[Chromoting] Add new Chromoting enterprise policies

chrome/app/policy/policy_templates.json

 {
 # policy_templates.json - Metafile for policy templates
 #
 # The content of this file is evaluated as a Python expression.
 #
 # This file is used as input to generate the following policy templates:
 # ADM, ADMX+ADML, MCX/plist and html documentation.
 #
 # Policy templates are user interface definitions or documents about the
 # policies that can be used to configure Chrome. Each policy is a name-value
@@ skipping 94 matching lines @@
 #   templates and documentation. The policy definition list that Chrome sees
 #   will include policies marked with 'future'. If a WIP policy isn't meant to
 #   be seen by the policy providers either, the 'supported_on' key should be set
 #   to an empty list.
 #
 # IDs:
 #   Since a Protocol Buffer definition is generated from this file, unique and
 #   persistent IDs for all fields (but not for groups!) are needed. These are
 #   specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
 #   because doing so would break the deployed wire format!
-#   For your editing convenience: highest ID currently used: 153
+#   For your editing convenience: highest ID currently used: 156
 #
 # Placeholders:
 #   The following placeholder strings are automatically substituted:
 #     $1 -> Google Chrome / Chromium
 #     $2 -> Google Chrome OS / Chromium OS
 #     $3 -> Google Chrome Frame / Chromium Frame
 #     $6 is reserved for doc_writer
 #
 # Device Policy:
 #   An additional flag device_only (optional, defaults to False) indicates
@@ skipping 321 matching lines @@
           'id': 95,
           'caption': '''Enable firewall traversal from remote access host''',
           'desc': '''Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine.
 
           If this setting is enabled, then remote clients can discover and connect to this machines even if they are separated by a firewall.
 
           If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network.
 
           If this policy is left not set the setting will be enabled.''',
         },
+        {
+          'name': 'RemoteAccessHostDomain',
+          'type': 'string',
+          'schema': { 'type': 'string' },
+          'supported_on': ['chrome.*:22-', 'chrome_os:0.22-'],
+          'features': {'dynamic_refresh': True},
+          'example_value': 'my-awesome-domain.com',
+          'id': 154,
+          'caption': '''Configure the required host domain name''',

[Mattias Nissler (ping if slow), 2012/08/03 09:05:52]

Can you add "for Chromoting" or something alike so admins get a hint on what
this applies to when they go through the list of policies?

[garykac, 2012/08/03 17:28:24]

I don't think this is necessary because all of these policies are contained
within the RemoteAccess group (which starts on line 415).

I haven't used the admin UI to set policy, but I believe that admins won't see
these options unless they open up the RemoteAccess group, which should provide
the required context.

Does that seem sufficient to you?

[Mattias Nissler (ping if slow), 2012/08/06 08:49:45]

No. The grouping is nice, but unfortunately only shows up in documentation and
group policy templates. For example, application manifest on the Mac doesn't
have grouping. Thus, the policy descriptions need to make sense even with out
the group description context.

[garykac, 2012/08/06 14:36:32]

Ah. That's unfortunate.

I've updated the captions and descriptions to include "remote access".

+          'desc': '''Configures the required host domain name and prevents users from changing it.
+
+          If this setting is enabled, then hosts can be shared only using accounts registered on the specified domain name.

[Mattias Nissler (ping if slow), 2012/08/03 09:05:52]

Same here. If you don't have the Chromoting context, it's very hard to
understand what "host sharing" actually refers to.

[garykac, 2012/08/03 17:28:24]

same

+
+          If this setting is disabled or not set, then hosts can be shared using any account.''',
+        },
+        {
+          'name': 'RemoteAccessHostRequireTwoFactor',
+          'type': 'main',
+          'schema': { 'type': 'boolean' },
+          'supported_on': ['chrome.*:22-', 'chrome_os:0.22-'],
+          'features': {'dynamic_refresh': True},
+          'example_value': False,
+          'id': 155,
+          'caption': '''Enable two-factor authentication on host''',

[Mattias Nissler (ping if slow), 2012/08/03 09:05:52]

ditto

[garykac, 2012/08/03 17:28:24]

same

+          'desc': '''Enables two-factor authentication on the host instead of a user-specified PIN.
+
+          If this setting is enabled, then users must provide a valid two-factor code when accessing the host.
+
+          If this setting is disabled or not set, then two-factor will not be enabled and the default behavior of having a user-defined PIN will be used.''',
+        },
+        {
+          'name': 'RemoteAccessHostTalkGadgetPrefix',
+          'type': 'string',
+          'schema': { 'type': 'string' },
+          'supported_on': ['chrome.*:22-', 'chrome_os:0.22-'],
+          'features': {'dynamic_refresh': True},
+          'example_value': 'chromoting-host',
+          'id': 156,
+          'caption': '''Configure the TalkGadget prefix for hosts''',
+          'desc': '''Configures the host TalkGadget prefix and prevents users from changing it.

[Mattias Nissler (ping if slow), 2012/08/03 09:05:52]

ditto

[garykac, 2012/08/03 17:28:25]

same

+
+          If specified, this prefix is prepended to the base TalkGadget name to create a full domain name for the TalkGadget. The base TalkGadget domain name is '.talkgadget.google.com'.
+
+          If this setting is enabled, then hosts will use the custom domain name when accessing the TalkGadget instead of the default domain name.
+
+          If this setting is disabled or not set, then the default TalkGadget domain name ('chromoting-host.talkgadget.google.com') will be used.
+
+          Remote access clients are not affected by this policy setting. They will always use 'chromoting-client.talkgadget.google.com' to access the TalkGadget.''',
+        },
       ],
     },
     {
       'name': 'PrintingEnabled',
       'type': 'main',
       'schema': { 'type': 'boolean' },
       'supported_on': ['chrome.*:8-', 'chrome_os:0.11-'],
       'features': {'dynamic_refresh': True},
       'example_value': True,
       'id': 12,
@@ skipping 2724 matching lines @@
       'desc': '''Text appended in parentheses to the policy name to indicate that it has been deprecated''',
       'text': 'deprecated',
     },
     'doc_recommended': {
       'desc': '''Text appended in parentheses next to the policies top-level container to indicate that those policies are of the Recommended level''',
       'text': 'Recommended',
     },
   },
   'placeholders': [],
 }