That doesn't really make sense to me. User accounts, whether managed remotely or locally, should be subordinate to administrator accounts. That administrator-level privileges are insufficient to undo a change made with user-level privileges breaks this relationship.
OP didn't mention that the child's account is a secondary account. AFAIK if you log in with an account the first time on a fresh(ly reset) Chromebook, it becomes the "administrator" account - and at the same time if it's in an organization (i.e. the school) the org's policies are applied. No clue how that interacts if you do attempt to log in such an account as a second account; it's possible the org can require an account to be in control of the device. Chromebooks are deeply designed for exactly this centrally managed scenario after all, that's (partly) why they are so popular with schools and companies.
Based on this support thread [0], which was linked to by awinter-py's comment [1] elsewhere in the comments, it doesn't really matter which is first. Remote policies supersede any local controls, and can promote themselves to have Owner privileges. That this is the intended behavior, for any remote management to take precedence over any local management, is a terrifying security hole.
>That this is the intended behavior, for any remote management to take precedence over any local management, is a terrifying security hole.
You've actually got it backwards. In an enterprise domain like this, allowing local management to take precedence over remote management and policies is a massive security hole for the domain as a whole, not to mention required by regulatory bodies dictating information security for educational institutions. A locally managed node is effectively a rogue node on the network. There are use cases for it but they're specialized. OP most likely signed a consent form as part of the online learning stuff at some point and this is the consequence of not reading the things you sign. This whole thing is so massively overblown, like no one here has worked anywhere with a BYOD policy and MDM.
The device belongs to the owner and the owner should be able to override anything.
If an organization wants to set policies that can’t be overridden, it should pay for the devices. (And even then, the user still has a right to privacy and a certain level of control).
If they set an MDM policy on a device I own, I’ll mail the organization the device and a bill for buying a new one that very same day.
No, it's a terrifying security hole, full stop. If I leave my non-managed Chromebook unattended (logged out!) for 30 seconds, someone can sign into it with their managed account and install spyware without me knowing?
I think it works similarly on Android phones. Google policy for the Android Corp devices requires you to set it up using a corp account, then add secondary personal accounts (if needed).
They are, but there has always been a contention between local admin vs domain admin (managed accounts) and usually the case has been that the domain admin overrules the local but the local admin can un-join the domain.
This is not that different. The moment you join the remote domain, you no longer have top privileges. You can still unjoin at any point but as soon as you join, you're placed under a different hierarchy.
You were never the owner of the Chromebook in the first place, so Google, the actual owner, just transferred control to the school. They never needed your permission to do this in the first place because you just paid full fare for an unlimited rental of someone else's property.
That's the conclusion I tend to reach, and I believe Google to have fraudulently described a rental as a purchase. Whoever is the source of authority to run software on a device is the owner of that device. Since enabling remote management does not require administrator privilege, the right to do so doesn't come from the administrator. Since disabling remote management cannot be done by a local administrator, the granted authority is even greater than the nominal authority granted to the buyer. Each of these implies that Google remained the source of authority, and therefore didn't transfer ownership over the device.