Forbid a managed, primary user to enable adb sideloading

Until the device and user policies are clearly defined, force to disable
a managed user to enable adb sideloading, even if on an unmanaged device
(and as the primary user).

TEST=powerwash and initialize with a managed account, then try to enable
     adb sideloading
     => see policy indicator with disabled toggle
TEST=bypass the UI to force enable
     => fail to enable
BUG=chromium:893332

Change-Id: I26b16046ef9210b878ab234b122b962bf090cf1e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1913071
Commit-Queue: Victor Hsieh <victorhsieh@chromium.org>
Auto-Submit: Victor Hsieh <victorhsieh@chromium.org>
Reviewed-by: Kyle Horimoto <khorimoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#715359}

chrome/browser/ui/webui/settings/chromeos/crostini_handler.cc

@@ -18,6 +18,7 @@
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/lifetime/application_lifetime.h"
+#include "chrome/browser/policy/profile_policy_connector.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/common/pref_names.h"
 #include "chromeos/dbus/session_manager/session_manager_client.h"
@@ -347,7 +348,12 @@ bool CrostiniHandler::CheckEligibilityToChangeArcAdbSideloading() const {
   }
 
   if (user_manager::UserManager::Get()->IsLoggedInAsChildUser()) {
-    DVLOG(1) << "Child account is currently unsupported";
+    DVLOG(1) << "adb sideloading is currently unsupported for child account";
+    return false;
+  }
+
+  if (profile_->GetProfilePolicyConnector()->IsManaged()) {
+    DVLOG(1) << "adb sideloading is currently unsupported for managed user";
     return false;
   }
 

chrome/browser/ui/webui/settings/settings_localized_strings_provider.cc

@@ -88,6 +88,7 @@
 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos_factory.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
+#include "chrome/browser/policy/profile_policy_connector.h"
 #include "chrome/browser/ui/webui/chromeos/assistant_optin/assistant_optin_utils.h"
 #include "chrome/browser/ui/webui/chromeos/bluetooth_dialog_localized_strings_provider.h"
 #include "chrome/browser/ui/webui/chromeos/network_element_localized_strings_provider.h"
@@ -138,11 +139,15 @@ base::string16 GetHelpUrlWithBoard(const std::string& original_url) {
                             "&b=" + base::SysInfo::GetLsbReleaseBoard());
 }
 
-bool IsEnterpriseManaged() {
+bool IsDeviceManaged() {
   policy::BrowserPolicyConnectorChromeOS* connector =
       g_browser_process->platform_part()->browser_policy_connector_chromeos();
   return connector->IsEnterpriseManaged();
 }
+
+bool IsProfileManaged(Profile* profile) {
+  return profile->GetProfilePolicyConnector()->IsManaged();
+}
 #endif
 
 void AddCommonStrings(content::WebUIDataSource* html_source, Profile* profile) {
@@ -618,7 +623,8 @@ void AddCrostiniStrings(content::WebUIDataSource* html_source,
                               chromeos::features::kArcAdbSideloadingFeature));
   html_source->AddBoolean("isOwnerProfile",
                           chromeos::ProfileHelper::IsOwnerProfile(profile));
-  html_source->AddBoolean("isEnterpriseManaged", IsEnterpriseManaged());
+  html_source->AddBoolean("isEnterpriseManaged",
+                          IsDeviceManaged() || IsProfileManaged(profile));
 }
 
 void AddPluginVmStrings(content::WebUIDataSource* html_source,
@@ -1711,7 +1717,7 @@ void AddChromeOSUserStrings(content::WebUIDataSource* html_source,
   html_source->AddBoolean("isActiveDirectoryUser",
                           user && user->IsActiveDirectoryUser());
 
-  if (!IsEnterpriseManaged() && !user_manager->IsCurrentUserOwner()) {
+  if (!IsDeviceManaged() && !user_manager->IsCurrentUserOwner()) {
     html_source->AddString("ownerEmail",
                            user_manager->GetOwnerAccountId().GetUserEmail());
   }