Issue 820415

Starred by 12 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Feature



Tracking and locking a lost or stolen ChromeOS device

Reported by jim.dantin@chromium.org, Mar 9 2018

Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 10323.46.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.107 Safari/537.36
Platform: 10323.46.0 (Official Build) beta-channel auron_yuna

Steps to reproduce the problem:
1. Lose track of a ChromeOS device due to theft or misplacing it.
2. Try to lock it remotely and locate it.
3. Learn that "Locate my device" is not available.
4. Go to myaccount.google.com > remove access as a way to protect data.

What is the expected behavior?
1. Expect to be able to locate and lock a ChromeOS device just like a phone or tablet.
2. Expect that removing the account will protect my data from access by a thief or other unauthorized individual.

What went wrong?
1. Device cannot be located. This is not unexpected since there is no built-in GPS module, but WiFi location (as used by many services) is still quite useful in finding a lost or stolen device that is online.

[FEATURE REQUEST] Use WiFi location to assist in finding a ChromeOS device.

2. SECURITY ISSUE - this is a significant concern. If the device was unlocked, and still offline, anyone picking it up has full access to the device and all local data.

If you go to myaccount.google.com > remove access, it appears that you have protected your data, but you haven't. 

This is the scenario:

Imagine a Chromebook with a lot of Drive files synced for offline use.
It's not locked.
It's not near a WiFi connection.

If you open the lid, you can access any of the offline files. 

No password needed to get to the offline files and any other local data in Downloads or Android app storage. This is currently WAI, but presents a significant security and privacy concern.

While the device is still offline, the owner removes the device from their account.

Nothing can change on the Chromebook because it's not connected to the internet.

So, all the offline files are still accessible by the thief or others.

*** This is an unexpected vulnerability for users - and it is undocumented in the Help Center. ***

Now as soon as the device connects to the internet, that all changes. But I am looking at vulnerability BEFORE the device is placed online.

[FEATURE REQUEST]

Improve the security of the ChromeOS device, even for users who choose to not lock the device automatically in sleep.

Possible solution - 

If a sleeping device wakes while offline AND has a logged-in profile, force use of the login password, or PIN.

This will be somewhat inconvenient to anyone not using a screen lock PIN, but would continue the design intent that security comes first for ChromeOS devices.

There could be many variations of this, but the goal should be that access to data while offline should be protected from theft or loss.

Warn users who do not use sleep screen lock.

Other enhanced features should also be considered that would allow a full remote wipe similar to that available for enrolled devices.

[DOCUMENTATION REQUEST] Enhance the warnings in Help Center now. Until an improved security feature is released, describe the vulnerability of an unlocked device when offline and the inability to remotely lock it. Add warnings wherever screen lock features are described.

Did this work before? No 

Chrome version: 65.0.3325.107  Channel: beta
OS Version: 10323.46.0
Flash Version: 29.0.0.108 

This issue has been escalated to the private CBC forum as the result of an end user experience:

https://productforums.google.com/forum/#!private-topic/chromebook-central+rs-mentor/8wQmQOOt6Tw;context-place=private-forum/chromebook-central+rs-mentor

Here is the public thread that shows some of the confusion and concern:

https://productforums.google.com/forum/#!topic/chromebook-central/fJPBQC5Udb4

#CBC-RS/TC-watchlist
 
Components: Enterprise
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Feature
This is a feature request. Maybe the Enterprise team has thought about this before.

Comment 2 by alito@chromium.org, Mar 9 2018

Cc: alito@chromium.org
Labels: Enterprise-Triaged
Owner: dskaram@chromium.org
Adding dskaram@ for further triage.
This feature has already been implemented in a third-party application called "GoGuardian" (goguardian.com). 

From what I can understand from their pages, they use WiFi networks and Bluetooth to get an idea of the location of the Chrome OS device. Due to it using public IP addresses to get an idea of the device location, it may not be accurate, especially when there are no open networks to connect to.

I would recommend some other type of tracking method for the devices; possibly even GPS or improved location services that may be able to be integrated into publicly used devices as well and can then be tracked via the "Find my Device" service.
Status: Untriaged (was: Unconfirmed)
Labels: Hotlist-ConOps-CrOS
(Bulk Edit) Adding the new conops Chrome OS hotlist to all open issues with the "#CBC-RS/TC-watchlist" tag, our former tracking tag.
Status: Assigned (was: Untriaged)
This bug has an owner, thus, it's been triaged. Changing status to "assigned".
Owner: marcuskoehler@chromium.org
