# Ownership
The concept of ownership lets ChromeOS decide who has full control over the device, including the ability to change settings that might affect all users on the device.

A ChromeOS device can be owned by a single user (in contrast to an organization), in which case it is consumer owned.

The first user created on the device becomes the owner. ChromeOS generates an owner key pair for the user and produces the initial device settings. The device settings name the owner user as the author, include the public part of the owner key, and are signed with the private part of the owner key. Chrome sends the signed device settings to the session manager daemon, which stores them on disk. The session manager also stores the public owner key separately, so all users can verify the signature on the device settings.

Later, the owner user can produce, sign and store new device settings as long as they have the owner key. Other users can read and verify the settings, but they cannot change them.

If the public part of the owner key is lost or corrupted, the session manager can restore it from the device settings. If the private part of the key is lost and the device settings claim that the current user is the owner, a new owner key may be generated and new device settings signed with it may be stored. As a last resort, the local state preferences also store which user is the owner.
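
A toy model of the consumer flow described above, added here as an illustration and not ChromeOS code: settings signed with the private owner key, verification by any user against the separately stored public key, and restoring a lost key copy from the stored settings. Ed25519, the settings encoding, and every type and function name are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// SignedSettings (hypothetical model): author, owner public key, payload, signature.
type SignedSettings struct {
	Owner              string
	PublicKey          ed25519.PublicKey
	Payload, Signature []byte
}

// signedBytes encodes the signed fields unambiguously (owner is length-prefixed).
func (s SignedSettings) signedBytes() []byte {
	return []byte(fmt.Sprintf("%d:%s|%x|%s", len(s.Owner), s.Owner, []byte(s.PublicKey), s.Payload))
}

// NewKey generates an owner key pair. Ed25519 is an assumption of this example.
func NewKey() ed25519.PrivateKey {
	_, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return priv
}

// Sign builds settings authored by owner and signed with the private owner key.
func Sign(owner string, priv ed25519.PrivateKey, payload []byte) SignedSettings {
	s := SignedSettings{Owner: owner, PublicKey: priv.Public().(ed25519.PublicKey), Payload: payload}
	s.Signature = ed25519.Sign(priv, s.signedBytes())
	return s
}

type SessionManager struct {
	StoredKey ed25519.PublicKey // separate copy of the public owner key
	Settings  SignedSettings    // device settings as stored on disk
}

// Verify restores a lost key copy from the stored settings, then checks s.
func (m *SessionManager) Verify(s SignedSettings) bool {
	if len(m.StoredKey) != ed25519.PublicKeySize {
		m.StoredKey = m.Settings.PublicKey // taken from stored settings, never from s
	}
	return len(m.StoredKey) == ed25519.PublicKeySize && ed25519.Verify(m.StoredKey, s.signedBytes(), s.Signature)
}

func main() { // constructed demo: the key copy is absent, so it is restored first
	m := &SessionManager{Settings: Sign("owner@example.com", NewKey(), []byte("guest_mode=off"))}
	fmt.Println(m.Verify(m.Settings), m.Verify(Sign("other@example.com", NewKey(), []byte("guest_mode=on"))))
}
```

In this model a restored key is only as trustworthy as the stored settings it was read from, which is what the separately stored copy guards against.
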

A ChromeOS device can be owned by an organization, in which case it is enterprise managed.

To initiate this mode, the device needs to be enterprise enrolled, either on the OOBE (out-of-the-box experience) screen or automatically. The owner key pair is owned by the management server, and the device receives only the public part of the owner key, together with device policies, from it. The session manager processes device policies from the management server in the same way as device settings on consumer devices.

The management server can rotate the owner key.