//
// DO NOT MODIFY THIS FILE DIRECTLY!
// IT IS GENERATED BY generate_policy_source.py
// FROM ../../components/policy/resources/policy_templates.json
//
syntax = "proto2";
//option optimize_for = LITE_RUNTIME;
package enterprise_management;
// For StringList and PolicyOptions.
import "cloud_policy_full_runtime.proto";
// PBs for individual settings.
// Configure the home page URL
//
// Configures the default home page URL in Google Chrome and prevents users from
// changing it.
//
// The home page is the page opened by the Home button. The pages that open on
// startup are controlled by the RestoreOnStartup policies.
//
// The home page type can either be set to a URL you specify here or set to the
// New Tab Page. If you select the New Tab Page, then this policy does not take
// effect.
//
// If you enable this setting, users cannot change their home page URL in Google
// Chrome, but they can still choose the New Tab Page as their home page.
//
// Leaving this policy not set will allow the user to choose their home page on
// their own if HomepageIsNewTabPage is not set too.
//
// The URL must have a standard scheme, e.g. "http://example.com" or
// "https://example.com".
//
// This policy is available only on Windows instances that are joined to a
// Microsoft® Active Directory® domain, or on Windows 10 Pro or Enterprise
// instances that are enrolled for device management.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message HomepageLocationProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // Home page URL. The policy text requires a standard scheme such as
  // "http://example.com" or "https://example.com"; the field is a plain
  // string, so the scheme has to be checked by whatever consumes it.
  optional string HomepageLocation = 2;
}
// Use New Tab Page as homepage
//
// Configures the type of the default home page in Google Chrome and prevents
// users from changing home page preferences. The home page can either be set to
// a URL you specify or set to the New Tab Page.
//
// If you enable this setting, the New Tab Page is always used for the home
// page, and the home page URL location is ignored.
//
// If you disable this setting, the user's homepage will never be the New Tab
// Page, unless its URL is set to 'chrome://newtab'.
//
// If you enable or disable this setting, users cannot change their homepage
// type in Google Chrome.
//
// Leaving this policy not set will allow the user to choose whether the new tab
// page is their home page on their own.
//
// This policy is available only on Windows instances that are joined to a
// Microsoft® Active Directory® domain, or on Windows 10 Pro or Enterprise
// instances that are enrolled for device management.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message HomepageIsNewTabPageProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true: the New Tab Page is always the home page and the home page URL is
  // ignored. false: the home page is never the New Tab Page unless its URL
  // is 'chrome://newtab'. Unset: the user chooses.
  optional bool HomepageIsNewTabPage = 2;
}
// Configure the New Tab page URL
//
// Configures the default New Tab page URL and prevents users from changing it.
//
// The New Tab page is the page opened when new tabs are created (including the
// one opened in new windows).
//
// This policy does not decide which pages are to be opened on start up. Those
// are controlled by the RestoreOnStartup policies. Yet this policy does affect
// the Home Page if that is set to open the New Tab page, as well as the startup
// page if that is set to open the New Tab page.
//
// If the policy is not set or left empty the default new tab page is used.
//
// This policy is available only on Windows instances that are joined to a
// Microsoft® Active Directory® domain, or on Windows 10 Pro or Enterprise
// instances that are enrolled for device management.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message NewTabPageLocationProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // URL of the New Tab page. Unset or empty selects the default New Tab
  // page. The value also applies to the home page and the startup page when
  // those are configured to open the New Tab page.
  optional string NewTabPageLocation = 2;
}
// Set Google Chrome as Default Browser
//
// Configures the default browser checks in Google Chrome and prevents users
// from changing them.
//
// If you enable this setting, Google Chrome will always check on startup
// whether it is the default browser and automatically register itself if
// possible.
//
// If this setting is disabled, Google Chrome will never check if it is the
// default browser and will disable user controls for setting this option.
//
// If this setting is not set, Google Chrome will allow the user to control
// whether it is the default browser and whether user notifications should be
// shown when it isn't.
//
// Note for administrators of Microsoft® Windows: Enabling this setting will
// only work for machines running Windows 7. For versions of Windows starting
// with Windows 8, you must deploy a "default application associations" file
// that makes Google Chrome the handler for the https and http protocols (and,
// optionally, the ftp protocol and file formats such as .html, .htm, .pdf,
// .svg, .webp, etc...). See
// https://support.google.com/chrome?p=make_chrome_default_win for more
// information.
//
// Supported on: linux, mac, win
message DefaultBrowserSettingEnabledProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true: check on every startup and register as default browser when
  // possible. false: never check, and disable the user controls for it.
  // Unset: the user decides. On Windows the policy text limits the
  // self-registration to Windows 7.
  optional bool DefaultBrowserSettingEnabled = 2;
}
// Application locale
//
// Configures the application locale in Google Chrome and prevents users from
// changing the locale.
//
// If you enable this setting, Google Chrome uses the specified locale. If the
// configured locale is not supported, 'en-US' is used instead.
//
// If this setting is disabled or not set, Google Chrome uses either the user-
// specified preferred locale (if configured), the system locale or the fallback
// locale 'en-US'.
//
// Supported on: win
message ApplicationLocaleValueProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // Locale to use for the application. An unsupported locale falls back to
  // 'en-US'. Windows only.
  optional string ApplicationLocaleValue = 2;
}
// Enable alternate error pages
//
// Enables the use of alternate error pages that are built into Google Chrome
// (such as 'page not found') and prevents users from changing this setting.
//
// If you enable this setting, alternate error pages are used.
//
// If you disable this setting, alternate error pages are never used.
//
// If you enable or disable this setting, users cannot change or override this
// setting in Google Chrome.
//
// If this policy is left not set, this will be enabled but the user will be
// able to change it.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message AlternateErrorPagesEnabledProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true: built-in alternate error pages are used. false: they are never
  // used. Either value locks the setting; unset leaves it enabled but
  // user-changeable.
  optional bool AlternateErrorPagesEnabled = 2;
}
// Enable search suggestions
//
// Enables search suggestions in Google Chrome's omnibox and prevents users from
// changing this setting.
//
// If you enable this setting, search suggestions are used.
//
// If you disable this setting, search suggestions are never used.
//
// If you enable or disable this setting, users cannot change or override this
// setting in Google Chrome.
//
// If this policy is left not set, this will be enabled but the user will be
// able to change it.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message SearchSuggestEnabledProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true: omnibox search suggestions are used. false: they are never used.
  // Either value locks the setting; unset leaves it enabled but
  // user-changeable.
  optional bool SearchSuggestEnabled = 2;
}
// Enable network prediction
//
// This policy is deprecated in M48 in favor of NetworkPredictionOptions, and
// removed in M54.
//
// Enables network prediction in Google Chrome and prevents users from changing
// this setting.
//
// This controls not only DNS prefetching but also TCP and SSL preconnection and
// prerendering of web pages. The policy name refers to DNS prefetching for
// historical reasons.
//
// If you enable or disable this setting, users cannot change or override this
// setting in Google Chrome.
//
// If this policy is left not set, this will be enabled but the user will be
// able to change it.
//
// Supported on:
message DnsPrefetchingEnabledProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // Legacy switch for network prediction (DNS prefetching, TCP and SSL
  // preconnection, prerendering). Deprecated in M48 in favor of
  // NetworkPredictionOptions and removed in M54; no supported platforms are
  // listed for it.
  optional bool DnsPrefetchingEnabled = 2;
}
// Enable network prediction
//
// Enables network prediction in Google Chrome and prevents users from changing
// this setting.
//
// This controls DNS prefetching, TCP and SSL preconnection and prerendering of
// web pages.
//
// If you set this policy, users cannot change or override this setting in
// Google Chrome.
//
// If this policy is left not set, network prediction will be enabled but the
// user will be able to change it.
//
// Valid values:
// 0: Predict network actions on any network connection
// 1: Predict network actions on any network that is not cellular.
// (Deprecated in 50, removed in 52. After 52, if value 1 is set, it
// will be treated as 0 - predict network actions on any network connection.)
// 2: Do not predict network actions on any network connection
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message NetworkPredictionOptionsProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // Network prediction mode as an integer: 0 = predict on any connection,
  // 1 = predict on non-cellular networks only (deprecated in 50; after 52
  // treated as 0), 2 = never predict.
  // NOTE(review): the field is int64, so values outside 0-2 can be encoded;
  // how they are handled is not shown here - confirm in the policy handler.
  optional int64 NetworkPredictionOptions = 2;
}
// Enable WPAD optimization
//
// Allows turning off WPAD (Web Proxy Auto-Discovery) optimization in Google
// Chrome.
//
// If this policy is set to false, WPAD optimization is disabled causing Google
// Chrome to wait longer for DNS-based WPAD servers. If the policy is not set
// or is enabled, WPAD optimization is enabled.
//
// Independent of whether or how this policy is set, the WPAD optimization
// setting cannot be changed by users.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message WPADQuickCheckEnabledProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // false: WPAD optimization is off and the browser waits longer for
  // DNS-based WPAD servers. true or unset: optimization is on. Users cannot
  // change this setting regardless of how the policy is set.
  optional bool WPADQuickCheckEnabled = 2;
}
// Disable SPDY protocol
//
// This policy is deprecated in M53 and removed in M54, because SPDY/3.1 support
// is removed.
//
// Disables use of the SPDY protocol in Google Chrome.
//
// If this policy is enabled the SPDY protocol will not be available in Google
// Chrome.
//
// Setting this policy to disabled will allow the usage of SPDY.
//
// If this policy is left not set, SPDY will be available.
//
// Supported on:
message DisableSpdyProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true: SPDY is not available. false or unset: SPDY is available.
  // Deprecated in M53 and removed in M54 together with SPDY/3.1 support; no
  // supported platforms are listed for it.
  optional bool DisableSpdy = 2;
}
// Disable URL protocol schemes
//
// This policy is deprecated, please use URLBlacklist instead.
//
// Disables the listed protocol schemes in Google Chrome.
//
// URLs using a scheme from this list will not load and can not be navigated to.
//
// If this policy is left not set or the list is empty all schemes will be
// accessible in Google Chrome.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message DisabledSchemesProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // Protocol schemes whose URLs will not load or be navigated to. Unset or
  // an empty list leaves every scheme accessible. Deprecated in favor of
  // URLBlacklist. StringList is declared in the imported
  // cloud_policy_full_runtime.proto.
  optional StringList DisabledSchemes = 2;
}
// Enable HTTP/0.9 support on non-default ports
//
// This policy is deprecated, and slated for removal in Chrome 78, with no
// replacement.
//
// This policy enables HTTP/0.9 on ports other than 80 for HTTP and 443 for
// HTTPS.
//
// This policy is disabled by default, and if enabled, leaves users open to the
// security issue https://crbug.com/600352.
//
// This policy is intended to give enterprises a chance to migrate existing
// servers off of HTTP/0.9, and will be removed in the future.
//
// If this policy is not set, HTTP/0.9 will be disabled on non-default ports.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message Http09OnNonDefaultPortsEnabledProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true enables HTTP/0.9 on ports other than 80 (HTTP) and 443 (HTTPS),
  // which the policy text says leaves users open to
  // https://crbug.com/600352; unset keeps HTTP/0.9 disabled on those ports.
  // Deprecated and slated for removal in Chrome 78 with no replacement, so
  // a deployment that still sets it is carrying a known exposure.
  optional bool Http09OnNonDefaultPortsEnabled = 2;
}
// Enable JavaScript
//
// This policy is deprecated, please use DefaultJavaScriptSetting instead.
//
// Can be used to disable JavaScript in Google Chrome.
//
// If this setting is disabled, web pages cannot use JavaScript and the user
// cannot change that setting.
//
// If this setting is enabled or not set, web pages can use JavaScript but the
// user can change that setting.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message JavascriptEnabledProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // false: pages cannot use JavaScript and the user cannot change that.
  // true or unset: pages can use JavaScript and the user can change the
  // setting. Deprecated in favor of DefaultJavaScriptSetting.
  optional bool JavascriptEnabled = 2;
}
// Enable Incognito mode
//
// This policy is deprecated. Please use IncognitoModeAvailability instead.
// Enables Incognito mode in Google Chrome.
//
// If this setting is enabled or not configured, users can open web pages in
// incognito mode.
//
// If this setting is disabled, users cannot open web pages in incognito mode.
//
// If this policy is left not set, this will be enabled and the user will be
// able to use incognito mode.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message IncognitoEnabledProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true or unset: users can open pages in incognito mode. false: they
  // cannot. Deprecated in favor of IncognitoModeAvailability.
  optional bool IncognitoEnabled = 2;
}
// Incognito mode availability
//
// Specifies whether the user may open pages in Incognito mode in Google Chrome.
//
// If 'Enabled' is selected or the policy is left unset, pages may be opened in
// Incognito mode.
//
// If 'Disabled' is selected, pages may not be opened in Incognito mode.
//
// If 'Forced' is selected, pages may be opened ONLY in Incognito mode.
//
// Valid values:
// 0: Incognito mode available
// 1: Incognito mode disabled
// 2: Incognito mode forced
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message IncognitoModeAvailabilityProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // Incognito availability as an integer: 0 = available (also the behavior
  // when unset), 1 = disabled, 2 = forced (pages open ONLY in Incognito).
  // NOTE(review): the field is int64, so values outside 0-2 can be encoded;
  // how they are handled is not shown here - confirm in the policy handler.
  optional int64 IncognitoModeAvailability = 2;
}
// Disable saving browser history
//
// Disables saving browser history in Google Chrome and prevents users from
// changing this setting.
//
// If this setting is enabled, browsing history is not saved. This setting also
// disables tab syncing.
//
// If this setting is disabled or not set, browsing history is saved.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message SavingBrowserHistoryDisabledProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true: browsing history is not saved, and tab syncing is disabled as a
  // side effect. false or unset: browsing history is saved.
  optional bool SavingBrowserHistoryDisabled = 2;
}
// Enable deleting browser and download history
//
// Enables deleting browser history and download history in Google Chrome and
// prevents users from changing this setting.
//
// Note that even with this policy disabled, the browsing and download history
// are not guaranteed to be retained: users may be able to edit or delete the
// history database files directly, and the browser itself may expire or archive
// any or all history items at any time.
//
// If this setting is enabled or not set, browsing and download history can be
// deleted.
//
// If this setting is disabled, browsing and download history cannot be deleted.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message AllowDeletingBrowserHistoryProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true or unset: browsing and download history can be deleted. false:
  // deletion through the browser is blocked. Per the policy text, false is
  // not a retention guarantee: users may edit or delete the history
  // database files directly and the browser may expire or archive items.
  optional bool AllowDeletingBrowserHistory = 2;
}
// Allow Dinosaur Easter Egg Game
//
// Allow users to play dinosaur easter egg game when device is offline.
//
// If this policy is set to False, users will not be able to play the dinosaur
// easter egg game when device is offline. If this setting is set to True, users
// are allowed to play the dinosaur game. If this policy is not set, users are
// not allowed to play the dinosaur easter egg game on enrolled Chrome OS, but
// are allowed to play it under other circumstances.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message AllowDinosaurEasterEggProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true: the offline dinosaur game is allowed. false: it is not. Unset:
  // not allowed on enrolled Chrome OS, allowed elsewhere.
  optional bool AllowDinosaurEasterEgg = 2;
}
// Enable firewall traversal from remote access client
//
// This policy is no longer supported.
// Enables usage of STUN and relay servers when connecting to a remote client.
//
// If this setting is enabled, then this machine can discover and connect to
// remote host machines even if they are separated by a firewall.
//
// If this setting is disabled and outgoing UDP connections are filtered by the
// firewall, then this machine can only connect to host machines within the
// local network.
//
// Supported on:
message RemoteAccessClientFirewallTraversalProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true: STUN and relay servers may be used to reach remote hosts across a
  // firewall. false: with outgoing UDP filtered, only hosts on the local
  // network are reachable. The policy is no longer supported and lists no
  // platforms.
  optional bool RemoteAccessClientFirewallTraversal = 2;
}
// Configure the required domain name for remote access clients
//
// This policy is deprecated. Please use RemoteAccessHostClientDomainList
// instead.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RemoteAccessHostClientDomainProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // Single required domain name for remote access clients. Deprecated in
  // favor of RemoteAccessHostClientDomainList.
  optional string RemoteAccessHostClientDomain = 2;
}
// Configure the required domain names for remote access clients
//
// Configures the required client domain names that will be imposed on remote
// access clients and prevents users from changing it.
//
// If this setting is enabled, then only clients from one of the specified
// domains can connect to the host.
//
// If this setting is disabled or not set, then the default policy for the
// connection type is applied. For remote assistance, this allows clients from
// any domain to connect to the host; for anytime remote access, only the host
// owner can connect.
//
// This setting will override RemoteAccessHostClientDomain, if present.
//
// See also RemoteAccessHostDomainList.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RemoteAccessHostClientDomainListProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // Domains a connecting client must belong to. Unset or disabled falls
  // back to the connection type's default: remote assistance accepts
  // clients from any domain, anytime remote access accepts only the host
  // owner. Overrides RemoteAccessHostClientDomain when both are present.
  optional StringList RemoteAccessHostClientDomainList = 2;
}
// Enable firewall traversal from remote access host
//
// Enables usage of STUN servers when remote clients are trying to establish a
// connection to this machine.
//
// If this setting is enabled, then remote clients can discover and connect to
// this machine even if they are separated by a firewall.
//
// If this setting is disabled and outgoing UDP connections are filtered by the
// firewall, then this machine will only allow connections from client machines
// within the local network.
//
// If this policy is left not set the setting will be enabled.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RemoteAccessHostFirewallTraversalProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true: STUN servers are used so remote clients can reach this host
  // across a firewall. false: with outgoing UDP filtered, only clients on
  // the local network can connect. Unset behaves as true, so restricting
  // the host to the local network requires an explicit false.
  optional bool RemoteAccessHostFirewallTraversal = 2;
}
// Configure the required domain name for remote access hosts
//
// This policy is deprecated. Please use RemoteAccessHostDomainList instead.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RemoteAccessHostDomainProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // Single required domain name for remote access hosts. Deprecated in
  // favor of RemoteAccessHostDomainList.
  optional string RemoteAccessHostDomain = 2;
}
// Configure the required domain names for remote access hosts
//
// Configures the required host domain names that will be imposed on remote
// access hosts and prevents users from changing it.
//
// If this setting is enabled, then hosts can be shared only using accounts
// registered on one of the specified domain names.
//
// If this setting is disabled or not set, then hosts can be shared using any
// account.
//
// This setting will override RemoteAccessHostDomain, if present.
//
// See also RemoteAccessHostClientDomainList.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RemoteAccessHostDomainListProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // Domains an account must be registered on to share a host. Unset or
  // disabled allows sharing with any account. Overrides
  // RemoteAccessHostDomain when both are present.
  optional StringList RemoteAccessHostDomainList = 2;
}
// Enable two-factor authentication for remote access hosts
//
// Enables two-factor authentication for remote access hosts instead of a user-
// specified PIN.
//
// If this setting is enabled, then users must provide a valid two-factor code
// when accessing a host.
//
// If this setting is disabled or not set, then two-factor will not be enabled
// and the default behavior of having a user-defined PIN will be used.
//
// Supported on:
message RemoteAccessHostRequireTwoFactorProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true: users must provide a valid two-factor code to access a host.
  // false or unset: the user-defined PIN is used instead. No supported
  // platforms are listed for this policy, so setting it should not be
  // counted on as an enforced control without checking the consumer.
  optional bool RemoteAccessHostRequireTwoFactor = 2;
}
// Configure the TalkGadget prefix for remote access hosts
//
// Configures the TalkGadget prefix that will be used by remote access hosts and
// prevents users from changing it.
//
// If specified, this prefix is prepended to the base TalkGadget name to create
// a full domain name for the TalkGadget. The base TalkGadget domain name is
// '.talkgadget.google.com'.
//
// If this setting is enabled, then hosts will use the custom domain name when
// accessing the TalkGadget instead of the default domain name.
//
// If this setting is disabled or not set, then the default TalkGadget domain
// name ('chromoting-host.talkgadget.google.com') will be used for all hosts.
//
// Remote access clients are not affected by this policy setting. They will
// always use 'chromoting-client.talkgadget.google.com' to access the
// TalkGadget.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RemoteAccessHostTalkGadgetPrefixProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // Prefix prepended to the base name '.talkgadget.google.com' to form the
  // TalkGadget domain used by hosts. Unset or disabled selects
  // 'chromoting-host.talkgadget.google.com'. Clients are not affected.
  // NOTE(review): the value ends up inside a host name; whether the
  // consumer restricts it to valid label characters is not shown here.
  optional string RemoteAccessHostTalkGadgetPrefix = 2;
}
// Enable curtaining of remote access hosts
//
// Enables curtaining of remote access hosts while a connection is in progress.
//
// If this setting is enabled, then hosts' physical input and output devices are
// disabled while a remote connection is in progress.
//
// If this setting is disabled or not set, then both local and remote users can
// interact with the host when it is being shared.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RemoteAccessHostRequireCurtainProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true: the host's physical input and output devices are disabled while
  // a remote connection is in progress. false or unset: local and remote
  // users can both interact with the host while it is shared.
  optional bool RemoteAccessHostRequireCurtain = 2;
}
// Enable or disable PIN-less authentication for remote access hosts
//
// If this setting is enabled or not configured, then users can opt to pair
// clients and hosts at connection time, eliminating the need to enter a PIN
// every time.
//
// If this setting is disabled, then this feature will not be available.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RemoteAccessHostAllowClientPairingProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true or unset: users can pair clients and hosts at connection time so a
  // PIN is not entered on every connection. false: pairing is unavailable.
  // PIN-less pairing is therefore the default and must be turned off
  // explicitly where a PIN is wanted on each connection.
  optional bool RemoteAccessHostAllowClientPairing = 2;
}
// Allow gnubby authentication for remote access hosts
//
// If this setting is enabled, then gnubby authentication requests will be
// proxied across a remote host connection.
//
// If this setting is disabled or not configured, gnubby authentication requests
// will not be proxied.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RemoteAccessHostAllowGnubbyAuthProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true: gnubby authentication requests are proxied across the remote
  // host connection. false or unset: they are not proxied.
  optional bool RemoteAccessHostAllowGnubbyAuth = 2;
}
// Enable the use of relay servers by the remote access host
//
// Enables usage of relay servers when remote clients are trying to establish a
// connection to this machine.
//
// If this setting is enabled, then remote clients can use relay servers to
// connect to this machine when a direct connection is not available (e.g. due
// to firewall restrictions).
//
// Note that if the policy RemoteAccessHostFirewallTraversal is disabled, this
// policy will be ignored.
//
// If this policy is left not set the setting will be enabled.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RemoteAccessHostAllowRelayedConnectionProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true or unset: remote clients may use relay servers when a direct
  // connection is not available. Ignored when
  // RemoteAccessHostFirewallTraversal is disabled.
  optional bool RemoteAccessHostAllowRelayedConnection = 2;
}
// Restrict the UDP port range used by the remote access host
//
// Restricts the UDP port range used by the remote access host in this machine.
//
// If this policy is left not set, or if it is set to an empty string, the
// remote access host will be allowed to use any available port, unless the
// policy RemoteAccessHostFirewallTraversal is disabled, in which case the
// remote access host will use UDP ports in the 12400-12409 range.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RemoteAccessHostUdpPortRangeProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // UDP port range the host may use. Unset or an empty string allows any
  // available port, except that ports 12400-12409 are used when
  // RemoteAccessHostFirewallTraversal is disabled.
  // NOTE(review): presumably written as "min-max"; the string format and
  // its validation are not shown here - confirm against the consumer.
  optional string RemoteAccessHostUdpPortRange = 2;
}
// Require that the name of the local user and the remote access host owner
// match
//
// If this setting is enabled, then the remote access host compares the name of
// the local user (that the host is associated with) and the name of the Google
// account registered as the host owner (i.e. "johndoe" if the host is owned by
// "johndoe@example.com" Google account). The remote access host will not start
// if the name of the host owner is different from the name of the local user
// that the host is associated with. RemoteAccessHostMatchUsername policy
// should be used together with RemoteAccessHostDomain to also enforce that the
// Google account of the host owner is associated with a specific domain (i.e.
// "example.com").
//
// If this setting is disabled or not set, then the remote access host can be
// associated with any local user.
//
// Supported on: chrome_os, linux, mac
message RemoteAccessHostMatchUsernameProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true: the host refuses to start unless the local user's name equals the
  // name part of the host owner's Google account ("johndoe" for
  // "johndoe@example.com"). false or unset: any local user is accepted.
  // Only the name part is compared, so the policy text pairs this with
  // RemoteAccessHostDomain to also constrain the account's domain.
  optional bool RemoteAccessHostMatchUsername = 2;
}
// URL where remote access clients should obtain their authentication token
//
// If this policy is set, the remote access host will require authenticating
// clients to obtain an authentication token from this URL in order to connect.
// Must be used in conjunction with RemoteAccessHostTokenValidationUrl.
//
// This feature is currently disabled server-side.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RemoteAccessHostTokenUrlProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // URL from which authenticating clients must obtain an authentication
  // token in order to connect. Must be set together with
  // RemoteAccessHostTokenValidationUrl. The policy text says the feature is
  // currently disabled server-side.
  optional string RemoteAccessHostTokenUrl = 2;
}
// URL for validating remote access client authentication token
//
// If this policy is set, the remote access host will use this URL to validate
// authentication tokens from remote access clients, in order to accept
// connections. Must be used in conjunction with RemoteAccessHostTokenUrl.
//
// This feature is currently disabled server-side.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RemoteAccessHostTokenValidationUrlProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // URL the host uses to validate client authentication tokens before
  // accepting a connection. Must be set together with
  // RemoteAccessHostTokenUrl. The policy text says the feature is currently
  // disabled server-side.
  optional string RemoteAccessHostTokenValidationUrl = 2;
}
// Client certificate for connecting to RemoteAccessHostTokenValidationUrl
//
// If this policy is set, the host will use a client certificate with the given
// issuer CN to authenticate to RemoteAccessHostTokenValidationUrl. Set it to
// "*" to use any available client certificate.
//
// This feature is currently disabled server-side.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RemoteAccessHostTokenValidationCertificateIssuerProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // Issuer CN of the client certificate the host presents to
  // RemoteAccessHostTokenValidationUrl. The value "*" selects any available
  // client certificate, i.e. it does not pin an issuer. The policy text
  // says the feature is currently disabled server-side.
  optional string RemoteAccessHostTokenValidationCertificateIssuer = 2;
}
// Policy overrides for Debug builds of the remote access host
//
// Overrides policies on Debug builds of the remote access host.
//
// The value is parsed as a JSON dictionary of policy name to policy value
// mappings.
//
// Supported on:
message RemoteAccessHostDebugOverridePoliciesProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // JSON dictionary (policy name -> policy value), carried as a string,
  // that overrides policies on Debug builds of the remote access host. No
  // supported platforms are listed for this policy.
  // NOTE(review): this schema places no limit on which policy names the
  // dictionary may override; confirm that the consumer honors it on Debug
  // builds only.
  optional string RemoteAccessHostDebugOverridePolicies = 2;
}
// Allow remote users to interact with elevated windows in remote assistance
// sessions
//
// If this setting is enabled, the remote assistance host will be run in a
// process with uiAccess permissions. This will allow remote users to interact
// with elevated windows on the local user's desktop.
//
// If this setting is disabled or not configured, the remote assistance host
// will run in the user's context and remote users cannot interact with elevated
// windows on the desktop.
//
// Supported on: win
message RemoteAccessHostAllowUiAccessForRemoteAssistanceProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true: the remote assistance host runs in a process with uiAccess
  // permissions, so remote users can interact with elevated windows on the
  // local user's desktop. false or unset: the host runs in the user's
  // context and elevated windows are out of reach. Windows only.
  optional bool RemoteAccessHostAllowUiAccessForRemoteAssistance = 2;
}
// Allow remote access users to transfer files to/from the host
//
// Controls the ability of a user connected to a remote access host to transfer
// files between the client and the host. This does not apply to remote
// assistance connections, which do not support file transfer.
//
// If this setting is disabled, file transfer will not be allowed. If this
// setting is enabled or not set, file transfer will be allowed.
//
// Supported on: fuchsia, linux, mac, win
message RemoteAccessHostAllowFileTransferProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // false: file transfer between client and host is not allowed. true or
  // unset: it is allowed, so blocking transfers needs an explicit false.
  // Does not apply to remote assistance connections, which do not support
  // file transfer.
  optional bool RemoteAccessHostAllowFileTransfer = 2;
}
// Enable printing
//
// Enables printing in Google Chrome and prevents users from changing this
// setting.
//
// If this setting is enabled or not configured, users can print.
//
// If this setting is disabled, users cannot print from Google Chrome. Printing
// is disabled in the wrench menu, extensions, JavaScript applications, etc. It
// is still possible to print from plugins that bypass Google Chrome while
// printing. For example, certain Flash applications have the print option in
// their context menu, which is not covered by this policy.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message PrintingEnabledProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true or unset: users can print. false: printing from the browser is
  // disabled (wrench menu, extensions, JavaScript applications). Plugins
  // that bypass the browser while printing are not covered.
  optional bool PrintingEnabled = 2;
}
// Enable Google Cloud Print proxy
//
// Enables Google Chrome to act as a proxy between Google Cloud Print and legacy
// printers connected to the machine.
//
// If this setting is enabled or not configured, users can enable the cloud
// print proxy by authenticating with their Google account.
//
// If this setting is disabled, users cannot enable the proxy, and the machine
// will not be allowed to share its printers with Google Cloud Print.
//
// Supported on: fuchsia, linux, mac, win
message CloudPrintProxyEnabledProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // true or unset: users can enable the cloud print proxy after
  // authenticating with their Google account. false: the proxy cannot be
  // enabled and the machine's printers are not shared with Google Cloud
  // Print.
  optional bool CloudPrintProxyEnabled = 2;
}
// Restrict printing color mode
//
// Sets printing to color only, monochrome only or no color mode restriction.
// Unset policy is treated as no restriction.
//
// Valid values:
// any: Allow all color modes
// color: Color printing only
// monochrome: Monochrome printing only
//
// Supported on: chrome_os
message PrintingAllowedColorModesProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // One of "any", "color" or "monochrome"; unset means no restriction. The
  // field is a free-form string, so the allowed set is not enforced by this
  // message. Chrome OS only.
  optional string PrintingAllowedColorModes = 2;
}
// Restrict printing duplex mode
//
// Restricts printing duplex mode. Unset policy and empty set are treated as no
// restriction.
//
// Valid values:
// any: Allow all duplex modes
// simplex: Simplex printing only
// duplex: Duplex printing only
//
// Supported on: chrome_os
message PrintingAllowedDuplexModesProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // One of "any", "simplex" or "duplex"; unset or empty means no
  // restriction. The field is a free-form string, so the allowed set is not
  // enforced by this message. Chrome OS only.
  optional string PrintingAllowedDuplexModes = 2;
}
// Restrict PIN printing mode
//
// Restricts PIN printing mode. Unset policy is treated as no restriction. If
// the mode is unavailable this policy is ignored. Note that the PIN printing
// feature is enabled only for printers that use one of the IPPS, USB or
// IPP-over-USB protocols.
//
// Valid values:
// any: Allow printing both with and without PIN
// pin: Allow printing only with PIN
// no_pin: Allow printing only without PIN
//
// Supported on: chrome_os
message PrintingAllowedPinModesProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // One of "any", "pin" or "no_pin"; unset means no restriction, and the
  // policy is ignored when the mode is unavailable. The field is a
  // free-form string, so the allowed set is not enforced by this message.
  // Chrome OS only.
  optional string PrintingAllowedPinModes = 2;
}
// Restrict printing page size
//
// Restricts printing page size. Unset policy and empty set are treated as no
// restriction.
//
// Value schema:
// {
// "items": {
// "properties": {
// "HeightUm": {
// "description": "Height of the page in micrometers",
// "type": "integer"
// },
// "WidthUm": {
// "description": "Width of the page in micrometers",
// "type": "integer"
// }
// },
// "required": [
// "WidthUm",
// "HeightUm"
// ],
// "type": "object"
// },
// "type": "array"
// }
//
// Supported on: chrome_os
message PrintingAllowedPageSizesProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // Allowed page sizes, carried as a string (presumably JSON-encoded -
  // confirm against the consumer). The documented value schema is an array
  // of objects with required integer WidthUm and HeightUm, in micrometers.
  // Unset or an empty set means no restriction. The schema is not enforced
  // by this message, so the consumer has to validate the parsed value.
  optional string PrintingAllowedPageSizes = 2;
}
// Default printing color mode
//
// Overrides default printing color mode. If the mode is unavailable this policy
// is ignored.
//
// Valid values:
// color: Enable color printing
// monochrome: Enable monochrome printing
//
// Supported on: chrome_os
message PrintingColorDefaultProto {
  // Per-policy options; PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto and is not defined in this file.
  optional PolicyOptions policy_options = 1;
  // Default color mode: "color" or "monochrome". Ignored when the mode is
  // unavailable. Chrome OS only.
  optional string PrintingColorDefault = 2;
}
// Default printing duplex mode
//
// Overrides default printing duplex mode. If the mode is unavailable this
// policy is ignored.
//
// Valid values:
// simplex: Enable simplex printing
// short-edge: Enable short edge duplex printing
// long-edge: Enable long edge duplex printing
//
// Supported on: chrome_os
message PrintingDuplexDefaultProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Default duplex mode: "simplex", "short-edge" or "long-edge". Ignored when
  // the mode is unavailable.
  optional string PrintingDuplexDefault = 2;
}
// Default PIN printing mode
//
// Overrides default PIN printing mode. If the mode is unavailable this policy
// is ignored.
//
// Valid values:
// pin: Enable PIN printing by default
// no_pin: Disable PIN printing by default
//
// Supported on: chrome_os
message PrintingPinDefaultProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Default PIN printing mode: "pin" or "no_pin". This only sets the default;
  // restricting the mode is the job of PrintingAllowedPinModes.
  optional string PrintingPinDefault = 2;
}
// Default printing page size
//
// Overrides default printing page size. If the page size is unavailable this
// policy is ignored.
//
// Value schema:
// {
// "properties": {
// "HeightUm": {
// "description": "Height of the page in micrometers",
// "type": "integer"
// },
// "WidthUm": {
// "description": "Width of the page in micrometers",
// "type": "integer"
// }
// },
// "required": [
// "WidthUm",
// "HeightUm"
// ],
// "type": "object"
// }
//
// Supported on: chrome_os
message PrintingSizeDefaultProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Default page size following the value schema in the leading comment: one
  // object with required integer WidthUm and HeightUm (micrometers).
  // Presumably serialized as JSON text; confirm in the consumer.
  optional string PrintingSizeDefault = 2;
}
// Send username and filename to native printers
//
// Send username and filename to native printers server with every print job.
// The default is not to send.
//
// Setting this policy to true also disables printers that use protocols other
// than IPPS, USB, or IPP-over-USB since username and filename shouldn't be sent
// over the network openly.
//
// Supported on: chrome_os
message PrintingSendUsernameAndFilenameEnabledProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // True: username and filename are sent to the native printers server with
  // every print job, and printers using protocols other than IPPS, USB or
  // IPP-over-USB are disabled so this data is not sent over the network
  // openly. The default is not to send.
  optional bool PrintingSendUsernameAndFilenameEnabled = 2;
}
// Force SafeSearch
//
// This policy is deprecated, please use ForceGoogleSafeSearch and
// ForceYouTubeRestrict instead. This policy is ignored if either the
// ForceGoogleSafeSearch, the ForceYouTubeRestrict or the (deprecated)
// ForceYouTubeSafetyMode policies are set.
//
// Forces queries in Google Web Search to be done with SafeSearch set to active
// and prevents users from changing this setting. This setting also forces
// Moderate Restricted Mode on YouTube.
//
// If you enable this setting, SafeSearch in Google Search and Moderate
// Restricted Mode on YouTube are always active.
//
// If you disable this setting or do not set a value, SafeSearch in Google
// Search and Restricted Mode on YouTube are not enforced.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message ForceSafeSearchProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Deprecated policy. Ignored when ForceGoogleSafeSearch,
  // ForceYouTubeRestrict or ForceYouTubeSafetyMode is set; otherwise true
  // forces SafeSearch and Moderate Restricted Mode on YouTube.
  optional bool ForceSafeSearch = 2;
}
// Force Google SafeSearch
//
// Forces queries in Google Web Search to be done with SafeSearch set to active
// and prevents users from changing this setting.
//
// If you enable this setting, SafeSearch in Google Search is always active.
//
// If you disable this setting or do not set a value, SafeSearch in Google
// Search is not enforced.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message ForceGoogleSafeSearchProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // True: SafeSearch in Google Search is always active and users cannot
  // change it. False or unset: SafeSearch is not enforced.
  optional bool ForceGoogleSafeSearch = 2;
}
// Force YouTube Safety Mode
//
// This policy is deprecated. Consider using ForceYouTubeRestrict, which
// overrides this policy and allows more fine-grained tuning.
//
// Forces YouTube Moderate Restricted Mode and prevents users from changing this
// setting.
//
// If this setting is enabled, Restricted Mode on YouTube is always enforced to
// be at least Moderate.
//
// If this setting is disabled or no value is set, Restricted Mode on YouTube is
// not enforced by Google Chrome. External policies such as YouTube policies
// might still enforce Restricted Mode, though.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message ForceYouTubeSafetyModeProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Deprecated policy, overridden by ForceYouTubeRestrict. True enforces at
  // least Moderate Restricted Mode on YouTube; false or unset enforces
  // nothing from Google Chrome.
  optional bool ForceYouTubeSafetyMode = 2;
}
// Force minimum YouTube Restricted Mode
//
// Enforces a minimum Restricted Mode on YouTube and prevents users from
// picking a less restricted mode.
//
// If this setting is set to Strict, Strict Restricted Mode on YouTube is always
// active.
//
// If this setting is set to Moderate, the user may only pick Moderate
// Restricted Mode
// and Strict Restricted Mode on YouTube, but cannot disable Restricted Mode.
//
// If this setting is set to Off or no value is set, Restricted Mode on YouTube
// is not enforced by Google Chrome. External policies such as YouTube policies
// might still enforce Restricted Mode, though.
//
// Valid values:
// 0: Do not enforce Restricted Mode on YouTube
// 1: Enforce at least Moderate Restricted Mode on YouTube
// 2: Enforce Strict Restricted Mode for YouTube
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message ForceYouTubeRestrictProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Minimum Restricted Mode on YouTube: 0 = not enforced, 1 = at least
  // Moderate, 2 = Strict. Unset behaves like 0.
  // NOTE(review): int64 also admits values outside 0..2; how those are
  // handled is decided by the consumer and is not visible here.
  optional int64 ForceYouTubeRestrict = 2;
}
// Enable Safe Browsing
//
// Enables Google Chrome's Safe Browsing feature and prevents users from
// changing this setting.
//
// If you enable this setting, Safe Browsing is always active.
//
// If you disable this setting, Safe Browsing is never active.
//
// If you enable or disable this setting, users cannot change or override the
// "Enable phishing and malware protection" setting in Google Chrome.
//
// If this policy is left not set, this will be enabled but the user will be
// able to change it.
//
// See https://developers.google.com/safe-browsing for more info on Safe
// Browsing.
//
// This policy is available only on Windows instances that are joined to a
// Microsoft® Active Directory® domain, or Windows 10 Pro or Enterprise
// instances that are enrolled for device management.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message SafeBrowsingEnabledProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // True: Safe Browsing is always active. False: Safe Browsing is never
  // active. Either way users cannot override it. Unset: enabled, but the user
  // can change it.
  optional bool SafeBrowsingEnabled = 2;
}
// Enable reporting of usage and crash-related data
//
// Enables anonymous reporting of usage and crash-related data about Google
// Chrome to Google and prevents users from changing this setting.
//
// If this setting is enabled, anonymous reporting of usage and crash-related
// data is sent to Google. If it is disabled, this information is not sent
// to Google. In both cases, users cannot change or override the setting.
// If this policy is left not set, the setting will be what the user chose
// upon installation / first run.
//
// This policy is available only on Windows instances that are joined to a
// Microsoft® Active Directory® domain, or Windows 10 Pro or Enterprise
// instances that are enrolled for device management.
// (For Chrome OS, see DeviceMetricsReportingEnabled.)
//
// Supported on: fuchsia, linux, mac, win
message MetricsReportingEnabledProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // True: anonymous usage and crash-related data is sent to Google. False: it
  // is not sent. Either way users cannot override it. Unset: the choice made
  // at installation / first run applies.
  optional bool MetricsReportingEnabled = 2;
}
// Enable saving passwords to the password manager
//
// If this setting is enabled, users can have Google Chrome memorize passwords
// and provide them automatically the next time they log in to a site.
//
// If this setting is disabled, users cannot save new passwords but they
// may still use passwords that have been saved previously.
//
// If this policy is enabled or disabled, users cannot change or override it in
// Google Chrome. If this policy is unset, password saving is allowed (but can
// be turned off by the user).
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message PasswordManagerEnabledProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // True: users can save passwords. False: no new passwords can be saved, but
  // previously saved ones remain usable. Unset: saving is allowed and the
  // user can turn it off.
  optional bool PasswordManagerEnabled = 2;
}
// Allow users to show passwords in Password Manager (deprecated)
//
// The associated setting was used before reauthentication on viewing passwords
// was introduced. Since then, the setting and hence this policy had no effect
// on the behavior of Chrome. The current behavior of Chrome is now the same as
// if the policy was set to disable showing passwords in clear text in the
// password manager settings page. That means that the settings page contains
// just a placeholder, and only upon the user clicking "Show" (and
// reauthenticating, if applicable) Chrome shows the password. Original
// description of the policy follows below.
//
// Controls whether the user may show passwords in clear text in the password
// manager.
//
// If you disable this setting, the password manager does not allow showing
// stored passwords in clear text in the password manager window.
//
// If you enable or do not set this policy, users can view their passwords in
// clear text in the password manager.
//
// Supported on:
message PasswordManagerAllowShowPasswordsProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Deprecated. Per the description, the policy has had no effect on Chrome's
  // behavior since reauthentication on viewing passwords was introduced.
  optional bool PasswordManagerAllowShowPasswords = 2;
}
// Enable AutoFill
//
// This policy is deprecated in M70, please use AutofillAddressEnabled and
// AutofillCreditCardEnabled instead.
//
// Enables Google Chrome's AutoFill feature and allows users to auto complete
// web forms using previously stored information such as address or credit card
// information.
//
// If you disable this setting, AutoFill will be inaccessible to users.
//
// If you enable this setting or do not set a value, AutoFill will remain under
// the control of the user. This will allow them to configure AutoFill profiles
// and to switch AutoFill on or off at their own discretion.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message AutoFillEnabledProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Deprecated in M70 in favor of AutofillAddressEnabled and
  // AutofillCreditCardEnabled. False makes AutoFill inaccessible; true or
  // unset leaves it under the user's control.
  optional bool AutoFillEnabled = 2;
}
// Enable AutoFill for addresses
//
// Enables Google Chrome's AutoFill feature and allows users to auto complete
// address information in web forms using previously stored information.
//
// If this setting is disabled, Autofill will never suggest, or fill address
// information, nor will it save additional address information that the user
// might submit while browsing the web.
//
// If this setting is enabled or has no value, the user will be able to control
// Autofill for addresses in the UI.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message AutofillAddressEnabledProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // False: Autofill never suggests, fills or saves address information.
  // True or unset: the user controls address Autofill in the UI.
  optional bool AutofillAddressEnabled = 2;
}
// Enable AutoFill for credit cards
//
// Enables Google Chrome's AutoFill feature and allows users to auto complete
// credit card information in web forms using previously stored information.
//
// If this setting is disabled, Autofill will never suggest, or fill credit card
// information, nor will it save additional credit card information that the
// user might submit while browsing the web.
//
// If this setting is enabled or has no value, the user will be able to control
// Autofill for credit cards in the UI.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message AutofillCreditCardEnabledProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // False: Autofill never suggests, fills or saves credit card information.
  // True or unset: the user controls credit card Autofill in the UI.
  optional bool AutofillCreditCardEnabled = 2;
}
// Specify a list of disabled plugins
//
// This policy is deprecated. Please use the DefaultPluginsSetting to control
// the availability of the Flash plugin and AlwaysOpenPdfExternally to control
// whether the integrated PDF viewer should be used for opening PDF files.
//
// Specifies a list of plugins that are disabled in Google Chrome and prevents
// users from changing this setting.
//
// The wildcard characters '*' and '?' can be used to match sequences of
// arbitrary characters. '*' matches an arbitrary number of characters while '?'
// specifies an optional single character, i.e. matches zero or one characters.
// The escape character is '\', so to match actual '*', '?', or '\' characters,
// you can put a '\' in front of them.
//
// If you enable this setting, the specified list of plugins is never used in
// Google Chrome. The plugins are marked as disabled in 'about:plugins' and
// users cannot enable them.
//
// Note that this policy can be overridden by EnabledPlugins and
// DisabledPluginsExceptions.
//
// If this policy is left not set the user can use any plugin installed on the
// system except for hard-coded incompatible, outdated or dangerous plugins.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message DisabledPluginsProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Deprecated. Plugin name patterns to disable; '*' and '?' are wildcards
  // and '\' escapes them. EnabledPlugins and DisabledPluginsExceptions can
  // override entries here. StringList comes from
  // cloud_policy_full_runtime.proto.
  optional StringList DisabledPlugins = 2;
}
// Specify a list of enabled plugins
//
// This policy is deprecated. Please use the DefaultPluginsSetting to control
// the availability of the Flash plugin and AlwaysOpenPdfExternally to control
// whether the integrated PDF viewer should be used for opening PDF files.
//
// Specifies a list of plugins that are enabled in Google Chrome and prevents
// users from changing this setting.
//
// The wildcard characters '*' and '?' can be used to match sequences of
// arbitrary characters. '*' matches an arbitrary number of characters while '?'
// specifies an optional single character, i.e. matches zero or one characters.
// The escape character is '\', so to match actual '*', '?', or '\' characters,
// you can put a '\' in front of them.
//
// The specified list of plugins is always used in Google Chrome if they are
// installed. The plugins are marked as enabled in 'about:plugins' and users
// cannot disable them.
//
// Note that this policy overrides both DisabledPlugins and
// DisabledPluginsExceptions.
//
// If this policy is left not set the user can disable any plugin installed on
// the system.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message EnabledPluginsProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Deprecated. Plugin name patterns that are always used when installed;
  // '*' and '?' are wildcards and '\' escapes them. Overrides both
  // DisabledPlugins and DisabledPluginsExceptions, so a broad pattern here
  // defeats a blocklist configured through those policies.
  optional StringList EnabledPlugins = 2;
}
// Specify a list of plugins that the user can enable or disable
//
// This policy is deprecated. Please use the DefaultPluginsSetting to control
// the availability of the Flash plugin and AlwaysOpenPdfExternally to control
// whether the integrated PDF viewer should be used for opening PDF files.
//
// Specifies a list of plugins that user can enable or disable in Google Chrome.
//
// The wildcard characters '*' and '?' can be used to match sequences of
// arbitrary characters. '*' matches an arbitrary number of characters while '?'
// specifies an optional single character, i.e. matches zero or one characters.
// The escape character is '\', so to match actual '*', '?', or '\' characters,
// you can put a '\' in front of them.
//
// If you enable this setting, the specified list of plugins can be used in
// Google Chrome. Users can enable or disable them in 'about:plugins', even if
// the plugin also matches a pattern in DisabledPlugins. Users can also enable
// and disable plugins that don't match any patterns in DisabledPlugins,
// DisabledPluginsExceptions and EnabledPlugins.
//
// This policy is meant to allow for strict plugin blacklisting where the
// 'DisabledPlugins' list contains wildcarded entries like disable all plugins
// '*' or disable all Java plugins '*Java*' but the administrator wishes to
// enable some particular version like 'IcedTea Java 2.3'. These particular
// versions can be specified in this policy.
//
// Note that both the plugin name and the plugin's group name have to be
// exempted. Each plugin group is shown in a separate section in about:plugins;
// each section may have one or more plugins. For example, the "Shockwave Flash"
// plugin belongs to the "Adobe Flash Player" group, and both names have to have
// a match in the exceptions list if that plugin is to be exempted from the
// blacklist.
//
// If this policy is left not set any plugin that matches the patterns in the
// 'DisabledPlugins' will be locked disabled and the user won't be able to
// enable them.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message DisabledPluginsExceptionsProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Deprecated. Plugin name patterns the user may enable or disable even if
  // they match DisabledPlugins. Both the plugin name and its group name need
  // a matching entry for the exemption to apply.
  optional StringList DisabledPluginsExceptions = 2;
}
// Always Open PDF files externally
//
// Disables the internal PDF viewer in Google Chrome. Instead it treats it as
// download and allows the user to open PDF files with the default application.
//
// If this policy is left not set or disabled the PDF plugin will be used to
// open PDF files unless the user disables it.
//
// Supported on: fuchsia, linux, mac, win
message AlwaysOpenPdfExternallyProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // True: the internal PDF viewer is disabled and PDF files are treated as
  // downloads, to be opened with the default application. False or unset:
  // the PDF plugin is used unless the user disables it.
  optional bool AlwaysOpenPdfExternally = 2;
}
// Specify whether the plugin finder should be disabled (deprecated)
//
// This policy has been removed as of Google Chrome 64.
//
// Automatic search and installation of missing plugins is no longer supported.
//
// Supported on:
message DisablePluginFinderProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Value of a policy that was removed as of Google Chrome 64; the message
  // is still declared in this schema.
  optional bool DisablePluginFinder = 2;
}
// Disable synchronization of data with Google
//
// Disables data synchronization in Google Chrome using Google-hosted
// synchronization services and prevents users from changing this setting.
//
// If you enable this setting, users cannot change or override this setting in
// Google Chrome.
//
// If this policy is left not set Google Sync will be available for the user to
// choose whether to use it or not.
//
// To fully disable Google Sync, it is recommended that you disable the Google
// Sync service in the Google Admin console.
//
// This policy should not be enabled when RoamingProfileSupportEnabled policy is
// set to enabled as that feature shares the same client side functionality. The
// Google-hosted synchronization is disabled in this case completely.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message SyncDisabledProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // True: data synchronization with Google-hosted services is disabled and
  // users cannot change that. Unset: the user chooses. Should not be enabled
  // together with RoamingProfileSupportEnabled. The description recommends
  // disabling the service in the Google Admin console to fully disable Sync.
  optional bool SyncDisabled = 2;
}
// Enable the creation of roaming copies for Google Chrome profile data
//
// If you enable this setting, the settings stored in Google Chrome profiles
// like bookmarks, autofill data, passwords, etc. will also be written to a file
// stored in the Roaming user profile folder or a location specified by the
// Administrator through the RoamingProfileLocation policy. Enabling this policy
// disables cloud sync.
//
// If this policy is disabled or left not set only the regular local profiles
// will be used.
//
// The SyncDisabled policy disables all data synchronization, overriding
// RoamingProfileSupportEnabled.
//
// Supported on: win
message RoamingProfileSupportEnabledProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // True: profile settings (bookmarks, autofill data, passwords, etc.) are
  // also written to a file in the Roaming user profile folder or in
  // RoamingProfileLocation, and cloud sync is disabled. Because that file
  // includes passwords, the target location deserves matching access
  // control. False or unset: only regular local profiles are used.
  optional bool RoamingProfileSupportEnabled = 2;
}
// Set the roaming profile directory
//
// Configures the directory that Google Chrome will use for storing the roaming
// copy of the profiles.
//
// If you set this policy, Google Chrome will use the provided directory to
// store the roaming copy of the profiles if the RoamingProfileSupportEnabled
// policy has been enabled. If the RoamingProfileSupportEnabled policy is
// disabled or left unset the value stored in this policy is not used.
//
// See https://www.chromium.org/administrators/policy-list-3/user-data-
// directory-variables for a list of variables that can be used.
//
// If this policy is left not set the default roaming profile path will be used.
//
// Supported on: win
message RoamingProfileLocationProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Directory for the roaming copy of the profiles; may use the variables
  // listed at the URL in the leading comment. Only used when
  // RoamingProfileSupportEnabled is enabled. Unset: the default roaming
  // profile path.
  optional string RoamingProfileLocation = 2;
}
// Allow sign in to Google Chrome
//
// This policy is deprecated, consider using BrowserSignin instead.
//
// Allows the user to sign in to Google Chrome.
//
// If you set this policy, you can configure whether a user is allowed to sign
// in to Google Chrome. Setting this policy to 'False' will prevent apps and
// extensions that use the chrome.identity API from functioning, so you may want
// to use SyncDisabled instead.
//
// Supported on: android, fuchsia, linux, mac, win
message SigninAllowedProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Deprecated in favor of BrowserSignin. Whether the user may sign in to
  // Google Chrome; false also stops apps and extensions that use the
  // chrome.identity API from functioning.
  optional bool SigninAllowed = 2;
}
// Enable the old web-based signin flow
//
// This setting was named EnableWebBasedSignin prior to Chrome 42, and support
// for it will be removed entirely in Chrome 43.
//
// This setting is useful for enterprise customers who are using SSO solutions
// that are not compatible with the new inline signin flow yet.
// If you enable this setting, the old web-based signin flow would be used.
// If you disable this setting or leave it not set, the new inline signin flow
// would be used by default. Users may still enable the old web-based signin
// flow through the command line flag --enable-web-based-signin.
//
// The experimental setting will be removed in the future when the inline signin
// fully supports all SSO signin flows.
//
// Supported on:
message EnableDeprecatedWebBasedSigninProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // True: the old web-based signin flow is used. False or unset: the inline
  // signin flow is the default. The description lists no supported platform
  // and announces removal in Chrome 43.
  optional bool EnableDeprecatedWebBasedSignin = 2;
}
// Set user data directory
//
// Configures the directory that Google Chrome will use for storing user data.
//
// If you set this policy, Google Chrome will use the provided directory
// regardless whether the user has specified the '--user-data-dir' flag or not.
// To avoid data loss or other unexpected errors this policy should not be set
// to a volume's root directory or to a directory used for other purposes,
// because Google Chrome manages its contents.
//
// See https://www.chromium.org/administrators/policy-list-3/user-data-
// directory-variables for a list of variables that can be used.
//
// If this policy is left not set the default profile path will be used and the
// user will be able to override it with the '--user-data-dir' command line
// flag.
//
// Supported on: mac, win
message UserDataDirProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Directory for user data; takes precedence over the '--user-data-dir'
  // flag. Must not be a volume root or a directory used for other purposes,
  // because Google Chrome manages its contents. Unset: default profile path,
  // overridable by the flag.
  optional string UserDataDir = 2;
}
// Set disk cache directory
//
// Configures the directory that Google Chrome will use for storing cached files
// on the disk.
//
// If you set this policy, Google Chrome will use the provided directory
// regardless whether the user has specified the '--disk-cache-dir' flag or not.
// To avoid data loss or other unexpected errors this policy should not be set
// to a volume's root directory or to a directory used for other purposes,
// because Google Chrome manages its contents.
//
// See https://www.chromium.org/administrators/policy-list-3/user-data-
// directory-variables for a list of variables that can be used.
//
// If this policy is left not set the default cache directory will be used and
// the user will be able to override it with the '--disk-cache-dir' command line
// flag.
//
// Supported on: fuchsia, linux, mac, win
message DiskCacheDirProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Directory for cached files; takes precedence over the '--disk-cache-dir'
  // flag. Must not be a volume root or a directory used for other purposes,
  // because Google Chrome manages its contents. Unset: default cache
  // directory, overridable by the flag.
  optional string DiskCacheDir = 2;
}
// Set disk cache size in bytes
//
// Configures the cache size that Google Chrome will use for storing cached
// files on the disk.
//
// If you set this policy, Google Chrome will use the provided cache size
// regardless whether the user has specified the '--disk-cache-size' flag or
// not. The value specified in this policy is not a hard boundary but rather a
// suggestion to the caching system, any value below a few megabytes is too
// small and will be rounded up to a sane minimum.
//
// If the value of this policy is 0, the default cache size will be used but the
// user will not be able to change it.
//
// If this policy is not set the default size will be used and the user will be
// able to override it with the --disk-cache-size flag.
//
// Supported on: fuchsia, linux, mac, win
message DiskCacheSizeProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Disk cache size in bytes, treated as a suggestion rather than a hard
  // bound; values below a few megabytes are rounded up. 0 selects the
  // default size and locks it against user changes. Unset: default size,
  // overridable with --disk-cache-size.
  optional int64 DiskCacheSize = 2;
}
// Set media disk cache size in bytes
//
// Configures the cache size that Google Chrome will use for storing cached
// media files on the disk.
//
// If you set this policy, Google Chrome will use the provided cache size
// regardless whether the user has specified the '--media-cache-size' flag or
// not. The value specified in this policy is not a hard boundary but rather a
// suggestion to the caching system, any value below a few megabytes is too
// small and will be rounded up to a sane minimum.
//
// If the value of this policy is 0, the default cache size will be used but the
// user will not be able to change it.
//
// If this policy is not set the default size will be used and the user will be
// able to override it with the --media-cache-size flag.
//
// Supported on:
message MediaCacheSizeProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Media disk cache size in bytes, treated as a suggestion rather than a
  // hard bound; values below a few megabytes are rounded up. 0 selects the
  // default size and locks it against user changes. Unset: default size,
  // overridable with --media-cache-size.
  optional int64 MediaCacheSize = 2;
}
// Allow download restrictions
//
// Configures the type of downloads that Google Chrome will completely block,
// without letting users override the security decision.
//
// If you set this policy, Google Chrome will prevent certain types of
// downloads, and won't let user bypass the security warnings.
//
// When the 'Block dangerous downloads' option is chosen, all downloads are
// allowed, except for those that carry Safe Browsing warnings.
//
// When the 'Block potentially dangerous downloads' option is chosen, all
// downloads are allowed, except for those that carry Safe Browsing warnings of
// potentially dangerous downloads.
//
// When the 'Block all downloads' option is chosen, all downloads are blocked.
//
// When this policy is not set, (or the 'No special restrictions' option is
// chosen), the downloads will go through the usual security restrictions based
// on Safe Browsing analysis results.
//
// Note that these restrictions apply to downloads triggered from web page
// content, as well as the 'download link...' context menu option. These
// restrictions do not apply to the save / download of the currently displayed
// page, nor does it apply to saving as PDF from the printing options.
//
// See https://developers.google.com/safe-browsing for more info on Safe
// Browsing.
//
// Valid values:
// 0: No special restrictions
// 1: Block dangerous downloads
// 2: Block potentially dangerous downloads
// 3: Block all downloads
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message DownloadRestrictionsProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Download blocking level: 0 = no special restrictions, 1 = block
  // dangerous downloads, 2 = block potentially dangerous downloads,
  // 3 = block all downloads. Unset behaves like 0. Saving the displayed page
  // and saving as PDF from the print options are not covered.
  // NOTE(review): int64 also admits values outside 0..3; how those are
  // handled is decided by the consumer and is not visible here.
  optional int64 DownloadRestrictions = 2;
}
// Set download directory
//
// Configures the directory that Google Chrome will use for downloading files.
//
// If you set this policy, Google Chrome will use the provided directory
// regardless whether the user has specified one or enabled the flag to be
// prompted for download location every time.
//
// See https://www.chromium.org/administrators/policy-list-3/user-data-
// directory-variables for a list of variables that can be used.
//
// If this policy is left not set the default download directory will be used
// and the user will be able to change it.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message DownloadDirectoryProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Directory for downloaded files; applies even if the user picked one or
  // asked to be prompted every time. May use the variables listed at the URL
  // in the leading comment. Unset: default directory, changeable by the user.
  optional string DownloadDirectory = 2;
}
// Enable Safe Browsing for trusted sources
//
// Identify if Google Chrome can allow download without Safe Browsing checks
// when it's from a trusted source.
//
// When False, downloaded files will not be sent to be analyzed by Safe Browsing
// when it's from a trusted source.
//
// When not set (or set to True), downloaded files are sent to be analyzed by
// Safe Browsing, even when it's from a trusted source.
//
// Note that these restrictions apply to downloads triggered from web page
// content, as well as the 'download link...' context menu option. These
// restrictions do not apply to the save / download of the currently displayed
// page, nor does it apply to saving as PDF from the printing options.
//
// This policy is available only on Windows instances that are joined to a
// Microsoft® Active Directory® domain, or Windows 10 Pro or Enterprise
// instances that are enrolled for device management.
//
// Supported on: win
message SafeBrowsingForTrustedSourcesEnabledProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // False: files downloaded from a trusted source are not sent to Safe
  // Browsing for analysis. True or unset: they are analyzed even when the
  // source is trusted.
  // NOTE(review): what counts as a trusted source is not defined here.
  optional bool SafeBrowsingForTrustedSourcesEnabled = 2;
}
// Clear site data on browser shutdown (deprecated)
//
// This policy has been retired as of Google Chrome version 29.
//
// Supported on:
message ClearSiteDataOnExitProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Value of a policy that was retired as of Google Chrome version 29; it
  // should not be relied on to clear site data.
  optional bool ClearSiteDataOnExit = 2;
}
// Captive portal authentication ignores proxy
//
// This policy allows Google Chrome OS to bypass any proxy for captive portal
// authentication.
//
// This policy only takes effect if a proxy is configured (for example through
// policy, by the user in chrome://settings, or by extensions).
//
// If you enable this setting, any captive portal authentication pages (i.e. all
// web pages starting from captive portal signin page until Google Chrome
// detects successful internet connection) will be displayed in a separate
// window ignoring all policy settings and restrictions for the current user.
//
// If you disable this setting or leave it unset, any captive portal
// authentication pages will be shown in a (regular) new browser tab, using the
// current user's proxy settings.
//
// Supported on: chrome_os
message CaptivePortalAuthenticationIgnoresProxyProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // True: captive portal authentication pages open in a separate window that
  // ignores all policy settings and restrictions for the current user, until
  // a successful internet connection is detected. False or unset: they open
  // in a regular tab using the user's proxy settings. Only relevant when a
  // proxy is configured.
  optional bool CaptivePortalAuthenticationIgnoresProxy = 2;
}
// Choose how to specify proxy server settings
//
// Allows you to specify the proxy server used by Google Chrome and prevents
// users from changing proxy settings.
//
// This policy only takes effect if the ProxySettings policy has not been
// specified.
//
// If you choose to never use a proxy server and always connect directly, all
// other options are ignored.
//
// If you choose to use system proxy settings, all other options are ignored.
//
// If you choose to auto detect the proxy server, all other options are ignored.
//
// If you choose fixed server proxy mode, you can specify further options in
// 'Address or URL of proxy server' and 'Comma-separated list of proxy bypass
// rules'. Only the HTTP proxy server with the highest priority is available for
// ARC-apps.
//
// If you choose to use a .pac proxy script, you must specify the URL to the
// script in 'URL to a proxy .pac file'.
//
// For detailed examples, visit:
// https://www.chromium.org/developers/design-documents/network-settings#TOC-
// Command-line-options-for-proxy-sett.
//
// If you enable this setting, Google Chrome and ARC-apps ignore all proxy-
// related options specified from the command line.
//
// Leaving this policy not set will allow the users to choose the proxy settings
// on their own.
//
// Valid values:
// direct: Never use a proxy
// auto_detect: Auto detect proxy settings
// pac_script: Use a .pac proxy script
// fixed_servers: Use fixed proxy servers
// system: Use system proxy settings
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message ProxyModeProto {
  // Policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Proxy mode: "direct", "auto_detect", "pac_script", "fixed_servers" or
  // "system". Only takes effect when ProxySettings is not specified. When
  // set, proxy options given on the command line are ignored.
  // NOTE(review): the string type does not restrict the value; handling of
  // other strings is up to the consumer and is not visible here.
  optional string ProxyMode = 2;
}
// Choose how to specify proxy server settings
//
// This policy is deprecated, use ProxyMode instead.
//
// Allows you to specify the proxy server used by Google Chrome and prevents
// users from changing proxy settings.
//
// This policy only takes effect if the ProxySettings policy has not been
// specified.
//
// If you choose to never use a proxy server and always connect directly, all
// other options are ignored.
//
// If you choose to use system proxy settings or auto detect the proxy server,
// all other options are ignored.
//
// If you choose manual proxy settings, you can specify further options in
// 'Address or URL of proxy server', 'URL to a proxy .pac file' and 'Comma-
// separated list of proxy bypass rules'. Only the HTTP proxy server with the
// highest priority is available for ARC-apps.
//
// For detailed examples, visit:
// https://www.chromium.org/developers/design-documents/network-settings#TOC-
// Command-line-options-for-proxy-sett.
//
// If you enable this setting, Google Chrome ignores all proxy-related options
// specified from the command line.
//
// Leaving this policy not set will allow the users to choose the proxy settings
// on their own.
//
// Valid values:
// 0: Never use a proxy
// 1: Auto detect proxy settings
// 2: Manually specify proxy settings
// 3: Use system proxy settings
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message ProxyServerModeProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Numeric proxy mode, 0 through 3 as enumerated in the description above.
// That description marks the policy as deprecated in favor of ProxyMode, but
// the field carries no [deprecated = true] option, so nothing in the schema
// itself marks it as deprecated.
optional int64 ProxyServerMode = 2;
}
// Address or URL of proxy server
//
// You can specify the URL of the proxy server here.
//
// This policy only takes effect if you have selected manual proxy settings at
// 'Choose how to specify proxy server settings' and if the ProxySettings policy
// has not been specified.
//
// You should leave this policy not set if you have selected any other mode for
// setting proxy policies.
//
// For more options and detailed examples, visit:
// https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message ProxyServerProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Address or URL of the proxy server. Per the description above it only
// takes effect with manual proxy settings selected and ProxySettings unset.
optional string ProxyServer = 2;
}
// URL to a proxy .pac file
//
// You can specify a URL to a proxy .pac file here.
//
// This policy only takes effect if you have selected manual proxy settings at
// 'Choose how to specify proxy server settings' and if the ProxySettings policy
// has not been specified.
//
// You should leave this policy not set if you have selected any other mode for
// setting proxy policies.
//
// For detailed examples, visit:
// https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message ProxyPacUrlProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// URL of the proxy .pac file. Per the description above it only takes effect
// with manual proxy settings selected and ProxySettings unset.
// NOTE(review): the .pac file decides which proxy requests go through, so
// the host serving it is worth treating as part of the managed
// infrastructure; confirm how deployments source it.
optional string ProxyPacUrl = 2;
}
// Proxy bypass rules
//
// Google Chrome will bypass any proxy for the list of hosts given here.
//
// This policy only takes effect if you have selected manual proxy settings at
// 'Choose how to specify proxy server settings' and if the ProxySettings policy
// has not been specified.
//
// You should leave this policy not set if you have selected any other mode for
// setting proxy policies.
//
// For more detailed examples, visit:
// https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message ProxyBypassListProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Hosts for which any proxy is bypassed, held in one string rather than a
// StringList; the ProxyServerMode description refers to this setting as a
// comma-separated list of proxy bypass rules.
optional string ProxyBypassList = 2;
}
// Proxy settings
//
// Configures the proxy settings for Google Chrome. These proxy settings will be
// available for ARC-apps too.
//
// If you enable this setting, Google Chrome and ARC-apps ignore all proxy-
// related options specified from the command line.
//
// Leaving this policy not set will allow the users to choose the proxy settings
// on their own.
//
// If the ProxySettings policy is set, it will override any of the individual
// policies ProxyMode, ProxyPacUrl, ProxyServer, ProxyBypassList and
// ProxyServerMode.
//
// The ProxyMode field allows you to specify the proxy server used by Google
// Chrome and prevents users from changing proxy settings.
//
// The ProxyPacUrl field is a URL to a proxy .pac file.
//
// The ProxyServer field is a URL of the proxy server.
//
// The ProxyBypassList field is a list of proxy hosts that Google Chrome will
// bypass.
//
// The ProxyServerMode field is deprecated in favor of the field 'ProxyMode'. It
// allows you to specify the proxy server used by Google Chrome and prevents
// users from changing proxy settings.
//
// If you choose the value 'direct' as 'ProxyMode', a proxy will never be used
// and all other fields will be ignored.
//
// If you choose the value 'system' as 'ProxyMode', the system's proxy will be
// used and all other fields will be ignored.
//
// If you choose the value 'auto_detect' as 'ProxyMode', all other fields will
// be ignored.
//
// If you choose the value 'fixed_servers' as 'ProxyMode', the 'ProxyServer'
// and 'ProxyBypassList' fields will be used.
//
// If you choose the value 'pac_script' as 'ProxyMode', the 'ProxyPacUrl' and
// 'ProxyBypassList' fields will be used.
//
// Value schema:
// {
// "properties": {
// "ProxyBypassList": {
// "type": "string"
// },
// "ProxyMode": {
// "enum": [
// "direct",
// "auto_detect",
// "pac_script",
// "fixed_servers",
// "system"
// ],
// "type": "string"
// },
// "ProxyPacUrl": {
// "type": "string"
// },
// "ProxyServer": {
// "type": "string"
// },
// "ProxyServerMode": {
// "$ref": "ProxyServerMode"
// }
// },
// "type": "object"
// }
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message ProxySettingsProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// All proxy settings in one value. The schema above describes an object, but
// the field is a plain string, presumably the serialized (JSON) form of that
// object; TODO confirm against the code that decodes it. When set, it
// overrides ProxyMode, ProxyPacUrl, ProxyServer, ProxyBypassList and
// ProxyServerMode, per the description above.
optional string ProxySettings = 2;
}
// Supported authentication schemes
//
// Specifies which HTTP authentication schemes are supported by Google Chrome.
//
// Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate
// multiple values with commas.
//
// If this policy is left not set, all four schemes will be used.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message AuthSchemesProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Comma-separated scheme names out of 'basic', 'digest', 'ntlm' and
// 'negotiate'. Leaving the policy unset keeps all four in use, so only an
// explicit value narrows the set.
optional string AuthSchemes = 2;
}
// Disable CNAME lookup when negotiating Kerberos authentication
//
// Specifies whether the generated Kerberos SPN is based on the canonical DNS
// name or the original name entered.
//
// If you enable this setting, CNAME lookup will be skipped and the server name
// will be used as entered.
//
// If you disable this setting or leave it not set, the canonical name of the
// server will be determined via CNAME lookup.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DisableAuthNegotiateCnameLookupProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: skip the CNAME lookup and build the Kerberos SPN from the server
// name as entered. false or unset: the canonical name found via CNAME lookup
// is used.
optional bool DisableAuthNegotiateCnameLookup = 2;
}
// Include non-standard port in Kerberos SPN
//
// Specifies whether the generated Kerberos SPN should include a non-standard
// port.
//
// If you enable this setting, and a non-standard port (i.e., a port other than
// 80 or 443) is entered, it will be included in the generated Kerberos SPN.
//
// If you disable this setting or leave it not set, the generated Kerberos SPN
// will not include a port in any case.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message EnableAuthNegotiatePortProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: a non-standard port (anything other than 80 or 443) is included in
// the generated Kerberos SPN. false or unset: the SPN never includes a port.
optional bool EnableAuthNegotiatePort = 2;
}
// Authentication server whitelist
//
// Specifies which servers should be whitelisted for integrated authentication.
// Integrated authentication is only enabled when Google Chrome receives an
// authentication challenge from a proxy or from a server which is in this
// permitted list.
//
// Separate multiple server names with commas. Wildcards (*) are allowed.
//
// If you leave this policy not set Google Chrome will try to detect if a server
// is on the Intranet and only then will it respond to IWA requests. If a
// server is detected as Internet then IWA requests from it will be ignored by
// Google Chrome.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, webview_android, win
message AuthServerWhitelistProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Comma-separated server names, '*' wildcards allowed, for which integrated
// authentication is permitted. Unset means Chrome responds to IWA requests
// only from servers it detects as Intranet.
// NOTE(review): because wildcards are accepted, a broad pattern widens the
// set of servers that can trigger integrated authentication; review the
// patterns in deployed values.
optional string AuthServerWhitelist = 2;
}
// Kerberos delegation server whitelist
//
// Servers that Google Chrome may delegate to.
//
// Separate multiple server names with commas. Wildcards (*) are allowed.
//
// If you leave this policy not set Google Chrome will not delegate user
// credentials even if a server is detected as Intranet.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message AuthNegotiateDelegateWhitelistProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Comma-separated server names, '*' wildcards allowed, that Chrome may
// delegate user credentials to. Unset means no delegation, even for servers
// detected as Intranet.
optional string AuthNegotiateDelegateWhitelist = 2;
}
// Use KDC policy to delegate credentials.
//
// Controls whether approval by KDC policy is respected to decide whether to
// delegate Kerberos tickets.
//
// If this policy is true, HTTP authentication respects approval by KDC policy,
// i.e. Chrome only delegates credentials if the KDC sets OK-AS-DELEGATE on a
// service ticket. Please see https://tools.ietf.org/html/rfc5896.html for more
// information. Service should also match 'AuthNegotiateDelegateWhitelist'
// policy.
//
// If this policy is not set or set to false, KDC policy is ignored on supported
// platforms and 'AuthNegotiateDelegateWhitelist' policy only is respected.
//
// On Windows KDC policy is always respected.
//
// Supported on: chrome_os, linux, mac
message AuthNegotiateDelegateByKdcPolicyProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: credentials are delegated only when the KDC sets OK-AS-DELEGATE on
// the service ticket (the service is also expected to match
// AuthNegotiateDelegateWhitelist). false or unset: KDC policy is ignored on
// supported platforms and only that whitelist applies.
optional bool AuthNegotiateDelegateByKdcPolicy = 2;
}
// GSSAPI library name
//
// Specifies which GSSAPI library to use for HTTP authentication. You can set
// either just a library name, or a full path.
//
// If no setting is provided, Google Chrome will fall back to using a default
// library name.
//
// Supported on: linux
message GSSAPILibraryNameProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Library name or full path of the GSSAPI library used for HTTP
// authentication; unset falls back to a default library name.
// NOTE(review): presumably the named library is loaded by the browser. If
// so, a full path should point somewhere ordinary users cannot write;
// confirm against the loader.
optional string GSSAPILibraryName = 2;
}
// Account type for HTTP Negotiate authentication
//
// Specifies the account type of the accounts provided by the Android
// authentication app that supports HTTP Negotiate authentication (e.g. Kerberos
// authentication). This information should be available from the supplier of
// the authentication app. For more details see https://goo.gl/hajyfN.
//
// If no setting is provided, HTTP Negotiate authentication is disabled on
// Android.
//
// Supported on: android, webview_android
message AuthAndroidNegotiateAccountTypeProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Account type of the accounts provided by the Android authentication app
// that supports HTTP Negotiate. Unset disables HTTP Negotiate authentication
// on Android.
optional string AuthAndroidNegotiateAccountType = 2;
}
// Cross-origin HTTP Basic Auth prompts
//
// Controls whether third-party sub-content on a page is allowed to pop-up an
// HTTP Basic Auth dialog box.
//
// Typically this is disabled as a phishing defense. If this policy is not set,
// this is disabled and third-party sub-content will not be allowed to pop up a
// HTTP Basic Auth dialog box.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message AllowCrossOriginAuthPromptProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Whether third-party sub-content on a page may pop up an HTTP Basic Auth
// dialog. Unset behaves as disabled, which the description above calls the
// typical setting as a phishing defense.
optional bool AllowCrossOriginAuthPrompt = 2;
}
// Enable NTLMv2 authentication.
//
// Controls whether NTLMv2 is enabled.
//
// All recent versions of Samba and Windows servers support NTLMv2. Disabling
// it reduces the security of authentication and should only be done for
// backwards compatibility.
//
// If this policy is not set, the default is true and NTLMv2 is enabled.
//
// Supported on: android, chrome_os, linux, mac, webview_android
message NtlmV2EnabledProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Whether NTLMv2 is enabled; unset defaults to true. The description above
// notes that disabling it reduces the security of authentication.
optional bool NtlmV2Enabled = 2;
}
// Configure extension installation blacklist
//
// Allows you to specify which extensions the users can NOT install. Extensions
// already installed will be disabled if blacklisted, without a way for the user
// to enable them. Once an extension disabled due to the blacklist is removed
// from it, it will automatically get re-enabled.
//
// A blacklist value of '*' means all extensions are blacklisted unless they are
// explicitly listed in the whitelist.
//
// If this policy is left not set the user can install any extension in Google
// Chrome.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message ExtensionInstallBlacklistProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Extensions users may not install; StringList is declared in the imported
// cloud_policy_full_runtime.proto. An entry of '*' blacklists every
// extension not explicitly listed in the whitelist. Unset leaves users free
// to install any extension.
optional StringList ExtensionInstallBlacklist = 2;
}
// Configure extension installation whitelist
//
// Allows you to specify which extensions are not subject to the blacklist.
//
// A blacklist value of * means all extensions are blacklisted and users can
// only install extensions listed in the whitelist.
//
// By default, all extensions are whitelisted, but if all extensions have been
// blacklisted by policy, the whitelist can be used to override that policy.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message ExtensionInstallWhitelistProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Extensions that are not subject to the blacklist; StringList is declared
// in the imported cloud_policy_full_runtime.proto. With a blacklist value of
// '*', only the extensions listed here can be installed.
optional StringList ExtensionInstallWhitelist = 2;
}
// Configure the list of force-installed apps and extensions
//
// Specifies a list of apps and extensions that are installed silently,
// without user interaction, and which cannot be uninstalled nor
// disabled by the user. All permissions requested by the
// apps/extensions are granted implicitly, without user interaction,
// including any additional permissions requested by future versions of
// the app/extension. Furthermore, permissions are granted for the
// enterprise.deviceAttributes and enterprise.platformKeys extension
// APIs. (These two APIs are not available to apps/extensions that are
// not force-installed.)
//
// This policy takes precedence over a potentially conflicting
// ExtensionInstallBlacklist policy. If an app or extension that previously had
// been force-installed is removed from this list, it is automatically
// uninstalled by Google Chrome.
//
// For Windows instances that are not joined to a Microsoft® Active Directory®
// domain, forced installation is limited to apps and extensions listed in the
// Chrome Web Store.
//
// Note that the source code of any extension may be altered by users via
// Developer Tools (potentially rendering the extension dysfunctional). If this
// is a concern, the DeveloperToolsDisabled policy should be set.
//
// Each list item of the policy is a string that contains an extension ID and,
// optionally, an "update" URL separated by a semicolon (;). The extension ID is
// the 32-letter string found e.g. on chrome://extensions when in developer
// mode. The "update" URL, if specified, should point to an Update Manifest XML
// document as described at https://developer.chrome.com/extensions/autoupdate.
// By default, the Chrome Web Store's update URL is used (which currently is
// "https://clients2.google.com/service/update2/crx"). Note that the "update"
// URL set in this policy is only used for the initial installation; subsequent
// updates of the extension employ the update URL indicated in the extension's
// manifest. Note also that specifying the "update" URL explicitly was mandatory
// in Google Chrome versions up to and including 67.
//
// For example,
// aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx
// installs the extension with id
// aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa from the standard Chrome Web Store "update"
// URL. For more information about hosting extensions, see:
// https://developer.chrome.com/extensions/hosting.
//
// If this policy is left not set, no apps or extensions are installed
// automatically and the user can uninstall any app or extension in Google
// Chrome.
//
// Note that this policy doesn't apply to incognito mode.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message ExtensionInstallForcelistProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// One string per app/extension: the extension ID, optionally followed by ';'
// and an "update" URL. Per the description above, listed items are installed
// silently, cannot be uninstalled or disabled by the user, and receive every
// permission they request, including those requested by future versions.
// NOTE(review): given that implicit grant, the update URL in each entry
// determines where the initial install comes from; audit entries that do
// not rely on the Chrome Web Store default.
optional StringList ExtensionInstallForcelist = 2;
}
// Configure extension, app, and user script install sources
//
// Allows you to specify which URLs are allowed to install extensions, apps, and
// themes.
//
// Starting in Google Chrome 21, it is more difficult to install extensions,
// apps, and user scripts from outside the Chrome Web Store. Previously, users
// could click on a link to a *.crx file, and Google Chrome would offer to
// install the file after a few warnings. After Google Chrome 21, such files
// must be downloaded and dragged onto the Google Chrome settings page. This
// setting allows specific URLs to have the old, easier installation flow.
//
// Each item in this list is an extension-style match pattern (see
// https://developer.chrome.com/extensions/match_patterns). Users will be able
// to easily install items from any URL that matches an item in this list. Both
// the location of the *.crx file and the page where the download is started
// from (i.e. the referrer) must be allowed by these patterns.
//
// ExtensionInstallBlacklist takes precedence over this policy. That is, an
// extension on the blacklist won't be installed, even if it happens from a site
// on this list.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message ExtensionInstallSourcesProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Extension-style match patterns. Both the *.crx location and the referring
// page must be allowed by a pattern for the easier install flow to apply;
// ExtensionInstallBlacklist takes precedence over this list.
optional StringList ExtensionInstallSources = 2;
}
// Allow insecure algorithms in integrity checks on extension updates and
// installs
//
// Google Chrome provides for the secure update and installation of extensions.
// However, the content of some extensions hosted outside of the Chrome Web
// Store may only be protected by insecure signing or hashing algorithms such as
// SHA1. When this policy is disabled, fresh installation of and updates to such
// extensions will not be permitted by Chrome (until the extension developers
// rebuild the extension with stronger algorithms). When this policy is enabled,
// installation and updates for such extensions will be permitted.
//
// Before Google Chrome 76, this defaults to the enabled behavior when unset.
// Starting in Google Chrome 76, it defaults to the disabled behavior when
// unset.
//
// Starting in Google Chrome 78, this policy will be ignored and treated as
// disabled.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message ExtensionAllowInsecureUpdatesProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: installs and updates of extensions protected only by insecure
// signing or hashing algorithms such as SHA1 are permitted. The description
// above says the policy is ignored and treated as disabled starting in
// Google Chrome 78.
optional bool ExtensionAllowInsecureUpdates = 2;
}
// Configure allowed app/extension types
//
// Controls which app/extension types are allowed to be installed and limits
// runtime access.
//
// This setting white-lists the allowed types of extension/apps that can be
// installed in Google Chrome and which hosts they can interact with. The value
// is a list of strings, each of which should be one of the following:
// "extension", "theme", "user_script", "hosted_app", "legacy_packaged_app",
// "platform_app". See the Google Chrome extensions documentation for more
// information on these types.
//
// Note that this policy also affects extensions and apps to be force-installed
// via ExtensionInstallForcelist.
//
// If this setting is configured, extensions/apps which have a type that is not
// on the list will not be installed.
//
// If this setting is left not configured, no restrictions on the acceptable
// extension/app types are enforced.
//
// Prior to version 75 using multiple comma separated extension IDs is not
// supported and will be skipped. The rest of the policy will continue to apply.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message ExtensionAllowedTypesProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Allowed type names: "extension", "theme", "user_script", "hosted_app",
// "legacy_packaged_app", "platform_app". Types not on the list are not
// installed, and the description above says this also affects items
// force-installed via ExtensionInstallForcelist.
optional StringList ExtensionAllowedTypes = 2;
}
// Extension management settings
//
// Configures extension management settings for Google Chrome.
//
// This policy controls multiple settings, including settings controlled by any
// existing extension-related policies. This policy will override any legacy
// policies if both are set.
//
// This policy maps an extension ID or an update URL to its configuration. With
// an extension ID, configuration will be applied to the specified extension
// only. A default configuration can be set for the special ID "*", which will
// apply to all extensions that don't have a custom configuration set in this
// policy. With an update URL, configuration will be applied to all extensions
// with the exact update URL stated in manifest of this extension, as described
// at https://developer.chrome.com/extensions/autoupdate.
//
// For Windows instances that are not joined to a Microsoft® Active Directory®
// domain, forced installation is limited to apps and extensions listed in the
// Chrome Web Store.
//
// Value schema:
// {
// "patternProperties": {
// "^[a-p]{32}(?:,[a-p]{32})*,?$": {
// "properties": {
// "allowed_permissions": {
// "$ref": "ListOfPermissions"
// },
// "blocked_install_message": {
// "description": "text that will be displayed to the user
// in the chrome webstore if installation is blocked.",
// "type": "string"
// },
// "blocked_permissions": {
// "id": "ListOfPermissions",
// "items": {
// "pattern": "^[a-z][a-zA-Z.]*$",
// "type": "string"
// },
// "type": "array"
// },
// "installation_mode": {
// "enum": [
// "blocked",
// "allowed",
// "force_installed",
// "normal_installed",
// "removed"
// ],
// "type": "string"
// },
// "minimum_version_required": {
// "pattern": "^[0-9]+([.][0-9]+)*$",
// "type": "string"
// },
// "runtime_allowed_hosts": {
// "$ref": "ListOfUrlPatterns"
// },
// "runtime_blocked_hosts": {
// "id": "ListOfUrlPatterns",
// "items": {
// "type": "string"
// },
// "type": "array"
// },
// "update_url": {
// "type": "string"
// }
// },
// "type": "object"
// },
// "^update_url:": {
// "properties": {
// "allowed_permissions": {
// "$ref": "ListOfPermissions"
// },
// "blocked_permissions": {
// "$ref": "ListOfPermissions"
// },
// "installation_mode": {
// "enum": [
// "blocked",
// "allowed",
// "removed"
// ],
// "type": "string"
// }
// },
// "type": "object"
// }
// },
// "properties": {
// "*": {
// "properties": {
// "allowed_types": {
// "$ref": "ExtensionAllowedTypes"
// },
// "blocked_install_message": {
// "type": "string"
// },
// "blocked_permissions": {
// "$ref": "ListOfPermissions"
// },
// "install_sources": {
// "$ref": "ExtensionInstallSources"
// },
// "installation_mode": {
// "enum": [
// "blocked",
// "allowed",
// "removed"
// ],
// "type": "string"
// },
// "runtime_allowed_hosts": {
// "$ref": "ListOfUrlPatterns"
// },
// "runtime_blocked_hosts": {
// "$ref": "ListOfUrlPatterns"
// }
// },
// "type": "object"
// }
// },
// "type": "object"
// }
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message ExtensionSettingsProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Extension management configuration keyed by extension ID, an "update_url:"
// prefixed key, or "*", following the schema above. The field is a plain
// string, presumably the serialized (JSON) object; TODO confirm against the
// decoder. Overrides the legacy extension policies when both are set.
optional string ExtensionSettings = 2;
}
// Merge extension install list policies from multiple sources
//
// Enables merging of the extension install list policies
// ExtensionInstallBlacklist, ExtensionInstallWhitelist and
// ExtensionInstallForcelist.
//
// If you enable this setting, the values from machine platform policy, machine
// cloud policy and user platform policy are merged into a single list and used
// as a whole instead of only using the values from the single source with
// highest priority.
//
// If you disable this setting or leave it unset, only list entries from the
// highest priority source are taken and all other sources are shown as
// conflicts but ignored.
//
// Supported on: fuchsia, linux, mac, win
message ExtensionInstallListsMergeEnabledProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: ExtensionInstallBlacklist, ExtensionInstallWhitelist and
// ExtensionInstallForcelist values from machine platform, machine cloud and
// user platform policy are merged into one list. false or unset: only the
// highest-priority source is used and the others are shown as conflicts.
optional bool ExtensionInstallListsMergeEnabled = 2;
}
// Show Home button on toolbar
//
// Shows the Home button on Google Chrome's toolbar.
//
// If you enable this setting, the Home button is always shown.
//
// If you disable this setting, the Home button is never shown.
//
// If you enable or disable this setting, users cannot change or override this
// setting in Google Chrome.
//
// Leaving this policy not set will allow the user to choose whether to show the
// home button.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message ShowHomeButtonProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: the Home button is always shown; false: never shown. Unset leaves
// the choice to the user.
optional bool ShowHomeButton = 2;
}
// Disable Developer Tools
//
// This policy is deprecated in M68, please use DeveloperToolsAvailability
// instead.
//
// Disables the Developer Tools and the JavaScript console.
//
// If you enable this setting, the Developer Tools can not be accessed and web-
// site elements can not be inspected anymore. Any keyboard shortcuts and any
// menu or context menu entries to open the Developer Tools or the JavaScript
// Console will be disabled.
//
// Setting this option to disabled or leaving it not set allows the user to use
// the Developer Tools and the JavaScript console.
//
// If the policy DeveloperToolsAvailability is set, the value of the policy
// DeveloperToolsDisabled is ignored.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message DeveloperToolsDisabledProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: Developer Tools and the JavaScript console are disabled. The
// description above marks this policy as deprecated in M68 and says its
// value is ignored when DeveloperToolsAvailability is set.
optional bool DeveloperToolsDisabled = 2;
}
// Control where Developer Tools can be used
//
// Allows you to control where Developer Tools can be used.
//
// If this policy is set to
// 'DeveloperToolsDisallowedForForceInstalledExtensions' (value 0, which is the
// default value), the Developer Tools and the JavaScript console can be
// accessed in general, but they can not be accessed in the context of
// extensions installed by enterprise policy.
// If this policy is set to 'DeveloperToolsAllowed' (value 1), the Developer
// Tools and the JavaScript console can be accessed and used in all contexts,
// including the context of extensions installed by enterprise policy.
// If this policy is set to 'DeveloperToolsDisallowed' (value 2), the Developer
// Tools can not be accessed and web-site elements can not be inspected anymore.
// Any keyboard shortcuts and any menu or context menu entries to open the
// Developer Tools or the JavaScript Console will be disabled.
//
// Valid values:
// 0: Disallow usage of the Developer Tools on extensions installed by
// enterprise policy, allow usage of the Developer Tools in other contexts
// 1: Allow usage of the Developer Tools
// 2: Disallow usage of the Developer Tools
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message DeveloperToolsAvailabilityProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// 0 (default): Developer Tools disallowed for extensions installed by
// enterprise policy, allowed elsewhere; 1: allowed in all contexts;
// 2: disallowed. The field is an int64, so values outside 0-2 can be
// encoded; how they are handled is not visible in this file.
optional int64 DeveloperToolsAvailability = 2;
}
// Action on startup
//
// Allows you to specify the behavior on startup.
//
// If you choose 'Open New Tab Page' the New Tab Page will always be opened when
// you start Google Chrome.
//
// If you choose 'Restore the last session', the URLs that were open last time
// Google Chrome was closed will be reopened and the browsing session will be
// restored as it was left.
// Choosing this option disables some settings that rely on sessions or that
// perform actions on exit (such as Clear browsing data on exit or session-only
// cookies).
//
// If you choose 'Open a list of URLs', the list of 'URLs to open on startup'
// will be opened when a user starts Google Chrome.
//
// If you enable this setting, users cannot change or override it in Google
// Chrome.
//
// Disabling this setting is equivalent to leaving it not configured. The user
// will still be able to change it in Google Chrome.
//
// This policy is available only on Windows instances that are joined to a
// Microsoft® Active Directory® domain, or Windows 10 Pro or Enterprise
// instances that are enrolled for device management.
//
// Valid values:
// 5: Open New Tab Page
// 1: Restore the last session
// 4: Open a list of URLs
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RestoreOnStartupProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Startup action: 5 = open New Tab Page, 1 = restore the last session,
// 4 = open a list of URLs. The field is an int64, so the schema itself does
// not limit it to these three values.
optional int64 RestoreOnStartup = 2;
}
// URLs to open on startup
//
// If 'Open a list of URLs' is selected as the startup action, this allows you
// to specify the list of URLs that are opened. If left not set no URL will be
// opened on start up.
//
// This policy only works if the 'RestoreOnStartup' policy is set to
// 'RestoreOnStartupIsURLs'.
//
// This policy is available only on Windows instances that are joined to a
// Microsoft® Active Directory® domain, or Windows 10 Pro or Enterprise
// instances that are enrolled for device management.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RestoreOnStartupURLsProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// URLs opened at startup when the startup action is 'Open a list of URLs';
// StringList is declared in the imported cloud_policy_full_runtime.proto.
// Unset means no URL is opened on start up.
optional StringList RestoreOnStartupURLs = 2;
}
// Block third party cookies
//
// Enabling this setting prevents cookies from being set by web page elements
// that are not from the domain that is in the browser's address bar.
//
// Disabling this setting allows cookies to be set by web page elements that are
// not from the domain that is in the browser's address bar and prevents users
// from changing this setting.
//
// If this policy is left not set, third party cookies will be enabled but the
// user will be able to change that.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message BlockThirdPartyCookiesProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: page elements not from the address-bar domain cannot set cookies.
// false: they can, and users cannot change the setting. Unset: third party
// cookies are enabled but the user can change that.
optional bool BlockThirdPartyCookies = 2;
}
// Enable the default search provider
//
// Enables the use of a default search provider.
//
// If you enable this setting, a default search is performed when the user types
// text in the omnibox that is not a URL.
//
// You can specify the default search provider to be used by setting the rest of
// the default search policies. If these are left empty, the user can choose the
// default provider.
//
// If you disable this setting, no search is performed when the user enters non-
// URL text in the omnibox.
//
// If you enable or disable this setting, users cannot change or override this
// setting in Google Chrome.
//
// If this policy is left not set, the default search provider is enabled, and
// the user will be able to set the search provider list.
//
// This policy is available only on Windows instances that are joined to a
// Microsoft® Active Directory® domain, or Windows 10 Pro or Enterprise
// instances that are enrolled for device management.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultSearchProviderEnabledProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: non-URL omnibox text triggers a default search; false: no search is
// performed for such text. Unset: the default search provider is enabled and
// the user can set the search provider list.
optional bool DefaultSearchProviderEnabled = 2;
}
// Default search provider name
//
// Specifies the name of the default search provider. If left empty or not set,
// the host name specified by the search URL will be used.
//
// This policy is only considered if the 'DefaultSearchProviderEnabled' policy
// is enabled.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultSearchProviderNameProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Name of the default search provider. Empty or unset means the host name
// from the search URL is used. Only considered when
// DefaultSearchProviderEnabled is enabled.
optional string DefaultSearchProviderName = 2;
}
// Default search provider keyword
//
// Specifies the keyword, which is the shortcut used in the omnibox to trigger
// the search for this provider.
//
// This policy is optional. If not set, no keyword will activate the search
// provider.
//
// This policy is only considered if the 'DefaultSearchProviderEnabled' policy
// is enabled.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultSearchProviderKeywordProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Omnibox shortcut that triggers the search for this provider. Optional;
// unset means no keyword activates the provider. Only considered when
// DefaultSearchProviderEnabled is enabled.
optional string DefaultSearchProviderKeyword = 2;
}
// Default search provider search URL
//
// Specifies the URL of the search engine used when doing a default search. The
// URL should contain the string '{searchTerms}', which will be replaced at
// query time by the terms the user is searching for.
//
// Google's search URL can be specified as:
// '{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}'.
//
// This option must be set when the 'DefaultSearchProviderEnabled' policy is
// enabled and will only be respected if this is the case.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultSearchProviderSearchURLProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Search engine URL; it should contain '{searchTerms}', which is replaced at
// query time by the user's search terms. Must be set when
// DefaultSearchProviderEnabled is enabled and is only respected in that case.
// NOTE(review): every default search the user types is sent to this URL, so
// the configured host deserves the same scrutiny as a proxy setting.
optional string DefaultSearchProviderSearchURL = 2;
}
// Default search provider suggest URL
//
// Specifies the URL of the search engine used to provide search suggestions.
// The URL should contain the string '{searchTerms}', which will be replaced at
// query time by the text the user has entered so far.
//
// This policy is optional. If not set, no suggest URL will be used.
//
// Google's suggest URL can be specified as:
// '{google:baseURL}complete/search?output=chrome&q={searchTerms}'.
//
// This policy is only respected if the 'DefaultSearchProviderEnabled' policy is
// enabled.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultSearchProviderSuggestURLProto {
// Options for this policy; PolicyOptions is declared in the imported
// cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Suggestion URL; it should contain '{searchTerms}', which is replaced at
// query time by the text the user has entered so far. Optional; unset means
// no suggest URL is used. Only respected when DefaultSearchProviderEnabled
// is enabled.
optional string DefaultSearchProviderSuggestURL = 2;
}
// Default search provider instant URL
//
// Specifies the URL of the search engine used to provide instant results. The
// URL should contain the string '{searchTerms}', which will be replaced at
// query time by the text the user has entered so far.
//
// This policy is optional. If not set, no instant search results will be
// provided.
//
// Google's instant results URL can be specified as:
// '{google:baseURL}suggest?q={searchTerms}'.
//
// This policy is only respected if the 'DefaultSearchProviderEnabled' policy is
// enabled.
//
// Supported on:
message DefaultSearchProviderInstantURLProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Instant-results URL template; '{searchTerms}' is replaced with the text
  // the user has entered so far.
  // NOTE(review): the 'Supported on:' line above lists no platforms, which
  // suggests this policy is retired - confirm in policy_templates.json.
  optional string DefaultSearchProviderInstantURL = 2;
}
// Default search provider icon
//
// Specifies the favorite icon URL of the default search provider.
//
// This policy is optional. If not set, no icon will be present for the search
// provider.
//
// This policy is only respected if the 'DefaultSearchProviderEnabled' policy is
// enabled.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultSearchProviderIconURLProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Favorite icon URL of the default search provider. When unset, no icon is
  // present for the search provider.
  optional string DefaultSearchProviderIconURL = 2;
}
// Default search provider encodings
//
// Specifies the character encodings supported by the search provider. Encodings
// are code page names like UTF-8, GB2312, and ISO-8859-1. They are tried in the
// order provided.
//
// This policy is optional. If not set, the default will be used which is UTF-8.
//
// This policy is only respected if the 'DefaultSearchProviderEnabled' policy is
// enabled.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultSearchProviderEncodingsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Code page names (e.g. UTF-8, GB2312, ISO-8859-1), tried in the order
  // given. When unset the default, UTF-8, is used. StringList is declared in
  // cloud_policy_full_runtime.proto.
  optional StringList DefaultSearchProviderEncodings = 2;
}
// List of alternate URLs for the default search provider
//
// Specifies a list of alternate URLs that can be used to extract search terms
// from the search engine. The URLs should contain the string '{searchTerms}',
// which will be used to extract the search terms.
//
// This policy is optional. If not set, no alternate urls will be used to
// extract search terms.
//
// This policy is only respected if the 'DefaultSearchProviderEnabled' policy is
// enabled.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultSearchProviderAlternateURLsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Alternate URL templates used to extract search terms; each should contain
  // '{searchTerms}'. When unset, no alternate URLs are used.
  optional StringList DefaultSearchProviderAlternateURLs = 2;
}
// Parameter controlling search term placement for the default search provider
//
// If this policy is set and a search URL suggested from the omnibox contains
// this parameter in the query string or in the fragment identifier, then the
// suggestion will show the search terms and search provider instead of the raw
// search URL.
//
// This policy is optional. If not set, no search term replacement will be
// performed.
//
// This policy is only respected if the 'DefaultSearchProviderEnabled' policy is
// enabled.
//
// Supported on:
message DefaultSearchProviderSearchTermsReplacementKeyProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Name of the query-string or fragment parameter whose presence makes an
  // omnibox suggestion show the search terms and provider instead of the raw
  // search URL.
  // NOTE(review): the 'Supported on:' line above lists no platforms, which
  // suggests this policy is retired - confirm in policy_templates.json.
  optional string DefaultSearchProviderSearchTermsReplacementKey = 2;
}
// Parameter providing search-by-image feature for the default search provider
//
// Specifies the URL of the search engine used to provide image search. Search
// requests will be sent using the GET method. If the
// DefaultSearchProviderImageURLPostParams policy is set then image search
// requests will use the POST method instead.
//
// This policy is optional. If not set, no image search will be used.
//
// This policy is only respected if the 'DefaultSearchProviderEnabled' policy is
// enabled.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultSearchProviderImageURLProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL used for image search. Requests use GET unless the
  // DefaultSearchProviderImageURLPostParams policy is set, in which case
  // POST is used. When unset, no image search is used.
  optional string DefaultSearchProviderImageURL = 2;
}
// Default search provider new tab page URL
//
// Specifies the URL that a search engine uses to provide a new tab page.
//
// This policy is optional. If not set, no new tab page will be provided.
//
// This policy is only respected if the 'DefaultSearchProviderEnabled' policy is
// enabled.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultSearchProviderNewTabURLProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL the search engine uses to provide a new tab page. When unset, no new
  // tab page is provided.
  // NOTE(review): this hands the new tab page to whatever serves this URL;
  // restrict it to an endpoint the organisation trusts.
  optional string DefaultSearchProviderNewTabURL = 2;
}
// Parameters for search URL which uses POST
//
// Specifies the parameters used when searching a URL with POST. It consists of
// comma-separated name/value pairs. If a value is a template parameter, like
// {searchTerms} in above example, it will be replaced with real search terms
// data.
//
// This policy is optional. If not set, search request will be sent using the
// GET method.
//
// This policy is only respected if the 'DefaultSearchProviderEnabled' policy is
// enabled.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultSearchProviderSearchURLPostParamsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Comma-separated name/value pairs sent with a POST search request, packed
  // into one string. Template parameters such as {searchTerms} are replaced
  // with the real search terms. When unset, the search request uses GET.
  optional string DefaultSearchProviderSearchURLPostParams = 2;
}
// Parameters for suggest URL which uses POST
//
// Specifies the parameters used when doing suggestion search with POST. It
// consists of comma-separated name/value pairs. If a value is a template
// parameter, like {searchTerms} in above example, it will be replaced with real
// search terms data.
//
// This policy is optional. If not set, suggest search request will be sent
// using the GET method.
//
// This policy is only respected if the 'DefaultSearchProviderEnabled' policy is
// enabled.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultSearchProviderSuggestURLPostParamsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Comma-separated name/value pairs sent with a POST suggestion request,
  // packed into one string. Template parameters such as {searchTerms} are
  // replaced with the real search terms. When unset, the request uses GET.
  optional string DefaultSearchProviderSuggestURLPostParams = 2;
}
// Parameters for instant URL which uses POST
//
// Specifies the parameters used when doing instant search with POST. It
// consists of comma-separated name/value pairs. If a value is a template
// parameter, like {searchTerms} in above example, it will be replaced with real
// search terms data.
//
// This policy is optional. If not set, instant search request will be sent
// using the GET method.
//
// This policy is only respected if the 'DefaultSearchProviderEnabled' policy is
// enabled.
//
// Supported on:
message DefaultSearchProviderInstantURLPostParamsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Comma-separated name/value pairs sent with a POST instant-search request,
  // packed into one string. When unset, the request uses GET.
  // NOTE(review): the 'Supported on:' line above lists no platforms, which
  // suggests this policy is retired - confirm in policy_templates.json.
  optional string DefaultSearchProviderInstantURLPostParams = 2;
}
// Parameters for image URL which uses POST
//
// Specifies the parameters used when doing image search with POST. It consists
// of comma-separated name/value pairs. If a value is a template parameter, like
// {imageThumbnail} in above example, it will be replaced with real image
// thumbnail data.
//
// This policy is optional. If not set, image search request will be sent using
// the GET method.
//
// This policy is only respected if the 'DefaultSearchProviderEnabled' policy is
// enabled.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultSearchProviderImageURLPostParamsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Comma-separated name/value pairs sent with a POST image-search request,
  // packed into one string. Template parameters such as {imageThumbnail} are
  // replaced with real image thumbnail data, so image content is uploaded to
  // the configured image URL. When unset, the request uses GET.
  optional string DefaultSearchProviderImageURLPostParams = 2;
}
// Default cookies setting
//
// Allows you to set whether websites are allowed to set local data. Setting
// local data can be either allowed for all websites or denied for all websites.
//
// If this policy is set to 'Keep cookies for the duration of the session' then
// cookies will be cleared when the session closes. Note that if Google Chrome
// is running in 'background mode', the session may not close when the last
// window is closed. Please see the 'BackgroundModeEnabled' policy for more
// information about configuring this behavior.
//
// If this policy is left not set, 'AllowCookies' will be used and the user will
// be able to change it.
//
// Valid values:
// 1: Allow all sites to set local data
// 2: Do not allow any site to set local data
// 4: Keep cookies for the duration of the session
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultCookiesSettingProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Numeric setting; the valid values listed above are 1, 2 and 4 (3 is not
  // one of them). The int64 type accepts any integer, so readers of this
  // message should reject unlisted values rather than map them to 'allow'.
  optional int64 DefaultCookiesSetting = 2;
}
// Default images setting
//
// Allows you to set whether websites are allowed to display images. Displaying
// images can be either allowed for all websites or denied for all websites.
//
// If this policy is left not set, 'AllowImages' will be used and the user will
// be able to change it.
//
// Note that previously this policy was erroneously enabled on Android, but this
// functionality has never been fully supported on Android.
//
// Valid values:
// 1: Allow all sites to show all images
// 2: Do not allow any site to show images
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message DefaultImagesSettingProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Numeric setting; valid values listed above are 1 (allow) and 2 (deny).
  // The int64 type accepts any integer, so unlisted values need to be
  // rejected by whoever reads this message.
  optional int64 DefaultImagesSetting = 2;
}
// Default JavaScript setting
//
// Allows you to set whether websites are allowed to run JavaScript. Running
// JavaScript can be either allowed for all websites or denied for all websites.
//
// If this policy is left not set, 'AllowJavaScript' will be used and the user
// will be able to change it.
//
// Valid values:
// 1: Allow all sites to run JavaScript
// 2: Do not allow any site to run JavaScript
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultJavaScriptSettingProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Numeric setting; valid values listed above are 1 (allow) and 2 (deny).
  // The int64 type accepts any integer, so unlisted values need to be
  // rejected by whoever reads this message.
  optional int64 DefaultJavaScriptSetting = 2;
}
// Default Flash setting
//
// Allows you to set whether websites are allowed to automatically run the Flash
// plugin. Automatically running the Flash plugin can be either allowed for all
// websites or denied for all websites.
//
// Click to play allows the Flash plugin to run but the user must click on the
// placeholder to start its execution.
//
// Automatic playback is only allowed for domains explicitly listed in the
// PluginsAllowedForUrls policy. If you want to enable automatic playback for
// all sites consider adding http://* and https://* to this list.
//
// If this policy is left not set, the user will be able to change this setting
// manually.
//
// Valid values:
// 1: Allow all sites to automatically run the Flash plugin
// 2: Block the Flash plugin
// 3: Click to play
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message DefaultPluginsSettingProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Numeric setting; valid values listed above are 1 (allow automatic run),
  // 2 (block) and 3 (click to play). The int64 type accepts any integer, so
  // unlisted values need to be rejected by whoever reads this message.
  optional int64 DefaultPluginsSetting = 2;
}
// Default popups setting
//
// Allows you to set whether websites are allowed to show pop-ups. Showing
// popups can be either allowed for all websites or denied for all websites.
//
// If this policy is left not set, 'BlockPopups' will be used and the user will
// be able to change it.
//
// Valid values:
// 1: Allow all sites to show pop-ups
// 2: Do not allow any site to show popups
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultPopupsSettingProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Numeric setting; valid values listed above are 1 (allow) and 2 (deny).
  // When the policy is not set, 'BlockPopups' is used and the user can change
  // it. Unlisted integers need to be rejected by the reader.
  optional int64 DefaultPopupsSetting = 2;
}
// Default notification setting
//
// Allows you to set whether websites are allowed to display desktop
// notifications. Displaying desktop notifications can be allowed by default,
// denied by default or the user can be asked every time a website wants to show
// desktop notifications.
//
// If this policy is left not set, 'AskNotifications' will be used and the user
// will be able to change it.
//
// Valid values:
// 1: Allow sites to show desktop notifications
// 2: Do not allow any site to show desktop notifications
// 3: Ask every time a site wants to show desktop notifications
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message DefaultNotificationsSettingProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Numeric setting; valid values listed above are 1 (allow), 2 (deny) and
  // 3 (ask every time). Unlisted integers, which int64 permits on the wire,
  // need to be rejected by the reader.
  optional int64 DefaultNotificationsSetting = 2;
}
// Default geolocation setting
//
// Allows you to set whether websites are allowed to track the users' physical
// location. Tracking the users' physical location can be allowed by default,
// denied by default or the user can be asked every time a website requests the
// physical location.
//
// If this policy is left not set, 'AskGeolocation' will be used and the user
// will be able to change it.
//
// Valid values:
// 1: Allow sites to track the users' physical location
// 2: Do not allow any site to track the users' physical location
// 3: Ask whenever a site wants to track the users' physical location
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultGeolocationSettingProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Numeric setting; valid values listed above are 1 (allow), 2 (deny) and
  // 3 (ask). Value 1 lets every site track the user's physical location
  // without a prompt. Unlisted integers need to be rejected by the reader.
  optional int64 DefaultGeolocationSetting = 2;
}
// Default mediastream setting
//
// Allows you to set whether websites are allowed to get access to media capture
// devices. Access to media capture devices can be allowed by default, or the
// user can be asked every time a website wants to get access to media capture
// devices.
//
// If this policy is left not set, 'PromptOnAccess' will be used and the user
// will be able to change it.
//
// Valid values:
// 2: Do not allow any site to access the camera and microphone
// 3: Ask every time a site wants to access the camera and/or microphone
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message DefaultMediaStreamSettingProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Numeric setting; the only valid values listed above are 2 (deny) and
  // 3 (ask) - no 'allow all' value is listed. Readers should therefore not
  // accept 1 or any other unlisted integer as granting camera or microphone
  // access.
  optional int64 DefaultMediaStreamSetting = 2;
}
// Control use of the Web Bluetooth API
//
// Allows you to set whether websites are allowed to get access to nearby
// Bluetooth devices. Access can be completely blocked, or the user can be asked
// every time a website wants to get access to nearby Bluetooth devices.
//
// If this policy is left not set, '3' will be used, and the user will be able
// to change it.
//
// Valid values:
// 2: Do not allow any site to request access to Bluetooth devices via the Web
// Bluetooth API
// 3: Allow sites to ask the user to grant access to a nearby Bluetooth device
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultWebBluetoothGuardSettingProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Numeric setting; the only valid values listed above are 2 (block) and
  // 3 (sites may ask the user). When not set, 3 is used. Unlisted integers
  // need to be rejected by the reader.
  optional int64 DefaultWebBluetoothGuardSetting = 2;
}
// Default key generation setting
//
// Allows you to set whether websites are allowed to use key generation. Using
// key generation can be either allowed for all websites or denied for all
// websites.
//
// If this policy is left not set, 'BlockKeygen' will be used and the user will
// be able to change it.
//
// Valid values:
// 1: Allow all sites to use key generation
// 2: Do not allow any site to use key generation
//
// Supported on:
message DefaultKeygenSettingProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Numeric setting; valid values listed above are 1 (allow) and 2 (deny).
  // NOTE(review): the 'Supported on:' line above lists no platforms, which
  // suggests this policy is retired - confirm in policy_templates.json.
  optional int64 DefaultKeygenSetting = 2;
}
// Control use of the WebUSB API
//
// Allows you to set whether websites are allowed to get access to connected USB
// devices. Access can be completely blocked, or the user can be asked every
// time a website wants to get access to connected USB devices.
//
// This policy can be overridden for specific URL patterns using the
// 'WebUsbAskForUrls' and 'WebUsbBlockedForUrls' policies.
//
// If this policy is left not set, '3' will be used, and the user will be able
// to change it.
//
// Valid values:
// 2: Do not allow any site to request access to USB devices via the WebUSB
// API
// 3: Allow sites to ask the user to grant access to a connected USB device
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DefaultWebUsbGuardSettingProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Numeric setting; the only valid values listed above are 2 (block) and
  // 3 (sites may ask the user). When not set, 3 is used. Can be overridden
  // per URL pattern by 'WebUsbAskForUrls' and 'WebUsbBlockedForUrls'.
  // Unlisted integers need to be rejected by the reader.
  optional int64 DefaultWebUsbGuardSetting = 2;
}
// Automatically grant permission to these sites to connect to USB devices with
// the given vendor and product IDs.
//
// Allows you to set a list of urls that specify which sites will automatically
// be granted permission to access a USB device with the given vendor and
// product IDs. Each item in the list must contain both devices and urls in
// order for the policy to be valid. Each item in devices can contain a vendor
// ID and product ID field. Any ID that is omitted is treated as a wildcard with
// one exception, and that exception is that a product ID cannot be specified
// without a vendor ID also being specified. Otherwise, the policy will not be
// valid and will be ignored.
//
// The USB permission model uses the URL of the requesting site ("requesting
// URL") and the URL of the top-level frame site ("embedding URL") to grant
// permission to the requesting URL to access the USB device. The requesting URL
// may be different than the embedding URL when the requesting site is loaded in
// an iframe. Therefore, the "urls" field can contain up to two URL strings
// delimited by a comma to specify the requesting and embedding URL
// respectively. If only one URL is specified, then access to the corresponding
// USB devices will be granted when the requesting site's URL matches this URL
// regardless of embedding status. The URLs in "urls" must be valid URLs,
// otherwise the policy will be ignored.
//
// If this policy is left not set, the global default value will be used for all
// sites either from the 'DefaultWebUsbGuardSetting' policy if it is set, or the
// user's personal configuration otherwise.
//
// URL patterns in this policy should not clash with the ones configured via
// WebUsbBlockedForUrls. If there is a clash, this policy will take precedence
// over WebUsbBlockedForUrls and WebUsbAskForUrls.
//
// Values for this policy and the DeviceWebUsbAllowDevicesForUrls policy are
// merged together.
//
// Value schema:
// {
// "items": {
// "properties": {
// "devices": {
// "items": {
// "properties": {
// "product_id": {
// "type": "integer"
// },
// "vendor_id": {
// "type": "integer"
// }
// },
// "type": "object"
// },
// "type": "array"
// },
// "urls": {
// "items": {
// "type": "string"
// },
// "type": "array"
// }
// },
// "required": [
// "devices",
// "urls"
// ],
// "type": "object"
// },
// "type": "array"
// }
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message WebUsbAllowDevicesForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // JSON text following the value schema above, carried as a plain string,
  // so protobuf decoding does not validate its structure. Matching sites are
  // granted device access automatically; an omitted vendor_id or product_id
  // acts as a wildcard, and on a clash this policy takes precedence over
  // WebUsbBlockedForUrls and WebUsbAskForUrls. Prefer explicit IDs and exact
  // URLs when authoring the value.
  optional string WebUsbAllowDevicesForUrls = 2;
}
// Allow WebUSB on these sites
//
// Allows you to set a list of url patterns that specify sites which are allowed
// to ask the user to grant them access to a USB device.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultWebUsbGuardSetting' policy if it is set, or the
// user's personal configuration otherwise.
//
// URL patterns in this policy should not clash with ones configured via
// WebUsbBlockedForUrls. It is unspecified which of the two policies takes
// precedence if a URL matches with both.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message WebUsbAskForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns for sites allowed to ask the user for USB device access.
  // Precedence against WebUsbBlockedForUrls is unspecified when a URL matches
  // both, so keep the two lists disjoint.
  optional StringList WebUsbAskForUrls = 2;
}
// Block WebUSB on these sites
//
// Allows you to set a list of url patterns that specify sites which are
// prevented from asking the user to grant them access to a USB device.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultWebUsbGuardSetting' policy if it is set, or the
// user's personal configuration otherwise.
//
// URL patterns in this policy should not clash with ones configured via
// WebUsbAskForUrls. It is unspecified which of the two policies takes
// precedence if a URL matches with both.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message WebUsbBlockedForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns for sites prevented from asking the user for USB device
  // access. Precedence against WebUsbAskForUrls is unspecified when a URL
  // matches both, so a block entry is only dependable if the same pattern is
  // absent from that list.
  optional StringList WebUsbBlockedForUrls = 2;
}
// Automatically select client certificates for these sites
//
// Allows you to specify a list of url patterns that specify sites for which
// Google Chrome should automatically select a client certificate, if the site
// requests a certificate.
//
// The value must be an array of stringified JSON dictionaries. Each dictionary
// must have the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where
// $URL_PATTERN is a content setting pattern. $FILTER restricts from which
// client certificates the browser will automatically select. Independent of the
// filter, only certificates will be selected that match the server's
// certificate request. For example, if $FILTER has the form { "ISSUER": { "CN":
// "$ISSUER_CN" } }, additionally only client certificates are selected that are
// issued by a certificate with the CommonName $ISSUER_CN. If $FILTER contains
// an "ISSUER" and a "SUBJECT" section, a client certificate must satisfy both
// conditions to be selected. If $FILTER specifies an organization ("O"), a
// certificate must have at least one organization which matches the specified
// value to be selected. If $FILTER specifies an organization unit ("OU"), a
// certificate must have at least one organization unit which matches the
// specified value to be selected. If $FILTER is the empty dictionary {}, the
// selection of client certificates is not additionally restricted.
//
// If this policy is left not set, no auto-selection will be done for any site.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message AutoSelectCertificateForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Each entry is a stringified JSON dictionary of the form
  // { "pattern": "$URL_PATTERN", "filter": $FILTER }, so entries have to be
  // parsed and validated after protobuf decoding. An empty filter ({}) puts
  // no additional restriction on which client certificate is selected; keep
  // patterns and filters as narrow as the deployment allows.
  optional StringList AutoSelectCertificateForUrls = 2;
}
// Allow cookies on these sites
//
// Allows you to set a list of url patterns that specify sites which are allowed
// to set cookies.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultCookiesSetting' policy if it is set, or the
// user's personal configuration otherwise.
//
// See also policies 'CookiesBlockedForUrls' and 'CookiesSessionOnlyForUrls'.
// Note that there must be no conflicting URL patterns between these three
// policies - it is unspecified which policy takes precedence.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message CookiesAllowedForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns for sites allowed to set cookies. Must not overlap with
  // 'CookiesBlockedForUrls' or 'CookiesSessionOnlyForUrls': precedence
  // between the three is unspecified.
  optional StringList CookiesAllowedForUrls = 2;
}
// Block cookies on these sites
//
// Allows you to set a list of url patterns that specify sites which are not
// allowed to set cookies.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultCookiesSetting' policy if it is set, or the
// user's personal configuration otherwise.
//
// See also policies 'CookiesAllowedForUrls' and 'CookiesSessionOnlyForUrls'.
// Note that there must be no conflicting URL patterns between these three
// policies - it is unspecified which policy takes precedence.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message CookiesBlockedForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns for sites not allowed to set cookies. Must not overlap with
  // 'CookiesAllowedForUrls' or 'CookiesSessionOnlyForUrls': precedence
  // between the three is unspecified, so an overlapping block entry may not
  // take effect.
  optional StringList CookiesBlockedForUrls = 2;
}
// Limit cookies from matching URLs to the current session
//
// Cookies set by pages matching these URL patterns will be limited to the
// current session, i.e. they will be deleted when the browser exits.
//
// For URLs not covered by the patterns specified here, or for all URLs if this
// policy is not set, the global default value will be used either from the
// 'DefaultCookiesSetting' policy, if it is set, or the user's personal
// configuration otherwise.
//
// Note that if Google Chrome is running in 'background mode', the session may
// not be closed when the last browser window is closed, but will instead stay
// active until the browser exits. Please see the 'BackgroundModeEnabled' policy
// for more information about configuring this behavior.
//
// See also policies 'CookiesAllowedForUrls' and 'CookiesBlockedForUrls'. Note
// that there must be no conflicting URL patterns between these three policies -
// it is unspecified which policy takes precedence.
//
// If the "RestoreOnStartup" policy is set to restore URLs from previous
// sessions this policy will not be respected and cookies will be stored
// permanently for those sites.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message CookiesSessionOnlyForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns whose cookies are limited to the current session. Two
  // caveats from the description above: in 'background mode' the session may
  // outlive the last window, and with "RestoreOnStartup" set to restore
  // previous sessions this policy is not respected and cookies persist.
  optional StringList CookiesSessionOnlyForUrls = 2;
}
// Allow images on these sites
//
// Allows you to set a list of url patterns that specify sites which are allowed
// to display images.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultImagesSetting' policy if it is set, or the
// user's personal configuration otherwise.
//
// Note that previously this policy was erroneously enabled on Android, but this
// functionality has never been fully supported on Android.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message ImagesAllowedForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns for sites allowed to display images. When unset, the
  // 'DefaultImagesSetting' policy or the user's configuration applies.
  optional StringList ImagesAllowedForUrls = 2;
}
// Block images on these sites
//
// Allows you to set a list of url patterns that specify sites which are not
// allowed to display images.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultImagesSetting' policy if it is set, or the
// user's personal configuration otherwise.
//
// Note that previously this policy was erroneously enabled on Android, but this
// functionality has never been fully supported on Android.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message ImagesBlockedForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns for sites not allowed to display images. When unset, the
  // 'DefaultImagesSetting' policy or the user's configuration applies.
  optional StringList ImagesBlockedForUrls = 2;
}
// Allow JavaScript on these sites
//
// Allows you to set a list of url patterns that specify sites which are allowed
// to run JavaScript.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultJavaScriptSetting' policy if it is set, or the
// user's personal configuration otherwise.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message JavaScriptAllowedForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns for sites allowed to run JavaScript. When unset, the
  // 'DefaultJavaScriptSetting' policy or the user's configuration applies.
  // NOTE(review): the description does not say which list wins when a URL
  // also matches JavaScriptBlockedForUrls - keep the lists disjoint.
  optional StringList JavaScriptAllowedForUrls = 2;
}
// Block JavaScript on these sites
//
// Allows you to set a list of url patterns that specify sites which are not
// allowed to run JavaScript.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultJavaScriptSetting' policy if it is set, or the
// user's personal configuration otherwise.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message JavaScriptBlockedForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns for sites not allowed to run JavaScript. When unset, the
  // 'DefaultJavaScriptSetting' policy or the user's configuration applies.
  // NOTE(review): the description does not say which list wins when a URL
  // also matches JavaScriptAllowedForUrls - keep the lists disjoint.
  optional StringList JavaScriptBlockedForUrls = 2;
}
// Allow key generation on these sites
//
// Allows you to set a list of url patterns that specify sites which are allowed
// to use key generation. If a url pattern is in 'KeygenBlockedForUrls', that
// overrides these exceptions.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultKeygenSetting' policy if it is set, or the
// user's personal configuration otherwise.
//
// Supported on:
message KeygenAllowedForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns for sites allowed to use key generation; a pattern also
  // present in 'KeygenBlockedForUrls' is overridden by that policy.
  // NOTE(review): the 'Supported on:' line above lists no platforms, which
  // suggests this policy is retired - confirm in policy_templates.json.
  optional StringList KeygenAllowedForUrls = 2;
}
// Block key generation on these sites
//
// Allows you to set a list of url patterns that specify sites which are not
// allowed to use key generation. If a url pattern is in 'KeygenAllowedForUrls',
// this policy overrides these exceptions.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultKeygenSetting' policy if it is set, or the
// user's personal configuration otherwise.
//
// Supported on:
message KeygenBlockedForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns for sites not allowed to use key generation; this list
  // overrides matching entries in 'KeygenAllowedForUrls'.
  // NOTE(review): the 'Supported on:' line above lists no platforms, which
  // suggests this policy is retired - confirm in policy_templates.json.
  optional StringList KeygenBlockedForUrls = 2;
}
// Allow the Flash plugin on these sites
//
// Allows you to set a list of url patterns that specify sites which are allowed
// to run the Flash plugin.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultPluginsSetting' policy if it is set, or the
// user's personal configuration otherwise.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message PluginsAllowedForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns for sites allowed to run the Flash plugin. When unset, the
  // 'DefaultPluginsSetting' policy or the user's configuration applies.
  optional StringList PluginsAllowedForUrls = 2;
}
// Block the Flash plugin on these sites
//
// Allows you to set a list of url patterns that specify sites which are not
// allowed to run the Flash plugin.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultPluginsSetting' policy if it is set, or the
// user's personal configuration otherwise.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message PluginsBlockedForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns for sites not allowed to run the Flash plugin. When unset,
  // the 'DefaultPluginsSetting' policy or the user's configuration applies.
  optional StringList PluginsBlockedForUrls = 2;
}
// Allow popups on these sites
//
// Allows you to set a list of url patterns that specify sites which are allowed
// to open popups.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultPopupsSetting' policy if it is set, or the
// user's personal configuration otherwise.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message PopupsAllowedForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns for sites allowed to open popups. When unset, the
  // 'DefaultPopupsSetting' policy or the user's configuration applies.
  optional StringList PopupsAllowedForUrls = 2;
}
// Register protocol handlers
//
// Allows you to register a list of protocol handlers. This can only be a
// recommended policy. The property |protocol| should be set to the scheme such
// as 'mailto' and the property |url| should be set to the URL pattern of the
// application that handles the scheme. The pattern can include a '%s', which if
// present will be replaced by the handled URL.
//
// The protocol handlers registered by policy are merged with the ones
// registered by the user and both are available for use. The user can override
// the protocol handlers installed by policy by installing a new default
// handler, but cannot remove a protocol handler registered by policy.
//
// Value schema:
// {
// "items": {
// "properties": {
// "default": {
// "description": "A boolean flag indicating if the protocol
// handler should be set as the default.",
// "type": "boolean"
// },
// "protocol": {
// "description": "The protocol for the protocol handler.",
// "type": "string"
// },
// "url": {
// "description": "The URL of the protocol handler.",
// "type": "string"
// }
// },
// "required": [
// "protocol",
// "url"
// ],
// "type": "object"
// },
// "type": "array"
// }
//
// Supported on: chrome_os, fuchsia, linux, mac, win
//
// Note: this policy must have a RECOMMENDED PolicyMode set in PolicyOptions.
message RegisteredProtocolHandlersProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  // As noted above, a RECOMMENDED PolicyMode must be set here.
  optional PolicyOptions policy_options = 1;

  // JSON text following the value schema above, carried as a plain string,
  // so protobuf decoding does not validate its structure. Each item names a
  // scheme ("protocol") and a handler "url" pattern in which '%s' is replaced
  // by the handled URL - i.e. the handler endpoint receives that URL, so it
  // should be one the organisation trusts.
  optional string RegisteredProtocolHandlers = 2;
}
// Block popups on these sites
//
// Allows you to set a list of url patterns that specify sites which are not
// allowed to open popups.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultPopupsSetting' policy if it is set, or the
// user's personal configuration otherwise.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message PopupsBlockedForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns for sites not allowed to open popups. When unset, the
  // 'DefaultPopupsSetting' policy or the user's configuration applies.
  optional StringList PopupsBlockedForUrls = 2;
}
// Allow notifications on these sites
//
// Allows you to set a list of url patterns that specify sites which are allowed
// to display notifications.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultNotificationsSetting' policy if it is set, or
// the user's personal configuration otherwise.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message NotificationsAllowedForUrlsProto {
  // Per-policy options (type declared in cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns for sites allowed to display notifications. When unset, the
  // 'DefaultNotificationsSetting' policy or the user's configuration applies.
  optional StringList NotificationsAllowedForUrls = 2;
}
// Block notifications on these sites
//
// Allows you to set a list of url patterns that specify sites which are not
// allowed to display notifications.
//
// If this policy is left not set the global default value will be used for all
// sites either from the 'DefaultNotificationsSetting' policy if it is set, or
// the user's personal configuration otherwise.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message NotificationsBlockedForUrlsProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// URL patterns for sites that are not allowed to display notifications. When
// unset, DefaultNotificationsSetting (if set) or the user's own configuration
// applies.
optional StringList NotificationsBlockedForUrls = 2;
}
// Configure native messaging blacklist
//
// Allows you to specify which native messaging hosts should not be loaded.
//
// A blacklist value of '*' means all native messaging hosts are blacklisted
// unless they are explicitly listed in the whitelist.
//
// If this policy is left not set Google Chrome will load all installed native
// messaging hosts.
//
// Supported on: fuchsia, linux, mac, win
message NativeMessagingBlacklistProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Native messaging hosts that must not be loaded. The single entry '*' blocks
// every host that is not explicitly listed in NativeMessagingWhitelist. When
// this field is unset, all installed native messaging hosts are loaded.
optional StringList NativeMessagingBlacklist = 2;
}
// Configure native messaging whitelist
//
// Allows you to specify which native messaging hosts are not subject to the
// blacklist.
//
// A blacklist value of * means all native messaging hosts are blacklisted and
// only native messaging hosts listed in the whitelist will be loaded.
//
// By default, all native messaging hosts are whitelisted, but if all native
// messaging hosts have been blacklisted by policy, the whitelist can be used to
// override that policy.
//
// Supported on: fuchsia, linux, mac, win
message NativeMessagingWhitelistProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Native messaging hosts exempt from NativeMessagingBlacklist. Only has an
// effect when the blacklist is set; with a blacklist of '*', only the hosts
// listed here are loaded.
optional StringList NativeMessagingWhitelist = 2;
}
// Allow user-level Native Messaging hosts (installed without admin permissions)
//
// Enables user-level installation of Native Messaging hosts.
//
// If this setting is enabled then Google Chrome allows usage of Native
// Messaging hosts installed on user level.
//
// If this setting is disabled then Google Chrome will only use Native Messaging
// hosts installed on system level.
//
// If this setting is left not set Google Chrome will allow usage of user-level
// Native Messaging hosts.
//
// Supported on: fuchsia, linux, mac, win
message NativeMessagingUserLevelHostsProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true or unset: hosts installed at user level (without admin permissions)
// may be used. false: only hosts installed at system level are used. Note
// that the unset default is the permissive setting.
optional bool NativeMessagingUserLevelHosts = 2;
}
// Disable support for 3D graphics APIs
//
// Enabling this setting prevents web pages from accessing the graphics
// processing unit (GPU). Specifically, web pages can not access the WebGL API
// and plugins can not use the Pepper 3D API.
//
// Disabling this setting or leaving it not set potentially allows web pages to
// use the WebGL API and plugins to use the Pepper 3D API. The default settings
// of the browser may still require command line arguments to be passed in order
// to use these APIs.
//
// If HardwareAccelerationModeEnabled is set to false, Disable3DAPIs is ignored
// and it is equivalent to Disable3DAPIs being set to true.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message Disable3DAPIsProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: web pages cannot use WebGL and plugins cannot use the Pepper 3D API.
// false or unset: those APIs are potentially available. Ignored (treated as
// true) when HardwareAccelerationModeEnabled is false.
optional bool Disable3DAPIs = 2;
}
// Refresh rate for user policy
//
// Specifies the period in milliseconds at which the device management service
// is queried for user policy information.
//
// Setting this policy overrides the default value of 3 hours. Valid values for
// this policy are in the range from 1800000 (30 minutes) to 86400000 (1 day).
// Any values not in this range will be clamped to the respective boundary. If
// the platform supports policy notifications, the refresh delay will be set to
// 24 hours because it is expected that policy notifications will force a
// refresh automatically whenever policy changes.
//
// Leaving this policy not set will make Google Chrome use the default value of
// 3 hours.
//
// Note that if the platform supports policy notifications, the refresh delay
// will be set to 24 hours (ignoring all defaults and the value of this policy)
// because it is expected that policy notifications will force a refresh
// automatically whenever policy changes, making more frequent refreshes
// unnecessary.
//
// Supported on: chrome_os
message PolicyRefreshRateProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// User policy refresh period in milliseconds. Documented valid range is
// 1800000 (30 minutes) to 86400000 (1 day); out-of-range values are clamped
// by the consumer, not by this schema. Unset means the 3 hour default.
optional int64 PolicyRefreshRate = 2;
}
// Maximum fetch delay after a policy invalidation
//
// Specifies the maximum delay in milliseconds between receiving a policy
// invalidation and fetching the new policy from the device management service.
//
// Setting this policy overrides the default value of 5000 milliseconds. Valid
// values for this policy are in the range from 1000 (1 second) to 300000 (5
// minutes). Any values not in this range will be clamped to the respective
// boundary.
//
// Leaving this policy not set will make Google Chrome use the default value of
// 5000 milliseconds.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message MaxInvalidationFetchDelayProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Maximum delay in milliseconds between a policy invalidation and the fetch
// of the new policy. Documented valid range is 1000 (1 second) to 300000
// (5 minutes); out-of-range values are clamped by the consumer. Unset means
// the 5000 millisecond default.
optional int64 MaxInvalidationFetchDelay = 2;
}
// Default HTML renderer for Google Chrome Frame
//
// Allows you to configure the default HTML renderer when Google Chrome Frame is
// installed.
// The default setting used when this policy is left not set is to let the
// host browser do the rendering, but you can optionally override this and have
// Google Chrome Frame render HTML pages by default.
//
// Valid values:
// 0: Use the host browser by default
// 1: Use Google Chrome Frame by default
//
// Supported on:
message ChromeFrameRendererSettingsProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Default renderer selector: 0 = host browser, 1 = Google Chrome Frame. The
// field is a plain int64, so other values are representable on the wire. The
// "Supported on" list above is empty.
optional int64 ChromeFrameRendererSettings = 2;
}
// Always render the following URL patterns in Google Chrome Frame
//
// Customize the list of URL patterns that should always be rendered by Google
// Chrome Frame.
//
// If this policy is not set the default renderer will be used for all sites as
// specified by the 'ChromeFrameRendererSettings' policy.
//
// For example patterns see
// https://www.chromium.org/developers/how-tos/chrome-frame-getting-started.
//
// Supported on:
message RenderInChromeFrameListProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// URL patterns that are always rendered by Google Chrome Frame. When unset,
// the renderer chosen by ChromeFrameRendererSettings is used for all sites.
optional StringList RenderInChromeFrameList = 2;
}
// Always render the following URL patterns in the host browser
//
// Customize the list of URL patterns that should always be rendered by the host
// browser.
//
// If this policy is not set the default renderer will be used for all sites as
// specified by the 'ChromeFrameRendererSettings' policy.
//
// For example patterns see
// https://www.chromium.org/developers/how-tos/chrome-frame-getting-started.
//
// Supported on:
message RenderInHostListProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// URL patterns that are always rendered by the host browser. When unset, the
// renderer chosen by ChromeFrameRendererSettings is used for all sites.
optional StringList RenderInHostList = 2;
}
// Additional command line parameters for Google Chrome
//
// Allows you to specify additional parameters that are used when Google Chrome
// Frame launches Google Chrome.
//
// If this policy is not set the default command line will be used.
//
// Supported on:
message AdditionalLaunchParametersProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Extra command line parameters used when Google Chrome Frame launches Google
// Chrome. This is a free-form string; the schema places no constraint on its
// content. Unset means the default command line is used.
optional string AdditionalLaunchParameters = 2;
}
// Skip the meta tag check in Google Chrome Frame
//
// Normally pages with X-UA-Compatible set to chrome=1 will be rendered in
// Google Chrome Frame regardless of the 'ChromeFrameRendererSettings' policy.
//
// If you enable this setting, pages will not be scanned for meta tags.
//
// If you disable this setting, pages will be scanned for meta tags.
//
// If this policy is not set, pages will be scanned for meta tags.
//
// Supported on:
message SkipMetadataCheckProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: pages are not scanned for meta tags. false or unset: pages are
// scanned, and pages with X-UA-Compatible set to chrome=1 are rendered in
// Google Chrome Frame regardless of ChromeFrameRendererSettings.
optional bool SkipMetadataCheck = 2;
}
// Allow Google Chrome Frame to handle the listed content types
//
// If this policy is set, the specified content types are handled by Google
// Chrome Frame.
//
// If this policy is not set, the default renderer is used for all sites. (The
// ChromeFrameRendererSettings policy may be used to configure the default
// renderer.)
//
// Supported on:
message ChromeFrameContentTypesProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Content types that Google Chrome Frame handles. When unset, the default
// renderer is used for all sites.
optional StringList ChromeFrameContentTypes = 2;
}
// Enable lock when the device becomes idle or suspended
//
// Enable lock when Google Chrome OS devices become idle or suspended.
//
// If you enable this setting, users will be asked for a password to unlock the
// device from sleep.
//
// If you disable this setting, users will not be asked for a password to unlock
// the device from sleep.
//
// If you enable or disable this setting, users cannot change or override it.
//
// If the policy is left not set the user can choose whether they want to be
// asked for password to unlock the device or not.
//
// Supported on: chrome_os
message ChromeOsLockOnIdleSuspendProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: users are asked for a password to unlock the device from sleep.
// false: no password is asked. Either explicit value removes the user's
// choice; unset leaves the choice to the user, so a locked-down fleet needs
// this set to true explicitly.
optional bool ChromeOsLockOnIdleSuspend = 2;
}
// Control the user behavior in a multiprofile session
//
// Control the user behavior in a multiprofile session on Google Chrome OS
// devices.
//
// If this policy is set to 'MultiProfileUserBehaviorUnrestricted', the user can
// be either primary or secondary user in a multiprofile session.
//
// If this policy is set to 'MultiProfileUserBehaviorMustBePrimary', the user
// can only be the primary user in a multiprofile session.
//
// If this policy is set to 'MultiProfileUserBehaviorNotAllowed', the user
// cannot be part of a multiprofile session.
//
// If you set this setting, users cannot change or override it.
//
// If the setting is changed while the user is signed into a multiprofile
// session, all users in the session will be checked against their corresponding
// settings. The session will be closed if any one of the users is no longer
// allowed to be in the session.
//
// If the policy is left not set, the default value
// 'MultiProfileUserBehaviorMustBePrimary' applies for enterprise-managed users
// and 'MultiProfileUserBehaviorUnrestricted' will be used for non-managed
// users.
//
// Valid values:
// unrestricted: Allow enterprise user to be both primary and secondary
// (Default behavior for non-managed users)
// primary-only: Allow enterprise user to be primary multiprofile user only
// (Default behavior for enterprise-managed users)
// not-allowed: Do not allow enterprise user to be part of multiprofile
// (primary or secondary)
//
// Supported on: chrome_os
message ChromeOsMultiProfileUserBehaviorProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// One of the documented string values "unrestricted", "primary-only" or
// "not-allowed". The field is a plain string, so the schema does not reject
// other values. Unset means "primary-only" for enterprise-managed users and
// "unrestricted" for non-managed users.
optional string ChromeOsMultiProfileUserBehavior = 2;
}
// Allow Multiple Sign-in Within the Browser
//
// This setting allows users to switch between Google accounts within the
// content area of their browser window after they sign into their Google Chrome
// OS device.
//
// If this policy is set to false, signing in to a different account from the
// non-Incognito browser content area will not be allowed.
//
// If this policy is unset or set to true, the default behavior will be used:
// signing in to a different account from the browser content area will be
// allowed, except for child accounts where it will be blocked for non-Incognito
// content area.
//
// In case signing in to a different account shouldn't be allowed via the
// Incognito mode, consider blocking that mode using the
// IncognitoModeAvailability policy.
//
// Note that users will be able to access Google services in an unauthenticated
// state by blocking their cookies.
//
// Supported on: chrome_os
message SecondaryGoogleAccountSigninAllowedProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// false: signing in to a different account from the non-Incognito content
// area is not allowed. true or unset: allowed, except for child accounts.
// This does not cover Incognito mode; the description above points to
// IncognitoModeAvailability for that.
optional bool SecondaryGoogleAccountSigninAllowed = 2;
}
// Enable Instant
//
// Enables Google Chrome's Instant feature and prevents users from changing this
// setting.
//
// If you enable this setting, Google Chrome Instant is enabled.
//
// If you disable this setting, Google Chrome Instant is disabled.
//
// If you enable or disable this setting, users cannot change or override this
// setting.
//
// If this setting is left not set the user can decide to use this function or
// not.
//
// This setting has been removed from Google Chrome 29 and higher versions.
//
// Supported on:
message InstantEnabledProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: Instant is enabled; false: disabled; unset: the user decides.
// The description above states the setting was removed from Google Chrome 29
// and higher, and the "Supported on" list is empty.
optional bool InstantEnabled = 2;
}
// Enable App Recommendations in Zero State of Search Box
//
// Enable App Recommendation in Zero State of search box in launcher.
//
// If this policy is set to true, App recommendations may appear in the zero
// state search.
//
// If this policy is set to false, App recommendations will not appear in the
// zero state search.
//
// If you set this policy, users cannot change or override it.
//
// If this policy is left unset, the default is False for managed devices.
//
// Supported on: chrome_os
message AppRecommendationZeroStateEnabledProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: app recommendations may appear in the zero state search. false: they
// do not appear. Unset defaults to false on managed devices.
optional bool AppRecommendationZeroStateEnabled = 2;
}
// Enable Translate
//
// Enables the integrated Google Translate service on Google Chrome.
//
// If you enable this setting, Google Chrome will offer translation
// functionality to the user by showing an integrated translate toolbar (when
// appropriate) and a translate option on the right-click context menu.
//
// If you disable this setting, all built-in translate features will be
// disabled.
//
// If you enable or disable this setting, users cannot change or override this
// setting in Google Chrome.
//
// If this setting is left not set the user can decide to use this function or
// not.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message TranslateEnabledProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: the integrated Google Translate toolbar and context-menu option are
// offered. false: all built-in translate features are disabled. Unset: the
// user decides.
optional bool TranslateEnabled = 2;
}
// Allow running plugins that are outdated
//
// If you enable this setting, outdated plugins are used as normal plugins.
//
// If you disable this setting, outdated plugins will not be used and users will
// not be asked for permission to run them.
//
// If this setting is not set, users will be asked for permission to run
// outdated plugins.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message AllowOutdatedPluginsProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: outdated plugins run like normal plugins. false: outdated plugins
// are not used and the user is not prompted. Unset: the user is asked for
// permission. false is the only value that keeps outdated plugins from
// running at all.
optional bool AllowOutdatedPlugins = 2;
}
// Always runs plugins that require authorization (deprecated)
//
// If you enable this setting, plugins that are not outdated always run.
//
// If this setting is disabled or not set, users will be asked for permission to
// run plugins that require authorization. These are plugins that can compromise
// security.
//
// Supported on:
message AlwaysAuthorizePluginsProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Deprecated policy. true: plugins that are not outdated always run. false or
// unset: users are asked before running plugins that require authorization,
// which the description above characterises as plugins that can compromise
// security.
optional bool AlwaysAuthorizePlugins = 2;
}
// Extend Flash content setting to all content
//
// If you enable this setting, all Flash content embedded on websites that have
// been set to allow Flash in content settings -- either by the user or by
// enterprise policy -- will be run, including content from other origins or
// small content.
//
// To control which websites are allowed to run Flash, see the
// "DefaultPluginsSetting", "PluginsAllowedForUrls", and "PluginsBlockedForUrls"
// policies.
//
// If this setting is disabled or not set, Flash content from other origins or
// small content might be blocked.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RunAllFlashInAllowModeProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: on sites already allowed to run Flash, all embedded Flash content
// runs, including content from other origins and small content. false or
// unset: such content might be blocked.
optional bool RunAllFlashInAllowMode = 2;
}
// Enable Bookmark Bar
//
// If you enable this setting, Google Chrome will show a bookmark bar.
//
// If you disable this setting, users will never see the bookmark bar.
//
// If you enable or disable this setting, users cannot change or override it in
// Google Chrome.
//
// If this setting is left not set the user can decide to use this function or
// not.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message BookmarkBarEnabledProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: the bookmark bar is shown. false: users never see it. Unset: the user
// decides.
optional bool BookmarkBarEnabled = 2;
}
// Enable or disable bookmark editing
//
// If you enable this setting, bookmarks can be added, removed or modified. This
// is the default also when this policy is not set.
//
// If you disable this setting, bookmarks can not be added, removed or modified.
// Existing bookmarks are still available.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message EditBookmarksEnabledProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true or unset: bookmarks can be added, removed or modified. false: they
// cannot, but existing bookmarks remain available.
optional bool EditBookmarksEnabled = 2;
}
// Show the apps shortcut in the bookmark bar
//
// Enables or disables the apps shortcut in the bookmark bar.
//
// If this policy is not set then the user can choose to show or hide the apps
// shortcut from the bookmark bar context menu.
//
// If this policy is configured then the user can't change it, and the apps
// shortcut is always shown or never shown.
//
// Supported on: fuchsia, linux, mac, win
message ShowAppsShortcutInBookmarkBarProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// When set, the apps shortcut is always shown or never shown and the user
// cannot change it (presumably true = shown; the description above does not
// spell out the mapping). Unset: the user chooses from the bookmark bar
// context menu.
optional bool ShowAppsShortcutInBookmarkBar = 2;
}
// Allow invocation of file selection dialogs
//
// Allows access to local files on the machine by allowing Google Chrome to
// display file selection dialogs.
//
// If you enable this setting, users can open file selection dialogs as normal.
//
// If you disable this setting, whenever the user performs an action which would
// provoke a file selection dialog (like importing bookmarks, uploading files,
// saving links, etc.) a message is displayed instead and the user is assumed to
// have clicked Cancel on the file selection dialog.
//
// If this setting is not set, users can open file selection dialogs as normal.
//
// Supported on: fuchsia, linux, mac, win
message AllowFileSelectionDialogsProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true or unset: file selection dialogs open as normal. false: any action
// that would open one shows a message instead and is treated as if the user
// clicked Cancel.
optional bool AllowFileSelectionDialogs = 2;
}
// URLs/domains automatically permitted direct Security Key attestation
//
// Specifies URLs and domains for which no prompt will be shown when attestation
// certificates from Security Keys are requested. Additionally, a signal will be
// sent to the Security Key indicating that individual attestation may be used.
// Without this, users will be prompted in Chrome 65+ when sites request
// attestation of Security Keys.
//
// URLs (like https://example.com/some/path) will only match as U2F appIDs.
// Domains (like example.com) only match as webauthn RP IDs. Thus, to cover both
// U2F and webauthn APIs for a given site, both the appID URL and domain would
// need to be listed.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message SecurityKeyPermitAttestationProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Entries for which Security Key attestation is granted without a user
// prompt and individual attestation may be used. A URL entry matches only as
// a U2F appID and a bare domain entry matches only as a webauthn RP ID, so a
// site using both APIs needs both forms listed. Every entry suppresses the
// prompt for that site, so the list is best kept to sites that need it.
optional StringList SecurityKeyPermitAttestation = 2;
}
// Set Google Chrome Frame user data directory
//
// Configures the directory that Google Chrome Frame will use for storing user
// data.
//
// If you set this policy, Google Chrome Frame will use the provided directory.
//
// See
// https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables
// for a list of variables that can be used.
//
// If this setting is left not set the default profile directory will be used.
//
// Supported on:
message GCFUserDataDirProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Directory Google Chrome Frame uses for storing user data; may contain the
// variables referenced in the description above. Unset means the default
// profile directory.
optional string GCFUserDataDir = 2;
}
// Import bookmarks from default browser on first run
//
// This policy forces bookmarks to be imported from the current default browser
// if enabled. If enabled, this policy also affects the import dialog.
//
// If disabled, no bookmarks are imported.
//
// If it is not set, the user may be asked whether to import, or importing may
// happen automatically.
//
// Supported on: fuchsia, linux, mac, win
message ImportBookmarksProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: bookmarks are imported from the current default browser on first
// run. false: none are imported. Unset: the user may be asked, or the import
// may happen automatically.
optional bool ImportBookmarks = 2;
}
// Import browsing history from default browser on first run
//
// This policy forces the browsing history to be imported from the current
// default browser if enabled. If enabled, this policy also affects the import
// dialog.
//
// If disabled, no browsing history is imported.
//
// If it is not set, the user may be asked whether to import, or importing may
// happen automatically.
//
// Supported on: fuchsia, linux, mac, win
message ImportHistoryProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: browsing history is imported from the current default browser on
// first run. false: none is imported. Unset: the user may be asked, or the
// import may happen automatically.
optional bool ImportHistory = 2;
}
// Import of homepage from default browser on first run
//
// This policy forces the home page to be imported from the current default
// browser if enabled.
//
// If disabled, the home page is not imported.
//
// If it is not set, the user may be asked whether to import, or importing may
// happen automatically.
//
// Supported on: fuchsia, linux, mac, win
message ImportHomepageProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: the home page is imported from the current default browser on first
// run. false: it is not imported. Unset: the user may be asked, or the import
// may happen automatically.
optional bool ImportHomepage = 2;
}
// Import search engines from default browser on first run
//
// This policy forces search engines to be imported from the current default
// browser if enabled. If enabled, this policy also affects the import dialog.
//
// If disabled, the default search engine is not imported.
//
// If it is not set, the user may be asked whether to import, or importing may
// happen automatically.
//
// Supported on: fuchsia, linux, mac, win
message ImportSearchEngineProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: search engines are imported from the current default browser on
// first run. false: the default search engine is not imported. Unset: the
// user may be asked, or the import may happen automatically.
optional bool ImportSearchEngine = 2;
}
// Import saved passwords from default browser on first run
//
// This policy forces the saved passwords to be imported from the previous
// default browser if enabled. If enabled, this policy also affects the import
// dialog.
//
// If disabled, the saved passwords are not imported.
//
// If it is not set, the user may be asked whether to import, or importing may
// happen automatically.
//
// Supported on: fuchsia, linux, mac, win
message ImportSavedPasswordsProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: saved passwords are imported from the previous default browser on
// first run. false: they are not imported. Unset: the user may be asked, or
// the import may happen automatically, so only an explicit false guarantees
// that no credentials are copied.
optional bool ImportSavedPasswords = 2;
}
// Import autofill form data from default browser on first run
//
// This policy forces the autofill form data to be imported from the previous
// default browser if enabled. If enabled, this policy also affects the import
// dialog.
//
// If disabled, the autofill form data is not imported.
//
// If it is not set, the user may be asked whether to import, or importing may
// happen automatically.
//
// Supported on: fuchsia, linux, mac, win
message ImportAutofillFormDataProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: autofill form data is imported from the previous default browser on
// first run. false: it is not imported. Unset: the user may be asked, or the
// import may happen automatically.
optional bool ImportAutofillFormData = 2;
}
// Maximal number of concurrent connections to the proxy server
//
// Specifies the maximal number of simultaneous connections to the proxy server.
//
// Some proxy servers cannot handle a high number of concurrent connections per
// client; setting this policy to a lower value can solve this.
//
// The value of this policy should be lower than 100 and higher than 6 and the
// default value is 32.
//
// Some web apps are known to consume many connections with hanging GETs, so
// lowering below 32 may lead to browser networking hangs if too many such web
// apps are open. Lower below the default at your own risk.
//
// If this policy is left not set the default value will be used which is 32.
//
// Supported on: fuchsia, linux, mac, win
message MaxConnectionsPerProxyProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Maximum number of simultaneous connections to the proxy server. The
// description above asks for a value higher than 6 and lower than 100; the
// int64 type does not enforce that range. Unset means the default of 32.
optional int64 MaxConnectionsPerProxy = 2;
}
// Prevent app promotions from appearing on the new tab page
//
// When set to True, promotions for Chrome Web Store apps will not appear on the
// new tab page.
//
// Setting this option to False or leaving it not set will make the promotions
// for Chrome Web Store apps appear on the new tab page.
//
// Supported on:
message HideWebStorePromoProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true: Chrome Web Store app promotions do not appear on the new tab page.
// false or unset: they appear. The "Supported on" list above is empty.
optional bool HideWebStorePromo = 2;
}
// Block access to a list of URLs
//
// This policy prevents the user from loading web pages from blacklisted URLs.
// The blacklist provides a list of URL patterns that specify which URLs will be
// blacklisted.
//
// A URL pattern has to be formatted according to
// https://www.chromium.org/administrators/url-blacklist-filter-format.
//
// Exceptions can be defined in the URL whitelist policy. These policies are
// limited to 1000 entries; subsequent entries will be ignored.
//
// Note that it is not recommended to block internal 'chrome://*' URLs since
// this may lead to unexpected errors.
//
// From M73 you can block 'javascript://*' URLs. However, it affects only
// JavaScript typed in address bar (or, for example, bookmarklets). Note that
// in-page JavaScript URLs, as well as dynamically loaded data, are not subject
// to this policy. For example, if you block 'example.com/abc', page
// 'example.com' will still be able to load 'example.com/abc' via
// XMLHttpRequest.
//
// If this policy is not set no URL will be blacklisted in the browser.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, webview_android, win
message URLBlacklistProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// URL patterns the user is prevented from loading. Only the first 1000
// entries are honoured; later entries are ignored, so an over-long list
// silently leaves its tail unblocked. Per the description above, in-page
// loads such as XMLHTTPRequest are not subject to this list. Unset means no
// URL is blocked.
optional StringList URLBlacklist = 2;
}
// Allow access to a list of URLs
//
// Allows access to the listed URLs, as exceptions to the URL blacklist.
//
// See the description of the URL blacklist policy for the format of entries of
// this list.
//
// This policy can be used to open exceptions to restrictive blacklists. For
// example, '*' can be blacklisted to block all requests, and this policy can be
// used to allow access to a limited list of URLs. It can be used to open
// exceptions to certain schemes, subdomains of other domains, ports, or
// specific paths.
//
// The most specific filter will determine if a URL is blocked or allowed. The
// whitelist takes precedence over the blacklist.
//
// This policy is limited to 1000 entries; subsequent entries will be ignored.
//
// If this policy is not set there will be no exceptions to the blacklist from
// the 'URLBlacklist' policy.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, webview_android, win
message URLWhitelistProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// URL patterns allowed as exceptions to URLBlacklist, in the same entry
// format. The most specific filter decides and this list takes precedence
// over the blacklist, so broad entries here can undo a restrictive blacklist.
// Only the first 1000 entries are honoured.
optional StringList URLWhitelist = 2;
}
// Allow merging list policies from different sources
//
// Allows the selected policies to be merged when they come from different
// sources, with the same scopes and level.
//
// If a policy is in the list, in case there is conflict between two sources,
// given that they have the same scopes and level, the values will be merged
// into a new policy list.
//
// If a policy is in the list, in case there is conflict between two sources but
// also between different scopes and/or level, the policy with the highest
// priority will be applied.
//
// If a policy is not in the list, in case there is any conflict between
// sources, scopes and/or level, the policy with the highest priority will be
// applied.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message PolicyListMultipleSourceMergeListProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Names of list policies whose values are merged when they come from
// different sources with the same scope and level. Policies not listed here
// are resolved by priority instead of being merged.
optional StringList PolicyListMultipleSourceMergeList = 2;
}
// Allow merging dictionary policies from different sources
//
// Allows the selected policies to be merged when they come from different
// sources, with the same scopes and level.
//
// The merging consists in merging the first level keys of the dictionary from
// each source. In case of conflict between keys, the key coming from the
// highest priority source will be applied.
//
// If a policy is in the list, in case there is conflict between two sources,
// given that they have the same scopes and level, the values will be merged
// into a new policy dictionary.
//
// If a policy is in the list, in case there is conflict between two sources but
// also between different scopes and/or level, the policy with the highest
// priority will be applied.
//
// If a policy is not in the list, in case there is any conflict between
// sources, scopes and/or level, the policy with the highest priority will be
// applied.
//
// Valid values:
// ContentPackManualBehaviorURLs: Managed user manual exception URLs
// DeviceLoginScreenPowerManagement: Power management on the login screen
// ExtensionSettings: Extension management settings
// KeyPermissions: Key Permissions
// PowerManagementIdleSettings: Power management settings when the user
// becomes idle
// ScreenBrightnessPercent: Screen brightness percent
// ScreenLockDelays: Screen lock delays
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message PolicyDictionaryMultipleSourceMergeListProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Names of dictionary policies whose first-level keys are merged across
// sources with the same scope and level; the documented valid names are
// listed in the description above. On a key conflict the highest priority
// source wins. The StringList type does not restrict entries to those names.
optional StringList PolicyDictionaryMultipleSourceMergeList = 2;
}
// User-level network configuration
//
// Allows pushing network configuration to be applied per-user to a Chromium OS
// device. The network configuration is a JSON-formatted string as defined by
// the Open Network Configuration format.
//
// Supported on: chrome_os
message OpenNetworkConfigurationProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Per-user network configuration as a JSON-formatted string in the Open
// Network Configuration format. The proto carries it as an opaque string, so
// parsing and validation happen in the consumer.
optional string OpenNetworkConfiguration = 2;
}
// Enable submission of documents to Google Cloud Print
//
// Enables Google Chrome to submit documents to Google Cloud Print for printing.
// NOTE: This only affects Google Cloud Print support in Google Chrome. It does
// not prevent users from submitting print jobs on web sites.
//
// If this setting is enabled or not configured, users can print to Google Cloud
// Print from the Google Chrome print dialog.
//
// If this setting is disabled, users cannot print to Google Cloud Print from
// the Google Chrome print dialog.
//
// Supported on: fuchsia, linux, mac, win
message CloudPrintSubmitEnabledProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// true or unset: users can print to Google Cloud Print from the print dialog.
// false: they cannot. This does not prevent print jobs submitted on web
// sites.
optional bool CloudPrintSubmitEnabled = 2;
}
// Enterprise web store URL (deprecated)
//
// This setting has been retired as of Google Chrome version 29. The recommended
// way to set up organization-hosted extension/app collections is to include the
// site hosting the CRX packages in ExtensionInstallSources and put direct
// download links to the packages on a web page. A launcher for that web page
// can be created using the ExtensionInstallForcelist policy.
//
// Supported on:
message EnterpriseWebStoreURLProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Deprecated: retired as of Google Chrome version 29. The description above
// recommends ExtensionInstallSources and ExtensionInstallForcelist instead.
optional string EnterpriseWebStoreURL = 2;
}
// Enterprise web store name (deprecated)
//
// This setting has been retired as of Google Chrome version 29. The recommended
// way to set up organization-hosted extension/app collections is to include the
// site hosting the CRX packages in ExtensionInstallSources and put direct
// download links to the packages on a web page. A launcher for that web page
// can be created using the ExtensionInstallForcelist policy.
//
// Supported on:
message EnterpriseWebStoreNameProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Deprecated: retired as of Google Chrome version 29. The description above
// recommends ExtensionInstallSources and ExtensionInstallForcelist instead.
optional string EnterpriseWebStoreName = 2;
}
// Enable TLS domain-bound certificates extension (deprecated)
//
// This policy has been retired as of Google Chrome version 36.
//
// Specifies whether the TLS domain-bound certificates extension should be
// enabled.
//
// This setting is used to enable the TLS domain-bound certificates extension
// for testing. This experimental setting will be removed in the future.
//
// Supported on:
message EnableOriginBoundCertsProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Deprecated: retired as of Google Chrome version 36. Formerly enabled the
// experimental TLS domain-bound certificates extension for testing.
optional bool EnableOriginBoundCerts = 2;
}
// Enable reporting memory info (JS heap size) to page (deprecated)
//
// This policy has been retired as of Google Chrome version 35.
//
// Memory info is reported to the page regardless of the option value, but the
// sizes reported are quantized and the rate of updates is limited for security
// reasons. To obtain real-time precise data, please use tools like Telemetry.
//
// Supported on:
message EnableMemoryInfoProto {
// Options attached to this policy, such as its PolicyMode. PolicyOptions is
// declared in cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Deprecated: retired as of Google Chrome version 35. Per the description
// above the value no longer changes behaviour: memory info is reported to the
// page either way, quantized and rate-limited.
optional bool EnableMemoryInfo = 2;
}
// Disable Print Preview
//
// Show the system print dialog instead of print preview.
//
// When this setting is enabled, Google Chrome will open the system print dialog
// instead of the built-in print preview when a user requests a page to be
// printed.
//
// If this policy is not set or is set to false, print commands trigger the
// print preview screen.
//
// Supported on: fuchsia, linux, mac, win
message DisablePrintPreviewProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true: the system print dialog opens instead of the built-in print preview.
  // Unset or false: print commands open the print preview screen.
  optional bool DisablePrintPreview = 2;
}
// Print Headers and Footers
//
// Force 'headers and footers' to be on or off in the printing dialog.
//
// If the policy is unset, the user can decide whether to print headers and
// footers.
//
// If the policy is set to false, 'Headers and footers' is not selected in the
// print preview dialog, and the user cannot change it.
//
// If the policy is set to true, 'Headers and footers' is selected in the print
// preview dialog, and the user cannot change it.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message PrintHeaderFooterProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true/false forces 'Headers and footers' on/off in the print preview dialog
  // with no user override; unset leaves the choice to the user.
  optional bool PrintHeaderFooter = 2;
}
// Default printer selection rules
//
// Overrides Google Chrome default printer selection rules.
//
// This policy determines the rules for selecting the default printer in Google
// Chrome which happens the first time the print function is used with a
// profile.
//
// When this policy is set, Google Chrome will attempt to find a printer
// matching all of the specified attributes, and select it as default printer.
// The first printer found matching the policy is selected, in case of non-
// unique match any matching printer can be selected, depending on the order
// printers are discovered.
//
// If this policy is not set or matching printer is not found within the
// timeout, the printer defaults to built-in PDF printer or no printer selected,
// when PDF printer is not available.
//
// Printers connected to Google Cloud Print are considered "cloud", the rest of
// the printers are classified as "local".
// Omitting a field means all values match, for example, not specifying
// connectivity will cause Print Preview to initiate the discovery of all kinds
// of printers, local and cloud.
// Regular expression patterns must follow the JavaScript RegExp syntax and
// matches are case sensitive.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message DefaultPrinterSelectionProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Printer-matching rules carried as one string. The description names the
  // matchable attributes and JavaScript RegExp patterns but not the encoding.
  // NOTE(review): presumably JSON; confirm against the policy template.
  optional string DefaultPrinterSelection = 2;
}
// Disable TLS False Start
//
// Specifies whether the TLS False Start optimization should be disabled. For
// historical reasons, this policy is named DisableSSLRecordSplitting.
//
// If the policy is not set, or is set to false, then TLS False Start will be
// enabled. If it is set to true, TLS False Start will be disabled.
//
// Supported on:
message DisableSSLRecordSplittingProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true disables TLS False Start; unset or false leaves it enabled. The field
  // name is historical: the value controls TLS False Start.
  optional bool DisableSSLRecordSplitting = 2;
}
// Enable online OCSP/CRL checks
//
// In light of the fact that soft-fail, online revocation checks provide no
// effective security benefit, they are disabled by default in Google Chrome
// version 19 and later. By setting this policy to true, the previous behavior
// is restored and online OCSP/CRL checks will be performed.
//
// If the policy is not set, or is set to false, then Google Chrome will not
// perform online revocation checks in Google Chrome 19 and later.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message EnableOnlineRevocationChecksProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true restores soft-fail online OCSP/CRL checks; unset or false leaves them
  // off (Google Chrome 19 and later). The description states that soft-fail
  // checks provide no effective security benefit.
  optional bool EnableOnlineRevocationChecks = 2;
}
// Require online OCSP/CRL checks for local trust anchors
//
// When this setting is enabled, Google Chrome will always perform revocation
// checking for server certificates that successfully validate and are signed by
// locally-installed CA certificates.
//
// If Google Chrome is unable to obtain revocation status information, such
// certificates will be treated as revoked ('hard-fail').
//
// If this policy is not set, or it is set to false, then Google Chrome will use
// the existing online revocation checking settings.
//
// Supported on: chrome_os, linux, win
message RequireOnlineRevocationChecksForLocalAnchorsProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true makes revocation checking hard-fail for server certificates signed by
  // locally-installed CAs: if no revocation status can be obtained, the
  // certificate is treated as revoked. Unset or false keeps the existing
  // online revocation checking settings.
  optional bool RequireOnlineRevocationChecksForLocalAnchors = 2;
}
// Allow SHA-1 signed certificates issued by local trust anchors
//
// When this setting is enabled, Google Chrome allows SHA-1 signed certificates
// as long as they successfully validate and chain to a locally-installed CA
// certificate.
//
// Note that this policy depends on the operating system certificate
// verification stack allowing SHA-1 signatures. If an OS update changes the OS
// handling of SHA-1 certificates, this policy may no longer have effect.
// Further, this policy is intended as a temporary workaround to give
// enterprises more time to move away from SHA-1. This policy will be removed
// on or around January 1st 2019.
//
// If this policy is not set, or it is set to false, then Google Chrome follows
// the publicly announced SHA-1 deprecation schedule.
//
// Supported on:
message EnableSha1ForLocalAnchorsProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true accepts SHA-1 signed certificates that validate and chain to a
  // locally-installed CA; unset or false follows the SHA-1 deprecation
  // schedule. Described as a temporary workaround that also depends on the OS
  // verification stack still allowing SHA-1.
  optional bool EnableSha1ForLocalAnchors = 2;
}
// Allow certificates issued by local trust anchors without
// subjectAlternativeName extension
//
// When this setting is enabled, Google Chrome will use the commonName of a
// server certificate to match a hostname if the certificate is missing a
// subjectAlternativeName extension, as long as it successfully validates and
// chains to a locally-installed CA certificate.
//
// Note that this is not recommended, as this may allow bypassing the
// nameConstraints extension that restricts the hostnames that a given
// certificate can be authorized for.
//
// If this policy is not set, or is set to false, server certificates that lack
// a subjectAlternativeName extension containing either a DNS name or IP address
// will not be trusted.
//
// Supported on:
message EnableCommonNameFallbackForLocalAnchorsProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true falls back to commonName hostname matching when a certificate that
  // chains to a locally-installed CA has no subjectAlternativeName. The
  // description advises against it because it may bypass nameConstraints.
  // Unset or false: such certificates are not trusted.
  optional bool EnableCommonNameFallbackForLocalAnchors = 2;
}
// Enable trust in Symantec Corporation's Legacy PKI Infrastructure
//
// When this setting is enabled, Google Chrome allows certificates issued by
// Symantec Corporation's Legacy PKI operations to be trusted if they otherwise
// successfully validate and chain to a recognized CA certificate.
//
// Note that this policy depends on the operating system still recognizing
// certificates from Symantec's legacy infrastructure. If an OS update changes
// the OS handling of such certificates, this policy no longer has effect.
// Further, this policy is intended as a temporary workaround to give
// enterprises more time to transition away from legacy Symantec certificates.
// This policy will be removed on or around January 1st 2019.
//
// If this policy is not set, or it is set to false, then Google Chrome follows
// the publicly announced deprecation schedule.
//
// See https://g.co/chrome/symantecpkicerts for more details on this
// deprecation.
//
// Supported on:
message EnableSymantecLegacyInfrastructureProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true trusts certificates issued by Symantec's Legacy PKI operations when
  // they otherwise validate and chain to a recognized CA certificate; unset or
  // false follows the announced deprecation schedule. Described as a temporary
  // workaround that depends on the OS still recognizing those certificates.
  optional bool EnableSymantecLegacyInfrastructure = 2;
}
// Determines whether the built-in certificate verifier will be used to verify
// server certificates
//
// When this setting is enabled, Google Chrome OS will perform verification of
// server certificates using the built-in certificate verifier.
// When this setting is disabled, Google Chrome OS will perform verification of
// server certificates using the legacy certificate verifier provided by the
// platform.
// When this setting is not set, Google Chrome OS may use either the built-in
// or the legacy certificate verifier.
//
// This policy is planned to be removed in Google Chrome OS version 81, when
// support for the legacy certificate verifier on Google Chrome OS is planned to
// be removed.
//
// Supported on: chrome_os
message BuiltinCertificateVerifierEnabledProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true: server certificates are verified by the built-in verifier.
  // false: by the legacy verifier provided by the platform.
  // Unset: either verifier may be used.
  // The policy is planned for removal in Google Chrome OS version 81.
  optional bool BuiltinCertificateVerifierEnabled = 2;
}
// Ephemeral profile
//
// If set to enabled this policy forces the profile to be switched to ephemeral
// mode. If this policy is specified as an OS policy (e.g. GPO on Windows) it
// will apply to every profile on the system; if the policy is set as a Cloud
// policy it will apply only to a profile signed in with a managed account.
//
// In this mode the profile data is persisted on disk only for the length of the
// user session. Features like browser history, extensions and their data, web
// data like cookies and web databases are not preserved after the browser is
// closed. However, this does not prevent the user from manually downloading
// data to disk, saving pages or printing them.
//
// If the user has enabled sync all this data is preserved in their sync profile
// just like with regular profiles. Incognito mode is also available if not
// explicitly disabled by policy.
//
// If the policy is set to disabled or left not set signing in leads to regular
// profiles.
//
// Supported on: fuchsia, linux, mac, win
message ForceEphemeralProfilesProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true forces ephemeral mode: profile data stays on disk only for the length
  // of the user session. Per the description this does not cover data kept in
  // the user's sync profile or files the user downloads, saves or prints.
  // Unset or false: signing in leads to regular profiles.
  optional bool ForceEphemeralProfiles = 2;
}
// Limit the time for which a user authenticated via SAML can log in offline
//
// During login, Google Chrome OS can authenticate against a server (online) or
// using a cached password (offline).
//
// When this policy is set to a value of -1, the user can authenticate offline
// indefinitely. When this policy is set to any other value, it specifies the
// length of time since the last online authentication after which the user must
// use online authentication again.
//
// Leaving this policy not set will make Google Chrome OS use a default time
// limit of 14 days after which the user must use online authentication again.
//
// This policy affects only users who authenticated using SAML.
//
// The policy value should be specified in seconds.
//
// Supported on: chrome_os
message SAMLOfflineSigninTimeLimitProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Time in seconds since the last online authentication after which a SAML
  // user must authenticate online again. -1 allows offline (cached password)
  // sign-in indefinitely; unset means the 14-day default.
  optional int64 SAMLOfflineSigninTimeLimit = 2;
}
// Report information about status of Android
//
// Information about the status of Android is sent back to the
// server.
//
// If the policy is set to false or left unset, no status information is
// reported.
// If set to true, status information is reported.
//
// This policy only applies if Android apps are enabled.
//
// Supported on: chrome_os
message ReportArcStatusEnabledProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true reports Android status information to the server; unset or false
  // reports nothing. Applies only if Android apps are enabled.
  optional bool ReportArcStatusEnabled = 2;
}
// Report information about usage of Linux apps
//
// Information about the usage of Linux apps is sent back to the
// server.
//
// If the policy is set to false or left unset, no usage information is
// reported. If set to true, usage information is reported.
//
// This policy only applies if Linux app support is enabled.
//
// Supported on: chrome_os
message ReportCrostiniUsageEnabledProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true reports Linux app usage information to the server; unset or false
  // reports nothing. Applies only if Linux app support is enabled.
  optional bool ReportCrostiniUsageEnabled = 2;
}
// Allow managed session on device
//
// If this policy is set to false, managed guest session will behave as
// documented in https://support.google.com/chrome/a/answer/3017014 - the
// standard "Public Session".
//
// If this policy is set to true or left unset, managed guest session will take
// on "Managed Session" behaviour which lifts many of the restrictions that are
// in place for regular "Public Sessions".
//
// If this policy is set, the user cannot change or override it.
//
// Supported on: chrome_os
message DeviceLocalAccountManagedSessionEnabledProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // false: the managed guest session behaves as the standard "Public Session".
  // true or unset: "Managed Session" behaviour, which lifts many of the
  // Public Session restrictions, so the less restricted mode is the default.
  optional bool DeviceLocalAccountManagedSessionEnabled = 2;
}
// Continue running background apps when Google Chrome is closed
//
// Determines whether a Google Chrome process is started on OS login and keeps
// running when the last browser window is closed, allowing background apps and
// the current browsing session to remain active, including any session cookies.
// The background process displays an icon in the system tray and can always be
// closed from there.
//
// If this policy is set to True, background mode is enabled and cannot be
// controlled by the user in the browser settings.
//
// If this policy is set to False, background mode is disabled and cannot be
// controlled by the user in the browser settings.
//
// If this policy is left unset, background mode is initially disabled and can
// be controlled by the user in the browser settings.
//
// Supported on: linux, win
message BackgroundModeEnabledProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true/false forces background mode on/off with no user control; unset
  // starts disabled and user-controllable. In background mode the browsing
  // session, including session cookies, stays active after the last window is
  // closed.
  optional bool BackgroundModeEnabled = 2;
}
// Disable Drive in the Google Chrome OS Files app
//
// Disables Google Drive syncing in the Google Chrome OS Files app when set to
// True. In that case, no data is uploaded to Google Drive.
//
// If not set or set to False, then users will be able to transfer files to
// Google Drive.
//
// Supported on: chrome_os
message DriveDisabledProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true disables Google Drive syncing in the Files app, so no data is
  // uploaded to Google Drive; unset or false lets users transfer files there.
  optional bool DriveDisabled = 2;
}
// Disable Google Drive over cellular connections in the Google Chrome OS Files
// app
//
// Disables Google Drive syncing in the Google Chrome OS Files app when using a
// cellular connection when set to True. In that case, data is only synced to
// Google Drive when connected via WiFi or Ethernet.
//
// If not set or set to False, then users will be able to transfer files to
// Google Drive via cellular connections.
//
// Supported on: chrome_os
message DriveDisabledOverCellularProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true restricts Google Drive syncing in the Files app to WiFi or Ethernet;
  // unset or false also allows transfers over cellular connections.
  optional bool DriveDisabledOverCellular = 2;
}
// List of pinned apps to show in the launcher
//
// Lists the application identifiers Google Chrome OS shows as pinned apps in
// the launcher bar.
//
// Chrome Apps are specified by their Id, e.g.
// "pjkljhegncpnkpknbcohdijeoejaedia", Android Apps by their package name, e.g.
// "com.google.android.gm", and Web Apps are specified by the URL used in
// WebAppInstallForceList e.g. "https://google.com/maps".
//
// If this policy is configured, the set of applications is fixed and can't be
// changed by the user.
//
// If this policy is left unset, the user may change the list of pinned apps in
// the launcher.
//
// Supported on: chrome_os
message PinnedLauncherAppsProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Application identifiers to pin in the launcher: Chrome App ids, Android
  // package names, or Web App URLs as used in WebAppInstallForceList. When
  // set, the user cannot change the pinned set. The StringList type is
  // imported from cloud_policy_full_runtime.proto.
  optional StringList PinnedLauncherApps = 2;
}
// Restrict which Google accounts are allowed to be set as browser primary
// accounts in Google Chrome
//
// Contains a regular expression which is used to determine which Google
// accounts can be set as browser primary accounts in Google Chrome (i.e. the
// account that is chosen during the Sync opt-in flow).
//
// An appropriate error is displayed if a user tries to set a browser primary
// account with a username that does not match this pattern.
//
// If this policy is left not set or blank, then the user can set any Google
// account as a browser primary account in Google Chrome.
//
// Supported on: fuchsia, linux, mac, win
message RestrictSigninToPatternProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Regular expression a username must match to be set as the browser primary
  // account; unset or blank allows any Google account.
  // NOTE(review): the description does not say whether the pattern must match
  // the whole username; confirm before relying on an unanchored pattern.
  optional string RestrictSigninToPattern = 2;
}
// Disable proceeding from the Safe Browsing warning page
//
// The Safe Browsing service shows a warning page when users navigate to sites
// that are flagged as potentially malicious. Enabling this setting prevents
// users from proceeding anyway from the warning page to the malicious site.
//
// This policy only prevents users from proceeding past Safe Browsing warnings
// (e.g. malware and phishing); it does not apply to SSL certificate related
// issues like invalid or expired certificates.
//
// If this setting is disabled or not configured then users can choose to
// proceed to the flagged site after being shown the warning.
//
// See https://developers.google.com/safe-browsing for more info on Safe
// Browsing.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message DisableSafeBrowsingProceedAnywayProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true prevents users from proceeding from the Safe Browsing warning page to
  // the flagged site; unset or false lets them proceed after the warning.
  // SSL certificate errors are outside the scope of this policy.
  optional bool DisableSafeBrowsingProceedAnyway = 2;
}
// Allow users to opt in to Safe Browsing extended reporting
//
// This setting is deprecated, use SafeBrowsingExtendedReportingEnabled instead.
// Enabling or disabling SafeBrowsingExtendedReportingEnabled is equivalent to
// setting SafeBrowsingExtendedReportingOptInAllowed to False.
//
// Setting this policy to false stops users from choosing to send some system
// information and page content to Google servers. If this setting is true or
// not configured, then users will be allowed to send some system information
// and page content to Safe Browsing to help detect dangerous apps and sites.
//
// See https://developers.google.com/safe-browsing for more info on Safe
// Browsing.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message SafeBrowsingExtendedReportingOptInAllowedProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Deprecated in favour of SafeBrowsingExtendedReportingEnabled. false stops
  // users from choosing to send some system information and page content to
  // Google servers; true or unset allows that choice.
  optional bool SafeBrowsingExtendedReportingOptInAllowed = 2;
}
// Enable or disable spell checking web service
//
// Google Chrome can use a Google web service to help resolve spelling errors.
// If this setting is enabled, then this service is always used. If this setting
// is disabled, then this service is never used.
//
// Spell checking can still be performed using a downloaded dictionary; this
// policy only controls the usage of the online service.
//
// If this setting is not configured then users can choose whether the spell
// checking service should be used or not.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message SpellCheckServiceEnabledProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true: the Google spell-checking web service is always used; false: never
  // used; unset: the user chooses. Spell checking with a downloaded dictionary
  // is not affected.
  optional bool SpellCheckServiceEnabled = 2;
}
// Disable mounting of external storage
//
// When this policy is set to true, external storage will not be available in
// the file browser.
//
// This policy affects all types of storage media. For example: USB flash
// drives, external hard drives, SD and other memory cards, optical storage etc.
// Internal storage is not affected, therefore files saved in the Download
// folder can still be accessed. Google Drive is also not affected by this
// policy.
//
// If this setting is disabled or not configured then users can use all
// supported types of external storage on their device.
//
// Supported on: chrome_os
message ExternalStorageDisabledProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true makes all external storage media unavailable in the file browser;
  // unset or false allows every supported type. Internal storage and Google
  // Drive are not affected.
  optional bool ExternalStorageDisabled = 2;
}
// Treat external storage devices as read-only
//
// When this policy is set to true, users cannot write anything to external
// storage devices.
//
// If this setting is set to false or not configured, then users can create and
// modify files of external storage devices which are physically writable.
//
// The ExternalStorageDisabled policy takes precedence over this policy - if
// ExternalStorageDisabled is set to true, then all access to external storage
// is disabled and this policy is consequently ignored.
//
// Dynamic refresh of this policy is supported in M56 and later.
//
// Supported on: chrome_os
message ExternalStorageReadOnlyProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true blocks all writes to external storage devices; unset or false allows
  // creating and modifying files on physically writable devices. Ignored when
  // ExternalStorageDisabled is true, which disables all access.
  optional bool ExternalStorageReadOnly = 2;
}
// Allow playing audio
//
// When this policy is set to false, audio output will not be available on the
// device while the user is logged in.
//
// This policy affects all types of audio output and not only the built-in
// speakers. Audio accessibility features are also inhibited by this policy. Do
// not enable this policy if a screen reader is required for the user.
//
// If this setting is set to true or not configured then users can use all
// supported audio outputs on their device.
//
// Supported on: chrome_os
message AudioOutputAllowedProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // false disables every type of audio output while the user is logged in,
  // including audio accessibility features such as a screen reader; true or
  // unset allows all supported audio outputs.
  optional bool AudioOutputAllowed = 2;
}
// Allow or deny audio capture
//
// If enabled or not configured (default), the user will be prompted for
// audio capture access except for URLs configured in the
// AudioCaptureAllowedUrls list which will be granted access without prompting.
//
// When this policy is disabled, the user will never be prompted and audio
// capture will only be available to URLs configured in AudioCaptureAllowedUrls.
//
// This policy affects all types of audio inputs and not only the built-in
// microphone.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message AudioCaptureAllowedProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true or unset: the user is prompted for audio capture, except for
  // AudioCaptureAllowedUrls matches, which get access without a prompt.
  // false: no prompt is shown and only AudioCaptureAllowedUrls matches can
  // capture audio, so that list stays effective either way.
  optional bool AudioCaptureAllowed = 2;
}
// URLs that will be granted access to audio capture devices without prompt
//
// Patterns in this list will be matched against the security
// origin of the requesting URL. If a match is found, access to audio
// capture devices will be granted without prompt.
//
// NOTE: Until version 45, this policy was only supported in Kiosk mode.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message AudioCaptureAllowedUrlsProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // URL patterns matched against the security origin of the requesting URL; a
  // match is granted access to audio capture devices without a prompt. Each
  // entry is a standing grant, so keep patterns as narrow as the deployment
  // allows. The StringList type is imported from
  // cloud_policy_full_runtime.proto.
  optional StringList AudioCaptureAllowedUrls = 2;
}
// Allow or deny video capture
//
// If enabled or not configured (default), the user will be prompted for
// video capture access except for URLs configured in the
// VideoCaptureAllowedUrls list which will be granted access without prompting.
//
// When this policy is disabled, the user will never be prompted and video
// capture will only be available to URLs configured in VideoCaptureAllowedUrls.
//
// This policy affects all types of video inputs and not only the built-in
// camera.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message VideoCaptureAllowedProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true or unset: the user is prompted for video capture, except for
  // VideoCaptureAllowedUrls matches, which get access without a prompt.
  // false: no prompt is shown and only VideoCaptureAllowedUrls matches can
  // capture video, so that list stays effective either way.
  optional bool VideoCaptureAllowed = 2;
}
// URLs that will be granted access to video capture devices without prompt
//
// Patterns in this list will be matched against the security
// origin of the requesting URL. If a match is found, access to video
// capture devices will be granted without prompt.
//
// NOTE: Until version 45, this policy was only supported in Kiosk mode.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message VideoCaptureAllowedUrlsProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // URL patterns matched against the security origin of the requesting URL; a
  // match is granted access to video capture devices without a prompt. Each
  // entry is a standing grant, so keep patterns as narrow as the deployment
  // allows. The StringList type is imported from
  // cloud_policy_full_runtime.proto.
  optional StringList VideoCaptureAllowedUrls = 2;
}
// Disable taking screenshots
//
// If enabled, screenshots cannot be taken using keyboard shortcuts or extension
// APIs.
//
// If disabled or not specified, taking screenshots is allowed.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message DisableScreenshotsProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true blocks screenshots taken with keyboard shortcuts or extension APIs;
  // unset or false allows them. The description names only those two paths.
  optional bool DisableScreenshots = 2;
}
// Enable virtual keyboard
//
// This policy configures enabling the virtual keyboard as an input device on
// ChromeOS. Users cannot override this policy.
//
// If the policy is set to true, the on-screen virtual keyboard will always be
// enabled.
//
// If set to false, the on-screen virtual keyboard will always be disabled.
//
// If you set this policy, users cannot change or override it. However, users
// will still be able to enable/disable an accessibility on-screen keyboard
// which takes precedence over the virtual keyboard controlled by this policy.
// See the |VirtualKeyboardEnabled| policy for controlling the accessibility on-
// screen keyboard.
//
// If this policy is left unset, the on-screen keyboard is disabled initially
// but can be enabled by the user anytime. Heuristic rules may also be used to
// decide when to display the keyboard.
//
// Supported on: chrome_os
message TouchVirtualKeyboardEnabledProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true: the on-screen virtual keyboard is always enabled; false: always
  // disabled; unset: disabled initially, and the user can enable it. The
  // accessibility on-screen keyboard is controlled separately and takes
  // precedence over this one.
  optional bool TouchVirtualKeyboardEnabled = 2;
}
// Add a logout button to the system tray
//
// If enabled, a big, red logout button is shown in the system tray while a
// session is active and the screen is not locked.
//
// If disabled or not specified, no big, red logout button is shown in the
// system tray.
//
// Supported on: chrome_os
message ShowLogoutButtonInTrayProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true shows a logout button in the system tray while a session is active
  // and the screen is not locked; unset or false shows none.
  optional bool ShowLogoutButtonInTray = 2;
}
// Use built-in DNS client
//
// Controls whether the built-in DNS client is used in Google Chrome.
//
// If this policy is set to true, the built-in DNS client will be used, if
// available.
//
// If this policy is set to false, the built-in DNS client will never be used.
//
// If this policy is left not set, the built-in DNS client will be enabled by
// default on MacOS, Android (when neither Private DNS nor VPN are enabled) and
// ChromeOS, and the users will be able to change whether the built-in DNS
// client is used by editing chrome://flags or specifying a command-line flag.
//
// Supported on: fuchsia, linux, mac, win
message BuiltInDnsClientEnabledProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true: the built-in DNS client is used when available; false: never used.
  // Unset: the platform default applies and users can change it through
  // chrome://flags or a command-line flag.
  optional bool BuiltInDnsClientEnabled = 2;
}
// Control shelf auto-hiding
//
// Control auto-hiding of the Google Chrome OS shelf.
//
// If this policy is set to 'AlwaysAutoHideShelf', the shelf will always auto-
// hide.
//
// If this policy is set to 'NeverAutoHideShelf', the shelf will never auto-hide.
//
// If you set this policy, users cannot change or override it.
//
// If the policy is left not set, users can choose whether the shelf should
// auto-hide.
//
// Valid values:
// Always: Always auto-hide the shelf
// Never: Never auto-hide the shelf
//
// Supported on: chrome_os
message ShelfAutoHideBehaviorProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // One of the strings listed under "Valid values" in the description
  // ("Always" or "Never"); unset leaves the choice to the user.
  optional string ShelfAutoHideBehavior = 2;
}
// Set the display name for device-local accounts
//
// Controls the account name Google Chrome OS shows on the login screen for the
// corresponding device-local account.
//
// If this policy is set, the login screen will use the specified string in the
// picture-based login chooser for the corresponding device-local account.
//
// If the policy is left not set, Google Chrome OS will use the device-local
// account's email account ID as the display name on the login screen.
//
// This policy is ignored for regular user accounts.
//
// Supported on: chrome_os
message UserDisplayNameProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Name shown on the login screen for the corresponding device-local
  // account; unset falls back to the account's email account ID. Ignored for
  // regular user accounts.
  optional string UserDisplayName = 2;
}
// Limit the length of a user session
//
// When this policy is set, it specifies the length of time after which a user
// is automatically logged out, terminating the session. The user is informed
// about the remaining time by a countdown timer shown in the system tray.
//
// When this policy is not set, the session length is not limited.
//
// If you set this policy, users cannot change or override it.
//
// The policy value should be specified in milliseconds. Values are clamped to a
// range of 30 seconds to 24 hours.
//
// Supported on: chrome_os
message SessionLengthLimitProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Session length in milliseconds after which the user is logged out
  // automatically; values are clamped to a range of 30 seconds to 24 hours.
  // Unset: the session length is not limited.
  optional int64 SessionLengthLimit = 2;
}
// Allow fullscreen mode
//
// This policy controls the availability of fullscreen mode in which all Google
// Chrome UI is hidden and only web content is visible.
//
// If this policy is set to true or not configured, the user, apps and
// extensions with appropriate permissions can enter fullscreen mode.
//
// If this policy is set to false, neither the user nor any apps or extensions
// can enter fullscreen mode.
//
// On all platforms except Google Chrome OS, kiosk mode is unavailable when
// fullscreen mode is disabled.
//
// Supported on: chrome_os, linux, win
message FullscreenAllowedProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true or unset: the user, and apps and extensions with appropriate
  // permissions, can enter fullscreen mode. false: none of them can, and on
  // platforms other than Google Chrome OS kiosk mode becomes unavailable.
  optional bool FullscreenAllowed = 2;
}
// Screen dim delay when running on AC power
//
// Specifies the length of time without user input after which the screen is
// dimmed when running on AC power.
//
// When this policy is set to a value greater than zero, it specifies the length
// of time that the user must remain idle before Google Chrome OS dims the
// screen.
//
// When this policy is set to zero, Google Chrome OS does not dim the screen
// when the user becomes idle.
//
// When this policy is unset, a default length of time is used.
//
// The policy value should be specified in milliseconds. Values are clamped to
// be less than or equal to the screen off delay (if set) and the idle delay.
//
// Supported on: chrome_os
message ScreenDimDelayACProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Idle time in milliseconds before the screen is dimmed on AC power. Zero
  // means the screen is not dimmed on idle; unset uses a default. Clamped to
  // at most the screen off delay (if set) and the idle delay.
  optional int64 ScreenDimDelayAC = 2;
}
// Screen off delay when running on AC power
//
// Specifies the length of time without user input after which the screen is
// turned off when running on AC power.
//
// When this policy is set to a value greater than zero, it specifies the length
// of time that the user must remain idle before Google Chrome OS turns off the
// screen.
//
// When this policy is set to zero, Google Chrome OS does not turn off the
// screen when the user becomes idle.
//
// When this policy is unset, a default length of time is used.
//
// The policy value should be specified in milliseconds. Values are clamped to
// be less than or equal to the idle delay.
//
// Supported on: chrome_os
message ScreenOffDelayACProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Idle time in milliseconds before the screen is turned off on AC power.
  // Zero means the screen is not turned off on idle; unset uses a default.
  // Clamped to at most the idle delay.
  optional int64 ScreenOffDelayAC = 2;
}
// Screen lock delay when running on AC power
//
// Specifies the length of time without user input after which the screen is
// locked when running on AC power.
//
// When this policy is set to a value greater than zero, it specifies the length
// of time that the user must remain idle before Google Chrome OS locks the
// screen.
//
// When this policy is set to zero, Google Chrome OS does not lock the screen
// when the user becomes idle.
//
// When this policy is unset, a default length of time is used.
//
// The recommended way to lock the screen on idle is to enable screen locking on
// suspend and have Google Chrome OS suspend after the idle delay. This policy
// should only be used when screen locking should occur a significant amount of
// time sooner than suspend or when suspend on idle is not desired at all.
//
// The policy value should be specified in milliseconds. Values are clamped to
// be less than the idle delay.
//
// Supported on: chrome_os
message ScreenLockDelayACProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Idle time in milliseconds before the screen is locked on AC power. Zero
  // means the screen is not locked on idle; unset uses a default. Clamped to
  // be less than the idle delay. The description recommends locking on
  // suspend instead unless the lock must come well before suspend.
  optional int64 ScreenLockDelayAC = 2;
}
// Idle warning delay when running on AC power
//
// Specifies the length of time without user input after which a warning dialog
// is shown when running on AC power.
//
// When this policy is set, it specifies the length of time that the user must
// remain idle before Google Chrome OS shows a warning dialog telling the user
// that the idle action is about to be taken.
//
// When this policy is unset, no warning dialog is shown.
//
// The policy value should be specified in milliseconds. Values are clamped to
// be less than or equal to the idle delay.
//
// The warning message is only shown if the idle action is to logout or shut
// down.
//
// Supported on: chrome_os
message IdleWarningDelayACProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Idle time in milliseconds before the idle-action warning dialog is shown
  // on AC power; unset means no dialog. Clamped to at most the idle delay.
  // The warning appears only if the idle action is to logout or shut down.
  optional int64 IdleWarningDelayAC = 2;
}
// Idle delay when running on AC power
//
// Specifies the length of time without user input after which the idle action
// is taken when running on AC power.
//
// When this policy is set, it specifies the length of time that the user must
// remain idle before Google Chrome OS takes the idle action, which can be
// configured separately.
//
// When this policy is unset, a default length of time is used.
//
// The policy value should be specified in milliseconds.
//
// Supported on: chrome_os
message IdleDelayACProto {
  // Options for this policy; the PolicyOptions type is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Idle time in milliseconds before the separately configured idle action is
  // taken on AC power; unset uses a default length of time.
  optional int64 IdleDelayAC = 2;
}
// Screen dim delay when running on battery power
//
// Specifies the length of time without user input after which the screen is
// dimmed when running on battery power.
//
// When this policy is set to a value greater than zero, it specifies the length
// of time that the user must remain idle before Google Chrome OS dims the
// screen.
//
// When this policy is set to zero, Google Chrome OS does not dim the screen
// when the user becomes idle.
//
// When this policy is unset, a default length of time is used.
//
// The policy value should be specified in milliseconds. Values are clamped to
// be less than or equal to the screen off delay (if set) and the idle delay.
//
// Supported on: chrome_os
message ScreenDimDelayBatteryProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Idle time on battery, in milliseconds, before the screen is dimmed.
  // Zero turns idle dimming off; unset means a default is used.
  optional int64 ScreenDimDelayBattery = 2;
}
// Screen off delay when running on battery power
//
// Specifies the length of time without user input after which the screen is
// turned off when running on battery power.
//
// When this policy is set to a value greater than zero, it specifies the length
// of time that the user must remain idle before Google Chrome OS turns off the
// screen.
//
// When this policy is set to zero, Google Chrome OS does not turn off the
// screen when the user becomes idle.
//
// When this policy is unset, a default length of time is used.
//
// The policy value should be specified in milliseconds. Values are clamped to
// be less than or equal to the idle delay.
//
// Supported on: chrome_os
message ScreenOffDelayBatteryProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Idle time on battery, in milliseconds, before the screen is turned off.
  // Zero keeps the screen on while idle; unset means a default is used.
  optional int64 ScreenOffDelayBattery = 2;
}
// Screen lock delay when running on battery power
//
// Specifies the length of time without user input after which the screen is
// locked when running on battery power.
//
// When this policy is set to a value greater than zero, it specifies the length
// of time that the user must remain idle before Google Chrome OS locks the
// screen.
//
// When this policy is set to zero, Google Chrome OS does not lock the screen
// when the user becomes idle.
//
// When this policy is unset, a default length of time is used.
//
// The recommended way to lock the screen on idle is to enable screen locking on
// suspend and have Google Chrome OS suspend after the idle delay. This policy
// should only be used when screen locking should occur a significant amount of
// time sooner than suspend or when suspend on idle is not desired at all.
//
// The policy value should be specified in milliseconds. Values are clamped to
// be less than the idle delay.
//
// Supported on: chrome_os
message ScreenLockDelayBatteryProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Idle time on battery, in milliseconds, before the screen is locked.
  // Clamped to be less than the idle delay; unset means a default is used.
  // Zero means the screen is never locked on idle, so an unattended session
  // stays open unless locking on suspend (the recommended setup) covers it.
  optional int64 ScreenLockDelayBattery = 2;
}
// Idle warning delay when running on battery power
//
// Specifies the length of time without user input after which a warning dialog
// is shown when running on battery power.
//
// When this policy is set, it specifies the length of time that the user must
// remain idle before Google Chrome OS shows a warning dialog telling the user
// that the idle action is about to be taken.
//
// When this policy is unset, no warning dialog is shown.
//
// The policy value should be specified in milliseconds. Values are clamped to
// be less than or equal to the idle delay.
//
// The warning message is only shown if the idle action is to logout or shut
// down.
//
// Supported on: chrome_os
message IdleWarningDelayBatteryProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Idle time on battery, in milliseconds, before the warning dialog is
  // shown. Unset means no dialog. The dialog only appears when the idle
  // action is logout or shut down.
  optional int64 IdleWarningDelayBattery = 2;
}
// Idle delay when running on battery power
//
// Specifies the length of time without user input after which the idle action
// is taken when running on battery power.
//
// When this policy is set, it specifies the length of time that the user must
// remain idle before Google Chrome OS takes the idle action, which can be
// configured separately.
//
// When this policy is unset, a default length of time is used.
//
// The policy value should be specified in milliseconds.
//
// Supported on: chrome_os
message IdleDelayBatteryProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Idle time on battery, in milliseconds, before the idle action is taken.
  // Unset means a default length of time is used.
  optional int64 IdleDelayBattery = 2;
}
// Action to take when the idle delay is reached
//
// Note that this policy is deprecated and will be removed in the future.
//
// This policy provides a fallback value for the more-specific IdleActionAC and
// IdleActionBattery policies. If this policy is set, its value gets used if the
// respective more-specific policy is not set.
//
// When this policy is unset, behavior of the more-specific policies remains
// unaffected.
//
// Valid values:
// 0: Suspend
// 1: Log the user out
// 2: Shut down
// 3: Do nothing
//
// Supported on: chrome_os
message IdleActionProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Deprecated fallback used when IdleActionAC or IdleActionBattery is not
  // set. Documented values: 0 suspend, 1 log out, 2 shut down, 3 do nothing.
  // NOTE(review): carried as a plain int64, so the wire format does not
  // restrict the value to 0-3; confirm the consumer rejects anything else.
  optional int64 IdleAction = 2;
}
// Action to take when the idle delay is reached while running on AC power
//
// When this policy is set, it specifies the action that Google Chrome OS takes
// when the user remains idle for the length of time given by the idle delay,
// which can be configured separately.
//
// When this policy is unset, the default action is taken, which is suspend.
//
// If the action is suspend, Google Chrome OS can separately be configured to
// either lock or not lock the screen before suspending.
//
// Valid values:
// 0: Suspend
// 1: Log the user out
// 2: Shut down
// 3: Do nothing
//
// Supported on: chrome_os
message IdleActionACProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Action taken once the idle delay is reached on AC power. Documented
  // values: 0 suspend (the default when unset), 1 log out, 2 shut down,
  // 3 do nothing. Locking the screen before suspend is configured separately.
  // NOTE(review): carried as a plain int64, so the wire format does not
  // restrict the value to 0-3; confirm the consumer rejects anything else.
  optional int64 IdleActionAC = 2;
}
// Action to take when the idle delay is reached while running on battery power
//
// When this policy is set, it specifies the action that Google Chrome OS takes
// when the user remains idle for the length of time given by the idle delay,
// which can be configured separately.
//
// When this policy is unset, the default action is taken, which is suspend.
//
// If the action is suspend, Google Chrome OS can separately be configured to
// either lock or not lock the screen before suspending.
//
// Valid values:
// 0: Suspend
// 1: Log the user out
// 2: Shut down
// 3: Do nothing
//
// Supported on: chrome_os
message IdleActionBatteryProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Action taken once the idle delay is reached on battery. Documented
  // values: 0 suspend (the default when unset), 1 log out, 2 shut down,
  // 3 do nothing. Locking the screen before suspend is configured separately.
  // NOTE(review): carried as a plain int64, so the wire format does not
  // restrict the value to 0-3; confirm the consumer rejects anything else.
  optional int64 IdleActionBattery = 2;
}
// Action to take when the user closes the lid
//
// When this policy is set, it specifies the action that Google Chrome OS takes
// when the user closes the device's lid.
//
// When this policy is unset, the default action is taken, which is suspend.
//
// If the action is suspend, Google Chrome OS can separately be configured to
// either lock or not lock the screen before suspending.
//
// Valid values:
// 0: Suspend
// 1: Log the user out
// 2: Shut down
// 3: Do nothing
//
// Supported on: chrome_os
message LidCloseActionProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Action taken when the lid is closed. Documented values: 0 suspend (the
  // default when unset), 1 log out, 2 shut down, 3 do nothing. Locking the
  // screen before suspend is configured separately.
  // NOTE(review): with 3 the session presumably keeps running with the lid
  // shut; check which other setting, if any, locks it in that case.
  optional int64 LidCloseAction = 2;
}
// Specify whether audio activity affects power management
//
// If this policy is set to True or is unset, the user is not considered to be
// idle while audio is playing. This prevents the idle timeout from being
// reached and the idle action from being taken. However, screen dimming, screen
// off and screen lock will be performed after the configured timeouts,
// irrespective of audio activity.
//
// If this policy is set to False, audio activity does not prevent the user from
// being considered idle.
//
// Supported on: chrome_os
message PowerManagementUsesAudioActivityProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Unset is treated like true. While true, audio playback holds off only the
  // idle action; screen dimming, screen off and screen lock still run on
  // their configured timeouts.
  optional bool PowerManagementUsesAudioActivity = 2;
}
// Specify whether video activity affects power management
//
// If this policy is set to True or is unset, the user is not considered to be
// idle while video is playing. This prevents the idle delay, screen dim delay,
// screen off delay and screen lock delay from being reached and the
// corresponding actions from being taken.
//
// If this policy is set to False, video activity does not prevent the user from
// being considered idle.
//
// Supported on: chrome_os
message PowerManagementUsesVideoActivityProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Unset is treated like true. While true, video playback holds off the
  // screen lock delay as well as the dim, screen off and idle delays, so a
  // device playing video does not lock on idle. Set false where the lock
  // timeout must apply regardless of playback.
  optional bool PowerManagementUsesVideoActivity = 2;
}
// Percentage by which to scale the idle delay in presentation mode (deprecated)
//
// This policy has been retired as of Google Chrome OS version 29. Please use
// the PresentationScreenDimDelayScale policy instead.
//
// Supported on:
message PresentationIdleDelayScaleProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Retired as of Google Chrome OS version 29; the description points to
  // PresentationScreenDimDelayScale as the replacement.
  optional int64 PresentationIdleDelayScale = 2;
}
// Percentage by which to scale the screen dim delay in presentation mode
//
// Specifies the percentage by which the screen dim delay is scaled when the
// device is in presentation mode.
//
// If this policy is set, it specifies the percentage by which the screen dim
// delay is scaled when the device is in presentation mode. When the screen dim
// delay is scaled, the screen off, screen lock and idle delays get adjusted to
// maintain the same distances from the screen dim delay as originally
// configured.
//
// If this policy is unset, a default scale factor is used.
//
// This policy only takes effect if the PowerSmartDimEnabled policy is
// disabled. Otherwise, this policy is ignored because the screen dim delay is
// determined by a machine-learning model.
//
// The scale factor must be 100% or more. Values that would make the screen dim
// delay in presentation mode shorter than the regular screen dim delay are not
// allowed.
//
// Supported on: chrome_os
message PresentationScreenDimDelayScaleProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Scale factor as a percentage; must be 100 or more. Scaling the dim delay
  // moves the screen off, screen lock and idle delays by the same distance,
  // so a large value also postpones screen locking in presentation mode.
  optional int64 PresentationScreenDimDelayScale = 2;
}
// Allow wake locks
//
// Specifies whether wake locks are allowed. Wake locks can be requested by
// extensions via the power management extension API and by ARC apps.
//
// If this policy is set to true or left not set, wake locks will be honored for
// power management.
//
// If this policy is set to false, wake lock requests will get ignored.
//
// Supported on: chrome_os
message AllowWakeLocksProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Unset is treated like true: wake locks requested by extensions (power
  // management extension API) and ARC apps are honored. False makes wake lock
  // requests get ignored.
  optional bool AllowWakeLocks = 2;
}
// Allow screen wake locks
//
// Specifies whether screen wake locks are allowed. Screen wake locks can be
// requested by extensions via the power management extension API and by ARC
// apps.
//
// If this policy is set to true or left not set, screen wake locks will be
// honored for power management, unless AllowWakeLocks is set to false.
//
// If this policy is set to false, screen wake lock requests will be demoted to
// system wake lock requests.
//
// Supported on: chrome_os
message AllowScreenWakeLocksProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Unset is treated like true: screen wake locks are honored unless
  // AllowWakeLocks is false. False demotes screen wake lock requests to
  // system wake lock requests.
  optional bool AllowScreenWakeLocks = 2;
}
// Percentage by which to scale the screen dim delay if the user becomes active
// after dimming
//
// Specifies the percentage by which the screen dim delay is scaled when user
// activity is observed while the screen is dimmed or soon after the screen has
// been turned off.
//
// If this policy is set, it specifies the percentage by which the screen dim
// delay is scaled when user activity is observed while the screen is dimmed or
// soon after the screen has been turned off. When the dim delay is scaled, the
// screen off, screen lock and idle delays get adjusted to maintain the same
// distances from the screen dim delay as originally configured.
//
// If this policy is unset, a default scale factor is used.
//
// This policy only takes effect if the PowerSmartDimEnabled policy is disabled.
// Otherwise, this policy is ignored because the screen dim delay is determined
// by a machine-learning model.
//
// The scale factor must be 100% or more.
//
// Supported on: chrome_os
message UserActivityScreenDimDelayScaleProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Scale factor as a percentage; must be 100 or more. When the dim delay is
  // scaled, the screen off, screen lock and idle delays move with it, so the
  // screen lock is postponed as well.
  optional int64 UserActivityScreenDimDelayScale = 2;
}
// Wait for initial user activity
//
// Specifies whether power management delays and the session length limit should
// only start running after the first user activity has been observed in a
// session.
//
// If this policy is set to True, power management delays and the session length
// limit do not start running until after the first user activity has been
// observed in a session.
//
// If this policy is set to False or left unset, power management delays and the
// session length limit start running immediately on session start.
//
// Supported on: chrome_os
message WaitForInitialUserActivityProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Unset is treated like false: power management delays and the session
  // length limit start at session start. True holds them back until the first
  // user activity in the session has been observed.
  optional bool WaitForInitialUserActivity = 2;
}
// Power management settings when the user becomes idle
//
// This policy controls multiple settings for the power management strategy when
// the user becomes idle.
//
// There are four types of action:
// * The screen will be dimmed if the user remains idle for the time specified
// by |ScreenDim|.
// * The screen will be turned off if the user remains idle for the time
// specified by |ScreenOff|.
// * A warning dialog will be shown if the user remains idle for the time
// specified by |IdleWarning|, telling the user that the idle action is about to
// be taken. The warning message is only shown if the idle action is to logout
// or shut down.
// * The action specified by |IdleAction| will be taken if the user remains idle
// for the time specified by |Idle|.
//
// For each of above actions, the delay should be specified in milliseconds, and
// needs to be set to a value greater than zero to trigger the corresponding
// action. In case the delay is set to zero, Google Chrome OS will not take the
// corresponding action.
//
// For each of the above delays, when the length of time is unset, a default
// value will be used.
//
// Note that |ScreenDim| values will be clamped to be less than or equal to
// |ScreenOff|, |ScreenOff| and |IdleWarning| will be clamped to be less than or
// equal to |Idle|.
//
// |IdleAction| can be one of four possible actions:
// * |Suspend|
// * |Logout|
// * |Shutdown|
// * |DoNothing|
//
// When the |IdleAction| is unset, the default action is taken, which is
// suspend.
//
// There are also separate settings for AC power and battery.
//
// Value schema:
// {
// "properties": {
// "AC": {
// "description": "Delays and actions to take when the device is
// idle and running on AC power",
// "id": "PowerManagementDelays",
// "properties": {
// "Delays": {
// "properties": {
// "Idle": {
// "description": "The length of time without user
// input after which the idle action is taken, in milliseconds",
// "minimum": 0,
// "type": "integer"
// },
// "IdleWarning": {
// "description": "The length of time without user
// input after which a warning dialog is shown, in milliseconds",
// "minimum": 0,
// "type": "integer"
// },
// "ScreenDim": {
// "description": "The length of time without user
// input after which the screen is dimmed, in milliseconds",
// "minimum": 0,
// "type": "integer"
// },
// "ScreenOff": {
// "description": "The length of time without user
// input after which the screen is turned off, in milliseconds",
// "minimum": 0,
// "type": "integer"
// }
// },
// "type": "object"
// },
// "IdleAction": {
// "description": "Action to take when the idle delay is
// reached",
// "enum": [
// "Suspend",
// "Logout",
// "Shutdown",
// "DoNothing"
// ],
// "type": "string"
// }
// },
// "type": "object"
// },
// "Battery": {
// "$ref": "PowerManagementDelays",
// "description": "Delays and actions to take when the device is
// idle and running on battery"
// }
// },
// "type": "object"
// }
//
// Supported on: chrome_os
message PowerManagementIdleSettingsProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Structured value following the schema in the description (AC and Battery
  // objects with Delays and IdleAction), carried as a string.
  // NOTE(review): presumably JSON text that the consumer validates against
  // that schema, including "minimum": 0 on the delays -- confirm.
  optional string PowerManagementIdleSettings = 2;
}
// Screen lock delays
//
// Specifies the length of time without user input after which the screen is
// locked when running on AC power or battery.
//
// When the length of time is set to a value greater than zero, it represents
// the length of time that the user must remain idle before Google Chrome OS
// locks the screen.
//
// When the length of time is set to zero, Google Chrome OS does not lock the
// screen when the user becomes idle.
//
// When the length of time is unset, a default length of time is used.
//
// The recommended way to lock the screen on idle is to enable screen locking on
// suspend and have Google Chrome OS suspend after the idle delay. This policy
// should only be used when screen locking should occur a significant amount of
// time sooner than suspend or when suspend on idle is not desired at all.
//
// The policy value should be specified in milliseconds. Values are clamped to
// be less than the idle delay.
//
// Value schema:
// {
// "properties": {
// "AC": {
// "description": "The length of time without user input after which
// the screen is locked when running on AC power, in milliseconds",
// "minimum": 0,
// "type": "integer"
// },
// "Battery": {
// "description": "The length of time without user input after which
// the screen is locked when running on battery, in milliseconds",
// "minimum": 0,
// "type": "integer"
// }
// },
// "type": "object"
// }
//
// Supported on: chrome_os
message ScreenLockDelaysProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Structured value with "AC" and "Battery" lock delays in milliseconds,
  // carried as a string (presumably JSON text -- confirm). A delay of zero
  // means the screen is not locked on idle for that power source, so review
  // zero values against the lock-on-suspend setup the description recommends.
  optional string ScreenLockDelays = 2;
}
// Set the Terms of Service for a device-local account
//
// Sets the Terms of Service that the user must accept before starting a device-
// local account session.
//
// If this policy is set, Google Chrome OS will download the Terms of Service
// and present them to the user whenever a device-local account session is
// starting. The user will only be allowed into the session after accepting the
// Terms of Service.
//
// If this policy is not set, no Terms of Service are shown.
//
// The policy should be set to a URL from which Google Chrome OS can download
// the Terms of Service. The Terms of Service must be plain text, served as MIME
// type text/plain. No markup is allowed.
//
// Supported on: chrome_os
message TermsOfServiceURLProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // URL the device downloads the Terms of Service from. The content must be
  // plain text served as text/plain; no markup is allowed.
  // NOTE(review): the description names no integrity check for this
  // download; presumably an https URL on an administrator-controlled host is
  // expected -- confirm what the consumer enforces.
  optional string TermsOfServiceURL = 2;
}
// Show accessibility options in system tray menu
//
// If this policy is set to true, Accessibility options always appear in system
// tray menu.
//
// If this policy is set to false, Accessibility options never appear in system
// tray menu.
//
// If you set this policy, users cannot change or override it.
//
// If this policy is left unset, Accessibility options will not appear in the
// system tray menu, but the user can cause the Accessibility options to appear
// via the Settings page.
//
// When accessibility features are enabled by other means (e.g. by a key
// combination), Accessibility options will always appear in system tray menu.
//
// Supported on: chrome_os
message ShowAccessibilityOptionsInSystemTrayMenuProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // True always shows and false never shows the Accessibility options in the
  // system tray menu. Unset hides them until the user turns them on from the
  // Settings page.
  optional bool ShowAccessibilityOptionsInSystemTrayMenu = 2;
}
// Enable large cursor
//
// Enable the large cursor accessibility feature.
//
// If this policy is set to true, the large cursor will always be enabled.
//
// If this policy is set to false, the large cursor will always be disabled.
//
// If you set this policy, users cannot change or override it.
//
// If this policy is left unset, the large cursor is disabled initially but can
// be enabled by the user anytime.
//
// Supported on: chrome_os
message LargeCursorEnabledProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // True forces the large cursor on, false forces it off. Unset leaves it
  // off initially and lets the user enable it.
  optional bool LargeCursorEnabled = 2;
}
// Enable spoken feedback
//
// Enable the spoken feedback accessibility feature.
//
// If this policy is set to true, spoken feedback will always be enabled.
//
// If this policy is set to false, spoken feedback will always be disabled.
//
// If you set this policy, users cannot change or override it.
//
// If this policy is left unset, spoken feedback is disabled initially but can
// be enabled by the user anytime.
//
// Supported on: chrome_os
message SpokenFeedbackEnabledProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // True forces spoken feedback on, false forces it off. Unset leaves it off
  // initially and lets the user enable it.
  optional bool SpokenFeedbackEnabled = 2;
}
// Enable high contrast mode
//
// Enable the high contrast mode accessibility feature.
//
// If this policy is set to true, high contrast mode will always be enabled.
//
// If this policy is set to false, high contrast mode will always be disabled.
//
// If you set this policy, users cannot change or override it.
//
// If this policy is left unset, high contrast mode is disabled initially but
// can be enabled by the user anytime.
//
// Supported on: chrome_os
message HighContrastEnabledProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // True forces high contrast mode on, false forces it off. Unset leaves it
  // off initially and lets the user enable it.
  optional bool HighContrastEnabled = 2;
}
// Enable on-screen keyboard
//
// Enable the on-screen keyboard accessibility feature.
//
// If this policy is set to true, the on-screen keyboard will always be enabled.
//
// If this policy is set to false, the on-screen keyboard will always be
// disabled.
//
// If you set this policy, users cannot change or override it.
//
// If this policy is left unset, the on-screen keyboard is disabled initially
// but can be enabled by the user anytime.
//
// Supported on: chrome_os
message VirtualKeyboardEnabledProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // True forces the on-screen keyboard on, false forces it off. Unset leaves
  // it off initially and lets the user enable it.
  optional bool VirtualKeyboardEnabled = 2;
}
// Enable sticky keys
//
// Enable the sticky keys accessibility feature.
//
// If this policy is set to true, the sticky keys will always be enabled.
//
// If this policy is set to false, the sticky keys will always be disabled.
//
// If you set this policy, users cannot change or override it.
//
// If this policy is left unset, sticky keys are disabled initially but can be
// enabled by the user anytime.
//
// Supported on: chrome_os
message StickyKeysEnabledProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // True forces sticky keys on, false forces them off. Unset leaves them off
  // initially and lets the user enable them.
  optional bool StickyKeysEnabled = 2;
}
// Enable select to speak
//
// Enable the select to speak accessibility feature.
//
// If this policy is set to true, the select to speak will always be enabled.
//
// If this policy is set to false, the select to speak will always be disabled.
//
// If you set this policy, users cannot change or override it.
//
// If this policy is left unset, select to speak is disabled initially but can
// be enabled by the user anytime.
//
// Supported on: chrome_os
message SelectToSpeakEnabledProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // True forces select to speak on, false forces it off. Unset leaves it off
  // initially and lets the user enable it.
  optional bool SelectToSpeakEnabled = 2;
}
// Media keys default to function keys
//
// Changes the default behaviour of the top row keys to function keys.
//
// If this policy is set to true, the keyboard's top row of keys will produce
// function key commands per default. The search key has to be pressed to revert
// their behavior back to media keys.
//
// If this policy is set to false or left unset, the keyboard will produce media
// key commands per default and function key commands when the search key is
// held.
//
// Supported on: chrome_os
message KeyboardDefaultToFunctionKeysProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // True makes the top row produce function key commands by default, with
  // the search key switching back to media keys. False or unset keeps media
  // keys as the default.
  optional bool KeyboardDefaultToFunctionKeys = 2;
}
// Set screen magnifier type
//
// If this policy is set, it controls the type of screen magnifier that is
// enabled. Setting the policy to "None" disables the screen magnifier.
//
// If you set this policy, users cannot change or override it.
//
// If this policy is left unset, the screen magnifier is disabled initially but
// can be enabled by the user anytime.
//
// Valid values:
// 0: Screen magnifier disabled
// 1: Full-screen magnifier enabled
// 2: Docked magnifier enabled
//
// Supported on: chrome_os
message ScreenMagnifierTypeProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Documented values: 0 magnifier disabled, 1 full-screen magnifier,
  // 2 docked magnifier. Unset leaves the magnifier off but user-selectable.
  // NOTE(review): carried as a plain int64, so values outside 0-2 are
  // representable on the wire; confirm the consumer rejects them.
  optional int64 ScreenMagnifierType = 2;
}
// Hide the web store from the New Tab Page and app launcher
//
// Hide the Chrome Web Store app and footer link from the New Tab Page and
// Google Chrome OS app launcher.
//
// When this policy is set to true, the icons are hidden.
//
// When this policy is set to false or is not configured, the icons are visible.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message HideWebStoreIconProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // True hides the Chrome Web Store app and footer link; false or unset
  // leaves the icons visible. The description covers icon visibility only.
  optional bool HideWebStoreIcon = 2;
}
// Set the restriction on the fetching of the Variations seed
//
// Add a parameter to the fetching of the Variations seed in Google Chrome.
//
// If specified, will add a query parameter called 'restrict' to the URL used to
// fetch the Variations seed. The value of the parameter will be the value
// specified in this policy.
//
// If not specified, will not modify the Variations seed URL.
//
// Supported on: android, fuchsia, linux, mac, win
message VariationsRestrictParameterProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Value sent as the 'restrict' query parameter on the URL used to fetch the
  // Variations seed. Unset leaves that URL unmodified.
  // NOTE(review): presumably the consumer URL-encodes this string before
  // appending it -- confirm.
  optional string VariationsRestrictParameter = 2;
}
// Enable remote attestation for the user
//
// If true, the user can use the hardware on Chrome devices to remote attest its
// identity to the privacy CA via the Enterprise Platform Keys API using
// chrome.enterprise.platformKeys.challengeUserKey().
//
// If it is set to false, or if it is not set, calls to the API will fail with
// an error code.
//
// Supported on: chrome_os
message AttestationEnabledForUserProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // True enables remote attestation through
  // chrome.enterprise.platformKeys.challengeUserKey(). False or unset makes
  // calls to the API fail with an error code, so the default is closed.
  optional bool AttestationEnabledForUser = 2;
}
// Extensions allowed to use the remote attestation API
//
// This policy specifies the allowed extensions to use the Enterprise Platform
// Keys API function chrome.enterprise.platformKeys.challengeUserKey() for
// remote attestation. Extensions must be added to this list to use the API.
//
// If an extension is not in the list, or the list is not set, the call to the
// API will fail with an error code.
//
// Supported on: chrome_os
message AttestationExtensionWhitelistProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Extensions allowed to call
  // chrome.enterprise.platformKeys.challengeUserKey(). An extension missing
  // from the list, or an unset list, makes the call fail with an error code.
  // NOTE(review): entries are presumably extension IDs, and the description
  // mentions no wildcard form -- verify against the consumer.
  optional StringList AttestationExtensionWhitelist = 2;
}
// Suppress the Google Chrome Frame turndown prompt
//
// Suppresses the turndown prompt that appears when a site is rendered by Google
// Chrome Frame.
//
// Supported on:
message SuppressChromeFrameTurndownPromptProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Suppresses the Google Chrome Frame turndown prompt. The "Supported on"
  // list in the description is empty.
  optional bool SuppressChromeFrameTurndownPrompt = 2;
}
// Default behavior for sites not in any content pack
//
// This policy is for internal use by Google Chrome itself.
//
// Valid values:
// 0: Allow access to sites outside of content packs
// 1: Warn when visiting sites outside of content packs
// 2: Block access to sites outside of content packs
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message ContentPackDefaultFilteringBehaviorProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // For internal use by Google Chrome. Documented values for sites outside
  // of content packs: 0 allow, 1 warn, 2 block.
  // NOTE(review): carried as a plain int64; confirm how the consumer treats
  // a value outside 0-2 (presumably not as "allow").
  optional int64 ContentPackDefaultFilteringBehavior = 2;
}
// Managed user manual exception hosts
//
// A dictionary mapping hostnames to a boolean flag specifying whether access to
// the host should be allowed (true) or blocked (false).
//
// This policy is for internal use by Google Chrome itself.
//
// Value schema:
// {
// "additionalProperties": {
// "type": "boolean"
// },
// "type": "object"
// }
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message ContentPackManualBehaviorHostsProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // For internal use by Google Chrome. Dictionary of hostname to boolean
  // (true allows, false blocks), carried as a string; presumably JSON text
  // matching the schema in the description -- confirm.
  optional string ContentPackManualBehaviorHosts = 2;
}
// Managed user manual exception URLs
//
// A dictionary mapping URLs to a boolean flag specifying whether access to the
// host should be allowed (true) or blocked (false).
//
// This policy is for internal use by Google Chrome itself.
//
// Value schema:
// {
// "additionalProperties": {
// "type": "boolean"
// },
// "type": "object"
// }
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message ContentPackManualBehaviorURLsProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // For internal use by Google Chrome. Dictionary of URL to boolean (true
  // allows, false blocks), carried as a string; presumably JSON text matching
  // the schema in the description -- confirm.
  optional string ContentPackManualBehaviorURLs = 2;
}
// Enable creation of supervised users
//
// If set to false, supervised-user creation by this user will be disabled. Any
// existing supervised users will still be available.
//
// If set to true or not configured, supervised users can be created and managed
// by this user.
//
// Supported on:
message SupervisedUserCreationEnabledProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // False disables creation of supervised users by this user; existing ones
  // stay available. True or unset allows creating and managing them. The
  // "Supported on" list in the description is empty.
  optional bool SupervisedUserCreationEnabled = 2;
}
// Enable the supervised user content provider
//
// If true and the user is a supervised user then other Android apps can query
// the user's web restrictions through a content provider.
//
// If false or unset then the content provider returns no information.
//
// Supported on:
message SupervisedUserContentProviderEnabledProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // True lets other Android apps query a supervised user's web restrictions
  // through a content provider. False or unset makes the provider return no
  // information. The "Supported on" list in the description is empty.
  optional bool SupervisedUserContentProviderEnabled = 2;
}
// Managed Bookmarks
//
// Configures a list of managed bookmarks.
//
// The policy consists of a list of bookmarks, where each bookmark is a
// dictionary containing the keys "name" and "url" which hold the bookmark's
// name and its target. A subfolder may be configured by defining a bookmark
// without an "url" key but with an additional "children" key which itself
// contains a list of bookmarks as defined above (some of which may be folders
// again). Google Chrome amends incomplete URLs as if they were submitted via
// the Omnibox, for example "google.com" becomes "https://google.com/".
//
// These bookmarks are placed in a folder that can't be modified by the user
// (but the user can choose to hide it from the bookmark bar). By default the
// folder name is "Managed bookmarks" but it can be customized by adding to the
// list of bookmarks a dictionary containing the key "toplevel_name" with the
// desired folder name as the value.
//
// Managed bookmarks are not synced to the user account and can't be modified by
// extensions.
//
// Value schema:
// {
// "items": {
// "id": "BookmarkType",
// "properties": {
// "children": {
// "items": {
// "$ref": "BookmarkType"
// },
// "type": "array"
// },
// "name": {
// "type": "string"
// },
// "toplevel_name": {
// "type": "string"
// },
// "url": {
// "type": "string"
// }
// },
// "type": "object"
// },
// "type": "array"
// }
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message ManagedBookmarksProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Managed bookmark list following the schema in the description, carried
  // as a string (presumably JSON text -- confirm). The schema refers to
  // itself through "children", so it places no bound on folder nesting.
  // NOTE(review): confirm the consumer caps nesting depth when parsing.
  optional string ManagedBookmarks = 2;
}
// Enable the data compression proxy feature
//
// Enables or disables the data compression proxy and prevents users from
// changing this setting.
//
// If you enable or disable this setting, users cannot change or override this
// setting.
//
// If this policy is left not set, the data compression proxy feature will be
// available for the user to choose whether to use it or not.
//
// Supported on: android
message DataCompressionProxyEnabledProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Either value fixes the data compression proxy setting so users cannot
  // change it. Unset leaves the choice to the user.
  optional bool DataCompressionProxyEnabled = 2;
}
// User avatar image
//
// This policy allows you to configure the avatar image representing the user on
// the login screen. The policy is set by specifying the URL from which Google
// Chrome OS can download the avatar image and a cryptographic hash used to
// verify the integrity of the download. The image must be in JPEG format, its
// size must not exceed 512kB. The URL must be accessible without any
// authentication.
//
// The avatar image is downloaded and cached. It will be re-downloaded whenever
// the URL or the hash changes.
//
// If this policy is set, Google Chrome OS will download and use the avatar
// image.
//
// If you set this policy, users cannot change or override it.
//
// If the policy is left not set, the user can choose the avatar image
// representing them on the login screen.
//
// Supported on: chrome_os
message UserAvatarImageProto {
  // Options for this policy; PolicyOptions is declared in
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Carries the avatar download URL together with the cryptographic hash used
  // to verify the download. The image must be JPEG, at most 512kB, and the
  // URL must be reachable without authentication.
  // NOTE(review): the encoding of URL and hash inside this string is not
  // shown here (presumably JSON) -- confirm, along with the hash algorithm.
  optional string UserAvatarImage = 2;
}
// Wallpaper image
//
// This policy allows you to configure the wallpaper image that is shown on the
// desktop and on the login screen background for the user. The policy is set by
// specifying the URL from which Google Chrome OS can download the wallpaper
// image and a cryptographic hash used to verify the integrity of the download.
// The image must be in JPEG format, its file size must not exceed 16MB. The URL
// must be accessible without any authentication.
//
// The wallpaper image is downloaded and cached. It will be re-downloaded
// whenever the URL or the hash changes.
//
// If this policy is set, Google Chrome OS will download and use the wallpaper
// image.
//
// If you set this policy, users cannot change or override it.
//
// If the policy is left not set, the user can choose an image to be shown on
// the desktop and on the login screen background.
//
// Supported on: chrome_os
message WallpaperImageProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Download URL of the wallpaper image together with the cryptographic hash
  // used to verify the download, carried in one string. The encoding is not
  // shown in this file (presumably JSON -- confirm). The URL is fetched
  // without authentication, so the hash is the integrity check the
  // description relies on.
  optional string WallpaperImage = 2;
}
// Enable deprecated web platform features for a limited time
//
// Specify a list of deprecated web platform features to re-enable temporarily.
//
// This policy gives administrators the ability to re-enable deprecated web
// platform features for a limited time. Features are identified by a string tag
// and the features corresponding to the tags included in the list specified by
// this policy will get re-enabled.
//
// If this policy is left not set, or the list is empty or does not match one of
// the supported string tags, all deprecated web platform features will remain
// disabled.
//
// While the policy itself is supported on the above platforms, the feature it
// is enabling may be available on fewer platforms. Not all deprecated Web
// Platform features can be re-enabled. Only the ones explicitly listed below
// can be re-enabled, and only for a limited period of time, which is different
// per feature. The general format of the string tag will be
// [DeprecatedFeatureName]_EffectiveUntil[yyyymmdd]. As reference, you can find
// the intent behind the Web Platform feature changes at
// https://bit.ly/blinkintents.
//
// Valid values:
// ExampleDeprecatedFeature_EffectiveUntil20080902: Enable
// ExampleDeprecatedFeature API through 2008/09/02
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message EnableDeprecatedWebPlatformFeaturesProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Feature tags of the form [DeprecatedFeatureName]_EffectiveUntil[yyyymmdd].
  // An unset or empty list, or a tag that matches no supported feature,
  // re-enables nothing.
  optional StringList EnableDeprecatedWebPlatformFeatures = 2;
}
// Allow Smart Lock to be used
//
// If you enable this setting, users will be allowed to use Smart Lock if the
// requirements for the feature are satisfied.
//
// If you disable this setting, users will not be allowed to use Smart Lock.
//
// If this policy is left not set, the default is not allowed for enterprise-
// managed users and allowed for non-managed users.
//
// Supported on: chrome_os
message EasyUnlockAllowedProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true allows Smart Lock, false forbids it. When unset, enterprise-managed
  // users are not allowed and non-managed users are allowed.
  optional bool EasyUnlockAllowed = 2;
}
// Set the recommended locales for a managed session
//
// Sets one or more recommended locales for a managed session, allowing users to
// easily choose one of these locales.
//
// The user can choose a locale and a keyboard layout before starting a managed
// session. By default, all locales supported by Google Chrome OS are listed in
// alphabetic order. You can use this policy to move a set of recommended
// locales to the top of the list.
//
// If this policy is not set, the current UI locale will be pre-selected.
//
// If this policy is set, the recommended locales will be moved to the top of
// the list and will be visually separated from all other locales. The
// recommended locales will be listed in the order in which they appear in the
// policy. The first recommended locale will be pre-selected.
//
// If there is more than one recommended locale, it is assumed that users will
// want to select among these locales. Locale and keyboard layout selection will
// be prominently offered when starting a managed session. Otherwise, it is
// assumed that most users will want to use the pre-selected locale. Locale and
// keyboard layout selection will be less prominently offered when starting a
// managed session.
//
// When this policy is set and automatic login is enabled (see the
// |DeviceLocalAccountAutoLoginId| and |DeviceLocalAccountAutoLoginDelay|
// policies), the automatically started managed session will use the first
// recommended locale and the most popular keyboard layout matching this locale.
//
// The pre-selected keyboard layout will always be the most popular layout
// matching the pre-selected locale.
//
// This policy can only be set as recommended. You can use this policy to move a
// set of recommended locales to the top but users are always allowed to choose
// any locale supported by Google Chrome OS for their session.
//
// Supported on: chrome_os
message SessionLocalesProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Recommended locales; order matters, because they are listed in policy
  // order and the first entry is pre-selected. The policy can only be set as
  // recommended, so users may still pick any supported locale.
  optional StringList SessionLocales = 2;
}
// Enable guest mode in browser
//
// If this policy is set to true or not configured, Google Chrome will enable
// guest logins. Guest logins are Google Chrome profiles where all windows are
// in incognito mode.
//
// If this policy is set to false, Google Chrome will not allow guest profiles
// to be started.
//
// Supported on: fuchsia, linux, mac, win
message BrowserGuestModeEnabledProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true or unset enables guest logins; false stops guest profiles from being
  // started.
  optional bool BrowserGuestModeEnabled = 2;
}
// Enforce browser guest mode
//
// If this policy is set to enabled, Google Chrome will enforce guest sessions
// and prevent profile logins. Guest logins are Google Chrome profiles where
// all windows are in incognito mode.
//
// If this policy is set to disabled or not set or browser guest mode is
// disabled by BrowserGuestModeEnabled policy, Google Chrome will allow using
// new and existing profiles.
//
// Supported on: fuchsia, linux, mac, win
message BrowserGuestModeEnforcedProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true enforces guest sessions and blocks profile logins. It has no effect
  // when BrowserGuestModeEnabled disables guest mode; false or unset leaves
  // new and existing profiles usable.
  optional bool BrowserGuestModeEnforced = 2;
}
// Enable add person in user manager
//
// If this policy is set to true or not configured, Google Chrome will allow Add
// Person from the user manager.
//
// If this policy is set to false, Google Chrome will not allow creation of new
// profiles from the user manager.
//
// Supported on: fuchsia, linux, mac, win
message BrowserAddPersonEnabledProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true or unset allows Add Person in the user manager; false blocks the
  // creation of new profiles from there.
  optional bool BrowserAddPersonEnabled = 2;
}
// Enable force sign in for Google Chrome
//
// This policy is deprecated, consider using BrowserSignin instead.
//
// If this policy is set to true, user has to sign in to Google Chrome with
// their profile before using the browser. And the default value of
// BrowserGuestModeEnabled will be set to false. Note that existing unsigned
// profiles will be locked and inaccessible after enabling this policy. For more
// information, see help center article.
//
// If this policy is set to false or not configured, the user can use the
// browser without signing in to Google Chrome.
//
// Supported on: android, mac, win
message ForceBrowserSigninProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Deprecated policy; BrowserSignin is the documented replacement. true
  // requires sign-in before the browser can be used and locks existing
  // unsigned profiles; false or unset does not require sign-in.
  optional bool ForceBrowserSignin = 2;
}
// Browser sign in settings
//
// This policy controls the sign-in behavior of the browser. It allows you to
// specify if the user can sign in to Google Chrome with their account and use
// account related services like Chrome sync.
//
// If the policy is set to "Disable browser sign-in" then the user can not sign
// in to the browser and use account based services. In this case browser level
// features like Chrome sync can not be used and will be unavailable. If the
// user was signed in and the policy is set "Disabled" they will be signed out
// the next time they run Chrome but their local profile data like bookmarks,
// passwords etc. will stay preserved. The user will still be able to sign into
// and use Google web services like Gmail.
//
// If the policy is set to "Enable browser sign-in," then the user is allowed to
// sign in to the browser and is automatically signed in to the browser when
// signed in to Google web services like Gmail. Being signed in to the browser
// means the user's account information will be kept by the browser. However, it
// does not mean that Chrome sync will be turned on per default; the user must
// separately opt-in to use this feature. Enabling this policy will prevent the
// user from turning off the setting that allows browser sign-in. To control the
// availability of Chrome sync, use the "SyncDisabled" policy.
//
// If the policy is set to "Force browser sign-in" the user is presented with an
// account selection dialog and has to choose and sign in to an account to use
// the browser. This ensures that for managed accounts the policies associated
// with the account are applied and enforced. By default this turns on Chrome
// sync for the account, except for the case when sync was disabled by the
// domain admin or via the "SyncDisabled" policy. The default value of
// BrowserGuestModeEnabled will be set to false. Note that existing unsigned
// profiles will be locked and inaccessible after enabling this policy. For more
// information, see help center article:
// https://support.google.com/chrome/a/answer/7572556. This option does not
// support Linux and will fallback to "Enable browser sign-in" if used.
//
// If this policy is not set then the user can decide if they want to enable the
// browser sign in option and use it as they see fit.
//
// Valid values:
// 0: Disable browser sign-in
// 1: Enable browser sign-in
// 2: Force users to sign-in to use the browser
//
// Supported on: android, fuchsia, linux, mac, win
message BrowserSigninProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Integer mode: 0 disables browser sign-in, 1 enables it, 2 forces users to
  // sign in to use the browser. Mode 2 is not supported on Linux and falls
  // back to mode 1 there. Handling of other values is not described here.
  optional int64 BrowserSignin = 2;
}
// Minimum SSL version enabled
//
// If this policy is not configured then Google Chrome uses a default minimum
// version which is TLS 1.0.
//
// Otherwise it may be set to one of the following values: "tls1", "tls1.1" or
// "tls1.2". When set, Google Chrome will not use SSL/TLS versions less than the
// specified version. An unrecognized value will be ignored.
//
// Valid values:
// tls1: TLS 1.0
// tls1.1: TLS 1.1
// tls1.2: TLS 1.2
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message SSLVersionMinProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // One of "tls1", "tls1.1" or "tls1.2". An unrecognized value is ignored, so
  // a misspelled entry silently leaves the default minimum (documented as
  // TLS 1.0) in force; validate the string where the policy is authored.
  // NOTE(review): TLS 1.0 and 1.1 are deprecated by RFC 8996; prefer "tls1.2"
  // where compatibility allows.
  optional string SSLVersionMin = 2;
}
// Minimum TLS version to fallback to
//
// Warning: The TLS version fallback will be removed from Google Chrome after
// version 52 (around September 2016) and this policy will stop working then.
//
// When a TLS handshake fails, Google Chrome would previously retry the
// connection with a lesser version of TLS in order to work around bugs in HTTPS
// servers. This setting configures the version at which this fallback process
// will stop. If a server performs version negotiation correctly (i.e. without
// breaking the connection) then this setting doesn't apply. Regardless, the
// resulting connection must still comply with SSLVersionMin.
//
// If this policy is not configured or if it is set to "tls1.2" then Google
// Chrome no longer performs this fallback. Note this does not disable support
// for older TLS versions, only whether Google Chrome will work around buggy
// servers which cannot negotiate versions correctly.
//
// Otherwise, if compatibility with a buggy server must be maintained, this
// policy may be set to "tls1.1". This is a stopgap measure and the server
// should be rapidly fixed.
//
// Valid values:
// tls1.1: TLS 1.1
// tls1.2: TLS 1.2
//
// Supported on:
message SSLVersionFallbackMinProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // "tls1.1" or "tls1.2": the version at which the retry-with-a-lower-version
  // fallback stops. Unset or "tls1.2" means no fallback is performed. The
  // description says the policy stops working after version 52, and no
  // supported platform is listed for it.
  optional string SSLVersionFallbackMin = 2;
}
// Maximum SSL version enabled
//
// Warning: The max TLS version policy will be entirely removed from Google
// Chrome around version 75 (around June 2019).
//
// If this policy is not configured then Google Chrome uses the default maximum
// version.
//
// Otherwise it may be set to one of the following values: "tls1.2" or "tls1.3".
// When set, Google Chrome will not use SSL/TLS versions greater than the
// specified version. An unrecognized value will be ignored.
//
// Valid values:
// tls1.2: TLS 1.2
// tls1.3: TLS 1.3
//
// Supported on:
message SSLVersionMaxProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // "tls1.2" or "tls1.3"; versions above the given one are not used, and an
  // unrecognized value is ignored. The description announces removal around
  // version 75, and no supported platform is listed for it.
  optional string SSLVersionMax = 2;
}
// Disable Certificate Transparency enforcement for a list of URLs
//
// Disables enforcing Certificate Transparency requirements for the listed URLs.
//
// This policy allows certificates for the hostnames in the specified URLs to
// not be disclosed via Certificate Transparency. This allows certificates that
// would otherwise be untrusted, because they were not properly publicly
// disclosed, to continue to be used, but makes it harder to detect misissued
// certificates for those hosts.
//
// A URL pattern is formatted according to
// https://www.chromium.org/administrators/url-blacklist-filter-format. However,
// because certificates are valid for a given hostname independent of the
// scheme, port, or path, only the hostname portion of the URL is considered.
// Wildcard hosts are not supported.
//
// If this policy is not set, any certificate that is required to be disclosed
// via Certificate Transparency will be treated as untrusted if it is not
// disclosed according to the Certificate Transparency policy.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message CertificateTransparencyEnforcementDisabledForUrlsProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // URL patterns of which only the hostname portion is considered; wildcard
  // hosts are not supported. Every entry exempts that host from Certificate
  // Transparency enforcement and so makes misissued certificates for it
  // harder to detect -- keep the list short and reviewed.
  optional StringList CertificateTransparencyEnforcementDisabledForUrls = 2;
}
// Disable Certificate Transparency enforcement for a list of
// subjectPublicKeyInfo hashes
//
// Disables enforcing Certificate Transparency requirements for a list of
// subjectPublicKeyInfo hashes.
//
// This policy allows disabling Certificate Transparency disclosure requirements
// for certificate chains that contain certificates with one of the specified
// subjectPublicKeyInfo hashes. This allows certificates that would otherwise be
// untrusted, because they were not properly publicly disclosed, to continue to
// be used for Enterprise hosts.
//
// In order for Certificate Transparency enforcement to be disabled when this
// policy is set, one of the following conditions must be met:
// 1. The hash is of the server certificate's subjectPublicKeyInfo.
// 2. The hash is of a subjectPublicKeyInfo that appears in a CA certificate in
// the certificate chain, that CA certificate is constrained via the X.509v3
// nameConstraints extension, one or more directoryName nameConstraints are
// present in the permittedSubtrees, and the directoryName contains an
// organizationName attribute.
// 3. The hash is of a subjectPublicKeyInfo that appears in a CA certificate in
// the certificate chain, the CA certificate has one or more organizationName
// attributes in the certificate Subject, and the server's certificate contains
// the same number of organizationName attributes, in the same order, and with
// byte-for-byte identical values.
//
// A subjectPublicKeyInfo hash is specified by concatenating the hash algorithm
// name, the "/" character, and the Base64 encoding of that hash algorithm
// applied to the DER-encoded subjectPublicKeyInfo of the specified certificate.
// This Base64 encoding is the same format as an SPKI Fingerprint, as defined in
// RFC 7469, Section 2.4. Unrecognized hash algorithms are ignored. The only
// supported hash algorithm at this time is "sha256".
//
// If this policy is not set, any certificate that is required to be disclosed
// via Certificate Transparency will be treated as untrusted if it is not
// disclosed according to the Certificate Transparency policy.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message CertificateTransparencyEnforcementDisabledForCasProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Entries are "<hash algorithm>/<Base64 hash of the DER-encoded
  // subjectPublicKeyInfo>"; "sha256" is the only supported algorithm and
  // entries with an unrecognized algorithm are ignored. A matching hash only
  // disables enforcement when one of the three documented chain conditions
  // holds.
  optional StringList CertificateTransparencyEnforcementDisabledForCas = 2;
}
// Disable Certificate Transparency enforcement for a list of Legacy Certificate
// Authorities
//
// Disables enforcing Certificate Transparency requirements for a list of Legacy
// Certificate Authorities.
//
// This policy allows disabling Certificate Transparency disclosure requirements
// for certificate chains that contain certificates with one of the specified
// subjectPublicKeyInfo hashes. This allows certificates that would otherwise be
// untrusted, because they were not properly publicly disclosed, to continue to
// be used for Enterprise hosts.
//
// In order for Certificate Transparency enforcement to be disabled when this
// policy is set, the hash must be of a subjectPublicKeyInfo appearing in a CA
// certificate that is recognized as a Legacy Certificate Authority (CA). A
// Legacy CA is a CA that has been publicly trusted by default on one or more
// operating systems supported by Google Chrome, but is not trusted by the
// Android Open Source Project or Google Chrome OS.
//
// A subjectPublicKeyInfo hash is specified by concatenating the hash algorithm
// name, the "/" character, and the Base64 encoding of that hash algorithm
// applied to the DER-encoded subjectPublicKeyInfo of the specified certificate.
// This Base64 encoding is the same format as an SPKI Fingerprint, as defined in
// RFC 7469, Section 2.4. Unrecognized hash algorithms are ignored. The only
// supported hash algorithm at this time is "sha256".
//
// If this policy is not set, any certificate that is required to be disclosed
// via Certificate Transparency will be treated as untrusted if it is not
// disclosed according to the Certificate Transparency policy.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message CertificateTransparencyEnforcementDisabledForLegacyCasProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Entries are "<hash algorithm>/<Base64 hash of the DER-encoded
  // subjectPublicKeyInfo>"; "sha256" is the only supported algorithm and
  // entries with an unrecognized algorithm are ignored. The hash must belong
  // to a CA certificate recognized as a Legacy Certificate Authority for the
  // exemption to apply.
  optional StringList CertificateTransparencyEnforcementDisabledForLegacyCas = 2;
}
// Enable RC4 cipher suites in TLS
//
// Warning: RC4 will be completely removed from Google Chrome after version 52
// (around September 2016) and this policy will stop working then.
//
// If the policy is not set, or is set to false, then RC4 cipher suites in TLS
// will not be enabled. Otherwise it may be set to true to retain compatibility
// with an outdated server. This is a stopgap measure and the server should be
// reconfigured.
//
// Supported on:
message RC4EnabledProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true re-enables RC4 cipher suites in TLS as a stopgap for an outdated
  // server; false or unset keeps them off. The description says the policy
  // stops working after version 52, and no supported platform is listed.
  optional bool RC4Enabled = 2;
}
// Enable DHE cipher suites in TLS
//
// Warning: DHE will be completely removed from Google Chrome after version 57
// (around March 2017) and this policy will stop working then.
//
// If the policy is not set, or is set to false, then DHE cipher suites in TLS
// will not be enabled. Otherwise it may be set to true to enable DHE cipher
// suites and retain compatibility with an outdated server. This is a stopgap
// measure and the server should be reconfigured.
//
// Servers are encouraged to migrate to ECDHE cipher suites. If these are
// unavailable, ensure a cipher suite using RSA key exchange is enabled.
//
// Supported on:
message DHEEnabledProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true re-enables DHE cipher suites in TLS as a stopgap for an outdated
  // server; false or unset keeps them off. The description says the policy
  // stops working after version 57, and no supported platform is listed.
  // NOTE(review): the RSA key-exchange alternative mentioned in the
  // description gives no forward secrecy; ECDHE is the better target.
  optional bool DHEEnabled = 2;
}
// Enable Tap to Search
//
// Enables the availability of Tap to Search in Google Chrome's content view.
//
// If you enable this setting, Tap to Search will be available to the user and
// they can choose to turn the feature on or off.
//
// If you disable this setting, Tap to Search will be disabled completely.
//
// If this policy is left not set, it is equivalent to being enabled, see
// description above.
//
// Supported on: android
message ContextualSearchEnabledProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true or unset makes Tap to Search available, with the user choosing
  // whether to turn it on; false disables the feature completely.
  optional bool ContextualSearchEnabled = 2;
}
// Maximize the first browser window on first run
//
// If this policy is set to true, Google Chrome will unconditionally maximize
// the first window shown on first run.
// If this policy is set to false or not configured, the decision whether to
// maximize the first window shown will be based on the screen size.
//
// Supported on: chrome_os
message ForceMaximizeOnFirstRunProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true always maximizes the first window shown on first run; false or
  // unset lets the screen size decide.
  optional bool ForceMaximizeOnFirstRun = 2;
}
// Allow proceeding from the SSL warning page
//
// Chrome shows a warning page when users navigate to sites that have SSL
// errors. By default or when this policy is set to true, users are allowed to
// click through these warning pages.
// Setting this policy to false prevents users from clicking through any
// warning page.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message SSLErrorOverrideAllowedProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true or unset lets users click through SSL warning pages; false blocks
  // click-through on every warning page. Leaving the field unset therefore
  // keeps the bypass available -- set false where users must not proceed
  // past certificate errors.
  optional bool SSLErrorOverrideAllowed = 2;
}
// Allow QUIC protocol
//
// If this policy is set to true or not set, usage of the QUIC protocol in
// Google Chrome is allowed.
// If this policy is set to false, usage of the QUIC protocol is disallowed.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message QuicAllowedProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true or unset allows use of the QUIC protocol; false disallows it.
  optional bool QuicAllowed = 2;
}
// Key Permissions
//
// Grants access to corporate keys to extensions.
//
// Keys are designated for corporate usage if they're generated using the
// chrome.enterprise.platformKeys API on a managed account. Keys imported or
// generated in another way are not designated for corporate usage.
//
// Access to keys designated for corporate usage is solely controlled by this
// policy. The user can neither grant nor withdraw access to corporate keys to
// or from extensions.
//
// By default an extension cannot use a key designated for corporate usage,
// which is equivalent to setting allowCorporateKeyUsage to false for that
// extension.
//
// Only if allowCorporateKeyUsage is set to true for an extension, it can use
// any platform key marked for corporate usage to sign arbitrary data. This
// permission should only be granted if the extension is trusted to secure
// access to the key against attackers.
//
// Value schema:
// {
// "additionalProperties": {
// "properties": {
// "allowCorporateKeyUsage": {
// "description": "If set to true, this extension can use all
// keys that are designated for corporate usage to sign arbitrary data. If set
// to false, it cannot access any such keys and the user cannot grant such
// permission either.",
// "type": "boolean"
// }
// },
// "type": "object"
// },
// "type": "object"
// }
//
// Supported on: chrome_os
message KeyPermissionsProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // String holding an object per the value schema: one entry per extension,
  // each with an allowCorporateKeyUsage boolean (entry names are presumably
  // extension IDs -- confirm). A true entry lets that extension sign
  // arbitrary data with any key marked for corporate usage, so grant it only
  // to extensions trusted to protect access to the key; absent entries
  // default to no access.
  optional string KeyPermissions = 2;
}
// Enable showing the welcome page on the first browser launch following OS
// upgrade
//
// If this policy is set to true or not configured, the browser will re-show the
// welcome page on the first launch following an OS upgrade.
//
// If this policy is set to false, the browser will not re-show the welcome page
// on the first launch following an OS upgrade.
//
// Supported on:
message WelcomePageOnOSUpgradeEnabledProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true or unset re-shows the welcome page on the first launch after an OS
  // upgrade; false suppresses it. No supported platform is listed for this
  // policy.
  optional bool WelcomePageOnOSUpgradeEnabled = 2;
}
// Use hardware acceleration when available
//
// If this policy is set to true or left unset, hardware acceleration will be
// enabled unless a certain GPU feature is blacklisted.
//
// If this policy is set to false, hardware acceleration will be disabled.
//
// Supported on: fuchsia, linux, mac, win
message HardwareAccelerationModeEnabledProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true or unset enables hardware acceleration unless a certain GPU feature
  // is blacklisted; false disables hardware acceleration.
  optional bool HardwareAccelerationModeEnabled = 2;
}
// Make Unified Desktop available and turn on by default
//
// If this policy is set to true, Unified Desktop is allowed and
// enabled by default, which allows applications to span multiple displays.
// The user may disable Unified Desktop for individual displays by unchecking
// it in the display settings.
//
// If this policy is set to false or unset, Unified Desktop will be
// disabled. In this case, the user cannot enable the feature.
//
// Supported on: chrome_os
message UnifiedDesktopEnabledByDefaultProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true allows Unified Desktop and turns it on by default; false or unset
  // disables it, and the user cannot enable it.
  optional bool UnifiedDesktopEnabledByDefault = 2;
}
// Enable ARC
//
// When this policy is set to true, ARC will be enabled for the user
// (subject to additional policy settings checks - ARC will still be
// unavailable if either ephemeral mode or multiple sign-in is enabled
// in the current user session).
//
// If this setting is disabled or not configured then enterprise users are
// unable to use ARC.
//
// Supported on: chrome_os
message ArcEnabledProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true enables ARC for the user, except when ephemeral mode or multiple
  // sign-in is active in the session; false or unset leaves enterprise users
  // without ARC.
  optional bool ArcEnabled = 2;
}
// Configure ARC
//
// Specifies a set of policies that will be handed over to the ARC runtime. The
// value must be valid JSON.
//
// This policy can be used to configure which Android apps are automatically
// installed on the device.
//
// To pin apps to the launcher, see PinnedLauncherApps.
//
// Supported on: chrome_os
message ArcPolicyProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Set of policies handed over to the ARC runtime; the string must be valid
  // JSON. It can determine which Android apps are installed automatically,
  // so treat changes to it like changes to an app allow-list.
  optional string ArcPolicy = 2;
}
// Suppress the unsupported OS warning
//
// Suppresses the warning that appears when Google Chrome is running on a
// computer or operating system that is no longer supported.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message SuppressUnsupportedOSWarningProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Suppresses the warning shown when the computer or operating system is no
  // longer supported. The description does not spell out the effect of each
  // value; presumably true hides the warning -- confirm.
  optional bool SuppressUnsupportedOSWarning = 2;
}
// Enable ending processes in Task Manager
//
// If set to false, the 'End process' button is disabled in the Task Manager.
//
// If set to true or not configured, the user can end processes in the Task
// Manager.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message TaskManagerEndProcessEnabledProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // false disables the 'End process' button in the Task Manager; true or
  // unset lets the user end processes.
  optional bool TaskManagerEndProcessEnabled = 2;
}
// Permit locking the screen
//
// If this policy is set to false, users will not be able to lock the screen
// (only signing out from the user session will be possible). If this setting is
// set to true or not set, users who authenticated with a password can lock the
// screen.
//
// Supported on: chrome_os
message AllowScreenLockProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // false removes the ability to lock the screen, leaving sign-out as the
  // only option; true or unset lets users who authenticated with a password
  // lock the screen.
  optional bool AllowScreenLock = 2;
}
// Set certificate availability for ARC-apps
//
// If set to SyncDisabled or not configured, Google Chrome OS certificates are
// not available for ARC-apps.
//
// If set to CopyCaCerts, all ONC-installed CA certificates with Web TrustBit
// are available for ARC-apps.
//
// Valid values:
// 0: Disable usage of Google Chrome OS certificates to ARC-apps
// 1: Enable Google Chrome OS CA certificates to ARC-apps
//
// Supported on: chrome_os
message ArcCertificatesSyncModeProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Integer mode: 0 (or unset) keeps Chrome OS certificates unavailable to
  // ARC apps; 1 makes all ONC-installed CA certificates with Web TrustBit
  // available to them.
  optional int64 ArcCertificatesSyncMode = 2;
}
// Define domains allowed to access G Suite
//
// Enables Google Chrome's restricted login feature in G Suite and prevents
// users from changing this setting.
//
// If you define this setting, the user will only be able to access Google
// Apps using accounts from the specified domains (note that to allow
// gmail.com/googlemail.com accounts, you should add "consumer_accounts"
// (without quotes) to the list of domains).
//
// This setting will prevent the user from logging in, and adding a Secondary
// Account, on a managed device that requires Google authentication, if that
// account does not belong to the aforementioned list of allowed domains.
//
// If you leave this setting empty/not-configured, the user will be able to
// access G Suite with any account.
//
// This policy causes the X-GoogApps-Allowed-Domains header to be appended to
// all HTTP and HTTPS requests to all google.com domains, as described in
// https://support.google.com/a/answer/1668854.
//
// Users cannot change or override this setting.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message AllowedDomainsForAppsProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Domains whose accounts may access G Suite, carried in one string (the
  // separator is not stated in this file); "consumer_accounts" admits
  // gmail.com/googlemail.com accounts. The value is sent as the
  // X-GoogApps-Allowed-Domains header on requests to google.com domains.
  // Empty or unset means any account is accepted.
  optional string AllowedDomainsForApps = 2;
}
// Enable PAC URL stripping (for https://)
//
// Strips privacy and security sensitive parts of https:// URLs before passing
// them on to PAC scripts (Proxy Auto Config) used by Google Chrome during proxy
// resolution.
//
// When True, the security feature is enabled, and https:// URLs are
// stripped before submitting them to a PAC script. In this manner the PAC
// script is not able to view data that is ordinarily protected by an
// encrypted channel (such as the URL's path and query).
//
// When False, the security feature is disabled, and PAC scripts are
// implicitly granted the ability to view all components of an https://
// URL. This applies to all PAC scripts regardless of origin (including
// those fetched over an insecure transport, or discovered insecurely
// through WPAD).
//
// This defaults to True (security feature enabled).
//
// It is recommended that this be set to True. The only reason to set it to
// False is if it causes a compatibility problem with existing PAC scripts.
//
// The policy will be removed in M75.
//
// Supported on:
message PacHttpsUrlStrippingEnabledProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true (the default) strips https:// URLs before they reach a PAC script,
  // hiding the path and query. false exposes every component of https:// URLs
  // to all PAC scripts, including ones fetched over insecure transport or
  // discovered through WPAD; use it only for PAC compatibility problems. The
  // description announces removal in M75 and lists no supported platform.
  optional bool PacHttpsUrlStrippingEnabled = 2;
}
// Enable Google Cast
//
// If this policy is set to true or is not set, Google Cast will be enabled, and
// users will be able to launch it from the app menu, page context menus, media
// controls on Cast-enabled websites, and (if shown) the Cast toolbar icon.
//
// If this policy is set to false, Google Cast will be disabled.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message EnableMediaRouterProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true or unset enables Google Cast; false disables it.
  optional bool EnableMediaRouter = 2;
}
// Show the Google Cast toolbar icon
//
// If this policy is set to true, the Cast toolbar icon will always be shown on
// the toolbar or the overflow menu, and users will not be able to remove it.
//
// If this policy is set to false or is not set, users will be able to pin or
// remove the icon via its contextual menu.
//
// If the policy "EnableMediaRouter" is set to false, then this policy's value
// would have no effect, and the toolbar icon would not be shown.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message ShowCastIconInToolbarProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true always shows the Cast icon on the toolbar or overflow menu and users
  // cannot remove it; false or unset lets users pin or remove it. The value
  // has no effect when EnableMediaRouter is false.
  optional bool ShowCastIconInToolbar = 2;
}
// Allow Google Cast to connect to Cast devices on all IP addresses.
//
// If this policy is set to true, Google Cast will connect to Cast devices on
// all IP addresses, not just RFC1918/RFC4193 private addresses.
//
// If this policy is set to false, Google Cast will connect to Cast devices on
// RFC1918/RFC4193 private addresses only.
//
// If this policy is not set, Google Cast will connect to Cast devices on
// RFC1918/RFC4193 private addresses only, unless the CastAllowAllIPs feature is
// enabled.
//
// If the policy "EnableMediaRouter" is set to false, then this policy's value
// would have no effect.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message MediaRouterCastAllowAllIPsProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // true lets Google Cast connect to Cast devices on all IP addresses; false
  // limits it to RFC1918/RFC4193 private addresses. Unset behaves like false
  // unless the CastAllowAllIPs feature is enabled. The value has no effect
  // when EnableMediaRouter is false.
  optional bool MediaRouterCastAllowAllIPs = 2;
}
// Enable Android Backup Service
//
// This policy was removed in Google Chrome OS 68 and replaced by
// ArcBackupRestoreServiceEnabled.
//
// Supported on:
message ArcBackupRestoreEnabledProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Value of a policy that was removed in Google Chrome OS 68;
  // ArcBackupRestoreServiceEnabled is the documented replacement. No
  // supported platform is listed.
  optional bool ArcBackupRestoreEnabled = 2;
}
// Enable Android Google Location Service
//
// This policy was removed in Google Chrome OS 68 and replaced by
// ArcGoogleLocationServicesEnabled.
//
// Supported on:
message ArcLocationServiceEnabledProto {
  // Options applied to this policy (PolicyOptions comes from the imported
  // cloud_policy_full_runtime.proto).
  optional PolicyOptions policy_options = 1;

  // Value of a policy that was removed in Google Chrome OS 68;
  // ArcGoogleLocationServicesEnabled is the documented replacement. No
  // supported platform is listed.
  optional bool ArcLocationServiceEnabled = 2;
}
// Show content suggestions on the New Tab page
//
// If this is set to true or not set, the New Tab page may show content
// suggestions based on the user's browsing history, interests, or location.
//
// If this is set to false, automatically-generated content suggestions are not
// shown on the New Tab page.
//
// Supported on: android
message NTPContentSuggestionsEnabledProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true or unset: the New Tab page may show content suggestions based on
  //                the user's browsing history, interests, or location.
  // false:         automatically-generated suggestions are not shown.
  optional bool NTPContentSuggestionsEnabled = 2;
}
// Restrict the range of local UDP ports used by WebRTC
//
// If the policy is set, the UDP port range used by WebRTC is restricted to the
// specified port interval (endpoints included).
//
// If the policy is not set, or if it is set to the empty string or an invalid
// port range, WebRTC is allowed to use any available local UDP port.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message WebRtcUdpPortRangeProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Port interval (endpoints included) that WebRTC's local UDP ports are
  // restricted to. When unset, empty, or not a valid port range, WebRTC may
  // use any available local UDP port.
  optional string WebRtcUdpPortRange = 2;
}
// Set an external source of URL restrictions
//
// When this policy is set to a non-empty string the WebView will read URL
// restrictions from the content provider with the given authority name.
//
// Supported on: webview_android
message WebRestrictionsAuthorityProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Authority name of the content provider from which the WebView reads URL
  // restrictions. Takes effect only when set to a non-empty string.
  optional string WebRestrictionsAuthority = 2;
}
// Enable component updates in Google Chrome
//
// Enables component updates for all components in Google Chrome when not set or
// set to True.
//
// If set to False, updates to components are disabled. However, some components
// are exempt from this policy: updates to any component that does not contain
// executable code, or does not significantly alter the behavior of the browser,
// or is critical for its security will not be disabled.
// Examples of such components include the certificate revocation lists and Safe
// Browsing data.
// See https://developers.google.com/safe-browsing for more info on Safe
// Browsing.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message ComponentUpdatesEnabledProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true or unset: component updates are enabled for all components.
  // false:         component updates are disabled, except for exempt
  //                components: those without executable code, those that do
  //                not significantly alter browser behavior, and those
  //                critical for security (e.g. certificate revocation lists
  //                and Safe Browsing data).
  optional bool ComponentUpdatesEnabled = 2;
}
// Native Printing
//
// Configures a list of printers.
//
// This policy allows administrators to provide printer configurations for
// their users.
//
// display_name and description are free-form strings that can be customized for
// ease of printer selection. manufacturer and model serve to ease printer
// identification by end users. They represent the manufacturer and model of the
// printer. uri should be an address reachable from a client computer including
// the scheme, port, and queue. uuid is optional. If provided, it is used to
// help deduplicate zeroconf printers.
//
// Either effective_model should contain the name of the printer or autoconf
// should be set to true. Printers that set both of these properties, or
// neither of them, will be ignored.
//
// Printer setup is completed upon the first use of a printer. PPDs are not
// downloaded until the printer is used. After that time, frequently used PPDs
// are cached.
//
// This policy has no effect on whether users can configure printers on
// individual devices. It is intended to be supplementary to the configuration
// of printers by individual users.
//
// For Active Directory managed devices this policy supports expansion of
// ${MACHINE_NAME[,pos[,count]]} to the Active Directory machine name or a
// substring of it. For example, if the machine name is CHROMEBOOK, then
// ${MACHINE_NAME,6,4} would be replaced by the 4 characters starting after the
// 6th position, i.e. BOOK. Note that the position is zero-based.
//
// Supported on: chrome_os
message NativePrintersProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Administrator-provided printer configurations. The policy text names the
  // properties display_name, description, manufacturer, model, uri, uuid,
  // effective_model and autoconf.
  // NOTE(review): the per-entry encoding inside StringList is not shown in
  // this file - confirm against the policy template.
  optional StringList NativePrinters = 2;
}
// Enterprise printer configuration file
//
// Provides configurations for enterprise printers.
//
// This policy allows you to provide printer configurations to Google Chrome OS
// devices. The format is the same as the NativePrinters dictionary, with an
// additional required "id" or "guid" field per printer for whitelisting or
// blacklisting.
//
// The size of the file must not exceed 5MB and must be encoded in JSON. It is
// estimated that a file containing approximately 21,000 printers will encode as
// a 5MB file. The cryptographic hash is used to verify the integrity of the
// download.
//
// The file is downloaded and cached. It will be re-downloaded whenever the URL
// or the hash changes.
//
// If this policy is set, Google Chrome OS will download the file for printer
// configurations and make printers available in accordance with
// NativePrintersBulkAccessMode, NativePrintersBulkWhitelist, and
// NativePrintersBulkBlacklist.
//
// If you set this policy, users cannot change or override it.
//
// This policy has no effect on whether users can configure printers on
// individual devices. It is intended to be supplementary to the configuration
// of printers by individual users.
//
// Supported on: chrome_os
message NativePrintersBulkConfigurationProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Identifies the enterprise printer configuration file. Per the policy
  // text the file is JSON, must not exceed 5MB, is re-downloaded when the URL
  // or hash changes, and its integrity is verified with a cryptographic
  // hash.
  // NOTE(review): how the URL and hash are encoded in this string is not
  // shown in this file - confirm against the policy template.
  optional string NativePrintersBulkConfiguration = 2;
}
// Printer configuration access policy.
//
// Controls which printers from the NativePrintersBulkConfiguration are
// available to users.
//
// Designates which access policy is used for bulk printer configuration. If
// AllowAll is selected, all printers are shown. If BlacklistRestriction is
// selected, NativePrintersBulkBlacklist is used to restrict access to the
// specified printers. If WhitelistPrintersOnly is selected,
// NativePrintersBulkWhitelist designates only those printers which are
// selectable.
//
// If this policy is not set, AllowAll is assumed.
//
// Valid values:
// 0: All printers are shown except those in the blacklist.
// 1: Only printers in the whitelist are shown to users
// 2: Allow all printers from the configuration file.
//
// Supported on: chrome_os
message NativePrintersBulkAccessModeProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Access mode for printers from NativePrintersBulkConfiguration:
  //   0 - all printers are shown except those in the blacklist
  //   1 - only printers in the whitelist are shown
  //   2 - all printers from the configuration file are allowed
  // When the policy is not set, AllowAll is assumed.
  optional int64 NativePrintersBulkAccessMode = 2;
}
// Disabled enterprise printers
//
// Specifies the printers which a user cannot use.
//
// This policy is only used if BlacklistRestriction is chosen for
// NativePrintersBulkAccessMode.
//
// If this policy is used, all printers are provided to the user except for the
// ids listed in this policy. The ids must correspond to the "id" or "guid"
// fields in the file specified in NativePrintersBulkConfiguration.
//
// Supported on: chrome_os
message NativePrintersBulkBlacklistProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Ids of printers the user cannot use. Each id must match an "id" or
  // "guid" field in the file given by NativePrintersBulkConfiguration. Only
  // consulted when NativePrintersBulkAccessMode is BlacklistRestriction.
  optional StringList NativePrintersBulkBlacklist = 2;
}
// Enabled enterprise printers
//
// Specifies the printers which a user can use.
//
// This policy is only used if WhitelistPrintersOnly is chosen for
// NativePrintersBulkAccessMode.
//
// If this policy is used, only the printers with ids matching the values in
// this policy are available to the user. The ids must correspond to the "id" or
// "guid" fields in the file specified in NativePrintersBulkConfiguration.
//
// Supported on: chrome_os
message NativePrintersBulkWhitelistProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Ids of the only printers the user can use. Each id must match an "id" or
  // "guid" field in the file given by NativePrintersBulkConfiguration. Only
  // consulted when NativePrintersBulkAccessMode is WhitelistPrintersOnly.
  optional StringList NativePrintersBulkWhitelist = 2;
}
// Configure allowed quick unlock modes
//
// A whitelist controlling which quick unlock modes the user can configure and
// use to unlock the lock screen.
//
// This value is a list of strings; valid list entries are: "all", "PIN",
// "FINGERPRINT". Adding "all" to the list means that every quick unlock mode is
// available to the user, including ones implemented in the future. Otherwise,
// only the quick unlock modes present in the list will be available.
//
// For example, to allow every quick unlock mode, use ["all"]. To allow only PIN
// unlock, use ["PIN"]. To allow PIN and fingerprint, use ["PIN",
// "FINGERPRINT"]. To disable all quick unlock modes, use [].
//
// By default, no quick unlock modes are available for managed devices.
//
// Supported on: chrome_os
message QuickUnlockModeWhitelistProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Quick unlock modes the user may configure. Valid entries are "all",
  // "PIN" and "FINGERPRINT". "all" also admits modes implemented in the
  // future; an empty list disables every quick unlock mode. By default no
  // quick unlock modes are available on managed devices.
  optional StringList QuickUnlockModeWhitelist = 2;
}
// Set how often user has to enter password to use quick unlock
//
// This setting controls how often the lock screen will request the password to
// be entered in order to continue using quick unlock. Each time the lock screen
// is entered, if the last password entry was longer ago than this setting
// allows, quick unlock will not be available on entering the lock screen.
// Should the user stay on the lock screen past this period of time, a password
// will be requested next time the user enters the wrong code, or re-enters the
// lock screen, whichever comes first.
//
// If this setting is configured, users using quick unlock will be requested to
// enter their passwords on the lock screen depending on this setting.
//
// If this setting is not configured, users using quick unlock will be requested
// to enter their password on the lock screen every day.
//
// Valid values:
// 0: Password entry is required every six hours
// 1: Password entry is required every twelve hours
// 2: Password entry is required every two days (48 hours)
// 3: Password entry is required every week (168 hours)
//
// Supported on: chrome_os
message QuickUnlockTimeoutProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // How often the password must be re-entered to keep using quick unlock:
  //   0 - every six hours
  //   1 - every twelve hours
  //   2 - every two days (48 hours)
  //   3 - every week (168 hours)
  // When not configured, the password is requested every day.
  optional int64 QuickUnlockTimeout = 2;
}
// Set the minimum length of the lock screen PIN
//
// If the policy is set, the configured minimal PIN length is
// enforced. (The absolute minimum PIN length is 1; values less than 1
// are treated as 1.)
//
// If the policy is not set, a minimal PIN length of 6 digits is
// enforced. This is the recommended minimum.
//
// Supported on: chrome_os
message PinUnlockMinimumLengthProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Minimum lock screen PIN length. Values less than 1 are treated as 1.
  // When the policy is not set, a minimum of 6 digits (the recommended
  // minimum) is enforced.
  optional int64 PinUnlockMinimumLength = 2;
}
// Set the maximum length of the lock screen PIN
//
// If the policy is set, the configured maximal PIN length is enforced. A value
// of 0 or less means no maximum length; in that case the user may set a PIN as
// long as they want. If this setting is less than PinUnlockMinimumLength but
// greater than 0, the maximum length is the same as the minimum length.
//
// If the policy is not set, no maximum length is enforced.
//
// Supported on: chrome_os
message PinUnlockMaximumLengthProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Maximum lock screen PIN length. 0 or less means no maximum. A value
  // greater than 0 but less than PinUnlockMinimumLength makes the maximum
  // equal to the minimum. When not set, no maximum is enforced.
  optional int64 PinUnlockMaximumLength = 2;
}
// Enable users to set weak PINs for the lock screen PIN
//
// If false, users will be unable to set PINs which are weak and easy to guess.
//
// Some example weak PINs: PINs containing only one digit (1111), PINs whose
// digits are increasing by 1 (1234), PINs whose digits are decreasing by 1
// (4321), and PINs which are commonly used.
//
// By default, users will get a warning, not an error, if the PIN is
// considered weak.
//
// Supported on: chrome_os
message PinUnlockWeakPinsAllowedProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // false: users cannot set weak, easy-to-guess PINs (e.g. 1111, 1234, 4321,
  //        or commonly used PINs).
  // By default a weak PIN produces a warning rather than an error.
  optional bool PinUnlockWeakPinsAllowed = 2;
}
// Allow SMS Messages to be synced from phone to Chromebook.
//
// If this setting is enabled, users will be allowed to set up their devices to
// sync SMS messages between their phones and Chromebooks. Note that if this
// policy is allowed, users must explicitly opt into this feature by completing
// a setup flow. Once the setup flow is complete, users will be able to send and
// receive SMS messages on their Chromebooks.
//
// If this setting is disabled, users will not be allowed to set up SMS syncing.
//
// If this policy is left not set, the default is not allowed for managed users
// and allowed for non-managed users.
//
// Supported on: chrome_os
message SmsMessagesAllowedProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true:  users may set up SMS syncing between phone and Chromebook (an
  //        explicit opt-in setup flow is still required).
  // false: users may not set up SMS syncing.
  // unset: not allowed for managed users, allowed for non-managed users.
  optional bool SmsMessagesAllowed = 2;
}
// Allow Smart Lock Signin to be used.
//
// If this setting is enabled, users will be allowed to sign into their account
// with Smart Lock. This is more permissive than usual Smart Lock behavior which
// only allows users to unlock their screen.
//
// If this setting is disabled, users will not be allowed to use Smart Lock
// Signin.
//
// If this policy is left not set, the default is not allowed for enterprise-
// managed users and allowed for non-managed users.
//
// Supported on: chrome_os
message SmartLockSigninAllowedProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true:  users may sign into their account with Smart Lock, which is more
  //        permissive than the usual unlock-only Smart Lock behavior.
  // false: Smart Lock Signin is not allowed.
  // unset: not allowed for enterprise-managed users, allowed for
  //        non-managed users.
  optional bool SmartLockSigninAllowed = 2;
}
// Allow Instant Tethering to be used.
//
// If this setting is enabled, users will be allowed to use Instant Tethering,
// which allows their Google phone to share its mobile data with their device.
//
// If this setting is disabled, users will not be allowed to use Instant
// Tethering.
//
// If this policy is left not set, the default is not allowed for enterprise-
// managed users and allowed for non-managed users.
//
// Supported on: chrome_os
message InstantTetheringAllowedProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true:  users may use Instant Tethering, which lets their Google phone
  //        share its mobile data with the device.
  // false: Instant Tethering is not allowed.
  // unset: not allowed for enterprise-managed users, allowed for
  //        non-managed users.
  optional bool InstantTetheringAllowed = 2;
}
// Allow queries to a Google time service
//
// Setting this policy to false stops Google Chrome from occasionally sending
// queries to a Google server to retrieve an accurate timestamp. These queries
// will be enabled if this policy is set to True or is not set.
//
// Supported on: fuchsia, linux, mac, win
message BrowserNetworkTimeQueriesEnabledProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true or unset: Google Chrome occasionally queries a Google server for an
  //                accurate timestamp.
  // false:         those queries are stopped.
  optional bool BrowserNetworkTimeQueriesEnabled = 2;
}
// Use System Default Printer as Default
//
// Causes Google Chrome to use the system default printer as the default choice
// in Print Preview instead of the most recently used printer.
//
// If you disable this setting or do not set a value, Print Preview will use the
// most recently used printer as the default destination choice.
//
// If you enable this setting, Print Preview will use the OS system default
// printer as the default destination choice.
//
// Supported on: fuchsia, linux, mac, win
message PrintPreviewUseSystemDefaultPrinterProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true:           Print Preview defaults to the OS system default printer.
  // false or unset: Print Preview defaults to the most recently used
  //                 printer.
  optional bool PrintPreviewUseSystemDefaultPrinter = 2;
}
// Migration strategy for ecryptfs
//
// Specifies the action that should be taken when the user's home directory was
// created with ecryptfs encryption.
//
// If you set this policy to 'DisallowArc', Android apps will be disabled for
// the user and no migration from ecryptfs to ext4 encryption will be performed.
// Android apps will not be prevented from running when the home directory is
// already ext4-encrypted.
//
// If you set this policy to 'Migrate', ecryptfs-encrypted home directories will
// be automatically migrated to ext4 encryption on sign-in without asking for
// user consent.
//
// If you set this policy to 'Wipe', ecryptfs-encrypted home directories will be
// deleted on sign-in and new ext4-encrypted home directories will be created
// instead. Warning: This removes the user's local data.
//
// If you set this policy to 'MinimalMigrate', ecryptfs-encrypted home
// directories will be deleted on sign-in and new ext4-encrypted home
// directories will be created instead. However, an attempt will be made to
// preserve login tokens so that the user does not have to sign in again.
// Warning: This removes the user's local data.
//
// If you set this policy to an option that is no longer supported ('AskUser' or
// 'AskForEcryptfsArcUsers'), it will be treated as if you had selected
// 'Migrate' instead.
//
// This policy does not apply to kiosk users. If this policy is left not set,
// the device will behave as if 'DisallowArc' was chosen.
//
// Valid values:
// 0: Disallow data migration and ARC.
// 1: Migrate automatically, don’t ask for user consent.
// 2: Wipe the user’s ecryptfs home directory and start with a fresh
// ext4-encrypted home directory.
// 4: Similar to Wipe (value 2), but tries to preserve login tokens so the
// user does not have to sign in again.
//
// Supported on: chrome_os
message EcryptfsMigrationStrategyProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Action taken for a home directory created with ecryptfs encryption:
  //   0 - disallow data migration and ARC
  //   1 - migrate automatically, without asking for user consent
  //   2 - wipe the ecryptfs home directory and start with a fresh
  //       ext4-encrypted one
  //   4 - like 2, but tries to preserve login tokens
  // Values 2 and 4 remove the user's local data. When the policy is not set
  // the device behaves as if 'DisallowArc' was chosen. The policy does not
  // apply to kiosk users.
  optional int64 EcryptfsMigrationStrategy = 2;
}
// Select task scheduler configuration
//
// Instructs Google Chrome OS to use the task scheduler configuration identified
// by the specified name.
//
// This policy can be set to "conservative" and "performance", which select task
// scheduler configurations that are tuned for stability vs. maximum
// performance, respectively.
//
// If the policy is left unset, the user can make their own choice.
//
// Valid values:
// conservative: Optimize for stability.
// performance: Optimize for performance.
//
// Supported on: chrome_os
message SchedulerConfigurationProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Name of the task scheduler configuration to use:
  //   "conservative" - optimize for stability
  //   "performance"  - optimize for performance
  // When left unset, the user can make their own choice.
  optional string SchedulerConfiguration = 2;
}
// Whitelist note-taking apps allowed on the Google Chrome OS lock screen
//
// Specifies the list of apps that can be enabled as a note-taking app on the
// Google Chrome OS lock screen.
//
// If the preferred note-taking app is enabled on the lock screen, the lock
// screen will contain a UI element for launching the preferred note-taking app.
// When launched, the app will be able to create an app window on top of the
// lock screen, and create data items (notes) in the lock screen context. The
// app will be able to import created notes to the primary user session, when
// the session is unlocked. Currently, only Chrome note-taking apps are
// supported on the lock screen.
//
// If the policy is set, the user will be allowed to enable an app on the lock
// screen only if the app's extension ID is contained in the policy list value.
// As a consequence, setting this policy to an empty list will disable note-
// taking on the lock screen entirely.
// Note that the policy containing an app ID does not necessarily mean that the
// user will be able to enable the app as a note-taking app on the lock screen -
// for example, on Chrome 61, the set of available apps is additionally
// restricted by the platform.
//
// If the policy is left unset, there will be no restrictions on the set of apps
// the user can enable on the lock screen imposed by the policy.
//
// Supported on: chrome_os
message NoteTakingAppsLockScreenWhitelistProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Extension IDs of apps the user may enable as a note-taking app on the
  // lock screen. An empty list disables lock screen note-taking entirely;
  // leaving the policy unset imposes no policy restriction. A listed app can
  // create a window on top of the lock screen and create notes in the lock
  // screen context, so the list should stay limited to apps that are meant
  // to run before the session is unlocked.
  optional StringList NoteTakingAppsLockScreenWhitelist = 2;
}
// Enable casting content to the device
//
// Allow content to be cast to the device using Google Cast.
//
// If this policy is set to False, users will not be able to cast content to
// their device. If this policy is set to True, users are allowed to cast
// content. If this policy is not set, users are not allowed to cast content to
// enrolled Chrome OS devices, but can cast to non-enrolled devices.
//
// Supported on: chrome_os
message CastReceiverEnabledProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true:  users are allowed to cast content to the device via Google Cast.
  // false: users cannot cast content to the device.
  // unset: casting to enrolled Chrome OS devices is not allowed; casting to
  //        devices that are not enrolled is.
  optional bool CastReceiverEnabled = 2;
}
// Google Chrome cloud policy overrides Platform policy.
//
//
// If the policy is set to true, cloud policy takes precedence if it conflicts
// with platform policy.
// If the policy is set to false or not configured, platform policy takes
// precedence if it conflicts with cloud policy.
//
// This policy is only available as a mandatory machine platform policy and it
// only affects machine scope cloud policies.
//
// Supported on: fuchsia, linux, mac, win
message CloudPolicyOverridesPlatformPolicyProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true:           cloud policy wins when it conflicts with platform policy.
  // false or unset: platform policy wins when it conflicts with cloud
  //                 policy.
  // Only available as a mandatory machine platform policy, and only affects
  // machine scope cloud policies.
  optional bool CloudPolicyOverridesPlatformPolicy = 2;
}
// Ask where to save each file before downloading
//
//
// If the policy is enabled, the user will be asked where to save each file
// before downloading.
// If the policy is disabled, downloads will start immediately, and the user
// will not be asked where to save the file.
// If the policy is not configured, the user will be able to change this
// setting.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message PromptForDownloadLocationProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true:  the user is asked where to save each file before downloading.
  // false: downloads start immediately, without asking for a location.
  // unset: the user can change this setting.
  optional bool PromptForDownloadLocation = 2;
}
// Enable Site Isolation for specified origins
//
//
// If the policy is enabled, each of the named origins in a
// comma-separated list will run in its own process. This will also isolate
// origins named by subdomains; e.g. specifying https://example.com/ will
// also cause https://foo.example.com/ to be isolated as part of the
// https://example.com/ site.
// If the policy is not configured or disabled, the user will be able to change
// this setting.
//
// NOTE: This policy does not apply on Android. To enable IsolateOrigins on
// Android, use the IsolateOriginsAndroid policy setting.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message IsolateOriginsProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Comma-separated list of origins that each run in their own process.
  // Subdomains are isolated as part of the named site (e.g. naming
  // https://example.com/ also covers https://foo.example.com/). Does not
  // apply on Android; IsolateOriginsAndroid is the Android counterpart.
  optional string IsolateOrigins = 2;
}
// Enable Site Isolation for every site
//
//
// This setting, SitePerProcess, may be used to disallow users from opting out
// of the default behavior of isolating all sites. Note that the IsolateOrigins
// policy may also be useful for isolating additional, finer-grained origins.
// If the policy is enabled, users will be unable to opt out of the default
// behavior where each site runs in its own process.
// If the policy is not configured or disabled, the user will be able to opt out
// of site isolation
// (e.g. using "Disable site isolation" entry in chrome://flags). Setting the
// policy to disabled and/or not configuring the policy does not turn off Site
// Isolation.
// On Google Chrome OS version 76 and earlier, it is recommended to also set the
// DeviceLoginScreenSitePerProcess device policy to the same value. If the
// values specified by the two policies don't match, a delay may be incurred
// when entering a user session while the value specified by user policy is
// being applied.
//
// NOTE: This policy does not apply on Android. To enable SitePerProcess on
// Android, use the SitePerProcessAndroid policy setting.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message SitePerProcessProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true:           users cannot opt out of the default behavior where each
  //                 site runs in its own process.
  // false or unset: users can opt out of site isolation (e.g. through
  //                 chrome://flags); this value does not itself turn Site
  //                 Isolation off.
  // Does not apply on Android; SitePerProcessAndroid is the Android
  // counterpart.
  optional bool SitePerProcess = 2;
}
// Enable Site Isolation for specified origins on Android devices
//
//
// If the policy is enabled, each of the named origins in a
// comma-separated list will run in its own process. This will also isolate
// origins named by subdomains; e.g. specifying https://example.com/ will
// also cause https://foo.example.com/ to be isolated as part of the
// https://example.com/ site.
// If the policy is disabled, no explicit Site Isolation will happen and field
// trials of IsolateOriginsAndroid and SitePerProcessAndroid will be disabled.
// Users will still be able to enable IsolateOrigins manually, via command line
// flag.
// If the policy is not configured, the user will be able to change this
// setting.
//
// NOTE: On Android, Site Isolation is experimental. Support will improve over
// time, but currently it may cause performance problems.
//
// NOTE: This policy applies only to Chrome on Android running on devices with
// strictly more than 1GB of RAM. To apply the policy on non-Android platforms,
// use IsolateOrigins.
//
// Supported on: android
message IsolateOriginsAndroidProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Comma-separated list of origins that each run in their own process on
  // Android; subdomains are isolated as part of the named site. Disabling
  // the policy means no explicit Site Isolation and disables the field
  // trials of IsolateOriginsAndroid and SitePerProcessAndroid. Applies only
  // on devices with strictly more than 1GB of RAM.
  optional string IsolateOriginsAndroid = 2;
}
// Enable Site Isolation for every site
//
//
// You might want to look at the IsolateOriginsAndroid policy setting to get the
// best of both worlds, isolation and limited impact for users, by using
// IsolateOriginsAndroid with a list of the sites you want to isolate. This
// setting, SitePerProcessAndroid, isolates all sites.
// If the policy is enabled, each site will run in its own process.
// If the policy is disabled, no explicit Site Isolation will happen and field
// trials of IsolateOriginsAndroid and SitePerProcessAndroid will be disabled.
// Users will still be able to enable SitePerProcess manually.
// If the policy is not configured, the user will be able to change this
// setting.
//
// NOTE: On Android, Site Isolation is experimental. Support will improve over
// time, but currently it may cause performance problems.
//
// NOTE: This policy applies only to Chrome on Android running on devices with
// strictly more than 1GB of RAM. To apply the policy on non-Android platforms,
// use SitePerProcess.
//
// Supported on: android
message SitePerProcessAndroidProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true:  each site runs in its own process.
  // false: no explicit Site Isolation; the field trials of
  //        IsolateOriginsAndroid and SitePerProcessAndroid are disabled,
  //        though users can still enable SitePerProcess manually.
  // unset: the user can change this setting.
  // Applies only on Android devices with strictly more than 1GB of RAM.
  optional bool SitePerProcessAndroid = 2;
}
// Allow WebDriver to Override Incompatible Policies
//
// This policy allows users of the WebDriver feature to override
// policies which can interfere with its operation.
//
// Currently this policy disables SitePerProcess and IsolateOrigins policies.
//
// If the policy is enabled, WebDriver will be able to override incompatible
// policies.
// If the policy is disabled or not configured, WebDriver will not be allowed
// to override incompatible policies.
//
// Supported on: fuchsia, linux, mac, win
message WebDriverOverridesIncompatiblePoliciesProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true:           WebDriver may override policies that interfere with its
  //                 operation; currently this disables the SitePerProcess
  //                 and IsolateOrigins policies, so their site-isolation
  //                 guarantees no longer hold where WebDriver is in use.
  // false or unset: WebDriver is not allowed to override those policies.
  optional bool WebDriverOverridesIncompatiblePolicies = 2;
}
// Origins or hostname patterns for which restrictions on
// insecure origins should not apply
//
// Deprecated in M69. Use
// OverrideSecurityRestrictionsOnInsecureOrigin instead.
//
// The policy specifies a list of origins (URLs) or hostname patterns (such
// as "*.example.com") for which security restrictions on insecure origins
// will not apply.
//
// The intent is to allow organizations to whitelist origins for legacy
// applications that cannot deploy TLS, or to set up a staging server for
// internal web development so that their developers can test out features
// requiring secure contexts without having to deploy TLS on the staging
// server. This policy will also prevent the origin from being labeled
// "Not Secure" in the omnibox.
//
// Setting a list of URLs in this policy has the same effect as setting the
// command-line flag '--unsafely-treat-insecure-origin-as-secure' to a
// comma-separated list of the same URLs. If the policy is set, it will
// override the command-line flag.
//
// This policy is deprecated in M69 in favor of
// OverrideSecurityRestrictionsOnInsecureOrigin. If both policies are
// present, OverrideSecurityRestrictionsOnInsecureOrigin will override this
// policy.
//
// For more information on secure contexts, see
// https://www.w3.org/TR/secure-contexts/
//
// Supported on: fuchsia, linux, mac, win
message UnsafelyTreatInsecureOriginAsSecureProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Origins (URLs) or hostname patterns (such as "*.example.com") exempted
  // from the security restrictions on insecure origins. Listed origins are
  // also not labeled "Not Secure" in the omnibox, so every entry removes a
  // user-visible warning as well as the restriction itself. When set, this
  // overrides the '--unsafely-treat-insecure-origin-as-secure' command-line
  // flag.
  // Deprecated in M69: OverrideSecurityRestrictionsOnInsecureOrigin replaces
  // this policy and takes precedence when both are present.
  optional StringList UnsafelyTreatInsecureOriginAsSecure = 2;
}
// Set default download directory
//
// Configures the default directory that Google Chrome will use for downloading
// files.
//
// If you set this policy, it will change the default directory that Google
// Chrome downloads files to. This policy is not mandatory, so the user will be
// able to change the directory.
//
// If you do not set this policy, Google Chrome will use its usual default
// directory (platform-specific).
//
// See https://www.chromium.org/administrators/policy-list-3/user-data-
// directory-variables for a list of variables that can be used.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
//
// Note: this policy must have a RECOMMENDED PolicyMode set in PolicyOptions.
message DefaultDownloadDirectoryProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto. For this policy a RECOMMENDED
  // PolicyMode must be set here.
  optional PolicyOptions policy_options = 1;

  // Default directory Google Chrome downloads files to. The policy is not
  // mandatory, so the user can change the directory. When unset, the usual
  // platform-specific default directory is used.
  optional string DefaultDownloadDirectory = 2;
}
// Abusive Experience Intervention Enforce
//
// Allows you to set whether sites with abusive experiences should be prevented
// from opening new windows or tabs.
//
// If this policy is set to True, sites with abusive experiences will be
// prevented from opening new windows or tabs.
// However this behavior will not trigger if SafeBrowsingEnabled policy is set
// to False.
// If this policy is set to False, sites with abusive experiences will be
// allowed to open new windows or tabs.
// If this policy is left not set, True will be used.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message AbusiveExperienceInterventionEnforceProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true or unset: sites with abusive experiences are prevented from opening
  //                new windows or tabs. This does not trigger when the
  //                SafeBrowsingEnabled policy is set to False.
  // false:         such sites are allowed to open new windows or tabs.
  optional bool AbusiveExperienceInterventionEnforce = 2;
}
// Force enable spellcheck languages
//
// Force-enables spellcheck languages. Unrecognized languages in the list will
// be ignored.
//
// If you enable this policy, spellcheck will be enabled for the languages
// specified, in addition to the languages for which the user has enabled
// spellcheck.
//
// If you do not set this policy, or disable it, there will be no change to the
// user's spellcheck preferences.
//
// If the SpellcheckEnabled policy is set to false, this policy will have no
// effect.
//
// If a language is included in both this policy and the
// SpellcheckLanguageBlacklist policy, this policy is prioritized and the
// spellcheck language is enabled.
//
// The currently supported languages are: af, bg, ca, cs, da, de, el, en-AU, en-
// CA, en-GB, en-US, es, es-419, es-AR, es-ES, es-MX, es-US, et, fa, fo, fr, he,
// hi, hr, hu, id, it, ko, lt, lv, nb, nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl,
// sq, sr, sv, ta, tg, tr, uk, vi.
//
// Supported on: chrome_os, linux, win
message SpellcheckLanguageProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Languages for which spellcheck is force-enabled, in addition to the
  // languages the user enabled. Unrecognized languages are ignored. A
  // language also present in SpellcheckLanguageBlacklist stays enabled.
  // Has no effect when SpellcheckEnabled is set to false.
  optional StringList SpellcheckLanguage = 2;
}
// Force disable spellcheck languages
//
// Force-disables spellcheck languages. Unrecognized languages in that list will
// be ignored.
//
// If you enable this policy, spellcheck will be disabled for the languages
// specified. The user can still enable or disable spellcheck for languages not
// in the list.
//
// If you do not set this policy, or disable it, there will be no change to the
// user's spellcheck preferences.
//
// If the SpellcheckEnabled policy is set to false, this policy will have no
// effect.
//
// If a language is included in both this policy and the SpellcheckLanguage
// policy, the latter is prioritized and the spellcheck language will be
// enabled.
//
// The currently supported languages are: af, bg, ca, cs, da, de, el, en-AU, en-
// CA, en-GB, en-US, es, es-419, es-AR, es-ES, es-MX, es-US, et, fa, fo, fr, he,
// hi, hr, hu, id, it, ko, lt, lv, nb, nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl,
// sq, sr, sv, ta, tg, tr, uk, vi.
//
// Supported on: chrome_os, linux, win
message SpellcheckLanguageBlacklistProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // Languages for which spellcheck is force-disabled. Unrecognized languages
  // are ignored. A language also present in SpellcheckLanguage is enabled,
  // because that policy is prioritized. Has no effect when
  // SpellcheckEnabled is set to false.
  optional StringList SpellcheckLanguageBlacklist = 2;
}
// Enable third party software injection blocking
//
// If the policy is set to false then third party software will be allowed to
// inject executable code into Chrome's processes. If the policy is unset or set
// to true then third party software will be prevented from injecting executable
// code into Chrome's processes.
//
// Regardless of the value of this policy, the browser will not currently block
// third party software from injecting executable code into its processes on a
// machine that is joined to a Microsoft® Active Directory® domain.
//
// Supported on: win
message ThirdPartyBlockingEnabledProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true or unset: third party software is prevented from injecting
  //                executable code into Chrome's processes.
  // false:         third party software is allowed to inject executable
  //                code into Chrome's processes.
  // Regardless of this value, injection is not currently blocked on machines
  // joined to a Microsoft Active Directory domain, so the setting gives no
  // protection there.
  optional bool ThirdPartyBlockingEnabled = 2;
}
// Enable spellcheck
//
// If this policy is not set, the user can enable or disable spellcheck in the
// language settings.
//
// If this policy is set to true, spellcheck is enabled and the user cannot
// disable it. On Microsoft® Windows, Google Chrome OS and Linux, spellcheck
// languages can be individually toggled on or off, so the user can still
// effectively disable spellcheck by toggling off every spellcheck language. To
// avoid that, the SpellcheckLanguage policy can be used to force specific
// spellcheck languages to be enabled.
//
// If this policy is set to false, spellcheck is disabled and the user cannot
// enable it. The SpellcheckLanguage and SpellcheckLanguageBlacklist policies
// have no effect when this policy is set to false.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message SpellcheckEnabledProto {
  // Per-policy options; PolicyOptions is imported from
  // cloud_policy_full_runtime.proto.
  optional PolicyOptions policy_options = 1;

  // true:  spellcheck is enabled and the user cannot disable it. On Windows,
  //        Chrome OS and Linux the user can still toggle off every
  //        individual language unless SpellcheckLanguage forces some on.
  // false: spellcheck is disabled and the user cannot enable it;
  //        SpellcheckLanguage and SpellcheckLanguageBlacklist have no
  //        effect.
  // unset: the user can enable or disable spellcheck in the language
  //        settings.
  optional bool SpellcheckEnabled = 2;
}
// Ads setting for sites with intrusive ads
//
// Allows you to set whether ads should be blocked on sites with intrusive ads.
//
// If this policy is set to 2, ads will be blocked on sites with intrusive ads.
// However this behavior will not trigger if SafeBrowsingEnabled policy is set
// to False.
// If this policy is set to 1, ads will not be blocked on sites with intrusive
// ads.
// If this policy is left not set, 2 will be used.
//
// Valid values:
// 1: Allow ads on all sites
// 2: Do not allow ads on sites with intrusive ads
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message AdsSettingForIntrusiveAdsSitesProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// 1 = allow ads on all sites, 2 = block ads on sites with intrusive ads (the
// value used when unset). Blocking does not trigger when SafeBrowsingEnabled
// is False. The int64 type accepts any integer, so values other than 1 and 2
// must be handled by the reader of this field; that handling is not visible
// in this file.
optional int64 AdsSettingForIntrusiveAdsSites = 2;
}
// Restrict accounts that are visible in Google Chrome
//
// Contains a list of patterns which are used to control the visibility of
// accounts in Google Chrome.
//
// Each Google account on the device will be compared to patterns stored in this
// policy to determine the account visibility in Google Chrome. The account will
// be visible if its name matches any pattern on the list. Otherwise, the
// account will be hidden.
//
// Use the wildcard character '*' to match zero or more arbitrary characters.
// The escape character is '\', so to match actual '*' or '\' characters, put a
// '\' in front of them.
//
// If this policy is not set, all Google accounts on the device will be visible
// in Google Chrome.
//
// Supported on: android
message RestrictAccountsToPatternsProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Account-name patterns. An account is visible when its name matches any
// entry and hidden otherwise; unset means every Google account on the device
// is visible. '*' matches zero or more characters, and a backslash escapes a
// literal '*' or backslash.
optional StringList RestrictAccountsToPatterns = 2;
}
// Password protection warning trigger
//
// Allows you to control the triggering of password protection warning. Password
// protection alerts users when they reuse their protected password on
// potentially suspicious sites.
//
// You can use 'PasswordProtectionLoginURLs' and
// 'PasswordProtectionChangePasswordURL' policies to configure which password to
// protect.
//
// If this policy is set to 'PasswordProtectionWarningOff', no password
// protection warning will be shown.
// If this policy is set to 'PasswordProtectionWarningOnPasswordReuse', password
// protection warning will be shown when the user reuses their protected
// password on a non-whitelisted site.
// If this policy is set to 'PasswordProtectionWarningOnPhishingReuse', password
// protection warning will be shown when the user reuses their protected
// password on a phishing site.
// If this policy is left unset, password protection service will only protect
// Google passwords but the user will be able to change this setting.
//
// Valid values:
// 0: Password protection warning is off
// 1: Password protection warning is triggered by password reuse
// 2: Password protection warning is triggered by password reuse on phishing
// page
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message PasswordProtectionWarningTriggerProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// 0 = warning off, 1 = warn on password reuse on a non-whitelisted site,
// 2 = warn on password reuse on a phishing page. Unset protects only Google
// passwords and leaves the setting user-changeable. 0 removes the reuse
// warning altogether, so a deployment carrying it deserves a second look.
// The int64 type does not restrict the value to 0-2; range checking is not
// visible in this file.
optional int64 PasswordProtectionWarningTrigger = 2;
}
// Notify a user that a browser relaunch or device restart is recommended or
// required
//
// Notify users that Google Chrome must be relaunched or Google Chrome OS must
// be restarted to apply a pending update.
//
// This policy setting enables notifications to inform the user that a browser
// relaunch or device restart is recommended or required. If not set, Google
// Chrome indicates to the user that a relaunch is needed via subtle changes to
// its menu, while Google Chrome OS indicates such via a notification in the
// system tray. If set to 'Recommended', a recurring warning will be shown to
// the user that a relaunch is recommended. The user can dismiss this warning to
// defer the relaunch. If set to 'Required', a recurring warning will be shown
// to the user indicating that a browser relaunch will be forced once the
// notification period passes. The default period is seven days for Google
// Chrome and four days for Google Chrome OS, and may be configured via the
// RelaunchNotificationPeriod policy setting.
//
// The user's session is restored following the relaunch/restart.
//
// Valid values:
// 1: Show a recurring prompt to the user indicating that a relaunch is
// recommended
// 2: Show a recurring prompt to the user indicating that a relaunch is
// required
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RelaunchNotificationProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// 1 = recurring prompt that a relaunch is recommended (the user can dismiss
// it to defer), 2 = recurring prompt that a relaunch is required and will be
// forced once the notification period passes. Unset: only the subtle menu
// change (Chrome) or system-tray notification (Chrome OS) is shown.
// The int64 type does not restrict the value to 1-2.
optional int64 RelaunchNotification = 2;
}
// Set the time period for update notifications
//
// Allows you to set the time period, in milliseconds, over which users are
// notified that Google Chrome must be relaunched or that a Google Chrome OS
// device must be restarted to apply a pending update.
//
// Over this time period, the user will be repeatedly informed of the need for
// an update. For Google Chrome OS devices, a restart notification appears in
// the system tray according to the RelaunchHeadsUpPeriod policy. For Google
// Chrome browsers, the app menu changes to indicate that a relaunch is needed
// once one third of the notification period passes. This notification changes
// color once two thirds of the notification period passes, and again once the
// full notification period has passed. The additional notifications enabled by
// the RelaunchNotification policy follow this same schedule.
//
// If not set, the default period of 345600000 milliseconds (four days) is used
// for Google Chrome OS devices and 604800000 milliseconds (one week) for Google
// Chrome.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message RelaunchNotificationPeriodProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Notification period in milliseconds. Unset defaults: 345600000 (four days)
// on Chrome OS, 604800000 (one week) for Chrome. No minimum or maximum is
// expressed in this message; a large value lengthens the time a pending
// update can wait before a 'Required' relaunch is forced.
optional int64 RelaunchNotificationPeriod = 2;
}
// Set the time of the first user relaunch notification
//
// Allows you to set the time period, in milliseconds, between the first
// notification that a Google Chrome OS device must be restarted to apply a
// pending update and the end of the time period specified by the
// RelaunchNotificationPeriod policy.
//
// If not set, the default period of 86400000 milliseconds (one day) is used for
// Google Chrome OS devices.
//
// Supported on: chrome_os
message RelaunchHeadsUpPeriodProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Time in milliseconds between the first restart notification and the end of
// the RelaunchNotificationPeriod. Chrome OS only; unset default is 86400000
// (one day). No bounds are expressed in this message.
optional int64 RelaunchHeadsUpPeriod = 2;
}
// User is enabled to run Crostini
//
// Enable this user to run Crostini.
//
// If the policy is set to false, Crostini is not enabled for the user.
// If set to true or left unset, Crostini is enabled for the user as long as
// other settings also allow it.
// All three policies, VirtualMachinesAllowed, CrostiniAllowed, and
// DeviceUnaffiliatedCrostiniAllowed need to be true when they apply for
// Crostini to be allowed to run.
// When this policy is changed to false, it applies to starting new Crostini
// containers but does not shut down containers which are already running.
//
// Supported on: chrome_os
message CrostiniAllowedProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// False: Crostini is not enabled for the user. True or unset: enabled as long
// as VirtualMachinesAllowed and DeviceUnaffiliatedCrostiniAllowed also allow
// it where they apply. Switching to false only stops new containers from
// starting; containers that are already running are not shut down.
optional bool CrostiniAllowed = 2;
}
// User is enabled to export / import Crostini containers via the UI
//
// If the policy is set to false, the export / import UI will not be available
// to users, however it is still possible to use 'lxc' commands directly in the
// virtual machine to export and import container images.
//
// Supported on: chrome_os
message CrostiniExportImportUIAllowedProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// False hides the export / import UI only. Per the description, 'lxc'
// commands inside the virtual machine can still export and import container
// images, so this is a UI restriction rather than a control on container
// data leaving or entering the device.
optional bool CrostiniExportImportUIAllowed = 2;
}
// Configure the list of domains on which Safe Browsing will not trigger
// warnings.
//
// Configure the list of domains which Safe Browsing will trust. This means:
// Safe Browsing will not check for dangerous resources (e.g. phishing, malware,
// or unwanted software) if their URLs match these domains.
// Safe Browsing's download protection service will not check downloads hosted
// on these domains.
// Safe Browsing's password protection service will not check for password reuse
// if the page URL matches these domains.
//
// If this setting is enabled, then Safe Browsing will trust these domains.
// If this setting is disabled or not set, then default Safe Browsing protection
// is applied to all resources.
// This policy is available only on Windows instances that are joined to a
// Microsoft® Active Directory® domain, or on Windows 10 Pro or Enterprise
// instances that are enrolled for device management.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message SafeBrowsingWhitelistDomainsProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Domains that Safe Browsing will trust. Each entry switches off three
// checks for matching URLs: dangerous-resource checks (phishing, malware,
// unwanted software), download protection, and password-reuse detection.
// Keep the list as short as possible and review every addition. Unset or
// disabled applies default Safe Browsing protection everywhere.
optional StringList SafeBrowsingWhitelistDomains = 2;
}
// Configure the list of enterprise login URLs where password protection service
// should capture fingerprint of password.
//
// Configure the list of enterprise login URLs (HTTP and HTTPS schemes only).
// Fingerprint of password will be captured on these URLs and used for password
// reuse detection.
// In order for Google Chrome to correctly capture password fingerprints, please
// make sure your login pages follow the guidelines on
// https://www.chromium.org/developers/design-documents/create-amazing-password-forms.
//
// If this setting is enabled, then password protection service will capture
// fingerprint of password on these URLs for password reuse detection purpose.
// If this setting is disabled or not set, then password protection service will
// only capture password fingerprint on https://accounts.google.com.
// This policy is available only on Windows instances that are joined to a
// Microsoft® Active Directory® domain, or on Windows 10 Pro or Enterprise
// instances that are enrolled for device management.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message PasswordProtectionLoginURLsProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Enterprise login URLs on which a fingerprint of the typed password is
// captured for password-reuse detection. Unset or disabled: fingerprints are
// captured only on https://accounts.google.com. The HTTP/HTTPS-only rule is
// stated in the description; this message itself does not enforce a scheme,
// so the entries have to be validated by the reader of the field.
optional StringList PasswordProtectionLoginURLs = 2;
}
// Configure the change password URL.
//
// Configure the change password URL (HTTP and HTTPS schemes only). Password
// protection service will send users to this URL to change their password after
// seeing a warning in the browser.
// In order for Google Chrome to correctly capture the new password fingerprint
// on this change password page, please make sure your change password page
// follows the guidelines on
// https://www.chromium.org/developers/design-documents/create-amazing-password-forms.
//
// If this setting is enabled, then password protection service will send users
// to this URL to change their password after seeing a warning in the browser.
// If this setting is disabled or not set, then password protection service will
// send users to https://myaccount.google.com to change their password.
// This policy is available only on Windows instances that are joined to a
// Microsoft® Active Directory® domain, or on Windows 10 Pro or Enterprise
// instances that are enrolled for device management.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message PasswordProtectionChangePasswordURLProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// URL users are sent to after a password protection warning in order to
// change their password. Unset or disabled: https://myaccount.google.com is
// used. Users type a new password on this page, so the value should point at
// a page the organisation controls. The HTTP/HTTPS-only rule is stated in
// the description; the string type does not enforce it.
optional string PasswordProtectionChangePasswordURL = 2;
}
// Enable Safe Browsing Extended Reporting
//
// Enables Google Chrome's Safe Browsing Extended Reporting and prevents users
// from changing this setting.
//
// Extended Reporting sends some system information and page content to Google
// servers to help detect dangerous apps and sites.
//
// If the setting is set to true, then reports will be created and sent whenever
// necessary (such as when a security interstitial is shown).
//
// If the setting is set to false, reports will never be sent.
//
// If this policy is set to true or false, the user will not be able to modify
// the setting.
//
// If this policy is left unset, the user will be able to change the setting and
// decide whether to send reports or not.
//
// See https://developers.google.com/safe-browsing for more info on Safe
// Browsing.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message SafeBrowsingExtendedReportingEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True: reports containing some system information and page content are
// sent to Google servers whenever necessary (e.g. when a security
// interstitial is shown). False: reports are never sent. Either value
// prevents the user from modifying the setting; unset leaves the decision to
// the user.
optional bool SafeBrowsingExtendedReportingEnabled = 2;
}
// The enrollment token of cloud policy on desktop
//
//
// This policy is deprecated in M72. Please use CloudManagementEnrollmentToken
// instead.
//
// Supported on: fuchsia, linux, mac, win
message MachineLevelUserCloudPolicyEnrollmentTokenProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Enrollment token for cloud policy. Deprecated in M72 in favour of
// CloudManagementEnrollmentToken.
// NOTE(review): the deprecation is recorded only in the comment; the field
// carries no deprecated option. The token presumably needs the same
// secret-handling as its replacement -- confirm.
optional string MachineLevelUserCloudPolicyEnrollmentToken = 2;
}
// The enrollment token of cloud policy on desktop
//
//
// If this policy is set, Google Chrome will try to register itself and apply
// associated cloud policy for all profiles.
//
// The value of this policy is an Enrollment token that can be retrieved from
// the Google Admin console.
//
// Supported on: fuchsia, linux, mac, win
message CloudManagementEnrollmentTokenProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Enrollment token retrieved from the Google Admin console. When set, Chrome
// tries to register itself and apply the associated cloud policy to all
// profiles. Since the token is what lets a browser register, it should
// presumably be handled like a credential (kept out of logs and shared
// configuration dumps) -- confirm against the Admin console guidance.
optional string CloudManagementEnrollmentToken = 2;
}
// Enable mandatory cloud management enrollment
//
//
// If this policy is set to True, cloud management enrollment is mandatory and
// the Chrome launch process is blocked if enrollment fails.
//
// If this policy is left unset or set to False, cloud management enrollment is
// optional and does not block the Chrome launch process if it fails.
//
// This policy is used by machine scope cloud policy enrollment on desktop and
// can be set by Registry or GPO on Windows, plist on Mac and JSON policy file
// on Linux.
//
// Supported on: fuchsia, linux, mac, win
message CloudManagementEnrollmentMandatoryProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True: a failed cloud management enrollment blocks the Chrome launch
// process. False or unset: enrollment is optional and a failure does not
// block launch, which means an unenrolled browser can still start without
// the cloud policy applied.
optional bool CloudManagementEnrollmentMandatory = 2;
}
// Allow media autoplay
//
// Allows you to control if videos can play automatically (without user consent)
// with audio content in Google Chrome.
//
// If the policy is set to True, Google Chrome is allowed to autoplay media.
// If the policy is set to False, Google Chrome is not allowed to autoplay
// media. The AutoplayWhitelist policy can be used to override this for certain
// URL patterns.
// By default, Google Chrome is not allowed to autoplay media. The
// AutoplayWhitelist policy can be used to override this for certain URL
// patterns.
//
// Note that if Google Chrome is running and this policy changes, it will be
// applied only to newly opened tabs. Therefore some tabs might still observe
// the previous behavior.
//
// Supported on: chrome_os, linux, mac, win
message AutoplayAllowedProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True: Chrome may autoplay media with audio without user consent. False or
// unset: autoplay is not allowed, except for URL patterns listed in
// AutoplayWhitelist. A change applies only to tabs opened afterwards.
optional bool AutoplayAllowed = 2;
}
// Allow media autoplay on a whitelist of URL patterns
//
// Controls the whitelist of URL patterns that autoplay will always be enabled
// on.
//
// If autoplay is enabled then videos can play automatically (without user
// consent) with audio content in Google Chrome.
//
// Valid URL pattern specifications are:
//
// - [*.]domain.tld (matches domain.tld and all sub-domains)
//
// - host (matches an exact hostname)
//
// - scheme://host:port (supported schemes: http,https)
//
// - scheme://[*.]domain.tld:port (supported schemes: http,https)
//
// - file://path (The path has to be an absolute path and start with a '/')
//
// - a.b.c.d (matches an exact IPv4 ip)
//
// - [a:b:c:d:e:f:g:h] (matches an exact IPv6 ip)
//
// If the AutoplayAllowed policy is set to True then this policy will have no
// effect.
//
// If the AutoplayAllowed policy is set to False then any URL patterns set in
// this policy will still be allowed to play.
//
// Note that if Google Chrome is running and this policy changes, it will be
// applied only to newly opened tabs. Therefore some tabs might still observe
// the previous behavior.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message AutoplayWhitelistProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// URL patterns on which autoplay is always enabled, in the forms listed in
// the description ([*.]domain.tld, host, scheme://host:port, file://path,
// IPv4 and IPv6 literals). Has no effect when AutoplayAllowed is True; still
// applies when AutoplayAllowed is False. The pattern syntax is not enforced
// by StringList.
optional StringList AutoplayWhitelist = 2;
}
// Allow sites to simultaneously navigate and open pop-ups
//
// Deprecated in M68. Use DefaultPopupsSetting instead.
//
// For a full explanation, see
// https://www.chromestatus.com/features/5675755719622656.
// If this policy is enabled, sites will be allowed to simultaneously navigate
// and open new windows/tabs.
// If this policy is disabled or not set, sites will be disallowed from
// simultaneously navigating and opening a new window/tab.
//
// Supported on:
message TabUnderAllowedProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Deprecated in M68; DefaultPopupsSetting replaces it. Enabled: sites may
// navigate and open new windows/tabs at the same time. Disabled or unset:
// they may not. The "Supported on:" list in the description is empty.
// NOTE(review): the deprecation is recorded only in the comment; the field
// carries no deprecated option.
optional bool TabUnderAllowed = 2;
}
// Allow access to native CUPS printers
//
// Allows you to control if users can access non-enterprise printers
//
// If the policy is set to True, or not set at all, users will be able to add,
// configure, and print using their own native printers.
//
// If the policy is set to False, users will not be able to add and configure
// their own native printers. They will also not be able to print using any
// previously configured native printers.
//
// Supported on: chrome_os
message UserNativePrintersAllowedProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True or unset: users can add, configure and print with their own native
// (non-enterprise) printers. False: users cannot add or configure native
// printers, nor print with ones configured earlier.
optional bool UserNativePrintersAllowed = 2;
}
// Enable Chrome Cleanup on Windows
//
// If disabled, prevents Chrome Cleanup from scanning the system for unwanted
// software and performing cleanups. Manually triggering Chrome Cleanup from
// chrome://settings/cleanup is disabled.
//
// If enabled or unset, Chrome Cleanup periodically scans the system for
// unwanted software and should any be found, will ask the user if they wish to
// remove it. Manually triggering Chrome Cleanup from chrome://settings is
// enabled.
//
// This policy is available only on Windows instances that are joined to a
// Microsoft® Active Directory® domain, or on Windows 10 Pro or Enterprise
// instances that are enrolled for device management.
//
// Supported on: win
message ChromeCleanupEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Enabled or unset: Chrome Cleanup periodically scans for unwanted software
// and asks the user before removing anything; manual triggering stays
// available. Disabled: no scanning, no cleanups, and manual triggering from
// chrome://settings/cleanup is turned off as well.
optional bool ChromeCleanupEnabled = 2;
}
// Control how Chrome Cleanup reports data to Google
//
// If unset, should Chrome Cleanup detect unwanted software, it may report
// metadata about the scan to Google in accordance with policy set by
// SafeBrowsingExtendedReportingEnabled. Chrome Cleanup will then ask the user
// if they wish to clean up the unwanted software. The user can choose to share
// results of the cleanup with Google to assist with future unwanted software
// detection. These results contain file metadata, automatically installed
// extensions and registry keys as described by the Chrome Privacy Whitepaper.
//
// If disabled, should Chrome Cleanup detect unwanted software, it will not
// report metadata about the scan to Google, overriding any policy set by
// SafeBrowsingExtendedReportingEnabled. Chrome Cleanup will ask the user if
// they wish to clean up the unwanted software. Results of the cleanup will not
// be reported to Google and the user will not have the option to do so.
//
// If enabled, should Chrome Cleanup detect unwanted software, it may report
// metadata about the scan to Google in accordance with policy set by
// SafeBrowsingExtendedReportingEnabled. Chrome Cleanup will ask the user if
// they wish to clean up the unwanted software. Results of the cleanup will be
// reported to Google and the user will not have the option to prevent it.
//
// This policy is available only on Windows instances that are joined to a
// Microsoft® Active Directory® domain, or on Windows 10 Pro or Enterprise
// instances that are enrolled for device management.
//
// Supported on: win
message ChromeCleanupReportingEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Unset: scan metadata may be reported per
// SafeBrowsingExtendedReportingEnabled, and the user chooses whether to
// share cleanup results. Disabled: neither scan metadata nor cleanup results
// are reported, overriding SafeBrowsingExtendedReportingEnabled. Enabled:
// cleanup results (file metadata, automatically installed extensions,
// registry keys) are reported and the user cannot prevent it.
optional bool ChromeCleanupReportingEnabled = 2;
}
// Configure the allowed languages in a user session
//
// Configures the languages that can be used as the preferred languages by
// Google Chrome OS.
//
// If this policy is set, the user can only add one of the languages listed in
// this policy to the list of preferred languages. If this policy is not set or
// set to an empty list, user can specify any languages as preferred. If this
// policy is set to a list with invalid values, all invalid values will be
// ignored. If a user previously added some languages that are not allowed by
// this policy to the list of preferred languages they will be removed. If the
// user had previously configured Google Chrome OS to be displayed in one of the
// languages not allowed by this policy, the display language will be switched
// to an allowed UI language next time user signs in. Otherwise, Google Chrome
// OS will switch to the first valid value specified by this policy, or to a
// fallback locale (currently en-US), if this policy only contains invalid
// entries.
//
// Supported on: chrome_os
message AllowedLanguagesProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Languages the user may add as preferred languages on Chrome OS. Unset or
// an empty list allows any language. Invalid entries are ignored; if only
// invalid entries are present the description names en-US as the current
// fallback locale.
optional StringList AllowedLanguages = 2;
}
// Configure the allowed input methods in a user session
//
// Configures which keyboard layouts are allowed for Google Chrome OS user
// sessions.
//
// If this policy is set, the user can only select one of the input methods
// specified by this policy. If this policy is not set or set to an empty list,
// the user can select all supported input methods. If the current input method
// is not allowed by this policy, the input method will be switched to the
// hardware keyboard layout (if allowed) or the first valid entry in this list.
// All invalid or unsupported input methods in this list will be ignored.
//
// Supported on: chrome_os
message AllowedInputMethodsProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Input methods (keyboard layouts) the user may select in a Chrome OS
// session. Unset or an empty list allows all supported input methods.
// Invalid or unsupported entries are ignored.
optional StringList AllowedInputMethods = 2;
}
// Log events for Android app installs
//
// Enables reporting of key events during Android app installation to Google.
// Events are captured only for apps whose installation was triggered via
// policy.
//
// If the policy is set to true, events will be logged.
// If the policy is set to false or unset, events will not be logged.
//
// Supported on: chrome_os
message ArcAppInstallEventLoggingEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True: key events during Android app installation are logged and reported
// to Google, only for apps whose installation was triggered via policy.
// False or unset: no events are logged.
optional bool ArcAppInstallEventLoggingEnabled = 2;
}
// Time Limit
//
// Allows you to lock the user's session based on the client time or the usage
// quota of the day.
//
// The |time_window_limit| specifies a daily window in which the user's session
// should be locked. We only support one rule for each day of the week,
// therefore the |entries| array may vary from 0-7 in size. |starts_at| and
// |ends_at| are the beginning and the end of the window limit; when |ends_at|
// is smaller than |starts_at|, the |time_window_limit| ends on the following
// day. |last_updated_millis| is the UTC timestamp for the last time this entry
// was updated; it is sent as a string because the timestamp wouldn't fit in an
// integer.
//
// The |time_usage_limit| specifies a daily screen quota, so when the user
// reaches it, the user's session is locked. There is a property for each day of
// the week, and it should be set only if there is an active quota for that day.
// |usage_quota_mins| is the amount of time that the managed device can be used
// in a day and |reset_at| is the time when the usage quota is renewed. The
// default value for |reset_at| is midnight ({'hour': 0, 'minute': 0}).
// |last_updated_millis| is the UTC timestamp for the last time this entry was
// updated; it is sent as a string because the timestamp wouldn't fit in an
// integer.
//
// |overrides| is provided to invalidate temporarily one or more of the previous
// rules.
// * If neither time_window_limit nor time_usage_limit is active |LOCK| can be
// used to lock the device.
// * |LOCK| temporarily locks a user session until the next time_window_limit or
// time_usage_limit starts.
// * |UNLOCK| unlocks a user's session locked by time_window_limit or
// time_usage_limit.
// |created_at_millis| is the UTC timestamp for the override creation; it is
// sent as a string because the timestamp wouldn't fit in an integer. It is used
// to determine whether this override should still be applied. If the current
// active time limit feature (time usage limit or time window limit) started
// after the override was created, it should not take action. Also if the
// override was created before the last change of the active time_window_limit
// or time_usage_limit it should not be applied.
//
// Multiple overrides may be sent, the newest valid entry is the one that is
// going to be applied.
//
// Value schema:
// {
// "properties": {
// "overrides": {
// "items": {
// "properties": {
// "action": {
// "enum": [
// "LOCK",
// "UNLOCK"
// ],
// "type": "string"
// },
// "action_specific_data": {
// "properties": {
// "duration_mins": {
// "minimum": 0,
// "type": "integer"
// }
// },
// "type": "object"
// },
// "created_at_millis": {
// "type": "string"
// }
// },
// "type": "object"
// },
// "type": "array"
// },
// "time_usage_limit": {
// "properties": {
// "friday": {
// "$ref": "TimeUsageLimitEntry"
// },
// "monday": {
// "id": "TimeUsageLimitEntry",
// "properties": {
// "last_updated_millis": {
// "type": "string"
// },
// "usage_quota_mins": {
// "minimum": 0,
// "type": "integer"
// }
// },
// "type": "object"
// },
// "reset_at": {
// "$ref": "Time"
// },
// "saturday": {
// "$ref": "TimeUsageLimitEntry"
// },
// "sunday": {
// "$ref": "TimeUsageLimitEntry"
// },
// "thursday": {
// "$ref": "TimeUsageLimitEntry"
// },
// "tuesday": {
// "$ref": "TimeUsageLimitEntry"
// },
// "wednesday": {
// "$ref": "TimeUsageLimitEntry"
// }
// },
// "type": "object"
// },
// "time_window_limit": {
// "properties": {
// "entries": {
// "items": {
// "properties": {
// "effective_day": {
// "$ref": "WeekDay"
// },
// "ends_at": {
// "$ref": "Time"
// },
// "last_updated_millis": {
// "type": "string"
// },
// "starts_at": {
// "id": "Time",
// "properties": {
// "hour": {
// "maximum": 23,
// "minimum": 0,
// "type": "integer"
// },
// "minute": {
// "maximum": 59,
// "minimum": 0,
// "type": "integer"
// }
// },
// "type": "object"
// }
// },
// "type": "object"
// },
// "type": "array"
// }
// },
// "type": "object"
// }
// },
// "type": "object"
// }
//
// Supported on: chrome_os
message UsageTimeLimitProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Structured value described by the "Value schema" in the description,
// carried as a single string (presumably JSON text -- confirm). Because the
// field is a plain string, none of the schema's constraints (hour 0-23,
// minute 0-59, non-negative quotas, LOCK/UNLOCK actions, string-encoded
// millisecond timestamps) are enforced by this message; the reader must
// parse and validate it.
optional string UsageTimeLimit = 2;
}
// Control Android backup and restore service
//
// This policy controls the initial state of Android backup and restore.
//
// When this policy is not configured or set to BackupAndRestoreDisabled,
// Android backup and restore is initially disabled.
//
// When this policy is set to BackupAndRestoreEnabled, Android backup and
// restore is initially enabled.
//
// When this policy is set to BackupAndRestoreUnderUserControl, the user is
// asked to choose whether to use Android backup and restore. If the user
// enables backup and restore, Android app data is uploaded to Android backup
// servers and restored from them upon app re-installations for compatible apps.
//
// Note that this policy controls the state of Android backup and restore during
// initial setup only. The user can open Android settings afterward and turn
// Android backup and restore on/off.
//
// Valid values:
// 0: Backup and restore disabled
// 1: User decides whether to enable backup and restore
// 2: Backup and restore enabled
//
// Supported on: chrome_os
message ArcBackupRestoreServiceEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// 0 = backup and restore disabled (also the behaviour when unset), 1 = user
// decides, 2 = enabled. Controls the initial state during setup only; the
// user can change it in Android settings afterwards, so this is not a lasting
// restriction on app data being uploaded to Android backup servers.
// The int64 type does not restrict the value to 0-2.
optional int64 ArcBackupRestoreServiceEnabled = 2;
}
// Control Android Google location services
//
// This policy controls the initial state of Google location services.
//
// When this policy is not configured or set to GoogleLocationServicesDisabled,
// Google location services are initially disabled.
//
// When this policy is set to GoogleLocationServicesEnabled, Google location
// services are initially enabled.
//
// When this policy is set to GoogleLocationServicesUnderUserControl, the user
// is asked to choose whether to use Google location services. This will allow
// Android apps to use the services to query the device location, and also will
// enable submitting of anonymous location data to Google.
//
// Note that this policy controls the state of Google location services during
// initial setup only. The user can open Android settings afterward and turn
// Google location services on/off.
//
// Note that this policy is ignored and Google location services are always
// disabled when the DefaultGeolocationSetting policy is set to
// BlockGeolocation.
//
// Valid values:
// 0: Google location services disabled
// 1: User decides whether to enable Google location services
// 2: Google location services enabled
//
// Supported on: chrome_os
message ArcGoogleLocationServicesEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// 0 = Google location services disabled (also the behaviour when unset),
// 1 = user decides, 2 = enabled. Controls the initial state during setup
// only; the user can change it in Android settings afterwards. Ignored, with
// location services always disabled, when DefaultGeolocationSetting is
// BlockGeolocation. The int64 type does not restrict the value to 0-2.
optional int64 ArcGoogleLocationServicesEnabled = 2;
}
// Enable displaying Sync Consent during sign-in
//
// This policy controls if Sync Consent can be shown to the user during first
// sign-in. It should be set to false if Sync Consent is never needed for the
// user.
// If set to false, Sync Consent will not be displayed.
// If set to true or unset, Sync Consent can be displayed.
//
// Supported on: chrome_os
message EnableSyncConsentProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// False: Sync Consent is not displayed during first sign-in. True or unset:
// Sync Consent can be displayed.
optional bool EnableSyncConsent = 2;
}
// Enable contextual suggestions of related web pages
//
// This feature never launched, therefore the policy is deprecated. If this is
// set to true or unset, Google Chrome will suggest pages related to the current
// page.
// These suggestions are fetched remotely from Google servers.
//
// If this setting is set to false, suggestions will not be fetched or
// displayed.
//
// Supported on:
message ContextualSuggestionsEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Deprecated: the description states the feature never launched. True or
// unset: pages related to the current page are suggested, fetched remotely
// from Google servers. False: suggestions are neither fetched nor displayed.
// The "Supported on:" list in the description is empty.
optional bool ContextualSuggestionsEnabled = 2;
}
// Enable showing full-tab promotional content
//
// Allows you to control the presentation of full-tab promotional and/or
// educational content in Google Chrome.
//
// If not configured or enabled (set to true), Google Chrome may show full-tab
// content to users to provide product information.
//
// If disabled (set to false), Google Chrome will not show full-tab content to
// users to provide product information.
//
// This setting controls the presentation of the welcome pages that help users
// sign into Google Chrome, choose it as their default browser, or otherwise
// inform them of product features.
//
// Supported on: fuchsia, linux, mac, win
message PromotionalTabsEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True or unset: Chrome may show full-tab promotional or educational content
// (welcome pages for sign-in, default-browser choice, product features).
// False: that content is not shown.
optional bool PromotionalTabsEnabled = 2;
}
// Control SafeSites adult content filtering.
//
// This policy controls the application of the SafeSites URL filter.
// This filter uses the Google Safe Search API to classify URLs as pornographic
// or not.
//
// When this policy is not configured or set to "Do not filter sites for adult
// content", sites will not be filtered.
//
// When this policy is set to "Filter top level sites for adult content", sites
// classified as pornographic will be filtered.
//
// Valid values:
// 0: Do not filter sites for adult content
// 1: Filter top level sites (but not embedded iframes) for adult content
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message SafeSitesFilterBehaviorProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// 0 = do not filter sites for adult content (also the behaviour when unset),
// 1 = filter top level sites classified as pornographic. Value 1 does not
// cover embedded iframes, so it is not a complete content filter. The int64
// type does not restrict the value to 0-1.
optional int64 SafeSitesFilterBehavior = 2;
}
// Origins or hostname patterns for which restrictions on
// insecure origins should not apply
//
//
// The policy specifies a list of origins (URLs) or hostname patterns (such
// as "*.example.com") for which security restrictions on insecure origins
// will not apply.
//
// The intent is to allow organizations to set whitelist origins for legacy
// applications that cannot deploy TLS, or to set up a staging server for
// internal web development so that their developers can test out features
// requiring secure contexts without having to deploy TLS on the staging
// server. This policy will also prevent the origin from being labeled
// "Not Secure" in the omnibox.
//
// Setting a list of URLs in this policy has the same effect as setting the
// command-line flag '--unsafely-treat-insecure-origin-as-secure' to a
// comma-separated list of the same URLs. If the policy is set, it will
// override the command-line flag.
//
// This policy will override UnsafelyTreatInsecureOriginAsSecure, if present.
//
// For more information on secure contexts, see
// https://www.w3.org/TR/secure-contexts/.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message OverrideSecurityRestrictionsOnInsecureOriginProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Origins (URLs) or hostname patterns such as "*.example.com" that are exempt
// from the restrictions on insecure origins. Listed origins can use features
// that require a secure context without deploying TLS and are not labeled
// "Not Secure" in the omnibox, so keep the list to the specific legacy or
// staging hosts that need it; a wildcard pattern extends the exemption to
// every matching host. When set, this overrides both the
// '--unsafely-treat-insecure-origin-as-secure' flag and the
// UnsafelyTreatInsecureOriginAsSecure policy.
optional StringList OverrideSecurityRestrictionsOnInsecureOrigin = 2;
}
// Enables or disables tab lifecycles
//
// The tab lifecycles feature reclaims CPU and eventually memory associated with
// running tabs that have not been used in a long period of time, by first
// throttling them, then freezing them and finally discarding them.
//
// If the policy is set to false then tab lifecycles are disabled, and all tabs
// will be left running normally.
//
// If the policy is set to true or left unspecified then tab lifecycles are
// enabled.
//
// Supported on: win
message TabLifecyclesEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// False disables tab lifecycles so all tabs keep running normally; true or
// unset leaves tab lifecycles enabled.
optional bool TabLifecyclesEnabled = 2;
}
// Enable URL-keyed anonymized data collection
//
// Enables URL-keyed anonymized data collection in Google Chrome and prevents
// users from changing this setting.
//
// URL-keyed anonymized data collection sends URLs of pages the user visits to
// Google to make searches and browsing better.
//
// If you enable this policy, URL-keyed anonymized data collection is always
// active.
//
// If you disable this policy, URL-keyed anonymized data collection is never
// active.
//
// If this policy is left not set, URL-keyed anonymized data collection will be
// enabled but the user will be able to change it.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message UrlKeyedAnonymizedDataCollectionEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True keeps collection always active, false keeps it never active. Unset is
// a third state: collection is enabled but the user can change it. While
// active, URLs of pages the user visits are sent to Google, so an
// organization that does not want this must set the value to false
// explicitly rather than leave it unset.
optional bool UrlKeyedAnonymizedDataCollectionEnabled = 2;
}
// Controls Network File Shares for ChromeOS availability
//
// This policy controls whether the Network File Shares feature for Google
// Chrome OS is allowed for a user.
//
// When this policy is not configured or set to True, users will be able to use
// Network File Shares.
//
// When this policy is set to False, users will be unable to use Network File
// Shares.
//
// Supported on: chrome_os
message NetworkFileSharesAllowedProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// False makes the Network File Shares feature unavailable to the user; true
// or unset allows it.
optional bool NetworkFileSharesAllowed = 2;
}
// Allow collection of WebRTC event logs from Google services
//
//
// If the policy is set to true, Google Chrome is allowed to collect WebRTC
// event logs from Google services (e.g. Google Meet), and upload those logs to
// Google.
//
// If the policy is set to false, or is unset, Google Chrome may not collect nor
// upload such logs.
//
// These logs contain diagnostic information helpful when debugging issues with
// audio or video calls in Chrome, such as the time and size of sent and
// received RTP packets, feedback about congestion on the network, and metadata
// about time and quality of audio and video frames. These logs do not contain
// audio or video contents from the call.
//
// This data collection by Chrome can only be triggered by Google's web
// services, such as Google Hangouts or Google Meet.
//
// Google may associate these logs, by means of a session ID, with other logs
// collected by the Google service itself; this is intended to make debugging
// easier.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message WebRtcEventLogCollectionAllowedProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True allows Google Chrome to collect WebRTC event logs from Google services
// and upload them to Google; false or unset allows neither. Per the
// description the logs hold call diagnostics (RTP packet times and sizes,
// congestion feedback, frame metadata) but no audio or video contents, and
// Google may link them to other service logs through a session ID.
optional bool WebRtcEventLogCollectionAllowed = 2;
}
// Enable smart dim model to extend the time until the screen is dimmed
//
// Specifies whether a smart dim model is allowed to extend the time until the
// screen is dimmed.
//
// When the screen is about to be dimmed, the smart dim model evaluates if
// dimming the screen should be deferred. If the smart dim model defers dimming
// the screen, it effectively extends the time until the screen is dimmed. In
// this case, the screen off, screen lock and idle delays get adjusted to
// maintain the same distances from the screen dim delay as originally
// configured.
// If this policy is set to True or left not set, the smart dim model will be
// enabled and allowed to extend the time until the screen is dimmed. If this
// policy is set to False, the smart dim model will not influence screen
// dimming.
//
// Supported on: chrome_os
message PowerSmartDimEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True or unset lets the smart dim model extend the time until the screen is
// dimmed, which also shifts the screen off, screen lock and idle delays by
// the same amount. False keeps the model from influencing screen dimming.
optional bool PowerSmartDimEnabled = 2;
}
// Allow coalescing of HTTP/2 connections for these hosts even when client
// certificates are used
//
// This policy allows HTTP/2 connection coalescing when client certificates are
// in use. In order to coalesce, both the hostname of the potential new
// connection and the hostname of an existing connection must match one or more
// patterns described by this policy. The policy is a list of hosts using the
// URLBlacklist filter format: "example.com" matches "example.com" and all
// subdomains (e.g. "sub.example.com"), while ".example.net" matches exactly
// "example.net".
//
// Coalescing requests to different hosts over connections that use client
// certificates can create security and privacy issues, as the ambient authority
// will be conveyed to all requests, even if the user did not explicitly
// authorize this. This policy is temporary and will be removed in a future
// release. See https://crbug.com/855690.
//
// If this policy is left unset, then the default behavior of not allowing any
// HTTP/2 connection coalescing on connections using client certificates will be
// used.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message CoalesceH2ConnectionsWithClientCertificatesForHostsProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Host patterns in the URLBlacklist filter format. Coalescing is allowed only
// when the hostnames of both the new and the existing connection match a
// pattern. A bare "example.com" also matches every subdomain; a leading dot
// (".example.net") limits the match to exactly that host. Coalescing conveys
// the client certificate's ambient authority to all requests on the
// connection, so list only hosts that are meant to share that identity.
// Unset keeps the default of no coalescing on client-certificate connections.
optional StringList CoalesceH2ConnectionsWithClientCertificatesForHosts = 2;
}
// Controls Network File Share discovery via NetBIOS
//
// This policy controls whether the Network File Shares feature for Google
// Chrome OS should use the NetBIOS Name Query Request protocol to discover
// shares on the network.
// When this policy is set to True, share discovery will use the NetBIOS Name
// Query Request protocol to discover shares on the network.
// When this policy is set to False, share discovery will not use the NetBIOS
// Name Query Request protocol to discover shares.
// If the policy is left not set, the default is disabled for enterprise-managed
// users and enabled for non-managed users.
//
// Supported on: chrome_os
message NetBiosShareDiscoveryEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True enables share discovery through the NetBIOS Name Query Request
// protocol, false disables it. Unset is not equivalent to false: the default
// is disabled for enterprise-managed users and enabled for non-managed users,
// so set the value explicitly when a fixed behavior is required.
optional bool NetBiosShareDiscoveryEnabled = 2;
}
// Configure list of force-installed Web Apps
//
// Specifies a list of websites that are installed silently, without user
// interaction, and which cannot be uninstalled nor disabled by the user.
//
// Each list item of the policy is an object with a mandatory member: "url" and
// two optional members: "default_launch_container" and
// "create_desktop_shortcut". "url" should be the URL of the web app to install,
// "default_launch_container" should be either "window" or "tab" to indicate how
// the Web App will be opened once installed, and "create_desktop_shortcut"
// should be true if a desktop shortcut should be created on Linux and Windows.
// If "default_launch_container" is omitted, the app will open in a tab by
// default. Regardless of the value of "default_launch_container", users are
// able to change which container the app will open in. If
// "create_desktop_shortcut" is omitted, no desktop shortcuts will be created.
// See PinnedLauncherApps policy for pinning apps to the ChromeOS shelf.
//
// Value schema:
// {
// "items": {
// "properties": {
// "create_desktop_shortcut": {
// "type": "boolean"
// },
// "default_launch_container": {
// "enum": [
// "tab",
// "window"
// ],
// "type": "string"
// },
// "url": {
// "type": "string"
// }
// },
// "required": [
// "url"
// ],
// "type": "object"
// },
// "type": "array"
// }
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message WebAppInstallForceListProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// JSON text following the value schema in the description: an array of
// objects with a required "url" and optional "default_launch_container"
// ("tab" or "window") and "create_desktop_shortcut" (boolean). Listed sites
// are installed silently and cannot be uninstalled or disabled by the user.
// The field is a plain string, so the proto type does not enforce the schema.
// NOTE(review): confirm the consumer validates the JSON before acting on it.
optional string WebAppInstallForceList = 2;
}
// Report OS and Google Chrome Version Information
//
// This policy controls whether to report version information, such as OS
// version, OS platform, OS architecture, Google Chrome version and Google
// Chrome channel.
//
// When this policy is left unset or set to True, version information is
// gathered.
// When this policy is set to False, version information is not gathered.
//
// This policy is only effective when the Chrome Reporting Extension is enabled,
// and the machine is enrolled with MachineLevelUserCloudPolicyEnrollmentToken.
//
// Supported on: fuchsia, linux, mac, win
message ReportVersionDataProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True or unset gathers version information (OS version, platform and
// architecture, Google Chrome version and channel); only an explicit false
// stops it. Effective only with the Chrome Reporting Extension enabled and
// the machine enrolled with MachineLevelUserCloudPolicyEnrollmentToken.
optional bool ReportVersionData = 2;
}
// Report Google Chrome Policy Information
//
// This policy controls whether to report policy data and time of policy fetch.
//
// When this policy is left unset or set to True, policy data and time of policy
// fetch are gathered.
// When this policy is set to False, policy data and time of policy fetch are
// not gathered.
//
// This policy is only effective when the Chrome Reporting Extension is enabled,
// and the machine is enrolled with MachineLevelUserCloudPolicyEnrollmentToken.
//
// Supported on: fuchsia, linux, mac, win
message ReportPolicyDataProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True or unset gathers policy data and the time of policy fetch; only an
// explicit false stops it. Effective only with the Chrome Reporting Extension
// enabled and the machine enrolled with
// MachineLevelUserCloudPolicyEnrollmentToken.
optional bool ReportPolicyData = 2;
}
// Report Machine Identification information
//
// This policy controls whether to report information that can be used to
// identify machines, such as machine name and network addresses.
//
// When this policy is left unset or set to True, information that can be used
// to identify machines is gathered.
// When this policy is set to False, information that can be used to identify
// machines is not gathered.
//
// This policy is only effective when the Chrome Reporting Extension is enabled,
// and the machine is enrolled with MachineLevelUserCloudPolicyEnrollmentToken.
//
// Supported on: fuchsia, linux, mac, win
message ReportMachineIDDataProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True or unset gathers information that can identify machines, such as
// machine name and network addresses; only an explicit false stops it.
// Effective only with the Chrome Reporting Extension enabled and the machine
// enrolled with MachineLevelUserCloudPolicyEnrollmentToken.
optional bool ReportMachineIDData = 2;
}
// Report User Identification information
//
// This policy controls whether to report information that can be used to
// identify users, such as OS login, Google Chrome Profile login, Google Chrome
// Profile name, Google Chrome Profile path and Google Chrome executable path.
//
// When this policy is left unset or set to True, information that can be used
// to identify users is gathered.
// When this policy is set to False, information that can be used to identify
// users is not gathered.
//
// This policy is only effective when the Chrome Reporting Extension is enabled,
// and the machine is enrolled with MachineLevelUserCloudPolicyEnrollmentToken.
//
// Supported on: fuchsia, linux, mac, win
message ReportUserIDDataProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True or unset gathers information that can identify users (OS login,
// Google Chrome Profile login, name and path, and the Google Chrome
// executable path); only an explicit false stops it. Effective only with the
// Chrome Reporting Extension enabled and the machine enrolled with
// MachineLevelUserCloudPolicyEnrollmentToken.
optional bool ReportUserIDData = 2;
}
// Report Extensions and Plugins information
//
// This policy controls whether to report extensions and plugins information.
//
// When this policy is left unset or set to True, extension and plugins data are
// gathered.
// When this policy is set to False, extensions and plugins data are not
// gathered.
//
// This policy is only effective when the Chrome Reporting Extension is enabled,
// and the machine is enrolled with MachineLevelUserCloudPolicyEnrollmentToken.
//
// Supported on: fuchsia, linux, mac, win
message ReportExtensionsAndPluginsDataProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True or unset gathers extensions and plugins data; only an explicit false
// stops it. Effective only with the Chrome Reporting Extension enabled and
// the machine enrolled with MachineLevelUserCloudPolicyEnrollmentToken.
optional bool ReportExtensionsAndPluginsData = 2;
}
// Report Safe Browsing information
//
// This policy controls whether to report Safe Browsing information including
// the number of Safe Browsing warnings and the number of Safe Browsing warning
// click-throughs.
//
// When this policy is left unset or set to True, Safe Browsing data are
// gathered.
// When this policy is set to False, Safe Browsing data are not gathered.
//
// This policy is only effective when the Chrome Reporting Extension is enabled,
// and the machine is enrolled with MachineLevelUserCloudPolicyEnrollmentToken.
//
// Supported on: fuchsia, linux, mac, win
message ReportSafeBrowsingDataProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True or unset gathers Safe Browsing data (warning and click-through
// counts, per the description); only an explicit false stops it. Effective
// only with the Chrome Reporting Extension enabled and the machine enrolled
// with MachineLevelUserCloudPolicyEnrollmentToken.
optional bool ReportSafeBrowsingData = 2;
}
// Enables Google Chrome cloud reporting
//
// This policy controls Google Chrome cloud reporting which uploads information
// about the browser operation to Google Admin console.
//
// When this policy is left unset or set to False, there is no data collected or
// uploaded.
// When this policy is set to True, the data is collected and uploaded to Google
// Admin console.
// To control what data is uploaded, please use policies in the group Chrome
// Reporting Extension.
//
// This policy is only effective when the machine is enrolled with
// MachineLevelUserCloudPolicyEnrollmentToken.
//
// This policy force installs Chrome Reporting Extension for the reporting and
// overrides any extension policies related to that extension.
//
// Supported on: fuchsia, linux, mac, win
message CloudReportingEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True collects data about browser operation and uploads it to Google Admin
// console; false or unset collects and uploads nothing. Setting it also
// force-installs the Chrome Reporting Extension and overrides extension
// policies related to that extension. Effective only when the machine is
// enrolled with MachineLevelUserCloudPolicyEnrollmentToken.
optional bool CloudReportingEnabled = 2;
}
// Enables managed extensions to use the Enterprise Hardware Platform API
//
// When this policy is set to enabled, extensions installed by enterprise policy
// are allowed to use the Enterprise Hardware Platform API.
// When this policy is set to disabled or not set, no extensions are allowed to
// use the Enterprise Hardware Platform API.
// This policy also applies to component extensions such as the Hangout Services
// extension.
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message EnterpriseHardwarePlatformAPIEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True lets extensions installed by enterprise policy use the Enterprise
// Hardware Platform API; false or unset lets no extension use it. The
// description states the policy also applies to component extensions such as
// the Hangout Services extension.
optional bool EnterpriseHardwarePlatformAPIEnabled = 2;
}
// Allow the user to manage VPN connections
//
// Allow the user to manage VPN connections.
//
// If this policy is set to false, all Google Chrome OS user interfaces that
// would allow the user to disconnect or modify VPN connections are disabled.
//
// If this policy is unset or set to true, users can disconnect or modify VPN
// connections as usual.
//
// If the VPN connection is created via a VPN app, the UI inside the app remains
// unaffected by this policy. Therefore, the user might still be able to use the
// app to modify the VPN connection.
//
// This policy is meant to be used together with the "Always on VPN" feature,
// that lets the admin decide to establish a VPN connection on boot.
//
// Supported on: chrome_os
message VpnConfigAllowedProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// False disables every Google Chrome OS user interface for disconnecting or
// modifying VPN connections; true or unset leaves them available. The UI
// inside a VPN app is not affected, so for app-created connections this
// policy alone does not guarantee the connection stays unmodified.
optional bool VpnConfigAllowed = 2;
}
// Controls enabling NTLM as an authentication protocol for SMB mounts
//
// This policy controls whether the Network File Shares feature for Google
// Chrome OS will use NTLM for authentication.
//
// When this policy is set to True, NTLM will be used for authentication to SMB
// shares if necessary.
// When this policy is set to False, NTLM authentication to SMB shares will be
// disabled.
//
// If the policy is left not set, the default is disabled for enterprise-managed
// users and enabled for non-managed users.
//
// Supported on: chrome_os
message NTLMShareAuthenticationEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True allows NTLM to be used for authentication to SMB shares if necessary;
// false disables NTLM authentication to SMB shares. Unset is not equivalent
// to false: the default is disabled for enterprise-managed users and enabled
// for non-managed users, so set the value explicitly when NTLM must stay off.
optional bool NTLMShareAuthenticationEnabled = 2;
}
// List of preconfigured network file shares.
//
// Specifies a list of preconfigured network file shares.
//
// Each list item of the policy is an object with two members: "share_url" and
// "mode". "share_url" should be the URL of the share and "mode" should be
// either "drop_down" or "pre_mount". "drop_down" mode indicates that
// "share_url" will be added to the share discovery drop down. "pre_mount" mode
// indicates that "share_url" will be mounted.
//
// Value schema:
// {
// "items": {
// "properties": {
// "mode": {
// "enum": [
// "drop_down",
// "pre_mount"
// ],
// "type": "string"
// },
// "share_url": {
// "type": "string"
// }
// },
// "required": [
// "share_url",
// "mode"
// ],
// "type": "object"
// },
// "type": "array"
// }
//
// Supported on: chrome_os
message NetworkFileSharesPreconfiguredSharesProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// JSON text following the value schema in the description: an array of
// objects with required "share_url" and "mode". "pre_mount" entries are
// mounted; "drop_down" entries are only added to the share discovery drop
// down. The field is a plain string, so the proto type does not enforce the
// schema.
// NOTE(review): confirm the consumer validates the JSON and the share URLs.
optional string NetworkFileSharesPreconfiguredShares = 2;
}
// Screen brightness percent
//
// Specifies screen brightness percent.
// When this policy is set initial screen brightness is adjusted to the policy
// value, but the user can change it later on. Auto-brightness features are
// disabled.
// When this policy is unset user screen controls and auto-brightness features
// are not affected.
// The policy values should be specified in percents in range 0-100.
//
// Value schema:
// {
// "properties": {
// "BrightnessAC": {
// "description": "Screen brightness percent when running on AC
// power",
// "maximum": 100,
// "minimum": 0,
// "type": "integer"
// },
// "BrightnessBattery": {
// "description": "Screen brightness percent when running on battery
// power",
// "maximum": 100,
// "minimum": 0,
// "type": "integer"
// }
// },
// "type": "object"
// }
//
// Supported on: chrome_os
message ScreenBrightnessPercentProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// JSON text following the value schema in the description: an object with
// integer members "BrightnessAC" and "BrightnessBattery", each a percentage
// in the range 0-100. The range is stated only in the schema; the field
// itself is a plain string.
optional string ScreenBrightnessPercent = 2;
}
// Alternative browser to launch for configured websites.
//
// This policy controls which command to use to open URLs in an alternative
// browser.
//
// When this policy is left unset, a platform-specific default is used: Internet
// Explorer for Windows, or Safari for Mac OS X. On Linux, launching an
// alternative browser will fail when this is unset.
//
// When this policy is set to one of ${ie}, ${firefox}, ${safari} or
// ${opera}, that browser will launch if it is installed. ${ie} is only
// available on Windows, and ${safari} is only available on Windows and Mac
// OS X.
//
// When this policy is set to a file path, that file is used as an executable
// file.
//
// Supported on: fuchsia, linux, mac, win
message AlternativeBrowserPathProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Either one of the placeholders ${ie}, ${firefox}, ${safari} or ${opera},
// or a file path that is used as an executable file. Unset falls back to the
// platform default (Internet Explorer on Windows, Safari on Mac OS X);
// on Linux launching fails when unset. The value names the program that is
// launched for matching URLs, so it should be accepted only from a trusted
// policy source and point at a location users cannot write to.
optional string AlternativeBrowserPath = 2;
}
// Command-line parameters for the alternative browser.
//
// This policy controls the command-line parameters used to launch the
// alternative browser.
//
// When this policy is left unset, only the URL is passed as a command-line
// parameter.
//
// When this policy is set to a list of strings, each string is passed to the
// alternative browser as a separate command-line parameter. On Windows, the
// parameters are joined with spaces. On Mac OS X and Linux, a parameter may
// contain spaces, and still be treated as a single parameter.
//
// If an element contains ${url}, it gets replaced with the URL of the page to
// open.
//
// If no element contains ${url}, the URL is appended at the end of the command
// line.
//
// Environment variables are expanded. On Windows, %ABC% is replaced with the
// value of the ABC environment variable. On Mac OS X and Linux, ${ABC} is
// replaced with the value of the ABC environment variable.
//
// Supported on: fuchsia, linux, mac, win
message AlternativeBrowserParametersProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// One command-line parameter per element. ${url} is replaced with the URL of
// the page to open (the URL is appended at the end when no element contains
// it) and environment variables are expanded. On Windows the elements are
// joined with spaces, so an element containing spaces is not kept as a
// single parameter there as it is on Mac OS X and Linux.
// NOTE(review): the description does not say how the substituted URL is
// quoted or escaped; confirm this in the code that builds the command line.
optional StringList AlternativeBrowserParameters = 2;
}
// Path to Chrome for switching from the alternative browser.
//
// This policy controls the command to use to open URLs in Google Chrome when
// switching from Internet Explorer.
//
// If the 'Legacy Browser Support' add-in for Internet Explorer is not
// installed, this policy has no effect.
//
// When this policy is left unset, Internet Explorer will auto-detect Google
// Chrome's own executable path when launching Google Chrome from Internet
// Explorer.
//
// When this policy is set, it will be used to launch Google Chrome when
// launching Google Chrome from Internet Explorer.
//
// This policy can be set to an executable file path, or ${chrome} to auto-
// detect Chrome's install location.
//
// Supported on: win
message BrowserSwitcherChromePathProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// An executable file path, or ${chrome} to auto-detect Chrome's install
// location; used to launch Google Chrome from Internet Explorer. Unset lets
// Internet Explorer auto-detect the path. Has no effect unless the 'Legacy
// Browser Support' add-in for Internet Explorer is installed. The value names
// the program that is launched, so it should be accepted only from a trusted
// policy source.
optional string BrowserSwitcherChromePath = 2;
}
// Command-line parameters for switching from the alternative browser.
//
// This policy controls command-line parameters for Chrome from Internet
// Explorer.
//
// If the 'Legacy Browser Support' add-in for Internet Explorer is not
// installed, this policy has no effect.
//
// When this policy is left unset, Internet Explorer only passes the URL to
// Chrome as a command-line parameter.
//
// When this policy is set to a list of strings, the strings are joined with
// spaces and passed to Chrome as command-line parameters.
//
// If an element contains ${url}, it gets replaced with the URL of the page to
// open.
//
// If no element contains ${url}, the URL is appended at the end of the command
// line.
//
// Environment variables are expanded. On Windows, %ABC% is replaced with the
// value of the ABC environment variable.
//
// Supported on: win
message BrowserSwitcherChromeParametersProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Strings that are joined with spaces and passed to Chrome as command-line
// parameters when switching from Internet Explorer. ${url} is replaced with
// the URL of the page to open (appended at the end when no element contains
// it) and %ABC% environment variables are expanded. Unset passes only the
// URL. Has no effect unless the 'Legacy Browser Support' add-in is installed.
// NOTE(review): the description does not say how the substituted URL is
// quoted or escaped; confirm this in the code that builds the command line.
optional StringList BrowserSwitcherChromeParameters = 2;
}
// Websites to open in alternative browser
//
// This policy controls the list of websites to open in an alternative browser.
//
// Note that elements can also be added to this list through the
// BrowserSwitcherUseIeSitelist and BrowserSwitcherExternalSitelistUrl policies.
//
// When this policy is left unset, no websites are added to the list.
//
// When this policy is set, each item is treated as a rule for something to open
// in an alternative browser. Google Chrome uses those rules when choosing if a
// URL should open in an alternative browser.
//
// When the Internet Explorer add-in is present and enabled, Internet Explorer
// switches back to Google Chrome when the rules do not match.
//
// If rules contradict each other, Google Chrome uses the most specific rule.
//
// Supported on: fuchsia, linux, mac, win
message BrowserSwitcherUrlListProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Rules selecting the websites that open in the alternative browser; when
// rules contradict, the most specific one is used. Unset adds no rules, but
// BrowserSwitcherUseIeSitelist and BrowserSwitcherExternalSitelistUrl can
// still add entries to the same list.
// NOTE(review): the rule syntax is not described here; see the consumer.
optional StringList BrowserSwitcherUrlList = 2;
}
// Websites that should never trigger a browser switch.
//
// This policy controls the list of websites that will never cause a browser
// switch.
//
// Note that elements can also be added to this list through the
// BrowserSwitcherExternalGreylistUrl policy.
//
// When this policy is left unset, no websites are added to the list.
//
// When this policy is set, each item is treated as a rule, similar to the
// BrowserSwitcherUrlList policy. However, the logic is reversed: rules that
// match will not open an alternative browser.
//
// Unlike BrowserSwitcherUrlList, rules apply to both directions. That is, when
// the Internet Explorer add-in is present and enabled, it also controls whether
// Internet Explorer should open these URLs in Google Chrome.
//
// Supported on: fuchsia, linux, mac, win
message BrowserSwitcherUrlGreylistProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Rules, in the same form as BrowserSwitcherUrlList, for websites that never
// trigger a browser switch. They apply in both directions: with the Internet
// Explorer add-in present and enabled they also control whether Internet
// Explorer opens these URLs in Google Chrome. Unset adds no rules, but
// BrowserSwitcherExternalGreylistUrl can still add entries to the same list.
optional StringList BrowserSwitcherUrlGreylist = 2;
}
// Use Internet Explorer's SiteList policy for Legacy Browser Support.
//
// This policy controls whether to load rules from Internet Explorer's SiteList
// policy.
//
// When this policy is left unset, or set to false, Google Chrome does not use
// Internet Explorer's SiteList policy as a source of rules for switching
// browsers.
//
// When this policy is set to true, Google Chrome reads Internet Explorer's
// SiteList to obtain the site list's URL. Google Chrome then downloads the site
// list from that URL, and applies the rules as if they had been configured with
// the BrowserSwitcherUrlList policy.
//
// For more information on Internet Explorer's SiteList policy:
// https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-
// enterprise-mode
//
// Supported on: win
message BrowserSwitcherUseIeSitelistProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True makes Google Chrome read Internet Explorer's SiteList policy to obtain
// the site list's URL, download the list from that URL and apply its rules as
// if they had been configured with BrowserSwitcherUrlList. False or unset
// does not use the SiteList policy as a source of rules.
optional bool BrowserSwitcherUseIeSitelist = 2;
}
// URL of an XML file that contains URLs to load in an alternative browser.
//
// This policy is a URL, that points to an XML file in the same format as
// Internet Explorer's SiteList policy. This loads rules from an XML file,
// without sharing those rules with Internet Explorer.
//
// When this policy is left unset, or not set to a valid URL, Google Chrome does
// not use it as a source of rules for switching browsers.
//
// When this policy is set to a valid URL, Google Chrome downloads the site list
// from that URL, and applies the rules as if they had been configured with the
// BrowserSwitcherUrlList policy.
//
// For more information on Internet Explorer's SiteList policy:
// https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-
// enterprise-mode
//
// Supported on: fuchsia, linux, mac, win
message BrowserSwitcherExternalSitelistUrlProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// URL of an XML file in the format of Internet Explorer's SiteList policy.
// Google Chrome downloads it and applies the rules as if they had been
// configured with BrowserSwitcherUrlList. Unset or an invalid URL means the
// policy is not used as a source of rules.
// NOTE(review): the description does not restrict the URL scheme. The
// downloaded rules decide which sites are handed to another browser, so
// confirm the fetch is integrity-protected (for example an https URL).
optional string BrowserSwitcherExternalSitelistUrl = 2;
}
// URL of an XML file that contains URLs that should never trigger a browser
// switch.
//
// This policy is a URL, that points to an XML file in the same format as
// Internet Explorer's SiteList policy. This loads rules from an XML file,
// without sharing those rules with Internet Explorer.
//
// The rules in this XML file apply in the same way as
// BrowserSwitcherUrlGreylist. That is, these rules prevent Google Chrome from
// opening the alternative browser, and also prevent the alternative browser
// from opening Google Chrome.
//
// When this policy is left unset, or not set to a valid URL, Google Chrome does
// not use it as a source of rules that don't trigger a browser switch.
//
// When this policy is set to a valid URL, Google Chrome downloads the site list
// from that URL, and applies the rules as if they had been configured with the
// BrowserSwitcherUrlGreylist policy.
//
// For more information on Internet Explorer's SiteList policy:
// https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-
// enterprise-mode
//
// Supported on: fuchsia, linux, mac, win
message BrowserSwitcherExternalGreylistUrlProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// URL of an XML file in the format of Internet Explorer's SiteList policy.
// Google Chrome downloads it and applies the rules as if they had been
// configured with BrowserSwitcherUrlGreylist, i.e. matching sites never
// trigger a browser switch in either direction. Unset or an invalid URL means
// the policy is not used as a source of rules.
// NOTE(review): the description does not restrict the URL scheme; confirm
// the fetch is integrity-protected (for example an https URL).
optional string BrowserSwitcherExternalGreylistUrl = 2;
}
// Delay before launching alternative browser (milliseconds)
//
// This policy controls how long to wait before launching an alternative
// browser, in milliseconds.
//
// When this policy is left unset, or set to 0, navigating to a designated URL
// immediately opens it in an alternative browser.
//
// When this policy is set to a number, Chrome shows a message for that many
// milliseconds, and then opens the alternative browser.
//
// Supported on: fuchsia, linux, mac, win
message BrowserSwitcherDelayProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// Delay in milliseconds during which Chrome shows a message before opening
// the alternative browser. Unset or 0 opens it immediately. int64 also admits
// negative values, which the description does not define.
optional int64 BrowserSwitcherDelay = 2;
}
// Enable the Legacy Browser Support feature.
//
// This policy controls whether to enable Legacy Browser Support.
//
// When this policy is left unset, or is set to false, Chrome will not attempt
// to launch designated URLs in an alternate browser.
//
// When this policy is set to true, Chrome will attempt to launch some URLs in
// an alternate browser (such as Internet Explorer). This feature is configured
// using the policies in the Legacy Browser support group.
//
// This feature is a replacement for the 'Legacy Browser Support' extension.
// Configuration from the extension will carry over to this feature, but it is
// strongly advised to use the Chrome policies instead. This ensures better
// compatibility in the future.
//
// Supported on: fuchsia, linux, mac, win
message BrowserSwitcherEnabledProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True makes Chrome attempt to launch designated URLs in an alternate
// browser, as configured by the Legacy Browser support policy group. False or
// unset means Chrome does not attempt this.
optional bool BrowserSwitcherEnabled = 2;
}
// Keep last tab open in Chrome.
//
// This policy controls whether to close Chrome completely when the last tab
// would switch to another browser.
//
// When this policy is left unset, or is set to true, Chrome will keep at least
// one tab open, after switching to an alternate browser.
//
// When this policy is set to false, Chrome will close the tab after switching
// to an alternate browser, even if it was the last tab. This will cause Chrome
// to exit completely.
//
// Supported on: fuchsia, linux, mac, win
message BrowserSwitcherKeepLastChromeTabProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// True or unset keeps at least one Chrome tab open after switching to an
// alternate browser. False closes the tab even if it was the last one, which
// causes Chrome to exit completely.
optional bool BrowserSwitcherKeepLastChromeTab = 2;
}
// PluginVm image
//
// This policy specifies the PluginVm image for a user. The policy is set by
// specifying the URL from which the device can download the image and a SHA-256
// hash used to verify the integrity of the download.
//
// The policy should be specified as a string that expresses the URL and hash in
// the JSON format.
//
// Value schema:
// {
// "properties": {
// "hash": {
// "description": "The SHA-256 hash of the <ph
// name=\"PLUGIN_VM_NAME\">PluginVm</ph> image.",
// "type": "string"
// },
// "url": {
// "description": "The URL from which the <ph
// name=\"PLUGIN_VM_NAME\">PluginVm</ph> image can be downloaded.",
// "type": "string"
// }
// },
// "type": "object"
// }
//
// Supported on: chrome_os
message PluginVmImageProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// JSON text with two string members: "url", from which the device downloads
// the PluginVm image, and "hash", the SHA-256 hash used to verify the
// integrity of the download. The field is a plain string and the schema in
// the description lists no required members, so neither guarantees that a
// hash is present.
// NOTE(review): confirm the consumer rejects a value without a hash and
// refuses an image whose SHA-256 does not match.
optional string PluginVmImage = 2;
}
// Parent Access Code Configuration
//
// This policy specifies configuration that is used to generate and verify
// Parent Access Code.
//
// |current_config| is always used for generating access code and should be used
// for validating access code only when it cannot be validated with
// |future_config|.
// |future_config| is the primary config used for validating access code.
// |old_configs| should be used for validating access code only when it cannot
// be validated with |future_config| nor |current_config|.
//
// The expected way of using this policy is to gradually rotate access code
// configuration. New configuration is always put into |future_config| and at
// the same time the existing value is moved into |current_config|.
// |current_config|'s previous values are moved into |old_configs| and removed
// after the rotation cycle is finished.
//
// This policy applies only to child users.
// When this policy is set, Parent Access Code can be verified on the child
// user's device.
// When this policy is unset, it is not possible to verify Parent Access Code
// on the child user's device.
//
// Value schema:
// {
// "properties": {
// "current_config": {
// "description": "Configuration used to generate and verify Parent
// Access Code.",
// "id": "Config",
// "properties": {
// "access_code_ttl": {
// "description": "Time that access code is valid for (in
// seconds).",
// "maximum": 3600,
// "minimum": 60,
// "type": "integer"
// },
// "clock_drift_tolerance": {
// "description": "The allowed difference between the clock
// on child and parent devices (in seconds).",
// "maximum": 1800,
// "minimum": 0,
// "type": "integer"
// },
// "shared_secret": {
// "description": "Secret shared between child and parent
// devices.",
// "type": "string"
// }
// },
// "type": "object"
// },
// "future_config": {
// "$ref": "Config"
// },
// "old_configs": {
// "items": {
// "$ref": "Config"
// },
// "type": "array"
// }
// },
// "sensitiveValue": true,
// "type": "object"
// }
//
// Supported on: chrome_os
message ParentAccessCodeConfigProto {
// Options attached to this policy value. PolicyOptions is declared in the
// imported cloud_policy_full_runtime.proto.
optional PolicyOptions policy_options = 1;
// JSON text following the value schema in the description: "current_config",
// "future_config" and "old_configs", each a Config with "shared_secret",
// "access_code_ttl" (60-3600 seconds) and "clock_drift_tolerance" (0-1800
// seconds). The string carries the secrets shared between child and parent
// devices and the schema marks the policy "sensitiveValue": true, so the raw
// value should not be logged or displayed. The numeric bounds exist only in
// the schema; the proto type is a plain string.
optional string ParentAccessCodeConfig = 2;
}
// Allow users to manage installed client certificates.
//
// This policy controls whether users are able to import and remove client
// certificates via Certificate Manager.
//
// If this policy is set to ''Allow users to manage all certificates'' or left
// not set, users will be able to manage certificates.
//
// If this policy is set to ''Allow users to manage user certificates'', users
// will be able to manage user certificates, but not device-wide certificates.
//
// If this policy is set to ''Disallow users from managing certificates'',
// users will not be able to manage certificates; they can only view them.
//
// Valid values:
// 0: Allow users to manage all certificates
// 1: Allow users to manage user certificates
// 2: Disallow users from managing certificates
//
// Supported on: chrome_os
message ClientCertificateManagementAllowedProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // Selected management level. The policy text lists three values:
  //   0 = manage all certificates (also the behaviour when unset),
  //   1 = manage user certificates only, not device-wide ones,
  //   2 = no management, certificates can only be viewed.
  // The field is a plain int64, so nothing in this message restricts it to
  // 0..2; how other values are treated is not visible in this file.
  optional int64 ClientCertificateManagementAllowed = 2;
}
// Force networking code to run in the browser process
//
// This policy forces networking code to run in the browser process.
//
// This policy is disabled by default. If enabled, it leaves users open to
// security issues once the networking process is sandboxed, because networking
// code forced into the browser process does not run in that sandbox.
//
// This policy is intended to give enterprises a chance to migrate to 3rd party
// software that does not depend on hooking the networking APIs. Proxy servers
// are recommended over LSPs and Win32 API patching.
//
// If this policy is not set, networking code may run out of the browser process
// depending on field trials of the NetworkService experiment.
//
// Supported on: win
message ForceNetworkInProcessProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // true forces networking code to run in the browser process. Unset leaves
  // the choice to the NetworkService field trials, per the policy text.
  // The policy text warns that enabling this exposes users to security issues
  // once the networking process is sandboxed, and describes it as a migration
  // aid; a deployment that sets it to true is worth tracking for removal.
  optional bool ForceNetworkInProcess = 2;
}
// Allow Google Assistant to access screen context
//
// This policy gives Google Assistant permission to access screen context and
// send the info to server.
// If the policy is enabled, Google Assistant will be allowed to access screen
// context.
// If the policy is disabled, Google Assistant will not be allowed to access
// screen context.
// If not set, users can decide whether to allow Google Assistant to access
// screen context or not.
//
// Supported on: chrome_os
message VoiceInteractionContextEnabledProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // true: Google Assistant may access screen context, which the policy text
  // says is sent to the server. false: access is not allowed. Unset: the user
  // decides.
  // Screen context can include whatever is displayed at the time, so this is
  // a data-exposure decision as well as a feature toggle.
  optional bool VoiceInteractionContextEnabled = 2;
}
// Allow Google Assistant to listen for the voice activation phrase
//
// This policy gives Google Assistant permission to listen for the voice
// activation phrase.
//
// If the policy is enabled, Google Assistant would listen for the voice
// activation phrase.
// If the policy is disabled, Google Assistant would not listen for the voice
// activation phrase.
// If the policy is not set, users can decide whether to allow Google Assistant
// to listen for the voice activation phrase.
//
// Supported on: chrome_os
message VoiceInteractionHotwordEnabledProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // true: Google Assistant listens for the voice activation phrase.
  // false: it does not listen. Unset: the user decides.
  optional bool VoiceInteractionHotwordEnabled = 2;
}
// Allows a page to show popups during its unloading
//
// This policy allows an admin to specify that a page may show popups during its
// unloading.
//
// When the policy is set to enabled, pages are allowed to show popups while
// they are being unloaded.
//
// When the policy is set to disabled or not set, pages are not allowed to show
// popups while they are being unloaded, as per the spec
// (https://html.spec.whatwg.org/#apis-for-creating-and-navigating-browsing-contexts-by-name).
//
// This policy will be removed in Chrome 82.
//
// See https://www.chromestatus.com/feature/5989473649164288 .
//
// Supported on: android, chrome_os, fuchsia, linux, mac, win
message AllowPopupsDuringPageUnloadProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // true: pages may show popups while they are being unloaded.
  // false or unset: popups during unload are not allowed, matching the spec
  // behaviour referenced in the policy text.
  // The policy text states the policy will be removed in Chrome 82, so true
  // is a temporary compatibility exception rather than a stable setting.
  optional bool AllowPopupsDuringPageUnload = 2;
}
// Enable Signed HTTP Exchange (SXG) support
//
// Enable support for Signed HTTP Exchange (SXG).
//
// If this policy is unset or set to Enabled, Google Chrome will accept web
// contents served as Signed HTTP Exchanges.
//
// If this policy is set to Disabled, Signed HTTP Exchanges cannot be loaded.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message SignedHTTPExchangeEnabledProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // true or unset: web contents served as Signed HTTP Exchanges are accepted.
  // false: Signed HTTP Exchanges cannot be loaded.
  optional bool SignedHTTPExchangeEnabled = 2;
}
// Enables a page for in-session change of password for SAML users
//
// Enables a page at chrome://password-change that lets SAML users change their
// SAML passwords while in-session, which ensures that the SAML password and the
// device lockscreen password are kept in-sync.
//
// This policy also enables notifications that warn SAML users if their SAML
// passwords are soon to expire so that they can deal with this immediately by
// doing an in-session password change.
// But, these notifications will only be shown if password expiry information is
// sent to the device by the SAML identity provider during the SAML login flow.
//
// If this policy is set, the user cannot change or override it.
//
// Supported on: chrome_os
message SamlInSessionPasswordChangeEnabledProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // Enables the chrome://password-change page for SAML users and the
  // password-expiry notifications described in the policy text.
  // Those notifications depend on expiry information sent by the SAML
  // identity provider during login; without it, only the page is available.
  optional bool SamlInSessionPasswordChangeEnabled = 2;
}
// Allow user feedback
//
// Allow user feedback.
// If the policy is set to false, users cannot send feedback to Google.
//
// If the policy is unset or set to true, users can send feedback to Google via
// Menu->Help->Report an Issue or key combination.
//
// Supported on: chrome_os, fuchsia, linux, mac, win
message UserFeedbackAllowedProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // true or unset: users can send feedback to Google (menu entry or key
  // combination, per the policy text). false: feedback cannot be sent.
  optional bool UserFeedbackAllowed = 2;
}
// How many days in advance to notify SAML users when their password is due to
// expire
//
// This policy has no effect unless SamlInSessionPasswordChangeEnabled is true.
// If that policy is true, and this policy is set to (for example) 14, that
// means SAML users will be notified 14 days in advance that their password is
// due to expire on a certain date.
// Then they can deal with this immediately by doing an in-session password
// change and updating their password before it expires.
// But, these notifications will only be shown if password expiry information is
// sent to the device by the SAML identity provider during the SAML login flow.
// Setting this policy to zero means the users will not be notified in advance -
// they will only be notified once the password has already expired.
//
// If this policy is set, the user cannot change or override it.
//
// Supported on: chrome_os
message SamlPasswordExpirationAdvanceWarningDaysProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // Number of days before expiry at which SAML users are warned. Has no
  // effect unless SamlInSessionPasswordChangeEnabled is true.
  // 0 means no advance warning: users are notified only once the password has
  // already expired. The field is an int64 and the policy text does not say
  // how negative values are handled; readers should validate the range.
  optional int64 SamlPasswordExpirationAdvanceWarningDays = 2;
}
// Enable Kerberos functionality
//
// Controls whether the Kerberos functionality is enabled. Kerberos is an
// authentication protocol that can be used to authenticate to web apps and file
// shares.
//
// If this policy is enabled, Kerberos functionality is enabled. Kerberos
// accounts can be added either through the 'Configure Kerberos accounts' policy
// or through the Kerberos Accounts settings in the People settings page.
//
// If this policy is disabled or not set, the Kerberos Accounts settings are
// disabled. No Kerberos accounts can be added and Kerberos authentication
// cannot be used. All existing Kerberos accounts are deleted, all stored
// passwords are deleted.
//
// Supported on: chrome_os
message KerberosEnabledProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // true: Kerberos functionality is enabled and accounts can be added through
  // policy or through settings.
  // false or unset: Kerberos authentication cannot be used, and per the policy
  // text all existing Kerberos accounts and stored passwords are deleted, so
  // flipping this off is destructive for stored credentials.
  optional bool KerberosEnabled = 2;
}
// Enable 'Remember password' feature
//
// Controls whether the 'Remember password' feature is enabled in the Kerberos
// authentication dialog. Passwords are stored encrypted on disk and are only
// accessible to the Kerberos system daemon and during a user session.
//
// If this policy is enabled or not set, users can decide whether Kerberos
// passwords are remembered, so that they do not have to be entered again.
// Kerberos tickets are automatically fetched unless additional authentication
// is required (two-factor authentication).
//
// If this policy is disabled, passwords are never remembered and all previously
// stored passwords are removed. Users have to enter their password every time
// they need to authenticate with the Kerberos system. Depending on server
// settings, this usually happens anywhere from once every 8 hours to once
// every several months.
//
// Supported on: chrome_os
message KerberosRememberPasswordEnabledProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // true or unset: users may choose to have Kerberos passwords remembered;
  // the policy text says they are stored encrypted on disk.
  // false: passwords are never remembered and previously stored ones are
  // removed, which keeps reusable credentials off the device at the cost of
  // re-entering the password at each authentication.
  optional bool KerberosRememberPasswordEnabled = 2;
}
// Users can add Kerberos accounts
//
// Controls whether users may add Kerberos accounts.
//
// If this policy is enabled or not set, users may add Kerberos accounts via the
// Kerberos Accounts settings in the People settings page. Users have full
// control over accounts they added and may modify or remove them.
//
// If this policy is disabled, users may not add Kerberos accounts. Accounts can
// only be added via the 'Configure Kerberos accounts' policy. This is an
// effective way to lock down accounts.
//
// Supported on: chrome_os
message KerberosAddAccountsAllowedProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // true or unset: users may add Kerberos accounts in settings and fully
  // control the accounts they added.
  // false: accounts can only come from the 'Configure Kerberos accounts'
  // policy, which the policy text describes as the way to lock accounts down.
  optional bool KerberosAddAccountsAllowed = 2;
}
// Configure Kerberos accounts
//
// Adds prefilled Kerberos accounts. If the Kerberos credentials match the login
// credentials, an account can be configured to reuse the login credentials by
// specifying '${{LOGIN_EMAIL}}' and '${{PASSWORD}}' for principal and password,
// respectively, so that the Kerberos ticket can be retrieved automatically
// unless two-factor authentication is configured. Users cannot modify accounts
// added via this policy.
//
// If this policy is enabled, the list of accounts defined by the policy is
// added to the Kerberos Accounts settings.
//
// If this policy is disabled or not set, no accounts are added to the Kerberos
// Accounts settings and all accounts previously added with this policy are
// removed. Users may still add accounts manually if the 'Users can add Kerberos
// accounts' policy is enabled.
//
// Value schema:
// {
// "items": {
// "properties": {
// "krb5conf": {
// "description": "Kerberos configuration (one line per array
// item), see
// https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html.",
// "items": {
// "type": "string"
// },
// "type": "array"
// },
// "password": {
// "description": "Kerberos password. The placeholder
// ${{PASSWORD}} is replaced by the login password.",
// "sensitiveValue": true,
// "type": "string"
// },
// "principal": {
// "description": "User principal 'user@realm'. The placeholder
// ${{LOGIN_ID}} is replaced by the username 'user'. The placeholder
// ${{LOGIN_EMAIL}} is replaced by the full principal 'user@realm'.",
// "pattern":
// "^(?:[^@]+@[^@]+)|(?:\\${LOGIN_ID})|(?:\\${LOGIN_EMAIL})$",
// "type": "string"
// },
// "remember_password": {
// "description": "Whether to remember the Kerberos password. If
// not set or set to false, the password is not remembered. Ignored if the
// password is not specified.",
// "type": "boolean"
// }
// },
// "required": [
// "principal"
// ],
// "type": "object"
// },
// "type": "array"
// }
//
// Supported on: chrome_os
message KerberosAccountsProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // Policy value carried as a string; presumably the serialized JSON array
  // described by the value schema above (encoding is not shown here, confirm
  // against the generator).
  // Each item may hold a "password", which the schema marks as sensitive and
  // which can be a literal Kerberos password; consumers should keep this
  // string out of logs and policy dumps.
  // NOTE(review): in the schema's "principal" pattern the leading ^ and the
  // trailing $ each bind to one alternative only, so the pattern does not
  // constrain the whole string. Readers should validate principals
  // explicitly instead of relying on the pattern.
  optional string KerberosAccounts = 2;
}
// Enable security warnings for command-line flags
//
// If disabled, prevents security warnings from appearing when Chrome is
// launched with some potentially dangerous command-line flags.
//
// If enabled or unset, security warnings are displayed when some command-line
// flags are used to launch Chrome.
//
// On Windows, this policy is only available on instances that are joined to a
// Microsoft® Active Directory® domain or Windows 10 Pro or Enterprise
// instances that are enrolled for device management.
//
// Supported on: fuchsia, linux, mac, win
message CommandLineFlagSecurityWarningsEnabledProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // true or unset: security warnings are shown when Chrome is launched with
  // some potentially dangerous command-line flags.
  // false: those warnings are suppressed, so a user gets no on-screen signal
  // that the browser was started with such a flag; a deployment that sets
  // false needs another way to notice unexpected launch flags.
  optional bool CommandLineFlagSecurityWarningsEnabled = 2;
}
// Suppress launching of browser window
//
// This policy controls whether the browser window should be launched at the
// start of the session.
//
// If this policy is enabled, the browser window will not be launched.
//
// If this policy is disabled or not set, the browser window is allowed to
// launch. Note that the browser window might not launch due to other policies
// or command-line flags.
//
// Supported on: chrome_os
message StartupBrowserWindowLaunchSuppressedProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // true: the browser window is not launched at the start of the session.
  // false or unset: the window is allowed to launch, although other policies
  // or command-line flags may still prevent it.
  optional bool StartupBrowserWindowLaunchSuppressed = 2;
}
// External print servers
//
// Provides configurations of available print servers.
//
// This policy allows you to provide the configuration of external print
// servers to Google Chrome OS devices as a JSON file.
//
// The size of the file must not exceed 1MB and must contain an array of records
// (JSON objects). Each record must contain fields "url" and "display_name".
//
// The file is downloaded and cached. The cryptographic hash is used to verify
// the integrity of the download. The file will be re-downloaded whenever the
// URL or the hash changes.
//
// When this policy is set to a correct value, devices will try to query the
// specified print servers for available printers using the IPP protocol.
//
// If this policy is unset or set to an incorrect value, no server printers are
// visible to users.
//
// Currently, the number of print servers is limited to 16. Only the first 16
// print servers from the list will be queried.
//
// Value schema:
// {
// "properties": {
// "hash": {
// "description": "The SHA-256 hash of the file.",
// "type": "string"
// },
// "url": {
// "description": "URL to a JSON file with a list of print
// servers.",
// "type": "string"
// }
// },
// "type": "object"
// }
//
// Supported on: chrome_os
message ExternalPrintServersProto {
  // Per-policy options. PolicyOptions is declared in the imported
  // cloud_policy_full_runtime.proto, not in this file.
  optional PolicyOptions policy_options = 1;

  // Policy value carried as a string; presumably the serialized JSON object
  // described by the value schema above, with "url" (location of the print
  // server list) and "hash" (SHA-256 of that file). Encoding is not shown
  // here, confirm against the generator.
  // Per the policy text the hash is what verifies the integrity of the
  // download, the file is limited to 1MB, and only the first 16 print servers
  // are queried. The listed servers are then contacted over IPP, so the
  // referenced file decides which hosts devices will talk to.
  optional string ExternalPrintServers = 2;
}
// --------------------------------------------------
// Big wrapper PB containing the above groups.
message ChromeSettingsProto {
optional HomepageLocationProto HomepageLocation = 3;
optional HomepageIsNewTabPageProto HomepageIsNewTabPage = 4;
optional NewTabPageLocationProto NewTabPageLocation = 362;
optional DefaultBrowserSettingEnabledProto DefaultBrowserSettingEnabled = 5;
optional ApplicationLocaleValueProto ApplicationLocaleValue = 6;
optional AlternateErrorPagesEnabledProto AlternateErrorPagesEnabled = 7;
optional SearchSuggestEnabledProto SearchSuggestEnabled = 8;
optional DnsPrefetchingEnabledProto DnsPrefetchingEnabled = 9;
optional NetworkPredictionOptionsProto NetworkPredictionOptions = 275;
optional WPADQuickCheckEnabledProto WPADQuickCheckEnabled = 263;
optional DisableSpdyProto DisableSpdy = 10;
optional DisabledSchemesProto DisabledSchemes = 87;
optional Http09OnNonDefaultPortsEnabledProto Http09OnNonDefaultPortsEnabled = 347;
optional JavascriptEnabledProto JavascriptEnabled = 11;
optional IncognitoEnabledProto IncognitoEnabled = 12;
optional IncognitoModeAvailabilityProto IncognitoModeAvailability = 95;
optional SavingBrowserHistoryDisabledProto SavingBrowserHistoryDisabled = 13;
optional AllowDeletingBrowserHistoryProto AllowDeletingBrowserHistory = 189;
optional AllowDinosaurEasterEggProto AllowDinosaurEasterEgg = 311;
optional RemoteAccessClientFirewallTraversalProto RemoteAccessClientFirewallTraversal = 96;
optional RemoteAccessHostClientDomainProto RemoteAccessHostClientDomain = 318;
optional RemoteAccessHostClientDomainListProto RemoteAccessHostClientDomainList = 371;
optional RemoteAccessHostFirewallTraversalProto RemoteAccessHostFirewallTraversal = 97;
optional RemoteAccessHostDomainProto RemoteAccessHostDomain = 156;
optional RemoteAccessHostDomainListProto RemoteAccessHostDomainList = 370;
optional RemoteAccessHostRequireTwoFactorProto RemoteAccessHostRequireTwoFactor = 157;
optional RemoteAccessHostTalkGadgetPrefixProto RemoteAccessHostTalkGadgetPrefix = 158;
optional RemoteAccessHostRequireCurtainProto RemoteAccessHostRequireCurtain = 159;
optional RemoteAccessHostAllowClientPairingProto RemoteAccessHostAllowClientPairing = 236;
optional RemoteAccessHostAllowGnubbyAuthProto RemoteAccessHostAllowGnubbyAuth = 259;
optional RemoteAccessHostAllowRelayedConnectionProto RemoteAccessHostAllowRelayedConnection = 265;
optional RemoteAccessHostUdpPortRangeProto RemoteAccessHostUdpPortRange = 266;
optional RemoteAccessHostMatchUsernameProto RemoteAccessHostMatchUsername = 287;
optional RemoteAccessHostTokenUrlProto RemoteAccessHostTokenUrl = 288;
optional RemoteAccessHostTokenValidationUrlProto RemoteAccessHostTokenValidationUrl = 289;
optional RemoteAccessHostTokenValidationCertificateIssuerProto RemoteAccessHostTokenValidationCertificateIssuer = 290;
optional RemoteAccessHostDebugOverridePoliciesProto RemoteAccessHostDebugOverridePolicies = 291;
optional RemoteAccessHostAllowUiAccessForRemoteAssistanceProto RemoteAccessHostAllowUiAccessForRemoteAssistance = 346;
optional RemoteAccessHostAllowFileTransferProto RemoteAccessHostAllowFileTransfer = 536;
optional PrintingEnabledProto PrintingEnabled = 14;
optional CloudPrintProxyEnabledProto CloudPrintProxyEnabled = 15;
optional PrintingAllowedColorModesProto PrintingAllowedColorModes = 476;
optional PrintingAllowedDuplexModesProto PrintingAllowedDuplexModes = 477;
optional PrintingAllowedPinModesProto PrintingAllowedPinModes = 527;
optional PrintingAllowedPageSizesProto PrintingAllowedPageSizes = 478;
optional PrintingColorDefaultProto PrintingColorDefault = 479;
optional PrintingDuplexDefaultProto PrintingDuplexDefault = 480;
optional PrintingPinDefaultProto PrintingPinDefault = 528;
optional PrintingSizeDefaultProto PrintingSizeDefault = 481;
optional PrintingSendUsernameAndFilenameEnabledProto PrintingSendUsernameAndFilenameEnabled = 508;
optional ForceSafeSearchProto ForceSafeSearch = 164;
optional ForceGoogleSafeSearchProto ForceGoogleSafeSearch = 284;
optional ForceYouTubeSafetyModeProto ForceYouTubeSafetyMode = 285;
optional ForceYouTubeRestrictProto ForceYouTubeRestrict = 350;
optional SafeBrowsingEnabledProto SafeBrowsingEnabled = 16;
optional MetricsReportingEnabledProto MetricsReportingEnabled = 17;
optional PasswordManagerEnabledProto PasswordManagerEnabled = 18;
optional PasswordManagerAllowShowPasswordsProto PasswordManagerAllowShowPasswords = 19;
optional AutoFillEnabledProto AutoFillEnabled = 20;
optional AutofillAddressEnabledProto AutofillAddressEnabled = 461;
optional AutofillCreditCardEnabledProto AutofillCreditCardEnabled = 394;
optional DisabledPluginsProto DisabledPlugins = 21;
optional EnabledPluginsProto EnabledPlugins = 80;
optional DisabledPluginsExceptionsProto DisabledPluginsExceptions = 81;
optional AlwaysOpenPdfExternallyProto AlwaysOpenPdfExternally = 349;
optional DisablePluginFinderProto DisablePluginFinder = 68;
optional SyncDisabledProto SyncDisabled = 22;
optional RoamingProfileSupportEnabledProto RoamingProfileSupportEnabled = 360;
optional RoamingProfileLocationProto RoamingProfileLocation = 361;
optional SigninAllowedProto SigninAllowed = 192;
optional EnableDeprecatedWebBasedSigninProto EnableDeprecatedWebBasedSignin = 267;
optional UserDataDirProto UserDataDir = 65;
optional DiskCacheDirProto DiskCacheDir = 90;
optional DiskCacheSizeProto DiskCacheSize = 112;
optional MediaCacheSizeProto MediaCacheSize = 113;
optional DownloadRestrictionsProto DownloadRestrictions = 373;
optional DownloadDirectoryProto DownloadDirectory = 66;
optional SafeBrowsingForTrustedSourcesEnabledProto SafeBrowsingForTrustedSourcesEnabled = 377;
optional ClearSiteDataOnExitProto ClearSiteDataOnExit = 67;
optional CaptivePortalAuthenticationIgnoresProxyProto CaptivePortalAuthenticationIgnoresProxy = 297;
optional ProxyModeProto ProxyMode = 23;
optional ProxyServerModeProto ProxyServerMode = 24;
optional ProxyServerProto ProxyServer = 25;
optional ProxyPacUrlProto ProxyPacUrl = 26;
optional ProxyBypassListProto ProxyBypassList = 27;
optional ProxySettingsProto ProxySettings = 118;
optional AuthSchemesProto AuthSchemes = 28;
optional DisableAuthNegotiateCnameLookupProto DisableAuthNegotiateCnameLookup = 29;
optional EnableAuthNegotiatePortProto EnableAuthNegotiatePort = 30;
optional AuthServerWhitelistProto AuthServerWhitelist = 31;
optional AuthNegotiateDelegateWhitelistProto AuthNegotiateDelegateWhitelist = 32;
optional AuthNegotiateDelegateByKdcPolicyProto AuthNegotiateDelegateByKdcPolicy = 530;
optional GSSAPILibraryNameProto GSSAPILibraryName = 33;
optional AuthAndroidNegotiateAccountTypeProto AuthAndroidNegotiateAccountType = 307;
optional AllowCrossOriginAuthPromptProto AllowCrossOriginAuthPrompt = 91;
optional NtlmV2EnabledProto NtlmV2Enabled = 395;
optional ExtensionInstallBlacklistProto ExtensionInstallBlacklist = 34;
optional ExtensionInstallWhitelistProto ExtensionInstallWhitelist = 35;
optional ExtensionInstallForcelistProto ExtensionInstallForcelist = 36;
optional ExtensionInstallSourcesProto ExtensionInstallSources = 150;
optional ExtensionAllowInsecureUpdatesProto ExtensionAllowInsecureUpdates = 518;
optional ExtensionAllowedTypesProto ExtensionAllowedTypes = 170;
optional ExtensionSettingsProto ExtensionSettings = 280;
optional ExtensionInstallListsMergeEnabledProto ExtensionInstallListsMergeEnabled = 546;
optional ShowHomeButtonProto ShowHomeButton = 37;
optional DeveloperToolsDisabledProto DeveloperToolsDisabled = 38;
optional DeveloperToolsAvailabilityProto DeveloperToolsAvailability = 445;
optional RestoreOnStartupProto RestoreOnStartup = 39;
optional RestoreOnStartupURLsProto RestoreOnStartupURLs = 40;
optional BlockThirdPartyCookiesProto BlockThirdPartyCookies = 41;
optional DefaultSearchProviderEnabledProto DefaultSearchProviderEnabled = 42;
optional DefaultSearchProviderNameProto DefaultSearchProviderName = 43;
optional DefaultSearchProviderKeywordProto DefaultSearchProviderKeyword = 44;
optional DefaultSearchProviderSearchURLProto DefaultSearchProviderSearchURL = 45;
optional DefaultSearchProviderSuggestURLProto DefaultSearchProviderSuggestURL = 46;
optional DefaultSearchProviderInstantURLProto DefaultSearchProviderInstantURL = 47;
optional DefaultSearchProviderIconURLProto DefaultSearchProviderIconURL = 48;
optional DefaultSearchProviderEncodingsProto DefaultSearchProviderEncodings = 49;
optional DefaultSearchProviderAlternateURLsProto DefaultSearchProviderAlternateURLs = 163;
optional DefaultSearchProviderSearchTermsReplacementKeyProto DefaultSearchProviderSearchTermsReplacementKey = 173;
optional DefaultSearchProviderImageURLProto DefaultSearchProviderImageURL = 231;
optional DefaultSearchProviderNewTabURLProto DefaultSearchProviderNewTabURL = 239;
optional DefaultSearchProviderSearchURLPostParamsProto DefaultSearchProviderSearchURLPostParams = 232;
optional DefaultSearchProviderSuggestURLPostParamsProto DefaultSearchProviderSuggestURLPostParams = 233;
optional DefaultSearchProviderInstantURLPostParamsProto DefaultSearchProviderInstantURLPostParams = 234;
optional DefaultSearchProviderImageURLPostParamsProto DefaultSearchProviderImageURLPostParams = 235;
optional DefaultCookiesSettingProto DefaultCookiesSetting = 50;
optional DefaultImagesSettingProto DefaultImagesSetting = 51;
optional DefaultJavaScriptSettingProto DefaultJavaScriptSetting = 52;
optional DefaultPluginsSettingProto DefaultPluginsSetting = 53;
optional DefaultPopupsSettingProto DefaultPopupsSetting = 54;
optional DefaultNotificationsSettingProto DefaultNotificationsSetting = 55;
optional DefaultGeolocationSettingProto DefaultGeolocationSetting = 56;
optional DefaultMediaStreamSettingProto DefaultMediaStreamSetting = 151;
optional DefaultWebBluetoothGuardSettingProto DefaultWebBluetoothGuardSetting = 322;
optional DefaultKeygenSettingProto DefaultKeygenSetting = 315;
optional DefaultWebUsbGuardSettingProto DefaultWebUsbGuardSetting = 436;
optional WebUsbAllowDevicesForUrlsProto WebUsbAllowDevicesForUrls = 488;
optional WebUsbAskForUrlsProto WebUsbAskForUrls = 441;
optional WebUsbBlockedForUrlsProto WebUsbBlockedForUrls = 442;
optional AutoSelectCertificateForUrlsProto AutoSelectCertificateForUrls = 104;
optional CookiesAllowedForUrlsProto CookiesAllowedForUrls = 79;
optional CookiesBlockedForUrlsProto CookiesBlockedForUrls = 69;
optional CookiesSessionOnlyForUrlsProto CookiesSessionOnlyForUrls = 70;
optional ImagesAllowedForUrlsProto ImagesAllowedForUrls = 71;
optional ImagesBlockedForUrlsProto ImagesBlockedForUrls = 72;
optional JavaScriptAllowedForUrlsProto JavaScriptAllowedForUrls = 73;
optional JavaScriptBlockedForUrlsProto JavaScriptBlockedForUrls = 74;
optional KeygenAllowedForUrlsProto KeygenAllowedForUrls = 316;
optional KeygenBlockedForUrlsProto KeygenBlockedForUrls = 317;
optional PluginsAllowedForUrlsProto PluginsAllowedForUrls = 75;
optional PluginsBlockedForUrlsProto PluginsBlockedForUrls = 76;
optional PopupsAllowedForUrlsProto PopupsAllowedForUrls = 77;
optional RegisteredProtocolHandlersProto RegisteredProtocolHandlers = 270;
optional PopupsBlockedForUrlsProto PopupsBlockedForUrls = 78;
optional NotificationsAllowedForUrlsProto NotificationsAllowedForUrls = 107;
optional NotificationsBlockedForUrlsProto NotificationsBlockedForUrls = 108;
optional NativeMessagingBlacklistProto NativeMessagingBlacklist = 253;
optional NativeMessagingWhitelistProto NativeMessagingWhitelist = 254;
optional NativeMessagingUserLevelHostsProto NativeMessagingUserLevelHosts = 255;
optional Disable3DAPIsProto Disable3DAPIs = 57;
optional PolicyRefreshRateProto PolicyRefreshRate = 58;
optional MaxInvalidationFetchDelayProto MaxInvalidationFetchDelay = 230;
optional ChromeFrameRendererSettingsProto ChromeFrameRendererSettings = 59;
optional RenderInChromeFrameListProto RenderInChromeFrameList = 60;
optional RenderInHostListProto RenderInHostList = 61;
optional AdditionalLaunchParametersProto AdditionalLaunchParameters = 143;
optional SkipMetadataCheckProto SkipMetadataCheck = 240;
optional ChromeFrameContentTypesProto ChromeFrameContentTypes = 62;
optional ChromeOsLockOnIdleSuspendProto ChromeOsLockOnIdleSuspend = 63;
optional ChromeOsMultiProfileUserBehaviorProto ChromeOsMultiProfileUserBehavior = 246;
optional SecondaryGoogleAccountSigninAllowedProto SecondaryGoogleAccountSigninAllowed = 408;
optional InstantEnabledProto InstantEnabled = 64;
optional AppRecommendationZeroStateEnabledProto AppRecommendationZeroStateEnabled = 565;
optional TranslateEnabledProto TranslateEnabled = 82;
optional AllowOutdatedPluginsProto AllowOutdatedPlugins = 83;
optional AlwaysAuthorizePluginsProto AlwaysAuthorizePlugins = 88;
optional RunAllFlashInAllowModeProto RunAllFlashInAllowMode = 393;
optional BookmarkBarEnabledProto BookmarkBarEnabled = 84;
optional EditBookmarksEnabledProto EditBookmarksEnabled = 85;
optional ShowAppsShortcutInBookmarkBarProto ShowAppsShortcutInBookmarkBar = 269;
optional AllowFileSelectionDialogsProto AllowFileSelectionDialogs = 86;
optional SecurityKeyPermitAttestationProto SecurityKeyPermitAttestation = 404;
optional GCFUserDataDirProto GCFUserDataDir = 89;
optional ImportBookmarksProto ImportBookmarks = 99;
optional ImportHistoryProto ImportHistory = 100;
optional ImportHomepageProto ImportHomepage = 101;
optional ImportSearchEngineProto ImportSearchEngine = 102;
optional ImportSavedPasswordsProto ImportSavedPasswords = 103;
optional ImportAutofillFormDataProto ImportAutofillFormData = 279;
optional MaxConnectionsPerProxyProto MaxConnectionsPerProxy = 94;
optional HideWebStorePromoProto HideWebStorePromo = 98;
optional URLBlacklistProto URLBlacklist = 105;
optional URLWhitelistProto URLWhitelist = 106;
optional PolicyListMultipleSourceMergeListProto PolicyListMultipleSourceMergeList = 556;
optional PolicyDictionaryMultipleSourceMergeListProto PolicyDictionaryMultipleSourceMergeList = 567;
optional OpenNetworkConfigurationProto OpenNetworkConfiguration = 109;
optional CloudPrintSubmitEnabledProto CloudPrintSubmitEnabled = 111;
optional EnterpriseWebStoreURLProto EnterpriseWebStoreURL = 114;
optional EnterpriseWebStoreNameProto EnterpriseWebStoreName = 115;
optional EnableOriginBoundCertsProto EnableOriginBoundCerts = 116;
optional EnableMemoryInfoProto EnableMemoryInfo = 117;
optional DisablePrintPreviewProto DisablePrintPreview = 119;
optional PrintHeaderFooterProto PrintHeaderFooter = 482;
optional DefaultPrinterSelectionProto DefaultPrinterSelection = 310;
optional DisableSSLRecordSplittingProto DisableSSLRecordSplitting = 120;
optional EnableOnlineRevocationChecksProto EnableOnlineRevocationChecks = 131;
optional RequireOnlineRevocationChecksForLocalAnchorsProto RequireOnlineRevocationChecksForLocalAnchors = 237;
optional EnableSha1ForLocalAnchorsProto EnableSha1ForLocalAnchors = 342;
optional EnableCommonNameFallbackForLocalAnchorsProto EnableCommonNameFallbackForLocalAnchors = 368;
optional EnableSymantecLegacyInfrastructureProto EnableSymantecLegacyInfrastructure = 415;
optional BuiltinCertificateVerifierEnabledProto BuiltinCertificateVerifierEnabled = 577;
optional ForceEphemeralProfilesProto ForceEphemeralProfiles = 247;
optional SAMLOfflineSigninTimeLimitProto SAMLOfflineSigninTimeLimit = 256;
optional ReportArcStatusEnabledProto ReportArcStatusEnabled = 351;
optional ReportCrostiniUsageEnabledProto ReportCrostiniUsageEnabled = 486;
optional DeviceLocalAccountManagedSessionEnabledProto DeviceLocalAccountManagedSessionEnabled = 465;
optional BackgroundModeEnabledProto BackgroundModeEnabled = 140;
optional DriveDisabledProto DriveDisabled = 141;
optional DriveDisabledOverCellularProto DriveDisabledOverCellular = 142;
optional PinnedLauncherAppsProto PinnedLauncherApps = 146;
optional RestrictSigninToPatternProto RestrictSigninToPattern = 149;
optional DisableSafeBrowsingProceedAnywayProto DisableSafeBrowsingProceedAnyway = 152;
optional SafeBrowsingExtendedReportingOptInAllowedProto SafeBrowsingExtendedReportingOptInAllowed = 301;
optional SpellCheckServiceEnabledProto SpellCheckServiceEnabled = 153;
optional ExternalStorageDisabledProto ExternalStorageDisabled = 154;
optional ExternalStorageReadOnlyProto ExternalStorageReadOnly = 345;
optional AudioOutputAllowedProto AudioOutputAllowed = 161;
optional AudioCaptureAllowedProto AudioCaptureAllowed = 162;
optional AudioCaptureAllowedUrlsProto AudioCaptureAllowedUrls = 210;
optional VideoCaptureAllowedProto VideoCaptureAllowed = 169;
optional VideoCaptureAllowedUrlsProto VideoCaptureAllowedUrls = 211;
optional DisableScreenshotsProto DisableScreenshots = 155;
optional TouchVirtualKeyboardEnabledProto TouchVirtualKeyboardEnabled = 271;
optional ShowLogoutButtonInTrayProto ShowLogoutButtonInTray = 166;
optional BuiltInDnsClientEnabledProto BuiltInDnsClientEnabled = 167;
optional ShelfAutoHideBehaviorProto ShelfAutoHideBehavior = 168;
optional UserDisplayNameProto UserDisplayName = 171;
optional SessionLengthLimitProto SessionLengthLimit = 172;
optional FullscreenAllowedProto FullscreenAllowed = 242;
// Power-management policy slots. The AC/Battery suffixes pair up the same
// setting for the two power sources; units and value ranges are not visible
// here and live in the <Policy>Proto wrapper messages.
optional ScreenDimDelayACProto ScreenDimDelayAC = 174;
optional ScreenOffDelayACProto ScreenOffDelayAC = 175;
// NOTE(review): by name, the ScreenLockDelay* values decide how long an
// unattended session stays unlocked; check them against the organisation's
// idle-lock requirement - confirm semantics in the wrapper messages.
optional ScreenLockDelayACProto ScreenLockDelayAC = 176;
optional IdleWarningDelayACProto IdleWarningDelayAC = 199;
optional IdleDelayACProto IdleDelayAC = 177;
optional ScreenDimDelayBatteryProto ScreenDimDelayBattery = 178;
optional ScreenOffDelayBatteryProto ScreenOffDelayBattery = 179;
optional ScreenLockDelayBatteryProto ScreenLockDelayBattery = 180;
optional IdleWarningDelayBatteryProto IdleWarningDelayBattery = 200;
optional IdleDelayBatteryProto IdleDelayBattery = 181;
// IdleAction has separate AC and Battery variants with their own numbers
// (228, 224); which one takes precedence is not stated in this listing.
optional IdleActionProto IdleAction = 182;
optional IdleActionACProto IdleActionAC = 228;
optional IdleActionBatteryProto IdleActionBattery = 224;
optional LidCloseActionProto LidCloseAction = 183;
optional PowerManagementUsesAudioActivityProto PowerManagementUsesAudioActivity = 184;
optional PowerManagementUsesVideoActivityProto PowerManagementUsesVideoActivity = 185;
optional PresentationIdleDelayScaleProto PresentationIdleDelayScale = 186;
optional PresentationScreenDimDelayScaleProto PresentationScreenDimDelayScale = 222;
optional AllowWakeLocksProto AllowWakeLocks = 493;
optional AllowScreenWakeLocksProto AllowScreenWakeLocks = 205;
optional UserActivityScreenDimDelayScaleProto UserActivityScreenDimDelayScale = 212;
optional WaitForInitialUserActivityProto WaitForInitialUserActivity = 249;
// The two fields below look like aggregate settings that overlap with the
// individual delay fields above - presumably newer replacements; verify.
optional PowerManagementIdleSettingsProto PowerManagementIdleSettings = 260;
optional ScreenLockDelaysProto ScreenLockDelays = 261;
// Terms-of-service URL and accessibility policy slots. Each field is optional
// and typed by its own <Policy>Proto wrapper message.
optional TermsOfServiceURLProto TermsOfServiceURL = 188;
optional ShowAccessibilityOptionsInSystemTrayMenuProto ShowAccessibilityOptionsInSystemTrayMenu = 190;
optional LargeCursorEnabledProto LargeCursorEnabled = 213;
optional SpokenFeedbackEnabledProto SpokenFeedbackEnabled = 214;
optional HighContrastEnabledProto HighContrastEnabled = 215;
optional VirtualKeyboardEnabledProto VirtualKeyboardEnabled = 257;
// 563 and 575 are much higher than their neighbours, which suggests these two
// were added later; listing order does not follow field-number order.
optional StickyKeysEnabledProto StickyKeysEnabled = 563;
optional SelectToSpeakEnabledProto SelectToSpeakEnabled = 575;
optional KeyboardDefaultToFunctionKeysProto KeyboardDefaultToFunctionKeys = 262;
optional ScreenMagnifierTypeProto ScreenMagnifierType = 216;
// Mixed policy slots: web store icon, attestation, supervised users, managed
// bookmarks, user images, guest mode and browser sign-in. Each field is
// optional and typed by its own <Policy>Proto wrapper message.
optional HideWebStoreIconProto HideWebStoreIcon = 191;
optional VariationsRestrictParameterProto VariationsRestrictParameter = 198;
// NOTE(review): by name, these two control remote attestation for the user
// and a list of extensions permitted to use it; the extension list is worth
// auditing as an allowlist - confirm semantics in the wrapper messages.
optional AttestationEnabledForUserProto AttestationEnabledForUser = 202;
optional AttestationExtensionWhitelistProto AttestationExtensionWhitelist = 203;
optional SuppressChromeFrameTurndownPromptProto SuppressChromeFrameTurndownPrompt = 223;
optional ContentPackDefaultFilteringBehaviorProto ContentPackDefaultFilteringBehavior = 206;
optional ContentPackManualBehaviorHostsProto ContentPackManualBehaviorHosts = 207;
optional ContentPackManualBehaviorURLsProto ContentPackManualBehaviorURLs = 208;
optional SupervisedUserCreationEnabledProto SupervisedUserCreationEnabled = 225;
optional SupervisedUserContentProviderEnabledProto SupervisedUserContentProviderEnabled = 314;
optional ManagedBookmarksProto ManagedBookmarks = 229;
optional DataCompressionProxyEnabledProto DataCompressionProxyEnabled = 243;
optional UserAvatarImageProto UserAvatarImage = 251;
optional WallpaperImageProto WallpaperImage = 264;
// NOTE(review): name indicates this re-enables web platform features that
// have been deprecated; treat a non-empty value as temporary - confirm.
optional EnableDeprecatedWebPlatformFeaturesProto EnableDeprecatedWebPlatformFeatures = 272;
optional EasyUnlockAllowedProto EasyUnlockAllowed = 274;
optional SessionLocalesProto SessionLocales = 276;
// Guest-mode and profile policies. "Enabled" (277) and "Enforced" (576) are
// separate fields; how they interact is not visible in this listing.
optional BrowserGuestModeEnabledProto BrowserGuestModeEnabled = 277;
optional BrowserGuestModeEnforcedProto BrowserGuestModeEnforced = 576;
optional BrowserAddPersonEnabledProto BrowserAddPersonEnabled = 278;
// ForceBrowserSignin (348) and BrowserSignin (489) both exist; presumably
// the latter supersedes the former - verify before relying on either.
optional ForceBrowserSigninProto ForceBrowserSignin = 348;
optional BrowserSigninProto BrowserSignin = 489;
// TLS and certificate-handling policy slots (plus a few unrelated entries
// interleaved by the generator). Each field is optional and typed by its own
// <Policy>Proto wrapper message.
// NOTE(review): by name, the three SSLVersion* fields bound the negotiated
// protocol version. A lowered minimum or fallback minimum would permit older
// protocol versions, so audit the deployed values - confirm the accepted
// strings in the wrapper messages.
optional SSLVersionMinProto SSLVersionMin = 281;
optional SSLVersionFallbackMinProto SSLVersionFallbackMin = 282;
optional SSLVersionMaxProto SSLVersionMax = 363;
// NOTE(review): the names describe exemptions from Certificate Transparency
// enforcement, scoped by URL, by CA and by legacy CA. Each entry removes CT
// as a detection signal for mis-issued certificates within its scope, so the
// lists should be kept minimal and reviewed - confirm matching rules in the
// wrapper messages.
optional CertificateTransparencyEnforcementDisabledForUrlsProto CertificateTransparencyEnforcementDisabledForUrls = 337;
optional CertificateTransparencyEnforcementDisabledForCasProto CertificateTransparencyEnforcementDisabledForCas = 437;
optional CertificateTransparencyEnforcementDisabledForLegacyCasProto CertificateTransparencyEnforcementDisabledForLegacyCas = 438;
// NOTE(review): by name, these toggle RC4 and DHE cipher suites. Both are
// legacy choices for TLS; a policy that sets either to true should be
// flagged in a configuration audit - confirm defaults in the wrappers.
optional RC4EnabledProto RC4Enabled = 312;
optional DHEEnabledProto DHEEnabled = 336;
optional ContextualSearchEnabledProto ContextualSearchEnabled = 283;
optional ForceMaximizeOnFirstRunProto ForceMaximizeOnFirstRun = 300;
// NOTE(review): name suggests this decides whether users may proceed past
// certificate error pages; verify the value used for managed fleets.
optional SSLErrorOverrideAllowedProto SSLErrorOverrideAllowed = 302;
optional QuicAllowedProto QuicAllowed = 303;
// Presumably maps extensions to permissions on keys; the schema is in the
// wrapper message and not visible here.
optional KeyPermissionsProto KeyPermissions = 304;
// Policy slots for OS/UI behaviour, ARC, media router (Cast), WebRTC,
// component updates and native printers. Each field is optional and typed by
// its own <Policy>Proto wrapper message.
optional WelcomePageOnOSUpgradeEnabledProto WelcomePageOnOSUpgradeEnabled = 305;
optional HardwareAccelerationModeEnabledProto HardwareAccelerationModeEnabled = 306;
optional UnifiedDesktopEnabledByDefaultProto UnifiedDesktopEnabledByDefault = 309;
optional ArcEnabledProto ArcEnabled = 319;
optional ArcPolicyProto ArcPolicy = 320;
// NOTE(review): name suggests this hides the warning shown on an unsupported
// OS; suppressing it does not make the platform supported - confirm.
optional SuppressUnsupportedOSWarningProto SuppressUnsupportedOSWarning = 326;
optional TaskManagerEndProcessEnabledProto TaskManagerEndProcessEnabled = 329;
optional AllowScreenLockProto AllowScreenLock = 331;
optional ArcCertificatesSyncModeProto ArcCertificatesSyncMode = 332;
optional AllowedDomainsForAppsProto AllowedDomainsForApps = 333;
// NOTE(review): by name, controls whether https URLs are stripped before
// being handed to PAC scripts; disabling stripping would expose more of the
// URL to the PAC script - confirm in the wrapper message.
optional PacHttpsUrlStrippingEnabledProto PacHttpsUrlStrippingEnabled = 334;
optional EnableMediaRouterProto EnableMediaRouter = 335;
optional ShowCastIconInToolbarProto ShowCastIconInToolbar = 364;
// NOTE(review): name suggests Cast discovery/connection is widened to all IP
// addresses rather than a restricted range; verify the default.
optional MediaRouterCastAllowAllIPsProto MediaRouterCastAllowAllIPs = 439;
optional ArcBackupRestoreEnabledProto ArcBackupRestoreEnabled = 339;
optional ArcLocationServiceEnabledProto ArcLocationServiceEnabled = 365;
optional NTPContentSuggestionsEnabledProto NTPContentSuggestionsEnabled = 340;
optional WebRtcUdpPortRangeProto WebRtcUdpPortRange = 341;
optional WebRestrictionsAuthorityProto WebRestrictionsAuthority = 343;
// NOTE(review): by name, a false value would stop component updates; check
// what that means for security-relevant components before deploying.
optional ComponentUpdatesEnabledProto ComponentUpdatesEnabled = 344;
// Native printer configuration: a direct list (352) plus a bulk
// configuration with an access mode and two filter lists (384-387). How the
// access mode selects between the two lists is defined in the wrappers.
optional NativePrintersProto NativePrinters = 352;
optional NativePrintersBulkConfigurationProto NativePrintersBulkConfiguration = 384;
optional NativePrintersBulkAccessModeProto NativePrintersBulkAccessMode = 385;
optional NativePrintersBulkBlacklistProto NativePrintersBulkBlacklist = 386;
optional NativePrintersBulkWhitelistProto NativePrintersBulkWhitelist = 387;
// Quick-unlock / PIN policy slots followed by assorted device and policy
// precedence settings. Each field is optional and typed by its own
// <Policy>Proto wrapper message.
// NOTE(review): by name, these five define which quick-unlock modes are
// allowed, how long they stay valid, PIN length bounds and whether weak PINs
// are accepted. Review them as one set: a short minimum length combined with
// weak PINs allowed gives little protection - confirm defaults in the
// wrapper messages.
optional QuickUnlockModeWhitelistProto QuickUnlockModeWhitelist = 354;
optional QuickUnlockTimeoutProto QuickUnlockTimeout = 355;
optional PinUnlockMinimumLengthProto PinUnlockMinimumLength = 356;
optional PinUnlockMaximumLengthProto PinUnlockMaximumLength = 357;
optional PinUnlockWeakPinsAllowedProto PinUnlockWeakPinsAllowed = 358;
optional SmsMessagesAllowedProto SmsMessagesAllowed = 471;
optional SmartLockSigninAllowedProto SmartLockSigninAllowed = 490;
optional InstantTetheringAllowedProto InstantTetheringAllowed = 369;
optional BrowserNetworkTimeQueriesEnabledProto BrowserNetworkTimeQueriesEnabled = 372;
optional PrintPreviewUseSystemDefaultPrinterProto PrintPreviewUseSystemDefaultPrinter = 375;
// Presumably selects how existing ecryptfs-encrypted home directories are
// migrated; the allowed strategy values are in the wrapper message.
optional EcryptfsMigrationStrategyProto EcryptfsMigrationStrategy = 378;
optional SchedulerConfigurationProto SchedulerConfiguration = 524;
optional NoteTakingAppsLockScreenWhitelistProto NoteTakingAppsLockScreenWhitelist = 379;
optional CastReceiverEnabledProto CastReceiverEnabled = 380;
// NOTE(review): by name, this changes which policy source wins when cloud
// and platform policy disagree; that matters when reasoning about which
// values above are actually in effect - confirm in the wrapper message.
optional CloudPolicyOverridesPlatformPolicyProto CloudPolicyOverridesPlatformPolicy = 383;
// Policy slots for downloads, site isolation, insecure-origin overrides,
// spellcheck, third-party blocking, ads and password protection. Each field
// is optional and typed by its own <Policy>Proto wrapper message.
optional PromptForDownloadLocationProto PromptForDownloadLocation = 397;
// Site-isolation settings, with separate Android variants (447, 448).
// NOTE(review): by name, IsolateOrigins takes a list of origins and
// SitePerProcess is a global switch; confirm how an unset field differs from
// an explicit false in the wrapper messages.
optional IsolateOriginsProto IsolateOrigins = 400;
optional SitePerProcessProto SitePerProcess = 401;
optional IsolateOriginsAndroidProto IsolateOriginsAndroid = 447;
optional SitePerProcessAndroidProto SitePerProcessAndroid = 448;
optional WebDriverOverridesIncompatiblePoliciesProto WebDriverOverridesIncompatiblePolicies = 416;
// NOTE(review): the name itself flags this as unsafe - it appears to list
// insecure origins that are to be treated as secure. Any non-empty value in
// a deployed policy deserves justification - confirm matching rules.
optional UnsafelyTreatInsecureOriginAsSecureProto UnsafelyTreatInsecureOriginAsSecure = 402;
optional DefaultDownloadDirectoryProto DefaultDownloadDirectory = 403;
optional AbusiveExperienceInterventionEnforceProto AbusiveExperienceInterventionEnforce = 406;
optional SpellcheckLanguageProto SpellcheckLanguage = 407;
optional SpellcheckLanguageBlacklistProto SpellcheckLanguageBlacklist = 538;
optional ThirdPartyBlockingEnabledProto ThirdPartyBlockingEnabled = 409;
optional SpellcheckEnabledProto SpellcheckEnabled = 410;
optional AdsSettingForIntrusiveAdsSitesProto AdsSettingForIntrusiveAdsSites = 411;
// Presumably a list of account-name patterns that restricts which accounts
// may be used; the pattern syntax is not visible here.
optional RestrictAccountsToPatternsProto RestrictAccountsToPatterns = 412;
optional PasswordProtectionWarningTriggerProto PasswordProtectionWarningTrigger = 413;
// Policy slots for relaunch notifications, Crostini, Safe Browsing, password
// protection and cloud-management enrollment. Each field is optional and
// typed by its own <Policy>Proto wrapper message.
optional RelaunchNotificationProto RelaunchNotification = 421;
optional RelaunchNotificationPeriodProto RelaunchNotificationPeriod = 422;
optional RelaunchHeadsUpPeriodProto RelaunchHeadsUpPeriod = 569;
optional CrostiniAllowedProto CrostiniAllowed = 483;
optional CrostiniExportImportUIAllowedProto CrostiniExportImportUIAllowed = 525;
// NOTE(review): by name, a list of domains exempted from Safe Browsing
// checks; keep it minimal and review entries periodically - confirm scope
// in the wrapper message.
optional SafeBrowsingWhitelistDomainsProto SafeBrowsingWhitelistDomains = 424;
optional PasswordProtectionLoginURLsProto PasswordProtectionLoginURLs = 425;
optional PasswordProtectionChangePasswordURLProto PasswordProtectionChangePasswordURL = 426;
optional SafeBrowsingExtendedReportingEnabledProto SafeBrowsingExtendedReportingEnabled = 431;
// NOTE(review): by name, the next two carry enrollment tokens (430 looks
// like the older name, 512 the newer). If so, serialized policy blobs and
// logs containing these fields should be handled as sensitive - confirm.
optional MachineLevelUserCloudPolicyEnrollmentTokenProto MachineLevelUserCloudPolicyEnrollmentToken = 430;
optional CloudManagementEnrollmentTokenProto CloudManagementEnrollmentToken = 512;
optional CloudManagementEnrollmentMandatoryProto CloudManagementEnrollmentMandatory = 507;
// Policy slots for autoplay, printers, Chrome Cleanup, languages, ARC,
// content filtering, network file shares, WebRTC logging and reporting. Each
// field is optional and typed by its own <Policy>Proto wrapper message.
optional AutoplayAllowedProto AutoplayAllowed = 432;
optional AutoplayWhitelistProto AutoplayWhitelist = 433;
optional TabUnderAllowedProto TabUnderAllowed = 434;
optional UserNativePrintersAllowedProto UserNativePrintersAllowed = 435;
optional ChromeCleanupEnabledProto ChromeCleanupEnabled = 443;
optional ChromeCleanupReportingEnabledProto ChromeCleanupReportingEnabled = 444;
optional AllowedLanguagesProto AllowedLanguages = 446;
optional AllowedInputMethodsProto AllowedInputMethods = 458;
optional ArcAppInstallEventLoggingEnabledProto ArcAppInstallEventLoggingEnabled = 449;
optional UsageTimeLimitProto UsageTimeLimit = 450;
optional ArcBackupRestoreServiceEnabledProto ArcBackupRestoreServiceEnabled = 451;
optional ArcGoogleLocationServicesEnabledProto ArcGoogleLocationServicesEnabled = 452;
optional EnableSyncConsentProto EnableSyncConsent = 453;
optional ContextualSuggestionsEnabledProto ContextualSuggestionsEnabled = 454;
optional PromotionalTabsEnabledProto PromotionalTabsEnabled = 456;
optional SafeSitesFilterBehaviorProto SafeSitesFilterBehavior = 457;
// NOTE(review): name suggests a list of insecure origins for which security
// restrictions are lifted, overlapping in purpose with
// UnsafelyTreatInsecureOriginAsSecure (402, same message). Audit both when
// checking a deployed policy - confirm which one takes effect.
optional OverrideSecurityRestrictionsOnInsecureOriginProto OverrideSecurityRestrictionsOnInsecureOrigin = 459;
optional TabLifecyclesEnabledProto TabLifecyclesEnabled = 462;
optional UrlKeyedAnonymizedDataCollectionEnabledProto UrlKeyedAnonymizedDataCollectionEnabled = 463;
optional NetworkFileSharesAllowedProto NetworkFileSharesAllowed = 464;
// NOTE(review): by name, permits collection of WebRTC event logs; what is
// collected and where it is sent is not visible here - confirm.
optional WebRtcEventLogCollectionAllowedProto WebRtcEventLogCollectionAllowed = 466;
optional PowerSmartDimEnabledProto PowerSmartDimEnabled = 467;
// Presumably a host list for which HTTP/2 connections may be coalesced even
// when client certificates are in use; verify matching rules in the wrapper.
optional CoalesceH2ConnectionsWithClientCertificatesForHostsProto CoalesceH2ConnectionsWithClientCertificatesForHosts = 468;
optional NetBiosShareDiscoveryEnabledProto NetBiosShareDiscoveryEnabled = 469;
// NOTE(review): by name, a list of web apps installed without user action;
// the install sources in it should be reviewed like any force-install list.
optional WebAppInstallForceListProto WebAppInstallForceList = 470;
// Reporting switches. NOTE(review): by name, these select which data
// categories (version, policy, machine ID, user ID, extensions/plugins, Safe
// Browsing) are reported, with CloudReportingEnabled as a separate switch;
// relevant for privacy review - confirm in the wrapper messages.
optional ReportVersionDataProto ReportVersionData = 472;
optional ReportPolicyDataProto ReportPolicyData = 473;
optional ReportMachineIDDataProto ReportMachineIDData = 474;
optional ReportUserIDDataProto ReportUserIDData = 475;
optional ReportExtensionsAndPluginsDataProto ReportExtensionsAndPluginsData = 501;
optional ReportSafeBrowsingDataProto ReportSafeBrowsingData = 502;
optional CloudReportingEnabledProto CloudReportingEnabled = 495;
optional EnterpriseHardwarePlatformAPIEnabledProto EnterpriseHardwarePlatformAPIEnabled = 485;
// Policy slots for VPN, network file shares, screen brightness and the
// browser-switcher feature. Each field is optional and typed by its own
// <Policy>Proto wrapper message.
optional VpnConfigAllowedProto VpnConfigAllowed = 487;
// NOTE(review): by name, enables NTLM authentication for network shares and
// preconfigures a share list; NTLM is a legacy protocol, so check whether
// the fleet still needs it - confirm defaults in the wrapper messages.
optional NTLMShareAuthenticationEnabledProto NTLMShareAuthenticationEnabled = 491;
optional NetworkFileSharesPreconfiguredSharesProto NetworkFileSharesPreconfiguredShares = 492;
optional ScreenBrightnessPercentProto ScreenBrightnessPercent = 494;
// NOTE(review): by name, the Path/Parameters pairs below name an executable
// and its command-line arguments taken from policy. Whoever can write this
// policy therefore influences what gets launched; restrict write access to
// the policy source accordingly - confirm how values are validated.
optional AlternativeBrowserPathProto AlternativeBrowserPath = 496;
optional AlternativeBrowserParametersProto AlternativeBrowserParameters = 497;
optional BrowserSwitcherChromePathProto BrowserSwitcherChromePath = 532;
optional BrowserSwitcherChromeParametersProto BrowserSwitcherChromeParameters = 533;
// URL lists that presumably decide which navigations are handed to the
// other browser; the *ExternalSitelistUrl/*ExternalGreylistUrl fields look
// like locations the lists are fetched from - verify transport and
// validation in the wrapper messages.
optional BrowserSwitcherUrlListProto BrowserSwitcherUrlList = 498;
optional BrowserSwitcherUrlGreylistProto BrowserSwitcherUrlGreylist = 499;
optional BrowserSwitcherUseIeSitelistProto BrowserSwitcherUseIeSitelist = 500;
optional BrowserSwitcherExternalSitelistUrlProto BrowserSwitcherExternalSitelistUrl = 513;
optional BrowserSwitcherExternalGreylistUrlProto BrowserSwitcherExternalGreylistUrl = 566;
optional BrowserSwitcherDelayProto BrowserSwitcherDelay = 526;
optional BrowserSwitcherEnabledProto BrowserSwitcherEnabled = 519;
optional BrowserSwitcherKeepLastChromeTabProto BrowserSwitcherKeepLastChromeTab = 521;
// Final run of policy slots in the enclosing message (its header is above
// this excerpt): Plugin VM, parental access, client certificates, voice
// interaction, SAML, Kerberos, startup behaviour and print servers. Each
// field is optional and typed by its own <Policy>Proto wrapper message.
// Presumably describes where a VM image is obtained; whether the wrapper
// carries an integrity value (e.g. a hash) is not visible here - verify.
optional PluginVmImageProto PluginVmImage = 506;
optional ParentAccessCodeConfigProto ParentAccessCodeConfig = 509;
optional ClientCertificateManagementAllowedProto ClientCertificateManagementAllowed = 520;
optional ForceNetworkInProcessProto ForceNetworkInProcess = 523;
optional VoiceInteractionContextEnabledProto VoiceInteractionContextEnabled = 529;
optional VoiceInteractionHotwordEnabledProto VoiceInteractionHotwordEnabled = 531;
optional AllowPopupsDuringPageUnloadProto AllowPopupsDuringPageUnload = 535;
optional SignedHTTPExchangeEnabledProto SignedHTTPExchangeEnabled = 544;
optional SamlInSessionPasswordChangeEnabledProto SamlInSessionPasswordChangeEnabled = 547;
optional UserFeedbackAllowedProto UserFeedbackAllowed = 572;
optional SamlPasswordExpirationAdvanceWarningDaysProto SamlPasswordExpirationAdvanceWarningDays = 557;
// Kerberos settings. NOTE(review): by name, 560 allows remembering Kerberos
// passwords and 562 preconfigures accounts; if account entries can contain
// credentials, the serialized policy must be treated as sensitive -
// confirm the schema in the wrapper messages.
optional KerberosEnabledProto KerberosEnabled = 559;
optional KerberosRememberPasswordEnabledProto KerberosRememberPasswordEnabled = 560;
optional KerberosAddAccountsAllowedProto KerberosAddAccountsAllowed = 561;
optional KerberosAccountsProto KerberosAccounts = 562;
// NOTE(review): name suggests this controls the warning shown when the
// browser is started with security-weakening command-line flags; disabling
// it removes a user-visible signal - confirm the default.
optional CommandLineFlagSecurityWarningsEnabledProto CommandLineFlagSecurityWarningsEnabled = 568;
optional StartupBrowserWindowLaunchSuppressedProto StartupBrowserWindowLaunchSuppressed = 570;
optional ExternalPrintServersProto ExternalPrintServers = 574;
}