[Managed Session] Change warning UI based on managed session settings

Show warning icon on public session login screen when managed
sessions are enabled.


Bug: 910218
Change-Id: I119dd321c6d9a7bf8dd3b3da533b8774e9620bc7
Reviewed-on: https://chromium-review.googlesource.com/c/1337492
Commit-Queue: Zakhar Voit <voit@google.com>
Reviewed-by: Ivan Šandrk <isandrk@chromium.org>
Reviewed-by: Jacob Dufault <jdufault@chromium.org>
Reviewed-by: Oliver Chang <ochang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#613352}

ash/ash_strings.grd

@@ -1476,6 +1476,9 @@ This file contains the strings for ash.
       <message name="IDS_ASH_LOGIN_PUBLIC_ACCOUNT_MONITORING_WARNING" desc="Template for text shown in the public account user pod, informing the user that this is a public, managed account.">
         The device admin may monitor your browsing activity.
       </message>
+      <message name="IDS_ASH_LOGIN_MANAGED_SESSION_MONITORING_WARNING" desc="Text shown in the public account user pod, informing the user that this session is managed and admin can monitor all activity.">
+        The administrator of this device has access to all activity, including passwords and communications.
+      </message>
       <message name="IDS_ASH_LOGIN_PUBLIC_ACCOUNT_SIGNOUT_REMINDER" desc="Text shown in the public account user pod, reminding the user to log out.">
         Your internet session will be cleared when you sign out. <ph name="LEARN_MORE">$1<ex>Learn more</ex></ph>
       </message>
@@ -1546,13 +1549,13 @@ This file contains the strings for ash.
         The admin of this device has the ability to:
       </message>
       <message name="IDS_ASH_LOGIN_PUBLIC_ACCOUNT_MONITORING_INFO_ITEM_1" desc="Text shown in the warning dialog after user clicks on the learn more link, notifying the user of potential security and privacy implications of using the device">
-        Access your browsing activity
+        Access all your activity in this session
       </message>
       <message name="IDS_ASH_LOGIN_PUBLIC_ACCOUNT_MONITORING_INFO_ITEM_2" desc="Text shown in the warning dialog after user clicks on the learn more link, notifying the user of potential security and privacy implications of using the device">
-        Choose whether websites can use location services or the device’s microphone, camera, or other features
+        Grant websites, apps, and extensions permission to use location services, the device’s microphone, camera, or other features
       </message>
       <message name="IDS_ASH_LOGIN_PUBLIC_ACCOUNT_MONITORING_INFO_ITEM_3" desc="Text shown in the warning dialog after user clicks on the learn more link, notifying the user of potential security and privacy implications of using the device">
-        Manage apps, extensions, and themes
+        Install apps, extensions, and themes
       </message>
       <message name="IDS_ASH_LOGIN_PUBLIC_ACCOUNT_MONITORING_INFO_ITEM_4" desc="Text shown in the warning dialog after user clicks on the learn more link, notifying the user of potential security and privacy implications of using the device">
         Adjust privacy settings

ash/ash_strings_grd/IDS_ASH_LOGIN_MANAGED_SESSION_MONITORING_WARNING.png.sha1

+fc94bc425276cd747602bc95d63545291236458e
\ No newline at end of file

ash/ash_strings_grd/IDS_ASH_LOGIN_PUBLIC_ACCOUNT_MONITORING_INFO.png.sha1

-2091cb3898940640a4f42008bcab455c8731679b
\ No newline at end of file
+8b670a863f65430694c71ec4066e546c8b72ec24
\ No newline at end of file

ash/ash_strings_grd/IDS_ASH_LOGIN_PUBLIC_ACCOUNT_MONITORING_INFO_ITEM_1.png.sha1

-b57a43652610329c02562ec19ced8c3591ca42c6
\ No newline at end of file
+8b670a863f65430694c71ec4066e546c8b72ec24
\ No newline at end of file

ash/ash_strings_grd/IDS_ASH_LOGIN_PUBLIC_ACCOUNT_MONITORING_INFO_ITEM_2.png.sha1

-2091cb3898940640a4f42008bcab455c8731679b
\ No newline at end of file
+8b670a863f65430694c71ec4066e546c8b72ec24
\ No newline at end of file

ash/ash_strings_grd/IDS_ASH_LOGIN_PUBLIC_ACCOUNT_MONITORING_INFO_ITEM_3.png.sha1

-2091cb3898940640a4f42008bcab455c8731679b
\ No newline at end of file
+8b670a863f65430694c71ec4066e546c8b72ec24
\ No newline at end of file

ash/login/login_screen_controller.cc

@@ -462,6 +462,14 @@ void LoginScreenController::SetPublicSessionKeyboardLayouts(
   }
 }
 
+void LoginScreenController::SetPublicSessionShowFullManagementDisclosure(
+    bool is_full_management_disclosure_needed) {
+  if (DataDispatcher()) {
+    DataDispatcher()->SetPublicSessionShowFullManagementDisclosure(
+        is_full_management_disclosure_needed);
+  }
+}
+
 void LoginScreenController::SetKioskApps(
     std::vector<mojom::KioskAppInfoPtr> kiosk_apps) {
   Shelf::ForWindow(Shell::Get()->GetPrimaryRootWindow())

ash/login/login_screen_controller.h

@@ -148,6 +148,8 @@ class ASH_EXPORT LoginScreenController : public mojom::LoginScreen,
       const AccountId& account_id,
       const std::string& locale,
       std::vector<mojom::InputMethodItemPtr> keyboard_layouts) override;
+  void SetPublicSessionShowFullManagementDisclosure(
+      bool is_full_management_disclosure_needed) override;
   void SetKioskApps(std::vector<mojom::KioskAppInfoPtr> kiosk_apps) override;
   void ShowKioskAppError(const std::string& message) override;
   void NotifyOobeDialogState(mojom::OobeDialogState state) override;

ash/login/ui/lock_contents_view.cc

@@ -945,6 +945,12 @@ void LockContentsView::OnPublicSessionKeyboardLayoutsChanged(
   user_view->UpdateForUser(user_info, false /*animate*/);
 }
 
+void LockContentsView::OnPublicSessionShowFullManagementDisclosureChanged(
+    bool show_full_management_disclosure) {
+  expanded_view_->SetShowFullManagementDisclosure(
+      show_full_management_disclosure);
+}
+
 void LockContentsView::OnDetachableBasePairingStatusChanged(
     DetachableBasePairingStatus pairing_status) {
   // If the current big user is public account user, or the base is not paired,

ash/login/ui/lock_contents_view.h

@@ -176,6 +176,8 @@ class ASH_EXPORT LockContentsView
       const AccountId& account_id,
       const std::string& locale,
       const std::vector<mojom::InputMethodItemPtr>& keyboard_layouts) override;
+  void OnPublicSessionShowFullManagementDisclosureChanged(
+      bool show_full_management_disclosure) override;
   void OnDetachableBasePairingStatusChanged(
       DetachableBasePairingStatus pairing_status) override;
 

ash/login/ui/login_data_dispatcher.cc

@@ -68,6 +68,10 @@ void LoginDataDispatcher::Observer::OnPublicSessionKeyboardLayoutsChanged(
     const std::string& locale,
     const std::vector<mojom::InputMethodItemPtr>& keyboard_layouts) {}
 
+void LoginDataDispatcher::Observer::
+    OnPublicSessionShowFullManagementDisclosureChanged(
+        bool show_full_management_disclosure) {}
+
 void LoginDataDispatcher::Observer::OnDetachableBasePairingStatusChanged(
     DetachableBasePairingStatus pairing_status) {}
 
@@ -190,6 +194,14 @@ void LoginDataDispatcher::SetPublicSessionKeyboardLayouts(
   }
 }
 
+void LoginDataDispatcher::SetPublicSessionShowFullManagementDisclosure(
+    bool show_full_management_disclosure) {
+  for (auto& observer : observers_) {
+    observer.OnPublicSessionShowFullManagementDisclosureChanged(
+        show_full_management_disclosure);
+  }
+}
+
 void LoginDataDispatcher::SetDetachableBasePairingStatus(
     DetachableBasePairingStatus pairing_status) {
   for (auto& observer : observers_)

ash/login/ui/login_data_dispatcher.h

@@ -113,6 +113,11 @@ class ASH_EXPORT LoginDataDispatcher {
         const std::string& locale,
         const std::vector<mojom::InputMethodItemPtr>& keyboard_layouts);
 
+    // Called when conditions for showing full management disclosure message
+    // are changed.
+    virtual void OnPublicSessionShowFullManagementDisclosureChanged(
+        bool show_full_management_disclosure);
+
     // Called when the pairing status of detachable base changes - e.g. when the
     // base is attached or detached.
     virtual void OnDetachableBasePairingStatusChanged(
@@ -155,6 +160,8 @@ class ASH_EXPORT LoginDataDispatcher {
       const AccountId& account_id,
       const std::string& locale,
       const std::vector<mojom::InputMethodItemPtr>& keyboard_layouts);
+  void SetPublicSessionShowFullManagementDisclosure(
+      bool show_full_management_disclosure);
   void SetDetachableBasePairingStatus(
       DetachableBasePairingStatus pairing_status);
 

ash/login/ui/login_expanded_public_account_view.cc

@@ -18,6 +18,7 @@
 #include "ash/shell.h"
 #include "ash/strings/grit/ash_strings.h"
 #include "base/strings/utf_string_conversions.h"
+#include "components/vector_icons/vector_icons.h"
 #include "ui/base/l10n/l10n_util.h"
 #include "ui/gfx/canvas.h"
 #include "ui/gfx/paint_vector_icon.h"
@@ -74,6 +75,7 @@ constexpr int kNonEmptyHeight = 1;
 
 constexpr char kMonitoringWarningClassName[] = "MonitoringWarning";
 constexpr int kSpacingBetweenMonitoringWarningIconAndLabelDp = 8;
+constexpr int kMonitoringWarningIconSizeDp = 20;
 
 views::Label* CreateLabel(const base::string16& text, SkColor color) {
   auto* label = new views::Label(text);
@@ -187,17 +189,43 @@ class MonitoringWarningView : public NonAccessibleView {
         views::BoxLayout::kHorizontal, gfx::Insets(),
         kSpacingBetweenMonitoringWarningIconAndLabelDp));
 
+    image_ = new views::ImageView();
+    image_->SetImage(gfx::CreateVectorIcon(
+        vector_icons::kWarningIcon, kMonitoringWarningIconSizeDp, SK_ColorRED));
+    image_->SetPreferredSize(
+        gfx::Size(kMonitoringWarningIconSizeDp, kMonitoringWarningIconSizeDp));
+    AddChildView(image_);
+
     const base::string16 label_text = l10n_util::GetStringUTF16(
         IDS_ASH_LOGIN_PUBLIC_ACCOUNT_MONITORING_WARNING);
-    views::Label* label = CreateLabel(label_text, SK_ColorWHITE);
-    label->SetMultiLine(true);
-    label->SetLineHeight(kTextLineHeightDp);
-    AddChildView(label);
+    label_ = CreateLabel(label_text, SK_ColorWHITE);
+    label_->SetMultiLine(true);
+    label_->SetLineHeight(kTextLineHeightDp);
+    AddChildView(label_);
+  }
+
+  enum class WarningType { kSoftWarning, kFullWarning };
+
+  void SetWarningType(WarningType warning_type) {
+    base::string16 label_text;
+    if (warning_type == WarningType::kFullWarning) {
+      label_text = l10n_util::GetStringUTF16(
+          IDS_ASH_LOGIN_MANAGED_SESSION_MONITORING_WARNING);
+      image_->SetVisible(true);
+    } else if (warning_type == WarningType::kSoftWarning) {
+      label_text = l10n_util::GetStringUTF16(
+          IDS_ASH_LOGIN_PUBLIC_ACCOUNT_MONITORING_WARNING);
+      image_->SetVisible(false);
+    }
+    label_->SetText(label_text);
   }
 
   ~MonitoringWarningView() override = default;
 
  private:
+  views::ImageView* image_;
+  views::Label* label_;
+
   DISALLOW_COPY_AND_ASSIGN(MonitoringWarningView);
 };
 
@@ -220,8 +248,8 @@ class RightPaneView : public NonAccessibleView,
         views::BoxLayout::kVertical, gfx::Insets(), kSpacingBetweenLabelsDp));
     AddChildView(labels_view_);
 
-    auto* top_container = new MonitoringWarningView();
-    labels_view_->AddChildView(top_container);
+    monitoring_warning_view_ = new MonitoringWarningView();
+    labels_view_->AddChildView(monitoring_warning_view_);
 
     const base::string16 link = l10n_util::GetStringUTF16(IDS_ASH_LEARN_MORE);
     size_t offset;
@@ -407,6 +435,13 @@ class RightPaneView : public NonAccessibleView,
     Layout();
   }
 
+  void SetShowFullManagementDisclosure(bool show_full_management_disclosure) {
+    monitoring_warning_view_->SetWarningType(
+        show_full_management_disclosure
+            ? MonitoringWarningView::WarningType::kFullWarning
+            : MonitoringWarningView::WarningType::kSoftWarning);
+  }
+
   void OnLanguageSelected(LoginMenuView::Item item) {
     language_changed_by_user_ = true;
     selected_language_item_ = item;
@@ -497,6 +532,7 @@ class RightPaneView : public NonAccessibleView,
   SelectionButtonView* keyboard_selection_ = nullptr;
   ArrowButtonView* submit_button_ = nullptr;
   views::StyledLabel* learn_more_label_ = nullptr;
+  MonitoringWarningView* monitoring_warning_view_ = nullptr;
 
   std::unique_ptr<LoginBubble> language_menu_;
   std::unique_ptr<LoginBubble> keyboard_menu_;
@@ -676,6 +712,11 @@ void LoginExpandedPublicAccountView::OnWarningDialogClosed() {
   warning_dialog_ = nullptr;
 }
 
+void LoginExpandedPublicAccountView::SetShowFullManagementDisclosure(
+    bool show_full_management_disclosure) {
+  right_pane_->SetShowFullManagementDisclosure(show_full_management_disclosure);
+}
+
 void LoginExpandedPublicAccountView::OnPaint(gfx::Canvas* canvas) {
   views::View::OnPaint(canvas);
 

ash/login/ui/login_expanded_public_account_view.h

@@ -58,6 +58,7 @@ class ASH_EXPORT LoginExpandedPublicAccountView : public NonAccessibleView {
   void Hide();
   void ShowWarningDialog();
   void OnWarningDialogClosed();
+  void SetShowFullManagementDisclosure(bool show_full_management_disclosure);
 
   // views::View:
   void OnPaint(gfx::Canvas* canvas) override;

ash/login/ui/public_account_warning_dialog.cc

@@ -19,7 +19,7 @@ namespace ash {
 namespace {
 
 constexpr int kDialogWidthDp = 400;
-constexpr int kDialogHeightDp = 145;
+constexpr int kDialogHeightDp = 160;
 constexpr int kDialogContentMarginDp = 13;
 
 constexpr int kBulletRadiusDp = 2;

ash/public/interfaces/login_screen.mojom

@@ -184,6 +184,11 @@ interface LoginScreen {
                                   string locale,
                                   array<InputMethodItem> keyboard_layouts);
 
+  // Sets whether full management disclosure is needed for the public/managed
+  // session login screen.
+  SetPublicSessionShowFullManagementDisclosure(
+      bool show_full_management_disclosure);
+
   // Update the kiosk app data for the login screen.
   SetKioskApps(array<KioskAppInfo> kiosk_apps);
 

chrome/browser/chromeos/login/screens/chrome_user_selection_screen.cc

@@ -17,6 +17,7 @@
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/browser_process_platform_part.h"
 #include "chrome/browser/chromeos/login/ui/views/user_board_view.h"
+#include "chrome/browser/chromeos/login/users/chrome_user_manager.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/ui/webui/chromeos/login/l10n_util.h"
 #include "chrome/browser/ui/webui/chromeos/login/signin_screen_handler.h"
@@ -76,6 +77,7 @@ void ChromeUserSelectionScreen::OnPolicyUpdated(const std::string& user_id) {
 
   CheckForPublicSessionDisplayNameChange(broker);
   CheckForPublicSessionLocalePolicyChange(broker);
+  CheckIfFullManagementDisclosureNeeded(broker);
 }
 
 void ChromeUserSelectionScreen::OnDeviceLocalAccountsChanged() {
@@ -151,6 +153,12 @@ void ChromeUserSelectionScreen::CheckForPublicSessionLocalePolicyChange(
     recommended_locales = new_recommended_locales;
 }
 
+void ChromeUserSelectionScreen::CheckIfFullManagementDisclosureNeeded(
+    policy::DeviceLocalAccountPolicyBroker* broker) {
+  SetPublicSessionShowFullManagementDisclosure(
+      ChromeUserManager::Get()->IsFullManagementDisclosureNeeded(broker));
+}
+
 void ChromeUserSelectionScreen::SetPublicSessionDisplayName(
     const AccountId& account_id) {
   const user_manager::User* user =
@@ -191,4 +199,10 @@ void ChromeUserSelectionScreen::SetPublicSessionLocales(
                                  two_or_more_recommended_locales);
 }
 
+void ChromeUserSelectionScreen::SetPublicSessionShowFullManagementDisclosure(
+    bool show_full_management_disclosure) {
+  view_->SetPublicSessionShowFullManagementDisclosure(
+      show_full_management_disclosure);
+}
+
 }  // namespace chromeos

chrome/browser/chromeos/login/screens/chrome_user_selection_screen.h

@@ -45,6 +45,11 @@ class ChromeUserSelectionScreen
   void CheckForPublicSessionLocalePolicyChange(
       policy::DeviceLocalAccountPolicyBroker* broker);
 
+  // Check whether full management disclosure is needed for the public/managed
+  // session login screen and if so, notify the UI.
+  void CheckIfFullManagementDisclosureNeeded(
+      policy::DeviceLocalAccountPolicyBroker* broker);
+
   // Notify the UI that the display name for a public session has changed,
   // taking the display name from the |User| owned by |UserManager|.
   void SetPublicSessionDisplayName(const AccountId& account_id);
@@ -55,6 +60,11 @@ class ChromeUserSelectionScreen
       const AccountId& account_id,
       const std::vector<std::string>& recommended_locales);
 
+  // Send an updated flag for enabling/disable full management disclosure to the
+  // UI.
+  void SetPublicSessionShowFullManagementDisclosure(
+      bool show_full_management_disclosure);
+
   policy::DeviceLocalAccountPolicyService* device_local_account_policy_service_;
 
   // Map from public session account IDs to their display names set by policy.

chrome/browser/chromeos/login/ui/views/user_board_view.h

@@ -42,6 +42,8 @@ class UserBoardView {
                                        std::unique_ptr<base::ListValue> locales,
                                        const std::string& default_locale,
                                        bool multiple_recommended_locales) = 0;
+  virtual void SetPublicSessionShowFullManagementDisclosure(
+      bool show_full_management_disclosure) = 0;
   virtual void ShowBannerMessage(const base::string16& message,
                                  bool is_warning) = 0;
   virtual void ShowUserPodCustomIcon(

chrome/browser/chromeos/login/user_board_view_mojo.cc

@@ -88,6 +88,14 @@ void UserBoardViewMojo::SetPublicSessionLocales(
                                                                 default_locale);
 }
 
+void UserBoardViewMojo::SetPublicSessionShowFullManagementDisclosure(
+    bool show_full_management_disclosure) {
+  LoginScreenClient::Get()
+      ->login_screen()
+      ->SetPublicSessionShowFullManagementDisclosure(
+          show_full_management_disclosure);
+}
+
 void UserBoardViewMojo::ShowBannerMessage(const base::string16& message,
                                           bool is_warning) {
   // As of M69, ShowBannerMessage is used only for showing ext4 migration

chrome/browser/chromeos/login/user_board_view_mojo.h

@@ -24,6 +24,8 @@ class UserBoardViewMojo : public UserBoardView {
                                std::unique_ptr<base::ListValue> locales,
                                const std::string& default_locale,
                                bool multiple_recommended_locales) override;
+  void SetPublicSessionShowFullManagementDisclosure(
+      bool show_full_management_disclosure) override;
   void ShowBannerMessage(const base::string16& message,
                          bool is_warning) override;
   void ShowUserPodCustomIcon(

chrome/browser/chromeos/login/users/chrome_user_manager.cc

@@ -10,7 +10,6 @@
 #include "chrome/browser/chromeos/policy/device_local_account_policy_service.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
 #include "chromeos/chromeos_switches.h"
-#include "chromeos/login/login_state.h"
 #include "chromeos/settings/cros_settings_names.h"
 #include "components/policy/core/common/policy_map.h"
 #include "components/policy/policy_constants.h"
@@ -20,68 +19,6 @@
 #include "components/user_manager/user_type.h"
 
 namespace chromeos {
-namespace {
-
-bool IsManagedSessionEnabled(const user_manager::User& active_user) {
-  // If the service doesn't exist or the policy is not set, enable managed
-  // session by default.
-  const bool managed_session_enabled_by_default = true;
-
-  policy::DeviceLocalAccountPolicyService* service =
-      g_browser_process->platform_part()
-          ->browser_policy_connector_chromeos()
-          ->GetDeviceLocalAccountPolicyService();
-  if (!service)
-    return managed_session_enabled_by_default;
-
-  const policy::PolicyMap::Entry* entry =
-      service->GetBrokerForUser(active_user.GetAccountId().GetUserEmail())
-          ->core()
-          ->store()
-          ->policy_map()
-          .Get(policy::key::kDeviceLocalAccountManagedSessionEnabled);
-
-  if (!entry)
-    return managed_session_enabled_by_default;
-
-  return entry && entry->value && entry->value->GetBool();
-}
-
-LoginState::LoggedInUserType GetLoggedInUserType(
-    const user_manager::User& active_user,
-    bool is_current_user_owner) {
-  if (is_current_user_owner)
-    return LoginState::LOGGED_IN_USER_OWNER;
-
-  switch (active_user.GetType()) {
-    case user_manager::USER_TYPE_REGULAR:
-      return LoginState::LOGGED_IN_USER_REGULAR;
-    case user_manager::USER_TYPE_GUEST:
-      return LoginState::LOGGED_IN_USER_GUEST;
-    case user_manager::USER_TYPE_PUBLIC_ACCOUNT:
-      return IsManagedSessionEnabled(active_user)
-                 ? LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT_MANAGED
-                 : LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT;
-    case user_manager::USER_TYPE_SUPERVISED:
-      return LoginState::LOGGED_IN_USER_SUPERVISED;
-    case user_manager::USER_TYPE_KIOSK_APP:
-      return LoginState::LOGGED_IN_USER_KIOSK_APP;
-    case user_manager::USER_TYPE_CHILD:
-      return LoginState::LOGGED_IN_USER_CHILD;
-    case user_manager::USER_TYPE_ARC_KIOSK_APP:
-      return LoginState::LOGGED_IN_USER_ARC_KIOSK_APP;
-    case user_manager::USER_TYPE_ACTIVE_DIRECTORY:
-      // NOTE(olsen) There's no LOGGED_IN_USER_ACTIVE_DIRECTORY - is it needed?
-      return LoginState::LOGGED_IN_USER_REGULAR;
-    case user_manager::NUM_USER_TYPES:
-      break;  // Go to invalid-type handling code.
-      // Since there is no default, the compiler warns about unhandled types.
-  }
-  NOTREACHED() << "Invalid type for active user: " << active_user.GetType();
-  return LoginState::LOGGED_IN_USER_REGULAR;
-}
-
-}  // namespace
 
 ChromeUserManager::ChromeUserManager(
     scoped_refptr<base::TaskRunner> task_runner)
@@ -145,6 +82,40 @@ bool ChromeUserManager::GetPlatformKnownUserId(
   return false;
 }
 
+LoginState::LoggedInUserType ChromeUserManager::GetLoggedInUserType(
+    const user_manager::User& active_user,
+    bool is_current_user_owner) const {
+  if (is_current_user_owner)
+    return LoginState::LOGGED_IN_USER_OWNER;
+
+  switch (active_user.GetType()) {
+    case user_manager::USER_TYPE_REGULAR:
+      return LoginState::LOGGED_IN_USER_REGULAR;
+    case user_manager::USER_TYPE_GUEST:
+      return LoginState::LOGGED_IN_USER_GUEST;
+    case user_manager::USER_TYPE_PUBLIC_ACCOUNT:
+      return IsManagedSessionEnabledForUser(active_user)
+                 ? LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT_MANAGED
+                 : LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT;
+    case user_manager::USER_TYPE_SUPERVISED:
+      return LoginState::LOGGED_IN_USER_SUPERVISED;
+    case user_manager::USER_TYPE_KIOSK_APP:
+      return LoginState::LOGGED_IN_USER_KIOSK_APP;
+    case user_manager::USER_TYPE_CHILD:
+      return LoginState::LOGGED_IN_USER_CHILD;
+    case user_manager::USER_TYPE_ARC_KIOSK_APP:
+      return LoginState::LOGGED_IN_USER_ARC_KIOSK_APP;
+    case user_manager::USER_TYPE_ACTIVE_DIRECTORY:
+      // NOTE(olsen) There's no LOGGED_IN_USER_ACTIVE_DIRECTORY - is it needed?
+      return LoginState::LOGGED_IN_USER_REGULAR;
+    case user_manager::NUM_USER_TYPES:
+      break;  // Go to invalid-type handling code.
+      // Since there is no default, the compiler warns about unhandled types.
+  }
+  NOTREACHED() << "Invalid type for active user: " << active_user.GetType();
+  return LoginState::LOGGED_IN_USER_REGULAR;
+}
+
 // static
 ChromeUserManager* ChromeUserManager::Get() {
   user_manager::UserManager* user_manager = user_manager::UserManager::Get();

chrome/browser/chromeos/login/users/chrome_user_manager.h

@@ -10,6 +10,8 @@
 #include "base/task_runner.h"
 #include "chrome/browser/chromeos/login/users/affiliation.h"
 #include "chrome/browser/chromeos/login/users/user_manager_interface.h"
+#include "chrome/browser/chromeos/policy/device_local_account_policy_service.h"
+#include "chromeos/login/login_state.h"
 #include "components/account_id/account_id.h"
 #include "components/user_manager/user.h"
 #include "components/user_manager/user_manager_base.h"
@@ -51,6 +53,23 @@ class ChromeUserManager : public user_manager::UserManagerBase,
   // policy::DeviceStatusCollector).
   virtual bool ShouldReportUser(const std::string& user_id) const = 0;
 
+  // Checks whether 'DeviceLocalAccountManagedSessionEnabled' policy is enabled
+  // for |active_user|.
+  virtual bool IsManagedSessionEnabledForUser(
+      const user_manager::User& active_user) const = 0;
+
+  // Checks whether full management disclosure is needed for the public/managed
+  // session login screen UI. Full disclosure is needed if the session is
+  // managed and any risky extensions or network certificates are forced
+  // through the policies.
+  virtual bool IsFullManagementDisclosureNeeded(
+      policy::DeviceLocalAccountPolicyBroker* broker) const = 0;
+
+ private:
+  LoginState::LoggedInUserType GetLoggedInUserType(
+      const user_manager::User& active_user,
+      bool is_current_user_owner) const;
+
   DISALLOW_COPY_AND_ASSIGN(ChromeUserManager);
 };
 

chrome/browser/chromeos/login/users/chrome_user_manager_impl.cc

@@ -124,6 +124,10 @@ constexpr char kGoogleDotCom[] = "@google.com";
 
 constexpr char kBluetoothLoggingUpstartJob[] = "bluetoothlog";
 
+// If the service doesn't exist or the policy is not set, enable managed
+// session by default.
+constexpr bool kManagedSessionEnabledByDefault = true;
+
 bool FakeOwnership() {
   return base::CommandLine::ForCurrentProcess()->HasSwitch(
       switches::kStubCrosSettings);
@@ -211,6 +215,15 @@ void MaybeStartBluetoothLogging(const AccountId& account_id) {
       kBluetoothLoggingUpstartJob, {}, EmptyVoidDBusMethodCallback());
 }
 
+bool IsManagedSessionEnabled(policy::DeviceLocalAccountPolicyBroker* broker) {
+  const policy::PolicyMap::Entry* entry =
+      broker->core()->store()->policy_map().Get(
+          policy::key::kDeviceLocalAccountManagedSessionEnabled);
+  if (!entry)
+    return kManagedSessionEnabledByDefault;
+  return entry->value && entry->value->GetBool();
+}
+
 }  // namespace
 
 // static
@@ -1409,6 +1422,24 @@ bool ChromeUserManagerImpl::ShouldReportUser(const std::string& user_id) const {
   return !(reporting_users.Find(user_id_value) == reporting_users.end());
 }
 
+bool ChromeUserManagerImpl::IsManagedSessionEnabledForUser(
+    const user_manager::User& active_user) const {
+  policy::DeviceLocalAccountPolicyService* service =
+      g_browser_process->platform_part()
+          ->browser_policy_connector_chromeos()
+          ->GetDeviceLocalAccountPolicyService();
+  if (!service)
+    return kManagedSessionEnabledByDefault;
+
+  return IsManagedSessionEnabled(
+      service->GetBrokerForUser(active_user.GetAccountId().GetUserEmail()));
+}
+
+bool ChromeUserManagerImpl::IsFullManagementDisclosureNeeded(
+    policy::DeviceLocalAccountPolicyBroker* broker) const {
+  return IsManagedSessionEnabled(broker);
+}
+
 void ChromeUserManagerImpl::AddReportingUser(const AccountId& account_id) {
   ListPrefUpdate users_update(GetLocalState(), prefs::kReportingUsers);
   users_update->AppendIfNotPresent(

chrome/browser/chromeos/login/users/chrome_user_manager_impl.h

@@ -148,6 +148,10 @@ class ChromeUserManagerImpl
       const AccountId& account_id,
       const AffiliationIDSet& user_affiliation_ids) override;
   bool ShouldReportUser(const std::string& user_id) const override;
+  bool IsManagedSessionEnabledForUser(
+      const user_manager::User& active_user) const override;
+  bool IsFullManagementDisclosureNeeded(
+      policy::DeviceLocalAccountPolicyBroker* broker) const override;
 
  protected:
   const std::string& GetApplicationLocale() const override;

chrome/browser/chromeos/login/users/fake_chrome_user_manager.cc

@@ -707,6 +707,16 @@ bool FakeChromeUserManager::ShouldReportUser(const std::string& user_id) const {
   return false;
 }
 
+bool FakeChromeUserManager::IsManagedSessionEnabledForUser(
+    const user_manager::User& active_user) const {
+  return true;
+}
+
+bool FakeChromeUserManager::IsFullManagementDisclosureNeeded(
+    policy::DeviceLocalAccountPolicyBroker* broker) const {
+  return true;
+}
+
 user_manager::User* FakeChromeUserManager::GetActiveUserInternal() const {
   if (active_user_ != nullptr)
     return active_user_;

chrome/browser/chromeos/login/users/fake_chrome_user_manager.h

@@ -173,6 +173,10 @@ class FakeChromeUserManager : public ChromeUserManager {
       const AccountId& account_id,
       const AffiliationIDSet& user_affiliation_ids) override;
   bool ShouldReportUser(const std::string& user_id) const override;
+  bool IsManagedSessionEnabledForUser(
+      const user_manager::User& active_user) const override;
+  bool IsFullManagementDisclosureNeeded(
+      policy::DeviceLocalAccountPolicyBroker* broker) const override;
 
   void set_ephemeral_users_enabled(bool ephemeral_users_enabled) {
     fake_ephemeral_users_enabled_ = ephemeral_users_enabled;

chrome/browser/chromeos/login/users/mock_user_manager.h

@@ -146,6 +146,10 @@ class MockUserManager : public ChromeUserManager {
                     const chromeos::AffiliationIDSet& user_affiliation_ids));
 
   bool ShouldReportUser(const std::string& user_id) const override;
+  MOCK_CONST_METHOD1(IsManagedSessionEnabledForUser,
+                     bool(const user_manager::User&));
+  MOCK_CONST_METHOD1(IsFullManagementDisclosureNeeded,
+                     bool(policy::DeviceLocalAccountPolicyBroker*));
 
   // We cannot mock ScheduleResolveLocale directly because of
   // base::OnceClosure's removed deleter. This is a trampoline to the actual

chrome/browser/ui/webui/chromeos/login/user_board_screen_handler.cc

@@ -58,6 +58,11 @@ void UserBoardScreenHandler::SetPublicSessionLocales(
                    multiple_recommended_locales);
 }
 
+void UserBoardScreenHandler::SetPublicSessionShowFullManagementDisclosure(
+    bool show_full_management_disclosure) {
+  // This method is only called from browser_tests and shouldn't do anything.
+}
+
 void UserBoardScreenHandler::ShowBannerMessage(const base::string16& message,
                                                bool is_warning) {
   CallJSWithPrefix("login.AccountPickerScreen.showBannerMessage", message,

chrome/browser/ui/webui/chromeos/login/user_board_screen_handler.h

@@ -44,6 +44,8 @@ class UserBoardScreenHandler : public BaseScreenHandler, public UserBoardView {
                                std::unique_ptr<base::ListValue> locales,
                                const std::string& default_locale,
                                bool multiple_recommended_locales) override;
+  void SetPublicSessionShowFullManagementDisclosure(
+      bool show_full_management_disclosure) override;
   void ShowBannerMessage(const base::string16& message,
                          bool is_warning) override;
   void ShowUserPodCustomIcon(