Hey there guys.
I hate to break this to you all, but this is nearly impossible. I'm stuck in the exact same situation on a Lenovo Thinkpad 11e Chromebook running Chrome OS 61 Stable-Release (which I'm currently typing this response on).
Let me give you some knowledge that I've picked up during my tournament to attempt to gain victory against the Enterprise Admin of my school district:
1) I have bypassed enrollment before...three or four times. It did involve doing exactly what Eric Tribble did (only without me removing the write-protect screw because I honestly don't know where the !&&* it is on my Chromebook).
2) Now, with the completely new device they gave me (same make and model), I can't bypass enrollment for the life of me. If you refer to chrome://policy on an enterprise enrolled device, you'll see the many policies that your Enterprise Admin has set for you.
3) This is the ass kicker of them all...all those policies I just mentioned AREN'T tied to the firmware, the BIOS, or any of that (well they are but you'll see what I mean). They're all tied to your serial number. When you reset your Chromebook, go through the GUI Setup process, and right before the enrollment screen you see "Determining device configuration"...that's Google checking in with it's servers to see if your device is managed by a domain. So that's really hard to bypass. I can give you all a few extra suggestions to try, but don't get your hopes up. It's also just a policy called "Forced Re-Enroll" in the Admin Console. These things have security tighter than a bug's ass, but I guess that's why all of our G Suite admins are laughing at us right now, me included.
1) Shut down the device, disconnect DC Power, open up the back of your Chromebook using a Phillips Head Screwdriver, locate the battery, and disconnect it from the motherboard. If your policies aren't as strict, you'll need to wait about 25-30 minutes. This allows the BIOS/UEFI/CMOS chips to clear, and the capacitors on the motherboard to drain since they're not receiving any power from the local main battery. After the allotted amount of time (or even after), plug in the DC Power ONLY. Proceed to press ESC+REFRESH+POWER, hit Ctrl+D at the "Chrome OS Is Missing or Damaged" screen, press enter to be delivered to a screen that states "OS Verification is OFF", hit Ctrl+D again or wait thirty seconds to transition to Developer Mode. If you were successful, refer to step three. If you were unsuccessful, refer to step two.
2) If you failed to achieve Developer Mode because the foul Administrator blocked it, unplug DC Power to kill all power to your computer again, and press the power button for 60-75 seconds, increasing it by 5-7 seconds per time as needed. This should bypass the Admin block by further draining those capacitors and the BIOS/UEFI/CMOS chips.
3) If you succeeded in reaching Developer Mode, great job! You defeated the foul Admin. Refer to Eric Tribble's post on changing the internal MLB_SERIAL_NUMBER and the SERIAL_NUMBER.
4) Sorry for the long post, I just enjoy sharing the knowledge I have, especially against foul Enterprise/Domain G Suite Admins.
5) If you have any questions, or want to tell me if it did/didn't work, please email me at firstname.lastname@example.org
I hope that this helps at least one person defeat their disgustingly foul G Suite Admin. Good luck and let the hacking gods be with you.
Here's an updated to my post from a few months back.
If it's just websites you want to unblock, you can try with changing the DNS Server to Comodo Secure's Server address (220.127.116.11 for primary and 18.104.22.168 for secondary).
However, I have been unable to bypass the developer (dev) mode block on my Lenovo Thinkpad 11e Chromebook (Type: 20DU0003US), and I have also been unable to use the motherboard/capacitor draining. I have tried everything, and will most likely give up. Here are the stats of my system:
Version: 64.0.3282.144 (official build) (64-bit)
10176.68.0 (Official Build) stable-channel glimmer
Currently on stable
Mozilla/5.0 (X11; CrOS x86_64 10176.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.144 Safari/537.36
/opt/google/chrome/chrome --ppapi-flash-path=/opt/google/chrome/pepper/libpepflashplayer.so --ppapi-flash-version=22.214.171.124 --ui-prioritize-in-gpu-process --use-gl=egl --enable-native-gpu-memory-buffers --gpu-sandbox-failures-fatal=yes --enable-logging --log-level=1 --use-cras --enable-wayland-server --user-data-dir=/home/chronos --max-unused-resource-memory-usage-percentage=5 --login-profile=user --has-chromeos-keyboard --enable-touchview --default-wallpaper-large=/usr/share/chromeos-assets/wallpaper/default_large.jpg --default-wallpaper-small=/usr/share/chromeos-assets/wallpaper/default_small.jpg --child-wallpaper-large=/usr/share/chromeos-assets/wallpaper/child_large.jpg --child-wallpaper-small=/usr/share/chromeos-assets/wallpaper/child_small.jpg --guest-wallpaper-large=/usr/share/chromeos-assets/wallpaper/guest_large.jpg --guest-wallpaper-small=/usr/share/chromeos-assets/wallpaper/guest_small.jpg --enable-consumer-kiosk --enterprise-enrollment-initial-modulus=15 --enterprise-enrollment-modulus-limit=19 --login-manager --first-exec-after-boot --vmodule=tablet_power_button_controller=1,*chromeos/login/*=1,auto_enrollment_controller=1,*plugin*=2,*zygote*=1,*/ui/ozone/*=1,*/ui/display/manager/chromeos/*=1,*night_light*=1,power_button_observer=2,webui_login_view=2,lock_state_controller=2,webui_screen_locker=2,screen_locker=2 --silent-launch
Friday, February 2, 2018.
I have to admit asking this hurts my self-esteem, as I am typically used to bypassing this myself...but I can't on the newer versions...so can someone please help me?