From 2bc529f2033f14ecee352acd3e8389431f0fef09 Mon Sep 17 00:00:00 2001
From: didrocks <1823296+didrocks@users.noreply.github.com>
Date: Thu, 12 Sep 2024 13:44:25 +0000
Subject: [PATCH] Refresh policy definition files
---
...-removable-storage-devices-as-read-only.md | 22 +++
.../Shell/Privacy/usb-protection-level.md | 26 +++
.../Desktop/Shell/Privacy/usb-protection.md | 25 +++
policies/Ubuntu/all/Ubuntu.adml | 101 ++++++++++
policies/Ubuntu/all/Ubuntu.admx | 175 ++++++++++++++++++
policies/Ubuntu/lts-only/Ubuntu.adml | 86 +++++++++
policies/Ubuntu/lts-only/Ubuntu.admx | 143 ++++++++++++++
7 files changed, 578 insertions(+)
create mode 100644 docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/LockDown/mount-removable-storage-devices-as-read-only.md
create mode 100644 docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection-level.md
create mode 100644 docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection.md
diff --git a/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/LockDown/mount-removable-storage-devices-as-read-only.md b/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/LockDown/mount-removable-storage-devices-as-read-only.md
new file mode 100644
index 000000000..86609ed38
--- /dev/null
+++ b/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/LockDown/mount-removable-storage-devices-as-read-only.md
@@ -0,0 +1,22 @@
+# Mount removable storage devices as read-only
+
+Prevent users from writing or modifying files on removable storage devices (i.e. flash disks, mobile phones, cameras).
+
+- Type: dconf
+- Key: /org/gnome/desktop/lockdown/mount-removable-storage-devices-as-read-only
+- Default: false
+
+Note: default system value is used for "Not Configured" and enforced if "Disabled".
+
+Supported on Ubuntu 20.04, 22.04, 24.04, 24.10.
+
+
+
+**Metadata**
+
+| Element | Value |
+| --- | --- |
+| Location | User Policies -> Ubuntu -> Desktop -> Shell -> LockDown -> Mount removable storage devices as read-only |
+| Registry Key | Software\Policies\Ubuntu\dconf\org\gnome\desktop\lockdown\mount-removable-storage-devices-as-read-only |
+| Element type | boolean |
+| Class: | User |
diff --git a/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection-level.md b/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection-level.md
new file mode 100644
index 000000000..e63443d6e
--- /dev/null
+++ b/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection-level.md
@@ -0,0 +1,26 @@
+# When USB devices should be rejected
+
+If set to “lockscreen”, only when the lock screen is present new USB devices will be rejected; if set to “always”, all new USB devices will always be rejected.
+
+- Type: dconf
+- Key: /org/gnome/desktop/privacy/usb-protection-level
+- Default: 'lockscreen'
+
+Note: default system value is used for "Not Configured" and enforced if "Disabled".
+
+Supported on Ubuntu 20.04, 22.04, 24.04, 24.10.
+
+**Valid values**
+
+* lockscreen
+* always
+
+
+**Metadata**
+
+| Element | Value |
+| --- | --- |
+| Location | User Policies -> Ubuntu -> Desktop -> Shell -> Privacy -> When USB devices should be rejected |
+| Registry Key | Software\Policies\Ubuntu\dconf\org\gnome\desktop\privacy\usb-protection-level |
+| Element type | dropdownList |
+| Class: | User |
diff --git a/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection.md b/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection.md
new file mode 100644
index 000000000..b034bd931
--- /dev/null
+++ b/docs/reference/policies/User Policies/Ubuntu/Desktop/Shell/Privacy/usb-protection.md
@@ -0,0 +1,25 @@
+# Whether to protect USB devices
+
+If the USBGuard service is present and this setting is enabled, USB devices will be protected as configured in the usb-protection-level setting.
+
+- Type: dconf
+- Key: /org/gnome/desktop/privacy/usb-protection
+- Default for 20.04: false
+- Default for 22.04: true
+- Default for 24.04: true
+- Default for 24.10: true
+
+Note: default system value is used for "Not Configured" and enforced if "Disabled".
+
+Supported on Ubuntu 20.04, 22.04, 24.04, 24.10.
+
+
+
+**Metadata**
+
+| Element | Value |
+| --- | --- |
+| Location | User Policies -> Ubuntu -> Desktop -> Shell -> Privacy -> Whether to protect USB devices |
+| Registry Key | Software\Policies\Ubuntu\dconf\org\gnome\desktop\privacy\usb-protection |
+| Element type | boolean |
+| Class: | User |
diff --git a/policies/Ubuntu/all/Ubuntu.adml b/policies/Ubuntu/all/Ubuntu.adml
index ba2d7395f..a12d07109 100644
--- a/policies/Ubuntu/all/Ubuntu.adml
+++ b/policies/Ubuntu/all/Ubuntu.adml
@@ -14,6 +14,7 @@
Clock
Notifications
LockDown
+ Privacy
Keyboard shortcuts
Screensaver
Peripherals
@@ -360,6 +361,20 @@ Supported on Ubuntu 20.04, 22.04, 24.04, 24.10.
Disable saving files to disk
Disable saving files to disk
Disable saving files to disk
+ Prevent users from writing or modifying files on removable storage devices (i.e. flash disks, mobile phones, cameras).
+
+- Type: dconf
+- Key: /org/gnome/desktop/lockdown/mount-removable-storage-devices-as-read-only
+- Default: false
+
+Note: default system value is used for "Not Configured" and enforced if "Disabled".
+
+Supported on Ubuntu 20.04, 22.04, 24.04, 24.10.
+ Mount removable storage devices as read-only
+ Mount removable storage devices as read-only
+ Mount removable storage devices as read-only
+ Mount removable storage devices as read-only
+ Mount removable storage devices as read-only
Stop the user from modifying user accounts. By default, we allow adding and removing users, as well as changing other users settings.
- Type: dconf
@@ -374,6 +389,47 @@ Supported on Ubuntu 20.04, 22.04, 24.04, 24.10.
Disable user administration
Disable user administration
Disable user administration
+ If the USBGuard service is present and this setting is enabled, USB devices will be protected as configured in the usb-protection-level setting.
+
+- Type: dconf
+- Key: /org/gnome/desktop/privacy/usb-protection
+- Default for 20.04: false
+- Default for 22.04: true
+- Default for 24.04: true
+- Default for 24.10: true
+
+Note: default system value is used for "Not Configured" and enforced if "Disabled".
+
+Supported on Ubuntu 20.04, 22.04, 24.04, 24.10.
+ Whether to protect USB devices
+ Whether to protect USB devices
+ Whether to protect USB devices
+ Whether to protect USB devices
+ Whether to protect USB devices
+ If set to “lockscreen”, only when the lock screen is present new USB devices will be rejected; if set to “always”, all new USB devices will always be rejected.
+
+- Type: dconf
+- Key: /org/gnome/desktop/privacy/usb-protection-level
+- Default: 'lockscreen'
+
+Note: default system value is used for "Not Configured" and enforced if "Disabled".
+
+Supported on Ubuntu 20.04, 22.04, 24.04, 24.10.
+ When USB devices should be rejected
+ lockscreen
+ always
+ When USB devices should be rejected
+ lockscreen
+ always
+ When USB devices should be rejected
+ lockscreen
+ always
+ When USB devices should be rejected
+ lockscreen
+ always
+ When USB devices should be rejected
+ lockscreen
+ always
Binding to launch GNOME Settings.
- Type: dconf
@@ -1953,6 +2009,21 @@ An Ubuntu Pro subscription on the client is required to apply this policy.Override value for 20.04:
Disable saving files to disk
+
+ Mount removable storage devices as read-only
+
+ Override value for 24.10:
+ Mount removable storage devices as read-only
+
+ Override value for 24.04:
+ Mount removable storage devices as read-only
+
+ Override value for 22.04:
+ Mount removable storage devices as read-only
+
+ Override value for 20.04:
+ Mount removable storage devices as read-only
+
Disable user administration
@@ -1968,6 +2039,36 @@ An Ubuntu Pro subscription on the client is required to apply this policy.Override value for 20.04:
Disable user administration
+
+ Whether to protect USB devices
+
+ Override value for 24.10:
+ Whether to protect USB devices
+
+ Override value for 24.04:
+ Whether to protect USB devices
+
+ Override value for 22.04:
+ Whether to protect USB devices
+
+ Override value for 20.04:
+ Whether to protect USB devices
+
+
+ When USB devices should be rejected
+
+ Override value for 24.10:
+
+
+ Override value for 24.04:
+
+
+ Override value for 22.04:
+
+
+ Override value for 20.04:
+
+
Launch settings
diff --git a/policies/Ubuntu/all/Ubuntu.admx b/policies/Ubuntu/all/Ubuntu.admx
index de6f2a834..f49f67134 100644
--- a/policies/Ubuntu/all/Ubuntu.admx
+++ b/policies/Ubuntu/all/Ubuntu.admx
@@ -32,6 +32,9 @@
+
+
+
@@ -1121,6 +1124,50 @@
+
+
+
+ {"20.04":{"empty":"false","meta":"b"},"22.04":{"empty":"false","meta":"b"},"24.04":{"empty":"false","meta":"b"},"24.10":{"empty":"false","meta":"b"},"all":{"empty":"false","meta":"b"}}
+ {"20.04":{"meta":"b"},"22.04":{"meta":"b"},"24.04":{"meta":"b"},"24.10":{"meta":"b"},"all":{"meta":"b"}}
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+
@@ -1165,6 +1212,134 @@
+
+
+
+ {"20.04":{"empty":"false","meta":"b"},"22.04":{"empty":"false","meta":"b"},"24.04":{"empty":"false","meta":"b"},"24.10":{"empty":"false","meta":"b"},"all":{"empty":"false","meta":"b"}}
+ {"20.04":{"meta":"b"},"22.04":{"meta":"b"},"24.04":{"meta":"b"},"24.10":{"meta":"b"},"all":{"meta":"b"}}
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+
+
+
+
+ {"20.04":{"empty":"''","meta":"s"},"22.04":{"empty":"''","meta":"s"},"24.04":{"empty":"''","meta":"s"},"24.10":{"empty":"''","meta":"s"},"all":{"empty":"''","meta":"s"}}
+ {"20.04":{"meta":"s"},"22.04":{"meta":"s"},"24.04":{"meta":"s"},"24.10":{"meta":"s"},"all":{"meta":"s"}}
+
+
+ -
+
+ lockscreen
+
+
+ -
+
+ always
+
+
+
+
+ true
+ false
+
+
+ -
+
+ lockscreen
+
+
+ -
+
+ always
+
+
+
+
+ true
+ false
+
+
+ -
+
+ lockscreen
+
+
+ -
+
+ always
+
+
+
+
+ true
+ false
+
+
+ -
+
+ lockscreen
+
+
+ -
+
+ always
+
+
+
+
+ true
+ false
+
+
+ -
+
+ lockscreen
+
+
+ -
+
+ always
+
+
+
+
+
diff --git a/policies/Ubuntu/lts-only/Ubuntu.adml b/policies/Ubuntu/lts-only/Ubuntu.adml
index 903fc3585..b4ebd0a27 100644
--- a/policies/Ubuntu/lts-only/Ubuntu.adml
+++ b/policies/Ubuntu/lts-only/Ubuntu.adml
@@ -14,6 +14,7 @@
Clock
Notifications
LockDown
+ Privacy
Keyboard shortcuts
Screensaver
Peripherals
@@ -329,6 +330,19 @@ Supported on Ubuntu 20.04, 22.04, 24.04.
Disable saving files to disk
Disable saving files to disk
Disable saving files to disk
+ Prevent users from writing or modifying files on removable storage devices (i.e. flash disks, mobile phones, cameras).
+
+- Type: dconf
+- Key: /org/gnome/desktop/lockdown/mount-removable-storage-devices-as-read-only
+- Default: false
+
+Note: default system value is used for "Not Configured" and enforced if "Disabled".
+
+Supported on Ubuntu 20.04, 22.04, 24.04.
+ Mount removable storage devices as read-only
+ Mount removable storage devices as read-only
+ Mount removable storage devices as read-only
+ Mount removable storage devices as read-only
Stop the user from modifying user accounts. By default, we allow adding and removing users, as well as changing other users settings.
- Type: dconf
@@ -342,6 +356,42 @@ Supported on Ubuntu 20.04, 22.04, 24.04.
Disable user administration
Disable user administration
Disable user administration
+ If the USBGuard service is present and this setting is enabled, USB devices will be protected as configured in the usb-protection-level setting.
+
+- Type: dconf
+- Key: /org/gnome/desktop/privacy/usb-protection
+- Default for 20.04: false
+- Default for 22.04: true
+- Default for 24.04: true
+
+Note: default system value is used for "Not Configured" and enforced if "Disabled".
+
+Supported on Ubuntu 20.04, 22.04, 24.04.
+ Whether to protect USB devices
+ Whether to protect USB devices
+ Whether to protect USB devices
+ Whether to protect USB devices
+ If set to “lockscreen”, only when the lock screen is present new USB devices will be rejected; if set to “always”, all new USB devices will always be rejected.
+
+- Type: dconf
+- Key: /org/gnome/desktop/privacy/usb-protection-level
+- Default: 'lockscreen'
+
+Note: default system value is used for "Not Configured" and enforced if "Disabled".
+
+Supported on Ubuntu 20.04, 22.04, 24.04.
+ When USB devices should be rejected
+ lockscreen
+ always
+ When USB devices should be rejected
+ lockscreen
+ always
+ When USB devices should be rejected
+ lockscreen
+ always
+ When USB devices should be rejected
+ lockscreen
+ always
Binding to launch GNOME Settings.
- Type: dconf
@@ -1745,6 +1795,18 @@ An Ubuntu Pro subscription on the client is required to apply this policy.Override value for 20.04:
Disable saving files to disk
+
+ Mount removable storage devices as read-only
+
+ Override value for 24.04:
+ Mount removable storage devices as read-only
+
+ Override value for 22.04:
+ Mount removable storage devices as read-only
+
+ Override value for 20.04:
+ Mount removable storage devices as read-only
+
Disable user administration
@@ -1757,6 +1819,30 @@ An Ubuntu Pro subscription on the client is required to apply this policy.Override value for 20.04:
Disable user administration
+
+ Whether to protect USB devices
+
+ Override value for 24.04:
+ Whether to protect USB devices
+
+ Override value for 22.04:
+ Whether to protect USB devices
+
+ Override value for 20.04:
+ Whether to protect USB devices
+
+
+ When USB devices should be rejected
+
+ Override value for 24.04:
+
+
+ Override value for 22.04:
+
+
+ Override value for 20.04:
+
+
Launch settings
diff --git a/policies/Ubuntu/lts-only/Ubuntu.admx b/policies/Ubuntu/lts-only/Ubuntu.admx
index c0bbf0fd8..c82b73f0e 100644
--- a/policies/Ubuntu/lts-only/Ubuntu.admx
+++ b/policies/Ubuntu/lts-only/Ubuntu.admx
@@ -32,6 +32,9 @@
+
+
+
@@ -929,6 +932,42 @@
+
+
+
+ {"20.04":{"empty":"false","meta":"b"},"22.04":{"empty":"false","meta":"b"},"24.04":{"empty":"false","meta":"b"},"all":{"empty":"false","meta":"b"}}
+ {"20.04":{"meta":"b"},"22.04":{"meta":"b"},"24.04":{"meta":"b"},"all":{"meta":"b"}}
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+
@@ -965,6 +1004,110 @@
+
+
+
+ {"20.04":{"empty":"false","meta":"b"},"22.04":{"empty":"false","meta":"b"},"24.04":{"empty":"false","meta":"b"},"all":{"empty":"false","meta":"b"}}
+ {"20.04":{"meta":"b"},"22.04":{"meta":"b"},"24.04":{"meta":"b"},"all":{"meta":"b"}}
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+ true
+ false
+
+
+
+
+
+
+ {"20.04":{"empty":"''","meta":"s"},"22.04":{"empty":"''","meta":"s"},"24.04":{"empty":"''","meta":"s"},"all":{"empty":"''","meta":"s"}}
+ {"20.04":{"meta":"s"},"22.04":{"meta":"s"},"24.04":{"meta":"s"},"all":{"meta":"s"}}
+
+
+ -
+
+ lockscreen
+
+
+ -
+
+ always
+
+
+
+
+ true
+ false
+
+
+ -
+
+ lockscreen
+
+
+ -
+
+ always
+
+
+
+
+ true
+ false
+
+
+ -
+
+ lockscreen
+
+
+ -
+
+ always
+
+
+
+
+ true
+ false
+
+
+ -
+
+ lockscreen
+
+
+ -
+
+ always
+
+
+
+
+