Bug 1680129 - In Chrome 73, 'Managed by your organization' shows up for non-enterprise users
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: fedora-chromium-config
Version: 30
Hardware: All
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-02-22 19:05 UTC by Nicolas Ouellet-Payeur
Modified: 2019-05-20 12:03 UTC (History)

Last Closed: 2019-05-13 12:39:55 UTC



Description Nicolas Ouellet-Payeur 2019-02-22 19:05:20 UTC
Description of problem:
Chrome 73 uses policies as a signal that it is running in a 'managed' (e.g. enterprise) environment, and now displays UI based on that. But the UI is displaying for non-enterprise users as well.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install Chrome Dev (https://www.google.com/intl/en_ca/chrome/dev/)
2. Install the 'fedora-chromium-config' package
3. In Chrome Dev, navigate to 'about:flags' and enable the 'show-managed-ui' flag
4. Restart Chrome Dev
5. Open the 3-dot menu in the top right

Actual results:
The message that says 'Your browser is managed by your administrator' doesn't show up.

Expected results:
The message shows up, even for consumers who aren't managed.

Additional info:
This new feature is shipping in Chrome 73. We want Chrome to be more transparent for enterprise users by showing them that their administrator can set policies on their machine, and control various things.

The logic is that if the user has policies set, this means an admin is managing their machine. Because the 'fedora-chromium-config' package sets policies, this message could confuse users.

More context on https://crbug.com/930495

Comment 1 Nicolas Ouellet-Payeur 2019-02-22 19:08:48 UTC
sgallagh, it looks like you wrote the patch that adds policies to fedora-chromium-config. needinfo-ing

Comment 2 Stephen Gallagher 2019-02-25 13:23:16 UTC
Yes, I'm now engaging in the conversation upstream at https://bugs.chromium.org/p/chromium/issues/detail?id=930495

The short version is that we added a default configuration for Chrome so that we can get support for single-sign-on of the Fedora web services (such as Pagure and Bodhi) out of the box if you add a fedoraproject.org Kerberos account in GNOME Online Accounts (or whatever other equivalent Kerberos tool on other desktops).

However, as of Chrome 73, this now causes the browser to report as "managed", which is misleading. I'm hoping we can come to a compromise with upstream and either have the 00_gssapi.json file excluded from marking the browser as "managed" or else get a separate configuration path for distro modifications.

Comment 3 Mai Ling 2019-03-26 21:53:25 UTC
Upstream has unfortunately closed as wontfix.
What is the plan next?

I understand the intention but I'd like to opt-in instead for those *.fedoraproject.org policies and not be enrolled by default.

Comment 4 Mai Ling 2019-03-26 21:56:50 UTC
Solved with removal of fedora-chromium-config-1.1-2.fc30.noarch.
The change did not require restart of Chrome.

Comment 5 Stephen Gallagher 2019-03-27 00:14:09 UTC
Upstream isn't going to change their behavior here, but at the same time this is really unlikely to be seen. You need to be changing a non-default option (the 'show-managed-ui' flag) and then it reports that the system is managed, which... is true. We *are* shipping some content that is managing your browser configuration, intentionally.

It's really *not* a good idea to make this an opt-in behavior, mostly because we are actively trying to make Fedora an easier community to contribute to. Having single-sign-on to Fedora applications is a desirable default configuration. Avoidance of a slightly confusing message that almost no one will ever see does not sound like a valid justification to remove this functionality from the default configuration.

Comment 6 Nicolas Ouellet-Payeur 2019-03-27 13:56:54 UTC
> You need to be changing a non-default 

FYI, it's going to be on-by-default soon.

Comment 7 Alfie Fresta 2019-05-07 20:08:35 UTC
> Avoidance of a slightly confusing message that almost no one will ever see does not sound like a valid justification to remove this functionality from the default configuration.

The option seems to be enabled by default as of Chrome 74. Would it be worth revisiting this?

Clicking on the message will now take users to a FAQ page which explains unequivocally that their organisation *can monitor their activity*, and control how they use their browser (https://support.google.com/chrome/answer/9281740).

Whilst further investigation (i.e. chrome://policy/) reveals the installed policies are in fact harmless, I wouldn't blame users for being confused by the message and/or frustrated with Fedora. Most users aren't Fedora contributors - would it be possible to find another way to allow single sign-on to Fedora apps?

Comment 8 Stephen Gallagher 2019-05-07 20:21:49 UTC
Ok, I’ll look into this next week. In the meantime, I’m CCing Matthew Miller to see if he has any contacts at Google. Their explanation of the feature is outright incorrect and alarming, so I’d like to see if we can negotiate a better solution here.

Comment 9 Nicolas Ouellet-Payeur 2019-05-07 20:50:38 UTC
There's also an upstream bug for this (marked WONTFIX), if you haven't taken a look yet: https://crbug.com/930495

Comment 10 Stephen Gallagher 2019-05-13 12:39:55 UTC
I finally got a chance to look into this today, and I don't think it's as alarming as this BZ makes it sound. Yes, Chrome (over-)states that it is "Managed by your organization". Clicking on that links to https://support.google.com/chrome/answer/9281740 which lists the things a managed system *can* do. However, if you read just a few sentences further, it tells you how to view exactly which settings your administrator has enabled, which in turn has links to the descriptions of what those features are. As clearly linked there, the only setting we've enabled is "This browser can negotiate authentication with *.fedoraproject.org".

So, I'm inclined to say that while the initial reading page might lead a user to be slightly concerned, I don't feel that the situation is particularly dire. They can always just read content in the links.

In the worst case, if someone *really* doesn't want to have that message appear, they can just `dnf remove fedora-chromium-config`.
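
The check described in comment 10 (seeing exactly which policies trigger the "managed" label) can also be done from the filesystem. This is an added example, not part of the bug thread or the fedora-chromium-config package; it assumes the standard Linux machine-policy directories for Chrome and Chromium, and the `audit` and `needs_review` helper names are hypothetical.

```python
import json
from pathlib import Path

# Directories Chrome and Chromium read machine-wide mandatory policy from on Linux.
MANAGED_DIRS = ("/etc/opt/chrome/policies/managed", "/etc/chromium/policies/managed")
# Policies that only list servers allowed for integrated (Negotiate) authentication.
# AuthServerWhitelist is the older name of AuthServerAllowlist.
AUTH_ONLY = {"AuthServerWhitelist", "AuthServerAllowlist"}


def _is_scoped_auth(name, value):
    """True for an auth-server list that is not a bare '*' (which matches any host)."""
    if name not in AUTH_ONLY or not isinstance(value, str):
        return False
    return "*" not in {part.strip() for part in value.split(",")}


def audit(dirs=MANAGED_DIRS):
    """Return (file, policy, value, auth_only) for every policy found in dirs."""
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for f in sorted(d.glob("*.json")):
            try:
                data = json.loads(f.read_text(encoding="utf-8"))
            except (OSError, ValueError) as exc:
                # An unparseable policy file is itself worth a look.
                findings.append((str(f), "<unreadable>", str(exc), False))
                continue
            if not isinstance(data, dict):
                findings.append((str(f), "<not an object>", repr(data), False))
                continue
            for name, value in data.items():
                findings.append((str(f), name, value, _is_scoped_auth(name, value)))
    return findings


def needs_review(findings):
    """Policies that do more than allow Negotiate auth to a scoped server list."""
    return [f for f in findings if not f[3]]


if __name__ == "__main__":
    for path, name, value, auth_only in audit():
        tag = "auth-only" if auth_only else "REVIEW"
        print(f"[{tag}] {path}: {name} = {value!r}")
```

A machine whose only finding is a scoped auth-server entry matches the situation described in this bug; anything tagged `REVIEW` should be compared against chrome://policy.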

Comment 11 Tim Hughes 2019-05-20 09:53:53 UTC
This is a bit annoying. I am getting staff members that use Fedora on their personal machines asking why the IT Dept at work has installed some management tool on their personal machine. I am happily explaining it to people but in some of the more paranoid there was a bit of panic until I pointed out this bug.

Maybe rather than trying to get them to remove it see if upstream will add something indicating which domains are involved such as a 'See Organizations' details page or something and add the ability to leave a note with the configurations that is displayed with the domain.

Comment 12 Stephen Gallagher 2019-05-20 12:03:23 UTC
(In reply to Tim Hughes from comment #11)
> This is a bit annoying. I am getting staff members that use Fedora on their
> personal machines asking why the IT Dept at work has installed some
> management tool on their personal machine. I am happily explaining it to
> people but in some of the more paranoid there was a bit of panic until I
> pointed out this bug.
> 
> Maybe rather than trying to get them to remove it see if upstream will add
> something indicating which domains are involved such as a 'See
> Organizations' details page or something and add the ability to leave a note
> with the configurations that is displayed with the domain.

Fedora Magazine published a post[1] today that I wrote explaining how to set up SSO for Fedora Project services, with a section explaining the presence of that message on Chrome browsers. Unfortunately, Google is unwilling to accommodate our requests for better messaging here.

I encourage anyone who is having trouble explaining this to link to the article and to file bugs with Google about the messaging. Maybe they'll change their minds once they hear user complaints.


[1] https://fedoramagazine.org/getting-set-up-with-fedora-project-services/

