| blob | 5f2f0f4a179874cee7498b95ddb8c16afa977a4c |
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 syntax = "proto2";
7 option optimize_for = LITE_RUNTIME;
9 package enterprise_management;
11 // Request from device to server to register device.
12 message DeviceRegisterRequest {
13 // Reregister device without erasing server state. It can be used
14 // to refresh dmtoken etc. Client MUST set this value to true if it
15 // reuses an existing device id.
16 optional bool reregister = 1;
18 // Device register type. This field does not exist for TT release.
19 // When a client requests for policies, server should verify the
20 // client has been registered properly. For example, a client must
21 // register with type DEVICE in order to retrieve device policies.
22 enum Type {
23 TT = 0; // Register for TT release.
24 USER = 1; // Register for Chrome OS user polices.
25 DEVICE = 2; // Register for device policies.
26 BROWSER = 3; // Register for Chrome user policies.
27 ANDROID_BROWSER = 4; // Register for Android Chrome browser user policies.
28 IOS_BROWSER = 5; // Register for iOS Chrome browser user policies.
29 }
30 // NOTE: we also use this field to detect client version. If this
31 // field is missing, then the request comes from TT. We will remove
32 // Chrome OS TT support once it is over.
33 optional Type type = 2 [default = TT];
35 // Machine hardware id, such as serial number.
36 // This field is required if register type == DEVICE.
37 optional string machine_id = 3;
39 // Machine model name, such as "ZGA", "Cr-48", "Nexus One". If the
40 // model name is not available, client SHOULD send generic name like
41 // "Android", or "Chrome OS".
42 optional string machine_model = 4;
44 // When true, indicates that the |machine_id| has been identified as auto-
45 // enrollment candidate on the client and the server can use it to verify
46 // that the client is to be enrolled in the correct mode.
47 // Defaults to false when not present.
48 optional bool auto_enrolled = 5;
50 // Indicates a requisition of the registering entity that the server can act
51 // upon. This allows clients to pass hints e.g. at device enrollment time
52 // about the intended use of the device.
53 optional string requisition = 6;
55 // The current server-backed state key for the client, if applicable. This can
56 // be used by the server to link the registration request to an existing
57 // device record for re-enrollment.
58 optional bytes server_backed_state_key = 7;
59 }
61 // Response from server to device register request.
62 message DeviceRegisterResponse {
63 // Device management token for this registration. This token MUST be
64 // part of HTTP Authorization header for all future requests from
65 // device to server.
66 required string device_management_token = 1;
68 // Device display name. By default, server generates the name in
69 // the format of "Machine Model - Machine Id". However, domain
70 // admin can update it using CPanel, so do NOT treat it as constant.
71 optional string machine_name = 2;
73 // Enum listing the possible modes the device should be locked into when the
74 // registration is finished.
75 enum DeviceMode {
76 // In ENTERPRISE mode the device has no local owner and device settings are
77 // controlled through the cloud policy infrastructure. Auto-enrollment is
78 // supported in that mode.
79 ENTERPRISE = 0;
80 // Devices in RETAIL mode also have no local owner and get their device
81 // settings from the cloud, but additionally this mode enables the demo
82 // account on the device.
83 RETAIL = 1;
84 }
85 optional DeviceMode enrollment_type = 3 [default = ENTERPRISE];
86 }
88 // Request from device to server to unregister device.
89 // GoogleDMToken MUST be in HTTP Authorization header.
90 message DeviceUnregisterRequest {
91 }
93 // Response from server to device for unregister request.
94 message DeviceUnregisterResponse {
95 }
97 // Request from device to server to upload device EMCert
98 // (enteprise machine cert used for remote attestation).
99 // GoogleDMToken MUST be in HTTP Authorization header.
100 message DeviceCertUploadRequest {
101 // EMCert in X.509 format.
102 optional bytes device_certificate = 1;
103 }
105 // Response from server to device for cert upload request.
106 message DeviceCertUploadResponse {
107 }
109 // Request to access a Google service with the given scope.
110 message DeviceServiceApiAccessRequest {
111 // The list of auth scopes the device requests from DMServer.
112 repeated string auth_scope = 1;
114 // OAuth2 client ID to which the returned authorization code is bound.
115 optional string oauth2_client_id = 2;
116 }
118 message DeviceServiceApiAccessResponse {
119 // The OAuth2 authorization code for the requested scope(s).
120 // This can be exchanged for a refresh token.
121 optional string auth_code = 1;
122 }
124 message PolicyFetchRequest {
125 // This is the policy type, which maps to D3 policy type internally.
126 // By convention, we use "/" as separator to create policy namespace.
127 // The policy type names are case insensitive.
128 //
129 // Possible values for Chrome OS are:
130 // google/chromeos/device => ChromeDeviceSettingsProto
131 // google/chromeos/user => ChromeSettingsProto
132 // google/chromeos/publicaccount => ChromeSettingsProto
133 // google/chrome/extension => ExternalPolicyData
134 // google/android/user => ChromeSettingsProto
135 // google/ios/user => ChromeSettingsProto
136 optional string policy_type = 1;
138 // This is the last policy timestamp that client received from server.
139 optional int64 timestamp = 2;
141 // Tell server what kind of security signature is required.
142 enum SignatureType {
143 NONE = 0;
144 SHA1_RSA = 1;
145 }
146 optional SignatureType signature_type = 3 [default = NONE];
148 // The version number of the public key that is currently stored
149 // on the client. This should be the last number the server had
150 // supplied as new_public_key_version in PolicyData.
151 // This field is unspecified if the client does not yet have a
152 // public key.
153 optional int32 public_key_version = 4;
155 // Machine hardware id, such as serial number.
156 // This field is should be set only if the serial number for the device is
157 // missing from the server, as indicated by the valid_serial_number_missing
158 // field in the last policy fetch response.
159 optional string machine_id = 5;
161 // This field is used for devices to send the additional ID to fetch settings.
162 // Retrieving some settings requires more than just device or user ID.
163 // For example, to retrieve public account, devices need to pass in
164 // public account ID in addition to device ID. To retrieve extension or
165 // plug-in settings, devices need to pass in extension/plug-in ID in
166 // addition to user ID.
167 // policy_type represents the type of settings (e.g. public account,
168 // extension) devices request to fetch.
169 optional string settings_entity_id = 6;
171 // If this fetch is due to a policy invalidation, this field contains the
172 // version provided with the invalidation. The server interprets this value
173 // and the value of invalidation_payload to fetch the up-to-date policy.
174 optional int64 invalidation_version = 7;
176 // If this fetch is due to a policy invalidation, this field contains the
177 // payload delivered with the invalidation. The server interprets this value
178 // and the value of invalidation_version to fetch the up-to-date policy.
179 optional bytes invalidation_payload = 8;
181 // Hash string for the chrome policy verification public key which is embedded
182 // into Chrome binary. Matching private key will be used by the server
183 // to sign per-domain policy keys during key rotation. If server does not
184 // have the key which matches this hash string, that could indicate malicious
185 // or out-of-date Chrome client.
186 optional string verification_key_hash = 9;
187 }
189 // This message is included in serialized form in PolicyFetchResponse
190 // below. It may also be signed, with the signature being created for
191 // the serialized form.
192 message PolicyData {
193 // See PolicyFetchRequest.policy_type.
194 optional string policy_type = 1;
196 // [timestamp] is milliseconds since Epoch in UTC timezone. It is
197 // included here so that the time at which the server issued this
198 // response cannot be faked (as protection against replay attacks).
199 // It is the timestamp generated by DMServer, NOT the time admin
200 // last updated the policy or anything like that.
201 optional int64 timestamp = 2;
203 // The DM token that was used by the client in the HTTP POST header
204 // for authenticating the request. It is included here again so that
205 // the client can verify that the response is meant for him (and not
206 // issued by a replay or man-in-the-middle attack).
207 optional string request_token = 3;
209 // The serialized value of the actual policy protobuf. This can be
210 // deserialized to an instance of, for example, ChromeSettingsProto,
211 // ChromeDeviceSettingsProto, or ExternalPolicyData.
212 optional bytes policy_value = 4;
214 // The device display name assigned by the server. It is only
215 // filled if the display name is available.
216 //
217 // The display name of the machine as generated by the server or set
218 // by the Administrator in the CPanel GUI. This is the same thing as
219 // |machine_name| in DeviceRegisterResponse but it might have
220 // changed since then.
221 optional string machine_name = 5;
223 // Version number of the server's current public key. (The key that
224 // was used to sign this response. Numbering should start at 1 and be
225 // increased by 1 at each key rotation.)
226 optional int32 public_key_version = 6;
228 // The user this policy is intended for. In case of device policy, the name
229 // of the owner (who registered the device).
230 optional string username = 7;
232 // In this field the DMServer should echo back the "deviceid" HTTP parameter
233 // from the request.
234 optional string device_id = 8;
236 // Indicates which state this association with DMServer is in. This can be
237 // used to tell the client that it is not receiving policy even though the
238 // registration with the server is kept active.
239 enum AssociationState {
240 // Association is active and policy is pushed.
241 ACTIVE = 0;
242 // Association is alive, but the corresponding domain is not managed.
243 UNMANAGED = 1;
244 // Client got dropped on the server side.
245 DEPROVISIONED = 2;
246 }
247 optional AssociationState state = 9 [default = ACTIVE];
249 // Indicates if the the server cannot find a valid serial number for the
250 // device. If this flag is set, the device should send the valid serial
251 // number with a device policy fetch request. Note that this only
252 // applies to device policy.
253 optional bool valid_serial_number_missing = 10;
255 // Indicates which public account or extension/plug-in this policy data is
256 // for. See PolicyFetchRequest.settings_entity_id for more details.
257 optional string settings_entity_id = 11;
259 // Indicates the identity the device service account is associated with.
260 // This is only sent as part of device policy fetch.
261 optional string service_account_identity = 12;
263 // The object source which hosts policy objects within the invalidation
264 // service. This value is combined with invalidation_name to form the object
265 // id used to register for invalidations to this policy.
266 optional int32 invalidation_source = 13;
268 // The name which uniquely identifies this policy within the invalidation
269 // service object source. This value is combined with invalidation_source to
270 // form the object id used to register for invalidations to this policy.
271 optional bytes invalidation_name = 14;
273 // Server-provided identifier of the fetched policy. This is to be used
274 // by the client when requesting Policy Posture assertion through an API
275 // call or SAML flow.
276 optional string policy_token = 15;
277 }
279 message PolicyFetchResponse {
280 // Since a single policy request may ask for multiple policies, we
281 // provide separate error code for each individual policy fetch.
283 // We will use standard HTTP Status Code as error code.
284 optional int32 error_code = 1;
286 // Human readable error message for customer support purpose.
287 optional string error_message = 2;
289 // This is a serialized |PolicyData| protobuf (defined above).
290 optional bytes policy_data = 3;
292 // Signature of the policy data above.
293 optional bytes policy_data_signature = 4;
295 // If the public key has been rotated on the server, the new public
296 // key is sent here. It is already used for |policy_data_signature|
297 // above, whereas |new_public_key_signature| is created using the
298 // old key (so the client can trust the new key). If this is the
299 // first time when the client requests policies (so it doesn't have
300 // on old public key), then |new_public_key_signature| is empty.
301 optional bytes new_public_key = 5;
302 optional bytes new_public_key_signature = 6;
304 // If new_public_key is specified, this field contains a signature
305 // of a PolicyPublicKeyAndDomain protobuf, signed using a key only
306 // available to DMServer. The public key portion of this well-known key is
307 // embedded into the Chrome binary. The hash of that embedded key is passed
308 // to DMServer as verification_key_hash field in PolicyFetchRequest. DMServer
309 // will pick a private key on the server which matches the hash (matches
310 // public key on the client). If DMServer is unable to find matching key, it
311 // will return an error instead of policy data.
312 // In case hash was not specified, DMServer will leave verification signature
313 // field empty (legacy behavior).
314 // In addition to the checks between new_public_key
315 // and new_public_key_signature described above, Chrome also verifies
316 // new_public_key with the embedded public key and
317 // new_public_key_verification_signature.
318 optional bytes new_public_key_verification_signature = 7;
319 }
321 // Protobuf used to generate the new_public_key_verification_signature field.
322 message PolicyPublicKeyAndDomain {
323 // The public key to sign (taken from the |new_public_key| field in
324 // PolicyFetchResponse).
325 optional bytes new_public_key = 1;
327 // The domain associated with this key (should match the domain portion of
328 // the username field of the policy).
329 optional string domain = 2;
330 }
332 // Request from device to server for reading policies.
333 message DevicePolicyRequest {
334 // The policy fetch request. If this field exists, the request must
335 // comes from a non-TT client. The repeated field allows client to
336 // request multiple policies for better performance.
337 repeated PolicyFetchRequest request = 3;
338 }
340 // Response from server to device for reading policies.
341 message DevicePolicyResponse {
342 // The policy fetch response.
343 repeated PolicyFetchResponse response = 3;
344 }
346 message TimePeriod {
347 // [timestamp] is milli seconds since Epoch in UTC timezone.
348 optional int64 start_timestamp = 1;
349 optional int64 end_timestamp = 2;
350 }
352 message ActiveTimePeriod {
353 optional TimePeriod time_period = 1;
355 // The active duration during the above time period.
356 // The unit is milli-second.
357 optional int32 active_duration = 2;
358 }
360 // This captures launch events for one app/extension or other installments.
361 message InstallableLaunch {
362 optional string install_id = 1;
364 // Time duration where this report covers. These are required
365 // and the record will be ignored if not set.
366 optional TimePeriod duration = 2;
368 // Client will send at most 50 timestamps to DM. All the rest
369 // launch activities will be summed into the total count.
370 // We will distribute the count evenly among the time span when
371 // doing time based aggregation.
372 repeated int64 timestamp = 3;
373 optional int64 total_count = 4;
374 }
376 // Used to report the device location.
377 message DeviceLocation {
378 enum ErrorCode {
379 ERROR_CODE_NONE = 0;
380 ERROR_CODE_POSITION_UNAVAILABLE = 1;
381 }
383 // Latitude in decimal degrees north (WGS84 coordinate frame).
384 optional double latitude = 1;
386 // Longitude in decimal degrees west (WGS84 coordinate frame).
387 optional double longitude = 2;
389 // Altitude in meters (above WGS84 datum).
390 optional double altitude = 3;
392 // Accuracy of horizontal position in meters.
393 optional double accuracy = 4;
395 // Accuracy of altitude in meters.
396 optional double altitude_accuracy = 5;
398 // Heading in decimal degrees clockwise from true north.
399 optional double heading = 6;
401 // Horizontal component of device velocity in meters per second.
402 optional double speed = 7;
404 // Time of position measurement in milisecons since Epoch in UTC time.
405 optional int64 timestamp = 8;
407 // Error code, see enum above.
408 optional ErrorCode error_code = 9;
410 // Human-readable error message.
411 optional string error_message = 10;
412 }
414 // Details about a network interface.
415 message NetworkInterface {
416 // Indicates the type of network device.
417 enum NetworkDeviceType {
418 TYPE_ETHERNET = 0;
419 TYPE_WIFI = 1;
420 TYPE_WIMAX = 2;
421 TYPE_BLUETOOTH = 3;
422 TYPE_CELLULAR = 4;
423 }
425 // Network device type.
426 optional NetworkDeviceType type = 1;
428 // MAC address (if applicable) of the corresponding network device. This is
429 // formatted as an ASCII string with 12 hex digits. Example: A0B1C2D3E4F5.
430 optional string mac_address = 2;
432 // MEID (if applicable) of the corresponding network device. Formatted as
433 // ASCII string composed of 14 hex digits. Example: A10000009296F2.
434 optional string meid = 3;
436 // IMEI (if applicable) of the corresponding network device. 15-16 decimal
437 // digits encoded as ASCII string. Example: 355402040158759.
438 optional string imei = 4;
439 }
441 // Details about a device user.
442 message DeviceUser {
443 // Types of device users which can be reported.
444 enum UserType {
445 // A user managed by the same domain as the device.
446 USER_TYPE_MANAGED = 0;
448 // A user not managed by the same domain as the device.
449 USER_TYPE_UNMANAGED = 1;
450 }
452 // The type of the user.
453 required UserType type = 1;
455 // Email address of the user. Present only if the user type is managed.
456 optional string email = 2;
457 }
459 // Report device level status.
460 message DeviceStatusReportRequest {
461 // The OS version reported by the device is a platform version
462 // e.g. 1435.0.2011_12_16_1635.
463 optional string os_version = 1;
464 optional string firmware_version = 2;
466 // "Verified", "Dev". Same as verified mode.
467 // If the mode is unknown, this field should not be set.
468 optional string boot_mode = 3;
470 // Device active times collection since last report rpc call.
471 // No longer used -- use active_period instead.
472 repeated TimePeriod active_time = 4 [deprecated = true];
474 // The browser version string as shown in the About dialog.
475 // e.g. 17.0.963.18.
476 optional string browser_version = 5;
478 // A list of periods when the device was active, aggregated by day.
479 repeated ActiveTimePeriod active_period = 6;
481 // The device location.
482 optional DeviceLocation device_location = 7;
484 // List of network interfaces.
485 repeated NetworkInterface network_interface = 8;
487 // List of recent device users, in descending order by last login time.
488 repeated DeviceUser user = 9;
489 }
491 // Report session (a user on one device) level status.
492 message SessionStatusReportRequest {
493 // Installed apps for this user on this device.
494 repeated string installed_app_id = 1;
496 // Installed extensions for this user on this device.
497 repeated string installed_extension_id = 2;
499 // One stat per app for top 30 apps.
500 repeated InstallableLaunch app_launch_stat = 3;
501 }
503 // Response from DMServer to update devices' status.
504 // It is possible that status report fails but policy request succeed. In such
505 // case, the DeviceStatusReportResponse will contain an error code and the
506 // device should re-send status report data in the next policy request. The
507 // device should re-send report data if policy request fails, even if
508 // DeviceStatusReportResponse contains no error code.
509 message DeviceStatusReportResponse {
510 optional int32 error_code = 1;
512 // Human readable error message for customer support purpose.
513 optional string error_message = 2;
514 }
516 // Response from DMServer to update user devices' status.
517 // It is possible that status report fails but policy request succeed. In such
518 // case, the SessionStatusReportResponse will contain an error code and the
519 // device should re-send status report data in the next policy request. The
520 // device should re-send report data if policy request fails, even if
521 // SessionStatusReportResponse contains no error code.
522 message SessionStatusReportResponse {
523 optional int32 error_code = 1;
525 // Human readable error message for customer support purpose.
526 optional string error_message = 2;
527 }
529 // Request from device to server to determine whether the device should
530 // go through enterprise enrollment. Unlike the other requests, this request is
531 // not authenticated.
532 message DeviceAutoEnrollmentRequest {
533 // SHA-256 hash of the device's serial number, mod |modulus|.
534 // Should always be present.
535 optional int64 remainder = 1;
537 // Modulus of the hash used by the client. Should always be present. This
538 // is the number of buckets the client thinks the server has. For now,
539 // it is a power of 2, but due to the strict constraint on how many serial
540 // numbers a bucket can contain, it may become non power of 2. If that
541 // happens, client-side needs to change its assumption.
542 optional int64 modulus = 2;
543 }
545 // Response from server to auto-enrollment detection request.
546 message DeviceAutoEnrollmentResponse {
547 // If this field is present, the other fields are ignored and the client
548 // should send a new DeviceAutoEnrollmentRequest with a new |remainder|
549 // computed using this new |modulus|. If this field is empty, the client's
550 // request was accepted.
551 // DMServer guarantees that if the modulus sent by client in
552 // DeviceAutoEnrollmentRequest matches server's expectation, this field
553 // is unset.
554 optional int64 expected_modulus = 1;
556 // List of hashes in the client's hash bucket. If the client's hash matches
557 // any in this list, the client device should do enterprise enrollment.
558 // If it matches none, enrollment should be optional.
559 // Each entry has exactly 256 bits (32 bytes).
560 repeated bytes hash = 2;
561 }
563 // Sent by the client to the server. The device management server keeps a
564 // mapping of device identifiers to device state. Devices query this table after
565 // hard reset in order recover state. This request is keyed just by the opaque
566 // server-backed state key; there is no further authentication.
567 message DeviceStateRetrievalRequest {
568 // Opaque, client-determined, unpredictable, stable and unique device
569 // identifier to retrieve state for. This field contains 32 bytes of data that
570 // looks essentially random to the server. It may be generated e.g. by running
571 // a concatenation of suitable device identifiers through a cryptographic hash
572 // algorithm such as SHA-256.
573 optional bytes server_backed_state_key = 1;
574 }
576 // Sent by the client to the server when in registered state to update the
577 // device-determined device state keys.
578 message DeviceStateKeyUpdateRequest {
579 // The client-determined state keys. To the server, these look like 32 bytes
580 // of random data. The client should generate these keys using a deterministic
581 // algorithm that takes stable device identifiers as an input and produces a
582 // key as the output, possibly by running the identifiers through a
583 // cryptographic hash function such as SHA-256.
584 repeated bytes server_backed_state_key = 1;
585 }
587 // Server to client message carrying the device state response. Because the
588 // request is not authenticated, the only protection against state extraction
589 // from server is the unpredictability of the server-backed state ID. Thus, the
590 // response should not contain any sensitive data. If the server doesn't know
591 // the requested identifier, it just return a message with restore_mode set to
592 // RESTORE_MODE_NONE.
593 message DeviceStateRetrievalResponse {
594 // Restorative action to take after device reset.
595 enum RestoreMode {
596 // No state restoration.
597 RESTORE_MODE_NONE = 0;
598 // Enterprise enrollment requested, but user may skip.
599 RESTORE_MODE_REENROLLMENT_REQUESTED = 1;
600 // Enterprise enrollment is enforced and cannot be skipped.
601 RESTORE_MODE_REENROLLMENT_ENFORCED = 2;
602 };
603 // The server-indicated restore mode.
604 optional RestoreMode restore_mode = 1 [default = RESTORE_MODE_NONE];
606 // Primary domain the device is associated with.
607 optional string management_domain = 2;
608 }
610 // Request from the DMAgent on the device to the DMServer. This is
611 // container for all requests from device to server. The overall HTTP
612 // request MUST be in the following format:
613 //
614 // * HTTP method is POST
615 // * Data mime type is application/x-protobuffer
616 // * HTTP parameters are (all required, all case sensitive):
617 // * request: MUST BE one of
618 // * cert_upload
619 // * enterprise_check
620 // * device_state_retrieval
621 // * ping
622 // * policy
623 // * register
624 // * status
625 // * unregister
626 // * api_authorization
627 //
628 // * devicetype: MUST BE "1" for Android or "2" for Chrome OS.
629 // * apptype: MUST BE Android or Chrome.
630 // * deviceid: MUST BE no more than 64-char in [\x21-\x7E].
631 // * agent: MUST BE no more than 64-char long.
632 // * HTTP Authorization header MUST be in the following formats:
633 // * For register and ping requests
634 // Authorization: GoogleLogin auth=<auth cookie for Mobile Sync>
635 //
636 // * For unregister, policy, status, and cert_upload requests
637 // Authorization: GoogleDMToken token=<dm token from register>
638 //
639 // * The Authorization header isn't used for enterprise_check
640 // request, nor for register requests using OAuth. In the latter case,
641 // the OAuth token is passed in the "oauth" parameter.
642 //
643 // DeviceManagementRequest should only contain one request which matches the
644 // HTTP query parameter - request, as listed below. Other requests within the
645 // container will be ignored.
646 // cert_upload: cert_upload_request
647 // enterprise_check: auto_enrollment_request
648 // device_state_retrieval: device_state_retrieval_request
649 // ping: policy_request
650 // policy: policy_request
651 // register: register_request
652 // status: device_status_report_request or session_status_report_request
653 // unregister: unregister_request
654 //
655 //
656 message DeviceManagementRequest {
657 // Register request.
658 optional DeviceRegisterRequest register_request = 1;
660 // Unregister request.
661 optional DeviceUnregisterRequest unregister_request = 2;
663 // Policy request.
664 optional DevicePolicyRequest policy_request = 3;
666 // Update status.
667 optional DeviceStatusReportRequest device_status_report_request = 4;
668 optional SessionStatusReportRequest session_status_report_request = 5;
670 // Auto-enrollment detection.
671 optional DeviceAutoEnrollmentRequest auto_enrollment_request = 6;
673 // EMCert upload (for remote attestation)
674 optional DeviceCertUploadRequest cert_upload_request = 7;
676 // Request for OAuth2 authorization codes to access Google services.
677 optional DeviceServiceApiAccessRequest service_api_access_request = 8;
679 // Device-state retrieval.
680 optional DeviceStateRetrievalRequest device_state_retrieval_request = 9;
682 // Device state key update.
683 optional DeviceStateKeyUpdateRequest device_state_key_update_request = 10;
684 }
686 // Response from server to device.
687 //
688 // The server uses the following numbers as HTTP status codes
689 // to report top-level errors.
690 //
691 // 200 OK: valid response is returned to client.
692 // 400 Bad Request: invalid argument.
693 // 401 Unauthorized: invalid auth cookie or DM token.
694 // 403 Forbidden: device management is not allowed.
695 // 404 Not Found: the request URL is invalid.
696 // 410 Device Not Found: the device id is not found.
697 // 491 Request Pending: the request is pending approval.
698 // 500 Internal Server Error: most likely a bug in DM server.
699 // 503 Service Unavailable: most likely a backend error.
700 // 901 Device Not Found: the device id is not found.
701 // 902 Policy Not Found: the policy is not found.
702 message DeviceManagementResponse {
703 // Error message.
704 optional string error_message = 2;
706 // Register response
707 optional DeviceRegisterResponse register_response = 3;
709 // Unregister response
710 optional DeviceUnregisterResponse unregister_response = 4;
712 // Policy response.
713 optional DevicePolicyResponse policy_response = 5;
715 // Device status report response.
716 optional DeviceStatusReportResponse device_status_report_response = 6;
718 // Session status report response.
719 optional SessionStatusReportResponse session_status_report_response = 7;
721 // Auto-enrollment detection response.
722 optional DeviceAutoEnrollmentResponse auto_enrollment_response = 8;
724 // EMCert upload response.
725 optional DeviceCertUploadResponse cert_upload_response = 9;
727 // Response to OAuth2 authorization code request.
728 optional DeviceServiceApiAccessResponse service_api_access_response = 10;
730 // Device-state retrieval.
731 optional DeviceStateRetrievalResponse device_state_retrieval_response = 11;
732 }