For privacy reasons, I’m not going to talk a lot about the background here. So I’ll just state that there are two Chromebooks (Dell 11 3189) in my household and that it turned out the local school system had acquired one of them – not physically, but functionally. I learned a lot about Chromebooks, ChromeOS, “Managed” devices and “Owned” devices that I wanted to document for myself and for anyone else that might benefit.
During some sort of onboarding effort last year, all of the Chromebooks for students were supposed to go through what we were told was a check. Sure enough, after the onboarding, the Chromebook had something saying it was “Managed” by the schools. And it wasn’t just the one student account that was managed but the entire damned device. So a Chromebook that I bought with my money is now off-limits to me making certain settings changes. This was a bigger deal to me conceptually than practically. Because as I type this now a year later, I can’t come up with a single thing that I wanted to change during the last year that I was prohibited from doing due to it being “Managed”. So it feels like overreach on the part of Google but I wasn’t really impacted by that.
But I recently got a request for Minecraft on the Chromebooks. As you can read in my other post about it, that seemed like a reasonable request and although you can’t run it in ChomeOS, directly, you can turn on “Linux (Beta)” on a Chromebook in ChromeOS. Except not when it is “Managed” and that is not a distinction for the manager to set – it is a Google thing that “Managed” means no “Linux (Beta)” period. Which meant the Chromebooks were definitely not going to be able to be used to run Minecraft.
At least not in ChromeOS. But I discovered that I could run a Linux operating system in a dual boot mode so that the Chromebook could run Minecraft in GalliumOS (again more on that in the other post). However during the setup for Gallium, where you need to wipe out the computer, one of my Chromebooks did exactly what it was supposed to and the other did not enter Developer Mode instead showing the ominous statement “The device owner has disabled developer mode for this device”.
I was incredulous. I yelled at the Chromebook “what do you mean the device owner has disabled.. I’m the freaking device owner and I didn’t do that!”. At least I didn’t think I did. And bit by bit the truth of the situation became clear. Apparently during the onboarding, the school had run out of time and one of the devices skipped part of the process. That’s the device that behaved correctly, Chromebook #2. However Chromebook #1, had been fully onboarded and part of that process was capturing the Chromebook’s serial number to include in the database of the school’s Chromebooks. Once the serial number is entered into the database, it becomes effectively owned by the database owner, which in this case was the school. And that means I can’t Powerwash the computer and enter anything other than an account belonging to the school. It means that I wouldn’t be able to sell the computer to somebody else. And it means, most importantly for me at this point, that I wouldn’t be able to put the Chromebook in Developer Mode to continue my dual boot plan.
Fearing administrative run-around at the school during the summer and during COVID, I thought the best plan would be to simply blast away the ownership record. I tried removing the write-protect screw that is inside the Chromebook but that didn’t do it. I tried removing the main battery and holding the power button to forcibly drain the power out of all the chips but that also wasn’t successful. Then I figured there must be a CMOS battery still holding power that I would need to disconnect but it turned out my particular Chromebook didn’t have a CMOS battery. And the storage wasn’t removable – it was embedded on the motherboard. And I eventually realized that all of those were fruitless since the nature of the lock is based on the serial number in the motherboard. So the only way to free the lock is to change the serial number. Except the only way to change the serial number is to have the device in Developer Mode. Which you can’t do when it has been disabled by the owner. Which is no longer me. Aigh!!
At this point I had no choice but to have the schools remove the lock so I contacted the IT people at the school. I was calm in my interaction but I was irate inside. The school had stolen my Chromebook (and would have stolen 2 if there was time). They had told me to buy it but then took it over in their inventory. And there is no reason to have a Chromebook in inventory other than asset management. “Managed” takes care of what IT really cares about day to day and Google has that covered. The “Ownership” does nothing about day to day use and only impacts things like Developer Mode and clearing it out and selling it. Which means it is entirely meaningless for what the school wanted and that was proven by the fact that one of my Chromebooks had theoretically failed the onboarding process but in reality functioned perfectly well for a year of use – 2/3 of the school year in school and 1/3 of the school year during remote at home.
The head of IT eventually got back to me indicating that the serial number had been somewhat grudgingly removed. I thanked him but couldn’t help replying with a small lecture on why the school should clear out all of the serial numbers they own since they don’t actually own them.
Now with that serial number freed up, I needed to let the Chromebook boot into Verified (Normal) Mode, then establish a network connection. At that point, it modified the ownership of the device and marked it as no longer owned by the school. Then I could resume the process by truly enabling Developer Mode.
In summary, schools should only lock serial numbers as being owned when they are actually physically owned by the school. If you try to enable Developer Mode and discover that you cannot because a “device owner” has prohibited it, you’ll need to find out who that is. There is no way to remove that lock forcibly since the lock isn’t maintained locally on the computer but remotely in a database. And the computer won’t go through the setup process without a network connection specifically so that it can access that database. Also, if you are going to buy a used Chromebook, ensure that it will not arrive with a serial number lock. While it’s nice to know that serial numbers can be tracked like this in the case of theft, in practice a system like this is only as good as those that maintain it and if there are wrong decisions made about ownership, then it gets in the way of those that actually do own the devices.