1// Copyright 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5syntax = "proto2"; 6 7option optimize_for = LITE_RUNTIME; 8 9package enterprise_management; 10 11message DevicePolicyRefreshRateProto { 12 // In milliseconds. 13 optional int64 device_policy_refresh_rate = 1; 14} 15 16message UserWhitelistProto { 17 // If a UserWhitelistProto is included in the ChromeDeviceSettingsProto but 18 // the user_whitelist field is empty then no user can sign-in. 19 repeated string user_whitelist = 1; 20} 21 22message AllowNewUsersProto { 23 // Determines whether we allow arbitrary users to log into the device. 24 // This interacts with the UserWhitelistProto as follows: 25 // allow_new_users | user_whitelist | anyone can log in 26 //-----------------+--------------------+------------------ 27 // present, true | not present | Yes 28 //-----------------+--------------------+------------------ 29 // present, true | present | Yes 30 //-----------------+--------------------+------------------ 31 // present, false | not present | (Broken) Yes 32 //-----------------+--------------------+------------------ 33 // present, false | present | No, W/L enforced 34 //-----------------+--------------------+------------------ 35 // not present | not present | Yes 36 //-----------------+--------------------+------------------ 37 // not present | present, empty | Yes 38 //-----------------+--------------------+------------------ 39 // not present | present, non-empty | No, W/L enforced 40 //-----------------+--------------------+------------------ 41 optional bool allow_new_users = 1 [default = true]; 42} 43 44message GuestModeEnabledProto { 45 // Determines if guests are allowed to log in to the device. 46 optional bool guest_mode_enabled = 1 [default = true]; 47} 48 49message ShowUserNamesOnSigninProto { 50 // Determines if we show pods for existing users on the sign in screen. 51 optional bool show_user_names = 1 [default = true]; 52} 53 54message DataRoamingEnabledProto { 55 // Determines if cellular data roaming is enabled. 56 optional bool data_roaming_enabled = 1 [default = false]; 57} 58 59message DeviceProxySettingsProto { 60 // One of "direct", "auto_detect", "pac_script", "fixed_servers", "system" 61 optional string proxy_mode = 1; 62 optional string proxy_server = 2; 63 optional string proxy_pac_url = 3; 64 optional string proxy_bypass_list = 4; 65} 66 67// This is used by chromeos, make sure to do cleanup there before marking it as 68// obsolette. 69message CameraEnabledProto { 70 optional bool camera_enabled = 1; 71} 72 73message MetricsEnabledProto { 74 optional bool metrics_enabled = 1; 75} 76 77message ReleaseChannelProto { 78 // One of "stable-channel", "beta-channel", or "dev-channel" 79 optional string release_channel = 1; 80 81 // If |release_channel_delegated| is set to true and the |release_channel| 82 // field is not set or left empty, the user can select the channel. If the 83 // |release_channel| is specified it will always override users choice! 84 optional bool release_channel_delegated = 2; 85} 86 87message DeviceOpenNetworkConfigurationProto { 88 // The network configuration blob. This is a JSON string as specified by ONC. 89 optional string open_network_configuration = 1; 90} 91 92// Policies to turn on portions of the device status reports. 93message DeviceReportingProto { 94 optional bool report_version_info = 1; 95 optional bool report_activity_times = 2; 96 optional bool report_boot_mode = 3; 97 optional bool report_location = 4; 98 optional bool report_network_interfaces = 5; 99 optional bool report_users = 6; 100} 101 102message EphemeralUsersEnabledProto { 103 // Determines whether users should be treated as ephemeral. In ephemeral users 104 // mode, no cryptohome is created for the user, but a tmpfs mount is used 105 // instead such that upon logout all user state is discarded. 106 optional bool ephemeral_users_enabled = 1; 107} 108 109// Details of an extension to install as part of the AppPack. 110message AppPackEntryProto { 111 optional string extension_id = 1; 112 optional string update_url = 2; 113 114 // This field was added but never used and there are no plans to support it 115 // eventually either. 116 optional bool OBSOLETE_online_only = 3 [deprecated = true]; 117} 118 119message AppPackProto { 120 // List of extensions to install as part of the AppPack. 121 repeated AppPackEntryProto app_pack = 1; 122} 123 124// This is a special policy for kiosk/retail mode that specifies what apps 125// should be pinned to the launcher. For regular accounts, pinned apps are 126// controlled through user policy. 127message PinnedAppsProto { 128 // App IDs for the apps to pin. 129 repeated string app_id = 1; 130} 131 132message ForcedLogoutTimeoutsProto { 133 // All timeouts are specified in milliseconds. 134 135 // Specifies the timeout before an idle user session is terminated. 136 // If this field is omitted or set to 0, no logout on idle will be performed. 137 optional int64 idle_logout_timeout = 1; 138 139 // Specifies the duration of a warning countdown before the user is logged out 140 // because of idleness as specified by the |idle_logout_timeout| value. 141 // This field is only used if |idle_logout_timeout| != 0 is specified. 142 optional int64 idle_logout_warning_duration = 2; 143} 144 145message ScreenSaverProto { 146 // Specifies the extension ID which is to be used as a screen saver on the 147 // login screen if no user activity is present. Only respected if the device 148 // is in RETAIL mode. 149 optional string screen_saver_extension_id = 1; 150 151 // Specifies the timeout before the screen saver is activated. If this field 152 // is omitted or set to 0, no screen-saver will be started. 153 // Measured in milliseconds. 154 optional int64 screen_saver_timeout = 2; 155} 156 157// Enterprise controls for auto-update behavior of Chrome OS. 158message AutoUpdateSettingsProto { 159 // True if we don't want the device to auto-update (target_version_prefix is 160 // ignored in this case). 161 optional bool update_disabled = 1; 162 163 // Specifies the prefix of the target version we want the device to 164 // update to, if it's on a older version. If the device is already on 165 // a version with the given prefix, then there's no effect. If the device is 166 // on a higher version, it will remain on the higher version as we 167 // don't support rollback yet. The format of this version can be one 168 // of the following: 169 // --------------------------------------------------------------------- 170 // "" (or not set at all): update to latest version available. 171 // 1412.: update to any minor version of 1412 (e.g. 1412.24.34 or 1412.60.2) 172 // 1412.2.: update to any minor version of 1412.2 (e.g. 1412.2.34 or 1412.2.2) 173 // 1412.24.34: update to this specific version only 174 // --------------------------------------------------------------------- 175 optional string target_version_prefix = 2; 176 177 // The Chrome browser version (e.g. "17.*") corresponding to the 178 // target_version_prefix above. The target_version_prefix is the internal OS 179 // version that external users normally are not aware of. This display_name 180 // can be used by the devices to display a message to end-users about the auto 181 // update setting. 182 optional string target_version_display_name = 3; 183 184 // Specifies the number of seconds up to which a device may randomly 185 // delay its download of an update from the time the update was first pushed 186 // out to the server. The device may wait a portion of this time in terms 187 // of wall-clock-time and the remaining portion in terms of the number of 188 // update checks. In any case, the scatter is upper bounded by a constant 189 // amount of time so that a device does not ever get stuck waiting to download 190 // an update forever. 191 optional int64 scatter_factor_in_seconds = 4; 192 193 // Enumerates network connection types. 194 enum ConnectionType { 195 CONNECTION_TYPE_ETHERNET = 0; 196 CONNECTION_TYPE_WIFI = 1; 197 CONNECTION_TYPE_WIMAX = 2; 198 CONNECTION_TYPE_BLUETOOTH = 3; 199 CONNECTION_TYPE_CELLULAR = 4; 200 } 201 202 // The types of connections that are OK to use for OS updates. OS updates 203 // potentially put heavy strain on the connection due to their size and may 204 // incur additional cost. Therefore, they are by default not enabled for 205 // connection types that are considered expensive, which include WiMax, 206 // Bluetooth and Cellular at the moment. 207 repeated ConnectionType allowed_connection_types = 5; 208 209 // This has been replaced by |reboot_after_update| below. 210 optional bool OBSOLETE_reboot_after_update = 6 [deprecated = true]; 211 212 // True if AU payloads can be downloaded via HTTP. False otherwise. 213 optional bool http_downloads_enabled = 7 [default = false]; 214 215 // True if the device should reboot automatically when an update has been 216 // applied and a reboot is required to complete the update process. 217 // 218 // Note: Currently, automatic reboots are only enabled while the login screen 219 // is being shown or a kiosk app session is in progress. This will change in 220 // the future and the policy will always apply, regardless of whether a 221 // session of any particular type is in progress or not. 222 optional bool reboot_after_update = 8; 223 224 // True if AU payloads may be shared with and consumed from other devices 225 // on the LAN, using p2p. False otherwise. 226 optional bool p2p_enabled = 9 [default = false]; 227} 228 229message StartUpUrlsProto { 230 // Specifies the URLs to be loaded on login to the anonymous account used if 231 // the device is in RETAIL mode. 232 repeated string start_up_urls = 1; 233} 234 235message SystemTimezoneProto { 236 // Specifies an owner-determined timezone that applies to the login screen and 237 // all users. Valid values are listed in "timezone_settings.cc". Additionally, 238 // timezones from the "IANA Time Zone Database" (e.g. listed on wikipedia) 239 // that are equivalent to one of the timezones in "timezone_settings.cc" are 240 // valid. In case of an invalid value, the setting is still activated with a 241 // fallback timezone (currently "GMT"). In case of an empty string or if no 242 // value is provided, the timezone device setting is inactive. In that case, 243 // the currently active timezone will remain in use however users can change 244 // the timezone and the change is persistent. Thus a change by one user 245 // affects the login-screen and all other users. 246 optional string timezone = 1; 247} 248 249message SystemUse24HourClockProto { 250 // Specifies an owner-determined clock format that applies to the login 251 // screen and is used as a default for all user sessions. Users can still 252 // override the format to use for their account. 253 // 254 // True and false select a 24 and 12 hour clock format, respectively. The 255 // default format for the case the setting is not present is 24 hour clock. 256 optional bool use_24hour_clock = 1; 257} 258 259// Parameters for Kiosk App device-local accounts. 260message KioskAppInfoProto { 261 // Indicates the Kiosk App for the corresponding device-local account. The 262 // string value should be a valid 32-character Chrome App identifier and 263 // specifies the Kiosk App to download and run. 264 optional string app_id = 1; 265 266 // Obsolete: Kiosk Apps can only be installed from the Chrome Web Store. 267 optional string OBSOLETE_update_url = 2 [deprecated = true]; 268} 269 270// Describes a single device-local account. 271message DeviceLocalAccountInfoProto { 272 // Deprecated: Account identifier for a public session device-local account. 273 // Old code didn't have the |type| field, so it can't handle new types of 274 // device-local accounts gracefully (i.e. ignoring unsupported types). New 275 // code should instead set type to ACCOUNT_TYPE_PUBLIC_SESSION and write the 276 // identifier to the |account_id| field below. If the |type| field is present, 277 // |deprecated_public_session_id| will be ignored. 278 optional string deprecated_public_session_id = 1; 279 280 // Identifier for the device-local account. This is an opaque identifier that 281 // is used to distinguish different device-local accounts configured. All 282 // configured accounts on a device must have unique identifiers. 283 optional string account_id = 2; 284 285 // Indicates the type of device-local account. 286 enum AccountType { 287 // A login-less, policy-configured browsing session. 288 ACCOUNT_TYPE_PUBLIC_SESSION = 0; 289 // An account that serves as a container for a single full-screen app. 290 ACCOUNT_TYPE_KIOSK_APP = 1; 291 }; 292 293 // The account type. 294 optional AccountType type = 3; 295 296 // Kiosk App parameters, relevant if |type| is ACCOUNT_TYPE_KIOSK_APP. 297 optional KioskAppInfoProto kiosk_app = 4; 298} 299 300message DeviceLocalAccountsProto { 301 // The list of device-local accounts (i.e. accounts without an associated 302 // cloud-backed profile) that are available on the device. 303 repeated DeviceLocalAccountInfoProto account = 1; 304 305 // The identifier of the device-local account to which the device 306 // should be logged in automatically. Should be equal to one of the 307 // ids in DeviceLocalAccountInfoProto. 308 optional string auto_login_id = 2; 309 310 // The amount of time, in milliseconds, that should elapse at the signin 311 // screen without user interaction before automatically logging in. 312 optional int64 auto_login_delay = 3; 313 314 // Whether the keyboard shortcut to prevent zero-delay auto-login should be 315 // enabled or not. By default, the user has 3 seconds to press a shortcut 316 // to prevent auto-login, which is useful to sign-in to a regular user session 317 // and configure the machine. If this policy is set to false then this 318 // shortcut is disabled and there is no way to skip auto-login. 319 optional bool enable_auto_login_bailout = 4 [default = true]; 320 321 // Whether network configuration should be offered or not when the device 322 // does not have access to the Internet. If the policy is omitted or set to 323 // true, the network configuration will be offered. Otherwise, only an error 324 // message is displayed. 325 // Note: If both this policy and enable_auto_login_bailout policy above is 326 // set to false, there are chances that the device might become totally 327 // unusable when there is no Internet access and has to go through the 328 // recovery process. 329 // If the device is offline at startup then the network configuration screen 330 // is always shown, before auto-login kicks in. 331 optional bool prompt_for_network_when_offline = 5 [default = true]; 332} 333 334message AllowRedeemChromeOsRegistrationOffersProto { 335 // Chrome OS Registration service provides way for chromeos device users 336 // to redeem electronic offers provided by service provider. 337 // This value determines if users are allowed to redeem offers through 338 // Chrome OS Registration service. 339 optional bool allow_redeem_offers = 1 [default = true]; 340} 341 342message StartUpFlagsProto { 343 // The list of flags to be applied to chrome on start-up (back up store for 344 // owner set flags in about:flags). 345 repeated string flags = 1; 346} 347 348message UptimeLimitProto { 349 // This has been replaced by |uptime_limit| below. 350 optional int64 OBSOLETE_uptime_limit = 1 [deprecated = true]; 351 352 // Sets the length of device uptime after which an automatic reboot is 353 // scheduled. An automatic reboot is scheduled at the selected time but may be 354 // delayed on the device by up to 24 hours, e.g. if a user is currently using 355 // the device or an app/extension has requested reboots to be inhibited 356 // temporarily. The policy value should be specified in seconds. 357 // 358 // Note: Currently, automatic reboots are only enabled while the login screen 359 // is being shown or a kiosk app session is in progress. This will change in 360 // the future and the policy will always apply, regardless of whether a 361 // session of any particular type is in progress or not. 362 optional int64 uptime_limit = 2; 363} 364 365message VariationsParameterProto { 366 // The string for the restrict parameter to be appended to the Variations URL 367 // when pinging the Variations server. 368 optional string parameter = 1; 369} 370 371message AttestationSettingsProto { 372 // Attestation involves proving that a cryptographic key is protected by a 373 // legitimate Chrome OS TPM and reporting the operating mode of the platform. 374 // This setting enables enterprise attestation features at a device level. If 375 // this is enabled a machine key will be generated and certified by the Chrome 376 // OS CA. If this setting is disabled, even users with attestation settings 377 // enabled will not be able to use those features on the device. 378 optional bool attestation_enabled = 1 [default = false]; 379 380 // Chrome OS devices can use remote attestation (Verified Access) to get a 381 // certificate issued by the Chrome OS CA that asserts the device is eligible 382 // to play protected content. This process involves sending hardware 383 // endorsement information to the Chrome OS CA which uniquely identifies the 384 // device. This setting allows this feature to be disabled for the device 385 // regardless of any user-specific settings. 386 optional bool content_protection_enabled = 2 [default = true]; 387} 388 389message AccessibilitySettingsProto { 390 // Sets the default state of the large cursor accessibility feature on the 391 // login screen. If this policy is set to true, the large cursor will be 392 // enabled when the login screen is shown. If this policy is set to false, the 393 // large cursor will be disabled when the login screen is shown. Users can 394 // temporarily override this setting by enabling or disabling the large 395 // cursor. However, the user's choice is not persistent and the default is 396 // restored whenever the login screen is shown anew or the user remains idle 397 // on the login screen for a minute. If this policy is left unset, the large 398 // cursor is disabled when the login screen is first shown. Users can enable 399 // or disable the large cursor anytime and its status on the login screen is 400 // persisted between users. 401 optional bool login_screen_default_large_cursor_enabled = 1; 402 403 // Sets the default state of the spoken feedback accessibility feature on the 404 // login screen. If this policy is set to true, spoken feedback will be 405 // enabled when the login screen is shown. If this policy is set to false, 406 // spoken feedback will be disabled when the login screen is shown. Users can 407 // temporarily override this setting by enabling or disabling spoken feedback. 408 // However, the user's choice is not persistent and the default is restored 409 // whenever the login screen is shown anew or the user remains idle on the 410 // login screen for a minute. If this policy is left unset, spoken feedback is 411 // disabled when the login screen is first shown. Users can enable or disable 412 // spoken feedback anytime and its status on the login screen is persisted 413 // between users. 414 optional bool login_screen_default_spoken_feedback_enabled = 2; 415 416 // Sets the default state of the high contrast mode accessibility feature on 417 // the login screen. If this policy is set to true, high contrast mode will be 418 // enabled when the login screen is shown. If this policy is set to false, 419 // high contrast mode will be disabled when the login screen is shown. Users 420 // can temporarily override this setting by enabling or disabling high 421 // contrast mode. However, the user's choice is not persistent and the default 422 // is restored whenever the login screen is shown anew or the user remains 423 // idle on the login screen for a minute. If this policy is left unset, high 424 // contrast mode is disabled when the login screen is first shown. Users can 425 // enable or disable high contrast mode anytime and its status on the login 426 // screen is persisted between users. 427 optional bool login_screen_default_high_contrast_enabled = 3; 428 429 // Enumerates the screen magnifier types. 430 enum ScreenMagnifierType { 431 // Screen magnifier disabled. 432 SCREEN_MAGNIFIER_TYPE_NONE = 0; 433 // Full-screen magnifier enabled. 434 SCREEN_MAGNIFIER_TYPE_FULL = 1; 435 }; 436 437 // Sets the default type of screen magnifier that is enabled on the login 438 // screen. If this policy is set, it controls the type of screen magnifier 439 // that is enabled when the login screen is shown. Users can temporarily 440 // override this setting by enabling or disabling the screen magnifier. 441 // However, the user's choice is not persistent and the default is restored 442 // whenever the login screen is shown anew or the user remains idle on the 443 // login screen for a minute. If this policy is left unset, the screen 444 // magnifier is disabled when the login screen is first shown. Users can 445 // enable or disable the screen magnifier anytime and its status on the login 446 // screen is persisted between users. 447 optional ScreenMagnifierType login_screen_default_screen_magnifier_type = 4; 448 449 // Sets the default state of the on-screen keyboard accessibility feature on 450 // the login screen. If this policy is set to true, the on-screen keyboard 451 // will be enabled when the login screen is shown. If this policy is set to 452 // false, the on-screen keyboard will be disabled when the login screen is 453 // shown. Users can temporarily override this setting by enabling or disabling 454 // the on-screen keyboard. However, the user's choice is not persistent and 455 // the default is restored whenever the login screen is shown anew or the user 456 // remains idle on the login screen for a minute. If this policy is left 457 // unset, the on-screen keyboard is disabled when the login screen is first 458 // shown. Users can enable or disable the on-screen keyboard anytime and its 459 // status on the login screen is persisted between users. 460 optional bool login_screen_default_virtual_keyboard_enabled = 5; 461} 462 463message SupervisedUsersSettingsProto { 464 // Defines whether supervised users can be created on the device. 465 optional bool supervised_users_enabled = 1; 466} 467 468message LoginScreenPowerManagementProto { 469 // Configures power management on the login screen. The policy should be 470 // specified as a string that expresses the individual settings in JSON 471 // format, conforming to the following schema: 472 // { 473 // "type": "object", 474 // "properties": { 475 // "AC": { 476 // "description": "Power management settings applicable only when 477 // running on AC power", 478 // "type": "object", 479 // "properties": { 480 // "Delays": { 481 // "type": "object", 482 // "properties": { 483 // "ScreenDim": { 484 // "description": "The length of time without user input after 485 // which the screen is dimmed, in milliseconds", 486 // "type": "integer", 487 // "minimum": 0 488 // }, 489 // "ScreenOff": { 490 // "description": "The length of time without user input after 491 // which the screen is turned off, in 492 // milliseconds", 493 // "type": "integer", 494 // "minimum": 0 495 // }, 496 // "Idle": { 497 // "description": "The length of time without user input after 498 // which the idle action is taken, in 499 // milliseconds", 500 // "type": "integer", 501 // "minimum": 0 502 // } 503 // } 504 // }, 505 // "IdleAction": { 506 // "description": "Action to take when the idle delay is reached", 507 // "enum": [ "Suspend", "Shutdown", "DoNothing" ] 508 // } 509 // } 510 // }, 511 // "Battery": { 512 // "description": "Power management settings applicable only when 513 // running on battery power", 514 // "type": "object", 515 // "properties": { 516 // "Delays": { 517 // "type": "object", 518 // "properties": { 519 // "ScreenDim": { 520 // "description": "The length of time without user input after 521 // which the screen is dimmed, in milliseconds", 522 // "type": "integer", 523 // "minimum": 0 524 // }, 525 // "ScreenOff": { 526 // "description": "The length of time without user input after 527 // which the screen is turned off, in 528 // milliseconds", 529 // "type": "integer", 530 // "minimum": 0 531 // }, 532 // "Idle": { 533 // "description": "The length of time without user input after 534 // which the idle action is taken, in 535 // milliseconds", 536 // "type": "integer", 537 // "minimum": 0 538 // } 539 // } 540 // }, 541 // "IdleAction": { 542 // "description": "Action to take when the idle delay is reached", 543 // "enum": [ "Suspend", "Shutdown", "DoNothing" ] 544 // } 545 // } 546 // }, 547 // "LidCloseAction": { 548 // "description": "Action to take when the lid is closed", 549 // "enum": [ "Suspend", "Shutdown", "DoNothing" ] 550 // }, 551 // "UserActivityScreenDimDelayScale": { 552 // "description": "Percentage by which the screen dim delay is scaled 553 // when user activity is observed while the screen is 554 // dimmed or soon after the screen has been turned off", 555 // "type": "integer", 556 // "minimum": 0 557 // } 558 // } 559 // } 560 optional string login_screen_power_management = 1; 561} 562 563message AutoCleanupSettigsProto { 564 // Deprecated. There is only one disk-full cleanup strategy: LRU. 565 optional string clean_up_strategy = 1; 566} 567 568// Settings that control low-level functions of the system. 569message SystemSettingsProto { 570 // Whether developer mode is allowed on the device. If the device owner sets 571 // this flag to true, the system will refuse to boot and show an error screen 572 // when the developer switch is turned on. 573 optional bool block_devmode = 1; 574} 575 576// Settings that control login for SAML users. 577message SAMLSettingsProto { 578 // Whether cookies set by a SAML IdP should be transferred to users' profiles 579 // every time a user authenticates via SAML during login. If false, cookies 580 // are transferred during each user's first login only. 581 optional bool transfer_saml_cookies = 1; 582} 583 584message ChromeDeviceSettingsProto { 585 optional DevicePolicyRefreshRateProto device_policy_refresh_rate = 1; 586 optional UserWhitelistProto user_whitelist = 2; 587 optional GuestModeEnabledProto guest_mode_enabled = 3; 588 optional DeviceProxySettingsProto device_proxy_settings = 4; 589 optional CameraEnabledProto camera_enabled = 5; 590 optional ShowUserNamesOnSigninProto show_user_names = 6; 591 optional DataRoamingEnabledProto data_roaming_enabled = 7; 592 optional AllowNewUsersProto allow_new_users = 8; 593 optional MetricsEnabledProto metrics_enabled = 9; 594 optional ReleaseChannelProto release_channel = 10; 595 optional DeviceOpenNetworkConfigurationProto open_network_configuration = 11; 596 optional DeviceReportingProto device_reporting = 12; 597 optional EphemeralUsersEnabledProto ephemeral_users_enabled = 13; 598 optional AppPackProto app_pack = 14; 599 optional ForcedLogoutTimeoutsProto forced_logout_timeouts = 15; 600 optional ScreenSaverProto login_screen_saver = 16; 601 optional AutoUpdateSettingsProto auto_update_settings = 17; 602 optional StartUpUrlsProto start_up_urls = 18; 603 optional PinnedAppsProto pinned_apps = 19; 604 optional SystemTimezoneProto system_timezone = 20; 605 optional DeviceLocalAccountsProto device_local_accounts = 21; 606 optional AllowRedeemChromeOsRegistrationOffersProto allow_redeem_offers = 22; 607 optional StartUpFlagsProto start_up_flags = 23; 608 optional UptimeLimitProto uptime_limit = 24; 609 optional VariationsParameterProto variations_parameter = 25; 610 optional AttestationSettingsProto attestation_settings = 26; 611 optional AccessibilitySettingsProto accessibility_settings = 27; 612 optional SupervisedUsersSettingsProto supervised_users_settings = 28; 613 optional LoginScreenPowerManagementProto login_screen_power_management = 29; 614 optional SystemUse24HourClockProto use_24hour_clock = 30; 615 optional AutoCleanupSettigsProto auto_clean_up_settings = 31; 616 optional SystemSettingsProto system_settings = 32; 617 optional SAMLSettingsProto saml_settings = 33; 618} 619