We are wondering how initial forced/automatic enrollment (ZeroTouch) will play with Chromad.
During ZeroTouch, the device performs an exchange with DMServer on the initial boot. Possible outcomes are:
(1) Auto-enroll into domain X.
-> The device requests an enrollment certificate and tries to enroll using that.
(2) Force-enroll into domain X.
-> The device shows an enrollment screen with the domain pre-filled.
This then does the standard enterprise enrollment.
Will AD domain-join be required as a second step for chromad domains?
Comment 1 by ljusten@google.com, Nov 13
Yes, Chromad enrollment is not complete until the device is domain-joined. Domain join requires a machine name, AD credentials and others ([1], password not sent in proto, but as file descriptor). We have already semi-automated this ("streamlined domain join", DD [2]), but it still requires a user to enter a password, see discussion in DD.
[1] https://cs.chromium.org/chromium/src/third_party/cros_system_api/dbus/authpolicy/active_directory_info.proto
[2] https://docs.google.com/document/d/14gF6UR3qwhupg3Zt9cakVQSxXPmd543iXA1NS9RoDts