Enrollment & Device Credentials

Every device running the Robost extension must be enrolled before it can report AI usage data or receive policy updates. Enrollment binds the device to your organization and gives it the credentials needed to authenticate with the Robost backend.

The extension supports two enrollment paths, tried in order at startup: MDM-managed enrollment first, then manual (local) enrollment.

When the extension is deployed via Google Workspace, Microsoft Intune, or Jamf, the MDM pushes two keys through Chrome’s managed storage policy:

  • api_base_url — the base URL of the Robost API server
  • enrollment_token — the device credential token

The extension reads these keys from chrome.storage.managed on every service-worker startup. If both keys are present, the device is considered enrolled immediately and no user interaction is required. This is the correct path for production rollouts.

For development, QA, or individual pilot devices, an admin or the device owner can enroll manually:

  1. Open the extension’s options page (puzzle icon → Robost).
  2. Enter the Server URL and Enrollment token.
  3. Click Save & enroll.

The credentials are stored locally under the key clarity-enrollment in chrome.storage.local. Local enrollment takes effect after the service worker restarts (reload the extension from chrome://extensions). Managed storage always takes precedence over local enrollment if both are present.
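The precedence rule above, sketched as an added example (this is not Robost's own extension code): managed policy is checked first, and a locally entered credential is used only when the managed keys are absent. Assumptions: the function names are hypothetical, the record under clarity-enrollment is taken to use the same two field names as the managed keys, and the HTTPS requirement, the ctk_ prefix check and the fail-closed handling of a malformed managed value are added hardening rather than documented behaviour.

```javascript
// Added example; not the Robost extension's source code.
// Assumption: the record stored under "clarity-enrollment" uses the same two
// field names as the managed policy keys.
const LOCAL_KEY = "clarity-enrollment";
const POLICY_KEYS = ["api_base_url", "enrollment_token"];

// Returns a usable credential pair, or null if a field is missing or malformed.
function validate(rec) {
  if (!rec || !POLICY_KEYS.every((k) => typeof rec[k] === "string")) return null;
  let url;
  try { url = new URL(rec.api_base_url); } catch { return null; }
  // Added hardening: the token is a bearer credential, so require HTTPS.
  if (url.protocol !== "https:") return null;
  if (!rec.enrollment_token.startsWith("ctk_")) return null;
  const base = url.origin + url.pathname.replace(/\/+$/, "");
  return { apiBaseUrl: base, token: rec.enrollment_token };
}

// managed / local are the objects returned by the two storage areas' get().
function resolveEnrollment(managed, local) {
  const m = managed || {};
  if (POLICY_KEYS.every((k) => k in m)) {
    // Managed policy wins. Fail closed on a bad value instead of falling
    // back to locally entered credentials.
    const cred = validate(m);
    return { source: "managed", enrolled: cred !== null, cred };
  }
  const cred = validate((local || {})[LOCAL_KEY]);
  return { source: cred ? "local" : "none", enrolled: cred !== null, cred };
}

// In the service worker: await loadEnrollment(chrome.storage)
async function loadEnrollment(storage) {
  const managed = await storage.managed.get(POLICY_KEYS);
  const local = await storage.local.get(LOCAL_KEY);
  return resolveEnrollment(managed, local);
}

// Constructed sample values for illustration only.
const SAMPLE_MANAGED = {
  api_base_url: "https://robost.example.test/api/",
  enrollment_token: "ctk_constructed_managed",
};
const SAMPLE_LOCAL = {
  [LOCAL_KEY]: {
    api_base_url: "https://dev.example.test",
    enrollment_token: "ctk_constructed_local",
  },
};
```

Keeping the decision in a pure function makes the precedence testable without a browser, and keeps the token out of any code path that only needs to know whether the device is enrolled.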

An enrolled device holds two pieces of information:

  • API base URL — identifies which Robost server to contact. This is not a secret.
  • Enrollment token — a bearer token (ctk_... prefix) that authenticates the device to the Robost API. Treat this like a password: it grants the device permission to submit alerts and receive policy config on behalf of your organization.

The extension never stores raw employee credentials. The enrollment token is scoped to a device context and does not grant access to the Robost admin UI.

Enrollment tokens have a 365-day expiry by default (configurable per token via the expires_in_days field in the POST /settings/devices API, with a maximum of 3 650 days). After expiry, the extension’s requests are rejected with HTTP 403 and the device needs a fresh enrollment token. Tokens can also be revoked at any time before expiry.

To revoke an enrolled device, call the Robost API:

POST /settings/devices/{device_id}/revoke

This sets the device credential to inactive. Once revoked, the enrollment token is rejected by the API with HTTP 403. The extension will stop submitting alerts and will show Enrolled: No the next time the options page is opened. To re-enroll the device, generate a new token via POST /settings/devices and push it via MDM or re-enter it on the options page.

Self-service device management in the admin console is planned. In the interim, contact Robost support if you need assistance revoking a credential.