
F.A.Q.

Q: What are the benefits of RSU versus alternative ways of servicing enrolled Chrome OS
devices?
A: RSU was designed with the following benefits in mind:
1. Security: RSU users are authenticated to a central Google server via a 2-factor key that
you control and can revoke. This means that even if someone steals an RMA shim, they
cannot use it to steal an enterprise-enrolled Chromebook.
2. Speed: RSU functionality is already integrated into the RMA shim and service flow (no
separate shim required), and entering the challenge code/response is assisted by a QR
code for faster input.
3. Removal of hardware write-protect without having to open the device: For example,
if a device contains a fingerprint sensor, its biometric data will need to be cleared before
sending it to a different customer. RSU facilitates this in a way that does not require
trying to remove the battery while resetting the fingerprint sensor at the same time.
4. Prevention of errors: With RSU, it is much harder to accidentally send a Chrome OS
device to another customer in a state of being enrolled to its original organization.
5. Proper accounting for enrolled devices: Enterprise administrators see the fleet of
devices enrolled to their organization in the admin console. RSU ensures that
decommissioned motherboards are removed from the enterprise’s roster, preventing
them from being billed for licenses that they cannot use.

Q: What is the difference between the terms “enrolled”, “managed” and “provisioned”?
A: For the purposes of this document, they are the same.

Q: How does RSU relate to Shimless RMA?
A: RSU is already required for enrolled devices going back to a different owner under the
Shimless RMA program.

Q: Do I need to deploy 2-factor authentication tokens to all my service staff?
A: Since force-unenrolling a device via RSU is a highly sensitive operation, a one-time code
generated by a hardware security key has always been required. This is the same Google
account-based process used by thousands of enterprises to authenticate users, and includes
the ability to revoke keys if they were to go missing. While there is an initial cost to acquire the
keys, there are significant benefits for increased security and goodwill of organizations investing
in devices under your brand.

Q: Which devices have Google Titan-C (H1) Security Chip?
A: All Chromebooks launched since January 2019 come with the Titan security chip except for the
Lenovo 100e Chromebook 2nd Gen MTK and the Lenovo 300e Chromebook 2nd Gen MTK,
which come with a different security chip that does not support RSU.

Q: What will change after RSU becomes mandatory?
A: If a device is enrolled, the RMA shim will stop and require that the device is first un-enrolled
via RSU before proceeding. See the screenshot below for the proposed (tentative) UI.

Specifically, although the operation of RMA shims will change the next time you update
them after the rollout date, it is not a supported workaround to continue using older RMA shims
or other methods to circumvent RSU. Google reserves the right to enforce the mandatory RSU
policy in ways other than the RMA shim, including discontinuing support for non-RSU workflows
and designing future devices with enhanced security measures built to prevent unenrollment
through ways other than RSU.
