
Issue 912982

Issue metadata

Status: WontFix
Owner:
Closed: Dec 26
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Feature




ChromeOS - Define device policy requirements per user to login

Project Member Reported by nrpeter@chromium.org, Dec 7

Issue description

Background:
ChromeOS Device policies offer useful security controls like blocking USB access, minimum version, whether rollback is allowed, etc.

This depends on making sure the user only logs on via ChromeOS devices with these restrictions. Currently there is no way for an enterprise to limit which devices the user can login to.

Use Case:
Why do admins want to do this? Two main reasons.
1. To restrict login to devices under their physical control
2. To make sure users only login from devices with these security controls in place.

What if we let an administrator specify per-user what requirements the device must meet for the user to login?

A. To accomplish #1 from above we could allow an admin to specify login is only allowed from devices in a specific OU.

B. To accomplish #2 above, we could allow an admin to specify which device policies must be set along with their values.


Motivation:
For EDU/Enterprise customers, they may wish to restrict students/employees from using USB devices. Enterprises may want to only allow login from devices which upload system logs.

Existing workarounds:
Specify a user policy which force installs a Chrome extension. This extension blocks all web requests if the user has logged in from an unapproved device.

This, however, doesn't do anything for Android apps or Linux apps.
 
Summary: ChromeOS - Define device policy requirements per user to login (was: ChromeOS - Define device policy requirements per user to allow use login)
Labels: Enterprise-Triaged
Owner: marcuskoehler@chromium.org
Status: Assigned (was: Untriaged)
Can this be accomplished with MDM?

Assigning to Chrome OS PM for further triage and processing.
Cc: maxkir...@google.com
Status: WontFix (was: Assigned)
I think this should be an IdaaS feature rather than a Chrome feature. Will forward along to the team and CC you nrpeter@.

Thanks for taking a look at this, Marcus, though I'm not sure this is a great fit for IdaaS. We'd want this feature to work for customers that used other identity services like Active Directory too.

I was imagining such a feature being implemented solely within ChromeOS itself as part of the login process.

Possibly a user policy which defines the device policy requirements that must be met to allow login. Sure, there is a bit of a chicken-and-egg issue here, but we have the same issues with policies like IsolateOrigins, which don't come down until after initial sync.

