Wipe device data - where is it in chromium os?

Sergey P

Feb 9, 2015, 9:07:25 AM
to chromium-...@chromium.org
There's a mention of the `Wipe device data` feature in the knowledge base: https://support.google.com/chrome/a/answer/1360642?hl=en

How do I trigger this `wipe` on a regular chromiumos that is running on some general x86 laptop?

Mike Frysinger

Feb 9, 2015, 9:21:17 AM
to Sergey P, Chromium OS discuss
you can't trigger it remotely if it's not enrolled

if you have the device in front of you, just perform a powerwash:
-mike

On Mon, Feb 9, 2015 at 9:07 AM, Sergey P <uaz...@gmail.com> wrote:
> There's a mention of the `Wipe device data` feature in the knowledge base: https://support.google.com/chrome/a/answer/1360642?hl=en
>
> How do I trigger this `wipe` on a regular chromiumos that is running on some general x86 laptop?

--
--
Chromium OS discuss mailing list: chromium-...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-os-discuss?hl=en


Sergey P

Feb 9, 2015, 9:44:00 AM
to chromium-...@chromium.org, uaz...@gmail.com
Mike, from your answer I get that probably it's possible to `wipe device data` remotely on an enrolled device. Is it true?

Is it possible to wipe device data locally on the machine? Maybe there's some command-line script for this?

On Monday, February 9, 2015 at 16:21:17 UTC+2, Mike Frysinger wrote:

Mike Frysinger

Feb 9, 2015, 9:51:38 AM
to Sergey P, Chromium OS discuss
please read the article i referenced -- it explains how to do local wipes.  afaik it works in Chromium OS and does not require firmware you'd find on Chromebooks.

if you want to understand how it works internally, you can review the design doc:
-mike

Sergey P

Feb 13, 2015, 12:27:26 PM
to chromium-...@chromium.org, uaz...@gmail.com
Thanks, Mike.

The thing I want to know is how to wipe device data on an enrolled chromiumos machine? It seems like powerwash is a slightly different feature - it resets the device as if it was never enrolled. In the settings menu under advanced settings I found a "Powerwash" button and "Reset settings". The latter is for resetting browser settings to defaults, if I get it right. And powerwash will reset the device to the state it was in on first boot (or to a state that is really close to that).


I wanted to dig deeper and investigate this issue. The idea was to enroll the device and try to see what changes.
I tried to set up a testing policy server according to this manual: http://www.chromium.org/developers/how-tos/enterprise/running-the-cloud-policy-test-server

I installed a fresh chromiumos build (R40 if it matters) on the hdd of my old acer laptop and tried

Also I should say a few words about the testing policy server documentation. To make chromiumos use a custom policy server it's required to edit `/etc/chrome_dev.conf` and write there:
and then `restart ui`
I tried to enroll the machine using this testing server and it failed. On the testing policy server stdout I see two POST requests

First one is:
POST /device_management?request=register&devicetype=2&apptype=Chrome.............
Second one is:
POST /device_management?request=policy&devicetype=2&apptype=Chrome.................

But the enterprise enrollment fails with the message:
Error when fetching policy settings from the server: Failed to decode response. _Try again_?

Any further suggestions about wiping device data while keeping enrollment status?
Should enrollment work with testing policy server? How to test enrollment and wiping the data (or powerwashing)?

More to that, I am unable to initiate powerwashing by pressing Alt + Ctrl + Shift + R on the login screen. This key combination simply does nothing. The only way I know is to log in and go to advanced settings in chrome.

Mike Frysinger

Feb 13, 2015, 12:36:53 PM
to Sergey P, Chromium OS discuss
there is support for forced re-enrollment so that, even if the device is wiped, it will re-enroll itself automatically.  you can read a bit more about that here:

otherwise, i can't really answer the deeper technical parts of enterprise enrollment as i'm not familiar with them.  hopefully someone else here can help.
-mike

Bartosz Fabianowski

Feb 16, 2015, 3:39:21 AM
to vap...@chromium.org, Sergey P, Chromium OS discuss
It sounds like the feature you want is "ephemeral users." You can
enable this via the Control Panel on enterprise-enrolled devices. When
this feature is on, users' data is held temporarily in RAM only and
disappears on logout.

You should be able to enroll a Chromium build against the cloud policy
test server and experiment with ephemeral users that way. The page you
linked to is somewhat out of date. Try putting the following in your
/etc/chrome_dev.conf file before you restart ui instead:
--device-management-url=http://url-of-your-cloud-policy-test-server
--disable-policy-key-verification
--enterprise-enrollment-skip-robot-auth

- Bartosz

Sergey P

Feb 16, 2015, 6:14:09 AM
to chromium-...@chromium.org, vap...@chromium.org, uaz...@gmail.com
Thanks, Bartosz

I added --disable-policy-key-verification and --enterprise-enrollment-skip-robot-auth options to chrome,
and it behaves exactly as it was with only --device-management-url= specified:
On the enterprise enrollment screen (Alt+Ctrl+E on first login) I type my google account credentials. On another machine I monitor the testing policy server console.
On submitting enterprise enrollment screen I see one POST request to policy server POST /device_management?request=register&devicetype=2&apptype=Chrome&agent=.. with reply code 200 and second POST request after few seconds: POST /device_management?request=policy&devicetype=2&apptype=Chrome&agent=... with 200 reply code.
On the chromiumos I then see an error:

Error when fetching policy settings from the server: Failed to decode response.
Once again
Cancel

Any suggestions how to check enrollment and device reset/wipe/powerwash feature?
I wonder how tests for enrollment process pass while I'm unable to reproduce desired behavior.
Maybe I use outdated policy config for testing policy server? Where can I get a working config?

Bartosz Fabianowski

Feb 16, 2015, 7:45:23 AM
to uaz...@gmail.com, chromium-...@chromium.org, vap...@chromium.org
On 02/16/2015 12:14 PM, Sergey P wrote:
> Thanks, Bartosz
>
> I added --disable-policy-key-verification and --enterprise-enrollment-skip-robot-auth options
> to chrome,
> and it behaves exactly as it was with only --device-management-url=
> specified:
> On enterprise enrollment screen (Alt+Ctrl+E on first login) I type my
> google account credentials. On other machine I monitor testing policy
> server console.
> On submitting enterprise enrollment screen I see one POST request to policy
> server POST /device_management?request=register&devicetype=2&apptype=Chrome&agent=..
> with reply code 200 and second POST request after few seconds: POST
> /device_management?request=policy&devicetype=2&apptype=Chrome&agent=...
> with 200 reply code.
> On the chromiumos I then see an error:
>
> Error when fetching policy settings from the server: Failed to decode
> response.
> Once again
> Cancel

I have not used the python cloud policy test server in a long time. Two
possibilities come to mind:
- Maybe the policy JSON file you set up is invalid? It may have
incorrect syntax (e.g. trailing commas) or invalid settings inside it.
- Maybe the cloud policy test server bitrotted and broke?

>
> Any suggestions how to check enrollment and device reset/wipe/powerwash
> feature?

What exactly would you like to check out? It may be possible to trigger
it in another way.

> I wonder how tests for enrollment process pass while I'm unable to
> reproduce desired behavior.

These tests do not use the test server.

> Maybe I use outdated policy config for testing policy server? Where can I
> get a working config?

You can remove all the policies as a minimal test. You could also check
out user policy first - set up all command line parameters as before,
but do *not* enroll. Instead, log in with a non-consumer account and
check whether Chrome is able to pull policy for this user from your server.

- Bartosz
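
The first possibility raised in the reply above (a policy JSON file with incorrect syntax such as trailing commas) can be checked before the test server is started. The following is an added example, not part of the thread or of the Chromium code base; the key names in the sample inputs are constructed placeholders, not real policy names, and the duplicate-key check goes slightly beyond what the reply mentions.

```python
import json
import re

# Constructed sample inputs; the key names are placeholders, not real policy names.
SAMPLE_BAD = '''{
  "example_section": {
    "ExampleSettingA": true,
    "ExampleSettingB": ["x", "y",],
  }
}'''
SAMPLE_GOOD = '{"example_section": {"ExampleSettingA": true}}'

_STRING = re.compile(r'"(?:\\.|[^"\\])*"')   # a JSON string literal
_TRAILING_COMMA = re.compile(r',\s*[\]}]')   # comma directly before ] or }


def find_trailing_commas(text):
    """Return 1-based (line, column) of each trailing comma outside strings."""
    spans = [m.span() for m in _STRING.finditer(text)]
    hits = []
    for m in _TRAILING_COMMA.finditer(text):
        pos = m.start()
        if any(start <= pos < end for start, end in spans):
            continue  # the comma is data inside a string literal
        line = text.count("\n", 0, pos) + 1
        col = pos - text.rfind("\n", 0, pos)
        hits.append((line, col))
    return hits


def check_policy_json(text):
    """Return a list of problems; an empty list means the text parses cleanly."""
    problems = [f"trailing comma at line {l}, column {c}"
                for l, c in find_trailing_commas(text)]
    duplicates = []

    def record_duplicates(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                duplicates.append(key)
            seen.add(key)
        return dict(pairs)

    try:
        json.loads(text, object_pairs_hook=record_duplicates)
    except json.JSONDecodeError as exc:
        problems.append(f"syntax error at line {exc.lineno}, column {exc.colno}: {exc.msg}")
    problems += [f"duplicate key {k!r}: json keeps only the last value" for k in duplicates]
    return problems
```

Python's strict `json` parser stops at the first syntax error, so the regex pass is what lists every trailing comma in one run; duplicate keys are reported only once the file parses.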

Forrest Smith

Mar 27, 2015, 3:56:32 PM
to chromium-...@chromium.org, uaz...@gmail.com, vap...@chromium.org
Hi all,

I'd like to follow up on this same set of questions.

Though I'm not at the level where I can quickly deploy the test-server to mock up enrollment, I do have examples of machines which are running Chromium and also enrolled in the management console.

My goal is to find a way to trigger the "Forced Re-Enrollment" sequence and test the related management settings on a Chromium device which is enrolled, but so far I cannot identify any way to provoke a state where Forced Re-Enrollment is necessary (since, as explained in Chromium docs, the "Wipe-Device-Data" event is initiated by special hardware switches or key-combos not present for machines running Chromium).

Can anyone help me understand how to get a machine into a state where I can see if the Forced Re-Enrollment setting is or is not working? My best guess is that programmatically emulating the steps of a "Wipe-Device-Data" procedure is the key here, but any other methods would be very welcome.

Thanks! 