- JSON representation
- UsageLogEvent
- KeyguardDismissedEvent
- KeyguardDismissAuthAttemptEvent
- KeyguardSecuredEvent
- FilePulledEvent
- FilePushedEvent
- CertAuthorityInstalledEvent
- CertAuthorityRemovedEvent
- CertValidationFailureEvent
- CryptoSelfTestCompletedEvent
- KeyDestructionEvent
- KeyGeneratedEvent
- KeyImportEvent
- KeyIntegrityViolationEvent
- LoggingStartedEvent
- LoggingStoppedEvent
- LogBufferSizeCriticalEvent
- MediaMountEvent
- MediaUnmountEvent
- OsShutdownEvent
- OsStartupEvent
- RemoteLockEvent
- WipeFailureEvent
- ConnectEvent
- DnsEvent
- StopLostModeUserAttemptEvent
- LostModeOutgoingPhoneCallEvent
- LostModeLocationEvent
- Location
- EnrollmentCompleteEvent
Batched event logs of events
from the device.
JSON representation |
---|
{
"device": string,
"user": string,
"retrievalTime": string,
"usageLogEvents": [
{
object ( |
Fields | |
---|---|
device |
If present, the name of the device in the form ‘enterprises/{enterpriseId}/devices/{deviceId}’ |
user |
If present, the resource name of the user that owns this device in the form ‘enterprises/{enterpriseId}/users/{userId}’. |
retrievalTime |
The device timestamp when the batch of events were collected from the device. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
usageLogEvents[] |
The list of UsageLogEvent that were reported by the device, sorted chronologically by the event time. |
UsageLogEvent
An event logged on the device.
JSON representation |
---|
{ "eventId": string, "eventTime": string, "eventType": enum ( |
Fields | |
---|---|
eventId |
Unique id of the event. |
eventTime |
Device timestamp when the event was logged. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
eventType |
The particular usage log event type that was reported on the device. Use this to determine which |
Union field event . Types of events logged on the device. See each event type for more detail on when it is sent and restrictions on when event is logged and what fields are included. event can be only one of the following: |
|
adbShellCommandEvent |
A shell command was issued over ADB via “adb shell command”. Part of |
adbShellInteractiveEvent |
An ADB interactive shell was opened via “adb shell”. Part of |
appProcessStartEvent |
An app process was started. Part of |
keyguardDismissedEvent |
The keyguard was dismissed. Part of |
keyguardDismissAuthAttemptEvent |
An attempt was made to unlock the device. Part of |
keyguardSecuredEvent |
The device was locked either by user or timeout. Part of |
filePulledEvent |
A file was downloaded from the device. Part of |
filePushedEvent |
A file was uploaded onto the device. Part of |
certAuthorityInstalledEvent |
A new root certificate was installed into the system's trusted credential storage. Part of |
certAuthorityRemovedEvent |
A root certificate was removed from the system's trusted credential storage. Part of |
certValidationFailureEvent |
An X.509v3 certificate failed to validate, currently this validation is performed on the Wi-FI access point and failure may be due to a mismatch upon server certificate validation. However it may in the future include other validation events of an X.509v3 certificate. Part of |
cryptoSelfTestCompletedEvent |
Validates whether Android’s built-in cryptographic library (BoringSSL) is valid. Should always succeed on device boot, if it fails, the device should be considered untrusted. Part of |
keyDestructionEvent |
A cryptographic key including user installed, admin installed and system maintained private key is removed from the device either by the user or management. Part of |
keyGeneratedEvent |
A cryptographic key including user installed, admin installed and system maintained private key is installed on the device either by the user or management. Part of |
keyImportEvent |
A cryptographic key including user installed, admin installed and system maintained private key is imported on the device either by the user or management. Part of |
keyIntegrityViolationEvent |
A cryptographic key including user installed, admin installed and system maintained private key is determined to be corrupted due to storage corruption, hardware failure or some OS issue. Part of |
loggingStartedEvent |
|
loggingStoppedEvent |
|
logBufferSizeCriticalEvent |
The audit log buffer has reached 90% of its capacity, therefore older events may be dropped. Part of |
mediaMountEvent |
Removable media was mounted. Part of |
mediaUnmountEvent |
Removable media was unmounted. Part of |
osShutdownEvent |
Device was shutdown. Part of |
osStartupEvent |
Device was started. Part of |
remoteLockEvent |
The device or profile has been remotely locked via the |
wipeFailureEvent |
The work profile or company-owned device failed to wipe when requested. This could be user initiated or admin initiated e.g. |
connectEvent |
A TCP connect event was initiated through the standard network stack. Part of |
dnsEvent |
A DNS lookup event was initiated through the standard network stack. Part of |
stopLostModeUserAttemptEvent |
An attempt to take a device out of lost mode. |
lostModeOutgoingPhoneCallEvent |
An outgoing phone call has been made when a device in lost mode. |
lostModeLocationEvent |
A lost mode location update when a device in lost mode. |
enrollmentCompleteEvent |
Device has completed enrollment. Part of |
KeyguardDismissedEvent
This type has no fields.
The keyguard was dismissed. Intentionally empty.
KeyguardDismissAuthAttemptEvent
An attempt was made to unlock the device.
JSON representation |
---|
{ "success": boolean, "strongAuthMethodUsed": boolean } |
Fields | |
---|---|
success |
Whether the unlock attempt was successful. |
strongAuthMethodUsed |
Whether a strong form of authentication (password, PIN, or pattern) was used to unlock device. |
KeyguardSecuredEvent
This type has no fields.
The device was locked either by user or timeout. Intentionally empty.
FilePulledEvent
A file was downloaded from the device.
JSON representation |
---|
{ "filePath": string } |
Fields | |
---|---|
filePath |
The path of the file being pulled. |
FilePushedEvent
A file was uploaded onto the device.
JSON representation |
---|
{ "filePath": string } |
Fields | |
---|---|
filePath |
The path of the file being pushed. |
CertAuthorityInstalledEvent
A new root certificate was installed into the system's trusted credential storage. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
JSON representation |
---|
{ "certificate": string, "userId": integer, "success": boolean } |
Fields | |
---|---|
certificate |
Subject of the certificate. |
userId |
The user in which the certificate install event happened. Only available for devices running Android 11 and above. |
success |
Whether the installation event succeeded. |
CertAuthorityRemovedEvent
A root certificate was removed from the system's trusted credential storage. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
JSON representation |
---|
{ "certificate": string, "userId": integer, "success": boolean } |
Fields | |
---|---|
certificate |
Subject of the certificate. |
userId |
The user in which the certificate removal event occurred. Only available for devices running Android 11 and above. |
success |
Whether the removal succeeded. |
CertValidationFailureEvent
An X.509v3 certificate failed to validate, currently this validation is performed on the Wi-FI access point and failure may be due to a mismatch upon server certificate validation. However it may in the future include other validation events of an X.509v3 certificate.
JSON representation |
---|
{ "failureReason": string } |
Fields | |
---|---|
failureReason |
The reason why certification validation failed. |
CryptoSelfTestCompletedEvent
Validates whether Android’s built-in cryptographic library (BoringSSL) is valid. Should always succeed on device boot, if it fails, the device should be considered untrusted.
JSON representation |
---|
{ "success": boolean } |
Fields | |
---|---|
success |
Whether the test succeeded. |
KeyDestructionEvent
A cryptographic key including user installed, admin installed and system maintained private key is removed from the device either by the user or management. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
JSON representation |
---|
{ "keyAlias": string, "applicationUid": integer, "success": boolean } |
Fields | |
---|---|
keyAlias |
Alias of the key. |
applicationUid |
UID of the application which owns the key. |
success |
Whether the operation was successful. |
KeyGeneratedEvent
A cryptographic key including user installed, admin installed and system maintained private key is installed on the device either by the user or management.This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
JSON representation |
---|
{ "keyAlias": string, "applicationUid": integer, "success": boolean } |
Fields | |
---|---|
keyAlias |
Alias of the key. |
applicationUid |
UID of the application which generated the key. |
success |
Whether the operation was successful. |
KeyImportEvent
A cryptographic key including user installed, admin installed and system maintained private key is imported on the device either by the user or management. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
JSON representation |
---|
{ "keyAlias": string, "applicationUid": integer, "success": boolean } |
Fields | |
---|---|
keyAlias |
Alias of the key. |
applicationUid |
UID of the application which imported the key |
success |
Whether the operation was successful. |
KeyIntegrityViolationEvent
A cryptographic key including user installed, admin installed and system maintained private key is determined to be corrupted due to storage corruption, hardware failure or some OS issue. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
JSON representation |
---|
{ "keyAlias": string, "applicationUid": integer } |
Fields | |
---|---|
keyAlias |
Alias of the key. |
applicationUid |
UID of the application which owns the key |
LoggingStartedEvent
This type has no fields.
policy has been enabled. Intentionally empty.usageLog
LoggingStoppedEvent
This type has no fields.
policy has been disabled. Intentionally empty.usageLog
LogBufferSizeCriticalEvent
This type has no fields.
The
buffer on the device has reached 90% of its capacity, therefore older events may be dropped. Intentionally empty.usageLog
MediaMountEvent
Removable media was mounted.
JSON representation |
---|
{ "mountPoint": string, "volumeLabel": string } |
Fields | |
---|---|
mountPoint |
Mount point. |
volumeLabel |
Volume label. Redacted to empty string on organization-owned managed profile devices. |
MediaUnmountEvent
Removable media was unmounted.
JSON representation |
---|
{ "mountPoint": string, "volumeLabel": string } |
Fields | |
---|---|
mountPoint |
Mount point. |
volumeLabel |
Volume label. Redacted to empty string on organization-owned managed profile devices. |
OsShutdownEvent
This type has no fields.
Device was shutdown. Intentionally empty.
OsStartupEvent
Device was started.
JSON representation |
---|
{ "verifiedBootState": enum ( |
Fields | |
---|---|
verifiedBootState |
Verified Boot state. |
verityMode |
dm-verity mode. |
RemoteLockEvent
The device or profile has been remotely locked via the
command.LOCK
JSON representation |
---|
{ "adminPackageName": string, "adminUserId": integer, "targetUserId": integer } |
Fields | |
---|---|
adminPackageName |
Package name of the admin app requesting the change. |
adminUserId |
User ID of the admin app from the which the change was requested. |
targetUserId |
User ID in which the change was requested in. |
WipeFailureEvent
This type has no fields.
The work profile or company-owned device failed to wipe when requested. This could be user initiated or admin initiated e.g. delete
was received. Intentionally empty.
ConnectEvent
A TCP connect event was initiated through the standard network stack.
JSON representation |
---|
{ "destinationIpAddress": string, "destinationPort": integer, "packageName": string } |
Fields | |
---|---|
destinationIpAddress |
The destination IP address of the connect call. |
destinationPort |
The destination port of the connect call. |
packageName |
The package name of the UID that performed the connect call. |
DnsEvent
A DNS lookup event was initiated through the standard network stack.
JSON representation |
---|
{ "hostname": string, "ipAddresses": [ string ], "totalIpAddressesReturned": string, "packageName": string } |
Fields | |
---|---|
hostname |
The hostname that was looked up. |
ipAddresses[] |
The (possibly truncated) list of the IP addresses returned for DNS lookup (max 10 IPv4 or IPv6 addresses). |
totalIpAddressesReturned |
The number of IP addresses returned from the DNS lookup event. May be higher than the amount of ipAddresses if there were too many addresses to log. |
packageName |
The package name of the UID that performed the DNS lookup. |
StopLostModeUserAttemptEvent
A lost mode event indicating the user has attempted to stop lost mode.
JSON representation |
---|
{
"status": enum ( |
Fields | |
---|---|
status |
The status of the attempt to stop lost mode. |
LostModeOutgoingPhoneCallEvent
This type has no fields.
An event indicating an outgoing phone call has been made when a device is in lost mode. Intentionally empty.
LostModeLocationEvent
A lost mode event containing the device location and battery level as a percentage.
JSON representation |
---|
{
"location": {
object ( |
Fields | |
---|---|
location |
The device location |
batteryLevel |
The battery level as a number between 0 and 100 inclusive |
Location
The device location containing the latitude and longitude.
JSON representation |
---|
{ "latitude": number, "longitude": number } |
Fields | |
---|---|
latitude |
The latitude position of the location |
longitude |
The longitude position of the location |
EnrollmentCompleteEvent
This type has no fields.
Represents that the device has completed enrollment. User should be in the launcher at this point, device at this point will be compliant and all setup steps have been completed. Intentionally empty.