Local data recovery on ChromeOS devices, now possible (under the correct circumstances)

Kim_Nilsson
Admin Moderator

I figured this might be an interesting topic to discuss.

Support article.
https://support.google.com/chrome/a/answer/14539268?hl=en

Admin setting.

https://admin.google.com/ac/chrome/settings/user/details/recovery_factor_behavior_setting_group?hl=e...

Background.

Previously, whenever a user forgot their current password, had it changed, and tried to log into their Chromebook again, they were asked to provide their old/previous password, or else any and all local data in their Chrome user session would be deleted. If they provided the old password, then the device would decrypt the content and re-encrypt it with the new password, and the user would regain access to all local content.

Now, if they still know the old password, then there is, of course, less need to change it, but perhaps it was compromised (which, as we all know, is the only valid reason to change a password, unless it's a really bad and easy to guess password).

The future is now...

With this new setting, which is disabled by default, and which most probably haven't touched, it will be possible to help the user with a new password and still let them access their old content when logging in with the new password!

Requirements.

It is clearly written in the support article that this is, again of course, not possible unless the user has used their device with their old password after the feature has been enabled. It notes that it requires two proper logins, to make sure that the encryption information has been synced to the account online.

Is this good or bad?

This is where I leave the floor open for opinions. 😎

My take.

Good: Less friction when a user needs to reset their password and quickly get back to work.

Bad: Now we can't actually say that "what happens on a Chromebook stays on a Chromebook". Well, we can, because it's still staying on the CB 🙂 but now it is actually possible for a Workspace admin = not-the-user to reset the password of a user and still gain access to the local content on the device, regardless of the wishes of that user.

--
https://wheretofind.me/@NoSubstitute

YERKO
Contributor

It depends on the point of view and on "the use" the Chromebook is put to. I lean more toward "bad", given that every country must have protection and privacy laws, even when the devices and the email accounts themselves are institutional or corporate. But on the other hand, if for example a school has Chromebooks for students, there are always some more creative ones who take to getting into settings or parts of the system they shouldn't, and who change or create passwords, locking the device. In those cases where the devices are "communal" in nature (so to speak), it is useful for the administrator to be able to get in some simpler way than trying to format and return to factory settings because of a prank or mistake by some bored creative type.

Interesting discussion

Regards, @Kim_Nilsson

SteveHarmon
Contributor

I just discussed this with my colleagues and this constantly happens with student devices. We are thinking that for our student OU we will Activate account recovery so students do not lose locally saved content (i.e. pictures) when they forget a password (and yes, we have the default save spot to be their Drive, but sometimes they change things or move things around).

The more difficult question is staff devices. Right now our staff use Windows laptops for the most part, but we do envision them using Chromebooks in the future. Our thinking is for the Staff OU we will also Activate account recovery in order for local data to be saved when a password is reset. This is similar behavior to the Windows laptops, where changing a password does not lose local data... and there have been plenty of times that we have needed to recover local files from a Windows laptop of an employee who left, whether their leaving was voluntary or not.

We are going to bring this up to our larger team in a meeting tomorrow. Thanks for bringing this to my attention, @Kim_Nilsson!

If possible, could you share with us a summary of what you decide as an educational institution, and the pros and cons that led you to the final decision.

We ended up deciding to Activate account recovery for all users in our domain. We wanted to keep the experience similar to what happens on a Windows laptop (what the teachers currently have). I imagine that some of our users would be mortified to learn that changing their password meant that they would lose access to any local files that they might have had if we did not enable this. Everyone on our team agreed with this and no one really offered reasons to NOT activate account recovery (other than me offering alternative options!).