Chrome OS auto login

[Divamani Wickremasingha]

We are new to development for Chrome OS. We provide solutions to Public Libraries where we would like to Auto login the Chromebook with User credentials created in google Workspace. 

It seems guest mode allows Auto login. But, if we want to authenticate a user, we cannot? Is this the case? Or is there a way to do this? 

Thank you so much

[dragon788]

You likely want to use managed guest mode or kiosk mode because you can control the apps and extensions installed there and either of those should prevent a user from adding additional unauthorized extensions that could be used to compromise the security of Chrome OS or other future users of the system.

With the very strong recommendation to enable 2FA on all Google workspace accounts an auto login authentication mode wouldn't make a lot of sense because it would require some way to bypass MFA or leave the account with a weak security posture.

--
--
Chromium OS Developers mailing list: chromiu...@chromium.org
View archives, change email options, or unsubscribe:
https://groups.google.com/a/chromium.org/group/chromium-os-dev
---
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-os-d...@chromium.org.

[Divamani Wickremasingha]

Hi!

Thank you for your response. So, we definitely considered guest mode. But, the issue there is that it doesn't allow things like google drive and other apps which patrons find useful. 

The way that we were going to set things up was that each device has an assigned user through Workspace. THrough Workspace we were going to configure the user with locked down permissions. 

We weren't going to enable 2FA. Since we were hoping to try and limit permissions. 

Do you feel that is not feasible? 

Trying to offer the best of both worlds. But, perhaps it is not intended to be used this way?

[dragon788]

Is the intent that they access shared resources from the institution's Google Drive or that they can save things to their own Google Drive account?

if it is the latter I believe the setting you are looking for is ephemeral user sessions with a cache limit that keeps a certain amount of data per logged in user and allows them to use their own personal accounts and when they sign out the system forgets they had used it.

It can also be configured not to show previous logins on the main screen but could also include a managed guest session for users without a Google account that just need to do research or print something.

[Divamani Wickremasingha]

  So, here's the current setup to give some context.

We have Chromebook1 and Chromebook2, Workspace has User1 and User2. 

When you boot up Chromebook1, you login with User1. Bootup Chromebook2 and login to it with User2. 

Then our App loads requiring that they login with a Library card number and PIN. Which we authenticate in our back end.

The patron logging in to Chromebook1/User1 has access to the google apps for User1. They use it, and when they end their session, we clear everything that person did during that 1-2 hour session.

Patron logging in to Chromebook2/User2 has access to the google apps for User2. Once they log off, we clear everything used during that session.

So, there won't be any privacy issues for the Patrons. 

IF someone wants to login with their own google account, they can. If they do, we don't clear their centralized data. 

If we use a Guest session, they it does not offer all the other useful apps patrons tend to want to use. You know what I mean?

So, do you think there is a risk using these Authenticated users and not Guest account? WHat can they really do? 

[dragon788]

my points of concern would be does the user get to know the credentials for user 1 that they could then attempt to log into that user from Chromebook 2 when they check it out or log into that account on their phone to access the files and then not log out?

when you say you clear traces of the session after they log out, is that on the Chromebook or does someone have to manually go into Google Drive/etc and delete any information the user added before giving out the login information again?

within the context of a managed device and a managed guest session or a kiosk session I believe you can force certain apps to be installed and available they simply won't be associated with a specific Google account so the user can supply their own and you can avoid privacy and liability issues for having access to health information or other PII if for example they had to take a photo of their ID to upload to a site and they used the Chromebook webcam to do that.

I'm sure someone from Google can probably supply more information about these types of concerns and how they would suggest mitigating them.

[Divamani Wickremasingha]

Well, Therein lies the problem. It's almost impossible to get in touch with development support. 

Appreciate all your insight dragon788 Truly. 

[Yves Arrouye]

Managed guest sessions are perfect for organization like libraries. See https://support.google.com/chrome/a/answer/3017014?hl=en

You can install all the apps you want in managed guest sessions, through the Google administration console. See https://knowledge.workspace.google.com/kb/how-to-force-install-apps-extensions-000004540#solution

> IF someone wants to login with their own google account, they can. If they do, we don't clear their centralized data. 

If you are talking about ChromeOS login, then in order for them to do that, they will need to create an account on the device. Do you really want that, and have lots of accounts, potentially all taking space and slowly filling layout disk with downloads and whatever else the patrons would do? Or have to manage deletion of those accounts?

Even if you do want to allow this, the managed guest session will be the first displayed option on the sign in screen, making it always visible.

[dragon788]

If concerned about the build-up of personal account information on the devices, enabling EphemeralMode should mitigate that. Managed Guest Sessions is definitely the way to go IMO for anybody who doesn't want to use their own account, and if you support/encourage them to use their own account, then Ephemeral mode is a great option to ensure their information gets purged when they log out to limit everybody's exposure.

https://support.google.com/chrome/a/answer/3538894?hl=en
https://chromeenterprise.google/policies/?policy=DeviceEphemeralUsersEnabled

[Divamani Wickremasingha]

Does anyone know of the best way to actually communicate with Google development support?