Issue metadata
Sign in to add a comment
|
AutoSelectCertificateForUrls policy added via "defaults write com.google.Chrome" shows up as "Policy level is not supported" in chrome://policy
Reported by
alek...@uber.com,
Jun 29 2018
|
||||||||||||||||||||||
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3476.0 Safari/537.36
Steps to reproduce the problem:
This ins on MacOS:
1. Open Terminal and do "defaults write com.google.Chrome AutoSelectCertificateForUrls -array-add -string '{"pattern":"your-pattern","filter":{"ISSUER":{"CN":"your-cn"}}}'"
2. Open chrome://policy/
3. Click "reload policy"
What is the expected behavior?
AutoSelectCertificateForUrls is applied with Level "Recommended" and status "OK"
What went wrong?
AutoSelectCertificateForUrls is applied with status "Policy level is not supported"
Did this work before? Yes
Chrome version: 69.0.3476.0 Channel: canary
OS Version: OS X 10.13.5
Flash Version:
,
Jul 2
If this is by design, is there a change log that shows when this was changed? The policy was applied correctly until a few days ago -- I can't pinpoint the exact version .
,
Jul 3
A workaround is to use Mac OS's "Device Profiles" feature instead of `defaults write`. 1. Create a plist file (XML is fine) and fill it out according to policy list (in my case https://www.chromium.org/administrators/policy-list-3#AutoSelectCertificateForUrls): ❯ cat com.google.Chrome.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>AutoSelectCertificateForUrls</key> <array> <string>{"pattern":"https://[*.]mydomain.com","filter":{"ISSUER":{"CN":"My CN"}}}</string> </array> </dict> </plist> 2. Convert plist to .mobileconfig file using https://github.com/timsutton/mcxToProfile: ❯ ~/mcxToProfile/mcxToProfile.py --plist com.google.Chrome.plist --identifier com.google.Chrome 3. Open the .mobileconfig file it generated: ❯ open com.google.Chrome.mobileconfig This will apply the chrome managed policy as device profile, which somehow makes the "Policy Level" to be "Mandatory" -- This is all very confusing and the docs are a bit lackluster IMHO. Why is defaults write does it one way and the device policy does it the other way? Why is so much of the docs geared towards windows?
,
Jul 4
Pavol, please take a look.
,
Jul 4
Yes, the policy is mandatory level only now. (And it seems that this is not defined in the policy templates.) +Andrew Olsen as the CL owner. https://chromium.googlesource.com/chromium/src/+/2b24d355f98eb7c3690a546033ced70f78244581%5E%21/#F0
,
Jul 4
,
Jul 6
The documentation in policy_templates.json indicates that policies should be flagged with "can_be_reccomended": True if they can be recommended - otherwise they cannot be recommended. This became enforced as part of some other validation checks I was making. However, since it was not enforced previously, since "recommended" seems to work fine and since other tools seem to assume that it can be recommended, it doesn't seem worth enforcing this going forward. I will make sure these policies work at level "recommended" again.
,
Jul 6
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c5aa46a25fb697ad472799934c77e9a16f543113 commit c5aa46a25fb697ad472799934c77e9a16f543113 Author: A Olsen <olsen@chromium.org> Date: Fri Jul 06 11:22:43 2018 Allow setting policies at level "recommended" Two policices, DefaultPrinterSelection and AutoSelectCertificateForUrls, until CL 1106158 could be set at level RECOMMENDED, although this was undocumented. This change restores that behavior since people are already setting these policies at level recommended, and it is working, and we have no reason to break them. This CL does not fix the other problem - some policies can be recommended but this is undocumented. There are many policies with this problem, so documentation (or some other fix) can be addressed in another CL. See https://crbug/860633 Bug: 859185 Change-Id: I3db5270a2f8869031080ae71034c0d1a9eb2833b Reviewed-on: https://chromium-review.googlesource.com/1127664 Reviewed-by: Pavol Marko <pmarko@chromium.org> Commit-Queue: A Olsen <olsen@chromium.org> Cr-Commit-Position: refs/heads/master@{#572940} [modify] https://crrev.com/c5aa46a25fb697ad472799934c77e9a16f543113/chrome/browser/policy/configuration_policy_handler_list_factory.cc
,
Jul 6
,
Jul 9
Tested this issue on Mac Enterprise machine using chrome reported version & latest Canary-69.0.3486.0. Able to reproduce the issue on chrome reported version-69.0.3476.0 as per steps mentioned in C#0. Steps: ---- 1. Connect to Mac enterprise machine 2. Uninstall and install required chrome 3. Upload required plist build from the below (profile manager) path & save https://as-macbook-air.local/profilemanager/#/device/13/ 4. Open terminal & launch chrome with below command /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --"defaults write com.google.Chrome AutoSelectCertificateForUrls -array-add -string '{"pattern":"your-pattern","filter":{"ISSUER":{"CN":"your-cn"}}}'" 5. open chrome://version & check flag get applied 6. Open chrome://policy & observed above policy status set to 'Policy level is not supported'. Seems issue got fixed on latest Canary- 69.0.3486.0. Followed above same steps form 1 to 6 & observed status as 'OK'and AutoSelectCertificateForUrls is applied with Level "Recommended". Please find the attached screencast for reference . As it is working as intended , adding TE Verified Labels. Thanks..! |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by yini...@chromium.org
, Jul 2