
Issue 813015


Issue metadata

Status: Verified
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Feature
Launch-Privacy: Yes
Launch-Security: Yes
Launch-UI: NA




Extension API Modification: enterprise.deviceAttributes

Project Member Reported by pmarko@chromium.org, Feb 16 2018

Issue description

Extension API Modification Proposal

API Namespace: enterprise.deviceAttributes
API Owners: [Team Members, Team Aliases]
The following documents may not be necessary depending on the scope of your proposal:
API Overview Doc: https://docs.google.com/document/d/1NDt1enxSbKrbwo-BH4qgCbg2M5EWB6igkpe1le0Egk0/edit#heading=h.w8inspeo32bj
Design Doc: N/A
Supplementary Resources: N/A (no UI changes)

Short description:
[ChromeOS-only] Extend the enterprise.deviceAttributes API to provide the device serial number, the administrator-annotated Asset ID and the administrator-set annotated location. Only allowed for force-installed extensions running in an affiliated user profile.

Notes:
This API change was discussed on an e-mail thread, on the doc, and on the CL https://chromium-review.googlesource.com/c/chromium/src/+/876365, but I forgot to file this bug before.

Actual implementation bug is bug 803974.
 

Comment 1 by pmarko@chromium.org, Feb 16 2018

@meacer: Mind flipping the Security review bit (re e-mail thread "Proposal to extend the chrome.enterprise.deviceAttributes API")

Comment 2 by tnagel@chromium.org, Feb 19 2018

Cc: mnissler@chromium.org
+mnissler FYI

Comment 3 by bugdroid1@chromium.org, Feb 20 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/2e197f8b0ae78cc716c1a121100f6a1c2cefaf48

commit 2e197f8b0ae78cc716c1a121100f6a1c2cefaf48
Author: Pavol Marko <pmarko@chromium.org>
Date: Tue Feb 20 09:52:13 2018

login: Pass site isolation startup flags according to device policy

Pass site isolation start-up flags to chrome based on the
DeviceLoginScreenSitePerProcess and DeviceLoginScreenIsolateOrigins
device policies.

Note:
If the device policy values don't match the respective user policy
values (or if the user is unmanaged), chrome will request to restart.
See CL:924147 on the chrome side.

BUG=chromium:813015
TEST=cros_run_unit_tests --board=${BOARD} --packages \
     chromeos-base/chromeos-login
Change-Id: Ie86563f9917d49e48648c262bfe6e2bb2ebfeb0a
Reviewed-on: https://chromium-review.googlesource.com/924421
Commit-Ready: Pavol Marko <pmarko@chromium.org>
Tested-by: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/2e197f8b0ae78cc716c1a121100f6a1c2cefaf48/login_manager/device_policy_service.cc
[modify] https://crrev.com/2e197f8b0ae78cc716c1a121100f6a1c2cefaf48/login_manager/device_policy_service_unittest.cc

Comment 4 by tnagel@chromium.org, Feb 20 2018

Labels: -Launch-Privacy-NotReviewed Launch-Privacy-Started
Quoting [1]: "For public APIs, please email the proposal to extension-api-reviews@chromium.org for any additional feedback."

[1] https://chromium.googlesource.com/chromium/src/+/master/extensions/docs/new_api_proposal.md

Comment 5 by tnagel@chromium.org, Feb 20 2018

Could you please cc me to that thread?

Comment 6 by pmarko@chromium.org, Feb 20 2018

The CL in Comment #3 has nothing to do with this bug. I accidentally used the wrong bug on the CL. It is supposed to be mapped to bug 800117.

Comment 7 by pmarko@chromium.org, Feb 20 2018

Re Comment #4:
Done. This must have changed very recently, because the same document was talking about security-enamel@chromium.org (where I've sent it to), but it doesn't mention that anymore.

Comment 8 by tnagel@chromium.org, Feb 20 2018

Labels: -Launch-Privacy-Started Launch-Privacy-Yes
Thanks Pavol!

A stable device id is already available [1] today via chrome.enterprise.deviceAttributes.getDirectoryDeviceId(). The main difference is that the directory id gets reset upon re-enrollment whereas the serial number stays constant. From a privacy perspective this seems reasonable, as we recognize admins' interest in including the serial number in a CSR so that, for example, certificates of stolen devices may be revoked.

Admin-annotated asset id and device location are fine to share because they have been defined by the admin and are not permanent (reset upon powerwash).

[1] https://developer.chrome.com/extensions/enterprise_deviceAttributes
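
The CSR use case described in Comment 8, as an added example that is not part of the original thread or of Chromium's code: a force-installed extension reads the attributes and builds a certificate subject, declining when no serial number is returned. The getter names other than getDirectoryDeviceId() are the Chrome API's names and are not quoted on this page; the CN/OU/L mapping, the helper names and the stub values are assumptions made for illustration.

```javascript
// Added example, not Chromium code. In a real extension pass
// chrome.enterprise.deviceAttributes as `api`; the stub below is constructed
// sample data so the logic also runs outside Chrome.
const SAMPLE_API = {
  getDirectoryDeviceId: (cb) => cb('dir-0000-constructed'),
  getDeviceSerialNumber: (cb) => cb('SN-CONSTRUCTED-01'),
  getDeviceAssetId: (cb) => cb('LAB-7, cart+2'),   // free text set by the admin
  getDeviceAnnotatedLocation: (cb) => cb(''),      // never annotated
};

// Read all four attributes; an empty string (unaffiliated user, or no
// annotation set) is normalised to null so callers cannot mistake it for an ID.
function collectDeviceIdentity(api, done) {
  const getters = {
    directoryDeviceId: 'getDirectoryDeviceId',
    serialNumber: 'getDeviceSerialNumber',
    assetId: 'getDeviceAssetId',
    annotatedLocation: 'getDeviceAnnotatedLocation',
  };
  const result = {};
  let pending = Object.keys(getters).length;
  for (const [field, method] of Object.entries(getters)) {
    api[method]((value) => {
      result[field] = typeof value === 'string' && value !== '' ? value : null;
      if (--pending === 0) done(result);
    });
  }
}

// RFC 4514 escaping: admin annotations are free text and must not be able to
// inject extra RDNs into the subject.
function escapeDnValue(v) {
  let out = v.replace(/[",+;<>\\]/g, '\\$&').replace(/\0/g, '\\00');
  if (v.length > 1 && v.endsWith(' ')) out = out.slice(0, -1) + '\\ ';
  if (/^[ #]/.test(v)) out = '\\' + out;
  return out;
}

// Hypothetical mapping: CN = serial number, OU = asset ID, L = location.
// Returns null when no serial number is available, so no CSR is built.
function buildCsrSubject(identity) {
  if (!identity.serialNumber) return null;
  const rdns = [['CN', identity.serialNumber], ['OU', identity.assetId],
                ['L', identity.annotatedLocation]];
  return rdns.filter(([, v]) => v)
    .map(([k, v]) => `${k}=${escapeDnValue(v)}`).join(',');
}

collectDeviceIdentity(SAMPLE_API, (id) => console.log(buildCsrSubject(id)));
```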

Comment 9 by pmarko@chromium.org, Feb 20 2018

Thank you Thiemo!
Labels: -Launch-Security-NotReviewed Launch-Security-Started
Setting Launch-Security: Started to reflect the fact that this has been in review on the e-mail thread.
Labels: -Launch-Security-Started Launch-Security-Yes
Flipping security bit based on the discussion at https://groups.google.com/a/chromium.org/forum/#!topic/apps-dev/G3TkGKtmbgY

Thanks!
Cc: benwells@chromium.org
Labels: -Launch-API-NotReviewed Launch-API-Yes
As discussed on the thread, I have no objections, assuming this is an enterprise-only API.  Since this is CrOS-specific, +benwells@ FYI.
Given that M-66 will go to stable very soon, can someone please update this feature with a new target milestone, or close this bug if work has completed?

Comment 14 by bugdroid1@chromium.org, May 8 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/vpd/+/17fd16b23e36148d437014463c08d4356f81d55d

commit 17fd16b23e36148d437014463c08d4356f81d55d
Author: Thiemo Nagel <tnagel@chromium.org>
Date: Tue May 08 11:58:01 2018

dump_vpd_log: Add to filter whitelist

Include more VPD keys in the filtered file to support crbug.com/813015
and crbug.com/820800 launches:
  Product_S/N
  serial_number
  should_send_rlz_ping
  rlz_embargo_end_date

BRANCH=none
BUG=chromium:823724, chromium:813015, chromium:839910
TEST=none

Change-Id: Iccbcfaf971aa5b77b71d19c30fcd29fa2b4dd0be
Reviewed-on: https://chromium-review.googlesource.com/1041965
Commit-Ready: Thiemo Nagel <tnagel@chromium.org>
Tested-by: Thiemo Nagel <tnagel@chromium.org>
Reviewed-by: Thiemo Nagel <tnagel@chromium.org>
Reviewed-by: Pavol Marko <pmarko@chromium.org>

[modify] https://crrev.com/17fd16b23e36148d437014463c08d4356f81d55d/util/dump_vpd_log

Status: Fixed (was: Started)

Comment 16 by bugdroid1@chromium.org, May 10 2018

Labels: merge-merged-release-R67-10575.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/vpd/+/7981ec789af5714b9bed80773f68d7879ba44ee8

commit 7981ec789af5714b9bed80773f68d7879ba44ee8
Author: Thiemo Nagel <tnagel@chromium.org>
Date: Thu May 10 20:58:02 2018

dump_vpd_log: Add to filter whitelist

Include more VPD keys in the filtered file to support crbug.com/813015
and crbug.com/820800 launches:
  Product_S/N
  serial_number
  should_send_rlz_ping
  rlz_embargo_end_date

BRANCH=none
BUG=chromium:823724, chromium:813015, chromium:839910
TEST=none

Change-Id: Iccbcfaf971aa5b77b71d19c30fcd29fa2b4dd0be
Reviewed-on: https://chromium-review.googlesource.com/1041965
Commit-Ready: Thiemo Nagel <tnagel@chromium.org>
Tested-by: Thiemo Nagel <tnagel@chromium.org>
Reviewed-by: Thiemo Nagel <tnagel@chromium.org>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
(cherry picked from commit 17fd16b23e36148d437014463c08d4356f81d55d)
Reviewed-on: https://chromium-review.googlesource.com/1054228
Commit-Queue: Thiemo Nagel <tnagel@chromium.org>

[modify] https://crrev.com/7981ec789af5714b9bed80773f68d7879ba44ee8/util/dump_vpd_log

Status: Verified (was: Fixed)
Verified using M68 
