Diffstat (limited to 'chromium/components/policy/proto/chrome_device_policy.proto')
-rw-r--r--chromium/components/policy/proto/chrome_device_policy.proto1873
1 files changed, 1873 insertions, 0 deletions
diff --git a/chromium/components/policy/proto/chrome_device_policy.proto b/chromium/components/policy/proto/chrome_device_policy.proto
new file mode 100644
index 00000000000..826b585c5c3
--- /dev/null
+++ b/chromium/components/policy/proto/chrome_device_policy.proto
@@ -0,0 +1,1873 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+syntax = "proto2";
+
+option optimize_for = LITE_RUNTIME;
+
+import "policy_common_definitions.proto";
+
+package enterprise_management;
+
+option go_package="chromium/policy/enterprise_management_proto";
+
+// Everything below this comment will be synchronized between client and server
+// repos ( go/cros-proto-sync ).
+
+message DevicePolicyRefreshRateProto {
+ // In milliseconds.
+ optional int64 device_policy_refresh_rate = 1;
+}
+
+message UserWhitelistProto {
+ // If a UserWhitelistProto is included in the ChromeDeviceSettingsProto but
+ // the user_whitelist field is empty then no user can sign-in.
+ repeated string user_whitelist = 1;
+}
+
+message UserAllowlistProto {
+ // If a UserAllowlistProto is included in the ChromeDeviceSettingsProto but
+ // the user_whitelist field is empty then no user can sign-in.
+ repeated string user_allowlist = 1;
+}
+
+message AllowNewUsersProto {
+ // Determines whether we allow arbitrary users to log into the device.
+ // This interacts with the UserAllowlistProto as follows:
+ // allow_new_users | user_allowlist | anyone can log in
+ //-----------------+--------------------+------------------
+ // present, true | not present | Yes
+ //-----------------+--------------------+------------------
+ // present, true | present | Yes
+ //-----------------+--------------------+------------------
+ // present, false | not present | (Broken) Yes
+ //-----------------+--------------------+------------------
+ // present, false | present | No, W/L enforced
+ //-----------------+--------------------+------------------
+ // not present | not present | Yes
+ //-----------------+--------------------+------------------
+ // not present | present, empty | Yes
+ //-----------------+--------------------+------------------
+ // not present | present, non-empty | No, W/L enforced
+ //-----------------+--------------------+------------------
+ optional bool allow_new_users = 1 [default = true];
+}
+
+message GuestModeEnabledProto {
+ // Determines if guests are allowed to log in to the device.
+ optional bool guest_mode_enabled = 1 [default = true];
+}
+
+message ShowUserNamesOnSigninProto {
+ // Determines if we show pods for existing users on the sign in screen.
+ optional bool show_user_names = 1 [default = true];
+}
+
+message DataRoamingEnabledProto {
+ // Determines if cellular data roaming is enabled.
+ optional bool data_roaming_enabled = 1 [default = false];
+}
+
+message OBSOLETE_DeviceProxySettingsProto {
+ // One of "direct", "auto_detect", "pac_script", "fixed_servers", "system"
+ optional string OBSOLETE_proxy_mode = 1 [deprecated = true];
+ optional string OBSOLETE_proxy_server = 2 [deprecated = true];
+ optional string OBSOLETE_proxy_pac_url = 3 [deprecated = true];
+ optional string OBSOLETE_proxy_bypass_list = 4 [deprecated = true];
+}
+
+// This is used by chromeos, make sure to do cleanup there before marking it as
+// obsolette.
+message CameraEnabledProto {
+ optional bool camera_enabled = 1;
+}
+
+message MetricsEnabledProto {
+ optional bool metrics_enabled = 1;
+}
+
+message ReleaseChannelProto {
+ // One of "stable-channel", "beta-channel", or "dev-channel"
+ optional string release_channel = 1;
+
+ // The user can select the channel if |release_channel_delegated| is true.
+ // The value of |release_channel| is only taken into account if
+ // |release_channel_delegated| is set to false.
+ optional bool release_channel_delegated = 2;
+
+ // |release_lts_tag| is forwarded as the "ltshint" attribute to Omaha.
+ optional string release_lts_tag = 3;
+}
+
+message DeviceOpenNetworkConfigurationProto {
+ // The network configuration blob. This is a JSON string as specified by ONC.
+ optional string open_network_configuration = 1;
+}
+
+message NetworkHostnameProto {
+ // The device hostname template. It might contain following
+ // patterns that would be substituted by the device:
+ // ASSET_ID, SERIAL_NUM, MAC_ADDR, and string after substitution should
+ // be a valid hostname.
+ optional string device_hostname_template = 1;
+}
+
+message HostnameUserConfigurableProto {
+ // Determines if user is allowed to configure the device hostname
+ optional bool device_hostname_user_configurable = 1 [default = false];
+}
+
+// Policies to turn on portions of the device status reports.
+// If changed, the default values have to be updated in
+// chrome/browser/ash/policy/status_collector/device_status_collector.cc
+// and
+// chrome/browser/ash/policy/status_collector/child_status_collector.cc.
+message DeviceReportingProto {
+ optional bool report_version_info = 1 [default = true];
+ optional bool report_activity_times = 2 [default = true];
+ optional bool report_boot_mode = 3 [default = true];
+ optional bool report_location = 4 [default = false];
+ optional bool report_network_interfaces = 5 [default = true];
+ optional bool report_users = 6 [default = true];
+ optional bool report_hardware_status = 7 [default = true];
+ optional bool report_session_status = 8 [default = true];
+ optional bool report_os_update_status = 10 [default = false];
+ optional bool report_running_kiosk_app = 11 [default = false];
+ optional bool report_power_status = 12 [default = false];
+ optional bool report_storage_status = 13 [default = false];
+ optional bool report_board_status = 14 [default = false];
+ optional bool report_cpu_info = 15 [default = false];
+ optional bool report_graphics_status = 16 [default = false];
+ optional bool report_crash_report_info = 17 [default = false];
+ optional bool report_timezone_info = 18 [default = false];
+ optional bool report_memory_info = 19 [default = false];
+ optional bool report_backlight_info = 20 [default = false];
+ optional bool report_app_info = 21 [default = false];
+ optional bool report_bluetooth_info = 22 [default = false];
+ optional bool report_fan_info = 23 [default = false];
+ optional bool report_vpd_info = 24 [default = false];
+ optional bool report_system_info = 25 [default = false];
+ optional bool report_print_jobs = 26 [default = false];
+ optional bool report_login_logout = 27 [default = false];
+ optional bool report_audio_status = 28 [default = true];
+ optional bool report_network_configuration = 29 [default = true];
+ optional bool report_network_status = 30 [default = true];
+ optional bool report_security_status = 31 [default = false];
+ optional bool report_crd_sessions = 36 [default = false];
+ optional bool report_peripherals = 37 [default = false];
+
+ // Frequency to report device status, default to 3 hours.
+ // If changed, the default value has to be updated in
+ // chrome/browser/ash/policy/core/device_cloud_policy_manager_ash.cc.
+ optional int64 device_status_frequency = 9 [default = 10800000];
+
+ // This is a internal flag that will be used to control whether enable
+ // granular device reporting is enabled
+ optional bool enable_granular_reporting = 32 [default = true];
+
+ // Network telemetry policies.
+ optional int64 report_network_telemetry_collection_rate_ms = 33
+ [default = 3600000];
+ optional int64 report_network_telemetry_event_checking_rate_ms = 34
+ [default = 600000];
+
+ // Audio telemetry policy
+ optional int64 report_device_audio_status_checking_rate_ms = 35
+ [default = 600000];
+}
+
+message EphemeralUsersEnabledProto {
+ // Determines whether users should be treated as ephemeral. In ephemeral users
+ // mode, no cryptohome is created for the user, but a tmpfs mount is used
+ // instead such that upon logout all user state is discarded.
+ optional bool ephemeral_users_enabled = 1;
+}
+
+message DeviceKeylockerForStorageEncryptionEnabledProto {
+ // Determines whether cryptohome uses Keylocker for storage encryption ciphers
+ // when supported.
+ optional bool enabled = 1;
+}
+
+// Details of an extension to install as part of the AppPack.
+message OBSOLETE_AppPackEntryProto {
+ optional string OBSOLETE_extension_id = 1 [deprecated = true];
+ optional string OBSOLETE_update_url = 2 [deprecated = true];
+
+ // This field was added but never used and there are no plans to support it
+ // eventually either.
+ optional bool OBSOLETE_online_only = 3 [deprecated = true];
+}
+
+message OBSOLETE_AppPackProto {
+ // List of extensions to install as part of the AppPack.
+ repeated OBSOLETE_AppPackEntryProto app_pack = 1 [deprecated = true];
+}
+
+// This is a special policy for kiosk/retail mode that specifies what apps
+// should be pinned to the launcher. For regular accounts, pinned apps are
+// controlled through user policy.
+message OBSOLETE_PinnedAppsProto {
+ // App IDs for the apps to pin.
+ repeated string OBSOLETE_app_id = 1 [deprecated = true];
+}
+
+message OBSOLETE_ForcedLogoutTimeoutsProto {
+ // All timeouts are specified in milliseconds.
+
+ // Specifies the timeout before an idle user session is terminated.
+ // If this field is omitted or set to 0, no logout on idle will be performed.
+ optional int64 OBSOLETE_idle_logout_timeout = 1 [deprecated = true];
+
+ // Specifies the duration of a warning countdown before the user is logged out
+ // because of idleness as specified by the |idle_logout_timeout| value.
+ // This field is only used if |idle_logout_timeout| != 0 is specified.
+ optional int64 OBSOLETE_idle_logout_warning_duration = 2 [deprecated = true];
+}
+
+message OBSOLETE_ScreenSaverProto {
+ // Specifies the extension ID which is to be used as a screen saver on the
+ // login screen if no user activity is present. Only respected if the device
+ // is in RETAIL mode.
+ optional string OBSOLETE_screen_saver_extension_id = 1 [deprecated = true];
+
+ // Specifies the timeout before the screen saver is activated. If this field
+ // is omitted or set to 0, no screen-saver will be started.
+ // Measured in milliseconds.
+ optional int64 OBSOLETE_screen_saver_timeout = 2 [deprecated = true];
+}
+
+// Enterprise controls for auto-update behavior of Chrome OS.
+message AutoUpdateSettingsProto {
+ reserved 13;
+
+ // True if we don't want the device to auto-update (target_version_prefix is
+ // ignored in this case).
+ optional bool update_disabled = 1;
+
+ // Specifies the prefix of the target version we want the device to
+ // update to, if it's on an older version. If the device is already on
+ // a version with the given prefix, then there's no effect. If the device is
+ // on a higher version, the behavior depends on |rollback_to_target_version|.
+ // The format of this version can be one of the following:
+ // ---------------------------------------------------------------------
+ // "" (or not set at all): update to latest version available.
+ // 1412.: update to any minor version of 1412 (e.g. 1412.24.34 or 1412.60.2)
+ // 1412.2.: update to any minor version of 1412.2 (e.g. 1412.2.34 or 1412.2.2)
+ // 1412.24.34: update to this specific version only
+ // ---------------------------------------------------------------------
+ optional string target_version_prefix = 2;
+
+ // The Chrome browser version (e.g. "17.*") corresponding to the
+ // target_version_prefix above. The target_version_prefix is the internal OS
+ // version that external users normally are not aware of. This display_name
+ // can be used by the devices to display a message to end-users about the auto
+ // update setting.
+ optional string target_version_display_name = 3;
+
+ // Specifies the number of seconds up to which a device may randomly
+ // delay its download of an update from the time the update was first pushed
+ // out to the server. The device may wait a portion of this time in terms
+ // of wall-clock-time and the remaining portion in terms of the number of
+ // update checks. In any case, the scatter is upper bounded by a constant
+ // amount of time so that a device does not ever get stuck waiting to download
+ // an update forever.
+ optional int64 scatter_factor_in_seconds = 4;
+
+ // Enumerates network connection types.
+ enum ConnectionType {
+ reserved 2;
+
+ CONNECTION_TYPE_ETHERNET = 0;
+ CONNECTION_TYPE_WIFI = 1;
+ CONNECTION_TYPE_BLUETOOTH = 3;
+ CONNECTION_TYPE_CELLULAR = 4;
+ }
+
+ // The types of connections that are OK to use for OS updates. OS updates
+ // potentially put heavy strain on the connection due to their size and may
+ // incur additional cost. Therefore, they are by default not enabled for
+ // connection types that are considered expensive (currently only Cellular).
+ repeated ConnectionType allowed_connection_types = 5;
+
+ // This has been replaced by |reboot_after_update| below.
+ optional bool OBSOLETE_reboot_after_update = 6 [deprecated = true];
+
+ // True if AU payloads can be downloaded via HTTP. False otherwise.
+ optional bool http_downloads_enabled = 7 [default = false];
+
+ // True if the device should reboot automatically when an update has been
+ // applied and a reboot is required to complete the update process.
+ //
+ // Note: Currently, automatic reboots are only enabled while the login screen
+ // is being shown or a kiosk app session is in progress. This will change in
+ // the future and the policy will always apply, regardless of whether a
+ // session of any particular type is in progress or not.
+ optional bool reboot_after_update = 8;
+
+ // True if AU payloads may be shared with and consumed from other devices
+ // on the LAN, using p2p. False otherwise.
+ optional bool p2p_enabled = 9 [default = false];
+
+ // The possible types of rollback.
+ enum RollbackToTargetVersion {
+ // No value set. Default is ROLLBACK_DISABLED.
+ ROLLBACK_UNSPECIFIED = 0;
+ // No rollback should happen if |target_version_prefix| specifies an older
+ // version than the currently installed Chrome OS version. If this is the
+ // case, the device will still respect |target_version_prefix|, so it will
+ // not update Chrome OS.
+ ROLLBACK_DISABLED = 1;
+ // If |target_version_prefix| specifies an older version than the currently
+ // installed Chrome OS version, the device should roll back to a Chrome OS
+ // version starting with |target_version_prefix|. The device does a full
+ // powerwash during the rollback, including TPM reset.
+ ROLLBACK_AND_POWERWASH = 2;
+ // If |target_version_prefix| specifies an older version than the currently
+ // installed Chrome OS version, the device should roll back to a Chrome OS
+ // version starting with |target_version_prefix|.
+ // If possible, the device tries to carry over device-level configuration
+ // including network credentials during the rollback process.
+ // If that is not possible, rolls back with a full powerwash.
+ ROLLBACK_AND_RESTORE_IF_POSSIBLE = 3;
+ }
+
+ // Specifies what should happen if |target_version_prefix| specifies an older
+ // version than the currently installed Chrome OS version.
+ optional RollbackToTargetVersion rollback_to_target_version = 10
+ [default = ROLLBACK_DISABLED];
+
+ // Specifies the number of Chrome milestones rollback should be allowed,
+ // starting from the stable version at any time. Setting this policy prevents
+ // firmware and kernel rollback protection to apply for at least this number
+ // of milestones.
+ optional int32 rollback_allowed_milestones = 11 [default = 0];
+
+ // Specifies the time intervals during which the device is not allowed to do
+ // automatic update checks. This is a JSON string, for details see
+ // "DeviceAutoUpdateTimeRestrictions" in policy_templates.json.
+ optional string disallowed_time_intervals = 12;
+
+ // Specifies how much of the fleet to update per day as a json
+ // string that contains a list of pairs <day, percentage>. For more
+ // details and examples, see "DeviceUpdateStagingSchedule" in
+ // policy_templates.json.
+ optional string staging_schedule = 14;
+
+ // This token is forwarded to omaha by update_engine. If it is set, omaha may
+ // serve a quick fix build identified by the token.
+ //
+ // This field is primarily used for quick fixes, but it is also used by the
+ // Hotrod team to subdivide the Stable channel into cohorts.
+ optional string device_quick_fix_build_token = 15;
+
+ // Types of channel downgrade behavior.
+ enum ChannelDowngradeBehavior {
+ // Channel downgrade behavior unspecified. Default is
+ // WAIT_FOR_VERSION_CATCH_UP.
+ CHANNEL_DOWNGRADE_BEHAVIOR_UNSPECIFIED = 0;
+ // On a channel downgrade, e.g. beta to stable, wait for the device's
+ // version to become available on the new channel. No updates happen until
+ // then. This is the default.
+ WAIT_FOR_VERSION_CATCH_UP = 1;
+ // Roll back and reset the device on a channel downgrade. This does a full
+ // powerwash and tries to preserve wifi and enrollment.
+ ROLLBACK = 2;
+ // Allow the user to decide whether to wait or roll back and reset on a
+ // user-initiated channel downgrade.
+ ALLOW_USER_TO_CONFIGURE = 3;
+ }
+
+ // Specifies what should happen if the device channel is downgraded.
+ optional ChannelDowngradeBehavior channel_downgrade_behavior = 16
+ [default = WAIT_FOR_VERSION_CATCH_UP];
+
+ // |target_version_selector| is forwarded as the "targetversionselector"
+ // attribute to Omaha and is used by it if for minor version pinning. The
+ // field is not and shall not be processed by the client.
+ optional string target_version_selector = 17;
+}
+
+message OBSOLETE_StartUpUrlsProto {
+ // Specifies the URLs to be loaded on login to the anonymous account used if
+ // the device is in RETAIL mode.
+ repeated string OBSOLETE_start_up_urls = 1 [deprecated = true];
+}
+
+message SystemTimezoneProto {
+ // Specifies an owner-determined timezone that applies to the login screen and
+ // all users. Valid values are listed in "timezone_settings.cc". Additionally,
+ // timezones from the "IANA Time Zone Database" (e.g. listed on wikipedia)
+ // that are equivalent to one of the timezones in "timezone_settings.cc" are
+ // valid. In case of an invalid value, the setting is still activated with a
+ // fallback timezone (currently "GMT"). In case of an empty string or if no
+ // value is provided, the timezone device setting is inactive. In that case,
+ // the currently active timezone will remain in use however users can change
+ // the timezone and the change is persistent. Thus a change by one user
+ // affects the login-screen and all other users.
+ optional string timezone = 1;
+
+ // This allows domain administrators to control the timezone settings for
+ // their devices.
+ enum AutomaticTimezoneDetectionType {
+ USERS_DECIDE = 0;
+ DISABLED = 1;
+ IP_ONLY = 2;
+ SEND_WIFI_ACCESS_POINTS = 3;
+ SEND_ALL_LOCATION_INFO = 4;
+ }
+
+ optional AutomaticTimezoneDetectionType timezone_detection_type = 2;
+}
+
+message SystemUse24HourClockProto {
+ // Specifies an owner-determined clock format that applies to the login
+ // screen and is used as a default for all user sessions. Users can still
+ // override the format to use for their account.
+ //
+ // True and false select a 24 and 12 hour clock format, respectively. The
+ // default format for the case the setting is not present is 24 hour clock.
+ optional bool use_24hour_clock = 1;
+}
+
+// Parameters for Kiosk App device-local accounts.
+message KioskAppInfoProto {
+ // Indicates the Kiosk App for the corresponding device-local account. The
+ // string value should be a valid 32-character Chrome App identifier and
+ // specifies the Kiosk App to download and run.
+ optional string app_id = 1;
+
+ // Optional extension update URL to download the Kiosk App package from. If
+ // not specified, the app will be downloaded from the standard Chrome Web
+ // Store update URL.
+ optional string update_url = 2;
+}
+
+// Describes which Android application is to be launched.
+message AndroidKioskAppInfoProto {
+ // Package name (must be present).
+ // In the event this is the only field that is specified, runtime may use
+ // PackageManager.getLaunchIntentForPackage() to start the app. See
+ // https://developer.android.com/reference/android/content/pm/PackageManager.html
+ // Example of the package name: "com.android.camera". Do not include "app:"
+ // prefix in the package name.
+ optional string package_name = 1;
+
+ // Class name (optional). If present, class name is to be combined with
+ // package name to form a ComponentName. See
+ // https://developer.android.com/reference/android/content/ComponentName.html
+ optional string class_name = 2;
+
+ // Action (optional). The third parameter required for creating an Intent.
+ // If omitted, runtime may choose a reasonable default action
+ // (e.g. android.intent.action.MAIN).
+ // If package and action are specified, but not the class name, runtime may
+ // use PackageManager.queryIntentActivity() to find out the class name.
+ optional string action = 3;
+
+ // Display name (optional).
+ // User-friendly app name that should be used in Chrome UI where kiosk app
+ // name is shown. Chrome side could override the string with an updated
+ // value that it will get from Google Play when the app will be installed.
+ optional string display_name = 4;
+}
+
+// Parameters for Web App-based device local accounts.
+message WebKioskAppInfoProto {
+ // Install url (must be present).
+ // In case it is the only field provided, title and icon will be deduced
+ // during first app launch.
+ optional string url = 1;
+
+ // Title (optional).
+ // User-friendly app name that should be used in Chrome UI where kiosk app
+ // name is shown. Chrome side could override the string with an updated
+ // value that it will get during actual app launch.
+ optional string title = 2;
+
+ // Icon url (optional).
+ // Is not used in the current Implementation. Will be used instead of the
+ // placeholder icon that is displayed before the first successful app
+ // launch.
+ optional string icon_url = 3;
+}
+
+// Describes a single device-local account.
+message DeviceLocalAccountInfoProto {
+ // Deprecated: Account identifier for a public session device-local account.
+ // Old code didn't have the |type| field, so it can't handle new types of
+ // device-local accounts gracefully (i.e. ignoring unsupported types). New
+ // code should instead set type to ACCOUNT_TYPE_PUBLIC_SESSION and write the
+ // identifier to the |account_id| field below. If the |type| field is present,
+ // |deprecated_public_session_id| will be ignored.
+ optional string deprecated_public_session_id = 1;
+
+ // Identifier for the device-local account. This is an opaque identifier that
+ // is used to distinguish different device-local accounts configured. All
+ // configured accounts on a device must have unique identifiers.
+ optional string account_id = 2;
+
+ // LINT.IfChange
+ // Indicates the type of device-local account.
+ enum AccountType {
+ // A login-less, policy-configured browsing session.
+ ACCOUNT_TYPE_PUBLIC_SESSION = 0;
+ // An account that serves as a container for a single full-screen
+ // Chrome app.
+ ACCOUNT_TYPE_KIOSK_APP = 1;
+ // An account that serves as a container for a single full-screen
+ // Android app.
+ ACCOUNT_TYPE_KIOSK_ANDROID_APP = 2;
+ // SAML public session account
+ ACCOUNT_TYPE_SAML_PUBLIC_SESSION = 3;
+ // Web App.
+ ACCOUNT_TYPE_WEB_KIOSK_APP = 4;
+ }
+ // Should keep ChromeServletUtil.toDimensionAccountType logic in sync with
+ // AccountType enum.
+ // LINT.ThenChange(//depot/google3/java/com/google/chrome/cros/dmserver/chrome/ChromeServletUtil.java)
+
+ // The account type.
+ optional AccountType type = 3;
+
+ // Kiosk App parameters, relevant if |type| is ACCOUNT_TYPE_KIOSK_APP.
+ optional KioskAppInfoProto kiosk_app = 4;
+
+ // Kiosk App parameters, relevant if |type| is ACCOUNT_TYPE_KIOSK_ANDROID_APP
+ optional AndroidKioskAppInfoProto android_kiosk_app = 5;
+
+ // Web Kiosk App parameters, relevant if |type| is ACCOUNT_TYPE_WEB_KIOSK_APP
+ optional WebKioskAppInfoProto web_kiosk_app = 6;
+}
+
+message DeviceLocalAccountsProto {
+ // The list of device-local accounts (i.e. accounts without an associated
+ // cloud-backed profile) that are available on the device.
+ repeated DeviceLocalAccountInfoProto account = 1;
+
+ // The identifier of the device-local account to which the device
+ // should be logged in automatically. Should be equal to one of the
+ // ids in DeviceLocalAccountInfoProto.
+ optional string auto_login_id = 2;
+
+ // The amount of time, in milliseconds, that should elapse at the signin
+ // screen without user interaction before automatically logging in.
+ optional int64 auto_login_delay = 3;
+
+ // Whether the keyboard shortcut to prevent zero-delay auto-login should be
+ // enabled or not. By default, the user has 3 seconds to press a shortcut
+ // to prevent auto-login, which is useful to sign-in to a regular user session
+ // and configure the machine. If this policy is set to false then this
+ // shortcut is disabled and there is no way to skip auto-login.
+ optional bool enable_auto_login_bailout = 4 [default = true];
+
+ // Whether network configuration should be offered or not when the device
+ // does not have access to the Internet. If the policy is omitted or set to
+ // true, the network configuration will be offered. Otherwise, only an error
+ // message is displayed.
+ // Note: If both this policy and enable_auto_login_bailout policy above is
+ // set to false, there are chances that the device might become totally
+ // unusable when there is no Internet access and has to go through the
+ // recovery process.
+ // If the device is offline at startup then the network configuration screen
+ // is always shown, before auto-login kicks in.
+ optional bool prompt_for_network_when_offline = 5 [default = true];
+}
+
+message ManagedGuestSessionPrivacyWarningsProto {
+ // Enable the privacy warnings on both; the login screen of the managed-guest
+ // session & inside the auto-launched managed-guest sessions.
+ // If this policy is set to false, all the privacy warnings are deactivated.
+ // If it's set to true or not set, then the privacy warnings will be shown by
+ // default.
+ optional bool enabled = 1 [default = true];
+}
+
+message AllowRedeemChromeOsRegistrationOffersProto {
+ // Chrome OS Registration service provides way for chromeos device users
+ // to redeem electronic offers provided by service provider.
+ // This value determines if users are allowed to redeem offers through
+ // Chrome OS Registration service.
+ optional bool allow_redeem_offers = 1 [default = true];
+}
+
+message FeatureFlagsProto {
+ // Specifies switches that should be passed to Google Chrome when it starts.
+ // The specified switches are applied on the login screen only. Switches set
+ // via this policy do not propagate into user sessions.
+ // This is deprecated because it turned out that storing raw switches is
+ // problematic since Chrome can't easily tie switches back to feature flags to
+ // validate them. The |feature_flags| field below works in terms of feature
+ // flag names (i.e. chrome://flags items) instead and supersedes |switches|.
+ repeated string switches = 1 [deprecated = true];
+
+ // Specifies feature flags (i.e. chrome://flags items) that should be enabled
+ // when Chrome starts. The format of the individual entries matches the format
+ // chrome://flags uses for internal bookkeeping, i.e. either the flag name as
+ // listed on chrome://flags (for flags that only have a single choice besides
+ // the default) or the flag name followed by the index of the chosen option,
+ // separated by an '@' character (for flags with multiple choices). The
+ // specified feature flags are applied on the login screen only and don't
+ // propagate into the user session.
+ repeated string feature_flags = 2;
+}
+
+message UptimeLimitProto {
+ // This has been replaced by |uptime_limit| below.
+ optional int64 OBSOLETE_uptime_limit = 1 [deprecated = true];
+
+ // Sets the length of device uptime after which an automatic reboot is
+ // scheduled. An automatic reboot is scheduled at the selected time but may be
+ // delayed on the device by up to 24 hours, e.g. if a user is currently using
+ // the device or an app/extension has requested reboots to be inhibited
+ // temporarily. The policy value should be specified in seconds.
+ //
+ // Note: Currently, automatic reboots are only enabled while the login screen
+ // is being shown or a kiosk app session is in progress. This will change in
+ // the future and the policy will always apply, regardless of whether a
+ // session of any particular type is in progress or not.
+ optional int64 uptime_limit = 2;
+}
+
+message VariationsParameterProto {
+ // The string for the restrict parameter to be appended to the Variations URL
+ // when pinging the Variations server.
+ optional string parameter = 1;
+}
+
+message AttestationSettingsProto {
+ // Attestation involves proving that a cryptographic key is protected by a
+ // legitimate Chrome OS TPM and reporting the operating mode of the platform.
+ // This setting enables enterprise attestation features at a device level. If
+ // this is enabled a machine key will be generated and certified by the Chrome
+ // OS CA. If this setting is disabled, even users with attestation settings
+ // enabled will not be able to use those features on the device.
+ optional bool attestation_enabled = 1 [default = false];
+
+ // Chrome OS devices can use remote attestation (Verified Access) to get a
+ // certificate issued by the Chrome OS CA that asserts the device is eligible
+ // to play protected content. This process involves sending hardware
+ // endorsement information to the Chrome OS CA which uniquely identifies the
+ // device. This setting allows this feature to be disabled for the device
+ // regardless of any user-specific settings.
+ optional bool content_protection_enabled = 2 [default = true];
+}
+
+message AccessibilitySettingsProto {
+ // Sets the default state of the following accessibility features on the login
+ // screen:
+ //
+ // 1) Large cursor: login_screen_default_large_cursor_enabled
+ // 2) Spoken feedback: login_screen_default_spoken_feedback_enabled
+ // 3) High contrast: login_screen_default_high_contrast_enabled
+ // 4) Screen magnifier: login_screen_default_screen_magnifier_type
+ // 5) Virtual keyboard: login_screen_default_virtual_keyboard_enabled
+ //
+ // Each acts as follows: If the corresponding policy is set to true, the
+ // associated accessibility feature will be enabled when the login screen is
+ // shown. If this policy is set to false, the accessibility feature will be
+ // disabled when the login screen is shown. Users can temporarily override
+ // this setting by enabling or disabling the corresponding accessibiilty
+ // feature. However, the user's choice is not persistent and the default is
+ // restored whenever the login screen is shown anew or the user remains idle
+ // on the login screen for a minute. If this policy is left unset, the
+ // corresponding accessibiilty feature is disabled when the login screen is
+ // first shown. Users can enable or disable the corresponding accessibiilty
+ // feature anytime and its status on the login screen is persisted between
+ // users.
+
+ optional bool login_screen_default_large_cursor_enabled = 1;
+ optional bool login_screen_default_spoken_feedback_enabled = 2;
+ optional bool login_screen_default_high_contrast_enabled = 3;
+
+ // Enumerates the screen magnifier types.
+ enum ScreenMagnifierType {
+ // Screen magnifier disabled.
+ SCREEN_MAGNIFIER_TYPE_NONE = 0;
+ // Full-screen magnifier enabled.
+ SCREEN_MAGNIFIER_TYPE_FULL = 1;
+ }
+ optional ScreenMagnifierType login_screen_default_screen_magnifier_type = 4;
+
+ optional bool login_screen_default_virtual_keyboard_enabled = 5;
+
+ // Sets the mandatory or default state, depending on the PolicyOptions, of the
+ // following accessibility features on the login screen:
+ //
+ // 1) Large cursor: login_screen_large_cursor_enabled
+ // PolicyOptions: login_screen_large_cursor_enabled_options
+ // 2) Spoken feedback: login_screen_spoken_feedback_enabled
+ // PolicyOptions: login_screen_spoken_feedback_enabled_options
+ // 3) High contrast: login_screen_high_contrast_enabled
+ // PolicyOptions: login_screen_high_contrast_enabled_options
+ // 4) Virtual keyboard: login_screen_virtual_keyboard_enabled
+ // PolicyOptions: login_screen_virtual_keyboard_enabled_options
+ // 5) Dictation: login_screen_dictation_enabled
+ // PolicyOptions: login_screen_dictation_enabled_options
+ // 6) Select to speak: login_screen_select_to_speak_enabled
+ // PolicyOptions: login_screen_select_to_speak_enabled_options
+ // 7) Cursor highlight: login_screen_cursor_highlight_enabled
+ // PolicyOptions: login_screen_cursor_highlight_enabled_options
+ // 8) Caret highlight: login_screen_caret_highlight_enabled
+ // PolicyOptions: login_screen_caret_highlight_enabled_options
+ // 9) Mono audio: login_screen_mono_audio_enabled
+ // PolicyOptions: login_screen_mono_audio_enabled_options
+ // 10) Autoclick: login_screen_autoclick_enabled
+ // PolicyOptions: login_screen_autoclick_enabled_options
+ // 11) Sticky keys: login_screen_sticky_keys_enabled
+ // PolicyOptions: login_screen_sticky_keys_enabled_options
+ // 12) Keyboard focus highlight: login_screen_keyboard_focus_highlight_enabled
+ // PolicyOptions: login_screen_keyboard_focus_highlight_enabled_options
+ // 13) Screen magnifier: login_screen_screen_magnifier_type
+ // PolicyOptions: login_screen_screen_magnifier_type_options
+ // 14) Show options in system tray menu:
+ // login_screen_show_options_in_system_tray_menu_enabled
+ // PolicyOptions: login_screen_sticky_keys_enabled_options
+ // 15) Accessibility shortcuts: login_screen_shortcuts_enabled
+ // PolicyOptions: login_screen_shortcuts_enabled_options
+ //
+ // For all the aforementioned accessibility policies:
+ // - If this policy is set to true, the accessibility feature will be enabled
+ // when the login screen is shown.
+ // - If the policy is set to false, the accessibility feature will be
+ // disabled when the login screen is shown.
+ // - If the policy is left unset, the accessibility feature is disabled when
+ // the login screen is first shown.
+ // - If the PolicyOptions is set to mandatory, the user won't be able
+ // to change these settings.
+ // - If the PolicyOptions is set to recommended, the user can temporarily
+ // override this setting by enabling or disabling the accessibility feature.
+ // However, the user's choice is not persistent and the default is restored
+ // whenever the login screen is shown anew or the user remains idle on the
+ // login screen for a minute. Users can enable or disable the accessibility
+ // feature anytime and its status on the login screen is persisted between
+ // users.
+
+ optional bool login_screen_large_cursor_enabled = 6;
+ optional PolicyOptions login_screen_large_cursor_enabled_options = 7;
+
+ optional bool login_screen_spoken_feedback_enabled = 8;
+ optional PolicyOptions login_screen_spoken_feedback_enabled_options = 9;
+
+ optional bool login_screen_high_contrast_enabled = 10;
+ optional PolicyOptions login_screen_high_contrast_enabled_options = 11;
+
+ optional bool login_screen_virtual_keyboard_enabled = 12;
+ optional PolicyOptions login_screen_virtual_keyboard_enabled_options = 13;
+
+ optional bool login_screen_dictation_enabled = 14;
+ optional PolicyOptions login_screen_dictation_enabled_options = 15;
+
+ optional bool login_screen_select_to_speak_enabled = 16;
+ optional PolicyOptions login_screen_select_to_speak_enabled_options = 17;
+
+ optional bool login_screen_cursor_highlight_enabled = 18;
+ optional PolicyOptions login_screen_cursor_highlight_enabled_options = 19;
+
+ optional bool login_screen_caret_highlight_enabled = 20;
+ optional PolicyOptions login_screen_caret_highlight_enabled_options = 21;
+
+ optional bool login_screen_mono_audio_enabled = 22;
+ optional PolicyOptions login_screen_mono_audio_enabled_options = 23;
+
+ optional bool login_screen_autoclick_enabled = 24;
+ optional PolicyOptions login_screen_autoclick_enabled_options = 25;
+
+ optional bool login_screen_sticky_keys_enabled = 26;
+ optional PolicyOptions login_screen_sticky_keys_enabled_options = 27;
+
+ optional bool login_screen_keyboard_focus_highlight_enabled = 28;
+ optional PolicyOptions login_screen_keyboard_focus_highlight_enabled_options =
+ 29;
+
+ optional int64 login_screen_screen_magnifier_type = 30;
+ optional PolicyOptions login_screen_screen_magnifier_type_options = 31;
+
+ optional bool login_screen_show_options_in_system_tray_menu_enabled = 32;
+ optional PolicyOptions
+ login_screen_show_options_in_system_tray_menu_enabled_options = 33;
+
+ optional bool login_screen_shortcuts_enabled = 34;
+ optional PolicyOptions login_screen_shortcuts_enabled_options = 35;
+}
+
+message OBSOLETE_SupervisedUsersSettingsProto {
+ // Defines whether supervised users can be created on the device.
+ optional bool OBSOLETE_supervised_users_enabled = 1 [deprecated = true];
+}
+
+message LoginScreenPowerManagementProto {
+ // Configures power management on the login screen. The policy should be
+ // specified as a string that expresses the individual settings in JSON
+ // format, conforming to the following schema:
+ // {
+ // "type": "object",
+ // "properties": {
+ // "AC": {
+ // "description": "Power management settings applicable only when
+ // running on AC power",
+ // "type": "object",
+ // "properties": {
+ // "Delays": {
+ // "type": "object",
+ // "properties": {
+ // "ScreenDim": {
+ // "description": "The length of time without user input after
+ // which the screen is dimmed, in milliseconds",
+ // "type": "integer",
+ // "minimum": 0
+ // },
+ // "ScreenOff": {
+ // "description": "The length of time without user input after
+ // which the screen is turned off, in
+ // milliseconds",
+ // "type": "integer",
+ // "minimum": 0
+ // },
+ // "Idle": {
+ // "description": "The length of time without user input after
+ // which the idle action is taken, in
+ // milliseconds",
+ // "type": "integer",
+ // "minimum": 0
+ // }
+ // }
+ // },
+ // "IdleAction": {
+ // "description": "Action to take when the idle delay is reached",
+ // "enum": [ "Suspend", "Shutdown", "DoNothing" ]
+ // }
+ // }
+ // },
+ // "Battery": {
+ // "description": "Power management settings applicable only when
+ // running on battery power",
+ // "type": "object",
+ // "properties": {
+ // "Delays": {
+ // "type": "object",
+ // "properties": {
+ // "ScreenDim": {
+ // "description": "The length of time without user input after
+ // which the screen is dimmed, in milliseconds",
+ // "type": "integer",
+ // "minimum": 0
+ // },
+ // "ScreenOff": {
+ // "description": "The length of time without user input after
+ // which the screen is turned off, in
+ // milliseconds",
+ // "type": "integer",
+ // "minimum": 0
+ // },
+ // "Idle": {
+ // "description": "The length of time without user input after
+ // which the idle action is taken, in
+ // milliseconds",
+ // "type": "integer",
+ // "minimum": 0
+ // }
+ // }
+ // },
+ // "IdleAction": {
+ // "description": "Action to take when the idle delay is reached",
+ // "enum": [ "Suspend", "Shutdown", "DoNothing" ]
+ // }
+ // }
+ // },
+ // "LidCloseAction": {
+ // "description": "Action to take when the lid is closed",
+ // "enum": [ "Suspend", "Shutdown", "DoNothing" ]
+ // },
+ // "UserActivityScreenDimDelayScale": {
+ // "description": "Percentage by which the screen dim delay is scaled
+ // when user activity is observed while the screen is
+ // dimmed or soon after the screen has been turned off",
+ // "type": "integer",
+ // "minimum": 0
+ // }
+ // }
+ // }
+ optional string login_screen_power_management = 1;
+}
+
+message AutoCleanupSettigsProto {
+ // Deprecated. There is only one disk-full cleanup strategy: LRU.
+ optional string clean_up_strategy = 1;
+}
+
+// Settings that control low-level functions of the system.
+message SystemSettingsProto {
+ // Whether developer mode is allowed on the device. If the device owner sets
+ // this flag to true, the system will refuse to boot and show an error screen
+ // when the developer switch is turned on.
+ optional bool block_devmode = 1;
+}
+
+// Settings that control login for SAML users.
+message SAMLSettingsProto {
+ // Whether cookies set by a SAML IdP should be transferred to users' profiles
+ // every time a user authenticates via SAML during login. If false, cookies
+ // are transferred during each user's first login only.
+ optional bool transfer_saml_cookies = 1;
+}
+
+message RebootOnShutdownProto {
+ // Determines whether the device automatically reboots whenever the user shuts
+ // it down. If this flag is set to true, shutdown is forbidden and UI elements
+ // trigger a device reboot instead of a power off. This policy affects
+ // shutdowns triggered from the UI only. If the user shuts down the device
+ // using the power button, it will not automatically reboot, even if the
+ // policy is enabled.
+ optional bool reboot_on_shutdown = 1 [default = false];
+}
+
+// Settings that control whether a device would send heartbeat messages to GCM,
+// and how frequently to send these.
+message DeviceHeartbeatSettingsProto {
+ // Whether the device should send heartbeat messages. The default is false.
+ optional bool heartbeat_enabled = 1 [default = false];
+
+ // How frequently devices send heartbeats back to server. The unit is in
+ // milliseconds. The default is 2 minutes.
+ optional int64 heartbeat_frequency = 2 [default = 120000];
+}
+
+message ExtensionCacheSizeProto {
+ // Specifies the maximum extension cache size, in bytes. The default is 256
+ // MiB. The minimum allowed value is 1 MiB, smaller values will get ignored.
+ optional int64 extension_cache_size = 1;
+}
+
+message LoginScreenDomainAutoCompleteProto {
+ // If this policy is not configured or set to a blank string,
+ // no autocomplete option during user sign-in flow will be shown.
+ // If this policy is set to a string representing a domain name, an
+ // autocomplete option during user sign-in will be shown allowing the user
+ // to type in only their user name without the domain name extension. The user
+ // will be able to overwrite this domain name extension.
+ optional string login_screen_domain_auto_complete = 1;
+}
+
+// Settings that control whether a device would send system logs to the server.
+message DeviceLogUploadSettingsProto {
+ // Whether the device should send system logs. The default is false.
+ optional bool system_log_upload_enabled = 1 [default = false];
+}
+
+// This setting is controlled by the device policy DisplayRotationDefault.
+// If the policy is set and therefore display_rotation_default contains a value,
+// all displays will be rotated clockwise to the specified orientation at
+// reboot, when first connected, or when the setting is changed.
+// If the optional field |Rotation display_rotation_default = 1| is not present,
+// no changes are done to the rotation.
+message DisplayRotationDefaultProto {
+ // This enum corresponds to gfx::Display::Rotation in ui/gfx/display.h.
+ enum Rotation {
+ ROTATE_0 = 0;
+ ROTATE_90 = 1;
+ ROTATE_180 = 2;
+ ROTATE_270 = 3;
+ }
+ optional Rotation display_rotation_default = 1;
+}
+
+// This setting is controlled by the device policy
+// DeviceLoginScreenPrivacyScreenEnabled.
+message DeviceLoginScreenPrivacyScreenEnabledProto {
+ optional bool enabled = 1 [default = false];
+}
+
+// This setting is configured by the device policy DeviceDisplayResolution.
+// If |device_display_resolution| contains a value, then it's treated as a JSON
+// object that uses the schema defined for DeviceDisplayResolution policy.
+// Example of the policy value:
+// {
+// "external_width": 1920,
+// "external_height": 1080,
+// "external_scale_percentage": 50,
+// "internal_scale_percentage": 150,
+// "recommended": true
+// }
+// It sets a 1920x1080 display mode for any external displays and
+// scales them to 50%, also scales the built-in display to 150%.
+// If "recommended" flag is set to true, user is able to override
+// any settings via the settings page.
+message DeviceDisplayResolutionProto {
+ optional string device_display_resolution = 1;
+}
+
+// Settings that control whether to allow Chrome to be pinned to a specific
+// version according to the auto-launched kiosk app’s requirement.
+message AllowKioskAppControlChromeVersionProto {
+ optional bool allow_kiosk_app_control_chrome_version = 1 [default = false];
+}
+
+// Settings that control the flow of the login authentication to be either via
+// GAIA (default), or via an interstitial screen that can redirect to a SAML IdP
+// endpoint or return back to the default GAIA flow.
+message LoginAuthenticationBehaviorProto {
+ enum LoginBehavior {
+ GAIA = 0;
+ SAML_INTERSTITIAL = 1;
+ }
+
+ optional LoginBehavior login_authentication_behavior = 1 [default = GAIA];
+}
+
+// Identifiers of a USB device or device family.
+message UsbDeviceIdProto {
+ // USB Vendor Identifier (aka idVendor).
+ optional int32 vendor_id = 1;
+ // USB Product Identifier (aka idProduct).
+ optional int32 product_id = 2;
+}
+
+// This setting contains the list of USB devices to detach from the kernel
+// drivers in order to use them in web applications.
+// The list is used by the permission_broker daemon.
+message UsbDetachableWhitelistProto {
+ repeated UsbDeviceIdProto id = 1;
+}
+
+// Identifiers of a USB device or device family.
+message UsbDeviceIdInclusiveProto {
+ // USB Vendor Identifier (aka idVendor).
+ optional int32 vendor_id = 1;
+ // USB Product Identifier (aka idProduct).
+ optional int32 product_id = 2;
+}
+
+// This setting contains the list of USB devices to detach from the kernel
+// drivers in order to use them in web applications.
+// The list is used by the permission_broker daemon.
+message UsbDetachableAllowlistProto {
+ repeated UsbDeviceIdInclusiveProto id = 1;
+}
+
+message AllowBluetoothProto {
+ // Policy which controls whether Bluetooth is available.
+ optional bool allow_bluetooth = 1 [default = true];
+}
+
+message DeviceWiFiAllowedProto {
+ // Policy which controls the ability to connect to wireless networks.
+ optional bool device_wifi_allowed = 1 [default = true];
+}
+
+// Settings that control whether a device can download hardware configuration
+// files from the Quirks Server.
+message DeviceQuirksDownloadEnabledProto {
+ optional bool quirks_download_enabled = 1;
+}
+
+// A list of security origins for SAML login pages that are allowed to
+// access the webcam. No login pages will be allowed to access the
+// webcam if the list is empty.
+message LoginVideoCaptureAllowedUrlsProto {
+ repeated string urls = 1;
+}
+
+// Settings that control whether a device can connect to a 802.11r enabled
+// WiFi network.
+message DeviceWiFiFastTransitionEnabledProto {
+ optional bool device_wifi_fast_transition_enabled = 1;
+}
+
+message NetworkThrottlingEnabledProto {
+ optional bool enabled = 1 [default = false];
+ optional int32 upload_rate_kbits = 2 [default = 0];
+ optional int32 download_rate_kbits = 3 [default = 0];
+}
+
+// A list of apps or extensions to install from the webstore on the login page.
+// It is a list of strings, each string contains an extension ID and an update
+// URL, delimited by a semicolon.
+message DeviceLoginScreenExtensionsProto {
+ repeated string device_login_screen_extensions = 1;
+}
+
+// A list of allowed locales on the login screen.
+message LoginScreenLocalesProto {
+ repeated string login_screen_locales = 1;
+}
+
+// A list of allowed input methods on the login screen.
+message LoginScreenInputMethodsProto {
+ repeated string login_screen_input_methods = 1;
+}
+
+// The url and hash specified in JSON format that can be used to set the
+// device-level wallpaper on the login screen before any user logs in.
+message DeviceWallpaperImageProto {
+ optional string device_wallpaper_image = 1;
+}
+
+// Migration strategy for the case when ARC(N+) needs the ext4 encryption while
+// the device used ecryptfs in the past.
+message DeviceEcryptfsMigrationStrategyProto {
+ enum MigrationStrategy {
+ // Default value, unspecified.
+ UNSET = 0;
+ // ARC is not allowed, no data migration needed.
+ DISALLOW_ARC = 1;
+ // The data migration is allowed, opening the possibility to use ARC.
+ ALLOW_MIGRATION = 2;
+ }
+
+ optional MigrationStrategy migration_strategy = 1;
+}
+
+// This setting controls how the on-board secure element hardware can be used
+// to provide a second-factor authentication in addition to the TPM
+// functionality.
+message DeviceSecondFactorAuthenticationProto {
+ enum U2fMode {
+ // Default value, unspecified.
+ UNSET = 0;
+ // Feature disabled.
+ DISABLED = 1;
+ // U2F as defined by the FIDO Alliance specification:
+ // https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915.zip
+ U2F = 2;
+ // U2F plus extensions for individual attestation certificate.
+ U2F_EXTENDED = 3;
+ }
+
+ optional U2fMode mode = 1;
+}
+
+message CastReceiverNameProto {
+ // The name advertised as a Google Cast destination by the device,
+ // up to 24 characters. If the name is empty, the device name will
+ // be used.
+ optional string name = 1;
+}
+
+// Day of the week and time in milliseconds since the start of the day.
+message WeeklyTimeProto {
+ enum DayOfWeek {
+ DAY_OF_WEEK_UNSPECIFIED = 0;
+ MONDAY = 1;
+ TUESDAY = 2;
+ WEDNESDAY = 3;
+ THURSDAY = 4;
+ FRIDAY = 5;
+ SATURDAY = 6;
+ SUNDAY = 7;
+ }
+ // Day of week.
+ optional DayOfWeek day_of_week = 1;
+ // Time of day in milliseconds from beginning of the day.
+ optional int32 time = 2;
+}
+
+// Start and end of an interval represented by WeeklyTimes
+message WeeklyTimeIntervalProto {
+ optional WeeklyTimeProto start = 1;
+ optional WeeklyTimeProto end = 2;
+}
+
+// Allow less restricted using of Chromebooks that are managed by school,
+// while the device is not at school ("OffHours").
+message DeviceOffHoursProto {
+ // List of intervals when ignored policies are not applied. These intervals
+ // are in the timezone specified by the timezone string.
+ repeated WeeklyTimeIntervalProto intervals = 1;
+ // Timezone in the same format as SystemTimezoneProto.timezone.
+ optional string timezone = 2;
+ // List of policy proto tags which settings are ignored during OffHours
+ // mode. List contains policy proto tags from ChromeDeviceSettingsProto
+ // (i.e. proto tag = 1 means device_policy_refresh_rate policy).
+ // Proto tags are used because they are consistent identifiers.
+ // During OffHoursMode default settings of ignored policies are used.
+ repeated int32 ignored_policy_proto_tags = 3;
+}
+
+// The url and hash specified in JSON format that can be used to retrieve
+// the device-level printers configuration file.
+message DeviceNativePrintersProto {
+ // External policy blob encoded as JSON.
+ optional string external_policy = 1;
+}
+
+// The policy which determines the type of access restriction that is applied to
+// the devicel-level printers list.
+message DeviceNativePrintersAccessModeProto {
+ enum AccessMode {
+ ACCESS_MODE_BLACKLIST = 0; // Use NatvePrintersBlacklistProto.
+ ACCESS_MODE_WHITELIST = 1; // Use NaviePrintersWhitelistProto.
+ ACCESS_MODE_ALL = 2; // Allow access to all specified printers.
+ }
+
+ // The type of access which is applied to the device-level printer list.
+ optional AccessMode access_mode = 1;
+}
+
+// A collection of ids defining the printers which are explicitly disallowed for
+// the device.
+message DeviceNativePrintersBlacklistProto {
+ // A collection of ids for which are explicitly disallowed.
+ repeated string blacklist = 1;
+}
+
+// A collection of ids defining the printers which are explicitly allowed for
+// the device.
+message DeviceNativePrintersWhitelistProto {
+ // A collection of ids for the list of printers which are accessible.
+ repeated string whitelist = 1;
+}
+
+// The url and hash specified in JSON format that can be used to retrieve
+// the device-level printers configuration file.
+message DevicePrintersProto {
+ // External policy blob encoded as JSON.
+ optional string external_policy = 1;
+}
+
+// A collection of ids for the list of print servers which are accessible.
+// The policy which determines the type of access restriction that is applied to
+// the devicel-level printers list.
+message DevicePrintersAccessModeProto {
+ enum AccessMode {
+ ACCESS_MODE_BLOCKLIST = 0; // Use DevicePrintersBlocklistProto.
+ ACCESS_MODE_ALLOWLIST = 1; // Use DevicePrintersAllowlistProto.
+ ACCESS_MODE_ALL = 2; // Allow access to all specified printers.
+ }
+
+ // The type of access which is applied to the device-level printer list.
+ optional AccessMode access_mode = 1;
+}
+
+// A collection of ids defining the printers which are explicitly disallowed for
+// the device.
+message DevicePrintersBlocklistProto {
+ // A collection of ids for which are explicitly disallowed.
+ repeated string blocklist = 1;
+}
+
+// A collection of ids defining the printers which are explicitly allowed for
+// the device.
+message DevicePrintersAllowlistProto {
+ // A collection of ids for the list of printers which are accessible.
+ repeated string allowlist = 1;
+}
+
+// The url and hash specified in JSON format that can be used to retrieve
+// the device-level external print servers configuration file.
+message DeviceExternalPrintServersProto {
+ // External policy blob encoded as JSON.
+ optional string external_policy = 1;
+}
+
+// A collection of ids defining the external print servers which are explicitly
+// allowed for the device.
+message DeviceExternalPrintServersAllowlistProto {
+ // A collection of ids for the list of print servers which are accessible.
+ repeated string allowlist = 1;
+}
+
+// Settings to control the behavior of the TPM firmware update functionality.
+message TPMFirmwareUpdateSettingsProto {
+ // Whether the user is allowed to invoke the update via powerwash. This flow
+ // performs a powerwash operation (which implies a TPM clear), followed by
+ // installation of the TPM firmware update. As a result of the powerwash, all
+ // writable data on the device will be cleared.
+ optional bool allow_user_initiated_powerwash = 1;
+
+ // Whether the user is allowed to invoke a variant of the update flow that
+ // clears the TPM to install the firmware update, but preserves device-wide
+ // state (including enrollment). User data will not be preserved in this flow.
+ optional bool allow_user_initiated_preserve_device_state = 2;
+
+ enum AutoUpdateMode {
+ // No value set. Default is NEVER.
+ AUTO_UPDATE_MODE_UNSPECIFIED = 0;
+ // Don't auto update TPM firmware.
+ NEVER = 1;
+ // Update firmware at the next reboot after user acknowledges the update.
+ USER_ACKNOWLEDGMENT = 2;
+ // Update firmware at the next reboot.
+ WITHOUT_ACKNOWLEDGMENT = 3;
+ // Update firmware after enrollment.
+ ENROLLMENT = 4;
+ }
+
+ // Controls how automatic firmware updates are enforced for vulnerable
+ // firmware. All flows preserve local device state.
+ optional AutoUpdateMode auto_update_mode = 3 [default = NEVER];
+}
+
+// Settings to control the minimum version that is allowed to sign in / stay
+// in session. This is now deprecated from M82 onwards.
+message OBSOLETE_MinimumRequiredVersionProto {
+ // Value is chrome_version string, e.g. 61.0.3163.120
+ // The client will use prefix matching to compare its version against the
+ // value of this field.
+ optional string OBSOLETE_chrome_version = 1 [deprecated = true];
+}
+
+// Specifies a list of rules to automatically select certificates on SAML IdP
+// pages on the sign-in screen.
+message DeviceLoginScreenAutoSelectCertificateForUrls {
+ // Each entry is one rule, which must be a stringified JSON dictionary.
+ // Each dictionary must have the form { "pattern": "$URL_PATTERN", "filter" :
+ // $FILTER }. $FILTER restricts from which client certificates the browser
+ // will automatically select. Independent of the filter, only certificates
+ // will be selected that match the server's certificate request. If $FILTER
+ // has the form { "ISSUER": { "CN": "$ISSUER_CN" } }, additionally only client
+ // certificates are selected that are issued by a certificate with the
+ // CommonName $ISSUER_CN. If $FILTER is the empty dictionary {}, the selection
+ // of client certificates is not additionally restricted.
+ repeated string login_screen_auto_select_certificate_rules = 1;
+}
+
+// Setting that controls whether unaffiliated users are allowed to use ARC
+// (true by default)
+message UnaffiliatedArcAllowedProto {
+ optional bool unaffiliated_arc_allowed = 1;
+}
+
+// Allowed encryption types for requesting Kerberos tickets from Active
+// Directory servers. Applies to Active Directory management mode only.
+message DeviceKerberosEncryptionTypesProto {
+ enum Types {
+ ENC_TYPES_ALL = 0; // AES + RC4_HMAC.
+ ENC_TYPES_STRONG = 1; // AES only.
+ ENC_TYPES_LEGACY = 2; // RC4_HMAC only.
+ // Next ID to use: 3
+ }
+
+ optional Types types = 1 [default = ENC_TYPES_STRONG];
+}
+
+// Specifies how user policy from device GPOs interacts with user policy from
+// user GPOs. In 'MERGE' mode, device GPOs take preference in case of conflicts.
+// Applies to Active Directory management mode only.
+message DeviceUserPolicyLoopbackProcessingModeProto {
+ enum Mode {
+ USER_POLICY_MODE_DEFAULT = 0; // Only take user policy from user GPOs.
+ USER_POLICY_MODE_MERGE = 1; // Merge device GPOs on top of user GPOs.
+ USER_POLICY_MODE_REPLACE = 2; // Only take user policy from device GPOs.
+ // Next ID to use: 3
+ }
+
+ optional Mode mode = 1 [default = USER_POLICY_MODE_DEFAULT];
+}
+
+// Specifies a list of origins. Each of the specified origins will run in its
+// own process on the sign-in screen.
+message OBSOLETE_DeviceLoginScreenIsolateOriginsProto {
+ // A comma-separated list of the origins to be run in a separate process on
+ // the sign-in screen.
+ // If the value of this policy does not match the value of the user policy
+ // IsolateOrigins, the chrome process will be restarted on user sign-in to
+ // apply the value specified by the user policy.
+ optional string OBSOLETE_isolate_origins = 1 [deprecated = true];
+}
+
+// Specifies if each site should run in its own process on the sign-in screen.
+message OBSOLETE_DeviceLoginScreenSitePerProcessProto {
+ // If true, each site will run in its own process on the sign-in screen.
+ // If the value of this policy does not match the value of the user policy
+ // SitePerProcess, the chrome process will be restarted on user sign-in to
+ // apply the value specified by the user policy.
+ optional bool OBSOLETE_site_per_process = 1 [deprecated = true];
+}
+
+// Setting to control if running virtual machines on Chrome OS is allowed.
+message VirtualMachinesAllowedProto {
+ optional bool virtual_machines_allowed = 1;
+}
+
+// Specifies if and how often Active Directory machine (computer) account
+// passwords are changed in the AuthPolicy daemon in Chrome OS.
+// Applies to Active Directory management mode only.
+message DeviceMachinePasswordChangeRateProto {
+ optional int32 rate_days = 1;
+}
+
+// Specifies how long cached Active Directory Group Policy Objects (GPOs) may be
+// reused until they are re-downloaded (a version change also forces a
+// re-download).
+// Applies to Active Directory management mode only.
+message DeviceGpoCacheLifetimeProto {
+ optional int32 lifetime_hours = 1;
+}
+
+// Specifies how long cached Active Directory authentication data may be reused
+// until it is refreshed. This can significantly speed up user authentication.
+// Applies to Active Directory management mode only.
+message DeviceAuthDataCacheLifetimeProto {
+ optional int32 lifetime_hours = 1;
+}
+
+// Setting to control the authentication type for newly added users which log in
+// via SAML.
+message SamlLoginAuthenticationTypeProto {
+ enum Type {
+ TYPE_DEFAULT = 0; // Implementation-defined default config.
+ TYPE_CLIENT_CERTIFICATE = 1; // Client certificate authentication.
+ // Next ID to use: 2
+ }
+
+ optional Type saml_login_authentication_type = 1 [default = TYPE_DEFAULT];
+}
+
+// Setting that controls whether unaffiliated users are allowed to run Crostini
+// (true by default)
+message DeviceUnaffiliatedCrostiniAllowedProto {
+ optional bool device_unaffiliated_crostini_allowed = 1;
+}
+
+// Setting that controls whether PluginVm is allowed to run on this device.
+message PluginVmAllowedProto {
+ optional bool plugin_vm_allowed = 1;
+}
+
+// Setting that specifies PluginVm license key for this device.
+message PluginVmLicenseKeyProto {
+ optional string plugin_vm_license_key = 1;
+}
+
+// Setting that controls whether the device should reboot when user sign out.
+message DeviceRebootOnUserSignoutProto {
+ enum RebootOnSignoutMode {
+ // No value set. Default is NEVER.
+ REBOOT_ON_SIGNOUT_MODE_UNSPECIFIED = 0;
+ // Do not reboot on signout.
+ NEVER = 1;
+ // Reboot on signout if an ARC session was active during the user session.
+ ARC_SESSION = 2;
+ // Always reboot on signout.
+ ALWAYS = 3;
+ // Reboot on signout if an ARC session was active or a VM was started
+ // during the user session.
+ VM_STARTED_OR_ARC_SESSION = 4;
+ }
+
+ optional RebootOnSignoutMode reboot_on_signout_mode = 1 [default = NEVER];
+}
+
+// Setting that controls whether wilco diagnostics and telemetry controller is
+// allowed on this device.
+message DeviceWilcoDtcAllowedProto {
+ optional bool device_wilco_dtc_allowed = 1;
+}
+
+// Setting that specifies wilco diagnostics and telemetry controller
+// configuration for this device.
+message DeviceWilcoDtcConfigurationProto {
+ optional string device_wilco_dtc_configuration = 1;
+}
+
+// Settings that control power peak shift policy.
+message DevicePowerPeakShiftProto {
+ // Setting that controls whether power peak shift is enabled on this device.
+ // For details see "DevicePowerPeakShiftEnabled" in policy_templates.json.
+ optional bool enabled = 1;
+
+ // Setting that controls power peak shift battery threshold on this device.
+ // For details see "DevicePowerPeakShiftBatteryThreshold" in
+ // policy_templates.json.
+ optional int32 battery_threshold = 2;
+
+ // Setting that controls power peak shift day configs on this device.
+ // This is a JSON string, for details see "DevicePowerPeakShiftDayConfig" in
+ // policy_templates.json.
+ optional string day_configs = 3;
+}
+
+// Settings that control boot on AC policy.
+message DeviceBootOnAcProto {
+ // Setting that controls whether boot on AC is enabled on this device.
+ optional bool enabled = 1;
+}
+
+// Settings that control device's dock MAC address source.
+message DeviceDockMacAddressSourceProto {
+ enum Source {
+ SOURCE_UNSPECIFIED = 0;
+ // Device's designated dock MAC address.
+ DEVICE_DOCK_MAC_ADDRESS = 1;
+ // Device's built-in NIC MAC address.
+ DEVICE_NIC_MAC_ADDRESS = 2;
+ // Dock's built-in NIC MAC address.
+ DOCK_NIC_MAC_ADDRESS = 3;
+ }
+ optional Source source = 1;
+}
+
+// Settings that control advanced battery charge mode policy.
+message DeviceAdvancedBatteryChargeModeProto {
+ // Setting that controls whether advanced battery charge mode is enabled on
+ // this device.
+ // For details see "DeviceAdvancedBatteryChargeModeEnabled" in
+ // policy_templates.json.
+ optional bool enabled = 1;
+
+ // Setting that controls advanced battery charge mode day config on this
+ // device.
+ // This is a JSON string, for details see
+ // "DeviceAdvancedBatteryChargeModeDayConfig" in policy_templates.json.
+ optional string day_configs = 2;
+}
+
+// Settings that control battery charge mode policy.
+message DeviceBatteryChargeModeProto {
+ enum BatteryChargeMode {
+ MODE_UNSPECIFIED = 0;
+ STANDARD = 1;
+ EXPRESS_CHARGE = 2;
+ PRIMARILY_AC_USE = 3;
+ ADAPTIVE = 4;
+ CUSTOM = 5;
+ }
+
+ // Setting that controls battery charge mode on this device.
+ // For details see "DeviceBatteryChargeMode" in policy_templates.json.
+ optional BatteryChargeMode battery_charge_mode = 1;
+
+ // Percent at which charging starts when using CUSTOM.
+ // For details see "DeviceBatteryChargeCustomStartCharging" in
+ // policy_templates.json.
+ optional int32 custom_charge_start = 2;
+
+ // Percent at which charging stops when using CUSTOM.
+ // For details see "DeviceBatteryChargeCustomStopCharging" in
+ // policy_templates.json.
+ optional int32 custom_charge_stop = 3;
+}
+
+// Settings that control USB power share policy.
+message DeviceUsbPowerShareProto {
+ // Setting that controls whether USB power share is enabled on this device.
+ optional bool enabled = 1;
+}
+
+// Settings that control when a device will wake up and check for updates. These
+// checks are recurring. In order to disable a set schedule the policy must be
+// removed.
+message DeviceScheduledUpdateCheckProto {
+ // This is a JSON string, for details see "DeviceScheduledUpdateCheck" in
+ // policy_templates.json.
+ optional string device_scheduled_update_check_settings = 1;
+}
+
+// Settings that control if the device is allowed to powerwash.
+message DevicePowerwashAllowedProto {
+ // Determines if powerwash is allowed on the device.
+ optional bool device_powerwash_allowed = 1;
+}
+
+// Settings that controls which devices are whitelisted for certain urls to be
+// used via the WebUSB API on the login screen.
+message DeviceLoginScreenWebUsbAllowDevicesForUrlsProto {
+ // This is a JSON string, for details see
+ // "DeviceLoginScreenWebUsbAllowDevicesForUrls" in policy_templates.json.
+ optional string device_login_screen_webusb_allow_devices_for_urls = 1;
+}
+
+// Settings that control the availability of System-proxy service and the web
+// proxy credentials for system services connecting through System-proxy.
+message SystemProxySettingsProto {
+ // This is a JSON string, for details see "SystemProxySettings" in
+ // policy_templates.json.
+ optional string system_proxy_settings = 1;
+}
+
+// Settings that control what certificates should be privisioned via DM server.
+message RequiredClientCertificateForDeviceProto {
+ // This is a JSON string, for details see
+ // "RequiredClientCertificateForDevice" in policy_templates.json.
+ optional string required_client_certificate_for_device = 1;
+}
+
+// Setting that controls whether ARC ADB sideloading is allowed for the device.
+message DeviceCrostiniArcAdbSideloadingAllowedProto {
+ enum AllowanceMode {
+ DISALLOW = 0;
+ DISALLOW_WITH_POWERWASH = 1;
+ ALLOW_FOR_AFFILIATED_USERS = 2;
+ // Next ID to use: 3
+ }
+
+ optional AllowanceMode mode = 1 [default = DISALLOW];
+}
+
+message DeviceShowLowDiskSpaceNotificationProto {
+ optional bool device_show_low_disk_space_notification = 1;
+}
+
+// Setting that controls whether all Family Link accounts are allowed on the
+// device additionally to the accounts listed in UserAllowlistProto.
+message DeviceFamilyLinkAccountsAllowedProto {
+ optional bool family_link_accounts_allowed = 1 [default = false];
+}
+
+// Setting that controls whether ARC data snapshotting is enabled for the device
+// and time intervals of updating ARC data snapshot.
+message DeviceArcDataSnapshotHoursProto {
+ // This is a JSON string, for details see
+ // "DeviceArcDataSnapshotHours" in policy_template.json
+ optional string arc_data_snapshot_hours = 1;
+}
+
+// Setting that controls whether system-wide trace collection using the Perfetto
+// system tracing service is allowed.
+message DeviceSystemWideTracingEnabledProto {
+ optional bool enabled = 1 [default = false];
+}
+
+// Setting that controls whether data access is enabled for Thunderbolt/USB4
+// peripherals. This proto is no longer being used, please use
+// DevicePciPeripheralDataAccessEnabledProtoV2.
+message DevicePciPeripheralDataAccessEnabledProto {
+ optional bool enabled = 1 [default = false];
+}
+
+// Setting that controls whether data access is enabled for Thunderbolt/USB4
+// peripherals. This replaces DevicePciPeripheralDataAccessEnabledProto. Used
+// only for the associated CrosSetting.
+message DevicePciPeripheralDataAccessEnabledProtoV2 {
+ optional bool enabled = 1;
+}
+
+// Setting that controls whether Borealis will be allowed on the device.
+message DeviceBorealisAllowedProto {
+ optional bool allowed = 1 [default = true];
+}
+
+message DeviceAllowedBluetoothServicesProto {
+ // Policy which controls which service UUID is available.
+ repeated string allowlist = 1;
+}
+
+// Policy that controls whether packet captures will be allowed on the device.
+message DeviceDebugPacketCaptureAllowedProto {
+ optional bool allowed = 1;
+}
+
+// Settings that control when a device will reboot. The reboots are
+// recurring. In order to disable scheduled reboots the policy must be
+// removed.
+message DeviceScheduledRebootProto {
+ // This is a JSON string, for details see "DeviceScheduledReboot" in
+ // policy_templates.json.
+ optional string device_scheduled_reboot_settings = 1;
+}
+
+// Setting that controls whether restricted managed guest session is enabled on
+// the device.
+message DeviceRestrictedManagedGuestSessionEnabledProto {
+ // If this policy is set to true, it will forcefully override certain
+ // policies. If it's set to false or not set, then no policies will be
+ // overridden.
+ optional bool enabled = 1 [default = false];
+}
+
+// Setting that controls whether keyboard shortcuts mapping are consistent
+// across all international keyboard layouts.
+message DeviceI18nShortcutsEnabledProto {
+ optional bool enabled = 1 [default = true];
+}
+
+// reven board collects hardware data of the device to provide relevant updates.
+// Setting that controls whether device hardware data can be also used for other
+// purposes.
+message RevenDeviceHWDataUsageEnabledProto {
+ optional bool hardware_data_usage_enabled = 1 [default = false];
+}
+
+// Controls whether Login WebUI will be explicitly loaded on start.
+// Overrides EnableLazyLoginWebUILoading feature.
+message DeviceLoginScreenWebUILazyLoadingProto {
+ optional bool enabled = 1 [default = false];
+}
+
+// Setting that controls different configurations for the Encrypted Reporting
+// Pipeline.
+message EncryptedReportingPipelineConfigurationProto {
+ // Controls overall functioning of Encrypted Reporting Pipeline: setting it to
+ // false would disable the pipeline on a device
+ optional bool enabled = 1 [default = true];
+}
+
+message ChromeDeviceSettingsProto {
+ reserved 61, 90;
+ optional DevicePolicyRefreshRateProto device_policy_refresh_rate = 1;
+ optional UserWhitelistProto user_whitelist = 2;
+ optional GuestModeEnabledProto guest_mode_enabled = 3;
+ optional OBSOLETE_DeviceProxySettingsProto device_proxy_settings = 4
+ [deprecated = true];
+ optional CameraEnabledProto camera_enabled = 5;
+ optional ShowUserNamesOnSigninProto show_user_names = 6;
+ optional DataRoamingEnabledProto data_roaming_enabled = 7;
+ optional AllowNewUsersProto allow_new_users = 8;
+ optional MetricsEnabledProto metrics_enabled = 9;
+ optional ReleaseChannelProto release_channel = 10;
+ optional DeviceOpenNetworkConfigurationProto open_network_configuration = 11;
+ optional DeviceReportingProto device_reporting = 12;
+ optional EphemeralUsersEnabledProto ephemeral_users_enabled = 13;
+ optional OBSOLETE_AppPackProto app_pack = 14 [deprecated = true];
+ optional OBSOLETE_ForcedLogoutTimeoutsProto forced_logout_timeouts = 15
+ [deprecated = true];
+ optional OBSOLETE_ScreenSaverProto login_screen_saver = 16
+ [deprecated = true];
+ optional AutoUpdateSettingsProto auto_update_settings = 17;
+ optional OBSOLETE_StartUpUrlsProto start_up_urls = 18 [deprecated = true];
+ optional OBSOLETE_PinnedAppsProto pinned_apps = 19 [deprecated = true];
+ optional SystemTimezoneProto system_timezone = 20;
+ optional DeviceLocalAccountsProto device_local_accounts = 21;
+ optional AllowRedeemChromeOsRegistrationOffersProto allow_redeem_offers = 22;
+ optional FeatureFlagsProto feature_flags = 23;
+ optional UptimeLimitProto uptime_limit = 24;
+ optional VariationsParameterProto variations_parameter = 25;
+ optional AttestationSettingsProto attestation_settings = 26;
+ optional AccessibilitySettingsProto accessibility_settings = 27;
+ optional OBSOLETE_SupervisedUsersSettingsProto supervised_users_settings = 28
+ [deprecated = true];
+ optional LoginScreenPowerManagementProto login_screen_power_management = 29;
+ optional SystemUse24HourClockProto use_24hour_clock = 30;
+ optional AutoCleanupSettigsProto auto_clean_up_settings = 31;
+ optional SystemSettingsProto system_settings = 32;
+ optional SAMLSettingsProto saml_settings = 33;
+ optional RebootOnShutdownProto reboot_on_shutdown = 34;
+ optional DeviceHeartbeatSettingsProto device_heartbeat_settings = 35;
+ optional ExtensionCacheSizeProto extension_cache_size = 36;
+ optional LoginScreenDomainAutoCompleteProto
+ login_screen_domain_auto_complete = 37;
+ optional DeviceLogUploadSettingsProto device_log_upload_settings = 38;
+ optional DisplayRotationDefaultProto display_rotation_default = 39;
+ optional AllowKioskAppControlChromeVersionProto
+ allow_kiosk_app_control_chrome_version = 40;
+ optional LoginAuthenticationBehaviorProto login_authentication_behavior = 41;
+ optional UsbDetachableWhitelistProto usb_detachable_whitelist = 42;
+ optional AllowBluetoothProto allow_bluetooth = 43;
+ optional DeviceQuirksDownloadEnabledProto quirks_download_enabled = 44;
+ optional LoginVideoCaptureAllowedUrlsProto login_video_capture_allowed_urls =
+ 45;
+ optional DeviceLoginScreenExtensionsProto device_login_screen_extensions = 46;
+ optional NetworkThrottlingEnabledProto network_throttling = 47;
+ optional DeviceWallpaperImageProto device_wallpaper_image = 48;
+ optional LoginScreenLocalesProto login_screen_locales = 49;
+ optional LoginScreenInputMethodsProto login_screen_input_methods = 50;
+ optional DeviceEcryptfsMigrationStrategyProto
+ device_ecryptfs_migration_strategy = 51 [deprecated = true];
+ optional DeviceSecondFactorAuthenticationProto
+ device_second_factor_authentication = 52;
+ optional CastReceiverNameProto cast_receiver_name = 53;
+ optional DeviceOffHoursProto device_off_hours = 54;
+ optional DeviceNativePrintersProto native_device_printers = 55;
+ optional DeviceNativePrintersAccessModeProto
+ native_device_printers_access_mode = 56;
+ optional DeviceNativePrintersBlacklistProto native_device_printers_blacklist =
+ 57;
+ optional DeviceNativePrintersWhitelistProto native_device_printers_whitelist =
+ 58;
+ optional TPMFirmwareUpdateSettingsProto tpm_firmware_update_settings = 59;
+ optional OBSOLETE_MinimumRequiredVersionProto minimum_required_version = 60
+ [deprecated = true];
+ optional DeviceLoginScreenAutoSelectCertificateForUrls
+ device_login_screen_auto_select_certificate_for_urls = 62;
+ optional UnaffiliatedArcAllowedProto unaffiliated_arc_allowed = 63;
+ optional NetworkHostnameProto network_hostname = 64;
+ optional DeviceKerberosEncryptionTypesProto device_kerberos_encryption_types =
+ 65;
+ optional DeviceUserPolicyLoopbackProcessingModeProto
+ device_user_policy_loopback_processing_mode = 66;
+ optional OBSOLETE_DeviceLoginScreenIsolateOriginsProto
+ device_login_screen_isolate_origins = 67 [deprecated = true];
+ optional OBSOLETE_DeviceLoginScreenSitePerProcessProto
+ device_login_screen_site_per_process = 68 [deprecated = true];
+ optional VirtualMachinesAllowedProto virtual_machines_allowed = 69;
+ optional DeviceMachinePasswordChangeRateProto
+ device_machine_password_change_rate = 70;
+ optional SamlLoginAuthenticationTypeProto saml_login_authentication_type = 71;
+ optional DeviceUnaffiliatedCrostiniAllowedProto
+ device_unaffiliated_crostini_allowed = 72;
+ optional DeviceWiFiFastTransitionEnabledProto
+ device_wifi_fast_transition_enabled = 73;
+ optional DeviceDisplayResolutionProto device_display_resolution = 74;
+ optional PluginVmAllowedProto plugin_vm_allowed = 75;
+ optional DeviceGpoCacheLifetimeProto device_gpo_cache_lifetime = 76;
+ optional DeviceAuthDataCacheLifetimeProto device_auth_data_cache_lifetime =
+ 77;
+ optional PluginVmLicenseKeyProto plugin_vm_license_key = 78;
+ optional DeviceRebootOnUserSignoutProto device_reboot_on_user_signout = 79;
+ optional DeviceWilcoDtcAllowedProto device_wilco_dtc_allowed = 80;
+ optional DeviceWilcoDtcConfigurationProto device_wilco_dtc_configuration = 81;
+ optional DeviceWiFiAllowedProto device_wifi_allowed = 82;
+ optional DevicePowerPeakShiftProto device_power_peak_shift = 83;
+ optional DeviceBootOnAcProto device_boot_on_ac = 84;
+ optional DeviceDockMacAddressSourceProto device_dock_mac_address_source = 85;
+ optional DeviceAdvancedBatteryChargeModeProto
+ device_advanced_battery_charge_mode = 86;
+ optional DeviceBatteryChargeModeProto device_battery_charge_mode = 87;
+ optional DeviceUsbPowerShareProto device_usb_power_share = 88;
+ optional DeviceScheduledUpdateCheckProto device_scheduled_update_check = 89;
+ optional DevicePowerwashAllowedProto device_powerwash_allowed = 91;
+ optional DeviceLoginScreenWebUsbAllowDevicesForUrlsProto
+ device_login_screen_webusb_allow_devices_for_urls = 92;
+ optional BooleanPolicyProto device_login_screen_system_info_enforced = 93;
+ optional StringListPolicyProto device_web_based_attestation_allowed_urls = 94;
+ optional BooleanPolicyProto device_show_numeric_keyboard_for_password = 95;
+ optional BooleanPolicyProto login_screen_primary_mouse_button_switch = 96;
+ optional StringPolicyProto device_minimum_version = 97;
+ optional SystemProxySettingsProto system_proxy_settings = 98;
+ optional IntegerPolicyProto device_chrome_variations_type = 99;
+ optional DeviceLoginScreenPrivacyScreenEnabledProto
+ device_login_screen_privacy_screen_enabled = 100;
+ optional RequiredClientCertificateForDeviceProto
+ required_client_certificate_for_device = 101;
+ optional DeviceCrostiniArcAdbSideloadingAllowedProto
+ device_crostini_arc_adb_sideloading_allowed = 102;
+ optional StringPolicyProto device_minimum_version_aue_message = 103;
+ optional ManagedGuestSessionPrivacyWarningsProto
+ managed_guest_session_privacy_warnings = 104;
+ optional DeviceExternalPrintServersProto external_print_servers = 105;
+ optional DeviceExternalPrintServersAllowlistProto
+ external_print_servers_allowlist = 106;
+ optional DevicePrintersAccessModeProto device_printers_access_mode = 107;
+ optional DevicePrintersBlocklistProto device_printers_blocklist = 108;
+ optional DevicePrintersAllowlistProto device_printers_allowlist = 109;
+ optional DevicePrintersProto device_printers = 110;
+ optional DeviceShowLowDiskSpaceNotificationProto
+ device_show_low_disk_space_notification = 111;
+ optional UserAllowlistProto user_allowlist = 112;
+ optional UsbDetachableAllowlistProto usb_detachable_allowlist = 113;
+ optional DeviceFamilyLinkAccountsAllowedProto family_link_accounts_allowed =
+ 114;
+ optional DeviceArcDataSnapshotHoursProto arc_data_snapshot_hours = 115;
+ optional BooleanPolicyProto device_allow_mgs_to_store_display_properties =
+ 116;
+ optional DeviceSystemWideTracingEnabledProto
+ device_system_wide_tracing_enabled = 117;
+ optional DevicePciPeripheralDataAccessEnabledProto
+ device_pci_peripheral_data_access_enabled = 118;
+ optional DeviceBorealisAllowedProto device_borealis_allowed = 119;
+ optional DeviceAllowedBluetoothServicesProto
+ device_allowed_bluetooth_services = 120;
+ optional DeviceDebugPacketCaptureAllowedProto
+ device_debug_packet_capture_allowed = 121;
+ optional DeviceScheduledRebootProto device_scheduled_reboot = 122;
+ optional DevicePciPeripheralDataAccessEnabledProtoV2
+ device_pci_peripheral_data_access_enabled_v2 = 123;
+ optional DeviceRestrictedManagedGuestSessionEnabledProto
+ device_restricted_managed_guest_session_enabled = 124;
+ optional HostnameUserConfigurableProto hostname_user_configurable = 125;
+ optional BooleanPolicyProto
+ login_screen_prompt_on_multiple_matching_certificates = 126;
+ optional BooleanPolicyProto kiosk_crx_manifest_update_url_ignored = 127;
+ optional DeviceI18nShortcutsEnabledProto device_i18n_shortcuts_enabled = 128;
+ optional BooleanPolicyProto chromad_to_cloud_migration_enabled = 129;
+ optional RevenDeviceHWDataUsageEnabledProto hardware_data_usage_enabled = 130;
+ optional DeviceLoginScreenWebUILazyLoadingProto login_web_ui_lazy_loading =
+ 131;
+ optional DeviceKeylockerForStorageEncryptionEnabledProto
+ keylocker_for_storage_encryption_enabled = 132;
+ optional BooleanPolicyProto device_run_automatic_cleanup_on_login = 133;
+ optional EncryptedReportingPipelineConfigurationProto
+ device_encrypted_reporting_pipeline_enabled = 134;
+}