Update build.yml

2026-06-07 15:51:38 +00:00 · 2021-12-28 11:16:23 -05:00 · 2021-12-28 10:55:38 -05:00 · 2021-12-28 10:20:45 -05:00 · 2021-12-28 10:20:25 -05:00 · 2021-12-28 09:57:14 -05:00
39 changed files with 1731 additions and 671 deletions
--- a/.github/actions/decrypt.sh
+++ b/.github/actions/decrypt.sh
@@ -13,4 +13,5 @@ fi
 gpg --quiet --batch --yes --decrypt --passphrase="${PASSCODE}" \
    --output "${credsfile}" "${gpgfile}"

-tar xf "${credsfile}" --directory "${gampath}"
+tar xvvf "${credsfile}" --directory "${gampath}"
+ls -l "${gampath}"
--- a/.github/actions/linux-before-install.sh
+++ b/.github/actions/linux-before-install.sh
@@ -55,7 +55,7 @@ else
    tar xf openssl-$BUILD_OPENSSL_VERSION.tar.gz
    cd openssl-$BUILD_OPENSSL_VERSION
    echo "Compiling OpenSSL $BUILD_OPENSSL_VERSION..."
-    ./config shared --prefix=$HOME/ssl
+    ./Configure --libdir=lib --prefix=$HOME/ssl
    echo "Running make for OpenSSL..."
    make -j$cpucount -s
    echo "Running make install for OpenSSL..."
@@ -70,7 +70,7 @@ else
    cd Python-$BUILD_PYTHON_VERSION
    echo "Compiling Python $BUILD_PYTHON_VERSION..."
    safe_flags="--with-openssl=$HOME/ssl --enable-shared --prefix=$HOME/python --with-ensurepip=upgrade"
-    unsafe_flags="--enable-optimizations --with-lto"
+    unsafe_flags="--enable-optimizations --with-lto --with-openssl=~/ssl --with-openssl-rpath=~~/ssl/lib"
    if [ ! -e Makefile ]; then
      echo "running configure with safe and unsafe"
      ./configure $safe_flags $unsafe_flags > /dev/null
@@ -94,19 +94,9 @@ else
  python=~/python/bin/python3
  pip=~/python/bin/pip3

-  if ([ "${ImageOS}" == "ubuntu16" ]) && [ "${HOSTTYPE}" == "x86_64" ]; then
-    echo "Installing deps for StaticX..."
-    if [ ! -d patchelf-$PATCHELF_VERSION ]; then
-      echo "Downloading PatchELF $PATCHELF_VERSION"
-      wget https://github.com/NixOS/patchelf/archive/$PATCHELF_VERSION.tar.gz 
-      tar xf $PATCHELF_VERSION.tar.gz
-      cd patchelf-$PATCHELF_VERSION/
-      ./bootstrap.sh
-      ./configure
-      make
-      sudo make install
-    fi
-    $pip install staticx
+  if ([ "${ImageOS}" == "ubuntu20" ]) && [ "${HOSTTYPE}" == "x86_64" ]; then
+    "${python}" -m pip install --upgrade patchelf-wrapper
+    "${python}" -m pip install --upgrade staticx
  fi

  cd $whereibelong
--- a/.github/actions/linux-install.sh
+++ b/.github/actions/linux-install.sh
@@ -1,8 +1,10 @@
-export gampath="dist/gam"
+export distpath="dist/"
+export gampath="${distpath}gam"
 rm -rf $gampath
-mkdir -p $gampath
-export gampath=$(readlink -e $gampath)
-$python -OO -m PyInstaller --clean --noupx --strip -F --distpath $gampath gam.spec
+#mkdir -p $gampath
+#export gampath=$(readlink -e $gampath)
+$pip install wheel
+$python -OO -m PyInstaller --clean --noupx --strip --distpath $gampath gam.spec
 export gam="${gampath}/gam"
 export GAMVERSION=`$gam version simple`
 cp LICENSE $gampath
@@ -11,14 +13,14 @@ this_glibc_ver=$(ldd --version | awk '/ldd/{print $NF}')
 GAM_ARCHIVE="gam-${GAMVERSION}-${GAMOS}-${PLATFORM}-glibc${this_glibc_ver}.tar.xz"
 rm $gampath/lastupdatecheck.txt
 # tar will cd to dist and tar up gam/
-tar -C dist/ --create --file $GAM_ARCHIVE --xz gam
+tar -C ${distpath} --create --file $GAM_ARCHIVE --xz gam
 echo "PyInstaller GAM info:"
 du -h $gam
 time $gam version extended
-if ([ "${ImageOS}" == "ubuntu16" ]) && [ "${HOSTTYPE}" == "x86_64" ]; then
+if ([ "${ImageOS}" == "ubuntu20" ]) && [ "${HOSTTYPE}" == "x86_64" ]; then
  GAM_LEGACY_ARCHIVE=gam-${GAMVERSION}-${GAMOS}-${PLATFORM}-legacy.tar.xz
-  $python -OO -m staticx -l /lib/x86_64-linux-gnu/libresolv.so.2 -l /lib/x86_64-linux-gnu/libnss_dns.so.2 $gam $gam-staticx
-  strip $gam-staticx
+  $python -OO -m staticx $gam $gam-staticx
+  #strip $gam-staticx
  rm $gampath/gam
  mv $gam-staticx $gam
  chmod 755 $gam
--- a/.github/actions/macos-before-install.sh
+++ b/.github/actions/macos-before-install.sh
@@ -22,18 +22,14 @@ cd ~

 # Use official Python.org version of Python which is backwards compatible
 # with older MacOS versions
-if [ "$PLATFORM" == "x86_64" ]; then
-  export pyfile=python-$BUILD_PYTHON_VERSION-macosx10.9.pkg
-else
-  export pyfile=python-$BUILD_PYTHON_VERSION-macos11.0.pkg
-fi
+export pyfile=python-$BUILD_PYTHON_VERSION-macos11.pkg

 wget https://www.python.org/ftp/python/$BUILD_PYTHON_VERSION/$pyfile
 echo "installing Python $BUILD_PYTHON_VERSION..."
 sudo installer -pkg ./$pyfile -target /

 # This fixes https://github.com/pyinstaller/pyinstaller/issues/5062
-codesign --remove-signature /Library/Frameworks/Python.framework/Versions/3.9/Python
+#codesign --remove-signature /Library/Frameworks/Python.framework/Versions/3.10/Python

 #if [ ! -f python-$MIN_PYTHON_VERSION-macosx10.9.pkg ]; then
 #  wget --quiet https://www.python.org/ftp/python/$MIN_PYTHON_VERSION/python-$MIN_PYTHON_VERSION-macosx10.9.pkg
--- a/.github/actions/macos-install.sh
+++ b/.github/actions/macos-install.sh
@@ -1,22 +1,19 @@
 echo "MacOS Version Info According to Python:"
-python -c "import platform; print(platform.mac_ver())"
-echo "Xcode versionn:"
+macver=$(python -c "import platform; print(platform.mac_ver()[0])")
+echo $macver
+echo "Xcode version:"
 xcodebuild -version
-export gampath=dist/gam
+export distpath="dist/"
+export gampath="${distpath}gam"
 rm -rf $gampath
-if [ "$PLATFORM" == "x86_64" ]; then
-    export specfile="gam.spec"
-else
-    export specfile="gam-universal2.spec"
-fi
-$python -OO -m PyInstaller --clean --noupx --strip -F --distpath "${gampath}" "${specfile}"
+export specfile="gam.spec"
+$python -OO -m PyInstaller --distpath "${gampath}" "${specfile}"
 export gam="${gampath}/gam"
 $gam version extended
 export GAMVERSION=`$gam version simple`
 cp LICENSE "${gampath}"
 cp GamCommands.txt "${gampath}"
-MACOSVERSION=$(defaults read loginwindow SystemVersionStampAsString)
-GAM_ARCHIVE="gam-${GAMVERSION}-${GAMOS}-${PLATFORM}-MacOS${MACOSVERSION}.tar.xz"
+GAM_ARCHIVE="gam-${GAMVERSION}-${GAMOS}-${PLATFORM}.tar.xz"
 rm "${gampath}/lastupdatecheck.txt"
 # tar will cd to dist/ and tar up gam/
 tar -C dist/ --create --file $GAM_ARCHIVE --xz gam
--- a/.github/actions/windows-before-install.sh
+++ b/.github/actions/windows-before-install.sh
@@ -13,8 +13,8 @@ echo "This is a ${BITS}-bit build for ${PLATFORM}"
 export mypath=$(pwd)
 cd ~

-export python="python"
-export pip="pip"
+export python="c:\python\python.exe"
+export pip="c:\python\scripts\pip.exe"

 # pyscard needs swig, keep these two together
 choco install $CHOCOPTIONS swig
--- a/.github/actions/windows-install.sh
+++ b/.github/actions/windows-install.sh
@@ -4,11 +4,10 @@ elif [[ "$PLATFORM" == "x86" ]]; then
  export WIX_BITS="x86"
 fi
 echo "compiling GAM with pyinstaller..."
-export gampath="dist/gam"
+export distpath="dist/"
+export gampath="${distpath}gam"
 rm -rf $gampath
-mkdir -p $gampath
-export gampath=$(readlink -e $gampath)
-pyinstaller --clean --noupx -F --distpath $gampath gam.spec
+/c/python/scripts/pyinstaller --clean --noupx --distpath $gampath gam.spec
 export gam="${gampath}/gam"
 echo "running compiled GAM..."
 $gam version
@@ -18,8 +17,11 @@ cp LICENSE $gampath
 cp GamCommands.txt $gampath
 cp gam-setup.bat $gampath
 GAM_ARCHIVE=gam-$GAMVERSION-$GAMOS-$PLATFORM.zip
-/c/Program\ Files/7-Zip/7z.exe a -tzip $GAM_ARCHIVE $gampath -xr!.svn
-
+cwd=$(pwd)
+cd "${distpath}"
+/c/Program\ Files/7-Zip/7z.exe a -tzip $GAM_ARCHIVE gam -xr!.svn
+mv "${GAM_ARCHIVE}" "${cwd}"
+cd "${cwd}"
 echo "Running WIX candle $WIX_BITS..."
 /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.11/bin/candle.exe -arch $WIX_BITS gam.wxs
 echo "Done with WIX candle..."
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,13 +12,13 @@ defaults:
    working-directory: src

 env:
-  BUILD_PYTHON_VERSION: "3.9.4"
-  MIN_PYTHON_VERSION: "3.9.4"
-  BUILD_OPENSSL_VERSION: "1.1.1k"
-  MIN_OPENSSL_VERSION: "1.1.1i"
-  PATCHELF_VERSION: "0.12"
+  BUILD_PYTHON_VERSION: "3.10.1"
+  MIN_PYTHON_VERSION: "3.10.1"
+  BUILD_OPENSSL_VERSION: "3.0.1"
+  MIN_OPENSSL_VERSION: "1.1.1l"
+  PATCHELF_VERSION: "0.13"
  # PYINSTALLER_VERSION can be full commit hash or version like v4.20
-  PYINSTALLER_VERSION: "227eac14955c02db21d4702429896d4b74beed5e"
+  #PYINSTALLER_VERSION: "86eeca8b4ba8012ab2df19ca206cafbe263b6a81"

 jobs:
  build:
@@ -26,73 +26,61 @@ jobs:
    strategy:
      matrix:
        include:
-          - os: ubuntu-16.04
+          - os: ubuntu-18.04
            jid: 1
            goal: "build"
            gamos: "linux"
            platform: "x86_64"
-          - os: ubuntu-18.04
+          - os: ubuntu-20.04
            jid: 2
            goal: "build"
            gamos: "linux"
            platform: "x86_64"
-          - os: ubuntu-20.04
+          - os: macos-11.0
            jid: 3
            goal: "build"
-            gamos: "linux"
-            platform: "x86_64"
-#          - os: [self-hosted, linux, ARM]
-#            jid: 10
-#            goal: "build"
-#            gamos: "linux"
-#            platform: "arm"
-#          - os: [self-hosted, linux, ARM64]
-#            jid: 11
-#            goal: "build"
-#            gamos: "linux"
-#            platform: "arm64"
-          - os: macos-10.15
+            gamos: "macos"
+            platform: "universal2"
+          - os: windows-2022
            jid: 4
            goal: "build"
-            gamos: "macos"
+            gamos: "windows"
+            pyarch: "x64" 
            platform: "x86_64"
-#          - os: macos-11.0
-#            jid: 12
-#            goal: "build"
-#            gamos: "macos"
-#            platform: "universal2"
-          - os: windows-2019
+          - os: windows-2022
            jid: 5
            goal: "build"
            gamos: "windows"
-            python: 3.9.4
-            pyarch: "x64" 
-            platform: "x86_64"
-          - os: windows-2019
-            jid: 6
-            goal: "build"
-            gamos: "windows"
            platform: "x86"
-            python: 3.9.4
            pyarch: "x86"
-          - os: ubuntu-20.04
-            goal: "test"
-            python: "3.6"
-            jid: 7
-            gamos: "linux"
-            platform: "x86_64"
          - os: ubuntu-20.04
            goal: "test"
            python: "3.7"
-            jid: 8
+            jid: 6
            gamos: "linux"
            platform: "x86_64"
          - os: ubuntu-20.04
            goal: "test"
            python: "3.8"
-            jid: 9
+            jid: 7
            gamos: "linux"
            platform: "x86_64"
+          - os: ubuntu-20.04
+            goal: test
+            python: "3.9"
+            jid: 8
+            gamos: linux
+            platform: x86_64
+          - os: [self-hosted, linux, arm64]
+            jid: 9
+            goal: "self-build"
+            platform: "aarch64"
+            gamos: linux
+          - os: [self-hosted, linux, arm]
+            jid: 10
+            goal: "self-build"
+            platform: "armv7l"
+            gamos: linux

    steps:

@@ -108,7 +96,7 @@ jobs:
          path: |
            ~/python
            ~/ssl
-          key: ${{ matrix.os }}-${{ matrix.jid }}-20210407
+          key: ${{ matrix.os }}-${{ matrix.jid }}-20211228

      - name: Set env variables
        env:
@@ -123,15 +111,42 @@ jobs:
          echo "PLATFORM=${PLATFORM}" >> $GITHUB_ENV
          uname -a

-      - name: Use pre-compiled Python for testing and Windows
+      - name: Use pre-compiled Python for testing
        if: matrix.python != ''
        uses: actions/setup-python@v2
        with:
          python-version: ${{ matrix.python }}
          architecture: ${{ matrix.pyarch }}

-      - name: Set env variables for pre-compiled Python
+      - name: Install Python on Windows
+        if: matrix.os == 'windows-2022'
+        run: |
+          if ( ${Env:PLATFORM} -eq "x86_64" )
+          {
+            Set-Variable -name py_arch -value "-amd64"
+          }
+          else
+          {
+            Set-Variable -name py_arch -value ""
+          }
+          Write-Output "py_arch: $py_arch"
+          Set-Variable -name python_file -value "python-${Env:BUILD_PYTHON_VERSION}${py_arch}.exe"
+          Write-Output "python_file: $python_file"
+          Set-Variable -name python_url -value "https://www.python.org/ftp/python/${Env:BUILD_PYTHON_VERSION}/${python_file}"
+          Write-Output "python_url: $python_url"
+          Invoke-WebRequest -Uri $python_url -OutFile $python_file
+          Start-Process -wait -FilePath $python_file -ArgumentList "/quiet","InstallAllUsers=0","TargetDir=c:\\python","AssociateFiles=1","PrependPath=1"
+        shell: pwsh
+  
+      - name: Install packages for test
        if: matrix.goal == 'test'
+        run: |
+          echo "RUNNING: apt update..."
+          sudo apt-get -qq --yes update > /dev/null
+          sudo apt-get -qq --yes install swig libpcsclite-dev
+
+      - name: Set env variables for pre-compiled Python
+        if: matrix.goal != 'build'
        run: |
             export python=$(which python3)
             export pip=$(which pip3)
@@ -142,48 +157,80 @@ jobs:
             echo "pip=${pip}" >> $GITHUB_ENV
             echo "gam=${gam}" >> $GITHUB_ENV
             echo "gampath=${gampath}" >> $GITHUB_ENV
-             echo "RUNNING: apt update..."
-             sudo apt-get -qq --yes update > /dev/null
-             sudo apt-get -qq --yes install swig libpcsclite-dev
+             $pip install --upgrade pip
+             "${python}" -V
+             "${pip}" -V

-      - name: Build and install Python, OpenSSL and PyInstaller
-        if: matrix.goal != 'test' && steps.cache-primes.outputs.cache-hit != 'true'
+      - name: Build and install Python and OpenSSL
+        if: matrix.goal == 'build' && steps.cache-primes.outputs.cache-hit != 'true'
        run: |
             set +e
             source ../.github/actions/${GAMOS}-before-install.sh
-             echo "PATH=$PATH" >> $GITHUB_ENV # keep gnutools for MacOS
             echo "python=$python" >> $GITHUB_ENV
             echo "pip=$pip" >> $GITHUB_ENV
             echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH" >> $GITHUB_ENV
             echo -e "Python: $python\nPip: $pip\nLD_LIB...: $LD_LIBRARY_PATH"
-             export url="https://codeload.github.com/pyinstaller/pyinstaller/tar.gz/${PYINSTALLER_VERSION}"
-             echo "Downloading ${url}"
-             curl -o pyinstaller.tar.gz --compressed "${url}"
-             tar xf pyinstaller.tar.gz
-             cd "pyinstaller-${PYINSTALLER_VERSION}/bootloader"
-             if [ "${PLATFORM}" == "x86" ]; then
-               BITS="32"
-             else
-               BITS="64"
+             if [ $GAMOS == "macos" ]; then
+               export pipoptions='--no-binary ":all:"'
+               echo "PATH=$PATH" >> $GITHUB_ENV # keep gnutools for MacOS
+               export MACOSX_DEPLOYMENT_TARGET="10.9"
+               export CFLAGS="-arch arm64 -arch x86_64"
             fi
-             $python ./waf all --target-arch=${BITS}bit
-             cd ..
-             $python setup.py install
-             #$pip install pyinstaller
+             $pip install --upgrade pip $pipoptions
+             $pip install wheel $pipoptions

-      - name: Install pip requirements
-        if: matrix.os != 'self-hosted'
+      - name: Set Windows Powershell env variables
+        if: matrix.goal != 'test' && matrix.os == 'windows-2022' && matrix.platform == 'x86_64'
+        shell: powershell
+        run: |
+          choco install nasm --no-progress
+          $env:PATH="$ENV:PATH;c:\Program Files\NASM\"
+          cmd /c 'call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat" && set MAKE=nmake && set > %temp%\vcvars.txt'
+          Get-Content "$env:temp\vcvars.txt" | Foreach-Object {
+           if ($_ -match "^(.*?)=(.*)$") {
+             if ($matches[1] -eq "PATH" -or $matches[1] -eq "PLATFORM") {
+               continue
+             }
+             Set-Content "env:\$($matches[1])" $matches[2]
+             Add-Content -Path $env:GITHUB_ENV -Value "$($matches[1])=$($matches[2])"
+           }
+          }
+
+      - name: Install PyInstaller
+        if: matrix.goal != 'test'
        run: |
             set +e
-             $pip list --outdated --format=freeze | grep -v '^\-e' | cut -d = -f 1  | xargs -n1 $pip install -U --force-reinstall
+             git clone https://github.com/pyinstaller/pyinstaller.git
+             cd pyinstaller
+             # remove pre-compiled bootloaders so we fail if bootloader compile fails
+             rm -rf PyInstaller/bootloader/*-*/*
+             cd bootloader
+             export DefaultWindowsSDKVersion="10.0.20348.0"
+             if [ "${PLATFORM}" == "x86" ]; then
+               TARGETARCH="--target-arch=32bit"
+             fi
+             $python ./waf all $TARGETARCH
+             cat build/config.log
+             cd ..
+             $pip install .

-             $pip install --upgrade -r requirements.txt
+      - name: Install pip requirements
+        run: |
+             set +e
+             if [ $GAMOS == "macos" ]; then
+               #export pipoptions='--no-binary ":all:"'
+               export MACOSX_DEPLOYMENT_TARGET="10.9"
+               export CFLAGS="-arch arm64 -arch x86_64"
+             fi
+             $pip list --outdated --format=freeze | grep -v '^\-e' | cut -d = -f 1  | xargs -n1 $pip install -U --force-reinstall $pipoptions
+             $pip install --upgrade -r requirements.txt $pipoptions

      - name: Build GAM with PyInstaller
        if: matrix.goal != 'test'
        run: |
             set +e
             source ../.github/actions/${GAMOS}-install.sh
+             ls -alRF $gampath
             echo "gampath=$gampath" >> $GITHUB_ENV
             echo "gam=$gam" >> $GITHUB_ENV
             echo -e "GAM: ${gam}\nGAMPATH: ${gampath}\nGAMVERSION: ${GAMVERSION}"
@@ -201,6 +248,7 @@ jobs:
      - name: Basic Tests build jobs only
        if: matrix.goal != 'test'
        run: |
+             $pip install packaging
             export vline=$($gam version | grep "Python ")
             export python_line=($vline)
             export this_python=${python_line[1]}
@@ -213,7 +261,7 @@ jobs:

      - name: Live API tests push only
        if: github.event_name == 'push' || github.event_name == 'schedule'
-        env: # Or as an environment variable
+        env:
          PASSCODE: ${{ secrets.PASSCODE }}
        run: |
             source ../.github/actions/decrypt.sh ../.github/actions/creds.tar.gpg creds.tar
@@ -225,6 +273,7 @@ jobs:
             $gam info domain
             $gam oauth refresh
             $gam info user
+             #$gam info user $gam_user grouptree
             export tstamp=$(date +%s%3N)
             export newbase=gha-test-$JID-$tstamp
             export newuser=$newbase@pdl.jaylee.us
@@ -237,10 +286,12 @@ jobs:
             for i in {01..10}; do
               echo "${newbase}-bulkuser-$i" >> sample.csv;
             done
-             $gam create user $newuser firstname GHA lastname $JID password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID
+             $gam create user $newuser firstname GHA lastname $JID password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB-
             $gam user $gam_user sendemail recipient $newuser subject "test message $newbase" message "GHA test message"
             $gam user $gam_user sendemail recipient exchange@pdl.jaylee.us subject "test ${tstamp}" message "test message"
             $gam create group $newgroup name "GHA $JID group" description "This is a description" isarchived true
+             $gam update cigroup $newgroup memberrestriction 'member.type == 1 || member.customer_id == groupCustomerId()'
+             $gam info cigroup $newgroup
             $gam user $newuser add license gsuitebusiness
             $gam update group $newgroup add owner $gam_user
             $gam update group $newgroup add member $newuser
@@ -251,6 +302,7 @@ jobs:
             $gam csv sample.csv gam user $gam_user sendemail recipient ~~email~~@pdl.jaylee.us subject "test message $newbase" message "GHA test message"
             $gam csv sample.csv gam update group $newgroup add member ~email
             $gam info group $newgroup
+             $gam info cigroup $newgroup membertree
             $gam user $gam_user check serviceaccount
             # confirm mailbox is provisoned before continuing
             $gam user $newuser waitformailbox
@@ -314,7 +366,8 @@ jobs:
             $gam print browsers
             export sn="$JID$JID$JID$JID-$(openssl rand -base64 32 | sed 's/[^a-zA-Z0-9]//g')"
             $gam create device serialnumber $sn devicetype android
-             $gam print cros allfields nolists
+             $gam print cros allfields orderby serialnumber
+             #$gam show crostelemetry storagepercentonly
             $gam report usageparameters customer
             $gam report usage customer parameters gmail:num_emails_sent,accounts:num_1day_logins
             $gam report customer todrive
@@ -322,7 +375,7 @@ jobs:
             $gam report admin start -3d todrive
             $gam print devices nopersonaldevices nodeviceusers filter "serial:$JID$JID$JID$JID-" | $gam csv - gam delete device id ~name
             $gam print userinvitations
-             $gam print userinvitations | $gam csv - gam create userinvitation ~name
+             $gam print userinvitations | $gam csv - gam send userinvitation ~name
             export CUSTOMER_ID="C01wfv983"
             export GA_DOMAIN="pdl.jaylee.us"
             touch $gampath/enabledasa.txt
@@ -342,3 +395,13 @@ jobs:
               echo "file uploaded as ${fileid}, setting ACL..."
               $gam user $gam_user add drivefileacl $fileid anyone role reader withlink
             done
+
+      - name: Archive production artifacts
+        uses: actions/upload-artifact@v2
+        if: github.event_name == 'push' && matrix.goal != 'test'
+        with:
+          name: gam-binaries
+          path: |
+            src/*.tar.xz
+            src/*.zip
+            src/*.msi
--- a/README.md
+++ b/README.md
@@ -1,23 +1,38 @@
-GAM is a command line tool for Google Workspace (fka G Suite) Administrators to manage domain and user settings quickly and easily.
+GAM is a command line tool for Google Workspace admins to manage domain and user settings quickly and easily.

 ![Build Status](https://github.com/jay0lee/GAM/workflows/Build%20and%20test%20GAM/badge.svg)
+
 # Quick Start
+
 ## Linux / MacOS
+
 Open a terminal and run:
-```
+
+```sh
 bash <(curl -s -S -L https://git.io/install-gam)
 ```
+
 this will download GAM, install it and start setup.
+
 ## Windows
+
 Download the MSI Installer from the [GitHub Releases] page. Install the MSI and you'll be prompted to setup GAM.
+
 # Documentation
+
 The GAM documentation is hosted in the [GitHub Wiki]
+
 # Mailing List / Discussion group
+
 The GAM mailing list / discussion group is hosted on [Google Groups].  You can join the list and interact via email, or just post from the web itself.
+
 # Chat Room
+
 There is a public chat room hosted in Google Chat. [Instructions to join](https://git.io/gam-chat).
+
 # Author
-GAM is maintained by <a href="mailto:jay0lee@gmail.com">Jay Lee</a>. Please direct "how do I?" questions to [Google Groups].
+
+GAM is maintained by [Jay Lee](mailto:jay0lee@gmail.com). Please direct "how do I?" questions to [Google Groups].

 [GAM release]: https://git.io/gamreleases
 [GitHub Releases]: https://github.com/jay0lee/GAM/releases
--- a/src/GamCommands.txt
+++ b/src/GamCommands.txt
@@ -158,6 +158,7 @@ If an item contains spaces, it should be surrounded by ".
 <CalendarColorIndex> ::= <Number in range 1-24>
 <CalendarItem> ::= <EmailAddress>|<String>
 <ChatRoom> ::= <String>
+<ChatSpace> ::= <String>
 <ClientID> ::= <String>
 <ColorValue> ::= <ColorName>|<ColorHex>
 <CollaboratorItem> ::= <EmailAddress>|<UniqueID>|<String>
@@ -203,10 +204,12 @@ If an item contains spaces, it should be surrounded by ".
 <MaximumNumberOfSeats> ::= <Number>
 <MobileID> ::= <String>
 <Name> ::= <String>
+<Namespace> ::= <String>
 <NotificationID> ::= <String>
 <NumberOfSeats> ::= <Number>
-<OrgUnitID> ::= <String>
+<OrgUnitID> ::= id:<String>
 <OrgUnitPath> ::= /|(/<String)+
+<OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
 <ParameterKey> ::= <String>
 <ParameterValue> ::= <String>
 <Password> ::= <String>
@@ -220,9 +223,12 @@ If an item contains spaces, it should be surrounded by ".
 <QueryContact> ::= <String> See: https://developers.google.com/google-apps/contacts/v3/reference#contacts-query-parameters-reference
 <QueryCrOS> ::= <String> See: https://support.google.com/chrome/a/answer/1698333?hl=en
 <QueryDriveFile> ::= <String> See: https://developers.google.com/drive/v2/web/search-parameters
+<QueryDynamicGroup> ::= <String> See: https://cloud.google.com/identity/docs/reference/rest/v1beta1/groups#dynamicgroupquery
 <QueryGmail> ::= <String> See: https://support.google.com/mail/answer/7190
 <QueryGroup> ::= <String> See: https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
+<QueryMemberRestrictions> ::= <String> See: https://cloud.google.com/identity/docs/reference/rest/v1beta1/SecuritySettings#MemberRestriction
 <QueryMobile> ::= <String> See: https://support.google.com/a/answer/7549103
+<QueryTeamDrive> ::= <String> See: https://developers.google.com/drive/api/v3/search-shareddrives
 <QueryUser> ::= <String> See: https://developers.google.com/admin-sdk/directory/v1/guides/search-users
 <QueryVaultCorpus> ::= <String> See: https://developers.google.com/vault/reference/rest/v1/matters.holds#CorpusQuery
 <RequestID> ::= <String>
@@ -321,6 +327,7 @@ If an item contains spaces, it should be surrounded by ".
 	description|
 	editable|
 	explicitlytrashed|
+	driveid|
 	fileextension|
 	filesize|
 	foldercolorrgb|
@@ -331,6 +338,7 @@ If an item contains spaces, it should be surrounded by ".
 	lastmodifyinguser|
 	lastmodifyingusername|
 	lastviewedbyme|lastviewedbymedate|lastviewedbymetime|lastviewedbyuser|
+	linksharemetadata|
 	md5|md5checksum|md5sum|
 	mime|mimetype|
 	modifiedbyme|modifiedbymedate|modifiedbymetime|modifiedbyuser|
@@ -343,11 +351,13 @@ If an item contains spaces, it should be surrounded by ".
 	parents|
 	permissions|
 	quotabytesused|quotaused|
+	resourcekey|
 	restricted|
 	shareable|
 	shared|
 	sharedwithmedate|sharedwithmetime|
 	sharinguser|
+	shortcutdetails|
 	size|
 	spaces|
 	starred|
@@ -586,10 +596,11 @@ Items, separated by spaces, with spaces, commas or single quotes in the items th
 <GroupRoleList> ::= "<GroupRole>(,<GroupRole>)*"
 <GuardianStateList> ::= "<GuardianState>(,<GuardianState>)*"
 <LabelNameList> ::= "<LabelName>(,<LabelName)*"
-<LanguageList> ::= "<Language>(,<Language)*"
+<LanguageList> ::= "<Language>[+|-](,<Language>[+|-])*"
 <MatterItemList> ::= "<MatterItem>(,<MatterItem>)*"
 <MembersFieldNameList> ::= "<MembersFieldName>(,<MembersFieldName>)*"
 <MobileList> ::= "<MobileId>(,<MobileId>)*"
+<NamespaceList> ::= "<Namespace>(,<Namespace)*"
 <OrgUnitList> ::= "<OrgUnitPath>(,<OrgUnitPath>)*"
 <PrinterIDList> ::= "<PrinterID>)(,<PrinterID>)*"
 <ProductIDList> ::= "(<ProductID>|SKUID>)(,<ProductID>|SKUID>)*"
@@ -685,25 +696,29 @@ Specify a collection of Users by directly specifying them or by specifiying item
 	(name <String>)

 <DriveFileAddAttribute> ::=
-	(localfile <FileName>)|
+	(localfile <FileName>|-)|
 	(convert)|(ocr)|(ocrlanguage <Language>)|
 	(restricted|restrict)|(starred|star)|(trashed|trash)|(viewed|view)|
 	(contentrestrictions readonly false)|
 	(contentrestrictions readonly true [reason <String>])|
 	copyrequireswriterpermission|
 	(lastviewedbyme <Time>)|(modifieddate|modifiedtime <Time>)|(description <String>)|(mimetype <MimeType>)|
-	(parentid <DriveFolderID>)|(parentname <DriveFolderName>)|(anyownerparentname <DriveFolderName>)|writerscantshare|writerscanshare
-	(shortcut <DriveFileID>)
+	(parentid <DriveFolderID>)|(parentname <DriveFolderName>)|(anyownerparentname <DriveFolderName>)|
+	(securityupdate <Boolean>)|
+	(shortcut <DriveFileID>)|
+	writerscantshare|writerscanshare
 <DriveFileUpdateAttribute> ::=
-	(localfile <FileName>)|
+	(localfile <FileName>|-)|
 	(convert)|(ocr)|(ocrlanguage <Language>)|
 	(restricted|restrict <Boolean>)|(starred|star <Boolean>)|(trashed|trash <Boolean>)|(viewed|view <Boolean>)|
 	(contentrestrictions readonly false)|
 	(contentrestrictions readonly true [reason <String>])|
 	(copyrequireswriterpermission <Boolean>)|
 	(lastviewedbyme <Time>)|(modifieddate <Time>)|(description <String>)|(mimetype <MimeType>)|
-	(parentid <DriveFolderID>)|(parentname <DriveFolderName>)|(anyownerparentname <DriveFolderName>)|writerscantshare|writerscanshare
-	(shortcut <DriveFileID>)
+	(parentid <DriveFolderID>)|(parentname <DriveFolderName>)|(anyownerparentname <DriveFolderName>)|
+	(securityupdate <Boolean>)|
+	(shortcut <DriveFileID>)|
+	writerscantshare|writerscanshare
 <GroupSettingsAttribute> ::=
 	(allowexternalmembers <Boolean>)|
 	(allowwebposting <Boolean>)|
@@ -711,6 +726,7 @@ Specify a collection of Users by directly specifying them or by specifiying item
 	(customfootertext <String>)|
 	(customreplyto <EmailAddress>)|
 	(defaultmessagedenynotificationtext <String>)|
+	(defaultsender default_self|group)|
 	(description <String>)|
 	(enablecollaborativeinbox|collaborative <Boolean>)|
 	(includeinglobaladdresslist|gal <Boolean>)|
@@ -788,7 +804,6 @@ Specify a collection of Users by directly specifying them or by specifiying item
 	field <FieldName> (type bool|date|double|email|int64|phone|string) [multivalued|multivalue] [indexed] [restricted] [range <Number> <Number>] endfield

 <UserBasicAttribute> ::=
-	(agreed2terms|agreedtoterms <Boolean>)|
 	(changepassword|changepasswordatnextlogin <Boolean>)|
 	(base64-md5|base64-sha1|crypt|sha|sha1|sha-1|md5|nohash)|
 	(customerid <String>)|
@@ -841,6 +856,8 @@ An argument containing instances of ~~xxx~~ has xxx replaced by the value of fie
 Example: gam csv Users.csv gam update user "~primaryEmail" address type work unstructured "~~Street~~, ~~City~~, ~~State~~ ~~ZIP~~"
 Each user (~primaryEmail, e.g. foo@bar.com) would have their work address updated

+gam create gcpfolder <String>
+
 gam create project [<EmailAddress>] [<ProjectID>]
 gam create project [admin <EmailAddress>] [project <ProjectID>] [parent <String>]
 gam use project [<EmailAddress>] [<ProjectID>]
@@ -894,23 +911,27 @@ gam delete resoldsubscription <CustomerID> <SKUID> cancel|downgrade|transfer_to_
 gam info resoldsubscriptions <CustomerID> [customer_auth_token <String>]

 <ActivityApplicationName> ::=
-	access|accesstransparency|
+	access_transparency|
 	admin|
-	calendar|calendars|
+	calendar|
 	chat|
-	drive|doc|docs|
-	enterprisegroups|groupsenterprise|
+	chrome|
+	context_aware_access|
+	data_studio|
+	drive|
 	gcp|
-	google+|gplus|
-	group|groups|
-	hangoutsmeet|meet|
+	gplus|
+	groups|
+	groups_enterprise|
 	jamboard|
-	login|logins|
+	keep|
+	login|
+	meet|
 	mobile|
-	oauthtoken|token|tokens|
 	rules|
 	saml|
-	useraccounts
+	token|
+	user_accounts

 <ReportsApp> ::=
 	accounts|
@@ -949,6 +970,7 @@ gam report <ActivityApplicationName> [todrive]
 	[(user all|<UserItem>)|(orgunit|org|ou <OrgUnitPath>)]
 	[start <Time>] [end <Time>]
 	[filter|filters <String>] [event <String>] [ip <String>]
+	[groupidfilter <String>]

 gam create admin <UserItem> <RoleItem> customer|(org_unit <OrgUnitItem>)
 gam delete admin <RoleAssignmentId>
@@ -997,7 +1019,8 @@ gam info customer

 gam create datatransfer|transfer <OldOwnerID> <DataTransferServiceList> <NewOwnerID> (<ParameterKey> <ParameterValue>)*
 gam info datatransfer|transfer <TransferID>
-gam print datatransfers|transfers [todrive] [olduser|oldowner <UserItem>] [newuser|newowner <UserItem>] [status <String>]
+gam print datatransfers|transfers [todrive] [olduser|oldowner <UserItem>] [newuser|newowner <UserItem>]
+	[status completed|failed|inprogress]

 gam print transferapps

@@ -1166,6 +1189,14 @@ gam print browsertokens [todrive]
 	[fields <BrowserTokenFieldNameList>]
 	[sortheaders]

+gam print chatspaces [todrive]
+gam print chatmembers space <ChatSpace> [todrive]
+gam create chatmessage space <ChatSpace> [thread <String>]
+	(text <String>)|(textfile <FileName> [charset <CharSet>])
+gam delete chatmessage name <String>
+gam update chatmessage name <String>
+	(text <String>)|(textfile <FileName> [charset <CharSet>])
+
 <CrOSAction> ::=
 	deprovision_same_model_replace|
 	deprovision_different_model_replace|
@@ -1294,7 +1325,7 @@ gam print chromehistory releases [todrive]

 gam delete chromepolicy <SchemaName>+ ou|org|orgunit <OrgUnitItem> [(printerid <PrinterID>)|(appid <AppID>)]
 gam update chromepolicy (<SchemaName> (<Field> <Value>)+)+ ou|org|orgunit <OrgUnitItem> [(printerid <PrinterID>)|(appid <AppID>)]
-gam show chromepolicy ou|org|orgunit <OrgUnitItem> [(printerid <PrinterID>)|(appid <AppID>)]
+gam show chromepolicy ou|org|orgunit <OrgUnitItem> [(printerid <PrinterID>)|(appid <AppID>)] [namespace <NamespaceList>]
 gam show chromeschema [filter <String>]

 <DeviceID> ::= devices/<String>
@@ -1358,18 +1389,21 @@ gam print printermodels [todrive] [filter <String>]

 gam create cigroup <EmailAddress> <CIGroupAttribute>*
 	[makeowner] [alias|aliases <AliasList>] [dynamic <QueryDynamicGroup>]
-gam update cigroup <GroupItem> [email <EmailAddress>] <CIGroupAttribute>* [security]
+gam update cigroup <GroupItem> [email <EmailAddress>] <CIGroupAttribute>*
+	[security] [dynamic <QueryDynamicGroup>]
+	[memberrestrictions <QueryMemberRestrictions>]
 gam update cigroup <GroupItem> add [owner|manager|member] [notsuspended|suspended] [expires never|<Time>] <UserTypeEntity>
 gam update cigroup <GroupItem> delete|remove [owner|manager|member] [notsuspended|suspended] <UserTypeEntity>
 gam update cigroup <GroupItem> sync [owner|manager|member] [notsuspended|suspended] [expires never|<Time>] <UserTypeEntity>
 gam update cigroup <GroupItem> update [owner|manager|member] [notsuspended|suspended] [expires never|<Time>] <UserTypeEntity>
 gam update cigroup <GroupItem> clear [member] [manager] [owner] [notsuspended|suspended]
 gam delete cigroup <GroupItem>
-gam info cigroup <GroupItem> [nousers] [nojoindate] [showupdatedate]
+gam info cigroup <GroupItem> [nousers] [nojoindate] [showupdatedate] [membertree] [nosecurity|nosecuritysettings]

 gam print cigroups [todrive]
 	[enterprisemember <UserItem>]
 	[members|memberscount] [managers|managerscount] [owners|ownerscount]
+	[memberrestrictions]
 	[delimiter <Character>] [sortheaders]

 gam info cimember <UserItem> <GroupItem>
@@ -1438,7 +1472,11 @@ gam create user <EmailAddress> <UserAttribute>* [verifynotinvitable]
 gam update user <UserItem> <UserAttribute>* [clearschema <SchemaName>] [clearschema <SchemaName>.<FieldName>] [verifynotinvitable]
 gam delete user <UserItem>
 gam undelete user <UserItem> [org|ou <OrgUnitPath>]
-gam info user [<UserItem>] [noaliases] [nogroups] [nolicenses|nolicences] [noschemas] [schemas|custom <SchemaNameList>] [userview] [skus|sku <SKUIDList>]
+gam info user [<UserItem>]
+	[quick] [noaliases] [nogroups] [nolicenses|nolicences] [noschemas]
+	[skus|sku <SKUIDList>] [grouptree]
+	[userview] <UserFieldName>* [fields <UserFieldNameList>]
+	[schemas|custom all|<SchemaNameList>]

 Print fields for selected users; use domain, query/queries and deleted_only to select users to print;
 if none of these options are specified, all users are printed.
@@ -1446,10 +1484,12 @@ The first column will always be primaryEmail; the remaining field names will be
 otherwise, the remaining field names will appear in the order specified.

 gam print users [todrive]
-	([domain <DomainName>] [(query <QueryUser>)|(queries <QueryUserList>)] [deleted_only|only_deleted])
+	([domain <DomainName>] [(query <QueryUser>)|(queries <QueryUserList>)]
+	[limittoou <OrgUnitPath>] [deleted_only|only_deleted])
 	[groups] [license|licenses|licence|licences] [emailpart|emailparts|username]
-	[orderby <UserOrderByFieldName> [ascending|descending]] [userview]
-	[allfields|basic|full | ((<UserFieldName>* | fields <UserFieldNameList>) [schemas|custom all|<SchemaNameList>])]
+	[orderby <UserOrderByFieldName> [ascending|descending]]
+	[userview] [allfields|basic|full | (<UserFieldName>* | fields <UserFieldNameList>)]
+	[schemas|custom all|<SchemaNameList>])]
 	[delimiter <Character>] [sortheaders]

 gam create verify|verification <DomainName>
@@ -1600,6 +1640,7 @@ gam <UserTypeEntity> update labelsettings <LabelName> [name <Name>] [messagelist
 gam <UserTypeEntity> update label|labels [search <RegularExpression>] [replace <LabelReplacement>] [merge]
 gam <UserTypeEntity> delete|del label|labels <LabelName>|regex:<RegularExpression>|--ALL_LABELS--
 gam <UserTypeEntity> show labels|label [onlyuser] [showcounts]
+gam <UserTypeEntity> print labels|label [todrive] [onlyuser] [showcounts]

 gam <UserTypeEntity> delete messages query <QueryGmail> [doit] [max_to_delete|max_to_process <Number>]
 gam <UserTypeEntity> modify messages query <QueryGmail> [doit] [max_to_modify|max_to_process <Number>] (addlabel <LabelName>)* (removelabel <LabelName>)*
@@ -1623,9 +1664,9 @@ gam <UserTypeEntity> sendemail [recipient|to <EmailAddress>] [from <EmailAddress
 	[subject <String>] [(message <String>)|(file <FileName> [charset <Charset>])]
 	(header <String> <String>)*

-gam <UserTypeEntity> create|add delegate|delegates <EmailAddress>
-gam <UserTypeEntity> delegate|delegates to <EmailAddress>
-gam <UserTypeEntity> delete|del delegate|delegates <EmailAddress>
+gam <UserTypeEntity> create|add delegate|delegates [convertalias] <EmailAddress>
+gam <UserTypeEntity> delegate|delegates to [convertalias] <EmailAddress>
+gam <UserTypeEntity> delete|del delegate|delegates [convertalias] <EmailAddress>
 gam <UserTypeEntity> show delegates|delegate [csv]
 gam <UserTypeEntity> print delegates [todrive]

@@ -1690,8 +1731,8 @@ gam <UserTypeEntity> update teamdrive <TeamDriveID> [asadmin] [name <Name>]
 	(<TeamDriveRestrictionsSubfieldName> <Boolean>)*
 gam <UserTypeEntity> delete teamdrive <TeamDriveID>
 gam <UserTypeEntity> show teamdriveinfo <TeamDriveID> [asadmin]
-gam <UserTypeEntity> show teamdrives [asadmin]
-gam <UserTypeEntity> print teamdrives [todrive] [asadmin]
+gam <UserTypeEntity> show teamdrives [query <QueryTeamDrive>] [asadmin]
+gam <UserTypeEntity> print teamdrives [query <QueryTeamDrive>] [todrive] [asadmin]
 gam <UserTypeEntity> show teamdrivethemes

 gam <UserTypeEntity> vacation <FalseValues>
--- a/src/cbcm-v1.1beta1.json
+++ b/src/cbcm-v1.1beta1.json
@@ -368,7 +368,7 @@
              "required": true,
              "type": "string"
            }
-	  },
+          },
          "path": "{customer}/chrome/enrollmentTokens",
          "request": {
            "$ref": "CreateEnrollmentTokenRequest"
@@ -379,7 +379,7 @@
          "scopes": [
            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers"
          ]
-	},
+        },
        "revoke": {
          "description": "Revokes a browser enrollment token in a domain.",
          "flatPath": "{customer}/chrome/enrollmentTokens/{tokenPermanentId}:revoke",
@@ -387,7 +387,7 @@
          "id": "cbcm.enrollmentTokens.revoke",
          "parameterOrder": [
            "customer",
-	    "tokenPermanentId"
+            "tokenPermanentId"
          ],
          "parameters": {
            "customer": {
@@ -402,12 +402,12 @@
              "required": true,
              "type": "string"
            }
-	  },
+          },
          "path": "{customer}/chrome/enrollmentTokens/{tokenPermanentId}:revoke",
          "scopes": [
            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers"
          ]
-	}
+        }
      }
    }
  },
@@ -491,23 +491,23 @@
          "description": "Immutable ID of the G Suite account.",
          "type": "string"
        },
-	"orgUnitPath": {
+        "orgUnitPath": {
          "description": "The full path of the organizational unit or its unique ID.",
          "type": "string"
        },
-	"creatorId": {
+        "creatorId": {
          "description": "Creator ID.",
          "type": "string"
        },
-	"createTime": {
+        "createTime": {
          "description": "Creation Time.",
          "type": "string"
        },
-	"revokerId": {
+        "revokerId": {
          "description": "Revoker ID.",
          "type": "string"
        },
-	"revokeTime": {
+        "revokeTime": {
          "description": "Revoke Time",
          "type": "string"
        }
@@ -538,16 +538,18 @@
    },
    "CreateEnrollmentTokenRequest": {
      "id": "CreateEnrollmentTokenRequest",
+      "type": "object",
      "properties": {
-	"org_unit_path": {
+        "org_unit_path": {
          "description": "The full path of the organizational unit or its unique ID.",
          "type": "string"
        },
-	"expire_time": {
+        "expire_time": {
          "description": "Expiration Time.",
          "type": "string"
        },
-	"token_type": {
+        "token_type": {
+          "id": "token_type",
          "annotations": {
            "required": [
              "cbcm.enrollmentTokens.create"
@@ -559,6 +561,8 @@
      }
    },
    "MoveChromeBrowsersRequest": {
+      "id": "MoveChromeBrowsersRequest",
+      "type": "object",
      "properties": {
        "org_unit_path": {
          "annotations": {
@@ -576,7 +580,10 @@
            ]
          },
          "description": "List of unique device IDs of Chrome Browser Devices to move. A maximum of 600 browsers may be moved per request.",
-          "type": "array"
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
        }
      }
    }
--- a/src/gam-install.sh
+++ b/src/gam-install.sh
@@ -28,8 +28,8 @@ upgrade_only=false
 gamversion="latest"
 adminuser=""
 regularuser=""
-gam_glibc_vers="2.31 2.27 2.23"
-gam_macos_vers="10.15.6 10.14.6 10.13.6"
+gam_glibc_vers="2.31 2.27"
+#gam_macos_vers="10.15.6 10.14.6 10.13.6"

 while getopts "hd:a:o:b:lp:u:r:v:" OPTION
 do
@@ -128,19 +128,7 @@ case $gamos in
      this_macos_ver=$osversion
    fi
    echo "You are running MacOS $this_macos_ver"
-    use_macos_ver=""
-    for gam_macos_ver in $gam_macos_vers; do
-      if version_gt $this_macos_ver $gam_macos_ver; then
-        use_macos_ver="MacOS$gam_macos_ver"
-        echo_green "Using GAM compiled on $use_macos_ver"
-        break
-      fi
-    done
-    if [ "$use_macos_ver" == "" ]; then
-      echo_red "Sorry, you need to be running at least MacOS $gam_macos_ver to run GAM"
-      exit
-    fi
-    gamfile="macos-x86_64.tar.xz"
+    gamfile="macos-universal2.tar.xz"
    ;;
  MINGW64_NT*)
    gamos="windows"
--- a/src/gam-universal2.spec
+++ b/src/gam-universal2.spec
@@ -1,46 +0,0 @@
-# -*- mode: python -*-
-
-import sys
-
-import importlib
-from PyInstaller.utils.hooks import copy_metadata
-
-sys.modules['FixTk'] = None
-
-# dynamically determine where httplib2/cacerts.txt lives
-proot = os.path.dirname(importlib.import_module('httplib2').__file__)
-extra_files = [(os.path.join(proot, 'cacerts.txt'), 'httplib2')]
-
-extra_files += copy_metadata('google-api-python-client')
-extra_files += [('cbcm-v1.1beta1.json', '.')]
-
-a = Analysis(['gam/__main__.py'],
-             hiddenimports=[],
-             hookspath=None,
-             excludes=['FixTk', 'tcl', 'tk', '_tkinter', 'tkinter', 'Tkinter'],
-             datas=extra_files,
-             runtime_hooks=None)
-
-for d in a.datas:
-    if 'pyconfig' in d[0]:
-        a.datas.remove(d)
-        break
-
-
-pyz = PYZ(a.pure)
-exe = EXE(pyz,
-          a.scripts,
-          a.binaries,
-          a.zipfiles,
-          a.datas,
-          name='gam',
-          debug=False,
-          strip=None,
-          upx=False,
-          console=True )
-
-app = BUNDLE(exe,
-             name='gam.app',
-             icon=None,
-             bundle_identifier=None,
-             info_plist={'LSArchitecturePriority': 'arm64,x86_64'})
--- a/src/gam.py
+++ b/src/gam.py
@@ -8,4 +8,4 @@ from gam.__main__ import main

 # Run from command line
 if __name__ == '__main__':
-    main(sys.argv)
+    main()
--- a/src/gam.spec
+++ b/src/gam.spec
@@ -5,8 +5,6 @@ import sys
 import importlib
 from PyInstaller.utils.hooks import copy_metadata

-sys.modules['FixTk'] = None
-
 # dynamically determine where httplib2/cacerts.txt lives
 proot = os.path.dirname(importlib.import_module('httplib2').__file__)
 extra_files = [(os.path.join(proot, 'cacerts.txt'), 'httplib2')]
@@ -34,6 +32,12 @@ for d in a.datas:


 pyz = PYZ(a.pure)
+
+if sys.platform == "darwin":
+     target_arch="universal2"
+else:
+     target_arch=None
+
 exe = EXE(pyz,
          a.scripts,
          a.binaries,
@@ -43,4 +47,5 @@ exe = EXE(pyz,
          debug=False,
          strip=None,
          upx=False,
-          console=True )
+          target_arch=target_arch,
+          console=True)
--- a/src/gam/init.py
+++ b/src/gam/init.py
--- a/src/gam/main.py
+++ b/src/gam/main.py
@@ -30,7 +30,7 @@ from gam import controlflow
 import gam


-def main(argv):
+def main():
    freeze_support()
    if sys.platform == 'darwin':
        # https://bugs.python.org/issue33725 in Python 3.8.0 seems
@@ -47,4 +47,4 @@ def main(argv):

 # Run from command line
 if __name__ == '__main__':
-    main(sys.argv)
+    main()
--- a/src/gam/auth/oauth.py
+++ b/src/gam/auth/oauth.py
@@ -395,7 +395,7 @@ class Credentials(google.oauth2.credentials.Credentials):
            self.refresh(request)

        self._id_token_data = google.oauth2.id_token.verify_oauth2_token(
-            self.id_token, request)
+            self.id_token, request, clock_skew_in_seconds=10)

    def get_token_value(self, field):
        """Retrieves data from the OAuth ID token.
--- a/src/gam/auth/yubikey.py
+++ b/src/gam/auth/yubikey.py
@@ -1,72 +1,155 @@
 from base64 import b64encode
+import datetime
+from secrets import SystemRandom
+import string
 import sys
 from threading import Timer

 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import padding
+from smartcard.Exceptions import CardConnectionException
 from ykman.device import connect_to_device
-from yubikit.piv import KEY_TYPE, SLOT, InvalidPinError, PivSession
+from ykman.piv import generate_self_signed_certificate, \
+                      generate_chuid
+from yubikit.piv import DEFAULT_MANAGEMENT_KEY, \
+                        InvalidPinError, \
+                        KEY_TYPE, \
+                        MANAGEMENT_KEY_TYPE, \
+                        PIN_POLICY, \
+                        PivSession, \
+                        OBJECT_ID, \
+                        SLOT, \
+                        TOUCH_POLICY
 from yubikit.core.smartcard import ApduError
 from gam import controlflow

 class YubiKey():

-    def __init__(self, service_account_info):
-        key_type = service_account_info.get('yubikey_key_type', 'RSA2048')
+    def __init__(self, service_account_info=None):
+        self.key_type = None
+        self.slot = None
+        self.serial_number = None
+        self.pin = None
+        self.key_id = None
+        if service_account_info:
+            key_type = service_account_info.get('yubikey_key_type', 'RSA2048')
+            try:
+                self.key_type = getattr(KEY_TYPE, key_type.upper())
+            except AttributeError:
+                controlflow.system_error_exit(6, f'{key_type} is not a valid value for yubikey_key_type')
+            slot = service_account_info.get('yubikey_slot', 'AUTHENTICATION')
+            try:
+                self.slot = getattr(SLOT, slot.upper())
+            except AttributeError:
+                controlflow.system_error_exit(6, f'{slot} is not a valid value for yubikey_slot')
+            self.serial_number = service_account_info.get('yubikey_serial_number')
+            self.pin = service_account_info.get('yubikey_pin')
+            self.key_id = service_account_info.get('private_key_id')
+
+    def _connect(self):
        try:
-            self.key_type = getattr(KEY_TYPE, key_type.upper())
-        except AttributeError:
-            controlflow.system_error_exit(6, f'{key_type} is not a valid value for yubikey_key_type')
-        slot = service_account_info.get('yubikey_slot', 'AUTHENTICATION')
-        try:
-            self.slot = getattr(SLOT, slot.upper())
-        except AttributeError:
-            controlflow.system_error_exit(6, f'{slot} is not a valid value for yubikey_slot')
-        self.serial_number = service_account_info.get('yubikey_serial_number')
-        self.pin = service_account_info.get('yubikey_pin')
-        self.key_id = service_account_info.get('private_key_id')
+            conn, _, _ = connect_to_device(self.serial_number)
+        except CardConnectionException as err:
+            controlflow.system_error_exit(9, f'YubiKey - {err}')
+        return conn

    def get_certificate(self):
        try:
-            conn, _, _ = connect_to_device(self.serial_number)
-            session = PivSession(conn)
-            if self.pin:
+            conn = self._connect()
+            with conn:
+                session = PivSession(conn)
+                if self.pin:
+                    try:
+                        session.verify_pin(self.pin)
+                    except InvalidPinError as err:
+                        controlflow.system_error_exit(7, f'YubiKey - {err}')
                try:
-                    session.verify_pin(self.pin)
-                except InvalidPinError as err:
-                    controlflow.system_error_exit(7, f'YubiKey - {err}')
-            try:
-                cert = session.get_certificate(self.slot)
-                cert_pem = cert.public_bytes(
-                     serialization.Encoding.PEM).decode()
-                publicKeyData = b64encode(cert_pem.encode())
-                if isinstance(publicKeyData, bytes):
-                    publicKeyData = publicKeyData.decode()
-                return publicKeyData
-            except ApduError as err:
-                controlflow.system_error_exit(8, f'YubiKey - {err}')
+                    cert = session.get_certificate(self.slot)
+                except ApduError as err:
+                    controlflow.system_error_exit(9, f'YubiKey - {err}')
+            cert_pem = cert.public_bytes(
+                serialization.Encoding.PEM).decode()
+            publicKeyData = b64encode(cert_pem.encode())
+            if isinstance(publicKeyData, bytes):
+                publicKeyData = publicKeyData.decode()
+            return publicKeyData
        except ValueError as err:
            controlflow.system_error_exit(9, f'YubiKey - {err}')

+
+    def get_serial_number(self):
+        try:
+            _, _, info = connect_to_device(self.serial_number)
+            return info.serial
+        except ValueError as err:
+            controlflow.system_error_exit(9, f'YubiKey - {err}')
+
+    def reset_piv(self):
+        '''Resets YubiKey PIV app and generates new key for GAM to use.'''
+        reply = str(input('This will wipe all PIV keys and configuration from your YubiKey. Are you sure? (y/N) ').lower().strip())
+        if reply != 'y':
+            sys.exit(1)
+        try:
+            conn = self._connect()
+            with conn:
+                piv = PivSession(conn)
+                piv.reset()
+                rnd = SystemRandom()
+                pin_puk_chars = string.ascii_letters + string.digits + string.punctuation
+                new_puk = ''.join(rnd.choice(pin_puk_chars) for _ in range(8))
+                new_pin = ''.join(rnd.choice(pin_puk_chars) for _ in range(8))
+                piv.change_puk('12345678', new_puk)
+                piv.change_pin('123456', new_pin)
+                print(f'PIN set to:  {new_pin}')
+                piv.authenticate(MANAGEMENT_KEY_TYPE.TDES,
+                                 DEFAULT_MANAGEMENT_KEY)
+
+                piv.verify_pin(new_pin)
+                print('YubiKey is generating a non-exportable private key...')
+                pubkey = piv.generate_key(SLOT.AUTHENTICATION,
+                                          KEY_TYPE.RSA2048,
+                                          PIN_POLICY.ALWAYS,
+                                          TOUCH_POLICY.NEVER)
+                now = datetime.datetime.utcnow()
+                valid_to = now + datetime.timedelta(days=36500)
+                subject = 'CN=GAM Created Key'
+                piv.authenticate(MANAGEMENT_KEY_TYPE.TDES,
+                                 DEFAULT_MANAGEMENT_KEY)
+                piv.verify_pin(new_pin)
+                cert = generate_self_signed_certificate(piv,
+                                                        SLOT.AUTHENTICATION,
+                                                        pubkey,
+                                                        subject,
+                                                        now,
+                                                        valid_to)
+                piv.put_certificate(SLOT.AUTHENTICATION,
+                                    cert)
+                piv.put_object(OBJECT_ID.CHUID,
+                               generate_chuid())
+        except ValueError as err:
+            controlflow.system_error_exit(8, f'YubiKey - {err}')
+
+
    def sign(self, message):
        if 'mplock' in globals():
            mplock.acquire()
        try:
-            conn, _, _ = connect_to_device(self.serial_number)
-            session = PivSession(conn)
-            if self.pin:
+            conn = self._connect()
+            with conn:
+                session = PivSession(conn)
+                if self.pin:
+                    try:
+                        session.verify_pin(self.pin)
+                    except InvalidPinError as err:
+                        controlflow.system_error_exit(7, f'YubiKey - {err}')
                try:
-                    session.verify_pin(self.pin)
-                except InvalidPinError as err:
-                    controlflow.system_error_exit(7, f'YubiKey - {err}')
-            try:
-                signed = session.sign(slot=self.slot,
+                    signed = session.sign(slot=self.slot,
                                      key_type=self.key_type,
                                      message=message,
                                      hash_algorithm=hashes.SHA256(),
                                      padding=padding.PKCS1v15())
-            except ApduError as err:
-                controlflow.system_error_exit(8, f'YubiKey = {err}')
+                except ApduError as err:
+                    controlflow.system_error_exit(8, f'YubiKey - {err}')
        except ValueError as err:
            controlflow.system_error_exit(9, f'YubiKey - {err}')
        if 'mplock' in globals():
--- a/src/gam/controlflow.py
+++ b/src/gam/controlflow.py
@@ -65,9 +65,12 @@ def csv_field_error_exit(field_name, field_names):
                                                       ','.join(field_names)))


-def invalid_json_exit(file_name):
+def invalid_json_exit(file_name, err=None):
    """Raises a system exit when invalid JSON content is encountered."""
-    system_error_exit(17, MESSAGE_INVALID_JSON.format(file_name))
+    err_msg = MESSAGE_INVALID_JSON.format(file_name)
+    if err:
+        err_msg += f'\n\n{err}'
+    system_error_exit(17, err_msg)


 def wait_on_failure(current_attempt_num,
--- a/src/gam/display.py
+++ b/src/gam/display.py
@@ -154,28 +154,39 @@ def write_csv_file(csvRows, titles, list_type, todrive):
                return True
        return False

+    def filterMatch(filterVal, columns, row):
+        for column in columns:
+            if filterVal[1] == 'regex':
+                if filterVal[2].search(str(row.get(column, ''))):
+                    return True
+            elif filterVal[1] == 'notregex':
+                if not filterVal[2].search(str(row.get(column, ''))):
+                    return True
+            elif filterVal[1] in ['date', 'time']:
+                if rowDateTimeFilterMatch(
+                    filterVal[1] == 'date', row.get(column, ''),
+                    filterVal[2], filterVal[3]):
+                    return True
+            elif filterVal[1] == 'count':
+                if rowCountFilterMatch(
+                    row.get(column, 0), filterVal[2], filterVal[3]):
+                    return True
+            else:  #boolean
+                if rowBooleanFilterMatch(
+                    row.get(column, False), filterVal[2]):
+                    return True
+        return False
+
    def rowFilterMatch(filters, columns, row):
        for c, filterVal in iter(filters.items()):
-            for column in columns[c]:
-                if filterVal[1] == 'regex':
-                    if filterVal[2].search(str(row.get(column, ''))):
-                        return True
-                elif filterVal[1] == 'notregex':
-                    if not filterVal[2].search(str(row.get(column, ''))):
-                        return True
-                elif filterVal[1] in ['date', 'time']:
-                    if rowDateTimeFilterMatch(
-                        filterVal[1] == 'date', row.get(column, ''),
-                        filterVal[2], filterVal[3]):
-                        return True
-                elif filterVal[1] == 'count':
-                    if rowCountFilterMatch(
-                        row.get(column, 0), filterVal[2], filterVal[3]):
-                        return True
-                else:  #boolean
-                    if rowBooleanFilterMatch(
-                        row.get(column, False), filterVal[2]):
-                        return True
+            if not filterMatch(filterVal, columns[c], row):
+                return False
+        return True
+
+    def rowDropFilterMatch(filters, columns, row):
+        for c, filterVal in iter(filters.items()):
+            if filterMatch(filterVal, columns[c], row):
+                return True
        return False

    if GC_Values[GC_CSV_ROW_FILTER] or GC_Values[GC_CSV_ROW_DROP_FILTER]:
@@ -210,7 +221,7 @@ def write_csv_file(csvRows, titles, list_type, todrive):
            if (((keepColumns is None) or
                 rowFilterMatch(GC_Values[GC_CSV_ROW_FILTER], keepColumns, row)) and
                ((dropColumns is None) or
-                 not rowFilterMatch(GC_Values[GC_CSV_ROW_DROP_FILTER], dropColumns, row))):
+                 not rowDropFilterMatch(GC_Values[GC_CSV_ROW_DROP_FILTER], dropColumns, row))):
                rows.append(row)
        csvRows = rows

@@ -231,7 +242,14 @@ def write_csv_file(csvRows, titles, list_type, todrive):
                'No columns selected with GAM_CSV_HEADER_FILTER and GAM_CSV_HEADER_DROP_FILTER\n'
            )
            return
-    csv.register_dialect('nixstdout', lineterminator='\n')
+    nixstdout_dialect = {'lineterminator': '\n',
+                         'quoting': csv.QUOTE_MINIMAL}
+    # fix issue with Python 3.10.0 and no escape char
+    # 3.10.1+ may fix this within Python so hopefully
+    # this is short-lived.
+    if sys.version_info.minor >= 10:
+        nixstdout_dialect['escapechar'] = '\\'
+    csv.register_dialect('nixstdout', **nixstdout_dialect)
    if todrive:
        write_to = io.StringIO()
    else:
@@ -239,8 +257,7 @@ def write_csv_file(csvRows, titles, list_type, todrive):
    writer = csv.DictWriter(write_to,
                            fieldnames=titles,
                            dialect='nixstdout',
-                            extrasaction='ignore',
-                            quoting=csv.QUOTE_MINIMAL)
+                            extrasaction='ignore')
    try:
        writer.writerow(dict((item, item) for item in writer.fieldnames))
        writer.writerows(csvRows)
@@ -283,7 +300,8 @@ and follow recommend steps to authorize GAM for Drive access.''')
        if GC_Values[GC_NO_BROWSER]:
            msg_txt = f'Drive file uploaded to:\n {file_url}'
            msg_subj = f'{GC_Values[GC_DOMAIN]} - {list_type}'
-            gam.send_email(msg_subj, msg_txt)
+            if not GC_Values[GC_NO_TDEMAIL]:
+                gam.send_email(msg_subj, msg_txt)
            print(msg_txt)
        else:
            webbrowser.open(file_url)
--- a/src/gam/gapi/init.py
+++ b/src/gam/gapi/init.py
@@ -281,6 +281,7 @@ def get_all_pages(service,
                  soft_errors=False,
                  throw_reasons=None,
                  retry_reasons=None,
+                  page_args_in_body=False,
                  **kwargs):
    """Aggregates and returns all pages of a Google service function response.

@@ -311,15 +312,22 @@ def get_all_pages(service,
    retry_reasons: A list of Google HTTP error reason strings indicating which
      error should be retried, using exponential backoff techniques, when the
      error reason is encountered.
+    page_args_in_body: Some APIs like Chrome Policy want pageToken and pageSize
+      in the body.
    **kwargs: Additional params to pass to the request method.

  Returns:
    A list of all items received from all paged responses.
  """
-    if 'maxResults' not in kwargs and 'pageSize' not in kwargs:
+    if page_args_in_body:
+        kwargs.setdefault('body', {})
+    if 'maxResults' not in kwargs and 'pageSize' not in kwargs and 'pageSize' not in kwargs.get('body', {}):
        page_key = _get_max_page_size_for_api_call(service, function, **kwargs)
        if page_key:
-            kwargs.update(page_key)
+            if page_args_in_body:
+                kwargs['body'].update(page_key)
+            else:
+                kwargs.update(page_key)
    all_items = []
    page_token = None
    total_items = 0
@@ -334,7 +342,10 @@ def get_all_pages(service,
        if not page_token:
            finalize_page_message(page_message)
            return all_items
-        kwargs['pageToken'] = page_token
+        if page_args_in_body:
+            kwargs['body']['pageToken'] = page_token
+        else:
+            kwargs['pageToken'] = page_token


 # TODO: Make this private once all execution related items that use this method
@@ -348,7 +359,7 @@ def handle_oauth_token_error(e, soft_errors):
      returns to the caller.
  """
    token_error = str(e).replace('.', '')
-    if token_error in errors.OAUTH2_TOKEN_ERRORS or e.startswith(
+    if token_error in errors.OAUTH2_TOKEN_ERRORS or token_error.startswith(
            'Invalid response'):
        if soft_errors:
            return
--- a/src/gam/gapi/init_test.py
+++ b/src/gam/gapi/init_test.py
@@ -8,6 +8,7 @@ from unittest.mock import patch
 from gam import SetGlobalVariables
 import gam.gapi as gapi
 from gam.gapi import errors
+import httplib2


 def create_http_error(status, reason, message):
@@ -21,10 +22,10 @@ def create_http_error(status, reason, message):
  Returns:
    googleapiclient.errors.HttpError
  """
-    response = {
+    response = httplib2.Response({
        'status': status,
        'content-type': 'application/json',
-    }
+    })
    content = {
        'error': {
            'code': status,
--- a/src/gam/gapi/chat.py
+++ b/src/gam/gapi/chat.py
@@ -0,0 +1,207 @@
+import sys
+
+import googleapiclient.errors
+
+import gam
+from gam.var import *
+from gam import controlflow
+from gam import display
+from gam import fileutils
+from gam import gapi
+from gam import utils
+from gam.gapi import errors as gapi_errors
+
+# Chat scope isn't in discovery doc so need to manually set
+CHAT_SCOPES = ['https://www.googleapis.com/auth/chat.bot']
+
+
+def build():
+    return gam.buildGAPIServiceObject('chat',
+                                      act_as=None,
+                                      scopes=CHAT_SCOPES)
+
+
+THROW_REASONS = [
+        gapi_errors.ErrorReason.FOUR_O_FOUR,     # Chat API not configured
+        ]
+
+def _chat_error_handler(chat, err):
+    if err.status_code == 404:
+        project_id = chat._http.credentials.project_id
+        url = f'https://console.cloud.google.com/apis/api/chat.googleapis.com/hangouts-chat?project={project_id}'
+        print('ERROR: you need to configure Google Chat for your API project. Please go to:')
+        print()
+        print(f'  {url}')
+        print()
+        print('and complete all fields.')
+    else:
+        raise err
+    sys.exit(1)
+
+
+def print_spaces():
+    chat = build()
+    todrive = False
+    i =3
+    while i < len(sys.argv):
+        myarg = sys.argv[i].lower()
+        if myarg == 'todrive':
+            todrive = True
+            i += 1
+        else:
+            controlflow.invalid_argument_exit(myarg, 'gam print chatspaces')
+    try:
+        spaces = gapi.get_all_pages(chat.spaces(), 'list', 'spaces', throw_reasons=THROW_REASONS)
+    except googleapiclient.errors.HttpError as err:
+        _chat_error_handler(chat, err)
+    if not spaces:
+        print('Bot not added to any Chat rooms or users yet.')
+    else:
+        display.write_csv_file(spaces, spaces[0].keys(), 'Chat Spaces', todrive)
+
+
+def print_members():
+    chat = build()
+    space = None
+    todrive = False
+    i = 3
+    while i < len(sys.argv):
+        myarg = sys.argv[i].lower()
+        if myarg == 'space':
+            space = sys.argv[i+1]
+            if space[:7] != 'spaces/':
+                space = f'spaces/{space}'
+            i += 2
+        elif myarg == 'todrive':
+            todrive = True
+            i += 1
+        else:
+            controlflow.invalid_argument_exit(myarg, "gam print chatmembers")
+    if not space:
+        controlflow.system_error_exit(2,
+                                      'space <ChatSpace> is required.')
+    try:
+        results = gapi.get_all_pages(chat.spaces().members(), 'list', 'memberships', parent=space)
+    except googleapiclient.errors.HttpError as err:
+        _chat_error_handler(chat, err)
+    members = []
+    titles = []
+    for result in results:
+        member = utils.flatten_json(result)
+        for key in member:
+            if key not in titles:
+                titles.append(key)
+        members.append(utils.flatten_json(result))
+    display.write_csv_file(members, titles, 'Chat Members', todrive)
+
+
+def create_message():
+    chat = build()
+    body = {}
+    i = 3
+    while i < len(sys.argv):
+      myarg = sys.argv[i].lower()
+      if myarg == 'text':
+          body['text'] = sys.argv[i+1].replace('\\r', '\r').replace('\\n', '\n')
+          i += 2
+      elif myarg == 'textfile':
+          filename = sys.argv[i + 1]
+          i, encoding = gam.getCharSet(i + 2)
+          body['text'] = fileutils.read_file(filename, encoding=encoding)
+      elif myarg == 'space':
+          space = sys.argv[i+1]
+          if space[:7] != 'spaces/':
+              space = f'spaces/{space}'
+          i += 2
+      elif myarg == 'thread':
+          body['thread'] = {'name': sys.argv[i+1]}
+          i += 2
+      else:
+          controlflow.invalid_argument_exit(myarg, "gam create chat")
+    if not space:
+        controlflow.system_error_exit(2,
+                                      'space <ChatSpace> is required.')
+    if 'text' not in body:
+        controlflow.system_error_exit(2,
+                                      'text <String> or textfile <FileName> is required.')
+    if len(body['text']) > 4096:
+        body['text'] = body['text'][:4095]
+        print('WARNING: trimmed message longer than 4k to be 4k in length.')
+    try:
+        resp = gapi.call(chat.spaces().messages(),
+                         'create',
+                          parent=space,
+                          body=body,
+                          throw_reasons=THROW_REASONS)
+    except googleapiclient.errors.HttpError as err:
+        _chat_error_handler(chat, err)
+    if 'thread' in body:
+        print(f'responded to thread {resp["thread"]["name"]}')
+    else:
+        print(f'started new thread {resp["thread"]["name"]}')
+    print(f'message {resp["name"]}')
+
+def delete_message():
+    chat = build()
+    name = None
+    i = 3
+    while i < len(sys.argv):
+        myarg = sys.argv[i].lower()
+        if myarg == 'name':
+            name = sys.argv[i+1]
+            i += 2
+        else:
+          controlflow.invalid_argument_exit(myarg, "gam delete chat")
+    if not name:
+        controlflow.system_error_exit(2,
+                                      'name <String> is required.')
+    try:
+        gapi.call(chat.spaces().messages(),
+                  'delete',
+                  name=name)
+    except googleapiclient.errors.HttpError as err:
+        _chat_error_handler(chat, err)
+
+
+def update_message():
+    chat = build()
+    body = {}
+    name = None
+    updateMask = 'text'
+    i = 3
+    while i < len(sys.argv):
+        myarg = sys.argv[i].lower()
+        if myarg == 'text':
+            body['text'] = sys.argv[i+1].replace('\\r', '\r').replace('\\n', '\n')
+            i += 2
+        elif myarg == 'textfile':
+            filename = sys.argv[i + 1]
+            i, encoding = gam.getCharSet(i + 2)
+            body['text'] = fileutils.read_file(filename, encoding=encoding)
+        elif myarg == 'name':
+            name = sys.argv[i+1]
+            i += 2
+        else:
+          controlflow.invalid_argument_exit(myarg, "gam update chat")
+    if not name:
+        controlflow.system_error_exit(2,
+                                      'name <String> is required.')
+    if 'text' not in body:
+        controlflow.system_error_exit(2,
+                                      'text <String> or textfile <FileName> is required.')
+    if len(body['text']) > 4096:
+        body['text'] = body['text'][:4095]
+        print('WARNING: trimmed message longer than 4k to be 4k in length.')
+    try:
+        resp = gapi.call(chat.spaces().messages(),
+                         'update',
+                         name=name,
+                         updateMask=updateMask,
+                         body=body)
+    except googleapiclient.errors.HttpError as err:
+        _chat_error_handler(chat, err)
+    if 'thread' in body:
+        print(f'updated response to thread {resp["thread"]["name"]}')
+    else:
+        print(f'updated message on thread {resp["thread"]["name"]}')
+    print(f'message {resp["name"]}')
--- a/src/gam/gapi/chromemanagement.py
+++ b/src/gam/gapi/chromemanagement.py
@@ -9,6 +9,7 @@ from gam.var import YYYYMMDD_FORMAT
 from gam import controlflow
 from gam import display
 from gam import gapi
+from gam import utils
 from gam.gapi.directory import orgunits as gapi_directory_orgunits
 from gam.gapi.directory.cros import _getFilterDate

@@ -201,6 +202,79 @@ def printAppDevices():
    display.write_csv_file(csvRows, titles, 'Chrome Installed Application Devices', todrive)


+def printShowCrosTelemetry(show=False):
+    cm = build()
+    parent = _get_customerid()
+    todrive = False
+    filter_ = None
+    readMask = []
+    diskpercentonly = False
+    supported_readmask_values = list(cm._rootDesc['schemas']['GoogleChromeManagementV1TelemetryDevice']['properties'].keys())
+    supported_readmask_values.sort()
+    supported_readmask_map = {item.lower():item for item in supported_readmask_values}
+    listLimit = 0
+    i = 3
+    while i < len(sys.argv):
+        myarg = sys.argv[i].lower().replace('_', '')
+        if myarg == 'fields':
+            field_list = sys.argv[i+1].lower().split(',')
+            for field_item in field_list:
+                if field_item not in supported_readmask_map:
+                    controlflow.expected_argument_exit('fields',
+                                                   ', '.join(supported_readmask_values),
+                                                   field_item)
+                else:
+                    readMask.append(supported_readmask_map[field_item])
+            i += 2
+        elif myarg == 'filter':
+            filter_ = sys.argv[i+1]
+            i += 2
+        elif myarg == 'todrive':
+            todrive = True
+            i += 1
+        elif myarg == 'storagepercentonly':
+            diskpercentonly = True
+            i += 1
+        else:
+            msg = f'{myarg} is not a valid argument to "gam print crostelemetry"'
+            controlflow.system_error_exit(3, msg)
+    if not readMask:
+        readMask = ','.join(supported_readmask_values)
+    else:
+        if 'deviceId' not in readMask:
+            readMask.append('deviceId')
+        readMask = ','.join(readMask)
+    gam.printGettingAllItems('Chrome Device Telemetry...', filter_)
+    page_message = gapi.got_total_items_msg('Chrome Device Telemetry', '...\n')
+    devices = gapi.get_all_pages(cm.customers().telemetry().devices(),
+                                 'list',
+                                 'devices',
+                                 page_message=page_message,
+                                 parent=parent,
+                                 filter=filter_,
+                                 readMask=readMask)
+    for device in devices:
+        if 'totalDiskBytes' in device.get('storageInfo', {}) and 'availableDiskBytes' in device.get('storageInfo', {}):
+            disk_avail = int(device['storageInfo']['availableDiskBytes'])
+            disk_size = int(device['storageInfo']['totalDiskBytes'])
+            if diskpercentonly:
+                device['storageInfo'] = {}
+            device['storageInfo']['percentDiskFree'] = int((disk_avail / disk_size) * 100)
+            device['storageInfo']['percentDiskUsed'] = 100 - device['storageInfo']['percentDiskFree']
+    if show:
+        for device in devices:
+            display.print_json(device)
+            print()
+            print()
+    else:
+        csvRows = []
+        titles = []
+        for device in devices:
+           display.add_row_titles_to_csv_file(utils.flatten_json(device),
+                                                   csvRows, titles)
+        display.write_csv_file(csvRows, titles, 'Telemetry Devices', todrive)
+
+
 CHROME_VERSIONS_TITLES = [
    'version', 'count', 'channel', 'deviceOsVersion', 'system'
    ]
--- a/src/gam/gapi/chromepolicy.py
+++ b/src/gam/gapi/chromepolicy.py
@@ -39,6 +39,8 @@ def printshow_policies():
    orgunit = None
    printer_id = None
    app_id = None
+    body = {}
+    namespaces = []
    i = 3
    while i < len(sys.argv):
        myarg = sys.argv[i].lower().replace('_', '')
@@ -51,59 +53,86 @@ def printshow_policies():
        elif myarg == 'appid':
            app_id = sys.argv[i+1]
            i += 2
+        elif myarg == 'namespace':
+            namespaces.extend(sys.argv[i+1].replace(',', ' ').split())
+            i += 2
        else:
            msg = f'{myarg} is not a valid argument to "gam print chromepolicy"'
            controlflow.system_error_exit(3, msg)
    if not orgunit:
        controlflow.system_error_exit(3, 'You must specify an orgunit')
-    body = {
-             'policyTargetKey': {
-               'targetResource': orgunit,
-             }
-           }
+    body['policyTargetKey'] = {'targetResource': orgunit}
    if printer_id:
        body['policyTargetKey']['additionalTargetKeys'] = {'printer_id': printer_id}
-        namespaces = ['chrome.printers']
+        if not namespaces:
+            namespaces = ['chrome.printers']
    elif app_id:
        body['policyTargetKey']['additionalTargetKeys'] = {'app_id': app_id}
-        namespaces = ['chrome.users.apps',
-                      'chrome.devices.managedGuest.apps',
-                      'chrome.devices.kiosk.apps']
-    else:
+        if not namespaces:
+            namespaces = ['chrome.users.apps',
+                          'chrome.devices.managedGuest.apps',
+                          'chrome.devices.kiosk.apps']
+    elif not namespaces:
        namespaces = [
            'chrome.users',
-#           Not yet implemented:
-#           'chrome.devices',
-#           'chrome.devices.managedGuest',
-#           'chrome.devices.kiosk',
+            'chrome.users.apps',
+            'chrome.devices',
+            'chrome.devices.kiosk',
+            'chrome.devices.managedGuest',
            ]
    throw_reasons = [gapi_errors.ErrorReason.FOUR_O_O,]
    orgunitPath = gapi_directory_orgunits.orgunit_from_orgunitid(orgunit[9:], None)
-    header = f'Organizational Unit: {orgunitPath}'
-    if printer_id:
-        header += f', printerid: {printer_id}'
-    elif app_id:
-        header += f', appid: {app_id}'
-    print(header)
+    print(f'Organizational Unit: {orgunitPath}')
    for namespace in namespaces:
+        spacing = '  '
        body['policySchemaFilter'] = f'{namespace}.*'
+        body['pageToken'] = None
        try:
            policies = gapi.get_all_pages(svc.customers().policies(), 'resolve',
                                          items='resolvedPolicies',
                                          throw_reasons=throw_reasons,
                                          customer=customer,
-                                          body=body)
+                                          body=body,
+                                          page_args_in_body=True)
        except googleapiclient.errors.HttpError:
            policies = []
-        for policy in sorted(policies, key=lambda k: k.get('value', {}).get('policySchema', '')):
+        # sort policies first by app/printer id then by schema name
+        policies = sorted(policies,
+                key=lambda k: (
+                    list(k.get('targetKey', {}).get('additionalTargetKeys', {}).values()),
+                    k.get('value', {}).get('policySchema', '')))
+        printed_ids = []
+        for policy in policies:
            print()
            name = policy.get('value', {}).get('policySchema', '')
-            print(name)
+            for key, val in policy['targetKey'].get('additionalTargetKeys', {}).items():
+                additional_id = f'{key} - {val}'
+                if additional_id not in printed_ids:
+                    print(f'  {additional_id}')
+                    printed_ids.append(additional_id)
+                    spacing = '    '
+            print(f'{spacing}{name}')
            values = policy.get('value', {}).get('value', {})
            for setting, value in values.items():
-                if isinstance(value, str) and value.find('_ENUM_') != -1:
+                # Handle TYPE_MESSAGE fields with durations, values, counts and timeOfDay as special cases
+                schema = CHROME_SCHEMA_TYPE_MESSAGE.get(name, {}).get(setting.lower())
+                if schema and setting == schema['casedField']:
+                    vtype = schema['type']
+                    if vtype in {'duration', 'value'}:
+                        value = value.get(vtype, '')
+                        if value:
+                            if value.endswith('s'):
+                                value = value[:-1]
+                            value = int(value) // schema['scale']
+                    elif vtype == 'count':
+                        pass
+                    else: ##timeOfDay
+                        hours = value.get(vtype, {}).get('hours', 0)
+                        minutes = value.get(vtype, {}).get('minutes', 0)
+                        value = f'{hours:02}:{minutes:02}'
+                elif isinstance(value, str) and value.find('_ENUM_') != -1:
                    value = value.split('_ENUM_')[-1]
-                print(f'  {setting}: {value}')
+                print(f'{spacing}{setting}: {value}')


 def build_schemas(svc=None, sfilter=None):
@@ -245,6 +274,49 @@ def delete_policy():
    gapi.call(svc.customers().policies().orgunits(), 'batchInherit', customer=customer, body=body)


+CHROME_SCHEMA_TYPE_MESSAGE = {
+  'chrome.users.AutoUpdateCheckPeriodNew': {
+    'autoupdatecheckperiodminutesnew':
+      {'casedField': 'autoUpdateCheckPeriodMinutesNew',
+       'type': 'duration', 'minVal': 1, 'maxVal': 720, 'scale': 60}},
+  'chrome.users.BrowserSwitcherDelayDuration':
+    {'browserswitcherdelayduration':
+       {'casedField': 'browserSwitcherDelayDuration',
+        'type': 'duration', 'minVal': 0, 'maxVal': 30, 'scale': 1}},
+  'chrome.users.FetchKeepaliveDurationSecondsOnShutdown':
+    {'fetchkeepalivedurationsecondsonshutdown':
+       {'casedField': 'fetchKeepaliveDurationSecondsOnShutdown',
+        'type': 'duration', 'minVal': 0, 'maxVal': 5, 'scale': 1}},
+  'chrome.users.MaxInvalidationFetchDelay':
+    {'maxinvalidationfetchdelay':
+       {'casedField': 'maxInvalidationFetchDelay',
+        'type': 'duration', 'minVal': 1, 'maxVal': 30, 'scale': 1, 'default': 10}},
+  'chrome.users.PrintingMaxSheetsAllowed':
+    {'printingmaxsheetsallowednullable':
+       {'casedField': 'printingMaxSheetsAllowedNullable',
+        'type': 'value', 'minVal': 1, 'maxVal': None, 'scale': 1}},
+  'chrome.users.PrintJobHistoryExpirationPeriodNew':
+    {'printjobhistoryexpirationperioddaysnew':
+       {'casedField': 'printJobHistoryExpirationPeriodDaysNew',
+        'type': 'duration', 'minVal': -1, 'maxVal': None, 'scale': 86400}},
+  'chrome.users.SecurityTokenSessionSettings':
+    {'securitytokensessionnotificationseconds':
+       {'casedField': 'securityTokenSessionNotificationSeconds',
+        'type': 'duration', 'minVal': 0, 'maxVal': 9999, 'scale': 1}},
+  'chrome.users.SessionLength':
+    {'sessiondurationlimit':
+       {'casedField': 'sessionDurationLimit',
+        'type': 'duration', 'minVal': 1, 'maxVal': 1440, 'scale': 60}},
+  'chrome.users.UpdatesSuppressed':
+    {'updatessuppresseddurationmin':
+       {'casedField': 'updatesSuppressedDurationMin',
+        'type': 'count', 'minVal': 1, 'maxVal': 1440, 'scale': 1},
+     'updatessuppressedstarttime':
+       {'casedField': 'updatesSuppressedStartTime',
+        'type': 'timeOfDay'}},
+  }
+
+
 def update_policy():
    svc = build()
    customer = _get_customerid()
@@ -266,7 +338,8 @@ def update_policy():
            app_id = sys.argv[i+1]
            i += 2
        elif myarg in schemas:
-            body['requests'].append({'policyValue': {'policySchema': schemas[myarg]['name'],
+            schemaName = schemas[myarg]['name']
+            body['requests'].append({'policyValue': {'policySchema': schemaName,
                                                     'value': {}},
                                     'updateMask': ''})
            i += 1
@@ -274,6 +347,39 @@ def update_policy():
                field = sys.argv[i].lower()
                if field in ['ou', 'org', 'orgunit', 'printerid', 'appid'] or '.' in field:
                    break # field is actually a new policy, orgunit or app/printer id
+                # Handle TYPE_MESSAGE fields with durations, values, counts and timeOfDay as special cases
+                schema = CHROME_SCHEMA_TYPE_MESSAGE.get(schemaName, {}).get(field)
+                if schema:
+                    i += 1
+                    casedField = schema['casedField']
+                    vtype = schema['type']
+                    if vtype != 'timeOfDay':
+                        if 'default' not in  schema:
+                            value = gam.getInteger(sys.argv[i], casedField,
+                                                   minVal=schema['minVal'], maxVal=schema['maxVal'])*schema['scale']
+                            i += 1
+                        elif i < len(sys.argv) and sys.argv[i].isdigit():
+                            value = gam.getInteger(sys.argv[i], casedField,
+                                                   minVal=schema['minVal'], maxVal=schema['maxVal'])*schema['scale']
+                            i += 1
+                        else: # Handle empty value for fields with default
+                            value = schema['default']*schema['scale']
+                            if i < len(sys.argv) and not sys.argv[i]:
+                                i += 1
+                    else:
+                        value = utils.get_hhmm(sys.argv[i])
+                        i += 1
+                    if vtype == 'duration':
+                        body['requests'][-1]['policyValue']['value'][casedField] = {vtype: f'{value}s'}
+                    elif vtype == 'value':
+                        body['requests'][-1]['policyValue']['value'][casedField] = {vtype: value}
+                    elif vtype == 'count':
+                        body['requests'][-1]['policyValue']['value'][casedField] = value
+                    else: ##timeOfDay
+                        hours, minutes = value.split(':')
+                        body['requests'][-1]['policyValue']['value'][casedField] = {vtype: {'hours': hours, 'minutes': minutes}}
+                    body['requests'][-1]['updateMask'] += f'{casedField},'
+                    continue
                expected_fields = ', '.join(schemas[myarg]['settings'])
                if field not in expected_fields:
                    msg = f'Expected {myarg} field of {expected_fields}. Got {field}.'
@@ -290,14 +396,17 @@ def update_policy():
                    value = gam.getBoolean(value, field)
                elif vtype in ['TYPE_ENUM']:
                    value = value.upper()
+                    prefix = schemas[myarg]['settings'][field]['enum_prefix']
                    enum_values = schemas[myarg]['settings'][field]['enums']
-                    if value not in enum_values:
+                    if value in enum_values:
+                        value = f'{prefix}{value}'
+                    elif value.replace(prefix, '') in enum_values:
+                        pass
+                    else:
                        expected_enums = ', '.join(enum_values)
                        msg = f'Expected {myarg} {field} value to be one of ' \
                              f'{expected_enums}, got {value}'
                        controlflow.system_error_exit(8, msg)
-                    prefix = schemas[myarg]['settings'][field]['enum_prefix']
-                    value = f'{prefix}{value}'
                elif vtype in ['TYPE_LIST']:
                    value = value.split(',')
                if myarg == 'chrome.users.chromebrowserupdates' and \
--- a/src/gam/gapi/cloudidentity/devices.py
+++ b/src/gam/gapi/cloudidentity/devices.py
@@ -405,7 +405,7 @@ def sync():
        controlflow.csv_field_error_exit(devicetype_column, input_file.fieldnames)
    if assettag_column and assettag_column not in input_file.fieldnames:
        controlflow.csv_field_error_exit(assettag_column, input_file.fieldnames)
-    local_devices = []
+    local_devices = {}
    for row in input_file:
        # upper() is very important to comparison since Google
        # always return uppercase serials
@@ -414,28 +414,43 @@ def sync():
            local_device['deviceType'] = static_devicetype
        else:
            local_device['deviceType'] = row[devicetype_column].strip()
+        sndt = f"{local_device['serialNumber']}-{local_device['deviceType']}"
        if assettag_column:
            local_device['assetTag'] = row[assettag_column].strip()
-        local_devices.append(local_device)
+            sndt += f"-{local_device['assetTag']}"
+        local_devices[sndt] = local_device
    fileutils.close_file(f)
    page_message = gapi.got_total_items_msg('Company Devices', '...\n')
    device_fields = ['serialNumber', 'deviceType', 'lastSyncTime', 'name']
    if assettag_column:
       device_fields.append('assetTag')
    fields = f'nextPageToken,devices({",".join(device_fields)})'
-    remote_devices = gapi.get_all_pages(ci.devices(), 'list', 'devices',
+    remote_devices = {}
+    remote_device_map = {}
+    result = gapi.get_all_pages(ci.devices(), 'list', 'devices',
            customer=customer, page_message=page_message,
            pageSize=100, filter=device_filter, view='COMPANY_INVENTORY', fields=fields)
-    remote_device_map = {}
-    for remote_device in remote_devices:
+    for remote_device in result:
        sn = remote_device['serialNumber']
        last_sync = remote_device.pop('lastSyncTime', NEVER_TIME_NOMS)
        name = remote_device.pop('name')
-        remote_device_map[sn] = {'name': name}
+        sndt = f"{remote_device['serialNumber']}-{remote_device['deviceType']}"
+        if assettag_column:
+            if 'assetTag' not in remote_device:
+                remote_device['assetTag'] = ''
+            sndt += f"-{remote_device['assetTag']}"
+        remote_devices[sndt] = remote_device
+        remote_device_map[sndt] = {'name': name}
        if last_sync == NEVER_TIME_NOMS:
-            remote_device_map[sn]['unassigned'] = True
-    devices_to_add = [device for device in local_devices if device not in remote_devices]
-    missing_devices = [device for device in remote_devices if device not in local_devices]
+            remote_device_map[sndt]['unassigned'] = True
+    devices_to_add = []
+    for sndt, device in iter(local_devices.items()):
+      if sndt not in remote_devices:
+        devices_to_add.append(device)
+    missing_devices = []
+    for sndt, device in iter(remote_devices.items()):
+      if sndt not in local_devices:
+        missing_devices.append(device)
    print(f'Need to add {len(devices_to_add)} and remove {len(missing_devices)} devices...')
    for add_device in devices_to_add:
        print(f'Creating {add_device["serialNumber"]}')
@@ -447,8 +462,11 @@ def sync():
            print(f' {add_device["serialNumber"]} already exists')
    for missing_device in missing_devices:
        sn = missing_device['serialNumber']
-        name = remote_device_map[sn]['name']
-        unassigned = remote_device_map[sn].get('unassigned')
+        sndt = f"{sn}-{missing_device['deviceType']}"
+        if assettag_column:
+          sndt += f"-{missing_device['assetTag']}"
+        name = remote_device_map[sndt]['name']
+        unassigned = remote_device_map[sndt].get('unassigned')
        action = unassigned_missing_action if unassigned else assigned_missing_action
        if action == 'donothing':
            pass
--- a/src/gam/gapi/cloudidentity/groups.py
+++ b/src/gam/gapi/cloudidentity/groups.py
@@ -3,7 +3,7 @@ import sys
 import googleapiclient

 import gam
-from gam.var import *
+from gam.var import * # pylint: disable=unused-wildcard-import
 from gam import controlflow
 from gam import display
 from gam import gapi
@@ -12,9 +12,17 @@ from gam.gapi import errors as gapi_errors
 from gam.gapi import cloudidentity as gapi_cloudidentity
 from gam.gapi.directory import customer as gapi_directory_customer

+# This allows easy switching between v1 and v1beta1
+# v1
+CIGROUP_API_BETA = 'cloudidentity'
+CIGROUP_MEMBERKEY = 'preferredMemberKey'
+# v1beta1
+#CIGROUP_API_BETA = 'cloudidentity_beta'
+#CIGROUP_MEMBERKEY = 'memberKey'
+

 def create():
-    ci = gapi_cloudidentity.build('cloudidentity_beta')
+    ci = gapi_cloudidentity.build()
    initialGroupConfig = 'EMPTY'
    gapi_directory_customer.setTrueCustomerId()
    parent = f'customers/{GC_Values[GC_CUSTOMER_ID]}'
@@ -44,7 +52,6 @@ def create():
                body['additionalGroupKeys'].append({'id': alias})
            i += 2
        elif myarg in ['dynamic']:
-            # As of 2020/06/25 this doesn't work (yet?)
            body['dynamicGroupMetadata'] = {
                'queries': [{
                    'query': sys.argv[i + 1],
@@ -66,7 +73,7 @@ def create():


 def delete():
-    ci = gapi_cloudidentity.build('cloudidentity_beta')
+    ci = gapi_cloudidentity.build()
    group = sys.argv[3]
    name = group_email_to_id(ci, group)
    print(f'Deleting group {group}')
@@ -74,11 +81,13 @@ def delete():


 def info():
-    ci = gapi_cloudidentity.build('cloudidentity_beta')
+    ci = gapi_cloudidentity.build(CIGROUP_API_BETA)
    group = gam.normalizeEmailAddressOrUID(sys.argv[3])
    getUsers = True
+    getSecuritySettings = True
    showJoinDate = True
    showUpdateDate = False
+    showMemberTree = False
    i = 4
    while i < len(sys.argv):
        myarg = sys.argv[i].lower().replace('_', '')
@@ -91,12 +100,24 @@ def info():
        elif myarg == 'showupdatedate':
            showUpdateDate = True
            i += 1
+        elif myarg == 'membertree':
+            showMemberTree = True
+            i += 1
+        elif myarg in ['nosecurity', 'nosecuritysettings']:
+            getSecuritySettings = False
        else:
            controlflow.invalid_argument_exit(myarg, 'gam info cigroup')
    name = group_email_to_id(ci, group)
    basic_info = gapi.call(ci.groups(), 'get', name=name)
    display.print_json(basic_info)
-    if getUsers:
+    if getSecuritySettings:
+        sec_info = gapi.call(ci.groups(),
+                             'getSecuritySettings',
+                             name=f'{name}/securitySettings',
+                             readMask='*')
+        print(' Security settings:')
+        display.print_json(sec_info, spacing=' ')
+    if getUsers and not showMemberTree:
        if not showJoinDate and not showUpdateDate:
            view = 'BASIC'
            pageSize = 1000
@@ -110,10 +131,11 @@ def info():
                                     fields='*',
                                     pageSize=pageSize,
                                     view=view)
-        print('Members:')
+        print(' Members:')
        for member in members:
            role = get_single_role(member.get('roles', [])).lower()
-            email = member.get('memberKey', {}).get('id')
+            email = member.get(CIGROUP_MEMBERKEY, {}).get('id')
+            member_type = member.get('type', 'USER').lower()
            jc_string = ''
            if showJoinDate:
                joined = member.get('createTime', 'Unknown')
@@ -121,15 +143,39 @@ def info():
            if showUpdateDate:
                updated = member.get('updateTime', 'Unknown')
                jc_string += f'  updated {updated}'
-            print(
-                f'{role}: {email}{jc_string}'
-                # f' {member.get("role", ROLE_MEMBER).lower()}: {member.get("email", member["id"])} ({member["type"].lower()})'
-            )
+            print(f'  {role}: {email} ({member_type}){jc_string}')
        print(f'Total {len(members)} users in group')
+    elif showMemberTree:
+        print(' Membership Tree:')
+        cached_group_members = {}
+        print_member_tree(ci, name, cached_group_members, 2, True)
+
+
+def print_member_tree(ci, group_id, cached_group_members, spaces, show_role):
+    if not group_id in cached_group_members:
+        cached_group_members[group_id] = gapi.get_all_pages(ci.groups().memberships(),
+                                                            'list',
+                                                            'memberships',
+                                                            parent=group_id,
+                                                            view='FULL',
+                                                            fields='*',
+                                                            pageSize=1000)
+    for member in cached_group_members[group_id]:
+        member_id = member.get('name', '')
+        member_id = member_id.split('/')[-1]
+        email = member.get(CIGROUP_MEMBERKEY, {}).get('id')
+        member_type = member.get('type', 'USER').lower()
+        if show_role:
+            role = get_single_role(member.get('roles', [])).lower()
+            print(f'{" " * spaces}{role}: {email} ({member_type})')
+        else:
+            print(f'{" " * spaces}{email} ({member_type})')
+        if member_type == 'group':
+            print_member_tree(ci, f'groups/{member_id}', cached_group_members, spaces + 2, False)


 def info_member():
-    ci = gapi_cloudidentity.build('cloudidentity_beta')
+    ci = gapi_cloudidentity.build()
    member = gam.normalizeEmailAddressOrUID(sys.argv[3])
    group = gam.normalizeEmailAddressOrUID(sys.argv[4])
    group_name = gapi.call(ci.groups(),
@@ -159,9 +205,15 @@ GROUP_ROLES_MAP = {


 def print_():
-    ci = gapi_cloudidentity.build('cloudidentity_beta')
+    ci = gapi_cloudidentity.build(CIGROUP_API_BETA)
    i = 3
-    members = membersCountOnly = managers = managersCountOnly = owners = ownersCountOnly = False
+    members = False
+    membersCountOnly = False
+    managers = False
+    managersCountOnly = False
+    owners = False
+    ownersCountOnly = False
+    memberRestrictions = False
    gapi_directory_customer.setTrueCustomerId()
    parent = f'customers/{GC_Values[GC_CUSTOMER_ID]}'
    usemember = None
@@ -204,6 +256,15 @@ def print_():
            if myarg == 'managerscount':
                managersCountOnly = True
            i += 1
+        elif myarg in ['memberrestrictions']:
+            memberRestrictions = True
+            display.add_titles_to_csv_file(
+                    ['memberRestrictionQuery',],
+                    titles)
+            display.add_titles_to_csv_file(
+                    ['memberRestrictionEvaluation',],
+                    titles)
+            i += 1
        else:
            controlflow.invalid_argument_exit(sys.argv[i], 'gam print cigroups')
    if roles:
@@ -247,7 +308,7 @@ def print_():
        except googleapiclient.errors.HttpError:
            controlflow.system_error_exit(
                2,
-                f'enterprisemember requires Enterprise license')
+                'enterprisemember requires Enterprise license')
        entityList = []
        for entity in result:
            if entity['relationType'] == 'DIRECT':
@@ -282,12 +343,12 @@ def print_():
            )
            page_message = gapi.got_total_items_first_last_msg('Members')
            validRoles, _, _ = gam._getRoleVerification(
-                '.'.join(roles), 'nextPageToken,members(email,id,role)')
+                ','.join(roles), 'nextPageToken,members(email,id,role)')
            groupMembers = gapi.get_all_pages(ci.groups().memberships(),
                                              'list',
                                              'memberships',
                                              page_message=page_message,
-                                              message_attribute=['memberKey', 'id'],
+                                              message_attribute=[CIGROUP_MEMBERKEY, 'id'],
                                              soft_errors=True,
                                              parent=groupKey_id,
                                              view='BASIC')
@@ -301,8 +362,8 @@ def print_():
                ownersList = []
                ownersCount = 0
            for member in groupMembers:
-                member_email = member['memberKey']['id']
-                role = get_single_role(member.get('roles'))
+                member_email = member[CIGROUP_MEMBERKEY]['id']
+                role = get_single_role(member.get('roles', []))
                if not validRoles or role in validRoles:
                    if role == ROLE_MEMBER:
                        if members:
@@ -335,6 +396,16 @@ def print_():
                group['OwnersCount'] = ownersCount
                if not ownersCountOnly:
                    group['Owners'] = memberDelimiter.join(ownersList)
+        if memberRestrictions:
+           name = f'{groupKey_id}/securitySettings'
+           print(f'Getting member restrictions for {groupEmail} ({i}/{count}')
+           sec_info = gapi.call(ci.groups(),
+                                'getSecuritySettings',
+                                name=name,
+                                readMask='*')
+           if 'memberRestriction' in sec_info:
+               group['memberRestrictionQuery'] = sec_info['memberRestriction'].get('query', '')
+               group['memberRestrictionEvaluation'] = sec_info['memberRestriction'].get('evaluation', {}).get('state', '')
        csvRows.append(group)
    if sortHeaders:
        display.sort_csv_titles([
@@ -343,8 +414,58 @@ def print_():
    display.write_csv_file(csvRows, titles, 'Groups', todrive)


+def _get_groups_list(ci=None, member=None, parent=None):
+    if not ci:
+        ci = gapi_cloudidentity.build()
+    if not parent:
+            gapi_directory_customer.setTrueCustomerId()
+            parent = f'customers/{GC_Values[GC_CUSTOMER_ID]}'
+    gam.printGettingAllItems('Groups', member)
+    page_message = gapi.got_total_items_first_last_msg('Groups')
+    if member:
+        fields = 'nextPageToken,memberships(groupKey(id),relationType)'
+        try:
+            groups_to_get = gapi.get_all_pages(ci.groups().memberships(),
+                                               'searchTransitiveGroups',
+                                               'memberships',
+                                               throw_reasons=[gapi_errors.ErrorReason.FOUR_O_O],
+                                               message_attribute=['groupKey', 'id'],
+                                               page_message=page_message,
+                                               parent='groups/-',
+                                               query=member,
+                                               pageSize=1000,
+                                               fields=fields)
+        except googleapiclient.errors.HttpError:
+            controlflow.system_error_exit(
+                    2,
+                    'enterprisemember requires Enterprise license')
+        return [group['groupKey']['id'] for group in groups_to_get if group['relationType'] == 'DIRECT']
+    else:
+        groups_to_get = gapi.get_all_pages(
+            ci.groups(),
+            'list',
+            'groups',
+            message_attribute=['groupKey', 'id'],
+            page_message=page_message,
+            parent=parent,
+            view='BASIC',
+            pageSize=1000,
+            fields='nextPageToken,groups(groupKey(id))')
+        return [group['groupKey']['id'] for group in groups_to_get]
+
+
+def get_membership_graph(member):
+    ci = gapi_cloudidentity.build(CIGROUP_API_BETA)
+    query = f"member_key_id == '{member}' && 'cloudidentity.googleapis.com/groups.discussion_forum' in labels"
+    result = gapi.call(ci.groups().memberships(),
+                     'getMembershipGraph',
+                     parent='groups/-',
+                     query=query)
+    return result.get('response')
+
+
 def print_members():
-    ci = gapi_cloudidentity.build('cloudidentity_beta')
+    ci = gapi_cloudidentity.build(CIGROUP_API_BETA)
    todrive = False
    gapi_directory_customer.setTrueCustomerId()
    parent = f'customers/{GC_Values[GC_CUSTOMER_ID]}'
@@ -381,36 +502,7 @@ def print_members():
            controlflow.invalid_argument_exit(sys.argv[i],
                                              'gam print cigroup-members')
    if not groups_to_get:
-        gam.printGettingAllItems('Groups', usemember)
-        page_message = gapi.got_total_items_first_last_msg('Groups')
-        if usemember:
-            try:
-                groups_to_get = gapi.get_all_pages(ci.groups().memberships(),
-                                                   'searchTransitiveGroups',
-                                                   'memberships',
-                                                   throw_reasons=[gapi_errors.ErrorReason.FOUR_O_O],
-                                                   message_attribute=['groupKey', 'id'],
-                                                   page_message=page_message,
-                                                   parent='groups/-', query=usemember,
-                                                   pageSize=1000,
-                                                   fields='nextPageToken,memberships(groupKey(id),relationType)')
-            except googleapiclient.errors.HttpError:
-                controlflow.system_error_exit(
-                        2,
-                        f'enterprisemember requires Enterprise license')
-            groups_to_get = [group['groupKey']['id'] for group in groups_to_get if group['relationType'] == 'DIRECT']
-        else:
-            groups_to_get = gapi.get_all_pages(
-                ci.groups(),
-                'list',
-                'groups',
-                message_attribute=['groupKey', 'id'],
-                page_message=page_message,
-                parent=parent,
-                view='BASIC',
-                pageSize=1000,
-                fields='nextPageToken,groups(groupKey(id))')
-            groups_to_get = [group['groupKey']['id'] for group in groups_to_get]
+        groups_to_get = _get_groups_list(ci, usemember, parent)
    i = 0
    count = len(groups_to_get)
    for group_email in groups_to_get:
@@ -430,8 +522,8 @@ def print_members():
            view='FULL',
            pageSize=500,
            page_message=page_message,
-            message_attribute=['memberKey', 'id'])
-        #fields='nextPageToken,memberships(memberKey,roles,createTime,updateTime)')
+            message_attribute=[CIGROUP_MEMBERKEY, 'id'])
+        #fields=f'nextPageToken,memberships({CIGROUP_MEMBERKEY},roles,createTime,updateTime)')
        if roles:
            group_members = filter_members_to_roles(group_members, roles)
        for member in group_members:
@@ -489,7 +581,7 @@ def update():
            ]
        return (role, expireTime, users_email)

-    ci = gapi_cloudidentity.build('cloudidentity_beta')
+    ci = gapi_cloudidentity.build(CIGROUP_API_BETA)
    group = sys.argv[3]
    myarg = sys.argv[4].lower()
    items = []
@@ -516,7 +608,7 @@ def update():
                    items.append(item)
            elif len(users_email) > 0:
                body = {
-                    'memberKey': {
+                    CIGROUP_MEMBERKEY: {
                        'id': users_email[0]
                    },
                    'roles': [{
@@ -736,12 +828,12 @@ def update():
                    page_message=page_message,
                    throw_reasons=gapi_errors.MEMBERS_THROW_REASONS,
                    parent=parent,
-                    fields='nextPageToken,memberships(memberKey,roles)')
+                    fields=f'nextPageToken,memberships({CIGROUP_MEMBERKEY},roles)')
                result = filter_members_to_roles(result, roles)
                if not result:
                    print('Group already has 0 members')
                    return
-                users_email = [member['memberKey']['id'] for member in result]
+                users_email = [member[CIGROUP_MEMBERKEY]['id'] for member in result]
                sys.stderr.write(
                    f'Group: {group}, Will remove {len(users_email)} {", ".join(roles).lower()}s.\n'
                )
@@ -759,6 +851,7 @@ def update():
    else:
        i = 4
        body = {}
+        sec_body = {}
        while i < len(sys.argv):
            myarg = sys.argv[i].lower().replace('_', '')
            if myarg == 'name':
@@ -773,17 +866,49 @@ def update():
                    'cloudidentity.googleapis.com/groups.discussion_forum': ''
                }
                i += 1
+            elif myarg in ['dynamic']:
+                body['dynamicGroupMetadata'] = {
+                    'queries': [{
+                        'query': sys.argv[i + 1],
+                        'resourceType': 'USER'
+                    }]
+                }
+                i += 2
+            elif myarg in ['memberrestriction', 'memberrestrictions']:
+                query = sys.argv[i + 1]
+                member_types = {
+                  'USER': '1',
+                  'SERVICE_ACCOUNT': '2',
+                  'GROUP': '3',
+                  }
+                for key, val in member_types.items():
+                    query = query.replace(key, val)
+                sec_body['memberRestriction'] = {'query': query}
+                i += 2
            else:
                controlflow.invalid_argument_exit(sys.argv[i],
                                                  'gam update cigroup')
-        updateMask = ','.join(body.keys())
-        name = group_email_to_id(ci, group)
-        print(f'Updating group {group}')
-        gapi.call(ci.groups(),
-                  'patch',
-                  updateMask=updateMask,
-                  name=name,
-                  body=body)
+        if body:
+            updateMask = ','.join(body.keys())
+            name = group_email_to_id(ci, group)
+            print(f'Updating group {group}')
+            gapi.call(ci.groups(),
+                      'patch',
+                      updateMask=updateMask,
+                      name=name,
+                      body=body)
+        if sec_body:
+            updateMask = 'member_restriction.query'
+            # it seems like a bug that API requires /securitySettings
+            # appended to name. We'll see if Google servers change this
+            # at some point.
+            name = f'{group_email_to_id(ci, group)}/securitySettings'
+            print(f'Updating group {group} security settings')
+            gapi.call(ci.groups(),
+                    'updateSecuritySettings',
+                    name=name,
+                    updateMask=updateMask,
+                    body=sec_body)


 def group_email_to_id(ci, group, i=0, count=0):
--- a/src/gam/gapi/directory/groups.py
+++ b/src/gam/gapi/directory/groups.py
@@ -266,6 +266,8 @@ GROUP_ATTRIBUTES_ARGUMENT_TO_PROPERTY_MAP = {
        'customReplyTo',
    'defaultmessagedenynotificationtext':
        'defaultMessageDenyNotificationText',
+    'defaultsender':
+        'defaultSender',
    'enablecollaborativeinbox':
        'enableCollaborativeInbox',
    'favoriterepliesontop':
@@ -979,6 +981,9 @@ def update():
                sys.stderr.write(
                    f'Group: {group}, Will add {len(to_add)} and remove {len(to_remove)} {role}s.\n'
                )
+                for user in to_remove:
+                    items.append(
+                        ['gam', 'update', 'group', group, 'remove', user])
                for user in to_add:
                    item = ['gam', 'update', 'group', group, 'add']
                    if role:
@@ -987,9 +992,6 @@ def update():
                        item.append(delivery)
                    item.append(user)
                    items.append(item)
-                for user in to_remove:
-                    items.append(
-                        ['gam', 'update', 'group', group, 'remove', user])
        elif myarg in ['delete', 'remove']:
            _, users_email, _ = _getRoleAndUsers()
            if not exists(cd, group):
@@ -1219,7 +1221,7 @@ def getGroupAttrValue(myarg, value, gs_object, gs_body, function):
         params) in list(gs_object['schemas']['Groups']['properties'].items()):
        if attrib in ['kind', 'etag', 'email']:
            continue
-        if myarg == attrib.lower():
+        if myarg == attrib.lower().replace('_', ''):
            if params['type'] == 'integer':
                try:
                    if value[-1:].upper() == 'M':
--- a/src/gam/gapi/directory/users.py
+++ b/src/gam/gapi/directory/users.py
@@ -3,6 +3,7 @@ from time import sleep
 import gam
 from gam import gapi
 from gam.gapi import directory as gapi_directory
+from gam.gapi import errors as gapi_errors


 def get_primary(email):
@@ -53,10 +54,16 @@ def wait_for_mailbox(users):
        i += 1
        user = gam.normalizeEmailAddressOrUID(user)
        while True:
-            result = gapi.call(cd.users(),
-                               'get',
-                               'fields=isMailboxSetup',
-                               userKey=user)
+            try:
+                result = gapi.call(cd.users(),
+                                   'get',
+                                   'fields=isMailboxSetup',
+                                   userKey=user,
+                                   throw_reasons=[gapi_errors.ErrorReason.USER_NOT_FOUND])
+            except gapi_errors.GapiUserNotFoundError:
+                print(f'{user} mailboxIsSetup: False (user does not exist yet)')
+                sleep(3)
+                continue
            mailbox_is_setup = result.get('isMailboxSetup')
            print(f'{user} mailboxIsSetup: {mailbox_is_setup}')
            if mailbox_is_setup:
--- a/src/gam/gapi/errors.py
+++ b/src/gam/gapi/errors.py
@@ -60,6 +60,10 @@ class GapiGroupNotFoundError(Exception):
    pass


+class GapiInternalServerError(Exception):
+    pass
+
+
 class GapiInvalidError(Exception):
    pass

@@ -119,11 +123,13 @@ class ErrorReason(Enum):
    FIVE_O_THREE = '503'
    FOUR_O_NINE = '409'
    FOUR_O_O = '400'
+    FOUR_O_FOUR = '404'
    FOUR_O_THREE = '403'
    FOUR_TWO_NINE = '429'
    GATEWAY_TIMEOUT = 'gatewayTimeout'
    GROUP_NOT_FOUND = 'groupNotFound'
    INTERNAL_ERROR = 'internalError'
+    INTERNAL_SERVER_ERROR = 'internalServerError'
    INVALID = 'invalid'
    INVALID_ARGUMENT = 'invalidArgument'
    INVALID_MEMBER = 'invalidMember'
@@ -198,6 +204,8 @@ ERROR_REASON_TO_EXCEPTION = {
        GapiGatewayTimeoutError,
    ErrorReason.GROUP_NOT_FOUND:
        GapiGroupNotFoundError,
+    ErrorReason.INTERNAL_SERVER_ERROR:
+        GapiInternalServerError,
    ErrorReason.INVALID:
        GapiInvalidError,
    ErrorReason.INVALID_ARGUMENT:
@@ -335,6 +343,10 @@ def get_gapi_error_detail(e,
            if 'Requested entity was not found' in message or 'does not exist' in message:
                error = _create_http_error_dict(404, ErrorReason.NOT_FOUND.value,
                                                message)
+        elif http_status == 500:
+            if 'Failed to convert server response to JSON' in message:
+                error = _create_http_error_dict(500, ErrorReason.INTERNAL_SERVER_ERROR.value,
+                                                message)
    else:
        if 'error_description' in error:
            if error['error_description'] == 'Invalid Value':
--- a/src/gam/gapi/errors_test.py
+++ b/src/gam/gapi/errors_test.py
@@ -7,6 +7,7 @@ from unittest.mock import patch

 import googleapiclient.errors
 from gam.gapi import errors
+import httplib2


 def create_simple_http_error(status, reason, message):
@@ -15,10 +16,10 @@ def create_simple_http_error(status, reason, message):


 def create_http_error(status, content):
-    response = {
+    response = httplib2.Response({
        'status': status,
        'content-type': 'application/json',
-    }
+    })
    content_as_bytes = json.dumps(content).encode('UTF-8')
    return googleapiclient.errors.HttpError(response, content_as_bytes)

@@ -73,6 +74,7 @@ class ErrorsTest(unittest.TestCase):
    def test_get_gapi_error_extracts_user_not_found(self):
        err = create_simple_http_error(404, 'notFound',
                                       'Resource Not Found: userKey.')
+        print(err)
        http_status, reason, message = errors.get_gapi_error_detail(err)
        self.assertEqual(http_status, 404)
        self.assertEqual(reason, errors.ErrorReason.USER_NOT_FOUND.value)
@@ -158,7 +160,7 @@ class ErrorsTest(unittest.TestCase):

    def test_get_gapi_error_extracts_single_error_with_message(self):
        status_code = 999
-        response = {'status': status_code}
+        response = httplib2.Response({'status': status_code})
        # This error does not have an "errors" key describing each error.
        content = {'error': {'code': status_code, 'message': 'unknown error'}}
        content_as_bytes = json.dumps(content).encode('UTF-8')
@@ -172,7 +174,7 @@ class ErrorsTest(unittest.TestCase):
    def test_get_gapi_error_exits_code_4_on_malformed_error_with_unknown_description(
        self):
        status_code = 999
-        response = {'status': status_code}
+        response = httplib2.Response({'status': status_code})
        # This error only has an error_description_field and an unknown description.
        content = {'error_description': 'something errored'}
        content_as_bytes = json.dumps(content).encode('UTF-8')
@@ -184,7 +186,7 @@ class ErrorsTest(unittest.TestCase):

    def test_get_gapi_error_exits_on_invalid_error_description(self):
        status_code = 400
-        response = {'status': status_code}
+        response = httplib2.Response({'status': status_code})
        content = {'error_description': 'Invalid Value'}
        content_as_bytes = json.dumps(content).encode('UTF-8')
        err = googleapiclient.errors.HttpError(response, content_as_bytes)
@@ -196,7 +198,7 @@ class ErrorsTest(unittest.TestCase):

    def test_get_gapi_error_exits_code_4_on_unexpected_error_contents(self):
        status_code = 900
-        response = {'status': status_code}
+        response = httplib2.Response({'status': status_code})
        content = {'notErrorContentThatIsExpected': 'foo'}
        content_as_bytes = json.dumps(content).encode('UTF-8')
        err = googleapiclient.errors.HttpError(response, content_as_bytes)
--- a/src/gam/gapi/reports.py
+++ b/src/gam/gapi/reports.py
@@ -285,7 +285,7 @@ def showReport():
    customerId = GC_Values[GC_CUSTOMER_ID]
    if customerId == MY_CUSTOMER:
        customerId = None
-    filters = parameters = actorIpAddress = startTime = endTime = eventName = orgUnitId = None
+    filters = parameters = actorIpAddress = groupIdFilter = startTime = endTime = eventName = orgUnitId = None
    tryDate = datetime.date.today().strftime(YYYYMMDD_FORMAT)
    to_drive = False
    userKey = 'all'
@@ -330,6 +330,9 @@ def showReport():
        elif myarg == 'ip':
            actorIpAddress = sys.argv[i + 1]
            i += 2
+        elif myarg == 'groupidfilter':
+            groupIdFilter = sys.argv[i + 1]
+            i += 2
        elif myarg == 'todrive':
            to_drive = True
            i += 1
@@ -489,7 +492,8 @@ def showReport():
                                        endTime=endTime,
                                        eventName=eventName,
                                        filters=filters,
-                                        orgUnitID=orgUnitId)
+                                        orgUnitID=orgUnitId,
+                                        groupIdFilter=groupIdFilter)
        if activities:
            titles = ['name']
            csvRows = []
--- a/src/gam/utils.py
+++ b/src/gam/utils.py
@@ -254,6 +254,18 @@ def get_delta_time(argstr):
    return deltaTime


+def get_hhmm(argstr):
+    argstr = argstr.strip()
+    if argstr:
+        try:
+            dateTime = datetime.datetime.strptime(argstr, HHMM_FORMAT)
+            return argstr
+        except ValueError:
+            controlflow.system_error_exit(
+                2, f'expected a <{HHMM_FORMAT_REQUIRED}>; got {argstr}')
+    controlflow.system_error_exit(2, f'expected a <{HHMM_FORMAT_REQUIRED}>')
+
+
 def get_yyyymmdd(argstr, minLen=1, returnTimeStamp=False, returnDateTime=False):
    argstr = argstr.strip()
    if argstr:
--- a/src/gam/var.py
+++ b/src/gam/var.py
@@ -8,7 +8,7 @@ import platform
 import re

 GAM_AUTHOR = 'Jay Lee <jay0lee@gmail.com>'
-GAM_VERSION = '6.01'
+GAM_VERSION = '6.12'
 GAM_LICENSE = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'

 GAM_URL = 'https://git.io/gam'
@@ -56,6 +56,11 @@ SKUS = {
        'aliases': ['identitypremium', 'cloudidentitypremium'],
        'displayName': 'Cloud Identity Premium'
    },
+    '1010350001': {
+        'product': '101035',
+        'aliases': ['cloudsearch'],
+        'displayName': 'Google Cloud Search',
+    },
    '1010310002': {
        'product': '101031',
        'aliases': ['gsefe', 'e4e', 'gsuiteenterpriseeducation'],
@@ -119,7 +124,7 @@ SKUS = {
    'Google-Apps': {
        'product': 'Google-Apps',
        'aliases': ['standard', 'free'],
-        'displayName': 'G Suite Free/Standard'
+        'displayName': 'G Suite Legacy'
    },
    'Google-Apps-For-Business': {
        'product': 'Google-Apps',
@@ -271,6 +276,7 @@ PRODUCTID_NAME_MAPPINGS = {
    '101031': 'G Suite Workspace for Education',
    '101033': 'Google Voice',
    '101034': 'G Suite Archived',
+    '101035': 'Cloud Search',
    '101037': 'G Suite Workspace for Education',
    'Google-Apps': 'Google Workspace',
    'Google-Chrome-Device-Management': 'Google Chrome Device Management',
@@ -280,12 +286,8 @@ PRODUCTID_NAME_MAPPINGS = {

 # Legacy APIs that use v1 discovery. Newer APIs should all use v2.
 V1_DISCOVERY_APIS = {
-    'admin',
-    'calendar',
    'drive',
    'oauth2',
-    'reseller',
-    'siteVerification',
 }

 API_NAME_MAPPING = {
@@ -293,7 +295,7 @@ API_NAME_MAPPING = {
    'reports': 'admin',
    'datatransfer': 'admin',
    'drive3': 'drive',
-    'cloudresourcemanagerv1': 'cloudresourcemanager',
+    'calendar': 'calendar-json',
    'cloudidentity_beta': 'cloudidentity',
 }

@@ -307,8 +309,7 @@ API_VER_MAPPING = {
    'classroom': 'v1',
    'cloudidentity': 'v1',
    'cloudidentity_beta': 'v1beta1',
-    'cloudresourcemanager': 'v2',
-    'cloudresourcemanagerv1': 'v1',
+    'cloudresourcemanager': 'v3',
    'contactdelegation': 'v1',
    'datatransfer': 'datatransfer_v1',
    'directory': 'directory_v1',
@@ -457,6 +458,7 @@ DRIVEFILE_FIELDS_CHOICES_MAP = {
    'createddate': 'createdDate',
    'createdtime': 'createdDate',
    'description': 'description',
+    'driveid': 'driveId',
    'editable': 'editable',
    'explicitlytrashed': 'explicitlyTrashed',
    'fileextension': 'fileExtension',
@@ -472,6 +474,7 @@ DRIVEFILE_FIELDS_CHOICES_MAP = {
    'lastviewedbymedate': 'lastViewedByMeDate',
    'lastviewedbymetime': 'lastViewedByMeDate',
    'lastviewedbyuser': 'lastViewedByMeDate',
+    'linksharemetadata': 'linkShareMetadata',
    'md5': 'md5Checksum',
    'md5checksum': 'md5Checksum',
    'md5sum': 'md5Checksum',
@@ -490,6 +493,7 @@ DRIVEFILE_FIELDS_CHOICES_MAP = {
    'owners': 'owners',
    'parents': 'parents',
    'permissions': 'permissions',
+    'resourcekey': 'resourceKey',
    'quotabytesused': 'quotaBytesUsed',
    'quotaused': 'quotaBytesUsed',
    'shareable': 'shareable',
@@ -497,6 +501,7 @@ DRIVEFILE_FIELDS_CHOICES_MAP = {
    'sharedwithmedate': 'sharedWithMeDate',
    'sharedwithmetime': 'sharedWithMeDate',
    'sharinguser': 'sharingUser',
+    'shortcutdetails': 'shortcutDetails',
    'spaces': 'spaces',
    'thumbnaillink': 'thumbnailLink',
    'title': 'title',
@@ -613,17 +618,22 @@ GOOGLEDOC_VALID_EXTENSIONS_MAP = {
 }

 MACOS_CODENAMES = {
-    6: 'Snow Leopard',
-    7: 'Lion',
-    8: 'Mountain Lion',
-    9: 'Mavericks',
-    10: 'Yosemite',
-    11: 'El Capitan',
-    12: 'Sierra',
-    13: 'High Sierra',
-    14: 'Mojave',
-    15: 'Catalina'
-}
+    10: {
+        6:  'Snow Leopard',
+        7:  'Lion',
+        8:  'Mountain Lion',
+        9:  'Mavericks',
+        10: 'Yosemite',
+        11: 'El Capitan',
+        12: 'Sierra',
+        13: 'High Sierra',
+        14: 'Mojave',
+        15: 'Catalina',
+        16: 'Big Sur'
+        },
+    11: 'Big Sur',
+    12: 'Monterey',
+    }

 _MICROSOFT_FORMATS_LIST = [{
    'mime':
@@ -888,8 +898,6 @@ RT_TAG_REPLACE_PATTERN = re.compile(r'{(.*?)}')
 LOWERNUMERIC_CHARS = string.ascii_lowercase + string.digits
 ALPHANUMERIC_CHARS = LOWERNUMERIC_CHARS + string.ascii_uppercase
 URL_SAFE_CHARS = ALPHANUMERIC_CHARS + '-._~'
-PASSWORD_SAFE_CHARS = ALPHANUMERIC_CHARS + string.punctuation + ' '
-FILENAME_SAFE_CHARS = ALPHANUMERIC_CHARS + '-_.() '

 FILTER_ADD_LABEL_TO_ARGUMENT_MAP = {
    'IMPORTANT': 'important',
@@ -1104,7 +1112,8 @@ GROUP_SETTINGS_LIST_ATTRIBUTES = set([
    'whoCanUnmarkFavoriteReplyOnAnyTopic',
    'whoCanViewGroup',
    'whoCanViewMembership',
-    # Miscellaneous hoices
+    # Miscellaneous choices
+    'default_sender',
    'messageModerationLevel',
    'replyTo',
    'spamModerationLevel',
@@ -1239,10 +1248,12 @@ GC_DOMAIN = 'domain'
 GC_DRIVE_DIR = 'drive_dir'
 # Enable Delegated Admin Service Accounts
 GC_ENABLE_DASA = 'enabledasa'
-# If no_browser is False, writeCSVfile won't open a browser when todrive is set
+# If no_browser is True, writeCSVfile won't open a browser when todrive is set
 # and doRequestOAuth prints a link and waits for the verification code when
 # oauth2.txt is being created
 GC_NO_BROWSER = 'no_browser'
+# If no_tdemail is True, writeCSVfile won't send an email
+GC_NO_TDEMAIL = 'no_tdemail'
 # oauth_browser forces usage of web server OAuth flow that proved problematic.
 GC_OAUTH_BROWSER = 'oauth_browser'
 # Disable GAM API caching
@@ -1297,6 +1308,7 @@ GC_Defaults = {
    GC_DRIVE_DIR: '',
    GC_ENABLE_DASA: False,
    GC_NO_BROWSER: False,
+    GC_NO_TDEMAIL: False,
    GC_NO_CACHE: False,
    GC_NO_SHORT_URLS: False,
    GC_NO_UPDATE_CHECK: False,
@@ -1382,6 +1394,9 @@ GC_VAR_INFO = {
    GC_NO_BROWSER: {
        GC_VAR_TYPE: GC_TYPE_BOOLEAN
    },
+    GC_NO_TDEMAIL: {
+        GC_VAR_TYPE: GC_TYPE_BOOLEAN
+    },
    GC_NO_CACHE: {
        GC_VAR_TYPE: GC_TYPE_BOOLEAN
    },
@@ -1514,7 +1529,7 @@ USER_EXTERNALID_TYPES = [
 ]
 USER_GENDER_TYPES = ['female', 'male', 'unknown']
 USER_IM_TYPES = ['home', 'work', 'other']
-USER_KEYWORD_TYPES = ['occupation', 'outlook']
+USER_KEYWORD_TYPES = ['occupation', 'outlook', 'mission']
 USER_LOCATION_TYPES = ['default', 'desk']
 USER_ORGANIZATION_TYPES = ['domain_only', 'school', 'unknown', 'work']
 USER_PHONE_TYPES = [
@@ -1529,7 +1544,7 @@ USER_RELATION_TYPES = [
 ]
 USER_WEBSITE_TYPES = [
    'app_install_page', 'blog', 'ftp', 'home', 'home_page', 'other', 'profile',
-    'reservations', 'work'
+    'reservations', 'resume', 'work'
 ]

 WEBCOLOR_MAP = {
@@ -1931,6 +1946,9 @@ DELTA_DATE_FORMAT_REQUIRED = '(+|-)<Number>(d|w|y)'
 DELTA_TIME_PATTERN = re.compile(r'^([+-])(\d+)([mhdwy])$')
 DELTA_TIME_FORMAT_REQUIRED = '(+|-)<Number>(m|h|d|w|y)'

+HHMM_FORMAT = '%H:%M'
+HHMM_FORMAT_REQUIRED = 'hh:mm'
+
 YYYYMMDD_FORMAT = '%Y-%m-%d'
 YYYYMMDD_FORMAT_REQUIRED = 'yyyy-mm-dd'

--- a/src/requirements.txt
+++ b/src/requirements.txt
@@ -1,11 +1,13 @@
+yubikey-manager>=4.0.0
 cryptography
 distro; sys_platform == 'linux'
 filelock
-google-api-python-client==2.0.2
+google-api-python-client>=2.1
 google-auth-httplib2
 google-auth-oauthlib>=0.4.1
-google-auth>=1.11.2
+google-auth>=2.3.2
 httplib2>=0.17.0
+importlib.metadata; python_version < '3.8'
 passlib>=1.7.2
 python-dateutil
-yubikey-manager>=4.0.0
+pathvalidate
--- a/src/setup.cfg
+++ b/src/setup.cfg
@@ -0,0 +1,49 @@
+[metadata]
+name = GAM for Google Workspace
+version = 6.0.7
+description = Command line management for Google Workspaces
+long_description = file: readme.md
+long_description_content_type = text/markdown
+url = https://github.com/jay0lee/GAM
+author = Jay Lee
+author_email = jay0lee@gmail.com
+license = Apache
+license_files = LICENSE
+keywords = google, oauth2, gsuite, google-apps, google-admin-sdk, google-drive, google-cloud, google-calendar, gam, google-api, oauth2-client, google-workspace
+classifiers =
+    Programming Language :: Python :: 3
+    Programming Language :: Python :: 3 :: Only
+    Programming Language :: Python :: 3.6
+    Programming Language :: Python :: 3.7
+    Programming Language :: Python :: 3.8
+    Programming Language :: Python :: 3.9
+    License :: OSI Approved :: Apache License
+
+[options]
+packages = find:
+python_requires = >=3.6
+install_requires =
+    cryptography
+    distro; sys_platform == 'linux'
+    filelock
+    google-api-python-client >= 2.1
+    google-auth-httplib2
+    google-auth-oauthlib >= 0.4.1
+    google-auth >= 1.11.2
+    httplib2 >= 0.17.0
+    importlib.metadata; python_version < '3.8'
+    passlib >= 1.7.2
+    python-dateutil
+    yubikey-manager >= 4.0.0
+    pathvalidate
+
+# used during pip install .[test]
+[options.extras_require]
+test = pre-commit
+
+[options.entry_points]
+console_scripts =
+    gam = gam.__main__:main
+
+[bdist_wheel]
+universal = True
--- a/src/setup.py
+++ b/src/setup.py
@@ -0,0 +1,3 @@
+from setuptools import setup
+
+setup()
--- a/src/tools/a_atleast_b.py
+++ b/src/tools/a_atleast_b.py
@@ -1,13 +1,11 @@
 #!/usr/bin/env python3

-#from packaging import version
-from distutils.version import LooseVersion
+from packaging import version
 import sys

 a = sys.argv[1]
 b = sys.argv[2]
-#result = version.parse(a) >= version.parse(b)
-result = LooseVersion(a) >= LooseVersion(b)
+result = version.parse(a) >= version.parse(b)
 if result:
    print('OK: %s is equal or newer than %s' % (a, b))
 else: