From 2bc529f2033f14ecee352acd3e8389431f0fef09 Mon Sep 17 00:00:00 2001 From: didrocks <1823296+didrocks@users.noreply.github.com> Date: Thu, 12 Sep 2024 13:44:25 +0000 Subject: [PATCH] Refresh policy definition files --- ...-removable-storage-devices-as-read-only.md | 22 +++ .../Shell/Privacy/usb-protection-level.md | 26 +++ .../Desktop/Shell/Privacy/usb-protection.md | 25 +++ policies/Ubuntu/all/Ubuntu.adml | 101 ++++++++++ policies/Ubuntu/all/Ubuntu.admx | 175 ++++++++++++++++++ policies/Ubuntu/lts-only/Ubuntu.adml | 86 +++++++++ policies/Ubuntu/lts-only/Ubuntu.admx | 143 ++++++++++++++ 7 files changed, 578 insertions(+) create mode 100644 docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/LockDown/mount-removable-storage-devices-as-read-only.md create mode 100644 docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection-level.md create mode 100644 docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection.md diff --git a/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/LockDown/mount-removable-storage-devices-as-read-only.md b/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/LockDown/mount-removable-storage-devices-as-read-only.md new file mode 100644 index 000000000..86609ed38 --- /dev/null +++ b/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/LockDown/mount-removable-storage-devices-as-read-only.md @@ -0,0 +1,22 @@ +# Mount removable storage devices as read-only + +Prevent users from writing or modifying files on removable storage devices (i.e. flash disks, mobile phones, cameras). + +- Type: dconf +- Key: /org/gnome/desktop/lockdown/mount-removable-storage-devices-as-read-only +- Default: false + +Note: default system value is used for "Not Configured" and enforced if "Disabled". + +Supported on Ubuntu 20.04, 22.04, 24.04, 24.10. + + + +**Metadata** + +| Element | Value | +| --- | --- | +| Location | User Policies -> Ubuntu -> Desktop -> Shell -> LockDown -> Mount removable storage devices as read-only | +| Registry Key | Software\Policies\Ubuntu\dconf\org\gnome\desktop\lockdown\mount-removable-storage-devices-as-read-only | +| Element type | boolean | +| Class: | User | diff --git a/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection-level.md b/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection-level.md new file mode 100644 index 000000000..e63443d6e --- /dev/null +++ b/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection-level.md @@ -0,0 +1,26 @@ +# When USB devices should be rejected + +If set to “lockscreen”, only when the lock screen is present new USB devices will be rejected; if set to “always”, all new USB devices will always be rejected. + +- Type: dconf +- Key: /org/gnome/desktop/privacy/usb-protection-level +- Default: 'lockscreen' + +Note: default system value is used for "Not Configured" and enforced if "Disabled". + +Supported on Ubuntu 20.04, 22.04, 24.04, 24.10. + +**Valid values** + +* lockscreen +* always + + +**Metadata** + +| Element | Value | +| --- | --- | +| Location | User Policies -> Ubuntu -> Desktop -> Shell -> Privacy -> When USB devices should be rejected | +| Registry Key | Software\Policies\Ubuntu\dconf\org\gnome\desktop\privacy\usb-protection-level | +| Element type | dropdownList | +| Class: | User | diff --git a/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection.md b/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection.md new file mode 100644 index 000000000..b034bd931 --- /dev/null +++ b/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection.md @@ -0,0 +1,25 @@ +# Whether to protect USB devices + +If the USBGuard service is present and this setting is enabled, USB devices will be protected as configured in the usb-protection-level setting. + +- Type: dconf +- Key: /org/gnome/desktop/privacy/usb-protection +- Default for 20.04: false +- Default for 22.04: true +- Default for 24.04: true +- Default for 24.10: true + +Note: default system value is used for "Not Configured" and enforced if "Disabled". + +Supported on Ubuntu 20.04, 22.04, 24.04, 24.10. + + + +**Metadata** + +| Element | Value | +| --- | --- | +| Location | User Policies -> Ubuntu -> Desktop -> Shell -> Privacy -> Whether to protect USB devices | +| Registry Key | Software\Policies\Ubuntu\dconf\org\gnome\desktop\privacy\usb-protection | +| Element type | boolean | +| Class: | User | diff --git a/policies/Ubuntu/all/Ubuntu.adml b/policies/Ubuntu/all/Ubuntu.adml index ba2d7395f..a12d07109 100644 --- a/policies/Ubuntu/all/Ubuntu.adml +++ b/policies/Ubuntu/all/Ubuntu.adml @@ -14,6 +14,7 @@ Clock Notifications LockDown + Privacy Keyboard shortcuts Screensaver Peripherals @@ -360,6 +361,20 @@ Supported on Ubuntu 20.04, 22.04, 24.04, 24.10. Disable saving files to disk Disable saving files to disk Disable saving files to disk + Prevent users from writing or modifying files on removable storage devices (i.e. flash disks, mobile phones, cameras). + +- Type: dconf +- Key: /org/gnome/desktop/lockdown/mount-removable-storage-devices-as-read-only +- Default: false + +Note: default system value is used for "Not Configured" and enforced if "Disabled". + +Supported on Ubuntu 20.04, 22.04, 24.04, 24.10. + Mount removable storage devices as read-only + Mount removable storage devices as read-only + Mount removable storage devices as read-only + Mount removable storage devices as read-only + Mount removable storage devices as read-only Stop the user from modifying user accounts. By default, we allow adding and removing users, as well as changing other users settings. - Type: dconf @@ -374,6 +389,47 @@ Supported on Ubuntu 20.04, 22.04, 24.04, 24.10. Disable user administration Disable user administration Disable user administration + If the USBGuard service is present and this setting is enabled, USB devices will be protected as configured in the usb-protection-level setting. + +- Type: dconf +- Key: /org/gnome/desktop/privacy/usb-protection +- Default for 20.04: false +- Default for 22.04: true +- Default for 24.04: true +- Default for 24.10: true + +Note: default system value is used for "Not Configured" and enforced if "Disabled". + +Supported on Ubuntu 20.04, 22.04, 24.04, 24.10. + Whether to protect USB devices + Whether to protect USB devices + Whether to protect USB devices + Whether to protect USB devices + Whether to protect USB devices + If set to “lockscreen”, only when the lock screen is present new USB devices will be rejected; if set to “always”, all new USB devices will always be rejected. + +- Type: dconf +- Key: /org/gnome/desktop/privacy/usb-protection-level +- Default: 'lockscreen' + +Note: default system value is used for "Not Configured" and enforced if "Disabled". + +Supported on Ubuntu 20.04, 22.04, 24.04, 24.10. + When USB devices should be rejected + lockscreen + always + When USB devices should be rejected + lockscreen + always + When USB devices should be rejected + lockscreen + always + When USB devices should be rejected + lockscreen + always + When USB devices should be rejected + lockscreen + always Binding to launch GNOME Settings. - Type: dconf @@ -1953,6 +2009,21 @@ An Ubuntu Pro subscription on the client is required to apply this policy.Override value for 20.04: Disable saving files to disk + + Mount removable storage devices as read-only + + Override value for 24.10: + Mount removable storage devices as read-only + + Override value for 24.04: + Mount removable storage devices as read-only + + Override value for 22.04: + Mount removable storage devices as read-only + + Override value for 20.04: + Mount removable storage devices as read-only + Disable user administration @@ -1968,6 +2039,36 @@ An Ubuntu Pro subscription on the client is required to apply this policy.Override value for 20.04: Disable user administration + + Whether to protect USB devices + + Override value for 24.10: + Whether to protect USB devices + + Override value for 24.04: + Whether to protect USB devices + + Override value for 22.04: + Whether to protect USB devices + + Override value for 20.04: + Whether to protect USB devices + + + When USB devices should be rejected + + Override value for 24.10: + + + Override value for 24.04: + + + Override value for 22.04: + + + Override value for 20.04: + + Launch settings diff --git a/policies/Ubuntu/all/Ubuntu.admx b/policies/Ubuntu/all/Ubuntu.admx index de6f2a834..f49f67134 100644 --- a/policies/Ubuntu/all/Ubuntu.admx +++ b/policies/Ubuntu/all/Ubuntu.admx @@ -32,6 +32,9 @@ + + + @@ -1121,6 +1124,50 @@ + + + + {"20.04":{"empty":"false","meta":"b"},"22.04":{"empty":"false","meta":"b"},"24.04":{"empty":"false","meta":"b"},"24.10":{"empty":"false","meta":"b"},"all":{"empty":"false","meta":"b"}} + {"20.04":{"meta":"b"},"22.04":{"meta":"b"},"24.04":{"meta":"b"},"24.10":{"meta":"b"},"all":{"meta":"b"}} + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + @@ -1165,6 +1212,134 @@ + + + + {"20.04":{"empty":"false","meta":"b"},"22.04":{"empty":"false","meta":"b"},"24.04":{"empty":"false","meta":"b"},"24.10":{"empty":"false","meta":"b"},"all":{"empty":"false","meta":"b"}} + {"20.04":{"meta":"b"},"22.04":{"meta":"b"},"24.04":{"meta":"b"},"24.10":{"meta":"b"},"all":{"meta":"b"}} + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + + + + + {"20.04":{"empty":"''","meta":"s"},"22.04":{"empty":"''","meta":"s"},"24.04":{"empty":"''","meta":"s"},"24.10":{"empty":"''","meta":"s"},"all":{"empty":"''","meta":"s"}} + {"20.04":{"meta":"s"},"22.04":{"meta":"s"},"24.04":{"meta":"s"},"24.10":{"meta":"s"},"all":{"meta":"s"}} + + + + + lockscreen + + + + + always + + + + + true + false + + + + + lockscreen + + + + + always + + + + + true + false + + + + + lockscreen + + + + + always + + + + + true + false + + + + + lockscreen + + + + + always + + + + + true + false + + + + + lockscreen + + + + + always + + + + + diff --git a/policies/Ubuntu/lts-only/Ubuntu.adml b/policies/Ubuntu/lts-only/Ubuntu.adml index 903fc3585..b4ebd0a27 100644 --- a/policies/Ubuntu/lts-only/Ubuntu.adml +++ b/policies/Ubuntu/lts-only/Ubuntu.adml @@ -14,6 +14,7 @@ Clock Notifications LockDown + Privacy Keyboard shortcuts Screensaver Peripherals @@ -329,6 +330,19 @@ Supported on Ubuntu 20.04, 22.04, 24.04. Disable saving files to disk Disable saving files to disk Disable saving files to disk + Prevent users from writing or modifying files on removable storage devices (i.e. flash disks, mobile phones, cameras). + +- Type: dconf +- Key: /org/gnome/desktop/lockdown/mount-removable-storage-devices-as-read-only +- Default: false + +Note: default system value is used for "Not Configured" and enforced if "Disabled". + +Supported on Ubuntu 20.04, 22.04, 24.04. + Mount removable storage devices as read-only + Mount removable storage devices as read-only + Mount removable storage devices as read-only + Mount removable storage devices as read-only Stop the user from modifying user accounts. By default, we allow adding and removing users, as well as changing other users settings. - Type: dconf @@ -342,6 +356,42 @@ Supported on Ubuntu 20.04, 22.04, 24.04. Disable user administration Disable user administration Disable user administration + If the USBGuard service is present and this setting is enabled, USB devices will be protected as configured in the usb-protection-level setting. + +- Type: dconf +- Key: /org/gnome/desktop/privacy/usb-protection +- Default for 20.04: false +- Default for 22.04: true +- Default for 24.04: true + +Note: default system value is used for "Not Configured" and enforced if "Disabled". + +Supported on Ubuntu 20.04, 22.04, 24.04. + Whether to protect USB devices + Whether to protect USB devices + Whether to protect USB devices + Whether to protect USB devices + If set to “lockscreen”, only when the lock screen is present new USB devices will be rejected; if set to “always”, all new USB devices will always be rejected. + +- Type: dconf +- Key: /org/gnome/desktop/privacy/usb-protection-level +- Default: 'lockscreen' + +Note: default system value is used for "Not Configured" and enforced if "Disabled". + +Supported on Ubuntu 20.04, 22.04, 24.04. + When USB devices should be rejected + lockscreen + always + When USB devices should be rejected + lockscreen + always + When USB devices should be rejected + lockscreen + always + When USB devices should be rejected + lockscreen + always Binding to launch GNOME Settings. - Type: dconf @@ -1745,6 +1795,18 @@ An Ubuntu Pro subscription on the client is required to apply this policy.Override value for 20.04: Disable saving files to disk + + Mount removable storage devices as read-only + + Override value for 24.04: + Mount removable storage devices as read-only + + Override value for 22.04: + Mount removable storage devices as read-only + + Override value for 20.04: + Mount removable storage devices as read-only + Disable user administration @@ -1757,6 +1819,30 @@ An Ubuntu Pro subscription on the client is required to apply this policy.Override value for 20.04: Disable user administration + + Whether to protect USB devices + + Override value for 24.04: + Whether to protect USB devices + + Override value for 22.04: + Whether to protect USB devices + + Override value for 20.04: + Whether to protect USB devices + + + When USB devices should be rejected + + Override value for 24.04: + + + Override value for 22.04: + + + Override value for 20.04: + + Launch settings diff --git a/policies/Ubuntu/lts-only/Ubuntu.admx b/policies/Ubuntu/lts-only/Ubuntu.admx index c0bbf0fd8..c82b73f0e 100644 --- a/policies/Ubuntu/lts-only/Ubuntu.admx +++ b/policies/Ubuntu/lts-only/Ubuntu.admx @@ -32,6 +32,9 @@ + + + @@ -929,6 +932,42 @@ + + + + {"20.04":{"empty":"false","meta":"b"},"22.04":{"empty":"false","meta":"b"},"24.04":{"empty":"false","meta":"b"},"all":{"empty":"false","meta":"b"}} + {"20.04":{"meta":"b"},"22.04":{"meta":"b"},"24.04":{"meta":"b"},"all":{"meta":"b"}} + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + @@ -965,6 +1004,110 @@ + + + + {"20.04":{"empty":"false","meta":"b"},"22.04":{"empty":"false","meta":"b"},"24.04":{"empty":"false","meta":"b"},"all":{"empty":"false","meta":"b"}} + {"20.04":{"meta":"b"},"22.04":{"meta":"b"},"24.04":{"meta":"b"},"all":{"meta":"b"}} + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + true + false + + + + + + + {"20.04":{"empty":"''","meta":"s"},"22.04":{"empty":"''","meta":"s"},"24.04":{"empty":"''","meta":"s"},"all":{"empty":"''","meta":"s"}} + {"20.04":{"meta":"s"},"22.04":{"meta":"s"},"24.04":{"meta":"s"},"all":{"meta":"s"}} + + + + + lockscreen + + + + + always + + + + + true + false + + + + + lockscreen + + + + + always + + + + + true + false + + + + + lockscreen + + + + + always + + + + + true + false + + + + + lockscreen + + + + + always + + + + +