Management Domain Depends on Enrolling User's Domain
Reported by
t.d.pie...@g.maranausd.org,
Dec 15 2016
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.21 Safari/537.36
Platform: 8872.70.0 (Official Build) stable channel terra

Steps to reproduce the problem:

On an unprovisioned Chromebook:
1. Complete enrollment with user foo@example.org
2. Chromebook will be managed by "example.org"

On another unprovisioned Chromebook:
1. Complete enrollment with user "foo@bar.example.org"
2. Chromebook will be managed by "bar.example.org"

On any already enrolled Chromebook that has not been deprovisioned (let's say it's managed by "example.org"):
1. Reset the device by disabling/enabling OS Verification
2. Go through the setup process, the enrollment screen should come up automatically and say "managed by example.org"
3. Enroll as user@baz.example.org
4. Chromebook should now say "managed by baz.example.org"

What is the expected behavior?
Enrollment domain should not be able to be changed by end users. The process described above in the third example can be completed by any user in the domain, regardless of enrollment settings. Thus any user in the domain can change the "managed by" domain to match their domain regardless of what it was originally enrolled as.

Example: Organization ABC.org buys out XYZ.com and rolls them into their Google Domain as a subdomain. If a user completes the steps in example 3, it will change the enrollment domain completely and could confuse future end users of the device.

The "managed by" domain should either match the Primary Domain of the organization, stay fixed to the domain of the user that provisioned the device, or be editable in Device Settings in the Admin Console. For example, Devices at "Example Elementary School" could say "Managed by Example Elementary School" and devices at "Test Middle School" would say "Managed by Test Middle School."

I would say "Managed by Example LLC" would look better than "managed by example.org" and still convey the same message to the user that it is a managed device, managed by an organization.

What went wrong?
Management domain follows the user that most recently enrolled/re-enrolled the device, and can be changed by end users.

Did this work before? No

Chrome version: 56.0.2924.21
Channel: stable
OS Version: 55.0.2883.87
Flash Version: 23.0.0.207
Dec 15 2016
As an addendum to my suggestion, I think putting the "Organization" icon on the login screen will help enforce that the device is managed, regardless of what is stated in the "managed by" text.
Jan 3 2017
Can you please clarify what you mean by "rolls them into their Google Domain as a subdomain"? Assigning to Bin and Matt as they own this space.
Jan 3 2017
Jan 3 2017
Jan 3 2017
If I understand the reproduction correctly, this is actually a UI glitch, but working as intended. Technically, even if a subdomain user enrolls the device, the primary domain in Admin console is what dictates policy. When you are completing re-enrollment after resetting the device, any domain user can complete enrollment (sub- or primary domain users) and the device just maintains the domain name in the UI that originally enrolled it. Given policy is still functioning as expected, I'll reduce the priority here and likely mark as working as intended after I chat with Bin unless I'm missing something in the reproduction provided. Feel free to elaborate otherwise.
Jan 9 2017
RE #6: Actually, re-enrolling the devices after a mere reset DOES change the domain displayed in the UI. So, any end user can change what is shown there assuming they want it to display their domain, just by simply resetting the device.
Jan 16 2017
Thank you for providing more feedback. Adding "Needs-Review" label for tracking. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 13 2017
Cleaning up "Needs-Review" label as we are not using this label for triage. Ref bug 684919
Mar 13 2017
Jul 5 2017
Comment 1 by pastarmovj@chromium.org, Dec 15 2016