Use the Windows MDM API to check if the machine is being managed.

components/policy/core/common/policy_loader_win.cc

 // Copyright (c) 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/policy/core/common/policy_loader_win.h"
 
 #include <windows.h>
 #include <ntdsapi.h>  // For Ds[Un]Bind
 #include <rpc.h>      // For struct GUID
 #include <shlwapi.h>  // For PathIsUNC()
@@ skipping 72 matching lines @@
 // Hence,
 //   (a) existing enumerated constants should never be deleted or reordered, and
 //   (b) new constants should only be appended at the end of the enumeration.
 enum DomainCheckErrors {
   // The check error below is no longer possible.
   DEPRECATED_DOMAIN_CHECK_ERROR_GET_JOIN_INFO = 0,
   DOMAIN_CHECK_ERROR_DS_BIND = 1,
   DOMAIN_CHECK_ERROR_SIZE,  // Not a DomainCheckError.  Must be last.
 };
 
+bool ShouldHonorPolicies() {

[pastarmovj, 2017/02/17 16:21:17]

nit: I presume the indirection here is to be able to swap out what
ShouldHonorPolicies mean? Can you please document that in a comment above this
function.

[Roger Tawa OOO till Jul 10th, 2017/02/17 19:20:13]

Done.

+  return base::win::IsEnterpriseManaged();
+}
+
 // Verifies that untrusted policies contain only safe values. Modifies the
 // |policy| in place.
 void FilterUntrustedPolicy(PolicyMap* policy) {
-  if (base::win::IsEnrolledToDomain())
+  if (ShouldHonorPolicies())
     return;
 
   int invalid_policies = 0;
   const PolicyMap::Entry* map_entry =
       policy->Get(key::kExtensionInstallForcelist);
   if (map_entry && map_entry->value) {
     const base::ListValue* policy_list_value = NULL;
     if (!map_entry->value->GetAsList(&policy_list_value))
       return;
 
@@ skipping 177 matching lines @@
 }
 
 // Collects stats about the enterprise environment that can be used to decide
 // how to parse the existing policy information.
 void CollectEnterpriseUMAs() {
   // Collect statistics about the windows suite.
   UMA_HISTOGRAM_ENUMERATION("EnterpriseCheck.OSType",
                             base::win::OSInfo::GetInstance()->version_type(),
                             base::win::SUITE_LAST);
 
-  bool in_domain = base::win::IsEnrolledToDomain();
-  UMA_HISTOGRAM_BOOLEAN("EnterpriseCheck.InDomain", in_domain);
+  UMA_HISTOGRAM_BOOLEAN("EnterpriseCheck.InDomain",
+                        base::win::IsEnrolledToDomain());
+  UMA_HISTOGRAM_BOOLEAN("EnterpriseCheck.IsManaged",
+                        base::win::IsDeviceRegisteredWithManagement());
+  UMA_HISTOGRAM_BOOLEAN("EnterpriseCheck.IsEnterpriseUser",
+                        base::win::IsEnterpriseManaged());
 }
 
 }  // namespace
 
 const base::FilePath::CharType PolicyLoaderWin::kPRegFileName[] =
     FILE_PATH_LITERAL("Registry.pol");
 
 PolicyLoaderWin::PolicyLoaderWin(
     scoped_refptr<base::SequencedTaskRunner> task_runner,
     const base::string16& chrome_policy_key,
@@ skipping 53 matching lines @@
 
   // Policy scope and corresponding hive.
   static const struct {
     PolicyScope scope;
     HKEY hive;
   } kScopes[] = {
     { POLICY_SCOPE_MACHINE, HKEY_LOCAL_MACHINE },
     { POLICY_SCOPE_USER,    HKEY_CURRENT_USER  },
   };
 
-  bool is_enterprise = base::win::IsEnrolledToDomain();
+  bool honor_policies = ShouldHonorPolicies();
   VLOG(1) << "Reading policy from the registry is "
-          << (is_enterprise ? "enabled." : "disabled.");
+          << (honor_policies ? "enabled." : "disabled.");
 
   // Load policy data for the different scopes/levels and merge them.
   std::unique_ptr<PolicyBundle> bundle(new PolicyBundle());
   PolicyMap* chrome_policy =
       &bundle->Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string()));
   for (size_t i = 0; i < arraysize(kScopes); ++i) {
     PolicyScope scope = kScopes[i].scope;
     PolicyLoadStatusSample status;
     RegistryDict gpo_dict;
 
     // Note: GPO rules mandate a call to EnterCriticalPolicySection() here, and
     // a matching LeaveCriticalPolicySection() call below after the
     // ReadPolicyFromGPO() block. Unfortunately, the policy mutex may be
     // unavailable for extended periods of time, and there are reports of this
     // happening in the wild: http://crbug.com/265862.
     //
     // Blocking for minutes is neither acceptable for Chrome startup, nor on
     // the FILE thread on which this code runs in steady state. Given that
     // there have never been any reports of issues due to partially-applied /
     // corrupt group policy, this code intentionally omits the
     // EnterCriticalPolicySection() call.
     //
     // If there's ever reason to revisit this decision, one option could be to
     // make the EnterCriticalPolicySection() call on a dedicated thread and
     // timeout on it more aggressively. For now, there's no justification for
     // the additional effort this would introduce.
 
-    bool is_registry_forced = is_enterprise || gpo_provider_ == nullptr;
+    bool is_registry_forced = honor_policies || gpo_provider_ == nullptr;
     if (is_registry_forced || !ReadPolicyFromGPO(scope, &gpo_dict, &status)) {
       VLOG_IF(1, !is_registry_forced) << "Failed to read GPO files for "
                                       << scope << " falling back to registry.";
       gpo_dict.ReadRegistry(kScopes[i].hive, chrome_policy_key_);
     }
 
     // Remove special-cased entries from the GPO dictionary.
     std::unique_ptr<RegistryDict> recommended_dict(
         gpo_dict.RemoveKey(kKeyRecommended));
     std::unique_ptr<RegistryDict> third_party_dict(
@@ skipping 200 matching lines @@
 
 void PolicyLoaderWin::OnObjectSignaled(HANDLE object) {
   DCHECK(object == user_policy_changed_event_.handle() ||
          object == machine_policy_changed_event_.handle())
       << "unexpected object signaled policy reload, obj = "
       << std::showbase << std::hex << object;
   Reload(false);
 }
 
 }  // namespace policy