New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 717745 link

Starred by 6 users

Issue metadata

Status: WontFix
Owner:
Closed: Sep 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug



Sign in to add a comment

Parental Controls on Mac blocking access to Chrome

Reported by syamash...@mililaniwaena.k12.hi.us, May 2 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce the problem:
1. Update from 57.0.2987.133 .... to 58.0.3029.96 (64bit) on a laptop with parental controls
2. Restart Chrome
3. Message that it is blocked in System Preferences

What is the expected behavior?
Chrome expected to launch when clicked on.

What went wrong?
Message that you need system administrator to allow usage.

Did this work before? Yes 57.0.2987.133 (64-bit)

Chrome version: 56.0.2924.87  Channel: n/a
OS Version: OS X 10.11.6
Flash Version: Shockwave Flash 25.0 r0
 
Labels: Needs-Bisect Needs-Triage-M58
Cc: mark@chromium.org kerrnel@chromium.org
Chrome changed its code signing certificate in M58, so it's possible that this is related.
Labels: Needs-Feedback
Thanks for the report. I am working to reproduce this but so far cannot. Can you please provide more information about the actual parental controls setup? What options are configured in Settings? I likely need to be on the parental controls setup to reproduce.
Also is Chrome being updated through the account under parental controls or the admin account?
Hi.  Thank you for the response.  I will do my best to answer the
questions.  Our laptops have an admin account and student account.  Chrome
is updated through the admin account.  The admin account will run okay but
the student account will not open Chrome once the updated is launched.  We
receive the message that says "You don't have permission to use the
application "Chrome"."  When you go to Parental Controls as a student, we
now Chrome is unchecked.  We had unchecked System Preferences & Time
Machine previously.

I am attaching copies of our Chrome Settings and the Parental Controls
settings.

Hopefully this can be resolved so that our students can continue to use
Google Chrome to do their work and as a web browswer.

Susan
Project Member

Comment 6 by sheriffbot@chromium.org, May 4 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "kerrnel@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Needs-Feedback
Thanks for the information, but I don't see any attachments. Did you attach the files?
Note that our system cannot accept attachments via email. Please attach the files by clicking through to the bug page where you can attach files.
I finally reproduced this, but it seems to affect 10.11 and not 10.12 initially.
chrome issue.pdf
6.9 MB Download
Project Member

Comment 11 by sheriffbot@chromium.org, May 4 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "kerrnel@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Thank you for letting me know.  I just uploaded it in the bug page.

I also noticed that someone said that they were able to reproduce it but on
10.11 or 10.12.  Yes, our OS is 10.11 (El Capitan).  It has affected
approximately 900 of our accounts.  The only way they were not affected is
if they did not automatically update.
I am sorry to hear you've hit this problem. Is there an easy way to re-authorize Chrome on all of those accounts? Rest assured, I am continuing to investigate this. Thank you.
Cc: rbasuvula@chromium.org manoranj...@chromium.org
Labels: -Needs-Bisect TE-NeedsTriageFromMTV
This looks like out of scope for TE, hence adding the respective label for it to  triage further.
Owner: kerrnel@chromium.org
Status: Assigned (was: Unconfirmed)
I have investigated and reproduced, but unfortunately I am not sure what Chrome can do about this. Does the Apple support article on using Parental Controls help you find an easy way to re-authorize Chrome for all of your users? (https://support.apple.com/kb/PH25799?locale=en_GB)

The concern here is that the parental controls have a database of allowed applications, apparently based on their signing certificate. Chrome would have to forcibly inject its new signing certificate into that database, and I doubt Apple has API for apps to forcibly allow themselves.
Sadly we do not have an east way to reauthorize chrome.  We have to go EACH
laptop and reauthorize this. This is very frustrating as our school year is
coming to an end and students need to be able to complete tasks started
using their Google accounts.

This is not okay. Please continue to see of there is a way that you can
rectify the situation that was created by your update.
Cc: jcopel...@chromium.org
Since this is working on the currently installed version of Chrome, what is the best way to temporarily prevent auto updates?
I'm sorry, what's the question? Temporarily disabling auto updates will not solve this (and is very dangerous from a security standpoint). Users would have to avoid updating forever, which isn't a good strategy. I don't think we can do anything about this as the underlying OS provides no mechanism for Chrome to register that it was signed with a new certificate.
Trying to get to the end of the school year without a disruption to students and teachers.  Schools have parental controls set so having to go to each machine is disruptive.  Agreed that turning off auto updates are not a good thing but schools do need someway around this until either Apple can provide a fix or school is out.  I'm also not sure why some are just now running into this issue when 58 has been out for a month.
Interesting. I'm not sure how to temporarily disable auto updates, but are you saying that more reports of this problem are coming in?
Yes.  A very large district brought this up today. We are confirming this is the exact symptoms they are seeing (so far seems like it)--they are East Coast based so won't hear back until tomorrow.  

Cc: pinkerton@chromium.org blumberg@chromium.org georgesak@chromium.org
Cc: shrike@chromium.org
+Shrike
I filed radar 32514193 about this issue. 

Summary:
Google Chrome recently updated its Developer ID signing certificate due to the old certificate expiring. Google Chrome uses a custom designated requirement (DR) that specifies the hash of the signing certificate (see the full DR pasted below). To cope with the certificate transition, Chrome is signed with a DR that accepts both the old and new certificate to handle such issues as permitting the new certificate to access Chrome's keychain entries.

Once Chrome transitioned to the new certificate, customers using the allowed applications feature of Parental Controls reported that Chrome was no longer allowed to run, and internal testing demonstrates that this happens when updating to Chrome signed with the new certificate. It appears the Parental Controls do not recognize Chrome, with the new certificate, as valid. As seen on https://bugs.chromium.org/p/chromium/issues/detail?id=717745, this issue is affecting a number of school districts.
Labels: -TE-NeedsTriageFromMTV -Needs-Triage-M58
Dropping needs triage labels since we are reaching out to Apple at this point.
Apple's reply:

This bug is determined to behave correctly. You might have your team review TN 2206: macOS Code Signing in Depth ( https://developer.apple.com/library/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG401 ), specially the discussions about resource rules.

Hello team, I have a customer experiencing this issue, I want to know if there is any update about it.
Per c#26, the update is basically that Apple says this behavior is expected, so customers only long term option is to re-whitelist Chrome in the allowed apps.
Status: WontFix (was: Assigned)
Closing the issue at this point.

Sign in to add a comment