1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 syntax = "proto2"; 6 7 option optimize_for = LITE_RUNTIME; 8 9 package enterprise_management; 10 11 // Request from device to server to register device. 12 message DeviceRegisterRequest { 13 // Reregister device without erasing server state. It can be used 14 // to refresh dmtoken etc. Client MUST set this value to true if it 15 // reuses an existing device id. 16 optional bool reregister = 1; 17 18 // Device register type. This field does not exist for TT release. 19 // When a client requests for policies, server should verify the 20 // client has been registered properly. For example, a client must 21 // register with type DEVICE in order to retrieve device policies. 22 enum Type { 23 TT = 0; // Register for TT release. 24 USER = 1; // Register for Chrome OS user polices. 25 DEVICE = 2; // Register for device policies. 26 BROWSER = 3; // Register for Chrome user policies. 27 ANDROID_BROWSER = 4; // Register for Android Chrome browser user policies. 28 IOS_BROWSER = 5; // Register for iOS Chrome browser user policies. 29 } 30 // NOTE: we also use this field to detect client version. If this 31 // field is missing, then the request comes from TT. We will remove 32 // Chrome OS TT support once it is over. 33 optional Type type = 2 [default = TT]; 34 35 // Machine hardware id, such as serial number. 36 // This field is required if register type == DEVICE. 37 optional string machine_id = 3; 38 39 // Machine model name, such as "ZGA", "Cr-48", "Nexus One". If the 40 // model name is not available, client SHOULD send generic name like 41 // "Android", or "Chrome OS". 42 optional string machine_model = 4; 43 44 // When true, indicates that the |machine_id| has been identified as auto- 45 // enrollment candidate on the client and the server can use it to verify 46 // that the client is to be enrolled in the correct mode. 47 // Defaults to false when not present. 48 optional bool auto_enrolled = 5; 49 50 // Indicates a requisition of the registering entity that the server can act 51 // upon. This allows clients to pass hints e.g. at device enrollment time 52 // about the intended use of the device. 53 optional string requisition = 6; 54 55 // The current server-backed state key for the client, if applicable. This can 56 // be used by the server to link the registration request to an existing 57 // device record for re-enrollment. 58 optional bytes server_backed_state_key = 7; 59 } 60 61 // Response from server to device register request. 62 message DeviceRegisterResponse { 63 // Device management token for this registration. This token MUST be 64 // part of HTTP Authorization header for all future requests from 65 // device to server. 66 required string device_management_token = 1; 67 68 // Device display name. By default, server generates the name in 69 // the format of "Machine Model - Machine Id". However, domain 70 // admin can update it using CPanel, so do NOT treat it as constant. 71 optional string machine_name = 2; 72 73 // Enum listing the possible modes the device should be locked into when the 74 // registration is finished. 75 enum DeviceMode { 76 // In ENTERPRISE mode the device has no local owner and device settings are 77 // controlled through the cloud policy infrastructure. Auto-enrollment is 78 // supported in that mode. 79 ENTERPRISE = 0; 80 // Devices in RETAIL mode also have no local owner and get their device 81 // settings from the cloud, but additionally this mode enables the demo 82 // account on the device. 83 RETAIL = 1; 84 } 85 optional DeviceMode enrollment_type = 3 [default = ENTERPRISE]; 86 } 87 88 // Request from device to server to unregister device. 89 // GoogleDMToken MUST be in HTTP Authorization header. 90 message DeviceUnregisterRequest { 91 } 92 93 // Response from server to device for unregister request. 94 message DeviceUnregisterResponse { 95 } 96 97 // Request from device to server to upload device EMCert 98 // (enterprise machine cert used for remote attestation). 99 // GoogleDMToken MUST be in HTTP Authorization header. 100 message DeviceCertUploadRequest { 101 // EMCert in X.509 format. 102 optional bytes device_certificate = 1; 103 } 104 105 // Response from server to device for cert upload request. 106 message DeviceCertUploadResponse { 107 } 108 109 // Request to access a Google service with the given scope. 110 message DeviceServiceApiAccessRequest { 111 // The list of auth scopes the device requests from DMServer. 112 repeated string auth_scope = 1; 113 114 // OAuth2 client ID to which the returned authorization code is bound. 115 optional string oauth2_client_id = 2; 116 } 117 118 message DeviceServiceApiAccessResponse { 119 // The OAuth2 authorization code for the requested scope(s). 120 // This can be exchanged for a refresh token. 121 optional string auth_code = 1; 122 } 123 124 message PolicyFetchRequest { 125 // This is the policy type, which maps to D3 policy type internally. 126 // By convention, we use "/" as separator to create policy namespace. 127 // The policy type names are case insensitive. 128 // 129 // Possible values for Chrome OS are: 130 // google/chromeos/device => ChromeDeviceSettingsProto 131 // google/chromeos/user => ChromeSettingsProto 132 // google/chromeos/publicaccount => ChromeSettingsProto 133 // google/chrome/extension => ExternalPolicyData 134 // google/android/user => ChromeSettingsProto 135 // google/ios/user => ChromeSettingsProto 136 optional string policy_type = 1; 137 138 // This is the last policy timestamp that client received from server. 139 optional int64 timestamp = 2; 140 141 // Tell server what kind of security signature is required. 142 enum SignatureType { 143 NONE = 0; 144 SHA1_RSA = 1; 145 } 146 optional SignatureType signature_type = 3 [default = NONE]; 147 148 // The version number of the public key that is currently stored 149 // on the client. This should be the last number the server had 150 // supplied as new_public_key_version in PolicyData. 151 // This field is unspecified if the client does not yet have a 152 // public key. 153 optional int32 public_key_version = 4; 154 155 // Machine hardware id, such as serial number. 156 // This field is should be set only if the serial number for the device is 157 // missing from the server, as indicated by the valid_serial_number_missing 158 // field in the last policy fetch response. 159 optional string machine_id = 5; 160 161 // This field is used for devices to send the additional ID to fetch settings. 162 // Retrieving some settings requires more than just device or user ID. 163 // For example, to retrieve public account, devices need to pass in 164 // public account ID in addition to device ID. To retrieve extension or 165 // plug-in settings, devices need to pass in extension/plug-in ID in 166 // addition to user ID. 167 // policy_type represents the type of settings (e.g. public account, 168 // extension) devices request to fetch. 169 optional string settings_entity_id = 6; 170 171 // If this fetch is due to a policy invalidation, this field contains the 172 // version provided with the invalidation. The server interprets this value 173 // and the value of invalidation_payload to fetch the up-to-date policy. 174 optional int64 invalidation_version = 7; 175 176 // If this fetch is due to a policy invalidation, this field contains the 177 // payload delivered with the invalidation. The server interprets this value 178 // and the value of invalidation_version to fetch the up-to-date policy. 179 optional bytes invalidation_payload = 8; 180 181 // Hash string for the chrome policy verification public key which is embedded 182 // into Chrome binary. Matching private key will be used by the server 183 // to sign per-domain policy keys during key rotation. If server does not 184 // have the key which matches this hash string, that could indicate malicious 185 // or out-of-date Chrome client. 186 optional string verification_key_hash = 9; 187 } 188 189 // This message is included in serialized form in PolicyFetchResponse 190 // below. It may also be signed, with the signature being created for 191 // the serialized form. 192 message PolicyData { 193 // See PolicyFetchRequest.policy_type. 194 optional string policy_type = 1; 195 196 // [timestamp] is milliseconds since Epoch in UTC timezone. It is 197 // included here so that the time at which the server issued this 198 // response cannot be faked (as protection against replay attacks). 199 // It is the timestamp generated by DMServer, NOT the time admin 200 // last updated the policy or anything like that. 201 optional int64 timestamp = 2; 202 203 // The DM token that was used by the client in the HTTP POST header 204 // for authenticating the request. It is included here again so that 205 // the client can verify that the response is meant for him (and not 206 // issued by a replay or man-in-the-middle attack). 207 optional string request_token = 3; 208 209 // The serialized value of the actual policy protobuf. This can be 210 // deserialized to an instance of, for example, ChromeSettingsProto, 211 // ChromeDeviceSettingsProto, or ExternalPolicyData. 212 optional bytes policy_value = 4; 213 214 // The device display name assigned by the server. It is only 215 // filled if the display name is available. 216 // 217 // The display name of the machine as generated by the server or set 218 // by the Administrator in the CPanel GUI. This is the same thing as 219 // |machine_name| in DeviceRegisterResponse but it might have 220 // changed since then. 221 optional string machine_name = 5; 222 223 // Version number of the server's current public key. (The key that 224 // was used to sign this response. Numbering should start at 1 and be 225 // increased by 1 at each key rotation.) 226 optional int32 public_key_version = 6; 227 228 // The user this policy is intended for. In case of device policy, the name 229 // of the owner (who registered the device). 230 optional string username = 7; 231 232 // In this field the DMServer should echo back the "deviceid" HTTP parameter 233 // from the request. 234 optional string device_id = 8; 235 236 // Indicates which state this association with DMServer is in. This can be 237 // used to tell the client that it is not receiving policy even though the 238 // registration with the server is kept active. 239 enum AssociationState { 240 // Association is active and policy is pushed. 241 ACTIVE = 0; 242 // Association is alive, but the corresponding domain is not managed. 243 UNMANAGED = 1; 244 // Client got dropped on the server side. 245 DEPROVISIONED = 2; 246 } 247 optional AssociationState state = 9 [default = ACTIVE]; 248 249 // Indicates if the the server cannot find a valid serial number for the 250 // device. If this flag is set, the device should send the valid serial 251 // number with a device policy fetch request. Note that this only 252 // applies to device policy. 253 optional bool valid_serial_number_missing = 10; 254 255 // Indicates which public account or extension/plug-in this policy data is 256 // for. See PolicyFetchRequest.settings_entity_id for more details. 257 optional string settings_entity_id = 11; 258 259 // Indicates the identity the device service account is associated with. 260 // This is only sent as part of device policy fetch. 261 optional string service_account_identity = 12; 262 263 // The object source which hosts policy objects within the invalidation 264 // service. This value is combined with invalidation_name to form the object 265 // id used to register for invalidations to this policy. 266 optional int32 invalidation_source = 13; 267 268 // The name which uniquely identifies this policy within the invalidation 269 // service object source. This value is combined with invalidation_source to 270 // form the object id used to register for invalidations to this policy. 271 optional bytes invalidation_name = 14; 272 273 // Server-provided identifier of the fetched policy. This is to be used 274 // by the client when requesting Policy Posture assertion through an API 275 // call or SAML flow. 276 optional string policy_token = 15; 277 278 // Indicates the management mode of the device. Note that old policies do not 279 // have this field. 280 enum ManagementMode { 281 // The device is not managed. The policies are set locally by the owner of 282 // the device. 283 NOT_MANAGED = 0; 284 // The device is enterprise-managed. The policies come from the enterprise 285 // server. 286 ENTERPRISE_MANAGED = 1; 287 // The device is consumer-managed. The policies currently can only be set 288 // locally by the owner of the device. 289 CONSUMER_MANAGED = 2; 290 } 291 optional ManagementMode management_mode = 16; 292 } 293 294 message PolicyFetchResponse { 295 // Since a single policy request may ask for multiple policies, we 296 // provide separate error code for each individual policy fetch. 297 298 // We will use standard HTTP Status Code as error code. 299 optional int32 error_code = 1; 300 301 // Human readable error message for customer support purpose. 302 optional string error_message = 2; 303 304 // This is a serialized |PolicyData| protobuf (defined above). 305 optional bytes policy_data = 3; 306 307 // Signature of the policy data above. 308 optional bytes policy_data_signature = 4; 309 310 // If the public key has been rotated on the server, the new public 311 // key is sent here. It is already used for |policy_data_signature| 312 // above, whereas |new_public_key_signature| is created using the 313 // old key (so the client can trust the new key). If this is the 314 // first time when the client requests policies (so it doesn't have 315 // on old public key), then |new_public_key_signature| is empty. 316 optional bytes new_public_key = 5; 317 optional bytes new_public_key_signature = 6; 318 319 // If new_public_key is specified, this field contains a signature 320 // of a PolicyPublicKeyAndDomain protobuf, signed using a key only 321 // available to DMServer. The public key portion of this well-known key is 322 // embedded into the Chrome binary. The hash of that embedded key is passed 323 // to DMServer as verification_key_hash field in PolicyFetchRequest. DMServer 324 // will pick a private key on the server which matches the hash (matches 325 // public key on the client). If DMServer is unable to find matching key, it 326 // will return an error instead of policy data. 327 // In case hash was not specified, DMServer will leave verification signature 328 // field empty (legacy behavior). 329 // In addition to the checks between new_public_key 330 // and new_public_key_signature described above, Chrome also verifies 331 // new_public_key with the embedded public key and 332 // new_public_key_verification_signature. 333 optional bytes new_public_key_verification_signature = 7; 334 } 335 336 // Protobuf used to generate the new_public_key_verification_signature field. 337 message PolicyPublicKeyAndDomain { 338 // The public key to sign (taken from the |new_public_key| field in 339 // PolicyFetchResponse). 340 optional bytes new_public_key = 1; 341 342 // The domain associated with this key (should match the domain portion of 343 // the username field of the policy). 344 optional string domain = 2; 345 } 346 347 // Request from device to server for reading policies. 348 message DevicePolicyRequest { 349 // The policy fetch request. If this field exists, the request must 350 // comes from a non-TT client. The repeated field allows client to 351 // request multiple policies for better performance. 352 repeated PolicyFetchRequest request = 3; 353 } 354 355 // Response from server to device for reading policies. 356 message DevicePolicyResponse { 357 // The policy fetch response. 358 repeated PolicyFetchResponse response = 3; 359 } 360 361 message TimePeriod { 362 // [timestamp] is milli seconds since Epoch in UTC timezone. 363 optional int64 start_timestamp = 1; 364 optional int64 end_timestamp = 2; 365 } 366 367 message ActiveTimePeriod { 368 optional TimePeriod time_period = 1; 369 370 // The active duration during the above time period. 371 // The unit is milli-second. 372 optional int32 active_duration = 2; 373 } 374 375 // This captures launch events for one app/extension or other installments. 376 message InstallableLaunch { 377 optional string install_id = 1; 378 379 // Time duration where this report covers. These are required 380 // and the record will be ignored if not set. 381 optional TimePeriod duration = 2; 382 383 // Client will send at most 50 timestamps to DM. All the rest 384 // launch activities will be summed into the total count. 385 // We will distribute the count evenly among the time span when 386 // doing time based aggregation. 387 repeated int64 timestamp = 3; 388 optional int64 total_count = 4; 389 } 390 391 // Used to report the device location. 392 message DeviceLocation { 393 enum ErrorCode { 394 ERROR_CODE_NONE = 0; 395 ERROR_CODE_POSITION_UNAVAILABLE = 1; 396 } 397 398 // Latitude in decimal degrees north (WGS84 coordinate frame). 399 optional double latitude = 1; 400 401 // Longitude in decimal degrees west (WGS84 coordinate frame). 402 optional double longitude = 2; 403 404 // Altitude in meters (above WGS84 datum). 405 optional double altitude = 3; 406 407 // Accuracy of horizontal position in meters. 408 optional double accuracy = 4; 409 410 // Accuracy of altitude in meters. 411 optional double altitude_accuracy = 5; 412 413 // Heading in decimal degrees clockwise from true north. 414 optional double heading = 6; 415 416 // Horizontal component of device velocity in meters per second. 417 optional double speed = 7; 418 419 // Time of position measurement in milisecons since Epoch in UTC time. 420 optional int64 timestamp = 8; 421 422 // Error code, see enum above. 423 optional ErrorCode error_code = 9; 424 425 // Human-readable error message. 426 optional string error_message = 10; 427 } 428 429 // Details about a network interface. 430 message NetworkInterface { 431 // Indicates the type of network device. 432 enum NetworkDeviceType { 433 TYPE_ETHERNET = 0; 434 TYPE_WIFI = 1; 435 TYPE_WIMAX = 2; 436 TYPE_BLUETOOTH = 3; 437 TYPE_CELLULAR = 4; 438 } 439 440 // Network device type. 441 optional NetworkDeviceType type = 1; 442 443 // MAC address (if applicable) of the corresponding network device. This is 444 // formatted as an ASCII string with 12 hex digits. Example: A0B1C2D3E4F5. 445 optional string mac_address = 2; 446 447 // MEID (if applicable) of the corresponding network device. Formatted as 448 // ASCII string composed of 14 hex digits. Example: A10000009296F2. 449 optional string meid = 3; 450 451 // IMEI (if applicable) of the corresponding network device. 15-16 decimal 452 // digits encoded as ASCII string. Example: 355402040158759. 453 optional string imei = 4; 454 } 455 456 // Details about a device user. 457 message DeviceUser { 458 // Types of device users which can be reported. 459 enum UserType { 460 // A user managed by the same domain as the device. 461 USER_TYPE_MANAGED = 0; 462 463 // A user not managed by the same domain as the device. 464 USER_TYPE_UNMANAGED = 1; 465 } 466 467 // The type of the user. 468 required UserType type = 1; 469 470 // Email address of the user. Present only if the user type is managed. 471 optional string email = 2; 472 } 473 474 // Report device level status. 475 message DeviceStatusReportRequest { 476 // The OS version reported by the device is a platform version 477 // e.g. 1435.0.2011_12_16_1635. 478 optional string os_version = 1; 479 optional string firmware_version = 2; 480 481 // "Verified", "Dev". Same as verified mode. 482 // If the mode is unknown, this field should not be set. 483 optional string boot_mode = 3; 484 485 // Device active times collection since last report rpc call. 486 // No longer used -- use active_period instead. 487 repeated TimePeriod active_time = 4 [deprecated = true]; 488 489 // The browser version string as shown in the About dialog. 490 // e.g. 17.0.963.18. 491 optional string browser_version = 5; 492 493 // A list of periods when the device was active, aggregated by day. 494 repeated ActiveTimePeriod active_period = 6; 495 496 // The device location. 497 optional DeviceLocation device_location = 7; 498 499 // List of network interfaces. 500 repeated NetworkInterface network_interface = 8; 501 502 // List of recent device users, in descending order by last login time. 503 repeated DeviceUser user = 9; 504 } 505 506 // Report session (a user on one device) level status. 507 message SessionStatusReportRequest { 508 // Installed apps for this user on this device. 509 repeated string installed_app_id = 1; 510 511 // Installed extensions for this user on this device. 512 repeated string installed_extension_id = 2; 513 514 // One stat per app for top 30 apps. 515 repeated InstallableLaunch app_launch_stat = 3; 516 } 517 518 // Response from DMServer to update devices' status. 519 // It is possible that status report fails but policy request succeed. In such 520 // case, the DeviceStatusReportResponse will contain an error code and the 521 // device should re-send status report data in the next policy request. The 522 // device should re-send report data if policy request fails, even if 523 // DeviceStatusReportResponse contains no error code. 524 message DeviceStatusReportResponse { 525 optional int32 error_code = 1; 526 527 // Human readable error message for customer support purpose. 528 optional string error_message = 2; 529 } 530 531 // Response from DMServer to update user devices' status. 532 // It is possible that status report fails but policy request succeed. In such 533 // case, the SessionStatusReportResponse will contain an error code and the 534 // device should re-send status report data in the next policy request. The 535 // device should re-send report data if policy request fails, even if 536 // SessionStatusReportResponse contains no error code. 537 message SessionStatusReportResponse { 538 optional int32 error_code = 1; 539 540 // Human readable error message for customer support purpose. 541 optional string error_message = 2; 542 } 543 544 // Request from device to server to determine whether the device should 545 // go through enterprise enrollment. Unlike the other requests, this request is 546 // not authenticated. 547 message DeviceAutoEnrollmentRequest { 548 // SHA-256 hash of the device's serial number, mod |modulus|. 549 // Should always be present. 550 optional int64 remainder = 1; 551 552 // Modulus of the hash used by the client. Should always be present. This 553 // is the number of buckets the client thinks the server has. For now, 554 // it is a power of 2, but due to the strict constraint on how many serial 555 // numbers a bucket can contain, it may become non power of 2. If that 556 // happens, client-side needs to change its assumption. 557 optional int64 modulus = 2; 558 } 559 560 // Response from server to auto-enrollment detection request. 561 message DeviceAutoEnrollmentResponse { 562 // If this field is present, the other fields are ignored and the client 563 // should send a new DeviceAutoEnrollmentRequest with a new |remainder| 564 // computed using this new |modulus|. If this field is empty, the client's 565 // request was accepted. 566 // DMServer guarantees that if the modulus sent by client in 567 // DeviceAutoEnrollmentRequest matches server's expectation, this field 568 // is unset. 569 optional int64 expected_modulus = 1; 570 571 // List of hashes in the client's hash bucket. If the client's hash matches 572 // any in this list, the client device should do enterprise enrollment. 573 // If it matches none, enrollment should be optional. 574 // Each entry has exactly 256 bits (32 bytes). 575 repeated bytes hash = 2; 576 } 577 578 // Sent by the client to the server. The device management server keeps a 579 // mapping of device identifiers to device state. Devices query this table after 580 // hard reset in order recover state. This request is keyed just by the opaque 581 // server-backed state key; there is no further authentication. 582 message DeviceStateRetrievalRequest { 583 // Opaque, client-determined, unpredictable, stable and unique device 584 // identifier to retrieve state for. This field contains 32 bytes of data that 585 // looks essentially random to the server. It may be generated e.g. by running 586 // a concatenation of suitable device identifiers through a cryptographic hash 587 // algorithm such as SHA-256. 588 optional bytes server_backed_state_key = 1; 589 } 590 591 // Sent by the client to the server when in registered state to update the 592 // device-determined device state keys. 593 message DeviceStateKeyUpdateRequest { 594 // The client-determined state keys. To the server, these look like 32 bytes 595 // of random data. The client should generate these keys using a deterministic 596 // algorithm that takes stable device identifiers as an input and produces a 597 // key as the output, possibly by running the identifiers through a 598 // cryptographic hash function such as SHA-256. 599 repeated bytes server_backed_state_key = 1; 600 } 601 602 // Server to client message carrying the device state response. Because the 603 // request is not authenticated, the only protection against state extraction 604 // from server is the unpredictability of the server-backed state ID. Thus, the 605 // response should not contain any sensitive data. If the server doesn't know 606 // the requested identifier, it just return a message with restore_mode set to 607 // RESTORE_MODE_NONE. 608 message DeviceStateRetrievalResponse { 609 // Restorative action to take after device reset. 610 enum RestoreMode { 611 // No state restoration. 612 RESTORE_MODE_NONE = 0; 613 // Enterprise enrollment requested, but user may skip. 614 RESTORE_MODE_REENROLLMENT_REQUESTED = 1; 615 // Enterprise enrollment is enforced and cannot be skipped. 616 RESTORE_MODE_REENROLLMENT_ENFORCED = 2; 617 }; 618 // The server-indicated restore mode. 619 optional RestoreMode restore_mode = 1 [default = RESTORE_MODE_NONE]; 620 621 // Primary domain the device is associated with. 622 optional string management_domain = 2; 623 } 624 625 // Sent by the client to the server to pair the Host device with the Controller 626 // device. The HTTP request contains an end-user OAuth token and only succeeds 627 // if both Host and Controller devices belong to the end-user domain. 628 message DevicePairingRequest { 629 630 // The device ID of the Host device. 631 optional string host_device_id = 1; 632 633 // The device ID of the Controller device. 634 optional string controller_device_id = 2; 635 } 636 637 // Response from the server to the device pairing request. 638 message DevicePairingResponse { 639 640 // The client should check HTTP status code first. If HTTP status code is not 641 // 200 (e.g. 500 internal error), then it means the pairing fails. If HTTP 642 // status code is 200, then the client should check the status code within the 643 // response. 644 enum StatusCode { 645 SUCCESS = 0; 646 647 // A generic failure code for pairing. 648 FAILED = 1; 649 650 // The Host device cannot be found in the user's domain. 651 HOST_DEVICE_NOT_FOUND = 2; 652 653 // The Controller device cannot be found in the user's domain. 654 CONTROLLER_DEVICE_NOT_FOUND = 3; 655 656 // The Host device is deprovisioned. 657 HOST_DEVICE_DEPROVISIONED = 4; 658 659 // The Controller device is deprovisioned. 660 CONTROLLER_DEVICE_DEPROVISIONED = 5; 661 } 662 663 optional StatusCode status_code = 1 [default = FAILED]; 664 } 665 666 // Sent by the client to the server to check if the devices are paired. The HTTP 667 // request contains controller service account OAuth token as well as the 668 // DMToken from the Host device. 669 message CheckDevicePairingRequest { 670 671 // The device ID of the Host device. 672 optional string host_device_id = 1; 673 674 // The device ID of the Controller device. 675 optional string controller_device_id = 2; 676 } 677 678 // Response from the server to the check device pairing request. 679 message CheckDevicePairingResponse { 680 681 // The client should check HTTP status code first. If HTTP status code is not 682 // 200 (e.g. 500 internal error), then it means the pairing status is unknown. 683 // If HTTP status code is 200, then the client should check the status code 684 // within the response. 685 enum StatusCode { 686 PAIRED = 0; 687 688 // The Host and Controller devices are not paired. 689 NOT_PAIRED = 1; 690 691 // The Host device cannot be found in the Host device domain. 692 HOST_DEVICE_NOT_FOUND = 2; 693 694 // The Controller device cannot be found in the Host device domain. 695 CONTROLLER_DEVICE_NOT_FOUND = 3; 696 697 // The Host device is deprovisioned. 698 HOST_DEVICE_DEPROVISIONED = 4; 699 700 // The Controller device is deprovisioned. 701 CONTROLLER_DEVICE_DEPROVISIONED = 5; 702 703 // Invalid controller identity. 704 INVALID_CONTROLLER_DEVICE_IDENTITY = 6; 705 } 706 707 optional StatusCode status_code = 1 [default = NOT_PAIRED]; 708 } 709 710 // Request from the DMAgent on the device to the DMServer. This is 711 // container for all requests from device to server. The overall HTTP 712 // request MUST be in the following format: 713 // 714 // * HTTP method is POST 715 // * Data mime type is application/x-protobuffer 716 // * HTTP parameters are (all required, all case sensitive): 717 // * request: MUST BE one of 718 // * api_authorization 719 // * cert_upload 720 // * check_device_pairing 721 // * device_pairing 722 // * device_state_retrieval 723 // * enterprise_check 724 // * ping 725 // * policy 726 // * register 727 // * status 728 // * unregister 729 // 730 // * devicetype: MUST BE "1" for Android or "2" for Chrome OS. 731 // * apptype: MUST BE Android or Chrome. 732 // * deviceid: MUST BE no more than 64-char in [\x21-\x7E]. 733 // * agent: MUST BE a string of characters. 734 // * HTTP Authorization header MUST be in the following formats: 735 // * For register and ping requests 736 // Authorization: GoogleLogin auth=<auth cookie for Mobile Sync> 737 // 738 // * For unregister, policy, status, and cert_upload requests 739 // Authorization: GoogleDMToken token=<dm token from register> 740 // 741 // * The Authorization header isn't used for enterprise_check 742 // request, nor for register requests using OAuth. In the latter case, 743 // the OAuth token is passed in the "oauth" parameter. 744 // 745 // DeviceManagementRequest should only contain one request which matches the 746 // HTTP query parameter - request, as listed below. Other requests within the 747 // container will be ignored. 748 // cert_upload: cert_upload_request 749 // check_device_pairing: check_device_pairing_request 750 // device_pairing: device_pairing_request 751 // device_state_retrieval: device_state_retrieval_request 752 // enterprise_check: auto_enrollment_request 753 // ping: policy_request 754 // policy: policy_request 755 // register: register_request 756 // status: device_status_report_request or session_status_report_request 757 // unregister: unregister_request 758 // 759 // 760 message DeviceManagementRequest { 761 // Register request. 762 optional DeviceRegisterRequest register_request = 1; 763 764 // Unregister request. 765 optional DeviceUnregisterRequest unregister_request = 2; 766 767 // Policy request. 768 optional DevicePolicyRequest policy_request = 3; 769 770 // Update status. 771 optional DeviceStatusReportRequest device_status_report_request = 4; 772 optional SessionStatusReportRequest session_status_report_request = 5; 773 774 // Auto-enrollment detection. 775 optional DeviceAutoEnrollmentRequest auto_enrollment_request = 6; 776 777 // EMCert upload (for remote attestation) 778 optional DeviceCertUploadRequest cert_upload_request = 7; 779 780 // Request for OAuth2 authorization codes to access Google services. 781 optional DeviceServiceApiAccessRequest service_api_access_request = 8; 782 783 // Device-state retrieval. 784 optional DeviceStateRetrievalRequest device_state_retrieval_request = 9; 785 786 // Device state key update. 787 optional DeviceStateKeyUpdateRequest device_state_key_update_request = 10; 788 789 // Pair two devices. 790 optional DevicePairingRequest device_pairing_request = 11; 791 792 // Check if two devices are paired. 793 optional CheckDevicePairingRequest check_device_pairing_request = 12; 794 } 795 796 // Response from server to device. 797 // 798 // The server uses the following numbers as HTTP status codes 799 // to report top-level errors. 800 // 801 // 200 OK: valid response is returned to client. 802 // 400 Bad Request: invalid argument. 803 // 401 Unauthorized: invalid auth cookie or DM token. 804 // 403 Forbidden: device management is not allowed. 805 // 404 Not Found: the request URL is invalid. 806 // 410 Device Not Found: the device id is not found. 807 // 491 Request Pending: the request is pending approval. 808 // 500 Internal Server Error: most likely a bug in DM server. 809 // 503 Service Unavailable: most likely a backend error. 810 // 901 Device Not Found: the device id is not found. 811 // 902 Policy Not Found: the policy is not found. 812 message DeviceManagementResponse { 813 // Error message. 814 optional string error_message = 2; 815 816 // Register response 817 optional DeviceRegisterResponse register_response = 3; 818 819 // Unregister response 820 optional DeviceUnregisterResponse unregister_response = 4; 821 822 // Policy response. 823 optional DevicePolicyResponse policy_response = 5; 824 825 // Device status report response. 826 optional DeviceStatusReportResponse device_status_report_response = 6; 827 828 // Session status report response. 829 optional SessionStatusReportResponse session_status_report_response = 7; 830 831 // Auto-enrollment detection response. 832 optional DeviceAutoEnrollmentResponse auto_enrollment_response = 8; 833 834 // EMCert upload response. 835 optional DeviceCertUploadResponse cert_upload_response = 9; 836 837 // Response to OAuth2 authorization code request. 838 optional DeviceServiceApiAccessResponse service_api_access_response = 10; 839 840 // Device-state retrieval. 841 optional DeviceStateRetrievalResponse device_state_retrieval_response = 11; 842 843 // Response to device pairing request. 844 optional DevicePairingResponse device_pairing_response = 12; 845 846 // Response to check device pairing request. 847 optional CheckDevicePairingResponse check_device_pairing_response = 13; 848 } 849