New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 851496 link

Starred by 1 user
Status: Available
Owner: ----
Cc:
zalcorn@chromium.org
migue@google.com
r...@chromium.org
tbuck...@chromium.org
jdufault@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug



Sign in to add a comment

Immediately enforce PIN policy

Project Member Reported by tbuck...@chromium.org, Jun 11 2018 
Enterprises should be able to control PIN Unlock/Sign-in on a per-account basis instead of per-device. I.e. it should be possible to say that no @myschool.edu domains can use PIN, but it should not be possible to prevent any/all accounts on the device from using PIN.

Comment 1 by jdufault@chromium.org, Jun 11 2018

Cc: r...@chromium.org
Summary: Remove existing PIN from device if disabled by policy (was: Switch PIN device policy to user policy)
Based on [1], it looks like all of the policy values are per-profile (ie, user) policies already.

- settings already checks to see if PIN is disabled by policy before allowing a user to set it up
- the prefs backend checks policy before authenticating

I currently see one edge case, if policy changes after a user has already setup a cryptohome-based PIN then the PIN will not be removed and the user will be able to continue using it to log in and unlock.

1: https://cs.chromium.org/chromium/src/components/policy/resources/policy_templates.json?l=10567-10598&rcl=3a079323fc7fa046461acfc85c521fae5b0f5548

Comment 2 by tbuck...@chromium.org, Jul 23

Labels: -Pri-1 -M-69 M-70 Pri-2
Summary: Immediately enforce PIN policy (was: Remove existing PIN from device if disabled by policy)
You're right, this is per-profile. Not sure why I thought it was different. Updating summary to reflect edge case in #1, lowering priority.

Comment 3 by zalcorn@chromium.org, Nov 21

Cc: jdufault@chromium.org
Labels: -Pri-2 -M-70 Hotlist-auth-polish Pri-3
Owner: ----
Status: Available (was: Assigned)

Sign in to add a comment