
Issue 896036


Issue metadata

Status: Closed
Owner: ----
Closed: Oct 16
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug




Candy: a user signed in on Chromebook with unmanaged account *DUP*

Project Member Reported by ykrychala@google.com, Oct 16

Issue description

ChromeOS version: 69.0.3497.95 
ChromeOS device model: Dell Chromebook 11 (3120) (Candy)
Case#: 17168703

Description:
The customer has received a report from one of the teachers that a student signed in on a Chromebook with an unmanaged account.
- "Sign-in Restriction" policy is in place
- Recent Users tracking is enabled; there is an entry on AC: "User not managed by your domain"
- The device was not recently moved and the policy was not recently changed
- The issue occurred on October 9th.

Debug log shows that RO firmware switch is writeable:

ro bios version      | Google_Candy.5216.310.57
Boot switch status:
  Recovery button: released
  Developer mode:  not enabled
  RO firmware:     writeable
Boot reason (0): normal
Boot firmware: A
Active EC code: RW
Raw log:
arch                   = x86                            # Platform architecture
backup_nvram_request   = 1                              # Backup the nvram somewhere at the next boot. Cleared on success.
battery_cutoff_request = 0                              # Cut off battery and shutdown on next boot.
block_devmode          = 1                              # Block all use of developer mode
wpsw_boot              = 0                              # Firmware write protect hardware switch position at boot
wpsw_cur               = 0                              # Firmware write protect hardware switch current position

This Chromebook model has a physical WP screw that must be unscrewed to enable 'writeable' mode. The customer opened the device and the screw was in place. He also explains that it seemed this was the first time the computer had been opened, as all the screws looked brand new and didn't seem to have been tinkered with before. Because of this we are reaching out to you, as the customer is baffled about why this could have happened. Additionally, he tested again whether he was able to log in with a different address, and he was not. It looks like 'writeable' mode somehow allowed the student to bypass sign-in restrictions, although developer mode was not enabled at the time the customer collected debug logs.

Steps to reproduce: 
N/A

Current Behavior / Reproduction: 
- RO firmware is 'writeable', the WP screw is in place, and a student was able to log in to the Chromebook with an unmanaged account.

Expected Behavior: 
- RO firmware is 'normal'

Drive link to logs: 
https://drive.google.com/open?id=1w0UzPlBVpaFxfH8jqnyv5eJa-d4eWHRS (bundle with screenshots, logs, etc)

Screenshot from Admin Console:
https://drive.google.com/open?id=1TegtwezLxflRN6utyQQc8LpoiX5q0YkW
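
A check of this kind can be run over collected debug logs to flag devices in the state the report describes. This is an added example, not part of the original issue or of Chrome OS tooling: the function names are hypothetical, the sample lines are copied from the raw log above, and reading wpsw_cur = 0 as "write protect not asserted" is an assumption based on the report's "RO firmware: writeable" line.

```python
import re

# Sample input: lines copied from the raw log quoted in the report above.
SAMPLE_LOG = """\
Boot switch status:
arch                   = x86                            # Platform architecture
block_devmode          = 1                              # Block all use of developer mode
wpsw_boot              = 0                              # Firmware write protect hardware switch position at boot
wpsw_cur               = 0                              # Firmware write protect hardware switch current position
"""

# key = value, optionally followed by whitespace and a '# comment'
LINE_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*(?:#.*)?$")


def parse_raw_log(text):
    """Parse 'key = value  # comment' lines into a dict; other lines are skipped."""
    values = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def audit_write_protect(values):
    """Return findings about the write-protect switch fields (hypothetical helper)."""
    findings = []
    cur, boot = values.get("wpsw_cur"), values.get("wpsw_boot")
    if cur is None:
        findings.append("wpsw_cur missing: write-protect state unknown")
    elif cur == "0":
        # Assumption: 0 means the hardware write-protect switch is not asserted.
        findings.append("wpsw_cur=0: hardware write protect not asserted")
    if cur is not None and boot is not None and cur != boot:
        findings.append(f"wpsw changed since boot ({boot} -> {cur})")
    if cur == "0" and values.get("block_devmode") == "1":
        findings.append("block_devmode=1 but firmware is writeable: inspect device")
    return findings


if __name__ == "__main__":
    for finding in audit_write_protect(parse_raw_log(SAMPLE_LOG)):
        print(finding)
```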

 
Cc: -jayhlee@chromium.org
Labels: -Hotlist-Enterprise
Status: Closed (was: Untriaged)
Summary: Candy: a user signed in on Chromebook with unmanaged account *DUP* (was: Candy: a user signed in on Chromebook with unmanaged account )
