Description of problem:
Chrome 73 uses policies as a signal that it is running in a 'managed' (e.g. enterprise) environment, and now displays UI based on that. But the UI is displaying for non-enterprise users as well.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install Chrome Dev (https://www.google.com/intl/en_ca/chrome/dev/)
2. Install the 'fedora-chromium-config' package
3. In Chrome Dev, navigate to 'about:flags' and enable the 'show-managed-ui' flag
4. Restart Chrome Dev
5. Open the 3-dot menu in the top right
The message that says 'Your browser is managed by your administrator' doesn't show up.
The message shows up, even for consumers who aren't managed.
This new feature is shipping in Chrome 73. We want Chrome to be more transparent for enterprise users by showing them that their administrator can set policies on their machine, and control various things.
The logic is that if the user has policies set, this means an admin is managing their machine. Because the 'fedora-chromium-config' package sets policies, this message could confuse users.
More context on https://crbug.com/930495
sgallagh, it looks like you wrote the patch that adds policies to fedora-chromium-config. needinfo-ing
Yes, I'm now engaging in the conversation upstream at https://bugs.chromium.org/p/chromium/issues/detail?id=930495
The short version is that we added a default configuration for Chrome so that we can get support for single-sign-on of the Fedora web services (such as Pagure and Bodhi) out of the box if you add a fedoraproject.org Kerberos account in GNOME Online Accounts (or whatever other equivalent Kerberos tool on other desktops).
However, as of Chrome 73, this now causes the browser to report as "managed", which is misleading. I'm hoping we can come to a compromise with upstream and either have the 00_gssapi.json file excluded from marking the browser as "managed" or else get a separate configuration path for distro modifications.
Upstream has unfortunately closed as wontfix.
What is the plan next?
I understand the intention but I'd like to opt-in instead for those *.fedoraproject.org policies and not be enrolled by default.
Solved with removal of fedora-chromium-config-1.1-2.fc30.noarch.
The change did not require a restart of Chrome.
Upstream isn't going to change their behavior here, but at the same time this is really unlikely to be seen. You need to be changing a non-default option (the 'show-managed-ui' flag) and then it reports that the system is managed, which... is true. We *are* shipping some content that is managing your browser configuration, intentionally.
It's really *not* a good idea to make this an opt-in behavior, mostly because we are actively trying to make Fedora an easier community to contribute to. Having single-sign-on to Fedora applications is a desirable default configuration. Avoidance of a slightly confusing message that almost no one will ever see does not sound like a valid justification to remove this functionality from the default configuration.
> You need to be changing a non-default
FYI, it's going to be on-by-default soon.
> Avoidance of a slightly confusing message that almost no one will ever see does not sound like a valid justification to remove this functionality from the default configuration.
The option seems to be enabled by default as of Chrome 74. Would it be worth revisiting this?
Clicking on the message will now take users to a FAQ page which explains unequivocally that their organisation *can monitor their activity*, and control how they use their browser (https://support.google.com/chrome/answer/9281740).
Whilst further investigation (i.e. chrome://policy/) reveals the installed policies are in fact harmless, I wouldn't blame users for being confused by the message and/or frustrated with Fedora. Most users aren't Fedora contributors - would it be possible to find another way to allow single sign-on to Fedora apps?
Ok, I’ll look into this next week. In the meantime, I’m CCing Matthew Miller to see if he has any contacts at Google. Their explanation of the feature is outright incorrect and alarming, so I’d like to see if we can negotiate a better solution here.
There's also an upstream bug for this (marked WONTFIX), if you haven't taken a look yet: https://crbug.com/930495
I finally got a chance to look into this today, and I don't think it's as alarming as this BZ makes it sound. Yes, Chrome (over-)states that it is "Managed by your organization". Clicking on that links to https://support.google.com/chrome/answer/9281740 which lists the things a managed system *can* do. However, if you read just a few sentences further, it tells you how to view exactly which settings your administrator has enabled, which in turn has links to the descriptions of what those features are. As clearly linked there, the only setting we've enabled is "This browser can negotiate authentication with *.fedoraproject.org".
So, I'm inclined to say that while the initial reading page might lead a user to be slightly concerned, I don't feel that the situation is particularly dire. They can always just read content in the links.
In the worst case, if someone *really* doesn't want to have that message appear, they can just `dnf remove fedora-chromium-config`.
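A way to see what sits behind the "managed" label without opening chrome://policy, as an added example (not part of this bug report or of the fedora-chromium-config package): it lists every policy set by JSON files in the Linux managed-policy directories and flags anything beyond the SSO setting. The directories are the standard Chrome and Chromium locations; the policy key name and the sample file contents are assumptions.

```python
import json
import tempfile
from pathlib import Path

# Machine-wide "managed" policy directories read by Google Chrome and Chromium on Linux.
MANAGED_DIRS = [Path("/etc/opt/chrome/policies/managed"),
                Path("/etc/chromium/policies/managed")]

# Assumption: the SSO setting is the server allowlist for Negotiate authentication
# (AuthServerWhitelist in Chrome 73-era releases, later renamed AuthServerAllowlist).
EXPECTED_POLICIES = {"AuthServerWhitelist", "AuthServerAllowlist"}

def collect_policies(dirs):
    """Return (file, policy, value) for every policy set in *.json under dirs."""
    found = []
    for d in dirs:
        if not d.is_dir():
            continue
        for f in sorted(d.glob("*.json")):
            try:
                data = json.loads(f.read_text(encoding="utf-8"))
                if not isinstance(data, dict):
                    raise ValueError("top level is not a JSON object")
            except (OSError, ValueError) as exc:
                # A file we cannot parse is reported, never silently skipped.
                found.append((str(f), "<unreadable>", str(exc)))
                continue
            found.extend((str(f), name, value) for name, value in data.items())
    return found

def unexpected(found, expected=EXPECTED_POLICIES):
    """Rows that go beyond the expected SSO setting (including unreadable files)."""
    return [row for row in found if row[1] not in expected]

def demo():
    """Audit a constructed policy directory (sample data, not real system files)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "00_gssapi.json").write_text('{"AuthServerWhitelist": "*.fedoraproject.org"}')
        (d / "99_other.json").write_text('{"HomepageLocation": "https://example.org"}')
        found = collect_policies([d])
        names = lambda rows: [(Path(f).name, policy) for f, policy, _ in rows]
        return names(found), names(unexpected(found))

if __name__ == "__main__":
    rows = collect_policies(MANAGED_DIRS)
    print(*rows, "beyond the SSO setting:", *unexpected(rows), sep="\n")
```

Run as a script it audits the real directories; an empty list after "beyond the SSO setting:" means only the Negotiate allowlist is being set.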
This is a bit annoying. I am getting staff members that use Fedora on their personal machines asking why the IT Dept at work has installed some management tool on their personal machine. I am happily explaining it to people but in some of the more paranoid there was a bit of panic until I pointed out this bug.
Maybe rather than trying to get them to remove it see if upstream will add something indicating which domains are involved such as a 'See Organizations' details page or something and add the ability to leave a note with the configurations that is displayed with the domain.
(In reply to Tim Hughes from comment #11)
> This is a bit annoying. I am getting staff members that use Fedora on their
> personal machines asking why the IT Dept at work has installed some
> management tool on their personal machine. I am happily explaining it to
> people but in some of the more paranoid there was a bit of panic until I
> pointed out this bug.
> Maybe rather than trying to get them to remove it see if upstream will add
> something indicating which domains are involved such as a 'See
> Organizations' details page or something and add the ability to leave a note
> with the configurations that is displayed with the domain.
Fedora Magazine published a post today that I wrote explaining how to set up SSO for Fedora Project services, with a section explaining the presence of that message on Chrome browsers. Unfortunately, Google is unwilling to accommodate our requests for better messaging here.
I encourage anyone who is having trouble explaining this to link to the article and to file bugs with Google about the messaging. Maybe they'll change their minds once they hear user complaints.