The requests below illustrate policy management with the Policy API using network policies as an example. Before you begin, make sure you review the Chrome Policy API Overview and the Policy schemas guide.
All the requests presented below use the following variables:
$TOKEN
- OAuth 2 token$CUSTOMER
- Id of the customer or literalmy_customer
$ORG_UNIT
- Id of the target organizational unit$NETWORK_ID
- Unique identifier of the object you wish to interact with
Policy Networks Service
The Policy Networks Service is an API to assist the Chrome Policy Api in managing network settings.
The API consists of four endpoints:
Define Network
The Define Network endpoint is used to create a new network. This endpoint is used for WiFi, Ethernet, and VPN networks.
In this example, we define a simple WiFi Network. To define a more complex network, examine what fields are available in the chrome.networks.wifi namespace.
The details policy_schema must be present for all types of networks.
curl -H "Content-Type: application/json" -H "Authorization:Bearer $TOKEN" -d "{target_resource: 'orgunits/$ORG_UNIT', \
name: 'Network Name', \
settings: [
{policy_schema: 'chrome.networks.wifi.AllowForChromeUsers', value: {'allowForChromeUsers': true}}, \
{policy_schema: 'chrome.networks.wifi.Details',value: {'details': {'security': 'None', 'ssid': 'ssid'}}}
]}" \
"https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/networks:defineNetwork"
A successful response will contain the created network, including the networkId that references it.
{
"networkId": "Network Name-Wifi",
"targetResource": "orgunits/$ORG_UNIT",
"settings": [
{
"policySchema": "chrome.networks.wifi.Details",
"value": {
"details": {
"ssid": "ssid",
"security": "None",
"proxySettings": {
"type": "Direct"
},
"allowIpConfiguration": false,
"allowNameServersConfiguration": false,
"nameServerSelection": "NAME_SERVERS_ENUM_AUTOMATIC"
}
}
},
{
"policySchema": "chrome.networks.wifi.AllowForChromeDevices",
"value": {
"allowForChromeDevices": false
}
},
{
"policySchema": "chrome.networks.wifi.AllowForChromeUsers",
"value": {
"allowForChromeUsers": true
}
}
]
}
Remove Network
The Remove Network endpoint is used to delete a network. This endpoint is used for WiFi, Ethernet, and VPN networks.
In this example, we remove a WiFi network.
curl -H "Content-Type: application/json" -H "Authorization:Bearer $TOKEN" -d "{target_resource: 'orgunits/$ORG_UNIT', network_id: '$NETWORK_ID'}" \
"https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/networks:removeNetwork"
A successful response is empty.
{}
Define Certificate
The Define Certificate endpoint is used to create a new certificate.
In this example, we define a certificate, and allow chrome devices to use it.
curl -H "Content-Type: application/json" -H "Authorization:Bearer $TOKEN" -d " \
{
target_resource: 'orgunits/$ORG_UNIT',
certificate: 'raw string representation of a .pem or .crt certificate file.',
settings: [{
policy_schema: 'chrome.networks.certificates.AllowForChromeDevices',
value: {'allowForChromeDevices': true}
}]
}" "https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/networks:defineCertificate"
A successful response will contain a reference to the created certificate (networkId).
{
"networkId": "{c045f8df-79f1-49d3-92b9-0e61516e6a6b}",
"targetResource": "orgunits/$ORG_UNIT"
}
Remove Certificate
The Remove Certificate endpoint is used to remove a certificate definition.
In this example, we remove a certificate.
curl -H "Content-Type: application/json" -H "Authorization:Bearer $TOKEN" -d "{target_resource: 'orgunits/$ORG_UNIT', network_id: '$NETWORK_ID'}" \
"https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/networks:removeCertificate"
A successful response is empty.
{}
Interacting with your saved networks
To interact with a certificate or network, use Policy API. Requests must include an additional target key, representing the resource you wish to interact with.
Omitting an additional target key is only acceptable in a resolve request. This will result in all networks matching the requested namespace being returned.
Full network schemas can be obtained through the schema service using filters.
To see all VPN settings, try this:
curl -H "Authorization:Bearer $TOKEN" \
"https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policySchemas?filter=chrome.networks.vpn"
Here is an example of adding Imprivata as a certificate authority.
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $TOKEN" \
-d '{
requests: [{
policyTargetKey: {
targetResource: "orgunits/$ORG_UNIT",
additionalTargetKeys: {"network_id": "$NETWORK_ID"}
},
policyValue: {
policySchema: "chrome.networks.certificates.AllowForChromeImprivata",
value: {allowForChromeImprivata: true}
},
updateMask: {paths: "allowForChromeImprivata"}
}]
}' \
"https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchModify"
Here is an example of changing a network password.
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $TOKEN" \
-d '{
requests: [{
policyTargetKey: {
targetResource: "orgunits/$ORG_UNIT",
additionalTargetKeys: {"network_id": "$NETWORK_ID"}
},
policyValue: {
policySchema: "chrome.networks.wifi.Details",
value: {details: {
ssid: 'ssid',
security: 'WEP-PSK'
passphrase: 'Your passphrase.'
}
}
},
updateMask: {paths: "details"}
}]
}' \
"https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchModify"