UserAgent: Mozilla/5.0 (X11; CrOS x86_64 10895.56.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.95 Safari/537.36
Platform: 10895.56.0 (Official Build) stable-channel eve

Steps to reproduce the problem:
Many enterprises what to use the new Linux apps but they are not happy that a user can install an additional browser to chrome os, they can even install another version of Chrome inside of chrome os.  The problem with this is that those installed Browsers do not get any policy settings applied to them.  Enterprises don't want that as a possibility.  Right now they are going to have to disabled Crostini until this is sorted.

What is the expected behavior?
Allow Crostini but add a new policy setting that allows the Enterprise to block additional browsers from being installed.

What went wrong?
Users on managed machines with Crostini allowed can install another Chrome browser that is unmanaged or install Firefox etc that is unmanaged.

Did this work before? No 

Chrome version: 69.0.3497.95  Channel: stable
OS Version: 10895.56.0
Flash Version: 31.0.0.108 

This could be the start of a file type blacklist/Whitelist for Linux apps, which will be the next thing that the Enterprise will be asking for.