The requests below illustrate policy management with the Policy API using network policies as an example. Before you begin, make sure you review the Chrome Policy API Overview and the Policy schemas guide.
All the requests presented below use the following variables:
$TOKEN - OAuth 2 token
$CUSTOMER - Id of the customer or literal my_customer
$ORG_UNIT - Id of the target organizational unit
$NETWORK_ID - Unique identifier of the object you wish to interact with
Policy Networks Service
The Policy Networks Service is an API to assist the Chrome Policy API in managing network settings.
The API consists of four endpoints:
Define Network
The Define Network endpoint is used to create a new network. This endpoint is used for WiFi, Ethernet, and VPN networks.
In this example, we define a simple WiFi Network. To define a more complex network, examine what fields are available in the chrome.networks.wifi namespace.
The details policy_schema must be present for all types of networks.
curl -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d "{target_resource: 'orgunits/$ORG_UNIT', \
  name: 'Network Name', \
  settings: [
    {policy_schema: 'chrome.networks.wifi.AllowForChromeUsers', value: {'allowForChromeUsers': true}}, \
    {policy_schema: 'chrome.networks.wifi.Details', value: {'details': {'security': 'None', 'ssid': 'ssid'}}}
  ]}" \
  "https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/networks:defineNetwork"
A successful response will contain the created network, including the networkId that references it.
{
  "networkId": "Network Name-Wifi",
  "targetResource": "orgunits/$ORG_UNIT",
  "settings": [
    {
      "policySchema": "chrome.networks.wifi.Details",
      "value": {
        "details": {
          "ssid": "ssid",
          "security": "None",
          "proxySettings": {
            "type": "Direct"
          },
          "allowIpConfiguration": false,
          "allowNameServersConfiguration": false,
          "nameServerSelection": "NAME_SERVERS_ENUM_AUTOMATIC"
        }
      }
    },
    {
      "policySchema": "chrome.networks.wifi.AllowForChromeDevices",
      "value": {
        "allowForChromeDevices": false
      }
    },
    {
      "policySchema": "chrome.networks.wifi.AllowForChromeUsers",
      "value": {
        "allowForChromeUsers": true
      }
    }
  ]
}
Remove Network
The Remove Network endpoint is used to delete a network. This endpoint is used for WiFi, Ethernet, and VPN networks.
In this example, we remove a WiFi network.
curl -H "Content-Type: application/json" -H "Authorization:Bearer $TOKEN" -d "{target_resource: 'orgunits/$ORG_UNIT', network_id: '$NETWORK_ID'}" \
"https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/networks:removeNetwork"
A successful response is empty.
{}
Define Certificate
The Define Certificate endpoint is used to create a new certificate.
In this example, we define a certificate and allow Chrome devices to use it.
curl -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d " \
  {
    target_resource: 'orgunits/$ORG_UNIT',
    certificate: 'raw string representation of a .pem or .crt certificate file.',
    settings: [{
      policy_schema: 'chrome.networks.certificates.AllowForChromeDevices',
      value: {'allowForChromeDevices': true}
    }]
  }" "https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/networks:defineCertificate"
A successful response will contain a reference to the created certificate (networkId).
{
  "networkId": "{c045f8df-79f1-49d3-92b9-0e61516e6a6b}",
  "targetResource": "orgunits/$ORG_UNIT"
}
Remove Certificate
The Remove Certificate endpoint is used to remove a certificate definition.
In this example, we remove a certificate.
curl -H "Content-Type: application/json" -H "Authorization:Bearer $TOKEN" -d "{target_resource: 'orgunits/$ORG_UNIT', network_id: '$NETWORK_ID'}" \
"https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/networks:removeCertificate"
A successful response is empty.
{}
Interacting with your saved networks
To interact with a certificate or network, use the Policy API. Requests must include an additional target key, representing the resource you wish to interact with.
Omitting an additional target key is only acceptable in a resolve request. This will result in all networks matching the requested namespace being returned.
Full network schemas can be obtained through the schema service using filters.
To see all VPN settings, try this:
curl -H "Authorization:Bearer $TOKEN" \
"https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policySchemas?filter=chrome.networks.vpn"
Here is an example of adding Imprivata as a certificate authority.
# The body is double-quoted so that the shell expands $ORG_UNIT and $NETWORK_ID.
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d "{
    requests: [{
      policyTargetKey: {
        targetResource: 'orgunits/$ORG_UNIT',
        additionalTargetKeys: {'network_id': '$NETWORK_ID'}
      },
      policyValue: {
        policySchema: 'chrome.networks.certificates.AllowForChromeImprivata',
        value: {allowForChromeImprivata: true}
      },
      updateMask: {paths: 'allowForChromeImprivata'}
    }]
  }" \
  "https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchModify"
Here is an example of changing a network password.
# The body is double-quoted so that the shell expands $ORG_UNIT and $NETWORK_ID.
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d "{
    requests: [{
      policyTargetKey: {
        targetResource: 'orgunits/$ORG_UNIT',
        additionalTargetKeys: {'network_id': '$NETWORK_ID'}
      },
      policyValue: {
        policySchema: 'chrome.networks.wifi.Details',
        value: {details: {
          ssid: 'ssid',
          security: 'WEP-PSK',
          passphrase: 'Your passphrase.'
        }
        }
      },
      updateMask: {paths: 'details'}
    }]
  }" \
  "https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchModify"
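Added example (not part of the original page or of Google's documentation): the request above carries the passphrase inside a shell-quoted string on the curl command line, where a quote character in the passphrase breaks the body and the value is visible in the process list. The sketch below builds the same batchModify body as strict JSON and sends it on curl's stdin; json_escape, wifi_passphrase_body and send_wifi_passphrase are hypothetical helper names, and the escaping assumes values without control characters or newlines.

```bash
#!/usr/bin/env bash
# Added example; helper names are hypothetical, not part of the Chrome Policy API.

# Escape backslash and double quote so a value can sit inside a JSON string.
# Assumption: values contain no control characters or newlines.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the batchModify body for chrome.networks.wifi.Details as strict JSON.
# Args: org unit id, network id, ssid, security, passphrase.
# The ( ... ) body runs in a subshell, so its variables do not leak to the caller.
wifi_passphrase_body() (
  ou=$(json_escape "$1"); net=$(json_escape "$2"); ssid=$(json_escape "$3")
  sec=$(json_escape "$4"); pass=$(json_escape "$5")
  cat <<EOF
{
  "requests": [{
    "policyTargetKey": {
      "targetResource": "orgunits/$ou",
      "additionalTargetKeys": {"network_id": "$net"}
    },
    "policyValue": {
      "policySchema": "chrome.networks.wifi.Details",
      "value": {"details": {"ssid": "$ssid", "security": "$sec", "passphrase": "$pass"}}
    },
    "updateMask": {"paths": "details"}
  }]
}
EOF
)

# Send the body on stdin (--data-binary @-) so the passphrase is never a curl
# argument. Uses $TOKEN, $CUSTOMER, $ORG_UNIT and $NETWORK_ID as defined on the page.
# The bearer token is still passed as a curl argument, as in the page's examples.
send_wifi_passphrase() {
  wifi_passphrase_body "$ORG_UNIT" "$NETWORK_ID" "$1" "$2" "$3" |
    curl -sS -X POST \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $TOKEN" \
      --data-binary @- \
      "https://chromepolicy.googleapis.com/v1/customers/$CUSTOMER/policies/orgunits:batchModify"
}

# Read the passphrase without echoing it, then send (bash):
#   read -rs -p 'Passphrase: ' PASS && send_wifi_passphrase 'ssid' 'WEP-PSK' "$PASS"
```

The commented call reuses the page's 'ssid' and 'WEP-PSK' sample values; the values accepted for a given network are listed in the chrome.networks.wifi schema.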