Just to make it clear: we will add a pref that would allow the user to sign in to Google web (e.g. gmail.com) without signing in to Chrome. Note that signing in to Chrome is about Chrome knowing the Google identities of the user - sync does *not* automatically start when the user signs in to Google web (e.g. gmail.com).

Note that this pref does not allow the admin for force sync on when the user signs in to Google web.

In terms of coding we are doing the following:
1. we are changing the old (and currently deprecated) SigninAllowed policy to refer to a new pref named SigninAllowedOnNextRestart.
2. On start-up, we set the value for signin.allowed pref to match the value of SigninAllowedOnNextRestart pref.
3. We are doing a couple of tweaks to the UI.

We are still trying to figure out what this means for the SigninAllowed policy and whether we need to update its description. pastarmovj@ suggested to not do any updated to the policy description for M70 as we are too late in the cycle.

Note: The following policies continue to be supported as expected:
* ForceBrowserSignin: user must be signed in to Chrome and have selected their primary account (aka sync account)
* RestrictSigninToPattern: restricts the accounts that can be selected as the primary Chrome account (aka used for sync) to the given pattern
* SyncDisabled: sync cannot be enabled in this profile.

Btw for 70 we can at least update the documentation on https://www.chromium.org/administrators/policy-list-3 manually to reflect whatever the correct behavior is. The ADM[X] templates will still be whatever is in the code but this page can be manually edited to reflect the truth more closely.

I see crbug.com/890396 has been filed for the same request - Dup'ing to consolidate the discussions.