Added ConsumerManagementService class to handle enroll state and device owner info in boot lockbox.

Also added the code to store owner info into boot lockbox during enrollment.

BUG=chromium:353050
TEST=unit_tests

Review URL: https://codereview.chromium.org/438493002

Cr-Commit-Position: refs/heads/master@{#288451}
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@288451 0039d316-1c4b-4281-b951-d872f2087c98

21 files changed, 574 insertions, 74 deletions

diff --git a/chrome/browser/chromeos/policy/browser_policy_connector_chromeos.cc b/chrome/browser/chromeos/policy/browser_policy_connector_chromeos.cc
index 70b4ff0..156f1dc 100644
--- a/chrome/browser/chromeos/policy/browser_policy_connector_chromeos.cc
+++ b/chrome/browser/chromeos/policy/browser_policy_connector_chromeos.cc
@@ -19,6 +19,7 @@
 #include "base/strings/utf_string_conversions.h"
 #include "base/threading/sequenced_worker_pool.h"
 #include "chrome/browser/chromeos/policy/app_pack_updater.h"
+#include "chrome/browser/chromeos/policy/consumer_management_service.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_invalidator.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
@@ -35,6 +36,7 @@
 #include "chromeos/chromeos_paths.h"
 #include "chromeos/chromeos_switches.h"
 #include "chromeos/cryptohome/system_salt_getter.h"
+#include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/network/network_handler.h"
 #include "chromeos/network/onc/onc_certificate_importer_impl.h"
@@ -73,7 +75,7 @@ scoped_refptr<base::SequencedTaskRunner> GetBackgroundTaskRunner() {
       pool->GetSequenceToken(), base::SequencedWorkerPool::SKIP_ON_SHUTDOWN);
 }
 
-std::string GetConsumerDeviceManagementServerUrl() {
+std::string GetDeviceManagementServerUrlForConsumer() {
   const CommandLine* command_line = CommandLine::ForCurrentProcess();
   if (command_line->HasSwitch(
           chromeos::switches::kConsumerDeviceManagementUrl)) {
@@ -142,12 +144,20 @@ void BrowserPolicyConnectorChromeOS::Init(
 
   scoped_ptr<DeviceManagementService::Configuration> configuration(
       new DeviceManagementServiceConfiguration(
-          GetConsumerDeviceManagementServerUrl()));
+          GetDeviceManagementServerUrlForConsumer()));
   consumer_device_management_service_.reset(
       new DeviceManagementService(configuration.Pass()));
   consumer_device_management_service_->ScheduleInitialization(
       kServiceInitializationStartupDelay);
 
+  const CommandLine* command_line = CommandLine::ForCurrentProcess();
+  if (command_line->HasSwitch(chromeos::switches::kEnableConsumerManagement)) {
+    chromeos::CryptohomeClient* cryptohome_client =
+        chromeos::DBusThreadManager::Get()->GetCryptohomeClient();
+    consumer_management_service_.reset(
+        new ConsumerManagementService(cryptohome_client));
+  }
+
   if (device_cloud_policy_manager_) {
     // Note: for now the |device_cloud_policy_manager_| is using the global
     // schema registry. Eventually it will have its own registry, once device
@@ -160,7 +170,7 @@ void BrowserPolicyConnectorChromeOS::Init(
         new DeviceCloudPolicyInitializer(
             local_state,
             device_management_service(),
-            consumer_device_management_service(),
+            GetDeviceManagementServiceForConsumer(),
             GetBackgroundTaskRunner(),
             install_attributes_.get(),
             state_keys_broker_.get(),
diff --git a/chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h b/chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h
index 8c01d5b..9e3dd37 100644
--- a/chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h
+++ b/chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h
@@ -24,6 +24,7 @@ class URLRequestContextGetter;
 namespace policy {
 
 class AppPackUpdater;
+class ConsumerManagementService;
 class DeviceCloudPolicyInitializer;
 class DeviceCloudPolicyInvalidator;
 class DeviceCloudPolicyManagerChromeOS;
@@ -105,10 +106,14 @@ class BrowserPolicyConnectorChromeOS : public ChromeBrowserPolicyConnector {
   void SetUserPolicyDelegate(ConfigurationPolicyProvider* user_policy_provider);
 
   // Returns the device management service for consumer management.
-  DeviceManagementService* consumer_device_management_service() const {
+  DeviceManagementService* GetDeviceManagementServiceForConsumer() const {
     return consumer_device_management_service_.get();
   }
 
+  ConsumerManagementService* GetConsumerManagementService() const {
+    return consumer_management_service_.get();
+  }
+
   // Sets the install attributes for testing. Must be called before the browser
   // is created. RemoveInstallAttributesForTesting must be called after the test
   // to free the attributes.
@@ -146,6 +151,7 @@ class BrowserPolicyConnectorChromeOS : public ChromeBrowserPolicyConnector {
   scoped_ptr<NetworkConfigurationUpdater> network_configuration_updater_;
 
   scoped_ptr<DeviceManagementService> consumer_device_management_service_;
+  scoped_ptr<ConsumerManagementService> consumer_management_service_;
 
   base::WeakPtrFactory<BrowserPolicyConnectorChromeOS> weak_ptr_factory_;
 
diff --git a/chrome/browser/chromeos/policy/consumer_management_service.cc b/chrome/browser/chromeos/policy/consumer_management_service.cc
new file mode 100644
index 0000000..6267bf5
--- /dev/null
+++ b/chrome/browser/chromeos/policy/consumer_management_service.cc
@@ -0,0 +1,125 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/policy/consumer_management_service.h"
+
+#include "base/bind.h"
+#include "base/callback.h"
+#include "base/logging.h"
+#include "base/prefs/pref_registry_simple.h"
+#include "base/prefs/pref_service.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/common/pref_names.h"
+#include "chromeos/dbus/cryptohome/rpc.pb.h"
+#include "chromeos/dbus/cryptohome_client.h"
+
+namespace {
+
+const char* kAttributeOwnerId = "consumer_management.owner_id";
+
+}  // namespace
+
+namespace policy {
+
+ConsumerManagementService::ConsumerManagementService(
+    chromeos::CryptohomeClient* client) : client_(client),
+                                          weak_ptr_factory_(this) {
+}
+
+ConsumerManagementService::~ConsumerManagementService() {
+}
+
+// static
+void ConsumerManagementService::RegisterPrefs(PrefRegistrySimple* registry) {
+  registry->RegisterIntegerPref(
+      prefs::kConsumerManagementEnrollmentState, ENROLLMENT_NONE);
+}
+
+ConsumerManagementService::EnrollmentState
+ConsumerManagementService::GetEnrollmentState() const {
+  const PrefService* prefs = g_browser_process->local_state();
+  int state = prefs->GetInteger(prefs::kConsumerManagementEnrollmentState);
+  if (state < 0 || state >= ENROLLMENT_LAST) {
+    LOG(ERROR) << "Unknown enrollment state: " << state;
+    state = 0;
+  }
+  return static_cast<EnrollmentState>(state);
+}
+
+void ConsumerManagementService::SetEnrollmentState(EnrollmentState state) {
+  PrefService* prefs = g_browser_process->local_state();
+  prefs->SetInteger(prefs::kConsumerManagementEnrollmentState, state);
+}
+
+void ConsumerManagementService::GetOwner(const GetOwnerCallback& callback) {
+  cryptohome::GetBootAttributeRequest request;
+  request.set_name(kAttributeOwnerId);
+  client_->GetBootAttribute(
+      request,
+      base::Bind(&ConsumerManagementService::OnGetBootAttributeDone,
+                 weak_ptr_factory_.GetWeakPtr(),
+                 callback));
+}
+
+void ConsumerManagementService::OnGetBootAttributeDone(
+    const GetOwnerCallback& callback,
+    chromeos::DBusMethodCallStatus call_status,
+    bool dbus_success,
+    const cryptohome::BaseReply& reply) {
+  if (!dbus_success || reply.error() != 0) {
+    LOG(ERROR) << "Failed to get the owner info from boot lockbox.";
+    callback.Run("");
+    return;
+  }
+
+  callback.Run(
+      reply.GetExtension(cryptohome::GetBootAttributeReply::reply).value());
+}
+
+void ConsumerManagementService::SetOwner(const std::string& user_id,
+                                         const SetOwnerCallback& callback) {
+  cryptohome::SetBootAttributeRequest request;
+  request.set_name(kAttributeOwnerId);
+  request.set_value(user_id.data(), user_id.size());
+  client_->SetBootAttribute(
+      request,
+      base::Bind(&ConsumerManagementService::OnSetBootAttributeDone,
+                 weak_ptr_factory_.GetWeakPtr(),
+                 callback));
+}
+
+void ConsumerManagementService::OnSetBootAttributeDone(
+    const SetOwnerCallback& callback,
+    chromeos::DBusMethodCallStatus call_status,
+    bool dbus_success,
+    const cryptohome::BaseReply& reply) {
+  if (!dbus_success || reply.error() != 0) {
+    LOG(ERROR) << "Failed to set owner info in boot lockbox.";
+    callback.Run(false);
+    return;
+  }
+
+  cryptohome::FlushAndSignBootAttributesRequest request;
+  client_->FlushAndSignBootAttributes(
+      request,
+      base::Bind(&ConsumerManagementService::OnFlushAndSignBootAttributesDone,
+                 weak_ptr_factory_.GetWeakPtr(),
+                 callback));
+}
+
+void ConsumerManagementService::OnFlushAndSignBootAttributesDone(
+    const SetOwnerCallback& callback,
+    chromeos::DBusMethodCallStatus call_status,
+    bool dbus_success,
+    const cryptohome::BaseReply& reply) {
+  if (!dbus_success || reply.error() != 0) {
+    LOG(ERROR) << "Failed to flush and sign boot lockbox.";
+    callback.Run(false);
+    return;
+  }
+
+  callback.Run(true);
+}
+
+}  // namespace policy
diff --git a/chrome/browser/chromeos/policy/consumer_management_service.h b/chrome/browser/chromeos/policy/consumer_management_service.h
new file mode 100644
index 0000000..b667466
--- /dev/null
+++ b/chrome/browser/chromeos/policy/consumer_management_service.h
@@ -0,0 +1,97 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_POLICY_CONSUMER_MANAGEMENT_SERVICE_H_
+#define CHROME_BROWSER_CHROMEOS_POLICY_CONSUMER_MANAGEMENT_SERVICE_H_
+
+#include <string>
+
+#include "base/callback_forward.h"
+#include "base/macros.h"
+#include "base/memory/weak_ptr.h"
+#include "chromeos/dbus/dbus_method_call_status.h"
+
+class PrefRegistrySimple;
+
+namespace chromeos {
+class CryptohomeClient;
+}
+
+namespace cryptohome {
+class BaseReply;
+}
+
+namespace policy {
+
+// The consumer management service handles the enrollment state, which is an
+// enum value stored in local state to pass the information across reboots
+// and between compoments, including settings page, sign-in screen, and user
+// notification. It also handles the owner user ID stored in the boot lockbox.
+class ConsumerManagementService {
+ public:
+  enum EnrollmentState {
+    ENROLLMENT_NONE = 0,        // Not enrolled, or the enrollment is completed.
+    ENROLLMENT_ENROLLING,       // Enrollment is in progress.
+    ENROLLMENT_SUCCESS,         // Success. The notification is not sent yet.
+    ENROLLMENT_CANCELED,        // Canceled by the user.
+    ENROLLMENT_BOOT_LOCKBOX_FAILED,  // Failed to write to the boot lockbox.
+    ENROLLMENT_DM_SERVER_FAILED,     // Failed to register the device.
+
+    ENROLLMENT_LAST,            // This should always be the last one.
+  };
+
+  // GetOwner() invokes this with an argument set to the owner user ID,
+  // or an empty string on failure.
+  typedef base::Callback<void(const std::string&)> GetOwnerCallback;
+
+  // SetOwner() invokes this with an argument indicating success or failure.
+  typedef base::Callback<void(bool)> SetOwnerCallback;
+
+  explicit ConsumerManagementService(chromeos::CryptohomeClient* client);
+
+  virtual ~ConsumerManagementService();
+
+  // Registers prefs.
+  static void RegisterPrefs(PrefRegistrySimple* registry);
+
+  // Returns the enrollment state.
+  EnrollmentState GetEnrollmentState() const;
+
+  // Sets the enrollment state.
+  void SetEnrollmentState(EnrollmentState state);
+
+  // Returns the device owner stored in the boot lockbox via |callback|.
+  void GetOwner(const GetOwnerCallback& callback);
+
+  // Stores the device owner user ID into the boot lockbox and signs it.
+  // |callback| is invoked with an agument indicating success or failure.
+  void SetOwner(const std::string& user_id, const SetOwnerCallback& callback);
+
+ private:
+  void OnGetBootAttributeDone(
+      const GetOwnerCallback& callback,
+      chromeos::DBusMethodCallStatus call_status,
+      bool dbus_success,
+      const cryptohome::BaseReply& reply);
+
+  void OnSetBootAttributeDone(const SetOwnerCallback& callback,
+                              chromeos::DBusMethodCallStatus call_status,
+                              bool dbus_success,
+                              const cryptohome::BaseReply& reply);
+
+  void OnFlushAndSignBootAttributesDone(
+      const SetOwnerCallback& callback,
+      chromeos::DBusMethodCallStatus call_status,
+      bool dbus_success,
+      const cryptohome::BaseReply& reply);
+
+  chromeos::CryptohomeClient* client_;
+  base::WeakPtrFactory<ConsumerManagementService> weak_ptr_factory_;
+
+  DISALLOW_COPY_AND_ASSIGN(ConsumerManagementService);
+};
+
+}  // namespace policy
+
+#endif  // CHROME_BROWSER_CHROMEOS_POLICY_CONSUMER_MANAGEMENT_SERVICE_H_
diff --git a/chrome/browser/chromeos/policy/consumer_management_service_unittest.cc b/chrome/browser/chromeos/policy/consumer_management_service_unittest.cc
new file mode 100644
index 0000000..a4fc6c7
--- /dev/null
+++ b/chrome/browser/chromeos/policy/consumer_management_service_unittest.cc
@@ -0,0 +1,167 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/policy/consumer_management_service.h"
+
+#include "base/bind.h"
+#include "base/bind_helpers.h"
+#include "base/callback.h"
+#include "base/prefs/pref_registry_simple.h"
+#include "base/prefs/testing_pref_service.h"
+#include "chrome/common/pref_names.h"
+#include "chrome/test/base/scoped_testing_local_state.h"
+#include "chrome/test/base/testing_browser_process.h"
+#include "chromeos/dbus/cryptohome/rpc.pb.h"
+#include "chromeos/dbus/cryptohome_client.h"
+#include "chromeos/dbus/mock_cryptohome_client.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+using testing::Invoke;
+using testing::NiceMock;
+using testing::_;
+
+namespace {
+const char* kAttributeOwnerId = "consumer_management.owner_id";
+const char* kTestOwner = "test@chromium.org.test";
+}
+
+namespace policy {
+
+class ConsumerManagementServiceTest : public testing::Test {
+ public:
+  ConsumerManagementServiceTest()
+      : testing_local_state_(TestingBrowserProcess::GetGlobal()),
+        service_(new ConsumerManagementService(&mock_cryptohome_client_)),
+        cryptohome_result_(false),
+        set_owner_status_(false) {
+    ON_CALL(mock_cryptohome_client_, GetBootAttribute(_, _))
+        .WillByDefault(
+            Invoke(this, &ConsumerManagementServiceTest::MockGetBootAttribute));
+    ON_CALL(mock_cryptohome_client_, SetBootAttribute(_, _))
+        .WillByDefault(
+            Invoke(this, &ConsumerManagementServiceTest::MockSetBootAttribute));
+    ON_CALL(mock_cryptohome_client_, FlushAndSignBootAttributes(_, _))
+        .WillByDefault(
+            Invoke(this,
+                   &ConsumerManagementServiceTest::
+                       MockFlushAndSignBootAttributes));
+  }
+
+  void MockGetBootAttribute(
+      const cryptohome::GetBootAttributeRequest& request,
+      const chromeos::CryptohomeClient::ProtobufMethodCallback& callback) {
+    get_boot_attribute_request_ = request;
+    callback.Run(cryptohome_status_, cryptohome_result_, cryptohome_reply_);
+  }
+
+  void MockSetBootAttribute(
+      const cryptohome::SetBootAttributeRequest& request,
+      const chromeos::CryptohomeClient::ProtobufMethodCallback& callback) {
+    set_boot_attribute_request_ = request;
+    callback.Run(cryptohome_status_, cryptohome_result_, cryptohome_reply_);
+  }
+
+  void MockFlushAndSignBootAttributes(
+      const cryptohome::FlushAndSignBootAttributesRequest& request,
+      const chromeos::CryptohomeClient::ProtobufMethodCallback& callback) {
+    callback.Run(cryptohome_status_, cryptohome_result_, cryptohome_reply_);
+  }
+
+  void OnGetOwnerDone(const std::string& owner) {
+    owner_ = owner;
+  }
+
+  void OnSetOwnerDone(bool status) {
+    set_owner_status_ = status;
+  }
+
+  ScopedTestingLocalState testing_local_state_;
+  NiceMock<chromeos::MockCryptohomeClient> mock_cryptohome_client_;
+  scoped_ptr<ConsumerManagementService> service_;
+
+  chromeos::DBusMethodCallStatus cryptohome_status_;
+  bool cryptohome_result_;
+  cryptohome::BaseReply cryptohome_reply_;
+  cryptohome::GetBootAttributeRequest get_boot_attribute_request_;
+  cryptohome::SetBootAttributeRequest set_boot_attribute_request_;
+
+  std::string owner_;
+  bool set_owner_status_;
+};
+
+TEST_F(ConsumerManagementServiceTest, CanGetEnrollmentState) {
+  EXPECT_EQ(ConsumerManagementService::ENROLLMENT_NONE,
+            service_->GetEnrollmentState());
+
+  testing_local_state_.Get()->SetInteger(
+      prefs::kConsumerManagementEnrollmentState,
+      ConsumerManagementService::ENROLLMENT_ENROLLING);
+
+  EXPECT_EQ(ConsumerManagementService::ENROLLMENT_ENROLLING,
+            service_->GetEnrollmentState());
+}
+
+TEST_F(ConsumerManagementServiceTest, CanSetEnrollmentState) {
+  EXPECT_EQ(ConsumerManagementService::ENROLLMENT_NONE,
+            testing_local_state_.Get()->GetInteger(
+                prefs::kConsumerManagementEnrollmentState));
+
+  service_->SetEnrollmentState(ConsumerManagementService::ENROLLMENT_ENROLLING);
+
+  EXPECT_EQ(ConsumerManagementService::ENROLLMENT_ENROLLING,
+            testing_local_state_.Get()->GetInteger(
+                prefs::kConsumerManagementEnrollmentState));
+}
+
+TEST_F(ConsumerManagementServiceTest, CanGetOwner) {
+  cryptohome_status_ = chromeos::DBUS_METHOD_CALL_SUCCESS;
+  cryptohome_result_ = true;
+  cryptohome_reply_.MutableExtension(cryptohome::GetBootAttributeReply::reply)->
+      set_value(kTestOwner);
+
+  service_->GetOwner(base::Bind(&ConsumerManagementServiceTest::OnGetOwnerDone,
+                                base::Unretained(this)));
+
+  EXPECT_EQ(kAttributeOwnerId, get_boot_attribute_request_.name());
+  EXPECT_EQ(kTestOwner, owner_);
+}
+
+TEST_F(ConsumerManagementServiceTest, GetOwnerReturnsAnEmptyStringWhenItFails) {
+  cryptohome_status_ = chromeos::DBUS_METHOD_CALL_FAILURE;
+  cryptohome_result_ = false;
+  cryptohome_reply_.MutableExtension(cryptohome::GetBootAttributeReply::reply)->
+      set_value(kTestOwner);
+
+  service_->GetOwner(base::Bind(&ConsumerManagementServiceTest::OnGetOwnerDone,
+                                base::Unretained(this)));
+
+  EXPECT_EQ("", owner_);
+}
+
+TEST_F(ConsumerManagementServiceTest, CanSetOwner) {
+  cryptohome_status_ = chromeos::DBUS_METHOD_CALL_SUCCESS;
+  cryptohome_result_ = true;
+
+  service_->SetOwner(kTestOwner,
+                     base::Bind(&ConsumerManagementServiceTest::OnSetOwnerDone,
+                                base::Unretained(this)));
+
+  EXPECT_EQ(kAttributeOwnerId, set_boot_attribute_request_.name());
+  EXPECT_EQ(kTestOwner, set_boot_attribute_request_.value());
+  EXPECT_TRUE(set_owner_status_);
+}
+
+TEST_F(ConsumerManagementServiceTest, SetOwnerReturnsFalseWhenItFails) {
+  cryptohome_status_ = chromeos::DBUS_METHOD_CALL_FAILURE;
+  cryptohome_result_ = false;
+
+  service_->SetOwner(kTestOwner,
+                     base::Bind(&ConsumerManagementServiceTest::OnSetOwnerDone,
+                                base::Unretained(this)));
+
+  EXPECT_FALSE(set_owner_status_);
+}
+
+}  // namespace policy
diff --git a/chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.cc b/chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.cc
index c784c37..4814dcd 100644
--- a/chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.cc
+++ b/chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.cc
@@ -179,8 +179,6 @@ void DeviceCloudPolicyManagerChromeOS::RegisterPrefs(
   registry->RegisterBooleanPref(prefs::kDeviceEnrollmentAutoStart, false);
   registry->RegisterBooleanPref(prefs::kDeviceEnrollmentCanExit, true);
   registry->RegisterDictionaryPref(prefs::kServerBackedDeviceState);
-  registry->RegisterBooleanPref(prefs::kConsumerManagementEnrollmentRequested,
-                                false);
 }
 
 // static
diff --git a/chrome/browser/prefs/browser_prefs.cc b/chrome/browser/prefs/browser_prefs.cc
index 35472d8..3ab88f7 100644
--- a/chrome/browser/prefs/browser_prefs.cc
+++ b/chrome/browser/prefs/browser_prefs.cc
@@ -160,6 +160,7 @@
 #include "chrome/browser/chromeos/net/proxy_config_handler.h"
 #include "chrome/browser/chromeos/policy/auto_enrollment_client.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
+#include "chrome/browser/chromeos/policy/consumer_management_service.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
 #include "chrome/browser/chromeos/policy/device_status_collector.h"
 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
@@ -328,6 +329,7 @@ void RegisterLocalState(PrefRegistrySimple* registry) {
   invalidation::InvalidatorStorage::RegisterPrefs(registry);
   policy::AutoEnrollmentClient::RegisterPrefs(registry);
   policy::BrowserPolicyConnectorChromeOS::RegisterPrefs(registry);
+  policy::ConsumerManagementService::RegisterPrefs(registry);
   policy::DeviceCloudPolicyManagerChromeOS::RegisterPrefs(registry);
   policy::DeviceStatusCollector::RegisterPrefs(registry);
   policy::PolicyCertServiceFactory::RegisterPrefs(registry);
diff --git a/chrome/browser/resources/chromeos/login/header_bar.html b/chrome/browser/resources/chromeos/login/header_bar.html
index 5eac53e..9f5f9728 100644
--- a/chrome/browser/resources/chromeos/login/header_bar.html
+++ b/chrome/browser/resources/chromeos/login/header_bar.html
@@ -29,7 +29,7 @@
   <div id="cancel-consumer-management-enrollment" class="header-bar-item"
       hidden>
     <button id="cancel-consumer-management-enrollment-button"
-        class="custom-appearance" i18n-content="cancel"></button>
+        class="custom-appearance" i18n-content="cancel">
     </button>
   </div>
 </div>
diff --git a/chrome/browser/resources/chromeos/login/header_bar.js b/chrome/browser/resources/chromeos/login/header_bar.js
index 311912e..18735c3 100644
--- a/chrome/browser/resources/chromeos/login/header_bar.js
+++ b/chrome/browser/resources/chromeos/login/header_bar.js
@@ -45,9 +45,9 @@ cr.define('login', function() {
           this.handleSignoutClick_);
       $('cancel-multiple-sign-in-button').addEventListener('click',
           this.handleCancelMultipleSignInClick_);
-      $('cancel-consumer-management-enrollment-button')
-          .addEventListener('click',
-              this.handleCancelConsumerManagementEnrollmentClick_);
+      $('cancel-consumer-management-enrollment-button').addEventListener(
+          'click',
+          this.handleCancelConsumerManagementEnrollmentClick_);
       if (Oobe.getInstance().displayType == DISPLAY_TYPE.LOGIN ||
           Oobe.getInstance().displayType == DISPLAY_TYPE.OOBE) {
         if (Oobe.getInstance().newKioskUI)
diff --git a/chrome/browser/resources/chromeos/login/screen_gaia_signin.js b/chrome/browser/resources/chromeos/login/screen_gaia_signin.js
index 50d0f4b..153663d 100644
--- a/chrome/browser/resources/chromeos/login/screen_gaia_signin.js
+++ b/chrome/browser/resources/chromeos/login/screen_gaia_signin.js
@@ -220,8 +220,8 @@ login.createScreen('GaiaSigninScreen', 'gaia-signin', function() {
       chrome.send('loginUIStateChanged', ['gaia-signin', true]);
       $('login-header-bar').signinUIState =
           this.isEnrollingConsumerManagement_ ?
-          SIGNIN_UI_STATE.CONSUMER_MANAGEMENT_ENROLLMENT :
-          SIGNIN_UI_STATE.GAIA_SIGNIN;
+              SIGNIN_UI_STATE.CONSUMER_MANAGEMENT_ENROLLMENT :
+              SIGNIN_UI_STATE.GAIA_SIGNIN;
 
       // Ensure that GAIA signin (or loading UI) is actually visible.
       window.requestAnimationFrame(function() {
@@ -318,13 +318,13 @@ login.createScreen('GaiaSigninScreen', 'gaia-signin', function() {
       $('createSupervisedUserNoManagerText').textContent =
           data.supervisedUsersRestrictionReason;
 
-      $('consumerManagementEnrollment').hidden =
-          !data.isEnrollingConsumerManagement;
+      var isEnrollingConsumerManagement = data.isEnrollingConsumerManagement;
+      $('consumerManagementEnrollment').hidden = !isEnrollingConsumerManagement;
 
       this.isShowUsers_ = data.isShowUsers;
       this.updateCancelButtonState();
 
-      this.isEnrollingConsumerManagement_ = data.isEnrollingConsumerManagement;
+      this.isEnrollingConsumerManagement_ = isEnrollingConsumerManagement;
 
       // Sign-in right panel is hidden if all of its items are hidden.
       var noRightPanel = $('gaia-signin-reason').hidden &&
diff --git a/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc b/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
index acf85b4..1d4e093 100644
--- a/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
+++ b/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
@@ -4,6 +4,7 @@
 
 #include "chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h"
 
+#include "base/bind.h"
 #include "base/logging.h"
 #include "base/metrics/histogram.h"
 #include "base/strings/utf_string_conversions.h"
@@ -13,6 +14,7 @@
 #include "chrome/browser/chromeos/login/ui/login_display_host_impl.h"
 #include "chrome/browser/chromeos/login/ui/user_adding_screen.h"
 #include "chrome/browser/chromeos/login/users/user_manager.h"
+#include "chrome/browser/chromeos/policy/consumer_management_service.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
 #include "chrome/browser/io_thread.h"
@@ -36,7 +38,8 @@ namespace {
 
 const char kJsScreenPath[] = "login.GaiaSigninScreen";
 
-void UpdateAuthParams(base::DictionaryValue* params, bool has_users,
+void UpdateAuthParams(base::DictionaryValue* params,
+                      bool has_users,
                       bool is_enrolling_consumer_management) {
   CrosSettings* cros_settings = CrosSettings::Get();
   bool allow_new_user = true;
@@ -109,11 +112,13 @@ GaiaContext::GaiaContext()
       has_users(false) {}
 
 GaiaScreenHandler::GaiaScreenHandler(
-    const scoped_refptr<NetworkStateInformer>& network_state_informer)
+    const scoped_refptr<NetworkStateInformer>& network_state_informer,
+    policy::ConsumerManagementService* consumer_management)
     : BaseScreenHandler(kJsScreenPath),
       frame_state_(FRAME_STATE_UNKNOWN),
       frame_error_(net::OK),
       network_state_informer_(network_state_informer),
+      consumer_management_(consumer_management),
       dns_cleared_(false),
       dns_clear_task_running_(false),
       cookies_cleared_(false),
@@ -132,6 +137,8 @@ GaiaScreenHandler::~GaiaScreenHandler() {
 
 void GaiaScreenHandler::LoadGaia(const GaiaContext& context) {
   base::DictionaryValue params;
+  const bool is_enrolling_consumer_management =
+      context.is_enrolling_consumer_management;
 
   params.SetBoolean("forceReload", context.force_reload);
   params.SetBoolean("isLocal", context.is_local);
@@ -140,10 +147,11 @@ void GaiaScreenHandler::LoadGaia(const GaiaContext& context) {
   params.SetBoolean("useOffline", context.use_offline);
   params.SetString("email", context.email);
   params.SetBoolean("isEnrollingConsumerManagement",
-                    context.is_enrolling_consumer_management);
+                    is_enrolling_consumer_management);
 
-  UpdateAuthParams(&params, context.has_users,
-                   context.is_enrolling_consumer_management);
+  UpdateAuthParams(&params,
+                   context.has_users,
+                   is_enrolling_consumer_management);
 
   if (!context.use_offline) {
     const std::string app_locale = g_browser_process->GetApplicationLocale();
@@ -289,37 +297,28 @@ void GaiaScreenHandler::HandleCompleteAuthentication(
 void GaiaScreenHandler::HandleCompleteLogin(const std::string& typed_email,
                                             const std::string& password,
                                             bool using_saml) {
-  std::string owner_email = UserManager::Get()->GetOwnerEmail();
-  if (is_enrolling_consumer_management_ && typed_email != owner_email) {
-    // Show Gaia signin page again since we only allow the owner to sign in.
-    populated_email_ = owner_email;
-    ShowGaia(is_enrolling_consumer_management_);
+  if (!is_enrolling_consumer_management_) {
+    DoCompleteLogin(typed_email, password, using_saml);
     return;
   }
 
-  if (!Delegate())
+  // Consumer management enrollment is in progress.
+  const std::string owner_email = UserManager::Get()->GetOwnerEmail();
+  if (typed_email != owner_email) {
+    // Show Gaia sign-in screen again, since we only allow the owner to sign
+    // in.
+    populated_email_ = owner_email;
+    ShowGaia(is_enrolling_consumer_management_);
     return;
-
-  if (using_saml && !using_saml_api_)
-    RecordSAMLScrapingVerificationResultInHistogram(true);
-
-  const std::string sanitized_email = gaia::SanitizeEmail(typed_email);
-  Delegate()->SetDisplayEmail(sanitized_email);
-  UserContext user_context(sanitized_email);
-  user_context.SetKey(Key(password));
-  user_context.SetAuthFlow(using_saml
-                               ? UserContext::AUTH_FLOW_GAIA_WITH_SAML
-                               : UserContext::AUTH_FLOW_GAIA_WITHOUT_SAML);
-  Delegate()->CompleteLogin(user_context);
-
-  if (test_expects_complete_login_) {
-    VLOG(2) << "Complete test login for " << typed_email
-            << ", requested=" << test_user_;
-
-    test_expects_complete_login_ = false;
-    test_user_.clear();
-    test_pass_.clear();
   }
+
+  CHECK(consumer_management_);
+  consumer_management_->SetOwner(owner_email,
+                                 base::Bind(&GaiaScreenHandler::OnSetOwnerDone,
+                                            weak_factory_.GetWeakPtr(),
+                                            typed_email,
+                                            password,
+                                            using_saml));
 }
 
 void GaiaScreenHandler::HandleUsingSAMLAPI() {
@@ -376,6 +375,49 @@ void GaiaScreenHandler::HandleGaiaUIReady() {
     SubmitLoginFormForTest();
 }
 
+void GaiaScreenHandler::OnSetOwnerDone(const std::string& typed_email,
+                                       const std::string& password,
+                                       bool using_saml,
+                                       bool success) {
+  if (!success) {
+    LOG(ERROR) << "Failed to write owner e-mail to boot lockbox.";
+    CHECK(consumer_management_);
+    consumer_management_->SetEnrollmentState(
+        policy::ConsumerManagementService::ENROLLMENT_BOOT_LOCKBOX_FAILED);
+    // We should continue loggin in the user, as there's not much we can do
+    // here.
+  }
+  DoCompleteLogin(typed_email, password, using_saml);
+}
+
+void GaiaScreenHandler::DoCompleteLogin(const std::string& typed_email,
+                                        const std::string& password,
+                                        bool using_saml) {
+  if (!Delegate())
+    return;
+
+  if (using_saml && !using_saml_api_)
+    RecordSAMLScrapingVerificationResultInHistogram(true);
+
+  const std::string sanitized_email = gaia::SanitizeEmail(typed_email);
+  Delegate()->SetDisplayEmail(sanitized_email);
+  UserContext user_context(sanitized_email);
+  user_context.SetKey(Key(password));
+  user_context.SetAuthFlow(using_saml
+                               ? UserContext::AUTH_FLOW_GAIA_WITH_SAML
+                               : UserContext::AUTH_FLOW_GAIA_WITHOUT_SAML);
+  Delegate()->CompleteLogin(user_context);
+
+  if (test_expects_complete_login_) {
+    VLOG(2) << "Complete test login for " << typed_email
+            << ", requested=" << test_user_;
+
+    test_expects_complete_login_ = false;
+    test_user_.clear();
+    test_pass_.clear();
+  }
+}
+
 void GaiaScreenHandler::PopulateEmail(const std::string& user_id) {
   populated_email_ = user_id;
 }
diff --git a/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h b/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h
index ac9f391..e357d79 100644
--- a/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h
+++ b/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h
@@ -5,12 +5,18 @@
 #ifndef CHROME_BROWSER_UI_WEBUI_CHROMEOS_LOGIN_GAIA_SCREEN_HANDLER_H_
 #define CHROME_BROWSER_UI_WEBUI_CHROMEOS_LOGIN_GAIA_SCREEN_HANDLER_H_
 
+#include <string>
+
 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/memory/ref_counted.h"
 #include "chrome/browser/ui/webui/chromeos/login/network_state_informer.h"
 #include "net/base/net_errors.h"
 
+namespace policy {
+class ConsumerManagementService;
+}
+
 namespace chromeos {
 
 class SigninScreenHandler;
@@ -54,8 +60,9 @@ class GaiaScreenHandler : public BaseScreenHandler {
     FRAME_STATE_ERROR
   };
 
-  explicit GaiaScreenHandler(
-      const scoped_refptr<NetworkStateInformer>& network_state_informer);
+  GaiaScreenHandler(
+      const scoped_refptr<NetworkStateInformer>& network_state_informer,
+      policy::ConsumerManagementService* consumer_management);
   virtual ~GaiaScreenHandler();
 
   void LoadGaia(const GaiaContext& context);
@@ -95,6 +102,17 @@ class GaiaScreenHandler : public BaseScreenHandler {
 
   void HandleGaiaUIReady();
 
+  // This is called when ConsumerManagementService::SetOwner() returns.
+  void OnSetOwnerDone(const std::string& typed_email,
+                      const std::string& password,
+                      bool using_saml,
+                      bool success);
+
+  // Really handles the complete login message.
+  void DoCompleteLogin(const std::string& typed_email,
+                       const std::string& password,
+                       bool using_saml);
+
   // Fill GAIA user name.
   void PopulateEmail(const std::string& user_id);
 
@@ -153,6 +171,9 @@ class GaiaScreenHandler : public BaseScreenHandler {
   // Network state informer used to keep signin screen up.
   scoped_refptr<NetworkStateInformer> network_state_informer_;
 
+  // Consumer management service for checking if enrollment is in progress.
+  policy::ConsumerManagementService* consumer_management_;
+
   // Email to pre-populate with.
   std::string populated_email_;
 
diff --git a/chrome/browser/ui/webui/chromeos/login/oobe_ui.cc b/chrome/browser/ui/webui/chromeos/login/oobe_ui.cc
index 912335e..c6fd45b 100644
--- a/chrome/browser/ui/webui/chromeos/login/oobe_ui.cc
+++ b/chrome/browser/ui/webui/chromeos/login/oobe_ui.cc
@@ -7,9 +7,13 @@
 #include "base/command_line.h"
 #include "base/logging.h"
 #include "base/values.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/browser_process_platform_part.h"
 #include "chrome/browser/chromeos/kiosk_mode/kiosk_mode_settings.h"
 #include "chrome/browser/chromeos/login/enrollment/auto_enrollment_check_screen_actor.h"
 #include "chrome/browser/chromeos/login/enrollment/enrollment_screen_actor.h"
+#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
+#include "chrome/browser/chromeos/policy/consumer_management_service.h"
 #include "chrome/browser/chromeos/system/input_device_settings.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/ui/webui/about_ui.h"
@@ -256,7 +260,11 @@ OobeUI::OobeUI(content::WebUI* web_ui, const GURL& url)
   user_image_screen_actor_ = user_image_screen_handler;
   AddScreenHandler(user_image_screen_handler);
 
-  gaia_screen_handler_ = new GaiaScreenHandler(network_state_informer_);
+  policy::ConsumerManagementService* consumer_management =
+      g_browser_process->platform_part()->browser_policy_connector_chromeos()->
+          GetConsumerManagementService();
+  gaia_screen_handler_ =
+      new GaiaScreenHandler(network_state_informer_, consumer_management);
   AddScreenHandler(gaia_screen_handler_);
 
   signin_screen_handler_ = new SigninScreenHandler(network_state_informer_,
diff --git a/chrome/browser/ui/webui/chromeos/login/signin_screen_handler.cc b/chrome/browser/ui/webui/chromeos/login/signin_screen_handler.cc
index 38e6c60..75fb63e 100644
--- a/chrome/browser/ui/webui/chromeos/login/signin_screen_handler.cc
+++ b/chrome/browser/ui/webui/chromeos/login/signin_screen_handler.cc
@@ -8,7 +8,6 @@
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
-#include "base/command_line.h"
 #include "base/debug/trace_event.h"
 #include "base/location.h"
 #include "base/logging.h"
@@ -40,6 +39,7 @@
 #include "chrome/browser/chromeos/login/users/wallpaper/wallpaper_manager.h"
 #include "chrome/browser/chromeos/login/wizard_controller.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
+#include "chrome/browser/chromeos/policy/consumer_management_service.h"
 #include "chrome/browser/chromeos/policy/device_local_account.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
@@ -54,7 +54,6 @@
 #include "chrome/browser/ui/webui/chromeos/login/oobe_ui.h"
 #include "chrome/common/pref_names.h"
 #include "chrome/common/url_constants.h"
-#include "chromeos/chromeos_switches.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/power_manager_client.h"
 #include "chromeos/ime/ime_keyboard.h"
@@ -299,12 +298,13 @@ SigninScreenHandler::SigninScreenHandler(
   if (keyboard)
     keyboard->AddObserver(this);
 
-  CommandLine* command_line = CommandLine::ForCurrentProcess();
-  PrefService* prefs = g_browser_process->local_state();
+  policy::ConsumerManagementService* consumer_management =
+      g_browser_process->platform_part()->browser_policy_connector_chromeos()->
+          GetConsumerManagementService();
   is_enrolling_consumer_management_ =
-      command_line->HasSwitch(chromeos::switches::kEnableConsumerManagement) &&
-      prefs->GetBoolean(prefs::kConsumerManagementEnrollmentRequested);
-
+      consumer_management &&
+      consumer_management->GetEnrollmentState() ==
+          policy::ConsumerManagementService::ENROLLMENT_ENROLLING;
 }
 
 SigninScreenHandler::~SigninScreenHandler() {
@@ -431,8 +431,8 @@ void SigninScreenHandler::Show(const LoginScreenContext& context) {
 
   std::string email;
   if (is_enrolling_consumer_management_) {
-    // We don't check if the value of the owner email is trusted because it is
-    // only used to pre-fill the email field in Gaia sign-in page and a cached
+    // We don't check if the value of the owner e-mail is trusted because it is
+    // only used to pre-fill the e-mail field in Gaia sign-in page and a cached
     // value is sufficient.
     CrosSettings::Get()->GetString(kDeviceOwner, &email);
   } else {
@@ -1367,8 +1367,12 @@ void SigninScreenHandler::HandleLaunchKioskApp(const std::string& app_id,
 }
 
 void SigninScreenHandler::HandleCancelConsumerManagementEnrollment() {
-  PrefService* prefs = g_browser_process->local_state();
-  prefs->SetBoolean(prefs::kConsumerManagementEnrollmentRequested, false);
+  policy::ConsumerManagementService* consumer_management =
+      g_browser_process->platform_part()->browser_policy_connector_chromeos()->
+          GetConsumerManagementService();
+  CHECK(consumer_management);
+  consumer_management->SetEnrollmentState(
+      policy::ConsumerManagementService::ENROLLMENT_CANCELED);
   is_enrolling_consumer_management_ = false;
   ShowImpl();
 }
diff --git a/chrome/browser/ui/webui/options/chromeos/consumer_management_handler.cc b/chrome/browser/ui/webui/options/chromeos/consumer_management_handler.cc
index e106c58..8acec3a 100644
--- a/chrome/browser/ui/webui/options/chromeos/consumer_management_handler.cc
+++ b/chrome/browser/ui/webui/options/chromeos/consumer_management_handler.cc
@@ -7,11 +7,9 @@
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/logging.h"
-#include "base/prefs/pref_service.h"
 #include "base/values.h"
-#include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/login/users/user_manager.h"
-#include "chrome/common/pref_names.h"
+#include "chrome/browser/chromeos/policy/consumer_management_service.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/power_manager_client.h"
 #include "content/public/browser/web_ui.h"
@@ -21,7 +19,9 @@
 namespace chromeos {
 namespace options {
 
-ConsumerManagementHandler::ConsumerManagementHandler() {
+ConsumerManagementHandler::ConsumerManagementHandler(
+    policy::ConsumerManagementService* management_service)
+    : management_service_(management_service) {
 }
 
 ConsumerManagementHandler::~ConsumerManagementHandler() {
@@ -83,9 +83,9 @@ void ConsumerManagementHandler::HandleEnrollConsumerManagement(
     return;
   }
 
-  PrefService* prefs = g_browser_process->local_state();
-  prefs->SetBoolean(prefs::kConsumerManagementEnrollmentRequested, true);
-  prefs->CommitPendingWrite();
+  CHECK(management_service_);
+  management_service_->SetEnrollmentState(
+      policy::ConsumerManagementService::ENROLLMENT_ENROLLING);
   chromeos::DBusThreadManager::Get()->GetPowerManagerClient()->RequestRestart();
 }
 
diff --git a/chrome/browser/ui/webui/options/chromeos/consumer_management_handler.h b/chrome/browser/ui/webui/options/chromeos/consumer_management_handler.h
index 5b4003d..2be4c0b 100644
--- a/chrome/browser/ui/webui/options/chromeos/consumer_management_handler.h
+++ b/chrome/browser/ui/webui/options/chromeos/consumer_management_handler.h
@@ -10,13 +10,18 @@
 #include "base/values.h"
 #include "chrome/browser/ui/webui/options/options_ui.h"
 
+namespace policy {
+class ConsumerManagementService;
+}
+
 namespace chromeos {
 namespace options {
 
 // Consumer management overlay page UI handler.
 class ConsumerManagementHandler : public ::options::OptionsPageUIHandler {
  public:
-  ConsumerManagementHandler();
+  explicit ConsumerManagementHandler(
+      policy::ConsumerManagementService* management_service);
   virtual ~ConsumerManagementHandler();
 
   // OptionsPageUIHandler implementation.
@@ -29,6 +34,8 @@ class ConsumerManagementHandler : public ::options::OptionsPageUIHandler {
   void HandleEnrollConsumerManagement(const base::ListValue* args);
   void HandleUnenrollConsumerManagement(const base::ListValue* args);
 
+  policy::ConsumerManagementService* management_service_;
+
   DISALLOW_COPY_AND_ASSIGN(ConsumerManagementHandler);
 };
 
diff --git a/chrome/browser/ui/webui/options/options_ui.cc b/chrome/browser/ui/webui/options/options_ui.cc
index 311d37e..68727d5 100644
--- a/chrome/browser/ui/webui/options/options_ui.cc
+++ b/chrome/browser/ui/webui/options/options_ui.cc
@@ -70,6 +70,9 @@
 #include "url/gurl.h"
 
 #if defined(OS_CHROMEOS)
+#include "chrome/browser/browser_process_platform_part.h"
+#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
+#include "chrome/browser/chromeos/policy/consumer_management_service.h"
 #include "chrome/browser/chromeos/system/pointer_device_observer.h"
 #include "chrome/browser/ui/webui/options/chromeos/accounts_options_handler.h"
 #include "chrome/browser/ui/webui/options/chromeos/bluetooth_options_handler.h"
@@ -304,8 +307,6 @@ OptionsUI::OptionsUI(content::WebUI* web_ui)
   AddOptionsPageUIHandler(localized_strings,
                           new chromeos::options::BluetoothOptionsHandler());
   AddOptionsPageUIHandler(localized_strings,
-                          new chromeos::options::ConsumerManagementHandler());
-  AddOptionsPageUIHandler(localized_strings,
                           new chromeos::options::DateTimeOptionsHandler());
   AddOptionsPageUIHandler(localized_strings,
                           new chromeos::options::DisplayOptionsHandler());
@@ -327,6 +328,13 @@ OptionsUI::OptionsUI(content::WebUI* web_ui)
       new chromeos::options::ChangePictureOptionsHandler());
   AddOptionsPageUIHandler(localized_strings,
                           new chromeos::options::StatsOptionsHandler());
+
+  policy::ConsumerManagementService* consumer_management =
+      g_browser_process->platform_part()->browser_policy_connector_chromeos()->
+          GetConsumerManagementService();
+  chromeos::options::ConsumerManagementHandler* consumer_management_handler =
+      new chromeos::options::ConsumerManagementHandler(consumer_management);
+  AddOptionsPageUIHandler(localized_strings, consumer_management_handler);
 #endif
 #if defined(USE_NSS)
   AddOptionsPageUIHandler(localized_strings,
diff --git a/chrome/chrome_browser_chromeos.gypi b/chrome/chrome_browser_chromeos.gypi
index b44099b..7a3cdfb 100644
--- a/chrome/chrome_browser_chromeos.gypi
+++ b/chrome/chrome_browser_chromeos.gypi
@@ -805,6 +805,8 @@
         'browser/chromeos/policy/cloud_external_data_store.h',
         'browser/chromeos/policy/configuration_policy_handler_chromeos.cc',
         'browser/chromeos/policy/configuration_policy_handler_chromeos.h',
+        'browser/chromeos/policy/consumer_management_service.cc',
+        'browser/chromeos/policy/consumer_management_service.h',
         'browser/chromeos/policy/device_cloud_policy_initializer.cc',
         'browser/chromeos/policy/device_cloud_policy_initializer.h',
         'browser/chromeos/policy/device_cloud_policy_invalidator.cc',
diff --git a/chrome/chrome_tests_unit.gypi b/chrome/chrome_tests_unit.gypi
index ef3c215..02d00b6 100644
--- a/chrome/chrome_tests_unit.gypi
+++ b/chrome/chrome_tests_unit.gypi
@@ -756,6 +756,7 @@
         'browser/chromeos/policy/cloud_external_data_policy_observer_unittest.cc',
         'browser/chromeos/policy/cloud_external_data_store_unittest.cc',
         'browser/chromeos/policy/configuration_policy_handler_chromeos_unittest.cc',
+        'browser/chromeos/policy/consumer_management_service_unittest.cc',
         'browser/chromeos/policy/device_cloud_policy_invalidator_unittest.cc',
         'browser/chromeos/policy/device_cloud_policy_manager_chromeos_unittest.cc',
         'browser/chromeos/policy/device_cloud_policy_store_chromeos_unittest.cc',
diff --git a/chrome/common/pref_names.cc b/chrome/common/pref_names.cc
index abb0c8b..96a76c0 100644
--- a/chrome/common/pref_names.cc
+++ b/chrome/common/pref_names.cc
@@ -1918,9 +1918,11 @@ const char kCustomizationDefaultWallpaperURL[] =
 // This is saved to file and cleared after chrome process starts.
 const char kLogoutStartedLast[] = "chromeos.logout-started";
 
-// A boolean pref of the consumer management enrollment requested flag.
-const char kConsumerManagementEnrollmentRequested[] =
-    "consumer_management.enrollment_requested";
+// An integer pref of the current consumer management enrollment state. The
+// meaning of the value is defined in the enum EnrollmentState in:
+//   chrome/browser/chromeos/policy/consumer_management_service.h
+const char kConsumerManagementEnrollmentState[] =
+    "consumer_management.enrollment_state";
 #endif
 
 // Whether there is a Flash version installed that supports clearing LSO data.
diff --git a/chrome/common/pref_names.h b/chrome/common/pref_names.h
index 931dd0c..614f5363 100644
--- a/chrome/common/pref_names.h
+++ b/chrome/common/pref_names.h
@@ -678,7 +678,7 @@ extern const char kUsedPolicyCertificates[];
 extern const char kServerBackedDeviceState[];
 extern const char kCustomizationDefaultWallpaperURL[];
 extern const char kLogoutStartedLast[];
-extern const char kConsumerManagementEnrollmentRequested[];
+extern const char kConsumerManagementEnrollmentState[];
 #endif
 
 extern const char kClearPluginLSODataEnabled[];