Updated gam delete chromepolicy to delete apps

2026-06-03 22:01:39 +00:00 · 2025-12-04 12:39:47 -08:00
parent 1dab9633aa
commit 3c09743f34
2 changed files with 25 additions and 1 deletions
--- a/src/GamUpdate.txt
+++ b/src/GamUpdate.txt
@@ -1,3 +1,8 @@
+7.29.04
+
+Updated `gam delete chromepolicy chrome.users.apps.InstallType ou <OrgUnitItem> appid <AppID>`
+to allow deleting an app, i.e., explicitly remove it from management. `<OrgUnitItem>` must specify where it was added for management.
+
 7.29.03

 Remove debugging message from `gam <UserTypeEntity> move drivefile <DriveFileEntity>`.
--- a/src/gam/init.py
+++ b/src/gam/init.py
@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """

 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.29.03'
+__version__ = '7.29.04'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'

 #pylint: disable=wrong-import-position
@@ -29119,6 +29119,25 @@ def doDeleteChromePolicy():
      return
  kvList = setPolicyKVList([entityType, targetName, Ent.CHROME_POLICY, ','.join(schemaNameList)], printer_id, app_id)
  updatePolicyRequests(body, targetResource, printer_id, app_id)
+  if orgUnit and app_id:
+    for request in body['requests']:
+      if request['policySchema'] == 'chrome.users.apps.InstallType':
+        # Deleting an app must be done at the Organizational Unit at which the app was explicitly added for management.
+        # When calling resolve, the field addedSourceKey contains the Organization Unit where it was added for management.
+        # In other words, delete should only be called for apps where the Organizational Unit in addedSourceKey is equal to the one in policyTargetKey.
+        # In order to delete an app (explicitly remove it from management) you should send a batchInherit request in which
+        # the policySchema is the schema for the given app type, with an asterisk (*) in place of a specific policy.
+        try:
+          result = callGAPI(cp.customers().policies(), 'resolve', 'resolvedPolicies',
+                            throwReasons=[GAPI.NOT_FOUND, GAPI.PERMISSION_DENIED, GAPI.INVALID_ARGUMENT,
+                                          GAPI.SERVICE_NOT_AVAILABLE, GAPI.QUOTA_EXCEEDED],
+                            customer=customer, body={'policySchemaFilter': request['policySchema'], 'policyTargetKey': request['policyTargetKey']})
+          if result:
+            policy = result['resolvedPolicies'][0]
+            if request['policyTargetKey']['targetResource'] == policy['addedSourceKey'].get('targetResource', ''):
+              request['policySchema'] = 'chrome.users.apps.*'
+        except (GAPI.notFound, GAPI.permissionDenied, GAPI.invalidArgument, GAPI.serviceNotAvailable, GAPI.quotaExceeded) as e:
+          continue
  try:
    callGAPI(service, function,
             throwReasons=[GAPI.NOT_FOUND, GAPI.PERMISSION_DENIED,