Only update block_devmode when the device is owned.

The previous code would reset the block_devmode even when no owner is
present, which is incorrect and leads to the flag incorrectly getting
cleared prematurely during OOBE.

BUG=chromium:375772
TEST=Manual: Set block_devmode=1, go through recovery, boot into OOBE, switch to dev. Dev-mode should be blocked.

Change-Id: Id2a39187c32e07039becffc881754570fd0f867f
Reviewed-on: https://chromium-review.googlesource.com/201630
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Reviewed-by: Chris Masone <cmasone@chromium.org>
Commit-Queue: Mattias Nissler <mnissler@chromium.org>
diff --git a/session_manager_impl.cc b/session_manager_impl.cc
index 4b87b3c..33cc1d6 100644
--- a/session_manager_impl.cc
+++ b/session_manager_impl.cc
@@ -77,21 +77,6 @@
 // The name of the flag that indicates whether dev mode should be blocked.
 const char kCrossystemBlockDevmode[] = "block_devmode";
 
-// Applies system settings as specified in |settings|.
-static void UpdateSystemSettings(
-    const enterprise_management::ChromeDeviceSettingsProto& settings) {
-  int block_devmode_setting =
-      settings.system_settings().block_devmode() ? 1 : 0;
-  int block_devmode_value = VbGetSystemPropertyInt(kCrossystemBlockDevmode);
-  if (block_devmode_value == -1)
-    LOG(ERROR) << "Failed to read block_devmode flag!";
-
-  if (block_devmode_setting != block_devmode_value) {
-    if (VbSetSystemPropertyInt(kCrossystemBlockDevmode, block_devmode_setting))
-      LOG(ERROR) << "Failed to write block_devmode flag!";
-  }
-}
-
 }  // namespace
 
 SessionManagerImpl::Error::Error() : set_(false) {}
@@ -215,7 +200,7 @@
   if (device_policy_->Initialize()) {
     device_local_account_policy_->UpdateDeviceSettings(
         device_policy_->GetSettings());
-    UpdateSystemSettings(device_policy_->GetSettings());
+    UpdateSystemSettings();
     return true;
   }
   return false;
@@ -567,7 +552,7 @@
                                               success);
   device_local_account_policy_->UpdateDeviceSettings(
       device_policy_->GetSettings());
-  UpdateSystemSettings(device_policy_->GetSettings());
+  UpdateSystemSettings();
 }
 
 void SessionManagerImpl::OnKeyPersisted(bool success) {
@@ -658,4 +643,21 @@
   return it == user_sessions_.end() ? NULL : it->second->policy_service.get();
 }
 
+void SessionManagerImpl::UpdateSystemSettings() {
+  // Only write settings when device ownership is established.
+  if (!owner_key_.IsPopulated())
+    return;
+
+  int block_devmode_setting =
+      device_policy_->GetSettings().system_settings().block_devmode() ? 1 : 0;
+  int block_devmode_value = VbGetSystemPropertyInt(kCrossystemBlockDevmode);
+  if (block_devmode_value == -1)
+    LOG(ERROR) << "Failed to read block_devmode flag!";
+
+  if (block_devmode_setting != block_devmode_value) {
+    if (VbSetSystemPropertyInt(kCrossystemBlockDevmode, block_devmode_setting))
+      LOG(ERROR) << "Failed to write block_devmode flag!";
+  }
+}
+
 }  // namespace login_manager
diff --git a/session_manager_impl.h b/session_manager_impl.h
index 0ca8056..891d3b3 100644
--- a/session_manager_impl.h
+++ b/session_manager_impl.h
@@ -191,6 +191,9 @@
 
   PolicyService* GetPolicyService(const std::string& user_email);
 
+  // Updates system settings according to |device_policy_|.
+  void UpdateSystemSettings();
+
   bool session_started_;
   bool session_stopping_;
   bool screen_locked_;