The requests below illustrate policy management with the Policy API using app policies as an example. Before you begin, make sure you review the Chrome Policy API Overview and the Policy schemas guide.
All the requests presented below use the following variables:
$TOKEN- OAuth 2 token$CUSTOMER- Id of the customer or literalmy_customer
Force install an app
The following examples are for an Organizational Unit. A Group request would be the same except for the targetResource, which would have "groups/" instead of "orgunits/" before the id.
Here, we are setting the Google Drawings app to be force installed:
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $TOKEN" \
-d '{
requests: [{
policyTargetKey: {
targetResource: "orgunits/04fatzly4jbjho9",
additionalTargetKeys: {"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"}
},
policyValue: {
policySchema: "chrome.users.apps.InstallType",
value: {appInstallType: "FORCED"}
},
updateMask: {paths: "appInstallType"}
}]
}' \
"https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchModify"
A successful response should be empty:
{}
This example is for a User App. A Managed Guest Session request would be
identical except that the policy schema would be
chrome.devices.managedguest.apps.InstallType. The equivalent Kiosk App policy
request is as follows:
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $TOKEN" \
-d '{
requests: [{
policyTargetKey: {
targetResource: "orgunits/04fatzly4jbjho9",
additionalTargetKeys: {"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"}
},
policyValue: {
policySchema: "chrome.devices.kiosk.apps.ForceInstall",
value: {forceInstall: false}
},
updateMask: {paths: "forceInstall"}
}]
}' \
"https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchModify"
A successful response should be empty:
{}
Deleting an app
Deleting an app must be done at the Organizational Unit at which the app was
explicitly added for management. When calling resolve, the field
addedSourceKey contains the Organization Unit where it was added for
management. In other words, delete should only be called for apps where the
Organizational Unit in addedSourceKey is equal to the one in
policyTargetKey.
In order to delete an app (explicitly remove it from management) you should send
a batchInherit request in which the policySchema is the schema for the given
app type, with an asterisk (*) in place of a specific policy. In this example,
we are deleting the Google Drawings app, which is installed at the
"04fatzly4jbjho9" Organizational Unit:
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $TOKEN" \
-d '{
requests: [{
policyTargetKey: {
targetResource: "orgunits/04fatzly4jbjho9",
additionalTargetKeys: {"app_id": "chrome:gbchcmhmhahfdphkhkmpfmihenigjmpp"}
},
policySchema: "chrome.users.apps.*",
}]
}' \
"https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchInherit"
A successful response should be empty:
{}
Requests to delete Kiosk apps and Managed Guest Session apps would use the
chrome.devices.kiosk.apps.\* and chrome.devices.managedguest.apps.\*
schemas, respectively.
Get App installation policy for an app in an Organizational Unit
To get a policy for a specific app, you must specify both the policy and App Id in the request. In this example, we are reading the value of the InstallType policy for the Google Drawings app:
Request
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $TOKEN" \
-d '{
policyTargetKey: {
targetResource: "orgunits/04fatzly4jbjho9",
additionalTargetKeys: {"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"}
},
policySchemaFilter: "chrome.users.apps.InstallType"
}' \
"https://chromepolicy.googleapis.com/v1/$CUSTOMER/C02l1chq7/policies:resolve"
Response
{
"resolvedPolicies": [
{
"targetKey": {
"targetResource": "orgunits/04fatzly4jbjho9",
"additionalTargetKeys": {
"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
}
},
"value": {
"policySchema": "chrome.users.apps.InstallType",
"value": {
"appInstallType": "FORCED"
}
},
"sourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
},
"addedSourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
}
}
]
}
Get App installation policy for all apps in an Organizational Unit
If the App Id is omitted from the request in the previous example, it will become a request for the value of the InstallType policy for all apps under that OU.
Request
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $TOKEN" \
-d '{
policyTargetKey: {
targetResource: "orgunits/04fatzly4jbjho9",
},
policySchemaFilter: "chrome.users.apps.InstallType"
}' \
"https://chromepolicy.googleapis.com/v1/$CUSTOMER/C02l1chq7/policies:resolve"
Response
{
"resolvedPolicies": [
{
"targetKey": {
"targetResource": "orgunits/04fatzly4jbjho9",
"additionalTargetKeys": {
"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
}
},
"value": {
"policySchema": "chrome.users.apps.InstallType",
"value": {
"appInstallType": "FORCED"
}
},
"sourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
},
"addedSourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
}
},
{
"targetKey": {
"targetResource": "orgunits/04fatzly4jbjho9",
"additionalTargetKeys": {
"app_id": "chrome:fhcfdhnmhdkemdfdncjmgnanbekfmbab"
}
},
"value": {
"policySchema": "chrome.users.apps.InstallType",
"value": {
"appInstallType": "ALLOWED"
}
},
"sourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
},
"addedSourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
}
},
...
]
}
List all policies for an app in an Organizational Unit
Just as you can omit the App Id from the request to retrieve policies for all apps, you can also get all policies for a single app by using a wildcard in the policy. In this example, we are getting the values of all policies for the Google Drawings app.
Request
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $TOKEN" \
-d '{
policyTargetKey: {
targetResource: "orgunits/04fatzly4jbjho9",
additionalTargetKeys: {"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"}
},
policySchemaFilter: "chrome.users.apps.*"
}' \
"https://chromepolicy.googleapis.com/v1/$CUSTOMER/C02l1chq7/policies:resolve"
Response
{
"resolvedPolicies": [
{
"targetKey": {
"targetResource": "orgunits/04fatzly4jbjho9",
"additionalTargetKeys": {
"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
}
},
"value": {
"policySchema": "chrome.users.apps.InstallType",
"value": {
"appInstallType": "FORCED"
}
},
"sourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
},
"addedSourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
}
},
{
"targetKey": {
"targetResource": "orgunits/04fatzly4jbjho9",
"additionalTargetKeys": {
"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
}
},
"value": {
"policySchema": "chrome.users.apps.IncludeInChromeWebStoreCollection",
"value": {
"includeInCollection": true
}
},
"sourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
},
"addedSourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
}
},
...
]
}
List all policies for all apps in an Organizational Unit
The App Id can be omitted and a wildcard can be used in the policy in order to request all app settings for all apps under an OU.
Request
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $TOKEN" \
-d '{
policyTargetKey: {
targetResource: "orgunits/04fatzly4jbjho9"
},
policySchemaFilter: "chrome.users.apps.*"
}' \
"https://chromepolicy.googleapis.com/v1/$CUSTOMER/C02l1chq7/policies:resolve"
Response
{
"resolvedPolicies": [
{
"targetKey": {
"targetResource": "orgunits/04fatzly4jbjho9",
"additionalTargetKeys": {
"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
}
},
"value": {
"policySchema": "chrome.users.apps.InstallType",
"value": {
"appInstallType": "FORCED"
}
},
"sourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
},
"addedSourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
}
},
{
"targetKey": {
"targetResource": "orgunits/04fatzly4jbjho9",
"additionalTargetKeys": {
"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
}
},
"value": {
"policySchema": "chrome.users.apps.IncludeInChromeWebStoreCollection",
"value": {
"includeInCollection": true
}
},
"sourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
},
"addedSourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
}
},
{
"targetKey": {
"targetResource": "orgunits/04fatzly4jbjho9",
"additionalTargetKeys": {
"app_id": "chrome:fhcfdhnmhdkemdfdncjmgnanbekfmbab"
}
},
"value": {
"policySchema": "chrome.users.apps.InstallType",
"value": {
"appInstallType": "ALLOWED"
}
},
"sourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
},
"addedSourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
}
},
{
"targetKey": {
"targetResource": "orgunits/04fatzly4jbjho9",
"additionalTargetKeys": {
"app_id": "chrome:fhcfdhnmhdkemdfdncjmgnanbekfmbab"
}
},
"value": {
"policySchema": "chrome.users.apps.CertificateManagement",
"value": {
"allowAccessToKeys": true
}
},
"sourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
},
"addedSourceKey": {
"targetResource": "orgunits/04fatzly4jbjho9"
}
},
...
]
}
Clearing the Kiosk Appsconfig AutoLaunchApp
In order to clear the AutoLaunchApp, the appId can be set to "None".
Note that when setting the appId to "None", all other AutoLaunchApp settings will be set to their default values. Any AutoLaunchApp settings aside from the appId that are sent in the request will be ignored in this case.
Request
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $TOKEN" \
-d '{
requests: [{
policyTargetKey: {
targetResource: "orgunits/04fatzly4jbjho9"
},
policyValue: {
policySchema: "chrome.devices.kiosk.appsconfig.AutoLaunchApp",
value: {appId: "None"}
},
updateMask: {paths: "appId"}
}]
}' \
"https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchModify"
Response
A successful response is empty.
{}