- JSON representation
- UsageLogEvent
- KeyguardDismissedEvent
- KeyguardDismissAuthAttemptEvent
- KeyguardSecuredEvent
- FilePulledEvent
- FilePushedEvent
- CertAuthorityInstalledEvent
- CertAuthorityRemovedEvent
- CertValidationFailureEvent
- CryptoSelfTestCompletedEvent
- KeyDestructionEvent
- KeyGeneratedEvent
- KeyImportEvent
- KeyIntegrityViolationEvent
- LoggingStartedEvent
- LoggingStoppedEvent
- LogBufferSizeCriticalEvent
- MediaMountEvent
- MediaUnmountEvent
- OsShutdownEvent
- OsStartupEvent
- RemoteLockEvent
- WipeFailureEvent
- ConnectEvent
- DnsEvent
- StopLostModeUserAttemptEvent
- LostModeOutgoingPhoneCallEvent
- LostModeLocationEvent
- Location
- EnrollmentCompleteEvent
Batched event logs of events
from the device.
| JSON representation |
|---|
{
"device"
:
string
,
"user"
:
string
,
"retrievalTime"
:
string
,
"usageLogEvents"
:
[
{
object (
|
| Fields | |
|---|---|
device
|
If present, the name of the device in the form ‘enterprises/{enterpriseId}/devices/{deviceId}’ |
user
|
If present, the resource name of the user that owns this device in the form ‘enterprises/{enterpriseId}/users/{userId}’. |
retrievalTime
|
The device timestamp when the batch of events were collected from the device. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
usageLogEvents[]
|
The list of UsageLogEvent that were reported by the device, sorted chronologically by the event time. |
UsageLogEvent
An event logged on the device.
| JSON representation |
|---|
{ "eventId" : string , "eventTime" : string , "eventType" : enum ( |
eventId
string ( int64
format)
Unique id of the event.
eventTime
string (
Timestamp
format)
Device timestamp when the event was logged.
Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z"
, "2014-10-02T15:01:23.045123456Z"
or "2014-10-02T15:01:23+05:30"
.
eventType
enum (
EventType
)
The particular usage log event type that was reported on the device. Use this to determine which event
field to access.
event
. Types of events logged on the device. See each event type for more detail on when it is sent and restrictions on when event is logged and what fields are included. event
can be only one of the following:adbShellCommandEvent
object (
AdbShellCommandEvent
)
A shell command was issued over ADB via “adb shell command”. Part of
.SECURITY_LOGS
adbShellInteractiveEvent
object (
AdbShellInteractiveEvent
)
An ADB interactive shell was opened via “adb shell”. Part of
.SECURITY_LOGS
appProcessStartEvent
object (
AppProcessStartEvent
)
An app process was started. Part of
.SECURITY_LOGS
keyguardDismissedEvent
object (
KeyguardDismissedEvent
)
The keyguard was dismissed. Part of
.SECURITY_LOGS
keyguardDismissAuthAttemptEvent
object (
KeyguardDismissAuthAttemptEvent
)
An attempt was made to unlock the device. Part of
.SECURITY_LOGS
keyguardSecuredEvent
object (
KeyguardSecuredEvent
)
The device was locked either by user or timeout. Part of
.SECURITY_LOGS
filePulledEvent
object (
FilePulledEvent
)
A file was downloaded from the device. Part of
.SECURITY_LOGS
filePushedEvent
object (
FilePushedEvent
)
A file was uploaded onto the device. Part of
.SECURITY_LOGS
certValidationFailureEvent
object (
CertValidationFailureEvent
)
An X.509v3 certificate failed to validate, currently this validation is performed on the Wi-FI access point and failure may be due to a mismatch upon server certificate validation. However it may in the future include other validation events of an X.509v3 certificate. Part of
.SECURITY_LOGS
cryptoSelfTestCompletedEvent
object (
CryptoSelfTestCompletedEvent
)
Validates whether Android’s built-in cryptographic library (BoringSSL) is valid. Should always succeed on device boot, if it fails, the device should be considered untrusted. Part of
.SECURITY_LOGS
keyDestructionEvent
object (
KeyDestructionEvent
)
A cryptographic key including user installed, admin installed and system maintained private key is removed from the device either by the user or management. Part of
.SECURITY_LOGS
keyGeneratedEvent
object (
KeyGeneratedEvent
)
A cryptographic key including user installed, admin installed and system maintained private key is installed on the device either by the user or management. Part of
.SECURITY_LOGS
keyImportEvent
object (
KeyImportEvent
)
A cryptographic key including user installed, admin installed and system maintained private key is imported on the device either by the user or management. Part of
.SECURITY_LOGS
keyIntegrityViolationEvent
object (
KeyIntegrityViolationEvent
)
A cryptographic key including user installed, admin installed and system maintained private key is determined to be corrupted due to storage corruption, hardware failure or some OS issue. Part of
.SECURITY_LOGS
loggingStartedEvent
object (
LoggingStartedEvent
)
policy has been enabled. Part of usageLog
.SECURITY_LOGS
loggingStoppedEvent
object (
LoggingStoppedEvent
)
policy has been disabled. Part of usageLog
.SECURITY_LOGS
logBufferSizeCriticalEvent
object (
LogBufferSizeCriticalEvent
)
The audit log buffer has reached 90% of its capacity, therefore older events may be dropped. Part of
.SECURITY_LOGS
mediaMountEvent
object (
MediaMountEvent
)
Removable media was mounted. Part of
.SECURITY_LOGS
mediaUnmountEvent
object (
MediaUnmountEvent
)
Removable media was unmounted. Part of
.SECURITY_LOGS
osShutdownEvent
object (
OsShutdownEvent
)
Device was shutdown. Part of
.SECURITY_LOGS
osStartupEvent
object (
OsStartupEvent
)
Device was started. Part of
.SECURITY_LOGS
remoteLockEvent
object (
RemoteLockEvent
)
The device or profile has been remotely locked via the
command. Part of LOCK
.SECURITY_LOGS
wipeFailureEvent
object (
WipeFailureEvent
)
The work profile or company-owned device failed to wipe when requested. This could be user initiated or admin initiated e.g. delete
was received. Part of
.SECURITY_LOGS
connectEvent
object (
ConnectEvent
)
A TCP connect event was initiated through the standard network stack. Part of
.NETWORK_ACTIVITY_LOGS
dnsEvent
object (
DnsEvent
)
A DNS lookup event was initiated through the standard network stack. Part of
.NETWORK_ACTIVITY_LOGS
stopLostModeUserAttemptEvent
object (
StopLostModeUserAttemptEvent
)
An attempt to take a device out of lost mode.
lostModeOutgoingPhoneCallEvent
object (
LostModeOutgoingPhoneCallEvent
)
An outgoing phone call has been made when a device in lost mode.
lostModeLocationEvent
object (
LostModeLocationEvent
)
A lost mode location update when a device in lost mode.
enrollmentCompleteEvent
object (
EnrollmentCompleteEvent
)
Device has completed enrollment. Part of
.AMAPI_LOGS
backupServiceToggledEvent
object (
BackupServiceToggledEvent
)
An admin has enabled or disabled backup service. Part of
.SECURITY_LOGS
KeyguardDismissedEvent
This type has no fields.
The keyguard was dismissed. Intentionally empty.
KeyguardDismissAuthAttemptEvent
An attempt was made to unlock the device.
| JSON representation |
|---|
{ "success" : boolean , "strongAuthMethodUsed" : boolean } |
| Fields | |
|---|---|
success
|
Whether the unlock attempt was successful. |
strongAuthMethodUsed
|
Whether a strong form of authentication (password, PIN, or pattern) was used to unlock device. |
KeyguardSecuredEvent
This type has no fields.
The device was locked either by user or timeout. Intentionally empty.
FilePulledEvent
A file was downloaded from the device.
| JSON representation |
|---|
{ "filePath" : string } |
| Fields | |
|---|---|
filePath
|
The path of the file being pulled. |
FilePushedEvent
A file was uploaded onto the device.
| JSON representation |
|---|
{ "filePath" : string } |
| Fields | |
|---|---|
filePath
|
The path of the file being pushed. |
CertAuthorityInstalledEvent
A new root certificate was installed into the system's trusted credential storage. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
| JSON representation |
|---|
{ "certificate" : string , "userId" : integer , "success" : boolean } |
| Fields | |
|---|---|
certificate
|
Subject of the certificate. |
userId
|
The user in which the certificate install event happened. Only available for devices running Android 11 and above. |
success
|
Whether the installation event succeeded. |
CertAuthorityRemovedEvent
A root certificate was removed from the system's trusted credential storage. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
| JSON representation |
|---|
{ "certificate" : string , "userId" : integer , "success" : boolean } |
| Fields | |
|---|---|
certificate
|
Subject of the certificate. |
userId
|
The user in which the certificate removal event occurred. Only available for devices running Android 11 and above. |
success
|
Whether the removal succeeded. |
CertValidationFailureEvent
An X.509v3 certificate failed to validate, currently this validation is performed on the Wi-FI access point and failure may be due to a mismatch upon server certificate validation. However it may in the future include other validation events of an X.509v3 certificate.
| JSON representation |
|---|
{ "failureReason" : string } |
| Fields | |
|---|---|
failureReason
|
The reason why certification validation failed. |
CryptoSelfTestCompletedEvent
Validates whether Android’s built-in cryptographic library (BoringSSL) is valid. Should always succeed on device boot, if it fails, the device should be considered untrusted.
| JSON representation |
|---|
{ "success" : boolean } |
| Fields | |
|---|---|
success
|
Whether the test succeeded. |
KeyDestructionEvent
A cryptographic key including user installed, admin installed and system maintained private key is removed from the device either by the user or management. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
| JSON representation |
|---|
{ "keyAlias" : string , "applicationUid" : integer , "success" : boolean } |
| Fields | |
|---|---|
keyAlias
|
Alias of the key. |
applicationUid
|
UID of the application which owns the key. |
success
|
Whether the operation was successful. |
KeyGeneratedEvent
A cryptographic key including user installed, admin installed and system maintained private key is installed on the device either by the user or management.This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
| JSON representation |
|---|
{ "keyAlias" : string , "applicationUid" : integer , "success" : boolean } |
| Fields | |
|---|---|
keyAlias
|
Alias of the key. |
applicationUid
|
UID of the application which generated the key. |
success
|
Whether the operation was successful. |
KeyImportEvent
A cryptographic key including user installed, admin installed and system maintained private key is imported on the device either by the user or management. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
| JSON representation |
|---|
{ "keyAlias" : string , "applicationUid" : integer , "success" : boolean } |
| Fields | |
|---|---|
keyAlias
|
Alias of the key. |
applicationUid
|
UID of the application which imported the key |
success
|
Whether the operation was successful. |
KeyIntegrityViolationEvent
A cryptographic key including user installed, admin installed and system maintained private key is determined to be corrupted due to storage corruption, hardware failure or some OS issue. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
| JSON representation |
|---|
{ "keyAlias" : string , "applicationUid" : integer } |
| Fields | |
|---|---|
keyAlias
|
Alias of the key. |
applicationUid
|
UID of the application which owns the key |
LoggingStartedEvent
This type has no fields.
policy has been enabled. Intentionally empty.usageLog
LoggingStoppedEvent
This type has no fields.
policy has been disabled. Intentionally empty.usageLog
LogBufferSizeCriticalEvent
This type has no fields.
The
buffer on the device has reached 90% of its capacity, therefore older events may be dropped. Intentionally empty.usageLog
MediaMountEvent
Removable media was mounted.
| JSON representation |
|---|
{ "mountPoint" : string , "volumeLabel" : string } |
| Fields | |
|---|---|
mountPoint
|
Mount point. |
volumeLabel
|
Volume label. Redacted to empty string on organization-owned managed profile devices. |
MediaUnmountEvent
Removable media was unmounted.
| JSON representation |
|---|
{ "mountPoint" : string , "volumeLabel" : string } |
| Fields | |
|---|---|
mountPoint
|
Mount point. |
volumeLabel
|
Volume label. Redacted to empty string on organization-owned managed profile devices. |
OsShutdownEvent
This type has no fields.
Device was shutdown. Intentionally empty.
OsStartupEvent
Device was started.
| JSON representation |
|---|
{ "verifiedBootState" : enum ( |
| Fields | |
|---|---|
verifiedBootState
|
Verified Boot state. |
verityMode
|
dm-verity mode. |
RemoteLockEvent
The device or profile has been remotely locked via the
command.LOCK
| JSON representation |
|---|
{ "adminPackageName" : string , "adminUserId" : integer , "targetUserId" : integer } |
| Fields | |
|---|---|
adminPackageName
|
Package name of the admin app requesting the change. |
adminUserId
|
User ID of the admin app from the which the change was requested. |
targetUserId
|
User ID in which the change was requested in. |
WipeFailureEvent
This type has no fields.
The work profile or company-owned device failed to wipe when requested. This could be user initiated or admin initiated e.g. delete
was received. Intentionally empty.
ConnectEvent
A TCP connect event was initiated through the standard network stack.
| JSON representation |
|---|
{ "destinationIpAddress" : string , "destinationPort" : integer , "packageName" : string } |
| Fields | |
|---|---|
destinationIpAddress
|
The destination IP address of the connect call. |
destinationPort
|
The destination port of the connect call. |
packageName
|
The package name of the UID that performed the connect call. |
DnsEvent
A DNS lookup event was initiated through the standard network stack.
| JSON representation |
|---|
{ "hostname" : string , "ipAddresses" : [ string ] , "totalIpAddressesReturned" : string , "packageName" : string } |
| Fields | |
|---|---|
hostname
|
The hostname that was looked up. |
ipAddresses[]
|
The (possibly truncated) list of the IP addresses returned for DNS lookup (max 10 IPv4 or IPv6 addresses). |
totalIpAddressesReturned
|
The number of IP addresses returned from the DNS lookup event. May be higher than the amount of ipAddresses if there were too many addresses to log. |
packageName
|
The package name of the UID that performed the DNS lookup. |
StopLostModeUserAttemptEvent
A lost mode event indicating the user has attempted to stop lost mode.
| JSON representation |
|---|
{
"status"
:
enum (
|
| Fields | |
|---|---|
status
|
The status of the attempt to stop lost mode. |
LostModeOutgoingPhoneCallEvent
This type has no fields.
An event indicating an outgoing phone call has been made when a device is in lost mode. Intentionally empty.
LostModeLocationEvent
A lost mode event containing the device location and battery level as a percentage.
| JSON representation |
|---|
{
"location"
:
{
object (
|
| Fields | |
|---|---|
location
|
The device location |
batteryLevel
|
The battery level as a number between 0 and 100 inclusive |
Location
The device location containing the latitude and longitude.
| JSON representation |
|---|
{ "latitude" : number , "longitude" : number } |
| Fields | |
|---|---|
latitude
|
The latitude position of the location |
longitude
|
The longitude position of the location |
EnrollmentCompleteEvent
This type has no fields.
Represents that the device has completed enrollment. User should be in the launcher at this point, device at this point will be compliant and all setup steps have been completed. Intentionally empty.
