googleapis · quartzmo · Sep 25, 2025 · Sep 25, 2025
@@ -1659,7 +1659,7 @@
               "type": "string"
             },
             "query": {
-              "description": "Query string search. Should be of the form \"\". Complete documentation is at https: //developers.google.com/admin-sdk/directory/v1/guides/search-groups",
+              "description": "Query string search. Should be of the form \"\". Complete documentation is at https://developers.google.com/workspace/admin/directory/v1/guides/search-groups",
               "location": "query",
               "type": "string"
             },
@@ -4298,7 +4298,7 @@
               "type": "string"
             },
             "query": {
-              "description": "Query string search. Should be of the form \"\". Complete documentation is at https: //developers.google.com/admin-sdk/directory/v1/guides/search-users",
+              "description": "Query string search. Should be of the form \"\". Complete documentation is at https://developers.google.com/workspace/admin/directory/v1/guides/search-users",
               "location": "query",
               "type": "string"
             },
@@ -4671,7 +4671,7 @@
       }
     }
   },
-  "revision": "20250804",
+  "revision": "20250916",
   "rootUrl": "https://admin.googleapis.com/",
   "schemas": {
     "Alias": {
@@ -5841,7 +5841,7 @@
           "type": "string"
         },
         "osVersionCompliance": {
-          "description": "Output only. Compliance status of the OS version.",
+          "description": "Output only. Device policy compliance status of the OS version.",
           "enum": [
             "complianceUnspecified",
             "compliant",

@@ -1260,7 +1260,7 @@
       }
     }
   },
-  "revision": "20250909",
+  "revision": "20250916",
   "rootUrl": "https://androidmanagement.googleapis.com/",
   "schemas": {
     "AdbShellCommandEvent": {
@@ -2147,7 +2147,8 @@
         },
         "extensionConfig": {
           "$ref": "ExtensionConfig",
-          "description": "Configuration to enable this app as an extension app, with the capability of interacting with Android Device Policy offline.This field can be set for at most one app.The signing key certificate fingerprint of the app on the device must match one of the entries in ApplicationPolicy.signingKeyCerts or ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) or the signing key certificate fingerprints obtained from Play Store for the app to be able to communicate with Android Device Policy. If the app is not on Play Store and if ApplicationPolicy.signingKeyCerts and ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) are not set, a NonComplianceDetail with INVALID_VALUE is reported."
+          "deprecated": true,
+          "description": "Configuration to enable this app as an extension app, with the capability of interacting with Android Device Policy offline.This field can be set for at most one app. If there is any app with COMPANION_APP role, this field cannot be set.The signing key certificate fingerprint of the app on the device must match one of the entries in ApplicationPolicy.signingKeyCerts or ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) or the signing key certificate fingerprints obtained from Play Store for the app to be able to communicate with Android Device Policy. If the app is not on Play Store and if ApplicationPolicy.signingKeyCerts and ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) are not set, a NonComplianceDetail with INVALID_VALUE is reported."
         },
         "installConstraint": {
           "description": "Optional. The constraints for installing the app. You can specify a maximum of one InstallConstraint. Multiple constraints are rejected.",
@@ -2173,14 +2174,24 @@
             "KIOSK",
             "CUSTOM"
           ],
+          "enumDeprecated": [
+            false,
+            false,
+            false,
+            false,
+            false,
+            false,
+            true,
+            false
+          ],
           "enumDescriptions": [
             "Unspecified. Defaults to AVAILABLE.",
             "The app is automatically installed and can be removed by the user.",
             "The app is automatically installed regardless of a set maintenance window and can't be removed by the user.",
             "The app is blocked and can't be installed. If the app was installed under a previous policy, it will be uninstalled. This also blocks its instant app functionality.",
             "The app is available to install.",
             "The app is automatically installed and can't be removed by the user and will prevent setup from completion until installation is complete.",
-            "The app is automatically installed in kiosk mode: it's set as the preferred home intent and whitelisted for lock task mode. Device setup won't complete until the app is installed. After installation, users won't be able to remove the app. You can only set this installType for one app per policy. When this is present in the policy, status bar will be automatically disabled.",
+            "The app is automatically installed in kiosk mode: it's set as the preferred home intent and whitelisted for lock task mode. Device setup won't complete until the app is installed. After installation, users won't be able to remove the app. You can only set this installType for one app per policy. When this is present in the policy, status bar will be automatically disabled.If there is any app with KIOSK role, then this install type cannot be set for any app.",
             "The app can only be installed and updated via AMAPI SDK command (https://developers.google.com/android/management/extensibility-sdk-integration).Note: This only affects fully managed devices. Play related fields minimumVersionCode, accessibleTrackIds, autoUpdateMode, installConstraint and installPriority cannot be set for the app. The app isn't available in the Play Store. The app installed on the device has applicationSource set to CUSTOM. The signing key certificate fingerprint of the app on the device must match one of the entries in ApplicationPolicy.signingKeyCerts . Otherwise, a NonComplianceDetail with APP_SIGNING_CERT_MISMATCH is reported. Changing the installType to and from CUSTOM uninstalls the existing app if its signing key certificate fingerprint doesn't match the one from the new app source. Removing the app from applications doesn't uninstall the existing app if it conforms to playStoreMode. See also customAppConfig. This is different from the Google Play Custom App Publishing (https://developers.google.com/android/work/play/custom-app-api/get-started) feature."
           ],
           "type": "string"
@@ -2240,8 +2251,15 @@
           ],
           "type": "string"
         },
+        "roles": {
+          "description": "Optional. Roles the app has.Apps having certain roles can be exempted from power and background execution restrictions, suspension and hibernation on Android 14 and above. The user control can also be disallowed for apps with certain roles on Android 11 and above. Refer to the documentation of each RoleType for more details.The app is notified about the roles that are set for it if the app has a notification receiver service with . The app is notified whenever its roles are updated or after the app is installed when it has nonempty list of roles. The app can use this notification to bootstrap itself after the installation. See Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) and Manage app roles (https://developers.google.com/android/management/app-roles) guides for more details on the requirements for the service.For the exemptions to be applied and the app to be notified about the roles, the signing key certificate fingerprint of the app on the device must match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts. Otherwise, a NonComplianceDetail with APP_SIGNING_CERT_MISMATCH is reported.There must not be duplicate roles with the same roleType. Multiple apps cannot hold a role with the same roleType. A role with type ROLE_TYPE_UNSPECIFIED is not allowed.",
+          "items": {
+            "$ref": "Role"
+          },
+          "type": "array"
+        },
         "signingKeyCerts": {
-          "description": "Optional. Signing key certificates of the app.This field is required in the following cases: The app has installType set to CUSTOM (i.e. a custom app). The app has extensionConfig set (i.e. an extension app) but ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) is not set and the app does not exist on the Play Store.If this field is not set for a custom app, the policy is rejected. If it is not set when required for a non-custom app, a NonComplianceDetail with INVALID_VALUE is reported.For other cases, this field is optional and the signing key certificates obtained from Play Store are used.See following policy settings to see how this field is used: choosePrivateKeyRules ApplicationPolicy.InstallType.CUSTOM ApplicationPolicy.extensionConfig",
+          "description": "Optional. Signing key certificates of the app.This field is required in the following cases: The app has installType set to CUSTOM (i.e. a custom app). The app has roles set to a nonempty list and the app does not exist on the Play Store. The app has extensionConfig set (i.e. an extension app) but ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) is not set and the app does not exist on the Play Store.If this field is not set for a custom app, the policy is rejected. If it is not set when required for a non-custom app, a NonComplianceDetail with INVALID_VALUE is reported.For other cases, this field is optional and the signing key certificates obtained from Play Store are used.See following policy settings to see how this field is used: choosePrivateKeyRules ApplicationPolicy.InstallType.CUSTOM ApplicationPolicy.extensionConfig ApplicationPolicy.roles",
           "items": {
             "$ref": "ApplicationSigningKeyCert"
           },
@@ -2255,8 +2273,8 @@
             "USER_CONTROL_DISALLOWED"
           ],
           "enumDescriptions": [
-            "Uses the default behaviour of the app to determine if user control is allowed or disallowed. User control is allowed by default for most apps but disallowed for following types of apps: extension apps (see extensionConfig for more details) kiosk apps (see KIOSK install type for more details) other critical system apps",
-            "User control is allowed for the app. Kiosk apps can use this to allow user control. For extension apps (see extensionConfig for more details), user control is disallowed even if this value is set. For kiosk apps (see KIOSK install type for more details), this value can be used to allow user control.",
+            "Uses the default behaviour of the app to determine if user control is allowed or disallowed. User control is allowed by default for most apps but disallowed for following types of apps: extension apps (see extensionConfig for more details) kiosk apps (see KIOSK install type for more details) apps with roles set to a nonempty list other critical system apps",
+            "User control is allowed for the app. Kiosk apps can use this to allow user control. For extension apps (see extensionConfig for more details), user control is disallowed even if this value is set.For apps with roles set to a nonempty list (except roles containing only KIOSK role), this value cannot be set.For kiosk apps (see KIOSK install type and KIOSK role type for more details), this value can be used to allow user control.",
             "User control is disallowed for the app. This is supported on Android 11 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 11."
           ],
           "type": "string"
@@ -3958,6 +3976,7 @@
       "id": "ExtensionConfig",
       "properties": {
         "notificationReceiver": {
+          "deprecated": true,
           "description": "Fully qualified class name of the receiver service class for Android Device Policy to notify the extension app of any local command status updates. The service must be exported in the extension app's AndroidManifest.xml and extend NotificationReceiverService (https://developers.google.com/android/management/reference/amapi/com/google/android/managementapi/notification/NotificationReceiverService) (see Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) guide for more details).",
           "type": "string"
         },
@@ -6848,6 +6867,31 @@
       },
       "type": "object"
     },
+    "Role": {
+      "description": "Role an app can have.",
+      "id": "Role",
+      "properties": {
+        "roleType": {
+          "description": "Required. The type of the role an app can have.",
+          "enum": [
+            "ROLE_TYPE_UNSPECIFIED",
+            "COMPANION_APP",
+            "KIOSK",
+            "MOBILE_THREAT_DEFENSE_ENDPOINT_DETECTION_RESPONSE",
+            "SYSTEM_HEALTH_MONITORING"
+          ],
+          "enumDescriptions": [
+            "The role type is unspecified. This value must not be used.",
+            "The role type for companion apps. This role enables the app as a companion app with the capability of interacting with Android Device Policy offline. This is the recommended way to configure an app as a companion app. For legacy way, see extensionConfig.On Android 14 and above, the app with this role is exempted from power and background execution restrictions, suspension and hibernation. On Android 11 and above, the user control is disallowed for the app with this role. userControlSettings cannot be set to USER_CONTROL_ALLOWED for the app with this role.Android Device Policy notifies the companion app of any local command status updates if the app has a service with . See Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) guide for more details on the requirements for the service.",
+            "The role type for kiosk apps. An app can have this role only if it has installType set to REQUIRED_FOR_SETUP or CUSTOM. Before adding this role to an app with CUSTOM install type, the app must already be installed on the device.The app having this role type is set as the preferred home intent and allowlisted for lock task mode. When there is an app with this role type, status bar will be automatically disabled.This is preferable to setting installType to KIOSK.On Android 11 and above, the user control is disallowed but userControlSettings can be set to USER_CONTROL_ALLOWED to allow user control for the app with this role.",
+            "The role type for Mobile Threat Defense (MTD) / Endpoint Detection \u0026 Response (EDR) apps.On Android 14 and above, the app with this role is exempted from power and background execution restrictions, suspension and hibernation. On Android 11 and above, the user control is disallowed and userControlSettings cannot be set to USER_CONTROL_ALLOWED for the app with this role.",
+            "The role type for system health monitoring apps.On Android 14 and above, the app with this role is exempted from power and background execution restrictions, suspension and hibernation. On Android 11 and above, the user control is disallowed and userControlSettings cannot be set to USER_CONTROL_ALLOWED for the app with this role."
+          ],
+          "type": "string"
+        }
+      },
+      "type": "object"
+    },
     "ScreenBrightnessSettings": {
       "description": "Controls for the screen brightness settings.",
       "id": "ScreenBrightnessSettings",