List enrollment scenarios in documentation

TBR=bartfab@chromium.org TBR=atwilson@chromium.org Change-Id: I1a5b19902797ecb3c7944c7623d0f93abb5a52ad Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1611611Reviewed-by: Denis Kuznetsov <antrim@chromium.org> Reviewed-by: Sergey Poromov <poromov@chromium.org> Commit-Queue: Denis Kuznetsov <antrim@chromium.org> Cr-Commit-Position: refs/heads/master@{#660056}

List enrollment scenarios in documentation
TBR=bartfab@chromium.org TBR=atwilson@chromium.org Change-Id: I1a5b19902797ecb3c7944c7623d0f93abb5a52ad Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1611611Reviewed-by: Denis Kuznetsov <antrim@chromium.org> Reviewed-by: Sergey Poromov <poromov@chromium.org> Commit-Queue: Denis Kuznetsov <antrim@chromium.org> Cr-Commit-Position: refs/heads/master@{#660056}
885b1859 · Denis Kuznetsov · Commit Bot · 0e8c828e · 885b1859 · 885b1859
Commit 885b1859 authored May 15, 2019 by Denis Kuznetsov Committed by Commit Bot May 15, 2019
5 changed files
--- a/docs/README.md
+++ b/docs/README.md
@@ -278,7 +278,8 @@ used when committed.

 ### Misc Chrome-OS-Specific Docs
 *   [Setting up captive portals and other restrictive networks](login/restrictive_networks.md)
-*   [Enrolling a device in OOBE/Login](login/enterprise_enrollment.md)
+*   [Enterprise Enrollment](enterprise/enrollment.md)
+    *   [Kiosk mode and public sessions](enterprise/kiosk_public_session.md)
 *   [Debugging UI in OOBE/login/lock](login/ui_debugging.md)
 *   [Chrome Logging on Chrome OS](chrome_os_logging.md)


--- a/docs/enterprise/enrollment.md
+++ b/docs/enterprise/enrollment.md
+# Enterprise Enrollment on Chrome OS
+
+Enterprise Enrollment is a process that marks a device as belonging to
+particular organization and enables [management](management.md) of the device
+by organization admins.
+
+[TOC]
+
+## Requirements
+
+Only **devices without owner** can be enrolled. Ownership of the device is
+established either during Enterprise Enrollment (the organization becomes the
+owner of the device) or during first user sign-in (in this case this user
+becomes the owner of the device).
+
+Ownership of the device can be reset using factory reset (```Ctrl+Alt+Shift+R```
+on the login screen), if it is not disabled via device policy.
+
+Developers can reset ownership by running following commands as root in shell:
+```
+pkill -9 chrome
+rm -rf /home/chronos/Local\ State /var/lib/whitelist /home/.shadow
+rm /home/chronos/.oobe_completed
+crossystem clear_tpm_owner_request=1
+reboot
+```
+
+Only **enterprise users** can enroll devices (device will be owned by the
+organization user belongs to).
+
+#### Instructions for Google Employees
+Are you a Google employee? See
+[http://go/managed-devices/faq/using-yaps](https://goto.google.com/managed-devices/faq/using-yaps)
+to learn how to use simple development device management server.
+
+See
+[http://go/managed-devices/faq/test-account](https://goto.google.com/managed-devices/faq/test-account)
+for instuctions on how to get enterprise account for testing.
+
+## Enrollment scenarios
+
+There are several enrollment scenarios, exact choice is made based on
+following factors:
+ * How the authentication is performed
+ * If enrollment can be avoided by user
+ * What initiates enrollment.
+
+#### Instructions for Google Employees
+Are you a Google employee? See
+[go/chromeos-enrollment-overview](https://goto.google.com/chromeos-enrollment-overview)
+for other enrollment scenarios in development.
+
+### Manual enrollment
+
+Enrollment can be triggered manually on the login screen via `Ctrl+Alt+E`
+shortcut. User will have to authenticate using username/password. User can
+cancel enrollment attempt and return to login screen.
+
+### Re-enrollment
+
+During initial setup device queries management service to check if it was
+previously enrolled, and if organization admins indicated that device should
+be enrolled again.
+
+This is set on https://admin.google.com/ under `Enrollment & Access` section on
+`Device Management>Chrome>Device Settings` page.
+
+Authentication is the same as in **Manual enrollment** case, and whether
+enrollment can be skipped depends on policy set by admins.
+
+### OEM-triggered Enrollment
+
+Device manufacturers can provide special [OEM manifest](https://cs.chromium.org/chromium/src/chromeos/system/statistics_provider.cc?rcl=2e366a611abdd2be6995e625f3281d40fab5b5e3&l=83)
+that controls if device should be enrolled, and if enrollment is forced.
+Authentication is the same as in **Manual enrollment** case.
+
+### Offline demo-mode enrollment
+
+This mode is intended for demo ChromeOS features e.g. in retail stores. This
+enrollment does not require network connection, it enrolls device to a fixed
+domain and uses policy from a local resource.
+
+Demo enrollment can be triggered during initial setup on welcome/network
+screens via `Ctrl+Alt+D` shortcut. No authentication is required during
+enrollment.
--- a/docs/enterprise/kiosk_public_session.md
+++ b/docs/enterprise/kiosk_public_session.md
-#Kiosk mode and public sessions (ChromeOS)
+#Kiosk mode and public sessions (Chrome OS)

-When ChromeOS device is enterprise enrolled, organization admins can add two
+When Chrome OS device is enterprise enrolled, organization admins can add two
 special types of users on the device. Those are Public sessions and Kiosk apps.

 ## Public sessions

--- a/docs/enterprise/management.md
+++ b/docs/enterprise/management.md
+# Enterprise Management on Chrome OS
+
+Once enrolled, Chrome OS device can be managed by organization admins via
+https://admin.google.com/.
+
+Few notable management options are:
+
+`Kiosk settings` section on `Device Management>Chrome>Device Settings` page
+allows to configure [public sessions / Kiosk mode](kiosk_public_session.md).
+
+`Enrollment & Access` section on `Device Management>Chrome>Device Settings`
+page controls if device should be automatically re-enrolled after factory reset.
--- a/docs/login/enterprise_enrollment.md
+++ b/docs/login/enterprise_enrollment.md
-# Enterprise Enrollment on Login
-
-The easiest way to test enterprise enrollment on login is to use an actual
-enterprise account. If you don't have one, reach out a teammate; anyone with an
-account can add new accounts.
-
-Once you have an enterprise account, run chrome and [enroll the device](https://support.google.com/chrome/a/answer/1360534?hl=en). The shortcut combo is
-`Ctrl+Alt+E`.
-
-Note, that you can only enroll device if it does not have owner (no user have
-signed in on the device, nor it was already enrolled). If device have an owner
-you would need to clear the ownership first. If you're testing on device and
-wish to clear enrollment state, the easiest way is to run
-`crossystem clear_tpm_owner_request=1` and then reboot. This clears
-TPM state which will destroy cryptohome and enrollment state. When the device
-boots next it will check and see if it needs to be force re-enrolled.
-
-Policy can be configured at admin.google.com; log in with your enterprise
-account. Whoever created the account should have granted you superuser
-privileges. You may need to log in using an incognito window if your primary
-Google account is part of an enterprise domain.
-
-Few notable policy sections in admin.google.com under
-`Device Management>Chrome>Device Settings` are `Enrollment & Access` that
-controls if device would be automatically re-enrolled after wipe and
-`Kiosk settings` that allows to configure public sessions / Kiosk mode for
-the ChromeOS device.
-
-When you're changing policies in admin.google.com, pay attention to the
-organization you are modifying. Try to only adjust your test organization to
-avoid propagating changes to other users.
\ No newline at end of file