Code samples for the Chrome Policy API

Please refer to Chrome Policy API page for a high level overview of api features.

To learn more about App Id formats, please refer to App Ids for App Policies.

All the requests presented below use the following variables:

  • $TOKEN - OAuth 2 token
  • $CUSTOMER - Id of the customer or literal my_customer

Force install an app in a specific Organizational Unit

In this example, we are setting the Google Drawings app to be force installed:

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
        requests: [{
                policyTargetKey: {
                        targetResource: "orgunits/04fatzly4jbjho9",
                        additionalTargetKeys: {"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"}
                        },
                policyValue: {
                        policySchema: "chrome.users.apps.InstallType",
                        value: {appInstallType: "FORCED"}
                        },
                updateMask: {paths: "appInstallType"}
                }]
      }' \
  "https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchModify"

A successful response should be empty:

{}

This example is for a User App. A Managed Guest Session request would be identical except that the policy schema would be "chrome.devices.managedguest.apps.InstallType". The equivalent Kiosk App policy request is as follows:

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
        requests: [{
                policyTargetKey: {
                        targetResource: "orgunits/04fatzly4jbjho9",
                        additionalTargetKeys: {"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"}
                        },
                policyValue: {
                        policySchema: "chrome.devices.kiosk.apps.ForceInstall",
                        value: {forceInstall: false}
                        },
                updateMask: {paths: "forceInstall"}
                }]
      }' \
  "https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchModify"

A successful response should be empty:

{}

Deleting an app

Deleting an app must be done at the Organizational Unit at which the app was installed. This can be done by sending a batchInherit request in which the policySchema is the schema for the given app type, with an asterisk (*) in place of a specific policy. In this example, we are deleting the Google Drawings app, which is installed at the "04fatzly4jbjho9" Organizational Unit:

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
        requests: [{
                policyTargetKey: {
                        targetResource: "orgunits/04fatzly4jbjho9",
                        additionalTargetKeys: {"app_id": "chrome:gbchcmhmhahfdphkhkmpfmihenigjmpp"}
                        },
                policySchema: "chrome.users.apps.*",
                }]
      }' \
  "https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchInherit"

A successful response should be empty:

{}

Requests to delete Kiosk apps and Managed Guest Session apps would use the "chrome.devices.kiosk.apps.*" and "chrome.devices.managedguest.apps.*" schemas, respectively.

Get App installation policy for an app in an Organizational Unit

To get a policy for a specific app, you must specify both the policy and App Id in the request. In this example, we are reading the value of the InstallType policy for the Google Drawings app:

Request:

  curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
        policyTargetKey: {
          targetResource: "orgunits/04fatzly4jbjho9",
          additionalTargetKeys: {"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"}
        },
        policySchemaFilter: "chrome.users.apps.InstallType"
    }' \
  "https://chromepolicy.googleapis.com/v1/$CUSTOMER/C02l1chq7/policies:resolve"

Response:

{
  "resolvedPolicies": [
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.InstallType",
        "value": {
          "appInstallType": "FORCED"
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    }
  ]
}

Get App installation policy for all apps in an Organizational Unit

If the App Id is omitted from the request in the previous example, it will become a request for the value of the InstallType policy for all apps under that OU:

Request:

  curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
        policyTargetKey: {
          targetResource: "orgunits/04fatzly4jbjho9",
        },
        policySchemaFilter: "chrome.users.apps.InstallType"
    }' \
  "https://chromepolicy.googleapis.com/v1/$CUSTOMER/C02l1chq7/policies:resolve"

Response:

{
  "resolvedPolicies": [
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.InstallType",
        "value": {
          "appInstallType": "FORCED"
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:fhcfdhnmhdkemdfdncjmgnanbekfmbab"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.InstallType",
        "value": {
          "appInstallType": "ALLOWED"
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    ...
  ]
}

List all policies for an app in an Organizational Unit

Just as you can omit the App Id from the request to retrieve policies for all apps, you can also get all policies for a single app by using a wildcard in the policy. In this example, we are getting the values of all policies for the Google Drawings app:

Request:

  curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
        policyTargetKey: {
          targetResource: "orgunits/04fatzly4jbjho9",
          additionalTargetKeys: {"app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"}
        },
        policySchemaFilter: "chrome.users.apps.*"
    }' \
  "https://chromepolicy.googleapis.com/v1/$CUSTOMER/C02l1chq7/policies:resolve"

Response:

{
  "resolvedPolicies": [
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.InstallType",
        "value": {
          "appInstallType": "FORCED"
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.IncludeInChromeWebStoreCollection",
        "value": {
          "includeInCollection": true
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    ...
  ]
}

List all policies for all apps in an Organizational Unit

The App Id can be omitted and a wildcard can be used in the policy in order to request all app settings for all apps under an OU:

Request:

  curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
        policyTargetKey: {
          targetResource: "orgunits/04fatzly4jbjho9"
        },
        policySchemaFilter: "chrome.users.apps.*"
    }' \
  "https://chromepolicy.googleapis.com/v1/$CUSTOMER/C02l1chq7/policies:resolve"

Response:

{
  "resolvedPolicies": [
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.InstallType",
        "value": {
          "appInstallType": "FORCED"
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:mkaakpdehdafacodkgkpghoibnmamcme"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.IncludeInChromeWebStoreCollection",
        "value": {
          "includeInCollection": true
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:fhcfdhnmhdkemdfdncjmgnanbekfmbab"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.InstallType",
        "value": {
          "appInstallType": "ALLOWED"
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    {
      "targetKey": {
        "targetResource": "orgunits/04fatzly4jbjho9",
        "additionalTargetKeys": {
          "app_id": "chrome:fhcfdhnmhdkemdfdncjmgnanbekfmbab"
        }
      },
      "value": {
        "policySchema": "chrome.users.apps.CertificateManagement",
        "value": {
          "allowAccessToKeys": true
        }
      },
      "sourceKey": {
        "targetResource": "orgunits/04fatzly4jbjho9"
      }
    },
    ...
  ]
}