|  | // Copyright 2013 The Chromium Authors. All rights reserved. | 
|  | // Use of this source code is governed by a BSD-style license that can be | 
|  | // found in the LICENSE file. | 
|  |  | 
|  | syntax = "proto2"; | 
|  |  | 
|  | option optimize_for = LITE_RUNTIME; | 
|  |  | 
|  | import "policy_common_definitions.proto"; | 
|  |  | 
|  | package enterprise_management; | 
|  |  | 
|  | // Everything below this comment will be synchronized between client and server | 
|  | // repos ( go/cros-proto-sync ). | 
|  |  | 
|  | message DevicePolicyRefreshRateProto { | 
|  | // In milliseconds. | 
|  | optional int64 device_policy_refresh_rate = 1; | 
|  | } | 
|  |  | 
|  | message UserWhitelistProto { | 
|  | // If a UserWhitelistProto is included in the ChromeDeviceSettingsProto but | 
|  | // the user_whitelist field is empty then no user can sign-in. | 
|  | repeated string user_whitelist = 1; | 
|  | } | 
|  |  | 
|  | message UserAllowlistProto { | 
|  | // If a UserAllowlistProto is included in the ChromeDeviceSettingsProto but | 
|  | // the user_whitelist field is empty then no user can sign-in. | 
|  | repeated string user_allowlist = 1; | 
|  | } | 
|  |  | 
|  | message AllowNewUsersProto { | 
|  | // Determines whether we allow arbitrary users to log into the device. | 
|  | // This interacts with the UserAllowlistProto as follows: | 
|  | // allow_new_users | user_allowlist     | anyone can log in | 
|  | //-----------------+--------------------+------------------ | 
|  | //  present, true  | not present        | Yes | 
|  | //-----------------+--------------------+------------------ | 
|  | //  present, true  | present            | Yes | 
|  | //-----------------+--------------------+------------------ | 
|  | //  present, false | not present        | (Broken) Yes | 
|  | //-----------------+--------------------+------------------ | 
|  | //  present, false | present            | No, W/L enforced | 
|  | //-----------------+--------------------+------------------ | 
|  | //  not present    | not present        | Yes | 
|  | //-----------------+--------------------+------------------ | 
|  | //  not present    | present, empty     | Yes | 
|  | //-----------------+--------------------+------------------ | 
|  | //  not present    | present, non-empty | No, W/L enforced | 
|  | //-----------------+--------------------+------------------ | 
|  | optional bool allow_new_users = 1 [default = true]; | 
|  | } | 
|  |  | 
|  | message GuestModeEnabledProto { | 
|  | // Determines if guests are allowed to log in to the device. | 
|  | optional bool guest_mode_enabled = 1 [default = true]; | 
|  | } | 
|  |  | 
|  | message ShowUserNamesOnSigninProto { | 
|  | // Determines if we show pods for existing users on the sign in screen. | 
|  | optional bool show_user_names = 1 [default = true]; | 
|  | } | 
|  |  | 
|  | message DataRoamingEnabledProto { | 
|  | // Determines if cellular data roaming is enabled. | 
|  | optional bool data_roaming_enabled = 1 [default = false]; | 
|  | } | 
|  |  | 
|  | message OBSOLETE_DeviceProxySettingsProto { | 
|  | // One of "direct", "auto_detect", "pac_script", "fixed_servers", "system" | 
|  | optional string OBSOLETE_proxy_mode = 1 [deprecated = true]; | 
|  | optional string OBSOLETE_proxy_server = 2 [deprecated = true]; | 
|  | optional string OBSOLETE_proxy_pac_url = 3 [deprecated = true]; | 
|  | optional string OBSOLETE_proxy_bypass_list = 4 [deprecated = true]; | 
|  | } | 
|  |  | 
|  | // This is used by chromeos, make sure to do cleanup there before marking it as | 
|  | // obsolette. | 
|  | message CameraEnabledProto { | 
|  | optional bool camera_enabled = 1; | 
|  | } | 
|  |  | 
|  | message MetricsEnabledProto { | 
|  | optional bool metrics_enabled = 1; | 
|  | } | 
|  |  | 
|  | message ReleaseChannelProto { | 
|  | // One of "stable-channel", "beta-channel", or "dev-channel" | 
|  | optional string release_channel = 1; | 
|  |  | 
|  | // The user can select the channel if |release_channel_delegated| is true. | 
|  | // The value of |release_channel| is only taken into account if | 
|  | // |release_channel_delegated| is set to false. | 
|  | optional bool release_channel_delegated = 2; | 
|  |  | 
|  | // |release_lts_tag| is forwarded as the "ltshint" attribute to Omaha. | 
|  | optional string release_lts_tag = 3; | 
|  | } | 
|  |  | 
|  | message DeviceOpenNetworkConfigurationProto { | 
|  | // The network configuration blob. This is a JSON string as specified by ONC. | 
|  | optional string open_network_configuration = 1; | 
|  | } | 
|  |  | 
|  | message NetworkHostnameProto { | 
|  | // The device hostname template. It might contain following | 
|  | // patterns that would be substituted by the device: | 
|  | // ASSET_ID, SERIAL_NUM, MAC_ADDR, and string after substitution should | 
|  | // be a valid hostname. | 
|  | optional string device_hostname_template = 1; | 
|  | } | 
|  |  | 
|  | // Policies to turn on portions of the device status reports. | 
|  | // If changed, the default values have to be updated in | 
|  | // chrome/browser/chromeos/policy/status_collector/device_status_collector.cc | 
|  | // and | 
|  | // chrome/browser/chromeos/policy/status_collector/child_status_collector.cc. | 
|  | message DeviceReportingProto { | 
|  | optional bool report_version_info = 1 [default = true]; | 
|  | optional bool report_activity_times = 2 [default = true]; | 
|  | optional bool report_boot_mode = 3 [default = true]; | 
|  | optional bool report_location = 4 [default = false]; | 
|  | optional bool report_network_interfaces = 5 [default = true]; | 
|  | optional bool report_users = 6 [default = true]; | 
|  | optional bool report_hardware_status = 7 [default = true]; | 
|  | optional bool report_session_status = 8 [default = true]; | 
|  | optional bool report_os_update_status = 10 [default = false]; | 
|  | optional bool report_running_kiosk_app = 11 [default = false]; | 
|  | optional bool report_power_status = 12 [default = false]; | 
|  | optional bool report_storage_status = 13 [default = false]; | 
|  | optional bool report_board_status = 14 [default = false]; | 
|  | optional bool report_cpu_info = 15 [default = false]; | 
|  | optional bool report_graphics_status = 16 [default = false]; | 
|  | optional bool report_crash_report_info = 17 [default = false]; | 
|  | optional bool report_timezone_info = 18 [default = false]; | 
|  | optional bool report_memory_info = 19 [default = false]; | 
|  | optional bool report_backlight_info = 20 [default = false]; | 
|  | optional bool report_app_info = 21 [default = false]; | 
|  | optional bool report_bluetooth_info = 22 [default = false]; | 
|  | optional bool report_fan_info = 23 [default = false]; | 
|  | optional bool report_vpd_info = 24 [default = false]; | 
|  | optional bool report_system_info = 25 [default = false]; | 
|  | optional bool report_print_jobs = 26 [default = false]; | 
|  |  | 
|  | // Frequency to report device status, default to 3 hours. | 
|  | // If changed, the default value has to be updated in | 
|  | // chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.cc. | 
|  | optional int64 device_status_frequency = 9 [default = 10800000]; | 
|  | } | 
|  |  | 
|  | message EphemeralUsersEnabledProto { | 
|  | // Determines whether users should be treated as ephemeral. In ephemeral users | 
|  | // mode, no cryptohome is created for the user, but a tmpfs mount is used | 
|  | // instead such that upon logout all user state is discarded. | 
|  | optional bool ephemeral_users_enabled = 1; | 
|  | } | 
|  |  | 
|  | // Details of an extension to install as part of the AppPack. | 
|  | message OBSOLETE_AppPackEntryProto { | 
|  | optional string OBSOLETE_extension_id = 1 [deprecated = true]; | 
|  | optional string OBSOLETE_update_url = 2 [deprecated = true]; | 
|  |  | 
|  | // This field was added but never used and there are no plans to support it | 
|  | // eventually either. | 
|  | optional bool OBSOLETE_online_only = 3 [deprecated = true]; | 
|  | } | 
|  |  | 
|  | message OBSOLETE_AppPackProto { | 
|  | // List of extensions to install as part of the AppPack. | 
|  | repeated OBSOLETE_AppPackEntryProto app_pack = 1 [deprecated = true]; | 
|  | } | 
|  |  | 
|  | // This is a special policy for kiosk/retail mode that specifies what apps | 
|  | // should be pinned to the launcher. For regular accounts, pinned apps are | 
|  | // controlled through user policy. | 
|  | message OBSOLETE_PinnedAppsProto { | 
|  | // App IDs for the apps to pin. | 
|  | repeated string OBSOLETE_app_id = 1 [deprecated = true]; | 
|  | } | 
|  |  | 
|  | message OBSOLETE_ForcedLogoutTimeoutsProto { | 
|  | // All timeouts are specified in milliseconds. | 
|  |  | 
|  | // Specifies the timeout before an idle user session is terminated. | 
|  | // If this field is omitted or set to 0, no logout on idle will be performed. | 
|  | optional int64 OBSOLETE_idle_logout_timeout = 1 [deprecated = true]; | 
|  |  | 
|  | // Specifies the duration of a warning countdown before the user is logged out | 
|  | // because of idleness as specified by the |idle_logout_timeout| value. | 
|  | // This field is only used if |idle_logout_timeout| != 0 is specified. | 
|  | optional int64 OBSOLETE_idle_logout_warning_duration = 2 [deprecated = true]; | 
|  | } | 
|  |  | 
|  | message OBSOLETE_ScreenSaverProto { | 
|  | // Specifies the extension ID which is to be used as a screen saver on the | 
|  | // login screen if no user activity is present. Only respected if the device | 
|  | // is in RETAIL mode. | 
|  | optional string OBSOLETE_screen_saver_extension_id = 1 [deprecated = true]; | 
|  |  | 
|  | // Specifies the timeout before the screen saver is activated. If this field | 
|  | // is omitted or set to 0, no screen-saver will be started. | 
|  | // Measured in milliseconds. | 
|  | optional int64 OBSOLETE_screen_saver_timeout = 2 [deprecated = true]; | 
|  | } | 
|  |  | 
|  | // Enterprise controls for auto-update behavior of Chrome OS. | 
|  | message AutoUpdateSettingsProto { | 
|  | reserved 13; | 
|  |  | 
|  | // True if we don't want the device to auto-update (target_version_prefix is | 
|  | // ignored in this case). | 
|  | optional bool update_disabled = 1; | 
|  |  | 
|  | // Specifies the prefix of the target version we want the device to | 
|  | // update to, if it's on an older version. If the device is already on | 
|  | // a version with the given prefix, then there's no effect. If the device is | 
|  | // on a higher version, the behavior depends on |rollback_to_target_version|. | 
|  | // The format of this version can be one of the following: | 
|  | // --------------------------------------------------------------------- | 
|  | // "" (or not set at all): update to latest version available. | 
|  | // 1412.: update to any minor version of 1412 (e.g. 1412.24.34 or 1412.60.2) | 
|  | // 1412.2.: update to any minor version of 1412.2 (e.g. 1412.2.34 or 1412.2.2) | 
|  | // 1412.24.34: update to this specific version only | 
|  | // --------------------------------------------------------------------- | 
|  | optional string target_version_prefix = 2; | 
|  |  | 
|  | // The Chrome browser version (e.g. "17.*") corresponding to the | 
|  | // target_version_prefix above. The target_version_prefix is the internal OS | 
|  | // version that external users normally are not aware of. This display_name | 
|  | // can be used by the devices to display a message to end-users about the auto | 
|  | // update setting. | 
|  | optional string target_version_display_name = 3; | 
|  |  | 
|  | // Specifies the number of seconds up to which a device may randomly | 
|  | // delay its download of an update from the time the update was first pushed | 
|  | // out to the server. The device may wait a portion of this time in terms | 
|  | // of wall-clock-time and the remaining portion in terms of the number of | 
|  | // update checks. In any case, the scatter is upper bounded by a constant | 
|  | // amount of time so that a device does not ever get stuck waiting to download | 
|  | // an update forever. | 
|  | optional int64 scatter_factor_in_seconds = 4; | 
|  |  | 
|  | // Enumerates network connection types. | 
|  | enum ConnectionType { | 
|  | reserved 2; | 
|  |  | 
|  | CONNECTION_TYPE_ETHERNET = 0; | 
|  | CONNECTION_TYPE_WIFI = 1; | 
|  | CONNECTION_TYPE_BLUETOOTH = 3; | 
|  | CONNECTION_TYPE_CELLULAR = 4; | 
|  | } | 
|  |  | 
|  | // The types of connections that are OK to use for OS updates. OS updates | 
|  | // potentially put heavy strain on the connection due to their size and may | 
|  | // incur additional cost. Therefore, they are by default not enabled for | 
|  | // connection types that are considered expensive (currently only Cellular). | 
|  | repeated ConnectionType allowed_connection_types = 5; | 
|  |  | 
|  | // This has been replaced by |reboot_after_update| below. | 
|  | optional bool OBSOLETE_reboot_after_update = 6 [deprecated = true]; | 
|  |  | 
|  | // True if AU payloads can be downloaded via HTTP. False otherwise. | 
|  | optional bool http_downloads_enabled = 7 [default = false]; | 
|  |  | 
|  | // True if the device should reboot automatically when an update has been | 
|  | // applied and a reboot is required to complete the update process. | 
|  | // | 
|  | // Note: Currently, automatic reboots are only enabled while the login screen | 
|  | // is being shown or a kiosk app session is in progress. This will change in | 
|  | // the future and the policy will always apply, regardless of whether a | 
|  | // session of any particular type is in progress or not. | 
|  | optional bool reboot_after_update = 8; | 
|  |  | 
|  | // True if AU payloads may be shared with and consumed from other devices | 
|  | // on the LAN, using p2p. False otherwise. | 
|  | optional bool p2p_enabled = 9 [default = false]; | 
|  |  | 
|  | // The possible types of rollback. | 
|  | enum RollbackToTargetVersion { | 
|  | // No value set. Default is ROLLBACK_DISABLED. | 
|  | ROLLBACK_UNSPECIFIED = 0; | 
|  | // No rollback should happen if |target_version_prefix| specifies an older | 
|  | // version than the currently installed Chrome OS version. If this is the | 
|  | // case, the device will still respect |target_version_prefix|, so it will | 
|  | // not update Chrome OS. | 
|  | ROLLBACK_DISABLED = 1; | 
|  | // If |target_version_prefix| specifies an older version than the currently | 
|  | // installed Chrome OS version, the device should roll back to a Chrome OS | 
|  | // version starting with |target_version_prefix|. The device does a full | 
|  | // powerwash during the rollback, including TPM reset. | 
|  | ROLLBACK_AND_POWERWASH = 2; | 
|  | // If |target_version_prefix| specifies an older version than the currently | 
|  | // installed Chrome OS version, the device should roll back to a Chrome OS | 
|  | // version starting with |target_version_prefix|. | 
|  | // If possible, the device tries to carry over device-level configuration | 
|  | // including network credentials during the rollback process. | 
|  | // If that is not possible, rolls back with a full powerwash. | 
|  | ROLLBACK_AND_RESTORE_IF_POSSIBLE = 3; | 
|  | } | 
|  |  | 
|  | // Specifies what should happen if |target_version_prefix| specifies an older | 
|  | // version than the currently installed Chrome OS version. | 
|  | optional RollbackToTargetVersion rollback_to_target_version = 10 | 
|  | [default = ROLLBACK_DISABLED]; | 
|  |  | 
|  | // Specifies the number of Chrome milestones rollback should be allowed, | 
|  | // starting from the stable version at any time. Setting this policy prevents | 
|  | // firmware and kernel rollback protection to apply for at least this number | 
|  | // of milestones. | 
|  | optional int32 rollback_allowed_milestones = 11 [default = 0]; | 
|  |  | 
|  | // Specifies the time intervals during which the device is not allowed to do | 
|  | // automatic update checks. This is a JSON string, for details see | 
|  | // "DeviceAutoUpdateTimeRestrictions" in policy_templates.json. | 
|  | optional string disallowed_time_intervals = 12; | 
|  |  | 
|  | // Specifies how much of the fleet to update per day as a json | 
|  | // string that contains a list of pairs <day, percentage>. For more | 
|  | // details and examples, see "DeviceUpdateStagingSchedule" in | 
|  | // policy_templates.json. | 
|  | optional string staging_schedule = 14; | 
|  |  | 
|  | // This token is forwarded to omaha by update_engine. If it is set, omaha may | 
|  | // serve a quick fix build identified by the token. | 
|  | // | 
|  | // This field is primarily used for quick fixes, but it is also used by the | 
|  | // Hotrod team to subdivide the Stable channel into cohorts. | 
|  | optional string device_quick_fix_build_token = 15; | 
|  |  | 
|  | // Types of channel downgrade behavior. | 
|  | enum ChannelDowngradeBehavior { | 
|  | // Channel downgrade behavior unspecified. Default is | 
|  | // WAIT_FOR_VERSION_CATCH_UP. | 
|  | CHANNEL_DOWNGRADE_BEHAVIOR_UNSPECIFIED = 0; | 
|  | // On a channel downgrade, e.g. beta to stable, wait for the device's | 
|  | // version to become available on the new channel. No updates happen until | 
|  | // then. This is the default. | 
|  | WAIT_FOR_VERSION_CATCH_UP = 1; | 
|  | // Roll back and reset the device on a channel downgrade. This does a full | 
|  | // powerwash and tries to preserve wifi and enrollment. | 
|  | ROLLBACK = 2; | 
|  | // Allow the user to decide whether to wait or roll back and reset on a | 
|  | // user-initiated channel downgrade. | 
|  | ALLOW_USER_TO_CONFIGURE = 3; | 
|  | } | 
|  |  | 
|  | // Specifies what should happen if the device channel is downgraded. | 
|  | optional ChannelDowngradeBehavior channel_downgrade_behavior = 16 | 
|  | [default = WAIT_FOR_VERSION_CATCH_UP]; | 
|  | } | 
|  |  | 
|  | message OBSOLETE_StartUpUrlsProto { | 
|  | // Specifies the URLs to be loaded on login to the anonymous account used if | 
|  | // the device is in RETAIL mode. | 
|  | repeated string OBSOLETE_start_up_urls = 1 [deprecated = true]; | 
|  | } | 
|  |  | 
|  | message SystemTimezoneProto { | 
|  | // Specifies an owner-determined timezone that applies to the login screen and | 
|  | // all users. Valid values are listed in "timezone_settings.cc". Additionally, | 
|  | // timezones from the "IANA Time Zone Database" (e.g. listed on wikipedia) | 
|  | // that are equivalent to one of the timezones in "timezone_settings.cc" are | 
|  | // valid. In case of an invalid value, the setting is still activated with a | 
|  | // fallback timezone (currently "GMT"). In case of an empty string or if no | 
|  | // value is provided, the timezone device setting is inactive. In that case, | 
|  | // the currently active timezone will remain in use however users can change | 
|  | // the timezone and the change is persistent. Thus a change by one user | 
|  | // affects the login-screen and all other users. | 
|  | optional string timezone = 1; | 
|  |  | 
|  | // This allows domain administrators to control the timezone settings for | 
|  | // their devices. | 
|  | enum AutomaticTimezoneDetectionType { | 
|  | USERS_DECIDE = 0; | 
|  | DISABLED = 1; | 
|  | IP_ONLY = 2; | 
|  | SEND_WIFI_ACCESS_POINTS = 3; | 
|  | SEND_ALL_LOCATION_INFO = 4; | 
|  | } | 
|  |  | 
|  | optional AutomaticTimezoneDetectionType timezone_detection_type = 2; | 
|  | } | 
|  |  | 
|  | message SystemUse24HourClockProto { | 
|  | // Specifies an owner-determined clock format that applies to the login | 
|  | // screen and is used as a default for all user sessions. Users can still | 
|  | // override the format to use for their account. | 
|  | // | 
|  | // True and false select a 24 and 12 hour clock format, respectively. The | 
|  | // default format for the case the setting is not present is 24 hour clock. | 
|  | optional bool use_24hour_clock = 1; | 
|  | } | 
|  |  | 
|  | // Parameters for Kiosk App device-local accounts. | 
|  | message KioskAppInfoProto { | 
|  | // Indicates the Kiosk App for the corresponding device-local account. The | 
|  | // string value should be a valid 32-character Chrome App identifier and | 
|  | // specifies the Kiosk App to download and run. | 
|  | optional string app_id = 1; | 
|  |  | 
|  | // Optional extension update URL to download the Kiosk App package from. If | 
|  | // not specified, the app will be downloaded from the standard Chrome Web | 
|  | // Store update URL. | 
|  | optional string update_url = 2; | 
|  | } | 
|  |  | 
|  | // Describes which Android application is to be launched. | 
|  | message AndroidKioskAppInfoProto { | 
|  | // Package name (must be present). | 
|  | // In the event this is the only field that is specified, runtime may use | 
|  | // PackageManager.getLaunchIntentForPackage() to start the app. See | 
|  | // https://developer.android.com/reference/android/content/pm/PackageManager.html | 
|  | // Example of the package name: "com.android.camera". Do not include "app:" | 
|  | // prefix in the package name. | 
|  | optional string package_name = 1; | 
|  |  | 
|  | // Class name (optional). If present, class name is to be combined with | 
|  | // package name to form a ComponentName. See | 
|  | // https://developer.android.com/reference/android/content/ComponentName.html | 
|  | optional string class_name = 2; | 
|  |  | 
|  | // Action (optional). The third parameter required for creating an Intent. | 
|  | // If omitted, runtime may choose a reasonable default action | 
|  | // (e.g. android.intent.action.MAIN). | 
|  | // If package and action are specified, but not the class name, runtime may | 
|  | // use PackageManager.queryIntentActivity() to find out the class name. | 
|  | optional string action = 3; | 
|  |  | 
|  | // Display name (optional). | 
|  | // User-friendly app name that should be used in Chrome UI where kiosk app | 
|  | // name is shown. Chrome side could override the string with an updated | 
|  | // value that it will get from Google Play when the app will be installed. | 
|  | optional string display_name = 4; | 
|  | } | 
|  |  | 
|  | // Parameters for Web App-based device local accounts. | 
|  | message WebKioskAppInfoProto { | 
|  | // Install url (must be present). | 
|  | // In case it is the only field provided, title and icon will be deduced | 
|  | // during first app launch. | 
|  | optional string url = 1; | 
|  |  | 
|  | // Title (optional). | 
|  | // User-friendly app name that should be used in Chrome UI where kiosk app | 
|  | // name is shown. Chrome side could override the string with an updated | 
|  | // value that it will get during actual app launch. | 
|  | optional string title = 2; | 
|  |  | 
|  | // Icon url (optional). | 
|  | // Is not used in the current Implementation. Will be used instead of the | 
|  | // placeholder icon that is displayed before the first successful app | 
|  | // launch. | 
|  | optional string icon_url = 3; | 
|  | } | 
|  |  | 
|  | // Describes a single device-local account. | 
|  | message DeviceLocalAccountInfoProto { | 
|  | // Deprecated: Account identifier for a public session device-local account. | 
|  | // Old code didn't have the |type| field, so it can't handle new types of | 
|  | // device-local accounts gracefully (i.e. ignoring unsupported types). New | 
|  | // code should instead set type to ACCOUNT_TYPE_PUBLIC_SESSION and write the | 
|  | // identifier to the |account_id| field below. If the |type| field is present, | 
|  | // |deprecated_public_session_id| will be ignored. | 
|  | optional string deprecated_public_session_id = 1; | 
|  |  | 
|  | // Identifier for the device-local account. This is an opaque identifier that | 
|  | // is used to distinguish different device-local accounts configured. All | 
|  | // configured accounts on a device must have unique identifiers. | 
|  | optional string account_id = 2; | 
|  |  | 
|  | // LINT.IfChange | 
|  | // Indicates the type of device-local account. | 
|  | enum AccountType { | 
|  | // A login-less, policy-configured browsing session. | 
|  | ACCOUNT_TYPE_PUBLIC_SESSION = 0; | 
|  | // An account that serves as a container for a single full-screen | 
|  | // Chrome app. | 
|  | ACCOUNT_TYPE_KIOSK_APP = 1; | 
|  | // An account that serves as a container for a single full-screen | 
|  | // Android app. | 
|  | ACCOUNT_TYPE_KIOSK_ANDROID_APP = 2; | 
|  | // SAML public session account | 
|  | ACCOUNT_TYPE_SAML_PUBLIC_SESSION = 3; | 
|  | // Web App. | 
|  | ACCOUNT_TYPE_WEB_KIOSK_APP = 4; | 
|  | } | 
|  | // Should keep ChromeServletUtil.toDimensionAccountType logic in sync with | 
|  | // AccountType enum. | 
|  | // LINT.ThenChange(//depot/google3/java/com/google/chrome/cros/dmserver/chrome/ChromeServletUtil.java) | 
|  |  | 
|  | // The account type. | 
|  | optional AccountType type = 3; | 
|  |  | 
|  | // Kiosk App parameters, relevant if |type| is ACCOUNT_TYPE_KIOSK_APP. | 
|  | optional KioskAppInfoProto kiosk_app = 4; | 
|  |  | 
|  | // Kiosk App parameters, relevant if |type| is ACCOUNT_TYPE_KIOSK_ANDROID_APP | 
|  | optional AndroidKioskAppInfoProto android_kiosk_app = 5; | 
|  |  | 
|  | // Web Kiosk App parameters, relevant if |type| is ACCOUNT_TYPE_WEB_KIOSK_APP | 
|  | optional WebKioskAppInfoProto web_kiosk_app = 6; | 
|  | } | 
|  |  | 
|  | message DeviceLocalAccountsProto { | 
|  | // The list of device-local accounts (i.e. accounts without an associated | 
|  | // cloud-backed profile) that are available on the device. | 
|  | repeated DeviceLocalAccountInfoProto account = 1; | 
|  |  | 
|  | // The identifier of the device-local account to which the device | 
|  | // should be logged in automatically.  Should be equal to one of the | 
|  | // ids in DeviceLocalAccountInfoProto. | 
|  | optional string auto_login_id = 2; | 
|  |  | 
|  | // The amount of time, in milliseconds, that should elapse at the signin | 
|  | // screen without user interaction before automatically logging in. | 
|  | optional int64 auto_login_delay = 3; | 
|  |  | 
|  | // Whether the keyboard shortcut to prevent zero-delay auto-login should be | 
|  | // enabled or not. By default, the user has 3 seconds to press a shortcut | 
|  | // to prevent auto-login, which is useful to sign-in to a regular user session | 
|  | // and configure the machine. If this policy is set to false then this | 
|  | // shortcut is disabled and there is no way to skip auto-login. | 
|  | optional bool enable_auto_login_bailout = 4 [default = true]; | 
|  |  | 
|  | // Whether network configuration should be offered or not when the device | 
|  | // does not have access to the Internet. If the policy is omitted or set to | 
|  | // true, the network configuration will be offered. Otherwise, only an error | 
|  | // message is displayed. | 
|  | // Note: If both this policy and enable_auto_login_bailout policy above is | 
|  | // set to false, there are chances that the device might become totally | 
|  | // unusable when there is no Internet access and has to go through the | 
|  | // recovery process. | 
|  | // If the device is offline at startup then the network configuration screen | 
|  | // is always shown, before auto-login kicks in. | 
|  | optional bool prompt_for_network_when_offline = 5 [default = true]; | 
|  | } | 
|  |  | 
|  | message ManagedGuestSessionPrivacyWarningsProto { | 
|  | // Enable the privacy warnings on both; the login screen of the managed-guest | 
|  | // session & inside the auto-launched managed-guest sessions. | 
|  | // If this policy is set to false, all the privacy warnings are deactivated. | 
|  | // If it's set to true or not set, then the privacy warnings will be shown by | 
|  | // default. | 
|  | optional bool enabled = 1 [default = true]; | 
|  | } | 
|  |  | 
|  | message AllowRedeemChromeOsRegistrationOffersProto { | 
|  | // Chrome OS Registration service provides way for chromeos device users | 
|  | // to redeem electronic offers provided by service provider. | 
|  | // This value determines if users are allowed to redeem offers through | 
|  | // Chrome OS Registration service. | 
|  | optional bool allow_redeem_offers = 1 [default = true]; | 
|  | } | 
|  |  | 
|  | message FeatureFlagsProto { | 
|  | // Specifies switches that should be passed to Google Chrome when it starts. | 
|  | // The specified switches are applied on the login screen only. Switches set | 
|  | // via this policy do not propagate into user sessions. | 
|  | // This is deprecated because it turned out that storing raw switches is | 
|  | // problematic since Chrome can't easily tie switches back to feature flags to | 
|  | // validate them. The |feature_flags| field below works in terms of feature | 
|  | // flag names (i.e. chrome://flags items) instead and supersedes |switches|. | 
|  | repeated string switches = 1 [deprecated = true]; | 
|  |  | 
|  | // Specifies feature flags (i.e. chrome://flags items) that should be enabled | 
|  | // when Chrome starts. The format of the individual entries matches the format | 
|  | // chrome://flags uses for internal bookkeeping, i.e. either the flag name as | 
|  | // listed on chrome://flags (for flags that only have a single choice besides | 
|  | // the default) or the flag name followed by the index of the chosen option, | 
|  | // separated by an '@' character (for flags with multiple choices). The | 
|  | // specified feature flags are applied on the login screen only and don't | 
|  | // propagate into the user session. | 
|  | repeated string feature_flags = 2; | 
|  | } | 
|  |  | 
|  | message UptimeLimitProto { | 
|  | // This has been replaced by |uptime_limit| below. | 
|  | optional int64 OBSOLETE_uptime_limit = 1 [deprecated = true]; | 
|  |  | 
|  | // Sets the length of device uptime after which an automatic reboot is | 
|  | // scheduled. An automatic reboot is scheduled at the selected time but may be | 
|  | // delayed on the device by up to 24 hours, e.g. if a user is currently using | 
|  | // the device or an app/extension has requested reboots to be inhibited | 
|  | // temporarily. The policy value should be specified in seconds. | 
|  | // | 
|  | // Note: Currently, automatic reboots are only enabled while the login screen | 
|  | // is being shown or a kiosk app session is in progress. This will change in | 
|  | // the future and the policy will always apply, regardless of whether a | 
|  | // session of any particular type is in progress or not. | 
|  | optional int64 uptime_limit = 2; | 
|  | } | 
|  |  | 
|  | message VariationsParameterProto { | 
|  | // The string for the restrict parameter to be appended to the Variations URL | 
|  | // when pinging the Variations server. | 
|  | optional string parameter = 1; | 
|  | } | 
|  |  | 
|  | message AttestationSettingsProto { | 
|  | // Attestation involves proving that a cryptographic key is protected by a | 
|  | // legitimate Chrome OS TPM and reporting the operating mode of the platform. | 
|  | // This setting enables enterprise attestation features at a device level.  If | 
|  | // this is enabled a machine key will be generated and certified by the Chrome | 
|  | // OS CA.  If this setting is disabled, even users with attestation settings | 
|  | // enabled will not be able to use those features on the device. | 
|  | optional bool attestation_enabled = 1 [default = false]; | 
|  |  | 
|  | // Chrome OS devices can use remote attestation (Verified Access) to get a | 
|  | // certificate issued by the Chrome OS CA that asserts the device is eligible | 
|  | // to play protected content.  This process involves sending hardware | 
|  | // endorsement information to the Chrome OS CA which uniquely identifies the | 
|  | // device.  This setting allows this feature to be disabled for the device | 
|  | // regardless of any user-specific settings. | 
|  | optional bool content_protection_enabled = 2 [default = true]; | 
|  | } | 
|  |  | 
|  | message AccessibilitySettingsProto { | 
|  | // Sets the default state of the large cursor accessibility feature on the | 
|  | // login screen. If this policy is set to true, the large cursor will be | 
|  | // enabled when the login screen is shown. If this policy is set to false, the | 
|  | // large cursor will be disabled when the login screen is shown. Users can | 
|  | // temporarily override this setting by enabling or disabling the large | 
|  | // cursor. However, the user's choice is not persistent and the default is | 
|  | // restored whenever the login screen is shown anew or the user remains idle | 
|  | // on the login screen for a minute. If this policy is left unset, the large | 
|  | // cursor is disabled when the login screen is first shown. Users can enable | 
|  | // or disable the large cursor anytime and its status on the login screen is | 
|  | // persisted between users. | 
|  | optional bool login_screen_default_large_cursor_enabled = 1; | 
|  |  | 
|  | // Sets the default state of the spoken feedback accessibility feature on the | 
|  | // login screen. If this policy is set to true, spoken feedback will be | 
|  | // enabled when the login screen is shown. If this policy is set to false, | 
|  | // spoken feedback will be disabled when the login screen is shown. Users can | 
|  | // temporarily override this setting by enabling or disabling spoken feedback. | 
|  | // However, the user's choice is not persistent and the default is restored | 
|  | // whenever the login screen is shown anew or the user remains idle on the | 
|  | // login screen for a minute. If this policy is left unset, spoken feedback is | 
|  | // disabled when the login screen is first shown. Users can enable or disable | 
|  | // spoken feedback anytime and its status on the login screen is persisted | 
|  | // between users. | 
|  | optional bool login_screen_default_spoken_feedback_enabled = 2; | 
|  |  | 
|  | // Sets the default state of the high contrast mode accessibility feature on | 
|  | // the login screen. If this policy is set to true, high contrast mode will be | 
|  | // enabled when the login screen is shown. If this policy is set to false, | 
|  | // high contrast mode will be disabled when the login screen is shown. Users | 
|  | // can temporarily override this setting by enabling or disabling high | 
|  | // contrast mode. However, the user's choice is not persistent and the default | 
|  | // is restored whenever the login screen is shown anew or the user remains | 
|  | // idle on the login screen for a minute. If this policy is left unset, high | 
|  | // contrast mode is disabled when the login screen is first shown. Users can | 
|  | // enable or disable high contrast mode anytime and its status on the login | 
|  | // screen is persisted between users. | 
|  | optional bool login_screen_default_high_contrast_enabled = 3; | 
|  |  | 
|  | // Enumerates the screen magnifier types. | 
|  | enum ScreenMagnifierType { | 
|  | // Screen magnifier disabled. | 
|  | SCREEN_MAGNIFIER_TYPE_NONE = 0; | 
|  | // Full-screen magnifier enabled. | 
|  | SCREEN_MAGNIFIER_TYPE_FULL = 1; | 
|  | } | 
|  |  | 
|  | // Sets the default type of screen magnifier that is enabled on the login | 
|  | // screen. If this policy is set, it controls the type of screen magnifier | 
|  | // that is enabled when the login screen is shown. Users can temporarily | 
|  | // override this setting by enabling or disabling the screen magnifier. | 
|  | // However, the user's choice is not persistent and the default is restored | 
|  | // whenever the login screen is shown anew or the user remains idle on the | 
|  | // login screen for a minute. If this policy is left unset, the screen | 
|  | // magnifier is disabled when the login screen is first shown. Users can | 
|  | // enable or disable the screen magnifier anytime and its status on the login | 
|  | // screen is persisted between users. | 
|  | optional ScreenMagnifierType login_screen_default_screen_magnifier_type = 4; | 
|  |  | 
|  | // Sets the default state of the on-screen keyboard accessibility feature on | 
|  | // the login screen. If this policy is set to true, the on-screen keyboard | 
|  | // will be enabled when the login screen is shown. If this policy is set to | 
|  | // false, the on-screen keyboard will be disabled when the login screen is | 
|  | // shown. Users can temporarily override this setting by enabling or disabling | 
|  | // the on-screen keyboard. However, the user's choice is not persistent and | 
|  | // the default is restored whenever the login screen is shown anew or the user | 
|  | // remains idle on the login screen for a minute. If this policy is left | 
|  | // unset, the on-screen keyboard is disabled when the login screen is first | 
|  | // shown. Users can enable or disable the on-screen keyboard anytime and its | 
|  | // status on the login screen is persisted between users. | 
|  | optional bool login_screen_default_virtual_keyboard_enabled = 5; | 
|  |  | 
|  | // Sets the state of the large cursor accessibility feature on the login | 
|  | // screen. If this policy is set to true, the large cursor will be enabled | 
|  | // when the login screen is shown. If this policy is set to false, the large | 
|  | // cursor will be disabled when the login screen is shown. If the | 
|  | // PolicyOptions mode was being mandatory then the user won't be able to | 
|  | // change these settings. Only if PolicyOptions was being set as recommended | 
|  | // users can temporarily override this setting by enabling or disabling the | 
|  | // large cursor. However, the user's choice is not persistent and the default | 
|  | // is restored whenever the login screen is shown anew or the user remains | 
|  | // idle on the login screen for a minute. If this policy is left unset, the | 
|  | // large cursor is disabled when the login screen is first shown. Users can | 
|  | // enable or disable the large cursor anytime and its status on the login | 
|  | // screen is persisted between users. | 
|  | optional bool login_screen_large_cursor_enabled = 6; | 
|  | optional PolicyOptions login_screen_large_cursor_enabled_options = 7; | 
|  |  | 
|  | // Sets the state of the spoken feedback accessibility feature on the login | 
|  | // screen. If this policy is set to true, the spoken feedback will be enabled | 
|  | // when the login screen is shown. If this policy is set to false, the spoken | 
|  | // feedback will be disabled when the spoken feedback is shown. If the | 
|  | // PolicyOptions mode was being mandatory then the user won't be able to | 
|  | // change these settings. Only if PolicyOptions was being set as | 
|  | // recommended users can temporarily override this setting by enabling or | 
|  | // disabling the spoken feedback. However, the user's choice is not persistent | 
|  | // and the default is restored whenever the login screen is shown anew or the | 
|  | // user remains idle on the login screen for a minute. If this policy is left | 
|  | // unset, the spoken feedback is disabled when the login screen is first | 
|  | // shown. Users can enable or disable the spoken feedback anytime and its | 
|  | // status on the login screen is persisted between users. | 
|  | optional bool login_screen_spoken_feedback_enabled = 8; | 
|  | optional PolicyOptions login_screen_spoken_feedback_enabled_options = 9; | 
|  |  | 
|  | // Sets the state of the high contrast accessibility feature on the login | 
|  | // screen. If this policy is set to true, the high contrast will be enabled | 
|  | // when the login screen is shown. If this policy is set to false, the high | 
|  | // contrast will be disabled when the login screen is shown. If the | 
|  | // PolicyOptions mode was being mandatory then the user won't be able to | 
|  | // change these settings. Only if PolicyOptions was being set as | 
|  | // recommended users can temporarily override this setting by enabling or | 
|  | // disabling the high contrast. However, the user's choice is not persistent | 
|  | // and the default is restored whenever the login screen is shown anew or the | 
|  | // user remains idle on the login screen for a minute. If this policy is left | 
|  | // unset, the high contrast is disabled when the login screen is first | 
|  | // shown. Users can enable or disable the high contrast anytime and its | 
|  | // status on the login screen is persisted between users. | 
|  | optional bool login_screen_high_contrast_enabled = 10; | 
|  | optional PolicyOptions login_screen_high_contrast_enabled_options = 11; | 
|  |  | 
|  | // Sets the state of the virtual keyboard accessibility feature on the login | 
|  | // screen. If this policy is set to true, the virtual keyboard will be enabled | 
|  | // when the login screen is shown. If this policy is set to false, the virtual | 
|  | // keyboard will be disabled when the login screen is shown. If the | 
|  | // PolicyOptions mode was being mandatory then the user won't be able to | 
|  | // change these settings. Only if PolicyOptions was being set as | 
|  | // recommended users can temporarily override this setting by enabling or | 
|  | // disabling the virtual keyboard. However, the user's choice is not | 
|  | // persistent and the default is restored whenever the login screen is shown | 
|  | // anew or the user remains idle on the login screen for a minute. If this | 
|  | // policy is left unset, the virtual keyboard is disabled when the login | 
|  | // screen is first shown. Users can enable or disable the virtual keyboard | 
|  | // anytime and its status on the login screen is persisted between users. | 
|  | optional bool login_screen_virtual_keyboard_enabled = 12; | 
|  | optional PolicyOptions login_screen_virtual_keyboard_enabled_options = 13; | 
|  |  | 
|  | // Sets the state of the dictation accessibility feature on the login screen. | 
|  | // If this policy is set to true, the dictation will be enabled when the login | 
|  | // screen is shown. If this policy is set to false, the dictation will | 
|  | // be disabled when the login screen is shown. If the PolicyOptions mode was | 
|  | // being mandatory then the user won't be able to change these settings. Only | 
|  | // if PolicyOptions was being set as recommended users can temporarily | 
|  | // override this setting by enabling or disabling the dictation. However, the | 
|  | // user's choice is not persistent and the default is restored whenever the | 
|  | // login screen is shown anew or the user remains idle on the login screen for | 
|  | // a minute. If this policy is left unset, the dictation is disabled when the | 
|  | // login screen is first shown. Users can enable or disable the dictation | 
|  | // anytime and its status on the login screen is persisted between users. | 
|  | optional bool login_screen_dictation_enabled = 14; | 
|  | optional PolicyOptions login_screen_dictation_enabled_options = 15; | 
|  |  | 
|  | // Sets the state of the select to speak accessibility feature on the login | 
|  | // screen. If this policy is set to true, the select to speak will be enabled | 
|  | // when the login screen is shown. If this policy is set to false, the select | 
|  | // to speak will be disabled when the login screen is shown. If the | 
|  | // PolicyOptions mode was being mandatory then the user won't be able to | 
|  | // change these settings. Only if PolicyOptions was being set as recommended | 
|  | // users can temporarily override this setting by enabling or disabling the | 
|  | // select to speak. However, the user's choice is not persistent and the | 
|  | // default is restored whenever the login screen is shown anew or the user | 
|  | // remains idle on the login screen for a minute. If this policy is left | 
|  | // unset, the select to speak is disabled when the login screen is first | 
|  | // shown. Users can enable or disable the select to speak anytime and its | 
|  | // status on the login screen is persisted between users. | 
|  | optional bool login_screen_select_to_speak_enabled = 16; | 
|  | optional PolicyOptions login_screen_select_to_speak_enabled_options = 17; | 
|  |  | 
|  | // Sets the state of the cursor highlight accessibility feature on the login | 
|  | // screen. If this policy is set to true, the cursor highlight will be enabled | 
|  | // when the login screen is shown. If this policy is set to false, the cursor | 
|  | // highlight will be disabled when the login screen is shown. If the | 
|  | // PolicyOptions mode was being mandatory then the user won't be able to | 
|  | // change these settings. Only if PolicyOptions was being set as recommended | 
|  | // users can temporarily override this setting by enabling or disabling the | 
|  | // cursor highlight. However, the user's choice is not persistent and the | 
|  | // default is restored whenever the login screen is shown anew or the user | 
|  | // remains idle on the login screen for a minute. If this policy is left | 
|  | // unset, the cursor highlight is disabled when the login screen is first | 
|  | // shown. Users can enable or disable the cursor highlight anytime and its | 
|  | // status on the login screen is persisted between users. | 
|  | optional bool login_screen_cursor_highlight_enabled = 18; | 
|  | optional PolicyOptions login_screen_cursor_highlight_enabled_options = 19; | 
|  |  | 
|  | // Sets the state of the caret highlight accessibility feature on the login | 
|  | // screen. If this policy is set to true, the caret highlight will be enabled | 
|  | // when the login screen is shown. If this policy is set to false, the spoken | 
|  | // feedback will be disabled when the login screen is shown. If the | 
|  | // PolicyOptions mode was being mandatory then the user won't be able to | 
|  | // change these settings. Only if PolicyOptions was being set as recommended | 
|  | // users can temporarily override this setting by enabling or disabling the | 
|  | // caret highlight. However, the user's choice is not persistent and the | 
|  | // default is restored whenever the login screen is shown anew or the user | 
|  | // remains idle on the login screen for a minute. If this policy is left | 
|  | // unset, the caret highlight is disabled when the login screen is first | 
|  | // shown. Users can enable or disable the caret highlight anytime and its | 
|  | // status on the login screen is persisted between users. | 
|  | optional bool login_screen_caret_highlight_enabled = 20; | 
|  | optional PolicyOptions login_screen_caret_highlight_enabled_options = 21; | 
|  |  | 
|  | // Sets the state of the mono audio accessibility feature on the login | 
|  | // screen. If this policy is set to true, the mono audio will be enabled | 
|  | // when the login screen is shown. If this policy is set to false, the mono | 
|  | // audio will be disabled when the login screen is shown. If the PolicyOptions | 
|  | // mode was being mandatory then the user won't be able to change these | 
|  | // settings. Only if PolicyOptions was being set as recommended users can | 
|  | // temporarily override this setting by enabling or disabling the mono audio. | 
|  | // However, the user's choice is not persistent and the default is restored | 
|  | // whenever the login screen is shown anew or the user remains idle on the | 
|  | // login screen for a minute. If this policy is left unset, the mono audio is | 
|  | // disabled when the login screen is first shown. Users can enable or disable | 
|  | // the mono audio anytime and its status on the login screen is persisted | 
|  | // between users. | 
|  | optional bool login_screen_mono_audio_enabled = 22; | 
|  | optional PolicyOptions login_screen_mono_audio_enabled_options = 23; | 
|  |  | 
|  | // Sets the state of the autoclick accessibility feature on the login | 
|  | // screen. If this policy is set to true, the autoclick will be enabled | 
|  | // when the login screen is shown. If this policy is set to false, the | 
|  | // autoclick will be disabled when the login screen is shown. If the | 
|  | // PolicyOptions mode was being mandatory then the user won't be able to | 
|  | // change these settings. Only if PolicyOptions was being set as recommended | 
|  | // users can temporarily override this setting by enabling or disabling the | 
|  | // autoclick. However, the user's choice is not persistent and the | 
|  | // default is restored whenever the login screen is shown anew or the user | 
|  | // remains idle on the login screen for a minute. If this policy is left | 
|  | // unset, the autoclick is disabled when the login screen is first | 
|  | // shown. Users can enable or disable the autoclick anytime and its | 
|  | // status on the login screen is persisted between users. | 
|  | optional bool login_screen_autoclick_enabled = 24; | 
|  | optional PolicyOptions login_screen_autoclick_enabled_options = 25; | 
|  |  | 
|  | // Sets the state of the sticky keys accessibility feature on the login | 
|  | // screen. If this policy is set to true, the sticky keys will be enabled | 
|  | // when the login screen is shown. If this policy is set to false, the | 
|  | // sticky keys will be disabled when the login screen is shown. If the | 
|  | // PolicyOptions mode was being mandatory then the user won't be able to | 
|  | // change these settings. Only if PolicyOptions was being set as recommended | 
|  | // users can temporarily override this setting by enabling or disabling the | 
|  | // sticky keys. However, the user's choice is not persistent and the | 
|  | // default is restored whenever the login screen is shown anew or the user | 
|  | // remains idle on the login screen for a minute. If this policy is left | 
|  | // unset, the sticky keys is disabled when the login screen is first | 
|  | // shown. Users can enable or disable the sticky keys anytime and its | 
|  | // status on the login screen is persisted between users. | 
|  | optional bool login_screen_sticky_keys_enabled = 26; | 
|  | optional PolicyOptions login_screen_sticky_keys_enabled_options = 27; | 
|  |  | 
|  | // Sets the state of the keyboard focus highlight accessibility feature on the | 
|  | // login screen. If this policy is set to true, the keyboard focus highlight | 
|  | // will be enabled when the login screen is shown. If this policy is set to | 
|  | // false, the keyboard focus highlight will be disabled when the login screen | 
|  | // is shown. If the PolicyOptions mode was being mandatory then the user won't | 
|  | // be able to change these settings. Only if PolicyOptions was being set as | 
|  | // recommended users can temporarily override this setting by enabling or | 
|  | // disabling the keyboard focus highlight. However, the user's choice is not | 
|  | // persistent and the default is restored whenever the login screen is shown | 
|  | // anew or the user remains idle on the login screen for a minute. If this | 
|  | // policy is left unset, the keyboard focus highlight is disabled when the | 
|  | // login screen is first shown. Users can enable or disable the keyboard focus | 
|  | // highlight anytime and its status on the login screen is persisted between | 
|  | // users. | 
|  | optional bool login_screen_keyboard_focus_highlight_enabled = 28; | 
|  | optional PolicyOptions login_screen_keyboard_focus_highlight_enabled_options = | 
|  | 29; | 
|  |  | 
|  | // Sets the state of the screen magnifier accessibility feature on the login | 
|  | // screen. If this policy is set to 1, the screen magnifier will be enabled | 
|  | // in full-screen magnifier mode, when the login screen is shown. If this | 
|  | // policy is set to 2, the screen magnifier will be enabled in docked | 
|  | // magnifier mode, when the login screen is shown. If this policy is set | 
|  | // to 0, the screen magnifier will be disabled, when the login screen is | 
|  | // shown. If the PolicyOptions mode was being mandatory then the user won't be | 
|  | // able to change these settings. Only if PolicyOptions was being set as | 
|  | // recommended users can temporarily override this setting by changing the | 
|  | // screen magnifier state the. However, the user's choice is not persistent | 
|  | // and the default is restored whenever the login screen is shown anew or the | 
|  | // user remains idle on the login screen for a minute. If this policy is left | 
|  | // unset, the screen magnifier is disabled when the login screen is first | 
|  | // shown. Users can enable or disable the screen magnifier anytime and its | 
|  | // status on the login screen is persisted between users. | 
|  | optional int64 login_screen_screen_magnifier_type = 30; | 
|  | optional PolicyOptions login_screen_screen_magnifier_type_options = 31; | 
|  |  | 
|  | // Sets the state of the visibility of the accessibility options on quick | 
|  | // settings accessibility feature on the login screen. If this policy is set | 
|  | // to true, the accessibility options on quick settings will always be shown | 
|  | // when the login screen is shown. If this policy is set to false, the | 
|  | // accessibility options will never appear on system tray menu when the login | 
|  | // screen is shown. If the PolicyOptions mode was being mandatory then the | 
|  | // user won't be able to change these settings. Only if PolicyOptions was | 
|  | // being set as recommended users can temporarily override this setting by | 
|  | // enabling or disabling the accessibility options on system tray menu. | 
|  | // However, the user's choice is not persistent and the default is restored | 
|  | // whenever the login screen is shown anew or the user remains idle on the | 
|  | // login screen for a minute. If this policy is left unset, accessibility | 
|  | // options will not appear in the system tray menu, but the user can cause the | 
|  | // accessibility options to appear via the Settings page. | 
|  | // When accessiblity features are enabled by other means (e.g by a key | 
|  | // combination), Accessibility options will always appear in system tray menu. | 
|  | optional bool login_screen_show_options_in_system_tray_menu_enabled = 32; | 
|  | optional PolicyOptions | 
|  | login_screen_show_options_in_system_tray_menu_enabled_options = 33; | 
|  |  | 
|  | // Sets whether all the accessibility features shortcuts are being enabled or | 
|  | // not on the login screen. If this policy is set to true, the accessibility | 
|  | // shortcuts are going to be enabled when the login screen is shown. If this | 
|  | // policy is set to false, the accessibility shortcuts are going to be | 
|  | // disabled when the login screen is shown. If this policy is left unset, the | 
|  | // accessibility shortcuts are going to be enabled on the login screen. | 
|  | optional bool login_screen_shortcuts_enabled = 34; | 
|  | optional PolicyOptions login_screen_shortcuts_enabled_options = 35; | 
|  | } | 
|  |  | 
|  | message OBSOLETE_SupervisedUsersSettingsProto { | 
|  | // Defines whether supervised users can be created on the device. | 
|  | optional bool OBSOLETE_supervised_users_enabled = 1 [deprecated = true]; | 
|  | } | 
|  |  | 
|  | message LoginScreenPowerManagementProto { | 
|  | // Configures power management on the login screen. The policy should be | 
|  | // specified as a string that expresses the individual settings in JSON | 
|  | // format, conforming to the following schema: | 
|  | // { | 
|  | //   "type": "object", | 
|  | //   "properties": { | 
|  | //     "AC": { | 
|  | //       "description": "Power management settings applicable only when | 
|  | //                       running on AC power", | 
|  | //       "type": "object", | 
|  | //       "properties": { | 
|  | //         "Delays": { | 
|  | //           "type": "object", | 
|  | //           "properties": { | 
|  | //             "ScreenDim": { | 
|  | //               "description": "The length of time without user input after | 
|  | //                               which the screen is dimmed, in milliseconds", | 
|  | //               "type": "integer", | 
|  | //               "minimum": 0 | 
|  | //             }, | 
|  | //             "ScreenOff": { | 
|  | //               "description": "The length of time without user input after | 
|  | //                               which the screen is turned off, in | 
|  | //                               milliseconds", | 
|  | //               "type": "integer", | 
|  | //               "minimum": 0 | 
|  | //             }, | 
|  | //             "Idle": { | 
|  | //               "description": "The length of time without user input after | 
|  | //                               which the idle action is taken, in | 
|  | //                               milliseconds", | 
|  | //               "type": "integer", | 
|  | //               "minimum": 0 | 
|  | //             } | 
|  | //           } | 
|  | //         }, | 
|  | //         "IdleAction": { | 
|  | //           "description": "Action to take when the idle delay is reached", | 
|  | //           "enum": [ "Suspend", "Shutdown", "DoNothing" ] | 
|  | //         } | 
|  | //       } | 
|  | //     }, | 
|  | //     "Battery": { | 
|  | //       "description": "Power management settings applicable only when | 
|  | //                       running on battery power", | 
|  | //       "type": "object", | 
|  | //       "properties": { | 
|  | //         "Delays": { | 
|  | //           "type": "object", | 
|  | //           "properties": { | 
|  | //             "ScreenDim": { | 
|  | //               "description": "The length of time without user input after | 
|  | //                               which the screen is dimmed, in milliseconds", | 
|  | //               "type": "integer", | 
|  | //               "minimum": 0 | 
|  | //             }, | 
|  | //             "ScreenOff": { | 
|  | //               "description": "The length of time without user input after | 
|  | //                               which the screen is turned off, in | 
|  | //                               milliseconds", | 
|  | //               "type": "integer", | 
|  | //               "minimum": 0 | 
|  | //             }, | 
|  | //             "Idle": { | 
|  | //               "description": "The length of time without user input after | 
|  | //                               which the idle action is taken, in | 
|  | //                               milliseconds", | 
|  | //               "type": "integer", | 
|  | //               "minimum": 0 | 
|  | //             } | 
|  | //           } | 
|  | //         }, | 
|  | //         "IdleAction": { | 
|  | //           "description": "Action to take when the idle delay is reached", | 
|  | //           "enum": [ "Suspend", "Shutdown", "DoNothing" ] | 
|  | //         } | 
|  | //       } | 
|  | //     }, | 
|  | //     "LidCloseAction": { | 
|  | //       "description": "Action to take when the lid is closed", | 
|  | //       "enum": [ "Suspend", "Shutdown", "DoNothing" ] | 
|  | //     }, | 
|  | //     "UserActivityScreenDimDelayScale": { | 
|  | //       "description": "Percentage by which the screen dim delay is scaled | 
|  | //                       when user activity is observed while the screen is | 
|  | //                       dimmed or soon after the screen has been turned off", | 
|  | //       "type": "integer", | 
|  | //       "minimum": 0 | 
|  | //     } | 
|  | //   } | 
|  | // } | 
|  | optional string login_screen_power_management = 1; | 
|  | } | 
|  |  | 
|  | message AutoCleanupSettigsProto { | 
|  | // Deprecated.  There is only one disk-full cleanup strategy: LRU. | 
|  | optional string clean_up_strategy = 1; | 
|  | } | 
|  |  | 
|  | // Settings that control low-level functions of the system. | 
|  | message SystemSettingsProto { | 
|  | // Whether developer mode is allowed on the device. If the device owner sets | 
|  | // this flag to true, the system will refuse to boot and show an error screen | 
|  | // when the developer switch is turned on. | 
|  | optional bool block_devmode = 1; | 
|  | } | 
|  |  | 
|  | // Settings that control login for SAML users. | 
|  | message SAMLSettingsProto { | 
|  | // Whether cookies set by a SAML IdP should be transferred to users' profiles | 
|  | // every time a user authenticates via SAML during login. If false, cookies | 
|  | // are transferred during each user's first login only. | 
|  | optional bool transfer_saml_cookies = 1; | 
|  | } | 
|  |  | 
|  | message RebootOnShutdownProto { | 
|  | // Determines whether the device automatically reboots whenever the user shuts | 
|  | // it down. If this flag is set to true, shutdown is forbidden and UI elements | 
|  | // trigger a device reboot instead of a power off. This policy affects | 
|  | // shutdowns triggered from the UI only. If the user shuts down the device | 
|  | // using the power button, it will not automatically reboot, even if the | 
|  | // policy is enabled. | 
|  | optional bool reboot_on_shutdown = 1 [default = false]; | 
|  | } | 
|  |  | 
|  | // Settings that control whether a device would send heartbeat messages to GCM, | 
|  | // and how frequently to send these. | 
|  | message DeviceHeartbeatSettingsProto { | 
|  | // Whether the device should send heartbeat messages. The default is false. | 
|  | optional bool heartbeat_enabled = 1 [default = false]; | 
|  |  | 
|  | // How frequently devices send heartbeats back to server. The unit is in | 
|  | // milliseconds. The default is 2 minutes. | 
|  | optional int64 heartbeat_frequency = 2 [default = 120000]; | 
|  | } | 
|  |  | 
|  | message ExtensionCacheSizeProto { | 
|  | // Specifies the maximum extension cache size, in bytes. The default is 256 | 
|  | // MiB. The minimum allowed value is 1 MiB, smaller values will get ignored. | 
|  | optional int64 extension_cache_size = 1; | 
|  | } | 
|  |  | 
|  | message LoginScreenDomainAutoCompleteProto { | 
|  | // If this policy is not configured or set to a blank string, | 
|  | // no autocomplete option during user sign-in flow will be shown. | 
|  | // If this policy is set to a string representing a domain name, an | 
|  | // autocomplete option during user sign-in will be shown allowing the user | 
|  | // to type in only their user name without the domain name extension. The user | 
|  | // will be able to overwrite this domain name extension. | 
|  | optional string login_screen_domain_auto_complete = 1; | 
|  | } | 
|  |  | 
|  | // Settings that control whether a device would send system logs to the server. | 
|  | message DeviceLogUploadSettingsProto { | 
|  | // Whether the device should send system logs. The default is false. | 
|  | optional bool system_log_upload_enabled = 1 [default = false]; | 
|  | } | 
|  |  | 
|  | // This setting is controlled by the device policy DisplayRotationDefault. | 
|  | // If the policy is set and therefore display_rotation_default contains a value, | 
|  | // all displays will be rotated clockwise to the specified orientation at | 
|  | // reboot, when first connected, or when the setting is changed. | 
|  | // If the optional field |Rotation display_rotation_default = 1| is not present, | 
|  | // no changes are done to the rotation. | 
|  | message DisplayRotationDefaultProto { | 
|  | // This enum corresponds to gfx::Display::Rotation in ui/gfx/display.h. | 
|  | enum Rotation { | 
|  | ROTATE_0 = 0; | 
|  | ROTATE_90 = 1; | 
|  | ROTATE_180 = 2; | 
|  | ROTATE_270 = 3; | 
|  | } | 
|  | optional Rotation display_rotation_default = 1; | 
|  | } | 
|  |  | 
|  | // This setting is controlled by the device policy | 
|  | // DeviceLoginScreenPrivacyScreenEnabled. | 
|  | message DeviceLoginScreenPrivacyScreenEnabledProto { | 
|  | optional bool enabled = 1 [default = false]; | 
|  | } | 
|  |  | 
|  | // This setting is configured by the device policy DeviceDisplayResolution. | 
|  | // If |device_display_resolution| contains a value, then it's treated as a JSON | 
|  | // object that uses the schema defined for DeviceDisplayResolution policy. | 
|  | // Example of the policy value: | 
|  | // { | 
|  | //   "external_width": 1920, | 
|  | //   "external_height": 1080, | 
|  | //   "external_scale_percentage": 50, | 
|  | //   "internal_scale_percentage": 150, | 
|  | //   "recommended": true | 
|  | // } | 
|  | // It sets a 1920x1080 display mode for any external displays and | 
|  | // scales them to 50%, also scales the built-in display to 150%. | 
|  | // If "recommended" flag is set to true, user is able to override | 
|  | // any settings via the settings page. | 
|  | message DeviceDisplayResolutionProto { | 
|  | optional string device_display_resolution = 1; | 
|  | } | 
|  |  | 
|  | // Settings that control whether to allow Chrome to be pinned to a specific | 
|  | // version according to the auto-launched kiosk app’s requirement. | 
|  | message AllowKioskAppControlChromeVersionProto { | 
|  | optional bool allow_kiosk_app_control_chrome_version = 1 [default = false]; | 
|  | } | 
|  |  | 
|  | // Settings that control the flow of the login authentication to be either via | 
|  | // GAIA (default), or via an interstitial screen that can redirect to a SAML IdP | 
|  | // endpoint or return back to the default GAIA flow. | 
|  | message LoginAuthenticationBehaviorProto { | 
|  | enum LoginBehavior { | 
|  | GAIA = 0; | 
|  | SAML_INTERSTITIAL = 1; | 
|  | } | 
|  |  | 
|  | optional LoginBehavior login_authentication_behavior = 1 [default = GAIA]; | 
|  | } | 
|  |  | 
|  | // Identifiers of a USB device or device family. | 
|  | message UsbDeviceIdProto { | 
|  | // USB Vendor Identifier (aka idVendor). | 
|  | optional int32 vendor_id = 1; | 
|  | // USB Product Identifier (aka idProduct). | 
|  | optional int32 product_id = 2; | 
|  | } | 
|  |  | 
|  | // This setting contains the list of USB devices to detach from the kernel | 
|  | // drivers in order to use them in web applications. | 
|  | // The list is used by the permission_broker daemon. | 
|  | message UsbDetachableWhitelistProto { | 
|  | repeated UsbDeviceIdProto id = 1; | 
|  | } | 
|  |  | 
|  | // Identifiers of a USB device or device family. | 
|  | message UsbDeviceIdInclusiveProto { | 
|  | // USB Vendor Identifier (aka idVendor). | 
|  | optional int32 vendor_id = 1; | 
|  | // USB Product Identifier (aka idProduct). | 
|  | optional int32 product_id = 2; | 
|  | } | 
|  |  | 
|  | // This setting contains the list of USB devices to detach from the kernel | 
|  | // drivers in order to use them in web applications. | 
|  | // The list is used by the permission_broker daemon. | 
|  | message UsbDetachableAllowlistProto { | 
|  | repeated UsbDeviceIdInclusiveProto id = 1; | 
|  | } | 
|  |  | 
|  | message AllowBluetoothProto { | 
|  | // Policy which controls whether Bluetooth is available. | 
|  | optional bool allow_bluetooth = 1 [default = true]; | 
|  | } | 
|  |  | 
|  | message DeviceWiFiAllowedProto { | 
|  | // Policy which controls the ability to connect to wireless networks. | 
|  | optional bool device_wifi_allowed = 1 [default = true]; | 
|  | } | 
|  |  | 
|  | // Settings that control whether a device can download hardware configuration | 
|  | // files from the Quirks Server. | 
|  | message DeviceQuirksDownloadEnabledProto { | 
|  | optional bool quirks_download_enabled = 1; | 
|  | } | 
|  |  | 
|  | // A list of security origins for SAML login pages that are allowed to | 
|  | // access the webcam.  No login pages will be allowed to access the | 
|  | // webcam if the list is empty. | 
|  | message LoginVideoCaptureAllowedUrlsProto { | 
|  | repeated string urls = 1; | 
|  | } | 
|  |  | 
|  | // Settings that control whether a device can connect to a 802.11r enabled | 
|  | // WiFi network. | 
|  | message DeviceWiFiFastTransitionEnabledProto { | 
|  | optional bool device_wifi_fast_transition_enabled = 1; | 
|  | } | 
|  |  | 
|  | message NetworkThrottlingEnabledProto { | 
|  | optional bool enabled = 1 [default = false]; | 
|  | optional int32 upload_rate_kbits = 2 [default = 0]; | 
|  | optional int32 download_rate_kbits = 3 [default = 0]; | 
|  | } | 
|  |  | 
|  | // A list of apps or extensions to install from the webstore on the login page. | 
|  | // It is a list of strings, each string contains an extension ID and an update | 
|  | // URL, delimited by a semicolon. | 
|  | message DeviceLoginScreenExtensionsProto { | 
|  | repeated string device_login_screen_extensions = 1; | 
|  | } | 
|  |  | 
|  | // A list of allowed locales on the login screen. | 
|  | message LoginScreenLocalesProto { | 
|  | repeated string login_screen_locales = 1; | 
|  | } | 
|  |  | 
|  | // A list of allowed input methods on the login screen. | 
|  | message LoginScreenInputMethodsProto { | 
|  | repeated string login_screen_input_methods = 1; | 
|  | } | 
|  |  | 
|  | // The url and hash specified in JSON format that can be used to set the | 
|  | // device-level wallpaper on the login screen before any user logs in. | 
|  | message DeviceWallpaperImageProto { | 
|  | optional string device_wallpaper_image = 1; | 
|  | } | 
|  |  | 
|  | // Migration strategy for the case when ARC(N+) needs the ext4 encryption while | 
|  | // the device used ecryptfs in the past. | 
|  | message DeviceEcryptfsMigrationStrategyProto { | 
|  | enum MigrationStrategy { | 
|  | // Default value, unspecified. | 
|  | UNSET = 0; | 
|  | // ARC is not allowed, no data migration needed. | 
|  | DISALLOW_ARC = 1; | 
|  | // The data migration is allowed, opening the possibility to use ARC. | 
|  | ALLOW_MIGRATION = 2; | 
|  | } | 
|  |  | 
|  | optional MigrationStrategy migration_strategy = 1; | 
|  | } | 
|  |  | 
|  | // This setting controls how the on-board secure element hardware can be used | 
|  | // to provide a second-factor authentication in addition to the TPM | 
|  | // functionality. | 
|  | message DeviceSecondFactorAuthenticationProto { | 
|  | enum U2fMode { | 
|  | // Default value, unspecified. | 
|  | UNSET = 0; | 
|  | // Feature disabled. | 
|  | DISABLED = 1; | 
|  | // U2F as defined by the FIDO Alliance specification: | 
|  | // https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915.zip | 
|  | U2F = 2; | 
|  | // U2F plus extensions for individual attestation certificate. | 
|  | U2F_EXTENDED = 3; | 
|  | } | 
|  |  | 
|  | optional U2fMode mode = 1; | 
|  | } | 
|  |  | 
|  | message CastReceiverNameProto { | 
|  | // The name advertised as a Google Cast destination by the device, | 
|  | // up to 24 characters. If the name is empty, the device name will | 
|  | // be used. | 
|  | optional string name = 1; | 
|  | } | 
|  |  | 
|  | // Day of the week and time in milliseconds since the start of the day. | 
|  | message WeeklyTimeProto { | 
|  | enum DayOfWeek { | 
|  | DAY_OF_WEEK_UNSPECIFIED = 0; | 
|  | MONDAY = 1; | 
|  | TUESDAY = 2; | 
|  | WEDNESDAY = 3; | 
|  | THURSDAY = 4; | 
|  | FRIDAY = 5; | 
|  | SATURDAY = 6; | 
|  | SUNDAY = 7; | 
|  | } | 
|  | // Day of week. | 
|  | optional DayOfWeek day_of_week = 1; | 
|  | // Time of day in milliseconds from beginning of the day. | 
|  | optional int32 time = 2; | 
|  | } | 
|  |  | 
|  | // Start and end of an interval represented by WeeklyTimes | 
|  | message WeeklyTimeIntervalProto { | 
|  | optional WeeklyTimeProto start = 1; | 
|  | optional WeeklyTimeProto end = 2; | 
|  | } | 
|  |  | 
|  | // Allow less restricted using of Chromebooks that are managed by school, | 
|  | // while the device is not at school ("OffHours"). | 
|  | message DeviceOffHoursProto { | 
|  | // List of intervals when ignored policies are not applied. These intervals | 
|  | // are in the timezone specified by the timezone string. | 
|  | repeated WeeklyTimeIntervalProto intervals = 1; | 
|  | // Timezone in the same format as SystemTimezoneProto.timezone. | 
|  | optional string timezone = 2; | 
|  | // List of policy proto tags which settings are ignored during OffHours | 
|  | // mode. List contains policy proto tags from ChromeDeviceSettingsProto | 
|  | // (i.e. proto tag = 1 means device_policy_refresh_rate policy). | 
|  | // Proto tags are used because they are consistent identifiers. | 
|  | // During OffHoursMode default settings of ignored policies are used. | 
|  | repeated int32 ignored_policy_proto_tags = 3; | 
|  | } | 
|  |  | 
|  | // The url and hash specified in JSON format that can be used to retrieve | 
|  | // the device-level printers configuration file. | 
|  | message DeviceNativePrintersProto { | 
|  | // External policy blob encoded as JSON. | 
|  | optional string external_policy = 1; | 
|  | } | 
|  |  | 
|  | // The policy which determines the type of access restriction that is applied to | 
|  | // the devicel-level printers list. | 
|  | message DeviceNativePrintersAccessModeProto { | 
|  | enum AccessMode { | 
|  | ACCESS_MODE_BLACKLIST = 0;  // Use NatvePrintersBlacklistProto. | 
|  | ACCESS_MODE_WHITELIST = 1;  // Use NaviePrintersWhitelistProto. | 
|  | ACCESS_MODE_ALL = 2;        // Allow access to all specified printers. | 
|  | } | 
|  |  | 
|  | // The type of access which is applied to the device-level printer list. | 
|  | optional AccessMode access_mode = 1; | 
|  | } | 
|  |  | 
|  | // A collection of ids defining the printers which are explicitly disallowed for | 
|  | // the device. | 
|  | message DeviceNativePrintersBlacklistProto { | 
|  | // A collection of ids for which are explicitly disallowed. | 
|  | repeated string blacklist = 1; | 
|  | } | 
|  |  | 
|  | // A collection of ids defining the printers which are explicitly allowed for | 
|  | // the device. | 
|  | message DeviceNativePrintersWhitelistProto { | 
|  | // A collection of ids for the list of printers which are accessible. | 
|  | repeated string whitelist = 1; | 
|  | } | 
|  |  | 
|  | // The url and hash specified in JSON format that can be used to retrieve | 
|  | // the device-level printers configuration file. | 
|  | message DevicePrintersProto { | 
|  | // External policy blob encoded as JSON. | 
|  | optional string external_policy = 1; | 
|  | } | 
|  |  | 
|  | // A collection of ids for the list of print servers which are accessible. | 
|  | // The policy which determines the type of access restriction that is applied to | 
|  | // the devicel-level printers list. | 
|  | message DevicePrintersAccessModeProto { | 
|  | enum AccessMode { | 
|  | ACCESS_MODE_BLOCKLIST = 0;  // Use DevicePrintersBlocklistProto. | 
|  | ACCESS_MODE_ALLOWLIST = 1;  // Use DevicePrintersAllowlistProto. | 
|  | ACCESS_MODE_ALL = 2;        // Allow access to all specified printers. | 
|  | } | 
|  |  | 
|  | // The type of access which is applied to the device-level printer list. | 
|  | optional AccessMode access_mode = 1; | 
|  | } | 
|  |  | 
|  | // A collection of ids defining the printers which are explicitly disallowed for | 
|  | // the device. | 
|  | message DevicePrintersBlocklistProto { | 
|  | // A collection of ids for which are explicitly disallowed. | 
|  | repeated string blocklist = 1; | 
|  | } | 
|  |  | 
|  | // A collection of ids defining the printers which are explicitly allowed for | 
|  | // the device. | 
|  | message DevicePrintersAllowlistProto { | 
|  | // A collection of ids for the list of printers which are accessible. | 
|  | repeated string allowlist = 1; | 
|  | } | 
|  |  | 
|  | // The url and hash specified in JSON format that can be used to retrieve | 
|  | // the device-level external print servers configuration file. | 
|  | message DeviceExternalPrintServersProto { | 
|  | // External policy blob encoded as JSON. | 
|  | optional string external_policy = 1; | 
|  | } | 
|  |  | 
|  | // A collection of ids defining the external print servers which are explicitly | 
|  | // allowed for the device. | 
|  | message DeviceExternalPrintServersAllowlistProto { | 
|  | // A collection of ids for the list of print servers which are accessible. | 
|  | repeated string allowlist = 1; | 
|  | } | 
|  |  | 
|  | // Settings to control the behavior of the TPM firmware update functionality. | 
|  | message TPMFirmwareUpdateSettingsProto { | 
|  | // Whether the user is allowed to invoke the update via powerwash. This flow | 
|  | // performs a powerwash operation (which implies a TPM clear), followed by | 
|  | // installation of the TPM firmware update. As a result of the powerwash, all | 
|  | // writable data on the device will be cleared. | 
|  | optional bool allow_user_initiated_powerwash = 1; | 
|  |  | 
|  | // Whether the user is allowed to invoke a variant of the update flow that | 
|  | // clears the TPM to install the firmware update, but preserves device-wide | 
|  | // state (including enrollment). User data will not be preserved in this flow. | 
|  | optional bool allow_user_initiated_preserve_device_state = 2; | 
|  |  | 
|  | enum AutoUpdateMode { | 
|  | // No value set. Default is NEVER. | 
|  | AUTO_UPDATE_MODE_UNSPECIFIED = 0; | 
|  | // Don't auto update TPM firmware. | 
|  | NEVER = 1; | 
|  | // Update firmware at the next reboot after user acknowledges the update. | 
|  | USER_ACKNOWLEDGMENT = 2; | 
|  | // Update firmware at the next reboot. | 
|  | WITHOUT_ACKNOWLEDGMENT = 3; | 
|  | // Update firmware after enrollment. | 
|  | ENROLLMENT = 4; | 
|  | } | 
|  |  | 
|  | // Controls how automatic firmware updates are enforced for vulnerable | 
|  | // firmware. All flows preserve local device state. | 
|  | optional AutoUpdateMode auto_update_mode = 3 [default = NEVER]; | 
|  | } | 
|  |  | 
|  | // Settings to control the minimum version that is allowed to sign in / stay | 
|  | // in session. This is now deprecated from M82 onwards. | 
|  | message OBSOLETE_MinimumRequiredVersionProto { | 
|  | // Value is chrome_version string, e.g. 61.0.3163.120 | 
|  | // The client will use prefix matching to compare its version against the | 
|  | // value of this field. | 
|  | optional string OBSOLETE_chrome_version = 1 [deprecated = true]; | 
|  | } | 
|  |  | 
|  | // Specifies a list of rules to automatically select certificates on SAML IdP | 
|  | // pages on the sign-in screen. | 
|  | message DeviceLoginScreenAutoSelectCertificateForUrls { | 
|  | // Each entry is one rule, which must be a stringified JSON dictionary. | 
|  | // Each dictionary must have the form { "pattern": "$URL_PATTERN", "filter" : | 
|  | // $FILTER }. $FILTER restricts from which client certificates the browser | 
|  | // will automatically select. Independent of the filter, only certificates | 
|  | // will be selected that match the server's certificate request. If $FILTER | 
|  | // has the form { "ISSUER": { "CN": "$ISSUER_CN" } }, additionally only client | 
|  | // certificates are selected that are issued by a certificate with the | 
|  | // CommonName $ISSUER_CN. If $FILTER is the empty dictionary {}, the selection | 
|  | // of client certificates is not additionally restricted. | 
|  | repeated string login_screen_auto_select_certificate_rules = 1; | 
|  | } | 
|  |  | 
|  | // Setting that controls whether unaffiliated users are allowed to use ARC | 
|  | // (true by default) | 
|  | message UnaffiliatedArcAllowedProto { | 
|  | optional bool unaffiliated_arc_allowed = 1; | 
|  | } | 
|  |  | 
|  | // Allowed encryption types for requesting Kerberos tickets from Active | 
|  | // Directory servers. Applies to Active Directory management mode only. | 
|  | message DeviceKerberosEncryptionTypesProto { | 
|  | enum Types { | 
|  | ENC_TYPES_ALL = 0;     // AES + RC4_HMAC. | 
|  | ENC_TYPES_STRONG = 1;  // AES only. | 
|  | ENC_TYPES_LEGACY = 2;  // RC4_HMAC only. | 
|  | // Next ID to use: 3 | 
|  | } | 
|  |  | 
|  | optional Types types = 1 [default = ENC_TYPES_STRONG]; | 
|  | } | 
|  |  | 
|  | // Specifies how user policy from device GPOs interacts with user policy from | 
|  | // user GPOs. In 'MERGE' mode, device GPOs take preference in case of conflicts. | 
|  | // Applies to Active Directory management mode only. | 
|  | message DeviceUserPolicyLoopbackProcessingModeProto { | 
|  | enum Mode { | 
|  | USER_POLICY_MODE_DEFAULT = 0;  // Only take user policy from user GPOs. | 
|  | USER_POLICY_MODE_MERGE = 1;    // Merge device GPOs on top of user GPOs. | 
|  | USER_POLICY_MODE_REPLACE = 2;  // Only take user policy from device GPOs. | 
|  | // Next ID to use: 3 | 
|  | } | 
|  |  | 
|  | optional Mode mode = 1 [default = USER_POLICY_MODE_DEFAULT]; | 
|  | } | 
|  |  | 
|  | // Specifies a list of origins. Each of the specified origins will run in its | 
|  | // own process on the sign-in screen. | 
|  | message OBSOLETE_DeviceLoginScreenIsolateOriginsProto { | 
|  | // A comma-separated list of the origins to be run in a separate process on | 
|  | // the sign-in screen. | 
|  | // If the value of this policy does not match the value of the user policy | 
|  | // IsolateOrigins, the chrome process will be restarted on user sign-in to | 
|  | // apply the value specified by the user policy. | 
|  | optional string OBSOLETE_isolate_origins = 1 [deprecated = true]; | 
|  | } | 
|  |  | 
|  | // Specifies if each site should run in its own process on the sign-in screen. | 
|  | message OBSOLETE_DeviceLoginScreenSitePerProcessProto { | 
|  | // If true, each site will run in its own process on the sign-in screen. | 
|  | // If the value of this policy does not match the value of the user policy | 
|  | // SitePerProcess, the chrome process will be restarted on user sign-in to | 
|  | // apply the value specified by the user policy. | 
|  | optional bool OBSOLETE_site_per_process = 1 [deprecated = true]; | 
|  | } | 
|  |  | 
|  | // Setting to control if running virtual machines on Chrome OS is allowed. | 
|  | message VirtualMachinesAllowedProto { | 
|  | optional bool virtual_machines_allowed = 1; | 
|  | } | 
|  |  | 
|  | // Specifies if and how often Active Directory machine (computer) account | 
|  | // passwords are changed in the AuthPolicy daemon in Chrome OS. | 
|  | // Applies to Active Directory management mode only. | 
|  | message DeviceMachinePasswordChangeRateProto { | 
|  | optional int32 rate_days = 1; | 
|  | } | 
|  |  | 
|  | // Specifies how long cached Active Directory Group Policy Objects (GPOs) may be | 
|  | // reused until they are re-downloaded (a version change also forces a | 
|  | // re-download). | 
|  | // Applies to Active Directory management mode only. | 
|  | message DeviceGpoCacheLifetimeProto { | 
|  | optional int32 lifetime_hours = 1; | 
|  | } | 
|  |  | 
|  | // Specifies how long cached Active Directory authentication data may be reused | 
|  | // until it is refreshed. This can significantly speed up user authentication. | 
|  | // Applies to Active Directory management mode only. | 
|  | message DeviceAuthDataCacheLifetimeProto { | 
|  | optional int32 lifetime_hours = 1; | 
|  | } | 
|  |  | 
|  | // Setting to control the authentication type for newly added users which log in | 
|  | // via SAML. | 
|  | message SamlLoginAuthenticationTypeProto { | 
|  | enum Type { | 
|  | TYPE_DEFAULT = 0;             // Implementation-defined default config. | 
|  | TYPE_CLIENT_CERTIFICATE = 1;  // Client certificate authentication. | 
|  | // Next ID to use: 2 | 
|  | } | 
|  |  | 
|  | optional Type saml_login_authentication_type = 1 [default = TYPE_DEFAULT]; | 
|  | } | 
|  |  | 
|  | // Setting that controls whether unaffiliated users are allowed to run Crostini | 
|  | // (true by default) | 
|  | message DeviceUnaffiliatedCrostiniAllowedProto { | 
|  | optional bool device_unaffiliated_crostini_allowed = 1; | 
|  | } | 
|  |  | 
|  | // Setting that controls whether PluginVm is allowed to run on this device. | 
|  | message PluginVmAllowedProto { | 
|  | optional bool plugin_vm_allowed = 1; | 
|  | } | 
|  |  | 
|  | // Setting that specifies PluginVm license key for this device. | 
|  | message PluginVmLicenseKeyProto { | 
|  | optional string plugin_vm_license_key = 1; | 
|  | } | 
|  |  | 
|  | // Setting that controls whether the device should reboot when user sign out. | 
|  | message DeviceRebootOnUserSignoutProto { | 
|  | enum RebootOnSignoutMode { | 
|  | // No value set. Default is NEVER. | 
|  | REBOOT_ON_SIGNOUT_MODE_UNSPECIFIED = 0; | 
|  | // Do not reboot on signout. | 
|  | NEVER = 1; | 
|  | // Reboot on signout if an ARC session was active during the user session. | 
|  | ARC_SESSION = 2; | 
|  | // Always reboot on signout. | 
|  | ALWAYS = 3; | 
|  | // Reboot on signout if an ARC session was active or a VM was started | 
|  | // during the user session. | 
|  | VM_STARTED_OR_ARC_SESSION = 4; | 
|  | } | 
|  |  | 
|  | optional RebootOnSignoutMode reboot_on_signout_mode = 1 [default = NEVER]; | 
|  | } | 
|  |  | 
|  | // Setting that controls whether wilco diagnostics and telemetry controller is | 
|  | // allowed on this device. | 
|  | message DeviceWilcoDtcAllowedProto { | 
|  | optional bool device_wilco_dtc_allowed = 1; | 
|  | } | 
|  |  | 
|  | // Setting that specifies wilco diagnostics and telemetry controller | 
|  | // configuration for this device. | 
|  | message DeviceWilcoDtcConfigurationProto { | 
|  | optional string device_wilco_dtc_configuration = 1; | 
|  | } | 
|  |  | 
|  | // Settings that control power peak shift policy. | 
|  | message DevicePowerPeakShiftProto { | 
|  | // Setting that controls whether power peak shift is enabled on this device. | 
|  | // For details see "DevicePowerPeakShiftEnabled" in policy_templates.json. | 
|  | optional bool enabled = 1; | 
|  |  | 
|  | // Setting that controls power peak shift battery threshold on this device. | 
|  | // For details see "DevicePowerPeakShiftBatteryThreshold" in | 
|  | // policy_templates.json. | 
|  | optional int32 battery_threshold = 2; | 
|  |  | 
|  | // Setting that controls power peak shift day configs on this device. | 
|  | // This is a JSON string, for details see "DevicePowerPeakShiftDayConfig" in | 
|  | // policy_templates.json. | 
|  | optional string day_configs = 3; | 
|  | } | 
|  |  | 
|  | // Settings that control boot on AC policy. | 
|  | message DeviceBootOnAcProto { | 
|  | // Setting that controls whether boot on AC is enabled on this device. | 
|  | optional bool enabled = 1; | 
|  | } | 
|  |  | 
|  | // Settings that control device's dock MAC address source. | 
|  | message DeviceDockMacAddressSourceProto { | 
|  | enum Source { | 
|  | SOURCE_UNSPECIFIED = 0; | 
|  | // Device's designated dock MAC address. | 
|  | DEVICE_DOCK_MAC_ADDRESS = 1; | 
|  | // Device's built-in NIC MAC address. | 
|  | DEVICE_NIC_MAC_ADDRESS = 2; | 
|  | // Dock's built-in NIC MAC address. | 
|  | DOCK_NIC_MAC_ADDRESS = 3; | 
|  | } | 
|  | optional Source source = 1; | 
|  | } | 
|  |  | 
|  | // Settings that control advanced battery charge mode policy. | 
|  | message DeviceAdvancedBatteryChargeModeProto { | 
|  | // Setting that controls whether advanced battery charge mode is enabled on | 
|  | // this device. | 
|  | // For details see "DeviceAdvancedBatteryChargeModeEnabled" in | 
|  | // policy_templates.json. | 
|  | optional bool enabled = 1; | 
|  |  | 
|  | // Setting that controls advanced battery charge mode day config on this | 
|  | // device. | 
|  | // This is a JSON string, for details see | 
|  | // "DeviceAdvancedBatteryChargeModeDayConfig" in policy_templates.json. | 
|  | optional string day_configs = 2; | 
|  | } | 
|  |  | 
|  | // Settings that control battery charge mode policy. | 
|  | message DeviceBatteryChargeModeProto { | 
|  | enum BatteryChargeMode { | 
|  | MODE_UNSPECIFIED = 0; | 
|  | STANDARD = 1; | 
|  | EXPRESS_CHARGE = 2; | 
|  | PRIMARILY_AC_USE = 3; | 
|  | ADAPTIVE = 4; | 
|  | CUSTOM = 5; | 
|  | } | 
|  |  | 
|  | // Setting that controls battery charge mode on this device. | 
|  | // For details see "DeviceBatteryChargeMode" in policy_templates.json. | 
|  | optional BatteryChargeMode battery_charge_mode = 1; | 
|  |  | 
|  | // Percent at which charging starts when using CUSTOM. | 
|  | // For details see "DeviceBatteryChargeCustomStartCharging" in | 
|  | // policy_templates.json. | 
|  | optional int32 custom_charge_start = 2; | 
|  |  | 
|  | // Percent at which charging stops when using CUSTOM. | 
|  | // For details see "DeviceBatteryChargeCustomStopCharging" in | 
|  | // policy_templates.json. | 
|  | optional int32 custom_charge_stop = 3; | 
|  | } | 
|  |  | 
|  | // Settings that control USB power share policy. | 
|  | message DeviceUsbPowerShareProto { | 
|  | // Setting that controls whether USB power share is enabled on this device. | 
|  | optional bool enabled = 1; | 
|  | } | 
|  |  | 
|  | // Settings that control when a device will wake up and check for updates. These | 
|  | // checks are recurring. In order to disable a set schedule the policy must be | 
|  | // removed. | 
|  | message DeviceScheduledUpdateCheckProto { | 
|  | // This is a JSON string, for details see "DeviceScheduledUpdateCheck" in | 
|  | // policy_templates.json. | 
|  | optional string device_scheduled_update_check_settings = 1; | 
|  | } | 
|  |  | 
|  | // Settings that control if the device is allowed to powerwash. | 
|  | message DevicePowerwashAllowedProto { | 
|  | // Determines if powerwash is allowed on the device. | 
|  | optional bool device_powerwash_allowed = 1; | 
|  | } | 
|  |  | 
|  | // Settings that controls which devices are whitelisted for certain urls to be | 
|  | // used via the WebUSB API on the login screen. | 
|  | message DeviceLoginScreenWebUsbAllowDevicesForUrlsProto { | 
|  | // This is a JSON string, for details see | 
|  | // "DeviceLoginScreenWebUsbAllowDevicesForUrls" in policy_templates.json. | 
|  | optional string device_login_screen_webusb_allow_devices_for_urls = 1; | 
|  | } | 
|  |  | 
|  | // Settings that control the availability of System-proxy service and the web | 
|  | // proxy credentials for system services connecting through System-proxy. | 
|  | message SystemProxySettingsProto { | 
|  | // This is a JSON string, for details see "SystemProxySettings" in | 
|  | // policy_templates.json. | 
|  | optional string system_proxy_settings = 1; | 
|  | } | 
|  |  | 
|  | // Settings that control what certificates should be privisioned via DM server. | 
|  | message RequiredClientCertificateForDeviceProto { | 
|  | // This is a JSON string, for details see | 
|  | // "RequiredClientCertificateForDevice" in policy_templates.json. | 
|  | optional string required_client_certificate_for_device = 1; | 
|  | } | 
|  |  | 
|  | // Setting that controls whether ARC ADB sideloading is allowed for the device. | 
|  | message DeviceCrostiniArcAdbSideloadingAllowedProto { | 
|  | enum AllowanceMode { | 
|  | DISALLOW = 0; | 
|  | DISALLOW_WITH_POWERWASH = 1; | 
|  | ALLOW_FOR_AFFILIATED_USERS = 2; | 
|  | // Next ID to use: 3 | 
|  | } | 
|  |  | 
|  | optional AllowanceMode mode = 1 [default = DISALLOW]; | 
|  | } | 
|  |  | 
|  | message DeviceShowLowDiskSpaceNotificationProto { | 
|  | optional bool device_show_low_disk_space_notification = 1; | 
|  | } | 
|  |  | 
|  | // Setting that controls whether all Family Link accounts are allowed on the | 
|  | // device additionally to the accounts listed in UserAllowlistProto. | 
|  | message DeviceFamilyLinkAccountsAllowedProto { | 
|  | optional bool family_link_accounts_allowed = 1 [default = false]; | 
|  | } | 
|  |  | 
|  | // Setting that controls whether ARC data snapshotting is enabled for the device | 
|  | // and time intervals of updating ARC data snapshot. | 
|  | message DeviceArcDataSnapshotHoursProto { | 
|  | // This is a JSON string, for details see | 
|  | // "DeviceArcDataSnapshotHours" in policy_template.json | 
|  | optional string arc_data_snapshot_hours = 1; | 
|  | } | 
|  |  | 
|  | // Setting that controls whether system-wide trace collection using the Perfetto | 
|  | // system tracing service is allowed. | 
|  | message DeviceSystemWideTracingEnabledProto { | 
|  | optional bool enabled = 1 [default = true]; | 
|  | } | 
|  |  | 
|  | // Setting that controls whether data access is enabled for Thunderbolt/USB4 | 
|  | // peripherals. | 
|  | message DevicePciPeripheralDataAccessEnabledProto { | 
|  | optional bool enabled = 1 [default = false]; | 
|  | } | 
|  |  | 
|  | // Setting that controls whether Borealis will be allowed on the device. | 
|  | message DeviceBorealisAllowedProto { | 
|  | optional bool allowed = 1 [default = true]; | 
|  | } | 
|  |  | 
|  | message DeviceAllowedBluetoothServicesProto { | 
|  | // Policy which controls which service UUID is available. | 
|  | repeated string allowlist = 1; | 
|  | } | 
|  |  | 
|  | // Policy that controls whether packet captures will be allowed on the device. | 
|  | message DeviceDebugPacketCaptureAllowedProto { | 
|  | optional bool allowed = 1; | 
|  | } | 
|  |  | 
|  | message ChromeDeviceSettingsProto { | 
|  | reserved 61, 90; | 
|  | optional DevicePolicyRefreshRateProto device_policy_refresh_rate = 1; | 
|  | optional UserWhitelistProto user_whitelist = 2; | 
|  | optional GuestModeEnabledProto guest_mode_enabled = 3; | 
|  | optional OBSOLETE_DeviceProxySettingsProto device_proxy_settings = 4 | 
|  | [deprecated = true]; | 
|  | optional CameraEnabledProto camera_enabled = 5; | 
|  | optional ShowUserNamesOnSigninProto show_user_names = 6; | 
|  | optional DataRoamingEnabledProto data_roaming_enabled = 7; | 
|  | optional AllowNewUsersProto allow_new_users = 8; | 
|  | optional MetricsEnabledProto metrics_enabled = 9; | 
|  | optional ReleaseChannelProto release_channel = 10; | 
|  | optional DeviceOpenNetworkConfigurationProto open_network_configuration = 11; | 
|  | optional DeviceReportingProto device_reporting = 12; | 
|  | optional EphemeralUsersEnabledProto ephemeral_users_enabled = 13; | 
|  | optional OBSOLETE_AppPackProto app_pack = 14 [deprecated = true]; | 
|  | optional OBSOLETE_ForcedLogoutTimeoutsProto forced_logout_timeouts = 15 | 
|  | [deprecated = true]; | 
|  | optional OBSOLETE_ScreenSaverProto login_screen_saver = 16 | 
|  | [deprecated = true]; | 
|  | optional AutoUpdateSettingsProto auto_update_settings = 17; | 
|  | optional OBSOLETE_StartUpUrlsProto start_up_urls = 18 [deprecated = true]; | 
|  | optional OBSOLETE_PinnedAppsProto pinned_apps = 19 [deprecated = true]; | 
|  | optional SystemTimezoneProto system_timezone = 20; | 
|  | optional DeviceLocalAccountsProto device_local_accounts = 21; | 
|  | optional AllowRedeemChromeOsRegistrationOffersProto allow_redeem_offers = 22; | 
|  | optional FeatureFlagsProto feature_flags = 23; | 
|  | optional UptimeLimitProto uptime_limit = 24; | 
|  | optional VariationsParameterProto variations_parameter = 25; | 
|  | optional AttestationSettingsProto attestation_settings = 26; | 
|  | optional AccessibilitySettingsProto accessibility_settings = 27; | 
|  | optional OBSOLETE_SupervisedUsersSettingsProto supervised_users_settings = 28 | 
|  | [deprecated = true]; | 
|  | optional LoginScreenPowerManagementProto login_screen_power_management = 29; | 
|  | optional SystemUse24HourClockProto use_24hour_clock = 30; | 
|  | optional AutoCleanupSettigsProto auto_clean_up_settings = 31; | 
|  | optional SystemSettingsProto system_settings = 32; | 
|  | optional SAMLSettingsProto saml_settings = 33; | 
|  | optional RebootOnShutdownProto reboot_on_shutdown = 34; | 
|  | optional DeviceHeartbeatSettingsProto device_heartbeat_settings = 35; | 
|  | optional ExtensionCacheSizeProto extension_cache_size = 36; | 
|  | optional LoginScreenDomainAutoCompleteProto | 
|  | login_screen_domain_auto_complete = 37; | 
|  | optional DeviceLogUploadSettingsProto device_log_upload_settings = 38; | 
|  | optional DisplayRotationDefaultProto display_rotation_default = 39; | 
|  | optional AllowKioskAppControlChromeVersionProto | 
|  | allow_kiosk_app_control_chrome_version = 40; | 
|  | optional LoginAuthenticationBehaviorProto login_authentication_behavior = 41; | 
|  | optional UsbDetachableWhitelistProto usb_detachable_whitelist = 42; | 
|  | optional AllowBluetoothProto allow_bluetooth = 43; | 
|  | optional DeviceQuirksDownloadEnabledProto quirks_download_enabled = 44; | 
|  | optional LoginVideoCaptureAllowedUrlsProto login_video_capture_allowed_urls = | 
|  | 45; | 
|  | optional DeviceLoginScreenExtensionsProto device_login_screen_extensions = 46; | 
|  | optional NetworkThrottlingEnabledProto network_throttling = 47; | 
|  | optional DeviceWallpaperImageProto device_wallpaper_image = 48; | 
|  | optional LoginScreenLocalesProto login_screen_locales = 49; | 
|  | optional LoginScreenInputMethodsProto login_screen_input_methods = 50; | 
|  | optional DeviceEcryptfsMigrationStrategyProto | 
|  | device_ecryptfs_migration_strategy = 51 [deprecated = true]; | 
|  | optional DeviceSecondFactorAuthenticationProto | 
|  | device_second_factor_authentication = 52; | 
|  | optional CastReceiverNameProto cast_receiver_name = 53; | 
|  | optional DeviceOffHoursProto device_off_hours = 54; | 
|  | optional DeviceNativePrintersProto native_device_printers = 55; | 
|  | optional DeviceNativePrintersAccessModeProto | 
|  | native_device_printers_access_mode = 56; | 
|  | optional DeviceNativePrintersBlacklistProto native_device_printers_blacklist = | 
|  | 57; | 
|  | optional DeviceNativePrintersWhitelistProto native_device_printers_whitelist = | 
|  | 58; | 
|  | optional TPMFirmwareUpdateSettingsProto tpm_firmware_update_settings = 59; | 
|  | optional OBSOLETE_MinimumRequiredVersionProto minimum_required_version = 60 | 
|  | [deprecated = true]; | 
|  | optional DeviceLoginScreenAutoSelectCertificateForUrls | 
|  | device_login_screen_auto_select_certificate_for_urls = 62; | 
|  | optional UnaffiliatedArcAllowedProto unaffiliated_arc_allowed = 63; | 
|  | optional NetworkHostnameProto network_hostname = 64; | 
|  | optional DeviceKerberosEncryptionTypesProto device_kerberos_encryption_types = | 
|  | 65; | 
|  | optional DeviceUserPolicyLoopbackProcessingModeProto | 
|  | device_user_policy_loopback_processing_mode = 66; | 
|  | optional OBSOLETE_DeviceLoginScreenIsolateOriginsProto | 
|  | device_login_screen_isolate_origins = 67 [deprecated = true]; | 
|  | optional OBSOLETE_DeviceLoginScreenSitePerProcessProto | 
|  | device_login_screen_site_per_process = 68 [deprecated = true]; | 
|  | optional VirtualMachinesAllowedProto virtual_machines_allowed = 69; | 
|  | optional DeviceMachinePasswordChangeRateProto | 
|  | device_machine_password_change_rate = 70; | 
|  | optional SamlLoginAuthenticationTypeProto saml_login_authentication_type = 71; | 
|  | optional DeviceUnaffiliatedCrostiniAllowedProto | 
|  | device_unaffiliated_crostini_allowed = 72; | 
|  | optional DeviceWiFiFastTransitionEnabledProto | 
|  | device_wifi_fast_transition_enabled = 73; | 
|  | optional DeviceDisplayResolutionProto device_display_resolution = 74; | 
|  | optional PluginVmAllowedProto plugin_vm_allowed = 75; | 
|  | optional DeviceGpoCacheLifetimeProto device_gpo_cache_lifetime = 76; | 
|  | optional DeviceAuthDataCacheLifetimeProto device_auth_data_cache_lifetime = | 
|  | 77; | 
|  | optional PluginVmLicenseKeyProto plugin_vm_license_key = 78; | 
|  | optional DeviceRebootOnUserSignoutProto device_reboot_on_user_signout = 79; | 
|  | optional DeviceWilcoDtcAllowedProto device_wilco_dtc_allowed = 80; | 
|  | optional DeviceWilcoDtcConfigurationProto device_wilco_dtc_configuration = 81; | 
|  | optional DeviceWiFiAllowedProto device_wifi_allowed = 82; | 
|  | optional DevicePowerPeakShiftProto device_power_peak_shift = 83; | 
|  | optional DeviceBootOnAcProto device_boot_on_ac = 84; | 
|  | optional DeviceDockMacAddressSourceProto device_dock_mac_address_source = 85; | 
|  | optional DeviceAdvancedBatteryChargeModeProto | 
|  | device_advanced_battery_charge_mode = 86; | 
|  | optional DeviceBatteryChargeModeProto device_battery_charge_mode = 87; | 
|  | optional DeviceUsbPowerShareProto device_usb_power_share = 88; | 
|  | optional DeviceScheduledUpdateCheckProto device_scheduled_update_check = 89; | 
|  | optional DevicePowerwashAllowedProto device_powerwash_allowed = 91; | 
|  | optional DeviceLoginScreenWebUsbAllowDevicesForUrlsProto | 
|  | device_login_screen_webusb_allow_devices_for_urls = 92; | 
|  | optional BooleanPolicyProto device_login_screen_system_info_enforced = 93; | 
|  | optional StringListPolicyProto device_web_based_attestation_allowed_urls = 94; | 
|  | optional BooleanPolicyProto device_show_numeric_keyboard_for_password = 95; | 
|  | optional BooleanPolicyProto login_screen_primary_mouse_button_switch = 96; | 
|  | optional StringPolicyProto device_minimum_version = 97; | 
|  | optional SystemProxySettingsProto system_proxy_settings = 98; | 
|  | optional IntegerPolicyProto device_chrome_variations_type = 99; | 
|  | optional DeviceLoginScreenPrivacyScreenEnabledProto | 
|  | device_login_screen_privacy_screen_enabled = 100; | 
|  | optional RequiredClientCertificateForDeviceProto | 
|  | required_client_certificate_for_device = 101; | 
|  | optional DeviceCrostiniArcAdbSideloadingAllowedProto | 
|  | device_crostini_arc_adb_sideloading_allowed = 102; | 
|  | optional StringPolicyProto device_minimum_version_aue_message = 103; | 
|  | optional ManagedGuestSessionPrivacyWarningsProto | 
|  | managed_guest_session_privacy_warnings = 104; | 
|  | optional DeviceExternalPrintServersProto external_print_servers = 105; | 
|  | optional DeviceExternalPrintServersAllowlistProto | 
|  | external_print_servers_allowlist = 106; | 
|  | optional DevicePrintersAccessModeProto device_printers_access_mode = 107; | 
|  | optional DevicePrintersBlocklistProto device_printers_blocklist = 108; | 
|  | optional DevicePrintersAllowlistProto device_printers_allowlist = 109; | 
|  | optional DevicePrintersProto device_printers = 110; | 
|  | optional DeviceShowLowDiskSpaceNotificationProto | 
|  | device_show_low_disk_space_notification = 111; | 
|  | optional UserAllowlistProto user_allowlist = 112; | 
|  | optional UsbDetachableAllowlistProto usb_detachable_allowlist = 113; | 
|  | optional DeviceFamilyLinkAccountsAllowedProto family_link_accounts_allowed = | 
|  | 114; | 
|  | optional DeviceArcDataSnapshotHoursProto arc_data_snapshot_hours = 115; | 
|  | optional BooleanPolicyProto device_allow_mgs_to_store_display_properties = | 
|  | 116; | 
|  | optional DeviceSystemWideTracingEnabledProto | 
|  | device_system_wide_tracing_enabled = 117; | 
|  | optional DevicePciPeripheralDataAccessEnabledProto | 
|  | device_pci_peripheral_data_access_enabled = 118; | 
|  | optional DeviceBorealisAllowedProto device_borealis_allowed = 119; | 
|  | optional DeviceAllowedBluetoothServicesProto | 
|  | device_allowed_bluetooth_services = 120; | 
|  | optional DeviceDebugPacketCaptureAllowedProto | 
|  | device_debug_packet_capture_allowed = 121; | 
|  | } |