Improve determination of managed state in DeviceSettingsProvider

components/policy/proto/device_management_backend.proto

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 syntax = "proto2";
 
 option optimize_for = LITE_RUNTIME;
 
 package enterprise_management;
 
@@ skipping 272 matching lines @@
   // See PolicyFetchRequest.policy_type.
   optional string policy_type = 1;
 
   // [timestamp] is milliseconds since Epoch in UTC timezone (Java time). It is
   // included here so that the time at which the server issued this response
   // cannot be faked (as protection against replay attacks). It is the timestamp
   // generated by DMServer, NOT the time admin last updated the policy or
   // anything like that.
   optional int64 timestamp = 2;
 
-  // The DM token that was used by the client in the HTTP POST header
-  // for authenticating the request. It is included here again so that
-  // the client can verify that the response is meant for them (and not
-  // issued by a replay or man-in-the-middle attack).
+  // The DM token that was used by the client in the HTTP POST header for
+  // authenticating the request. It is included here again so that the client
+  // can verify that the response is meant for them (and not issued by a replay
+  // or man-in-the-middle attack).
+  // Note that the existence or non-existence of the DM token is not the correct
+  // way to determine whether the device is managed. Cf. |management_mode| below
+  // for details.
   optional string request_token = 3;
 
   // The serialized value of the actual policy protobuf.  This can be
   // deserialized to an instance of, for example, ChromeSettingsProto,
   // ChromeDeviceSettingsProto, or ExternalPolicyData.
   optional bytes policy_value = 4;
 
   // The device display name assigned by the server.  It is only
   // filled if the display name is available.
   //
@@ skipping 54 matching lines @@
   optional string policy_token = 15;
 
   // Indicates the management mode of the device. Note that old policies do not
   // have this field. If this field is not set but request_token is set, assume
   // the management mode is ENTERPRISE_MANAGED. If both this field and
   // request_token are not set, assume the management mode is LOCAL_OWNER.
   enum ManagementMode {
     // The device is owned locally. The policies are set by the local owner of
     // the device.
     LOCAL_OWNER = 0;
-    // The device is enterprise-managed. The policies come from the enterprise
-    // server. See the comment above for backward compatibility.
+    // The device is enterprise-managed (either via cloud or through Active

[ljusten (tachyonic), 2017/05/29 12:43:01]

Nit: I guess at some point we might support Azure AD servers as well, so I'd
suggest to refer to DM Server instead of 'cloud'.

[Thiemo Nagel, 2017/05/29 15:07:16]

Valid point, I guess.  Thanks.

[ljusten (tachyonic), 2017/05/30 08:55:10]

IMHO, we should rename cloud policy to user policy everywhere. It confused the
hell out of me that we always refer to it as user policy, but it's called cloud
policy. Device policy, which is also coming from the cloud, is not called cloud
policy...

[Thiemo Nagel, 2017/05/30 12:25:06]

Note that it's possible to have non-cloud user policy on non-CrOS platforms,
e.g. GPO on Windows, JSON on Linux, ...

If there's something you'd like to clarify, I'm happy to review CLs. :)

+    // Directory). See the comment above for backward compatibility.
     ENTERPRISE_MANAGED = 1;
     // Obsolete. Don't use.
     OBSOLETE_CONSUMER_MANAGED = 2;
   }
   optional ManagementMode management_mode = 16;
 
   // Indicates the state that the device should be in.
   optional DeviceState device_state = 17;
 
   // The object source which hosts command queue objects within the
@@ skipping 1036 matching lines @@
       check_android_management_response = 18;
 
   // Response to an Active Directory Play user enrollment request.
   optional ActiveDirectoryEnrollPlayUserResponse
       active_directory_enroll_play_user_response = 19;
 
   // Response to a Play activity request.
   optional ActiveDirectoryPlayActivityResponse
       active_directory_play_activity_response = 20;
 }