Great discussion this morning and definitely going to follow this thread so I can keep up with popular settings shared by others.

I've done a write up before on using Enhanced Desktop Security for Windows (EDSW) for Chrome Browser Cloud Management (CBCM).
https://hjkimbrian.medium.com/enrolling-chrome-browser-using-google-workspace-enterprise-f82cb101744...

And it looks like my issue with software discovery has been solved by a Windows update and removing and re-enrolling a test device.

That said - a big part of device management for us is software auditing. It's great I can see installed software via Enhanced Desktop Security... but it's less great there's not an API (at least that I can find...) to query this information. Or is there a page of documentation I've missed 😛

Just to recap the story - and highlight what we’re trying to achieve…

Thoughtworks is a Mac-centric company with a relatively small number of Windows devices. We generally operate using a “trust but verify” approach - and have rolled out a lightweight Mac-specific management solution, which has been incredibly useful as part of this. Now we would like to do the same thing for our Windows fleet - and have been enrolling our Windows devices into Google Enhanced Desktop Management, to see if that will work for us in a similar fashion.

We’re a data-driven organisation - there’s a few basic security posture settings we control, but the majority of the value we get from management is providing software discovery and patch status events to downstream systems.

APIs that will let us do this are critical - as the ultimate goal is to pull the information together, and allow stakeholders to get a complete picture of all devices, as well as drill down to the places where we need to take action. 

This is a core requirement for us - and there are some gaps in the APIs that are quite important. I’ve put each one of these in as a feature request - as I thought it would be helpful to gauge broader interest - but I also wanted to post here to connect things all together for the folks who were part of this discussion:

An API for exporting software discovery information from managed Windows devices

More detailed OS information in the Device API (especially for Windows 10)

Improved ability to filter Device API queries

But it's not just APIs - there are a few other places where Enhanced Desktop Security could be more helpful or more user friendly. These feature requests revolve around the lack of an API - and could be potential (short term!) workarounds. What do you all think?

More granular device management permissions in the admin console

Better csv export options for managed device information

And finally - the bigger asks, namely:

Device Management by Group (not OU)

Ability to self-host custom software packages for Windows

Neither of these are show stoppers for our current rollout - but both could cause pain in the medium to long term.

Thanks 🙂

a common ask from r/gsuite and some of our customers is the ability to escrow bitlocker keys. any update you can share on this @rkkumar ?

another common ask is the ability to sign automatically into Drive for Desktop app. it automatically signs into Chrome browser, but still requires user interaction to complete sign in to Drive for Desktop. If we can do this either as a Chrome policy/Windows Policy or tighter product integration, I think we could possibly see a higher adoption.

On somewhat related note, I just recorded a quick video on associating existing Windows profile with GCPW.

https://www.youtube.com/watch?v=6HLKguw1oVo