Right now, DMToken is stored using DMTokenStorage for AD managed devices. This is different from cloud management, where DMToken is stored in device policy. It might also be an issue in case Chrome is hacked. Instead, we should store DMToken in device policy also for AD managed devices.
For this purpose, send DMToken to authpolicy during domain join (add it to JoinDomainRequest) and have authpolicy store it in device policy.
Comment 1 by rsorokin@chromium.org, Feb 12 2018