
“the system installed GoGuardian monitoring software on the Chromebook without notice or permission.”



When I logged in with my son’s school account on Chrome OS it had some notifications about who owns the account and so on.

I don’t think it is as much a mystery as implied.

In the end there’s no getting around that mixing device uses like this doesn’t work. It works less and less as the history of computers goes on.


Can the managed account actually access files from the unmanaged account or control which processes are active while the unmanaged account runs?

Because, if yes, this absolutely does sound like a security hole:

1) Set up an organisation and add a managed account. Set up policies that install a backdoor on first login.

2) Get hold of victim's Chromebook.

3) Log into the Chromebook using the account from (1).

4) Chromebook will execute the policies and run the backdoor.

5) Use the backdoor to snoop victim's files.

You've successfully gained access to the victim's files without knowing their password. Profit!

This would work even if the victim is fully aware of the issue and never intended to mix managed and unmanaged accounts on their own.


Does a Chromebook allow you to have more than one user account? It sounds like a factory reset was necessary to allow enrollment.


Chromebooks do allow more than one user account, yes. The factory reset mentioned by the OP was necessary in order to undo the enrollment, as no application of Administrator/Owner privileges would undo it otherwise.


I think you misunderstand the original post - the parent didn't have some sort of local administrator account (which isn't really a thing on ChromeOS). They signed into a managed account run by the school district, didn't like the policy, then reset the device, signed into the same managed account again, and noticed the same policy was applied.


> local administrator account (which isn't really a thing on ChromeOS).

The first user to sign in on a Chromebook has limited special powers. I don't think they involve reading other people's data though.


> In the end there’s no getting around that mixing device uses like this doesn’t work

Surely this is the entire value proposition of ChromeOS - you sign in to your account, and the laptop magically becomes yours? It seems like a serious hole if a single sign-in is able to compromise other accounts.


It's tied directly to the remotely managed account, that's how the account works. If you don't sign into the account, the software won't be installed.

Students don't get to decide what software to install when it comes to logging in to school accounts. Generally the laptops are provided by the district, but it seems OP was trying to add another personal device to their system.

You can't participate in their system without the software. So I guess the alternative would be to block personal devices from logging in like this at all.



