chrome://policy shows incorrect policy fetch interval |
|||||||||||
Issue descriptionA number of devices are failing to do periodic device policy checks. The affected devices we know are configured to fetch device and user policy every 3 hours. User policy is fetched periodically as expected, device policy is not. Users report e.g. "last fetched: 22 hours ago" vs. "fetch interval: 3 hours". This was observed on the beta channel (8350.55.0 / 2.0.2743.75). Example client IDs are: b6b38f34-214f-43dc-a6be-e9e22d6ffeb4 2f15b2ce-e55e-433b-9382-45c59652e3ba Feedback report: https://feedback.corp.google.com/#/Report/11382531846 One manifestation of this issue is that client certs fail to renew as the device is deemed out of compliance. I just saw this certificate problem on my dev channel device (8530.13.0 / 53.0.2785.15) but the warning went away before I could investigate and I see that my policy is up to date, so treat that data point with care. The server-side team reports that no policy fetch requests have been received from the overdue devices.
,
Jul 18 2016
One more client id: 87bd8275-dda4-4d42-b865-b7c0a537a24d . As far as we can tell, 8350.46.0/52.0.2743.57 worked fine (no such reports from our elm dogfooders).
,
Jul 18 2016
If it's of any help while debugging this issue - all three client ids are from the same device type (board), which has not been released publicly yet.
,
Jul 18 2016
https://codereview.chromium.org/1623493002 changed the refresh delay to 24 hours. Problem is likely that we just aren't getting device policy invalidations. Jin, I think you were looking at this in the context of Tango invalidations for remote commands, but perhaps it's a general issue for device policy as well?
,
Jul 18 2016
Looks like Chrome OS to me, please ensure release blockers have OSes attached.
,
Jul 18 2016
Re: comment 4 - I do not think the policy is actually getting changed, so we should not be sending invalidations. My understanding of this issue is that we have an extension used for Corp certificate enrollment which looks at the last policy fetch time and the fetch interval and compares the two. If we did update Chrome OS fetch interval to 24 hours, why is chrome://policy page continues to say '3 hours'? That might be the real bug that trips up the corp Chrome extension (or at the very least it confuses users). And/or there may be some things we need to change in that extension code if it has hardcoded "3 hours" somewhere.
,
Jul 18 2016
+1 to what Dennis said. If no policy changed, then no invalidation should be triggered. We should look into why would fetch interval show 3 hours, when it was updated to 24 hours. regarding policy invalidation using Tango. It is not as time sensitive as remote commands. However, we should eventually adopt GCM-based topic invalidation in favor of Tango + Goops.
,
Jul 18 2016
What's the ETA for having this fixed? We release a stable candidate this week
,
Jul 19 2016
I think I misread the original thread. It sounds like hitting the refresh button will update policies. So policy fetching works in general but there are two problems: 1) The fetch interval is shown as 3 hours in the UI when it is really 24 hours. We can repurpose this bug here to fix that, but it is a P2 issue at most. 2) The cert provisioning extension expects policy to be max 3 hours old. This needs changing to 24 hours, but that work should be tracked in b/, not here.
,
Jul 19 2016
,
Jul 19 2016
I filed b/30211043 for updating the cert installer app.
,
Jul 19 2016
Thanks Bartosz. I was worrying that cert installer app might be reading 'current refresh interval' value from somewhere (chrome://policy page itself?), but comments in your b/ bug suggest it's a flag for the app, so I agree that this bug is P2.
,
Jul 19 2016
What boards are affected by this?
,
Jul 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/de68c7646f3169421b1d2ae201ecdce0c459dc6f commit de68c7646f3169421b1d2ae201ecdce0c459dc6f Author: atwilson <atwilson@chromium.org> Date: Thu Jul 28 17:45:11 2016 Fixed cloud policy refresh API to return correct value. Removed CloudPolicyRefreshScheduler::refresh_delay() because it returned a value that was not the actual value used in practice. Replaced with GetRefreshDelay() which returns the actual value that is used by the refresh scheduler. BUG= 628991 TBR=xiyuan Review-Url: https://codereview.chromium.org/2159223002 Cr-Commit-Position: refs/heads/master@{#408430} [modify] https://crrev.com/de68c7646f3169421b1d2ae201ecdce0c459dc6f/chrome/browser/chromeos/policy/device_local_account_policy_service.cc [modify] https://crrev.com/de68c7646f3169421b1d2ae201ecdce0c459dc6f/chrome/browser/ui/webui/policy_ui_handler.cc [modify] https://crrev.com/de68c7646f3169421b1d2ae201ecdce0c459dc6f/components/policy/core/common/cloud/cloud_policy_core.cc [modify] https://crrev.com/de68c7646f3169421b1d2ae201ecdce0c459dc6f/components/policy/core/common/cloud/cloud_policy_core_unittest.cc [modify] https://crrev.com/de68c7646f3169421b1d2ae201ecdce0c459dc6f/components/policy/core/common/cloud/cloud_policy_refresh_scheduler.cc [modify] https://crrev.com/de68c7646f3169421b1d2ae201ecdce0c459dc6f/components/policy/core/common/cloud/cloud_policy_refresh_scheduler.h [modify] https://crrev.com/de68c7646f3169421b1d2ae201ecdce0c459dc6f/components/policy/core/common/cloud/cloud_policy_refresh_scheduler_unittest.cc [modify] https://crrev.com/de68c7646f3169421b1d2ae201ecdce0c459dc6f/components/policy/resources/policy_templates.json
,
Jul 28 2016
,
Jul 29 2016
,
Aug 2 2016
Fix checked in to M54 8652.0.0 (Chrome 54.0.2811.0).
,
Aug 15 2016
Does this fix change both user policy and device policy fetch interval display to 1 day?
,
Aug 16 2016
It should update both displays - let me know if you aren't seeing that behavior.
,
Aug 16 2016
Could see fetch interval as 1 day.Initially it displays 3 hours for User settings but later it get updated to 1 day. Kip Device M ChromeOS Chrome ARC Type Channel 54 8694.0.0 54.0.2824.0 3135700 release dev |
|||||||||||
►
Sign in to add a comment |
|||||||||||
Comment 1 by bartfab@chromium.org
, Jul 18 2016