113 lines
6.2 KiB
Go
113 lines
6.2 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
package syspolicy
|
|
|
|
import "tailscale.com/util/syspolicy/setting"
|
|
|
|
type Key = setting.Key
|
|
|
|
const (
|
|
// Keys with a string value
|
|
ControlURL Key = "LoginURL" // default ""; if blank, ipn uses ipn.DefaultControlURL.
|
|
LogTarget Key = "LogTarget" // default ""; if blank logging uses logtail.DefaultHost.
|
|
Tailnet Key = "Tailnet" // default ""; if blank, no tailnet name is sent to the server.
|
|
// ExitNodeID is the exit node's node id. default ""; if blank, no exit node is forced.
|
|
// Exit node ID takes precedence over exit node IP.
|
|
// To find the node ID, go to /api.md#device.
|
|
ExitNodeID Key = "ExitNodeID"
|
|
ExitNodeIP Key = "ExitNodeIP" // default ""; if blank, no exit node is forced. Value is exit node IP.
|
|
|
|
// Keys with a string value that specifies an option: "always", "never", "user-decides".
|
|
// The default is "user-decides" unless otherwise stated. Enforcement of
|
|
// these policies is typically performed in ipnlocal.applySysPolicy(). GUIs
|
|
// typically hide menu items related to policies that are enforced.
|
|
EnableIncomingConnections Key = "AllowIncomingConnections"
|
|
EnableServerMode Key = "UnattendedMode"
|
|
ExitNodeAllowLANAccess Key = "ExitNodeAllowLANAccess"
|
|
EnableTailscaleDNS Key = "UseTailscaleDNSSettings"
|
|
EnableTailscaleSubnets Key = "UseTailscaleSubnets"
|
|
// CheckUpdates is the key to signal if the updater should periodically
|
|
// check for updates.
|
|
CheckUpdates Key = "CheckUpdates"
|
|
// ApplyUpdates is the key to signal if updates should be automatically
|
|
// installed. Its value is "InstallUpdates" because of an awkwardly-named
|
|
// visibility option "ApplyUpdates" on MacOS.
|
|
ApplyUpdates Key = "InstallUpdates"
|
|
// EnableRunExitNode controls if the device acts as an exit node. Even when
|
|
// running as an exit node, the device must be approved by a tailnet
|
|
// administrator. Its name is slightly awkward because RunExitNodeVisibility
|
|
// predates this option but is preserved for backwards compatibility.
|
|
EnableRunExitNode Key = "AdvertiseExitNode"
|
|
|
|
// Keys with a string value that controls visibility: "show", "hide".
|
|
// The default is "show" unless otherwise stated. Enforcement of these
|
|
// policies is typically performed by the UI code for the relevant operating
|
|
// system.
|
|
AdminConsoleVisibility Key = "AdminConsole"
|
|
NetworkDevicesVisibility Key = "NetworkDevices"
|
|
TestMenuVisibility Key = "TestMenu"
|
|
UpdateMenuVisibility Key = "UpdateMenu"
|
|
ResetToDefaultsVisibility Key = "ResetToDefaults"
|
|
// RunExitNodeVisibility controls if the "run as exit node" menu item is
|
|
// visible, without controlling the setting itself. This is preserved for
|
|
// backwards compatibility but prefer EnableRunExitNode in new deployments.
|
|
RunExitNodeVisibility Key = "RunExitNode"
|
|
PreferencesMenuVisibility Key = "PreferencesMenu"
|
|
ExitNodeMenuVisibility Key = "ExitNodesPicker"
|
|
// AutoUpdateVisibility is the key to signal if the menu item for automatic
|
|
// installation of updates should be visible. It is only used by macsys
|
|
// installations and uses the Sparkle naming convention, even though it does
|
|
// not actually control updates, merely the UI for that setting.
|
|
AutoUpdateVisibility Key = "ApplyUpdates"
|
|
// SuggestedExitNodeVisibility controls the visibility of suggested exit nodes in the client GUI.
|
|
// When this system policy is set to 'hide', an exit node suggestion won't be presented to the user as part of the exit nodes picker.
|
|
SuggestedExitNodeVisibility Key = "SuggestedExitNode"
|
|
|
|
// Keys with a string value formatted for use with time.ParseDuration().
|
|
KeyExpirationNoticeTime Key = "KeyExpirationNotice" // default 24 hours
|
|
|
|
// Boolean Keys that are only applicable on Windows. Booleans are stored in the registry as
|
|
// DWORD or QWORD (either is acceptable). 0 means false, and anything else means true.
|
|
// The default is 0 unless otherwise stated.
|
|
LogSCMInteractions Key = "LogSCMInteractions"
|
|
FlushDNSOnSessionUnlock Key = "FlushDNSOnSessionUnlock"
|
|
|
|
// PostureChecking indicates if posture checking is enabled and the client shall gather
|
|
// posture data.
|
|
// Key is a string value that specifies an option: "always", "never", "user-decides".
|
|
// The default is "user-decides" unless otherwise stated.
|
|
PostureChecking Key = "PostureChecking"
|
|
// DeviceSerialNumber is the serial number of the device that is running Tailscale.
|
|
// This is used on iOS/tvOS to allow IT administrators to manually give us a serial number via MDM.
|
|
// We are unable to programmatically get the serial number from IOKit due to sandboxing restrictions.
|
|
DeviceSerialNumber Key = "DeviceSerialNumber"
|
|
|
|
// ManagedByOrganizationName indicates the name of the organization managing the Tailscale
|
|
// install. It is displayed inside the client UI in a prominent location.
|
|
ManagedByOrganizationName Key = "ManagedByOrganizationName"
|
|
// ManagedByCaption is an info message displayed inside the client UI as a caption when
|
|
// ManagedByOrganizationName is set. It can be used to provide a pointer to support resources
|
|
// for Tailscale within the organization.
|
|
ManagedByCaption Key = "ManagedByCaption"
|
|
// ManagedByURL is a valid URL pointing to a support help desk for Tailscale within the
|
|
// organization. A button in the client UI provides easy access to this URL.
|
|
ManagedByURL Key = "ManagedByURL"
|
|
|
|
// AuthKey is an auth key that will be used to login whenever the backend starts. This can be used to
|
|
// automatically authenticate managed devices, without requiring user interaction.
|
|
AuthKey Key = "AuthKey"
|
|
|
|
// MachineCertificateSubject is the exact name of a Subject that needs
|
|
// to be present in an identity's certificate chain to sign a RegisterRequest,
|
|
// formatted as per pkix.Name.String(). The Subject may be that of the identity
|
|
// itself, an intermediate CA or the root CA.
|
|
//
|
|
// Example: "CN=Tailscale Inc Test Root CA,OU=Tailscale Inc Test Certificate Authority,O=Tailscale Inc,ST=ON,C=CA"
|
|
MachineCertificateSubject Key = "MachineCertificateSubject"
|
|
|
|
// Keys with a string array value.
|
|
// AllowedSuggestedExitNodes's string array value is a list of exit node IDs that restricts which exit nodes are considered when generating suggestions for exit nodes.
|
|
AllowedSuggestedExitNodes Key = "AllowedSuggestedExitNodes"
|
|
)
|