1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 option optimize_for = LITE_RUNTIME;
9 package enterprise_management;
11 message DevicePolicyRefreshRateProto {
13 optional int64 device_policy_refresh_rate = 1;
16 message UserWhitelistProto {
17 // If a UserWhitelistProto is included in the ChromeDeviceSettingsProto but
18 // the user_whitelist field is empty then no user can sign-in.
19 repeated string user_whitelist = 1;
22 message AllowNewUsersProto {
23 // Determines whether we allow arbitrary users to log into the device.
24 // This interacts with the UserWhitelistProto as follows:
25 // allow_new_users | user_whitelist | anyone can log in
26 //-----------------+--------------------+------------------
27 // present, true | not present | Yes
28 //-----------------+--------------------+------------------
29 // present, true | present | Yes
30 //-----------------+--------------------+------------------
31 // present, false | not present | (Broken) Yes
32 //-----------------+--------------------+------------------
33 // present, false | present | No, W/L enforced
34 //-----------------+--------------------+------------------
35 // not present | not present | Yes
36 //-----------------+--------------------+------------------
37 // not present | present, empty | Yes
38 //-----------------+--------------------+------------------
39 // not present | present, non-empty | No, W/L enforced
40 //-----------------+--------------------+------------------
41 optional bool allow_new_users = 1 [default = true];
44 message GuestModeEnabledProto {
45 // Determines if guests are allowed to log in to the device.
46 optional bool guest_mode_enabled = 1 [default = true];
49 message ShowUserNamesOnSigninProto {
50 // Determines if we show pods for existing users on the sign in screen.
51 optional bool show_user_names = 1 [default = true];
54 message DataRoamingEnabledProto {
55 // Determines if cellular data roaming is enabled.
56 optional bool data_roaming_enabled = 1 [default = false];
59 message DeviceProxySettingsProto {
60 // One of "direct", "auto_detect", "pac_script", "fixed_servers", "system"
61 optional string proxy_mode = 1;
62 optional string proxy_server = 2;
63 optional string proxy_pac_url = 3;
64 optional string proxy_bypass_list = 4;
67 // This is used by chromeos, make sure to do cleanup there before marking it as
69 message CameraEnabledProto {
70 optional bool camera_enabled = 1;
73 message MetricsEnabledProto {
74 optional bool metrics_enabled = 1;
77 message ReleaseChannelProto {
78 // One of "stable-channel", "beta-channel", or "dev-channel"
79 optional string release_channel = 1;
81 // If |release_channel_delegated| is set to true and the |release_channel|
82 // field is not set or left empty, the user can select the channel. If the
83 // |release_channel| is specified it will always override users choice!
84 optional bool release_channel_delegated = 2;
87 message DeviceOpenNetworkConfigurationProto {
88 // The network configuration blob. This is a JSON string as specified by ONC.
89 optional string open_network_configuration = 1;
92 // Policies to turn on portions of the device status reports.
93 message DeviceReportingProto {
94 optional bool report_version_info = 1;
95 optional bool report_activity_times = 2;
96 optional bool report_boot_mode = 3;
97 optional bool report_location = 4;
98 optional bool report_network_interfaces = 5;
99 optional bool report_users = 6;
100 optional bool report_hardware_status = 7;
101 optional bool report_session_status = 8 [default = true];
103 // Frequency to report device status, default to 3 hours.
104 optional int64 device_status_frequency = 9 [default = 10800000];
107 message EphemeralUsersEnabledProto {
108 // Determines whether users should be treated as ephemeral. In ephemeral users
109 // mode, no cryptohome is created for the user, but a tmpfs mount is used
110 // instead such that upon logout all user state is discarded.
111 optional bool ephemeral_users_enabled = 1;
114 // Details of an extension to install as part of the AppPack.
115 message OBSOLETE_AppPackEntryProto {
116 optional string OBSOLETE_extension_id = 1 [deprecated = true];
117 optional string OBSOLETE_update_url = 2 [deprecated = true];
119 // This field was added but never used and there are no plans to support it
120 // eventually either.
121 optional bool OBSOLETE_online_only = 3 [deprecated = true];
124 message OBSOLETE_AppPackProto {
125 // List of extensions to install as part of the AppPack.
126 repeated OBSOLETE_AppPackEntryProto app_pack = 1 [deprecated = true];
129 // This is a special policy for kiosk/retail mode that specifies what apps
130 // should be pinned to the launcher. For regular accounts, pinned apps are
131 // controlled through user policy.
132 message OBSOLETE_PinnedAppsProto {
133 // App IDs for the apps to pin.
134 repeated string OBSOLETE_app_id = 1 [deprecated = true];
137 message OBSOLETE_ForcedLogoutTimeoutsProto {
138 // All timeouts are specified in milliseconds.
140 // Specifies the timeout before an idle user session is terminated.
141 // If this field is omitted or set to 0, no logout on idle will be performed.
142 optional int64 OBSOLETE_idle_logout_timeout = 1 [deprecated = true];
144 // Specifies the duration of a warning countdown before the user is logged out
145 // because of idleness as specified by the |idle_logout_timeout| value.
146 // This field is only used if |idle_logout_timeout| != 0 is specified.
147 optional int64 OBSOLETE_idle_logout_warning_duration = 2 [deprecated = true];
150 message OBSOLETE_ScreenSaverProto {
151 // Specifies the extension ID which is to be used as a screen saver on the
152 // login screen if no user activity is present. Only respected if the device
153 // is in RETAIL mode.
154 optional string OBSOLETE_screen_saver_extension_id = 1 [deprecated = true];
156 // Specifies the timeout before the screen saver is activated. If this field
157 // is omitted or set to 0, no screen-saver will be started.
158 // Measured in milliseconds.
159 optional int64 OBSOLETE_screen_saver_timeout = 2 [deprecated = true];
162 // Enterprise controls for auto-update behavior of Chrome OS.
163 message AutoUpdateSettingsProto {
164 // True if we don't want the device to auto-update (target_version_prefix is
165 // ignored in this case).
166 optional bool update_disabled = 1;
168 // Specifies the prefix of the target version we want the device to
169 // update to, if it's on a older version. If the device is already on
170 // a version with the given prefix, then there's no effect. If the device is
171 // on a higher version, it will remain on the higher version as we
172 // don't support rollback yet. The format of this version can be one
174 // ---------------------------------------------------------------------
175 // "" (or not set at all): update to latest version available.
176 // 1412.: update to any minor version of 1412 (e.g. 1412.24.34 or 1412.60.2)
177 // 1412.2.: update to any minor version of 1412.2 (e.g. 1412.2.34 or 1412.2.2)
178 // 1412.24.34: update to this specific version only
179 // ---------------------------------------------------------------------
180 optional string target_version_prefix = 2;
182 // The Chrome browser version (e.g. "17.*") corresponding to the
183 // target_version_prefix above. The target_version_prefix is the internal OS
184 // version that external users normally are not aware of. This display_name
185 // can be used by the devices to display a message to end-users about the auto
187 optional string target_version_display_name = 3;
189 // Specifies the number of seconds up to which a device may randomly
190 // delay its download of an update from the time the update was first pushed
191 // out to the server. The device may wait a portion of this time in terms
192 // of wall-clock-time and the remaining portion in terms of the number of
193 // update checks. In any case, the scatter is upper bounded by a constant
194 // amount of time so that a device does not ever get stuck waiting to download
195 // an update forever.
196 optional int64 scatter_factor_in_seconds = 4;
198 // Enumerates network connection types.
199 enum ConnectionType {
200 CONNECTION_TYPE_ETHERNET = 0;
201 CONNECTION_TYPE_WIFI = 1;
202 CONNECTION_TYPE_WIMAX = 2;
203 CONNECTION_TYPE_BLUETOOTH = 3;
204 CONNECTION_TYPE_CELLULAR = 4;
207 // The types of connections that are OK to use for OS updates. OS updates
208 // potentially put heavy strain on the connection due to their size and may
209 // incur additional cost. Therefore, they are by default not enabled for
210 // connection types that are considered expensive, which include WiMax,
211 // Bluetooth and Cellular at the moment.
212 repeated ConnectionType allowed_connection_types = 5;
214 // This has been replaced by |reboot_after_update| below.
215 optional bool OBSOLETE_reboot_after_update = 6 [deprecated = true];
217 // True if AU payloads can be downloaded via HTTP. False otherwise.
218 optional bool http_downloads_enabled = 7 [default = false];
220 // True if the device should reboot automatically when an update has been
221 // applied and a reboot is required to complete the update process.
223 // Note: Currently, automatic reboots are only enabled while the login screen
224 // is being shown or a kiosk app session is in progress. This will change in
225 // the future and the policy will always apply, regardless of whether a
226 // session of any particular type is in progress or not.
227 optional bool reboot_after_update = 8;
229 // True if AU payloads may be shared with and consumed from other devices
230 // on the LAN, using p2p. False otherwise.
231 optional bool p2p_enabled = 9 [default = false];
234 message OBSOLETE_StartUpUrlsProto {
235 // Specifies the URLs to be loaded on login to the anonymous account used if
236 // the device is in RETAIL mode.
237 repeated string OBSOLETE_start_up_urls = 1 [deprecated = true];
240 message SystemTimezoneProto {
241 // Specifies an owner-determined timezone that applies to the login screen and
242 // all users. Valid values are listed in "timezone_settings.cc". Additionally,
243 // timezones from the "IANA Time Zone Database" (e.g. listed on wikipedia)
244 // that are equivalent to one of the timezones in "timezone_settings.cc" are
245 // valid. In case of an invalid value, the setting is still activated with a
246 // fallback timezone (currently "GMT"). In case of an empty string or if no
247 // value is provided, the timezone device setting is inactive. In that case,
248 // the currently active timezone will remain in use however users can change
249 // the timezone and the change is persistent. Thus a change by one user
250 // affects the login-screen and all other users.
251 optional string timezone = 1;
254 message SystemUse24HourClockProto {
255 // Specifies an owner-determined clock format that applies to the login
256 // screen and is used as a default for all user sessions. Users can still
257 // override the format to use for their account.
259 // True and false select a 24 and 12 hour clock format, respectively. The
260 // default format for the case the setting is not present is 24 hour clock.
261 optional bool use_24hour_clock = 1;
264 // Parameters for Kiosk App device-local accounts.
265 message KioskAppInfoProto {
266 // Indicates the Kiosk App for the corresponding device-local account. The
267 // string value should be a valid 32-character Chrome App identifier and
268 // specifies the Kiosk App to download and run.
269 optional string app_id = 1;
271 // Optional extension update URL to download the Kiosk App package from. If
272 // not specified, the app will be downloaded from the standard Chrome Web
274 optional string update_url = 2;
277 // Describes a single device-local account.
278 message DeviceLocalAccountInfoProto {
279 // Deprecated: Account identifier for a public session device-local account.
280 // Old code didn't have the |type| field, so it can't handle new types of
281 // device-local accounts gracefully (i.e. ignoring unsupported types). New
282 // code should instead set type to ACCOUNT_TYPE_PUBLIC_SESSION and write the
283 // identifier to the |account_id| field below. If the |type| field is present,
284 // |deprecated_public_session_id| will be ignored.
285 optional string deprecated_public_session_id = 1;
287 // Identifier for the device-local account. This is an opaque identifier that
288 // is used to distinguish different device-local accounts configured. All
289 // configured accounts on a device must have unique identifiers.
290 optional string account_id = 2;
292 // Indicates the type of device-local account.
294 // A login-less, policy-configured browsing session.
295 ACCOUNT_TYPE_PUBLIC_SESSION = 0;
296 // An account that serves as a container for a single full-screen app.
297 ACCOUNT_TYPE_KIOSK_APP = 1;
301 optional AccountType type = 3;
303 // Kiosk App parameters, relevant if |type| is ACCOUNT_TYPE_KIOSK_APP.
304 optional KioskAppInfoProto kiosk_app = 4;
307 message DeviceLocalAccountsProto {
308 // The list of device-local accounts (i.e. accounts without an associated
309 // cloud-backed profile) that are available on the device.
310 repeated DeviceLocalAccountInfoProto account = 1;
312 // The identifier of the device-local account to which the device
313 // should be logged in automatically. Should be equal to one of the
314 // ids in DeviceLocalAccountInfoProto.
315 optional string auto_login_id = 2;
317 // The amount of time, in milliseconds, that should elapse at the signin
318 // screen without user interaction before automatically logging in.
319 optional int64 auto_login_delay = 3;
321 // Whether the keyboard shortcut to prevent zero-delay auto-login should be
322 // enabled or not. By default, the user has 3 seconds to press a shortcut
323 // to prevent auto-login, which is useful to sign-in to a regular user session
324 // and configure the machine. If this policy is set to false then this
325 // shortcut is disabled and there is no way to skip auto-login.
326 optional bool enable_auto_login_bailout = 4 [default = true];
328 // Whether network configuration should be offered or not when the device
329 // does not have access to the Internet. If the policy is omitted or set to
330 // true, the network configuration will be offered. Otherwise, only an error
331 // message is displayed.
332 // Note: If both this policy and enable_auto_login_bailout policy above is
333 // set to false, there are chances that the device might become totally
334 // unusable when there is no Internet access and has to go through the
336 // If the device is offline at startup then the network configuration screen
337 // is always shown, before auto-login kicks in.
338 optional bool prompt_for_network_when_offline = 5 [default = true];
341 message AllowRedeemChromeOsRegistrationOffersProto {
342 // Chrome OS Registration service provides way for chromeos device users
343 // to redeem electronic offers provided by service provider.
344 // This value determines if users are allowed to redeem offers through
345 // Chrome OS Registration service.
346 optional bool allow_redeem_offers = 1 [default = true];
349 message StartUpFlagsProto {
350 // The list of flags to be applied to chrome on start-up (back up store for
351 // owner set flags in about:flags).
352 repeated string flags = 1;
355 message UptimeLimitProto {
356 // This has been replaced by |uptime_limit| below.
357 optional int64 OBSOLETE_uptime_limit = 1 [deprecated = true];
359 // Sets the length of device uptime after which an automatic reboot is
360 // scheduled. An automatic reboot is scheduled at the selected time but may be
361 // delayed on the device by up to 24 hours, e.g. if a user is currently using
362 // the device or an app/extension has requested reboots to be inhibited
363 // temporarily. The policy value should be specified in seconds.
365 // Note: Currently, automatic reboots are only enabled while the login screen
366 // is being shown or a kiosk app session is in progress. This will change in
367 // the future and the policy will always apply, regardless of whether a
368 // session of any particular type is in progress or not.
369 optional int64 uptime_limit = 2;
372 message VariationsParameterProto {
373 // The string for the restrict parameter to be appended to the Variations URL
374 // when pinging the Variations server.
375 optional string parameter = 1;
378 message AttestationSettingsProto {
379 // Attestation involves proving that a cryptographic key is protected by a
380 // legitimate Chrome OS TPM and reporting the operating mode of the platform.
381 // This setting enables enterprise attestation features at a device level. If
382 // this is enabled a machine key will be generated and certified by the Chrome
383 // OS CA. If this setting is disabled, even users with attestation settings
384 // enabled will not be able to use those features on the device.
385 optional bool attestation_enabled = 1 [default = false];
387 // Chrome OS devices can use remote attestation (Verified Access) to get a
388 // certificate issued by the Chrome OS CA that asserts the device is eligible
389 // to play protected content. This process involves sending hardware
390 // endorsement information to the Chrome OS CA which uniquely identifies the
391 // device. This setting allows this feature to be disabled for the device
392 // regardless of any user-specific settings.
393 optional bool content_protection_enabled = 2 [default = true];
396 message AccessibilitySettingsProto {
397 // Sets the default state of the large cursor accessibility feature on the
398 // login screen. If this policy is set to true, the large cursor will be
399 // enabled when the login screen is shown. If this policy is set to false, the
400 // large cursor will be disabled when the login screen is shown. Users can
401 // temporarily override this setting by enabling or disabling the large
402 // cursor. However, the user's choice is not persistent and the default is
403 // restored whenever the login screen is shown anew or the user remains idle
404 // on the login screen for a minute. If this policy is left unset, the large
405 // cursor is disabled when the login screen is first shown. Users can enable
406 // or disable the large cursor anytime and its status on the login screen is
407 // persisted between users.
408 optional bool login_screen_default_large_cursor_enabled = 1;
410 // Sets the default state of the spoken feedback accessibility feature on the
411 // login screen. If this policy is set to true, spoken feedback will be
412 // enabled when the login screen is shown. If this policy is set to false,
413 // spoken feedback will be disabled when the login screen is shown. Users can
414 // temporarily override this setting by enabling or disabling spoken feedback.
415 // However, the user's choice is not persistent and the default is restored
416 // whenever the login screen is shown anew or the user remains idle on the
417 // login screen for a minute. If this policy is left unset, spoken feedback is
418 // disabled when the login screen is first shown. Users can enable or disable
419 // spoken feedback anytime and its status on the login screen is persisted
421 optional bool login_screen_default_spoken_feedback_enabled = 2;
423 // Sets the default state of the high contrast mode accessibility feature on
424 // the login screen. If this policy is set to true, high contrast mode will be
425 // enabled when the login screen is shown. If this policy is set to false,
426 // high contrast mode will be disabled when the login screen is shown. Users
427 // can temporarily override this setting by enabling or disabling high
428 // contrast mode. However, the user's choice is not persistent and the default
429 // is restored whenever the login screen is shown anew or the user remains
430 // idle on the login screen for a minute. If this policy is left unset, high
431 // contrast mode is disabled when the login screen is first shown. Users can
432 // enable or disable high contrast mode anytime and its status on the login
433 // screen is persisted between users.
434 optional bool login_screen_default_high_contrast_enabled = 3;
436 // Enumerates the screen magnifier types.
437 enum ScreenMagnifierType {
438 // Screen magnifier disabled.
439 SCREEN_MAGNIFIER_TYPE_NONE = 0;
440 // Full-screen magnifier enabled.
441 SCREEN_MAGNIFIER_TYPE_FULL = 1;
444 // Sets the default type of screen magnifier that is enabled on the login
445 // screen. If this policy is set, it controls the type of screen magnifier
446 // that is enabled when the login screen is shown. Users can temporarily
447 // override this setting by enabling or disabling the screen magnifier.
448 // However, the user's choice is not persistent and the default is restored
449 // whenever the login screen is shown anew or the user remains idle on the
450 // login screen for a minute. If this policy is left unset, the screen
451 // magnifier is disabled when the login screen is first shown. Users can
452 // enable or disable the screen magnifier anytime and its status on the login
453 // screen is persisted between users.
454 optional ScreenMagnifierType login_screen_default_screen_magnifier_type = 4;
456 // Sets the default state of the on-screen keyboard accessibility feature on
457 // the login screen. If this policy is set to true, the on-screen keyboard
458 // will be enabled when the login screen is shown. If this policy is set to
459 // false, the on-screen keyboard will be disabled when the login screen is
460 // shown. Users can temporarily override this setting by enabling or disabling
461 // the on-screen keyboard. However, the user's choice is not persistent and
462 // the default is restored whenever the login screen is shown anew or the user
463 // remains idle on the login screen for a minute. If this policy is left
464 // unset, the on-screen keyboard is disabled when the login screen is first
465 // shown. Users can enable or disable the on-screen keyboard anytime and its
466 // status on the login screen is persisted between users.
467 optional bool login_screen_default_virtual_keyboard_enabled = 5;
470 message SupervisedUsersSettingsProto {
471 // Defines whether supervised users can be created on the device.
472 optional bool supervised_users_enabled = 1;
475 message LoginScreenPowerManagementProto {
476 // Configures power management on the login screen. The policy should be
477 // specified as a string that expresses the individual settings in JSON
478 // format, conforming to the following schema:
483 // "description": "Power management settings applicable only when
484 // running on AC power",
491 // "description": "The length of time without user input after
492 // which the screen is dimmed, in milliseconds",
493 // "type": "integer",
497 // "description": "The length of time without user input after
498 // which the screen is turned off, in
500 // "type": "integer",
504 // "description": "The length of time without user input after
505 // which the idle action is taken, in
507 // "type": "integer",
513 // "description": "Action to take when the idle delay is reached",
514 // "enum": [ "Suspend", "Shutdown", "DoNothing" ]
519 // "description": "Power management settings applicable only when
520 // running on battery power",
527 // "description": "The length of time without user input after
528 // which the screen is dimmed, in milliseconds",
529 // "type": "integer",
533 // "description": "The length of time without user input after
534 // which the screen is turned off, in
536 // "type": "integer",
540 // "description": "The length of time without user input after
541 // which the idle action is taken, in
543 // "type": "integer",
549 // "description": "Action to take when the idle delay is reached",
550 // "enum": [ "Suspend", "Shutdown", "DoNothing" ]
554 // "LidCloseAction": {
555 // "description": "Action to take when the lid is closed",
556 // "enum": [ "Suspend", "Shutdown", "DoNothing" ]
558 // "UserActivityScreenDimDelayScale": {
559 // "description": "Percentage by which the screen dim delay is scaled
560 // when user activity is observed while the screen is
561 // dimmed or soon after the screen has been turned off",
562 // "type": "integer",
567 optional string login_screen_power_management = 1;
570 message AutoCleanupSettigsProto {
571 // Deprecated. There is only one disk-full cleanup strategy: LRU.
572 optional string clean_up_strategy = 1;
575 // Settings that control low-level functions of the system.
576 message SystemSettingsProto {
577 // Whether developer mode is allowed on the device. If the device owner sets
578 // this flag to true, the system will refuse to boot and show an error screen
579 // when the developer switch is turned on.
580 optional bool block_devmode = 1;
583 // Settings that control login for SAML users.
584 message SAMLSettingsProto {
585 // Whether cookies set by a SAML IdP should be transferred to users' profiles
586 // every time a user authenticates via SAML during login. If false, cookies
587 // are transferred during each user's first login only.
588 optional bool transfer_saml_cookies = 1;
591 message RebootOnShutdownProto {
592 // Determines whether the device automatically reboots whenever the user shuts
593 // it down. If this flag is set to true, shutdown is forbidden and UI elements
594 // trigger a device reboot instead of a power off. This policy affects
595 // shutdowns triggered from the UI only. If the user shuts down the device
596 // using the power button, it will not automatically reboot, even if the
597 // policy is enabled.
598 optional bool reboot_on_shutdown = 1 [default = false];
601 // Settings that control whether a device would send heartbeat messages to GCM,
602 // and how frequently to send these.
603 message DeviceHeartbeatSettingsProto {
604 // Whether the device should send heartbeat messages. The default is false.
605 optional bool heartbeat_enabled = 1 [default = false];
607 // How frequently devices send heartbeats back to server. The unit is in
608 // milliseconds. The default is 2 minutes.
609 optional int64 heartbeat_frequency = 2 [default = 120000];
612 message ChromeDeviceSettingsProto {
613 optional DevicePolicyRefreshRateProto device_policy_refresh_rate = 1;
614 optional UserWhitelistProto user_whitelist = 2;
615 optional GuestModeEnabledProto guest_mode_enabled = 3;
616 optional DeviceProxySettingsProto device_proxy_settings = 4;
617 optional CameraEnabledProto camera_enabled = 5;
618 optional ShowUserNamesOnSigninProto show_user_names = 6;
619 optional DataRoamingEnabledProto data_roaming_enabled = 7;
620 optional AllowNewUsersProto allow_new_users = 8;
621 optional MetricsEnabledProto metrics_enabled = 9;
622 optional ReleaseChannelProto release_channel = 10;
623 optional DeviceOpenNetworkConfigurationProto open_network_configuration = 11;
624 optional DeviceReportingProto device_reporting = 12;
625 optional EphemeralUsersEnabledProto ephemeral_users_enabled = 13;
626 optional OBSOLETE_AppPackProto app_pack = 14 [deprecated = true];
627 optional OBSOLETE_ForcedLogoutTimeoutsProto forced_logout_timeouts = 15
629 optional OBSOLETE_ScreenSaverProto login_screen_saver = 16
631 optional AutoUpdateSettingsProto auto_update_settings = 17;
632 optional OBSOLETE_StartUpUrlsProto start_up_urls = 18 [deprecated = true];
633 optional OBSOLETE_PinnedAppsProto pinned_apps = 19 [deprecated = true];
634 optional SystemTimezoneProto system_timezone = 20;
635 optional DeviceLocalAccountsProto device_local_accounts = 21;
636 optional AllowRedeemChromeOsRegistrationOffersProto allow_redeem_offers = 22;
637 optional StartUpFlagsProto start_up_flags = 23;
638 optional UptimeLimitProto uptime_limit = 24;
639 optional VariationsParameterProto variations_parameter = 25;
640 optional AttestationSettingsProto attestation_settings = 26;
641 optional AccessibilitySettingsProto accessibility_settings = 27;
642 optional SupervisedUsersSettingsProto supervised_users_settings = 28;
643 optional LoginScreenPowerManagementProto login_screen_power_management = 29;
644 optional SystemUse24HourClockProto use_24hour_clock = 30;
645 optional AutoCleanupSettigsProto auto_clean_up_settings = 31;
646 optional SystemSettingsProto system_settings = 32;
647 optional SAMLSettingsProto saml_settings = 33;
648 optional RebootOnShutdownProto reboot_on_shutdown = 34;
649 optional DeviceHeartbeatSettingsProto device_heartbeat_settings = 35;