[detaro]

OP didn't mention that the child's account is a secondary account. AFAIK if you log-in with an account the first time on a fresh(ly reset) chromebook, it becomes the "administrator" account - and at the same time if its in an organization (i.e. the school) the orgs policies are applied. No clue how that interacts if you do attempt to login such account as a second account, it's possible the org can require an account to be in control of the device. Chromebooks are deeply designed for exactly this centrally managed scenario after all, that's (partly) why they are so popular with schools and companies.

[MereInterest]

Based on this support thread [0], which was linked to by awinter-py's comment [1] elsewhere in the comments, it doesn't really matter which is first. Remote policies supersede any local controls, and can promote themselves to have Owner privileges. That this is the intended behavior, for any remote management to take precedence over any local management, is a terrifying security hole.

[0] https://support.google.com/chromebook/thread/117916330/how-t...

[1] https://news.ycombinator.com/item?id=30912427

[cosine83]

>That this is the intended behavior, for any remote management to take precedence over any local management, is a terrifying security hole.

You've actually got it backwards. In an enterprise domain like this, allowing local management to take precedence over remote management and policies is a massive security hole for the domain as a whole not to mention required by regulatory bodies dictating information security for educational institutions. A locally managed node is effectively a rogue node on the network. There are use cases for it but they're specialized. OP most likely signed a consent form as part of the online learning stuff at some point and this is the consequence of not reading the things you sign. This whole thing is so massively overblown like no one here has worked anywhere with a BYOD policy and MDM.

[kuschku]

The device belongs to the owner and the owner should be able to override anything.

If an organization wants to set policies that can’t be overridden, it should pay for the devices. (And even then, the user still has a right to privacy and a certain level of control).

If they set a MDM policy on a device I own, I’ll mail the organization the device and a bill for buying a new one that very same day.

[op00to]

So you’re out both the device AND a stamp?

[dTal]

No, it's a terrifying security hole, full stop. If I leave my non-managed Chromebook unattended (logged out!) for 30 seconds, someone can sign into it with their managed account and install spyware without me knowing?

[gime_tree_fiddy]

I think it works similarly on Android phones. Google policy for the Android Corp devices requires you to set it up using corp account, then add secondary personal accounts(if needed).