers itself automatically.

1 · On the master Chromebook

Switch to dev-mode root shell (Ctrl+Alt+T → shellsudo su):

curl -fsSL https://criticalhd.github.io/ChromeOS-Management/install.sh \
  | sudo bash -s -- chromebook-host --role master

The script installs the agent + dashboard, starts both, and prints the LAN URL.

2 · On every managed Chromebook

Same dev-mode root shell:

curl -fsSL https://criticalhd.github.io/ChromeOS-Management/install.sh \
  | sudo bash -s -- chromebook-host --role managed

The first 5 minutes the trust window is open. Click Trust on the master to pair.

3 · Open the dashboard

From any device on the same Wi-Fi:

http://<master-chromebook-ip>:8765

Discovered Chromebooks appear automatically. Each one has a Trust button while its trust window is open.

Fallback paths: a regular home PC can host the dashboard with install.sh home-pc; Crostini works with install.sh chromebook-crostini (slow first-time install). Both are supported but not the default.

How pairing works

  1. Agent broadcasts on mDNS. Every chromebook-agent publishes _chromemgmt._tcp.local. with name, role, and trust-window state.
  2. Master browses the LAN. The dashboard runs a mDNS browser and lists peers in real time.
  3. Trust window opens for 5 min the first time the agent runs (or whenever you run chromebook-agent --reopen-trust).
  4. Click Trust. The master POSTs /api/pair with its master id; the peer issues a session token; the trust window closes immediately.
  5. All future requests are auth'd with the issued session token. No tokens are ever shown to humans.