Code samples for app policies

The requests below illustrate policy management with the Policy API using app policies as an example. Before you begin, make sure you review the Chrome Policy API Overview and the Policy schemas guide.

All the requests presented below use the following variables:

  • $TOKEN - OAuth 2 token
  • $CUSTOMER - Id of the customer or literal my_customer

Force install an app

The following examples are for an Organizational Unit. A Group request would be the same except for the targetResource, which would have "groups/" instead of "orgunits/" before the id.

Here, we are setting the Google Drawings app to be force installed:

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
        requests: [{
                policyTargetKey: {
                        targetResource: "orgunits/04fatzly4jbjho9",
                        additionalTargetKeys: {"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"}
                        },
                policyValue: {
                        policySchema: "chrome.users.apps.InstallType",
                        value: {appInstallType: "FORCED"}
                        },
                updateMask: {paths: "appInstallType"}
                }]
      }' \
  "https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchModify"

A successful response should be empty:

{}

This example is for a User App. A Managed Guest Session request would be identical except that the policy schema would be chrome.devices.managedguest.apps.InstallType. The equivalent Kiosk App policy request is as follows:

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
        requests: [{
                policyTargetKey: {
                        targetResource: "orgunits/04fatzly4jbjho9",
                        additionalTargetKeys: {"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"}
                        },
                policyValue: {
                        policySchema: "chrome.devices.kiosk.apps.ForceInstall",
                        value: {forceInstall: false}
                        },
                updateMask: {paths: "forceInstall"}
                }]
      }' \
  "https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchModify"

A successful response should be empty:

{}

Deleting an app

Deleting an app must be done at the Organizational Unit at which the app was explicitly added for management. When calling resolve, the field addedSourceKey contains the Organization Unit where it was added for management. In other words, delete should only be called for apps where the Organizational Unit in addedSourceKey is equal to the one in policyTargetKey.

In order to delete an app (explicitly remove it from management) you should send a batchInherit request in which the policySchema is the schema for the given app type, with an asterisk (*) in place of a specific policy. In this example, we are deleting the Google Drawings app, which is installed at the "04fatzly4jbjho9" Organizational Unit:

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
        requests: [{
                policyTargetKey: {
                        targetResource: "orgunits/04fatzly4jbjho9",
                        additionalTargetKeys: {"app_id": "chrome:gbchcmhmhahfdphkhkmpfmihenigjmpp"}
                        },
                policySchema: "chrome.users.apps.*",
                }]
      }' \
  "https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchInherit"

A successful response should be empty:

{}

Requests to delete Kiosk apps and Managed Guest Session apps would use the chrome.devices.kiosk.apps.\* and chrome.devices.managedguest.apps.\* schemas, respectively.

Get App installation policy for an app in an Organizational Unit

To get a policy for a specific app, you must specify both the policy and App Id in the request. In this example, we are reading the value of the InstallType policy for the Google Drawings app:

Request

  curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
        policyTargetKey: {
          targetResource: "orgunits/04fatzly4jbjho9",
          additionalTargetKeys: {"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"}
        },
        policySchemaFilter: "chrome.users.apps.InstallType"
    }' \
  "https://chromepolicy.googleapis.com/v1/$CUSTOMER/C02l1chq7/policies:resolve"

Response

{
  "resolvedPolicies": [
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.InstallType",
        "value": {
          "appInstallType": "FORCED"
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      },
      "addedSourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    }
  ]
}

Get App installation policy for all apps in an Organizational Unit

If the App Id is omitted from the request in the previous example, it will become a request for the value of the InstallType policy for all apps under that OU.

Request

  curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
        policyTargetKey: {
          targetResource: "orgunits/04fatzly4jbjho9",
        },
        policySchemaFilter: "chrome.users.apps.InstallType"
    }' \
  "https://chromepolicy.googleapis.com/v1/$CUSTOMER/C02l1chq7/policies:resolve"

Response

{
  "resolvedPolicies": [
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.InstallType",
        "value": {
          "appInstallType": "FORCED"
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      },
      "addedSourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:fhcfdhnmhdkemdfdncjmgnanbekfmbab"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.InstallType",
        "value": {
          "appInstallType": "ALLOWED"
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      },
      "addedSourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    ...
  ]
}

List all policies for an app in an Organizational Unit

Just as you can omit the App Id from the request to retrieve policies for all apps, you can also get all policies for a single app by using a wildcard in the policy. In this example, we are getting the values of all policies for the Google Drawings app.

Request

  curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
        policyTargetKey: {
          targetResource: "orgunits/04fatzly4jbjho9",
          additionalTargetKeys: {"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"}
        },
        policySchemaFilter: "chrome.users.apps.*"
    }' \
  "https://chromepolicy.googleapis.com/v1/$CUSTOMER/C02l1chq7/policies:resolve"

Response

{
  "resolvedPolicies": [
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.InstallType",
        "value": {
          "appInstallType": "FORCED"
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      },
      "addedSourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.IncludeInChromeWebStoreCollection",
        "value": {
          "includeInCollection": true
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      },
      "addedSourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    ...
  ]
}

List all policies for all apps in an Organizational Unit

The App Id can be omitted and a wildcard can be used in the policy in order to request all app settings for all apps under an OU.

Request

  curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
        policyTargetKey: {
          targetResource: "orgunits/04fatzly4jbjho9"
        },
        policySchemaFilter: "chrome.users.apps.*"
    }' \
  "https://chromepolicy.googleapis.com/v1/$CUSTOMER/C02l1chq7/policies:resolve"

Response

{
  "resolvedPolicies": [
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.InstallType",
        "value": {
          "appInstallType": "FORCED"
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      },
      "addedSourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.IncludeInChromeWebStoreCollection",
        "value": {
          "includeInCollection": true
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      },
      "addedSourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:fhcfdhnmhdkemdfdncjmgnanbekfmbab"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.InstallType",
        "value": {
          "appInstallType": "ALLOWED"
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      },
      "addedSourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:fhcfdhnmhdkemdfdncjmgnanbekfmbab"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.CertificateManagement",
        "value": {
          "allowAccessToKeys": true
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      },
      "addedSourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    ...
  ]
}

Clearing the Kiosk Appsconfig AutoLaunchApp

In order to clear the AutoLaunchApp, the appId can be set to "None".

Note that when setting the appId to "None", all other AutoLaunchApp settings will be set to their default values. Any AutoLaunchApp settings aside from the appId that are sent in the request will be ignored in this case.

Request

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
        requests: [{
                policyTargetKey: {
                        targetResource: "orgunits/04fatzly4jbjho9"
                        },
                policyValue: {
                        policySchema: "chrome.devices.kiosk.appsconfig.AutoLaunchApp",
                        value: {appId: "None"}
                        },
                updateMask: {paths: "appId"}
                }]
      }' \
  "https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchModify"

Response

A successful response is empty.

{}