On the flip side of that "minors have no rights" coin you're holding up is the fact that laptop is the parent's property since they bought the laptop for the child to use. They did a factory reset and the problem software still remains. What if the parent did a factory reset to use the laptop for themselves? There is no reason for the spyware to remain in that case. It needs to be removable.

They did a factory reset and reconnected the Chromebook to the school account, which configures the device according to the schools requirements. If they wanted to use it themselves, they would reset it, do not connect the school account and all is well. GPs argument seems to support that the school doesn't have to allow to use a school account without the device being put under the schools control.

(at least as I understand it. if the MDM enrollment is actually tied to the device somehow, then they could reasonably demand it to be released if they planned to use it themselves)

That doesn't really make sense to me. User accounts, whether managed remotely or locally, should be subordinate to administrator accounts. That administrator-level privileges are insufficient to undo a change made with user-level privileges breaks this relationship.

OP didn't mention that the child's account is a secondary account. AFAIK if you log-in with an account the first time on a fresh(ly reset) chromebook, it becomes the "administrator" account - and at the same time if its in an organization (i.e. the school) the orgs policies are applied. No clue how that interacts if you do attempt to login such account as a second account, it's possible the org can require an account to be in control of the device. Chromebooks are deeply designed for exactly this centrally managed scenario after all, that's (partly) why they are so popular with schools and companies.

Based on this support thread [0], which was linked to by awinter-py's comment [1] elsewhere in the comments, it doesn't really matter which is first. Remote policies supersede any local controls, and can promote themselves to have Owner privileges. That this is the intended behavior, for any remote management to take precedence over any local management, is a terrifying security hole.

[0] https://support.google.com/chromebook/thread/117916330/how-t...

[1] https://news.ycombinator.com/item?id=30912427

>That this is the intended behavior, for any remote management to take precedence over any local management, is a terrifying security hole.

You've actually got it backwards. In an enterprise domain like this, allowing local management to take precedence over remote management and policies is a massive security hole for the domain as a whole not to mention required by regulatory bodies dictating information security for educational institutions. A locally managed node is effectively a rogue node on the network. There are use cases for it but they're specialized. OP most likely signed a consent form as part of the online learning stuff at some point and this is the consequence of not reading the things you sign. This whole thing is so massively overblown like no one here has worked anywhere with a BYOD policy and MDM.

The device belongs to the owner and the owner should be able to override anything.

If an organization wants to set policies that can’t be overridden, it should pay for the devices. (And even then, the user still has a right to privacy and a certain level of control).

If they set a MDM policy on a device I own, I’ll mail the organization the device and a bill for buying a new one that very same day.

So you’re out both the device AND a stamp?

No, it's a terrifying security hole, full stop. If I leave my non-managed Chromebook unattended (logged out!) for 30 seconds, someone can sign into it with their managed account and install spyware without me knowing?

I think it works similarly on Android phones. Google policy for the Android Corp devices requires you to set it up using corp account, then add secondary personal accounts(if needed).

They are, but there has always been a contention between local admin vs domain admin (managed accounts) and usually the case has been that the domain admin overrules the local but the local admin can un-join the domain.

This is not that different. The moment you join the remote domain, you no longer have top privileges. You can still unjoin at any point but as soon as you join, you're placed under a different hierarchy.

You were never the owner of the chromebook in the first place so Google the actual owner just transferred control to the school. They never needed your permission to do this in the first place because you just paid full fare for an unlimited rental of someone else's property.

That's the conclusion I tend to reach, and I believe Google to have fraudulently described a rental as a purchase. Whoever is the source of authority to run software on a device is the owner of that device. Since enabling remote management does not require administrator privilege, the right to do so doesn't come from the administrator. Since disabling remote management cannot be done by a local administrator, the granted authority is even greater than the nominal authority granted to the buyer. Each of these implies that Google remained the source of authority, and therefore didn't transfer ownership over the device.

> Whoever is the source of authority to run software on a device is the owner of that device

Hundreds of years of established case law refutes this claim.

The most pragmatic thing to do is probably acquire another school only Chromebook. Either have one issued from the school or buy another one. This is probably a worthwhile lesson for how to treat personal and employer assets separately anyway.

The work to try to get the school to make the software removable is a laudable stand for citizens, parent, and student rights - but would come at some cost of time, money (more than buying a second chromebook anyway), and maybe strained relationships with school officials.

> to your kid being a minor in school which means they don't have full legal rights, and the interpretation of 4A is likely up in the air here anyway

IANAL, either. Just because the student is a minor, I don't see how that gives the school the right to pwn a private laptop (were the laptop a school laptop, my opinion would be different here); at best, this would seem to be the parent's machine, or right to decide, at that point.

The OP's post isn't very clear on how the school managed to get into a private laptop in the first place; he mentions they "logged on", but onto what? And how does signing into something permit installs? (There's a comment below that hypothesizes this might be an MDM profile sort of situation, and that's … trickier. But doesn't even an MDM login have an uninstall of some sort? (Although, IDK, perhaps Chromebooks just can't do that, but that would seem to be an issue then with their software. But I've never tried, as I don't usually go for MDM stuff myself, as companies that do it typically want too much permission onto what is my personal device.))

Probably a Google account sign on.

If I sign into my work Google account on my androids chrome it basically forces you to install spyware so our IT team can suck up my browser history.

It sounds like chrome os takes this approach and adds steroids.

This is why people should be issued a work phone (or children a school laptop in the case of the OP) if the IT department is going to request control of it.

A while ago my company eventually decided to enable security settings for Microsoft Outlook, Teams etc on all mobile devices (the wipe phone on demand option). All that happened was everyone without a company phone uninstalled Teams and used WhatsApp instead.

I wouldn't accept a work phone unless I was given full control over it and can use it for personal use as well.

I'm not carrying two around.

If you want me to leave one at my desk that's fine but you won't reach me on it unless I'm there.

Same goes for work laptops and working from home.

The whole idea that you need to separate work from personal is based on the idea that if you use work laptop for personal work then they own it, that's an entirely made up constraint, one I won't accept.

In before bad analogies, there are plenty of industries that provide tradies with tool stipends, those are still owned by the tradesman but paid for by the employer do to their consumable nature. It allows tradies to buy more expensive tools if they prefer and encourages them to look after them better.

pwning the laptop was a req for doing school work, like how you essentially give prior consent to a field sobriety test when you get a drivers license. I'm not saying it's right, but that likely the school district's argument in court, and I'm sure it's buried deep in a EULA or privacy policy somewhere.

> you essentially give prior consent to a field sobriety test when you get a drivers license

If USA, this is false.

You are misinformed. In the USA, every state has a law stating licensed drivers give their implied consent to roadside DUI testing. Failure to comply will result in extra charges and almost certain conviction.

It's comical how your best advice is seek a lawyer. Any lawyer worth their salt would advise to contact the school directly to handle this matter. No need for a lawyer at this stage.

Nit: I think it's "Bong Hits 4 Jesus."

Thank you, this one still makes me lose my damn mind.

The lawyer route makes no sense, it's all about small claims here. Sue for the cost of the chromebook, that will get someone's attention and you can likely settle it out of court or get the money to purchase a new one.

The important part here is that the computer is not usable with their software and that you have no way to remove said software despite being the owner of the computer.

But the school doesn’t own the machine, the parent does.