// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

syntax = "proto2";

option optimize_for = LITE_RUNTIME;

package enterprise_management;

import "private_membership_rlwe.proto";

// Everything below this comment will be synchronized between client and server
// repos ( go/cros-proto-sync ).

// DEPRECATED: This enum needs to be shared between DeviceRegisterRequest and
// LicenseAvailability protos. With java_api_version 1, this means that enum
// needs to be wrapped into a message.
message LicenseType {
  // Enumerates different license types.
  enum LicenseTypeEnum {
    // Unknown/undefined
    UNDEFINED = 0;
    // Chrome Device Management Perpetual
    CDM_PERPETUAL = 1;
    // Chrome Device Management Annual
    CDM_ANNUAL = 2;
    // Chrome Kiosk
    KIOSK = 3;
  }

  // The license type. Marked deprecated.
  optional LicenseTypeEnum license_type_deprecated = 1 [deprecated = true];
}

// Data along with a cryptographic signature verifying their authenticity.
// NOTE(review): the message names neither the signing key nor the algorithm;
// a verifier has to know both from context.
message SignedData {
  // The data to be signed.
  optional bytes data = 1;
  // The signature of the data field.
  optional bytes signature = 2;
  // How many bytes were added to the end of original data before signature
  // (e.g. a nonce to avoid proxy attacks of the signing service).
  // NOTE(review): the type is signed; presumably a verifier rejects a value
  // that is negative or larger than the length of |data| before stripping the
  // extra bytes - confirm against the consumer.
  optional int32 extra_data_bytes = 3;
}

// Request from device to server to check user account type for enrollment.
message CheckUserAccountRequest {
  // Email address of a user.
  // The user may not exist in GAIA.
  optional string user_email = 1;
}

// Request from device to server to register a device, user or browser.
message DeviceRegisterRequest {
  // Reserved field numbers; they must not be assigned to new fields.
  reserved 5, 10;

  // Reregister device without erasing server state. It can be used
  // to refresh dmtoken etc. Client MUST set this value to true if it
  // reuses an existing device id.
  optional bool reregister = 1;

  // Register type. This field does not exist for TT release.
  // When a client requests for policies, server should verify the
  // client has been registered properly. For example, a client must
  // register with type DEVICE in order to retrieve device policies.
  enum Type {
    // Reserved value number; it must not be assigned to a new value.
    reserved 5;

    TT = 0;               // Register for TT release.
    USER = 1;             // Register for Chrome OS user policies.
    DEVICE = 2;           // Register for Chrome OS device policies.
    BROWSER = 3;          // Register for desktop Chrome browser user policies.
    ANDROID_BROWSER = 4;  // Register for Android Chrome browser user policies.
  }
  // NOTE: we also use this field to detect client version. If this
  // field is missing, then the request comes from TT. We will remove
  // Chrome OS TT support once it is over.
  optional Type type = 2 [default = TT];

  // Machine hardware id, such as serial number.
  // This field is required if register type == DEVICE.
  optional string machine_id = 3;

  // Machine model name, such as "ZGA", "Cr-48", "Nexus One". If the
  // model name is not available, client SHOULD send generic name like
  // "Android", or "Chrome OS".
  optional string machine_model = 4;

  // Indicates a requisition of the registering entity that the server can act
  // upon. This allows clients to pass hints e.g. at device enrollment time
  // about the intended use of the device.
  optional string requisition = 6;

  // The current server-backed state key for the client, if applicable. This can
  // be used by the server to link the registration request to an existing
  // device record for re-enrollment.
  optional bytes server_backed_state_key = 7;

  // Enumerates different flavors of registration.
  enum Flavor {
    // User manually enrolls a device for device management.
    FLAVOR_ENROLLMENT_MANUAL = 0;
    // User re-starts enrollment manually to recover from loss of policy.
    FLAVOR_ENROLLMENT_MANUAL_RENEW = 1;
    // Device enrollment forced by local device configuration, such as OEM
    // partition flags to force enrollment.
    FLAVOR_ENROLLMENT_LOCAL_FORCED = 2;
    // Enrollment advertised by local device configuration, such as OEM
    // partition flags indicating to prompt for enrollment, but allowing the
    // user to skip.
    FLAVOR_ENROLLMENT_LOCAL_ADVERTISED = 3;
    // Device state downloaded from the server during OOBE indicates that
    // re-enrollment is mandatory.
    FLAVOR_ENROLLMENT_SERVER_FORCED = 4;
    // Device state downloaded from the server during OOBE indicates that the
    // device should prompt for (re-)enrollment, but the user is allowed to
    // skip.
    FLAVOR_ENROLLMENT_SERVER_ADVERTISED = 5;
    // Device detected in steady state that it is supposed to be enrolled, but
    // the policy is missing.
    FLAVOR_ENROLLMENT_RECOVERY = 6;
    // User policy registration for a logged-in user.
    FLAVOR_USER_REGISTRATION = 7;
    // Attestation-based with the option to use a different authentication
    // mechanism.
    FLAVOR_ENROLLMENT_ATTESTATION = 8;
    // Forced attestation-based enrollment (cannot fallback to another flavor).
    FLAVOR_ENROLLMENT_ATTESTATION_LOCAL_FORCED = 9;
    // Device state downloaded from the server during OOBE indicates that
    // re-enrollment is mandatory and should be attestation-based.
    FLAVOR_ENROLLMENT_ATTESTATION_SERVER_FORCED = 10;
    // Device state downloaded from the server indicated that re-enrollment is
    // mandatory, but it failed and we are doing a fallback to manual
    // enrollment.
    FLAVOR_ENROLLMENT_ATTESTATION_MANUAL_FALLBACK = 11;
    // Enrollment triggered by USB pre-configuration
    FLAVOR_ENROLLMENT_ATTESTATION_USB_ENROLLMENT = 12;
    // Device state downloaded from the server during OOBE indicates that
    // initial enrollment is mandatory.
    FLAVOR_ENROLLMENT_INITIAL_SERVER_FORCED = 13;
    // Device state downloaded from the server during OOBE indicates that
    // initial enrollment is mandatory and should be attestation-based.
    FLAVOR_ENROLLMENT_ATTESTATION_INITIAL_SERVER_FORCED = 14;
    // Device state downloaded from the server indicated that initial enrollment
    // is mandatory, but it failed and we are doing a fallback to manual
    // enrollment.
    FLAVOR_ENROLLMENT_ATTESTATION_INITIAL_MANUAL_FALLBACK = 15;
  }

  // Indicates the registration flavor. This is passed to the server FYI when
  // registering for policy so the server can distinguish registration triggers.
  optional Flavor flavor = 8;

  // If specified, represents the license type selected by user on the device.
  optional LicenseType license_type = 9;

  // Enumerates different expected lifetimes of registration.
  enum Lifetime {
    // Default case.
    LIFETIME_UNDEFINED = 0;
    // No expiration, most of the registrations have this lifetime.
    LIFETIME_INDEFINITE = 1;
    // Lifetime for ephemeral user policy registration.
    LIFETIME_EPHEMERAL_USER = 2;
  }

  // Indicates the expected lifetime of registration.
  optional Lifetime lifetime = 11 [default = LIFETIME_INDEFINITE];

  // The 4-character brand code of the device.
  optional string brand_code = 12;

  // Previous DMToken that should be reused for re-registration.
  // NOTE(review): DeviceRegisterResponse documents the DMToken as the value
  // sent in the HTTP Authorization header, so this is presumably a credential
  // and should be kept out of logs - confirm.
  optional string reregistration_dm_token = 13;

  // MAC address for onboard network (ethernet) interface.
  // The format is twelve (12) hexadecimal digits without any delimiter
  // (uppercase letters).
  // This field might be set only if register type == DEVICE.
  optional string ethernet_mac_address = 14;

  // Built-in MAC address for the docking station that the device can be
  // connected to.
  // The format is twelve (12) hexadecimal digits without any delimiter
  // (uppercase letters).
  // This field might be set only if register type == DEVICE.
  optional string dock_mac_address = 15;

  // The date the device was manufactured in yyyy-mm-dd format.
  // This field might be set only if register type == DEVICE.
  optional string manufacture_date = 16;

  // Currently used in token enrollment to ensure the domain in the request
  // matches the domain from the token.
  optional string expected_enrollment_domain = 17;

  // Identification of the device that is not already available.
  optional DeviceRegisterIdentification device_register_identification = 18;

  // Next id: 19.
}

// Identification of a device used during its registration.
message DeviceRegisterIdentification {
  // The attested device ID for devices using Zero-Touch (see go/zt-sn).
  optional string attested_device_id = 1;
}

// Response from server to device.
// NOTE(review): presumably the reply to CheckUserAccountRequest - confirm.
message CheckUserAccountResponse {
  // Enum listing the possible user account status.
  enum UserAccountType {
    UNKNOWN_USER_ACCOUNT_TYPE = 0;

    // No GAIA user exists for the given user email.
    NOT_EXIST = 1;

    // The GAIA user mapping to the specific user email is not a dasher user.
    CONSUMER = 2;
    // The GAIA user is a dasher user. See http://go/is-dasher-user
    DASHER = 3;
  }

  // The domain abstracted from the specific email has been verified by dasher.
  optional bool domain_verified = 1;

  // The account type mapping from the specific user email.
  optional UserAccountType user_account_type = 2;
}

// Response from server to device register request.
message DeviceRegisterResponse {
  // Device management token for this registration. This token MUST be
  // part of HTTP Authorization header for all future requests from
  // device to server.
  // Because it authenticates every later request, it is a credential: store
  // it protected and keep it out of logs and crash reports.
  // NOTE(review): this is a proto2 `required` field; a message without it
  // fails to parse, and the label cannot be relaxed without breaking readers.
  required string device_management_token = 1;

  // Device display name. By default, server generates the name in
  // the format of "Machine Model - Machine Id". However, domain
  // admin can update it using Admin console, so do NOT treat it as constant.
  optional string machine_name = 2;

  // Enum listing the possible modes the device should be locked into when the
  // registration is finished.
  enum DeviceMode {
    // In ENTERPRISE mode the device has no local owner and device settings are
    // controlled through the cloud policy infrastructure. Auto-enrollment is
    // supported in that mode.
    ENTERPRISE = 0;
    // DEPRECATED: Devices in RETAIL mode also have no local owner and get their
    // device settings from the cloud, but additionally this mode enables the
    // demo account on the device.
    RETAIL_DEPRECATED = 1;
    // Devices in CHROME_AD mode are in enterprises with AD. Device settings
    // are controlled through the AD policy infrastructure.
    CHROME_AD = 2;
    // Devices in DEMO mode have no local owner and get their device settings
    // from the cloud. They are controlled by demo mode domain and provide
    // customized demo experience to the users.
    DEMO = 3;
  }
  // The mode the device should be locked into once registration is finished.
  // An unset field reads as ENTERPRISE.
  optional DeviceMode enrollment_type = 3 [default = ENTERPRISE];

  // An opaque configuration string for devices that require it. CHROME_AD
  // devices, for example, may use this string for AD discovery. Must be at
  // most a few kBytes.
  optional string configuration_seed = 4;

  // List of user affiliation IDs. The list is used to define if the user
  // registering for policy is affiliated on the device.
  // Only sent if DeviceRegisterRequest.Type == USER
  repeated string user_affiliation_ids = 5;

  // The unique directory api ID of the device which was generated on the
  // server-side.
  optional string directory_api_id = 6;
}

// Request from device to server to unregister device.
// GoogleDMToken MUST be in HTTP Authorization header.
message DeviceUnregisterRequest {}

// Response from server to device for unregister request.
message DeviceUnregisterResponse {}

// Request from device to server to upload a device certificate or an enrollment
// identifier.
// GoogleDMToken MUST be in HTTP Authorization header.
message DeviceCertUploadRequest {
  // The kinds of certificate that can be uploaded.
  enum CertificateType {
    // Default value for when a type is not specified.
    CERTIFICATE_TYPE_UNSPECIFIED = 0;
    // Enterprise machine certificate used for remote attestation.
    ENTERPRISE_MACHINE_CERTIFICATE = 1;
    // Enrollment certificate used to obtain an enrollment identifier.
    ENTERPRISE_ENROLLMENT_CERTIFICATE = 2;
  }

  // Certificate in X.509 format.
  optional bytes device_certificate = 1;
  // Type of certificate. If omitted, will be guessed from the other fields.
  // NOTE(review): setting it explicitly avoids relying on that guess.
  optional CertificateType certificate_type = 2;
  // Enrollment identifier if provided.
  optional bytes enrollment_id = 3;
}

// Response from server to device for cert upload request.
message DeviceCertUploadResponse {}

// Request to access a Google service with the given scope.
message DeviceServiceApiAccessRequest {
  // The list of auth scopes the device requests from DMServer.
  repeated string auth_scopes = 1;

  // OAuth2 client ID to which the returned authorization code is bound.
  optional string oauth2_client_id = 2;

  // Enumerates the consumers of the returned auth code.
  enum DeviceType {
    // Authcode will be used by Chrome OS
    // (this is typically requested during device enrollment)
    CHROME_OS = 0;
    // Authcode will be used by Android (ARC) subsystem
    // (this is typically requested during ARC Kiosk session setup)
    ANDROID_OS = 1;
    // Authcode will be used by Chrome OS Demo Mode. This auth code can be used
    // to access Google Docs.
    // Please see go/cros-demo-mode and go/demo-mode-account-brainstorm.
    CHROME_OS_DEMO_MODE = 2;
    // Authcode will be used by the enterprise-managed Chrome Browser to
    // register for policy invalidations. This is requested during enrollment.
    CHROME_BROWSER = 3;
  }

  // Device type indicates the intended use of the auth code.
  optional DeviceType device_type = 3;
}

// Response from server to API access request.
message DeviceServiceApiAccessResponse {
  // The OAuth2 authorization code for the requested scope(s).
  // This can be exchanged for a refresh token.
  // Because of that exchange it is a credential; keep it out of logs.
  optional string auth_code = 1;
}

// Device Identifier for non-Chrome OS platform.
message BrowserDeviceIdentifier {
  // Name of the computer.
  optional string computer_name = 1;
  // Device serial number (definition depending on the platform).
  optional string serial_number = 2;
}

// A request to fetch one policy of a given type. Sent as an element of
// DevicePolicyRequest.requests.
message PolicyFetchRequest {
  // Reserved field number; it must not be assigned to a new field.
  reserved 5;

  // This is the policy type, which maps to D3 policy type internally.
  // By convention, we use "/" as separator to create policy namespace.
  // The policy type names are case insensitive.
  //
  // Possible values for Chrome OS are:
  //   google/chromeos/device => ChromeDeviceSettingsProto
  //   google/chromeos/user => ChromeSettingsProto
  //   google/chromeos/publicaccount => ChromeSettingsProto
  //   google/chrome/machine-level-user => ChromeSettingsProto
  //   google/chrome/extension => ExternalPolicyData
  //   google/chrome/machine-level-extension => ExternalPolicyData
  //   google/chromeos/signinextension => ExternalPolicyData
  //   google/android/user => ChromeSettingsProto
  //   google/chromeos/remotecommand => RemoteCommand (*)
  //
  // Types marked with an (*) are not policies, but data signed with the policy
  // key. It is illegal to try to fetch policies with those types.
  optional string policy_type = 1;

  // This is the last policy timestamp that client received from server. The
  // expectation is that this field is filled by the value of
  // PolicyData.timestamp from the last policy received by the client.
  optional int64 timestamp = 2;

  // Tell server what kind of security signature is required.
  // TODO(b/147782972): Move to toplevel in sync with Chrome OS client code.
  enum SignatureType {
    // NOTE(review): presumably "no signature requested" - confirm. This is
    // also what an unset signature_type reads as.
    NONE = 0;
    // NOTE(review): SHA-1 is no longer considered collision-resistant; of the
    // options listed here SHA256_RSA is the stronger one.
    SHA1_RSA = 1;
    SHA256_RSA = 2;
  }
  // The signature type the client asks for. Defaults to NONE, so a client
  // that relies on signed policy has to set this field explicitly.
  optional SignatureType signature_type = 3 [default = NONE];

  // The version number of the public key that is currently stored
  // on the client. This should be the last number the server had
  // supplied as new_public_key_version in PolicyData.
  // This field is unspecified if the client does not yet have a
  // public key.
  optional int32 public_key_version = 4;

  // This field is used for devices to send the additional ID to fetch settings.
  // Retrieving some settings requires more than just device or user ID.
  // For example, to retrieve public account, devices need to pass in
  // public account ID in addition to device ID. To retrieve extension or
  // plug-in settings, devices need to pass in extension/plug-in ID in
  // addition to user ID.
  // policy_type represents the type of settings (e.g. public account,
  // extension) devices request to fetch.
  optional string settings_entity_id = 6;

  // If this fetch is due to a policy invalidation, this field contains the
  // version provided with the invalidation. The server interprets this value
  // and the value of invalidation_payload to fetch the up-to-date policy.
  optional int64 invalidation_version = 7;

  // If this fetch is due to a policy invalidation, this field contains the
  // payload delivered with the invalidation. The server interprets this value
  // and the value of invalidation_version to fetch the up-to-date policy.
  optional bytes invalidation_payload = 8;

  // Hash string for the chrome policy verification public key which is embedded
  // into Chrome binary. Matching private key will be used by the server
  // to sign per-domain policy keys during key rotation. If server does not
  // have the key which matches this hash string, that could indicate malicious
  // or out-of-date Chrome client.
  optional string verification_key_hash = 9;

  // Encoded information from a policy invalidation notification. This is opaque
  // to the client and should be forwarded from the invalidation notification.
  optional string policy_invalidation_info = 10;

  // Whether or not the client only supports the new PolicyData invalidation
  // topics. If true, only the policy_invalidation_topic and
  // command_invalidation_topic fields will be set in the PolicyData response.
  optional bool invalidation_topics_only = 11;

  // If this is an affiliated user, this is the device's DMToken.
  // NOTE(review): a DMToken is documented in DeviceRegisterResponse as the
  // value sent in the HTTP Authorization header; treat it as a credential.
  optional string device_dm_token = 12;

  // Device identifier for helping identify non-Chrome OS devices.
  optional BrowserDeviceIdentifier browser_device_identifier = 13;
}

// This message customizes how the device behaves when it is disabled by its
// owner. The message will be sent as part of the DeviceState fetched during
// normal operation and as part of the DeviceStateRetrievalResponse fetched when
// the device is wiped/reinstalled.
message DisabledState {
  // A message to the finder/thief that should be shown on the screen.
  // NOTE(review): server-supplied free text; presumably rendered as plain
  // text - confirm against the client.
  optional string message = 1;
}

// The state the device should be in. Carried in PolicyData.device_state.
message DeviceState {
  // Modes of operation that the device can be in.
  enum DeviceMode {
    // The device is operating normally. Sessions can be started and the device
    // can be used.
    DEVICE_MODE_NORMAL = 0;
    // The device has been disabled by its owner. The device will show a warning
    // screen and will not allow any sessions to be started.
    DEVICE_MODE_DISABLED = 1;
  }
  // The mode of operation that the device should be in.
  optional DeviceMode device_mode = 1 [default = DEVICE_MODE_NORMAL];

  // State that is relevant only when the |device_mode| is
  // |DEVICE_MODE_DISABLED|.
  optional DisabledState disabled_state = 2;
}

// The logo set by the admin for an OU. Carried in PolicyData.customer_logo.
message CustomerLogo {
  // The SCS url for the logo set by the admin for a particular OU.
  // This is in the form https://admin.googleusercontent.com/<scs_url_key>.
  // NOTE(review): presumably a client checks that the value has this form
  // before fetching it - confirm.
  optional string logo_url = 1;
}

// This message is included in serialized form in PolicyFetchResponse below. It
// may also be signed, with the signature being created for the serialized form.
// NOTE(review): the fields below are only as trustworthy as the check of
// PolicyFetchResponse.policy_data_signature; confirm that consumers verify
// the signature before reading them.
message PolicyData {
  // Reserved field number; it must not be assigned to a new field.
  reserved 10;

  // See PolicyFetchRequest.policy_type.
  optional string policy_type = 1;

  // [timestamp] is milliseconds since Epoch in UTC timezone (Java time). It is
  // included here so that the time at which the server issued this response
  // cannot be faked (as protection against replay attacks). It is the timestamp
  // generated by DMServer, NOT the time admin last updated the policy or
  // anything like that.
  optional int64 timestamp = 2;

  // The DM token that was used by the client in the HTTP POST header for
  // authenticating the request. It is included here again so that the client
  // can verify that the response is meant for them (and not issued by a replay
  // or man-in-the-middle attack).
  // Note that the existence or non-existence of the DM token is not the correct
  // way to determine whether the device is managed. Cf. |management_mode| below
  // for details.
  optional string request_token = 3;

  // The serialized value of the actual policy protobuf. This can be
  // deserialized to an instance of, for example, ChromeSettingsProto,
  // ChromeDeviceSettingsProto, or ExternalPolicyData.
  optional bytes policy_value = 4;

  // The device display name assigned by the server. It is only
  // filled if the display name is available.
  //
  // The display name of the machine as generated by the server or set
  // by the Administrator in the Admin console GUI. This is the same thing as
  // |machine_name| in DeviceRegisterResponse but it might have
  // changed since then.
  optional string machine_name = 5;

  // Version number of the server's current public key. (The key that
  // was used to sign this response. Numbering should start at 1 and be
  // increased by 1 at each key rotation.)
  optional int32 public_key_version = 6;

  // The user this policy is intended for. In case of device policy, the name
  // of the owner (who registered the device).
  optional string username = 7;

  // In this field the DMServer should echo back the "deviceid" HTTP parameter
  // from the request. This is also used for user and device local accounts ids,
  // see client_id in code.
  optional string device_id = 8;

  // Indicates which state this association with DMServer is in. This can be
  // used to tell the client that it is not receiving policy even though the
  // registration with the server is kept active.
  enum AssociationState {
    // Association is active and policy is pushed.
    ACTIVE = 0;
    // Association is alive, but the corresponding domain is not managed.
    UNMANAGED = 1;
    // The device has been deprovisioned by the administrator and is no longer
    // managed.
    DEPROVISIONED = 2;
  }
  // The state of this association. An unset field reads as ACTIVE.
  optional AssociationState state = 9 [default = ACTIVE];

  // Indicates which public account or extension/plug-in this policy data is
  // for. See PolicyFetchRequest.settings_entity_id for more details.
  optional string settings_entity_id = 11;

  // Indicates the identity the device service account is associated with.
  // This is only sent as part of device policy fetch.
  optional string service_account_identity = 12;

  // TODO(crbug/1073504): Clean up after legacy Tango shutdown.
  // The object source which hosts policy objects within the invalidation
  // service. This value is combined with invalidation_name to form the object
  // id used to register for invalidations to this policy.
  optional int32 invalidation_source = 13;

  // TODO(crbug/1073504): Clean up after legacy Tango shutdown.
  // The name which uniquely identifies this policy within the invalidation
  // service object source. This value is combined with invalidation_source to
  // form the object id used to register for invalidations to this policy.
  optional bytes invalidation_name = 14;

  // Server-provided identifier of the fetched policy. This is to be used
  // by the client when requesting Policy Posture assertion through an API
  // call or SAML flow. For details, see http://go/chrome-nac-server-design.
  optional string policy_token = 15;

  // Indicates the management mode of the device. Note that old policies do not
  // have this field. If this field is not set but request_token is set, assume
  // the management mode is ENTERPRISE_MANAGED. If both this field and
  // request_token are not set, assume the management mode is LOCAL_OWNER.
  enum ManagementMode {
    // The device is owned locally. The policies are set by the local owner of
    // the device.
    LOCAL_OWNER = 0;
    // The device is enterprise-managed (either via DM server or through Active
    // Directory). See the comment above for backward compatibility.
    ENTERPRISE_MANAGED = 1;
    // Obsolete. Don't use.
    OBSOLETE_CONSUMER_MANAGED = 2;
  }
  // The management mode. It has no default: readers must check whether the
  // field is set and apply the fallback rules given on ManagementMode.
  optional ManagementMode management_mode = 16;

  // Indicates the state that the device should be in.
  optional DeviceState device_state = 17;

  // TODO(crbug/1073504): Clean up after legacy Tango shutdown.
  // The object source which hosts command queue objects within the
  // invalidation service. This value is combined with
  // command_invalidation_name to form the object ID used to
  // register for invalidations to the command queue.
  optional int32 command_invalidation_source = 18;

  // TODO(crbug/1073504): Clean up after legacy Tango shutdown.
  // The name which uniquely identifies this device's queue within
  // the invalidation service object source. This value is combined
  // with command_invalidation_source to form the object ID used to
  // register for invalidations to the command queue.
  optional bytes command_invalidation_name = 19;

  // The free-text location info the admin enters to associate the device
  // with a location.
  optional string annotated_location = 20;

  // The free-text asset identifier the admin enters to associate the device
  // with a user-generated identifier.
  optional string annotated_asset_id = 21;

  // The unique directory api ID of the device which was generated on the
  // server-side.
  optional string directory_api_id = 22;

  // List of device affiliation IDs. If there exists an overlap between user
  // affiliation IDs and device affiliation IDs, we consider that the user is
  // affiliated on the device. Otherwise the user is not affiliated on the
  // device. Should be fetched with device policy. Ignored if fetched with
  // other policies.
  repeated string device_affiliation_ids = 23;

  // List of user affiliation IDs. The list is used to define if current user
  // is affiliated on the device. See device_affiliation_ids for details.
  // Should be fetched with user policy. Ignored if fetched with other policies.
  repeated string user_affiliation_ids = 24;

  // Used as the display domain when the primary domain gets renamed. This field
  // is present only for device policies.
  optional string display_domain = 25;

  // Invalidation topic for devices. Clients register for FCM messages using
  // this topic in order to receive notifications for device policy changes.
  optional string policy_invalidation_topic = 26;

  // Invalidation topic for commands. Clients register for FCM messages using
  // this topic in order to receive notifications that one or more commands are
  // available for execution.
  optional string command_invalidation_topic = 27;

  // Whether the device needs to upload an enrollment identifier to the cloud.
  // TODO(b/136188860) migrates to enrollment_certificate_needed under
  // client_action_required.
  optional bool enrollment_id_needed = 28;

  // Gaia id of the user the policy is intended for.
  // Should be fetched with user policy.
  optional string gaia_id = 29;

  // Indicate this device's market segment.
  enum MarketSegment {
    MARKET_SEGMENT_UNSPECIFIED = 0;
    ENROLLED_EDUCATION = 1;
    ENROLLED_ENTERPRISE = 2;
  }

  // This field should only be set for Device Policy response.
  // See go/cros-rlz-segments
  optional MarketSegment market_segment = 30;

  // This field is currently only set for Device Policy response.
  // This represents the logo set by the admin for the OU that the device
  // belongs to. This is domain metadata included in a device policy response,
  // but it is not an explicit device policy.
  optional CustomerLogo customer_logo = 31;

  // b/129771193
  // This setting is from SingleSignOnSettingsProto#change_password_uri
  // http://google3/ccc/hosted/policies/services/common/sso_settings.proto?l=48&rcl=241246111
  // This field is currently only set for User Policy response.
  // NOTE(review): this is a server-supplied URI for a password change flow;
  // presumably the client validates it before navigating - confirm.
  optional string change_password_uri = 32;

  // This field is used for asking client to perform some actions. For instance,
  // server asks client to re-upload enrollment certificate. In long term, new
  // added field which asks client to perform an action in policy data should be
  // put in ClientActionRequired message.
  optional ClientActionRequired client_action_required = 33;

  // Obfuscated customerId the device is enrolled into.
  // Only set for device policy.
  optional string obfuscated_customer_id = 34;

  // The different types of user segments for metrics logging.
  enum MetricsLogSegment {
    UNSPECIFIED = 0;
    K12 = 1;
    UNIVERSITY = 2;
    NONPROFIT = 3;
    ENTERPRISE = 4;
  }

  // Indicates the segment the user's metrics should be logged under,
  // UNSPECIFIED if not relevant.
  // This field should only be set for User Policy response.
  optional MetricsLogSegment metrics_log_segment = 35;

  // This field will be populated with primary domain name for domain verified
  // customer, and primary admin email for domainless customer. The client side
  // will use this field to display who manages this device/browser/user.
  optional string managed_by = 36;
}

// Actions the server asks the client to perform. Carried in
// PolicyData.client_action_required.
message ClientActionRequired {
  // Whether device needs to upload an enterprise enrollment certificate to
  // cloud.
  optional bool enrollment_certificate_needed = 1;
}

// The result of one policy fetch. Sent as an element of
// DevicePolicyResponse.responses.
// Only |policy_data| is covered by |policy_data_signature|; the other fields
// of this message sit outside that signature.
message PolicyFetchResponse {
  // Since a single policy request may ask for multiple policies, DM server
  // provides separate error codes (making use of standard HTTP Status Codes)
  // for each individual policy fetch.
  optional int32 error_code = 1;

  // Human readable error message for customer support purpose.
  optional string error_message = 2;

  // This is a serialized |PolicyData| protobuf (defined above).
  optional bytes policy_data = 3;

  // Signature of the policy data above.
  optional bytes policy_data_signature = 4;

  // If the public key has been rotated on the server, the new public
  // key is sent here. It is already used for |policy_data_signature|
  // above, whereas |new_public_key_signature| is created using the
  // old key (so the client can trust the new key). If this is the
  // first time when the client requests policies (so it doesn't have
  // an old public key), then |new_public_key_signature| is empty.
  optional bytes new_public_key = 5;
  // Signature of |new_public_key| created with the old key; empty when the
  // client has no old key (see the comment on |new_public_key|).
  optional bytes new_public_key_signature = 6;

  // DEPRECATED: Exists only to support older clients. This signature is similar
  // to new_public_key_verification_data_signature, but is computed over
  // DEPRECATEDPolicyPublicKeyAndDomain (which is equivalent to
  // PublicKeyVerificationData proto with version field unset).
  optional bytes new_public_key_verification_signature_deprecated = 7
      [deprecated = true];

  // This is a serialized |PublicKeyVerificationData| protobuf (defined
  // below). See comments for |new_public_key_verification_data_signature| field
  // for details on how this data is signed.
  // Please note that |new_public_key| is also included inside this data
  // field. Thus we have new public key signed with old version of private key
  // (if client indicated to us that it has old key version), and
  // new public key data signed by master verification key (if client told
  // us that it has public verification key - see |verification_key_hash| field
  // of |PolicyFetchRequest|). In most cases, both signatures will be provided.
  // However, client might not have old policy signing key - for example, when
  // new profile is being set up. In this case, only verification signature
  // is supplied.
  // Or, client might not have verification public key (legacy Chrome build
  // before verification key was introduced, or outdated build which has
  // old/compromised verification key). In that case, verification signature
  // cannot be provided.
  // If client is missing both public keys (old signing key and verification
  // key), then we are unable to produce any valid signature and client must
  // drop such PolicyFetchResponse.
  optional bytes new_public_key_verification_data = 8;

  // If new_public_key is specified, this field contains the signature of a
  // PublicKeyVerificationData protobuf, signed using a key only available to
  // DMServer. The public key portion of this well-known key is embedded into
  // the Chrome binary. The hash of that embedded key is passed to DMServer as
  // verification_key_hash field in PolicyFetchRequest. DMServer picks a private
  // key on the server which matches the hash (matches public key on the
  // client). If DMServer is unable to find matching key, it returns an error
  // instead of policy data. In case a hash was not specified, DMServer leaves
  // the verification signature field empty (legacy behavior).
  // This signature is provided to better protect first key delivery (since the
  // browser does not possess the previous signing key, DMServer cannot compute
  // new_public_key_signature).
  // See http://go/chrome-nac-server-design for more information.
  optional bytes new_public_key_verification_data_signature = 9;

  // DEPRECATED! Client-side should verify and rely on the policy_type inside
  // the signed policy_data.
  optional string policy_type = 10 [deprecated = true];

  // The type of signature used to generate policy_data_signature.
  // NOTE(review): this field is outside |policy_data| and so is not covered
  // by the signature it describes; presumably the client compares it with
  // the signature_type it requested - confirm.
  optional PolicyFetchRequest.SignatureType policy_data_signature_type = 11;
}

// DEPRECATED: Protobuf used to generate the deprecated
// new_public_key_verification_signature_deprecated field.
message DEPRECATEDPolicyPublicKeyAndDomain {
  // The public key to sign (taken from the |new_public_key| field in
  // PolicyFetchResponse).
  optional bytes new_public_key = 1;

  // The domain associated with this key (should match the domain portion of the
  // username field of the policy).
  optional string domain = 2;
}

// This message contains the information which is signed by the verification key
// during policy key rotation. It is included in serialized form in
// PolicyFetchResponse above. A signature of the serialized form is included in
// the new_public_key_verification_data_signature field.
message PublicKeyVerificationData {
  // The new public policy key after a key rotation.
  optional bytes new_public_key = 1;

  // The domain of the device/user.
  optional string domain = 2;

  // The version number of the new_public_key. This must be monotonically
  // increasing (within a domain).
  // NOTE(review): presumably a client refuses a version lower than the one
  // it already stores, so an old key cannot be reinstated - confirm.
  optional int32 new_public_key_version = 3;
}

// Request from device to server for reading policies.
message DevicePolicyRequest {
  // The policy fetch requests. If this field exists, the requests must come
  // from a non-TT client. The repeated field allows clients to request
  // multiple policies for better performance.
  repeated PolicyFetchRequest requests = 3;
}

// Response from server to device for reading policies.
message DevicePolicyResponse {
  // The policy fetch responses.
  repeated PolicyFetchResponse responses = 3;
}

message TimePeriod {
  // [timestamp] is milliseconds since Epoch in UTC timezone (Java time).
821 optional int64 start_timestamp = 1; 822 optional int64 end_timestamp = 2; 823} 824 825message ActiveTimePeriod { 826 optional TimePeriod time_period = 1; 827 828 // The active duration during the above time period. 829 // The unit is milli-second. 830 optional int32 active_duration = 2; 831 832 // Email address of the active user. Present only if the user type is managed 833 // and affiliated. 834 optional string user_email = 3; 835} 836 837// Details about a network interface. 838message NetworkInterface { 839 // Indicates the type of network device. 840 enum NetworkDeviceType { 841 reserved 2; 842 843 TYPE_ETHERNET = 0; 844 TYPE_WIFI = 1; 845 TYPE_BLUETOOTH = 3; 846 TYPE_CELLULAR = 4; 847 } 848 849 // Network device type. 850 optional NetworkDeviceType type = 1; 851 852 // MAC address (if applicable) of the corresponding network device. This is 853 // formatted as an ASCII string with 12 hex digits. Example: A0B1C2D3E4F5. 854 optional string mac_address = 2; 855 856 // MEID (if applicable) of the corresponding network device. Formatted as 857 // ASCII string composed of 14 hex digits. Example: A10000009296F2. 858 optional string meid = 3; 859 860 // IMEI (if applicable) of the corresponding network device. 15-16 decimal 861 // digits encoded as ASCII string. Example: 355402040158759. 862 optional string imei = 4; 863 864 // The device path associated with this network interface. 865 optional string device_path = 5; 866} 867 868// Information about configured/visible networks - this is separate from 869// NetworkInterface because a configured network may not be associated with 870// any specific interface, or may be visible across multiple interfaces. 871message NetworkState { 872 // The current state of this network. 873 // CARRIER (1), DISCONNECT (8) and ACTIVATION_FAILURE (10) are not used by the 874 // client. 
875 enum ConnectionState { 876 IDLE = 0; 877 CARRIER = 1; 878 ASSOCIATION = 2; 879 CONFIGURATION = 3; 880 READY = 4; 881 PORTAL = 5; 882 OFFLINE = 6; 883 ONLINE = 7; 884 DISCONNECT = 8; 885 FAILURE = 9; 886 ACTIVATION_FAILURE = 10; 887 UNKNOWN = 11; 888 } 889 890 // For networks associated with a device, the path of the device. 891 optional string device_path = 1; 892 893 // Current state of this connection as reported by shill. 894 optional ConnectionState connection_state = 2; 895 896 // For wireless networks, the signal_strength in dBm. 897 optional int32 signal_strength = 3; 898 899 // The IP address this interface is bound to, if any. 900 optional string ip_address = 4; 901 902 // The gateway IP for this interface, if any. 903 optional string gateway = 5; 904} 905 906// Details about a device user. 907message DeviceUser { 908 // Types of device users which can be reported. 909 enum UserType { 910 // A user managed by the same domain as the device. 911 USER_TYPE_MANAGED = 0; 912 913 // A user not managed by the same domain as the device. 914 USER_TYPE_UNMANAGED = 1; 915 } 916 917 // The type of the user. 918 required UserType type = 1; 919 920 // Email address of the user. Present only if the user type is managed. 921 optional string email = 2; 922} 923 924// Information about a single disk volume. 925message VolumeInfo { 926 optional string volume_id = 1; 927 928 // The unit is bytes. 929 optional int64 storage_total = 2; 930 optional int64 storage_free = 3; 931} 932 933// Information about a single CPU utilization. 934message CpuUtilizationInfo { 935 // CPU utilization (0-100). 936 optional int32 cpu_utilization_pct = 1; 937 // The timestamp representing time at which the information was collected. 938 // [timestamp] is milliseconds since Epoch in UTC timezone (Java time). 939 optional int64 timestamp = 2; 940} 941 942// Information about a single free RAM. 943message SystemFreeRamInfo { 944 // Free RAM [in bytes] (unreliable due to GC). 
945 optional int64 size_in_bytes = 1; 946 // The timestamp representing time at which the information was collected. 947 // [timestamp] is milliseconds since Epoch in UTC timezone (Java time). 948 optional int64 timestamp = 2; 949} 950 951// Information about a single CPU temperature channel. 952message CPUTempInfo { 953 // Temperature channel label. 954 optional string cpu_label = 1; 955 // CPU temperature in Celsius. 956 optional int32 cpu_temp = 2; 957 // Unix timestamp. 958 optional int64 timestamp = 3; 959} 960 961// Contains the Stateful Partition Information for user data storage in the 962// device. 963message StatefulPartitionInfo { 964 // Available space for user data storage in the device in bytes. 965 optional int64 available_space = 1; 966 // Total space for user data storage in the device in bytes. 967 optional int64 total_space = 2; 968} 969 970// Chrome release channel, shared for different reports. 971enum Channel { 972 CHANNEL_UNKNOWN = 0; 973 CHANNEL_CANARY = 1; 974 CHANNEL_DEV = 2; 975 CHANNEL_BETA = 3; 976 CHANNEL_STABLE = 4; 977} 978 979// Frequently changing data for battery. 980message BatterySample { 981 optional int64 timestamp = 1; 982 // Battery voltage 983 optional int64 voltage = 2; 984 // Battery remaining capacity (mA-hours) 985 optional int64 remaining_capacity = 3; 986 // Temperature in Celsius. 987 optional int32 temperature = 4; 988 // The battery discharge rate measured in mW. Positive if the battery is being 989 // discharged, negative if it's being charged. 
990 optional int32 discharge_rate = 5; 991 // Battery charge percentage 992 optional int32 charge_rate = 6; 993 // Battery current (mA) 994 optional int64 current = 7; 995 // Battery status read from sysfs 996 optional string status = 8; 997} 998 999// Status of the single battery 1000message BatteryInfo { 1001 optional string serial = 1; 1002 optional string manufacturer = 2; 1003 optional string battery_health = 3; 1004 // Design capacity (mA-hours) 1005 optional int64 design_capacity = 4; 1006 // Full charge capacity (mA-hours) 1007 optional int64 full_charge_capacity = 5; 1008 optional int32 cycle_count = 6; 1009 // Last sampling data. 1010 repeated BatterySample samples = 7; 1011 // Designed minimum output voltage (mV) 1012 optional int32 design_min_voltage = 9; 1013 // The date the battery was manufactured in yyyy-mm-dd format. 1014 optional string manufacture_date = 10; 1015 // Technology of the battery. 1016 optional string technology = 11; 1017} 1018 1019// Status of the power subsystem 1020message PowerStatus { 1021 enum PowerSource { 1022 POWER_UNKNOWN = 0; 1023 POWER_AC = 1; 1024 POWER_BATTERY = 2; 1025 } 1026 optional PowerSource power_source = 1; 1027 repeated BatteryInfo batteries = 2; 1028} 1029 1030// LifeTime estimation for eMMC devices 1031message DiskLifetimeEstimation { 1032 // Lifetime estimations for SLC and MLC areas of eMMC. 1033 // Values range from 00h to 0Bh -- indicating the percentage of device 1034 // lifetime used. 1035 optional int32 slc = 1; 1036 optional int32 mlc = 2; 1037} 1038 1039// Status of the single storage device 1040// Next id: 27 1041message DiskInfo { 1042 optional string serial = 1; 1043 optional string manufacturer = 2; 1044 optional string model = 3; 1045 // Size in bytes 1046 optional int64 size = 4; 1047 // eMMC / NVMe / ATA / SCSI. 1048 optional string type = 5; 1049 optional string health = 6; 1050 // volume_id for volumes on this disk. 
1051 repeated string volumes = 7; 1052 // Read/write statistics for this disk. 1053 optional uint64 bytes_read_since_last_boot = 8; 1054 optional uint64 bytes_written_since_last_boot = 9; 1055 optional uint64 read_time_seconds_since_last_boot = 10; 1056 optional uint64 write_time_seconds_since_last_boot = 11; 1057 // Counts the time the disk and queue were busy, so unlike the fields above, 1058 // parallel requests are not counted multiple times. 1059 optional uint64 io_time_seconds_since_last_boot = 12; 1060 // Time spent discarding since last boot. Discarding is writing to clear 1061 // blocks which are no longer in use. Supported on kernels 4.18+. 1062 optional uint64 discard_time_seconds_since_last_boot = 13; 1063 1064 // The manufacturer of the block device. 1065 oneof vendor_id { 1066 // NVME vendors: 1067 // https://pcisig.com/membership/member-companies 1068 uint32 nvme_subsystem_vendor = 14; 1069 // EMMC oemids 1070 // https://screenshot.googleplex.com/eZWNnV8qGnc 1071 uint32 emmc_oemid = 15; 1072 uint32 other_vendor = 16; 1073 } 1074 1075 // The manufacturer-specific product identifier. 1076 oneof product_id { 1077 uint32 nvme_subsystem_device = 17; 1078 uint32 emmc_pnm = 18; 1079 uint32 other_product = 19; 1080 } 1081 1082 // The revision of the device's hardware. 1083 oneof hardware_revision { 1084 uint32 nvme_hardware_rev = 20; 1085 uint32 emmc_hardware_rev = 21; 1086 uint32 other_hardware_rev = 22; 1087 } 1088 1089 // The revision of the device's firmware. 1090 oneof firmware_revision { 1091 uint64 nvme_firmware_rev = 23; 1092 uint64 emmc_firmware_rev = 24; 1093 uint32 other_firmware_rev = 25; 1094 } 1095 1096 // The purpose of the device on the system. 1097 enum DevicePurpose { 1098 PURPOSE_UNKNOWN = 0; 1099 PURPOSE_BOOT = 1; 1100 PURPOSE_SWAP = 2; 1101 } 1102 optional DevicePurpose purpose = 26; 1103} 1104 1105// Status of the storage subsystem. 
message StorageStatus {
  // One entry per storage device.
  repeated DiskInfo disks = 1;
  // Lifetime estimation; DiskLifetimeEstimation documents it as eMMC-specific.
  optional DiskLifetimeEstimation lifetime_estimation = 2;
}

// Sampling for single temperature measurements
message ThermalSample {
  // NOTE(review): unit and epoch are not stated; most other timestamps in this
  // file are documented as milliseconds since Epoch — TODO confirm.
  optional int64 timestamp = 1;
  // NOTE(review): unit not stated; BatterySample and CPUTempInfo report
  // temperatures in Celsius — TODO confirm.
  optional int32 temperature = 2;
}

// Temperature measurement series for thermal point.
message ThermalInfo {
  reserved 2;
  // Label of the thermal point the samples belong to.
  optional string label = 1;
  repeated ThermalSample samples = 3;
}

// Status for various on-board components
message BoardStatus {
  repeated ThermalInfo thermal_infos = 1;
}

// Status about a system's various elements.
// NOTE(review): |vpd_serial_number| identifies the individual device; reports
// carrying it deserve the same care as other device-identifying data.
message SystemStatus {
  // The product SKU (stock keeping unit) number.
  optional string vpd_sku_number = 1;
  // The date the device was first activated.
  // Format: YYYY-WW.
  optional string first_power_date = 2;
  // The date the device was manufactured (finalized in factory).
  // Format: YYYY-MM-DD.
  optional string manufacture_date = 3;
  // Contents of CrosConfig in /arc/build-properties/marketing-name. E.g. "HP
  // Chromebook x360 14"
  optional string marketing_name = 4;
  // The BIOS version. E.g. "Google_Sarien.12200.58.0"
  optional string bios_version = 5;
  // The product name of the motherboard. E.g. "Sarien"
  optional string board_name = 6;
  // The version of the motherboard. E.g. "rev16"
  optional string board_version = 7;
  // The chassis type of the device. The values reported by chassis type are
  // mapped in
  // www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.0.0.pdf.
  // E.g. "9"
  // NOTE(review): the example is written as a quoted string, but the field is
  // numeric (uint64).
  optional uint64 chassis_type = 8;
  // The product name (model) of the system. E.g. "Sarien"
  optional string product_name = 9;
  // The product serial number.
  optional string vpd_serial_number = 10;
}

// Status of a single C-state. C-states are various modes the CPU can transition
// to in order to use more or less power.
message CpuCStateInfo {
  // Name of the state.
  optional string name = 1;
  // Time spent in the state since the last reboot, in microseconds.
  optional uint64 time_in_state_since_last_boot_us = 2;
}

// Status of a single logical CPU.
message LogicalCpuInfo {
  // Maximum frequency the CPU is allowed to run at, by policy.
  optional uint32 scaling_max_frequency_khz = 1;
  // Current frequency the CPU is running at.
  optional uint32 scaling_current_frequency_khz = 2;
  // Idle time since last boot.
  optional uint32 idle_time_seconds = 3;
  // Information about the logical CPU's time in various C-states.
  repeated CpuCStateInfo c_states = 4;
}

// Status of a single physical CPU on the device.
message CpuInfo {
  // The CPU model name.
  optional string model_name = 1;

  // The CPU architecture.
  enum Architecture {
    ARCHITECTURE_UNSPECIFIED = 0;
    X86_64 = 1;
    AARCH64 = 2;
    ARMV7L = 3;
  }
  optional Architecture architecture = 2;

  // The max CPU clock speed in kHz.
  optional uint32 max_clock_speed_khz = 3;

  // The logical CPUs belonging to this physical CPU.
  repeated LogicalCpuInfo logical_cpus = 4;
}

// Overall CPU information for the device.
message GlobalCpuInfo {
  // Total number of threads on the device.
  optional uint32 num_total_threads = 1;
}

// Status for a single display. A display screen with resolution 1920x1080
// would have resolution_width: 1920 and resolution_height: 1080.
message DisplayInfo {
  // Resolution width
  optional uint32 resolution_width = 1;
  // Resolution height
  optional uint32 resolution_height = 2;
  // Refresh rate (Hz)
  optional uint32 refresh_rate = 3;
  // Set to true if display is internal, otherwise set to false.
  optional bool is_internal = 4;
}

// Status of a single graphics adapter (GPU).
message GraphicsAdapterInfo {
  // Adapter name. Example: Mesa DRI Intel(R) UHD Graphics 620 (Kabylake GT2)
  optional string name = 1;
  // Driver version
  optional string driver_version = 2;
  // Represents the graphics card device id
  optional uint64 device_id = 3;
  // GPU consumption of system RAM (bytes)
  optional uint64 system_ram_usage = 4;
}

// Status of the graphics subsystem.
message GraphicsStatus {
  optional GraphicsAdapterInfo adapter = 1;
  repeated DisplayInfo displays = 2;
}

// Status of a crash report.
message CrashReportInfo {
  // The status options should align with crash_reporter::ReportUploadState.
  enum CrashReportUploadStatus {
    UPLOAD_STATUS_UNKNOWN = 0;
    UPLOAD_STATUS_NOT_UPLOADED = 1;
    UPLOAD_STATUS_PENDING = 2;
    UPLOAD_STATUS_PENDING_USER_REQUESTED = 3;
    UPLOAD_STATUS_UPLOADED = 4;
  }

  // ID as provided by chrome://crashes.
  optional string remote_id = 1;

  // The timestamp when the crash is captured.
  // [timestamp] is milliseconds since Epoch in UTC timezone (Java time).
  optional int64 capture_timestamp = 2;

  // Human readable string that identifies what caused the crash.
  optional string cause = 3;

  // The upload status of crash report.
  optional CrashReportUploadStatus upload_status = 4;
}

// Timezone information for the device. This reflects the timezone that is set
// on the device, not necessarily the actual location of the device.
message TimezoneInfo {
  // The timezone of the device in POSIX standard. (MST7MDT,M3.2.0,M11.1.0)
  optional string posix = 1;
  // The timezone region of the device in the Olson format (America/Denver).
  optional string region = 2;
}

// Memory information for the device.
message MemoryInfo {
  // Total memory, in KiB.
  optional uint32 total_memory_kib = 1;
  // Free memory, in KiB.
  optional uint32 free_memory_kib = 2;
  // Available memory, in KiB.
  optional uint32 available_memory_kib = 3;
  // Number of page faults since the last boot.
  optional uint32 page_faults_since_last_boot = 4;
}

// Information about the device's backlights.
message BacklightInfo {
  // Path to this backlight on the system. Useful if the caller needs to
  // correlate with other information.
  optional string path = 1;
  // Maximum brightness for the backlight.
  optional uint32 max_brightness = 2;
  // Current brightness of the backlight, between 0 and max_brightness.
  optional uint32 brightness = 3;
}

// Information about the device's fan.
message FanInfo {
  // Fan speed in RPM.
  optional uint32 speed_rpm = 1;
}

// Information about a device's Bluetooth adapter, which is used to detect and
// connect to Bluetooth devices.
message BluetoothAdapterInfo {
  // The name of the adapter.
  optional string name = 1;
  // The MAC address of the adapter.
  optional string address = 2;
  // Indicates whether the adapter is on or off.
  optional bool powered = 3;
  // The number of devices connected to this adapter.
  optional uint32 num_connected_devices = 4;
}

// Report device level status.
//
// NOTE(review): |boot_mode|, |write_protect_switch| and the TPM fields are
// values the device reports about itself, and nothing in this message signs or
// attests them. Presumably a server that uses them as a trust signal relies on
// authentication of the enclosing request — confirm before treating them as
// evidence of device integrity.
message DeviceStatusReportRequest {
  reserved 4, 7, 13, 20;

  // The OS version reported by the device is a platform version
  // e.g. 1435.0.2011_12_16_1635.
  optional string os_version = 1;
  optional string firmware_version = 2;

  // "Verified", "Dev". Same as verified mode.
  // If the mode is unknown, this field should not be set.
  optional string boot_mode = 3;

  // The browser version string as shown in the About dialog.
  // e.g. 17.0.963.18.
  optional string browser_version = 5;

  // A list of periods when the device was active, aggregated by day by user.
  repeated ActiveTimePeriod active_periods = 6;

  // List of network interfaces.
  repeated NetworkInterface network_interfaces = 8;

  // List of recent device users, in descending order by last login time.
  repeated DeviceUser users = 9;

  // Disk space + other info about mounted/connected volumes.
  repeated VolumeInfo volume_infos = 10;

  // List of visible/configured networks
  repeated NetworkState network_states = 11;

  // Samples of CPU utilization (0-100), sampled once every 120 seconds.
  // To deprecate: Use CpuUtilizationInfo instead.
  repeated int32 cpu_utilization_pct_samples = 12;

  // Total RAM on the device.
  // To deprecate: Use SystemFreeRamInfo instead.
  // NOTE(review): SystemFreeRamInfo carries free RAM, which matches
  // |system_ram_free_samples| below rather than this total — confirm which
  // field the deprecation remark is meant for.
  optional int64 system_ram_total = 14;

  // Samples of free RAM [in bytes] (unreliable due to GC).
  repeated int64 system_ram_free_samples = 15;

  // Samples of CPU temperatures in Celsius, plus associated labels
  // identifying which CPU produced the temperature measurement.
  repeated CPUTempInfo cpu_temp_infos = 16;

  // This field is set only when an OS update is needed because of the required
  // platform version of an updated kiosk app is different from the current
  // OS version.
  optional OsUpdateStatus os_update_status = 17;

  // Set only when there is an auto launched with zero delay Chrome or ARC kiosk
  // app and it is currently running. Otherwise, this field is empty.
  optional AppStatus running_kiosk_app = 18;

  // Sound output volume level in range [0,100].
  optional int32 sound_volume = 19;

  // TPM version information.
  optional TpmVersionInfo tpm_version_info = 21;

  // Release channel (stable, beta, etc.).
  optional Channel channel = 22;

  // TPM status information.
  optional TpmStatusInfo tpm_status_info = 23;

  // Whether hardware write protect switch is on.
  optional bool write_protect_switch = 24;

  // Status of the power subsystem.
  optional PowerStatus power_status = 25;

  // Status of the storage subsystem.
  optional StorageStatus storage_status = 26;

  // Status of various main board components.
  optional BoardStatus board_status = 27;

  // Information about a system's various non-hardware elements. This includes
  // information from cached VPD, CrosConfig, and DMI.
  optional SystemStatus system_status = 28;

  // Stateful Partition Information for user data.
  optional StatefulPartitionInfo stateful_partition_info = 29;

  // Samples of CPU utilization (0-100), sampled once every 120 seconds.
  repeated CpuUtilizationInfo cpu_utilization_infos = 30;

  // Samples of free RAM [in bytes] (unreliable due to GC).
  repeated SystemFreeRamInfo system_ram_free_infos = 31;

  // Information about a devices physical CPU(s).
  repeated CpuInfo cpu_info = 32;

  // Status of the graphics adapter(s) and display(s).
  optional GraphicsStatus graphics_status = 33;

  // Information about the crash report(s) generated from the local device.
  repeated CrashReportInfo crash_report_infos = 34;

  // Information of the device's current timezone.
  optional TimezoneInfo timezone_info = 35;

  // Information about the device's memory.
  optional MemoryInfo memory_info = 36;

  // Information about the device's backlights.
  repeated BacklightInfo backlight_info = 37;

  // Information about the device's fans.
  repeated FanInfo fan_info = 38;

  // Overall information about the device's CPUs.
  optional GlobalCpuInfo global_cpu_info = 39;

  // Information about the device's Bluetooth adapters.
  repeated BluetoothAdapterInfo bluetooth_adapter_info = 40;
}

// State of a pending OS update. Reported through
// DeviceStatusReportRequest.os_update_status.
message OsUpdateStatus {
  enum UpdateStatus {
    OS_UP_TO_DATE = 0;
    OS_IMAGE_DOWNLOAD_NOT_STARTED = 1;
    OS_IMAGE_DOWNLOAD_IN_PROGRESS = 2;
    OS_UPDATE_NEED_REBOOT = 3;
  }

  optional UpdateStatus update_status = 1;

  // New platform version of the os image being downloaded and applied. It
  // is only set when update status is OS_IMAGE_DOWNLOAD_IN_PROGRESS or
  // OS_UPDATE_NEED_REBOOT. Note this could be a dummy "0.0.0.0" for
  // OS_UPDATE_NEED_REBOOT status for some edge cases, e.g. update engine is
  // restarted without a reboot.
  optional string new_platform_version = 2;

  // New required platform version from the pending updated kiosk app.
  optional string new_required_platform_version = 3;

  // The timestamp of the last update check.
  // [timestamp] is milliseconds since Epoch in UTC timezone (Java time).
  optional int64 last_checked_timestamp = 4;

  // The timestamp of the last reboot.
  // [timestamp] is milliseconds since Epoch in UTC timezone (Java time).
  optional int64 last_reboot_timestamp = 5;
}

// Provides status information for an installed app/extension.
message AppStatus {
  // ID of the installed app/extension for a Chrome app.
  // Package name for ARC kiosk app.
  optional string app_id = 1;

  // Currently installed version of the app for a Chrome app.
  // Empty for ARC kiosk app.
  optional string extension_version = 2;

  // Self-reported status summary (via chrome.reporting APIs)
  optional string status = 3;

  // If true, the application is currently in a self-reported error state.
  optional bool error = 4;

  // App required Chrome version, specified in app’s manifest file.
  // Empty for ARC kiosk app.
  optional string required_platform_version = 5;
}

// Provides all application types information.
// NOTE(review): field number 6 is neither used nor reserved in this message —
// confirm whether a field was deleted and the number should be reserved.
message AppInfo {
  enum AppType {
    TYPE_UNKNOWN = 0;
    TYPE_ARC = 1;        // Android app.
    TYPE_BUILTIN = 2;    // Built-in app.
    TYPE_CROSTINI = 3;   // Linux (via Crostini) app.
    TYPE_EXTENSION = 4;  // Extension-backed app.
    TYPE_WEB = 5;        // Web app.
    TYPE_PLUGINVM = 6;   // Plugin VM app.
    TYPE_BOREALIS = 7;   // Borealis app.
  }

  enum Status {
    STATUS_UNKNOWN = 0;
    STATUS_INSTALLED = 1;    // Installed and launchable.
    STATUS_DISABLED = 2;     // Disabled or terminated.
    STATUS_UNINSTALLED = 3;  // Uninstalled by user.
  }

  // ID of the application as defined by the OS, except for web apps, where it
  // is the start url.
  optional string app_id = 1;

  // Type of application (Chrome native, extension, Crostini, web app).
  optional AppType app_type = 2;

  // Name of the application as defined by the OS.
  optional string app_name = 3;

  // Identify if the app is installed, disabled, or uninstalled.
  optional Status status = 4;

  // The time the app was installed, if available.
  // NOTE(review): unit and epoch are not stated; most other timestamps in this
  // file are documented as milliseconds since Epoch — TODO confirm.
  optional int64 install_time = 5;

  // Version of the application, if applicable.
  optional string version = 7;

  // A list of time periods when the app was active. These times are aggregated
  // per day, are pruned on the device after reporting successfully, and are
  // stored only for 30 days in the past.
  repeated TimePeriod active_time_periods = 8;
}

// LINT.IfChange
// Provides Android application permission.
message AndroidAppPermission {
  // Name of application permission.
  optional string name = 1;

  // Identify whether the application permission is granted.
  optional bool granted = 2;

  // Identify whether the application permission is managed.
  optional bool managed = 3;
}

// Provides Android application information.
message AndroidAppInfo {
  enum AndroidAppStatus {
    STATUS_UNKNOWN = 0;
    STATUS_ENABLED = 1;
    STATUS_SUSPENDED = 2;
    STATUS_DISABLED = 3;
  }

  enum InstalledSource {
    SOURCE_UNKNOWN = 0;
    SOURCE_BY_ADMIN = 1;
    SOURCE_BY_USER = 2;
    SOURCE_NOT_INSTALLED = 3;
  }

  // ID of the Android application.
  optional string app_id = 1;

  // Name of the Android application.
  optional string app_name = 2;

  // Name of the Android application package.
  optional string package_name = 3;

  // Status of the Android application. It is set as STATUS_SUSPENDED if the
  // application is suspended by specific policies.
  optional AndroidAppStatus status = 4;

  // Identify how the Android application is installed.
  optional InstalledSource installed_source = 5;

  // Package version of the Android application.
  optional int32 version = 6;

  // Permissions of the Android application.
  repeated AndroidAppPermission permissions = 7;
}
// LINT.ThenChange(//depot/google3/java/com/google/chrome/cros/spanner/devicemanagement/schema/chrome_os.proto)

// Chrome user profile level status.
// Deprecated : Use ChromeUserProfileInfo instead.
//
// NOTE(review): several fields below carry JSON text inside a plain string.
// The schema does not constrain that content, so a consumer has to validate it
// when parsing rather than assume a shape.
message ChromeUserProfileReport {
  // A string to uniquely identify this profile within the browser.
  optional string id = 1;
  // A JSON encoded string containing both the “email” and “id” (obfuscated
  // GaiaID) of the user signed in to the Chrome browser, if any.
  optional string chrome_signed_in_user = 2;
  // The list of extensions installed in the browser. This string contains
  // the json encoded data as returned by the chrome.management.getAll() API.
  optional string extension_data = 3;
  // The list of plugins installed in the browser, one plugin name per repeated
  // string. This string contains the JSON encoded data as returned by
  // the navigator.plugins .
  // NOTE(review): the comment speaks of a repeated string, but the field is a
  // single optional string — confirm which description is current.
  optional string plugins = 4;
  // The list of browser policies set for this user profile and their sources.
  // This string contains the json encoded data as generated by the
  // chrome://policy page “Export to JSON” button.
  optional string policy_data = 5;
  // The last time the user level policies were fetched.
  // [policy_fetched_timestamp] is milliseconds since Epoch in UTC timezone
  // (Java time). For V1, we may need to rely on the DM server for this info.
  optional int64 policy_fetched_timestamp = 6;
  // The number of safe browsing warning pages the user has seen since the last
  // report was successfully uploaded.
  optional uint64 safe_browsing_warnings = 7;
  // The number of safe browsing warning pages the user has clicked through
  // since the last report was successfully uploaded.
  optional uint64 safe_browsing_warnings_click_through = 8;
  // The name of the loaded profile, which was entered by the user when creating
  // the profile. Empty when in incognito mode.
  optional string name = 9;
  // A list of extensions requested for installation.
  repeated ExtensionRequest extension_requests = 10;
}

// Sign in information of Profile.
message ChromeSignedInUser {
  // The email of the signed in user.
  optional string email = 1;
  // The obfuscated GaiaID of the signed in user.
  // NOTE(review): the field name is misspelled ("obfudscated"). Renaming is
  // wire-safe but changes generated accessors and text/JSON names, so the
  // spelling has to stay unless every user of the generated code is updated.
  optional string obfudscated_gaia_id = 2;
}

// Extension request information.
message ExtensionRequest {
  // ID of the installed app/extension for a Chrome app or extension.
  optional string id = 1;

  // When the user commits to requesting the extension.
  // [request_timestamp] is milliseconds since Epoch in UTC timezone
  // (Java time).
  optional int64 request_timestamp = 2;
}

// Extension information.
message Extension {
  reserved 7, 12;

  // ID of the installed app/extension for a Chrome app or extension.
  optional string id = 1;
  // Currently installed version of the extension.
  optional string version = 2;
  // The name of the extension.
  optional string name = 3;
  // The description of the extension that is provided by extension author.
  optional string description = 4;

  // The type of extension.
  enum ExtensionType {
    TYPE_UNKNOWN = 0;
    TYPE_EXTENSION = 1;
    TYPE_HOSTED_APP = 2;
    TYPE_PACKAGED_APP = 3;
    TYPE_LEGACY_PACKAGED_APP = 4;
    TYPE_THEME = 5;
    TYPE_USER_SCRIPT = 6;
    TYPE_PLATFORM_APP = 7;
    TYPE_LOGIN_SCREEN_EXTENSION = 8;
  }
  optional ExtensionType app_type = 5;

  // URL of the homepage.
  optional string homepage_url = 6;

  // The installation source of the extension.
  enum InstallType {
    // An extension that is installed by user or installed by default but not
    // component extension.
    TYPE_NORMAL = 0;
    // An extension that is loaded as unpacked extension from chrome extension
    // page or --load-extension command line switch.
    TYPE_DEVELOPMENT = 1;
    // An extension that is loaded from the settings in Windows Registry or
    // a preferences JSON file on Mac and Linux.
    TYPE_SIDELOAD = 2;
    // An extension that is loaded from policy settings.
    TYPE_ADMIN = 3;
    // Chrome component extension and unknown sources.
    TYPE_OTHER = 4;
  }
  optional InstallType install_type = 8;

  // True if the extension is currently enabled.
  optional bool enabled = 9;

  // The list of api based permissions the extension requires.
  repeated string permissions = 10;

  // The list of host based permissions the extension requires.
  repeated string host_permissions = 11;

  // True if the extension comes from web store.
  optional bool from_webstore = 13;
}

// Plugin information.
message Plugin {
  // The human friendly name of plugin.
  optional string name = 1;

  // Currently installed version of the plugin.
  optional string version = 2;

  // The file name from the path of the plugin.
  optional string filename = 3;

  // More details of the plugin.
  optional string description = 4;
}

// Policy information.
message Policy {
  // The name of the policy.
  optional string name = 1;

  // The level of a policy determines its enforceability and whether users can
  // override it or not.
  enum PolicyLevel {
    LEVEL_UNKNOWN = 0;
    // Recommended policies are a default value configured by admins and users
    // can choose to override it.
    LEVEL_RECOMMENDED = 1;

    // Mandatory policies must be enforced and users can't circumvent them.
    LEVEL_MANDATORY = 2;
  }
  optional PolicyLevel level = 2;

  // The scope of a policy flags whether it's applied to the current user or to
  // the machine.
  enum PolicyScope {
    SCOPE_UNKNOWN = 0;
    // User policies apply to current Session/Profile if it's cloud policy.
    // Or apply to current OS user on Windows.
    SCOPE_USER = 1;

    // Machine policies apply to any users of the current machine.
    SCOPE_MACHINE = 2;
  }
  optional PolicyScope scope = 3;

  // The source of a policy indicates where its value is originating from.
  enum PolicySource {
    SOURCE_UNKNOWN = 0;
    // A policy is set by Chrome when it's running in an
    // enterprise environment.
    SOURCE_ENTERPRISE_DEFAULT = 1;

    // A policy is set by Google's cloud management tool.
1752 SOURCE_CLOUD = 2; 1753 1754 // A policy is set by active directory on ChromeOS. 1755 SOURCE_ACTIVE_DIRECTORY = 3; 1756 1757 // A policy is overridden by ChromeOS if it's running in a public session or 1758 // kiosk mode. 1759 SOURCE_DEVICE_LOCAL_ACCOUNT_OVERRIDE = 4; 1760 1761 // A policy is set by OS built-in tool on desktop. 1762 SOURCE_PLATFORM = 5; 1763 1764 // A policy is set by Google's cloud management tool but has higher 1765 // priority. 1766 SOURCE_PRIORITY_CLOUD = 6; 1767 1768 // A policy is set by multiple sources and value has been merged. 1769 SOURCE_MERGED = 7; 1770 1771 // A policy is set by command line switch for testing purpose. 1772 SOURCE_COMMAND_LINE = 8; 1773 } 1774 optional PolicySource source = 4; 1775 1776 // The value of policy. 1777 optional string value = 5; 1778 1779 // The error message of policy. 1780 optional string error = 6; 1781} 1782 1783// Extension policy information. 1784message ExtensionPolicy { 1785 // The id of extension that policies apply to. 1786 optional string extension_id = 1; 1787 1788 // The list of policies that extension currently uses. 1789 repeated Policy policies = 2; 1790} 1791 1792// Cloud policy last fetch time. 1793message PolicyFetchTimestamp { 1794 // The type of cloud policy. 1795 optional string type = 1; 1796 // The last time the policies where fetched for the policy type. 1797 // [timestamp] is milliseconds since Epoch in UTC timezone (Java time). 1798 optional int64 timestamp = 2; 1799} 1800 1801// Chrome user profile level status, used by activated Profiles. Profile name is 1802// not listed here as they are in the ChromeUserProfileBasicInfo. 1803message ChromeUserProfileInfo { 1804 reserved 6; 1805 1806 // A string to uniquely identify this profile within the browser. 1807 optional string id = 1; 1808 1809 // The name of the profile, which was entered by the user when creating 1810 // the profile. 
Empty when in incognito mode 1811 optional string name = 2; 1812 1813 // A boolean to indicates if it's a full report which contains all Profile 1814 // details. Only activated Profile is able to upload full report, idle Profile 1815 // only uploads its |id| and |name|. 1816 optional bool is_full_report = 3; 1817 1818 // Gaia account information if the Profile is signed in. 1819 optional ChromeSignedInUser chrome_signed_in_user = 4; 1820 1821 // A list of extensions installed in the browser. 1822 repeated Extension extensions = 5; 1823 1824 // A list of extensions requested for installation. 1825 repeated ExtensionRequest extension_requests = 10; 1826 1827 // A list of Chrome browser policies set for this user profile. 1828 repeated Policy chrome_policies = 7; 1829 1830 // A list of extensions' policies set for this user profile. The policies is 1831 // only added if the extension is installed. 1832 repeated ExtensionPolicy extension_policies = 8; 1833 1834 // The last time the cloud policies where fetched for each policy type. 1835 // Only one policy type which is google/chrome/machine-level-user uploads 1836 // timestamp currently. More details in b/132973694 1837 repeated PolicyFetchTimestamp policy_fetched_timestamps = 9; 1838} 1839 1840// Report browser level status. 1841message BrowserReport { 1842 // The Chrome browser version, as seen from within Chrome code as opposed to 1843 // user agent. 1844 optional string browser_version = 1; 1845 1846 // Release channel (stable, beta, etc.). 1847 optional Channel channel = 2; 1848 1849 // Required. The path to the browser executable so that we can uniquely 1850 // identify it. 1851 optional string executable_path = 3; 1852 1853 // Profile specific reports, one per profile. 1854 // Deprecated by ChromeUserProfileInfo and only used by old Chrome browser. 1855 repeated ChromeUserProfileReport chrome_user_profile_reports = 4; 1856 1857 // A list of all Profiles that are created in the current browser instance. 
1858 // Only activated Profiles are able to upload full details while the idle ones 1859 // contain id and name only. Please note that some activated Profiles may not 1860 // upload full details due to the limitation of the report size. 1861 // These details will be uploaded in the following reports. 1862 repeated ChromeUserProfileInfo chrome_user_profile_infos = 6; 1863 1864 // A list of plugins installed in the browser. 1865 repeated Plugin plugins = 7; 1866 1867 // The installed version of the browser if it differs from |browser_version|, 1868 // or absent otherwise. When present, it indicates that an update (of a higher 1869 // or lower version) has been installed and will be the active version 1870 // following a browser restart. 1871 optional string installed_browser_version = 8; 1872} 1873 1874// Report Operating system related information. 1875message OSReport { 1876 // A string contains OS name. 1877 optional string name = 1; 1878 1879 // A string contains OS architecture. 1880 optional string arch = 2; 1881 1882 // A string contains OS version. 1883 optional string version = 3; 1884} 1885 1886// An enum shows which information a partial CBCM report contains. 1887enum PartialReportType { 1888 UNSPECIFIED = 0; 1889 EXTENSION_REQUEST = 1; 1890} 1891 1892// Report the status of a Chrome installation on non-Chrome OS platform. 1893message ChromeDesktopReportRequest { 1894 // The name of the machine within its local network. The string is a JSON 1895 // encoded structure with a single computername field. 1896 // This field is replaced by computer_name and only used by old Chrome 1897 // browser. 1898 optional string machine_name = 1; 1899 // OS info. The string is a an encoded JSON object as returned by 1900 // chrome.runtime.getPlatformInfo. 1901 // This field is replaced by OSReport and only used by old Chrome browser. 1902 optional string os_info = 2; 1903 // The user name from the OS point of view. 
The string is a JSON encoded 1904 // structure with a single username field containing "DOMAIN\username". 1905 // This field is replaced by os_user_name and only used by old Chrome browser. 1906 optional string os_user = 3; 1907 // Browser related info. 1908 optional BrowserReport browser_report = 4; 1909 // The device serial number (this might differ with the client ID, depending 1910 // on the platform) 1911 optional string serial_number = 5; 1912 // A string represents the name of computer. 1913 optional string computer_name = 6; 1914 // Operating system related information. 1915 optional OSReport os_report = 7; 1916 // A string contains OS user name. 1917 optional string os_user_name = 8; 1918 // Device identifier for helping identify non-Chrome OS devices. 1919 // TODO(crbug.com/1105938): This will also replace the computer_name and 1920 // serial_number fields. 1921 optional BrowserDeviceIdentifier browser_device_identifier = 9; 1922 // A list of flags indicates that the report only contains particular 1923 // information. When list is empty or unset, the report should contains all 1924 // information. 1925 repeated PartialReportType partial_report_types = 10; 1926} 1927 1928// Report user level status on Chrome OS platform. Chrome OS equivalent of 1929// ChromeDesktopReportRequest. 1930message ChromeOsUserReportRequest { 1931 // Browser related info. 1932 optional BrowserReport browser_report = 1; 1933 // Android applications installed in primary profile. 1934 repeated AndroidAppInfo android_app_infos = 2; 1935 // A list of flags indicates that the report only contains particular 1936 // information. When list is empty or unset, the report should contains all 1937 // information. 1938 repeated PartialReportType partial_report_types = 3; 1939} 1940 1941// A validation issue from validating a policy value that was contained in 1942// the payload of the policy fetch response. 1943message PolicyValueValidationIssue { 1944 // Policy name of the faulty value. 
1945 optional string policy_name = 1; 1946 1947 //# LINT.IfChange 1948 enum ValueValidationIssueSeverity { 1949 // Default value for when a severity is not specified. 1950 VALUE_VALIDATION_ISSUE_SEVERITY_UNSPECIFIED = 0; 1951 1952 // This result is a warning. The policy blob has not been rejected. 1953 VALUE_VALIDATION_ISSUE_SEVERITY_WARNING = 1; 1954 1955 // This result is an error. The policy blob was rejected completely and not 1956 // updated on the device. 1957 VALUE_VALIDATION_ISSUE_SEVERITY_ERROR = 2; 1958 } // LINT.ThenChange( 1959 // //depot/google3/chrome/cros/reporting/api/proto/policy_validation_report.proto) 1960 1961 // Severity of this policy value validation result. 1962 optional ValueValidationIssueSeverity severity = 2; 1963 1964 // Message containing detailed information about the value validation warning 1965 // or error (e.g. type and specific location). This message is intended as 1966 // debug information for developers (not localized). 1967 optional string debug_message = 3; 1968} 1969 1970// This message is used to upload the result of cloud policy validation after a 1971// PolicyFetchRequest. 1972message PolicyValidationReportRequest { 1973 // |policy_type| sent in PolicyFetchRequest on the request which 1974 // returned policy with validation errors. 1975 optional string policy_type = 1; 1976 1977 // |policy_token| from the PolicyFetchResponse. This is used to identify the 1978 // specific policy fetch event that triggered this validation report. 1979 optional string policy_token = 2; 1980 1981 // Specifies the result type of the validation. 1982 // Each enum value can correspond to one of three client behaviors (noted as 1983 // 'Client behavior' in the comment for each enum value): 1984 // - Unknown: 1985 // It is not known if the fetched policy blob was accepted or rejected. 1986 // - Policy blob accepted: 1987 // The client has accepted and applied the fetched policy blob. 
1988 // - Policy blob rejected: 1989 // The client has completely rejected the fetched policy blob. 1990 // LINT.IfChange 1991 enum ValidationResultType { 1992 // An enum value was received which is not known in this version of the 1993 // proto. 1994 // Client behavior: Unknown. 1995 VALIDATION_RESULT_TYPE_ERROR_UNSPECIFIED = 0; 1996 // Policy validated successfully. 1997 // Client behavior: Policy blob accepted. 1998 // Note: This result is here for completeness, the client will not send 1999 // reports with this enum value. 2000 VALIDATION_RESULT_TYPE_SUCCESS = 1; 2001 // Bad signature on the initial key. 2002 // Client behavior: Policy blob rejected. 2003 VALIDATION_RESULT_TYPE_BAD_INITIAL_SIGNATURE = 2; 2004 // Bad signature. 2005 // Client behavior: Policy blob rejected. 2006 VALIDATION_RESULT_TYPE_BAD_SIGNATURE = 3; 2007 // Policy blob contains error code. 2008 // Client behavior: Policy blob rejected. 2009 VALIDATION_RESULT_TYPE_ERROR_CODE_PRESENT = 4; 2010 // Policy payload failed to decode. 2011 // Client behavior: Policy blob rejected. 2012 VALIDATION_RESULT_TYPE_PAYLOAD_PARSE_ERROR = 5; 2013 // Unexpected policy type. 2014 // Client behavior: Policy blob rejected. 2015 VALIDATION_RESULT_TYPE_WRONG_POLICY_TYPE = 6; 2016 // Unexpected settings entity id. 2017 // Client behavior: Policy blob rejected. 2018 VALIDATION_RESULT_TYPE_WRONG_SETTINGS_ENTITY_ID = 7; 2019 // Timestamp is missing or is older than the timestamp of the previous 2020 // policy. 2021 // Client behavior: Policy blob rejected. 2022 VALIDATION_RESULT_TYPE_BAD_TIMESTAMP = 8; 2023 // DM token is empty or doesn't match. 2024 // Client behavior: Policy blob rejected. 2025 VALIDATION_RESULT_TYPE_BAD_DM_TOKEN = 9; 2026 // Device id is empty or doesn't match. 2027 // Client behavior: Policy blob rejected. 2028 VALIDATION_RESULT_TYPE_BAD_DEVICE_ID = 10; 2029 // Username doesn't match. 2030 // Client behavior: Policy blob rejected. 
2031 VALIDATION_RESULT_TYPE_BAD_USER = 11; 2032 // Policy payload protobuf parse error. 2033 // Client behavior: Policy blob rejected. 2034 VALIDATION_RESULT_TYPE_POLICY_PARSE_ERROR = 12; 2035 // Policy key signature could not be verified using the hard-coded 2036 // verification key. 2037 // Client behavior: Policy blob rejected. 2038 VALIDATION_RESULT_TYPE_BAD_KEY_VERIFICATION_SIGNATURE = 13; 2039 // There were validation warnings during validation of policy values in the 2040 // payload. See |policy_value_validation_results|. 2041 // Client behavior: Policy blob accepted. 2042 VALIDATION_RESULT_TYPE_VALUE_WARNING = 14; 2043 // There were validation errors during validation of policy values in the 2044 // payload. There may also have been warnings. See 2045 // |policy_value_validation_results| - that list will contain at least one 2046 // payload validation errors, and zero or more payload validation warnings. 2047 // Client behavior: Policy blob rejected. 2048 VALIDATION_RESULT_TYPE_VALUE_ERROR = 15; 2049 } // LINT.ThenChange( 2050 // //depot/google3/chrome/cros/reporting/api/proto/policy_validation_report.proto) 2051 2052 // The validation result. 2053 optional ValidationResultType validation_result_type = 3; 2054 2055 // Value validation issues in the policy payload. Will be filled if 2056 // |validation_result_type| is VALIDATION_RESULT_TYPE_VALUE_WARNING 2057 // or VALIDATION_RESULT_TYPE_VALUE_ERROR. 2058 repeated PolicyValueValidationIssue policy_value_validation_issues = 4; 2059} 2060 2061// Response from DMServer to a policy validation report. 2062message PolicyValidationReportResponse {} 2063 2064message AndroidStatus { 2065 // JSON string of ARC status report. 2066 optional string status_payload = 1; 2067 // DroidGuard response obtained from DroidGuard server. 2068 optional string droid_guard_info = 2; 2069} 2070 2071enum CrostiniAppType { 2072 // The default terminal App. 
2073 CROSTINI_APP_TYPE_TERMINAL = 0; 2074 // A registered interactive Crostini App which is 2075 // not the default terminal app. 2076 CROSTINI_APP_TYPE_INTERACTIVE = 1; 2077 // Detected non-registered container applications. 2078 CROSTINI_APP_TYPE_OTHER = 2; 2079} 2080 2081message CrostiniApp { 2082 // The default display name of the App. 2083 optional string app_name = 1; 2084 // The type of the App. 2085 optional CrostiniAppType app_type = 2; 2086 2087 // Time stamp of last launch of the App with a three day granularity. 2088 // The timestamp is milliseconds since Epoch in UTC timezone (Java time). 2089 optional int64 last_launch_time_window_start_timestamp = 3; 2090 2091 // If available, the name of the Debian package belonging to this App. 2092 optional string package_name = 4; 2093 // If available, the version of the Debian package belonging to this App. 2094 optional string package_version = 5; 2095 // If available, a hash of the package belonging to this App. 2096 optional string package_hash = 6; 2097} 2098 2099message CrostiniStatus { 2100 // Time stamp of last launch of a Crostini app with three day granularity, 2101 // The timestamp is milliseconds since Epoch in UTC timezone (Java time). 2102 optional int64 last_launch_time_window_start_timestamp = 1; 2103 2104 // The VM image version at the time of the last launch. 2105 optional string last_launch_vm_image_version = 2; 2106 // The VM kernel version at the time of the last launch. 2107 optional string last_launch_vm_kernel_version = 3; 2108 2109 // Contains information about each installed app at the time of the 2110 // report. 2111 repeated CrostiniApp installed_apps = 4; 2112} 2113 2114// Report current active session (a user on one device) level status. 2115message SessionStatusReportRequest { 2116 reserved 1, 2, 3, 6; 2117 2118 // If this is a kiosk session, this is the device local account ID. 
2119 optional string device_local_account_id = 4; 2120 2121 // Information about kiosk app for kiosk session. 2122 repeated AppStatus installed_apps = 5; 2123 2124 // Information about ARC status. 2125 optional AndroidStatus android_status = 7; 2126 2127 // If this is a regular user session, this is the user's DMToken. 2128 optional string user_dm_token = 8; 2129 2130 // Time zone id of the active user. Not set for enterprise users. 2131 // Format of the id is as specified in tz database e.g. Pacific/Honolulu. For 2132 // more details check third_party/icu/source/i18n/unicode/timezone.h. 2133 optional string time_zone = 9; 2134 2135 // Information about Crostini status. 2136 optional CrostiniStatus crostini_status = 10; 2137 2138 // Information about all applications for this user on this device, including 2139 // uninstalled and disabled apps. 2140 repeated AppInfo app_infos = 11; 2141} 2142 2143// Response from DMServer to update devices' status. 2144// It is possible that status report fails but policy request succeed. In such 2145// case, the DeviceStatusReportResponse will contain an error code and the 2146// device should re-send status report data in the next policy request. The 2147// device should re-send report data if policy request fails, even if 2148// DeviceStatusReportResponse contains no error code. 2149message DeviceStatusReportResponse { 2150 optional int32 error_code = 1; 2151 2152 // Human readable error message for customer support purpose. 2153 optional string error_message = 2; 2154} 2155 2156// Response from DMServer to a Chrome desktop report request. The report 2157// upload errors will be set in the containing DeviceManagementResponse or 2158// eventually at the HTTP level as mentioned in a TODO. 2159message ChromeDesktopReportResponse {} 2160 2161// Response from DMServer to a ChromeOS user report request. 
The report 2162// upload errors will be set in the containing DeviceManagementResponse or 2163// eventually at the HTTP level as mentioned in a TODO. 2164message ChromeOsUserReportResponse {} 2165 2166// Response from DMServer to update user devices' status. 2167// It is possible that status report fails but policy request succeed. In such 2168// case, the SessionStatusReportResponse will contain an error code and the 2169// device should re-send status report data in the next policy request. The 2170// device should re-send report data if policy request fails, even if 2171// SessionStatusReportResponse contains no error code. 2172message SessionStatusReportResponse { 2173 optional int32 error_code = 1; 2174 2175 // Human readable error message for customer support purpose. 2176 optional string error_message = 2; 2177} 2178 2179// Request from client to query device state using Private Set Membership (PSM). 2180// Please see go/cros-enterprise-psm and go/cros-client-psm for more details. 2181message PrivateSetMembershipRequest { 2182 // A request proto from the RLWE PSM protocol. 2183 optional PrivateSetMembershipRlweRequest rlwe_request = 1; 2184} 2185 2186message PrivateSetMembershipResponse { 2187 // A response proto from the RLWE PSM protocol. 2188 optional PrivateSetMembershipRlweResponse rlwe_response = 1; 2189} 2190 2191message PrivateSetMembershipRlweRequest { 2192 // First request sent by the client for checking membership. 2193 optional private_membership.rlwe.PrivateMembershipRlweOprfRequest 2194 oprf_request = 1; 2195 2196 // Second request sent by the client for checking membership. 2197 optional private_membership.rlwe.PrivateMembershipRlweQueryRequest 2198 query_request = 2; 2199} 2200 2201message PrivateSetMembershipRlweResponse { 2202 // First response sent by the server for checking membership. 
2203 optional private_membership.rlwe.PrivateMembershipRlweOprfResponse 2204 oprf_response = 1; 2205 2206 // Second response sent by the server for checking membership. 2207 optional private_membership.rlwe.PrivateMembershipRlweQueryResponse 2208 query_response = 2; 2209} 2210 2211// Request from device to server to determine whether the device should 2212// go through enterprise enrollment. Unlike the other requests, this request is 2213// not authenticated. 2214message DeviceAutoEnrollmentRequest { 2215 // Device identifier hash, mod |modulus|. 2216 // The type of the device identifier hash depends on |enrollment_check_type|. 2217 // If |modulus| is 1, |remainder| should be 0. 2218 // |remainder| should always be present. 2219 optional int64 remainder = 1; 2220 2221 // Modulus of the hash used by the client. For now, it is a power of 2, but 2222 // due to the strict constraint on how many serial numbers a bucket can 2223 // contain, it may become non power of 2. If that happens, client-side needs 2224 // to change its assumption. 2225 // |modulus| should always be present, but setting |modulus| to 1 means that 2226 // no bits of the client's hash are uploaded. |remainder| should be 0 in this 2227 // case. 2228 optional int64 modulus = 2; 2229 2230 enum EnrollmentCheckType { 2231 // Unspecified. 2232 ENROLLMENT_CHECK_TYPE_UNSPECIFIED = 0; 2233 // Forced Re-Enrollment check with full SHA-256 hashes of the 2234 // server-backed state key. 2235 ENROLLMENT_CHECK_TYPE_FRE = 1; 2236 // Forced Enrollment check with SHA-256 hashes of (brand code + “_” + serial 2237 // number), truncated to first 8 bytes each. 2238 ENROLLMENT_CHECK_TYPE_FORCED_ENROLLMENT = 2; 2239 } 2240 2241 // Specifies the type of auto enrollment check that is being made. 2242 // This also defines the format of the device identifier hash used in this 2243 // exchange. 
2244 optional EnrollmentCheckType enrollment_check_type = 3 2245 [default = ENROLLMENT_CHECK_TYPE_FRE]; 2246} 2247 2248// Response from server to auto-enrollment detection request. 2249message DeviceAutoEnrollmentResponse { 2250 // If this field is present, the other fields are ignored and the client 2251 // should send a new DeviceAutoEnrollmentRequest with a |remainder| 2252 // computed using this new |expected_modulus|. If this field is empty, the 2253 // client's request was accepted. 2254 // DMServer guarantees that if the modulus sent by client in 2255 // DeviceAutoEnrollmentRequest matches server's expectation, this field 2256 // is unset. 2257 optional int64 expected_modulus = 1; 2258 2259 // List of hashes. If the client's hash matches any in this list, the 2260 // client device should do enterprise enrollment. If it matches none, 2261 // enrollment should be optional. 2262 // The format of each entry depends on the |enrollment_check_type| that was 2263 // set in the DeviceAutoEnrollmentRequest. 2264 repeated bytes hashes = 2; 2265} 2266 2267// Sent by the client to the server. The device management server keeps a 2268// mapping of device identifiers to device state. Devices query this table after 2269// hard reset in order recover state. This request is keyed just by the opaque 2270// server-backed state key; there is no further authentication. 2271message DeviceStateRetrievalRequest { 2272 // Opaque, client-determined, unpredictable, stable and unique device 2273 // identifier to retrieve state for. This field contains 32 bytes of data that 2274 // looks essentially random to the server. It may be generated e.g. by running 2275 // a concatenation of suitable device identifiers through a cryptographic hash 2276 // algorithm such as SHA-256. 2277 optional bytes server_backed_state_key = 1; 2278} 2279 2280// Sent by the client to the server when in registered state to update the 2281// device-determined device state keys. 
message DeviceStateKeyUpdateRequest {
  // The client-determined state keys. To the server, these look like 32 bytes
  // of random data. The client should generate these keys using a deterministic
  // algorithm that takes stable device identifiers as an input and produces a
  // key as the output, possibly by running the identifiers through a
  // cryptographic hash function such as SHA-256.
  // NOTE(review): the 32-byte length is stated only in this comment; the
  // schema accepts any length, so the receiver presumably has to check it -
  // confirm.
  repeated bytes server_backed_state_keys = 1;
}

// Server to client message carrying the device state response. Because the
// request is not authenticated, the only protection against state extraction
// from server is the unpredictability of the server-backed state key. Thus, the
// response should not contain any sensitive data. If the server doesn't know
// the requested identifier, it just returns a message with restore_mode set to
// RESTORE_MODE_NONE.
message DeviceStateRetrievalResponse {
  // Restorative action to take after device reset.
  enum RestoreMode {
    // No secondary state restoration.
    RESTORE_MODE_NONE = 0;
    // Enterprise enrollment requested, but user may skip.
    RESTORE_MODE_REENROLLMENT_REQUESTED = 1;
    // Enterprise enrollment is enforced and cannot be skipped.
    RESTORE_MODE_REENROLLMENT_ENFORCED = 2;
    // The device has been disabled by its owner. The device will show a warning
    // screen and prevent the user from proceeding further.
    RESTORE_MODE_DISABLED = 3;
    // Enterprise enrollment is enforced using Zero-Touch and cannot be skipped.
    RESTORE_MODE_REENROLLMENT_ZERO_TOUCH = 4;
  }
  // The server-indicated restore mode.
  // An absent field reads as RESTORE_MODE_NONE, the same value the server
  // returns for an unknown identifier, so a response that lost this field is
  // indistinguishable from "no state to restore".
  optional RestoreMode restore_mode = 1 [default = RESTORE_MODE_NONE];

  // Primary domain the device is associated with.
  optional string management_domain = 2;

  // State that is relevant only when the |restore_mode| is
  // |RESTORE_MODE_DISABLED|.
  optional DisabledState disabled_state = 3;

  // Initial device state if |restore_mode| is |RESTORE_MODE_NONE|.
  optional DeviceInitialEnrollmentStateResponse initial_state_response = 4;
}

// Request from device to server to retrieve the enrollment mode and domain for
// this device. The client will use this request when the
// DeviceAutoEnrollmentRequest exchange with |enrollment_check_type| set to
// |ENROLLMENT_CHECK_TYPE_FORCED_ENROLLMENT| indicated that it should be
// enrolled. This request is not authenticated.
//
// NOTE(review): the request is keyed only by the serial number and brand
// code, so the response is presumably available to anyone who knows both
// values and should not carry sensitive data - confirm.
message DeviceInitialEnrollmentStateRequest {
  // The serial number of the device.
  optional string serial_number = 1;

  // The 4-character brand code of the device.
  optional string brand_code = 2;
}

// Response from server to a DeviceInitialEnrollmentStateRequest.
message DeviceInitialEnrollmentStateResponse {
  // Initial action to take after OOBE.
  enum InitialEnrollmentMode {
    // No initial enrollment.
    INITIAL_ENROLLMENT_MODE_NONE = 0;
    // Enterprise enrollment is enforced and cannot be skipped.
    INITIAL_ENROLLMENT_MODE_ENROLLMENT_ENFORCED = 1;
    // Zero-Touch (attestation-based) enrollment is enforced and cannot be
    // skipped.
    INITIAL_ENROLLMENT_MODE_ZERO_TOUCH_ENFORCED = 2;
    // The device has been disabled by its owner. The device will show a warning
    // screen and prevent the user from proceeding further.
    INITIAL_ENROLLMENT_MODE_DISABLED = 3;
  }

  // The server-indicated initial enrollment mode.
  // An absent field reads as INITIAL_ENROLLMENT_MODE_NONE.
  optional InitialEnrollmentMode initial_enrollment_mode = 1
      [default = INITIAL_ENROLLMENT_MODE_NONE];

  // The domain the device should be enrolled into.
  optional string management_domain = 2;

  // Whether the device comes packaged with a license or not.
  optional bool is_license_packaged_with_device = 3;

  // State that is relevant only when the |initial_enrollment_mode| is
  // |INITIAL_ENROLLMENT_MODE_DISABLED|.
  optional DisabledState disabled_state = 4;

  // License Packaging SKU type.
  // LINT.IfChange
  enum LicensePackagingSKU {
    // Not a License Packaged Device.
    NOT_EXIST = 0;
    // Enterprise SKU.
    CHROME_ENTERPRISE = 1;
    // Education SKU.
    CHROME_EDUCATION = 2;
  }
  // LINT.ThenChange(//depot/google3/google/chrome/licensepackaging/v1/service.proto)

  // SKU Type for License Packaged Device.
  optional LicensePackagingSKU license_packaging_sku = 5;
}

// Sent by the client to the server to pair the Host device with the Controller
// device. The HTTP request contains an end-user OAuth token and only succeeds
// if both Host and Controller devices belong to the end-user domain.
message DevicePairingRequest {
  // The device ID of the Host device.
  optional string host_device_id = 1;

  // The device ID of the Controller device.
  optional string controller_device_id = 2;
}

// Response from the server to the device pairing request.
message DevicePairingResponse {
  // The client should check HTTP status code first. If HTTP status code is not
  // 200 (e.g. 500 internal error), then it means the pairing fails. If HTTP
  // status code is 200, then the client should check the status code within the
  // response.
  enum StatusCode {
    SUCCESS = 0;

    // A generic failure code for pairing.
    FAILED = 1;

    // The Host device cannot be found in the user's domain.
    HOST_DEVICE_NOT_FOUND = 2;

    // The Controller device cannot be found in the user's domain.
    CONTROLLER_DEVICE_NOT_FOUND = 3;

    // The Host device is deprovisioned.
    HOST_DEVICE_DEPROVISIONED = 4;

    // The Controller device is deprovisioned.
    CONTROLLER_DEVICE_DEPROVISIONED = 5;
  }

  // Result of the pairing request. SUCCESS is the first listed value, so the
  // explicit default is what keeps a response without |status_code| from
  // reading as SUCCESS; it reads as FAILED instead.
  optional StatusCode status_code = 1 [default = FAILED];
}

// Sent by the client to the server to check if the devices are paired. The HTTP
// request contains controller service account OAuth token as well as the
// DMToken from the Host device.
message CheckDevicePairingRequest {
  // The device ID of the Host device.
  optional string host_device_id = 1;

  // The device ID of the Controller device.
  optional string controller_device_id = 2;
}

// Response from the server to the check device pairing request.
message CheckDevicePairingResponse {
  // The client should check HTTP status code first. If HTTP status code is not
  // 200 (e.g. 500 internal error), then it means the pairing status is unknown.
  // If HTTP status code is 200, then the client should check the status code
  // within the response.
  enum StatusCode {
    PAIRED = 0;

    // The Host and Controller devices are not paired.
    NOT_PAIRED = 1;

    // The Host device cannot be found in the Host device domain.
    HOST_DEVICE_NOT_FOUND = 2;

    // The Controller device cannot be found in the Host device domain.
    CONTROLLER_DEVICE_NOT_FOUND = 3;

    // The Host device is deprovisioned.
    HOST_DEVICE_DEPROVISIONED = 4;

    // The Controller device is deprovisioned.
    CONTROLLER_DEVICE_DEPROVISIONED = 5;

    // Invalid controller identity.
    INVALID_CONTROLLER_DEVICE_IDENTITY = 6;
  }

  // Pairing status. PAIRED is the first listed value, so the explicit default
  // is what keeps a response without |status_code| from reading as PAIRED; it
  // reads as NOT_PAIRED instead.
  optional StatusCode status_code = 1 [default = NOT_PAIRED];
}

// This protobuf defines a single remote command from server to client for
// execution.
message RemoteCommand {
  // The names are used as part of metric names.
If enumeration is updated 2470 // the names should also be updated: 2471 // - components/policy/core/common/cloud/enterprise_metrics.cc; 2472 // - components/policy/core/common/remote_commands/remote_commands_service.cc; 2473 // - Enterprise.RemoteCommandType in tools/metrics/histograms/histograms.xml; 2474 enum Type { 2475 // Simple echo command for testing, will be ignored in production code. 2476 COMMAND_ECHO_TEST = -1; 2477 2478 // Reboot the device. 2479 DEVICE_REBOOT = 0; 2480 2481 // Take a screenshot. 2482 DEVICE_SCREENSHOT = 1; 2483 2484 // Set device volume. 2485 DEVICE_SET_VOLUME = 2; 2486 2487 // Force a refresh of device status (attributes and logs). 2488 DEVICE_FETCH_STATUS = 3; 2489 2490 // Forwards a user command received from the management server to the ARC++ 2491 // side. The payload is opaque to Chrome OS. 2492 USER_ARC_COMMAND = 4; 2493 2494 // Wipe all the users off of the device. 2495 DEVICE_WIPE_USERS = 5; 2496 2497 // Start Chrome Remote Desktop session (limited to Kiosk sessions only). 2498 DEVICE_START_CRD_SESSION = 6; 2499 2500 // Wipe the device (perform a powerwash). 2501 DEVICE_REMOTE_POWERWASH = 7; 2502 2503 // Refresh the device machine certificate and re-upload it. 2504 DEVICE_REFRESH_ENTERPRISE_MACHINE_CERTIFICATE = 8; 2505 2506 // Retrieve a list of available diagnostics routines. 2507 DEVICE_GET_AVAILABLE_DIAGNOSTIC_ROUTINES = 9; 2508 2509 // Run a given diagnostics routine on the platform. 2510 DEVICE_RUN_DIAGNOSTIC_ROUTINE = 10; 2511 2512 // Send a command or get an update from an existing diagnostics routine. 2513 DEVICE_GET_DIAGNOSTIC_ROUTINE_UPDATE = 11; 2514 2515 // Clear the cache and cookies associated with a given profile. 2516 BROWSER_CLEAR_BROWSING_DATA = 12; 2517 2518 // Please update metrics after adding a new item - see the comment above. 2519 } 2520 2521 // The command type. 2522 optional Type type = 1; 2523 2524 // An opaque unique identifier for the command. 
The client processes 2525 // the commands in the order of the command list it receives. 2526 optional int64 command_id = 2; 2527 2528 // The age of the command (in milliseconds) when it is sent from server to 2529 // client, defined as current_server_time - command_generated_time. 2530 optional int64 age_of_command = 3; 2531 2532 // Extra parameters for this command, expected to be a JSON string. The exact 2533 // format of the JSON payload depends on the command type specified by the 2534 // |type| field: 2535 // |DEVICE_SCREENSHOT|: {"fileUploadUrl" : url_string}. 2536 // |DEVICE_SET_VOLUME|: {"volume": volume_value}, where volume_value must be 2537 // an integer between 0 and 100. 2538 // |DEVICE_RUN_DIAGNOSTIC_ROUTINE|: {"routine" : routine_enum, "params" : 2539 // params_dict}, where params_dict varies by routine. 2540 // |DEVICE_GET_DIAGNOSTIC_ROUTINE_UPDATE|: {"id" : id_integer, "command" : 2541 // command, "includeOutput" : include_output_bool}, where command must be a 2542 // valid chromeos::cros_healthd::mojom::DiagnosticRoutineCommandEnum. 2543 optional string payload = 4; 2544 2545 // An identifier for the target this command is for. This is the same as 2546 // the device_id in PolicyData. We rely on this identifier not being stable 2547 // across powerwashes. 2548 optional string target_device_id = 5; 2549} 2550 2551// This protobuf defines the execution result of a single remote command 2552// which will be sent back to the server. 2553message RemoteCommandResult { 2554 // If you change this, update policy.mojom/CommandResultType. 2555 enum ResultType { 2556 RESULT_IGNORED = 0; // The command was ignored as obsolete. 2557 RESULT_FAILURE = 1; // The command could not be executed or parsed. 2558 RESULT_SUCCESS = 2; // The command was successfully executed. Commands 2559 // such as powerwash will return success before they 2560 // are executed since state will be forgotten. 2561 } 2562 2563 // The result of the command. 
2564 optional ResultType result = 1; 2565 2566 // The opaque unique identifier of the command. This value is copied from the 2567 // RemoteCommand protobuf that contained the command. 2568 optional int64 command_id = 2; 2569 2570 // The timestamp representing time at which the command was executed, if the 2571 // result is RESULT_SUCCESS. The timestamp is milliseconds since Epoch in UTC 2572 // timezone (Java time). 2573 optional int64 timestamp = 3; 2574 2575 // Extra information sent to server as result of execution, expected to be a 2576 // JSON string. 2577 optional string payload = 4; 2578} 2579 2580message DeviceRemoteCommandRequest { 2581 // The command ID of the last command received from the server until 2582 // now. Omitted if no commands have been received yet. 2583 optional int64 last_command_unique_id = 1; 2584 2585 // The execution results of previously fetched commands. 2586 // The client should send back a command result whenever possible. 2587 repeated RemoteCommandResult command_results = 2; 2588 2589 // Whether the server should send secure commands or not. 2590 optional bool send_secure_commands = 3; 2591 2592 // What type of signature to use. Only valid if send_secure_commmands is true. 2593 // If NONE is passed, SHA1_RSA will be used instead for compatibility. 2594 optional PolicyFetchRequest.SignatureType signature_type = 4; 2595} 2596 2597message DeviceRemoteCommandResponse { 2598 // The queue of pending, non secure commands. If this is present then there 2599 // shall be no secure commands in this response (and vice versa). 2600 repeated RemoteCommand commands = 1; 2601 2602 // The queue of pending, secure commands. If this is present then there shall 2603 // be no non secure commands in this response (and vice versa). 2604 // 2605 // The secure_commands.data field contains a serialized PolicyData with a 2606 // “google/chromeos/remotecommand” policy_type. 
The secure_commands.signature 2607 // field is a signature of the data field with the policy key for the domain 2608 // the device belongs to. 2609 repeated SignedData secure_commands = 2; 2610} 2611 2612// Sent by the client to the server to check if the current user is allowed 2613// to update attributes (asset id and location). The HTTP request contains an 2614// end-user OAuth token. 2615message DeviceAttributeUpdatePermissionRequest {} 2616 2617// Response from the server specifying whether the current user is allowed to 2618// update attributes (asset id and location). 2619message DeviceAttributeUpdatePermissionResponse { 2620 enum ResultType { 2621 ATTRIBUTE_UPDATE_DISALLOWED = 0; 2622 ATTRIBUTE_UPDATE_ALLOWED = 1; 2623 } 2624 2625 optional ResultType result = 1; 2626} 2627 2628// Sent by the client to the server to update device attributes (asset id and 2629// location). The HTTP request contains an end-user OAuth token. 2630message DeviceAttributeUpdateRequest { 2631 // The user-generated asset identifier. 2632 optional string asset_id = 1; 2633 2634 // The user input device location. 2635 optional string location = 2; 2636} 2637 2638// Response from the server to update device attributes (asset id and location). 2639message DeviceAttributeUpdateResponse { 2640 enum ResultType { 2641 ATTRIBUTE_UPDATE_ERROR = 0; 2642 ATTRIBUTE_UPDATE_SUCCESS = 1; 2643 } 2644 2645 optional ResultType result = 1; 2646} 2647 2648// Sent by the client to server to update the mapping from GCM id to device_id 2649// on the server side. 2650message GcmIdUpdateRequest { 2651 optional string gcm_id = 1; 2652} 2653 2654// Response for GcmIdUpdateRequest, an empty message for now. 2655message GcmIdUpdateResponse {} 2656 2657// Request from device to server to check for Android-for-Work service with 2658// DPC enforcement. Must be sent only for users who are not managed in Chrome 2659// OS. 2660// Provide user's OAuth token with your HTTP Request. 
message CheckAndroidManagementRequest {}

// Response from server to device for check for Android-for-Work service with
// DPC enforcement request.
// SC_CONFLICT HTTP code is returned if DPC enforcement is required.
message CheckAndroidManagementResponse {}

// Request to register a new device (authenticated by enterprise enrollment
// certificate). See http://go/zero-touch-chrome for details.
// The response message will be the DeviceRegisterResponse.
message CertificateBasedDeviceRegisterRequest {
  // Signed request to register with a certificate. The signed_request.data
  // field contains a CertificateBasedDeviceRegistrationData with a nonce
  // (as added by the Chrome OS cryptohome client) appended. The
  // signed_request.signature field is a signature of the data field signed
  // with the enrollment certificate's private key.
  //
  // SignedData.extra_data_bytes records how many bytes were appended to the
  // original data before signing, i.e. the length of the nonce to strip
  // before parsing the registration data.
  // NOTE(review): the signature only shows possession of the private key for
  // the certificate carried inside the payload; presumably the server also
  // validates that certificate's chain before trusting it -- confirm.
  optional SignedData signed_request = 1;
}

// Requested configuration to be passed along a registration request.
message DeviceRegisterConfiguration {
  // The device owner's email address.
  optional string device_owner = 1;
}

// The payload carried (with a nonce appended) in
// CertificateBasedDeviceRegisterRequest.signed_request.data.
message CertificateBasedDeviceRegistrationData {
  enum CertificateType {
    UNKNOWN = 0;
    ENTERPRISE_ENROLLMENT_CERTIFICATE = 1;
  }

  // The kind of certificate in |device_certificate|. No explicit default is
  // declared; under proto2 an unset value reads as UNKNOWN.
  optional CertificateType certificate_type = 1;
  // Device certificate in X.509 format.
  // We use CertificateFactory.generateCertificate() call and
  // the certificate provided must be DER-encoded and may be supplied in binary
  // or printable (Base64) encoding. If the certificate is provided in Base64
  // encoding, it must be bounded at the beginning by
  // -----BEGIN CERTIFICATE-----, and must be bounded at the end by
  // -----END CERTIFICATE-----.
  optional bytes device_certificate = 2;
  // The regular device registration request.
  optional DeviceRegisterRequest device_register_request = 3;
  // Additional configuration to register the device.
  optional DeviceRegisterConfiguration device_register_configuration = 4;
}

// Request to enroll a Chrome browser. Fields match identically named fields
// in ChromeBrowserDeviceInfo.
message RegisterBrowserRequest {
  // The name of the machine within its local network.
  optional string machine_name = 1;
  // Platform, e.g., Windows or Mac.
  optional string os_platform = 2;
  // Platform specific version number, e.g., 6.1.7601.0 or 10.12.6
  optional string os_version = 3;
  // Device identifier for helping identify non-Chrome OS devices.
  // TODO(crbug.com/1105938): This will also replace the machine_name field.
  optional BrowserDeviceIdentifier browser_device_identifier = 4;
}

// Gets an enrollment token to a managed Google Play account for using it with
// Active Directory. Sent when a new user logs in with Active Directory and
// opens Play Store for the first time.
message ActiveDirectoryEnrollPlayUserRequest {
  // A server-provided identifier for the previously established SAML session.
  // If left empty and SAML authentication is required,
  // ActiveDirectoryEnrollPlayUserResponse.saml_parameters.auth_redirect_url
  // will contain the initial redirect required to start the SAML flow.
  optional string auth_session_id = 1;
}

// The result when a new user logs in to Play Store with Active Directory.
// 904 Arc Disabled HTTP error code is returned if the reason of the failure is
// that ARC is not enabled for the domain.
// 403 Forbidden HTTP error code is returned if the device can't get Managed
// Google Play accounts.
message ActiveDirectoryEnrollPlayUserResponse {
  // The enrollment token which can be used to fetch a Managed Google Play
  // account.
  // NOTE(review): the token grants access to an account, so it should
  // presumably be handled like a credential (kept out of logs and reports)
  // -- confirm.
  optional string enrollment_token = 1;
  // The user id which identifies the user enrolled by this token. This user id
  // is opaque to the client and is only used in the ActiveDirectoryPlayActivity
  // requests.
  optional string user_id = 2;
  // If SAML authentication is required, SAML flow parameters are specified in
  // this proto and both enrollment_token and user_id fields are left unset.
  optional SamlParametersProto saml_parameters = 3;
}

// Parameters the client needs to start a SAML flow and to continue with the
// server once the flow completes.
message SamlParametersProto {
  // Initial Redirect URL to start the SAML flow.
  optional string auth_redirect_url = 1;
  // Auth Session ID which the client is supposed to use in the subsequent
  // DMServer request (to be sent after SAML flow completes).
  optional string auth_session_id = 2;
}

// Gets a URL to the SAML IdP authentication flow for using it with public
// SAML session. Sent when a user logs in to a SAML public session account.
message PublicSamlUserRequest {
  // Identifier for the public SAML account. Same as
  // DeviceLocalAccountInfoProto.account_id.
  optional string account_id = 1;
}

// The result when a user logs in to a SAML public session account.
message PublicSamlUserResponse {
  // SAML flow parameters are specified in this proto.
  optional SamlParametersProto saml_parameters = 1;
}

// Reports that a managed Google Play account is used. This makes the garbage
// collection of accounts possible by reporting the ones which are still in use.
message ActiveDirectoryPlayActivityRequest {
  // The user id received in ActiveDirectoryEnrollPlayUserResponse which
  // identifies the user.
  optional string user_id = 1;
}

// Response to the Play account activity request.
message ActiveDirectoryPlayActivityResponse {}

// DEPRECATED: Request to retrieve available device licenses. User auth token
// or auth cookie must be provided with DeviceManagementRequest when
// CheckDeviceLicenseRequest is being sent.
// See go/cdm-mixed-license-pool for more info
message CheckDeviceLicenseRequest {}

// Represents availability of a single license type.
message LicenseAvailability {
  // License type.
  optional LicenseType license_type_deprecated = 1 [deprecated = true];

  // Remaining available licenses (can be 0).
  optional int32 available_licenses_deprecated = 2 [deprecated = true];
}

// DEPRECATED: Response to a check device license request.
message CheckDeviceLicenseResponse {
  enum LicenseSelectionMode {
    // Should not happen, included for compatibility.
    UNDEFINED = 0;
    // User is allowed to choose license.
    USER_SELECTION = 1;
    // Admin controls license selection preferences through management UI.
    ADMIN_SELECTION = 2;
  }

  // Policy setting value for license selection mode.
  optional LicenseSelectionMode license_selection_mode_deprecated = 1
      [deprecated = true];

  // Provides available license counts for each purchased license type.
  // This field would list each subscription for the domain even if all licenses
  // have been used up (in which case the available_licenses_deprecated field
  // is set to zero).
  //
  // If license_selection_mode_deprecated == USER_SELECTION and this field
  // contains more than one entry then device should display a screen asking
  // user to choose license type and send selected license type value in the
  // DeviceRegisterRequest.license_type field.
  repeated LicenseAvailability license_availabilities_deprecated = 2
      [deprecated = true];
}

// Sign in an Active Directory user using SAML SSO. The device management server
// redirects the client to the Active Directory server in order to authenticate
// and identify the Active Directory user. Active Directory redirects the client
// back to the device management server with an assertion of the Active
// Directory user's identity. The device management server then redirects the
// client to Google's authentication service in order to provision the user on
// the device.
message ActiveDirectoryUserSigninRequest {}

// Response to ActiveDirectoryUserSigninRequest.
message ActiveDirectoryUserSigninResponse {
  // Initial Redirect URL to start the SAML flow.
  optional string auth_redirect_url = 1;
}

// Contains information about the TPM used on the device.
// NOTE(review): the individual fields are not documented here; their meaning
// and encoding should be confirmed against the code that fills them in.
message TpmVersionInfo {
  optional uint32 family = 1;
  optional uint64 spec_level = 2;
  optional uint32 manufacturer = 3;
  optional uint32 tpm_model = 4;
  optional uint64 firmware_version = 5;
  optional string vendor_specific = 6;
}

// Contains status of the TPM unit. These fields come from GetTpmStatusReply
// proto message from Chrome OS side (dbus/cryptohome/rpc.proto).
message TpmStatusInfo {
  optional bool enabled = 1;
  optional bool owned = 2;
  // This field was previously named "initialized", but that's not a valid name
  // for a proto field since it generates isInitialized method for the Java
  // binding which collides with the isInitialized method that exists for all
  // Java protos.
  optional bool tpm_initialized = 3;
  optional bool attestation_prepared = 4;
  optional bool attestation_enrolled = 5;
  // Dictionary-attack protection state.
  // NOTE(review): presumably the count of failed authorization attempts, the
  // count at which lockout starts, whether lockout is active and the seconds
  // until it lifts -- confirm against GetTpmStatusReply.
  optional int32 dictionary_attack_counter = 6;
  optional int32 dictionary_attack_threshold = 7;
  optional bool dictionary_attack_lockout_in_effect = 8;
  optional int32 dictionary_attack_lockout_seconds_remaining = 9;
  optional bool boot_lockbox_finalized = 10;
}

// System state included with some log events.
2869message SystemState { 2870 // VolumeInfo is reused from existing Chrome reporting. 2871 repeated VolumeInfo volume_infos = 1; 2872} 2873 2874// A single entry in the install log for an extension. 2875message ExtensionInstallReportLogEvent { 2876 // Enumerates the possible event types. 2877 enum EventType { 2878 // Not used. 2879 LOG_EVENT_TYPE_UNKNOWN = 0; 2880 // Requested by policy to install the extension. 2881 POLICY_REQUEST = 1; 2882 // Install success. 2883 SUCCESS = 2; 2884 // Request canceled. 2885 CANCELED = 3; 2886 // Connectivity state changed. 2887 CONNECTIVITY_CHANGE = 4; 2888 // Session state changed. 2889 SESSION_STATE_CHANGE = 5; 2890 // Extension installation failed. 2891 INSTALLATION_FAILED = 6; 2892 } 2893 2894 // Enumerates the possible changes in session state. 2895 enum SessionStateChangeType { 2896 // Not used. 2897 SESSION_STATE_CHANGE_TYPE_UNKNOWN = 0; 2898 // Session starting. 2899 LOGIN = 1; 2900 // Session ending. 2901 LOGOUT = 2; 2902 // Suspending. 2903 SUSPEND = 3; 2904 // Resuming. 2905 RESUME = 4; 2906 } 2907 2908 // Possible failure reasons. See InstallStageTracker::FailureReason for more 2909 // details. InstallStageTracker::FailureReason is the main enum and this is 2910 // a copy used for reporting purposes. 
2911 enum FailureReason { 2912 FAILURE_REASON_UNKNOWN = 0; 2913 INVALID_ID = 1; 2914 MALFORMED_EXTENSION_SETTINGS = 2; 2915 REPLACED_BY_ARC_APP = 3; 2916 MALFORMED_EXTENSION_DICT = 4; 2917 NOT_SUPPORTED_EXTENSION_DICT = 5; 2918 MALFORMED_EXTENSION_DICT_FILE_PATH = 6; 2919 MALFORMED_EXTENSION_DICT_VERSION = 7; 2920 MALFORMED_EXTENSION_DICT_UPDATE_URL = 8; 2921 LOCALE_NOT_SUPPORTED = 9; 2922 NOT_PERFORMING_NEW_INSTALL = 10; 2923 TOO_OLD_PROFILE = 11; 2924 DO_NOT_INSTALL_FOR_ENTERPRISE = 12; 2925 ALREADY_INSTALLED = 13; 2926 CRX_FETCH_FAILED = 14; 2927 MANIFEST_FETCH_FAILED = 15; 2928 MANIFEST_INVALID = 16; 2929 NO_UPDATE = 17; 2930 CRX_INSTALL_ERROR_DECLINED = 18; 2931 CRX_INSTALL_ERROR_SANDBOXED_UNPACKER_FAILURE = 19; 2932 CRX_INSTALL_ERROR_OTHER = 20; 2933 NO_UPDATE_URL = 21; 2934 PENDING_ADD_FAILED = 22; 2935 DOWNLOADER_ADD_FAILED = 23; 2936 IN_PROGRESS = 24; 2937 CRX_FETCH_URL_EMPTY = 25; 2938 CRX_FETCH_URL_INVALID = 26; 2939 OVERRIDDEN_BY_SETTINGS = 27; 2940 } 2941 2942 // Stage of extension installing process. See InstallStageTracker::Stage for 2943 // more details. InstallStageTracker::Stage is the main enum and this is 2944 // a copy used for reporting purposes. The entries are in the order they occur 2945 // in the installation process. 2946 enum InstallationStage { 2947 INSTALLATION_STAGE_UNKNOWN = 0; 2948 CREATED = 1; 2949 PENDING = 2; 2950 DOWNLOADING = 3; 2951 INSTALLING = 4; 2952 COMPLETE = 5; 2953 } 2954 2955 // Type of current user. See user_manager::UserType for more details. 2956 // user_manager::UserType is the main enum and this is a copy used for 2957 // reporting purposes. 
2958 enum UserType { 2959 USER_TYPE_UNKNOWN = 0; 2960 USER_TYPE_REGULAR = 1; 2961 USER_TYPE_GUEST = 2; 2962 USER_TYPE_PUBLIC_ACCOUNT = 3; 2963 USER_TYPE_SUPERVISED = 4; 2964 USER_TYPE_KIOSK_APP = 5; 2965 USER_TYPE_CHILD = 6; 2966 USER_TYPE_ARC_KIOSK_APP = 7; 2967 USER_TYPE_ACTIVE_DIRECTORY = 8; 2968 USER_TYPE_WEB_KIOSK_APP = 9; 2969 } 2970 2971 // Current stage of the extension downloading process. See 2972 // ExtensionDownloaderDelegate::Stage for more details. 2973 // ExtensionDownloaderDelegate::Stage is the main enum and this is a copy used 2974 // for reporting purposes. 2975 enum DownloadingStage { 2976 DOWNLOADING_STAGE_UNKNOWN = 0; 2977 DOWNLOAD_PENDING = 1; 2978 QUEUED_FOR_MANIFEST = 2; 2979 DOWNLOADING_MANIFEST = 3; 2980 DOWNLOADING_MANIFEST_RETRY = 4; 2981 PARSING_MANIFEST = 5; 2982 MANIFEST_LOADED = 6; 2983 QUEUED_FOR_CRX = 7; 2984 DOWNLOADING_CRX = 8; 2985 DOWNLOADING_CRX_RETRY = 9; 2986 FINISHED = 10; 2987 } 2988 2989 // Current stage of the extension creation process. See 2990 // InstallStageTracker::InstallCreationStage for more details. 2991 // InstallStageTracker::InstallCreationStage is the main enum and this is a 2992 // copy used for reporting purposes. 2993 enum InstallCreationStage { 2994 INSTALL_CREATION_STAGE_UNKNOWN = 0; 2995 CREATION_INITIATED = 1; 2996 NOTIFIED_FROM_MANAGEMENT_INITIAL_CREATION_FORCED = 2; 2997 NOTIFIED_FROM_MANAGEMENT_INITIAL_CREATION_NOT_FORCED = 3; 2998 NOTIFIED_FROM_MANAGEMENT = 4; 2999 NOTIFIED_FROM_MANAGEMENT_NOT_FORCED = 5; 3000 SEEN_BY_POLICY_LOADER = 6; 3001 SEEN_BY_EXTERNAL_PROVIDER = 7; 3002 } 3003 3004 // Status of cache when an attempt is made to fetch the extension from it 3005 // during the downloading process. See 3006 // ExtensionDownloaderDelegate::CacheStatus for more details. 3007 // ExtensionDownloaderDelegate::CacheStatus is the main enum and this is a 3008 // copy used for reporting purposes. 
3009 enum DownloadCacheStatus { 3010 CACHE_UNKNOWN = 0; 3011 CACHE_DISABLED = 1; 3012 CACHE_MISS = 2; 3013 CACHE_OUTDATED = 3; 3014 CACHE_HIT = 4; 3015 CACHE_HIT_ON_MANIFEST_FETCH_FAILURE = 5; 3016 } 3017 3018 // All the ways SandboxedUnpacker can fail. See 3019 // extensions::SandboxedUnpackerFailureReason for more details. 3020 // extensions::SandboxedUnpackerFailureReason is the main enum and this is a 3021 // copy used for reporting purposes. 3022 enum SandboxedUnpackerFailureReason { 3023 SANDBOXED_UNPACKER_FAILURE_REASON_UNKNOWN = 0; 3024 COULD_NOT_GET_TEMP_DIRECTORY = 1; 3025 COULD_NOT_CREATE_TEMP_DIRECTORY = 2; 3026 FAILED_TO_COPY_EXTENSION_FILE_TO_TEMP_DIRECTORY = 3; 3027 COULD_NOT_GET_SANDBOX_FRIENDLY_PATH = 4; 3028 COULD_NOT_LOCALIZE_EXTENSION = 5; 3029 INVALID_MANIFEST = 6; 3030 UNPACKER_CLIENT_FAILED = 7; 3031 UTILITY_PROCESS_CRASHED_WHILE_TRYING_TO_INSTALL = 8; 3032 CRX_FILE_NOT_READABLE = 9; 3033 CRX_HEADER_INVALID = 10; 3034 CRX_MAGIC_NUMBER_INVALID = 11; 3035 CRX_VERSION_NUMBER_INVALID = 12; 3036 CRX_EXCESSIVELY_LARGE_KEY_OR_SIGNATURE = 13; 3037 CRX_ZERO_KEY_LENGTH = 14; 3038 CRX_ZERO_SIGNATURE_LENGTH = 15; 3039 CRX_PUBLIC_KEY_INVALID = 16; 3040 CRX_SIGNATURE_INVALID = 17; 3041 CRX_SIGNATURE_VERIFICATION_INITIALIZATION_FAILED = 18; 3042 CRX_SIGNATURE_VERIFICATION_FAILED = 19; 3043 ERROR_SERIALIZING_MANIFEST_JSON = 20; 3044 ERROR_SAVING_MANIFEST_JSON = 21; 3045 COULD_NOT_READ_IMAGE_DATA_FROM_DISK_UNUSED = 22; 3046 DECODED_IMAGES_DO_NOT_MATCH_THE_MANIFEST_UNUSED = 23; 3047 INVALID_PATH_FOR_BROWSER_IMAGE = 24; 3048 ERROR_REMOVING_OLD_IMAGE_FILE = 25; 3049 INVALID_PATH_FOR_BITMAP_IMAGE = 26; 3050 ERROR_RE_ENCODING_THEME_IMAGE = 27; 3051 ERROR_SAVING_THEME_IMAGE = 28; 3052 DEPRECATED_ABORTED_DUE_TO_SHUTDOWN = 29; 3053 COULD_NOT_READ_CATALOG_DATA_FROM_DISK_UNUSED = 30; 3054 INVALID_CATALOG_DATA = 31; 3055 INVALID_PATH_FOR_CATALOG_UNUSED = 32; 3056 ERROR_SERIALIZING_CATALOG = 33; 3057 ERROR_SAVING_CATALOG = 34; 3058 CRX_HASH_VERIFICATION_FAILED = 35; 3059 
UNZIP_FAILED = 36; 3060 DIRECTORY_MOVE_FAILED = 37; 3061 CRX_FILE_IS_DELTA_UPDATE = 38; 3062 CRX_EXPECTED_HASH_INVALID = 39; 3063 DEPRECATED_ERROR_PARSING_DNR_RULESET = 40; 3064 ERROR_INDEXING_DNR_RULESET = 41; 3065 CRX_REQUIRED_PROOF_MISSING = 42; 3066 } 3067 3068 // Reason why extension failed due to failure reason MANIFEST_INVALID. See 3069 // extensions::ManifestInvalidError for more details. 3070 // extensions::ManifestInvalidError is the main enum and this is a 3071 // copy used for reporting purposes. 3072 enum ManifestInvalidError { 3073 MANIFEST_INVALID_ERROR_UNKNOWN = 0; 3074 XML_PARSING_FAILED = 1; 3075 INVALID_XLMNS_ON_GUPDATE_TAG = 2; 3076 MISSING_GUPDATE_TAG = 3; 3077 INVALID_PROTOCOL_ON_GUPDATE_TAG = 4; 3078 MISSING_APP_ID = 5; 3079 MISSING_UPDATE_CHECK_TAGS = 6; 3080 MULTIPLE_UPDATE_CHECK_TAGS = 7; 3081 INVALID_PRODVERSION_MIN = 8; 3082 EMPTY_CODEBASE_URL = 9; 3083 INVALID_CODEBASE_URL = 10; 3084 MISSING_VERSION_FOR_UPDATE_CHECK = 11; 3085 INVALID_VERSION = 12; 3086 BAD_UPDATE_SPECIFICATION = 13; 3087 BAD_APP_STATUS = 14; 3088 } 3089 3090 // Extended error code if the extension installation failed due to CRX install 3091 // error. See extensions::CrxInstallErrorDetail for more details. 3092 // extensions::CrxInstallErrorDetail is the main enum and this is a 3093 // copy used for reporting purposes. 
3094 enum CrxInstallErrorDetail { 3095 CRX_INSTALL_ERROR_DETAIL_UNKNOWN = 0; 3096 CONVERT_USER_SCRIPT_TO_EXTENSION_FAILED = 1; 3097 UNEXPECTED_ID = 2; 3098 UNEXPECTED_VERSION = 3; 3099 MISMATCHED_VERSION = 4; 3100 CRX_ERROR_MANIFEST_INVALID = 5; 3101 INSTALL_NOT_ENABLED = 6; 3102 OFFSTORE_INSTALL_DISALLOWED = 7; 3103 INCORRECT_APP_CONTENT_TYPE = 8; 3104 NOT_INSTALLED_FROM_GALLERY = 9; 3105 INCORRECT_INSTALL_HOST = 10; 3106 DEPENDENCY_NOT_SHARED_MODULE = 11; 3107 DEPENDENCY_OLD_VERSION = 12; 3108 DEPENDENCY_NOT_ALLOWLISTED = 13; 3109 UNSUPPORTED_REQUIREMENTS = 14; 3110 EXTENSION_IS_BLOCKLISTED = 15; 3111 DISALLOWED_BY_POLICY = 16; 3112 KIOSK_MODE_ONLY = 17; 3113 OVERLAPPING_WEB_EXTENT = 18; 3114 CANT_DOWNGRADE_VERSION = 19; 3115 MOVE_DIRECTORY_TO_PROFILE_FAILED = 20; 3116 CANT_LOAD_EXTENSION = 21; 3117 USER_CANCELED = 22; 3118 USER_ABORTED = 23; 3119 UPDATE_NON_EXISTING_EXTENSION = 24; 3120 } 3121 3122 // Timestamp, in microseconds since epoch. Set for all log 3123 // events. 3124 optional int64 timestamp = 1; 3125 3126 // Event type. Set for all log events. 3127 optional EventType event_type = 2; 3128 3129 // Total and available space on the stateful partition, in bytes. Set for 3130 // event types INSTALLATION_FAILED and SUCCESS. 3131 optional int64 stateful_total = 3; 3132 optional int64 stateful_free = 4; 3133 3134 // Network state. Set for event type SESSION_STATE_CHANGE of type LOGIN and 3135 // CONNECTIVITY_CHANGE. 3136 optional bool online = 5; 3137 3138 // Type of session state change. Set for event type SESSION_STATE_CHANGE. 3139 optional SessionStateChangeType session_state_change_type = 6; 3140 3141 // Type of failure reason. Set for event type INSTALLATION_FAILED. 3142 optional FailureReason failure_reason = 7; 3143 3144 // Stage of installation process. 3145 optional InstallationStage installation_stage = 8; 3146 3147 // Stage of downloading process. 3148 optional DownloadingStage downloading_stage = 9; 3149 3150 // Type of the extension. 
// Set for event type SUCCESS and sometimes (when
  // possible) for INSTALLATION_FAILED.
  optional Extension.ExtensionType extension_type = 10;

  // Type of the current user.
  optional UserType user_type = 11;

  // Whether the current user is new.
  optional bool is_new_user = 12;

  // Whether the current failure is an admin-side misconfiguration failure. Set
  // for event type INSTALLATION_FAILED.
  optional bool is_misconfiguration_failure = 13;

  // Stage of install creation process.
  optional InstallCreationStage install_creation_stage = 14;

  // Status of cache during downloading process.
  optional DownloadCacheStatus download_cache_status = 15;

  // Detailed reason why unpacking of extension failed.
  optional SandboxedUnpackerFailureReason unpacker_failure_reason = 16;

  // Detailed reason why extension failed due to failure reason
  // MANIFEST_INVALID.
  optional ManifestInvalidError manifest_invalid_error = 17;

  // Extended error code if the extension installation failed due to CRX install
  // error.
  optional CrxInstallErrorDetail crx_install_error_detail = 18;

  // Fetch error code when failure_reason is CRX_FETCH_FAILED or
  // MANIFEST_FETCH_FAILED.
  optional int32 fetch_error_code = 19;

  // Number of fetch tries made when failure reason is CRX_FETCH_FAILED or
  // MANIFEST_FETCH_FAILED.
  optional int32 fetch_tries = 20;
}

// A single entry in the push-install log for an app.
//
// Which optional fields are populated depends on |event_type|; each field
// comment names the event types it is set for. Every field is proto2
// `optional`, so a consumer must check presence rather than rely on defaults.
message AppInstallReportLogEvent {
  // Enumerates the possible event types.
  enum EventType {
    // Not used.
    LOG_EVENT_TYPE_UNKNOWN = 0;
    // Request received by device
    SERVER_REQUEST = 1;
    // Request forwarded to CloudDPC
    CLOUDDPC_REQUEST = 2;
    // Request forwarded to CloudDPS
    CLOUDDPS_REQUEST = 3;
    // Response received from CloudDPS
    CLOUDDPS_RESPONSE = 4;
    // Log line written by Phonesky
    PHONESKY_LOG = 5;
    // Install success
    SUCCESS = 6;
    // Request canceled
    CANCELED = 7;
    // Connectivity state changed
    CONNECTIVITY_CHANGE = 8;
    // Session state changed
    SESSION_STATE_CHANGE = 9;
    // Package installation started
    INSTALLATION_STARTED = 10;
    // Package installation finished
    INSTALLATION_FINISHED = 11;
    // Package installation failed
    INSTALLATION_FAILED = 12;
    // Direct install scheduled
    DIRECT_INSTALL = 13;
    // No more regular attempts to install
    CLOUDDPC_MAIN_LOOP_FAILED = 14;
  }

  // Enumerates the possible changes in session state.
  enum SessionStateChangeType {
    // Not used.
    SESSION_STATE_CHANGE_TYPE_UNKNOWN = 0;
    // Session starting
    LOGIN = 1;
    // Session ending
    LOGOUT = 2;
    // Suspending
    SUSPEND = 3;
    // Resuming
    RESUME = 4;
  }

  // Timestamp, in microseconds since epoch. Set for all log
  // events.
  // Note the unit: other reports in this file carry millisecond timestamps.
  optional int64 timestamp = 1;

  // Event type. Set for all log events.
  optional EventType event_type = 2;

  // Total and available space on the stateful partition, in bytes. Set for
  // event types SERVER_REQUEST, CLOUDDPS_RESPONSE, INSTALLATION_STARTED,
  // INSTALLATION_FINISHED, INSTALLATION_FAILED and SUCCESS.
  optional int64 stateful_total = 3;
  optional int64 stateful_free = 4;

  // CloudDPS response. Set for event type CLOUDDPS_RESPONSE.
  optional int32 clouddps_response = 5;

  // Log line written by Phonesky. Set for event type PHONESKY_LOG.
  // NOTE(review): this is free-form text produced by another component and
  // relayed as-is as far as this schema shows; consumers should handle it as
  // untrusted text, and it is worth confirming that it cannot carry account
  // identifiers or tokens.
  optional string phonesky_log = 6;

  // Network state. Set for event type SESSION_STATE_CHANGE of type LOGIN and
  // CONNECTIVITY_CHANGE.
  optional bool online = 7;

  // Type of session state change. Set for event type SESSION_STATE_CHANGE.
  optional SessionStateChangeType session_state_change_type = 8;

  // ARC++ Android id.
  // NOTE(review): presumably a stable per-device identifier; confirm it is
  // covered by the same retention and access rules as other device ids.
  optional int64 android_id = 9;
}

// Log bucket for an extension: all install log events recorded for one
// extension id.
message ExtensionInstallReport {
  // Extension id for the extension.
  optional string extension_id = 1;

  // Whether the log is incomplete, e.g. due to the log ring buffer overflowing
  // or disk corruption.
  // When set, events may be missing, so the absence of an event in |logs| is
  // not evidence that it did not happen.
  optional bool incomplete = 2;

  // Log events for the extension.
  repeated ExtensionInstallReportLogEvent logs = 3;
}

// Log bucket for an ARC++ app: all push-install log events recorded for one
// package.
message AppInstallReport {
  // Package name of the app.
  optional string package = 1;

  // Whether the log is incomplete, e.g. due to the log ring buffer overflowing
  // or disk corruption.
  // When set, events may be missing, so the absence of an event in |logs| is
  // not evidence that it did not happen.
  optional bool incomplete = 2;

  // Log events for the app.
  repeated AppInstallReportLogEvent logs = 3;
}

// Push-install logs for all ARC++ apps.
message AppInstallReportRequest {
  // Log buckets for each app.
  repeated AppInstallReport app_install_reports = 1;
}

// Installation logs for all extensions.
message ExtensionInstallReportRequest {
  // Log buckets for each extension.
  repeated ExtensionInstallReport extension_install_reports = 1;
}

// Response from server after receiving a report on the status of app
// push-installs.
// Carries no fields.
message AppInstallReportResponse {}

// Request from device to stop using a previously issued service account.
// The identity of a freshly-issued service account will be returned by a
// subsequent device policy fetch (see the |service_account_identity| field in
// |PolicyData|) and auth codes tied to the new service account can be retrieved
// by subsequent |DeviceServiceApiAccessRequest| requests.
message RefreshAccountRequest {
  // Kind of account whose service account should be refreshed.
  enum AccountType {
    // Default value; does not name an account type.
    ACCOUNT_TYPE_UNSPECIFIED = 0;

    // Refresh demo mode user account.
    // See go/cros-demo-mode and go/demo-mode-account-brainstorm.
    CHROME_OS_DEMO_MODE = 1;
  }

  // Account type this refresh applies to.
  optional AccountType account_type = 1;
}

// Response from server after receiving a request to refresh the service
// account.
// Carries no fields; the new identity arrives via a later policy fetch, as
// described on RefreshAccountRequest.
message RefreshAccountResponse {}

// Request from device to upload RSU lookup key.
message RsuLookupKeyUploadRequest {
  // Google brand code for the given device SKU.
  optional bytes board_id = 1;

  // Hashed Cr50 device ID.
  // NOTE(review): the hash function and any salting are not stated in this
  // file; confirm them before comparing values across systems.
  optional bytes cr50_hashed_device_id = 2;
}

// Response to {@code RsuLookupKeyUploadRequest}.
message RsuLookupKeyUploadResponse {
  // Whether RSU lookup key was received.
  optional bool rsu_lookup_key_updated = 1;
}

// Provides information about an installed app.
message App {
  // Enum listing the available types of the apps.
  // Aligned with apps::mojom::AppType.
  enum AppType {
    // Unknown/undefined.
    UNKNOWN = 0;
    // ARC++/Android app.
    ARC = 1;
    // Built-in app.
    BUILT_IN = 2;
    // Linux/crostini app.
    CROSTINI = 3;
    // Chrome extension.
    EXTENSION = 4;
    // Progressive web app.
    WEB = 5;
    // Plugin VM app.
    PLUGIN_VM = 6;
    // Borealis VM app.
    BOREALIS = 7;
  }

  // ID of the installed application. Package name for Android apps and 32
  // character long app id for other applications (PWAs, Extensions, Built-in
  // apps).
  // The format therefore depends on |app_type|; the schema itself does not
  // enforce either format.
  optional string app_id = 1;

  // Type of the application.
  optional AppType app_type = 2;

  // Additional IDs of the installed application, if any exist.
  // For example it will contain Chrome style 32 character long ids for Android
  // apps, that use package name as their primary ID.
  repeated string additional_app_id = 3;
}

// Information about app activity used for Per-App Time Limits feature.
message AppActivity {
  // Enumerates different states that the app can have.
  enum AppState {
    // State not known.
    UNKNOWN = 0;
    // Default state - no restrictions enforced.
    DEFAULT = 1;
    // Important app that cannot be blocked, because it is essential for the OS.
    ALWAYS_AVAILABLE = 2;
    // App blocked on the client.
    BLOCKED = 3;
    // App reached usage limit on the client.
    LIMIT_REACHED = 4;
    // App was uninstalled. It still might have some recent unreported activity.
    UNINSTALLED = 5;
  }

  // App identifying information.
  optional App app_info = 1;

  // A list of time periods when the app was active.
  repeated TimePeriod active_time_periods = 2;

  // Timestamp when this activity data was populated.
  // Specified in milliseconds since Epoch in UTC timezone (Java time).
  optional int64 populated_at = 3;

  // State of the app on client at the time of reporting. To maintain
  // consistency and help debugging between client and Family Link.
  // This is the client's self-reported view of the app state.
  optional AppState app_state = 4;
}

// Models a window for screen time.
message ScreenTimeSpan {
  // The window this span covers.
  optional TimePeriod time_period = 1;

  // The actual activity duration during a particular time period window
  // (in milliseconds).
  // NOTE(review): presumably no larger than the length of |time_period|;
  // nothing in the schema enforces that, so confirm where it is validated.
  optional int64 active_duration_ms = 2;
}

// Informs the server about the current state of a child user's session, to
// allow parent supervision.
message ChildStatusReportRequest {
  // The user's DMToken.
  // The header comment on DeviceManagementRequest shows DM tokens being
  // presented as `Authorization: GoogleDMToken token=...`, i.e. the token acts
  // as a credential. Handle this field as a secret: keep it out of logs, crash
  // reports and debug dumps of the message.
  // NOTE(review): presumably the server checks that this token agrees with the
  // one in the Authorization header of the same request; confirm.
  optional string user_dm_token = 1;

  // Timestamp of this status report in milliseconds since epoch.
  optional int64 timestamp_ms = 2;

  // Time zone id of the active user (e.g. America/Sao_Paulo).
  // For more details check `third_party/icu/source/i18n/unicode/timezone.h`.
  optional string time_zone = 3;

  // A list of time spans when the screen was on during the user's session.
  repeated ScreenTimeSpan screen_time_span = 4;

  // Information about ARC status.
  optional AndroidStatus android_status = 5;

  // The OS version reported by the device is a platform version
  // e.g. 1435.0.2011_12_16_1635.
  optional string os_version = 6;

  // "Verified", "Dev". Same as verified mode.
  // If the mode is unknown, this field should not be set.
  // The value is reported by the client itself.
  optional string boot_mode = 7;

  // A list of per-app activity used for Per-App Time Limits feature.
  // It might not be sent in every report.
  repeated AppActivity app_activity = 8;

  // A list of applications which are hidden from the user.
  repeated App hidden_app = 9;

  // Next id: 10.
}

// Response from DMServer to update user devices' status.
// It is possible for the status report to fail while the policy request
// succeeds. In that case, the ChildStatusReportResponse will contain an error
// code and the device should re-send status report data in the next policy
// request. The device should also re-send report data if the policy request
// fails, even if ChildStatusReportResponse contains no error code.
message ChildStatusReportResponse {
  // Error code for the status report; absent when the report was accepted
  // (see the message comment for the re-send rules).
  optional int32 error_code = 1;

  // Human readable error message for customer support purpose.
  // Free-form text from the server; display it as plain text and do not make
  // control-flow decisions on it, use |error_code| for that.
  optional string error_message = 2;
}

// Hashing Algorithm for Client Certificate Provisioning Flow.
enum HashingAlgorithm {
  // DO NOT USE
  HASHING_ALGORITHM_UNSPECIFIED = 0;

  // NOTE(review): SHA-1 is no longer collision resistant. Confirm that it is
  // kept only for certificate authorities that cannot accept SHA256, and that
  // SHA256 is chosen whenever both sides support it.
  SHA1 = 1;
  SHA256 = 2;
}

// Signing Algorithm for Client Certificate Provisioning Flow.
enum SigningAlgorithm {
  // DO NOT USE
  SIGNING_ALGORITHM_UNSPECIFIED = 0;

  // The only signing scheme defined here.
  RSA_PKCS1_V1_5 = 1;
}

// Client Certificate Provisioning Flow, Stage 1: Start a CSR request.
// No additional fields because cert_profile_id and public_key are passed in the
// outer message.
message StartCsrRequest {}

// Server reply to StartCsrRequest: tells the client what to sign and how.
message StartCsrResponse {
  // The client should register for FCM messages using this topic in order to
  // receive notifications for the certificate provisioning process.
  optional string invalidation_topic = 1;

  // The verified access challenge.
  optional bytes va_challenge = 2;

  // Algorithm to hash data with before signing.
  // Field number 5 is out of declaration order; the numbers are the wire
  // contract and must not be renumbered.
  // A client should reject HASHING_ALGORITHM_UNSPECIFIED (marked DO NOT USE)
  // and any value it does not recognise rather than fall back to a default.
  optional HashingAlgorithm hashing_algorithm = 5;

  // Algorithm to sign data with for CSR creation.
  // As above, SIGNING_ALGORITHM_UNSPECIFIED and unrecognised values should be
  // rejected.
  optional SigningAlgorithm signing_algorithm = 3;

  // Data to sign for CSR creation.
  // NOTE(review): the bytes are chosen by the server and signed with the
  // client's private key. Presumably that key pair is dedicated to this
  // provisioning flow, so a signature over arbitrary server-supplied data has
  // no meaning elsewhere; confirm.
  optional bytes data_to_sign = 4;
}

// Client Certificate Provisioning Flow, Stage 2: Finish the CSR request.
message FinishCsrRequest {
  // Verified access challenge response.
  optional bytes va_challenge_response = 1;

  // The signature generated using the private key.
  // NOTE(review): presumably computed over StartCsrResponse.data_to_sign with
  // the hashing and signing algorithms named there; confirm.
  optional bytes signature = 2;
}

// Server reply to FinishCsrRequest. Carries no fields.
message FinishCsrResponse {}

// Client Certificate Provisioning Flow, Stage 3: Download the issued
// certificate.
message DownloadCertRequest {}

// Server reply to DownloadCertRequest.
message DownloadCertResponse {
  // PEM-encoded issued certificate.
  // NOTE(review): presumably the client checks that the certificate's public
  // key equals the |public_key| it sent in
  // ClientCertificateProvisioningRequest before installing it; confirm.
  optional string pem_encoded_certificate = 1;
}

// Start / continue client certificate provisioning process for the profile
// |cert_profile_id|.
//
// The three stages (start CSR, finish CSR, download certificate) share this
// envelope; exactly one stage message is carried in the |request| oneof.
message ClientCertificateProvisioningRequest {
  // The scope of the certificate. Similar to policy_type in PolicyFetchRequest.
  // google/chromeos/device => a certificate for a device is being requested.
  // google/chromeos/user => a certificate for a user is being requested.
  optional string certificate_scope = 1;

  // The id of the client certificate profile, specified in the policy.
  optional string cert_profile_id = 2;

  // The public key for which the certificate should be issued. It's a
  // DER-serialized X.509 SubjectPublicKeyInfo.
  // The server can refuse it with Error.BAD_PUBLIC_KEY.
  optional bytes public_key = 3;

  // Only filled if this is a request for a certificate for a user.
  // A DM token is used as a credential elsewhere in this protocol; keep this
  // value out of logs and debug dumps of the message.
  optional string device_dm_token = 4;

  // The stage being requested.
  oneof request {
    StartCsrRequest start_csr_request = 5;
    FinishCsrRequest finish_csr_request = 6;
    DownloadCertRequest download_cert_request = 7;
  }

  // Received as part of policy for client certificate profiles. The client
  // should not interpret this data and should forward it verbatim. DMServer
  // uses |policy_version| as a hint to verify that the policy view of DMServer
  // matches the view of Chrome OS device.
  optional bytes policy_version = 8;
}

// Response for ClientCertificateProvisioningRequest.
message ClientCertificateProvisioningResponse {
  // Error conditions that the server side reports to the client that don't fit
  // into the standard HTTP error schema.
  // Note that HTTP errors can still be signaled for the client certificate
  // provisioning requests, e.g. bad DMToken or internal errors will be
  // propagated as HTTP errors.
  enum Error {
    UNDEFINED = 0;
    // The backend has not received a certificate within the time limit.
    TIMED_OUT = 1;
    // The identity of the client could not be verified.
    IDENTITY_VERIFICATION_ERROR = 2;
    // The CA encountered an error when processing the certification request.
    CA_ERROR = 3;
    // The client has sent inconsistent data.
    INCONSISTENT_DATA = 4;
    // The backend does not accept the public key sent by the client.
    BAD_PUBLIC_KEY = 5;
  }

  // If filled, the request can currently not be processed and the client
  // is supposed to try again later using the same data.
  // The value is the number of milliseconds when the client should
  // automatically retry.
  // NOTE(review): the wording leaves open whether this is a delay or an
  // absolute time; presumably a delay in milliseconds. Confirm, and have the
  // client clamp the value to a sane range before scheduling the retry.
  optional int64 try_again_later = 1;

  // Either an error or the reply for the stage that was requested.
  oneof response {
    Error error = 2;
    StartCsrResponse start_csr_response = 3;
    FinishCsrResponse finish_csr_response = 4;
    DownloadCertResponse download_cert_response = 5;
  }
}

// Request from the DMAgent on the device to the DMServer. This is
// container for all requests from device to server. The overall HTTP
// request MUST be in the following format:
//
// * HTTP method is POST
// * Data mime type is application/x-protobuffer
//   * See GoogleContentTypeEnum.java
// * HTTP parameters are (all required, all case sensitive):
//   * request: MUST BE one of
//     * api_authorization
//     * cert_upload
//     * check_device_pairing
//     * device_pairing
//     * device_state_retrieval
//     * enterprise_check
//     * enterprise_psm_check
//     * chrome_desktop_report
//     * chrome_os_user_report
//     * ping
//     * policy
//     * register
//     * status_upload
//     * unregister
//     * remote_commands
//     * attribute_update_permission
//     * attribute_update
//     * gcm_id_update
//     * check_android_management
//     * certificate_based_register
//     * active_directory_enroll_play_user
//     * active_directory_play_activity
//     * active_directory_user_signin
//     * register_browser
//     * policy_validation_report
//     * device_initial_enrollment_state
//     * refresh_account
//     * client_cert_provisioning
//   * devicetype: MUST BE "1" for Android, "2" for Chrome OS or "3" for Chrome
//     browser.
//   * apptype: MUST BE Android or Chrome.
//   * deviceid: MUST BE no more than 64-char in [\x21-\x7E].
//   * agent: MUST BE no more than 64-char long.
// * HTTP Authorization header MUST be in the following formats:
//   * For register, ping, check_android_management
//     requests with user authentication
//     Authorization: GoogleLogin auth=<auth cookie for Mobile Sync>
//
//   * For register for Chrome browsers
//     Authorization: GoogleEnrollmentToken token=<enrollment token>
//
//   * For unregister, policy, status, cert_upload, remote_commands,
//     gcm_id_update, active_directory_enroll_play_user,
//     active_directory_play_activity, active_directory_user_signin,
//     policy_validation_report, chrome_desktop_report,
//     chrome_os_user_report, refresh_account, client_cert_provisioning requests
//     Authorization: GoogleDMToken token=<dm token from register>
//
//   * The Authorization header isn't used for enterprise_check,
//     enterprise_psm_check, device_initial_enrollment_state or
//     certificate_based_register requests, nor for register
//     requests using OAuth. In the latter case, the OAuth
//     token is passed in the "oauth" parameter.
//
// NOTE(review): the auth cookie, enrollment token, DM token and OAuth token
// above are all credentials. If the "oauth" parameter travels in the URL query
// string it can end up in proxy and server access logs; confirm where it is
// carried and that such logs are scrubbed.
//
// DeviceManagementRequest should only contain one request which matches the
// HTTP query parameter - request, as listed below. Other requests within the
// container will be ignored.
// This matters for authorization: the credential required is the one listed
// above for the |request| parameter, so a handler must act only on the
// sub-message that parameter selects.
//   chrome_desktop_report: chrome_desktop_report_request
//   chrome_os_user_report: chrome_os_user_report_request
//   cert_upload: cert_upload_request
//   check_device_pairing: check_device_pairing_request
//   device_pairing: device_pairing_request
//   device_state_retrieval: device_state_retrieval_request
//   enterprise_check: auto_enrollment_request
//   ping: policy_request
//   policy: policy_request
//   register: register_request
//   status: device_status_report_request or session_status_report_request or
//       child_status_report_request
//   unregister: unregister_request
//   remote_commands: remote_command_request
//   attribute_update_permission: device_attribute_update_permission_request
//   attribute_update: device_attribute_update_request
//   gcm_id_update: gcm_id_update_request
//   check_android_management: check_android_management_request
//   certificate_based_register: certificate_based_register_request
//   active_directory_enroll_play_user:
//       active_directory_enroll_play_user_request
//   active_directory_play_activity: active_directory_play_activity_request
//   active_directory_user_signin: active_directory_user_signin_request
//   register_browser: register_browser_request
//   app_install_report: app_install_report_request
//   policy_validation_report: policy_validation_report_request
//   device_initial_enrollment_state: device_initial_enrollment_state_request
//   refresh_account: refresh_account_request
//   client_cert_provisioning: client_certificate_provisioning_request
//
// NOTE(review): this mapping and the |request| parameter list above disagree
// in places: the parameter list has api_authorization, enterprise_psm_check
// and status_upload, which have no entry here (this mapping says `status`),
// and app_install_report appears here but not in the parameter list. Several
// fields below (device_state_key_update_request,
// rsu_lookup_key_upload_request, public_saml_user_request,
// extension_install_report_request, check_user_account_request,
// private_set_membership_request) have no mapping entry and no stated
// Authorization format. Confirm against the server's dispatch table.
message DeviceManagementRequest {
  reserved 24;  // unused previous version of chrome_desktop_report_request.

  // Register request.
  optional DeviceRegisterRequest register_request = 1;

  // Unregister request.
  optional DeviceUnregisterRequest unregister_request = 2;

  // Policy request.
  optional DevicePolicyRequest policy_request = 3;

  // Update status.
  // Field 30 sits with 4 and 5 because all three are status reports; the
  // number reflects when it was added, not its position.
  optional DeviceStatusReportRequest device_status_report_request = 4;
  optional SessionStatusReportRequest session_status_report_request = 5;
  optional ChildStatusReportRequest child_status_report_request = 30;

  // Auto-enrollment detection.
  optional DeviceAutoEnrollmentRequest auto_enrollment_request = 6;

  // EMCert upload (for remote attestation)
  optional DeviceCertUploadRequest cert_upload_request = 7;

  // Request for OAuth2 authorization codes to access Google services.
  optional DeviceServiceApiAccessRequest service_api_access_request = 8;

  // Device-state retrieval.
  optional DeviceStateRetrievalRequest device_state_retrieval_request = 9;

  // Device state key update.
  optional DeviceStateKeyUpdateRequest device_state_key_update_request = 10;

  // Pair two devices.
  optional DevicePairingRequest device_pairing_request = 11;

  // Check if two devices are paired.
  optional CheckDevicePairingRequest check_device_pairing_request = 12;

  // Remote command fetching.
  optional DeviceRemoteCommandRequest remote_command_request = 13;

  // Check permission for updating device attribute.
  optional DeviceAttributeUpdatePermissionRequest
      device_attribute_update_permission_request = 14;

  // Update device attribute.
  optional DeviceAttributeUpdateRequest device_attribute_update_request = 15;

  // Update the GCM id to device_id mapping.
  optional GcmIdUpdateRequest gcm_id_update_request = 16;

  // Check if user is a managed Android-for-Work user with DPC enforcement.
  optional CheckAndroidManagementRequest check_android_management_request = 17;

  // Request to register with a registration certificate.
  optional CertificateBasedDeviceRegisterRequest
      certificate_based_register_request = 18;

  // Gets an enrollment token to a Managed Google Play Account for using it with
  // Active Directory.
  optional ActiveDirectoryEnrollPlayUserRequest
      active_directory_enroll_play_user_request = 19;

  // Reports that a Play account is used.
  optional ActiveDirectoryPlayActivityRequest
      active_directory_play_activity_request = 20;

  // Request device license information.
  // Deprecated; kept so that field number 21 is not reused.
  optional CheckDeviceLicenseRequest check_device_license_request_deprecated =
      21 [deprecated = true];

  // Initiate an Active Directory user signin.
  optional ActiveDirectoryUserSigninRequest
      active_directory_user_signin_request = 22;

  // Request to register a browser independently of its users.
  optional RegisterBrowserRequest register_browser_request = 23;

  // A report on the status of app push-installs.
  optional AppInstallReportRequest app_install_report_request = 25;

  // A Chrome desktop report request.
  optional ChromeDesktopReportRequest chrome_desktop_report_request = 26;

  // Result of validating fetched policy on the client.
  optional PolicyValidationReportRequest policy_validation_report_request = 27;

  // Query for initial enrollment details.
  optional DeviceInitialEnrollmentStateRequest
      device_initial_enrollment_state_request = 28;

  // Request from device to wipe an old account and get a new account.
  optional RefreshAccountRequest refresh_account_request = 29;

  // Request from device to upload RSU lookup key.
  optional RsuLookupKeyUploadRequest rsu_lookup_key_upload_request = 31;

  // Request from device for SAML IdP URL address.
  optional PublicSamlUserRequest public_saml_user_request = 32;

  // A ChromeOS user report request.
  optional ChromeOsUserReportRequest chrome_os_user_report_request = 33;

  // Request to start / continue client certificate provisioning process.
  optional ClientCertificateProvisioningRequest
      client_certificate_provisioning_request = 34;

  // A report on the status of extension install process.
  optional ExtensionInstallReportRequest extension_install_report_request = 35;

  // Request to check user account for smart enrollment.
  optional CheckUserAccountRequest check_user_account_request = 36;

  // Request from device to check the state stored in PSM. Currently, it is used
  // for ZTE/LP device initial enrollment state check.
  optional PrivateSetMembershipRequest private_set_membership_request = 37;

  // Next id: 38.
}

// Response from server to device.
//
// For release clients, DMServer returns errors using HTTP Status Code, so that
// clients only need to check one place for all error codes. It is also easier
// to perform log analysis and customer support since HTTP Status Code is easily
// visible in the logs.
//
// The following list defines the error code returned by this API.
// Several codes carry DMServer-specific meanings that differ from their
// standard HTTP semantics (402, 405, 412, 417), so generic HTTP handling must
// not be applied to them:
//
// 200 OK: valid response is returned to client.
// 400 Bad Request: invalid argument.
// 401 Unauthorized: invalid auth cookie or DM token.
// 402 Missing licenses.
// 403 Forbidden: device management is not allowed.
// 404 Not Found: the request URL is invalid.
// 405 Invalid serial number.
// 409 Device id conflict.
// 410 Device Not Found: the device id is not found.
// 412 Pending approval.
// 417 Consumer account with packaged license.
// 491 Request Pending: the request is pending approval.
// 500 Internal Server Error: most likely a bug in DM server.
// 503 Service Unavailable: most likely a backend error.
// 902 Policy Not Found: the policy is not found.
// 903 Deprovisioned: the device has been deprovisioned.
// 904 Arc Disabled: ARC is not enabled on the domain.
//
// NOTE(review): 902-904 lie outside the standard HTTP status-code range
// (100-599), so intermediaries may not pass them through unchanged; confirm
// how the client transport surfaces them.
//
// Each response field answers the request field of the matching name in
// DeviceManagementRequest. Field numbers are not aligned between the two
// messages, so always match by name.
message DeviceManagementResponse {
  reserved 1, 24;

  // Error message.
  // Free-form text from the server; the status is conveyed by the HTTP status
  // code, as described above.
  optional string error_message = 2;

  // Register response
  optional DeviceRegisterResponse register_response = 3;

  // Unregister response
  optional DeviceUnregisterResponse unregister_response = 4;

  // Policy response.
  optional DevicePolicyResponse policy_response = 5;

  // Update status report response.
  optional DeviceStatusReportResponse device_status_report_response = 6;
  optional SessionStatusReportResponse session_status_report_response = 7;
  optional ChildStatusReportResponse child_status_report_response = 29;

  // Auto-enrollment detection response.
  optional DeviceAutoEnrollmentResponse auto_enrollment_response = 8;

  // EMCert upload response.
  optional DeviceCertUploadResponse cert_upload_response = 9;

  // Response to OAuth2 authorization code request.
  optional DeviceServiceApiAccessResponse service_api_access_response = 10;

  // Device-state retrieval.
  optional DeviceStateRetrievalResponse device_state_retrieval_response = 11;

  // Response to device pairing request.
  optional DevicePairingResponse device_pairing_response = 12;

  // Response to check device pairing request.
  optional CheckDevicePairingResponse check_device_pairing_response = 13;

  // Response to remote command request.
  optional DeviceRemoteCommandResponse remote_command_response = 14;

  // Response to check device attribute update permission.
  optional DeviceAttributeUpdatePermissionResponse
      device_attribute_update_permission_response = 15;

  // Response to update device attribute.
  optional DeviceAttributeUpdateResponse device_attribute_update_response = 16;

  // Response to GCM id update request.
  optional GcmIdUpdateResponse gcm_id_update_response = 17;

  // Response to check Android management request.
  optional CheckAndroidManagementResponse check_android_management_response =
      18;

  // Response to an Active Directory Play user enrollment request.
  optional ActiveDirectoryEnrollPlayUserResponse
      active_directory_enroll_play_user_response = 19;

  // Response to a Play activity request.
  optional ActiveDirectoryPlayActivityResponse
      active_directory_play_activity_response = 20;

  // Response to a check device license request.
  // Deprecated; kept so that field number 21 is not reused.
  optional CheckDeviceLicenseResponse check_device_license_response_deprecated =
      21 [deprecated = true];

  // Response to a request initiating an Active Directory user signin.
  optional ActiveDirectoryUserSigninResponse
      active_directory_user_signin_response = 22;

  // Response to a Chrome desktop report request.
  optional ChromeDesktopReportResponse chrome_desktop_report_response = 23;

  // Response to a report on the status of app push-installs.
  optional AppInstallReportResponse app_install_report_response = 25;

  // Response to a policy validation report.
  optional PolicyValidationReportResponse policy_validation_report_response =
      26;

  // Response to initial enrollment details query.
  optional DeviceInitialEnrollmentStateResponse
      device_initial_enrollment_state_response = 27;

  // Response to refresh account request.
  optional RefreshAccountResponse refresh_account_response = 28;

  // Response to RSU lookup key upload request.
  optional RsuLookupKeyUploadResponse rsu_lookup_key_upload_response = 30;

  // Response to public SAML session user request.
  optional PublicSamlUserResponse public_saml_user_response = 31;

  // Response to a ChromeOS user report request.
  optional ChromeOsUserReportResponse chrome_os_user_report_response = 32;

  // Response to a client certificate provisioning request.
  optional ClientCertificateProvisioningResponse
      client_certificate_provisioning_response = 33;

  // Response to a request checking the user account type for smart
  // enrollment.
  optional CheckUserAccountResponse check_user_account_response = 34;

  // Response to a client private set membership request.
  optional PrivateSetMembershipResponse private_set_membership_response = 35;

  // Next id: 36.
}

// Device state information stored on the server that is retrieved during the
// enrollment process. Learn more at go/cros-enterprise-psm
message DeviceStateRetrievalInfo {
  // Whether the device should retrieve initial state or not.
  optional bool has_initial_state = 1;
}