Add profile information for security event reporting

This adds the profile.dmToken and profile.clientId fields on non-CrOS, and also excludes device information from reports when they are profile-specific. Bug: 1159533 Change-Id: I85df025aabfedbea2a295cf02225d0b44ed630a2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2611546Reviewed-by: Owen Min <zmin@chromium.org> Reviewed-by: David Roger <droger@chromium.org> Reviewed-by: Daniel Rubery <drubery@chromium.org> Commit-Queue: Dominique Fauteux-Chapleau <domfc@chromium.org> Cr-Commit-Position: refs/heads/master@{#842215}

Add profile information for security event reporting
This adds the profile.dmToken and profile.clientId fields on non-CrOS, and also excludes device information from reports when they are profile-specific. Bug: 1159533 Change-Id: I85df025aabfedbea2a295cf02225d0b44ed630a2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2611546Reviewed-by: Owen Min <zmin@chromium.org> Reviewed-by: David Roger <droger@chromium.org> Reviewed-by: Daniel Rubery <drubery@chromium.org> Commit-Queue: Dominique Fauteux-Chapleau <domfc@chromium.org> Cr-Commit-Position: refs/heads/master@{#842215}
93c9d23b · Dominique Fauteux-Chapleau · Chromium LUCI CQ · eea48782 · 93c9d23b · 93c9d23b
Commit 93c9d23b authored Jan 11, 2021 by Dominique Fauteux-Chapleau Committed by Chromium LUCI CQ Jan 11, 2021
14 changed files
--- a/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router.cc
+++ b/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router.cc
@@ -1043,6 +1043,7 @@ void SafeBrowsingPrivateEventRouter::ReportRealtimeEventCallback(
  auto* client = settings.per_profile ? profile_client_ : browser_client_;
  client->UploadSecurityEventReport(
      context_,
+      /* include_device_info */ !settings.per_profile,
      policy::RealtimeReportingJobConfiguration::BuildReport(
          std::move(event_list),
          reporting::GetContext(Profile::FromBrowserContext(context_))),

--- a/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router_unittest.cc
+++ b/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router_unittest.cc
@@ -62,7 +62,7 @@ namespace extensions {
 namespace {
 ACTION_P(CaptureArg, wrapper) {
-  *wrapper = arg1.Clone();
+  *wrapper = arg2.Clone();
 }
 constexpr char kConnectorsPrefValue[] = R"([
@@ -279,7 +279,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest, TestOnReuseDetected) {
  event_router_->AddEventObserver(&event_observer);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
      .WillOnce(CaptureArg(&report));
  TriggerOnPolicySpecifiedPasswordReuseDetectedEvent();
@@ -315,7 +315,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest, TestOnPasswordChanged) {
  event_router_->AddEventObserver(&event_observer);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
      .WillOnce(CaptureArg(&report));
  TriggerOnPolicySpecifiedPasswordChangedEvent();
@@ -348,7 +348,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest, TestOnDangerousDownloadOpened) {
  event_router_->AddEventObserver(&event_observer);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
      .WillOnce(CaptureArg(&report));
  TriggerOnDangerousDownloadOpenedEvent();
@@ -398,7 +398,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest,
  event_router_->AddEventObserver(&event_observer);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
      .WillOnce(CaptureArg(&report));
  TriggerOnSecurityInterstitialProceededEvent();
@@ -438,7 +438,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest, TestOnSecurityInterstitialShown) {
  event_router_->AddEventObserver(&event_observer);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
      .WillOnce(CaptureArg(&report));
  TriggerOnSecurityInterstitialShownEvent();
@@ -478,7 +478,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest, TestOnDangerousDownloadWarning) {
  event_router_->AddEventObserver(&event_observer);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
      .WillOnce(CaptureArg(&report));
  TriggerOnDangerousDownloadEvent();
@@ -520,7 +520,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest,
  event_router_->AddEventObserver(&event_observer);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
      .WillOnce(CaptureArg(&report));
  TriggerOnDangerousDownloadEventBypass();
@@ -560,7 +560,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest, PolicyControlOnToOffIsDynamic) {
      api::safe_browsing_private::OnSecurityInterstitialShown::kEventName);
  event_router_->AddEventObserver(&event_observer);
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _)).Times(1);
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _)).Times(1);
  TriggerOnSecurityInterstitialShownEvent();
  base::RunLoop().RunUntilIdle();
  EXPECT_EQ(1u, event_observer.PassEventArgs().GetList().size());
@@ -568,7 +568,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest, PolicyControlOnToOffIsDynamic) {
  // Now turn off policy.  This time no report should be generated.
  SetReportingPolicy(false);
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _)).Times(0);
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _)).Times(0);
  TriggerOnSecurityInterstitialShownEvent();
  base::RunLoop().RunUntilIdle();
  EXPECT_EQ(1u, event_observer.PassEventArgs().GetList().size());
@@ -587,7 +587,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest, PolicyControlOffToOnIsDynamic) {
  // Now turn on policy.
  SetReportingPolicy(true);
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _)).Times(1);
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _)).Times(1);
  TriggerOnSecurityInterstitialShownEvent();
  base::RunLoop().RunUntilIdle();
  EXPECT_EQ(1u, event_observer.PassEventArgs().GetList().size());
@@ -602,7 +602,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest, TestUnauthorizedOnReuseDetected) {
  event_router_->AddEventObserver(&event_observer);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _)).Times(0);
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _)).Times(0);
  TriggerOnPolicySpecifiedPasswordReuseDetectedEvent();
  base::RunLoop().RunUntilIdle();
@@ -618,7 +618,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest, TestUnauthorizedOnPasswordChanged) {
  event_router_->AddEventObserver(&event_observer);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _)).Times(0);
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _)).Times(0);
  TriggerOnPolicySpecifiedPasswordChangedEvent();
  base::RunLoop().RunUntilIdle();
@@ -635,7 +635,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest,
  event_router_->AddEventObserver(&event_observer);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _)).Times(0);
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _)).Times(0);
  TriggerOnDangerousDownloadOpenedEvent();
  base::RunLoop().RunUntilIdle();
@@ -652,7 +652,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest,
  event_router_->AddEventObserver(&event_observer);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _)).Times(0);
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _)).Times(0);
  TriggerOnSecurityInterstitialProceededEvent();
  base::RunLoop().RunUntilIdle();
@@ -669,7 +669,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest,
  event_router_->AddEventObserver(&event_observer);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _)).Times(0);
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _)).Times(0);
  TriggerOnSecurityInterstitialShownEvent();
  base::RunLoop().RunUntilIdle();
@@ -686,7 +686,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest,
  event_router_->AddEventObserver(&event_observer);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _)).Times(0);
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _)).Times(0);
  TriggerOnDangerousDownloadEvent();
  base::RunLoop().RunUntilIdle();
@@ -703,7 +703,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest,
  event_router_->AddEventObserver(&event_observer);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _)).Times(0);
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _)).Times(0);
  TriggerOnDangerousDownloadEventBypass();
  base::RunLoop().RunUntilIdle();
@@ -716,7 +716,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest, TestOnSensitiveDataEvent_Allowed) {
  SetUpRouters(/*realtime_reporting_enable=*/true, /*authorized=*/true);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
      .WillOnce(CaptureArg(&report));
  TriggerOnSensitiveDataEvent(safe_browsing::EventResult::ALLOWED);
@@ -766,7 +766,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest, TestOnSensitiveDataEvent_Blocked) {
  SetUpRouters(/*realtime_reporting_enable=*/true, /*authorized=*/true);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
      .WillOnce(CaptureArg(&report));
  TriggerOnSensitiveDataEvent(safe_browsing::EventResult::BLOCKED);
@@ -816,7 +816,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest, TestOnUnscannedFileEvent_Allowed) {
  SetUpRouters(/*realtime_reporting_enable=*/true, /*authorized=*/true);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
      .WillOnce(CaptureArg(&report));
  TriggerOnUnscannedFileEvent(safe_browsing::EventResult::ALLOWED);
@@ -860,7 +860,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest, TestOnUnscannedFileEvent_Blocked) {
  SetUpRouters(/*realtime_reporting_enable=*/true, /*authorized=*/true);
  base::Value report;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
      .WillOnce(CaptureArg(&report));
  TriggerOnUnscannedFileEvent(safe_browsing::EventResult::BLOCKED);
@@ -911,7 +911,7 @@ TEST_F(SafeBrowsingPrivateEventRouterTest, TestProfileUsername) {
      ->SetIdentityManagerForTesting(
          identity_test_environment.identity_manager());
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
      .WillRepeatedly(Return());
  // With no primary account, we should not set the username.
@@ -1043,13 +1043,13 @@ TEST_P(SafeBrowsingIsRealtimeReportingEnabledTest, CheckRealtimeReport) {
 #endif
  if (should_report) {
-    EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _)).Times(1);
+    EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _)).Times(1);
  } else if (client_) {
    // Because the test will crate a |client_| object when the policy is
    // set, even if the feature flag or other conditions indicate that
    // reports should not be sent, it is possible that the pointer is not
    // null. In this case, make sure UploadSecurityEventReport() is not called.
-    EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _)).Times(0);
+    EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _)).Times(0);
  }
  TriggerOnPolicySpecifiedPasswordChangedEvent();

--- a/chrome/browser/profiles/reporting_util.cc
+++ b/chrome/browser/profiles/reporting_util.cc
@@ -17,31 +17,31 @@
 #include "chrome/browser/profiles/profile_manager.h"
 #include "components/account_id/account_id.h"
 #include "components/policy/core/common/cloud/cloud_policy_store.h"
+#include "components/policy/core/common/cloud/user_cloud_policy_manager.h"
 #include "components/policy/proto/device_management_backend.pb.h"
 #include "components/user_manager/user.h"
 #include "components/user_manager/user_manager.h"
-#ifdef OS_CHROMEOS
+#if defined(OS_CHROMEOS)
 #include "chrome/browser/chromeos/login/users/affiliation.h"
 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
-#endif  // OS_CHROMEOS
+#endif  // defined(OS_CHROMEOS)
 namespace {
-#ifdef OS_CHROMEOS
-// A callback which fetches device dm_token based on user affiliation.
-using DeviceDMTokenCallback = base::RepeatingCallback<std::string(
-    const std::vector<std::string>& user_affiliation_ids)>;
 // Returns policy for the given |profile|. If failed to get policy returns
 // nullptr.
 const enterprise_management::PolicyData* GetPolicyData(Profile* profile) {
  if (!profile)
    return nullptr;
-  policy::UserCloudPolicyManagerChromeOS* manager =
+  auto* manager =
+#if defined(OS_CHROMEOS)
      profile->GetUserCloudPolicyManagerChromeOS();
+#else
+      profile->GetUserCloudPolicyManager();
+#endif
  if (!manager)
    return nullptr;
@@ -52,6 +52,28 @@ const enterprise_management::PolicyData* GetPolicyData(Profile* profile) {
  return store->policy();
 }
+// Returns User DMToken for a given |profile| if:
+// * |profile| is NOT incognito profile.
+// * |profile| is NOT sign-in screen profile
+// * user corresponding to a |profile| is managed.
+// Otherwise returns empty string. More about DMToken:
+// go/dmserver-domain-model#dmtoken.
+std::string GetUserDmToken(Profile* profile) {
+  if (!profile)
+    return std::string();
+  const enterprise_management::PolicyData* policy = GetPolicyData(profile);
+  if (!policy || !policy->has_request_token())
+    return std::string();
+  return policy->request_token();
+}
+#if defined(OS_CHROMEOS)
+// A callback which fetches device dm_token based on user affiliation.
+using DeviceDMTokenCallback = base::RepeatingCallback<std::string(
+    const std::vector<std::string>& user_affiliation_ids)>;
 // Returns the Device DMToken for the given |profile| if:
 // * |profile| is NOT incognito profile
 // * user corresponding to a given |profile| is affiliated.
@@ -81,23 +103,7 @@ std::string GetDeviceDmToken(Profile* profile) {
  return device_dm_token_callback.Run(user_affiliation_ids);
 }
-// Returns User DMToken for a given |profile| if:
+#endif  // defined(OS_CHROMEOS)
-// * |profile| is NOT incognito profile.
-// * |profile| is NOT sign-in screen profile
-// * user corresponding to a |profile| is managed.
-// Otherwise returns empty string. More about DMToken:
-// go/dmserver-domain-model#dmtoken.
-std::string GetUserDmToken(Profile* profile) {
-  if (!profile)
-    return std::string();
-  const enterprise_management::PolicyData* policy = GetPolicyData(profile);
-  if (!policy || !policy->has_request_token())
-    return std::string();
-  return policy->request_token();
-}
-#endif  // OS_CHROMEOS
 }  // namespace
@@ -120,22 +126,22 @@ base::Value GetContext(Profile* profile) {
  context.SetStringPath("profile.profilePath", profile->GetPath().value());
-#ifdef OS_CHROMEOS
  const enterprise_management::PolicyData* policy = GetPolicyData(profile);
  if (policy) {
    if (policy->has_device_id())
      context.SetStringPath("profile.clientId", policy->device_id());
+#if defined(OS_CHROMEOS)
    std::string device_dm_token = GetDeviceDmToken(profile);
    if (!device_dm_token.empty())
      context.SetStringPath("device.dmToken", device_dm_token);
+#endif
    std::string user_dm_token = GetUserDmToken(profile);
    if (!user_dm_token.empty())
      context.SetStringPath("profile.dmToken", user_dm_token);
  }
-#endif  // OS_CHROMEOS
  return context;
 }

--- a/chrome/browser/safe_browsing/cloud_content_scanning/deep_scanning_test_utils.cc
+++ b/chrome/browser/safe_browsing/cloud_content_scanning/deep_scanning_test_utils.cc
@@ -53,8 +53,9 @@ void EventReportValidator::ExpectUnscannedFileEvent(
  content_size_ = expected_content_size;
  result_ = expected_result;
  username_ = expected_username;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
-      .WillOnce([this](content::BrowserContext* context, base::Value& report,
+      .WillOnce([this](content::BrowserContext* context,
+                       bool include_device_info, base::Value& report,
                       base::OnceCallback<void(bool)>& callback) {
        ValidateReport(&report);
        if (!done_closure_.is_null())
@@ -82,8 +83,9 @@ void EventReportValidator::ExpectDangerousDeepScanningResult(
  content_size_ = expected_content_size;
  result_ = expected_result;
  username_ = expected_username;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
-      .WillOnce([this](content::BrowserContext* context, base::Value& report,
+      .WillOnce([this](content::BrowserContext* context,
+                       bool include_device_info, base::Value& report,
                       base::OnceCallback<void(bool)>& callback) {
        ValidateReport(&report);
        if (!done_closure_.is_null())
@@ -112,8 +114,9 @@ void EventReportValidator::ExpectSensitiveDataEvent(
  content_size_ = expected_content_size;
  result_ = expected_result;
  username_ = expected_username;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
-      .WillOnce([this](content::BrowserContext* context, base::Value& report,
+      .WillOnce([this](content::BrowserContext* context,
+                       bool include_device_info, base::Value& report,
                       base::OnceCallback<void(bool)>& callback) {
        ValidateReport(&report);
        if (!done_closure_.is_null())
@@ -144,13 +147,15 @@ void EventReportValidator::
  content_size_ = expected_content_size;
  result_ = expected_result;
  username_ = expected_username;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
-      .WillOnce([this](content::BrowserContext* context, base::Value& report,
+      .WillOnce([this](content::BrowserContext* context,
+                       bool include_device_info, base::Value& report,
                       base::OnceCallback<void(bool)>& callback) {
        ValidateReport(&report);
      })
      .WillOnce([this, expected_dlp_verdict](
-                    content::BrowserContext* context, base::Value& report,
+                    content::BrowserContext* context, bool include_device_info,
+                    base::Value& report,
                    base::OnceCallback<void(bool)>& callback) {
        event_key_ = SafeBrowsingPrivateEventRouter::kKeySensitiveDataEvent;
        threat_type_ = base::nullopt;
@@ -184,13 +189,15 @@ void EventReportValidator::
  result_ = expected_result;
  dlp_verdict_ = expected_dlp_verdict;
  username_ = expected_username;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
-      .WillOnce([this](content::BrowserContext* context, base::Value& report,
+      .WillOnce([this](content::BrowserContext* context,
+                       bool include_device_info, base::Value& report,
                       base::OnceCallback<void(bool)>& callback) {
        ValidateReport(&report);
      })
      .WillOnce([this, expected_threat_type](
-                    content::BrowserContext* context, base::Value& report,
+                    content::BrowserContext* context, bool include_device_info,
+                    base::Value& report,
                    base::OnceCallback<void(bool)>& callback) {
        event_key_ = SafeBrowsingPrivateEventRouter::kKeyDangerousDownloadEvent;
        threat_type_ = expected_threat_type;
@@ -221,8 +228,9 @@ void EventReportValidator::ExpectDangerousDownloadEvent(
  content_size_ = expected_content_size;
  result_ = expected_result;
  username_ = expected_username;
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _))
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _))
-      .WillOnce([this](content::BrowserContext* context, base::Value& report,
+      .WillOnce([this](content::BrowserContext* context,
+                       bool include_device_info, base::Value& report,
                       base::OnceCallback<void(bool)>& callback) {
        ValidateReport(&report);
        if (!done_closure_.is_null())
@@ -335,7 +343,7 @@ void EventReportValidator::ValidateField(
 }
 void EventReportValidator::ExpectNoReport() {
-  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _)).Times(0);
+  EXPECT_CALL(*client_, UploadSecurityEventReport_(_, _, _, _)).Times(0);
 }
 void EventReportValidator::SetDoneClosure(base::RepeatingClosure closure) {

--- a/components/policy/core/common/cloud/cloud_policy_client.cc
+++ b/components/policy/core/common/cloud/cloud_policy_client.cc
@@ -596,6 +596,7 @@ void CloudPolicyClient::UploadChromeOsUserReport(
 void CloudPolicyClient::UploadSecurityEventReport(
    content::BrowserContext* context,
+    bool include_device_info,
    base::Value report,
    StatusCallback callback) {
  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
@@ -603,7 +604,7 @@ void CloudPolicyClient::UploadSecurityEventReport(
  CreateNewRealtimeReportingJob(
      std::move(report),
      service()->configuration()->GetReportingConnectorServerUrl(context),
-      add_connector_url_params_, std::move(callback));
+      include_device_info, add_connector_url_params_, std::move(callback));
 }
 void CloudPolicyClient::UploadEncryptedReport(
@@ -636,7 +637,8 @@ void CloudPolicyClient::UploadAppInstallReport(base::Value report,
  app_install_report_request_job_ = CreateNewRealtimeReportingJob(
      std::move(report),
      service()->configuration()->GetRealtimeReportingServerUrl(),
-      /* add_connector_url_params=*/false, std::move(callback));
+      /* include_device_info */ true, /* add_connector_url_params=*/false,
+      std::move(callback));
  DCHECK(app_install_report_request_job_);
 }
@@ -657,6 +659,7 @@ void CloudPolicyClient::UploadExtensionInstallReport(base::Value report,
  extension_install_report_request_job_ = CreateNewRealtimeReportingJob(
      std::move(report),
      service()->configuration()->GetRealtimeReportingServerUrl(),
+      /* include_device_info */ true,
      /* add_connector_url_params=*/false, std::move(callback));
  DCHECK(extension_install_report_request_job_);
 }
@@ -702,11 +705,12 @@ void CloudPolicyClient::FetchRemoteCommands(
 DeviceManagementService::Job* CloudPolicyClient::CreateNewRealtimeReportingJob(
    base::Value report,
    const std::string& server_url,
+    bool include_device_info,
    bool add_connector_url_params,
    StatusCallback callback) {
  std::unique_ptr<RealtimeReportingJobConfiguration> config =
      std::make_unique<RealtimeReportingJobConfiguration>(
-          this, server_url, add_connector_url_params,
+          this, server_url, include_device_info, add_connector_url_params,
          base::BindOnce(&CloudPolicyClient::OnRealtimeReportUploadCompleted,
                         weak_ptr_factory_.GetWeakPtr(), std::move(callback)));

--- a/components/policy/core/common/cloud/cloud_policy_client.h
+++ b/components/policy/core/common/cloud/cloud_policy_client.h
@@ -313,8 +313,11 @@ class POLICY_EXPORT CloudPolicyClient {
  // Uploads a report containing enterprise connectors real-time security
  // events for |context|. As above, the client must be in a registered state.
-  // The |callback| will be called when the operation completes.
+  // If |include_device_info| is true, information specific to the device such
+  // as the device name, user, id and OS will be included in the report. The
+  // |callback| will be called when the operation completes.
  virtual void UploadSecurityEventReport(content::BrowserContext* context,
+                                         bool include_device_info,
                                         base::Value report,
                                         StatusCallback callback);
@@ -792,12 +795,15 @@ class POLICY_EXPORT CloudPolicyClient {
 private:
  // Creates a new real-time reporting job and appends it to |request_jobs_|.
  // The job will send its report to the |server_url| endpoint.  If
+  // |include_device_info| is true, information specific to the device such as
+  // the device name, user, id and OS will be included in the report. If
  // |add_connector_url_params| is true then URL paramaters specific to
  // enterprise connectors are added to the request uploading the report.
  // |callback| is invoked once the report is uploaded.
  DeviceManagementService::Job* CreateNewRealtimeReportingJob(
      base::Value report,
      const std::string& server_url,
+      bool include_device_info,
      bool add_connector_url_params,
      StatusCallback callback);

--- a/components/policy/core/common/cloud/cloud_policy_client_unittest.cc
+++ b/components/policy/core/common/cloud/cloud_policy_client_unittest.cc
@@ -1477,7 +1477,19 @@ TEST_F(CloudPolicyClientTest, UploadChromeOsUserReport) {
 #if defined(OS_WIN) || defined(OS_APPLE) || defined(OS_LINUX) || \
    defined(OS_CHROMEOS)
-TEST_F(CloudPolicyClientTest, UploadSecurityEventReport) {
+class CloudPolicyClientUploadSecurityEventTest
+    : public CloudPolicyClientTest,
+      public testing::WithParamInterface<bool> {
+ public:
+  bool include_device_info() const { return GetParam(); }
+};
+INSTANTIATE_TEST_SUITE_P(,
+                         CloudPolicyClientUploadSecurityEventTest,
+                         testing::Bool());
+TEST_P(CloudPolicyClientUploadSecurityEventTest, Test) {
  RegisterClient();
  ExpectAndCaptureJSONJob(/*response=*/"{}");
@@ -1486,7 +1498,8 @@ TEST_F(CloudPolicyClientTest, UploadSecurityEventReport) {
      base::BindOnce(&MockStatusCallbackObserver::OnCallbackComplete,
                     base::Unretained(&callback_observer_));
-  client_->UploadSecurityEventReport(nullptr, MakeDefaultRealtimeReport(),
+  client_->UploadSecurityEventReport(nullptr, include_device_info(),
+                                     MakeDefaultRealtimeReport(),
                                     std::move(callback));
  base::RunLoop().RunUntilIdle();
  EXPECT_EQ(
@@ -1498,33 +1511,54 @@ TEST_F(CloudPolicyClientTest, UploadSecurityEventReport) {
  base::Optional<base::Value> payload = base::JSONReader::Read(job_payload_);
  ASSERT_TRUE(payload);
-  EXPECT_EQ(kDMToken, *payload->FindStringPath(
+  ASSERT_FALSE(policy::GetDeviceName().empty());
-                          ReportingJobConfigurationBase::
-                              DeviceDictionaryBuilder::GetDMTokenPath()));
-  EXPECT_EQ(client_id_, *payload->FindStringPath(
-                            ReportingJobConfigurationBase::
-                                DeviceDictionaryBuilder::GetClientIdPath()));
-  EXPECT_EQ(policy::GetOSUsername(),
-            *payload->FindStringPath(
-                ReportingJobConfigurationBase::BrowserDictionaryBuilder::
-                    GetMachineUserPath()));
  EXPECT_EQ(version_info::GetVersionNumber(),
            *payload->FindStringPath(
                ReportingJobConfigurationBase::BrowserDictionaryBuilder::
                    GetChromeVersionPath()));
-  EXPECT_EQ(policy::GetOSPlatform(),
-            *payload->FindStringPath(
+  if (include_device_info()) {
-                ReportingJobConfigurationBase::DeviceDictionaryBuilder::
+    EXPECT_EQ(kDMToken, *payload->FindStringPath(
-                    GetOSPlatformPath()));
+                            ReportingJobConfigurationBase::
-  EXPECT_EQ(policy::GetOSVersion(),
+                                DeviceDictionaryBuilder::GetDMTokenPath()));
-            *payload->FindStringPath(
+    EXPECT_EQ(client_id_, *payload->FindStringPath(
-                ReportingJobConfigurationBase::DeviceDictionaryBuilder::
+                              ReportingJobConfigurationBase::
-                    GetOSVersionPath()));
+                                  DeviceDictionaryBuilder::GetClientIdPath()));
-  EXPECT_FALSE(policy::GetDeviceName().empty());
+    EXPECT_EQ(policy::GetOSUsername(),
-  EXPECT_EQ(
+              *payload->FindStringPath(
-      policy::GetDeviceName(),
+                  ReportingJobConfigurationBase::BrowserDictionaryBuilder::
-      *payload->FindStringPath(ReportingJobConfigurationBase::
+                      GetMachineUserPath()));
-                                   DeviceDictionaryBuilder::GetNamePath()));
+    EXPECT_EQ(policy::GetOSPlatform(),
+              *payload->FindStringPath(
+                  ReportingJobConfigurationBase::DeviceDictionaryBuilder::
+                      GetOSPlatformPath()));
+    EXPECT_EQ(policy::GetOSVersion(),
+              *payload->FindStringPath(
+                  ReportingJobConfigurationBase::DeviceDictionaryBuilder::
+                      GetOSVersionPath()));
+    EXPECT_EQ(
+        policy::GetDeviceName(),
+        *payload->FindStringPath(ReportingJobConfigurationBase::
+                                     DeviceDictionaryBuilder::GetNamePath()));
+  } else {
+    EXPECT_FALSE(
+        payload->FindStringPath(ReportingJobConfigurationBase::
+                                    DeviceDictionaryBuilder::GetDMTokenPath()));
+    EXPECT_FALSE(payload->FindStringPath(
+        ReportingJobConfigurationBase::DeviceDictionaryBuilder::
+            GetClientIdPath()));
+    EXPECT_FALSE(payload->FindStringPath(
+        ReportingJobConfigurationBase::BrowserDictionaryBuilder::
+            GetMachineUserPath()));
+    EXPECT_FALSE(payload->FindStringPath(
+        ReportingJobConfigurationBase::DeviceDictionaryBuilder::
+            GetOSPlatformPath()));
+    EXPECT_FALSE(payload->FindStringPath(
+        ReportingJobConfigurationBase::DeviceDictionaryBuilder::
+            GetOSVersionPath()));
+    EXPECT_FALSE(payload->FindStringPath(
+        ReportingJobConfigurationBase::DeviceDictionaryBuilder::GetNamePath()));
+  }
  base::Value* events =
      payload->FindPath(RealtimeReportingJobConfiguration::kEventListKey);
@@ -1535,7 +1569,7 @@ TEST_F(CloudPolicyClientTest, UploadSecurityEventReport) {
 TEST_F(CloudPolicyClientTest, RealtimeReportMerge) {
  auto config = std::make_unique<RealtimeReportingJobConfiguration>(
      client_.get(), service_.configuration()->GetRealtimeReportingServerUrl(),
-      /*add_connector_url_params=*/false,
+      /*include_device_info*/ true, /*add_connector_url_params=*/false,
      RealtimeReportingJobConfiguration::UploadCompleteCallback());
  // Add one report to the config.

--- a/components/policy/core/common/cloud/encrypted_reporting_job_configuration.cc
+++ b/components/policy/core/common/cloud/encrypted_reporting_job_configuration.cc
@@ -31,6 +31,7 @@ EncryptedReportingJobConfiguration::EncryptedReportingJobConfiguration(
                                    client->GetURLLoaderFactory(),
                                    client,
                                    server_url,
+                                    /*include_device_info*/ true,
                                    std::move(complete_cb)) {
  // Merge it into the base class payload.
  payload_.MergeDictionary(&merging_payload);

--- a/components/policy/core/common/cloud/mock_cloud_policy_client.h
+++ b/components/policy/core/common/cloud/mock_cloud_policy_client.h
@@ -101,12 +101,14 @@ class MockCloudPolicyClient : public CloudPolicyClient {
                    StatusCallback&));
  void UploadSecurityEventReport(content::BrowserContext* context,
+                                 bool include_device_info,
                                 base::Value value,
                                 StatusCallback callback) override {
-    UploadSecurityEventReport_(context, value, callback);
+    UploadSecurityEventReport_(context, include_device_info, value, callback);
  }
-  MOCK_METHOD3(UploadSecurityEventReport_,
+  MOCK_METHOD4(UploadSecurityEventReport_,
               void(content::BrowserContext* context,
+                    bool include_device_info,
                    base::Value&,
                    StatusCallback&));

--- a/components/policy/core/common/cloud/realtime_reporting_job_configuration.cc
+++ b/components/policy/core/common/cloud/realtime_reporting_job_configuration.cc
@@ -42,12 +42,14 @@ base::Value RealtimeReportingJobConfiguration::BuildReport(
 RealtimeReportingJobConfiguration::RealtimeReportingJobConfiguration(
    CloudPolicyClient* client,
    const std::string& server_url,
+    bool include_device_info,
    bool add_connector_url_params,
    UploadCompleteCallback callback)
    : ReportingJobConfigurationBase(TYPE_UPLOAD_REAL_TIME_REPORT,
                                    client->GetURLLoaderFactory(),
                                    client,
                                    server_url,
+                                    include_device_info,
                                    std::move(callback)) {
  InitializePayloadInternal(client, add_connector_url_params);
 }

--- a/components/policy/core/common/cloud/realtime_reporting_job_configuration.h
+++ b/components/policy/core/common/cloud/realtime_reporting_job_configuration.h
@@ -46,6 +46,7 @@ class POLICY_EXPORT RealtimeReportingJobConfiguration
  // parameters will be used.
  RealtimeReportingJobConfiguration(CloudPolicyClient* client,
                                    const std::string& server_url,
+                                    bool include_device_info,
                                    bool add_connector_url_params,
                                    UploadCompleteCallback callback);

--- a/components/policy/core/common/cloud/realtime_reporting_job_configuration_unittest.cc
+++ b/components/policy/core/common/cloud/realtime_reporting_job_configuration_unittest.cc
@@ -79,7 +79,7 @@ class RealtimeReportingJobConfigurationTest : public testing::Test {
    client_.SetDMToken(kDummyToken);
    configuration_ = std::make_unique<RealtimeReportingJobConfiguration>(
        &client_, service_.configuration()->GetRealtimeReportingServerUrl(),
-        /*add_connector_url_params=*/false,
+        /*include_device_info=*/true, /*add_connector_url_params=*/false,
        base::BindOnce(&MockCallbackObserver::OnURLLoadComplete,
                       base::Unretained(&callback_observer_)));
    base::Value context(base::Value::Type::DICTIONARY);

--- a/components/policy/core/common/cloud/reporting_job_configuration_base.cc
+++ b/components/policy/core/common/cloud/reporting_job_configuration_base.cc
@@ -112,8 +112,9 @@ const char
        "chromeVersion";
 // static
-base::Value ReportingJobConfigurationBase::BrowserDictionaryBuilder::
+base::Value
-    BuildBrowserDictionary() {
+ReportingJobConfigurationBase::BrowserDictionaryBuilder::BuildBrowserDictionary(
+    bool include_device_info) {
  base::Value browser_dictionary{base::Value::Type::DICTIONARY};
  base::FilePath browser_id;
@@ -121,7 +122,9 @@ base::Value ReportingJobConfigurationBase::BrowserDictionaryBuilder::
    browser_dictionary.SetStringKey(kBrowserId, browser_id.value());
  }
-  browser_dictionary.SetStringKey(kMachineUser, GetOSUsername());
+  if (include_device_info)
+    browser_dictionary.SetStringKey(kMachineUser, GetOSUsername());
  browser_dictionary.SetStringKey(kChromeVersion,
                                  version_info::GetVersionNumber());
  return browser_dictionary;
@@ -265,6 +268,7 @@ ReportingJobConfigurationBase::ReportingJobConfigurationBase(
    scoped_refptr<network::SharedURLLoaderFactory> factory,
    CloudPolicyClient* client,
    const std::string& server_url,
+    bool include_device_info,
    UploadCompleteCallback callback)
    : JobConfigurationBase(type,
                           DMAuth::FromDMToken(client->dm_token()),
@@ -274,20 +278,24 @@ ReportingJobConfigurationBase::ReportingJobConfigurationBase(
      callback_(std::move(callback)),
      server_url_(server_url) {
  DCHECK(GetAuth().has_dm_token());
-  InitializePayload(client);
+  InitializePayload(client, include_device_info);
 }
 ReportingJobConfigurationBase::~ReportingJobConfigurationBase() = default;
 void ReportingJobConfigurationBase::InitializePayload(
-    CloudPolicyClient* client) {
+    CloudPolicyClient* client,
+    bool include_device_info) {
  AddParameter("key", google_apis::GetAPIKey());
-  payload_.SetKey(DeviceDictionaryBuilder::kDeviceKey,
+  if (include_device_info) {
-                  DeviceDictionaryBuilder::BuildDeviceDictionary(
+    payload_.SetKey(DeviceDictionaryBuilder::kDeviceKey,
-                      client->dm_token(), client->client_id()));
+                    DeviceDictionaryBuilder::BuildDeviceDictionary(
-  payload_.SetKey(BrowserDictionaryBuilder::kBrowserKey,
+                        client->dm_token(), client->client_id()));
-                  BrowserDictionaryBuilder::BuildBrowserDictionary());
+  }
+  payload_.SetKey(
+      BrowserDictionaryBuilder::kBrowserKey,
+      BrowserDictionaryBuilder::BuildBrowserDictionary(include_device_info));
 }
 }  // namespace policy
--- a/components/policy/core/common/cloud/reporting_job_configuration_base.h
+++ b/components/policy/core/common/cloud/reporting_job_configuration_base.h
@@ -81,7 +81,7 @@ class POLICY_EXPORT ReportingJobConfigurationBase
    // Dictionary Key Name
    static const char kBrowserKey[];
-    static base::Value BuildBrowserDictionary();
+    static base::Value BuildBrowserDictionary(bool include_device_info);
    static std::string GetBrowserIdPath();
    static std::string GetUserAgentPath();
@@ -120,6 +120,7 @@ class POLICY_EXPORT ReportingJobConfigurationBase
      scoped_refptr<network::SharedURLLoaderFactory> factory,
      CloudPolicyClient* client,
      const std::string& server_url,
+      bool include_device_info,
      UploadCompleteCallback callback);
  ~ReportingJobConfigurationBase() override;
@@ -150,8 +151,10 @@ class POLICY_EXPORT ReportingJobConfigurationBase
  UploadCompleteCallback callback_;
 private:
-  // Initializes request payload.
+  // Initializes request payload. If |include_device_info| is false, the
-  void InitializePayload(CloudPolicyClient* client);
+  // "device" and "browser.machineUser" fields (see comment at the top of the
+  // file) are excluded from the payload.
+  void InitializePayload(CloudPolicyClient* client, bool include_device_info);
  const std::string server_url_;