blob: 031d254a1c79f49be915df56b774233764606c20 [file] [log] [blame]
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
syntax = "proto2";
option optimize_for = LITE_RUNTIME;
package enterprise_management;
import "private_membership_rlwe.proto";
// Everything below this comment will be synchronized between client and server
// repos ( go/cros-proto-sync ).
// DEPRECATED: This enum needs to be shared between DeviceRegisterRequest and
// LicenseAvailability protos. With java_api_version 1, this means that enum
// needs to be wrapped into a message.
message LicenseType {
// Enumerates different license types.
enum LicenseTypeEnum {
// Unknown/undefined
UNDEFINED = 0;
// Chrome Device Management Perpetual
CDM_PERPETUAL = 1;
// Chrome Device Management Annual
CDM_ANNUAL = 2;
// Chrome Kiosk
KIOSK = 3;
}
optional LicenseTypeEnum license_type_deprecated = 1 [deprecated = true];
}
// Data along with a cryptographic signature verifying their authenticity.
message SignedData {
// The data to be signed.
optional bytes data = 1;
// The signature of the data field.
optional bytes signature = 2;
// How many bytes were added to the end of original data before signature
// (e.g. a nonce to avoid proxy attacks of the signing service).
optional int32 extra_data_bytes = 3;
}
// Request from device to server to check user account type for enrollment.
message CheckUserAccountRequest {
// Email address of a user.
// The user may not exist in GAIA.
optional string user_email = 1;
}
// Request from device to server to register a device, user or browser.
message DeviceRegisterRequest {
reserved 5, 10;
// Reregister device without erasing server state. It can be used
// to refresh dmtoken etc. Client MUST set this value to true if it
// reuses an existing device id.
optional bool reregister = 1;
// Register type. This field does not exist for TT release.
// When a client requests for policies, server should verify the
// client has been registered properly. For example, a client must
// register with type DEVICE in order to retrieve device policies.
enum Type {
reserved 5;
TT = 0; // Register for TT release.
USER = 1; // Register for Chrome OS user polices.
DEVICE = 2; // Register for Chrome OS device policies.
BROWSER = 3; // Register for desktop Chrome browser user policies.
ANDROID_BROWSER = 4; // Register for Android Chrome browser user policies.
}
// NOTE: we also use this field to detect client version. If this
// field is missing, then the request comes from TT. We will remove
// Chrome OS TT support once it is over.
optional Type type = 2 [default = TT];
// Machine hardware id, such as serial number.
// This field is required if register type == DEVICE.
optional string machine_id = 3;
// Machine model name, such as "ZGA", "Cr-48", "Nexus One". If the
// model name is not available, client SHOULD send generic name like
// "Android", or "Chrome OS".
optional string machine_model = 4;
// Indicates a requisition of the registering entity that the server can act
// upon. This allows clients to pass hints e.g. at device enrollment time
// about the intended use of the device.
optional string requisition = 6;
// The current server-backed state key for the client, if applicable. This can
// be used by the server to link the registration request to an existing
// device record for re-enrollment.
optional bytes server_backed_state_key = 7;
// Enumerates different flavors of registration.
enum Flavor {
// User manually enrolls a device for device management.
FLAVOR_ENROLLMENT_MANUAL = 0;
// User re-starts enrollment manually to recover from loss of policy.
FLAVOR_ENROLLMENT_MANUAL_RENEW = 1;
// Device enrollment forced by local device configuration, such as OEM
// partition flags to force enrollment.
FLAVOR_ENROLLMENT_LOCAL_FORCED = 2;
// Enrollment advertised by local device configuration, such as OEM
// partition flags indicating to prompt for enrollment, but allowing the
// user to skip.
FLAVOR_ENROLLMENT_LOCAL_ADVERTISED = 3;
// Device state downloaded from the server during OOBE indicates that
// re-enrollment is mandatory.
FLAVOR_ENROLLMENT_SERVER_FORCED = 4;
// Device state downloaded from the server during OOBE indicates that the
// device should prompt for (re-)enrollment, but the user is allowed to
// skip.
FLAVOR_ENROLLMENT_SERVER_ADVERTISED = 5;
// Device detected in steady state that it is supposed to be enrolled, but
// the policy is missing.
FLAVOR_ENROLLMENT_RECOVERY = 6;
// User policy registration for a logged-in user.
FLAVOR_USER_REGISTRATION = 7;
// Attestation-based with the option to use a different authentication
// mechanism.
FLAVOR_ENROLLMENT_ATTESTATION = 8;
// Forced attestation-based enrollment (cannot fallback to another flavor).
FLAVOR_ENROLLMENT_ATTESTATION_LOCAL_FORCED = 9;
// Device state downloaded from the server during OOBE indicates that
// re-enrollment is mandatory and should be attestation-based.
FLAVOR_ENROLLMENT_ATTESTATION_SERVER_FORCED = 10;
// Device state downloaded from the server indicated that re-enrollment is
// mandatory, but it failed and we are doing a fallback to manual
// enrollment.
FLAVOR_ENROLLMENT_ATTESTATION_MANUAL_FALLBACK = 11;
// Enrollment triggered by USB pre-configuration
FLAVOR_ENROLLMENT_ATTESTATION_USB_ENROLLMENT = 12;
// Device state downloaded from the server during OOBE indicates that
// initial enrollment is mandatory.
FLAVOR_ENROLLMENT_INITIAL_SERVER_FORCED = 13;
// Device state downloaded from the server during OOBE indicates that
// initial enrollment is mandatory and should be attestation-based.
FLAVOR_ENROLLMENT_ATTESTATION_INITIAL_SERVER_FORCED = 14;
// Device state downloaded from the server indicated that initial enrollment
// is mandatory, but it failed and we are doing a fallback to manual
// enrollment.
FLAVOR_ENROLLMENT_ATTESTATION_INITIAL_MANUAL_FALLBACK = 15;
}
// Indicates the registration flavor. This is passed to the server FYI when
// registering for policy so the server can distinguish registration triggers.
optional Flavor flavor = 8;
// If specified, represents the license type selected by user on the device.
optional LicenseType license_type = 9;
// Enumerates different expected lifetimes of registration.
enum Lifetime {
// Default case.
LIFETIME_UNDEFINED = 0;
// No expiration, most of the registrations have this lifetime.
LIFETIME_INDEFINITE = 1;
// Lifetime for ephemeral user policy registration.
LIFETIME_EPHEMERAL_USER = 2;
}
// Indicates the expected lifetime of registration.
optional Lifetime lifetime = 11 [default = LIFETIME_INDEFINITE];
// The 4-character brand code of the device.
optional string brand_code = 12;
// Previous DMToken that should be reused for re-registration.
optional string reregistration_dm_token = 13;
// MAC address for onboard network (ethernet) interface.
// The format is twelve (12) hexadecimal digits without any delimiter
// (uppercase letters).
// This field might be set only if register type == DEVICE.
optional string ethernet_mac_address = 14;
// Built-in MAC address for the docking station that the device can be
// connected to.
// The format is twelve (12) hexadecimal digits without any delimiter
// (uppercase letters).
// This field might be set only if register type == DEVICE.
optional string dock_mac_address = 15;
// The date the device was manufactured in yyyy-mm-dd format.
// This field might be set only if register type == DEVICE.
optional string manufacture_date = 16;
// Currently using in token enrollment to ensure domain in request matches
// domain from token.
optional string expected_enrollment_domain = 17;
// Identification of the device that is not already available.
optional DeviceRegisterIdentification device_register_identification = 18;
// Indicates all possible PSM (Private Set Membership) protocol final results
// without specifying the root cause in case of an error.
enum PsmExecutionResult {
// PSM protocol started and it neither finished successfully nor
// terminated due to a protocol's error.
PSM_RESULT_UNKNOWN = 0;
// PSM finished successfully and there was server-backed state for the
// device.
PSM_RESULT_SUCCESSFUL_WITH_STATE = 1;
// PSM finished successfully and there was no server-backed state for the
// device.
PSM_RESULT_SUCCESSFUL_WITHOUT_STATE = 2;
// PSM terminated due to an error.
PSM_RESULT_ERROR = 3;
}
optional PsmExecutionResult psm_execution_result = 19;
// Timestamp of PSM retrieving the device's determination successfully in
// milliseconds since Epoch in UTC timezone (Java time).
optional int64 psm_determination_timestamp_ms = 20;
// Next id: 21.
}
// Identification of a device used during its registration.
message DeviceRegisterIdentification {
// The attested device ID for devices using Zero-Touch (see go/zt-sn).
optional string attested_device_id = 1;
}
// Response from server to device
message CheckUserAccountResponse {
// Enum listing the possible user account status.
enum UserAccountType {
UNKNOWN_USER_ACCOUNT_TYPE = 0;
// There is no GAIA user exist mapping to the specific user email.
NOT_EXIST = 1;
// The GAIA user mapping to the specific user email is not a dasher user.
CONSUMER = 2;
// The GAIA user is a dasher user. See http://go/is-dasher-user
DASHER = 3;
}
// The domain abstracted from the specific email has been verified by dasher.
optional bool domain_verified = 1;
// The account type mapping from the specific user email.
optional UserAccountType user_account_type = 2;
}
// Response from server to device register request.
message DeviceRegisterResponse {
// Device management token for this registration. This token MUST be
// part of HTTP Authorization header for all future requests from
// device to server.
required string device_management_token = 1;
// Device display name. By default, server generates the name in
// the format of "Machine Model - Machine Id". However, domain
// admin can update it using Admin console, so do NOT treat it as constant.
optional string machine_name = 2;
// Enum listing the possible modes the device should be locked into when the
// registration is finished.
enum DeviceMode {
// In ENTERPRISE mode the device has no local owner and device settings are
// controlled through the cloud policy infrastructure. Auto-enrollment is
// supported in that mode.
ENTERPRISE = 0;
// DEPRECATED: Devices in RETAIL mode also have no local owner and get their
// device settings from the cloud, but additionally this mode enables the
// demo account on the device.
RETAIL_DEPRECATED = 1;
// Devices in CHROME_AD mode are in enterprises with AD. Device settings
// are controlled through the AD policy infrastructure.
CHROME_AD = 2;
// Devices in DEMO mode have no local owner and get their device settings
// from the cloud. They are controlled by demo mode domain and provide
// customized demo experience to the users.
DEMO = 3;
}
optional DeviceMode enrollment_type = 3 [default = ENTERPRISE];
// An opaque configuration string for devices that require it. CHROME_AD
// devices, for example, may use this string for AD discovery. Must be at
// most a few kBytes.
optional string configuration_seed = 4;
// List of user affiliation IDs. The list is used to define if the user
// registering for policy is affiliated on the device.
// Only sent if DeviceRegisterRequest.Type == USER
repeated string user_affiliation_ids = 5;
// The unique directory api ID of the device which was generated on the
// server-side.
optional string directory_api_id = 6;
}
// Request from device to server to unregister device.
// GoogleDMToken MUST be in HTTP Authorization header.
message DeviceUnregisterRequest {}
// Response from server to device for unregister request.
message DeviceUnregisterResponse {}
// Request from device to server to upload a device certificate or an enrollment
// identifier.
// GoogleDMToken MUST be in HTTP Authorization header.
message DeviceCertUploadRequest {
enum CertificateType {
// Default value for when a type is not specified.
CERTIFICATE_TYPE_UNSPECIFIED = 0;
// Enterprise machine certificate used for remote attestation.
ENTERPRISE_MACHINE_CERTIFICATE = 1;
// Enrollment certificate used to obtain an enrollment identifier.
ENTERPRISE_ENROLLMENT_CERTIFICATE = 2;
}
// Certificate in X.509 format.
optional bytes device_certificate = 1;
// Type of certificate. If omitted, will be guessed from the other fields.
optional CertificateType certificate_type = 2;
// Enrollment identifier if provided.
optional bytes enrollment_id = 3;
}
// Response from server to device for cert upload request.
message DeviceCertUploadResponse {}
// Request to access a Google service with the given scope.
message DeviceServiceApiAccessRequest {
// The list of auth scopes the device requests from DMServer.
repeated string auth_scopes = 1;
// OAuth2 client ID to which the returned authorization code is bound.
optional string oauth2_client_id = 2;
// Enumerates different flavors of registration.
enum DeviceType {
// Authcode will be used by Chrome OS
// (this is typically requested during device enrollment)
CHROME_OS = 0;
// Authcode will be used by Android (ARC) subsystem
// (this is typically requested during ARC Kiosk session setup)
ANDROID_OS = 1;
// Authcode will be used by Chrome OS Demo Mode. This auth code can be used
// to access Google Docs.
// Please see go/cros-demo-mode and go/demo-mode-account-brainstorm.
CHROME_OS_DEMO_MODE = 2;
// Authcode will be used by the enterprise-managed Chrome Browser to
// register for policy invalidations. This is requested during enrollment.
CHROME_BROWSER = 3;
}
// Device type indicates the intended use of the auth code.
optional DeviceType device_type = 3;
}
// Response from server to API access request.
message DeviceServiceApiAccessResponse {
// The OAuth2 authorization code for the requested scope(s).
// This can be exchanged for a refresh token.
optional string auth_code = 1;
}
// Device Identifier for non-Chrome OS platform.
message BrowserDeviceIdentifier {
// Name of the computer.
optional string computer_name = 1;
// Device serial number (definition depending on the platform).
optional string serial_number = 2;
// Android-specific identifiers.
optional AndroidIdentifier android_identifier = 3;
}
message PolicyFetchRequest {
reserved 5;
// This is the policy type, which maps to D3 policy type internally.
// By convention, we use "/" as separator to create policy namespace.
// The policy type names are case insensitive.
//
// Possible values for Chrome OS are:
// google/chromeos/device => ChromeDeviceSettingsProto
// google/chromeos/user => ChromeSettingsProto
// google/chromeos/publicaccount => ChromeSettingsProto
// google/chrome/machine-level-user => ChromeSettingsProto
// google/chrome/machine-level-user-android => ChromeSettingsProto
// google/chrome/machine-level-user-ios => ChromeSettingsProto
// google/chrome/extension => ExternalPolicyData
// google/chrome/machine-level-extension => ExternalPolicyData
// google/chromeos/signinextension => ExternalPolicyData
// google/android/user => ChromeSettingsProto
// google/chromeos/remotecommand => RemoteCommand (*)
//
// Types marked with an (*) are not policies, but data signed with the policy
// key. It is illegal to try to fetch policies with those types.
optional string policy_type = 1;
// This is the last policy timestamp that client received from server. The
// expectation is that this field is filled by the value of
// PolicyData.timestamp from the last policy received by the client.
optional int64 timestamp = 2;
// Tell server what kind of security signature is required.
// TODO(b/147782972): Move to toplevel in sync with Chrome OS client code.
enum SignatureType {
NONE = 0;
SHA1_RSA = 1;
SHA256_RSA = 2;
}
optional SignatureType signature_type = 3 [default = NONE];
// The version number of the public key that is currently stored
// on the client. This should be the last number the server had
// supplied as new_public_key_version in PolicyData.
// This field is unspecified if the client does not yet have a
// public key.
optional int32 public_key_version = 4;
// This field is used for devices to send the additional ID to fetch settings.
// Retrieving some settings requires more than just device or user ID.
// For example, to retrieve public account, devices need to pass in
// public account ID in addition to device ID. To retrieve extension or
// plug-in settings, devices need to pass in extension/plug-in ID in
// addition to user ID.
// policy_type represents the type of settings (e.g. public account,
// extension) devices request to fetch.
optional string settings_entity_id = 6;
// If this fetch is due to a policy invalidation, this field contains the
// version provided with the invalidation. The server interprets this value
// and the value of invalidation_payload to fetch the up-to-date policy.
optional int64 invalidation_version = 7;
// If this fetch is due to a policy invalidation, this field contains the
// payload delivered with the invalidation. The server interprets this value
// and the value of invalidation_version to fetch the up-to-date policy.
optional bytes invalidation_payload = 8;
// Hash string for the chrome policy verification public key which is embedded
// into Chrome binary. Matching private key will be used by the server
// to sign per-domain policy keys during key rotation. If server does not
// have the key which matches this hash string, that could indicate malicious
// or out-of-date Chrome client.
optional string verification_key_hash = 9;
// Encoded information from a policy invalidation notification. This is opaque
// to the client and should be forwarded from the invalidation notification.
optional string policy_invalidation_info = 10;
// Whether or not the client only supports the new PolicyData invalidation
// topics. If true, only the policy_invalidation_topic and
// command_invalidation_topic fields will be set in the PolicyData response.
optional bool invalidation_topics_only = 11;
// If this is an affiliated user, this is the device's DMToken.
optional string device_dm_token = 12;
// Device identifier for helping identify non-Chrome OS devices.
optional BrowserDeviceIdentifier browser_device_identifier = 13;
}
// This message customizes how the device behaves when it is disabled by its
// owner. The message will be sent as part of the DeviceState fetched during
// normal operation and as part of the DeviceStateRetrievalResponse fetched when
// the device is wiped/reinstalled.
message DisabledState {
// A message to the finder/thief that should be shown on the screen.
optional string message = 1;
}
message DeviceState {
// Modes of operation that the device can be in.
enum DeviceMode {
// The device is operating normally. Sessions can be started and the device
// can be used.
DEVICE_MODE_NORMAL = 0;
// The device has been disabled by its owner. The device will show a warning
// screen and will not allow any sessions to be started.
DEVICE_MODE_DISABLED = 1;
}
// The mode of operation that the device should be in.
optional DeviceMode device_mode = 1 [default = DEVICE_MODE_NORMAL];
// State that is relevant only when the |device_mode| is
// |DEVICE_MODE_DISABLED|.
optional DisabledState disabled_state = 2;
}
message CustomerLogo {
// The SCS url for the logo set by the admin for a particular OU.
// This is in the form https://admin.googleusercontent.com/<scs_url_key>.
optional string logo_url = 1;
}
// This message is included in serialized form in PolicyFetchResponse below. It
// may also be signed, with the signature being created for the serialized form.
message PolicyData {
reserved 10;
// See PolicyFetchRequest.policy_type.
optional string policy_type = 1;
// [timestamp] is milliseconds since Epoch in UTC timezone (Java time). It is
// included here so that the time at which the server issued this response
// cannot be faked (as protection against replay attacks). It is the timestamp
// generated by DMServer, NOT the time admin last updated the policy or
// anything like that.
optional int64 timestamp = 2;
// The DM token that was used by the client in the HTTP POST header for
// authenticating the request. It is included here again so that the client
// can verify that the response is meant for them (and not issued by a replay
// or man-in-the-middle attack).
// Note that the existence or non-existence of the DM token is not the correct
// way to determine whether the device is managed. Cf. |management_mode| below
// for details.
optional string request_token = 3;
// The serialized value of the actual policy protobuf. This can be
// deserialized to an instance of, for example, ChromeSettingsProto,
// ChromeDeviceSettingsProto, or ExternalPolicyData.
optional bytes policy_value = 4;
// The device display name assigned by the server. It is only
// filled if the display name is available.
//
// The display name of the machine as generated by the server or set
// by the Administrator in the Admin console GUI. This is the same thing as
// |machine_name| in DeviceRegisterResponse but it might have
// changed since then.
optional string machine_name = 5;
// Version number of the server's current public key. (The key that
// was used to sign this response. Numbering should start at 1 and be
// increased by 1 at each key rotation.)
optional int32 public_key_version = 6;
// The user this policy is intended for. In case of device policy, the name
// of the owner (who registered the device).
optional string username = 7;
// In this field the DMServer should echo back the "deviceid" HTTP parameter
// from the request. This is also used for user and device local accounts ids,
// see client_id in code.
optional string device_id = 8;
// Indicates which state this association with DMServer is in. This can be
// used to tell the client that it is not receiving policy even though the
// registration with the server is kept active.
enum AssociationState {
// Association is active and policy is pushed.
ACTIVE = 0;
// Association is alive, but the corresponding domain is not managed.
UNMANAGED = 1;
// The device has been deprovisioned by the administrator and is no longer
// managed.
DEPROVISIONED = 2;
}
optional AssociationState state = 9 [default = ACTIVE];
// Indicates which public account or extension/plug-in this policy data is
// for. See PolicyFetchRequest.settings_entity_id for more details.
optional string settings_entity_id = 11;
// Indicates the identity the device service account is associated with.
// This is only sent as part of device policy fetch.
optional string service_account_identity = 12;
// TODO(crbug/1073504): Clean up after legacy Tango shutdown.
// The object source which hosts policy objects within the invalidation
// service. This value is combined with invalidation_name to form the object
// id used to register for invalidations to this policy.
optional int32 invalidation_source = 13;
// TODO(crbug/1073504): Clean up after legacy Tango shutdown.
// The name which uniquely identifies this policy within the invalidation
// service object source. This value is combined with invalidation_source to
// form the object id used to register for invalidations to this policy.
optional bytes invalidation_name = 14;
// Server-provided identifier of the fetched policy. This is to be used
// by the client when requesting Policy Posture assertion through an API
// call or SAML flow. For details, see http://go/chrome-nac-server-design.
optional string policy_token = 15;
// Indicates the management mode of the device. Note that old policies do not
// have this field. If this field is not set but request_token is set, assume
// the management mode is ENTERPRISE_MANAGED. If both this field and
// request_token are not set, assume the management mode is LOCAL_OWNER.
enum ManagementMode {
// The device is owned locally. The policies are set by the local owner of
// the device.
LOCAL_OWNER = 0;
// The device is enterprise-managed (either via DM server or through Active
// Directory). See the comment above for backward compatibility.
ENTERPRISE_MANAGED = 1;
// Obsolete. Don't use.
OBSOLETE_CONSUMER_MANAGED = 2;
}
optional ManagementMode management_mode = 16;
// Indicates the state that the device should be in.
optional DeviceState device_state = 17;
// TODO(crbug/1073504): Clean up after legacy Tango shutdown.
// The object source which hosts command queue objects within the
// invalidation service. This value is combined with
// command_invalidation_name to form the object ID used to
// register for invalidations to the command queue.
optional int32 command_invalidation_source = 18;
// TODO(crbug/1073504): Clean up after legacy Tango shutdown.
// The name which uniquely identifies this device’s queue within
// the invalidation service object source. This value is combined
// with command_invalidation_source to form the object ID used to
// register for invalidations to the command queue.
optional bytes command_invalidation_name = 19;
// The free-text location info the admin enters to associate the device
// with a location.
optional string annotated_location = 20;
// The free-text asset identifier the admin enters to associate the device
// with a user-generated identifier.
optional string annotated_asset_id = 21;
// The unique directory api ID of the device which was generated on the
// server-side.
optional string directory_api_id = 22;
// List of device affiliation IDs. If there exists an overlap between user
// affiliation IDs and device affiliation IDs, we consider that the user is
// affiliated on the device. Otherwise the user is not affiliated on the
// device. Should be fetched with device policy. Ignored if fetched with
// other polices.
repeated string device_affiliation_ids = 23;
// List of user affiliation IDs. The list is used to define if current user
// is affiliated on the device. See device_affiliation_ids for details.
// Should be fetched with user policy. Ignored if fetched with other polices.
repeated string user_affiliation_ids = 24;
// Used as the display domain when the primary domain gets renamed. This field
// is present only for device policies.
optional string display_domain = 25;
// Invalidation topic for devices. Clients register for FCM messages using
// this topic in order to receive notifications for device policy changes.
optional string policy_invalidation_topic = 26;
// Invalidation topic for commands. Clients register for FCM messages using
// this topic in order to receive notifications that one or more commands are
// available for execution.
optional string command_invalidation_topic = 27;
// Whether the device needs to upload an enrollment identifier to the cloud.
// TODO(b/136188860) migrates to enrollment_certificate_needed under
// client_action_required.
optional bool enrollment_id_needed = 28;
// Gaia id of the user the policy is intended for.
// Should be fetched with user policy.
optional string gaia_id = 29;
// Indicate this device's market segment. The MarketSegment enum in
// cloud_policy_constants.h (http://shortn/_3iFWcdjy0P) must be kept in sync
// with this enum.
enum MarketSegment {
MARKET_SEGMENT_UNSPECIFIED = 0;
ENROLLED_EDUCATION = 1;
ENROLLED_ENTERPRISE = 2;
}
// This field should only be set for Device Policy response.
// See go/cros-rlz-segments
optional MarketSegment market_segment = 30;
// This field is currently only set for Device Policy response.
// This represents the logo set by the admin for the OU that the device
// belongs to. This is domain metadata included in a device policy response,
// but it is not an explicit device policy.
optional CustomerLogo customer_logo = 31;
// b/129771193
// This setting is from SingleSignOnSettingsProto#change_password_uri
// http://google3/ccc/hosted/policies/services/common/sso_settings.proto?l=48&rcl=241246111
// This field is currently only set for User Policy response.
optional string change_password_uri = 32;
// This field is used for asking client to perform some actions. For instance,
// server asks client to re-upload enrollment certificate. In long term, new
// added field which asks client to perform an action in policy data should be
// put in ClientActionRequired message.
optional ClientActionRequired client_action_required = 33;
// Obfuscated customerId the device is enrolled into.
// Only set for device policy.
optional string obfuscated_customer_id = 34;
// The different types of user segments for metrics logging. If any values are
// added to this enum, the corresponding enum in
// UserTypeByDeviceTypeMetricsProvider::UserSegment
// (http://shortn/_uK3ZM4pC0a) should be updated.
enum MetricsLogSegment {
UNSPECIFIED = 0;
K12 = 1;
UNIVERSITY = 2;
NONPROFIT = 3;
ENTERPRISE = 4;
}
// Indicates the segment the user's metrics should be logged under,
// UNSPECIFIED if not relevant.
// This field should only be set for User Policy response.
optional MetricsLogSegment metrics_log_segment = 35;
// This field will be populated with primary domain name for domain verified
// customer, and primary admin email for domainless customer. The client side
// will use this field to display who manages this device/browser/user.
optional string managed_by = 36;
// An identifier (e.g. "inboundSamlSsoProfiles/0abcdefg1234567") for the
// device's managing OU's SSO profile. Currently, this points to the OU's
// SAML settings. May support OIDC in the future.
optional string sso_profile = 37;
}
message ClientActionRequired {
// Whether device needs to upload an enterprise enrollment certificate to
// cloud.
optional bool enrollment_certificate_needed = 1;
}
message PolicyFetchResponse {
// Since a single policy request may ask for multiple policies, DM server
// provides separate error codes (making use of standard HTTP Status Codes)
// for each individual policy fetch.
optional int32 error_code = 1;
// Human readable error message for customer support purpose.
optional string error_message = 2;
// This is a serialized |PolicyData| protobuf (defined above).
optional bytes policy_data = 3;
// Signature of the policy data above.
optional bytes policy_data_signature = 4;
// If the public key has been rotated on the server, the new public
// key is sent here. It is already used for |policy_data_signature|
// above, whereas |new_public_key_signature| is created using the
// old key (so the client can trust the new key). If this is the
// first time when the client requests policies (so it doesn't have
// on old public key), then |new_public_key_signature| is empty.
optional bytes new_public_key = 5;
optional bytes new_public_key_signature = 6;
// DEPRECATED: Exists only to support older clients. This signature is similar
// to new_public_key_verification_data_signature, but is computed over
// DEPRECATEDPolicyPublicKeyAndDomain (which is equivalent to
// PublicKeyVerificationData proto with version field unset).
optional bytes new_public_key_verification_signature_deprecated = 7
[deprecated = true];
// This is a serialized |PublicKeyVerificationData| protobuf (defined
// below). See comments for |new_public_key_verification_data_signature| field
// for details on how this data is signed.
// Please note that |new_public_key| is also included inside this data
// field. Thus we have new public key signed with old version of private key
// (if client indicated to us that it has old key version), and
// new public key data signed by primary verification key (if client told
// us that it has public verification key - see |verification_key_id| field
// of |PolicyFetchRequest|). In most cases, both signatures will be provided.
// However, client might not have old policy signing key - for example, when
// new profile is being set up. In this case, only verification signature
// is supplied.
// Or, client might not have verification public key (legacy Chrome build
// before verification key was introduced, or outdated build which has
// old/compromised verification key). In that case, verification signature
// cannot be provided.
// If client is missing both public keys (old signing key and verification
// key), then we are unable to produce any valid signature and client must
// drop such PolicyFetchResponse.
optional bytes new_public_key_verification_data = 8;
// If new_public_key is specified, this field contains the signature of a
// PublicKeyVerificationData protobuf, signed using a key only available to
// DMServer. The public key portion of this well-known key is embedded into
// the Chrome binary. The hash of that embedded key is passed to DMServer as
// verification_key_hash field in PolicyFetchRequest. DMServer picks a private
// key on the server which matches the hash (matches public key on the
// client). If DMServer is unable to find matching key, it returns an error
// instead of policy data. In case a hash was not specified, DMServer leaves
// the verification signature field empty (legacy behavior).
// This signature is provided to better protect first key delivery (since the
// browser does not possess the previous signing key, DMServer cannot compute
// new_public_key_signature).
// See http://go/chrome-nac-server-design for more information.
optional bytes new_public_key_verification_data_signature = 9;
// DEPRECATED! Client-side should verify and rely on the policy_type inside
// the signed policy_data.
optional string policy_type = 10 [deprecated = true];
// The type of signature used to generate policy_data_signature.
optional PolicyFetchRequest.SignatureType policy_data_signature_type = 11;
}
// DEPRECATED: Protobuf used to generate the deprecated
// new_public_key_verification_signature field.
message DEPRECATEDPolicyPublicKeyAndDomain {
// The public key to sign (taken from the |new_public_key| field in
// PolicyFetchResponse).
optional bytes new_public_key = 1;
// The domain associated with this key (should match the domain portion of the
// username field of the policy).
optional string domain = 2;
}
// This message contains the information which is signed by the verification key
// during policy key rotation. It is included in serialized form in
// PolicyFetchResponse above. A signature of the serialized form is included in
// the new_public_key_verification_data_signature field.
message PublicKeyVerificationData {
// The new public policy key after a key rotation.
optional bytes new_public_key = 1;
// The domain of the device/user.
optional string domain = 2;
// The version number of the new_public_key. This must be monotonically
// increasing (within a domain).
optional int32 new_public_key_version = 3;
}
// Request from device to server for reading policies.
message DevicePolicyRequest {
// The policy fetch requests. If this field exists, the requests must come
// from a non-TT client. The repeated field allows clients to request
// multiple policies for better performance.
repeated PolicyFetchRequest requests = 3;
}
// Response from server to device for reading policies.
message DevicePolicyResponse {
// The policy fetch responses.
repeated PolicyFetchResponse responses = 3;
}
message TimePeriod {
// [timestamp] is milliseconds since Epoch in UTC timezone (Java time).
optional int64 start_timestamp = 1;
optional int64 end_timestamp = 2;
}
message ActiveTimePeriod {
optional TimePeriod time_period = 1;
// The active duration during the above time period.
// The unit is milli-second.
optional int32 active_duration = 2;
// Email address of the active user. Present only if the user type is managed
// and affiliated.
optional string user_email = 3;
enum SessionType {
SESSION_UNKNOWN = 0;
SESSION_AFFILIATED_USER = 1;
SESSION_MANAGED_GUEST = 2;
SESSION_KIOSK = 3;
SESSION_ARC_KIOSK = 4;
SESSION_WEB_KIOSK = 5;
}
optional SessionType session_type = 4;
}
// Details about a network interface.
message NetworkInterface {
// Indicates the type of network device.
enum NetworkDeviceType {
reserved 2;
TYPE_ETHERNET = 0;
TYPE_WIFI = 1;
TYPE_BLUETOOTH = 3;
TYPE_CELLULAR = 4;
}
// Network device type.
optional NetworkDeviceType type = 1;
// MAC address (if applicable) of the corresponding network device. This is
// formatted as an ASCII string with 12 hex digits. Example: A0B1C2D3E4F5.
optional string mac_address = 2;
// MEID (if applicable) of the corresponding network device. Formatted as
// ASCII string composed of 14 hex digits. Example: A10000009296F2.
optional string meid = 3;
// IMEI (if applicable) of the corresponding network device. 15-16 decimal
// digits encoded as ASCII string. Example: 355402040158759.
optional string imei = 4;
// The device path associated with this network interface.
optional string device_path = 5;
// The integrated circuit card ID associated with the device's sim card.
optional string iccid = 6;
// The mobile directory number associated with the device's sim card.
optional string mdn = 7;
// List of EID (EUICC Identifier) of all cellular EUICCs
// (Embedded Universal Integrated Circuit Cards) on the device.
// 32 decimal digits encoded as ASCII string. e.g.
repeated string eids = 8;
}
// Information about configured/visible networks - this is separate from
// NetworkInterface because a configured network may not be associated with
// any specific interface, or may be visible across multiple interfaces.
message NetworkState {
// The current state of this network.
// CARRIER (1), DISCONNECT (8) and ACTIVATION_FAILURE (10) are not used by the
// client.
enum ConnectionState {
IDLE = 0;
CARRIER = 1;
ASSOCIATION = 2;
CONFIGURATION = 3;
READY = 4;
PORTAL = 5;
OFFLINE = 6;
ONLINE = 7;
DISCONNECT = 8;
FAILURE = 9;
ACTIVATION_FAILURE = 10;
UNKNOWN = 11;
}
// For networks associated with a device, the path of the device.
optional string device_path = 1;
// Current state of this connection as reported by shill.
optional ConnectionState connection_state = 2;
// For wireless networks, the signal_strength in dBm.
optional int32 signal_strength = 3;
// The IP address this interface is bound to, if any.
optional string ip_address = 4;
// The gateway IP for this interface, if any.
optional string gateway = 5;
}
// Details about a device user.
message DeviceUser {
// Types of device users which can be reported.
enum UserType {
// A user managed by the same domain as the device.
USER_TYPE_MANAGED = 0;
// A user not managed by the same domain as the device.
USER_TYPE_UNMANAGED = 1;
}
// The type of the user.
required UserType type = 1;
// Email address of the user. Present only if the user type is managed.
optional string email = 2;
}
// Information about a single disk volume.
message VolumeInfo {
optional string volume_id = 1;
// The unit is bytes.
optional int64 storage_total = 2;
optional int64 storage_free = 3;
}
// Information about a single CPU utilization.
message CpuUtilizationInfo {
// CPU utilization (0-100).
optional int32 cpu_utilization_pct = 1;
// The timestamp representing time at which the information was collected.
// [timestamp] is milliseconds since Epoch in UTC timezone (Java time).
optional int64 timestamp = 2;
}
// Information about a single free RAM.
message SystemFreeRamInfo {
// Free RAM [in bytes] (unreliable due to GC).
optional int64 size_in_bytes = 1;
// The timestamp representing time at which the information was collected.
// [timestamp] is milliseconds since Epoch in UTC timezone (Java time).
optional int64 timestamp = 2;
}
// Information about a single CPU temperature channel.
message CPUTempInfo {
// Temperature channel label.
optional string cpu_label = 1;
// CPU temperature in Celsius.
optional int32 cpu_temp = 2;
// Unix timestamp.
optional int64 timestamp = 3;
}
// Contains the Stateful Partition Information for user data storage in the
// device.
message StatefulPartitionInfo {
// Available space for user data storage in the device in bytes.
optional uint64 available_space = 1;
// Total space for user data storage in the device in bytes.
optional uint64 total_space = 2;
// File system on stateful partition. e.g. ext4.
optional string filesystem = 3;
// Source of stateful partition. e.g. /dev/mmcblk0p1.
optional string mount_source = 4;
}
// Chrome release channel, shared for different reports.
enum Channel {
CHANNEL_UNKNOWN = 0;
CHANNEL_CANARY = 1;
CHANNEL_DEV = 2;
CHANNEL_BETA = 3;
CHANNEL_STABLE = 4;
}
// Frequently changing data for battery.
message BatterySample {
optional int64 timestamp = 1;
// Battery voltage
optional int64 voltage = 2;
// Battery remaining capacity (mA-hours)
optional int64 remaining_capacity = 3;
// Temperature in Celsius.
optional int32 temperature = 4;
// The battery discharge rate measured in mW. Positive if the battery is being
// discharged, negative if it's being charged.
optional int32 discharge_rate = 5;
// Battery charge percentage
optional int32 charge_rate = 6;
// Battery current (mA)
optional int64 current = 7;
// Battery status read from sysfs
optional string status = 8;
}
// Status of the single battery
message BatteryInfo {
optional string serial = 1;
optional string manufacturer = 2;
optional string battery_health = 3;
// Design capacity (mA-hours)
optional int64 design_capacity = 4;
// Full charge capacity (mA-hours)
optional int64 full_charge_capacity = 5;
optional int32 cycle_count = 6;
// Last sampling data.
repeated BatterySample samples = 7;
// Designed minimum output voltage (mV)
optional int32 design_min_voltage = 9;
// The date the battery was manufactured in yyyy-mm-dd format.
optional string manufacture_date = 10;
// Technology of the battery.
optional string technology = 11;
}
// Status of the power subsystem
message PowerStatus {
enum PowerSource {
POWER_UNKNOWN = 0;
POWER_AC = 1;
POWER_BATTERY = 2;
}
optional PowerSource power_source = 1;
repeated BatteryInfo batteries = 2;
}
// LifeTime estimation for eMMC devices
message DiskLifetimeEstimation {
// Lifetime estimations for SLC and MLC areas of eMMC.
// Values range from 00h to 0Bh -- indicating the percentage of device
// lifetime used.
optional int32 slc = 1;
optional int32 mlc = 2;
}
// Status of the single storage device
// Next id: 27
message DiskInfo {
optional string serial = 1;
optional string manufacturer = 2;
optional string model = 3;
// Size in bytes
optional int64 size = 4;
// eMMC / NVMe / ATA / SCSI.
optional string type = 5;
optional string health = 6;
// volume_id for volumes on this disk.
repeated string volumes = 7;
// Read/write statistics for this disk.
optional uint64 bytes_read_since_last_boot = 8;
optional uint64 bytes_written_since_last_boot = 9;
optional uint64 read_time_seconds_since_last_boot = 10;
optional uint64 write_time_seconds_since_last_boot = 11;
// Counts the time the disk and queue were busy, so unlike the fields above,
// parallel requests are not counted multiple times.
optional uint64 io_time_seconds_since_last_boot = 12;
// Time spent discarding since last boot. Discarding is writing to clear
// blocks which are no longer in use. Supported on kernels 4.18+.
optional uint64 discard_time_seconds_since_last_boot = 13;
// The manufacturer of the block device.
oneof vendor_id {
// NVME vendors:
// https://pcisig.com/membership/member-companies
uint32 nvme_subsystem_vendor = 14;
// EMMC oemids
// https://screenshot.googleplex.com/eZWNnV8qGnc
uint32 emmc_oemid = 15;
uint32 other_vendor = 16;
}
// The manufacturer-specific product identifier.
oneof product_id {
uint32 nvme_subsystem_device = 17;
uint32 emmc_pnm = 18;
uint32 other_product = 19;
}
// The revision of the device's hardware.
oneof hardware_revision {
uint32 nvme_hardware_rev = 20;
uint32 emmc_hardware_rev = 21;
uint32 other_hardware_rev = 22;
}
// The revision of the device's firmware.
oneof firmware_revision {
uint64 nvme_firmware_rev = 23;
uint64 emmc_firmware_rev = 24;
uint32 other_firmware_rev = 25;
}
// The purpose of the device on the system.
enum DevicePurpose {
PURPOSE_UNKNOWN = 0;
PURPOSE_BOOT = 1;
PURPOSE_SWAP = 2;
}
optional DevicePurpose purpose = 26;
}
// Status of the storage subsystem.
message StorageStatus {
repeated DiskInfo disks = 1;
optional DiskLifetimeEstimation lifetime_estimation = 2;
}
// Sampling for single temperature measurements
message ThermalSample {
optional int64 timestamp = 1;
optional int32 temperature = 2;
}
// Temperature measurement series for thermal point.
message ThermalInfo {
reserved 2;
optional string label = 1;
repeated ThermalSample samples = 3;
}
// Status for various on-board components
message BoardStatus {
repeated ThermalInfo thermal_infos = 1;
}
// Status about a system's various elements.
message SystemStatus {
// The product SKU (stock keeping unit) number.
optional string vpd_sku_number = 1;
// The date the device was first activated.
// Format: YYYY-WW.
optional string first_power_date = 2;
// The date the device was manufactured (finalized in factory).
// Format: YYYY-MM-DD.
optional string manufacture_date = 3;
// Contents of CrosConfig in /arc/build-properties/marketing-name. E.g. "HP
// Chromebook x360 14"
optional string marketing_name = 4;
// The BIOS version. E.g. "Google_Sarien.12200.58.0"
optional string bios_version = 5;
// The product name of the motherboard. E.g. "Sarien"
optional string board_name = 6;
// The version of the motherboard. E.g. "rev16"
optional string board_version = 7;
// The chassis type of the device. The values reported by chassis type are
// mapped in
// www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.0.0.pdf.
// E.g. "9"
optional uint64 chassis_type = 8;
// The product name (model) of the system. E.g. "Sarien"
optional string product_name = 9;
// The product serial number.
optional string vpd_serial_number = 10;
}
// Status of a single C-state. C-states are various modes the CPU can transition
// to in order to use more or less power.
message CpuCStateInfo {
// Name of the state.
optional string name = 1;
// Time spent in the state since the last reboot, in microseconds.
optional uint64 time_in_state_since_last_boot_us = 2;
}
// Status of a single logical CPU.
message LogicalCpuInfo {
// Maximum frequency the CPU is allowed to run at, by policy.
optional uint32 scaling_max_frequency_khz = 1;
// Current frequency the CPU is running at.
optional uint32 scaling_current_frequency_khz = 2;
// Idle time since last boot.
optional uint64 idle_time_seconds = 3;
// Information about the logical CPU's time in various C-states.
repeated CpuCStateInfo c_states = 4;
}
// Status of a single physical CPU on the device.
message CpuInfo {
// The CPU model name.
optional string model_name = 1;
// The CPU architecture.
enum Architecture {
ARCHITECTURE_UNSPECIFIED = 0;
X86_64 = 1;
AARCH64 = 2;
ARMV7L = 3;
}
optional Architecture architecture = 2;
// The max CPU clock speed in kHz.
optional uint32 max_clock_speed_khz = 3;
repeated LogicalCpuInfo logical_cpus = 4;
}
// Overall CPU information for the device.
message GlobalCpuInfo {
// Total number of threads on the device.
optional uint32 num_total_threads = 1;
}
// Status for a single display. A display screen with resolution 1920x1080
// would have resolution_width: 1920 and resolution_height: 1080.
message DisplayInfo {
// Resolution width
optional uint32 resolution_width = 1;
// Resolution height
optional uint32 resolution_height = 2;
// Refresh rate (Hz)
optional uint32 refresh_rate = 3;
// Set to true if display is internal, otherwise set to false.
optional bool is_internal = 4;
}
// Status of a single graphics adapter (GPU).
message GraphicsAdapterInfo {
// Adapter name. Example: Mesa DRI Intel(R) UHD Graphics 620 (Kabylake GT2)
optional string name = 1;
// Driver version
optional string driver_version = 2;
// Represents the graphics card device id
optional uint64 device_id = 3;
// GPU consumption of system RAM (bytes)
optional uint64 system_ram_usage = 4;
}
// Status of the graphics subsystem.
message GraphicsStatus {
optional GraphicsAdapterInfo adapter = 1;
repeated DisplayInfo displays = 2;
}
// Status of a crash report.
message CrashReportInfo {
// The status options should align with crash_reporter::ReportUploadState.
enum CrashReportUploadStatus {
UPLOAD_STATUS_UNKNOWN = 0;
UPLOAD_STATUS_NOT_UPLOADED = 1;
UPLOAD_STATUS_PENDING = 2;
UPLOAD_STATUS_PENDING_USER_REQUESTED = 3;
UPLOAD_STATUS_UPLOADED = 4;
}
// ID as provided by chrome://crashes.
optional string remote_id = 1;
// The timestamp when the crash is captured.
// [timestamp] is milliseconds since Epoch in UTC timezone (Java time).
optional int64 capture_timestamp = 2;
// Human readable string that identifies what caused the crash.
optional string cause = 3;
// The upload status of crash report.
optional CrashReportUploadStatus upload_status = 4;
}
// Timezone information for the device. This reflects what set timezone of the
// device, not necessarily the actual location of the device.
message TimezoneInfo {
// The timezone of the device in POSIX standard. (MST7MDT,M3.2.0,M11.1.0)
optional string posix = 1;
// The timezone region of the device in the Olsen format (America/Denver).
optional string region = 2;
}
// Memory information for the device.
message MemoryInfo {
// Total memory, in KiB.
optional uint32 total_memory_kib = 1;
// Free memory, in KiB.
optional uint32 free_memory_kib = 2;
// Available memory, in KiB.
optional uint32 available_memory_kib = 3;
// Number of page faults since the last boot.
optional uint64 page_faults_since_last_boot = 4;
}
// Information about the device's backlights.
message BacklightInfo {
// Path to this backlight on the system. Useful if the caller needs to
// correlate with other information.
optional string path = 1;
// Maximum brightness for the backlight.
optional uint32 max_brightness = 2;
// Current brightness of the backlight, between 0 and max_brightness.
optional uint32 brightness = 3;
}
// Information about the device's fan.
message FanInfo {
// Fan speed in RPM.
optional uint32 speed_rpm = 1;
}
// Information about a device's Bluetooth adapter, which is used to detect and
// connect to Bluetooth devices.
message BluetoothAdapterInfo {
// The name of the adapter.
optional string name = 1;
// The MAC address of the adapter.
optional string address = 2;
// Indicates whether the adapter is on or off.
optional bool powered = 3;
// The number of devices connected to this adapter.
optional uint32 num_connected_devices = 4;
}
// Information from the device's SMBIOS. This is used to determine
// info such as the device's vendor and product name/version.
message SmbiosInfo {
optional string sys_vendor = 1;
optional string product_name = 2;
optional string product_version = 3;
optional string bios_version = 4;
}
// Information about the parameters passed to the kernel.
message KernelParameters {
// True if cros_efi was passed to the kernel.
// Used to know if the device was booted via EFI.
optional bool cros_efi = 1;
}
// Information about the device's EFI Variables from efivarfs.
message EFIVars {
// True if Secure Boot is enabled on the device.
optional bool secure_boot = 1;
}
// Information about how the OS was booted. This is information
// such as boot method and other bios settings
message BootInfo {
enum BootMethod {
UNKNOWN = 0;
CROS_SECURE = 1;
// This field maps to kCrosEfi from cros_healthd.
CROS_UEFI = 2;
CROS_LEGACY = 3;
CROS_EFI_SECURE = 4;
}
optional BootMethod boot_method = 1;
// DEPRECATED: secure_boot is deprecated in favor of the
// CROS_EFI_SECURE BootMethod value.
optional bool secure_boot = 2 [deprecated = true];
}
// Report device level status.
message DeviceStatusReportRequest {
reserved 4, 7, 13, 20;
// The OS version reported by the device is a platform version
// e.g. 1435.0.2011_12_16_1635.
optional string os_version = 1;
optional string firmware_version = 2;
// "Verified", "Dev". Same as verified mode.
// If the mode is unknown, this field should not be set.
optional string boot_mode = 3;
// The browser version string as shown in the About dialog.
// e.g. 17.0.963.18.
optional string browser_version = 5;
// A list of periods when the device was active, aggregated by day by user.
repeated ActiveTimePeriod active_periods = 6;
// List of network interfaces.
repeated NetworkInterface network_interfaces = 8;
// List of recent device users, in descending order by last login time.
repeated DeviceUser users = 9;
// Disk space + other info about mounted/connected volumes.
repeated VolumeInfo volume_infos = 10;
// List of visible/configured networks
repeated NetworkState network_states = 11;
// Samples of CPU utilization (0-100), sampled once every 120 seconds.
// To deprecate: Use CpuUtilizationInfo instead.
repeated int32 cpu_utilization_pct_samples = 12;
// Total RAM on the device.
// To deprecate: Use SystemFreeRamInfo instead.
optional int64 system_ram_total = 14;
// Samples of free RAM [in bytes] (unreliable due to GC).
repeated int64 system_ram_free_samples = 15;
// Samples of CPU temperatures in Celsius, plus associated labels
// identifying which CPU produced the temperature measurement.
repeated CPUTempInfo cpu_temp_infos = 16;
// This field is set only when an OS update is needed because of the required
// platform version of an updated kiosk app is different from the current
// OS version.
optional OsUpdateStatus os_update_status = 17;
// Set only when there is an auto launched with zero delay Chrome or ARC kiosk
// app and it is currently running. Otherwise, this field is empty.
optional AppStatus running_kiosk_app = 18;
// Sound output volume level in range [0,100].
optional int32 sound_volume = 19;
// TPM version information.
optional TpmVersionInfo tpm_version_info = 21;
// Release channel (stable, beta, etc.).
optional Channel channel = 22;
// TPM status information.
optional TpmStatusInfo tpm_status_info = 23;
// Whether hardware write protect switch is on.
optional bool write_protect_switch = 24;
// Status of the power subsystem.
optional PowerStatus power_status = 25;
// Status of the storage subsystem.
optional StorageStatus storage_status = 26;
// Status of various main board components.
optional BoardStatus board_status = 27;
// Information about a system's various non-hardware elements. This includes
// information from cached VPD, CrosConfig, and DMI.
optional SystemStatus system_status = 28;
// Stateful Partition Information for user data.
optional StatefulPartitionInfo stateful_partition_info = 29;
// Samples of CPU utilization (0-100), sampled once every 120 seconds.
repeated CpuUtilizationInfo cpu_utilization_infos = 30;
// Samples of free RAM [in bytes] (unreliable due to GC).
repeated SystemFreeRamInfo system_ram_free_infos = 31;
// Information about a devices physical CPU(s).
repeated CpuInfo cpu_info = 32;
// Status of the graphics adapter(s) and display(s).
optional GraphicsStatus graphics_status = 33;
// Information about the crash report(s) generated from the local device.
repeated CrashReportInfo crash_report_infos = 34;
// Information of the device's current timezone.
optional TimezoneInfo timezone_info = 35;
// Information about the device's memory.
optional MemoryInfo memory_info = 36;
// Information about the device's backlights.
repeated BacklightInfo backlight_info = 37;
// Information about the device's fans.
repeated FanInfo fan_info = 38;
// Overall information about the device's CPUs.
optional GlobalCpuInfo global_cpu_info = 39;
// Information about the device's Bluetooth adapters.
repeated BluetoothAdapterInfo bluetooth_adapter_info = 40;
// Information from the device's SMBIOS.
optional SmbiosInfo smbios_info = 41;
// Information about the parameters passed to the kernel.
optional KernelParameters kernel_parameters = 42;
// Information about the device's EFI Variables from efivarfs.
optional EFIVars efi_vars = 43;
// KernelParameters(42) and EFIVars(43) are deprecated
// and rolled into BootInfo(44)
// Information about how the os was booted.
optional BootInfo boot_info = 44;
}
message OsUpdateStatus {
enum UpdateStatus {
OS_UP_TO_DATE = 0;
OS_IMAGE_DOWNLOAD_NOT_STARTED = 1;
OS_IMAGE_DOWNLOAD_IN_PROGRESS = 2;
OS_UPDATE_NEED_REBOOT = 3;
}
optional UpdateStatus update_status = 1;
// New platform version of the os image being downloaded and applied. It
// is only set when update status is OS_IMAGE_DOWNLOAD_IN_PROGRESS or
// OS_UPDATE_NEED_REBOOT. Note this could be a dummy "0.0.0.0" for
// OS_UPDATE_NEED_REBOOT status for some edge cases, e.g. update engine is
// restarted without a reboot.
optional string new_platform_version = 2;
// New required platform version from the pending updated kiosk app.
optional string new_required_platform_version = 3;
// The timestamp of the last update check.
// [timestamp] is milliseconds since Epoch in UTC timezone (Java time).
optional int64 last_checked_timestamp = 4;
// The timestamp of the last reboot.
// [timestamp] is milliseconds since Epoch in UTC timezone (Java time).
optional int64 last_reboot_timestamp = 5;
}
// Provides status information for an installed app/extension.
message AppStatus {
// ID of the installed app/extension for a Chrome app.
// Package name for ARC kiosk app.
optional string app_id = 1;
// Currently installed version of the app for a Chrome app.
// Empty for ARC kiosk app.
optional string extension_version = 2;
// Self-reported status summary (via chrome.reporting APIs)
optional string status = 3;
// If true, the application is currently in a self-reported error state.
optional bool error = 4;
// App required Chrome version, specified in app’s manifest file.
// Empty for ARC kiosk app.
optional string required_platform_version = 5;
}
// Provides all application types information.
message AppInfo {
enum AppType {
TYPE_UNKNOWN = 0;
TYPE_ARC = 1; // Android app.
TYPE_BUILTIN = 2; // Built-in app.
TYPE_CROSTINI = 3; // Linux (via Crostini) app.
TYPE_EXTENSION = 4; // Extension-backed app.
TYPE_WEB = 5; // Web app.
TYPE_PLUGINVM = 6; // Plugin VM app.
TYPE_BOREALIS = 7; // Borealis app.
}
enum Status {
STATUS_UNKNOWN = 0;
STATUS_INSTALLED = 1; // Installed and launachable.
STATUS_DISABLED = 2; // Disabled or terminated.
STATUS_UNINSTALLED = 3; // Uninstalled by user.
}
// ID of the application as defined by the OS, except for web apps, where it
// is the start url.
optional string app_id = 1;
// Type of application (Chrome native, extension, Crostini, web app).
optional AppType app_type = 2;
// Name of the application as defined by the OS.
optional string app_name = 3;
// Identify if the app is installed, disabled, or uninstalled.
optional Status status = 4;
// The time the app was installed, if available.
optional int64 install_time = 5;
// Version of the application, if applicable.
optional string version = 7;
// A list of time periods when the app was active. These times are aggregated
// per day, are pruned on the device after reporting successfully, and are
// stored only for 30 days in the past.
repeated TimePeriod active_time_periods = 8;
}
// LINT.IfChange
// Provides Android application permission.
message AndroidAppPermission {
// Name of application permission.
optional string name = 1;
// Identify whether the application permission is granted.
optional bool granted = 2;
// Identify whether the application permission is managed.
optional bool managed = 3;
}
// Provides Android application information.
message AndroidAppInfo {
enum AndroidAppStatus {
STATUS_UNKNOWN = 0;
STATUS_ENABLED = 1;
STATUS_SUSPENDED = 2;
STATUS_DISABLED = 3;
}
enum InstalledSource {
SOURCE_UNKNOWN = 0;
SOURCE_BY_ADMIN = 1;
SOURCE_BY_USER = 2;
SOURCE_NOT_INSTALLED = 3;
}
// ID of the Android application.
optional string app_id = 1;
// Name of the Android application.
optional string app_name = 2;
// Name of the Android application package.
optional string package_name = 3;
// Status of the Android application. It is set as STATUS_SUSPENDED if the
// application is suspended by specific policies.
optional AndroidAppStatus status = 4;
// Identify how the Android application is installed.
optional InstalledSource installed_source = 5;
// Package version of the Android application.
optional int32 version = 6;
// Permissions of the Android application.
repeated AndroidAppPermission permissions = 7;
}
// LINT.ThenChange(//depot/google3/java/com/google/chrome/cros/spanner/devicemanagement/schema/chrome_os.proto)
// Chrome user profile level status.
// Deprecated : Use ChromeUserProfileInfo instead.
message ChromeUserProfileReport {
// A string to uniquely identify this profile within the browser.
optional string id = 1;
// A JSON encoded string containing both the “email” and “id” (obfuscated
// GaiaID) of the user signed in to the Chrome browser, if any.
optional string chrome_signed_in_user = 2;
// The list of extensions installed in the browser. This string contains
// the json encoded data as returned by the chrome.management.getAll() API.
optional string extension_data = 3;
// The list of plugins installed in the browser, one plugin name per repeated
// string. This string contains the JSON encoded data as returned by
// the navigator.plugins .
optional string plugins = 4;
// The list of browser policies set for this user profile and their sources.
// This string contains the json encoded data as generated by the
// chrome://policy page “Export to JSON” button.
optional string policy_data = 5;
// The last time the user level policies where fetched.
// [policy_fetched_timestamp] is milliseconds since Epoch in UTC timezone
// (Java time). For V1, we may need to rely on the DM server for this info.
optional int64 policy_fetched_timestamp = 6;
// The number of safe browsing warning pages the user has seen since the last
// report was successfully uploaded.
optional uint64 safe_browsing_warnings = 7;
// The number of safe browsing warning pages the user has clicked through
// since the last report was successfully uploaded.
optional uint64 safe_browsing_warnings_click_through = 8;
// The name of the loaded profile, which was entered by the user when creating
// the profile. Empty when in incognito mode.
optional string name = 9;
// A list of extensions requested for installation.
repeated ExtensionRequest extension_requests = 10;
}
// Sign in information of Profile.
message ChromeSignedInUser {
// The email of the signed in user.
optional string email = 1;
// The obfuscated GaiaID of the signed in user.
optional string obfuscated_gaia_id = 2;
}
// Extension request information.
message ExtensionRequest {
// ID of the installed app/extension for a Chrome app or extension.
optional string id = 1;
// When the user commits to requesting the extension.
// [request_timestamp] is milliseconds since Epoch in UTC timezone
// (Java time).
optional int64 request_timestamp = 2;
// User justification describing why the extension is being requested.
optional string justification = 3;
}
// Extension information.
message Extension {
reserved 7, 12;
// ID of the installed app/extension for a Chrome app or extension.
optional string id = 1;
// Currently installed version of the extension.
optional string version = 2;
// The name of the extension.
optional string name = 3;
// The description of the extension that is provided by extension author.
optional string description = 4;
// The type of extension.
enum ExtensionType {
TYPE_UNKNOWN = 0;
TYPE_EXTENSION = 1;
TYPE_HOSTED_APP = 2;
TYPE_PACKAGED_APP = 3;
TYPE_LEGACY_PACKAGED_APP = 4;
TYPE_THEME = 5;
TYPE_USER_SCRIPT = 6;
TYPE_PLATFORM_APP = 7;
TYPE_LOGIN_SCREEN_EXTENSION = 8;
TYPE_CHROMEOS_SYSTEM_EXTENSION = 9;
}
optional ExtensionType app_type = 5;
// URL of the homepage.
optional string homepage_url = 6;
// The installation source of the extension.
enum InstallType {
// An extension that is installed by user or installed by default but not
// component extension.
TYPE_NORMAL = 0;
// An extension that is loaded as unpacked extension from chrome extension
// page or --load-extension command line switch.
TYPE_DEVELOPMENT = 1;
// An extension that is loaded from the settings in Window Registry or
// a preferences JSON file on Mac and Linux.
TYPE_SIDELOAD = 2;
// An extension that is loaded from policy settings.
TYPE_ADMIN = 3;
// Chrome component extension and unknown sources.
TYPE_OTHER = 4;
}
optional InstallType install_type = 8;
// True if the extension is currently enabled.
optional bool enabled = 9;
// The list of api based permissions the extension requires.
repeated string permissions = 10;
// The list of host based permissions the extension requires.
repeated string host_permissions = 11;
// True if the extension comes from web store.
optional bool from_webstore = 13;
// Manifest version of the extension.
optional int32 manifest_version = 14;
}
// Plugin information.
message Plugin {
// The human friendly name of plugin.
optional string name = 1;
// Currently installed version of the plugin.
optional string version = 2;
// The file name from the path of the plugin.
optional string filename = 3;
// More details of the plugin.
optional string description = 4;
}
// Policy information.
message Policy {
// The name of the policy.
optional string name = 1;
// The level of a policy determines its enforceability and whether users can
// override it or not.
enum PolicyLevel {
LEVEL_UNKNOWN = 0;
// Recommended policies are a default value configured by admins and users
// can choose to override it.
LEVEL_RECOMMENDED = 1;
// Mandatory policies must be enforced and users can't circumvent them.
LEVEL_MANDATORY = 2;
}
optional PolicyLevel level = 2;
// The scope of a policy flags whether it's applied to the current user or to
// the machine.
enum PolicyScope {
SCOPE_UNKNOWN = 0;
// User policies apply to current Session/Profile if it's cloud policy.
// Or apply to current OS user on Windows.
SCOPE_USER = 1;
// Machine policies apply to any users of the current machine.
SCOPE_MACHINE = 2;
}
optional PolicyScope scope = 3;
// The source of a policy indicates where its value is originating from.
enum PolicySource {
SOURCE_UNKNOWN = 0;
// A policy is set by Chrome when it's running in an
// enterprise environment.
SOURCE_ENTERPRISE_DEFAULT = 1;
// A policy is set by Google's cloud management tool.
SOURCE_CLOUD = 2;
// A policy is set by active directory on ChromeOS.
SOURCE_ACTIVE_DIRECTORY = 3;
// A policy is overridden by ChromeOS if it's running in a public session or
// kiosk mode.
SOURCE_DEVICE_LOCAL_ACCOUNT_OVERRIDE_DEPRECATED = 4;
// A policy is set by OS built-in tool on desktop.
SOURCE_PLATFORM = 5;
// A policy is set by Google's cloud management tool but has higher
// priority.
SOURCE_PRIORITY_CLOUD_DEPRECATED = 6;
// A policy is set by multiple sources and value has been merged.
SOURCE_MERGED = 7;
// A policy is set by command line switch for testing purpose.
SOURCE_COMMAND_LINE = 8;
// A policy is set by Google's cloud management tool in Ash and piped to
// Lacros.
SOURCE_CLOUD_FROM_ASH = 9;
// A policy that is set by the restricted managed guest session override.
SOURCE_RESTRICTED_MANAGED_GUEST_SESSION_OVERRIDE = 10;
}
optional PolicySource source = 4;
// The value of policy.
optional string value = 5;
// The error message of policy.
optional string error = 6;
}
// Extension policy information.
message ExtensionPolicy {
// The id of extension that policies apply to.
optional string extension_id = 1;
// The list of policies that extension currently uses.
repeated Policy policies = 2;
}
// Cloud policy last fetch time.
message PolicyFetchTimestamp {
// The type of cloud policy.
optional string type = 1;
// The last time the policies where fetched for the policy type.
// [timestamp] is milliseconds since Epoch in UTC timezone (Java time).
optional int64 timestamp = 2;
}
// Chrome user profile level status, used by activated Profiles. Profile name is
// not listed here as they are in the ChromeUserProfileBasicInfo.
message ChromeUserProfileInfo {
reserved 6;
// A string to uniquely identify this profile within the browser.
optional string id = 1;
// The name of the profile, which was entered by the user when creating
// the profile. Empty when in incognito mode
optional string name = 2;
// Indicates if the profile contains all details. Only active profiles can
// upload all needed details, idle profiles only upload |id| and |name|.
optional bool is_detail_available = 3;
// Gaia account information if the Profile is signed in.
optional ChromeSignedInUser chrome_signed_in_user = 4;
// A list of extensions installed in the browser.
repeated Extension extensions = 5;
// A list of extensions requested for installation.
repeated ExtensionRequest extension_requests = 10;
// A list of Chrome browser policies set for this user profile.
repeated Policy chrome_policies = 7;
// A list of extensions' policies set for this user profile. The policies is
// only added if the extension is installed.
repeated ExtensionPolicy extension_policies = 8;
// The last time the cloud policies where fetched for each policy type.
// Only one policy type which is google/chrome/machine-level-user uploads
// timestamp currently. More details in b/132973694
repeated PolicyFetchTimestamp policy_fetched_timestamps = 9;
}
// Report browser level status.
message BrowserReport {
// The Chrome browser version, as seen from within Chrome code as opposed to
// user agent.
optional string browser_version = 1;
// Release channel (stable, beta, etc.).
optional Channel channel = 2;
// Required. The path to the browser executable so that we can uniquely
// identify it.
optional string executable_path = 3;
// Profile specific reports, one per profile.
// Deprecated by ChromeUserProfileInfo and only used by old Chrome browser.
repeated ChromeUserProfileReport chrome_user_profile_reports = 4;
// A list of all Profiles that are created in the current browser instance.
// Only activated Profiles are able to upload full details while the idle ones
// contain id and name only. Please note that some activated Profiles may not
// upload full details due to the limitation of the report size.
// These details will be uploaded in the following reports.
repeated ChromeUserProfileInfo chrome_user_profile_infos = 6;
// A list of plugins installed in the browser.
repeated Plugin plugins = 7;
// The installed version of the browser if it differs from |browser_version|,
// or absent otherwise. When present, it indicates that an update (of a higher
// or lower version) has been installed and will be the active version
// following a browser restart.
optional string installed_browser_version = 8;
// True for an extended stable channel installation.
optional bool is_extended_stable_channel = 9 [default = false];
}
// Report Operating system related information.
message OSReport {
// A string contains OS name.
optional string name = 1;
// A string contains OS architecture.
optional string arch = 2;
// A string contains OS version.
optional string version = 3;
}
// An enum shows which information a partial CBCM report contains.
enum PartialReportType {
UNSPECIFIED = 0;
EXTENSION_REQUEST = 1;
}
// Android-specific IDs to be reported in addition to the Client ID. Explicit
// approval from Chrome Privacy is required for new IDs.
message AndroidIdentifier {
// Gservices Android ID, only uploaded for Android version S and older.
optional string gservices_android_id = 1;
}
// Report the status of a Chrome installation on non-Chrome OS platform.
message ChromeDesktopReportRequest {
// The name of the machine within its local network. The string is a JSON
// encoded structure with a single computername field.
// This field is replaced by computer_name and only used by old Chrome
// browser using the JSON legacy browser.
// TODO(b/189584065): Remove when usage goes to zero.
optional string machine_name = 1 [deprecated = true];
// OS info. The string is a an encoded JSON object as returned by
// chrome.runtime.getPlatformInfo.
// This field is replaced by OSReport and only used by old Chrome browser.
optional string os_info = 2;
// The user name from the OS point of view. The string is a JSON encoded
// structure with a single username field containing "DOMAIN\username".
// This field is replaced by os_user_name and only used by old Chrome browser.
optional string os_user = 3;
// Browser related info.
optional BrowserReport browser_report = 4;
// The device serial number (this might differ with the client ID, depending
// on the platform). Deprecated: Please use
// ChromeDesktopReportProtoProcessor.getBrowserDeviceIdentifier().getSerialNumber
// to extract the Serial Number from the Report Request.
optional string serial_number = 5 [deprecated = true];
// A string represents the name of computer. Deprecated: Please use
// ChromeDesktopReportProtoProcessor.getBrowserDeviceIdentifier().getSerialNumber
// to extract the Computer Name from the Report Request.
optional string computer_name = 6 [deprecated = true];
// Operating system related information.
optional OSReport os_report = 7;
// A string contains OS user name.
optional string os_user_name = 8;
// Device identifier for helping identify non-Chrome OS devices.
// TODO(crbug.com/1105938): This will also replace the computer_name and
// serial_number fields.
optional BrowserDeviceIdentifier browser_device_identifier = 9;
// A list of flags indicating that the report only contains particular
// information. When the list is empty or unset, the report should contain all
// information.
repeated PartialReportType partial_report_types = 10;
// Public key that can be used for attesting the machine.
optional string machine_attestation_key = 11;
// A string that represents the device model.
optional string device_model = 12;
// A string that represents the brand/manufacturer of a device.
optional string brand_name = 13;
}
// Report user level status on Chrome OS platform. Chrome OS equivalent of
// ChromeDesktopReportRequest.
message ChromeOsUserReportRequest {
// Browser related info.
optional BrowserReport browser_report = 1;
// Android applications installed in primary profile.
repeated AndroidAppInfo android_app_infos = 2;
// A list of flags indicates that the report only contains particular
// information. When list is empty or unset, the report should contains all
// information.
repeated PartialReportType partial_report_types = 3;
}
// Report user level status on all platforms. It includes the information of the
// profile that user has signed in plus some basic browser and OS information.
message ChromeProfileReportRequest {
// Browser related info
optional BrowserReport browser_report = 1;
// Basic OS information
optional OSReport os_report = 2;
}
// A validation issue from validating a policy value that was contained in
// the payload of the policy fetch response.
message PolicyValueValidationIssue {
// Policy name of the faulty value.
optional string policy_name = 1;
//# LINT.IfChange
enum ValueValidationIssueSeverity {
// Default value for when a severity is not specified.
VALUE_VALIDATION_ISSUE_SEVERITY_UNSPECIFIED = 0;
// This result is a warning. The policy blob has not been rejected.
VALUE_VALIDATION_ISSUE_SEVERITY_WARNING = 1;
// This result is an error. The policy blob was rejected completely and not
// updated on the device.
VALUE_VALIDATION_ISSUE_SEVERITY_ERROR = 2;
} // LINT.ThenChange(
// //depot/google3/chrome/cros/reporting/api/proto/policy_validation_report.proto)
// Severity of this policy value validation result.
optional ValueValidationIssueSeverity severity = 2;
// Message containing detailed information about the value validation warning
// or error (e.g. type and specific location). This message is intended as
// debug information for developers (not localized).
optional string debug_message = 3;
}
// This message is used to upload the result of cloud policy validation after a
// PolicyFetchRequest.
message PolicyValidationReportRequest {
// |policy_type| sent in PolicyFetchRequest on the request which
// returned policy with validation errors.
optional string policy_type = 1;
// |policy_token| from the PolicyFetchResponse. This is used to identify the
// specific policy fetch event that triggered this validation report.
optional string policy_token = 2;
// Specifies the result type of the validation.
// Each enum value can correspond to one of three client behaviors (noted as
// 'Client behavior' in the comment for each enum value):
// - Unknown:
// It is not known if the fetched policy blob was accepted or rejected.
// - Policy blob accepted:
// The client has accepted and applied the fetched policy blob.
// - Policy blob rejected:
// The client has completely rejected the fetched policy blob.
// LINT.IfChange
enum ValidationResultType {
// An enum value was received which is not known in this version of the
// proto.
// Client behavior: Unknown.
VALIDATION_RESULT_TYPE_ERROR_UNSPECIFIED = 0;
// Policy validated successfully.
// Client behavior: Policy blob accepted.
// Note: This result is here for completeness, the client will not send
// reports with this enum value.
VALIDATION_RESULT_TYPE_SUCCESS = 1;
// Bad signature on the initial key.
// Client behavior: Policy blob rejected.
VALIDATION_RESULT_TYPE_BAD_INITIAL_SIGNATURE = 2;
// Bad signature.
// Client behavior: Policy blob rejected.
VALIDATION_RESULT_TYPE_BAD_SIGNATURE = 3;
// Policy blob contains error code.
// Client behavior: Policy blob rejected.
VALIDATION_RESULT_TYPE_ERROR_CODE_PRESENT = 4;
// Policy payload failed to decode.
// Client behavior: Policy blob rejected.
VALIDATION_RESULT_TYPE_PAYLOAD_PARSE_ERROR = 5;
// Unexpected policy type.
// Client behavior: Policy blob rejected.
VALIDATION_RESULT_TYPE_WRONG_POLICY_TYPE = 6;
// Unexpected settings entity id.
// Client behavior: Policy blob rejected.
VALIDATION_RESULT_TYPE_WRONG_SETTINGS_ENTITY_ID = 7;
// Timestamp is missing or is older than the timestamp of the previous
// policy.
// Client behavior: Policy blob rejected.
VALIDATION_RESULT_TYPE_BAD_TIMESTAMP = 8;
// DM token is empty or doesn't match.
// Client behavior: Policy blob rejected.
VALIDATION_RESULT_TYPE_BAD_DM_TOKEN = 9;
// Device id is empty or doesn't match.
// Client behavior: Policy blob rejected.
VALIDATION_RESULT_TYPE_BAD_DEVICE_ID = 10;
// Username doesn't match.
// Client behavior: Policy blob rejected.
VALIDATION_RESULT_TYPE_BAD_USER = 11;
// Policy payload protobuf parse error.
// Client behavior: Policy blob rejected.
VALIDATION_RESULT_TYPE_POLICY_PARSE_ERROR = 12;
// Policy key signature could not be verified using the hard-coded
// verification key.
// Client behavior: Policy blob rejected.
VALIDATION_RESULT_TYPE_BAD_KEY_VERIFICATION_SIGNATURE = 13;
// There were validation warnings during validation of policy values in the
// payload. See |policy_value_validation_results|.
// Client behavior: Policy blob accepted.
VALIDATION_RESULT_TYPE_VALUE_WARNING = 14;
// There were validation errors during validation of policy values in the
// payload. There may also have been warnings. See
// |policy_value_validation_results| - that list will contain at least one
// payload validation errors, and zero or more payload validation warnings.
// Client behavior: Policy blob rejected.
VALIDATION_RESULT_TYPE_VALUE_ERROR = 15;
} // LINT.ThenChange(
// //depot/google3/chrome/cros/reporting/api/proto/policy_validation_report.proto)
// The validation result.
optional ValidationResultType validation_result_type = 3;
// Value validation issues in the policy payload. Will be filled if
// |validation_result_type| is VALIDATION_RESULT_TYPE_VALUE_WARNING
// or VALIDATION_RESULT_TYPE_VALUE_ERROR.
repeated PolicyValueValidationIssue policy_value_validation_issues = 4;
}
// Response from DMServer to a policy validation report.
message PolicyValidationReportResponse {}
message AndroidStatus {
// JSON string of ARC status report.
optional string status_payload = 1;
// DroidGuard response obtained from DroidGuard server.
optional string droid_guard_info = 2;
}
enum CrostiniAppType {
// The default terminal App.
CROSTINI_APP_TYPE_TERMINAL = 0;
// A registered interactive Crostini App which is
// not the default terminal app.
CROSTINI_APP_TYPE_INTERACTIVE = 1;
// Detected non-registered container applications.
CROSTINI_APP_TYPE_OTHER = 2;
}
message CrostiniApp {
// The default display name of the App.
optional string app_name = 1;
// The type of the App.
optional CrostiniAppType app_type = 2;
// Time stamp of last launch of the App with a three day granularity.
// The timestamp is milliseconds since Epoch in UTC timezone (Java time).
optional int64 last_launch_time_window_start_timestamp = 3;
// If available, the name of the Debian package belonging to this App.
optional string package_name = 4;
// If available, the version of the Debian package belonging to this App.
optional string package_version = 5;
// If available, a hash of the package belonging to this App.
optional string package_hash = 6;
}
message CrostiniStatus {
// Time stamp of last launch of a Crostini app with three day granularity,
// The timestamp is milliseconds since Epoch in UTC timezone (Java time).
optional int64 last_launch_time_window_start_timestamp = 1;
// The VM image version at the time of the last launch.
optional string last_launch_vm_image_version = 2;
// The VM kernel version at the time of the last launch.
optional string last_launch_vm_kernel_version = 3;
// Contains information about each installed app at the time of the
// report.
repeated CrostiniApp installed_apps = 4;
}
// Report current active session (a user on one device) level status.
message SessionStatusReportRequest {
reserved 1, 2, 3, 6;
// If this is a kiosk session, this is the device local account ID.
optional string device_local_account_id = 4;
// Information about kiosk app for kiosk session.
repeated AppStatus installed_apps = 5;
// Information about ARC status.
optional AndroidStatus android_status = 7;
// If this is a regular user session, this is the user's DMToken.
optional string user_dm_token = 8;
// Time zone id of the active user. Not set for enterprise users.
// Format of the id is as specified in tz database e.g. Pacific/Honolulu. For
// more details check third_party/icu/source/i18n/unicode/timezone.h.
optional string time_zone = 9;
// Information about Crostini status.
optional CrostiniStatus crostini_status = 10;
// Information about all applications for this user on this device, including
// uninstalled and disabled apps.
repeated AppInfo app_infos = 11;
}
// Response from DMServer to update devices' status.
// It is possible that status report fails but policy request succeed. In such
// case, the DeviceStatusReportResponse will contain an error code and the
// device should re-send status report data in the next policy request. The
// device should re-send report data if policy request fails, even if
// DeviceStatusReportResponse contains no error code.
message DeviceStatusReportResponse {
optional int32 error_code = 1;
// Human readable error message for customer support purpose.
optional string error_message = 2;
}
// Response from DMServer to a Chrome desktop report request. The report
// upload errors will be set in the containing DeviceManagementResponse or
// eventually at the HTTP level.
message ChromeDesktopReportResponse {}
// Response from DMServer to a ChromeOS user report request. The report
// upload errors will be set in the containing DeviceManagementResponse or
// eventually at the HTTP level.
message ChromeOsUserReportResponse {}
// Response from DMServer to a profile report request. The report
// upload errors will be set in the containing DeviceManagementResponse or
// eventually at the HTTP level.
message ChromeProfileReportResponse {}
// Response from DMServer to update user devices' status.
// It is possible that status report fails but policy request succeed. In such
// case, the SessionStatusReportResponse will contain an error code and the
// device should re-send status report data in the next policy request. The
// device should re-send report data if policy request fails, even if
// SessionStatusReportResponse contains no error code.
message SessionStatusReportResponse {
optional int32 error_code = 1;
// Human readable error message for customer support purpose.
optional string error_message = 2;
}
// Request from client to query device state using Private Set Membership (PSM).
// Please see go/cros-enterprise-psm and go/cros-client-psm for more details.
message PrivateSetMembershipRequest {
// A request proto from the RLWE PSM protocol.
optional PrivateSetMembershipRlweRequest rlwe_request = 1;
}
message PrivateSetMembershipResponse {
// A response proto from the RLWE PSM protocol.
optional PrivateSetMembershipRlweResponse rlwe_response = 1;
}
message PrivateSetMembershipRlweRequest {
// First request sent by the client for checking membership.
optional private_membership.rlwe.PrivateMembershipRlweOprfRequest
oprf_request = 1;
// Second request sent by the client for checking membership.
optional private_membership.rlwe.PrivateMembershipRlweQueryRequest
query_request = 2;
}
message PrivateSetMembershipRlweResponse {
// First response sent by the server for checking membership.
optional private_membership.rlwe.PrivateMembershipRlweOprfResponse
oprf_response = 1;
// Second response sent by the server for checking membership.
optional private_membership.rlwe.PrivateMembershipRlweQueryResponse
query_response = 2;
}
// Request from device to server to determine whether the device should
// go through enterprise enrollment. Unlike the other requests, this request is
// not authenticated.
message DeviceAutoEnrollmentRequest {
// Device identifier hash, mod |modulus|.
// The type of the device identifier hash depends on |enrollment_check_type|.
// If |modulus| is 1, |remainder| should be 0.
// |remainder| should always be present.
optional int64 remainder = 1;
// Modulus of the hash used by the client. For now, it is a power of 2, but
// due to the strict constraint on how many serial numbers a bucket can
// contain, it may become non power of 2. If that happens, client-side needs
// to change its assumption.
// |modulus| should always be present, but setting |modulus| to 1 means that
// no bits of the client's hash are uploaded. |remainder| should be 0 in this
// case.
optional int64 modulus = 2;
enum EnrollmentCheckType {
// Unspecified.
ENROLLMENT_CHECK_TYPE_UNSPECIFIED = 0;
// Forced Re-Enrollment check with full SHA-256 hashes of the
// server-backed state key.
ENROLLMENT_CHECK_TYPE_FRE = 1;
// Forced Enrollment check with SHA-256 hashes of (brand code + “_” + serial
// number), truncated to first 8 bytes each.
ENROLLMENT_CHECK_TYPE_FORCED_ENROLLMENT = 2;
}
// Specifies the type of auto enrollment check that is being made.
// This also defines the format of the device identifier hash used in this
// exchange.
optional EnrollmentCheckType enrollment_check_type = 3
[default = ENROLLMENT_CHECK_TYPE_FRE];
}
// Response from server to auto-enrollment detection request.
message DeviceAutoEnrollmentResponse {
// If this field is present, the other fields are ignored and the client
// should send a new DeviceAutoEnrollmentRequest with a |remainder|
// computed using this new |expected_modulus|. If this field is empty, the
// client's request was accepted.
// DMServer guarantees that if the modulus sent by client in
// DeviceAutoEnrollmentRequest matches server's expectation, this field
// is unset.
optional int64 expected_modulus = 1;
// List of hashes. If the client's hash matches any in this list, the
// client device should do enterprise enrollment. If it matches none,
// enrollment should be optional.
// The format of each entry depends on the |enrollment_check_type| that was
// set in the DeviceAutoEnrollmentRequest.
repeated bytes hashes = 2;
}
// Sent by the client to the server. The device management server keeps a
// mapping of device identifiers to device state. Devices query this table after
// hard reset in order recover state. This request is keyed just by the opaque
// server-backed state key; there is no further authentication.
message DeviceStateRetrievalRequest {
// Opaque, client-determined, unpredictable, stable and unique device
// identifier to retrieve state for. This field contains 32 bytes of data that
// looks essentially random to the server. It may be generated e.g. by running
// a concatenation of suitable device identifiers through a cryptographic hash
// algorithm such as SHA-256.
optional bytes server_backed_state_key = 1;
}
// Sent by the client to the server when in registered state to update the
// device-determined device state keys.
message DeviceStateKeyUpdateRequest {
// The client-determined state keys. To the server, these look like 32 bytes
// of random data. The client should generate these keys using a deterministic
// algorithm that takes stable device identifiers as an input and produces a
// key as the output, possibly by running the identifiers through a
// cryptographic hash function such as SHA-256.
repeated bytes server_backed_state_keys = 1;
}
// Server to client message carrying the device state response. Because the
// request is not authenticated, the only protection against state extraction
// from server is the unpredictability of the server-backed state ID. Thus, the
// response should not contain any sensitive data. If the server doesn't know
// the requested identifier, it just returns a message with restore_mode set to
// RESTORE_MODE_NONE.
message DeviceStateRetrievalResponse {
// Restorative action to take after device reset.
enum RestoreMode {
// No secondary state restoration.
RESTORE_MODE_NONE = 0;
// Enterprise enrollment requested, but user may skip.
RESTORE_MODE_REENROLLMENT_REQUESTED = 1;
// Enterprise enrollment is enforced and cannot be skipped.
RESTORE_MODE_REENROLLMENT_ENFORCED = 2;
// The device has been disabled by its owner. The device will show a warning
// screen and prevent the user from proceeding further.
RESTORE_MODE_DISABLED = 3;
// Enterprise enrollment is enforced using Zero-Touch and cannot be skipped.
RESTORE_MODE_REENROLLMENT_ZERO_TOUCH = 4;
}
// The server-indicated restore mode.
optional RestoreMode restore_mode = 1 [default = RESTORE_MODE_NONE];
// Primary domain the device is associated with.
optional string management_domain = 2;
// State that is relevant only when the |restore_mode| is
// |RESTORE_MODE_DISABLED|.
optional DisabledState disabled_state = 3;
// Initial device state if |restore_mode| is |RESTORE_MODE_NONE|.
optional DeviceInitialEnrollmentStateResponse initial_state_response = 4;
}
// Request from device to server to retrieve the enrollment mode and domain for
// this device. The client will use this request when the
// DeviceAutoEnrollmentRequest exchange with |enrollment_check_type| set to
// |ENROLLMENT_CHECK_TYPE_FORCED_ENROLLMENT| indicated that it should be
// enrolled. This request is not authenticated.
message DeviceInitialEnrollmentStateRequest {
// The serial number of the device.
optional string serial_number = 1;
// The 4-character brand code of the device.
optional string brand_code = 2;
}
// Response from server DeviceInitialEnrollmentStateRequest.
message DeviceInitialEnrollmentStateResponse {
// Initial action to take after OOBE.
enum InitialEnrollmentMode {
// No initial enrollment.
INITIAL_ENROLLMENT_MODE_NONE = 0;
// Enterprise enrollment is enforced and cannot be skipped.
INITIAL_ENROLLMENT_MODE_ENROLLMENT_ENFORCED = 1;
// Zero-Touch (attestation-based) enrollment is enforced and cannot be
// skipped.
INITIAL_ENROLLMENT_MODE_ZERO_TOUCH_ENFORCED = 2;
// The device has been disabled by its owner. The device will show a warning
// screen and prevent the user from proceeding further.
INITIAL_ENROLLMENT_MODE_DISABLED = 3;
}
// The server-indicated initial enrollment mode.
optional InitialEnrollmentMode initial_enrollment_mode = 1
[default = INITIAL_ENROLLMENT_MODE_NONE];
// The domain the device should be enrolled into.
optional string management_domain = 2;
// Whether the device comes packaged with a license or not.
optional bool is_license_packaged_with_device = 3;
// State that is relevant only when the |initial_enrollment_mode| is
// |INITIAL_ENROLLMENT_MODE_DISABLED|.
optional DisabledState disabled_state = 4;
// License Packaging SKU type.
// LINT.IfChange
enum LicensePackagingSKU {
// Not a License Packaged Device.
NOT_EXIST = 0;
// Enterprise SKU.
CHROME_ENTERPRISE = 1;
// Education SKU.
CHROME_EDUCATION = 2;
// Terminal SKU
CHROME_TERMINAL = 3;
}
// LINT.ThenChange(//depot/google3/google/chrome/licensepackaging/v1/service.proto)
// SKU Type for License Packaged Device.
optional LicensePackagingSKU license_packaging_sku = 5;
}
// Sent by the client to the server to pair the Host device with the Controller
// device. The HTTP request contains an end-user OAuth token and only succeeds
// if both Host and Controller devices belong to the end-user domain.
message DevicePairingRequest {
// The device ID of the Host device.
optional string host_device_id = 1;
// The device ID of the Controller device.
optional string controller_device_id = 2;
}
// Response from the server to the device pairing request.
message DevicePairingResponse {
// The client should check HTTP status code first. If HTTP status code is not
// 200 (e.g. 500 internal error), then it means the pairing fails. If HTTP
// status code is 200, then the client should check the status code within the
// response.
enum StatusCode {
SUCCESS = 0;
// A generic failure code for pairing.
FAILED = 1;
// The Host device cannot be found in the user's domain.
HOST_DEVICE_NOT_FOUND = 2;
// The Controller device cannot be found in the user's domain.
CONTROLLER_DEVICE_NOT_FOUND = 3;
// The Host device is deprovisioned.
HOST_DEVICE_DEPROVISIONED = 4;
// The Controller device is deprovisioned.
CONTROLLER_DEVICE_DEPROVISIONED = 5;
}
optional StatusCode status_code = 1 [default = FAILED];
}
// Sent by the client to the server to check if the devices are paired. The HTTP
// request contains controller service account OAuth token as well as the
// DMToken from the Host device.
message CheckDevicePairingRequest {
// The device ID of the Host device.
optional string host_device_id = 1;
// The device ID of the Controller device.
optional string controller_device_id = 2;
}
// Response from the server to the check device pairing request.
message CheckDevicePairingResponse {
// The client should check HTTP status code first. If HTTP status code is not
// 200 (e.g. 500 internal error), then it means the pairing status is unknown.
// If HTTP status code is 200, then the client should check the status code
// within the response.
enum StatusCode {
PAIRED = 0;
// The Host and Controller devices are not paired.
NOT_PAIRED = 1;
// The Host device cannot be found in the Host device domain.
HOST_DEVICE_NOT_FOUND = 2;
// The Controller device cannot be found in the Host device domain.
CONTROLLER_DEVICE_NOT_FOUND = 3;
// The Host device is deprovisioned.
HOST_DEVICE_DEPROVISIONED = 4;
// The Controller device is deprovisioned.
CONTROLLER_DEVICE_DEPROVISIONED = 5;
// Invalid controller identity.
INVALID_CONTROLLER_DEVICE_IDENTITY = 6;
}
optional StatusCode status_code = 1 [default = NOT_PAIRED];
}
// This protobuf defines a single remote command from server to client for
// execution.
message RemoteCommand {
// The names are used as part of metric names. If enumeration is updated
// the names should also be updated:
// - components/policy/core/common/cloud/enterprise_metrics.cc;
// - components/policy/core/common/remote_commands/remote_commands_service.cc;
// - Enterprise.RemoteCommandType in
// tools/metrics/histograms/metadata/enterprise/histograms.xml;
enum Type {
// Simple echo command for testing, will be ignored in production code.
COMMAND_ECHO_TEST = -1;
// Reboot the device.
DEVICE_REBOOT = 0;
// Take a screenshot.
DEVICE_SCREENSHOT = 1;
// Set device volume.
DEVICE_SET_VOLUME = 2;
// Force a refresh of device status (attributes and logs).
DEVICE_FETCH_STATUS = 3;
// Forwards a user command received from the management server to the ARC++
// side. The payload is opaque to Chrome OS.
USER_ARC_COMMAND = 4;
// Wipe all the users off of the device.
DEVICE_WIPE_USERS = 5;
// Start Chrome Remote Desktop session (limited to Kiosk sessions only).
DEVICE_START_CRD_SESSION = 6;
// Wipe the device (perform a powerwash).
DEVICE_REMOTE_POWERWASH = 7;
// Refresh the device machine certificate and re-upload it.
DEVICE_REFRESH_ENTERPRISE_MACHINE_CERTIFICATE = 8;
// Retrieve a list of available diagnostics routines.
DEVICE_GET_AVAILABLE_DIAGNOSTIC_ROUTINES = 9;
// Run a given diagnostics routine on the platform.
DEVICE_RUN_DIAGNOSTIC_ROUTINE = 10;
// Send a command or get an update from an existing diagnostics routine.
DEVICE_GET_DIAGNOSTIC_ROUTINE_UPDATE = 11;
// Clear the cache and cookies associated with a given profile.
BROWSER_CLEAR_BROWSING_DATA = 12;
// Reset the cellular EUICC (Embedded Universal Integrated Circuit Card) on
// the device.
DEVICE_RESET_EUICC = 13;
// Please update metrics after adding a new item - see the comment above.
}
// The command type.
optional Type type = 1;
// An opaque unique identifier for the command. The client processes
// the commands in the order of the command list it receives.
optional int64 command_id = 2;
// The age of the command (in milliseconds) when it is sent from server to
// client, defined as current_server_time - command_generated_time.
optional int64 age_of_command = 3;
// Extra parameters for this command, expected to be a JSON string. The exact
// format of the JSON payload depends on the command type specified by the
// |type| field:
// |DEVICE_SCREENSHOT|: {"fileUploadUrl" : url_string}.
// |DEVICE_SET_VOLUME|: {"volume": volume_value}, where volume_value must be
// an integer between 0 and 100.
// |DEVICE_RUN_DIAGNOSTIC_ROUTINE|: {"routine" : routine_enum, "params" :
// params_dict}, where params_dict varies by routine.
// |DEVICE_GET_DIAGNOSTIC_ROUTINE_UPDATE|: {"id" : id_integer, "command" :
// command, "includeOutput" : include_output_bool}, where command must be a
// valid chromeos::cros_healthd::mojom::DiagnosticRoutineCommandEnum.
optional string payload = 4;
// An identifier for the target this command is for. This is the same as
// the device_id in PolicyData. We rely on this identifier not being stable
// across powerwashes.
optional string target_device_id = 5;
}
// This protobuf defines the execution result of a single remote command
// which will be sent back to the server.
message RemoteCommandResult {
// If you change this, update policy.mojom/CommandResultType.
enum ResultType {
RESULT_IGNORED = 0; // The command was ignored as obsolete.
RESULT_FAILURE = 1; // The command could not be executed or parsed.
RESULT_SUCCESS = 2; // The command was successfully executed. Commands
// such as powerwash will return success before they
// are executed since state will be forgotten.
}
// The result of the command.
optional ResultType result = 1;
// The opaque unique identifier of the command. This value is copied from the
// RemoteCommand protobuf that contained the command.
optional int64 command_id = 2;
// The timestamp representing time at which the command was executed, if the
// result is RESULT_SUCCESS. The timestamp is milliseconds since Epoch in UTC
// timezone (Java time).
optional int64 timestamp = 3;
// Extra information sent to server as result of execution, expected to be a
// JSON string.
optional string payload = 4;
}
message DeviceRemoteCommandRequest {
// The command ID of the last command received from the server until
// now. Omitted if no commands have been received yet.
optional int64 last_command_unique_id = 1;
// The execution results of previously fetched commands.
// The client should send back a command result whenever possible.
repeated RemoteCommandResult command_results = 2;
// Whether the server should send secure commands or not.
optional bool send_secure_commands = 3;
// What type of signature to use. Only valid if send_secure_commmands is true.
// If NONE is passed, SHA1_RSA will be used instead for compatibility.
optional PolicyFetchRequest.SignatureType signature_type = 4;
}
message DeviceRemoteCommandResponse {
// The queue of pending, non secure commands. If this is present then there
// shall be no secure commands in this response (and vice versa).
repeated RemoteCommand commands = 1;
// The queue of pending, secure commands. If this is present then there shall
// be no non secure commands in this response (and vice versa).
//
// The secure_commands.data field contains a serialized PolicyData with a
// “google/chromeos/remotecommand” policy_type. The secure_commands.signature
// field is a signature of the data field with the policy key for the domain
// the device belongs to.
repeated SignedData secure_commands = 2;
}
// Sent by the client to the server to check if the current user is allowed
// to update attributes (asset id and location). The HTTP request contains an
// end-user OAuth token.
message DeviceAttributeUpdatePermissionRequest {}
// Response from the server specifying whether the current user is allowed to
// update attributes (asset id and location).
message DeviceAttributeUpdatePermissionResponse {
enum ResultType {
ATTRIBUTE_UPDATE_DISALLOWED = 0;
ATTRIBUTE_UPDATE_ALLOWED = 1;
}
optional ResultType result = 1;
}
// Sent by the client to the server to update device attributes (asset id and
// location). The HTTP request contains an end-user OAuth token.
message DeviceAttributeUpdateRequest {
// The user-generated asset identifier.
optional string asset_id = 1;
// The user input device location.
optional string location = 2;
}
// Response from the server to update device attributes (asset id and location).
message DeviceAttributeUpdateResponse {
enum ResultType {
ATTRIBUTE_UPDATE_ERROR = 0;
ATTRIBUTE_UPDATE_SUCCESS = 1;
}
optional ResultType result = 1;
}
// Sent by the client to server to update the mapping from GCM id to device_id
// on the server side.
message GcmIdUpdateRequest {
optional string gcm_id = 1;
}
// Response for GcmIdUpdateRequest, an empty message for now.
message GcmIdUpdateResponse {}
// Request from device to server to check for Android-for-Work service with
// DPC enforcement. Must be sent only for users who are not managed in Chrome
// OS.
// Provide user's OAuth token with your HTTP Request.
message CheckAndroidManagementRequest {}
// Response from server to device for check for Android-for-Work service with
// DPC enforcement request.
// SC_CONFLICT HTTP code is returned if DPC enforcement is required.
message CheckAndroidManagementResponse {}
// Request to register a new device (authenticated by enterprise enrollment
// certificate). See http://go/zero-touch-chrome for details.
// The response message will be the DeviceRegisterResponse.
message CertificateBasedDeviceRegisterRequest {
// Signed request to register with a certificate. The signed_request.data
// field contains a CertificateBasedDeviceRegistrationData with a nonce
// (as added by the Chrome OS cryptohome client) appended. The
// signed_request.signature field is a signature of the data field signed
// with the enrollment certificate's private key.
optional SignedData signed_request = 1;
}
// Requested configuration to be passed along a registration request.
message DeviceRegisterConfiguration {
// The device owner's email address.
optional string device_owner = 1;
}
message CertificateBasedDeviceRegistrationData {
enum CertificateType {
UNKNOWN = 0;
ENTERPRISE_ENROLLMENT_CERTIFICATE = 1;
}
optional CertificateType certificate_type = 1;
// Device certificate in X.509 format.
// We use CertificateFactory.generateCertificate() call and
// the certificate provided must be DER-encoded and may be supplied in binary
// or printable (Base64) encoding. If the certificate is provided in Base64
// encoding, it must be bounded at the beginning by
// -----BEGIN CERTIFICATE-----, and must be bounded at the end by
// -----END CERTIFICATE-----.
optional bytes device_certificate = 2;
// regular device registration request
optional DeviceRegisterRequest device_register_request = 3;
// Additional configuration to register the device.
optional DeviceRegisterConfiguration device_register_configuration = 4;
}
// Request to enroll a Chrome browser. Fields match identically named fields
// in ChromeBrowserDeviceInfo.
message RegisterBrowserRequest {
// The name of the machine within its local network.
optional string machine_name = 1;
// Platform, e.g., Windows or Mac.
optional string os_platform = 2;
// Platform specific version number, e.g., 6.1.7601.0 or 10.12.6
optional string os_version = 3;
// Device identifier for helping identify non-Chrome OS devices.
// TODO(crbug.com/1105938): This will also replace the machine_name field.
optional BrowserDeviceIdentifier browser_device_identifier = 4;
// The device model, e.g., iPad6,11
optional string device_model = 5;
// A string that represents the brand/manufacturer of a device.
optional string brand_name = 6;
}
// Gets an enrollment token to a managed Google Play account for using it with
// Active Directory. Sent when a new user logs in with Active Directory and
// opens Play Store for the first time.
message ActiveDirectoryEnrollPlayUserRequest {
// A server-provider identifier for the previously established SAML session.
// If left empty and SAML authentication is required,
// ActiveDirectoryEnrollPlayUserResponse.saml_parameters.auth_redirect_url
// will contain initial Redirect required to start the SAML flow.
optional string auth_session_id = 1;
}
// The result when a new user logs in to Play Store with Active Directory.
// 904 Arc Disabled HTTP error code is returned if the reason of the failure is
// that ARC is not enabled for the domain.
// 403 Forbidden HTTP error code is returned if the device can't get Managed
// Google Play accounts.
message ActiveDirectoryEnrollPlayUserResponse {
// The enrollment token which can be used to fetch a Managed Google Play
// account.
optional string enrollment_token = 1;
// The user id which identifies the user enrolled by this token. This user id
// is opaque to the client and is only used in the ActiveDirectoryPlayActivity
// requests.
optional string user_id = 2;
// If SAML authentication is required, SAML flow parameters are specified in
// this proto and both enrollment_token and user_id fields are left unset.
optional SamlParametersProto saml_parameters = 3;
}
message SamlParametersProto {
// Initial Redirect URL to start the SAML flow.
optional string auth_redirect_url = 1;
// Auth Session ID which the client is supposed to use in the subsequent
// DMServer request (to be sent after SAML flow completes).
optional string auth_session_id = 2;
}
// Gets a URL to the SAML IdP authentication flow for using it with public
// SAML session. Sent when a user logs in to a SAML public session account.
message PublicSamlUserRequest {
// Identifier for the public saml account. Same as
// DeviceLocalAccountInfoProto.account_id.
optional string account_id = 1;
}
// The result when a user logs in to a SAML public session account.
message PublicSamlUserResponse {
// SAML flow parameters are specified in this proto.
optional SamlParametersProto saml_parameters = 1;
}
// Reports that a managed Google Play account is used. This makes the garbage
// collection of accounts possible by reporting the ones which are still in use.
message ActiveDirectoryPlayActivityRequest {
// The user id received in ActiveDirectoryEnrollPlayUserResponse which
// identifies the user.
optional string user_id = 1;
}
// Response to the Play account activity request.
message ActiveDirectoryPlayActivityResponse {}
// DEPRECATED: Request to retrieve available device licenses. User auth token
// or auth cookie must be provided with DeviceManagementRequest when
// CheckDeviceLicenseRequest is being sent.
// See go/cdm-mixed-license-pool for more info
message CheckDeviceLicenseRequest {}
// Represents availability of a single license type.
message LicenseAvailability {
// License type.
optional LicenseType license_type_deprecated = 1 [deprecated = true];
// Remaining available licenses (can be 0).
optional int32 available_licenses_deprecated = 2 [deprecated = true];
}
// DEPRECATED: Response to a check device license request.
message CheckDeviceLicenseResponse {
enum LicenseSelectionMode {
// Should not happen, included for compatibility.
UNDEFINED = 0;
// User is allowed to choose license.
USER_SELECTION = 1;
// Admin controls license selection preferences through management UI.
ADMIN_SELECTION = 2;
}
// Policy setting value for license selection mode.
optional LicenseSelectionMode license_selection_mode_deprecated = 1
[deprecated = true];
// Provides available license counts for each purchased license type.
// This field would list each subscription for the domain even if all licenses
// have been used up (in which case available_licenses field is set to zero).
//
// If license_selection_mode == USER_SELECTION and license_availability
// contains more than one entry then device should display a screen asking
// user to choose license type and send selected license type value in the
// DeviceRegisterRequest.license_type field.
repeated LicenseAvailability license_availabilities_deprecated = 2
[deprecated = true];
}
// Sign in an Active Directory user using SAML SSO. The device management server
// redirects the client to the Active Directory server in order to authenticate
// and identify the Active Directory user. Active Directory redirects the client
// back to the device management server with an assertion of the Active
// Directory user's identity. The device management server then redirects the
// client to Google's authentication service in order to provision the user on
// the device.
message ActiveDirectoryUserSigninRequest {}
message ActiveDirectoryUserSigninResponse {
// Initial Redirect URL to start the SAML flow.
optional string auth_redirect_url = 1;
}
// Contains information about the TPM used on the device.
message TpmVersionInfo {
enum GscVersion {
GSC_VERSION_UNSPECIFIED = 0;
GSC_VERSION_NOT_GSC = 1;
GSC_VERSION_CR50 = 2;