1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
// Generated classes use the lite runtime (no descriptors / reflection), so
// consumers cannot introspect this schema at runtime or use text format.
// NOTE(review): the `[default = ...]` options and explicit-presence scalars
// below are proto2 syntax; the syntax declaration is not visible in this
// listing — confirm `syntax = "proto2";` precedes this option.
option optimize_for = LITE_RUNTIME;

// All device-policy messages live in this package.
package enterprise_management;
// Controls how often the device re-fetches its policy from the management
// server.
message DevicePolicyRefreshRateProto {
  // Refresh interval. The unit is not stated in this message — TODO confirm
  // against the consumer (the other timeouts in this file are in milliseconds,
  // while uptime_limit and scatter_factor_in_seconds are in seconds).
  optional int64 device_policy_refresh_rate = 1;
}
// Sign-in allowlist for the device. Whether it is enforced at all depends on
// AllowNewUsersProto; see the table documented there.
message UserWhitelistProto {
  // If a UserWhitelistProto is included in the ChromeDeviceSettingsProto but
  // the user_whitelist field is empty then no user can sign-in.
  // NOTE(review): this conflicts with the AllowNewUsersProto table, whose
  // "not present | present, empty" row says anyone can log in — confirm which
  // statement matches the sign-in code before relying on an empty list to
  // lock the device.
  // Matching semantics (exact identity vs. pattern) are not specified here.
  repeated string user_whitelist = 1;
}
// Controls whether users outside the whitelist may sign in.
message AllowNewUsersProto {
  // Determines whether we allow arbitrary users to log into the device.
  // This interacts with the UserWhitelistProto as follows:
  //
  //  allow_new_users | user_whitelist     | anyone can log in
  // -----------------+--------------------+------------------
  //  present, true   | not present        | Yes
  // -----------------+--------------------+------------------
  //  present, true   | present            | Yes
  // -----------------+--------------------+------------------
  //  present, false  | not present        | (Broken) Yes
  // -----------------+--------------------+------------------
  //  present, false  | present            | No, W/L enforced
  // -----------------+--------------------+------------------
  //  not present     | not present        | Yes
  // -----------------+--------------------+------------------
  //  not present     | present, empty     | Yes
  // -----------------+--------------------+------------------
  //  not present     | present, non-empty | No, W/L enforced
  // -----------------+--------------------+------------------
  //
  // Note the "(Broken)" row: setting allow_new_users to false without also
  // sending a UserWhitelistProto does NOT restrict sign-in. A policy that
  // intends to lock the device to known users must send both.
  optional bool allow_new_users = 1 [default = true];
}
// Controls availability of guest sessions.
message GuestModeEnabledProto {
  // Determines if guests are allowed to log in to the device.
  // Guest sessions are permitted unless this is explicitly set to false.
  optional bool guest_mode_enabled = 1 [default = true];
}
// Controls whether existing accounts are listed on the sign-in screen.
message ShowUserNamesOnSigninProto {
  // Determines if we show pods for existing users on the sign in screen.
  // Shown by default; set to false to hide which accounts exist on the device.
  optional bool show_user_names = 1 [default = true];
}
// Controls cellular data roaming.
message DataRoamingEnabledProto {
  // Determines if cellular data roaming is enabled. Off unless explicitly
  // enabled.
  optional bool data_roaming_enabled = 1 [default = false];
}
// Device-wide proxy configuration.
message DeviceProxySettingsProto {
  // One of "direct", "auto_detect", "pac_script", "fixed_servers", "system".
  // The schema does not validate this value; any other string is passed
  // through to the consumer unchanged.
  optional string proxy_mode = 1;
  // Proxy server specification; presumably only consulted when proxy_mode is
  // "fixed_servers" — verify against the consumer.
  optional string proxy_server = 2;
  // URL of the PAC script; presumably only consulted when proxy_mode is
  // "pac_script" — verify against the consumer.
  optional string proxy_pac_url = 3;
  // Hosts that bypass the proxy. The list format (separator, wildcards) is
  // not specified here.
  optional string proxy_bypass_list = 4;
}
// This is used by chromeos, make sure to do cleanup there before marking it as
// obsolete.
message CameraEnabledProto {
  // Whether the camera may be used. No default is declared, so an absent
  // value reads as false (proto2 scalar default).
  optional bool camera_enabled = 1;
}
// Controls usage-metrics reporting.
message MetricsEnabledProto {
  // Whether metrics reporting is enabled. No default is declared, so an
  // absent value reads as false (proto2 scalar default).
  optional bool metrics_enabled = 1;
}
// Pins the device to a Chrome OS release channel.
message ReleaseChannelProto {
  // One of "stable-channel", "beta-channel", or "dev-channel".
  // The schema does not validate this value.
  optional string release_channel = 1;

  // If |release_channel_delegated| is set to true and the |release_channel|
  // field is not set or left empty, the user can select the channel. If the
  // |release_channel| is specified it will always override users choice!
  optional bool release_channel_delegated = 2;
}
// Device-level network configuration in ONC (Open Network Configuration)
// format.
message DeviceOpenNetworkConfigurationProto {
  // The network configuration blob. This is a JSON string as specified by ONC.
  // Opaque to this schema: parsing and validation happen in the ONC consumer.
  optional string open_network_configuration = 1;
}
// Policies to turn on portions of the device status reports.
// None of these flags declares a default, so an absent flag reads as false
// (proto2 scalar default): reporting is opt-in per category.
message DeviceReportingProto {
  // Report OS/firmware version information.
  optional bool report_version_info = 1;
  // Report periods during which the device was in use.
  optional bool report_activity_times = 2;
  // Report the boot mode (e.g. whether the developer switch was on).
  optional bool report_boot_mode = 3;
  // Report device location. Privacy-relevant; off unless explicitly enabled.
  optional bool report_location = 4;
  // Report the device's network interfaces.
  optional bool report_network_interfaces = 5;
  // Report users of the device. Privacy-relevant; off unless explicitly
  // enabled.
  optional bool report_users = 6;
}
// Controls whether user state persists across sessions.
message EphemeralUsersEnabledProto {
  // Determines whether users should be treated as ephemeral. In ephemeral users
  // mode, no cryptohome is created for the user, but a tmpfs mount is used
  // instead such that upon logout all user state is discarded.
  // No default is declared, so an absent value reads as false.
  optional bool ephemeral_users_enabled = 1;
}
// Details of an extension to install as part of the AppPack.
message AppPackEntryProto {
  // Identifier of the extension to install. The expected format is not
  // stated here — presumably the same 32-character Chrome App identifier
  // format documented on KioskAppInfoProto.app_id; verify against the
  // consumer.
  optional string extension_id = 1;
  // URL the extension package is fetched from. Not validated by this schema.
  optional string update_url = 2;

  // This field was added but never used and there are no plans to support it
  // eventually either. Kept (deprecated) so the field number is not reused.
  optional bool OBSOLETE_online_only = 3 [deprecated = true];
}
// The AppPack: a set of extensions force-installed on the device.
message AppPackProto {
  // List of extensions to install as part of the AppPack.
  repeated AppPackEntryProto app_pack = 1;
}
// This is a special policy for kiosk/retail mode that specifies what apps
// should be pinned to the launcher. For regular accounts, pinned apps are
// controlled through user policy.
message PinnedAppsProto {
  // App IDs for the apps to pin.
  repeated string app_id = 1;
}
// Idle-logout configuration for user sessions.
message ForcedLogoutTimeoutsProto {
  // All timeouts are specified in milliseconds.

  // Specifies the timeout before an idle user session is terminated.
  // If this field is omitted or set to 0, no logout on idle will be performed.
  optional int64 idle_logout_timeout = 1;

  // Specifies the duration of a warning countdown before the user is logged out
  // because of idleness as specified by the |idle_logout_timeout| value.
  // This field is only used if |idle_logout_timeout| != 0 is specified.
  optional int64 idle_logout_warning_duration = 2;
}
// Login-screen screen saver for devices in RETAIL mode.
message ScreenSaverProto {
  // Specifies the extension ID which is to be used as a screen saver on the
  // login screen if no user activity is present. Only respected if the device
  // is in RETAIL mode.
  optional string screen_saver_extension_id = 1;

  // Specifies the timeout before the screen saver is activated. If this field
  // is omitted or set to 0, no screen-saver will be started.
  // Measured in milliseconds.
  optional int64 screen_saver_timeout = 2;
}
// Enterprise controls for auto-update behavior of Chrome OS.
message AutoUpdateSettingsProto {
  // True if we don't want the device to auto-update (target_version_prefix is
  // ignored in this case).
  optional bool update_disabled = 1;

  // Specifies the prefix of the target version we want the device to
  // update to, if it's on an older version. If the device is already on
  // a version with the given prefix, then there's no effect. If the device is
  // on a higher version, it will remain on the higher version as we
  // don't support rollback yet. The format of this version can be one
  // of the following:
  // ---------------------------------------------------------------------
  // "" (or not set at all): update to latest version available.
  // 1412.: update to any minor version of 1412 (e.g. 1412.24.34 or 1412.60.2)
  // 1412.2.: update to any minor version of 1412.2 (e.g. 1412.2.34 or 1412.2.2)
  // 1412.24.34: update to this specific version only
  // ---------------------------------------------------------------------
  optional string target_version_prefix = 2;

  // The Chrome browser version (e.g. "17.*") corresponding to the
  // target_version_prefix above. The target_version_prefix is the internal OS
  // version that external users normally are not aware of. This display_name
  // can be used by the devices to display a message to end-users about the
  // pending auto-update. Purely informational; it does not select a version.
  optional string target_version_display_name = 3;

  // Specifies the number of seconds up to which a device may randomly
  // delay its download of an update from the time the update was first pushed
  // out to the server. The device may wait a portion of this time in terms
  // of wall-clock-time and the remaining portion in terms of the number of
  // update checks. In any case, the scatter is upper bounded by a constant
  // amount of time so that a device does not ever get stuck waiting to download
  // an update forever.
  optional int64 scatter_factor_in_seconds = 4;

  // Enumerates network connection types.
  // Note: there is no UNSPECIFIED zero value; 0 means Ethernet. Under proto2,
  // a value unknown to the reader is treated as an unknown field and will not
  // appear in |allowed_connection_types| below.
  enum ConnectionType {
    CONNECTION_TYPE_ETHERNET = 0;
    CONNECTION_TYPE_WIFI = 1;
    CONNECTION_TYPE_WIMAX = 2;
    CONNECTION_TYPE_BLUETOOTH = 3;
    CONNECTION_TYPE_CELLULAR = 4;
  }

  // The types of connections that are OK to use for OS updates. OS updates
  // potentially put heavy strain on the connection due to their size and may
  // incur additional cost. Therefore, they are by default not enabled for
  // connection types that are considered expensive, which include WiMax,
  // Bluetooth and Cellular at the moment.
  repeated ConnectionType allowed_connection_types = 5;

  // This has been replaced by |reboot_after_update| below.
  // Kept (deprecated) so the field number is not reused.
  optional bool OBSOLETE_reboot_after_update = 6 [deprecated = true];

  // True if AU payloads can be downloaded via HTTP. False otherwise.
  // Off by default; enabling it moves payload transport to plain HTTP.
  optional bool http_downloads_enabled = 7 [default = false];

  // True if the device should reboot automatically when an update has been
  // applied and a reboot is required to complete the update process.
  //
  // Note: Currently, automatic reboots are only enabled while the login screen
  // is being shown or a kiosk app session is in progress. This will change in
  // the future and the policy will always apply, regardless of whether a
  // session of any particular type is in progress or not.
  optional bool reboot_after_update = 8;

  // True if AU payloads may be shared with and consumed from other devices
  // on the LAN, using p2p. False otherwise.
  optional bool p2p_enabled = 9 [default = false];
}
// URLs opened automatically in RETAIL mode.
message StartUpUrlsProto {
  // Specifies the URLs to be loaded on login to the anonymous account used if
  // the device is in RETAIL mode.
  repeated string start_up_urls = 1;
}
// Device-wide timezone setting.
message SystemTimezoneProto {
  // Specifies an owner-determined timezone that applies to the login screen and
  // all users. Valid values are listed in "timezone_settings.cc". Additionally,
  // timezones from the "IANA Time Zone Database" (e.g. listed on wikipedia)
  // that are equivalent to one of the timezones in "timezone_settings.cc" are
  // valid. In case of an invalid value, the setting is still activated with a
  // fallback timezone (currently "GMT"). In case of an empty string or if no
  // value is provided, the timezone device setting is inactive. In that case,
  // the currently active timezone will remain in use however users can change
  // the timezone and the change is persistent. Thus a change by one user
  // affects the login-screen and all other users.
  optional string timezone = 1;
}
// Device-wide clock format.
message SystemUse24HourClockProto {
  // Specifies an owner-determined clock format that applies to the login
  // screen and is used as a default for all user sessions. Users can still
  // override the format to use for their account.
  //
  // True and false select a 24 and 12 hour clock format, respectively. The
  // default format for the case the setting is not present is 24 hour clock.
  // (Note that the proto2 default of this bool is false; the "not present"
  // behaviour described above is implemented by the consumer, not by the
  // field default.)
  optional bool use_24hour_clock = 1;
}
// Parameters for Kiosk App device-local accounts.
message KioskAppInfoProto {
  // Indicates the Kiosk App for the corresponding device-local account. The
  // string value should be a valid 32-character Chrome App identifier and
  // specifies the Kiosk App to download and run. The schema itself does not
  // enforce the format.
  optional string app_id = 1;

  // Optional extension update URL to download the Kiosk App package from. If
  // not specified, the app will be downloaded from the standard Chrome Web
  // Store.
  optional string update_url = 2;
}
// Describes a single device-local account.
message DeviceLocalAccountInfoProto {
  // Deprecated: Account identifier for a public session device-local account.
  // Old code didn't have the |type| field, so it can't handle new types of
  // device-local accounts gracefully (i.e. ignoring unsupported types). New
  // code should instead set type to ACCOUNT_TYPE_PUBLIC_SESSION and write the
  // identifier to the |account_id| field below. If the |type| field is present,
  // |deprecated_public_session_id| will be ignored.
  optional string deprecated_public_session_id = 1;

  // Identifier for the device-local account. This is an opaque identifier that
  // is used to distinguish different device-local accounts configured. All
  // configured accounts on a device must have unique identifiers.
  optional string account_id = 2;

  // Indicates the type of device-local account.
  // Note: the zero value is a real account type (public session) rather than
  // an UNSPECIFIED marker, so an absent |type| reads as a public session.
  // NOTE(review): the enum header was not visible in this listing; the name
  // AccountType is taken from the |type| field declaration below.
  enum AccountType {
    // A login-less, policy-configured browsing session.
    ACCOUNT_TYPE_PUBLIC_SESSION = 0;
    // An account that serves as a container for a single full-screen app.
    ACCOUNT_TYPE_KIOSK_APP = 1;
  }

  // The account type. See the note on AccountType about the zero value.
  optional AccountType type = 3;

  // Kiosk App parameters, relevant if |type| is ACCOUNT_TYPE_KIOSK_APP.
  optional KioskAppInfoProto kiosk_app = 4;
}
// The set of device-local accounts and the auto-login configuration.
message DeviceLocalAccountsProto {
  // The list of device-local accounts (i.e. accounts without an associated
  // cloud-backed profile) that are available on the device.
  repeated DeviceLocalAccountInfoProto account = 1;

  // The identifier of the device-local account to which the device
  // should be logged in automatically. Should be equal to one of the
  // ids in DeviceLocalAccountInfoProto.
  optional string auto_login_id = 2;

  // The amount of time, in milliseconds, that should elapse at the signin
  // screen without user interaction before automatically logging in.
  optional int64 auto_login_delay = 3;

  // Whether the keyboard shortcut to prevent zero-delay auto-login should be
  // enabled or not. By default, the user has 3 seconds to press a shortcut
  // to prevent auto-login, which is useful to sign-in to a regular user session
  // and configure the machine. If this policy is set to false then this
  // shortcut is disabled and there is no way to skip auto-login.
  optional bool enable_auto_login_bailout = 4 [default = true];

  // Whether network configuration should be offered or not when the device
  // does not have access to the Internet. If the policy is omitted or set to
  // true, the network configuration will be offered. Otherwise, only an error
  // message is displayed.
  // Note: If both this policy and the enable_auto_login_bailout policy above
  // are set to false, there is a chance that the device becomes totally
  // unusable when there is no Internet access, since neither the auto-login
  // bailout nor the network configuration screen is available to recover it.
  // If the device is offline at startup then the network configuration screen
  // is always shown, before auto-login kicks in.
  optional bool prompt_for_network_when_offline = 5 [default = true];
}
// Controls the Chrome OS Registration offer-redemption feature.
message AllowRedeemChromeOsRegistrationOffersProto {
  // Chrome OS Registration service provides a way for chromeos device users
  // to redeem electronic offers provided by a service provider.
  // This value determines if users are allowed to redeem offers through
  // Chrome OS Registration service. Allowed unless explicitly set to false.
  optional bool allow_redeem_offers = 1 [default = true];
}
// Owner-set start-up flags.
message StartUpFlagsProto {
  // The list of flags to be applied to chrome on start-up (back up store for
  // owner set flags in about:flags). The schema applies no allowlist; which
  // flags are honoured is decided by the consumer.
  repeated string flags = 1;
}
// Scheduled automatic reboot based on device uptime.
message UptimeLimitProto {
  // This has been replaced by |uptime_limit| below.
  // Kept (deprecated) so the field number is not reused.
  optional int64 OBSOLETE_uptime_limit = 1 [deprecated = true];

  // Sets the length of device uptime after which an automatic reboot is
  // scheduled. An automatic reboot is scheduled at the selected time but may be
  // delayed on the device by up to 24 hours, e.g. if a user is currently using
  // the device or an app/extension has requested reboots to be inhibited
  // temporarily. The policy value should be specified in seconds.
  //
  // Note: Currently, automatic reboots are only enabled while the login screen
  // is being shown or a kiosk app session is in progress. This will change in
  // the future and the policy will always apply, regardless of whether a
  // session of any particular type is in progress or not.
  optional int64 uptime_limit = 2;
}
// Restrict parameter for the Variations (field trial) service.
message VariationsParameterProto {
  // The string for the restrict parameter to be appended to the Variations URL
  // when pinging the Variations server.
  optional string parameter = 1;
}
// Device-level switches for TPM-backed remote attestation features.
message AttestationSettingsProto {
  // Attestation involves proving that a cryptographic key is protected by a
  // legitimate Chrome OS TPM and reporting the operating mode of the platform.
  // This setting enables enterprise attestation features at a device level. If
  // this is enabled a machine key will be generated and certified by the Chrome
  // OS CA. If this setting is disabled, even users with attestation settings
  // enabled will not be able to use those features on the device.
  // Off unless explicitly enabled.
  optional bool attestation_enabled = 1 [default = false];

  // Chrome OS devices can use remote attestation (Verified Access) to get a
  // certificate issued by the Chrome OS CA that asserts the device is eligible
  // to play protected content. This process involves sending hardware
  // endorsement information to the Chrome OS CA which uniquely identifies the
  // device. This setting allows this feature to be disabled for the device
  // regardless of any user-specific settings. Note the asymmetric defaults:
  // this feature is on unless disabled, whereas attestation_enabled above is
  // off unless enabled.
  optional bool content_protection_enabled = 2 [default = true];
}
// Default state of accessibility features on the login screen.
// All five settings share the same override model: users may toggle the
// feature, but the default is restored when the login screen is shown anew or
// after a minute of idle time, and an unset policy leaves the feature off.
message AccessibilitySettingsProto {
  // Sets the default state of the large cursor accessibility feature on the
  // login screen. If this policy is set to true, the large cursor will be
  // enabled when the login screen is shown. If this policy is set to false, the
  // large cursor will be disabled when the login screen is shown. Users can
  // temporarily override this setting by enabling or disabling the large
  // cursor. However, the user's choice is not persistent and the default is
  // restored whenever the login screen is shown anew or the user remains idle
  // on the login screen for a minute. If this policy is left unset, the large
  // cursor is disabled when the login screen is first shown. Users can enable
  // or disable the large cursor anytime and its status on the login screen is
  // persisted between users.
  optional bool login_screen_default_large_cursor_enabled = 1;

  // Sets the default state of the spoken feedback accessibility feature on the
  // login screen. If this policy is set to true, spoken feedback will be
  // enabled when the login screen is shown. If this policy is set to false,
  // spoken feedback will be disabled when the login screen is shown. Users can
  // temporarily override this setting by enabling or disabling spoken feedback.
  // However, the user's choice is not persistent and the default is restored
  // whenever the login screen is shown anew or the user remains idle on the
  // login screen for a minute. If this policy is left unset, spoken feedback is
  // disabled when the login screen is first shown. Users can enable or disable
  // spoken feedback anytime and its status on the login screen is persisted
  // between users.
  optional bool login_screen_default_spoken_feedback_enabled = 2;

  // Sets the default state of the high contrast mode accessibility feature on
  // the login screen. If this policy is set to true, high contrast mode will be
  // enabled when the login screen is shown. If this policy is set to false,
  // high contrast mode will be disabled when the login screen is shown. Users
  // can temporarily override this setting by enabling or disabling high
  // contrast mode. However, the user's choice is not persistent and the default
  // is restored whenever the login screen is shown anew or the user remains
  // idle on the login screen for a minute. If this policy is left unset, high
  // contrast mode is disabled when the login screen is first shown. Users can
  // enable or disable high contrast mode anytime and its status on the login
  // screen is persisted between users.
  optional bool login_screen_default_high_contrast_enabled = 3;

  // Enumerates the screen magnifier types.
  // The zero value means "disabled", so an absent policy reads as NONE.
  enum ScreenMagnifierType {
    // Screen magnifier disabled.
    SCREEN_MAGNIFIER_TYPE_NONE = 0;
    // Full-screen magnifier enabled.
    SCREEN_MAGNIFIER_TYPE_FULL = 1;
  }

  // Sets the default type of screen magnifier that is enabled on the login
  // screen. If this policy is set, it controls the type of screen magnifier
  // that is enabled when the login screen is shown. Users can temporarily
  // override this setting by enabling or disabling the screen magnifier.
  // However, the user's choice is not persistent and the default is restored
  // whenever the login screen is shown anew or the user remains idle on the
  // login screen for a minute. If this policy is left unset, the screen
  // magnifier is disabled when the login screen is first shown. Users can
  // enable or disable the screen magnifier anytime and its status on the login
  // screen is persisted between users.
  optional ScreenMagnifierType login_screen_default_screen_magnifier_type = 4;

  // Sets the default state of the on-screen keyboard accessibility feature on
  // the login screen. If this policy is set to true, the on-screen keyboard
  // will be enabled when the login screen is shown. If this policy is set to
  // false, the on-screen keyboard will be disabled when the login screen is
  // shown. Users can temporarily override this setting by enabling or disabling
  // the on-screen keyboard. However, the user's choice is not persistent and
  // the default is restored whenever the login screen is shown anew or the user
  // remains idle on the login screen for a minute. If this policy is left
  // unset, the on-screen keyboard is disabled when the login screen is first
  // shown. Users can enable or disable the on-screen keyboard anytime and its
  // status on the login screen is persisted between users.
  optional bool login_screen_default_virtual_keyboard_enabled = 5;
}
// Controls creation of supervised users.
message SupervisedUsersSettingsProto {
  // Defines whether supervised users can be created on the device.
  // No default is declared, so an absent value reads as false.
  optional bool supervised_users_enabled = 1;
}
// Power management configuration for the login screen.
message LoginScreenPowerManagementProto {
  // Configures power management on the login screen. The policy should be
  // specified as a string that expresses the individual settings in JSON
  // format, conforming to the following schema (the "Battery" object has the
  // same shape as "AC"; the JSON is validated by the consumer, not by this
  // proto):
  // {
  //   "type": "object",
  //   "properties": {
  //     "AC": {
  //       "description": "Power management settings applicable only when
  //                       running on AC power",
  //       "type": "object",
  //       "properties": {
  //         "Delays": {
  //           "type": "object",
  //           "properties": {
  //             "ScreenDim": {
  //               "description": "The length of time without user input after
  //                               which the screen is dimmed, in milliseconds",
  //               "type": "integer",
  //               "minimum": 0
  //             },
  //             "ScreenOff": {
  //               "description": "The length of time without user input after
  //                               which the screen is turned off, in
  //                               milliseconds",
  //               "type": "integer",
  //               "minimum": 0
  //             },
  //             "Idle": {
  //               "description": "The length of time without user input after
  //                               which the idle action is taken, in
  //                               milliseconds",
  //               "type": "integer",
  //               "minimum": 0
  //             }
  //           }
  //         },
  //         "IdleAction": {
  //           "description": "Action to take when the idle delay is reached",
  //           "enum": [ "Suspend", "Shutdown", "DoNothing" ]
  //         }
  //       }
  //     },
  //     "Battery": {
  //       "description": "Power management settings applicable only when
  //                       running on battery power",
  //       "type": "object",
  //       "properties": { ... same "Delays" and "IdleAction" as "AC" ... }
  //     },
  //     "LidCloseAction": {
  //       "description": "Action to take when the lid is closed",
  //       "enum": [ "Suspend", "Shutdown", "DoNothing" ]
  //     },
  //     "UserActivityScreenDimDelayScale": {
  //       "description": "Percentage by which the screen dim delay is scaled
  //                       when user activity is observed while the screen is
  //                       dimmed or soon after the screen has been turned off",
  //       "type": "integer",
  //       "minimum": 0
  //     }
  //   }
  // }
  optional string login_screen_power_management = 1;
}
// Disk-full cleanup configuration. The message name carries a historical typo
// ("Settigs") that cannot be corrected without breaking generated code.
message AutoCleanupSettigsProto {
  // Deprecated. There is only one disk-full cleanup strategy: LRU.
  optional string clean_up_strategy = 1;
}
// Settings that control low-level functions of the system.
message SystemSettingsProto {
  // Whether developer mode is allowed on the device. If the device owner sets
  // this flag to true, the system will refuse to boot and show an error screen
  // when the developer switch is turned on.
  // No default is declared, so an absent value reads as false, i.e. developer
  // mode is not blocked unless this is explicitly set.
  optional bool block_devmode = 1;
}
// Settings that control login for SAML users.
message SAMLSettingsProto {
  // Whether cookies set by a SAML IdP should be transferred to users' profiles
  // every time a user authenticates via SAML during login. If false, cookies
  // are transferred during each user's first login only.
  // No default is declared, so an absent value reads as false.
  optional bool transfer_saml_cookies = 1;
}
// Top-level container for all device settings. Each field wraps one policy in
// its own message so that presence ("policy not set") is distinguishable from
// a default value. Field numbers are the wire contract: add new policies with
// fresh numbers and never renumber or reuse a number.
message ChromeDeviceSettingsProto {
  optional DevicePolicyRefreshRateProto device_policy_refresh_rate = 1;
  optional UserWhitelistProto user_whitelist = 2;
  optional GuestModeEnabledProto guest_mode_enabled = 3;
  optional DeviceProxySettingsProto device_proxy_settings = 4;
  optional CameraEnabledProto camera_enabled = 5;
  optional ShowUserNamesOnSigninProto show_user_names = 6;
  optional DataRoamingEnabledProto data_roaming_enabled = 7;
  // Evaluated together with user_whitelist; see AllowNewUsersProto.
  optional AllowNewUsersProto allow_new_users = 8;
  optional MetricsEnabledProto metrics_enabled = 9;
  optional ReleaseChannelProto release_channel = 10;
  optional DeviceOpenNetworkConfigurationProto open_network_configuration = 11;
  optional DeviceReportingProto device_reporting = 12;
  optional EphemeralUsersEnabledProto ephemeral_users_enabled = 13;
  optional AppPackProto app_pack = 14;
  optional ForcedLogoutTimeoutsProto forced_logout_timeouts = 15;
  optional ScreenSaverProto login_screen_saver = 16;
  optional AutoUpdateSettingsProto auto_update_settings = 17;
  optional StartUpUrlsProto start_up_urls = 18;
  optional PinnedAppsProto pinned_apps = 19;
  optional SystemTimezoneProto system_timezone = 20;
  optional DeviceLocalAccountsProto device_local_accounts = 21;
  optional AllowRedeemChromeOsRegistrationOffersProto allow_redeem_offers = 22;
  optional StartUpFlagsProto start_up_flags = 23;
  optional UptimeLimitProto uptime_limit = 24;
  optional VariationsParameterProto variations_parameter = 25;
  optional AttestationSettingsProto attestation_settings = 26;
  optional AccessibilitySettingsProto accessibility_settings = 27;
  optional SupervisedUsersSettingsProto supervised_users_settings = 28;
  optional LoginScreenPowerManagementProto login_screen_power_management = 29;
  optional SystemUse24HourClockProto use_24hour_clock = 30;
  // The message type name carries a historical typo; the field name does not.
  optional AutoCleanupSettigsProto auto_clean_up_settings = 31;
  optional SystemSettingsProto system_settings = 32;
  optional SAMLSettingsProto saml_settings = 33;
}