Tell HN: My kid's school installed spyware and I can't remove it

[xg15]

Can the managed account actually access files from the unmanaged account or control which processes are active while the unmanaged account runs?

Because, if yes, this absolutely does sound like a security hole:

1) Set up an organisation and add a managed account. Set up policies that install a backdoor on first login.

2) Get hold of victim's Chromebook.

3) Log into the Chromebook using the account from (1)

4) Chromebook will execute the policies and run the backdoor.

5) Use the backdoor to snoop victim's files.

You've successfully gained access to the victim's files without knowing their password. Profit!

This would work even if the victim is fully aware of the issue and never intended to mix managed and unmanaged accounts on their own.

[ghostpepper]

Does a chromebook allow you to have more than one user account? It sounds like a factory reset was necessary to allow enrollment

[MereInterest]

Chromebooks do allow more than one user account, yes. The factory reset mentioned by the OP was necessary in order to undo the enrollment, as no application of Administrator/Owner privileges would undo it otherwise.

[ac29]

I think you misunderstand the original post - the parent didnt have some sort of local administrator account (which isnt really a thing on ChromeOS). They signed into a managed account run by the school district, didnt like the policy, then reset the device, signed into the same managed account again, and noticed the same policy was applied.

[toast0]

> local administrator account (which isnt really a thing on ChromeOS).

The first user to sign in on a chromebook has limited special powers. I don't think they involve reading other people's data though.