Chrome Browser Cloud Management
- Chrome Browser Cloud Management
- https://support.google.com/chrome/a/answer/9681204
- https://support.google.com/chrome/a/answer/9949706
<BrowserTokenPermanentID> ::= <String>
<OrgUnitPath> ::= /|(/<String>)+
<QueryBrowser> ::= <String> See: https://support.google.com/chrome/a/answer/9681204#retrieve_all_chrome_devices_for_an_account
<QueryBrowserList> ::= "<QueryBrowser>(,<QueryBrowser>)*"
<QueryBrowserToken> ::= <String> https://support.google.com/chrome/a/answer/9949706, scroll down to Filter Query Language
<QueryBrowserTokenList> ::= "<QueryBrowserToken>(,<QueryBrowserToken>)*"
<DeviceID> ::= <String>
<DeviceIDList> ::= "<DeviceID>(,<DeviceID>)*"
<BrowserEntity> ::=
<DeviceIDList> |
(query:<QueryBrowser>)|(query:orgunitpath:<OrgUnitPath>)|(query <QueryBrowser>) |
(browserou <OrgUnitItem>) | (browserous <OrgUnitList>) |
<FileSelector> | <CSVFileSelector>
See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
<BrowserAttribute> ::=
(annotatedassetid|asset|assetid <String>)|
(annotatedlocation|location <String>)|
(annotatednotes|notes <String>)|(updatenotes <String>)|
(annotateduser|user <String>)
<BrowserFieldName> ::=
annotatedassetid|asset|assetid|
annotatedlocation|location|
annotatednotes|notes|
annotateduser|user|
browsers|
browserversions|
deviceid|
deviceidentifiershistory|
extensioncount|
lastactivitytime|
lastdeviceuser|
lastdeviceusers|
lastpolicyfetchtime|
lastregistrationtime|
laststatusreporttime|
machinename|
machinepolicies|
orgunitpath|org|orgunit|ou|
osarchitecture|
osplatform|
osplatformversion|
osversion|
policycount|
safebrowsingclickthroughcount|
serialnumber|
virtualdeviceid
<BrowserFieldNameList> ::= "<BrowserFieldName>(,<BrowserFieldName>)*"
<BrowserOrderByFieldName> ::=
annotatedassetid|asset|assetid|
annotatedlocation|location|
annotatednotes|notes|
annotateduser|user|
browserversionchannel|
browserversionsortable|
deviceid|id|
enrollmentdate|
extensioncount|
lastactivity|
lastsignedinuser|
lastsync|
machinename|
orgunit|ou|org|
osversion|
osversionsortable|
platformmajorversion|
policycount
<BrowserTokenFieldName> ::=
createtime|
creatorid|
customerid|
expiretime|
org|
orgunit|
orgunitpath|
revoketime|
revokerid|
state|
token|
tokenpermanentid
<BrowserTokenFieldNameList> ::= "<BrowserTokenFieldName>(,<BrowserTokenFieldName>)*"
There are four attributes that can be set for a browser.
gam update browser <BrowserDeviceEntity> <BrowserAttribute>+
If you specify the updatenotes <String> option and it contains the string #notes#, the existing notes value will replace #notes#. This requires an additional API call to get the existing value.
If you have a CSV file, UpdateBrowsers.csv, with two columns, deviceId and notes, this command will add a new line of notes to the front of the existing notes:
gam csv UpdateBrowsers.csv gam update browser "~deviceId" updatenotes "~~notes~~\n#notes#"
gam move browsers ou|org|orgunit <OrgUnitPath>
((ids <DeviceIDList>) |
(queries <QueryBrowserList> [querytime<String> <Time>]) |
(browserou <OrgUnitItem>) | (browserous <OrgUnitList>) |
<FileSelector> | <CSVFileSelector>)
[batchsize <Integer>]
Batches of devices are processed to minimize the number of API calls; batch_size controls the number of deviceIds handled in each batch. batch_size defaults to the value from gam.cfg; its maximum value is 600.
Google performs error checking of the browser deviceIDs; if any deviceID in a batch is invalid, none of the browsers in the batch are moved.
gam move browsers ou /Students/2021 browserou /Students/2020
Deletes a browser; the browser will be removed from Google's admin console and no longer sync policy or reporting. However, existing policies will still be applied until the device registration and dm tokens are removed.
gam delete browser <BrowserDeviceEntity>
gam info browser <BrowserEntity>
[basic|full|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
[formatjson]
Select the fields to be displayed:
- annotated - Display these fields: deviceId,annotatedAssetId,annotatedLocation,annotatedNotes,annotatedUser
- basic - Display all fields except: browsers, lastDeviceUsers, lastStatusReportTime, machinePolicies; this is the default
- allfields/full - Display all fields
- <BrowserFieldName>* [fields <BrowserFieldNameList>] - Display a selected list of fields
By default, Gam displays the information as an indented list of keys and values:
- formatjson - Display the fields in JSON format.
gam show browsers
([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser>)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
[querytime<String> <Time>]
[orderby <BrowserOrderByFieldName> [ascending|descending]]
[basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
[formatjson]
Use these options to select Chrome browsers; if none are chosen, all Chrome browsers in the account are selected:
- ou|org|orgunit|browserou <OrgUnitPath> - Limit browsers to those in the specified OU; this option can be used in conjunction with query
- (query <QueryBrowser>)|(queries <QueryBrowserList>) - Limit browsers to those that match a query
- select <BrowserEntity> - Select a specific set of browsers to display
Select the fields to be displayed:
- annotated - Display these fields: deviceId,annotatedAssetId,annotatedLocation,annotatedNotes,annotatedUser
- basic - Display all fields except: browsers, lastDeviceUsers, lastStatusReportTime, machinePolicies; this is the default
- allfields/full - Display all fields
- <BrowserFieldName>* [fields <BrowserFieldNameList>] - Display a selected list of fields
  - Note that ou, org and orgunit are both command line options and field names; use the fields option to include them in the selected list of fields
By default, Gam displays the information as an indented list of keys and values:
- formatjson - Display the fields in JSON format.
Use the querytime<String> <Time> option to allow times, usually relative, to be substituted into the query <QueryBrowser> and queries <QueryBrowserList> options.
The querytime<String> <Time> value replaces the string #querytime<String># in any queries.
The characters following querytime can be any combination of lowercase letters and numbers.
gam print browsers [todrive <ToDriveAttribute>*]
([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser>)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
[querytime<String> <Time>]
[orderby <BrowserOrderByFieldName> [ascending|descending]]
[basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
[sortheaders] [formatjson [quotechar <Character>]]
Use these options to select Chrome browsers; if none are chosen, all Chrome browsers in the account are selected:
- ou|org|orgunit|browserou <OrgUnitPath> - Limit browsers to those in the specified OU; this option can be used in conjunction with query
- (query <QueryBrowser>)|(queries <QueryBrowserList>) - Limit browsers to those that match a query
- select <BrowserEntity> - Select a specific set of browsers to display
Use the querytime<String> <Time> option to allow times, usually relative, to be substituted into the query <QueryBrowser> and queries <QueryBrowserList> options.
The querytime<String> <Time> value replaces the string #querytime<String># in any queries.
The characters following querytime can be any combination of lowercase letters and numbers.
For example, query for Chrome browsers last synced more than a year ago:
querytime1year -1y query "sync:..#querytime1year#"
The first column will always be deviceId; the remaining field names will be sorted if allfields, basic, full or sortheaders is specified; otherwise, the remaining field names will appear in the order specified.
Select the fields to be displayed:
- annotated - Display these fields: deviceId,annotatedAssetId,annotatedLocation,annotatedNotes,annotatedUser
- basic - Display all fields except: browsers, lastDeviceUsers, lastStatusReportTime, machinePolicies; this is the default
- allfields/full - Display all fields
- <BrowserFieldName>* [fields <BrowserFieldNameList>] - Display a selected list of fields
  - Note that ou, org and orgunit are both command line options and field names; use the fields option to include them in the selected list of fields
By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
- formatjson - Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote ". The quote character is used to enclose columns that contain the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
When using the formatjson option, double quotes are used extensively in the data resulting in hard to read/process output.
The quotechar <Character> option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
quotechar defaults to gam.cfg/csv_output_quote_char. When uploading CSV files to Google, double quote " should be used.
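The quoting rules above, reproduced with Python's standard csv module as an added illustration (this is not GAM's own code). It assumes formatjson output has two columns, deviceId and JSON; the browser records are constructed sample data. It also shows why a script that consumes the output must read it with the same quote character that was used to write it.

```python
import csv
import io
import json

# Constructed sample records; keys use field names that appear on this page.
BROWSERS = [
    {"deviceId": "dev-0001", "machineName": "LAB-PC-01",
     "annotatedNotes": "loaned from john, room 12"},
    {"deviceId": "dev-0002", "machineName": "LAB-PC-02",
     "annotatedNotes": "owner's spare"},
]


def write_rows(records, quotechar='"'):
    """Render deviceId,JSON rows using the quoting rules described above."""
    buf = io.StringIO()
    writer = csv.writer(buf, quotechar=quotechar, doublequote=True,
                        quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(["deviceId", "JSON"])  # assumed header layout
    for rec in records:
        writer.writerow([rec["deviceId"], json.dumps(rec, sort_keys=True)])
    return buf.getvalue()


def read_rows(text, quotechar='"'):
    """Parse rows back; the reader must use the quotechar the writer used."""
    reader = csv.reader(io.StringIO(text), quotechar=quotechar,
                        doublequote=True)
    header = next(reader)
    records = []
    for lineno, row in enumerate(reader, start=2):
        # A quotechar mismatch splits the JSON column on its commas.
        if len(row) != len(header):
            raise ValueError(f"line {lineno}: expected {len(header)} columns, "
                             f"got {len(row)}; wrong quotechar?")
        records.append(json.loads(row[header.index("JSON")]))
    return records


if __name__ == "__main__":
    for qc in ('"', "'"):
        print(f"--- quotechar {qc} ---")
        print(write_rows(BROWSERS, qc), end="")
    # Round trip succeeds only when reader and writer agree on quotechar.
    assert read_rows(write_rows(BROWSERS, "'"), "'") == BROWSERS
```

With the double quote, every quote inside the JSON column is doubled; with the single quote, only the apostrophe in the second record's note is doubled and the JSON stays readable.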
Print information about Chrome browsers synced more than 30 days ago:
gam print browsers query "sync:..#querytime1#" querytime1 -30d
Print information about Chrome browsers synced in the last 30 days:
gam print browsers query "sync:#querytime1#.." querytime1 -30d
Print information about Chrome browsers synced between 45 days ago and 30 days ago:
gam print browsers query "sync:#querytime1#..#querytime2#" querytime1 -45d querytime2 -30d
These are the fields that can be used in a query:
| Field | Description |
|---|---|
| arch | The CPU architecture for the Chrome browser device. (e.g. x86_64) |
| asset_id | The annotated asset ID for the Chrome browser device. |
| browser_version | A reported Chrome browser installed on the Chrome browser device (e.g. 73) |
| enrollment_token | The enrollment token used to register the Chrome browser device. |
| last_activity | The last time the Chrome browser device has shown activity (policy fetch or reporting). |
| location | The annotated location for the Chrome browser device. |
| machine_name | The machine name for the Chrome browser device. |
| machine_user | The last reported user of the Chrome browser device. |
| note | The annotated note for the Chrome browser device. |
| num_extensions | The number of extensions reported by the Chrome browser device. |
| num_policies | The number of policies reported by the Chrome browser device. |
| os | The combined OS platform and major OS version for the Chrome browser device (e.g. "Windows 10") |
| os_platform | The OS platform for the Chrome browser device. (e.g. Windows) |
| os_version | The OS version for the Chrome browser device. (e.g. 10.0.16299.904) |
| register | The registration time for the Chrome browser device. |
| report | The last report time for the Chrome browser device. |
| sync | The last policy sync time for the Chrome browser device. |
| user | The annotated user for the Chrome browser device. |
For fields that accept time (register, report, sync, last_activity) the time format is YYYY-MM-DDThh:mm:ss (e.g. 2020-01-01T12:00:00). You may also specify open or closed ranges for the time:
- datetime - exactly on the given date or time, e.g., 2011-03-23 or 2011-04-26T14:23:05
- datetime..datetime - within (inclusive) the given interval of date or time, e.g., 2011-03-23..2011-04-26
- datetime.. - on or after the given date or time; e.g., 2011-04-26T14:23:05..
- ..datetime - on or before the given date or time; e.g., ..2011-04-26T14:23:05
To search within a specific field only (for example, to search for a specific user), you can enter an operator followed by an argument, for example, user:jsmith. You can use single words or quoted lists of words as an argument when running an operator query.
To run an operator query, follow these guidelines for each field:
Enter user: as the operator. For example, to match the name Joe, but not Joey, enter the following:
gam print browsers query "user:joe"
To match the name Tom Sawyer or A. Tom Sawyer, but not Tom A. Sawyer, enter with quotation marks:
gam print browsers query "user:'tom sawyer'"
Enter location: as the operator. For example, to match Seattle, enter the following:
gam print browsers query "location:seattle"
Notes
Enter note: as the operator. For example, to match loaned from John, enter the following with quotation marks:
gam print browsers query "note:'loaned from john'"
This field is not displayed on the Chrome OS settings page. However, you can search for devices that were registered on a given date, or within a given time range.
Enter register: as the operator, and enter a date and time (or time range) as the argument. For example, to search for all devices registered on April 15, 2020, enter the following:
gam print browsers query "register:2020-04-15"
For additional examples using dates, times, and ranges, see "Format for date searches" below.
Enter sync: as the operator and a date or time range as the argument. For example, to search for all devices that were last synced with policy settings on April 15, 2020, enter the following:
gam print browsers query "sync:2020-04-15"
For additional examples using dates, times, and ranges, see "Format for date searches" below.
Format for date searches:
- YYYY-MM-DD - A single date
- YYYY-MM-DD..YYYY-MM-DD - A date range
- ..YYYY-MM-DD - All dates on or before a date
- YYYY-MM-DD.. - All dates on or after a date
Enter asset_id: as the operator. For example, to match the partial Asset ID 1234, enter the following:
gam print browsers query "asset_id:1234"
Create a browser enrollment token. The Google API that supports this call always returns an error.
gam create browsertoken
[ou|org|orgunit|browserou <OrgUnitPath>] [expire|expires <Time>]
[formatjson]
By default, the enrollment token is created for the root OU; use ou|org|orgunit|browserou <OrgUnitPath> to create the token for a specific OU.
By default, Gam displays the created token as an indented list of keys and values:
- formatjson - Display the token in JSON format.
Revoke a browser enrollment token.
An enrollment token is revoked by referencing its tokenPermanentId, which can be obtained from gam show|print browsertokens.
gam revoke browsertoken <BrowserTokenPermanentID>
gam show browsertokens
([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowserToken>)|(queries <QueryBrowserTokenList>)))
[querytime<String> <Time>]
[orderby <BrowserTokenFieldName> [ascending|descending]]
[allfields] <BrowserTokenFieldName>* [fields <BrowserTokenFieldNameList>]
[formatjson]
Use these options to select Chrome browsers; if none are chosen, all Chrome browsers in the account are selected:
- ou|org|orgunit|browserou <OrgUnitPath> - Limit browsers to those in the specified OU; this option can be used in conjunction with query
- (query <QueryBrowserToken>)|(queries <QueryBrowserTokenList>) - Limit browsers to those that match a query
Use the querytime<String> <Time> option to allow times, usually relative, to be substituted into the query <QueryBrowserToken> and queries <QueryBrowserTokenList> options.
The querytime<String> <Time> value replaces the string #querytime<String># in any queries.
The characters following querytime can be any combination of lowercase letters and numbers.
Select the fields to be displayed:
- allfields - Display all fields; this is the default
- <BrowserTokenFieldName>* [fields <BrowserTokenFieldNameList>] - Display a selected list of fields
By default, Gam displays the information as an indented list of keys and values:
- formatjson - Display the fields in JSON format.
gam print browsertokens [todrive <ToDriveAttribute>*]
([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowserToken>)|(queries <QueryBrowserTokenList>)))
[querytime<String> <Time>]
[orderby <BrowserTokenFieldName> [ascending|descending]]
[allfields] <BrowserTokenFieldName>* [fields <BrowserTokenFieldNameList>]
[sortheaders] [formatjson [quotechar <Character>]]
Use these options to select Chrome browsers; if none are chosen, all Chrome browsers in the account are selected:
- ou|org|orgunit|browserou <OrgUnitPath> - Limit browsers to those in the specified OU; this option can be used in conjunction with query
- (query <QueryBrowserToken>)|(queries <QueryBrowserTokenList>) - Limit browsers to those that match a query
Use the querytime<String> <Time> option to allow times, usually relative, to be substituted into the query <QueryBrowserToken> and queries <QueryBrowserTokenList> options.
The querytime<String> <Time> value replaces the string #querytime<String># in any queries.
The characters following querytime can be any combination of lowercase letters and numbers.
The first column will always be deviceId; the remaining field names will be sorted if allfields, basic, full or sortheaders is specified; otherwise, the remaining field names will appear in the order specified.
Select the fields to be displayed:
- allfields - Display all fields; this is the default
- <BrowserTokenFieldName>* [fields <BrowserTokenFieldNameList>] - Display a selected list of fields
By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
- formatjson - Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote ". The quote character is used to enclose columns that contain the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
When using the formatjson option, double quotes are used extensively in the data resulting in hard to read/process output.
The quotechar <Character> option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
quotechar defaults to gam.cfg/csv_output_quote_char. When uploading CSV files to Google, double quote " should be used.