Added explanatory dialog for enterprise users during OOBE.

This is only shown when auto-enrollment is performed and doesn't succeed
automatically at first. It explains the user what he has to do, and gives a
(buried) option to opt out of enterprise enrollment.

This feature is behind a flag, and is still disabled by default.

BUG=chromium-os:23063
TEST=Login with an invalid (e.g. @gmail.com) account at the first sign-in screen during OOBE. Auto-enrollment should fail and show an explanatory dialog.


Review URL: http://codereview.chromium.org/9022049

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@118087 0039d316-1c4b-4281-b951-d872f2087c98

12 files changed, 269 insertions, 79 deletions

diff --git a/chrome/app/generated_resources.grd b/chrome/app/generated_resources.grd
index f503db1..92c9ca7 100644
--- a/chrome/app/generated_resources.grd
+++ b/chrome/app/generated_resources.grd
@@ -14606,6 +14606,33 @@ Battery full
       <message name="IDS_ENTERPRISE_ENROLLMENT_RESUMING_LOGIN" desc="Status message to show after enterprise enrollment is complete and the first user login is prepared.">
         Preparing for first enterprise login...
       </message>
+      <message name="IDS_ENTERPRISE_ENROLLMENT_EXPLAIN" desc="Explanatory text describing what enterprise enrollment is and guiding the user to sign in with an account from the enterprise domain.">
+        Welcome to your managed Chromebook!
+
+        To complete the setup of this Chromebook, you must sign in with a username given to you by your organization.
+
+        Contact your system administrator for more information.
+
+        If this device does not belong to your organization, and is your personal device, you can use the link below to go back to the sign in screen and cancel enrollment of the device.
+      </message>
+      <message name="IDS_ENTERPRISE_ENROLLMENT_EXPLAIN_LINK" desc="Text on the link to the screen that explain what enterprise enrollment is.">
+        Learn more about Enterprise Enrollment
+      </message>
+      <message name="IDS_ENTERPRISE_ENROLLMENT_EXPLAIN_BUTTON" desc="Text on the button that closes the explanatory dialog and sends to user back to the sign in screen.">
+        Sign in now
+      </message>
+      <message name="IDS_ENTERPRISE_ENROLLMENT_CANCEL_AUTO" desc="Text on the link that cancels and opts out of auto enrollment.">
+        Cancel enterprise enrollment on this device.
+      </message>
+      <message name="IDS_ENTERPRISE_ENROLLMENT_CANCEL_AUTO_REALLY" desc="Message asking the user to confirm if he really wants to cancel auto enrollment.">
+        Please confirm that this is not an enterprise device. Enterprise enrollment will be cancelled.
+      </message>
+      <message name="IDS_ENTERPRISE_ENROLLMENT_CANCEL_AUTO_CONFIRM" desc="Text on the button that confirms opting out of auto enrollment.">
+        Cancel enterprise enrollment
+      </message>
+      <message name="IDS_ENTERPRISE_ENROLLMENT_CANCEL_AUTO_GO_BACK" desc="Text on the button that goes back to enrollment from the confirmation dialog.">
+        Back
+      </message>
     </if>
 
     <!-- Fullscreen Strings -->
diff --git a/chrome/browser/chromeos/login/base_login_display_host.cc b/chrome/browser/chromeos/login/base_login_display_host.cc
index a551ced..6563f5a 100644
--- a/chrome/browser/chromeos/login/base_login_display_host.cc
+++ b/chrome/browser/chromeos/login/base_login_display_host.cc
@@ -78,15 +78,12 @@ const int kBackgroundTranslate = -50;
 // network requests are made while the system is idle waiting for user input.
 const int64 kPolicyServiceInitializationDelayMilliseconds = 100;
 
-// A boolean pref of the auto-enrollment decision. This pref only exists if the
-// auto-enrollment check has been done once and completed.
-const char kShouldAutoEnroll[] = "ShouldAutoEnroll";
-
 // Returns true if an auto-enrollment decision has been made and is cached in
 // local state. If so, the decision is stored in |auto_enroll|.
 bool GetAutoEnrollmentDecision(bool* auto_enroll) {
+  PrefService* local_state = g_browser_process->local_state();
   const PrefService::Preference* pref =
-      g_browser_process->local_state()->FindPreference(kShouldAutoEnroll);
+      local_state->FindPreference(prefs::kShouldAutoEnroll);
   if (pref && !pref->IsDefaultValue())
     return pref->GetValue()->GetAsBoolean(auto_enroll);
   else
@@ -174,7 +171,7 @@ BaseLoginDisplayHost::~BaseLoginDisplayHost() {
 
 // static
 void BaseLoginDisplayHost::RegisterPrefs(PrefService* local_state) {
-  local_state->RegisterBooleanPref(kShouldAutoEnroll,
+  local_state->RegisterBooleanPref(prefs::kShouldAutoEnroll,
                                    false,
                                    PrefService::UNSYNCABLE_PREF);
 }
@@ -445,7 +442,7 @@ void BaseLoginDisplayHost::OnAutoEnrollmentClientDone() {
   // Auto-update might be in progress and might force a reboot. Cache the
   // decision in local_state.
   PrefService* local_state = g_browser_process->local_state();
-  local_state->SetBoolean(kShouldAutoEnroll, auto_enroll);
+  local_state->SetBoolean(prefs::kShouldAutoEnroll, auto_enroll);
   local_state->CommitPendingWrite();
 
   if (auto_enroll)
diff --git a/chrome/browser/resources/chromeos/login/login.html b/chrome/browser/resources/chromeos/login/login.html
index 159dae1..7ca89a8 100644
--- a/chrome/browser/resources/chromeos/login/login.html
+++ b/chrome/browser/resources/chromeos/login/login.html
@@ -3,6 +3,7 @@
 <head>
 <title i18n-content="title"></title>
 <link rel="stylesheet" href="chrome://resources/css/button.css">
+<link rel="stylesheet" href="chrome://resources/css/dialogs.css"></link>
 <link rel="stylesheet" href="chrome://resources/css/list.css">
 <link rel="stylesheet" href="chrome://resources/css/select.css">
 <link rel="stylesheet" href="chrome://resources/css/spinner.css">
@@ -18,6 +19,7 @@
 <script src="chrome://resources/js/cr/event_target.js"></script>
 <script src="chrome://resources/js/cr/ui.js"></script>
 <script src="chrome://resources/js/cr/ui/array_data_model.js"></script>
+<script src="chrome://resources/js/cr/ui/dialogs.js"></script>
 <script src="chrome://resources/js/cr/ui/list_selection_controller.js"></script>
 <script src="chrome://resources/js/cr/ui/list_selection_model.js"></script>
 <script src="chrome://resources/js/cr/ui/list_single_selection_model.js"></script>
diff --git a/chrome/browser/resources/chromeos/login/oobe.css b/chrome/browser/resources/chromeos/login/oobe.css
index b399177..e2bfb8f 100644
--- a/chrome/browser/resources/chromeos/login/oobe.css
+++ b/chrome/browser/resources/chromeos/login/oobe.css
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011 The Chromium Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  *
@@ -361,6 +361,8 @@ html[dir=rtl] #user-image-preview {
 #oobe.signin #signin-button,
 #oobe.user-image #ok-button,
 #oobe.oauth-enrollment #oauth-enroll-cancel-button,
+#oobe.oauth-enrollment #oauth-enroll-try-again-button,
+#oobe.oauth-enrollment #oauth-enroll-explain-button,
 #oobe.oauth-enrollment #oauth-enroll-done-button {
   display: block;
 }
@@ -602,13 +604,25 @@ button {
 }
 
 #oauth-enroll-signin-frame {
-  bottom: 0;
-  display: -webkit-box;
+  border: 0 none;
   height: 100%;
-  left: 0;
+  width: 100%;
+}
+
+#oauth-enroll-signin-frame-container {
+  box-sizing: border-box;
+  height: 100%;
+  padding-bottom: 20px;
+  width: 100%;
+}
+
+#oauth-enroll-signin-link-container {
+  bottom: 0;
   position: absolute;
   right: 0;
-  top: 0;
+}
+
+#oauth-enroll-step-signin {
   width: 100%;
 }
 
@@ -646,7 +660,11 @@ button {
   vertical-align: top;
 }
 
-#oauth-enroll-error-retry {
+#oauth-enroll-explain-message {
+  white-space: pre-line;
+}
+
+.oauth-enroll-link {
   color: -webkit-link;
   cursor: pointer;
   text-decoration: underline;
diff --git a/chrome/browser/resources/chromeos/login/oobe.html b/chrome/browser/resources/chromeos/login/oobe.html
index 271ec4e..1926457 100644
--- a/chrome/browser/resources/chromeos/login/oobe.html
+++ b/chrome/browser/resources/chromeos/login/oobe.html
@@ -3,6 +3,7 @@
 <head>
 <title i18n-content="title"></title>
 <link rel="stylesheet" href="chrome://resources/css/button.css">
+<link rel="stylesheet" href="chrome://resources/css/dialogs.css"></link>
 <link rel="stylesheet" href="chrome://resources/css/list.css">
 <link rel="stylesheet" href="chrome://resources/css/select.css">
 <link rel="stylesheet" href="chrome://resources/css/spinner.css">
@@ -19,6 +20,7 @@
 <script src="chrome://resources/js/cr/event_target.js"></script>
 <script src="chrome://resources/js/cr/ui.js"></script>
 <script src="chrome://resources/js/cr/ui/array_data_model.js"></script>
+<script src="chrome://resources/js/cr/ui/dialogs.js"></script>
 <script src="chrome://resources/js/cr/ui/list_selection_controller.js"></script>
 <script src="chrome://resources/js/cr/ui/list_selection_model.js"></script>
 <script src="chrome://resources/js/cr/ui/list_single_selection_model.js"></script>
diff --git a/chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.html b/chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.html
index 6859216..65b08f9 100644
--- a/chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.html
+++ b/chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.html
@@ -1,8 +1,14 @@
 <div id="oauth-enrollment" class="step right hidden">
   <div id="oauth-enroll-container">
     <div id="oauth-enroll-step-signin">
-      <iframe id="oauth-enroll-signin-frame" src="about:blank" marginwidth="0"
-          marginheight="0" frameborder="0" scrolling="no"></iframe>
+      <div id="oauth-enroll-signin-frame-container">
+        <iframe id="oauth-enroll-signin-frame" src="about:blank" marginwidth="0"
+            marginheight="0" frameborder="0" scrolling="no"></iframe>
+      </div>
+      <div id="oauth-enroll-signin-link-container">
+        <a class="oauth-enroll-explain-link oauth-enroll-link"
+            i18n-content="oauthEnrollExplainLink" hidden></a>
+      </div>
     </div>
     <div id="oauth-enroll-step-working" class="oauth-enroll-step-center" hidden>
       <div class="oauth-enroll-step-content">
@@ -10,7 +16,7 @@
           <span class="spinner"></span>
         </span>
         <span class="oauth-enroll-step-message">
-          <div id="oauth-enroll-working-message"></div>
+          <span id="oauth-enroll-working-message"></span>
         </span>
       </div>
     </div>
@@ -20,8 +26,28 @@
           <img src="chrome://theme/IDR_ENROLL_FAILURE">
         </span>
         <span class="oauth-enroll-step-message">
-          <div id="oauth-enroll-error-message"></div>
-          <a id='oauth-enroll-error-retry' i18n-content="oauthEnrollRetry"></a>
+          <span id="oauth-enroll-error-message"></span>
+          <p>
+            <a id="oauth-enroll-error-retry" class="oauth-enroll-link"
+                i18n-content="oauthEnrollRetry"></a>
+            <a class="oauth-enroll-explain-link oauth-enroll-link"
+                i18n-content="oauthEnrollExplainLink" hidden></a>
+          </p>
+        </span>
+      </div>
+    </div>
+    <div id="oauth-enroll-step-explain" class="oauth-enroll-step-center" hidden>
+      <div class="oauth-enroll-step-content">
+        <span class="oauth-enroll-step-icon">
+          <img src="chrome://theme/IDR_INFO">
+        </span>
+        <span class="oauth-enroll-step-message">
+          <span id="oauth-enroll-explain-message"
+              i18n-content="oauthEnrollExplain"></span>
+          <p>
+            <a id="oauth-enroll-cancel-auto-link" class="oauth-enroll-link"
+                i18n-content="oauthEnrollCancelAutoEnrollment"></a>
+          </p>
         </span>
       </div>
     </div>
@@ -30,8 +56,8 @@
         <span class="oauth-enroll-step-icon">
           <img src="chrome://theme/IDR_ENROLL_SUCCESS">
         </span>
-        <span class="oauth-enroll-step-message"
-            i18n-content="oauthEnrollSuccess">
+        <span class="oauth-enroll-step-message">
+          <span i18n-content="oauthEnrollSuccess"></span>
         </span>
       </div>
     </div>
diff --git a/chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.js b/chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.js
index 1ddb9a6..9bb1242 100644
--- a/chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.js
+++ b/chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.js
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -54,33 +54,35 @@ cr.define('oobe', function() {
     /**
      * URL to load in the sign in frame.
      */
-    signin_url_ : null,
+    signInUrl_: null,
 
     /**
      * Whether this is a manual or auto enrollment.
      */
-    is_auto_enrollment_: false,
+    isAutoEnrollment_: false,
 
     /**
      * Enrollment steps with names and buttons to show.
      */
-    steps_ : [
-      { name: 'signin',
-        button: 'cancel' },
-      { name: 'working',
-        button: 'cancel' },
-      { name: 'error',
-        button: 'cancel' },
-      { name: 'success',
-        button: 'done',
-        focusButton: true },
-    ],
+    steps_: null,
+
+    /**
+     * Dialog to confirm that auto-enrollment should really be cancelled.
+     * This is only created the first time it's used.
+     */
+    confirmDialog_: null,
 
     /** @inheritDoc */
     decorate: function() {
-      $('oauth-enroll-error-retry').addEventListener('click', function() {
-        chrome.send('oauthEnrollRetry', []);
-      });
+      $('oauth-enroll-error-retry').addEventListener('click',
+                                                     this.doRetry_.bind(this));
+      $('oauth-enroll-cancel-auto-link').addEventListener(
+          'click',
+          this.confirmCancelAutoEnrollment_.bind(this));
+      var links = document.querySelectorAll('.oauth-enroll-explain-link');
+      for (var i = 0; i < links.length; i++) {
+        links[i].addEventListener('click', this.showStep.bind(this, 'explain'));
+      }
     },
 
     /**
@@ -103,17 +105,33 @@ cr.define('oobe', function() {
       cancelButton.textContent =
           localStrings.getString('oauthEnrollCancel');
       cancelButton.addEventListener('click', function(e) {
-        chrome.send('oauthEnrollCancel', []);
+        chrome.send('oauthEnrollClose', ['cancel']);
       });
       buttons.push(cancelButton);
 
+      var tryAgainButton = this.ownerDocument.createElement('button');
+      tryAgainButton.id = 'oauth-enroll-try-again-button';
+      tryAgainButton.hidden = true;
+      tryAgainButton.textContent =
+          localStrings.getString('oauthEnrollRetry');
+      tryAgainButton.addEventListener('click', this.doRetry_.bind(this));
+      buttons.push(tryAgainButton);
+
+      var explainButton = this.ownerDocument.createElement('button');
+      explainButton.id = 'oauth-enroll-explain-button';
+      explainButton.hidden = true;
+      explainButton.textContent =
+          localStrings.getString('oauthEnrollExplainButton');
+      explainButton.addEventListener('click', this.doRetry_.bind(this));
+      buttons.push(explainButton);
+
       var doneButton = this.ownerDocument.createElement('button');
       doneButton.id = 'oauth-enroll-done-button';
       doneButton.hidden = true;
       doneButton.textContent =
           localStrings.getString('oauthEnrollDone');
       doneButton.addEventListener('click', function(e) {
-        chrome.send('oauthEnrollClose', []);
+        chrome.send('oauthEnrollClose', ['done']);
       });
       buttons.push(doneButton);
 
@@ -133,10 +151,36 @@ cr.define('oobe', function() {
         url += '&test_email=' + encodeURIComponent(data.test_email);
         url += '&test_password=' + encodeURIComponent(data.test_password);
       }
-      this.signin_url_ = url;
-      this.is_auto_enrollment_ = data.is_auto_enrollment;
+      this.signInUrl_ = url;
+      this.isAutoEnrollment_ = data.is_auto_enrollment;
+
       $('oauth-enroll-signin-frame').contentWindow.location.href =
-          this.signin_url_;
+          this.signInUrl_;
+
+      // The cancel button is not available during auto-enrollment.
+      var cancel = this.isAutoEnrollment_ ? null : 'cancel';
+      // During auto-enrollment the user must try again from the error screen.
+      var error_cancel = this.isAutoEnrollment_ ? 'try-again' : 'cancel';
+      this.steps_ = [
+        { name: 'signin',
+          button: cancel },
+        { name: 'working',
+          button: cancel },
+        { name: 'error',
+          button: error_cancel,
+          focusButton: this.isAutoEnrollment_ },
+        { name: 'explain',
+          button: 'explain',
+          focusButton: true },
+        { name: 'success',
+          button: 'done',
+          focusButton: true },
+      ];
+
+      var links = document.querySelectorAll('.oauth-enroll-explain-link');
+      for (var i = 0; i < links.length; i++)
+        links[i].hidden = !this.isAutoEnrollment_;
+
       this.showStep('signin');
     },
 
@@ -144,9 +188,8 @@ cr.define('oobe', function() {
      * Cancels enrollment and drops the user back to the login screen.
      */
     cancel: function() {
-      // TODO(joaodasilva): this is triggered by the accelerator (Escape key),
-      // but should be prevented while auto-enrolling.
-      chrome.send('oauthEnrollCancel', []);
+      if (!this.isAutoEnrollment_)
+        chrome.send('oauthEnrollClose', ['cancel']);
     },
 
     /**
@@ -156,21 +199,20 @@ cr.define('oobe', function() {
      */
     showStep: function(step) {
       $('oauth-enroll-cancel-button').hidden = true;
+      $('oauth-enroll-try-again-button').hidden = true;
+      $('oauth-enroll-explain-button').hidden = true;
       $('oauth-enroll-done-button').hidden = true;
       for (var i = 0; i < this.steps_.length; i++) {
         var theStep = this.steps_[i];
         var active = (theStep.name == step);
         $('oauth-enroll-step-' + theStep.name).hidden = !active;
-        if (active) {
+        if (active && theStep.button) {
           var button = $('oauth-enroll-' + theStep.button + '-button');
           button.hidden = false;
           if (theStep.focusButton)
             button.focus();
         }
       }
-      // TODO(joaodasilva): handle auto-enrollment in a proper way.
-      if (this.is_auto_enrollment_)
-        $('oauth-enroll-cancel-button').hidden = true;
     },
 
     /**
@@ -180,7 +222,7 @@ cr.define('oobe', function() {
      */
     showError: function(message, retry) {
       $('oauth-enroll-error-message').textContent = message;
-      $('oauth-enroll-error-retry').hidden = !retry;
+      $('oauth-enroll-error-retry').hidden = !retry || this.isAutoEnrollment_;
       this.showStep('error');
     },
 
@@ -194,14 +236,47 @@ cr.define('oobe', function() {
     },
 
     /**
+     * Retries the enrollment process after an error occurred in a previous
+     * attempt. This goes to the C++ side through |chrome| first to clean up the
+     * profile, so that the next attempt is performed with a clean state.
+     */
+    doRetry_: function() {
+      chrome.send('oauthEnrollRetry', []);
+    },
+
+    /**
+     * Handler for cancellations of an enforced auto-enrollment.
+     */
+    confirmCancelAutoEnrollment_: function() {
+      if (!this.confirmDialog_) {
+        this.confirmDialog_ = new cr.ui.dialogs.ConfirmDialog(document.body);
+        this.confirmDialog_.setOkLabel(
+            localStrings.getString('oauthEnrollCancelAutoEnrollmentConfirm'));
+        this.confirmDialog_.setCancelLabel(
+            localStrings.getString('oauthEnrollCancelAutoEnrollmentGoBack'));
+        this.confirmDialog_.setInitialFocusOnCancel();
+      }
+      this.confirmDialog_.show(
+          localStrings.getString('oauthEnrollCancelAutoEnrollmentReally'),
+          this.onConfirmCancelAutoEnrollment_.bind(this));
+    },
+
+    /**
+     * Handler for confirmation of cancellation of auto-enrollment.
+     */
+    onConfirmCancelAutoEnrollment_: function() {
+      chrome.send('oauthEnrollClose', ['autocancel']);
+    },
+
+    /**
      * Checks if a given HTML5 message comes from the URL loaded into the signin
      * frame.
      * @param m {object} HTML5 message.
      * @type {bool} whether the message comes from the signin frame.
      */
     isSigninMessage_: function(m) {
-      return this.signin_url_ != null &&
-          this.signin_url_.indexOf(m.origin) == 0 &&
+      return this.signInUrl_ != null &&
+          this.signInUrl_.indexOf(m.origin) == 0 &&
           m.source == $('oauth-enroll-signin-frame').contentWindow;
     },
 
diff --git a/chrome/browser/resources/shared/js/cr/ui/dialogs.js b/chrome/browser/resources/shared/js/cr/ui/dialogs.js
index bf97e22..43d1a6d 100644
--- a/chrome/browser/resources/shared/js/cr/ui/dialogs.js
+++ b/chrome/browser/resources/shared/js/cr/ui/dialogs.js
@@ -103,6 +103,10 @@ cr.define('cr.ui.dialogs', function() {
     this.cancelButton_.textContent = label;
   };
 
+  BaseDialog.prototype.setInitialFocusOnCancel = function() {
+    this.initialFocusElement_ = this.cancelButton_;
+  };
+
   BaseDialog.prototype.show = function(message, onOk, onCancel, onShow) {
     this.showWithTitle(null, message, onOk, onCancel, onShow);
   }
diff --git a/chrome/browser/ui/webui/chromeos/login/enterprise_oauth_enrollment_screen_handler.cc b/chrome/browser/ui/webui/chromeos/login/enterprise_oauth_enrollment_screen_handler.cc
index 16d67ae..423439e 100644
--- a/chrome/browser/ui/webui/chromeos/login/enterprise_oauth_enrollment_screen_handler.cc
+++ b/chrome/browser/ui/webui/chromeos/login/enterprise_oauth_enrollment_screen_handler.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,13 +9,16 @@
 #include "base/callback.h"
 #include "base/message_loop.h"
 #include "base/metrics/histogram.h"
+#include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/login/login_utils.h"
 #include "chrome/browser/net/gaia/gaia_oauth_fetcher.h"
 #include "chrome/browser/policy/enterprise_metrics.h"
+#include "chrome/browser/prefs/pref_service.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/common/net/gaia/gaia_constants.h"
 #include "chrome/common/net/gaia/gaia_urls.h"
 #include "chrome/common/net/gaia/google_service_auth_error.h"
+#include "chrome/common/pref_names.h"
 #include "content/public/browser/web_contents.h"
 #include "grit/chromium_strings.h"
 #include "grit/generated_resources.h"
@@ -100,10 +103,6 @@ void EnterpriseOAuthEnrollmentScreenHandler::RegisterMessages() {
       base::Bind(&EnterpriseOAuthEnrollmentScreenHandler::HandleClose,
                  base::Unretained(this)));
   web_ui()->RegisterMessageCallback(
-      "oauthEnrollCancel",
-      base::Bind(&EnterpriseOAuthEnrollmentScreenHandler::HandleCancel,
-                 base::Unretained(this)));
-  web_ui()->RegisterMessageCallback(
       "oauthEnrollCompleteLogin",
       base::Bind(&EnterpriseOAuthEnrollmentScreenHandler::HandleCompleteLogin,
                  base::Unretained(this)));
@@ -256,6 +255,27 @@ void EnterpriseOAuthEnrollmentScreenHandler::GetLocalizedStrings(
   localized_strings->SetString(
       "oauthEnrollSuccess",
       l10n_util::GetStringUTF16(IDS_ENTERPRISE_ENROLLMENT_SUCCESS));
+  localized_strings->SetString(
+      "oauthEnrollExplain",
+      l10n_util::GetStringUTF16(IDS_ENTERPRISE_ENROLLMENT_EXPLAIN));
+  localized_strings->SetString(
+      "oauthEnrollExplainLink",
+      l10n_util::GetStringUTF16(IDS_ENTERPRISE_ENROLLMENT_EXPLAIN_LINK));
+  localized_strings->SetString(
+      "oauthEnrollExplainButton",
+      l10n_util::GetStringUTF16(IDS_ENTERPRISE_ENROLLMENT_EXPLAIN_BUTTON));
+  localized_strings->SetString(
+      "oauthEnrollCancelAutoEnrollment",
+      l10n_util::GetStringUTF16(IDS_ENTERPRISE_ENROLLMENT_CANCEL_AUTO));
+  localized_strings->SetString(
+      "oauthEnrollCancelAutoEnrollmentReally",
+      l10n_util::GetStringUTF16(IDS_ENTERPRISE_ENROLLMENT_CANCEL_AUTO_REALLY));
+  localized_strings->SetString(
+      "oauthEnrollCancelAutoEnrollmentConfirm",
+      l10n_util::GetStringUTF16(IDS_ENTERPRISE_ENROLLMENT_CANCEL_AUTO_CONFIRM));
+  localized_strings->SetString(
+      "oauthEnrollCancelAutoEnrollmentGoBack",
+      l10n_util::GetStringUTF16(IDS_ENTERPRISE_ENROLLMENT_CANCEL_AUTO_GO_BACK));
 }
 
 void EnterpriseOAuthEnrollmentScreenHandler::OnGetOAuthTokenFailure(
@@ -321,19 +341,41 @@ void EnterpriseOAuthEnrollmentScreenHandler::OnBrowsingDataRemoverDone() {
 
 void EnterpriseOAuthEnrollmentScreenHandler::HandleClose(
     const base::ListValue* value) {
-  RevokeTokens();
-
-  // If the user account used for enrollment is not whitelisted, send the user
-  // back to the login screen. In that case, clear the profile data too.
-  bool is_whitelisted = !user_.empty() && LoginUtils::IsWhitelisted(user_);
+  bool back_to_signin = true;
+
+  std::string reason;
+  CHECK_EQ(1U, value->GetSize());
+  CHECK(value->GetString(0, &reason));
+
+  if (reason == "cancel") {
+    DCHECK(!is_auto_enrollment_);
+    UMA_HISTOGRAM_ENUMERATION(policy::kMetricEnrollment,
+                              policy::kMetricEnrollmentCancelled,
+                              policy::kMetricEnrollmentSize);
+  } else if (reason == "autocancel") {
+    // Store the user's decision so that the sign-in screen doesn't go
+    // automatically to the enrollment screen again.
+    PrefService* local_state = g_browser_process->local_state();
+    local_state->SetBoolean(prefs::kShouldAutoEnroll, false);
+    local_state->CommitPendingWrite();
+    // TODO(joaodasilva): record UMA for this.
+  } else if (reason == "done") {
+    // If the user account used for enrollment is not whitelisted, send the user
+    // back to the login screen. In that case, clear the profile data too.
+    bool is_whitelisted = !user_.empty() && LoginUtils::IsWhitelisted(user_);
+
+    // If enrollment failed at least once, the profile was cleared and the user
+    // had to retry with another account, or even cancelled the whole thing.
+    // In that case, go back to the sign-in screen; otherwise, if this was an
+    // auto-enrollment, resume the pending signin.
+    back_to_signin = !is_auto_enrollment_ ||
+                     enrollment_failed_once_ ||
+                     !is_whitelisted;
+  } else {
+    NOTREACHED();
+  }
 
-  // If enrollment failed at least once, the profile was cleared and the user
-  // had to retry with another account, or even cancelled the whole thing.
-  // In that case, go back to the sign-in screen; otherwise, if this was an
-  // auto-enrollment, resume the pending signin.
-  bool back_to_signin = !is_auto_enrollment_ ||
-                        enrollment_failed_once_ ||
-                        !is_whitelisted;
+  RevokeTokens();
 
   if (back_to_signin) {
     // Clean the profile before going back to signin.
@@ -349,14 +391,6 @@ void EnterpriseOAuthEnrollmentScreenHandler::HandleClose(
   }
 }
 
-void EnterpriseOAuthEnrollmentScreenHandler::HandleCancel(
-    const base::ListValue* value) {
-  UMA_HISTOGRAM_ENUMERATION(policy::kMetricEnrollment,
-                            policy::kMetricEnrollmentCancelled,
-                            policy::kMetricEnrollmentSize);
-  HandleClose(value);
-}
-
 void EnterpriseOAuthEnrollmentScreenHandler::HandleCompleteLogin(
     const base::ListValue* value) {
   if (!controller_) {
diff --git a/chrome/browser/ui/webui/chromeos/login/enterprise_oauth_enrollment_screen_handler.h b/chrome/browser/ui/webui/chromeos/login/enterprise_oauth_enrollment_screen_handler.h
index b9d07c6..6c20d61 100644
--- a/chrome/browser/ui/webui/chromeos/login/enterprise_oauth_enrollment_screen_handler.h
+++ b/chrome/browser/ui/webui/chromeos/login/enterprise_oauth_enrollment_screen_handler.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -77,7 +77,6 @@ class EnterpriseOAuthEnrollmentScreenHandler
  private:
   // Handlers for WebUI messages.
   void HandleClose(const base::ListValue* args);
-  void HandleCancel(const base::ListValue* args);
   void HandleCompleteLogin(const base::ListValue* args);
   void HandleRetry(const base::ListValue* args);
 
diff --git a/chrome/common/pref_names.cc b/chrome/common/pref_names.cc
index 06b8a5d..ed49897 100644
--- a/chrome/common/pref_names.cc
+++ b/chrome/common/pref_names.cc
@@ -1586,6 +1586,11 @@ const char kHardwareKeyboardLayout[] = "intl.hardware_keyboard";
 // notification has been shown to user.
 const char kCarrierDealPromoShown[] =
     "settings.internet.mobile.carrier_deal_promo_shown";
+
+// A boolean pref of the auto-enrollment decision. This pref only exists if the
+// auto-enrollment check has been done once and completed. It can be reset to
+// false if the user opts out of auto enrollment.
+const char kShouldAutoEnroll[] = "ShouldAutoEnroll";
 #endif
 
 // Whether there is a Flash version installed that supports clearing LSO data.
diff --git a/chrome/common/pref_names.h b/chrome/common/pref_names.h
index f7daa0c..5a57861 100644
--- a/chrome/common/pref_names.h
+++ b/chrome/common/pref_names.h
@@ -611,6 +611,7 @@ extern const char kManagedAutoSelectCertificateForUrls[];
 extern const char kSignedSettingsCache[];
 extern const char kHardwareKeyboardLayout[];
 extern const char kCarrierDealPromoShown[];
+extern const char kShouldAutoEnroll[];
 #endif
 
 extern const char kClearPluginLSODataEnabled[];