Unrelated to this news, but this is so rudimentary, when the correct solution instead is:

1. Make it ridiculously easy to install hardware vendor keys and register it with OS of choice. (like a standardized dialog box in UEFI and a standardized/regulated IPMI-like interface)

2. Allow for only measured boot on those devices.

3. Provided facility to verify signatures.

Do this on consumer and enterprise laptops and desktops alike and all of these weird set of conditions just go out of play and replaced by something much much simpler.

Why is there a policy to require “Chrome” and not a policy to require another browser, hmm?

"wow look at all these options available...to limit users to only use software provided by the same corp" you are missing the point entirely.