From ac22463cab802c7892df65f324e19f956eb74e18 Mon Sep 17 00:00:00 2001
From: uazo <29201891+uazo@users.noreply.github.com>
Date: Wed, 23 Oct 2024 02:59:29 +0000
Subject: [PATCH] [AUTO][FILECONTROL] - version 130.0.6723.73
---
tools/under-control/src/RELEASE | 2 +-
.../resources/templates/common_schemas.yaml | 382 +++++
.../legacy_device_policy_proto_map.yaml | 58 +
.../manual_device_policy_proto_map.yaml | 228 +++
.../policy/resources/templates/messages.yaml | 241 +++
.../policy/resources/templates/policies.yaml | 1355 +++++++++++++++++
.../Accessibility/.group.details.yaml | 3 +
.../AccessibilityShortcutsEnabled.yaml | 33 +
.../Accessibility/AutoclickEnabled.yaml | 34 +
.../Accessibility/CaretHighlightEnabled.yaml | 34 +
.../Accessibility/ColorCorrectionEnabled.yaml | 35 +
.../Accessibility/CursorHighlightEnabled.yaml | 35 +
...inScreenAccessibilityShortcutsEnabled.yaml | 35 +
.../DeviceLoginScreenAutoclickEnabled.yaml | 36 +
...eviceLoginScreenCaretHighlightEnabled.yaml | 34 +
...viceLoginScreenCursorHighlightEnabled.yaml | 34 +
...LoginScreenDefaultHighContrastEnabled.yaml | 33 +
...eLoginScreenDefaultLargeCursorEnabled.yaml | 31 +
...LoginScreenDefaultScreenMagnifierType.yaml | 40 +
...ginScreenDefaultSpokenFeedbackEnabled.yaml | 33 +
...inScreenDefaultVirtualKeyboardEnabled.yaml | 36 +
.../DeviceLoginScreenDictationEnabled.yaml | 34 +
.../DeviceLoginScreenHighContrastEnabled.yaml | 34 +
...inScreenKeyboardFocusHighlightEnabled.yaml | 35 +
.../DeviceLoginScreenLargeCursorEnabled.yaml | 34 +
.../DeviceLoginScreenMonoAudioEnabled.yaml | 36 +
.../DeviceLoginScreenScreenMagnifierType.yaml | 43 +
...DeviceLoginScreenSelectToSpeakEnabled.yaml | 34 +
...oginScreenShowOptionsInSystemTrayMenu.yaml | 30 +
...eviceLoginScreenSpokenFeedbackEnabled.yaml | 34 +
.../DeviceLoginScreenStickyKeysEnabled.yaml | 34 +
...viceLoginScreenVirtualKeyboardEnabled.yaml | 36 +
.../Accessibility/DictationEnabled.yaml | 33 +
...edNetworkVoicesInSelectToSpeakAllowed.yaml | 26 +
.../FloatingAccessibilityMenuEnabled.yaml | 25 +
.../Accessibility/HighContrastEnabled.yaml | 27 +
.../KeyboardDefaultToFunctionKeys.yaml | 25 +
.../KeyboardFocusHighlightEnabled.yaml | 34 +
.../Accessibility/LargeCursorEnabled.yaml | 27 +
.../Accessibility/MonoAudioEnabled.yaml | 34 +
.../Accessibility/ScreenMagnifierType.yaml | 34 +
.../Accessibility/SelectToSpeakEnabled.yaml | 32 +
...wAccessibilityOptionsInSystemTrayMenu.yaml | 29 +
.../Accessibility/SpokenFeedbackEnabled.yaml | 27 +
.../Accessibility/StickyKeysEnabled.yaml | 27 +
.../UiAutomationProviderEnabled.yaml | 60 +
.../Accessibility/VirtualKeyboardEnabled.yaml | 35 +
.../VirtualKeyboardFeatures.yaml | 47 +
.../.group.details.yaml | 3 +
.../ChromadToCloudMigrationEnabled.yaml | 31 +
.../CloudAPAuthEnabled.yaml | 35 +
.../DeviceAuthDataCacheLifetime.yaml | 27 +
.../DeviceGpoCacheLifetime.yaml | 26 +
.../DeviceKerberosEncryptionTypes.yaml | 43 +
.../DeviceMachinePasswordChangeRate.yaml | 27 +
...eviceUserPolicyLoopbackProcessingMode.yaml | 38 +
.../policy_atomic_groups.yaml | 9 +
.../Arc/.group.details.yaml | 2 +
.../AppRecommendationZeroStateEnabled.yaml | 30 +
.../Arc/ArcAppInstallEventLoggingEnabled.yaml | 25 +
.../Arc/ArcAppToWebAppSharingEnabled.yaml | 25 +
.../Arc/ArcBackupRestoreEnabled.yaml | 18 +
.../Arc/ArcBackupRestoreServiceEnabled.yaml | 37 +
.../Arc/ArcCertificatesSyncMode.yaml | 32 +
.../policy_definitions/Arc/ArcEnabled.yaml | 23 +
.../Arc/ArcGoogleLocationServicesEnabled.yaml | 40 +
.../Arc/ArcLocationServiceEnabled.yaml | 18 +
.../policy_definitions/Arc/ArcPolicy.yaml | 59 +
.../Arc/DeviceArcDataSnapshotHours.yaml | 47 +
.../Arc/UnaffiliatedArcAllowed.yaml | 25 +
.../Arc/UnaffiliatedDeviceArcAllowed.yaml | 24 +
.../Attestation/.group.details.yaml | 2 +
.../AttestationEnabledForDevice.yaml | 28 +
.../AttestationEnabledForUser.yaml | 26 +
.../AttestationExtensionAllowlist.yaml | 21 +
...ttestationForContentProtectionEnabled.yaml | 25 +
.../DeviceWebBasedAttestationAllowedUrls.yaml | 31 +
.../Attestation/policy_atomic_groups.yaml | 7 +
.../Borealis/.group.details.yaml | 2 +
.../Borealis/DeviceBorealisAllowed.yaml | 30 +
.../Borealis/UserBorealisAllowed.yaml | 26 +
.../BrowserEventReporting/.group.details.yaml | 2 +
.../ReportingEndpoints.yaml | 26 +
.../policy_atomic_groups.yaml | 4 +
.../BrowserIdle/.group.details.yaml | 3 +
.../BrowserIdle/IdleTimeout.yaml | 29 +
.../BrowserIdle/IdleTimeoutActions.yaml | 101 ++
.../BrowserIdle/policy_atomic_groups.yaml | 5 +
.../BrowserSwitcher/.group.details.yaml | 5 +
.../AlternativeBrowserParameters.yaml | 29 +
.../AlternativeBrowserPath.yaml | 18 +
.../BrowserSwitcherChromeParameters.yaml | 25 +
.../BrowserSwitcherChromePath.yaml | 20 +
.../BrowserSwitcher/BrowserSwitcherDelay.yaml | 19 +
.../BrowserSwitcherEnabled.yaml | 24 +
.../BrowserSwitcherExternalGreylistUrl.yaml | 21 +
.../BrowserSwitcherExternalSitelistUrl.yaml | 22 +
.../BrowserSwitcherKeepLastChromeTab.yaml | 24 +
.../BrowserSwitcherParsingMode.yaml | 36 +
.../BrowserSwitcherUrlGreylist.yaml | 27 +
.../BrowserSwitcherUrlList.yaml | 25 +
.../BrowserSwitcherUseIeSitelist.yaml | 28 +
.../BrowserSwitcher/policy_atomic_groups.yaml | 15 +
.../Bruschetta/.group.details.yaml | 2 +
.../BruschettaInstallerConfiguration.yaml | 45 +
.../Bruschetta/BruschettaVMConfiguration.yaml | 135 ++
.../CastReceiver/.group.details.yaml | 2 +
.../CastReceiver/CastReceiverEnabled.yaml | 25 +
.../CastReceiver/CastReceiverName.yaml | 21 +
.../CastReceiver/policy_atomic_groups.yaml | 5 +
.../CertificateManagement/.group.details.yaml | 2 +
.../CACertificateManagementAllowed.yaml | 34 +
.../CertificateManagement/CACertificates.yaml | 28 +
.../CACertificatesWithConstraints.yaml | 47 +
.../CADistrustedCertificates.yaml | 32 +
.../CAHintCertificates.yaml | 28 +
.../CAPlatformIntegrationEnabled.yaml | 32 +
.../RequiredClientCertificateForDevice.yaml | 61 +
.../RequiredClientCertificateForUser.yaml | 60 +
.../.group.details.yaml | 4 +
.../ChromeFrameContentTypes.yaml | 22 +
.../.group.details.yaml | 5 +
.../AdditionalLaunchParameters.yaml | 19 +
.../ChromeFrameRendererSettings.yaml | 28 +
.../RenderInChromeFrameList.yaml | 25 +
.../RenderInHostList.yaml | 24 +
.../SkipMetadataCheck.yaml | 23 +
.../CloudReporting/.group.details.yaml | 8 +
.../CloudExtensionRequestEnabled.yaml | 37 +
.../CloudProfileReportingEnabled.yaml | 37 +
.../CloudReporting/CloudReportingEnabled.yaml | 36 +
.../CloudReportingUploadFrequency.yaml | 32 +
.../LegacyTechReportAllowlist.yaml | 40 +
.../ReportExtensionsAndPluginsData.yaml | 32 +
.../CloudReporting/ReportMachineIDData.yaml | 31 +
.../CloudReporting/ReportPolicyData.yaml | 32 +
.../ReportSafeBrowsingData.yaml | 27 +
.../CloudReporting/ReportUserIDData.yaml | 32 +
.../CloudReporting/ReportVersionData.yaml | 33 +
.../CloudReporting/policy_atomic_groups.yaml | 12 +
.../CloudUpload/.group.details.yaml | 2 +
.../GoogleWorkspaceCloudUpload.yaml | 42 +
.../MicrosoftOfficeCloudUpload.yaml | 42 +
.../ContentSettings/.group.details.yaml | 3 +
.../AutoSelectCertificateForUrls.yaml | 55 +
.../AutomaticFullscreenAllowedForUrls.yaml | 39 +
.../AutomaticFullscreenBlockedForUrls.yaml | 39 +
.../ClipboardAllowedForUrls.yaml | 28 +
.../ClipboardBlockedForUrls.yaml | 27 +
.../CookiesAllowedForUrls.yaml | 38 +
.../CookiesBlockedForUrls.yaml | 30 +
.../CookiesSessionOnlyForUrls.yaml | 30 +
.../DataUrlInSvgUseEnabled.yaml | 29 +
.../DefaultClipboardSetting.yaml | 34 +
.../DefaultCookiesSetting.yaml | 38 +
.../DefaultDirectSocketsSetting.yaml | 35 +
.../DefaultFileHandlingGuardSetting.yaml | 33 +
.../DefaultFileSystemReadGuardSetting.yaml | 35 +
.../DefaultFileSystemWriteGuardSetting.yaml | 33 +
.../DefaultGeolocationSetting.yaml | 42 +
.../ContentSettings/DefaultImagesSetting.yaml | 32 +
.../DefaultInsecureContentSetting.yaml | 34 +
.../DefaultJavaScriptJitSetting.yaml | 37 +
.../DefaultJavaScriptOptimizerSetting.yaml | 44 +
.../DefaultJavaScriptSetting.yaml | 33 +
.../ContentSettings/DefaultKeygenSetting.yaml | 34 +
.../DefaultLocalFontsSetting.yaml | 34 +
.../DefaultMediaStreamSetting.yaml | 31 +
.../DefaultNotificationsSetting.yaml | 36 +
.../DefaultPluginsSetting.yaml | 37 +
.../ContentSettings/DefaultPopupsSetting.yaml | 34 +
.../DefaultSensorsSetting.yaml | 33 +
.../DefaultSerialGuardSetting.yaml | 33 +
...tThirdPartyStoragePartitioningSetting.yaml | 35 +
.../DefaultWebBluetoothGuardSetting.yaml | 35 +
.../DefaultWebHidGuardSetting.yaml | 35 +
.../DefaultWebPrintingSetting.yaml | 30 +
.../DefaultWebUsbGuardSetting.yaml | 34 +
.../DefaultWindowManagementSetting.yaml | 35 +
.../DefaultWindowPlacementSetting.yaml | 34 +
.../DirectSocketsAllowedForUrls.yaml | 30 +
.../DirectSocketsBlockedForUrls.yaml | 30 +
.../FileHandlingAllowedForUrls.yaml | 31 +
.../FileHandlingBlockedForUrls.yaml | 30 +
.../FileSystemReadAskForUrls.yaml | 30 +
.../FileSystemReadBlockedForUrls.yaml | 29 +
...SyncAccessHandleAsyncInterfaceEnabled.yaml | 30 +
.../FileSystemWriteAskForUrls.yaml | 30 +
.../FileSystemWriteBlockedForUrls.yaml | 29 +
...ediaSetSelectAllScreensAllowedForUrls.yaml | 26 +
.../ContentSettings/ImagesAllowedForUrls.yaml | 29 +
.../ContentSettings/ImagesBlockedForUrls.yaml | 29 +
.../InsecureContentAllowedForUrls.yaml | 27 +
.../InsecureContentBlockedForUrls.yaml | 27 +
.../JavaScriptAllowedForUrls.yaml | 28 +
.../JavaScriptBlockedForUrls.yaml | 30 +
.../JavaScriptJitAllowedForSites.yaml | 31 +
.../JavaScriptJitBlockedForSites.yaml | 33 +
.../JavaScriptOptimizerAllowedForSites.yaml | 50 +
.../JavaScriptOptimizerBlockedForSites.yaml | 54 +
.../ContentSettings/KeygenAllowedForUrls.yaml | 30 +
.../ContentSettings/KeygenBlockedForUrls.yaml | 30 +
.../LegacySameSiteCookieBehaviorEnabled.yaml | 34 +
...iteCookieBehaviorEnabledForDomainList.yaml | 31 +
.../LocalFontsAllowedForUrls.yaml | 27 +
.../LocalFontsBlockedForUrls.yaml | 27 +
.../NotificationsAllowedForUrls.yaml | 27 +
.../NotificationsBlockedForUrls.yaml | 27 +
.../PdfLocalFileAccessAllowedForDomains.yaml | 38 +
.../PluginsAllowedForUrls.yaml | 26 +
.../PluginsBlockedForUrls.yaml | 26 +
.../ContentSettings/PopupsAllowedForUrls.yaml | 29 +
.../ContentSettings/PopupsBlockedForUrls.yaml | 29 +
.../RegisteredProtocolHandlers.yaml | 44 +
.../SensorsAllowedForUrls.yaml | 30 +
.../SensorsBlockedForUrls.yaml | 30 +
.../SerialAllowAllPortsForUrls.yaml | 28 +
.../SerialAllowUsbDevicesForUrls.yaml | 62 +
.../ContentSettings/SerialAskForUrls.yaml | 31 +
.../ContentSettings/SerialBlockedForUrls.yaml | 30 +
...yStoragePartitioningBlockedForOrigins.yaml | 29 +
.../WebHidAllowAllDevicesForUrls.yaml | 30 +
.../WebHidAllowDevicesForUrls.yaml | 56 +
...ebHidAllowDevicesWithHidUsagesForUrls.yaml | 56 +
.../ContentSettings/WebHidAskForUrls.yaml | 38 +
.../ContentSettings/WebHidBlockedForUrls.yaml | 37 +
.../WebPrintingAllowedForUrls.yaml | 25 +
.../WebPrintingBlockedForUrls.yaml | 25 +
.../WebUsbAllowDevicesForUrls.yaml | 58 +
.../ContentSettings/WebUsbAskForUrls.yaml | 31 +
.../ContentSettings/WebUsbBlockedForUrls.yaml | 30 +
.../WindowManagementAllowedForUrls.yaml | 28 +
.../WindowManagementBlockedForUrls.yaml | 28 +
.../WindowPlacementAllowedForUrls.yaml | 27 +
.../WindowPlacementBlockedForUrls.yaml | 27 +
.../ContentSettings/policy_atomic_groups.yaml | 95 ++
.../Crostini/.group.details.yaml | 2 +
.../Crostini/CrostiniAllowed.yaml | 28 +
.../Crostini/CrostiniAnsiblePlaybook.yaml | 34 +
.../CrostiniArcAdbSideloadingAllowed.yaml | 34 +
.../CrostiniExportImportUIAllowed.yaml | 24 +
.../CrostiniPortForwardingAllowed.yaml | 26 +
.../Crostini/CrostiniRootAccessAllowed.yaml | 26 +
...eviceCrostiniArcAdbSideloadingAllowed.yaml | 39 +
.../DeviceUnaffiliatedCrostiniAllowed.yaml | 31 +
.../Crostini/SystemTerminalSshAllowed.yaml | 26 +
.../Crostini/VirtualMachinesAllowed.yaml | 27 +
.../DateAndTime/.group.details.yaml | 2 +
.../CalendarIntegrationEnabled.yaml | 28 +
.../DateAndTime/SystemTimezone.yaml | 21 +
.../SystemTimezoneAutomaticDetection.yaml | 52 +
.../DateAndTime/SystemUse24HourClock.yaml | 31 +
.../DateAndTime/policy_atomic_groups.yaml | 6 +
.../DefaultSearchProvider/.group.details.yaml | 3 +
.../DefaultSearchProviderAlternateURLs.yaml | 28 +
.../DefaultSearchProviderEnabled.yaml | 37 +
.../DefaultSearchProviderEncodings.yaml | 30 +
.../DefaultSearchProviderIconURL.yaml | 23 +
.../DefaultSearchProviderImageURL.yaml | 34 +
...faultSearchProviderImageURLPostParams.yaml | 34 +
.../DefaultSearchProviderInstantURL.yaml | 26 +
...ultSearchProviderInstantURLPostParams.yaml | 24 +
.../DefaultSearchProviderKeyword.yaml | 24 +
.../DefaultSearchProviderName.yaml | 25 +
.../DefaultSearchProviderNewTabURL.yaml | 24 +
...archProviderSearchTermsReplacementKey.yaml | 24 +
.../DefaultSearchProviderSearchURL.yaml | 25 +
...aultSearchProviderSearchURLPostParams.yaml | 24 +
.../DefaultSearchProviderSuggestURL.yaml | 24 +
...ultSearchProviderSuggestURLPostParams.yaml | 24 +
.../policy_atomic_groups.yaml | 19 +
.../DeskConnector/.group.details.yaml | 2 +
.../DeskAPIDeskSaveAndShareEnabled.yaml | 27 +
.../DeskAPIThirdPartyAccessEnabled.yaml | 24 +
.../DeskAPIThirdPartyAllowlist.yaml | 20 +
.../DeviceUpdate/.group.details.yaml | 3 +
.../DeviceUpdate/ChromeOsReleaseChannel.yaml | 43 +
.../ChromeOsReleaseChannelDelegated.yaml | 27 +
.../DeviceAutoUpdateDisabled.yaml | 29 +
.../DeviceAutoUpdateP2PEnabled.yaml | 29 +
.../DeviceAutoUpdateTimeRestrictions.yaml | 55 +
.../DeviceChannelDowngradeBehavior.yaml | 39 +
.../DeviceExtendedAutoUpdateEnabled.yaml | 46 +
.../DeviceUpdate/DeviceMinimumVersion.yaml | 79 +
.../DeviceMinimumVersionAueMessage.yaml | 26 +
.../DeviceQuickFixBuildToken.yaml | 23 +
.../DeviceRollbackAllowedMilestones.yaml | 29 +
.../DeviceRollbackToTargetVersion.yaml | 35 +
.../DeviceTargetVersionPrefix.yaml | 28 +
.../DeviceTargetVersionSelector.yaml | 33 +
.../DeviceUpdateAllowedConnectionTypes.yaml | 22 +
.../DeviceUpdateHttpDownloadsEnabled.yaml | 26 +
.../DeviceUpdateScatterFactor.yaml | 23 +
.../DeviceUpdateStagingSchedule.yaml | 35 +
.../MinimumRequiredChromeVersion.yaml | 25 +
.../DeviceUpdate/RebootAfterUpdate.yaml | 32 +
.../Display/.group.details.yaml | 2 +
.../Display/DeviceDisplayResolution.yaml | 48 +
.../Display/DisplayRotationDefault.yaml | 39 +
.../Display/policy_atomic_groups.yaml | 5 +
.../Drive/.group.details.yaml | 2 +
.../Drive/DriveDisabled.yaml | 28 +
.../Drive/DriveDisabledOverCellular.yaml | 28 +
.../Drive/DriveFileSyncAvailable.yaml | 48 +
.../MicrosoftOneDriveAccountRestrictions.yaml | 36 +
.../Drive/MicrosoftOneDriveMount.yaml | 44 +
.../Drive/policy_atomic_groups.yaml | 6 +
.../Edu/.group.details.yaml | 2 +
.../Edu/GraduationEnablementStatus.yaml | 68 +
.../Extensions/.group.details.yaml | 6 +
.../Extensions/BlockExternalExtensions.yaml | 31 +
...eAppsWebViewPermissiveBehaviorAllowed.yaml | 63 +
...ScreenExtensionManifestV2Availability.yaml | 48 +
.../ExtensionAllowInsecureUpdates.yaml | 30 +
.../Extensions/ExtensionAllowedTypes.yaml | 61 +
.../ExtensionDeveloperModeSettings.yaml | 36 +
...roundLifetimeForPortConnectionsToUrls.yaml | 37 +
.../Extensions/ExtensionInstallAllowlist.yaml | 28 +
.../Extensions/ExtensionInstallBlocklist.yaml | 28 +
.../Extensions/ExtensionInstallForcelist.yaml | 41 +
.../Extensions/ExtensionInstallSources.yaml | 27 +
.../ExtensionInstallTypeBlocklist.yaml | 30 +
.../ExtensionManifestV2Availability.yaml | 50 +
.../ExtensionOAuthRedirectUrls.yaml | 35 +
.../Extensions/ExtensionSettings.yaml | 148 ++
.../ExtensionUnpublishedAvailability.yaml | 40 +
...atoryExtensionsForIncognitoNavigation.yaml | 27 +
.../Extensions/policy_atomic_groups.yaml | 13 +
.../FirstPartySets/.group.details.yaml | 2 +
.../FirstPartySets/FirstPartySetsEnabled.yaml | 36 +
.../FirstPartySetsOverrides.yaml | 125 ++
.../FloatingSso/.group.details.yaml | 2 +
.../FloatingSsoDomainBlocklist.yaml | 26 +
.../FloatingSsoDomainBlocklistExceptions.yaml | 25 +
.../FloatingSso/FloatingSsoEnabled.yaml | 29 +
.../FloatingSso/policy_atomic_groups.yaml | 6 +
.../Gaia/.group.details.yaml | 2 +
.../Gaia/GaiaOfflineSigninTimeLimitDays.yaml | 29 +
.../GenerativeAI/.group.details.yaml | 2 +
.../GenerativeAI/CreateThemesSettings.yaml | 43 +
.../GenerativeAI/DevToolsGenAiSettings.yaml | 43 +
.../GenAILocalFoundationalModelSettings.yaml | 36 +
.../GenAIVcBackgroundSettings.yaml | 38 +
.../GenerativeAI/GenAIWallpaperSettings.yaml | 38 +
.../GenerativeAI/GenAiDefaultSettings.yaml | 50 +
.../GenerativeAI/HelpMeReadSettings.yaml | 37 +
.../GenerativeAI/HelpMeWriteSettings.yaml | 43 +
.../GenerativeAI/HistorySearchSettings.yaml | 45 +
.../GenerativeAI/TabCompareSettings.yaml | 42 +
.../GenerativeAI/TabOrganizerSettings.yaml | 43 +
.../GoogleAssistant/.group.details.yaml | 2 +
.../AssistantOnboardingMode.yaml | 32 +
.../AssistantVoiceMatchEnabledDuringOobe.yaml | 24 +
.../GoogleAssistant/AssistantWebEnabled.yaml | 35 +
.../VoiceInteractionContextEnabled.yaml | 26 +
.../VoiceInteractionHotwordEnabled.yaml | 25 +
.../VoiceInteractionQuickAnswersEnabled.yaml | 23 +
.../GoogleCast/.group.details.yaml | 4 +
.../AccessCodeCastDeviceDuration.yaml | 31 +
.../GoogleCast/AccessCodeCastEnabled.yaml | 34 +
.../GoogleCast/EnableMediaRouter.yaml | 27 +
.../MediaRouterCastAllowAllIPs.yaml | 34 +
.../GoogleCast/ShowCastIconInToolbar.yaml | 29 +
...ShowCastSessionsStartedByOtherDevices.yaml | 29 +
.../HTTPAuthentication/.group.details.yaml | 2 +
.../AllHttpAuthSchemesAllowedForOrigins.yaml | 26 +
.../AllowCrossOriginAuthPrompt.yaml | 30 +
.../AuthAndroidNegotiateAccountType.yaml | 19 +
.../AuthNegotiateDelegateAllowlist.yaml | 22 +
.../AuthNegotiateDelegateByKdcPolicy.yaml | 29 +
.../HTTPAuthentication/AuthSchemes.yaml | 34 +
.../AuthServerAllowlist.yaml | 25 +
.../BasicAuthOverHttpEnabled.yaml | 30 +
.../DisableAuthNegotiateCnameLookup.yaml | 28 +
.../EnableAuthNegotiatePort.yaml | 27 +
.../HTTPAuthentication/GSSAPILibraryName.yaml | 18 +
.../IntegratedWebAuthenticationAllowed.yaml | 25 +
.../HTTPAuthentication/NtlmV2Enabled.yaml | 31 +
.../Kerberos/.group.details.yaml | 2 +
.../Kerberos/KerberosAccounts.yaml | 75 +
.../Kerberos/KerberosAddAccountsAllowed.yaml | 27 +
.../KerberosCustomPrefilledConfig.yaml | 24 +
.../Kerberos/KerberosDomainAutocomplete.yaml | 21 +
.../Kerberos/KerberosEnabled.yaml | 27 +
.../KerberosRememberPasswordEnabled.yaml | 27 +
.../KerberosUseCustomPrefilledConfig.yaml | 27 +
.../Kerberos/policy_atomic_groups.yaml | 5 +
.../Kiosk/.group.details.yaml | 2 +
.../AllowKioskAppControlChromeVersion.yaml | 33 +
...ceLocalAccountAutoLoginBailoutEnabled.yaml | 24 +
.../DeviceLocalAccountAutoLoginDelay.yaml | 22 +
.../Kiosk/DeviceLocalAccountAutoLoginId.yaml | 19 +
...calAccountPromptForNetworkWhenOffline.yaml | 25 +
.../Kiosk/DeviceLocalAccounts.yaml | 22 +
.../Kiosk/DeviceWeeklyScheduledSuspend.yaml | 35 +
...tiveWiFiCredentialsScopeChangeEnabled.yaml | 24 +
.../KioskTroubleshootingToolsEnabled.yaml | 29 +
.../Kiosk/KioskVisionTelemetryEnabled.yaml | 24 +
.../Kiosk/KioskWebAppOfflineEnabled.yaml | 30 +
.../Kiosk/NewWindowsInKioskAllowed.yaml | 24 +
.../Kiosk/policy_atomic_groups.yaml | 9 +
.../LocallyManagedUsers/.group.details.yaml | 2 +
.../SupervisedUserContentProviderEnabled.yaml | 19 +
.../SupervisedUserCreationEnabled.yaml | 24 +
.../SupervisedUsersEnabled.yaml | 23 +
.../policy_atomic_groups.yaml | 6 +
.../Miscellaneous/.group.details.yaml | 2 +
.../AbusiveExperienceInterventionEnforce.yaml | 27 +
.../AccessibilityImageLabelsEnabled.yaml | 44 +
...essibilityPerformanceFilteringAllowed.yaml | 25 +
.../AdHocCodeSigningForPWAsEnabled.yaml | 35 +
.../AdditionalDnsQueryTypesEnabled.yaml | 32 +
.../AdsSettingForIntrusiveAdsSites.yaml | 32 +
.../AdvancedProtectionAllowed.yaml | 31 +
...AdvancedProtectionDeepScanningEnabled.yaml | 20 +
...acheForCacheControlNoStorePageEnabled.yaml | 37 +
.../AllowChromeDataInBackups.yaml | 25 +
.../AllowDeletingBrowserHistory.yaml | 28 +
.../Miscellaneous/AllowDinosaurEasterEgg.yaml | 30 +
.../AllowFileSelectionDialogs.yaml | 26 +
.../AllowNativeNotifications.yaml | 24 +
.../Miscellaneous/AllowOutdatedPlugins.yaml | 30 +
.../AllowPopupsDuringPageUnload.yaml | 30 +
.../Miscellaneous/AllowScreenLock.yaml | 24 +
.../AllowSyncXHRInPageDismissal.yaml | 33 +
.../AllowSystemNotifications.yaml | 25 +
.../AllowWebAuthnWithBrokenTlsCerts.yaml | 32 +
.../Miscellaneous/AllowedDomainsForApps.yaml | 29 +
.../AllowedDomainsForAppsList.yaml | 32 +
.../Miscellaneous/AllowedInputMethods.yaml | 25 +
.../Miscellaneous/AllowedLanguages.yaml | 23 +
.../AlternateErrorPagesEnabled.yaml | 30 +
.../Miscellaneous/AlwaysAuthorizePlugins.yaml | 26 +
.../AlwaysOnVpnPreConnectUrlAllowlist.yaml | 32 +
.../AlwaysOpenPdfExternally.yaml | 31 +
...ntAuthenticationInPrivateModesEnabled.yaml | 52 +
.../Miscellaneous/AppCacheForceEnabled.yaml | 26 +
.../Miscellaneous/AppLaunchAutomation.yaml | 83 +
.../Miscellaneous/AppStoreRatingEnabled.yaml | 23 +
.../ApplicationBoundEncryptionEnabled.yaml | 27 +
.../Miscellaneous/ApplicationLocaleValue.yaml | 23 +
.../ArcVmDataMigrationStrategy.yaml | 37 +
.../AttestationExtensionWhitelist.yaml | 24 +
.../Miscellaneous/AudioCaptureAllowed.yaml | 30 +
.../AudioCaptureAllowedUrls.yaml | 25 +
.../Miscellaneous/AudioOutputAllowed.yaml | 25 +
.../AudioProcessHighPriorityEnabled.yaml | 30 +
.../Miscellaneous/AudioSandboxEnabled.yaml | 32 +
.../AuthNegotiateDelegateWhitelist.yaml | 18 +
.../Miscellaneous/AuthServerWhitelist.yaml | 19 +
.../Miscellaneous/AutoCleanUpStrategy.yaml | 38 +
.../Miscellaneous/AutoFillEnabled.yaml | 31 +
.../AutoLaunchProtocolsFromOrigins.yaml | 50 +
.../Miscellaneous/AutoOpenAllowedForURLs.yaml | 32 +
.../Miscellaneous/AutoOpenFileTypes.yaml | 30 +
.../Miscellaneous/AutofillAddressEnabled.yaml | 29 +
.../AutofillCreditCardEnabled.yaml | 29 +
.../Miscellaneous/AutoplayAllowed.yaml | 30 +
.../Miscellaneous/AutoplayAllowlist.yaml | 25 +
.../Miscellaneous/AutoplayWhitelist.yaml | 21 +
.../BackForwardCacheEnabled.yaml | 33 +
.../Miscellaneous/BackgroundModeEnabled.yaml | 32 +
.../BatterySaverModeAvailability.yaml | 50 +
...oadEventCancelByPreventDefaultEnabled.yaml | 35 +
.../Miscellaneous/BlockThirdPartyCookies.yaml | 31 +
.../Miscellaneous/BookmarkBarEnabled.yaml | 30 +
.../BrowserAddPersonEnabled.yaml | 28 +
...serContextAwareAccessSignalsAllowlist.yaml | 31 +
.../BrowserGuestModeEnabled.yaml | 28 +
.../BrowserGuestModeEnforced.yaml | 25 +
.../Miscellaneous/BrowserLabsEnabled.yaml | 30 +
.../BrowserLegacyExtensionPointsBlocked.yaml | 27 +
.../BrowserNetworkTimeQueriesEnabled.yaml | 26 +
.../Miscellaneous/BrowserSignin.yaml | 46 +
.../Miscellaneous/BrowserThemeColor.yaml | 25 +
.../Miscellaneous/BrowsingDataLifetime.yaml | 56 +
.../BuiltInDnsClientEnabled.yaml | 31 +
.../BuiltinCertificateVerifierEnabled.yaml | 32 +
.../Miscellaneous/CCTToSDialogEnabled.yaml | 31 +
.../Miscellaneous/CECPQ2Enabled.yaml | 31 +
.../CORSNonWildcardRequestHeadersSupport.yaml | 33 +
...CSSCustomStateDeprecatedSyntaxEnabled.yaml | 36 +
...ptivePortalAuthenticationIgnoresProxy.yaml | 25 +
...TransparencyEnforcementDisabledForCas.yaml | 36 +
...arencyEnforcementDisabledForLegacyCas.yaml | 31 +
...ransparencyEnforcementDisabledForUrls.yaml | 29 +
.../Miscellaneous/ChromeAppsEnabled.yaml | 29 +
.../Miscellaneous/ChromeCleanupEnabled.yaml | 28 +
.../ChromeCleanupReportingEnabled.yaml | 31 +
.../ChromeDataRegionSetting.yaml | 41 +
.../ChromeForTestingAllowed.yaml | 26 +
.../ChromeOsLockOnIdleSuspend.yaml | 38 +
.../ChromeOsMultiProfileUserBehavior.yaml | 49 +
.../Miscellaneous/ChromeRootStoreEnabled.yaml | 47 +
.../Miscellaneous/ChromeVariations.yaml | 42 +
.../ClearBrowsingDataOnExitList.yaml | 73 +
.../Miscellaneous/ClearSiteDataOnExit.yaml | 20 +
.../Miscellaneous/ClickToCallEnabled.yaml | 35 +
.../ClientCertificateManagementAllowed.yaml | 33 +
.../CloudManagementEnrollmentMandatory.yaml | 29 +
.../CloudManagementEnrollmentToken.yaml | 24 +
.../CloudPolicyOverridesPlatformPolicy.yaml | 33 +
.../Miscellaneous/CloudUserPolicyMerge.yaml | 33 +
...UserPolicyOverridesCloudMachinePolicy.yaml | 35 +
...ectionsWithClientCertificatesForHosts.yaml | 28 +
...ommandLineFlagSecurityWarningsEnabled.yaml | 32 +
.../ComponentUpdatesEnabled.yaml | 29 +
.../ContextAwareAccessSignalsAllowlist.yaml | 37 +
.../ContextMenuPhotoSharingSettings.yaml | 32 +
...extualGoogleIntegrationsConfiguration.yaml | 59 +
.../ContextualGoogleIntegrationsEnabled.yaml | 26 +
.../ContextualSearchEnabled.yaml | 24 +
.../ContextualSuggestionsEnabled.yaml | 21 +
.../Miscellaneous/CopyPreventionSettings.yaml | 46 +
.../Miscellaneous/CorsLegacyModeEnabled.yaml | 30 +
.../Miscellaneous/CorsMitigationList.yaml | 34 +
.../CreatePasskeysInICloudKeychain.yaml | 39 +
.../CredentialProviderPromoEnabled.yaml | 23 +
...OriginWebAssemblyModuleSharingEnabled.yaml | 32 +
.../Miscellaneous/DHEEnabled.yaml | 24 +
.../DNSInterceptionChecksEnabled.yaml | 29 +
.../DataCompressionProxyEnabled.yaml | 19 +
.../Miscellaneous/DataControlsRules.yaml | 198 +++
...LeakPreventionClipboardCheckSizeLimit.yaml | 20 +
.../DataLeakPreventionReportingEnabled.yaml | 26 +
.../DataLeakPreventionRulesList.yaml | 147 ++
.../DefaultBrowserSettingEnabled.yaml | 30 +
.../DefaultDownloadDirectory.yaml | 28 +
.../DefaultHandlersForFileExtensions.yaml | 65 +
...earchProviderContextMenuAccessAllowed.yaml | 31 +
.../Miscellaneous/DeleteKeyModifier.yaml | 38 +
.../Miscellaneous/DeskTemplatesEnabled.yaml | 22 +
.../DesktopSharingHubEnabled.yaml | 29 +
.../DeveloperToolsAvailability.yaml | 49 +
.../Miscellaneous/DeveloperToolsDisabled.yaml | 35 +
.../Miscellaneous/DeviceAllowBluetooth.yaml | 26 +
...llowEnterpriseRemoteAccessConnections.yaml | 31 +
...eviceAllowMGSToStoreDisplayProperties.yaml | 24 +
...AllowRedeemChromeOsRegistrationOffers.yaml | 28 +
.../DeviceAllowedBluetoothServices.yaml | 31 +
.../Miscellaneous/DeviceAppPack.yaml | 26 +
.../DeviceAttributesAllowedForOrigins.yaml | 27 +
.../DeviceAuthenticationURLAllowlist.yaml | 28 +
.../DeviceAuthenticationURLBlocklist.yaml | 35 +
.../Miscellaneous/DeviceBlockDevmode.yaml | 28 +
.../Miscellaneous/DeviceChromeVariations.yaml | 43 +
.../DeviceDebugPacketCaptureAllowed.yaml | 29 +
.../DeviceDlcPredownloadList.yaml | 30 +
.../DeviceEcryptfsMigrationStrategy.yaml | 39 +
...viceEncryptedReportingPipelineEnabled.yaml | 26 +
...DeviceEphemeralNetworkPoliciesEnabled.yaml | 28 +
.../DeviceExtendedFkeysModifier.yaml | 40 +
.../DeviceHardwareVideoDecodingEnabled.yaml | 38 +
.../DeviceHindiInscriptLayoutEnabled.yaml | 27 +
.../DeviceI18nShortcutsEnabled.yaml | 33 +
.../DeviceIdleLogoutTimeout.yaml | 22 +
.../DeviceIdleLogoutWarningDuration.yaml | 22 +
.../DeviceKeyboardBacklightColor.yaml | 59 +
...eKeylockerForStorageEncryptionEnabled.yaml | 31 +
...viceLocalAccountManagedSessionEnabled.yaml | 22 +
...eenContextAwareAccessSignalsAllowlist.yaml | 32 +
...viceLoginScreenGeolocationAccessLevel.yaml | 52 +
...ceLoginScreenPrimaryMouseButtonSwitch.yaml | 34 +
.../DeviceLoginScreenSaverId.yaml | 20 +
.../DeviceLoginScreenSaverTimeout.yaml | 23 +
...oginScreenTouchVirtualKeyboardEnabled.yaml | 35 +
...eLoginScreenWebHidAllowDevicesForUrls.yaml | 53 +
.../DeviceLoginScreenWebUILazyLoading.yaml | 33 +
...eLoginScreenWebUsbAllowDevicesForUrls.yaml | 50 +
.../DeviceNativePrintersBlacklist.yaml | 26 +
.../DeviceNativePrintersWhitelist.yaml | 27 +
.../Miscellaneous/DeviceOffHours.yaml | 49 +
.../DevicePciPeripheralDataAccessEnabled.yaml | 29 +
.../DevicePolicyRefreshRate.yaml | 22 +
.../DevicePostQuantumKeyAgreementEnabled.yaml | 39 +
.../Miscellaneous/DevicePowerwashAllowed.yaml | 25 +
.../DeviceQuirksDownloadEnabled.yaml | 29 +
.../DeviceRebootOnUserSignout.yaml | 41 +
.../Miscellaneous/DeviceReleaseLtsTag.yaml | 18 +
...eRestrictedManagedGuestSessionEnabled.yaml | 26 +
.../DeviceRestrictionSchedule.yaml | 33 +
.../Miscellaneous/DeviceScheduledReboot.yaml | 59 +
.../DeviceScheduledUpdateCheck.yaml | 54 +
.../DeviceShowLowDiskSpaceNotification.yaml | 33 +
.../Miscellaneous/DeviceStartUpUrls.yaml | 24 +
...viceSwitchFunctionKeysBehaviorEnabled.yaml | 40 +
.../Miscellaneous/DeviceSystemAecEnabled.yaml | 31 +
.../DeviceSystemWideTracingEnabled.yaml | 30 +
.../Miscellaneous/DeviceUserWhitelist.yaml | 35 +
.../DeviceVariationsRestrictParameter.yaml | 22 +
.../Miscellaneous/Disable3DAPIs.yaml | 26 +
.../Miscellaneous/DisablePluginFinder.yaml | 26 +
.../DisableSSLRecordSplitting.yaml | 20 +
.../Miscellaneous/DisableScreenshots.yaml | 29 +
.../Miscellaneous/DisableSpdy.yaml | 27 +
.../Miscellaneous/DisabledPlugins.yaml | 34 +
.../DisabledPluginsExceptions.yaml | 36 +
.../Miscellaneous/DisabledSchemes.yaml | 29 +
.../Miscellaneous/DiskCacheDir.yaml | 23 +
.../Miscellaneous/DiskCacheSize.yaml | 25 +
...isplayCapturePermissionsPolicyEnabled.yaml | 37 +
.../Miscellaneous/DnsOverHttpsMode.yaml | 45 +
.../Miscellaneous/DnsOverHttpsTemplates.yaml | 28 +
.../Miscellaneous/DnsPrefetchingEnabled.yaml | 28 +
.../DocumentScanAPITrustedExtensions.yaml | 25 +
.../DomainReliabilityAllowed.yaml | 29 +
.../Miscellaneous/DownloadBubbleEnabled.yaml | 29 +
.../Miscellaneous/DownloadDirectory.yaml | 33 +
.../DownloadManagerSaveToDriveSettings.yaml | 32 +
.../Miscellaneous/DownloadRestrictions.yaml | 65 +
.../Miscellaneous/DynamicCodeSettings.yaml | 36 +
.../Miscellaneous/EasyUnlockAllowed.yaml | 26 +
.../Miscellaneous/EcheAllowed.yaml | 29 +
.../EcryptfsMigrationStrategy.yaml | 51 +
.../Miscellaneous/EditBookmarksEnabled.yaml | 28 +
.../EmojiPickerGifSupportEnabled.yaml | 39 +
.../Miscellaneous/EmojiSuggestionEnabled.yaml | 24 +
...ableCommonNameFallbackForLocalAnchors.yaml | 31 +
.../EnableDeprecatedPrivetPrinting.yaml | 26 +
.../EnableDeprecatedWebBasedSignin.yaml | 23 +
.../EnableDeprecatedWebPlatformFeatures.yaml | 40 +
.../EnableExperimentalPolicies.yaml | 36 +
.../EnableOnlineRevocationChecks.yaml | 30 +
.../EnableSha1ForLocalAnchors.yaml | 29 +
.../EnableSymantecLegacyInfrastructure.yaml | 31 +
.../Miscellaneous/EnableSyncConsent.yaml | 23 +
.../Miscellaneous/EnabledPlugins.yaml | 35 +
.../EncryptedClientHelloEnabled.yaml | 33 +
.../EnforceLocalAnchorConstraintsEnabled.yaml | 56 +
...EnterpriseAuthenticationAppLinkPolicy.yaml | 33 +
.../EnterpriseBadgingTemporarySetting.yaml | 47 +
.../Miscellaneous/EnterpriseCustomLabel.yaml | 28 +
.../EnterpriseHardwarePlatformAPIEnabled.yaml | 29 +
.../Miscellaneous/EnterpriseLogoUrl.yaml | 30 +
...rpriseProfileCreationKeepBrowsingData.yaml | 31 +
.../EnterpriseRealTimeUrlCheckMode.yaml | 39 +
.../Miscellaneous/EnterpriseWebStoreName.yaml | 21 +
.../Miscellaneous/EnterpriseWebStoreURL.yaml | 21 +
.../Miscellaneous/EssentialSearchEnabled.yaml | 25 +
.../Miscellaneous/EventPathEnabled.yaml | 37 +
...TypePairsFromFileTypeDownloadWarnings.yaml | 53 +
.../ExplicitlyAllowedNetworkPorts.yaml | 84 +
.../Miscellaneous/ExtensionCacheSize.yaml | 22 +
.../ExtensionInstallBlacklist.yaml | 22 +
.../ExtensionInstallEventLoggingEnabled.yaml | 20 +
.../ExtensionInstallWhitelist.yaml | 22 +
.../ExternalPrintServersWhitelist.yaml | 30 +
...lProtocolDialogShowAlwaysOpenCheckbox.yaml | 29 +
.../ExternalStorageDisabled.yaml | 23 +
.../ExternalStorageReadOnly.yaml | 22 +
.../Miscellaneous/F11KeyModifier.yaml | 40 +
.../Miscellaneous/F12KeyModifier.yaml | 40 +
.../Miscellaneous/FastPairEnabled.yaml | 26 +
.../Miscellaneous/FeedbackSurveysEnabled.yaml | 32 +
...tchKeepaliveDurationSecondsOnShutdown.yaml | 26 +
...PickerWithoutGestureAllowedForOrigins.yaml | 38 +
.../FloatingWorkspaceEnabled.yaml | 26 +
.../FloatingWorkspaceV2Enabled.yaml | 25 +
.../Miscellaneous/FocusModeSoundsEnabled.yaml | 40 +
.../Miscellaneous/ForceBrowserSignin.yaml | 30 +
.../ForceEnablePepperVideoDecoderDevAPI.yaml | 40 +
.../Miscellaneous/ForceEphemeralProfiles.yaml | 29 +
.../Miscellaneous/ForceGoogleSafeSearch.yaml | 29 +
.../ForceLegacyDefaultReferrerPolicy.yaml | 29 +
...ForceLogoutUnauthenticatedUserEnabled.yaml | 24 +
...ajorVersionToMinorPositionInUserAgent.yaml | 57 +
.../ForceMaximizeOnFirstRun.yaml | 23 +
.../Miscellaneous/ForceNetworkInProcess.yaml | 16 +
...ePermissionPolicyUnloadDefaultEnabled.yaml | 55 +
.../Miscellaneous/ForceSafeSearch.yaml | 34 +
.../Miscellaneous/ForceYouTubeRestrict.yaml | 45 +
.../Miscellaneous/ForceYouTubeSafetyMode.yaml | 35 +
.../Miscellaneous/ForcedLanguages.yaml | 27 +
.../Miscellaneous/FullRestoreEnabled.yaml | 24 +
.../Miscellaneous/FullRestoreMode.yaml | 34 +
.../Miscellaneous/FullscreenAlertEnabled.yaml | 25 +
.../Miscellaneous/FullscreenAllowed.yaml | 29 +
.../Miscellaneous/GCFUserDataDir.yaml | 23 +
...aLockScreenOfflineSigninTimeLimitDays.yaml | 33 +
.../Miscellaneous/GhostWindowEnabled.yaml | 24 +
.../Miscellaneous/GlanceablesEnabled.yaml | 28 +
.../GloballyScopeHTTPAuthCacheEnabled.yaml | 32 +
.../GoogleLocationServicesEnabled.yaml | 38 +
.../GoogleSearchSidePanelEnabled.yaml | 29 +
.../Miscellaneous/HSTSPolicyBypassList.yaml | 29 +
.../HardwareAccelerationModeEnabled.yaml | 26 +
.../Miscellaneous/HeadlessMode.yaml | 32 +
.../Miscellaneous/HideWebStoreIcon.yaml | 30 +
.../Miscellaneous/HideWebStorePromo.yaml | 19 +
.../HighEfficiencyModeEnabled.yaml | 27 +
.../HindiInscriptLayoutEnabled.yaml | 26 +
.../Miscellaneous/HistoryClustersVisible.yaml | 36 +
.../Miscellaneous/HomeAndEndKeysModifier.yaml | 38 +
.../Http09OnNonDefaultPortsEnabled.yaml | 31 +
.../Miscellaneous/HttpAllowlist.yaml | 51 +
.../Miscellaneous/HttpsOnlyMode.yaml | 49 +
.../Miscellaneous/HttpsUpgradesEnabled.yaml | 46 +
.../Miscellaneous/ImportAutofillFormData.yaml | 28 +
.../Miscellaneous/ImportBookmarks.yaml | 29 +
.../Miscellaneous/ImportHistory.yaml | 29 +
.../Miscellaneous/ImportHomepage.yaml | 27 +
.../Miscellaneous/ImportSavedPasswords.yaml | 30 +
.../Miscellaneous/ImportSearchEngine.yaml | 28 +
.../Miscellaneous/IncognitoEnabled.yaml | 31 +
.../IncognitoModeAvailability.yaml | 48 +
.../InsecureFormsWarningsEnabled.yaml | 33 +
.../InsecureHashesInTLSHandshakesEnabled.yaml | 32 +
.../Miscellaneous/InsertKeyModifier.yaml | 34 +
.../InsightsExtensionEnabled.yaml | 28 +
.../Miscellaneous/InstantEnabled.yaml | 29 +
.../InstantTetheringAllowed.yaml | 28 +
.../IntensiveWakeUpThrottlingEnabled.yaml | 46 +
.../IntranetRedirectBehavior.yaml | 45 +
.../Miscellaneous/IsolateOrigins.yaml | 31 +
.../Miscellaneous/IsolateOriginsAndroid.yaml | 28 +
.../IsolatedWebAppInstallForceList.yaml | 33 +
.../Miscellaneous/JavascriptEnabled.yaml | 32 +
...screenWithoutNotificationUrlAllowList.yaml | 24 +
.../Miscellaneous/KeyPermissions.yaml | 37 +
.../KeyboardFocusableScrollersEnabled.yaml | 32 +
...skBrowserPermissionsAllowedForOrigins.yaml | 24 +
.../KioskCRXManifestUpdateURLIgnored.yaml | 31 +
.../Miscellaneous/LacrosAllowed.yaml | 28 +
.../Miscellaneous/LacrosAvailability.yaml | 53 +
.../LacrosDataBackwardMigrationMode.yaml | 49 +
.../LacrosSecondaryProfilesAllowed.yaml | 32 +
.../Miscellaneous/LacrosSelection.yaml | 55 +
.../LensCameraAssistedSearchEnabled.yaml | 33 +
.../LensDesktopNTPSearchEnabled.yaml | 32 +
.../Miscellaneous/LensOnGalleryEnabled.yaml | 28 +
.../Miscellaneous/LensOverlaySettings.yaml | 38 +
.../LensRegionSearchEnabled.yaml | 31 +
.../ListenToThisPageEnabled.yaml | 27 +
.../LoadCryptoTokenExtension.yaml | 27 +
.../Miscellaneous/LocalDiscoveryEnabled.yaml | 30 +
.../LockIconInAddressBarEnabled.yaml | 28 +
.../LockScreenAutoStartOnlineReauth.yaml | 36 +
.../LockScreenMediaPlaybackEnabled.yaml | 24 +
.../LoginDisplayPasswordButtonEnabled.yaml | 24 +
.../LookalikeWarningAllowlistDomains.yaml | 32 +
...neLevelUserCloudPolicyEnrollmentToken.yaml | 19 +
.../ManagedAccountsSigninRestriction.yaml | 71 +
.../Miscellaneous/ManagedBookmarks.yaml | 36 +
.../ManagedConfigurationPerOrigin.yaml | 42 +
...tSessionAutoLaunchNotificationReduced.yaml | 24 +
...gedGuestSessionPrivacyWarningsEnabled.yaml | 31 +
.../Miscellaneous/MaxConnectionsPerProxy.yaml | 22 +
.../MaxInvalidationFetchDelay.yaml | 24 +
.../Miscellaneous/MediaCacheSize.yaml | 22 +
.../MediaRecommendationsEnabled.yaml | 28 +
.../Miscellaneous/MemorySaverModeSavings.yaml | 42 +
.../MetricsReportingEnabled.yaml | 40 +
.../MixedContentAutoupgradeEnabled.yaml | 26 +
.../Miscellaneous/MutationEventsEnabled.yaml | 28 +
.../Miscellaneous/NTPCardsVisible.yaml | 33 +
.../NTPContentSuggestionsEnabled.yaml | 26 +
.../NTPCustomBackgroundEnabled.yaml | 28 +
.../NTPMiddleSlotAnnouncementVisible.yaml | 29 +
.../NativeClientForceAllowed.yaml | 25 +
.../NativeHostsExecutablesLaunchDirectly.yaml | 30 +
.../NativeMessagingBlacklist.yaml | 21 +
.../NativeMessagingWhitelist.yaml | 21 +
.../NativePrintersBulkBlacklist.yaml | 25 +
.../NativePrintersBulkWhitelist.yaml | 25 +
.../NativeWindowOcclusionEnabled.yaml | 30 +
.../Miscellaneous/NearbyShareAllowed.yaml | 29 +
.../NetworkPredictionOptions.yaml | 39 +
.../NetworkServiceSandboxEnabled.yaml | 27 +
.../NewBaseUrlInheritanceBehaviorAllowed.yaml | 33 +
.../NoteTakingAppsLockScreenAllowlist.yaml | 25 +
.../NoteTakingAppsLockScreenWhitelist.yaml | 19 +
.../OffsetParentNewSpecBehaviorEnabled.yaml | 38 +
.../OnBulkDataEntryEnterpriseConnector.yaml | 157 ++
.../OnFileAttachedEnterpriseConnector.yaml | 161 ++
.../OnFileDownloadedEnterpriseConnector.yaml | 162 ++
.../OnFileTransferEnterpriseConnector.yaml | 115 ++
.../OnPrintEnterpriseConnector.yaml | 151 ++
.../OnSecurityEventEnterpriseConnector.yaml | 58 +
.../OpenNetworkConfiguration.yaml | 24 +
.../OptimizationGuideFetchingEnabled.yaml | 29 +
.../Miscellaneous/OrcaEnabled.yaml | 33 +
.../OriginAgentClusterDefaultEnabled.yaml | 48 +
.../Miscellaneous/OsColorMode.yaml | 37 +
...eSecurityRestrictionsOnInsecureOrigin.yaml | 28 +
...APISharedImagesForVideoDecoderAllowed.yaml | 38 +
.../PPAPISharedImagesSwapChainAllowed.yaml | 43 +
.../PacHttpsUrlStrippingEnabled.yaml | 36 +
.../PageUpAndPageDownKeysModifier.yaml | 38 +
.../Miscellaneous/ParcelTrackingEnabled.yaml | 23 +
.../PaymentMethodQueryEnabled.yaml | 29 +
.../Miscellaneous/PdfAnnotationsEnabled.yaml | 26 +
.../PdfUseSkiaRendererEnabled.yaml | 32 +
.../PdfViewerOutOfProcessIframeEnabled.yaml | 30 +
.../PerAppTimeLimitsWhitelist.yaml | 46 +
.../Miscellaneous/PersistentQuotaEnabled.yaml | 28 +
.../Miscellaneous/PhoneHubAllowed.yaml | 29 +
.../PhoneHubCameraRollAllowed.yaml | 32 +
.../PhoneHubNotificationsAllowed.yaml | 28 +
.../PhoneHubTaskContinuationAllowed.yaml | 28 +
.../PhysicalKeyboardAutocorrect.yaml | 30 +
.../PhysicalKeyboardPredictiveWriting.yaml | 30 +
.../Miscellaneous/PinnedLauncherApps.yaml | 33 +
.../PolicyAtomicGroupsEnabled.yaml | 30 +
...licyDictionaryMultipleSourceMergeList.yaml | 66 +
.../PolicyListMultipleSourceMergeList.yaml | 37 +
.../Miscellaneous/PolicyRefreshRate.yaml | 26 +
.../Miscellaneous/PolicyScopeDetection.yaml | 28 +
.../Miscellaneous/PolicyTestPageEnabled.yaml | 37 +
.../PostQuantumKeyAgreementEnabled.yaml | 42 +
.../PreconfiguredDeskTemplates.yaml | 28 +
.../PrefixedStorageInfoEnabled.yaml | 28 +
...refixedVideoFullscreenApiAvailability.yaml | 55 +
.../PrimaryMouseButtonSwitch.yaml | 33 +
.../PrintingAPIExtensionsWhitelist.yaml | 26 +
.../Miscellaneous/ProfileLabel.yaml | 39 +
.../ProfilePickerOnStartupAvailability.yaml | 42 +
.../Miscellaneous/ProfileReauthPrompt.yaml | 25 +
.../Miscellaneous/PromotionalTabsEnabled.yaml | 30 +
.../Miscellaneous/PromotionsEnabled.yaml | 32 +
.../PromptForDownloadLocation.yaml | 30 +
.../PromptOnMultipleMatchingCertificates.yaml | 28 +
...visionManagedClientCertificateForUser.yaml | 33 +
.../Miscellaneous/ProxySettings.yaml | 66 +
.../Miscellaneous/QRCodeGeneratorEnabled.yaml | 29 +
.../Miscellaneous/QuicAllowed.yaml | 26 +
.../QuickOfficeForceFileDownloadEnabled.yaml | 27 +
.../QuickUnlockModeWhitelist.yaml | 41 +
.../Miscellaneous/RC4Enabled.yaml | 22 +
.../RSAKeyUsageForLocalAnchorsEnabled.yaml | 62 +
.../Miscellaneous/RelaunchHeadsUpPeriod.yaml | 23 +
.../Miscellaneous/RelaunchNotification.yaml | 35 +
.../RelaunchNotificationPeriod.yaml | 26 +
.../Miscellaneous/RelaunchWindow.yaml | 51 +
.../Miscellaneous/RemoteDebuggingAllowed.yaml | 28 +
.../RendererAppContainerEnabled.yaml | 27 +
.../RendererCodeIntegrityEnabled.yaml | 29 +
.../ReportCrostiniUsageEnabled.yaml | 26 +
...OnlineRevocationChecksForLocalAnchors.yaml | 32 +
.../RestrictAccountsToPatterns.yaml | 28 +
.../RestrictSigninToPattern.yaml | 23 +
...uestSessionExtensionCleanupExemptList.yaml | 24 +
.../Miscellaneous/RoamingProfileLocation.yaml | 28 +
.../RoamingProfileSupportEnabled.yaml | 31 +
.../Miscellaneous/RunAllFlashInAllowMode.yaml | 30 +
.../SSLErrorOverrideAllowed.yaml | 26 +
.../SSLErrorOverrideAllowedForOrigins.yaml | 30 +
.../Miscellaneous/SSLVersionFallbackMin.yaml | 36 +
.../Miscellaneous/SSLVersionMax.yaml | 34 +
.../Miscellaneous/SSLVersionMin.yaml | 47 +
...BrowsingExtendedReportingOptInAllowed.yaml | 22 +
.../SafeBrowsingForTrustedSourcesEnabled.yaml | 30 +
.../SafeBrowsingWhitelistDomains.yaml | 28 +
.../SafeSitesFilterBehavior.yaml | 38 +
...lLockScreenOfflineSigninTimeLimitDays.yaml | 33 +
.../SandboxExternalProtocolBlocked.yaml | 35 +
.../SavingBrowserHistoryDisabled.yaml | 28 +
.../Miscellaneous/SchedulerConfiguration.yaml | 29 +
.../Miscellaneous/ScreenCaptureLocation.yaml | 27 +
...aptureWithoutGestureAllowedForOrigins.yaml | 36 +
.../ScrollToTextFragmentEnabled.yaml | 30 +
.../Miscellaneous/SearchSuggestEnabled.yaml | 31 +
.../SecondaryGoogleAccountSigninAllowed.yaml | 29 +
.../SecondaryGoogleAccountUsage.yaml | 35 +
.../SecurityKeyPermitAttestation.yaml | 23 +
.../SecurityTokenSessionBehavior.yaml | 35 +
...curityTokenSessionNotificationSeconds.yaml | 26 +
...ouseEventsDisabledFormControlsEnabled.yaml | 40 +
.../Miscellaneous/SessionLengthLimit.yaml | 22 +
.../Miscellaneous/SessionLocales.yaml | 29 +
.../SetTimeoutWithout1MsClampEnabled.yaml | 39 +
...dArrayBufferUnrestrictedAccessAllowed.yaml | 33 +
.../Miscellaneous/SharedClipboardEnabled.yaml | 35 +
.../Miscellaneous/ShelfAlignment.yaml | 41 +
.../Miscellaneous/ShelfAutoHideBehavior.yaml | 29 +
.../Miscellaneous/ShoppingListEnabled.yaml | 30 +
.../ShortcutCustomizationAllowed.yaml | 26 +
.../ShowAiIntroScreenEnabled.yaml | 29 +
.../ShowAppsShortcutInBookmarkBar.yaml | 28 +
.../ShowDisplaySizeScreenEnabled.yaml | 25 +
.../ShowFullUrlsInAddressBar.yaml | 35 +
.../ShowGeminiIntroScreenEnabled.yaml | 29 +
.../ShowHumanPresenceSensorScreenEnabled.yaml | 26 +
.../Miscellaneous/ShowLogoutButtonInTray.yaml | 23 +
.../ShowTouchpadScrollScreenEnabled.yaml | 25 +
.../Miscellaneous/SideSearchEnabled.yaml | 28 +
.../SignedHTTPExchangeEnabled.yaml | 28 +
.../Miscellaneous/SigninAllowed.yaml | 28 +
.../SigninInterceptionEnabled.yaml | 31 +
.../Miscellaneous/SitePerProcess.yaml | 32 +
.../Miscellaneous/SitePerProcessAndroid.yaml | 34 +
.../Miscellaneous/SiteSearchSettings.yaml | 58 +
.../Miscellaneous/SmartLockSigninAllowed.yaml | 29 +
.../Miscellaneous/SmsMessagesAllowed.yaml | 28 +
.../SpellCheckServiceEnabled.yaml | 32 +
.../Miscellaneous/SpellcheckEnabled.yaml | 38 +
.../Miscellaneous/SpellcheckLanguage.yaml | 33 +
.../SpellcheckLanguageBlacklist.yaml | 35 +
.../SpellcheckLanguageBlocklist.yaml | 32 +
.../StandardizedBrowserZoomEnabled.yaml | 33 +
.../StartupBrowserWindowLaunchSuppressed.yaml | 25 +
...tMimetypeCheckForWorkerScriptsEnabled.yaml | 44 +
.../StricterMixedContentTreatmentEnabled.yaml | 28 +
...houtGestureAndAuthorizationForOrigins.yaml | 39 +
.../SuggestLogoutAfterClosingLastWindow.yaml | 24 +
.../SuggestedContentEnabled.yaml | 26 +
.../SuppressChromeFrameTurndownPrompt.yaml | 17 +
...uppressDifferentOriginSubframeDialogs.yaml | 32 +
.../SuppressUnsupportedOSWarning.yaml | 26 +
.../Miscellaneous/SyncDisabled.yaml | 36 +
.../Miscellaneous/SyncTypesListDisabled.yaml | 29 +
.../SystemFeaturesDisableList.yaml | 90 ++
.../SystemFeaturesDisableMode.yaml | 33 +
.../Miscellaneous/SystemProxySettings.yaml | 52 +
.../Miscellaneous/SystemShortcutBehavior.yaml | 51 +
.../TLS13HardeningForLocalAnchorsEnabled.yaml | 33 +
.../TPMFirmwareUpdateSettings.yaml | 50 +
.../TabDiscardingExceptions.yaml | 26 +
.../Miscellaneous/TabFreezingEnabled.yaml | 21 +
.../Miscellaneous/TabUnderAllowed.yaml | 22 +
.../TargetBlankImpliesNoOpener.yaml | 35 +
.../TaskManagerEndProcessEnabled.yaml | 26 +
.../Miscellaneous/TermsOfServiceURL.yaml | 20 +
.../ThirdPartyBlockingEnabled.yaml | 23 +
...leNonVisibleCrossOriginIframesAllowed.yaml | 31 +
.../ToolbarAvatarLabelSettings.yaml | 29 +
.../Miscellaneous/TosDialogBehavior.yaml | 39 +
.../Miscellaneous/TotalMemoryLimitMb.yaml | 22 +
.../TouchVirtualKeyboardEnabled.yaml | 33 +
.../Miscellaneous/TranslateEnabled.yaml | 33 +
.../Miscellaneous/TrashEnabled.yaml | 25 +
.../Miscellaneous/TripleDESEnabled.yaml | 32 +
.../U2fSecurityKeyApiEnabled.yaml | 31 +
.../Miscellaneous/URLAllowlist.yaml | 37 +
.../Miscellaneous/URLBlacklist.yaml | 32 +
.../Miscellaneous/URLBlocklist.yaml | 45 +
.../Miscellaneous/URLWhitelist.yaml | 28 +
.../UnifiedDesktopEnabledByDefault.yaml | 23 +
...anagedDeviceSignalsConsentFlowEnabled.yaml | 31 +
.../UnsafelyTreatInsecureOriginAsSecure.yaml | 34 +
.../UnthrottledNestedTimeoutEnabled.yaml | 42 +
...lKeyedAnonymizedDataCollectionEnabled.yaml | 36 +
.../Miscellaneous/UrlKeyedMetricsAllowed.yaml | 32 +
.../Miscellaneous/UrlParamFilterEnabled.yaml | 28 +
.../Miscellaneous/UsbDetachableAllowlist.yaml | 26 +
.../Miscellaneous/UsbDetachableWhitelist.yaml | 24 +
.../UsbDetectorNotificationEnabled.yaml | 26 +
.../Miscellaneous/UseLegacyFormControls.yaml | 28 +
.../UseMojoVideoDecoderForPepperAllowed.yaml | 48 +
.../UserAgentClientHintsEnabled.yaml | 25 +
...erAgentClientHintsGREASEUpdateEnabled.yaml | 31 +
.../Miscellaneous/UserAgentReduction.yaml | 43 +
...erAvatarCustomizationSelectorsEnabled.yaml | 25 +
.../Miscellaneous/UserAvatarImage.yaml | 34 +
...serContextAwareAccessSignalsAllowlist.yaml | 34 +
.../Miscellaneous/UserDataDir.yaml | 26 +
.../UserDataSnapshotRetentionLimit.yaml | 25 +
.../Miscellaneous/UserDisplayName.yaml | 22 +
.../Miscellaneous/UserFeedbackAllowed.yaml | 27 +
...rFeedbackWithLowLevelDebugDataAllowed.yaml | 34 +
.../VariationsRestrictParameter.yaml | 24 +
.../Miscellaneous/VideoCaptureAllowed.yaml | 28 +
.../VideoCaptureAllowedUrls.yaml | 25 +
...VirtualKeyboardResizesLayoutByDefault.yaml | 27 +
...VirtualKeyboardSmartVisibilityEnabled.yaml | 28 +
.../Miscellaneous/VmManagementCliAllowed.yaml | 23 +
.../Miscellaneous/VpnConfigAllowed.yaml | 22 +
.../Miscellaneous/WPADQuickCheckEnabled.yaml | 30 +
...llpaperGooglePhotosIntegrationEnabled.yaml | 25 +
.../Miscellaneous/WallpaperImage.yaml | 32 +
.../WarnBeforeQuittingEnabled.yaml | 26 +
.../Miscellaneous/WebAnnotations.yaml | 95 ++
.../Miscellaneous/WebAppInstallForceList.yaml | 111 ++
.../Miscellaneous/WebAppSettings.yaml | 54 +
...nticationRemoteProxiedRequestsAllowed.yaml | 34 +
.../Miscellaneous/WebAuthnFactors.yaml | 38 +
.../Miscellaneous/WebComponentsV0Enabled.yaml | 26 +
...ebDriverOverridesIncompatiblePolicies.yaml | 29 +
.../WebRtcAllowLegacyTLSProtocols.yaml | 30 +
.../WebRtcEventLogCollectionAllowed.yaml | 28 +
.../Miscellaneous/WebRtcIPHandling.yaml | 43 +
.../WebRtcLocalIpsAllowedUrls.yaml | 25 +
.../WebRtcTextLogCollectionAllowed.yaml | 27 +
.../Miscellaneous/WebRtcUdpPortRange.yaml | 21 +
.../Miscellaneous/WebSQLAccess.yaml | 26 +
.../WebSQLInThirdPartyContextEnabled.yaml | 26 +
.../WebSQLNonSecureContextEnabled.yaml | 28 +
.../WebXRImmersiveArEnabled.yaml | 32 +
.../WelcomePageOnOSUpgradeEnabled.yaml | 19 +
.../Miscellaneous/WifiSyncAndroidAllowed.yaml | 33 +
.../Miscellaneous/WindowOcclusionEnabled.yaml | 29 +
.../NativeMessaging/.group.details.yaml | 3 +
.../NativeMessagingAllowlist.yaml | 25 +
.../NativeMessagingBlocklist.yaml | 25 +
.../NativeMessagingUserLevelHosts.yaml | 25 +
.../NativeMessaging/policy_atomic_groups.yaml | 6 +
.../Network/.group.details.yaml | 2 +
...wMethodsInCORSPreflightSpecConformant.yaml | 37 +
.../Network/BlockTruncatedCookies.yaml | 35 +
...CompressionDictionaryTransportEnabled.yaml | 28 +
.../DataURLWhitespacePreservationEnabled.yaml | 32 +
.../Network/DeviceDataRoamingEnabled.yaml | 24 +
.../Network/DeviceDockMacAddressSource.yaml | 43 +
.../Network/DeviceHostnameTemplate.yaml | 19 +
.../DeviceHostnameUserConfigurable.yaml | 29 +
.../DeviceOpenNetworkConfiguration.yaml | 25 +
.../Network/DeviceWiFiAllowed.yaml | 24 +
.../DeviceWiFiFastTransitionEnabled.yaml | 24 +
.../Network/DnsOverHttpsExcludedDomains.yaml | 26 +
.../Network/DnsOverHttpsIncludedDomains.yaml | 28 +
.../Network/DnsOverHttpsSalt.yaml | 20 +
.../DnsOverHttpsTemplatesWithIdentifiers.yaml | 33 +
.../IPv6ReachabilityOverrideEnabled.yaml | 30 +
.../Network/NetworkThrottlingEnabled.yaml | 35 +
...utOfProcessSystemDnsResolutionEnabled.yaml | 30 +
.../Network/ZstdContentEncodingEnabled.yaml | 36 +
.../Network/policy_atomic_groups.yaml | 5 +
.../NetworkFileShares/.group.details.yaml | 2 +
.../NTLMShareAuthenticationEnabled.yaml | 23 +
.../NetBiosShareDiscoveryEnabled.yaml | 23 +
.../NetworkFileSharesAllowed.yaml | 20 +
.../NetworkFileSharesPreconfiguredShares.yaml | 40 +
.../policy_atomic_groups.yaml | 7 +
.../ParentalSupervision/.group.details.yaml | 4 +
.../EduCoexistenceToSVersion.yaml | 26 +
.../ParentAccessCodeConfig.yaml | 50 +
.../ParentalSupervision/PerAppTimeLimits.yaml | 101 ++
.../PerAppTimeLimitsAllowlist.yaml | 55 +
.../ParentalSupervision/UsageTimeLimit.yaml | 122 ++
.../PasswordManager/.group.details.yaml | 2 +
...DeletingUndecryptablePasswordsEnabled.yaml | 31 +
...asswordDismissCompromisedAlertEnabled.yaml | 27 +
.../PasswordLeakDetectionEnabled.yaml | 30 +
.../PasswordManagerAllowShowPasswords.yaml | 24 +
.../PasswordManagerEnabled.yaml | 35 +
.../PasswordSharingEnabled.yaml | 36 +
.../ThirdPartyPasswordManagersAllowed.yaml | 41 +
.../PasswordManager/policy_atomic_groups.yaml | 8 +
.../PluginVm/.group.details.yaml | 2 +
.../PluginVm/PluginVmAllowed.yaml | 25 +
.../PluginVmDataCollectionAllowed.yaml | 24 +
.../PluginVm/PluginVmImage.yaml | 29 +
.../PluginVm/PluginVmLicenseKey.yaml | 21 +
.../PluginVmRequiredFreeDiskSpace.yaml | 21 +
.../PluginVm/PluginVmUserId.yaml | 17 +
.../PluginVm/UserPluginVmAllowed.yaml | 26 +
.../PluginVm/policy_atomic_groups.yaml | 10 +
.../PowerAndShutdown/.group.details.yaml | 2 +
.../DeviceLoginScreenPowerManagement.yaml | 60 +
.../DeviceRebootOnShutdown.yaml | 25 +
.../PowerAndShutdown/UptimeLimit.yaml | 21 +
.../PowerManagement/.group.details.yaml | 5 +
.../PowerManagement/AllowScreenWakeLocks.yaml | 24 +
.../PowerManagement/AllowWakeLocks.yaml | 24 +
...iceAdvancedBatteryChargeModeDayConfig.yaml | 56 +
...eviceAdvancedBatteryChargeModeEnabled.yaml | 32 +
...eviceBatteryChargeCustomStartCharging.yaml | 25 +
...DeviceBatteryChargeCustomStopCharging.yaml | 25 +
.../DeviceBatteryChargeMode.yaml | 48 +
.../DeviceBootOnAcEnabled.yaml | 30 +
.../DeviceChargingSoundsEnabled.yaml | 37 +
.../DeviceLowBatterySoundEnabled.yaml | 37 +
.../DevicePowerAdaptiveChargingEnabled.yaml | 31 +
.../DevicePowerPeakShiftBatteryThreshold.yaml | 25 +
.../DevicePowerPeakShiftDayConfig.yaml | 66 +
.../DevicePowerPeakShiftEnabled.yaml | 30 +
.../DeviceUsbPowerShareEnabled.yaml | 34 +
.../PowerManagement/IdleAction.yaml | 39 +
.../PowerManagement/IdleActionAC.yaml | 41 +
.../PowerManagement/IdleActionBattery.yaml | 41 +
.../PowerManagement/IdleDelayAC.yaml | 26 +
.../PowerManagement/IdleDelayBattery.yaml | 26 +
.../PowerManagement/IdleWarningDelayAC.yaml | 28 +
.../IdleWarningDelayBattery.yaml | 28 +
.../PowerManagement/LidCloseAction.yaml | 38 +
.../PowerManagementIdleSettings.yaml | 69 +
.../PowerManagementUsesAudioActivity.yaml | 23 +
.../PowerManagementUsesVideoActivity.yaml | 25 +
.../PowerManagement/PowerSmartDimEnabled.yaml | 23 +
.../PresentationIdleDelayScale.yaml | 17 +
.../PresentationScreenDimDelayScale.yaml | 20 +
.../ScreenBrightnessPercent.yaml | 33 +
.../PowerManagement/ScreenDimDelayAC.yaml | 28 +
.../ScreenDimDelayBattery.yaml | 28 +
.../PowerManagement/ScreenLockDelayAC.yaml | 30 +
.../ScreenLockDelayBattery.yaml | 30 +
.../PowerManagement/ScreenLockDelays.yaml | 33 +
.../PowerManagement/ScreenOffDelayAC.yaml | 28 +
.../ScreenOffDelayBattery.yaml | 28 +
.../UserActivityScreenDimDelayScale.yaml | 21 +
.../WaitForInitialUserActivity.yaml | 24 +
.../Printing/.group.details.yaml | 2 +
.../Printing/CloudPrintProxyEnabled.yaml | 25 +
.../Printing/CloudPrintSubmitEnabled.yaml | 29 +
.../CloudPrintWarningsSuppressed.yaml | 27 +
.../Printing/DefaultPrinterSelection.yaml | 42 +
.../DeletePrintJobHistoryAllowed.yaml | 28 +
.../Printing/DeviceExternalPrintServers.yaml | 41 +
.../DeviceExternalPrintServersAllowlist.yaml | 29 +
.../Printing/DeviceNativePrinters.yaml | 38 +
.../DeviceNativePrintersAccessMode.yaml | 33 +
.../Printing/DevicePrinters.yaml | 35 +
.../Printing/DevicePrintersAccessMode.yaml | 41 +
.../Printing/DevicePrintersAllowlist.yaml | 29 +
.../Printing/DevicePrintersBlocklist.yaml | 27 +
.../DevicePrintingClientNameTemplate.yaml | 48 +
.../Printing/DisablePrintPreview.yaml | 26 +
.../Printing/ExternalPrintServers.yaml | 37 +
.../ExternalPrintServersAllowlist.yaml | 27 +
.../Printing/NativePrinters.yaml | 75 +
.../NativePrintersBulkAccessMode.yaml | 33 +
.../NativePrintersBulkConfiguration.yaml | 32 +
.../Printing/OopPrintDriversAllowed.yaml | 30 +
.../Printing/PrintHeaderFooter.yaml | 30 +
.../PrintJobHistoryExpirationPeriod.yaml | 24 +
.../Printing/PrintPdfAsImageAvailability.yaml | 30 +
.../Printing/PrintPdfAsImageDefault.yaml | 33 +
.../Printing/PrintPostScriptMode.yaml | 35 +
.../PrintPreviewUseSystemDefaultPrinter.yaml | 28 +
.../Printing/PrintRasterizationMode.yaml | 35 +
.../Printing/PrintRasterizePdfDpi.yaml | 27 +
.../Printing/PrinterTypeDenyList.yaml | 61 +
.../policy_definitions/Printing/Printers.yaml | 71 +
.../Printing/PrintersBulkAccessMode.yaml | 41 +
.../Printing/PrintersBulkAllowlist.yaml | 25 +
.../Printing/PrintersBulkBlocklist.yaml | 25 +
.../Printing/PrintersBulkConfiguration.yaml | 28 +
.../PrintingAPIExtensionsAllowlist.yaml | 23 +
...rintingAllowedBackgroundGraphicsModes.yaml | 34 +
.../Printing/PrintingAllowedColorModes.yaml | 32 +
.../Printing/PrintingAllowedDuplexModes.yaml | 34 +
.../Printing/PrintingAllowedPinModes.yaml | 33 +
.../PrintingBackgroundGraphicsDefault.yaml | 30 +
.../Printing/PrintingColorDefault.yaml | 28 +
.../Printing/PrintingDuplexDefault.yaml | 32 +
.../Printing/PrintingEnabled.yaml | 30 +
.../Printing/PrintingLPACSandboxEnabled.yaml | 27 +
.../Printing/PrintingMaxSheetsAllowed.yaml | 20 +
.../Printing/PrintingPaperSizeDefault.yaml | 182 +++
.../Printing/PrintingPinDefault.yaml | 28 +
...rintingSendUsernameAndFilenameEnabled.yaml | 25 +
.../Printing/UserNativePrintersAllowed.yaml | 22 +
.../Printing/UserPrintersAllowed.yaml | 24 +
.../PrivacySandbox/.group.details.yaml | 2 +
.../PrivacySandboxAdMeasurementEnabled.yaml | 31 +
.../PrivacySandboxAdTopicsEnabled.yaml | 31 +
...andboxFingerprintingProtectionEnabled.yaml | 31 +
.../PrivacySandboxIpProtectionEnabled.yaml | 33 +
.../PrivacySandboxPromptEnabled.yaml | 35 +
.../PrivacySandboxSiteEnabledAdsEnabled.yaml | 31 +
.../PrivacySandbox/policy_atomic_groups.yaml | 7 +
.../PrivacyScreen/.group.details.yaml | 2 +
...DeviceLoginScreenPrivacyScreenEnabled.yaml | 36 +
.../PrivacyScreen/PrivacyScreenEnabled.yaml | 34 +
.../.group.details.yaml | 2 +
...InsecurePrivateNetworkRequestsAllowed.yaml | 44 +
...ePrivateNetworkRequestsAllowedForUrls.yaml | 35 +
...ivateNetworkAccessRestrictionsEnabled.yaml | 47 +
.../policy_atomic_groups.yaml | 5 +
.../Projector/.group.details.yaml | 2 +
.../ProjectorDogfoodForFamilyLinkEnabled.yaml | 30 +
.../Projector/ProjectorEnabled.yaml | 28 +
.../Proxy/.group.details.yaml | 14 +
.../Proxy/ProxyBypassList.yaml | 29 +
.../policy_definitions/Proxy/ProxyMode.yaml | 58 +
.../policy_definitions/Proxy/ProxyPacUrl.yaml | 28 +
.../policy_definitions/Proxy/ProxyServer.yaml | 28 +
.../Proxy/ProxyServerMode.yaml | 54 +
.../Proxy/policy_atomic_groups.yaml | 9 +
.../QuickAnswers/.group.details.yaml | 2 +
.../QuickAnswersDefinitionEnabled.yaml | 25 +
.../QuickAnswers/QuickAnswersEnabled.yaml | 26 +
.../QuickAnswersTranslationEnabled.yaml | 25 +
.../QuickAnswersUnitConversionEnabled.yaml | 25 +
.../QuickUnlock/.group.details.yaml | 2 +
.../PinUnlockAutosubmitEnabled.yaml | 33 +
.../QuickUnlock/PinUnlockMaximumLength.yaml | 18 +
.../QuickUnlock/PinUnlockMinimumLength.yaml | 18 +
.../QuickUnlock/PinUnlockWeakPinsAllowed.yaml | 26 +
.../QuickUnlock/QuickUnlockModeAllowlist.yaml | 38 +
.../QuickUnlock/QuickUnlockTimeout.yaml | 36 +
.../QuickUnlock/policy_atomic_groups.yaml | 12 +
.../RelatedWebsiteSets/.group.details.yaml | 2 +
.../RelatedWebsiteSetsEnabled.yaml | 31 +
.../RelatedWebsiteSetsOverrides.yaml | 123 ++
.../RemoteAccess/.group.details.yaml | 8 +
.../RemoteAccessClientFirewallTraversal.yaml | 24 +
.../RemoteAccessHostAllowClientPairing.yaml | 26 +
...AccessHostAllowEnterpriseFileTransfer.yaml | 26 +
...lowEnterpriseRemoteSupportConnections.yaml | 29 +
.../RemoteAccessHostAllowFileTransfer.yaml | 28 +
.../RemoteAccessHostAllowGnubbyAuth.yaml | 30 +
...emoteAccessHostAllowPinAuthentication.yaml | 29 +
...emoteAccessHostAllowRelayedConnection.yaml | 28 +
...ccessHostAllowRemoteAccessConnections.yaml | 28 +
...cessHostAllowRemoteSupportConnections.yaml | 33 +
...sHostAllowUiAccessForRemoteAssistance.yaml | 30 +
.../RemoteAccessHostAllowUrlForwarding.yaml | 30 +
.../RemoteAccessHostClientDomain.yaml | 20 +
.../RemoteAccessHostClientDomainList.yaml | 31 +
.../RemoteAccessHostClipboardSizeBytes.yaml | 35 +
...RemoteAccessHostDebugOverridePolicies.yaml | 21 +
.../RemoteAccess/RemoteAccessHostDomain.yaml | 20 +
.../RemoteAccessHostDomainList.yaml | 31 +
.../RemoteAccessHostEnableUserInterface.yaml | 31 +
.../RemoteAccessHostFirewallTraversal.yaml | 27 +
.../RemoteAccessHostMatchUsername.yaml | 26 +
...cessHostMaximumSessionDurationMinutes.yaml | 25 +
.../RemoteAccessHostRequireCurtain.yaml | 28 +
.../RemoteAccessHostRequireTwoFactor.yaml | 23 +
.../RemoteAccessHostTalkGadgetPrefix.yaml | 28 +
.../RemoteAccessHostTokenUrl.yaml | 26 +
...sHostTokenValidationCertificateIssuer.yaml | 23 +
.../RemoteAccessHostTokenValidationUrl.yaml | 25 +
.../RemoteAccessHostUdpPortRange.yaml | 25 +
.../RemoteAccess/policy_atomic_groups.yaml | 32 +
.../SAML/.group.details.yaml | 2 +
.../LockScreenReauthenticationEnabled.yaml | 23 +
.../SAML/SAMLOfflineSigninTimeLimit.yaml | 25 +
.../SamlInSessionPasswordChangeEnabled.yaml | 29 +
...lPasswordExpirationAdvanceWarningDays.yaml | 25 +
.../SafeBrowsing/.group.details.yaml | 2 +
.../DisableSafeBrowsingProceedAnyway.yaml | 30 +
.../PasswordProtectionChangePasswordURL.yaml | 25 +
.../PasswordProtectionLoginURLs.yaml | 30 +
.../PasswordProtectionWarningTrigger.yaml | 46 +
.../SafeBrowsingAllowlistDomains.yaml | 31 +
.../SafeBrowsingDeepScanningEnabled.yaml | 26 +
.../SafeBrowsing/SafeBrowsingEnabled.yaml | 39 +
.../SafeBrowsingExtendedReportingEnabled.yaml | 38 +
.../SafeBrowsingProtectionLevel.yaml | 52 +
...eBrowsingProxiedRealTimeChecksAllowed.yaml | 46 +
.../SafeBrowsingSurveysEnabled.yaml | 27 +
.../SafeBrowsing/policy_atomic_groups.yaml | 17 +
.../ScreenCapture/.group.details.yaml | 4 +
.../MultiScreenCaptureAllowedForUrls.yaml | 23 +
.../SameOriginTabCaptureAllowedByOrigins.yaml | 31 +
.../ScreenCapture/ScreenCaptureAllowed.yaml | 35 +
.../ScreenCaptureAllowedByOrigins.yaml | 31 +
.../TabCaptureAllowedByOrigins.yaml | 33 +
.../WindowCaptureAllowedByOrigins.yaml | 31 +
.../ScreenCapture/policy_atomic_groups.yaml | 8 +
.../Screensaver/.group.details.yaml | 2 +
.../DeviceScreensaverLoginScreenEnabled.yaml | 34 +
...eensaverLoginScreenIdleTimeoutSeconds.yaml | 27 +
...oginScreenImageDisplayIntervalSeconds.yaml | 27 +
.../DeviceScreensaverLoginScreenImages.yaml | 34 +
.../ScreensaverLockScreenEnabled.yaml | 32 +
...reensaverLockScreenIdleTimeoutSeconds.yaml | 25 +
...LockScreenImageDisplayIntervalSeconds.yaml | 25 +
.../ScreensaverLockScreenImages.yaml | 32 +
.../Signin/.group.details.yaml | 5 +
.../BoundSessionCredentialsEnabled.yaml | 42 +
.../Signin/DeviceAllowNewUsers.yaml | 30 +
...eAuthenticationFlowAutoReloadInterval.yaml | 38 +
.../Signin/DeviceAutofillSAMLUsername.yaml | 27 +
.../Signin/DeviceEphemeralUsersEnabled.yaml | 25 +
.../DeviceFamilyLinkAccountsAllowed.yaml | 30 +
.../Signin/DeviceGuestModeEnabled.yaml | 24 +
...ginScreenAutoSelectCertificateForUrls.yaml | 58 +
.../DeviceLoginScreenDomainAutoComplete.yaml | 19 +
.../Signin/DeviceLoginScreenExtensions.yaml | 32 +
.../Signin/DeviceLoginScreenInputMethods.yaml | 22 +
.../DeviceLoginScreenIsolateOrigins.yaml | 25 +
.../Signin/DeviceLoginScreenLocales.yaml | 21 +
...nPromptOnMultipleMatchingCertificates.yaml | 28 +
.../DeviceLoginScreenSitePerProcess.yaml | 23 +
.../DeviceLoginScreenSystemInfoEnforced.yaml | 31 +
.../DeviceRunAutomaticCleanupOnLogin.yaml | 25 +
.../DeviceSecondFactorAuthentication.yaml | 38 +
.../DeviceShowNumericKeyboardForPassword.yaml | 23 +
.../Signin/DeviceShowUserNamesOnSignin.yaml | 28 +
.../Signin/DeviceStartUpFlags.yaml | 25 +
.../Signin/DeviceTransferSAMLCookies.yaml | 32 +
.../Signin/DeviceUserAllowlist.yaml | 29 +
.../Signin/DeviceWallpaperImage.yaml | 31 +
.../ExtensibleEnterpriseSSOEnabled.yaml | 37 +
.../Signin/LoginAuthenticationBehavior.yaml | 35 +
.../Signin/LoginVideoCaptureAllowedUrls.yaml | 24 +
...rofileSeparationDataMigrationSettings.yaml | 50 +
.../ProfileSeparationDomainExceptionList.yaml | 30 +
.../Signin/ProfileSeparationSettings.yaml | 50 +
.../Signin/RecoveryFactorBehavior.yaml | 34 +
.../Signin/policy_atomic_groups.yaml | 15 +
.../SkyVault/.group.details.yaml | 3 +
.../SkyVault/LocalUserFilesAllowed.yaml | 26 +
.../LocalUserFilesMigrationDestination.yaml | 36 +
.../SkyVault/policy_atomic_groups.yaml | 5 +
.../Startup/.group.details.yaml | 7 +
.../Startup/HomepageIsNewTabPage.yaml | 33 +
.../Startup/HomepageLocation.yaml | 31 +
.../Startup/NewTabPageLocation.yaml | 32 +
.../Startup/RestoreOnStartup.yaml | 52 +
.../Startup/RestoreOnStartupURLs.yaml | 28 +
.../Startup/ShowHomeButton.yaml | 27 +
.../Startup/policy_atomic_groups.yaml | 15 +
.../.group.details.yaml | 2 +
...viceActivityHeartbeatCollectionRateMs.yaml | 25 +
.../DeviceActivityHeartbeatEnabled.yaml | 28 +
.../DeviceExtensionsSystemLogEnabled.yaml | 26 +
...lexHwDataForProductImprovementEnabled.yaml | 33 +
.../DeviceMetricsReportingEnabled.yaml | 30 +
.../DeviceReportNetworkEvents.yaml | 28 +
.../DeviceReportRuntimeCounters.yaml | 27 +
...ceReportRuntimeCountersCheckingRateMs.yaml | 25 +
.../DeviceReportXDREvents.yaml | 27 +
.../EnableDeviceGranularReporting.yaml | 27 +
.../HeartbeatEnabled.yaml | 26 +
.../HeartbeatFrequency.yaml | 21 +
.../LogUploadEnabled.yaml | 26 +
.../ReportAppInventory.yaml | 55 +
.../ReportAppUsage.yaml | 55 +
.../ReportAppUsageCollectionRateMs.yaml | 23 +
.../ReportArcStatusEnabled.yaml | 24 +
.../ReportCRDSessions.yaml | 29 +
.../ReportDeviceActivityTimes.yaml | 26 +
.../ReportDeviceAppInfo.yaml | 28 +
.../ReportDeviceAudioStatus.yaml | 27 +
...ReportDeviceAudioStatusCheckingRateMs.yaml | 25 +
.../ReportDeviceBacklightInfo.yaml | 27 +
.../ReportDeviceBluetoothInfo.yaml | 27 +
.../ReportDeviceBoardStatus.yaml | 27 +
.../ReportDeviceBootMode.yaml | 26 +
.../ReportDeviceCpuInfo.yaml | 27 +
.../ReportDeviceCrashReportInfo.yaml | 29 +
.../ReportDeviceFanInfo.yaml | 27 +
.../ReportDeviceGraphicsStatus.yaml | 29 +
.../ReportDeviceHardwareStatus.yaml | 30 +
.../ReportDeviceLocation.yaml | 29 +
.../ReportDeviceLoginLogout.yaml | 28 +
.../ReportDeviceMemoryInfo.yaml | 27 +
.../ReportDeviceNetworkConfiguration.yaml | 28 +
.../ReportDeviceNetworkInterfaces.yaml | 29 +
.../ReportDeviceNetworkStatus.yaml | 28 +
...eviceNetworkTelemetryCollectionRateMs.yaml | 25 +
...ceNetworkTelemetryEventCheckingRateMs.yaml | 25 +
.../ReportDeviceOsUpdateStatus.yaml | 29 +
.../ReportDevicePeripherals.yaml | 27 +
.../ReportDevicePowerStatus.yaml | 27 +
.../ReportDevicePrintJobs.yaml | 29 +
.../ReportDeviceSecurityStatus.yaml | 28 +
.../ReportDeviceSessionStatus.yaml | 27 +
...iceSignalStrengthEventDrivenTelemetry.yaml | 39 +
.../ReportDeviceStorageStatus.yaml | 28 +
.../ReportDeviceSystemInfo.yaml | 27 +
.../ReportDeviceTimezoneInfo.yaml | 27 +
.../ReportDeviceUsers.yaml | 29 +
.../ReportDeviceVersionInfo.yaml | 26 +
.../ReportDeviceVpdInfo.yaml | 28 +
.../ReportUploadFrequency.yaml | 22 +
.../ReportWebsiteActivityAllowlist.yaml | 28 +
.../ReportWebsiteTelemetry.yaml | 30 +
.../ReportWebsiteTelemetryAllowlist.yaml | 28 +
...eportWebsiteTelemetryCollectionRateMs.yaml | 23 +
.../policy_atomic_groups.yaml | 43 +
.../WilcoDtc/.group.details.yaml | 2 +
.../WilcoDtc/DeviceWilcoDtcAllowed.yaml | 29 +
.../WilcoDtc/DeviceWilcoDtcConfiguration.yaml | 32 +
.../templates/risk_tag_definitions.yaml | 54 +
1358 files changed, 44561 insertions(+), 1 deletion(-)
create mode 100755 tools/under-control/src/components/policy/resources/templates/common_schemas.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/legacy_device_policy_proto_map.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/manual_device_policy_proto_map.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/messages.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policies.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/AccessibilityShortcutsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/AutoclickEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/CaretHighlightEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/ColorCorrectionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/CursorHighlightEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenAccessibilityShortcutsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenAutoclickEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenCaretHighlightEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenCursorHighlightEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultHighContrastEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultLargeCursorEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultScreenMagnifierType.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultSpokenFeedbackEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultVirtualKeyboardEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDictationEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenHighContrastEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenKeyboardFocusHighlightEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenLargeCursorEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenMonoAudioEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenScreenMagnifierType.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenSelectToSpeakEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenShowOptionsInSystemTrayMenu.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenSpokenFeedbackEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenStickyKeysEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenVirtualKeyboardEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DictationEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/EnhancedNetworkVoicesInSelectToSpeakAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/FloatingAccessibilityMenuEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/HighContrastEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/KeyboardDefaultToFunctionKeys.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/KeyboardFocusHighlightEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/LargeCursorEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/MonoAudioEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/ScreenMagnifierType.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/SelectToSpeakEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/ShowAccessibilityOptionsInSystemTrayMenu.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/SpokenFeedbackEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/StickyKeysEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/UiAutomationProviderEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/VirtualKeyboardEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/VirtualKeyboardFeatures.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/ChromadToCloudMigrationEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/CloudAPAuthEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceAuthDataCacheLifetime.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceGpoCacheLifetime.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceKerberosEncryptionTypes.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceMachinePasswordChangeRate.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceUserPolicyLoopbackProcessingMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/AppRecommendationZeroStateEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcAppInstallEventLoggingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcAppToWebAppSharingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcBackupRestoreEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcBackupRestoreServiceEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcCertificatesSyncMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcGoogleLocationServicesEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcLocationServiceEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcPolicy.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/DeviceArcDataSnapshotHours.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/UnaffiliatedArcAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/UnaffiliatedDeviceArcAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForDevice.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForUser.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationExtensionAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationForContentProtectionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/DeviceWebBasedAttestationAllowedUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Borealis/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Borealis/DeviceBorealisAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Borealis/UserBorealisAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserEventReporting/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserEventReporting/ReportingEndpoints.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserEventReporting/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/IdleTimeout.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/IdleTimeoutActions.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/AlternativeBrowserParameters.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/AlternativeBrowserPath.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherChromeParameters.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherChromePath.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherDelay.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherExternalGreylistUrl.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherExternalSitelistUrl.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherKeepLastChromeTab.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherParsingMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherUrlGreylist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherUrlList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherUseIeSitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Bruschetta/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Bruschetta/BruschettaInstallerConfiguration.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Bruschetta/BruschettaVMConfiguration.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/CastReceiverEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/CastReceiverName.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CACertificateManagementAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CACertificates.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CACertificatesWithConstraints.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CADistrustedCertificates.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CAHintCertificates.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CAPlatformIntegrationEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/RequiredClientCertificateForDevice.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/RequiredClientCertificateForUser.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameContentTypes/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameContentTypes/ChromeFrameContentTypes.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/AdditionalLaunchParameters.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/ChromeFrameRendererSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/RenderInChromeFrameList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/RenderInHostList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/SkipMetadataCheck.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudExtensionRequestEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudProfileReportingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudReportingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudReportingUploadFrequency.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/LegacyTechReportAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportExtensionsAndPluginsData.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportMachineIDData.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportPolicyData.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportSafeBrowsingData.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportUserIDData.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportVersionData.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudUpload/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudUpload/GoogleWorkspaceCloudUpload.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudUpload/MicrosoftOfficeCloudUpload.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/AutoSelectCertificateForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/AutomaticFullscreenAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/AutomaticFullscreenBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ClipboardAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ClipboardBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/CookiesAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/CookiesBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/CookiesSessionOnlyForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DataUrlInSvgUseEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultClipboardSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultCookiesSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultDirectSocketsSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultFileHandlingGuardSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultFileSystemReadGuardSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultFileSystemWriteGuardSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultGeolocationSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultImagesSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultInsecureContentSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultJavaScriptJitSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultJavaScriptOptimizerSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultJavaScriptSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultKeygenSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultLocalFontsSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultMediaStreamSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultNotificationsSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultPluginsSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultPopupsSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultSensorsSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultSerialGuardSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultThirdPartyStoragePartitioningSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebBluetoothGuardSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebHidGuardSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebPrintingSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebUsbGuardSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWindowManagementSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWindowPlacementSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DirectSocketsAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DirectSocketsBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileHandlingAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileHandlingBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemReadAskForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemReadBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemSyncAccessHandleAsyncInterfaceEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemWriteAskForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemWriteBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/GetDisplayMediaSetSelectAllScreensAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ImagesAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ImagesBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/InsecureContentAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/InsecureContentBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptJitAllowedForSites.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptJitBlockedForSites.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptOptimizerAllowedForSites.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptOptimizerBlockedForSites.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/KeygenAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/KeygenBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LegacySameSiteCookieBehaviorEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LegacySameSiteCookieBehaviorEnabledForDomainList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LocalFontsAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LocalFontsBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/NotificationsAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/NotificationsBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PdfLocalFileAccessAllowedForDomains.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PluginsAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PluginsBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PopupsAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PopupsBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/RegisteredProtocolHandlers.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SensorsAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SensorsBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialAllowAllPortsForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialAllowUsbDevicesForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialAskForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ThirdPartyStoragePartitioningBlockedForOrigins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAllowAllDevicesForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAllowDevicesForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAllowDevicesWithHidUsagesForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAskForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebPrintingAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebPrintingBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebUsbAllowDevicesForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebUsbAskForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebUsbBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowManagementAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowManagementBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowPlacementAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowPlacementBlockedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniAnsiblePlaybook.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniArcAdbSideloadingAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniExportImportUIAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniPortForwardingAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniRootAccessAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/DeviceCrostiniArcAdbSideloadingAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/DeviceUnaffiliatedCrostiniAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/SystemTerminalSshAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/VirtualMachinesAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/CalendarIntegrationEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/SystemTimezone.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/SystemTimezoneAutomaticDetection.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/SystemUse24HourClock.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderAlternateURLs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderEncodings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderIconURL.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderImageURL.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderImageURLPostParams.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderInstantURL.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderInstantURLPostParams.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderKeyword.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderName.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderNewTabURL.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSearchTermsReplacementKey.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSearchURL.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSearchURLPostParams.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSuggestURL.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSuggestURLPostParams.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/DeskAPIDeskSaveAndShareEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/DeskAPIThirdPartyAccessEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/DeskAPIThirdPartyAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/ChromeOsReleaseChannel.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/ChromeOsReleaseChannelDelegated.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceAutoUpdateDisabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceAutoUpdateP2PEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceAutoUpdateTimeRestrictions.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceChannelDowngradeBehavior.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceExtendedAutoUpdateEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceMinimumVersion.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceMinimumVersionAueMessage.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceQuickFixBuildToken.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceRollbackAllowedMilestones.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceRollbackToTargetVersion.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceTargetVersionPrefix.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceTargetVersionSelector.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateAllowedConnectionTypes.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateHttpDownloadsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateScatterFactor.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateStagingSchedule.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/MinimumRequiredChromeVersion.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/RebootAfterUpdate.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/DeviceDisplayResolution.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/DisplayRotationDefault.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/DriveDisabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/DriveDisabledOverCellular.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/DriveFileSyncAvailable.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/MicrosoftOneDriveAccountRestrictions.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/MicrosoftOneDriveMount.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Edu/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Edu/GraduationEnablementStatus.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/BlockExternalExtensions.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ChromeAppsWebViewPermissiveBehaviorAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/DeviceLoginScreenExtensionManifestV2Availability.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionAllowInsecureUpdates.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionAllowedTypes.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionDeveloperModeSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionExtendedBackgroundLifetimeForPortConnectionsToUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallBlocklist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallForcelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallSources.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallTypeBlocklist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionManifestV2Availability.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionOAuthRedirectUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionUnpublishedAvailability.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/MandatoryExtensionsForIncognitoNavigation.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/FirstPartySets/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/FirstPartySets/FirstPartySetsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/FirstPartySets/FirstPartySetsOverrides.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/FloatingSsoDomainBlocklist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/FloatingSsoDomainBlocklistExceptions.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/FloatingSsoEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Gaia/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Gaia/GaiaOfflineSigninTimeLimitDays.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/CreateThemesSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/DevToolsGenAiSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAILocalFoundationalModelSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAIVcBackgroundSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAIWallpaperSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAiDefaultSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/HelpMeReadSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/HelpMeWriteSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/HistorySearchSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/TabCompareSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/TabOrganizerSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/AssistantOnboardingMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/AssistantVoiceMatchEnabledDuringOobe.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/AssistantWebEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/VoiceInteractionContextEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/VoiceInteractionHotwordEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/VoiceInteractionQuickAnswersEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/AccessCodeCastDeviceDuration.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/AccessCodeCastEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/EnableMediaRouter.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/MediaRouterCastAllowAllIPs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/ShowCastIconInToolbar.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/ShowCastSessionsStartedByOtherDevices.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AllHttpAuthSchemesAllowedForOrigins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AllowCrossOriginAuthPrompt.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthAndroidNegotiateAccountType.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthNegotiateDelegateAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthNegotiateDelegateByKdcPolicy.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthSchemes.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthServerAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/BasicAuthOverHttpEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/DisableAuthNegotiateCnameLookup.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/EnableAuthNegotiatePort.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/GSSAPILibraryName.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/IntegratedWebAuthenticationAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/NtlmV2Enabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosAccounts.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosAddAccountsAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosCustomPrefilledConfig.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosDomainAutocomplete.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosRememberPasswordEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosUseCustomPrefilledConfig.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/AllowKioskAppControlChromeVersion.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountAutoLoginBailoutEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountAutoLoginDelay.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountAutoLoginId.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountPromptForNetworkWhenOffline.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccounts.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceWeeklyScheduledSuspend.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskActiveWiFiCredentialsScopeChangeEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskTroubleshootingToolsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskVisionTelemetryEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskWebAppOfflineEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/NewWindowsInKioskAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/SupervisedUserContentProviderEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/SupervisedUserCreationEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/SupervisedUsersEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AbusiveExperienceInterventionEnforce.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AccessibilityImageLabelsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AccessibilityPerformanceFilteringAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdHocCodeSigningForPWAsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdditionalDnsQueryTypesEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdsSettingForIntrusiveAdsSites.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdvancedProtectionAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdvancedProtectionDeepScanningEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowBackForwardCacheForCacheControlNoStorePageEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowChromeDataInBackups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowDeletingBrowserHistory.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowDinosaurEasterEgg.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowFileSelectionDialogs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowNativeNotifications.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowOutdatedPlugins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowPopupsDuringPageUnload.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowScreenLock.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowSyncXHRInPageDismissal.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowSystemNotifications.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowWebAuthnWithBrokenTlsCerts.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedDomainsForApps.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedDomainsForAppsList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedInputMethods.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedLanguages.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlternateErrorPagesEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlwaysAuthorizePlugins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlwaysOnVpnPreConnectUrlAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlwaysOpenPdfExternally.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AmbientAuthenticationInPrivateModesEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AppCacheForceEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AppLaunchAutomation.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AppStoreRatingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ApplicationBoundEncryptionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ApplicationLocaleValue.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ArcVmDataMigrationStrategy.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AttestationExtensionWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioCaptureAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioCaptureAllowedUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioOutputAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioProcessHighPriorityEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioSandboxEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AuthNegotiateDelegateWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AuthServerWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoCleanUpStrategy.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoFillEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoLaunchProtocolsFromOrigins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoOpenAllowedForURLs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoOpenFileTypes.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutofillAddressEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutofillCreditCardEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoplayAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoplayAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoplayWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BackForwardCacheEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BackgroundModeEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BatterySaverModeAvailability.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BeforeunloadEventCancelByPreventDefaultEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BlockThirdPartyCookies.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BookmarkBarEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserAddPersonEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserContextAwareAccessSignalsAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserGuestModeEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserGuestModeEnforced.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserLabsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserLegacyExtensionPointsBlocked.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserNetworkTimeQueriesEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserSignin.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserThemeColor.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowsingDataLifetime.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BuiltInDnsClientEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BuiltinCertificateVerifierEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CCTToSDialogEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CECPQ2Enabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CORSNonWildcardRequestHeadersSupport.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CSSCustomStateDeprecatedSyntaxEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CaptivePortalAuthenticationIgnoresProxy.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CertificateTransparencyEnforcementDisabledForCas.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CertificateTransparencyEnforcementDisabledForLegacyCas.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CertificateTransparencyEnforcementDisabledForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeAppsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeCleanupEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeCleanupReportingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeDataRegionSetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeForTestingAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeOsLockOnIdleSuspend.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeOsMultiProfileUserBehavior.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeRootStoreEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeVariations.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClearBrowsingDataOnExitList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClearSiteDataOnExit.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClickToCallEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClientCertificateManagementAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudManagementEnrollmentMandatory.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudManagementEnrollmentToken.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudPolicyOverridesPlatformPolicy.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudUserPolicyMerge.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudUserPolicyOverridesCloudMachinePolicy.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CoalesceH2ConnectionsWithClientCertificatesForHosts.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CommandLineFlagSecurityWarningsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ComponentUpdatesEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextAwareAccessSignalsAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextMenuPhotoSharingSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualGoogleIntegrationsConfiguration.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualGoogleIntegrationsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualSearchEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualSuggestionsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CopyPreventionSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CorsLegacyModeEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CorsMitigationList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CreatePasskeysInICloudKeychain.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CredentialProviderPromoEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CrossOriginWebAssemblyModuleSharingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DHEEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DNSInterceptionChecksEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataCompressionProxyEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataControlsRules.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataLeakPreventionClipboardCheckSizeLimit.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataLeakPreventionReportingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataLeakPreventionRulesList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultBrowserSettingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultDownloadDirectory.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultHandlersForFileExtensions.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultSearchProviderContextMenuAccessAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeleteKeyModifier.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeskTemplatesEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DesktopSharingHubEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeveloperToolsAvailability.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeveloperToolsDisabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowBluetooth.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowEnterpriseRemoteAccessConnections.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowMGSToStoreDisplayProperties.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowRedeemChromeOsRegistrationOffers.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowedBluetoothServices.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAppPack.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAttributesAllowedForOrigins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAuthenticationURLAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAuthenticationURLBlocklist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceBlockDevmode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceChromeVariations.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceDebugPacketCaptureAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceDlcPredownloadList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceEcryptfsMigrationStrategy.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceEncryptedReportingPipelineEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceEphemeralNetworkPoliciesEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceExtendedFkeysModifier.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceHardwareVideoDecodingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceHindiInscriptLayoutEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceI18nShortcutsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceIdleLogoutTimeout.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceIdleLogoutWarningDuration.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceKeyboardBacklightColor.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceKeylockerForStorageEncryptionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLocalAccountManagedSessionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenContextAwareAccessSignalsAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenGeolocationAccessLevel.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenPrimaryMouseButtonSwitch.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenSaverId.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenSaverTimeout.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenTouchVirtualKeyboardEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenWebHidAllowDevicesForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenWebUILazyLoading.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenWebUsbAllowDevicesForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceNativePrintersBlacklist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceNativePrintersWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceOffHours.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePciPeripheralDataAccessEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePolicyRefreshRate.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePostQuantumKeyAgreementEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePowerwashAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceQuirksDownloadEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceRebootOnUserSignout.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceReleaseLtsTag.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceRestrictedManagedGuestSessionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceRestrictionSchedule.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceScheduledReboot.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceScheduledUpdateCheck.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceShowLowDiskSpaceNotification.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceStartUpUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceSwitchFunctionKeysBehaviorEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceSystemAecEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceSystemWideTracingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceUserWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceVariationsRestrictParameter.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/Disable3DAPIs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisablePluginFinder.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisableSSLRecordSplitting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisableScreenshots.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisableSpdy.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisabledPlugins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisabledPluginsExceptions.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisabledSchemes.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DiskCacheDir.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DiskCacheSize.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisplayCapturePermissionsPolicyEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DnsOverHttpsMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DnsOverHttpsTemplates.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DnsPrefetchingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DocumentScanAPITrustedExtensions.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DomainReliabilityAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadBubbleEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadDirectory.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadManagerSaveToDriveSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadRestrictions.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DynamicCodeSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EasyUnlockAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EcheAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EcryptfsMigrationStrategy.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EditBookmarksEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EmojiPickerGifSupportEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EmojiSuggestionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableCommonNameFallbackForLocalAnchors.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableDeprecatedPrivetPrinting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableDeprecatedWebBasedSignin.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableDeprecatedWebPlatformFeatures.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableExperimentalPolicies.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableOnlineRevocationChecks.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableSha1ForLocalAnchors.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableSymantecLegacyInfrastructure.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableSyncConsent.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnabledPlugins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EncryptedClientHelloEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnforceLocalAnchorConstraintsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseAuthenticationAppLinkPolicy.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseBadgingTemporarySetting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseCustomLabel.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseHardwarePlatformAPIEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseLogoUrl.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseProfileCreationKeepBrowsingData.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseRealTimeUrlCheckMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseWebStoreName.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseWebStoreURL.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EssentialSearchEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EventPathEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExemptDomainFileTypePairsFromFileTypeDownloadWarnings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExplicitlyAllowedNetworkPorts.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionCacheSize.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionInstallBlacklist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionInstallEventLoggingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionInstallWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalPrintServersWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalProtocolDialogShowAlwaysOpenCheckbox.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalStorageDisabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalStorageReadOnly.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/F11KeyModifier.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/F12KeyModifier.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FastPairEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FeedbackSurveysEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FetchKeepaliveDurationSecondsOnShutdown.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FileOrDirectoryPickerWithoutGestureAllowedForOrigins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FloatingWorkspaceEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FloatingWorkspaceV2Enabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FocusModeSoundsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceBrowserSignin.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceEnablePepperVideoDecoderDevAPI.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceEphemeralProfiles.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceGoogleSafeSearch.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceLegacyDefaultReferrerPolicy.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceLogoutUnauthenticatedUserEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceMajorVersionToMinorPositionInUserAgent.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceMaximizeOnFirstRun.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceNetworkInProcess.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForcePermissionPolicyUnloadDefaultEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceSafeSearch.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceYouTubeRestrict.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceYouTubeSafetyMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForcedLanguages.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullRestoreEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullRestoreMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullscreenAlertEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullscreenAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GCFUserDataDir.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GaiaLockScreenOfflineSigninTimeLimitDays.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GhostWindowEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GlanceablesEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GloballyScopeHTTPAuthCacheEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GoogleLocationServicesEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GoogleSearchSidePanelEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HSTSPolicyBypassList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HardwareAccelerationModeEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HeadlessMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HideWebStoreIcon.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HideWebStorePromo.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HighEfficiencyModeEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HindiInscriptLayoutEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HistoryClustersVisible.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HomeAndEndKeysModifier.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/Http09OnNonDefaultPortsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HttpAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HttpsOnlyMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HttpsUpgradesEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportAutofillFormData.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportBookmarks.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportHistory.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportHomepage.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportSavedPasswords.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportSearchEngine.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IncognitoEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IncognitoModeAvailability.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsecureFormsWarningsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsecureHashesInTLSHandshakesEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsertKeyModifier.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsightsExtensionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InstantEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InstantTetheringAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IntensiveWakeUpThrottlingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IntranetRedirectBehavior.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IsolateOrigins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IsolateOriginsAndroid.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IsolatedWebAppInstallForceList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/JavascriptEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KeepFullscreenWithoutNotificationUrlAllowList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KeyPermissions.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KeyboardFocusableScrollersEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KioskBrowserPermissionsAllowedForOrigins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KioskCRXManifestUpdateURLIgnored.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosAvailability.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosDataBackwardMigrationMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosSecondaryProfilesAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosSelection.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensCameraAssistedSearchEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensDesktopNTPSearchEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensOnGalleryEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensOverlaySettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensRegionSearchEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ListenToThisPageEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LoadCryptoTokenExtension.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LocalDiscoveryEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LockIconInAddressBarEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LockScreenAutoStartOnlineReauth.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LockScreenMediaPlaybackEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LoginDisplayPasswordButtonEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LookalikeWarningAllowlistDomains.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MachineLevelUserCloudPolicyEnrollmentToken.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedAccountsSigninRestriction.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedBookmarks.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedConfigurationPerOrigin.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedGuestSessionAutoLaunchNotificationReduced.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedGuestSessionPrivacyWarningsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MaxConnectionsPerProxy.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MaxInvalidationFetchDelay.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MediaCacheSize.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MediaRecommendationsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MemorySaverModeSavings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MetricsReportingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MixedContentAutoupgradeEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MutationEventsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPCardsVisible.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPContentSuggestionsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPCustomBackgroundEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPMiddleSlotAnnouncementVisible.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeClientForceAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeHostsExecutablesLaunchDirectly.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeMessagingBlacklist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeMessagingWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativePrintersBulkBlacklist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativePrintersBulkWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeWindowOcclusionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NearbyShareAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NetworkPredictionOptions.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NetworkServiceSandboxEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NewBaseUrlInheritanceBehaviorAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NoteTakingAppsLockScreenAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NoteTakingAppsLockScreenWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OffsetParentNewSpecBehaviorEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnBulkDataEntryEnterpriseConnector.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnFileAttachedEnterpriseConnector.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnFileDownloadedEnterpriseConnector.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnFileTransferEnterpriseConnector.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnPrintEnterpriseConnector.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnSecurityEventEnterpriseConnector.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OpenNetworkConfiguration.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OptimizationGuideFetchingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OrcaEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OriginAgentClusterDefaultEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OsColorMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OverrideSecurityRestrictionsOnInsecureOrigin.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PPAPISharedImagesForVideoDecoderAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PPAPISharedImagesSwapChainAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PacHttpsUrlStrippingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PageUpAndPageDownKeysModifier.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ParcelTrackingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PaymentMethodQueryEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PdfAnnotationsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PdfUseSkiaRendererEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PdfViewerOutOfProcessIframeEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PerAppTimeLimitsWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PersistentQuotaEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubCameraRollAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubNotificationsAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubTaskContinuationAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhysicalKeyboardAutocorrect.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhysicalKeyboardPredictiveWriting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PinnedLauncherApps.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyAtomicGroupsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyDictionaryMultipleSourceMergeList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyListMultipleSourceMergeList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyRefreshRate.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyScopeDetection.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyTestPageEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PostQuantumKeyAgreementEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PreconfiguredDeskTemplates.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrefixedStorageInfoEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrefixedVideoFullscreenApiAvailability.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrimaryMouseButtonSwitch.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrintingAPIExtensionsWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProfileLabel.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProfilePickerOnStartupAvailability.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProfileReauthPrompt.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromotionalTabsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromotionsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromptForDownloadLocation.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromptOnMultipleMatchingCertificates.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProvisionManagedClientCertificateForUser.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProxySettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QRCodeGeneratorEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QuicAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QuickOfficeForceFileDownloadEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QuickUnlockModeWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RC4Enabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RSAKeyUsageForLocalAnchorsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchHeadsUpPeriod.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchNotification.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchNotificationPeriod.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchWindow.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RemoteDebuggingAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RendererAppContainerEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RendererCodeIntegrityEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ReportCrostiniUsageEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RequireOnlineRevocationChecksForLocalAnchors.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RestrictAccountsToPatterns.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RestrictSigninToPattern.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RestrictedManagedGuestSessionExtensionCleanupExemptList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RoamingProfileLocation.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RoamingProfileSupportEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RunAllFlashInAllowMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLErrorOverrideAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLErrorOverrideAllowedForOrigins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLVersionFallbackMin.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLVersionMax.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLVersionMin.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeBrowsingExtendedReportingOptInAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeBrowsingForTrustedSourcesEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeBrowsingWhitelistDomains.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeSitesFilterBehavior.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SamlLockScreenOfflineSigninTimeLimitDays.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SandboxExternalProtocolBlocked.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SavingBrowserHistoryDisabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SchedulerConfiguration.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ScreenCaptureLocation.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ScreenCaptureWithoutGestureAllowedForOrigins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ScrollToTextFragmentEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SearchSuggestEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecondaryGoogleAccountSigninAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecondaryGoogleAccountUsage.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecurityKeyPermitAttestation.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecurityTokenSessionBehavior.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecurityTokenSessionNotificationSeconds.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SendMouseEventsDisabledFormControlsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SessionLengthLimit.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SessionLocales.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SetTimeoutWithout1MsClampEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SharedArrayBufferUnrestrictedAccessAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SharedClipboardEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShelfAlignment.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShelfAutoHideBehavior.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShoppingListEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShortcutCustomizationAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowAiIntroScreenEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowAppsShortcutInBookmarkBar.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowDisplaySizeScreenEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowFullUrlsInAddressBar.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowGeminiIntroScreenEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowHumanPresenceSensorScreenEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowLogoutButtonInTray.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowTouchpadScrollScreenEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SideSearchEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SignedHTTPExchangeEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SigninAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SigninInterceptionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SitePerProcess.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SitePerProcessAndroid.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SiteSearchSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SmartLockSigninAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SmsMessagesAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellCheckServiceEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckLanguage.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckLanguageBlacklist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckLanguageBlocklist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StandardizedBrowserZoomEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StartupBrowserWindowLaunchSuppressed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StrictMimetypeCheckForWorkerScriptsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StricterMixedContentTreatmentEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SubAppsAPIsAllowedWithoutGestureAndAuthorizationForOrigins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuggestLogoutAfterClosingLastWindow.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuggestedContentEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuppressChromeFrameTurndownPrompt.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuppressDifferentOriginSubframeDialogs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuppressUnsupportedOSWarning.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncTypesListDisabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemFeaturesDisableList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemFeaturesDisableMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemProxySettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemShortcutBehavior.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TLS13HardeningForLocalAnchorsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TPMFirmwareUpdateSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TabDiscardingExceptions.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TabFreezingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TabUnderAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TargetBlankImpliesNoOpener.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TaskManagerEndProcessEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TermsOfServiceURL.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ThirdPartyBlockingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ThrottleNonVisibleCrossOriginIframesAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ToolbarAvatarLabelSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TosDialogBehavior.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TotalMemoryLimitMb.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TouchVirtualKeyboardEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TranslateEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TrashEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TripleDESEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/U2fSecurityKeyApiEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLBlacklist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLBlocklist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnifiedDesktopEnabledByDefault.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnmanagedDeviceSignalsConsentFlowEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnsafelyTreatInsecureOriginAsSecure.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnthrottledNestedTimeoutEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UrlKeyedAnonymizedDataCollectionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UrlKeyedMetricsAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UrlParamFilterEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UsbDetachableAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UsbDetachableWhitelist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UsbDetectorNotificationEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UseLegacyFormControls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UseMojoVideoDecoderForPepperAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAgentClientHintsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAgentClientHintsGREASEUpdateEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAgentReduction.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAvatarCustomizationSelectorsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAvatarImage.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserContextAwareAccessSignalsAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserDataDir.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserDataSnapshotRetentionLimit.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserDisplayName.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserFeedbackAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserFeedbackWithLowLevelDebugDataAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VariationsRestrictParameter.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VideoCaptureAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VideoCaptureAllowedUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VirtualKeyboardResizesLayoutByDefault.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VirtualKeyboardSmartVisibilityEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VmManagementCliAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VpnConfigAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WPADQuickCheckEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WallpaperGooglePhotosIntegrationEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WallpaperImage.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WarnBeforeQuittingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAnnotations.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAppInstallForceList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAppSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAuthenticationRemoteProxiedRequestsAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAuthnFactors.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebComponentsV0Enabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebDriverOverridesIncompatiblePolicies.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcAllowLegacyTLSProtocols.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcEventLogCollectionAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcIPHandling.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcLocalIpsAllowedUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcTextLogCollectionAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcUdpPortRange.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebSQLAccess.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebSQLInThirdPartyContextEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebSQLNonSecureContextEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebXRImmersiveArEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WelcomePageOnOSUpgradeEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WifiSyncAndroidAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WindowOcclusionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/NativeMessagingAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/NativeMessagingBlocklist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/NativeMessagingUserLevelHosts.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/AccessControlAllowMethodsInCORSPreflightSpecConformant.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/BlockTruncatedCookies.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/CompressionDictionaryTransportEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DataURLWhitespacePreservationEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceDataRoamingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceDockMacAddressSource.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceHostnameTemplate.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceHostnameUserConfigurable.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceOpenNetworkConfiguration.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceWiFiAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceWiFiFastTransitionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsExcludedDomains.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsIncludedDomains.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsSalt.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsTemplatesWithIdentifiers.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/IPv6ReachabilityOverrideEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/NetworkThrottlingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/OutOfProcessSystemDnsResolutionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/ZstdContentEncodingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NTLMShareAuthenticationEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NetBiosShareDiscoveryEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NetworkFileSharesAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NetworkFileSharesPreconfiguredShares.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/EduCoexistenceToSVersion.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/ParentAccessCodeConfig.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/PerAppTimeLimits.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/PerAppTimeLimitsAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/UsageTimeLimit.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/DeletingUndecryptablePasswordsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordDismissCompromisedAlertEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordLeakDetectionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordManagerAllowShowPasswords.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordManagerEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordSharingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/ThirdPartyPasswordManagersAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmDataCollectionAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmImage.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmLicenseKey.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmRequiredFreeDiskSpace.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmUserId.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/UserPluginVmAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/DeviceLoginScreenPowerManagement.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/DeviceRebootOnShutdown.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/UptimeLimit.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/AllowScreenWakeLocks.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/AllowWakeLocks.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceAdvancedBatteryChargeModeDayConfig.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceAdvancedBatteryChargeModeEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBatteryChargeCustomStartCharging.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBatteryChargeCustomStopCharging.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBatteryChargeMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBootOnAcEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceChargingSoundsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceLowBatterySoundEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerAdaptiveChargingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerPeakShiftBatteryThreshold.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerPeakShiftDayConfig.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerPeakShiftEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceUsbPowerShareEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleAction.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleActionAC.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleActionBattery.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleDelayAC.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleDelayBattery.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleWarningDelayAC.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleWarningDelayBattery.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/LidCloseAction.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerManagementIdleSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerManagementUsesAudioActivity.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerManagementUsesVideoActivity.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerSmartDimEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PresentationIdleDelayScale.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PresentationScreenDimDelayScale.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenBrightnessPercent.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenDimDelayAC.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenDimDelayBattery.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenLockDelayAC.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenLockDelayBattery.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenLockDelays.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenOffDelayAC.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenOffDelayBattery.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/UserActivityScreenDimDelayScale.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/WaitForInitialUserActivity.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/CloudPrintProxyEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/CloudPrintSubmitEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/CloudPrintWarningsSuppressed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DefaultPrinterSelection.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeletePrintJobHistoryAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceExternalPrintServers.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceExternalPrintServersAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceNativePrinters.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceNativePrintersAccessMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrinters.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintersAccessMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintersAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintersBlocklist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintingClientNameTemplate.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DisablePrintPreview.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/ExternalPrintServers.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/ExternalPrintServersAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/NativePrinters.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/NativePrintersBulkAccessMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/NativePrintersBulkConfiguration.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/OopPrintDriversAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintHeaderFooter.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintJobHistoryExpirationPeriod.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPdfAsImageAvailability.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPdfAsImageDefault.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPostScriptMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPreviewUseSystemDefaultPrinter.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintRasterizationMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintRasterizePdfDpi.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrinterTypeDenyList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/Printers.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkAccessMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkBlocklist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkConfiguration.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAPIExtensionsAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedBackgroundGraphicsModes.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedColorModes.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedDuplexModes.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedPinModes.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingBackgroundGraphicsDefault.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingColorDefault.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingDuplexDefault.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingLPACSandboxEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingMaxSheetsAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingPaperSizeDefault.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingPinDefault.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingSendUsernameAndFilenameEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/UserNativePrintersAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/UserPrintersAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxAdMeasurementEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxAdTopicsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxFingerprintingProtectionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxIpProtectionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxPromptEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxSiteEnabledAdsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacyScreen/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacyScreen/DeviceLoginScreenPrivacyScreenEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacyScreen/PrivacyScreenEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/InsecurePrivateNetworkRequestsAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/InsecurePrivateNetworkRequestsAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/PrivateNetworkAccessRestrictionsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Projector/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Projector/ProjectorDogfoodForFamilyLinkEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Projector/ProjectorEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyBypassList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyPacUrl.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyServer.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyServerMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersDefinitionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersTranslationEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersUnitConversionEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockAutosubmitEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockMaximumLength.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockMinimumLength.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockWeakPinsAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/QuickUnlockModeAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/QuickUnlockTimeout.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RelatedWebsiteSets/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RelatedWebsiteSets/RelatedWebsiteSetsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RelatedWebsiteSets/RelatedWebsiteSetsOverrides.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessClientFirewallTraversal.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowClientPairing.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowEnterpriseFileTransfer.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowEnterpriseRemoteSupportConnections.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowFileTransfer.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowGnubbyAuth.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowPinAuthentication.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowRelayedConnection.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowRemoteAccessConnections.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowRemoteSupportConnections.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowUiAccessForRemoteAssistance.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowUrlForwarding.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostClientDomain.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostClientDomainList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostClipboardSizeBytes.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostDebugOverridePolicies.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostDomain.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostDomainList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostEnableUserInterface.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostFirewallTraversal.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostMatchUsername.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostMaximumSessionDurationMinutes.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostRequireCurtain.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostRequireTwoFactor.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTalkGadgetPrefix.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTokenUrl.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTokenValidationCertificateIssuer.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTokenValidationUrl.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostUdpPortRange.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/LockScreenReauthenticationEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/SAMLOfflineSigninTimeLimit.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/SamlInSessionPasswordChangeEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/SamlPasswordExpirationAdvanceWarningDays.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/DisableSafeBrowsingProceedAnyway.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/PasswordProtectionChangePasswordURL.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/PasswordProtectionLoginURLs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/PasswordProtectionWarningTrigger.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingAllowlistDomains.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingDeepScanningEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingExtendedReportingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingProtectionLevel.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingProxiedRealTimeChecksAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingSurveysEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/MultiScreenCaptureAllowedForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/SameOriginTabCaptureAllowedByOrigins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/ScreenCaptureAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/ScreenCaptureAllowedByOrigins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/TabCaptureAllowedByOrigins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/WindowCaptureAllowedByOrigins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenIdleTimeoutSeconds.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenImageDisplayIntervalSeconds.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenImages.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenIdleTimeoutSeconds.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenImageDisplayIntervalSeconds.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenImages.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/BoundSessionCredentialsEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceAllowNewUsers.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceAuthenticationFlowAutoReloadInterval.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceAutofillSAMLUsername.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceEphemeralUsersEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceFamilyLinkAccountsAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceGuestModeEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenAutoSelectCertificateForUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenDomainAutoComplete.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenExtensions.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenInputMethods.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenIsolateOrigins.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenLocales.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenPromptOnMultipleMatchingCertificates.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenSitePerProcess.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenSystemInfoEnforced.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceRunAutomaticCleanupOnLogin.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceSecondFactorAuthentication.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceShowNumericKeyboardForPassword.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceShowUserNamesOnSignin.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceStartUpFlags.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceTransferSAMLCookies.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceUserAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceWallpaperImage.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ExtensibleEnterpriseSSOEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/LoginAuthenticationBehavior.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/LoginVideoCaptureAllowedUrls.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ProfileSeparationDataMigrationSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ProfileSeparationDomainExceptionList.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ProfileSeparationSettings.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/RecoveryFactorBehavior.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/LocalUserFilesAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/LocalUserFilesMigrationDestination.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/HomepageIsNewTabPage.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/HomepageLocation.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/NewTabPageLocation.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/RestoreOnStartup.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/RestoreOnStartupURLs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/ShowHomeButton.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceActivityHeartbeatCollectionRateMs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceActivityHeartbeatEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceExtensionsSystemLogEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceFlexHwDataForProductImprovementEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceMetricsReportingEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportNetworkEvents.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportRuntimeCounters.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportRuntimeCountersCheckingRateMs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportXDREvents.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/EnableDeviceGranularReporting.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/HeartbeatEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/HeartbeatFrequency.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/LogUploadEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportAppInventory.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportAppUsage.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportAppUsageCollectionRateMs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportArcStatusEnabled.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportCRDSessions.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceActivityTimes.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceAppInfo.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceAudioStatus.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceAudioStatusCheckingRateMs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBacklightInfo.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBluetoothInfo.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBoardStatus.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBootMode.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceCpuInfo.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceCrashReportInfo.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceFanInfo.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceGraphicsStatus.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceHardwareStatus.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceLocation.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceLoginLogout.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceMemoryInfo.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkConfiguration.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkInterfaces.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkStatus.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkTelemetryCollectionRateMs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkTelemetryEventCheckingRateMs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceOsUpdateStatus.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDevicePeripherals.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDevicePowerStatus.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDevicePrintJobs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSecurityStatus.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSessionStatus.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSignalStrengthEventDrivenTelemetry.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceStorageStatus.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSystemInfo.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceTimezoneInfo.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceUsers.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceVersionInfo.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceVpdInfo.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportUploadFrequency.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteActivityAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteTelemetry.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteTelemetryAllowlist.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteTelemetryCollectionRateMs.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/policy_atomic_groups.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/WilcoDtc/.group.details.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/WilcoDtc/DeviceWilcoDtcAllowed.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/policy_definitions/WilcoDtc/DeviceWilcoDtcConfiguration.yaml
create mode 100755 tools/under-control/src/components/policy/resources/templates/risk_tag_definitions.yaml
diff --git a/tools/under-control/src/RELEASE b/tools/under-control/src/RELEASE
index b2b1f917f..71a6a30ee 100644
--- a/tools/under-control/src/RELEASE
+++ b/tools/under-control/src/RELEASE
@@ -1 +1 @@
-130.0.6723.67
+130.0.6723.73
diff --git a/tools/under-control/src/components/policy/resources/templates/common_schemas.yaml b/tools/under-control/src/components/policy/resources/templates/common_schemas.yaml
new file mode 100755
index 000000000..f55183114
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/common_schemas.yaml
@@ -0,0 +1,382 @@
+BookmarkType:
+ properties:
+ children:
+ items:
+ $ref: BookmarkType
+ type: array
+ name:
+ type: string
+ toplevel_name:
+ type: string
+ url:
+ type: string
+ type: object
+CertPrincipalFields:
+ properties:
+ CN:
+ type: string
+ L:
+ type: string
+ O:
+ type: string
+ OU:
+ type: string
+ type: object
+Config:
+ description: Configuration used to generate and verify Parent Access Code.
+ properties:
+ access_code_ttl:
+ description: Time that access code is valid for (in seconds).
+ maximum: 3600
+ minimum: 60
+ type: integer
+ clock_drift_tolerance:
+ description: The allowed difference between the clock on child and parent devices
+ (in seconds).
+ maximum: 1800
+ minimum: 0
+ type: integer
+ shared_secret:
+ description: Secret shared between child and parent devices.
+ type: string
+ type: object
+DataControlsCondition:
+ properties:
+ and:
+ items:
+ $ref: DataControlsCondition
+ type: array
+ destinations:
+ properties:
+ incognito:
+ type: boolean
+ os_clipboard:
+ type: boolean
+ other_profile:
+ type: boolean
+ urls:
+ items:
+ type: string
+ type: array
+ type: object
+ not:
+ $ref: DataControlsCondition
+ or:
+ items:
+ $ref: DataControlsCondition
+ type: array
+ sources:
+ properties:
+ incognito:
+ type: boolean
+ os_clipboard:
+ type: boolean
+ other_profile:
+ type: boolean
+ urls:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+DayPercentagePair:
+ description: Contains the number of days and the percentage of the fleet that should
+ be updated after those days have passed.
+ properties:
+ days:
+ description: Days from update discovery.
+ maximum: 28
+ minimum: 1
+ type: integer
+ percentage:
+ description: Percentage of the fleet that should be updated after the given
+ days.
+ maximum: 100
+ minimum: 0
+ type: integer
+ type: object
+DeviceLoginScreenPowerSettings:
+ description: Power management settings applicable only when running on AC power
+ properties:
+ Delays:
+ properties:
+ Idle:
+ description: The length of time without user input after which the idle
+ action is taken, in milliseconds
+ minimum: 0
+ type: integer
+ ScreenDim:
+ description: The length of time without user input after which the screen
+ is dimmed, in milliseconds
+ minimum: 0
+ type: integer
+ ScreenOff:
+ description: The length of time without user input after which the screen
+ is turned off, in milliseconds
+ minimum: 0
+ type: integer
+ type: object
+ IdleAction:
+ description: Action to take when the idle delay is reached
+ enum:
+ - Suspend
+ - Shutdown
+ - DoNothing
+ type: string
+ type: object
+DisallowedTimeInterval:
+ description: Start time of the interval, inclusive.
+ properties:
+ day_of_week:
+ description: Day of the week for the interval.
+ enum:
+ - Monday
+ - Tuesday
+ - Wednesday
+ - Thursday
+ - Friday
+ - Saturday
+ - Sunday
+ type: string
+ hours:
+ description: Hours elapsed since the start of the day in (24 hour format).
+ maximum: 23
+ minimum: 0
+ type: integer
+ minutes:
+ description: Minutes elapsed in the current hour.
+ maximum: 59
+ minimum: 0
+ type: integer
+ required:
+ - day_of_week
+ - minutes
+ - hours
+ type: object
+DomainFiletypePair:
+ properties:
+ domains:
+ items:
+ type: string
+ type: array
+ file_extension:
+ type: string
+ type: object
+ExtensionAllowedTypes:
+ items:
+ enum:
+ - extension
+ - theme
+ - user_script
+ - hosted_app
+ - legacy_packaged_app
+ - platform_app
+ type: string
+ type: array
+ExtensionInstallSources:
+ items:
+ type: string
+ type: array
+ListOfPermissions:
+ items:
+ pattern: ^[a-z][a-zA-Z0-9.]*$
+ type: string
+ type: array
+ListOfUrlPatterns:
+ items:
+ type: string
+ type: array
+PowerManagementDelays:
+ description: Delays and actions to take when the device is idle and running on AC
+ power
+ properties:
+ Delays:
+ properties:
+ Idle:
+ description: The length of time without user input after which the idle
+ action is taken, in milliseconds
+ minimum: 0
+ type: integer
+ IdleWarning:
+ description: The length of time without user input after which a warning
+ dialog is shown, in milliseconds
+ minimum: 0
+ type: integer
+ ScreenDim:
+ description: The length of time without user input after which the screen
+ is dimmed, in milliseconds
+ minimum: 0
+ type: integer
+ ScreenOff:
+ description: The length of time without user input after which the screen
+ is turned off, in milliseconds
+ minimum: 0
+ type: integer
+ type: object
+ IdleAction:
+ description: Action to take when the idle delay is reached
+ enum:
+ - Suspend
+ - Logout
+ - Shutdown
+ - DoNothing
+ type: string
+ type: object
+ProxyServerMode:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ type: integer
+QuickUnlockModeAllowlist:
+ items:
+ enum:
+ - all
+ - PIN
+ - FINGERPRINT
+ type: string
+ type: array
+QuickUnlockModeWhitelist:
+ items:
+ enum:
+ - all
+ - PIN
+ - FINGERPRINT
+ type: string
+ type: array
+Time:
+ description: Time interpreted in local wall-clock 24h format.
+ properties:
+ hour:
+ maximum: 23
+ minimum: 0
+ type: integer
+ minute:
+ maximum: 59
+ minimum: 0
+ type: integer
+ required:
+ - hour
+ - minute
+ type: object
+TimeUsageLimitEntry:
+ properties:
+ last_updated_millis:
+ type: string
+ usage_quota_mins:
+ minimum: 0
+ type: integer
+ type: object
+UsbDeviceId:
+ properties:
+ product_id:
+ type: integer
+ vendor_id:
+ type: integer
+ type: object
+UsbDeviceIdInclusive:
+ properties:
+ product_id:
+ type: integer
+ vendor_id:
+ type: integer
+ type: object
+WebAuthnFactors:
+ items:
+ enum:
+ - all
+ - PIN
+ - FINGERPRINT
+ type: string
+ type: array
+WeekDay:
+ enum:
+ - MONDAY
+ - TUESDAY
+ - WEDNESDAY
+ - THURSDAY
+ - FRIDAY
+ - SATURDAY
+ - SUNDAY
+ type: string
+WeeklyTime:
+ description: Use WeeklyTimeChecked in new code.
+ properties:
+ day_of_week:
+ $ref: WeekDay
+ time:
+ description: Milliseconds since midnight.
+ type: integer
+ type: object
+WeeklyTimeIntervals:
+ description: Use WeeklyTimeIntervalChecked in new code.
+ properties:
+ end:
+ $ref: WeeklyTime
+ start:
+ $ref: WeeklyTime
+ type: object
+WeeklyTimeChecked:
+ properties:
+ day_of_week:
+ $ref: WeekDay
+ milliseconds_since_midnight:
+ minimum: 0
+ maximum: 86399999
+ type: integer
+ required:
+ - day_of_week
+ - milliseconds_since_midnight
+ type: object
+WeeklyTimeIntervalChecked:
+ properties:
+ start:
+ $ref: WeeklyTimeChecked
+ end:
+ $ref: WeeklyTimeChecked
+ required:
+ - start
+ - end
+ type: object
+file_transfer_enable_disable_schema:
+ items:
+ properties:
+ source_destination_list:
+ items:
+ properties:
+ destinations:
+ $ref: file_transfer_source_destination_schema
+ sources:
+ $ref: file_transfer_source_destination_schema
+ type: object
+ type: array
+ tags:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+file_transfer_source_destination_schema:
+ items:
+ properties:
+ file_system_type:
+ enum:
+ - UNKNOWN
+ - ANY
+ - '*'
+ - MY_FILES
+ - REMOVABLE
+ - DEVICE_MEDIA_STORAGE
+ - PROVIDED
+ - ARC
+ - GOOGLE_DRIVE
+ - SMB
+ - CROSTINI
+ - PLUGIN_VM
+ - BOREALIS
+ - BRUSCHETTA
+ - UNKNOWN_VM
+ type: string
+ type: object
+ type: array
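Review bot: `Config` (the Parent Access Code schema) declares no `required:` list, so an object that omits `shared_secret` still validates, as does one with an empty string, because the field is an unconstrained `type: string`. Nothing in this file shows whether the consumer rejects such a value. `Time`, `WeeklyTimeChecked` and `DisallowedTimeInterval` already declare `required:`; the same list naming `access_code_ttl`, `clock_drift_tolerance` and `shared_secret` would make this schema fail closed. Two smaller points in the same file: `DisallowedTimeInterval` carries the description `Start time of the interval, inclusive.`, which describes one use of the type rather than the type itself, and `UsbDeviceId`/`UsbDeviceIdInclusive` leave `vendor_id` and `product_id` unbounded where `minimum: 0` and `maximum: 65535` would match 16-bit USB identifiers. Since the secret is carried as a plain policy string, policy exports that include this object should be handled as sensitive.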
diff --git a/tools/under-control/src/components/policy/resources/templates/legacy_device_policy_proto_map.yaml b/tools/under-control/src/components/policy/resources/templates/legacy_device_policy_proto_map.yaml
new file mode 100755
index 000000000..bd01d8268
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/legacy_device_policy_proto_map.yaml
@@ -0,0 +1,58 @@
+# Legacy device policies that don't have a 1:1 mapping between template and
+# chrome_device_policy.proto or where the types don't map the same way as for
+# user policy, so that code is not (easily) generatable. Do not add new device
+# policies here, make sure the proto is set up the same way as the (generated)
+# user policy proto.
+# Add deprecated policies here, though, if the proto field got deleted.
+
+
+# Add removed policies mapping here.
+? ''
+:
+# Proto fields with unknown policy.
+ - device_reporting.report_running_kiosk_app
+ - camera_enabled.camera_enabled
+ # Not an actual policy.
+ - auto_update_settings.target_version_display_name
+
+# Deprecated device policies where the proto field got deleted.
+DeviceAppPack:
+- ''
+DeviceIdleLogoutTimeout:
+- ''
+DeviceIdleLogoutWarningDuration:
+- ''
+DeviceLoginScreenSaverId:
+- ''
+DeviceLoginScreenSaverTimeout:
+- ''
+DeviceStartUpFlags:
+- ''
+DeviceStartUpUrls:
+- ''
+
+# DeviceOffHours is one-to-many and uses a strongly typed proto.
+DeviceOffHours:
+- device_off_hours.intervals
+- device_off_hours.timezone
+- device_off_hours.ignored_policy_proto_tags
+# DeviceUpdateAllowedConnectionTypes is not generatable since the proto uses
+# enums, whereas the schema uses strings.
+DeviceUpdateAllowedConnectionTypes:
+- auto_update_settings.allowed_connection_types
+# NetworkThrottlingEnabled is one-to-many and uses a strongly typed proto.
+NetworkThrottlingEnabled:
+- network_throttling.enabled
+- network_throttling.upload_rate_kbits
+- network_throttling.download_rate_kbits
+# TPMFirmwareUpdateSettings is one-to-many and uses a strongly typed proto.
+TPMFirmwareUpdateSettings:
+- tpm_firmware_update_settings.auto_update_mode
+- tpm_firmware_update_settings.allow_user_initiated_powerwash
+- tpm_firmware_update_settings.allow_user_initiated_preserve_device_state
+# UsbDetachableAllowlist is a strongly typed proto.
+UsbDetachableAllowlist:
+- usb_detachable_allowlist.id
+# UsbDetachableWhitelist is a strongly typed proto.
+UsbDetachableWhitelist:
+- usb_detachable_whitelist.id
diff --git a/tools/under-control/src/components/policy/resources/templates/manual_device_policy_proto_map.yaml b/tools/under-control/src/components/policy/resources/templates/manual_device_policy_proto_map.yaml
new file mode 100755
index 000000000..132ef859e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/manual_device_policy_proto_map.yaml
@@ -0,0 +1,228 @@
+# Mapping between device policies and fields in chrome_device_policy.proto.
+AllowKioskAppControlChromeVersion: allow_kiosk_app_control_chrome_version.allow_kiosk_app_control_chrome_version
+AttestationEnabledForDevice: attestation_settings.attestation_enabled
+AttestationForContentProtectionEnabled: attestation_settings.content_protection_enabled
+AutoCleanUpStrategy: auto_clean_up_settings.clean_up_strategy
+CastReceiverName: cast_receiver_name.name
+ChromadToCloudMigrationEnabled: chromad_to_cloud_migration_enabled.value
+ChromeOsReleaseChannel: release_channel.release_channel
+ChromeOsReleaseChannelDelegated: release_channel.release_channel_delegated
+DeviceAdvancedBatteryChargeModeDayConfig: device_advanced_battery_charge_mode.day_configs
+DeviceAdvancedBatteryChargeModeEnabled: device_advanced_battery_charge_mode.enabled
+DeviceAllowBluetooth: allow_bluetooth.allow_bluetooth
+DeviceAllowMGSToStoreDisplayProperties: device_allow_mgs_to_store_display_properties.value
+DeviceAllowNewUsers: allow_new_users.allow_new_users
+DeviceAllowRedeemChromeOsRegistrationOffers: allow_redeem_offers.allow_redeem_offers
+DeviceAllowedBluetoothServices: device_allowed_bluetooth_services.allowlist
+DeviceArcDataSnapshotHours: arc_data_snapshot_hours.arc_data_snapshot_hours
+DeviceAuthDataCacheLifetime: device_auth_data_cache_lifetime.lifetime_hours
+DeviceAuthenticationURLAllowlist: device_authentication_url_allowlist.value
+DeviceAuthenticationURLBlocklist: device_authentication_url_blocklist.value
+DeviceAutoUpdateDisabled: auto_update_settings.update_disabled
+DeviceAutoUpdateP2PEnabled: auto_update_settings.p2p_enabled
+DeviceAutoUpdateTimeRestrictions: auto_update_settings.disallowed_time_intervals
+DeviceAutofillSAMLUsername: saml_username.url_parameter_to_autofill_saml_username
+DeviceBatteryChargeCustomStartCharging: device_battery_charge_mode.custom_charge_start
+DeviceBatteryChargeCustomStopCharging: device_battery_charge_mode.custom_charge_stop
+DeviceBatteryChargeMode: device_battery_charge_mode.battery_charge_mode
+DeviceBlockDevmode: system_settings.block_devmode
+DeviceBootOnAcEnabled: device_boot_on_ac.enabled
+DeviceBorealisAllowed: device_borealis_allowed.allowed
+DeviceChannelDowngradeBehavior: auto_update_settings.channel_downgrade_behavior
+DeviceChromeVariations: device_chrome_variations_type.value
+DeviceCrostiniArcAdbSideloadingAllowed: device_crostini_arc_adb_sideloading_allowed.mode
+DeviceDataRoamingEnabled: data_roaming_enabled.data_roaming_enabled
+DeviceDebugPacketCaptureAllowed: device_debug_packet_capture_allowed.allowed
+DeviceDisplayResolution: device_display_resolution.device_display_resolution
+DeviceDockMacAddressSource: device_dock_mac_address_source.source
+DeviceEcryptfsMigrationStrategy: device_ecryptfs_migration_strategy.migration_strategy
+DeviceEncryptedReportingPipelineEnabled: device_reporting.encrypted_reporting_pipeline_enabled
+DeviceEphemeralUsersEnabled: ephemeral_users_enabled.ephemeral_users_enabled
+DeviceEphemeralNetworkPoliciesEnabled: device_ephemeral_network_policies_enabled.value
+DeviceExtendedFkeysModifier: extended_fkeys_modifier.modifier
+DeviceExternalPrintServers: external_print_servers.external_policy
+DeviceExternalPrintServersAllowlist: external_print_servers_allowlist.allowlist
+DeviceFamilyLinkAccountsAllowed: family_link_accounts_allowed.family_link_accounts_allowed
+DeviceFlexHwDataForProductImprovementEnabled: device_flex_hw_data_for_product_improvement_enabled.enabled
+DeviceLoginScreenGeolocationAccessLevel: device_login_screen_geolocation_access_level.geolocation_access_level
+DeviceGpoCacheLifetime: device_gpo_cache_lifetime.lifetime_hours
+DeviceGuestModeEnabled: guest_mode_enabled.guest_mode_enabled
+DeviceHostnameTemplate: network_hostname.device_hostname_template
+DeviceHostnameUserConfigurable: hostname_user_configurable.device_hostname_user_configurable
+DeviceI18nShortcutsEnabled: device_i18n_shortcuts_enabled.enabled
+DeviceKerberosEncryptionTypes: device_kerberos_encryption_types.types
+DeviceKeyboardBacklightColor: keyboard_backlight_color.color
+DeviceKeylockerForStorageEncryptionEnabled: keylocker_for_storage_encryption_enabled.enabled
+DeviceLocalAccountAutoLoginBailoutEnabled: device_local_accounts.enable_auto_login_bailout
+DeviceLocalAccountAutoLoginDelay: device_local_accounts.auto_login_delay
+DeviceLocalAccountAutoLoginId: device_local_accounts.auto_login_id
+DeviceLocalAccountPromptForNetworkWhenOffline: device_local_accounts.prompt_for_network_when_offline
+DeviceLocalAccounts: device_local_accounts.account
+DeviceLoginScreenAccessibilityShortcutsEnabled: accessibility_settings.login_screen_shortcuts_enabled
+DeviceLoginScreenAutoSelectCertificateForUrls: device_login_screen_auto_select_certificate_for_urls.login_screen_auto_select_certificate_rules
+DeviceLoginScreenAutoclickEnabled: accessibility_settings.login_screen_autoclick_enabled
+DeviceLoginScreenCaretHighlightEnabled: accessibility_settings.login_screen_caret_highlight_enabled
+DeviceLoginScreenContextAwareAccessSignalsAllowlist: device_login_screen_context_aware_access_signals_allowlist.value
+DeviceLoginScreenCursorHighlightEnabled: accessibility_settings.login_screen_cursor_highlight_enabled
+DeviceLoginScreenDefaultHighContrastEnabled: accessibility_settings.login_screen_default_high_contrast_enabled
+DeviceLoginScreenDefaultLargeCursorEnabled: accessibility_settings.login_screen_default_large_cursor_enabled
+DeviceLoginScreenDefaultScreenMagnifierType: accessibility_settings.login_screen_default_screen_magnifier_type
+DeviceLoginScreenDefaultSpokenFeedbackEnabled: accessibility_settings.login_screen_default_spoken_feedback_enabled
+DeviceLoginScreenDefaultVirtualKeyboardEnabled: accessibility_settings.login_screen_default_virtual_keyboard_enabled
+DeviceLoginScreenDictationEnabled: accessibility_settings.login_screen_dictation_enabled
+DeviceLoginScreenDomainAutoComplete: login_screen_domain_auto_complete.login_screen_domain_auto_complete
+DeviceLoginScreenExtensions: device_login_screen_extensions.device_login_screen_extensions
+DeviceLoginScreenExtensionManifestV2Availability: login_screen_extension_manifest_v2_availability.login_screen_extension_manifest_v2_availability
+DeviceLoginScreenHighContrastEnabled: accessibility_settings.login_screen_high_contrast_enabled
+DeviceLoginScreenInputMethods: login_screen_input_methods.login_screen_input_methods
+DeviceLoginScreenIsolateOrigins: device_login_screen_isolate_origins.isolate_origins
+DeviceLoginScreenKeyboardFocusHighlightEnabled: accessibility_settings.login_screen_keyboard_focus_highlight_enabled
+DeviceLoginScreenLargeCursorEnabled: accessibility_settings.login_screen_large_cursor_enabled
+DeviceLoginScreenLocales: login_screen_locales.login_screen_locales
+DeviceLoginScreenMonoAudioEnabled: accessibility_settings.login_screen_mono_audio_enabled
+DeviceLoginScreenPowerManagement: login_screen_power_management.login_screen_power_management
+DeviceLoginScreenPrimaryMouseButtonSwitch: login_screen_primary_mouse_button_switch.value
+DeviceLoginScreenPrivacyScreenEnabled: device_login_screen_privacy_screen_enabled.enabled
+DeviceLoginScreenPromptOnMultipleMatchingCertificates: login_screen_prompt_on_multiple_matching_certificates.value
+DeviceLoginScreenScreenMagnifierType: accessibility_settings.login_screen_screen_magnifier_type
+DeviceLoginScreenSelectToSpeakEnabled: accessibility_settings.login_screen_select_to_speak_enabled
+DeviceLoginScreenShowOptionsInSystemTrayMenu: accessibility_settings.login_screen_show_options_in_system_tray_menu_enabled
+DeviceLoginScreenSitePerProcess: device_login_screen_site_per_process.site_per_process
+DeviceLoginScreenSpokenFeedbackEnabled: accessibility_settings.login_screen_spoken_feedback_enabled
+DeviceLoginScreenStickyKeysEnabled: accessibility_settings.login_screen_sticky_keys_enabled
+DeviceLoginScreenSystemInfoEnforced: device_login_screen_system_info_enforced.value
+DeviceLoginScreenTouchVirtualKeyboardEnabled: DeviceLoginScreenTouchVirtualKeyboardEnabled.value
+DeviceLoginScreenVirtualKeyboardEnabled: accessibility_settings.login_screen_virtual_keyboard_enabled
+DeviceLoginScreenWebUILazyLoading: login_web_ui_lazy_loading.enabled
+DeviceLoginScreenWebHidAllowDevicesForUrls: device_login_screen_webhid_allow_devices_for_urls.value
+DeviceLoginScreenWebUsbAllowDevicesForUrls: device_login_screen_webusb_allow_devices_for_urls.device_login_screen_webusb_allow_devices_for_urls
+DeviceMachinePasswordChangeRate: device_machine_password_change_rate.rate_days
+DeviceMetricsReportingEnabled: metrics_enabled.metrics_enabled
+DeviceMinimumVersion: device_minimum_version.value
+DeviceMinimumVersionAueMessage: device_minimum_version_aue_message.value
+DeviceNativePrinters: native_device_printers.external_policy
+DeviceNativePrintersAccessMode: native_device_printers_access_mode.access_mode
+DeviceNativePrintersBlacklist: native_device_printers_blacklist.blacklist # nocheck
+DeviceNativePrintersWhitelist: native_device_printers_whitelist.whitelist # nocheck
+DeviceOpenNetworkConfiguration: open_network_configuration.open_network_configuration
+DevicePciPeripheralDataAccessEnabled: device_pci_peripheral_data_access_enabled_v2.enabled
+DevicePolicyRefreshRate: device_policy_refresh_rate.device_policy_refresh_rate
+DevicePowerPeakShiftBatteryThreshold: device_power_peak_shift.battery_threshold
+DevicePowerPeakShiftDayConfig: device_power_peak_shift.day_configs
+DevicePowerPeakShiftEnabled: device_power_peak_shift.enabled
+DevicePowerwashAllowed: device_powerwash_allowed.device_powerwash_allowed
+DevicePrinters: device_printers.external_policy
+DevicePrintersAccessMode: device_printers_access_mode.access_mode
+DevicePrintersAllowlist: device_printers_allowlist.allowlist
+DevicePrintersBlocklist: device_printers_blocklist.blocklist
+DevicePrintingClientNameTemplate: device_printing_client_name_template.value
+DeviceQuickFixBuildToken: auto_update_settings.device_quick_fix_build_token
+DeviceQuirksDownloadEnabled: quirks_download_enabled.quirks_download_enabled
+DeviceRebootOnShutdown: reboot_on_shutdown.reboot_on_shutdown
+DeviceRebootOnUserSignout: device_reboot_on_user_signout.reboot_on_signout_mode
+DeviceReleaseLtsTag: release_channel.release_lts_tag
+DeviceReportXDREvents: device_report_xdr_events.enabled
+DeviceRestrictedManagedGuestSessionEnabled: device_restricted_managed_guest_session_enabled.enabled
+DeviceRollbackAllowedMilestones: auto_update_settings.rollback_allowed_milestones
+DeviceRollbackToTargetVersion: auto_update_settings.rollback_to_target_version
+DeviceRunAutomaticCleanupOnLogin: device_run_automatic_cleanup_on_login.value
+DeviceScheduledReboot: device_scheduled_reboot.device_scheduled_reboot_settings
+DeviceScheduledUpdateCheck: device_scheduled_update_check.device_scheduled_update_check_settings
+DeviceSecondFactorAuthentication: device_second_factor_authentication.mode
+DeviceShowLowDiskSpaceNotification: device_show_low_disk_space_notification.device_show_low_disk_space_notification
+DeviceShowNumericKeyboardForPassword: device_show_numeric_keyboard_for_password.value
+DeviceShowUserNamesOnSignin: show_user_names.show_user_names
+DeviceSwitchFunctionKeysBehaviorEnabled: device_switch_function_keys_behavior_enabled.enabled
+DeviceSystemWideTracingEnabled: device_system_wide_tracing_enabled.enabled
+DeviceTargetVersionPrefix: auto_update_settings.target_version_prefix
+DeviceTargetVersionSelector: auto_update_settings.target_version_selector
+DeviceTransferSAMLCookies: saml_settings.transfer_saml_cookies
+DeviceUnaffiliatedCrostiniAllowed: device_unaffiliated_crostini_allowed.device_unaffiliated_crostini_allowed
+DeviceUpdateHttpDownloadsEnabled: auto_update_settings.http_downloads_enabled
+DeviceUpdateScatterFactor: auto_update_settings.scatter_factor_in_seconds
+DeviceUpdateStagingSchedule: auto_update_settings.staging_schedule
+DeviceUsbPowerShareEnabled: device_usb_power_share.enabled
+DeviceUserAllowlist: user_allowlist.user_allowlist
+DeviceUserPolicyLoopbackProcessingMode: device_user_policy_loopback_processing_mode.mode
+DeviceUserWhitelist: user_whitelist.user_whitelist
+DeviceVariationsRestrictParameter: variations_parameter.parameter
+DeviceWallpaperImage: device_wallpaper_image.device_wallpaper_image
+DeviceWebBasedAttestationAllowedUrls: device_web_based_attestation_allowed_urls.value
+DeviceWiFiAllowed: device_wifi_allowed.device_wifi_allowed
+DeviceWiFiFastTransitionEnabled: device_wifi_fast_transition_enabled.device_wifi_fast_transition_enabled
+DeviceWilcoDtcAllowed: device_wilco_dtc_allowed.device_wilco_dtc_allowed
+DeviceWilcoDtcConfiguration: device_wilco_dtc_configuration.device_wilco_dtc_configuration
+DisplayRotationDefault: display_rotation_default.display_rotation_default
+EnableDeviceGranularReporting: device_reporting.enable_granular_reporting
+ExtensionCacheSize: extension_cache_size.extension_cache_size
+HeartbeatEnabled: device_heartbeat_settings.heartbeat_enabled
+HeartbeatFrequency: device_heartbeat_settings.heartbeat_frequency
+DeviceHindiInscriptLayoutEnabled: device_hindi_inscript_layout_enabled.enabled
+KioskCRXManifestUpdateURLIgnored: kiosk_crx_manifest_update_url_ignored.value
+LogUploadEnabled: device_log_upload_settings.system_log_upload_enabled
+LoginAuthenticationBehavior: login_authentication_behavior.login_authentication_behavior
+LoginVideoCaptureAllowedUrls: login_video_capture_allowed_urls.urls
+ManagedGuestSessionPrivacyWarningsEnabled: managed_guest_session_privacy_warnings.enabled
+MinimumRequiredChromeVersion: minimum_required_version.chrome_version
+PluginVmAllowed: plugin_vm_allowed.plugin_vm_allowed
+PluginVmLicenseKey: plugin_vm_license_key.plugin_vm_license_key
+RebootAfterUpdate: auto_update_settings.reboot_after_update
+ReportCRDSessions: device_reporting.report_crd_sessions
+ReportDeviceActivityTimes: device_reporting.report_activity_times
+ReportDeviceAppInfo: device_reporting.report_app_info
+ReportDeviceAudioStatus: device_reporting.report_audio_status
+ReportDeviceAudioStatusCheckingRateMs: device_reporting.report_device_audio_status_checking_rate_ms
+ReportDeviceBacklightInfo: device_reporting.report_backlight_info
+ReportDeviceBluetoothInfo: device_reporting.report_bluetooth_info
+ReportDeviceBoardStatus: device_reporting.report_board_status
+ReportDeviceBootMode: device_reporting.report_boot_mode
+ReportDeviceCpuInfo: device_reporting.report_cpu_info
+ReportDeviceCrashReportInfo: device_reporting.report_crash_report_info
+ReportDeviceFanInfo: device_reporting.report_fan_info
+ReportDeviceGraphicsStatus: device_reporting.report_graphics_status
+ReportDeviceHardwareStatus: device_reporting.report_hardware_status
+ReportDeviceLocation: device_reporting.report_location
+ReportDeviceLoginLogout: device_reporting.report_login_logout
+ReportDeviceMemoryInfo: device_reporting.report_memory_info
+ReportDeviceNetworkConfiguration: device_reporting.report_network_configuration
+ReportDeviceNetworkInterfaces: device_reporting.report_network_interfaces
+ReportDeviceNetworkStatus: device_reporting.report_network_status
+ReportDeviceNetworkTelemetryCollectionRateMs: device_reporting.report_network_telemetry_collection_rate_ms
+ReportDeviceNetworkTelemetryEventCheckingRateMs: device_reporting.report_network_telemetry_event_checking_rate_ms
+ReportDeviceOsUpdateStatus: device_reporting.report_os_update_status
+ReportDevicePeripherals: device_reporting.report_peripherals
+ReportDevicePowerStatus: device_reporting.report_power_status
+ReportDevicePrintJobs: device_reporting.report_print_jobs
+DeviceReportRuntimeCounters: device_reporting.report_runtime_counters
+DeviceReportRuntimeCountersCheckingRateMs: device_reporting.device_report_runtime_counters_checking_rate_ms
+ReportDeviceSecurityStatus: device_reporting.report_security_status
+ReportDeviceSessionStatus: device_reporting.report_session_status
+ReportDeviceSignalStrengthEventDrivenTelemetry: device_reporting.report_signal_strength_event_driven_telemetry.entries
+ReportDeviceStorageStatus: device_reporting.report_storage_status
+ReportDeviceSystemInfo: device_reporting.report_system_info
+ReportDeviceTimezoneInfo: device_reporting.report_timezone_info
+ReportDeviceUsers: device_reporting.report_users
+ReportDeviceVersionInfo: device_reporting.report_version_info
+ReportDeviceVpdInfo: device_reporting.report_vpd_info
+ReportUploadFrequency: device_reporting.device_status_frequency
+RequiredClientCertificateForDevice: required_client_certificate_for_device.required_client_certificate_for_device
+SupervisedUsersEnabled: supervised_users_settings.supervised_users_enabled
+DeviceSystemAecEnabled: device_system_aec_enabled.device_system_aec_enabled
+SystemProxySettings: system_proxy_settings.system_proxy_settings
+SystemTimezone: system_timezone.timezone
+SystemTimezoneAutomaticDetection: system_timezone.timezone_detection_type
+SystemUse24HourClock: use_24hour_clock.use_24hour_clock
+UnaffiliatedArcAllowed: unaffiliated_arc_allowed.unaffiliated_arc_allowed
+UptimeLimit: uptime_limit.uptime_limit
+VirtualMachinesAllowed: virtual_machines_allowed.virtual_machines_allowed
+DeviceScreensaverLoginScreenEnabled: device_screensaver_login_screen_enabled.device_screensaver_login_screen_enabled
+DeviceScreensaverLoginScreenIdleTimeoutSeconds: device_screensaver_login_screen_idle_timeout_seconds.device_screensaver_login_screen_idle_timeout_seconds
+DeviceScreensaverLoginScreenImageDisplayIntervalSeconds: device_screensaver_login_screen_image_display_interval_seconds.device_screensaver_login_screen_image_display_interval_seconds
+DeviceScreensaverLoginScreenImages: device_screensaver_login_screen_images.device_screensaver_login_screen_images
+DeviceActivityHeartbeatEnabled: device_reporting.device_activity_heartbeat_enabled
+DeviceActivityHeartbeatCollectionRateMs: device_reporting.device_activity_heartbeat_collection_rate_ms
+DeviceReportNetworkEvents: device_reporting.report_network_events
+DeviceLowBatterySoundEnabled: device_low_battery_sound.enabled
+DeviceChargingSoundsEnabled: device_charging_sounds.enabled
+DeviceDlcPredownloadList: device_dlc_predownload_list.value
+# Mappings for new device policies are generated by default.
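Review bot: The entry `DeviceLoginScreenTouchVirtualKeyboardEnabled: DeviceLoginScreenTouchVirtualKeyboardEnabled.value` is the only mapping in this file whose proto path is CamelCase; every other value is a snake_case field path. `chrome_device_policy.proto` is not part of this hunk, so this may well match the real field name. If it is intentional, a trailing comment such as `# proto field is CamelCase by design` would keep it from being "normalised" later. If it is not, how a non-matching path is handled is not visible here, so it is worth checking that the mapping tooling rejects it rather than silently leaving the policy unmapped.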
diff --git a/tools/under-control/src/components/policy/resources/templates/messages.yaml b/tools/under-control/src/components/policy/resources/templates/messages.yaml
new file mode 100755
index 000000000..64d342474
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/messages.yaml
@@ -0,0 +1,241 @@
+deprecated_policy_desc:
+ desc: Description shared by all deprecated policies, in Microsoft Windows' Group
+ Policy Editor.
+ text: This policy is deprecated. Its usage is discouraged. Read more at https://support.google.com/chrome/a/answer/7643500
+deprecated_policy_group_caption:
+ desc: Localized name for the deprecated policies folder, for Microsoft's Group Policy
+ Editor.
+ text: Deprecated policies
+deprecated_policy_group_desc:
+ desc: Localized description for the deprecated policies folder, for Microsoft's
+ Group Policy Editor.
+ text: These policies are included here to make them easy to remove.
+doc_android_restriction_name:
+ desc: Caption text of the field 'android restriction name' in the summary chart
+ of a policy in the generated documentation
+ text: 'Android restriction name:'
+doc_android_webview_restriction_name:
+ desc: Caption text of the field 'android webview restriction name' in the summary
+ chart of a policy in the generated documentation
+ text: 'Android WebView restriction name:'
+doc_arc_support:
+ desc: Caption text of the field in the generated documentation that describes how
+ a policy affects Android applications on ChromeOS
+ text: 'Note for $2Google ChromeOS devices
+ supporting Android apps:'
+doc_back_to_top:
+ desc: Text of a link in the generated policy documentation, that takes the user
+ to the top of the page
+ text: Back to top
+doc_banner:
+ desc: A banner shown at the top of the policy documentation
+ text: The Chrome Enterprise policy list is moving! Please update your bookmarks
+ to https://cloud.google.com/docs/chrome-enterprise/policies/https://cloud.google.com/docs/chrome-enterprise/policies/.
+doc_chrome_os_example_value:
+ desc: Caption text of the field 'windows (ChromeOS clients)' in the summary chart
+ of a policy in the generated documentation
+ text: 'Windows ($2Google ChromeOS clients):'
+doc_chrome_os_reg_loc:
+ desc: Caption text of the field '$2Google ChromeOS
+ registry location' in the summary chart of a policy in the generated documentation
+ text: 'Windows registry location for $2Google ChromeOS
+ clients:'
+doc_complex_policies_on_windows:
+ desc: Text pointing the user to a help article for complex policies on Windows
+ text: encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windowshttps://www.chromium.org/administrators/complex-policies-on-windows
+doc_data_type:
+ desc: Caption text of the field 'data type' in the summary chart of a policy in
+ the generated documentation
+ text: 'Data type:'
+doc_deprecated:
+ desc: Text appended in parentheses to the policy name to indicate that it has been
+ deprecated
+ text: Deprecated
+doc_description:
+ desc: Caption text of the 'description text' in the summary chart of a policy in
+ the generated documentation
+ text: 'Description:'
+doc_description_column_title:
+ desc: Appears at the top of the policy summary table, over the column of short policy
+ descriptions, in the generated policy documentation
+ text: Description
+doc_example_value:
+ desc: Caption text of the field 'example value' in the summary chart of a policy
+ in the generated documentation
+ text: 'Example value:'
+doc_feature_can_be_mandatory:
+ desc: The name of the feature that indicates for a given policy that it can be mandatory,
+ instead of recommended
+ text: Can Be Mandatory
+doc_feature_can_be_recommended:
+ desc: The name of the feature that indicates for a given policy that it can be recommended,
+ instead of mandatory
+ text: Can Be Recommended
+doc_feature_cloud_only:
+ desc: The name of the fature that indicates whether a policy can only be set from
+ Admin Console.
+ text: Cloud Only
+doc_feature_dynamic_refresh:
+ desc: The name of the feature that indicates for a given policy that changes to
+ it are respected by Chromium without a browser restart
+ text: Dynamic Policy Refresh
+doc_feature_internal_only:
+ desc: The name of the feature that indicates whether a policy is used for internal
+ development or testing purposes.
+ text: Internal Only
+doc_feature_metapolicy_type:
+ desc: The name of the feature that indicates the type of metapolicy a policy is,
+ if any.
+ text: Metapolicy Type
+doc_feature_per_profile:
+ desc: The name of the feature that indicates whether a policy is applicable to browser
+ Profiles individually or whether it affects the entire browser.
+ text: Per Profile
+doc_feature_platform_only:
+ desc: The name of the feature that indicates whether a policy can only be set with
+ platfrom policy.
+ text: Platform Only
+doc_feature_unlisted:
+ desc: The name of the feature that indicates whether a policy is set from cloud
+ without any user interface.
+ text: Unlisted
+doc_feature_user_only:
+ desc: The name of the feature that indicates whether a policy can only be set with
+ signed in managed account.
+ text: User Only
+doc_group_intro:
+ desc: Introduction text for the generated policy atomic group documentation
+ text: Both Chromium and Google Chrome have some groups of policies that depend on
+ each other to provide control over a feature. These sets are represented by the
+ following policy groups. Given that policies can have multiple sources, only values
+ coming from the highest priority source will be applied. Values coming from a
+ lower priority source in the same group will be ignored. The order of priority
+ is defined in https://support.google.com/chrome/a/?p=policy_orderhttps://support.google.com/chrome/a/?p=policy_order.
+doc_intro:
+ desc: Introduction text for the generated policy documentation
+ text: |-
+ Both Chromium and Google Chrome support the same set of policies. Please note that this document may include unreleased policies (i.e. their 'Supported on' entry refers to a not-yet released version of $1Google Chrome) which are subject to change or removal without notice and for which no guarantees of any kind are provided, including no guarantees with respect to their security and privacy properties.
+
+ These policies are strictly intended to be used to configure instances of $1Google Chrome internal to your organization. Use of these policies outside of your organization (for example, in a publicly distributed program) is considered malware and will likely be labeled as malware by Google and anti-virus vendors.
+
+ These settings don't need to be configured manually! Easy-to-use templates for Windows, Mac and Linux are available for download from https://www.chromium.org/administrators/policy-templates https://www.chromium.org/administrators/policy-templates.
+
+ The recommended way to configure policy on Windows is via GPO, although provisioning policy via registry is still supported for Windows instances that are joined to a Microsoft® Active Directory® domain.
+doc_legacy_single_line_label:
+ desc: A label for the legacy single-line textbox for a policy also has a more user-friendly
+ multi-line textbox. See http://crbug/829328
+ text: $6Wallpaper Image (The single-line field
+ is deprecated and will be removed in the future. Please start using the multi-line
+ textbox below.)
+doc_mac_linux_pref_name:
+ desc: Caption text of the field 'mac/linux preference name' in the summary chart
+ of a policy in the generated documentation
+ text: 'Mac/Linux preference name:'
+doc_name_column_title:
+ desc: Appears at the top of the policy summary table, over the column of policy
+ names, in the generated policy documentation
+ text: Policy Name
+doc_not_supported:
+ desc: Appears next to the name of each unsupported feature in the 'list of supported
+ policy features' in the generated policy documentation
+ text: 'No'
+doc_oma_uri:
+ desc: Caption text of the field 'oma-uri' in the summary chart of a policy in the
+ generated documentation
+ text: 'OMA-URI:'
+doc_policy_atomic_group:
+ desc: Caption text of the 'policy atomic group' in the summary chart of a policy
+ in the generated documentation
+ text: 'Policy atomic group:'
+doc_policy_documentation:
+ desc: Link title for the policy documentation
+ text: Documentation for policy
+doc_policy_in_atomic_group:
+ desc: Label notifying that a policy is part of an atomic policy group
+ text: 'This policy is part of the following atomic group (only policies from the
+ highest priority source present in the group are applied) :'
+doc_policy_restriction:
+ desc: Caption text of the field 'restrictions' in the summary chart of a policy
+ in the generated documentation
+ text: 'Restrictions:'
+doc_range_maximum:
+ desc: Caption text of the field 'maximum' in the summary chart of a policy in the
+ generated documentation. Present only if policy has a maximum range restriction.
+ text: 'Maximum:'
+doc_range_minimum:
+ desc: Caption text of the field 'minimum' in the summary chart of a policy in the
+ generated documentation. Present only if policy has a minimum range restriction.
+ text: 'Minimum:'
+doc_recommended:
+ desc: Text appended in parentheses next to the policies top-level container to indicate
+ that those policies are of the Recommended level
+ text: Default Settings (users can override)
+doc_reference_link:
+ desc: Text pointing the user to the reference page for this policy, which may have
+ more info (since it doesn't have a size limit)
+ text: 'Reference: $6https://cloud.google.com/docs/chrome-enterprise/policies/?policy=WallpaperImage'
+doc_schema:
+ desc: Caption text of the 'schema' in the summary chart of a policy in the generated
+ documentation
+ text: 'Schema:'
+doc_schema_description_link:
+ desc: Text pointing the user to the expanded documentation page for this policy,
+ containing the information about schema and formatting.
+ text: See $6https://cloud.google.com/docs/chrome-enterprise/policies/?policy=WallpaperImage
+ for more information about schema and formatting.
+doc_since_version:
+ desc: Text in the summary chart of a policy that specifies the version number in
+ which the policy was introduced.
+ text: since version $68
+doc_supported:
+ desc: Appears next to the name of each supported feature in the 'list of supported
+ policy features' in the generated policy documentation
+ text: 'Yes'
+doc_supported_features:
+ desc: Caption text of the list of 'policy features that this policy supports' in
+ the summary chart of a policy in the generated documentation
+ text: 'Supported features:'
+doc_supported_on:
+ desc: Caption text of the list of 'products, platforms and versions where this policy
+ is supported' in the summary chart of a policy in the generated documentation
+ text: 'Supported on:'
+doc_until_version:
+ desc: Text in the summary chart of a policy that specifies the version number after
+ which the policy was dropped.
+ text: until version $610
+doc_url_schema:
+ desc: Caption text of the field with the link to expanded schema description in
+ the summary chart of a policy in the generated documentation
+ text: 'Expanded schema description:'
+doc_win_example_value:
+ desc: Caption text of the field 'windows (windows clients)' in the summary chart
+ of a policy in the generated documentation
+ text: 'Windows (Windows clients):'
+doc_win_reg_loc:
+ desc: Caption text of the field 'windows registry location' in the summary chart
+ of a policy in the generated documentation
+ text: 'Windows registry location for Windows clients:'
+mac_chrome_preferences:
+ desc: A text indicating in Mac OS X Workgroup Manager, that currently the preferences
+ of Chromium are being edited
+ text: $1Google Chrome preferences
+removed_policy_desc:
+ desc: Description shared by all removed policies, in Microsoft Windows' Group Policy
+ Editor.
+ text: This policy is removed. It is not compatible with this version of $1Google Chrome. Read more at https://support.google.com/chrome/a/answer/7643500
+removed_policy_group_caption:
+ desc: Localized name for the removed policies folder, for Microsoft's Group Policy
+ Editor.
+ text: Removed policies
+removed_policy_group_desc:
+ desc: Localized description for the removed policies folder, for Microsoft's Group
+ Policy Editor.
+ text: These policies are included here to make them easy to remove.
+win_supported_all:
+ desc: A label specifying the oldest possible compatible version of Windows. This
+ text will appear right next to a label containing the text 'Supported on:'.
+ text: Microsoft Windows 7 or later
+win_supported_win7:
+ desc: A label specifying the policy compatibles with Windows 7. This text will appear
+ right next to a label containing the text 'Supported on:'.
+ text: Microsoft Windows 7
diff --git a/tools/under-control/src/components/policy/resources/templates/policies.yaml b/tools/under-control/src/components/policy/resources/templates/policies.yaml
new file mode 100755
index 000000000..c5730b51b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policies.yaml
@@ -0,0 +1,1355 @@
+policies:
+ 1: HomepageLocation
+ 2: HomepageIsNewTabPage
+ 3: DefaultBrowserSettingEnabled
+ 4: ApplicationLocaleValue
+ 5: AlternateErrorPagesEnabled
+ 6: SearchSuggestEnabled
+ 7: DnsPrefetchingEnabled
+ 8: DisableSpdy
+ 9: JavascriptEnabled
+ 10: IncognitoEnabled
+ 11: SavingBrowserHistoryDisabled
+ 12: PrintingEnabled
+ 13: CloudPrintProxyEnabled
+ 14: SafeBrowsingEnabled
+ 15: MetricsReportingEnabled
+ 16: PasswordManagerEnabled
+ 17: PasswordManagerAllowShowPasswords
+ 18: AutoFillEnabled
+ 19: DisabledPlugins
+ 20: SyncDisabled
+ 21: ProxyMode
+ 22: ProxyServerMode
+ 23: ProxyServer
+ 24: ProxyPacUrl
+ 25: ProxyBypassList
+ 26: AuthSchemes
+ 27: DisableAuthNegotiateCnameLookup
+ 28: EnableAuthNegotiatePort
+ 29: AuthServerWhitelist
+ 30: AuthNegotiateDelegateWhitelist
+ 31: GSSAPILibraryName
+ 32: ExtensionInstallBlacklist
+ 33: ExtensionInstallWhitelist
+ 34: ExtensionInstallForcelist
+ 35: ShowHomeButton
+ 36: DeveloperToolsDisabled
+ 37: RestoreOnStartup
+ 38: RestoreOnStartupURLs
+ 39: BlockThirdPartyCookies
+ 40: DefaultSearchProviderEnabled
+ 41: DefaultSearchProviderName
+ 42: DefaultSearchProviderKeyword
+ 43: DefaultSearchProviderSearchURL
+ 44: DefaultSearchProviderSuggestURL
+ 45: DefaultSearchProviderInstantURL
+ 46: DefaultSearchProviderIconURL
+ 47: DefaultSearchProviderEncodings
+ 48: DefaultCookiesSetting
+ 49: DefaultImagesSetting
+ 50: DefaultJavaScriptSetting
+ 51: DefaultPluginsSetting
+ 52: DefaultPopupsSetting
+ 53: DefaultNotificationsSetting
+ 54: DefaultGeolocationSetting
+ 55: Disable3DAPIs
+ 56: PolicyRefreshRate
+ 57: ChromeFrameRendererSettings
+ 58: RenderInChromeFrameList
+ 59: RenderInHostList
+ 60: ChromeFrameContentTypes
+ 61: ChromeOsLockOnIdleSuspend
+ 62: InstantEnabled
+ 63: UserDataDir
+ 64: DownloadDirectory
+ 65: ClearSiteDataOnExit
+ 66: DisablePluginFinder
+ 67: CookiesBlockedForUrls
+ 68: CookiesSessionOnlyForUrls
+ 69: ImagesAllowedForUrls
+ 70: ImagesBlockedForUrls
+ 71: JavaScriptAllowedForUrls
+ 72: JavaScriptBlockedForUrls
+ 73: PluginsAllowedForUrls
+ 74: PluginsBlockedForUrls
+ 75: PopupsAllowedForUrls
+ 76: PopupsBlockedForUrls
+ 77: CookiesAllowedForUrls
+ 78: EnabledPlugins
+ 79: DisabledPluginsExceptions
+ 80: TranslateEnabled
+ 81: AllowOutdatedPlugins
+ 82: BookmarkBarEnabled
+ 83: EditBookmarksEnabled
+ 84: AllowFileSelectionDialogs
+ 85: DisabledSchemes
+ 86: AlwaysAuthorizePlugins
+ 87: GCFUserDataDir
+ 88: DiskCacheDir
+ 89: AllowCrossOriginAuthPrompt
+ 90: DevicePolicyRefreshRate
+ 91: ChromeOsReleaseChannel
+ 92: MaxConnectionsPerProxy
+ 93: IncognitoModeAvailability
+ 94: RemoteAccessClientFirewallTraversal
+ 95: RemoteAccessHostFirewallTraversal
+ 96: HideWebStorePromo
+ 97: ImportBookmarks
+ 98: ImportHistory
+ 99: ImportHomepage
+ 100: ImportSearchEngine
+ 101: ImportSavedPasswords
+ 102: AutoSelectCertificateForUrls
+ 103: URLBlacklist
+ 104: URLWhitelist
+ 105: NotificationsAllowedForUrls
+ 106: NotificationsBlockedForUrls
+ 107: OpenNetworkConfiguration
+ 108: DeviceOpenNetworkConfiguration
+ 109: CloudPrintSubmitEnabled
+ 110: DiskCacheSize
+ 111: MediaCacheSize
+ 112: EnterpriseWebStoreURL
+ 113: EnterpriseWebStoreName
+ 114: ''
+ 115: ''
+ 116: ProxySettings
+ 117: DisablePrintPreview
+ 118: DisableSSLRecordSplitting
+ 119: ReportDeviceVersionInfo
+ 120: ReportDeviceActivityTimes
+ 121: ReportDeviceBootMode
+ 122: DeviceUserWhitelist
+ 123: DeviceAllowNewUsers
+ 124: DeviceGuestModeEnabled
+ 125: DeviceShowUserNamesOnSignin
+ 126: DeviceDataRoamingEnabled
+ 127: DeviceMetricsReportingEnabled
+ 128: DeviceEphemeralUsersEnabled
+ 129: EnableOnlineRevocationChecks
+ 130: DeviceIdleLogoutTimeout
+ 131: DeviceIdleLogoutWarningDuration
+ 132: DeviceLoginScreenSaverId
+ 133: DeviceLoginScreenSaverTimeout
+ 134: ChromeOsReleaseChannelDelegated
+ 135: DeviceAppPack
+ 136: DeviceAutoUpdateDisabled
+ 137: DeviceStartUpUrls
+ 138: BackgroundModeEnabled
+ 139: DriveDisabled
+ 140: DriveDisabledOverCellular
+ 141: AdditionalLaunchParameters
+ 142: DeviceTargetVersionPrefix
+ 143: ReportDeviceLocation
+ 144: PinnedLauncherApps
+ 145: DeviceUpdateScatterFactor
+ 146: DeviceUpdateAllowedConnectionTypes
+ 147: RestrictSigninToPattern
+ 148: ExtensionInstallSources
+ 149: DefaultMediaStreamSetting
+ 150: DisableSafeBrowsingProceedAnyway
+ 151: SpellCheckServiceEnabled
+ 152: ExternalStorageDisabled
+ 153: DisableScreenshots
+ 154: RemoteAccessHostDomain
+ 155: RemoteAccessHostRequireTwoFactor
+ 156: RemoteAccessHostTalkGadgetPrefix
+ 157: RemoteAccessHostRequireCurtain
+ 158: SystemTimezone
+ 159: AudioOutputAllowed
+ 160: AudioCaptureAllowed
+ 161: DefaultSearchProviderAlternateURLs
+ 162: ForceSafeSearch
+ 163: DeviceLocalAccounts
+ 164: ShowLogoutButtonInTray
+ 165: BuiltInDnsClientEnabled
+ 166: ShelfAutoHideBehavior
+ 167: VideoCaptureAllowed
+ 168: ExtensionAllowedTypes
+ 169: UserDisplayName
+ 170: SessionLengthLimit
+ 171: DefaultSearchProviderSearchTermsReplacementKey
+ 172: ScreenDimDelayAC
+ 173: ScreenOffDelayAC
+ 174: ScreenLockDelayAC
+ 175: IdleDelayAC
+ 176: ScreenDimDelayBattery
+ 177: ScreenOffDelayBattery
+ 178: ScreenLockDelayBattery
+ 179: IdleDelayBattery
+ 180: IdleAction
+ 181: LidCloseAction
+ 182: PowerManagementUsesAudioActivity
+ 183: PowerManagementUsesVideoActivity
+ 184: PresentationIdleDelayScale
+ 185: DeviceAllowRedeemChromeOsRegistrationOffers
+ 186: TermsOfServiceURL
+ 187: AllowDeletingBrowserHistory
+ 188: ShowAccessibilityOptionsInSystemTrayMenu
+ 189: HideWebStoreIcon
+ 190: SigninAllowed
+ 191: DeviceStartUpFlags
+ 192: UptimeLimit
+ 193: RebootAfterUpdate
+ 194: DeviceLocalAccountAutoLoginId
+ 195: DeviceLocalAccountAutoLoginDelay
+ 196: VariationsRestrictParameter
+ 197: IdleWarningDelayAC
+ 198: IdleWarningDelayBattery
+ 199: DeviceVariationsRestrictParameter
+ 200: AttestationEnabledForUser
+ 201: AttestationExtensionWhitelist
+ 202: DeviceLocalAccountAutoLoginBailoutEnabled
+ 203: AllowScreenWakeLocks
+ 204: ''
+ 205: ''
+ 206: ''
+ 207: AttestationEnabledForDevice
+ 208: AudioCaptureAllowedUrls
+ 209: VideoCaptureAllowedUrls
+ 210: UserActivityScreenDimDelayScale
+ 211: LargeCursorEnabled
+ 212: SpokenFeedbackEnabled
+ 213: HighContrastEnabled
+ 214: ScreenMagnifierType
+ 215: DeviceLoginScreenDefaultLargeCursorEnabled
+ 216: DeviceLoginScreenDefaultSpokenFeedbackEnabled
+ 217: DeviceLoginScreenDefaultHighContrastEnabled
+ 218: DeviceLoginScreenDefaultScreenMagnifierType
+ 219: SupervisedUsersEnabled
+ 220: PresentationScreenDimDelayScale
+ 221: SuppressChromeFrameTurndownPrompt
+ 222: IdleActionBattery
+ 223: SupervisedUserCreationEnabled
+ 224: ReportDeviceNetworkInterfaces
+ 225: DeviceLoginScreenPowerManagement
+ 226: IdleActionAC
+ 227: ManagedBookmarks
+ 228: MaxInvalidationFetchDelay
+ 229: DefaultSearchProviderImageURL
+ 230: DefaultSearchProviderSearchURLPostParams
+ 231: DefaultSearchProviderSuggestURLPostParams
+ 232: DefaultSearchProviderInstantURLPostParams
+ 233: DefaultSearchProviderImageURLPostParams
+ 234: RemoteAccessHostAllowClientPairing
+ 235: RequireOnlineRevocationChecksForLocalAnchors
+ 236: SystemUse24HourClock
+ 237: DefaultSearchProviderNewTabURL
+ 238: SkipMetadataCheck
+ 239: AttestationForContentProtectionEnabled
+ 240: FullscreenAllowed
+ 241: DataCompressionProxyEnabled
+ 242: DeviceAutoUpdateP2PEnabled
+ 243: DeviceUpdateHttpDownloadsEnabled
+ 244: ChromeOsMultiProfileUserBehavior
+ 245: ForceEphemeralProfiles
+ 246: AutoCleanUpStrategy
+ 247: WaitForInitialUserActivity
+ 248: ReportDeviceUsers
+ 249: UserAvatarImage
+ 250: DeviceLocalAccountPromptForNetworkWhenOffline
+ 251: NativeMessagingBlacklist
+ 252: NativeMessagingWhitelist
+ 253: NativeMessagingUserLevelHosts
+ 254: SAMLOfflineSigninTimeLimit
+ 255: VirtualKeyboardEnabled
+ 256: DeviceLoginScreenDefaultVirtualKeyboardEnabled
+ 257: RemoteAccessHostAllowGnubbyAuth
+ 258: PowerManagementIdleSettings
+ 259: ScreenLockDelays
+ 260: KeyboardDefaultToFunctionKeys
+ 261: WPADQuickCheckEnabled
+ 262: WallpaperImage
+ 263: RemoteAccessHostAllowRelayedConnection
+ 264: RemoteAccessHostUdpPortRange
+ 265: EnableDeprecatedWebBasedSignin
+ 266: DeviceBlockDevmode
+ 267: ShowAppsShortcutInBookmarkBar
+ 268: RegisteredProtocolHandlers
+ 269: TouchVirtualKeyboardEnabled
+ 270: EnableDeprecatedWebPlatformFeatures
+ 271: DeviceTransferSAMLCookies
+ 272: EasyUnlockAllowed
+ 273: NetworkPredictionOptions
+ 274: SessionLocales
+ 275: BrowserGuestModeEnabled
+ 276: BrowserAddPersonEnabled
+ 277: ImportAutofillFormData
+ 278: ExtensionSettings
+ 279: SSLVersionMin
+ 280: SSLVersionFallbackMin
+ 281: ContextualSearchEnabled
+ 282: ForceGoogleSafeSearch
+ 283: ForceYouTubeSafetyMode
+ 284: DeviceRebootOnShutdown
+ 285: RemoteAccessHostMatchUsername
+ 286: RemoteAccessHostTokenUrl
+ 287: RemoteAccessHostTokenValidationUrl
+ 288: RemoteAccessHostTokenValidationCertificateIssuer
+ 289: RemoteAccessHostDebugOverridePolicies
+ 290: ReportDeviceHardwareStatus
+ 291: ReportDeviceSessionStatus
+ 292: ReportUploadFrequency
+ 293: HeartbeatEnabled
+ 294: HeartbeatFrequency
+ 295: CaptivePortalAuthenticationIgnoresProxy
+ 296: ExtensionCacheSize
+ 297: DeviceLoginScreenDomainAutoComplete
+ 298: ForceMaximizeOnFirstRun
+ 299: SafeBrowsingExtendedReportingOptInAllowed
+ 300: SSLErrorOverrideAllowed
+ 301: QuicAllowed
+ 302: KeyPermissions
+ 303: WelcomePageOnOSUpgradeEnabled
+ 304: HardwareAccelerationModeEnabled
+ 305: AuthAndroidNegotiateAccountType
+ 306: LogUploadEnabled
+ 307: UnifiedDesktopEnabledByDefault
+ 308: DefaultPrinterSelection
+ 309: AllowDinosaurEasterEgg
+ 310: RC4Enabled
+ 311: DisplayRotationDefault
+ 312: SupervisedUserContentProviderEnabled
+ 313: DefaultKeygenSetting
+ 314: KeygenAllowedForUrls
+ 315: KeygenBlockedForUrls
+ 316: RemoteAccessHostClientDomain
+ 317: ArcEnabled
+ 318: ArcPolicy
+ 319: AllowKioskAppControlChromeVersion
+ 320: DefaultWebBluetoothGuardSetting
+ 321: LoginAuthenticationBehavior
+ 322: UsbDetachableWhitelist
+ 323: DeviceAllowBluetooth
+ 324: SuppressUnsupportedOSWarning
+ 325: DeviceQuirksDownloadEnabled
+ 326: SystemTimezoneAutomaticDetection
+ 327: TaskManagerEndProcessEnabled
+ 328: LoginVideoCaptureAllowedUrls
+ 329: AllowScreenLock
+ 330: ArcCertificatesSyncMode
+ 331: AllowedDomainsForApps
+ 332: PacHttpsUrlStrippingEnabled
+ 333: EnableMediaRouter
+ 334: DHEEnabled
+ 335: CertificateTransparencyEnforcementDisabledForUrls
+ 336: DeviceLoginScreenExtensions
+ 337: ArcBackupRestoreEnabled
+ 338: NTPContentSuggestionsEnabled
+ 339: WebRtcUdpPortRange
+ 340: EnableSha1ForLocalAnchors
+ 341: ''
+ 342: ComponentUpdatesEnabled
+ 343: ExternalStorageReadOnly
+ 344: RemoteAccessHostAllowUiAccessForRemoteAssistance
+ 345: Http09OnNonDefaultPortsEnabled
+ 346: ForceBrowserSignin
+ 347: AlwaysOpenPdfExternally
+ 348: ForceYouTubeRestrict
+ 349: ReportArcStatusEnabled
+ 350: NativePrinters
+ 351: NetworkThrottlingEnabled
+ 352: QuickUnlockModeWhitelist
+ 353: QuickUnlockTimeout
+ 354: PinUnlockMinimumLength
+ 355: PinUnlockMaximumLength
+ 356: PinUnlockWeakPinsAllowed
+ 357: DeviceWallpaperImage
+ 358: RoamingProfileSupportEnabled
+ 359: RoamingProfileLocation
+ 360: NewTabPageLocation
+ 361: SSLVersionMax
+ 362: ShowCastIconInToolbar
+ 363: ArcLocationServiceEnabled
+ 364: DeviceLoginScreenLocales
+ 365: DeviceLoginScreenInputMethods
+ 366: EnableCommonNameFallbackForLocalAnchors
+ 367: InstantTetheringAllowed
+ 368: RemoteAccessHostDomainList
+ 369: RemoteAccessHostClientDomainList
+ 370: BrowserNetworkTimeQueriesEnabled
+ 371: DownloadRestrictions
+ 372: DeviceSecondFactorAuthentication
+ 373: PrintPreviewUseSystemDefaultPrinter
+ 374: DeviceEcryptfsMigrationStrategy
+ 375: SafeBrowsingForTrustedSourcesEnabled
+ 376: EcryptfsMigrationStrategy
+ 377: NoteTakingAppsLockScreenWhitelist
+ 378: CastReceiverEnabled
+ 379: CastReceiverName
+ 380: DeviceOffHours
+ 381: CloudPolicyOverridesPlatformPolicy
+ 382: NativePrintersBulkConfiguration
+ 383: NativePrintersBulkAccessMode
+ 384: NativePrintersBulkBlacklist
+ 385: NativePrintersBulkWhitelist
+ 386: DeviceNativePrinters
+ 387: DeviceNativePrintersAccessMode
+ 388: DeviceNativePrintersBlacklist
+ 389: DeviceNativePrintersWhitelist
+ 390: TPMFirmwareUpdateSettings
+ 391: RunAllFlashInAllowMode
+ 392: AutofillCreditCardEnabled
+ 393: NtlmV2Enabled
+ 394: MinimumRequiredChromeVersion
+ 395: PromptForDownloadLocation
+ 396: DeviceLoginScreenAutoSelectCertificateForUrls
+ 397: UnaffiliatedArcAllowed
+ 398: IsolateOrigins
+ 399: SitePerProcess
+ 400: UnsafelyTreatInsecureOriginAsSecure
+ 401: DefaultDownloadDirectory
+ 402: SecurityKeyPermitAttestation
+ 403: DeviceHostnameTemplate
+ 404: AbusiveExperienceInterventionEnforce
+ 405: SpellcheckLanguage
+ 406: SecondaryGoogleAccountSigninAllowed
+ 407: ThirdPartyBlockingEnabled
+ 408: SpellcheckEnabled
+ 409: AdsSettingForIntrusiveAdsSites
+ 410: RestrictAccountsToPatterns
+ 411: PasswordProtectionWarningTrigger
+ 412: ''
+ 413: EnableSymantecLegacyInfrastructure
+ 414: WebDriverOverridesIncompatiblePolicies
+ 415: DeviceKerberosEncryptionTypes
+ 416: DeviceUserPolicyLoopbackProcessingMode
+ 417: DeviceLoginScreenIsolateOrigins
+ 418: DeviceLoginScreenSitePerProcess
+ 419: RelaunchNotification
+ 420: RelaunchNotificationPeriod
+ 421: VirtualMachinesAllowed
+ 422: SafeBrowsingWhitelistDomains
+ 423: PasswordProtectionLoginURLs
+ 424: PasswordProtectionChangePasswordURL
+ 425: DeviceMachinePasswordChangeRate
+ 426: DeviceRollbackAllowedMilestones
+ 427: DeviceRollbackToTargetVersion
+ 428: MachineLevelUserCloudPolicyEnrollmentToken
+ 429: SafeBrowsingExtendedReportingEnabled
+ 430: AutoplayAllowed
+ 431: AutoplayWhitelist
+ 432: TabUnderAllowed
+ 433: UserNativePrintersAllowed
+ 434: DefaultWebUsbGuardSetting
+ 435: CertificateTransparencyEnforcementDisabledForCas
+ 436: CertificateTransparencyEnforcementDisabledForLegacyCas
+ 437: MediaRouterCastAllowAllIPs
+ 438: ''
+ 439: WebUsbAskForUrls
+ 440: WebUsbBlockedForUrls
+ 441: ChromeCleanupEnabled
+ 442: ChromeCleanupReportingEnabled
+ 443: DeveloperToolsAvailability
+ 444: AllowedLanguages
+ 445: IsolateOriginsAndroid
+ 446: SitePerProcessAndroid
+ 447: ArcAppInstallEventLoggingEnabled
+ 448: UsageTimeLimit
+ 449: ArcBackupRestoreServiceEnabled
+ 450: ArcGoogleLocationServicesEnabled
+ 451: EnableSyncConsent
+ 452: ContextualSuggestionsEnabled
+ 453: DeviceAutoUpdateTimeRestrictions
+ 454: PromotionalTabsEnabled
+ 455: SafeSitesFilterBehavior
+ 456: AllowedInputMethods
+ 457: OverrideSecurityRestrictionsOnInsecureOrigin
+ 458: DeviceUpdateStagingSchedule
+ 459: AutofillAddressEnabled
+ 460: TabFreezingEnabled
+ 461: UrlKeyedAnonymizedDataCollectionEnabled
+ 462: NetworkFileSharesAllowed
+ 463: DeviceLocalAccountManagedSessionEnabled
+ 464: WebRtcEventLogCollectionAllowed
+ 465: PowerSmartDimEnabled
+ 466: CoalesceH2ConnectionsWithClientCertificatesForHosts
+ 467: NetBiosShareDiscoveryEnabled
+ 468: WebAppInstallForceList
+ 469: SmsMessagesAllowed
+ 470: ReportVersionData
+ 471: ReportPolicyData
+ 472: ReportMachineIDData
+ 473: ReportUserIDData
+ 474: PrintingAllowedColorModes
+ 475: PrintingAllowedDuplexModes
+ 476: ''
+ 477: PrintingColorDefault
+ 478: PrintingDuplexDefault
+ 479: PrintingPaperSizeDefault
+ 480: PrintHeaderFooter
+ 481: CrostiniAllowed
+ 482: DeviceUnaffiliatedCrostiniAllowed
+ 483: EnterpriseHardwarePlatformAPIEnabled
+ 484: ReportCrostiniUsageEnabled
+ 485: VpnConfigAllowed
+ 486: WebUsbAllowDevicesForUrls
+ 487: BrowserSignin
+ 488: SmartLockSigninAllowed
+ 489: NTLMShareAuthenticationEnabled
+ 490: NetworkFileSharesPreconfiguredShares
+ 491: AllowWakeLocks
+ 492: ScreenBrightnessPercent
+ 493: CloudReportingEnabled
+ 494: AlternativeBrowserPath
+ 495: AlternativeBrowserParameters
+ 496: BrowserSwitcherUrlList
+ 497: BrowserSwitcherUrlGreylist
+ 498: BrowserSwitcherUseIeSitelist
+ 499: ReportExtensionsAndPluginsData
+ 500: ReportSafeBrowsingData
+ 501: DeviceWiFiFastTransitionEnabled
+ 502: DeviceDisplayResolution
+ 503: PluginVmAllowed
+ 504: PluginVmImage
+ 505: CloudManagementEnrollmentMandatory
+ 506: PrintingSendUsernameAndFilenameEnabled
+ 507: ParentAccessCodeConfig
+ 508: DeviceGpoCacheLifetime
+ 509: DeviceAuthDataCacheLifetime
+ 510: CloudManagementEnrollmentToken
+ 511: BrowserSwitcherExternalSitelistUrl
+ 512: ReportDevicePowerStatus
+ 513: ReportDeviceStorageStatus
+ 514: ReportDeviceBoardStatus
+ 515: PluginVmLicenseKey
+ 516: ExtensionAllowInsecureUpdates
+ 517: BrowserSwitcherEnabled
+ 518: ClientCertificateManagementAllowed
+ 519: BrowserSwitcherKeepLastChromeTab
+ 520: DeviceRebootOnUserSignout
+ 521: ForceNetworkInProcess
+ 522: SchedulerConfiguration
+ 523: CrostiniExportImportUIAllowed
+ 524: BrowserSwitcherDelay
+ 525: PrintingAllowedPinModes
+ 526: PrintingPinDefault
+ 527: VoiceInteractionContextEnabled
+ 528: AuthNegotiateDelegateByKdcPolicy
+ 529: VoiceInteractionHotwordEnabled
+ 530: BrowserSwitcherChromePath
+ 531: BrowserSwitcherChromeParameters
+ 532: DeviceWilcoDtcAllowed
+ 533: AllowPopupsDuringPageUnload
+ 534: RemoteAccessHostAllowFileTransfer
+ 535: DeviceWilcoDtcConfiguration
+ 536: SpellcheckLanguageBlacklist
+ 537: DeviceWiFiAllowed
+ 538: DevicePowerPeakShiftEnabled
+ 539: DevicePowerPeakShiftBatteryThreshold
+ 540: DevicePowerPeakShiftDayConfig
+ 541: DeviceBootOnAcEnabled
+ 542: SignedHTTPExchangeEnabled
+ 543: DeviceQuickFixBuildToken
+ 544: ''
+ 545: SamlInSessionPasswordChangeEnabled
+ 546: ''
+ 547: DeviceDockMacAddressSource
+ 548: DeviceAdvancedBatteryChargeModeEnabled
+ 549: DeviceAdvancedBatteryChargeModeDayConfig
+ 550: DeviceBatteryChargeMode
+ 551: DeviceBatteryChargeCustomStartCharging
+ 552: DeviceBatteryChargeCustomStopCharging
+ 553: DeviceUsbPowerShareEnabled
+ 554: PolicyListMultipleSourceMergeList
+ 555: SamlPasswordExpirationAdvanceWarningDays
+ 556: DeviceScheduledUpdateCheck
+ 557: KerberosEnabled
+ 558: KerberosRememberPasswordEnabled
+ 559: KerberosAddAccountsAllowed
+ 560: KerberosAccounts
+ 561: StickyKeysEnabled
+ 562: ''
+ 563: AppRecommendationZeroStateEnabled
+ 564: BrowserSwitcherExternalGreylistUrl
+ 565: PolicyDictionaryMultipleSourceMergeList
+ 566: CommandLineFlagSecurityWarningsEnabled
+ 567: RelaunchHeadsUpPeriod
+ 568: StartupBrowserWindowLaunchSuppressed
+ 569: ''
+ 570: UserFeedbackAllowed
+ 571: DevicePowerwashAllowed
+ 572: ExternalPrintServers
+ 573: SelectToSpeakEnabled
+ 574: BrowserGuestModeEnforced
+ 575: BuiltinCertificateVerifierEnabled
+ 576: CrostiniRootAccessAllowed
+ 577: VmManagementCliAllowed
+ 578: ''
+ 579: CACertificateManagementAllowed
+ 580: PasswordLeakDetectionEnabled
+ 581: LockScreenMediaPlaybackEnabled
+ 582: DnsOverHttpsMode
+ 583: ''
+ 584: PolicyAtomicGroupsEnabled
+ 585: ''
+ 586: ''
+ 587: ''
+ 588: ''
+ 589: ''
+ 590: ''
+ 591: ''
+ 592: DictationEnabled
+ 593: KeyboardFocusHighlightEnabled
+ 594: CursorHighlightEnabled
+ 595: CaretHighlightEnabled
+ 596: MonoAudioEnabled
+ 597: AutoclickEnabled
+ 598: RendererCodeIntegrityEnabled
+ 599: DeviceLoginScreenLargeCursorEnabled
+ 600: ''
+ 601: HSTSPolicyBypassList
+ 602: ReportDeviceOsUpdateStatus
+ 603: DeviceLoginScreenWebUsbAllowDevicesForUrls
+ 604: AllowSyncXHRInPageDismissal
+ 605: DeviceLoginScreenSpokenFeedbackEnabled
+ 606: DeviceLoginScreenHighContrastEnabled
+ 607: DeviceLoginScreenVirtualKeyboardEnabled
+ 608: CloudExtensionRequestEnabled
+ 609: DeviceLoginScreenSystemInfoEnforced
+ 610: SharedClipboardEnabled
+ 611: DeviceLoginScreenDictationEnabled
+ 612: DeviceLoginScreenSelectToSpeakEnabled
+ 613: DeviceLoginScreenCursorHighlightEnabled
+ 614: DeviceLoginScreenCaretHighlightEnabled
+ 615: DeviceLoginScreenMonoAudioEnabled
+ 616: TotalMemoryLimitMb
+ 617: DeviceLoginScreenAutoclickEnabled
+ 618: DeviceLoginScreenStickyKeysEnabled
+ 619: DeviceLoginScreenKeyboardFocusHighlightEnabled
+ 620: ShelfAlignment
+ 621: PrintingAllowedBackgroundGraphicsModes
+ 622: PrintingBackgroundGraphicsDefault
+ 623: LegacySameSiteCookieBehaviorEnabled
+ 624: LegacySameSiteCookieBehaviorEnabledForDomainList
+ 625: PrintJobHistoryExpirationPeriod
+ 626: TLS13HardeningForLocalAnchorsEnabled
+ 627: AudioSandboxEnabled
+ 628: DeviceLoginScreenScreenMagnifierType
+ 629: CorsMitigationList
+ 630: CorsLegacyModeEnabled
+ 631: ExternalPrintServersWhitelist
+ 632: ExternalProtocolDialogShowAlwaysOpenCheckbox
+ 633: DefaultInsecureContentSetting
+ 634: InsecureContentAllowedForUrls
+ 635: InsecureContentBlockedForUrls
+ 636: DeviceWebBasedAttestationAllowedUrls
+ 637: BlockExternalExtensions
+ 638: DeviceShowNumericKeyboardForPassword
+ 639: CrostiniAnsiblePlaybook
+ 640: WebRtcLocalIpsAllowedUrls
+ 641: PerAppTimeLimits
+ 642: DnsOverHttpsTemplates
+ 643: GloballyScopeHTTPAuthCacheEnabled
+ 644: WebComponentsV0Enabled
+ 645: ClickToCallEnabled
+ 646: DeviceLoginScreenShowOptionsInSystemTrayMenu
+ 647: PrinterTypeDenyList
+ 648: ForceLegacyDefaultReferrerPolicy
+ 649: SyncTypesListDisabled
+ 650: AmbientAuthenticationInPrivateModesEnabled
+ 651: PaymentMethodQueryEnabled
+ 652: StricterMixedContentTreatmentEnabled
+ 653: NTPCustomBackgroundEnabled
+ 654: DNSInterceptionChecksEnabled
+ 655: PrimaryMouseButtonSwitch
+ 656: ReportDeviceCpuInfo
+ 657: DeviceLoginScreenPrimaryMouseButtonSwitch
+ 658: PerAppTimeLimitsWhitelist
+ 659: AccessibilityShortcutsEnabled
+ 660: ReportDeviceGraphicsStatus
+ 661: DeviceLoginScreenAccessibilityShortcutsEnabled
+ 662: LocalDiscoveryEnabled
+ 663: ChromeVariations
+ 664: PrintingAPIExtensionsWhitelist
+ 665: ReportDeviceCrashReportInfo
+ 666: ScreenCaptureAllowed
+ 667: AdvancedProtectionDeepScanningEnabled
+ 668: ''
+ 669: ''
+ 670: DeviceMinimumVersion
+ 671: ReportDeviceTimezoneInfo
+ 672: SystemProxySettings
+ 673: UserDataSnapshotRetentionLimit
+ 674: DeviceChromeVariations
+ 675: NativeWindowOcclusionEnabled
+ 676: DeviceLoginScreenPrivacyScreenEnabled
+ 677: PrivacyScreenEnabled
+ 678: AllowNativeNotifications
+ 679: ForceLogoutUnauthenticatedUserEnabled
+ 680: RequiredClientCertificateForUser
+ 681: RequiredClientCertificateForDevice
+ 682: ReportDeviceMemoryInfo
+ 683: UseLegacyFormControls
+ 684: SafeBrowsingProtectionLevel
+ 685: AdvancedProtectionAllowed
+ 686: ReportDeviceBacklightInfo
+ 687: ScrollToTextFragmentEnabled
+ 688: ManagedGuestSessionAutoLaunchNotificationReduced
+ 689: SystemFeaturesDisableList
+ 690: CrostiniArcAdbSideloadingAllowed
+ 691: FloatingAccessibilityMenuEnabled
+ 692: PrintingMaxSheetsAllowed
+ 693: OnFileAttachedEnterpriseConnector
+ 694: VoiceInteractionQuickAnswersEnabled
+ 695: DeviceCrostiniArcAdbSideloadingAllowed
+ 696: OnFileDownloadedEnterpriseConnector
+ 697: OnBulkDataEntryEnterpriseConnector
+ 698: PluginVmUserId
+ 699: OnSecurityEventEnterpriseConnector
+ 700: AutoOpenFileTypes
+ 701: LoginDisplayPasswordButtonEnabled
+ 702: ReportDeviceAppInfo
+ 703: AccessibilityImageLabelsEnabled
+ 704: AppCacheForceEnabled
+ 705: UserPluginVmAllowed
+ 706: PrintRasterizationMode
+ 707: AutoOpenAllowedForURLs
+ 708: ReportDeviceBluetoothInfo
+ 709: ReportDeviceFanInfo
+ 710: ReportDeviceVpdInfo
+ 711: EnableExperimentalPolicies
+ 712: PluginVmDataCollectionAllowed
+ 713: IntensiveWakeUpThrottlingEnabled
+ 714: DeviceMinimumVersionAueMessage
+ 715: DefaultSearchProviderContextMenuAccessAllowed
+ 716: CrostiniPortForwardingAllowed
+ 717: VirtualKeyboardFeatures
+ 718: PinUnlockAutosubmitEnabled
+ 719: LockScreenReauthenticationEnabled
+ 720: DeletePrintJobHistoryAllowed
+ 721: EmojiSuggestionEnabled
+ 722: AutoLaunchProtocolsFromOrigins
+ 723: ManagedGuestSessionPrivacyWarningsEnabled
+ 724: PluginVmRequiredFreeDiskSpace
+ 725: UserAgentClientHintsEnabled
+ 726: SuggestedContentEnabled
+ 727: ExtensionInstallEventLoggingEnabled
+ 728: EnterpriseRealTimeUrlCheckMode
+ 729: AssistantOnboardingMode
+ 730: DeviceExternalPrintServers
+ 731: DeviceExternalPrintServersAllowlist
+ 732: SafeBrowsingAllowlistDomains
+ 733: DevicePrintersAccessMode
+ 734: DevicePrintersBlocklist
+ 735: DevicePrintersAllowlist
+ 736: URLBlocklist
+ 737: URLAllowlist
+ 738: ExtensionInstallAllowlist
+ 739: ShowFullUrlsInAddressBar
+ 740: ExtensionInstallBlocklist
+ 741: ReportDeviceSystemInfo
+ 742: AutoplayAllowlist
+ 743: DevicePrinters
+ 744: NativeMessagingBlocklist
+ 745: NativeMessagingAllowlist
+ 746: AuthNegotiateDelegateAllowlist
+ 747: AuthServerAllowlist
+ 748: InsecureFormsWarningsEnabled
+ 749: SpellcheckLanguageBlocklist
+ 750: ExternalPrintServersAllowlist
+ 751: DefaultSerialGuardSetting
+ 752: SerialAskForUrls
+ 753: SerialBlockedForUrls
+ 754: DefaultSensorsSetting
+ 755: SensorsAllowedForUrls
+ 756: SensorsBlockedForUrls
+ 757: DeviceChannelDowngradeBehavior
+ 758: BackForwardCacheEnabled
+ 759: NoteTakingAppsLockScreenAllowlist
+ 760: CCTToSDialogEnabled
+ 761: NearbyShareAllowed
+ 762: PerAppTimeLimitsAllowlist
+ 763: DeviceShowLowDiskSpaceNotification
+ 764: DeviceUserAllowlist
+ 765: UsbDetachableAllowlist
+ 766: InsecurePrivateNetworkRequestsAllowed
+ 767: InsecurePrivateNetworkRequestsAllowedForUrls
+ 768: UserPrintersAllowed
+ 769: Printers
+ 770: PrintersBulkConfiguration
+ 771: DeviceReleaseLtsTag
+ 772: PrintersBulkAccessMode
+ 773: DefaultFileSystemReadGuardSetting
+ 774: DefaultFileSystemWriteGuardSetting
+ 775: FileSystemReadAskForUrls
+ 776: FileSystemReadBlockedForUrls
+ 777: FileSystemWriteAskForUrls
+ 778: FileSystemWriteBlockedForUrls
+ 779: PrintersBulkBlocklist
+ 780: PrintersBulkAllowlist
+ 781: CloudPrintWarningsSuppressed
+ 782: LookalikeWarningAllowlistDomains
+ 783: PrintingAPIExtensionsAllowlist
+ 784: QuickUnlockModeAllowlist
+ 785: AttestationExtensionAllowlist
+ 786: DataLeakPreventionRulesList
+ 787: WebRtcAllowLegacyTLSProtocols
+ 788: MediaRecommendationsEnabled
+ 789: DeviceFamilyLinkAccountsAllowed
+ 790: EduCoexistenceToSVersion
+ 791: BrowsingDataLifetime
+ 792: IntranetRedirectBehavior
+ 793: LacrosAllowed
+ 794: DeviceArcDataSnapshotHours
+ 795: PhoneHubAllowed
+ 796: PhoneHubNotificationsAllowed
+ 797: PhoneHubTaskContinuationAllowed
+ 798: WifiSyncAndroidAllowed
+ 799: SecurityTokenSessionBehavior
+ 800: SecurityTokenSessionNotificationSeconds
+ 801: TosDialogBehavior
+ 802: TargetBlankImpliesNoOpener
+ 803: RemoteAccessHostEnableUserInterface
+ 804: FullscreenAlertEnabled
+ 805: NTPCardsVisible
+ 806: BasicAuthOverHttpEnabled
+ 807: SystemFeaturesDisableMode
+ 808: IntegratedWebAuthenticationAllowed
+ 809: ClearBrowsingDataOnExitList
+ 810: ProfilePickerOnStartupAvailability
+ 811: SigninInterceptionEnabled
+ 812: RemoteAccessHostAllowRemoteAccessConnections
+ 813: ManagedConfigurationPerOrigin
+ 814: RemoteAccessHostMaximumSessionDurationMinutes
+ 815: EnableDeprecatedPrivetPrinting
+ 816: BrowserLabsEnabled
+ 817: WindowOcclusionEnabled
+ 818: DeviceAllowMGSToStoreDisplayProperties
+ 819: SSLErrorOverrideAllowedForOrigins
+ 820: WebXRImmersiveArEnabled
+ 821: GaiaOfflineSigninTimeLimitDays
+ 822: ''
+ 823: DeviceSystemWideTracingEnabled
+ 824: WebAppSettings
+ 825: DevicePciPeripheralDataAccessEnabled
+ 826: ContextAwareAccessSignalsAllowlist
+ 827: FetchKeepaliveDurationSecondsOnShutdown
+ 828: AllowSystemNotifications
+ 829: SuppressDifferentOriginSubframeDialogs
+ 830: DeviceBorealisAllowed
+ 831: UserBorealisAllowed
+ 832: LacrosSecondaryProfilesAllowed
+ 833: GaiaLockScreenOfflineSigninTimeLimitDays
+ 834: SamlLockScreenOfflineSigninTimeLimitDays
+ 835: ReportDevicePrintJobs
+ 836: AudioProcessHighPriorityEnabled
+ 837: SerialAllowAllPortsForUrls
+ 838: SerialAllowUsbDevicesForUrls
+ 839: ForcedLanguages
+ 840: BrowserThemeColor
+ 841: CECPQ2Enabled
+ 842: HeadlessMode
+ 843: WebRtcIPHandling
+ 844: PdfAnnotationsEnabled
+ 845: DefaultFileHandlingGuardSetting
+ 846: FileHandlingAllowedForUrls
+ 847: FileHandlingBlockedForUrls
+ 848: DeviceAllowedBluetoothServices
+ 849: ExplicitlyAllowedNetworkPorts
+ 850: DeviceDebugPacketCaptureAllowed
+ 851: SuggestLogoutAfterClosingLastWindow
+ 852: SharedArrayBufferUnrestrictedAccessAllowed
+ 853: LensCameraAssistedSearchEnabled
+ 854: RelaunchWindow
+ 855: LacrosAvailability
+ 856: DataLeakPreventionReportingEnabled
+ 857: AdditionalDnsQueryTypesEnabled
+ 858: TripleDESEnabled
+ 859: CloudUserPolicyMerge
+ 860: ManagedAccountsSigninRestriction
+ 861: LockIconInAddressBarEnabled
+ 862: DeviceScheduledReboot
+ 863: ReportDeviceLoginLogout
+ 864: RemoteDebuggingAllowed
+ 865: DeviceAttributesAllowedForOrigins
+ 866: BrowserSwitcherParsingMode
+ 867: DefaultJavaScriptJitSetting
+ 868: JavaScriptJitAllowedForSites
+ 869: JavaScriptJitBlockedForSites
+ 870: HttpsOnlyMode
+ 871: DesktopSharingHubEnabled
+ 872: ''
+ 873: ReportDeviceAudioStatus
+ 874: DeviceHostnameUserConfigurable
+ 875: ReportDeviceNetworkConfiguration
+ 876: ReportDeviceNetworkStatus
+ 877: DataLeakPreventionClipboardCheckSizeLimit
+ 878: CrossOriginWebAssemblyModuleSharingEnabled
+ 879: RestrictedManagedGuestSessionExtensionCleanupExemptList
+ 880: DisplayCapturePermissionsPolicyEnabled
+ 881: ScreenCaptureAllowedByOrigins
+ 882: WindowCaptureAllowedByOrigins
+ 883: TabCaptureAllowedByOrigins
+ 884: SameOriginTabCaptureAllowedByOrigins
+ 885: AssistantVoiceMatchEnabledDuringOobe
+ 886: LensRegionSearchEnabled
+ 887: ArcAppToWebAppSharingEnabled
+ 888: EnhancedNetworkVoicesInSelectToSpeakAllowed
+ 889: PrintPdfAsImageAvailability
+ 890: PrintRasterizePdfDpi
+ 891: DeviceTargetVersionSelector
+ 892: ChromeAppsEnabled
+ 893: BrowserLegacyExtensionPointsBlocked
+ 894: DeviceRestrictedManagedGuestSessionEnabled
+ 895: PrintPostScriptMode
+ 896: PrintPdfAsImageDefault
+ 897: FullRestoreEnabled
+ 898: GhostWindowEnabled
+ 899: CloudUserPolicyOverridesCloudMachinePolicy
+ 900: ReportDeviceSecurityStatus
+ 901: EnableDeviceGranularReporting
+ 902: WebSQLInThirdPartyContextEnabled
+ 903: U2fSecurityKeyApiEnabled
+ 904: DeviceLoginScreenPromptOnMultipleMatchingCertificates
+ 905: PromptOnMultipleMatchingCertificates
+ 906: SideSearchEnabled
+ 907: AccessCodeCastEnabled
+ 908: AccessCodeCastDeviceDuration
+ 909: NetworkServiceSandboxEnabled
+ 910: DeskTemplatesEnabled
+ 911: PreconfiguredDeskTemplates
+ 912: FastPairEnabled
+ 913: SandboxExternalProtocolBlocked
+ 914: ReportDeviceNetworkTelemetryCollectionRateMs
+ 915: ReportDeviceNetworkTelemetryEventCheckingRateMs
+ 916: KioskCRXManifestUpdateURLIgnored
+ 917: QuickAnswersEnabled
+ 918: QuickAnswersDefinitionEnabled
+ 919: QuickAnswersTranslationEnabled
+ 920: QuickAnswersUnitConversionEnabled
+ 921: CORSNonWildcardRequestHeadersSupport
+ 922: RemoteAccessHostClipboardSizeBytes
+ 923: RemoteAccessHostAllowRemoteSupportConnections
+ 924: UserAgentClientHintsGREASEUpdateEnabled
+ 925: DeviceI18nShortcutsEnabled
+ 926: HistoryClustersVisible
+ 927: ChromadToCloudMigrationEnabled
+ 928: CopyPreventionSettings
+ 929: ReportDeviceAudioStatusCheckingRateMs
+ 930: KeepFullscreenWithoutNotificationUrlAllowList
+ 931: OnPrintEnterpriseConnector
+ 932: UserAgentReduction
+ 933: OriginAgentClusterDefaultEnabled
+ 934: DeviceLoginScreenWebUILazyLoading
+ 935: ProjectorEnabled
+ 936: PhoneHubCameraRollAllowed
+ 937: EcheAllowed
+ 938: DeviceKeylockerForStorageEncryptionEnabled
+ 939: ReportCRDSessions
+ 940: DeviceRunAutomaticCleanupOnLogin
+ 941: NTPMiddleSlotAnnouncementVisible
+ 942: CloudProfileReportingEnabled
+ 943: DefaultWebHidGuardSetting
+ 944: WebHidAskForUrls
+ 945: WebHidBlockedForUrls
+ 946: PasswordDismissCompromisedAlertEnabled
+ 947: ExemptDomainFileTypePairsFromFileTypeDownloadWarnings
+ 948: FirstPartySetsEnabled
+ 949: ForceMajorVersionToMinorPositionInUserAgent
+ 950: AllHttpAuthSchemesAllowedForOrigins
+ 951: DefaultWindowPlacementSetting
+ 952: ReportDevicePeripherals
+ 953: WebHidAllowAllDevicesForUrls
+ 954: WebHidAllowDevicesForUrls
+ 955: WebHidAllowDevicesWithHidUsagesForUrls
+ 956: SecondaryGoogleAccountUsage
+ 957: DeviceEncryptedReportingPipelineEnabled
+ 958: ''
+ 959: FloatingWorkspaceEnabled
+ 960: WindowPlacementAllowedForUrls
+ 961: WindowPlacementBlockedForUrls
+ 962: CloudReportingUploadFrequency
+ 963: OptimizationGuideFetchingEnabled
+ 964: WebAuthnFactors
+ 965: WebAuthenticationRemoteProxiedRequestsAllowed
+ 966: WebSQLAccess
+ 967: SetTimeoutWithout1MsClampEnabled
+ 968: AllowChromeDataInBackups
+ 969: FirstPartySetsOverrides
+ 970: DownloadBubbleEnabled
+ 971: DevicePowerAdaptiveChargingEnabled
+ 972: GetDisplayMediaSetSelectAllScreensAllowedForUrls
+ 973: WarnBeforeQuittingEnabled
+ 974: SystemTerminalSshAllowed
+ 975: InsightsExtensionEnabled
+ 976: EnterpriseAuthenticationAppLinkPolicy
+ 977: DefaultLocalFontsSetting
+ 978: LocalFontsAllowedForUrls
+ 979: LocalFontsBlockedForUrls
+ 980: ProjectorDogfoodForFamilyLinkEnabled
+ 981: UrlParamFilterEnabled
+ 982: ''
+ 983: DefaultClipboardSetting
+ 984: ClipboardAllowedForUrls
+ 985: ClipboardBlockedForUrls
+ 986: OsColorMode
+ 987: RendererAppContainerEnabled
+ 988: UnthrottledNestedTimeoutEnabled
+ 989: PolicyScopeDetection
+ 990: EventPathEnabled
+ 991: OnFileTransferEnterpriseConnector
+ 992: ChromeRootStoreEnabled
+ 993: WebSQLNonSecureContextEnabled
+ 994: IdleTimeout
+ 995: NewWindowsInKioskAllowed
+ 996: EncryptedClientHelloEnabled
+ 997: DeviceAutofillSAMLUsername
+ 998: EnterpriseProfileCreationKeepBrowsingData
+ 999: KerberosDomainAutocomplete
+ 1000: KerberosCustomPrefilledConfig
+ 1001: UnmanagedDeviceSignalsConsentFlowEnabled
+ 1002: PersistentQuotaEnabled
+ 1003: DeviceLoginScreenContextAwareAccessSignalsAllowlist
+ 1004: PrefixedStorageInfoEnabled
+ 1005: LoadCryptoTokenExtension
+ 1006: HighEfficiencyModeEnabled
+ 1007: DevicePrintingClientNameTemplate
+ 1008: ReportDeviceSignalStrengthEventDrivenTelemetry
+ 1009: BatterySaverModeAvailability
+ 1010: TabDiscardingExceptions
+ 1011: AssistantWebEnabled
+ 1012: LacrosDataBackwardMigrationMode
+ 1013: StrictMimetypeCheckForWorkerScriptsEnabled
+ 1014: RecoveryFactorBehavior
+ 1015: CalendarIntegrationEnabled
+ 1016: DeviceReportXDREvents
+ 1017: TrashEnabled
+ 1018: ShoppingListEnabled
+ 1019: DeskAPIThirdPartyAccessEnabled
+ 1020: FileSystemSyncAccessHandleAsyncInterfaceEnabled
+ 1021: DefaultHandlersForFileExtensions
+ 1022: IsolatedWebAppInstallForceList
+ 1023: DeskAPIThirdPartyAllowlist
+ 1024: VirtualKeyboardResizesLayoutByDefault
+ 1025: HindiInscriptLayoutEnabled
+ 1026: DeviceKeyboardBacklightColor
+ 1027: LensDesktopNTPSearchEnabled
+ 1028: AccessControlAllowMethodsInCORSPreflightSpecConformant
+ 1029: AllowWebAuthnWithBrokenTlsCerts
+ 1030: ExtensionManifestV2Availability
+ 1031: OffsetParentNewSpecBehaviorEnabled
+ 1032: SendMouseEventsDisabledFormControlsEnabled
+ 1033: BruschettaVMConfiguration
+ 1034: DnsOverHttpsSalt
+ 1035: DnsOverHttpsTemplatesWithIdentifiers
+ 1036: IdleTimeoutActions
+ 1037: ThrottleNonVisibleCrossOriginIframesAllowed
+ 1038: PdfLocalFileAccessAllowedForDomains
+ 1039: FloatingWorkspaceV2Enabled
+ 1040: ''
+ 1041: NewBaseUrlInheritanceBehaviorAllowed
+ 1042: ShowCastSessionsStartedByOtherDevices
+ 1043: CloudAPAuthEnabled
+ 1044: UsbDetectorNotificationEnabled
+ 1045: LacrosSelection
+ 1046: UseMojoVideoDecoderForPepperAllowed
+ 1047: PPAPISharedImagesSwapChainAllowed
+ 1048: PrivacySandboxPromptEnabled
+ 1049: PrivacySandboxAdTopicsEnabled
+ 1050: PrivacySandboxSiteEnabledAdsEnabled
+ 1051: PrivacySandboxAdMeasurementEnabled
+ 1052: AppStoreRatingEnabled
+ 1053: KerberosUseCustomPrefilledConfig
+ 1054: DeviceHindiInscriptLayoutEnabled
+ 1055: DeviceLoginScreenExtensionManifestV2Availability
+ 1056: KioskTroubleshootingToolsEnabled
+ 1057: ForceEnablePepperVideoDecoderDevAPI
+ 1058: DomainReliabilityAllowed
+ 1059: ScreensaverLockScreenEnabled
+ 1060: ScreensaverLockScreenIdleTimeoutSeconds
+ 1061: ScreensaverLockScreenImageDisplayIntervalSeconds
+ 1062: ScreensaverLockScreenImages
+ 1063: DeviceScreensaverLoginScreenEnabled
+ 1064: DeviceScreensaverLoginScreenIdleTimeoutSeconds
+ 1065: DeviceScreensaverLoginScreenImageDisplayIntervalSeconds
+ 1066: DeviceScreensaverLoginScreenImages
+ 1067: DefaultWindowManagementSetting
+ 1068: WindowManagementAllowedForUrls
+ 1069: WindowManagementBlockedForUrls
+ 1070: OutOfProcessSystemDnsResolutionEnabled
+ 1071: ExtensionUnpublishedAvailability
+ 1072: MixedContentAutoupgradeEnabled
+ 1073: ChromeAppsWebViewPermissiveBehaviorAllowed
+ 1074: ExtensionExtendedBackgroundLifetimeForPortConnectionsToUrls
+ 1075: DeviceActivityHeartbeatEnabled
+ 1076: DeviceActivityHeartbeatCollectionRateMs
+ 1077: WallpaperGooglePhotosIntegrationEnabled
+ 1078: WebRtcTextLogCollectionAllowed
+ 1079: EnforceLocalAnchorConstraintsEnabled
+ 1080: ShowTouchpadScrollScreenEnabled
+ 1081: DeviceSystemAecEnabled
+ 1082: HttpAllowlist
+ 1083: HttpsUpgradesEnabled
+ 1084: ''
+ 1085: MandatoryExtensionsForIncognitoNavigation
+ 1086: CredentialProviderPromoEnabled
+ 1087: RemoteAccessHostAllowEnterpriseRemoteSupportConnections
+ 1088: ''
+ 1089: UserAvatarCustomizationSelectorsEnabled
+ 1090: DefaultThirdPartyStoragePartitioningSetting
+ 1091: ThirdPartyStoragePartitioningBlockedForOrigins
+ 1092: ScreenCaptureWithoutGestureAllowedForOrigins
+ 1093: FileOrDirectoryPickerWithoutGestureAllowedForOrigins
+ 1094: AppLaunchAutomation
+ 1095: InsecureHashesInTLSHandshakesEnabled
+ 1096: DeviceLoginScreenGeolocationAccessLevel
+ 1097: DeviceReportNetworkEvents
+ 1098: ''
+ 1099: ShowDisplaySizeScreenEnabled
+ 1100: EssentialSearchEnabled
+ 1101: LegacyTechReportAllowlist
+ 1102: ReportAppInventory
+ 1103: ReportAppUsage
+ 1104: ReportAppUsageCollectionRateMs
+ 1105: BrowserContextAwareAccessSignalsAllowlist
+ 1106: UserContextAwareAccessSignalsAllowlist
+ 1107: GoogleSearchSidePanelEnabled
+ 1108: PdfUseSkiaRendererEnabled
+ 1109: DataUrlInSvgUseEnabled
+ 1110: RSAKeyUsageForLocalAnchorsEnabled
+ 1111: BeforeunloadEventCancelByPreventDefaultEnabled
+ 1112: PolicyTestPageEnabled
+ 1113: UrlKeyedMetricsAllowed
+ 1114: AllowBackForwardCacheForCacheControlNoStorePageEnabled
+ 1115: DeviceLoginScreenWebHidAllowDevicesForUrls
+ 1116: SafeBrowsingProxiedRealTimeChecksAllowed
+ 1117: PostQuantumKeyAgreementEnabled
+ 1118: PhysicalKeyboardAutocorrect
+ 1119: PhysicalKeyboardPredictiveWriting
+ 1120: ColorCorrectionEnabled
+ 1121: NativeClientForceAllowed
+ 1122: EmojiPickerGifSupportEnabled
+ 1123: DeviceChargingSoundsEnabled
+ 1124: DeviceLowBatterySoundEnabled
+ 1125: ArcVmDataMigrationStrategy
+ 1126: AccessibilityPerformanceFilteringAllowed
+ 1127: RemoteAccessHostAllowEnterpriseFileTransfer
+ 1128: ''
+ 1129: ''
+ 1130: ''
+ 1131: GlanceablesEnabled
+ 1132: DeviceAuthenticationURLBlocklist
+ 1133: DeviceAuthenticationURLAllowlist
+ 1134: DeviceReportRuntimeCounters
+ 1135: DeviceReportRuntimeCountersCheckingRateMs
+ 1136: BruschettaInstallerConfiguration
+ 1137: ForcePermissionPolicyUnloadDefaultEnabled
+ 1138: ReportWebsiteActivityAllowlist
+ 1139: ReportWebsiteTelemetryAllowlist
+ 1140: ReportWebsiteTelemetryCollectionRateMs
+ 1141: SafeBrowsingSurveysEnabled
+ 1142: BlockTruncatedCookies
+ 1143: ReportWebsiteTelemetry
+ 1144: CompressionDictionaryTransportEnabled
+ 1145: MicrosoftOfficeCloudUpload
+ 1146: GoogleWorkspaceCloudUpload
+ 1147: ShortcutCustomizationAllowed
+ 1148: MicrosoftOneDriveMount
+ 1149: ExtensionOAuthRedirectUrls
+ 1150: CreatePasskeysInICloudKeychain
+ 1151: QuickOfficeForceFileDownloadEnabled
+ 1152: ProfileSeparationSettings
+ 1153: ProfileSeparationDataMigrationSettings
+ 1154: ProfileSeparationDomainExceptionList
+ 1155: FullRestoreMode
+ 1156: ''
+ 1157: SafeBrowsingDeepScanningEnabled
+ 1158: DriveFileSyncAvailable
+ 1159: DeviceSwitchFunctionKeysBehaviorEnabled
+ 1160: DeviceDlcPredownloadList
+ 1161: DataControlsRules
+ 1162: DeviceEphemeralNetworkPoliciesEnabled
+ 1163: PPAPISharedImagesForVideoDecoderAllowed
+ 1164: ProfileReauthPrompt
+ 1165: RelatedWebsiteSetsEnabled
+ 1166: DeviceExtendedFkeysModifier
+ 1167: UnaffiliatedDeviceArcAllowed
+ 1168: RelatedWebsiteSetsOverrides
+ 1169: ShowHumanPresenceSensorScreenEnabled
+ 1170: PasswordSharingEnabled
+ 1171: ZstdContentEncodingEnabled
+ 1172: IPv6ReachabilityOverrideEnabled
+ 1173: UserFeedbackWithLowLevelDebugDataAllowed
+ 1174: MicrosoftOneDriveAccountRestrictions
+ 1175: DeviceFlexHwDataForProductImprovementEnabled
+ 1176: SiteSearchSettings
+ 1177: PrivateNetworkAccessRestrictionsEnabled
+ 1178: ContextMenuPhotoSharingSettings
+ 1179: ExtensionInstallTypeBlocklist
+ 1180: ParcelTrackingEnabled
+ 1181: NativeHostsExecutablesLaunchDirectly
+ 1182: FeedbackSurveysEnabled
+ 1183: DeskAPIDeskSaveAndShareEnabled
+ 1184: OopPrintDriversAllowed
+ 1185: DeviceHardwareVideoDecodingEnabled
+ 1186: TabOrganizerSettings
+ 1187: HelpMeWriteSettings
+ 1188: CreateThemesSettings
+ 1189: ListenToThisPageEnabled
+ 1190: AlwaysOnVpnPreConnectUrlAllowlist
+ 1191: CACertificates
+ 1192: CADistrustedCertificates
+ 1193: CAHintCertificates
+ 1194: DeviceLoginScreenTouchVirtualKeyboardEnabled
+ 1195: DeviceExtendedAutoUpdateEnabled
+ 1196: CAPlatformIntegrationEnabled
+ 1197: FloatingSsoEnabled
+ 1198: FloatingSsoDomainBlocklist
+ 1199: FloatingSsoDomainBlocklistExceptions
+ 1200: F11KeyModifier
+ 1201: F12KeyModifier
+ 1202: VirtualKeyboardSmartVisibilityEnabled
+ 1203: WebAnnotations
+ 1204: DeleteKeyModifier
+ 1205: HomeAndEndKeysModifier
+ 1206: PageUpAndPageDownKeysModifier
+ 1207: InsertKeyModifier
+ 1208: ToolbarAvatarLabelSettings
+ 1209: DeviceWeeklyScheduledSuspend
+ 1210: RemoteAccessHostAllowUrlForwarding
+ 1211: ScreenCaptureLocation
+ 1212: AllowedDomainsForAppsList
+ 1213: ChromeForTestingAllowed
+ 1214: GoogleLocationServicesEnabled
+ 1215: ProvisionManagedClientCertificateForUser
+ 1216: LocalUserFilesAllowed
+ 1217: ''
+ 1218: SubAppsAPIsAllowedWithoutGestureAndAuthorizationForOrigins
+ 1219: DefaultWebPrintingSetting
+ 1220: WebPrintingAllowedForUrls
+ 1221: WebPrintingBlockedForUrls
+ 1222: DocumentScanAPITrustedExtensions
+ 1223: RemoteAccessHostAllowPinAuthentication
+ 1224: DownloadManagerSaveToDriveSettings
+ 1225: AutomaticFullscreenAllowedForUrls
+ 1226: AutomaticFullscreenBlockedForUrls
+ 1227: MutationEventsEnabled
+ 1228: DevToolsGenAiSettings
+ 1229: CACertificatesWithConstraints
+ 1230: DefaultDirectSocketsSetting
+ 1231: DirectSocketsAllowedForUrls
+ 1232: DirectSocketsBlockedForUrls
+ 1233: ''
+ 1234: PrefixedVideoFullscreenApiAvailability
+ 1235: PrivacySandboxIpProtectionEnabled
+ 1236: OrcaEnabled
+ 1237: EnterpriseLogoUrl
+ 1238: EnterpriseCustomLabel
+ 1239: ProfileLabel
+ 1240: PrivacySandboxFingerprintingProtectionEnabled
+ 1241: MultiScreenCaptureAllowedForUrls
+ 1242: ''
+ 1243: ''
+ 1244: BoundSessionCredentialsEnabled
+ 1245: UiAutomationProviderEnabled
+ 1246: ApplicationBoundEncryptionEnabled
+ 1247: DeviceAuthenticationFlowAutoReloadInterval
+ 1248: ShowAiIntroScreenEnabled
+ 1249: ''
+ 1250: EnterpriseBadgingTemporarySetting
+ 1251: GenAILocalFoundationalModelSettings
+ 1252: DeviceExtensionsSystemLogEnabled
+ 1253: ChromeDataRegionSetting
+ 1254: ContextualGoogleIntegrationsEnabled
+ 1255: ContextualGoogleIntegrationsConfiguration
+ 1256: PdfViewerOutOfProcessIframeEnabled
+ 1257: LockScreenAutoStartOnlineReauth
+ 1258: KeyboardFocusableScrollersEnabled
+ 1259: ExtensibleEnterpriseSSOEnabled
+ 1260: CSSCustomStateDeprecatedSyntaxEnabled
+ 1261: MemorySaverModeSavings
+ 1262: KioskVisionTelemetryEnabled
+ 1263: GenAIWallpaperSettings
+ 1264: GenAIVcBackgroundSettings
+ 1265: DynamicCodeSettings
+ 1266: LensOverlaySettings
+ 1267: ThirdPartyPasswordManagersAllowed
+ 1268: DeviceAllowEnterpriseRemoteAccessConnections
+ 1269: ''
+ 1270: FocusModeSoundsEnabled
+ 1271: ExtensionDeveloperModeSettings
+ 1272: LocalUserFilesMigrationDestination
+ 1273: KioskBrowserPermissionsAllowedForOrigins
+ 1274: LensOnGalleryEnabled
+ 1275: HistorySearchSettings
+ 1276: DevicePostQuantumKeyAgreementEnabled
+ 1277: DefaultJavaScriptOptimizerSetting
+ 1278: JavaScriptOptimizerAllowedForSites
+ 1279: JavaScriptOptimizerBlockedForSites
+ 1280: PromotionsEnabled
+ 1281: QRCodeGeneratorEnabled
+ 1282: DnsOverHttpsExcludedDomains
+ 1283: DnsOverHttpsIncludedDomains
+ 1284: SystemShortcutBehavior
+ 1285: DeletingUndecryptablePasswordsEnabled
+ 1286: StandardizedBrowserZoomEnabled
+ 1287: ReportingEndpoints
+ 1288: PrintingLPACSandboxEnabled
+ 1289: ShowGeminiIntroScreenEnabled
+ 1290: DeviceRestrictionSchedule
+ 1291: TabCompareSettings
+ 1292: AdHocCodeSigningForPWAsEnabled
+ 1293: KioskWebAppOfflineEnabled
+ 1294: GraduationEnablementStatus
+ 1295: HelpMeReadSettings
+ 1296: GenAiDefaultSettings
+ 1297: KioskActiveWiFiCredentialsScopeChangeEnabled
+ 1298: DataURLWhitespacePreservationEnabled
+
+atomic_groups:
+ 1: Homepage
+ 2: RemoteAccess
+ 3: PasswordManager
+ 4: Proxy
+ 5: Extensions
+ 6: RestoreOnStartup
+ 7: DefaultSearchProvider
+ 8: ImageSettings
+ 9: CookiesSettings
+ 10: JavascriptSettings
+ 11: PluginsSettings
+ 12: PopupsSettings
+ 13: KeygenSettings
+ 14: NotificationsSettings
+ 15: WebUsbSettings
+ 16: NativeMessaging
+ 17: Drive
+ 18: Attestation
+ 19: ''
+ 20: SupervisedUsers
+ 21: GoogleCast
+ 22: QuickUnlock
+ 23: PinUnlock
+ 24: SafeBrowsing
+ 25: PasswordProtection
+ 26: NetworkFileShares
+ 27: CloudReporting
+ 28: BrowserSwitcher
+ 29: PluginVm
+ 30: SAML
+ 31: LoginScreenOrigins
+ 32: UserAndDeviceReporting
+ 33: WiFi
+ 34: Kiosk
+ 35: DateAndTime
+ 36: Display
+ 37: ActiveDirectoryManagement
+ 38: LegacySameSiteCookieBehaviorSettings
+ 39: SensorsSettings
+ 40: PrivateNetworkRequestSettings
+ 41: ScreenCaptureSettings
+ 42: WindowManagementSettings
+ 43: LocalFontsSettings
+ 44: BrowserIdle
+ 45: PrivacySandbox
+ 46: KerberosPrefilledConfig
+ 47: ThirdPartyStoragePartitioningSettings
+ 48: ''
+ 49: ProfileSeparation
+ 50: FloatingSso
+ 51: WebPrintingSettings
+ 52: DirectSocketsSettings
+ 53: SkyVaultSettings
+ 54: BrowserEventReporting
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/.group.details.yaml
new file mode 100755
index 000000000..411f6db75
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/.group.details.yaml
@@ -0,0 +1,3 @@
+caption: Accessibility settings
+desc: Configure $2Google ChromeOS accessibility
+ features.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/AccessibilityShortcutsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/AccessibilityShortcutsEnabled.yaml
new file mode 100755
index 000000000..60c59c802
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/AccessibilityShortcutsEnabled.yaml
@@ -0,0 +1,33 @@
+caption: Enable accessibility features shortcuts
+default: null
+desc: |-
+ Enable accessibility features shortcuts.
+
+ If this policy is set to true, accessibility features shortcuts will always be enabled.
+
+ If this policy is set to false, accessibility features shortcuts will always be disabled.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, accessibility features shortcuts will be enabled by default.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable accessibility shortcuts
+ value: true
+- caption: Disable accessibility shortcuts
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:81-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/AutoclickEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/AutoclickEnabled.yaml
new file mode 100755
index 000000000..5bb53ef1e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/AutoclickEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Enable the autoclick accessibility feature
+default: null
+desc: |-
+ Enable the autoclick accessibility feature.
+
+ This feature is responsible to click without physically pressing your mouse or touchpad, hover over the object you'd like to click.
+
+ If this policy is set to enabled, the autoclick will always be enabled.
+
+ If this policy is set to disabled, the autoclick will always be disabled.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the autoclick is disabled initially but can be enabled by the user anytime.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable auto-click
+ value: true
+- caption: Disable auto-click
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:78-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/CaretHighlightEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/CaretHighlightEnabled.yaml
new file mode 100755
index 000000000..716e9b243
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/CaretHighlightEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Enable the caret highlight accessibility feature
+default: null
+desc: |-
+ Enable the caret highlight accessibility feature.
+
+ This feature is responsible for highlighting the area that surrounds the caret while editing.
+
+ If this policy is set to enabled, the caret highlight will always be enabled.
+
+ If this policy is set to disabled, the caret highlight will always be disabled.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the caret highlight is disabled initially but can be enabled by the user anytime.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable caret highlight
+ value: true
+- caption: Disable caret highlight
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:78-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/ColorCorrectionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/ColorCorrectionEnabled.yaml
new file mode 100755
index 000000000..1f1251eff
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/ColorCorrectionEnabled.yaml
@@ -0,0 +1,35 @@
+caption: Enable the color correction accessibility feature
+default: null
+desc: |-
+ Enable the color correction accessibility feature.
+
+ This feature enables users to adjust the color correction settings on their managed $2Google ChromeOS devices, which may make it easier for users with color vision deficiency to perceive colors on their screen.
+
+ If this policy is set to enabled, color correction will always be enabled; users will need to go into Settings to pick their specific color correction options (e.g. Deuteranomaly/Protanomaly/Tritanamaly/Greyscale filter and intensity). Color correction settings are displayed to the user on first use.
+
+ If this policy is set to disabled, color correction will always be disabled.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the color correction feature is disabled initially but can be enabled by the user anytime.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable color correction
+ value: true
+- caption: Disable color correction
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- katie@chromium.org
+- chromeos-a11y-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:117-
+tags: []
+type: main
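Review bot: The `desc` text misspells one of the colour-vision options as "Tritanamaly"; it should read "Tritanomaly", matching "Deuteranomaly/Protanomaly" in the same parenthesis. Because this string is shown to administrators as policy documentation, the corrected fragment would be `(e.g. Deuteranomaly/Protanomaly/Tritanomaly/Greyscale filter and intensity)`. Separately, `$2Google ChromeOS` in the second paragraph reads like a placeholder fused with its example text. That may be an artefact of how the template was flattened, so it is worth checking against the original file.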
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/CursorHighlightEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/CursorHighlightEnabled.yaml
new file mode 100755
index 000000000..db81be1f3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/CursorHighlightEnabled.yaml
@@ -0,0 +1,35 @@
+caption: Enable the cursor highlight accessibility feature
+default: null
+desc: |-
+ Enable the cursor highlight accessibility feature.
+
+ This feature is responsible for highlighting the area that surrounds the mouse cursor while moving it.
+
+ If this policy is set to enabled, the cursor highlight will always be enabled.
+
+ If this policy is set to disabled, the cursor highlight will always be disabled.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the cursor highlight is disabled initially but can be enabled by the user anytime.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable cursor highlight
+ value: true
+- caption: Disable cursor highlight
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:78-
+tags: []
+type: main
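Review bot: This file is created with `new file mode 100755`, as is every other YAML template added in this part of the patch, although they are pure data and nothing here executes them. An executable bit on tracked data files is avoidable noise for anyone auditing the tree for runnable content. If the import script controls the mode, I would have it write these as `100644`.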
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenAccessibilityShortcutsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenAccessibilityShortcutsEnabled.yaml
new file mode 100755
index 000000000..c0bad39c3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenAccessibilityShortcutsEnabled.yaml
@@ -0,0 +1,35 @@
+caption: Enable accessibility features shortcuts on the login screen
+default: null
+desc: |-
+ Enable accessibility features shortcuts on the login screen.
+
+ If this policy is set to true, accessibility features shortcuts will always be enabled on the login screen.
+
+ If this policy is set to false, accessibility features shortcuts will always be disabled on the login screen.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, accessibility features shortcuts will be enabled by default on the login screen.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable accessibility shortcuts on the sign-in screen
+ value: true
+- caption: Disable accessibility shortcuts on the sign-in screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:81-
+tags: []
+type: main
+generate_device_proto: False
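Review bot: `generate_device_proto: False` is spelled with a capital `F`, while every other boolean in the file (`device_only: true`, `per_profile: false`, the `value:` entries) is lowercase. The key is also appended after `type: main` rather than sorted with the other keys. Most YAML loaders accept both spellings, so this is a consistency point rather than a parse error; a stricter loader or a textual comparison would still treat them differently. I would write `generate_device_proto: false`. The same line closes every DeviceLoginScreen* hunk below.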
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenAutoclickEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenAutoclickEnabled.yaml
new file mode 100755
index 000000000..dda0444b9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenAutoclickEnabled.yaml
@@ -0,0 +1,36 @@
+caption: Enable autoclick on the login screen
+default: null
+desc: |-
+ Enable the autoclick accessibility feature on the login screen.
+
+ This feature allows to automatically click when the mouse cursor stops, without requiring the user to physically press the mouse or touchpad buttons.
+
+ If this policy is set to true, the autoclick will always be enabled on the login screen.
+
+ If this policy is set to false, the autoclick will always be disabled on the login screen.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the autoclick is disabled on the login screen initially but can be enabled by the user anytime.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+items:
+- caption: Enable auto-click on the login screen
+ value: true
+- caption: Disable auto-click on the login screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:79-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenCaretHighlightEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenCaretHighlightEnabled.yaml
new file mode 100755
index 000000000..6e4d0e98c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenCaretHighlightEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Enable caret highlight on the login screen
+default: null
+desc: |-
+ Enable the caret highlight accessibility feature on the login screen.
+
+ If this policy is set to true, the caret highlight will always be enabled on the login screen.
+
+ If this policy is set to false, the caret highlight will always be disabled on the login screen.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the caret highlight is disabled on the login screen initially but can be enabled by the user anytime.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+items:
+- caption: Enable caret highlight on the login screen
+ value: true
+- caption: Disable caret highlight on the login screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:79-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenCursorHighlightEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenCursorHighlightEnabled.yaml
new file mode 100755
index 000000000..afc9e6d4f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenCursorHighlightEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Enable the cursor highlight on the login screen
+default: null
+desc: |-
+ Enable the cursor highlight accessibility feature on the login screen.
+
+ If this policy is set to true, the cursor highlight will always be enabled on the login screen.
+
+ If this policy is set to false, the cursor highlight will always be disabled on the login screen.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the cursor highlight is disabled on the login screen initially but can be enabled by the user anytime.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+items:
+- caption: Enable cursor highlight on the login screen
+ value: true
+- caption: Disable cursor highlight on the login screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:79-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultHighContrastEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultHighContrastEnabled.yaml
new file mode 100755
index 000000000..fb0973cb4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultHighContrastEnabled.yaml
@@ -0,0 +1,33 @@
+caption: Set the default state of high contrast mode on the login screen
+default: null
+desc: |-
+ Setting the policy to True turns High-contrast mode on at the sign-in screen. Setting the policy to False turns High-contrast mode off at the screen.
+
+ If you set the policy, users can temporarily change High-contrast mode, turning it on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.
+
+ If not set, High-contrast mode is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.
+
+ Note: DeviceLoginScreenHighContrastEnabled overrides this policy if the former is specified.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable high contrast on the login screen and allow the user to temporarily
+ disable it
+ value: true
+- caption: Disable high contrast on the login screen and allow the user to temporarily
+ enable it
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:29-
+tags: []
+type: main
+generate_device_proto: False
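Review bot: The first `desc` paragraph ends with "turns High-contrast mode off at the screen", which drops the qualifier used in the preceding sentence and everywhere else in the text. It should read `Setting the policy to False turns High-contrast mode off at the sign-in screen.` The DeviceLoginScreenDefaultSpokenFeedbackEnabled hunk further down has the same truncated phrase ("turns spoken feedback off at the screen"). The DeviceLoginScreenDefaultLargeCursorEnabled text already has the full wording.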
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultLargeCursorEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultLargeCursorEnabled.yaml
new file mode 100755
index 000000000..37a6c102a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultLargeCursorEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Set default state of the large cursor on the login screen
+default: null
+desc: |-
+ Setting the policy to True turns the large cursor on at the sign-in screen. Setting the policy to False turns the large cursor off at the sign-in screen.
+
+ If you set the policy, users can temporarily turn the large cursor on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.
+
+ If not set, the large cursor is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.
+
+ Note: DeviceLoginScreenLargeCursorEnabled overrides this policy if the former is specified.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable large cursor on the login screen
+ value: true
+- caption: Disable large cursor on the login screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:29-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultScreenMagnifierType.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultScreenMagnifierType.yaml
new file mode 100755
index 000000000..8e0e0b1ec
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultScreenMagnifierType.yaml
@@ -0,0 +1,40 @@
+caption: Set the default screen magnifier type enabled on the login screen
+default: null
+desc: |-
+ Setting the policy to None turns screen magnification off at the sign-in screen.
+
+ If you set the policy, users can temporarily turn the screen magnifier on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.
+
+ If not set, the screen magnifier is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.
+
+ Valid values: • 0 = Off • 1 = On • 2 = Docked magnifier on
+
+ Note: DeviceLoginScreenScreenMagnifierType overrides this policy if the former is specified.
+device_only: true
+example_value: 1
+features:
+ dynamic_refresh: true
+items:
+- caption: Screen magnifier disabled
+ name: None
+ value: 0
+- caption: Full-screen magnifier enabled
+ name: Full-screen
+ value: 1
+- caption: Docked magnifier enabled
+ name: Docked
+ value: 2
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:29-
+tags: []
+type: int-enum
+generate_device_proto: False
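Review bot: The `desc` value list labels 1 as "On", but the matching `items` entry is `Full-screen magnifier enabled` with `name: Full-screen`, so the prose and the enum disagree on what value 1 selects. The opening paragraph also explains only the None setting and never says what the other two values do. I would align the list with the items, e.g. `Valid values: • 0 = Off • 1 = Full-screen magnifier on • 2 = Docked magnifier on`, and add one sentence covering the two enabled modes.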
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultSpokenFeedbackEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultSpokenFeedbackEnabled.yaml
new file mode 100755
index 000000000..baa6b69b3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultSpokenFeedbackEnabled.yaml
@@ -0,0 +1,33 @@
+caption: Set the default state of spoken feedback on the login screen
+default: null
+desc: |-
+ Setting the policy to True turns spoken feedback on at the sign-in screen. Setting the policy to False turns spoken feedback off at the screen.
+
+ If you set the policy, users can temporarily turn spoken feedback on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.
+
+ If not set, spoken feedback is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.
+
+ Note: DeviceLoginScreenSpokenFeedbackEnabled overrides this policy if the former is specified.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable spoken feedback on the login screen and allow the user to temporarily
+ disable it
+ value: true
+- caption: Disable spoken feedback on the login screen and allow the user to temporarily
+ enable it
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:29-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultVirtualKeyboardEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultVirtualKeyboardEnabled.yaml
new file mode 100755
index 000000000..39b169205
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDefaultVirtualKeyboardEnabled.yaml
@@ -0,0 +1,36 @@
+caption: Set default state of the on-screen keyboard on the login screen
+default: null
+deprecated: true
+desc: |-
+ This policy is deprecated, please use the DeviceLoginScreenVirtualKeyboardEnabled policy instead.
+
+ Setting the policy to True turns the on-screen keyboard on at sign-in. Setting the policy to False turns the on-screen keyboard off at sign-in.
+
+ If you set the policy, users can temporarily turn the on-screen keyboard on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.
+
+ If not set, the on-screen keyboard is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.
+
+ Note: DeviceLoginScreenVirtualKeyboardEnabled overrides this policy if the former is specified.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable on-screen keyboard on the login screen and allow the user to temporarily
+ disable it
+ value: true
+- caption: Disable on-screen keyboard on the login screen and allow the user to temporarily
+ enable it
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:34-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDictationEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDictationEnabled.yaml
new file mode 100755
index 000000000..6ddc7f641
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenDictationEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Enable the dictation on the login screen
+default: null
+desc: |-
+ Enable the dictation accessibility feature on the login screen.
+
+ If this policy is set to true, the dictation will always be enabled on the login screen.
+
+ If this policy is set to false, the dictation will always be disabled on the login screen.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the dictation is disabled on the login screen initially but can be enabled by the user anytime.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+items:
+- caption: Enable dictation on the login screen
+ value: true
+- caption: Disable dictation on the login screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:79-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenHighContrastEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenHighContrastEnabled.yaml
new file mode 100755
index 000000000..9591c2616
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenHighContrastEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Enable the high contrast on the login screen
+default: null
+desc: |-
+ Enable the high contrast accessibility feature on the login screen.
+
+ If this policy is set to true, the high contrast will always be enabled on the login screen.
+
+ If this policy is set to false, the high contrast will always be disabled on the login screen.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the high contrast is disabled on the login screen initially but can be enabled by the user anytime.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+items:
+- caption: Enable high contrast on the login screen
+ value: true
+- caption: Disable high contrast on the login screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:79-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenKeyboardFocusHighlightEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenKeyboardFocusHighlightEnabled.yaml
new file mode 100755
index 000000000..8b8aa57d4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenKeyboardFocusHighlightEnabled.yaml
@@ -0,0 +1,35 @@
+caption: Enable the keyboard focus highlighting accessibility feature
+default: null
+desc: |-
+ Enable the keyboard focus highlighting accessibility feature on the login screen.
+
+ This feature is responsible for highlighting the object that is focused by the keyboard.
+
+ If this policy is set to enabled, the keyboard focus highlighting will always be enabled.
+
+ If this policy is set to disabled, the keyboard focus highlighting will always be disabled.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the keyboard focus highlighting is disabled initially but can be enabled by the user anytime.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+items:
+- caption: Enable keyboard focus highlighting on the login screen
+ value: true
+- caption: Disable keyboard focus highlighting on the login screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:79-
+tags: []
+type: main
+generate_device_proto: False
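Review bot: The `caption` "Enable the keyboard focus highlighting accessibility feature" does not mention the login screen, unlike the caption of every other DeviceLoginScreen* policy in this patch. The "set to enabled" / "set to disabled" / "left unset" sentences in `desc` omit the scope as well. An administrator could read this device-level policy as the per-user one. I would change the caption to `Enable the keyboard focus highlighting accessibility feature on the login screen` and append "on the login screen" to those three sentences, as the sibling files do.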
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenLargeCursorEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenLargeCursorEnabled.yaml
new file mode 100755
index 000000000..39cbb35d5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenLargeCursorEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Enable the large cursor on the login screen
+default: null
+desc: |-
+ Enable the large cursor accessibility feature on the login screen.
+
+ If this policy is set to true, the large cursor will always be enabled on the login screen.
+
+ If this policy is set to false, the large cursor will always be disabled on the login screen.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the large cursor is disabled on the login screen initially but can be enabled by the user anytime.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+items:
+- caption: Enable large cursor on the login screen
+ value: true
+- caption: Disable large cursor on the login screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:78-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenMonoAudioEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenMonoAudioEnabled.yaml
new file mode 100755
index 000000000..d304d7f6b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenMonoAudioEnabled.yaml
@@ -0,0 +1,36 @@
+caption: Enable mono audio on the login screen
+default: null
+desc: |-
+ Enable the mono audio accessibility feature on the login screen.
+
+ This feature allows to switch the device mode from the default stereo audio to the mono audio.
+
+ If this policy is set to true, the mono audio will always be enabled on the login screen.
+
+ If this policy is set to false, the mono audio will always be disabled on the login screen.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the mono audio is disabled on the login screen initially but can be enabled by the user anytime.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+items:
+- caption: Enable mono audio on the login screen
+ value: true
+- caption: Disable mono audio on the login screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:79-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenScreenMagnifierType.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenScreenMagnifierType.yaml
new file mode 100755
index 000000000..f88111b2d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenScreenMagnifierType.yaml
@@ -0,0 +1,43 @@
+caption: Set the screen magnifier type on the login screen
+default: null
+desc: |-
+ If this policy is set, it controls the type of screen magnifier that is enabled.
+
+ If this policy is set to "Full-screen", the screen magnifier will always be enabled in full-screen magnifier mode on the login screen.
+
+ If this policy is set to "Docked", the screen magnifier will always be enabled in docked magnifier mode on the login screen.
+
+ If this policy is set to "None", the screen magnifier will always be disabled on the login screen.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the screen magnifier is disabled on the login screen initially but can be enabled by the user anytime.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+items:
+- caption: Screen magnifier disabled
+ name: None
+ value: 0
+- caption: Full-screen magnifier enabled
+ name: Full-screen
+ value: 1
+- caption: Docked magnifier enabled
+ name: Docked
+ value: 2
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:79-
+tags: []
+type: int-enum
+generate_device_proto: False
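Review bot: `example_value: true` does not match this policy's schema, which is `type: integer` with `enum` 0, 1, 2 and `type: int-enum`. The boolean looks copied from the neighbouring on/off policies. Anything that validates the example against the schema, or generates documentation from it, would show a value the policy cannot take. The sibling DeviceLoginScreenDefaultScreenMagnifierType uses `example_value: 1`, and I would use the same here.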
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenSelectToSpeakEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenSelectToSpeakEnabled.yaml
new file mode 100755
index 000000000..7868a7234
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenSelectToSpeakEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Enable the select to speak on the login screen
+default: null
+desc: |-
+ Enable the select to speak accessibility feature on the login screen.
+
+ If this policy is set to true, the select to speak will always be enabled on the login screen.
+
+ If this policy is set to false, the select to speak will always be disabled on the login screen.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the select to speak is disabled on the login screen initially but can be enabled by the user anytime.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+items:
+- caption: Enable select to speak on the login screen
+ value: true
+- caption: Disable select to speak on the login screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:79-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenShowOptionsInSystemTrayMenu.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenShowOptionsInSystemTrayMenu.yaml
new file mode 100755
index 000000000..b1176a9d4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenShowOptionsInSystemTrayMenu.yaml
@@ -0,0 +1,30 @@
+caption: Show accessibility options in system tray menu in the login screen
+default: null
+desc: |-
+ Setting the policy to True displays the accessibility options in the system tray menu. If you set the policy to False, the options don't appear in the menu.
+
+ If you set the policy, users can't change it. If not set, accessibility options don't appear in the menu, but users can make them appear through the Settings page.
+
+ If you turn on accessibility features by other means (for example, by key combination), accessibility options always appear in the system tray menu.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+items:
+- caption: Show accessibility options in the login screen system tray menu
+ value: true
+- caption: Hide accessibility options in the login screen system tray menu
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:80-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenSpokenFeedbackEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenSpokenFeedbackEnabled.yaml
new file mode 100755
index 000000000..ea3ab3e70
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenSpokenFeedbackEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Enable the spoken feedback on the login screen
+default: null
+desc: |-
+ Enable the spoken feedback accessibility feature on the login screen.
+
+ If this policy is set to true, the spoken feedback will always be enabled on the login screen.
+
+ If this policy is set to false, the spoken feedback will always be disabled on the login screen.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the spoken feedback is disabled on the login screen initially but can be enabled by the user anytime.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+items:
+- caption: Enable spoken feedback on the login screen
+ value: true
+- caption: Disable spoken feedback on the login screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:79-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenStickyKeysEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenStickyKeysEnabled.yaml
new file mode 100755
index 000000000..a36cc737e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenStickyKeysEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Enable sticky keys on the login screen
+default: null
+desc: |-
+ Enable the sticky keys accessibility feature on the login screen.
+
+ If this policy is set to true, the sticky keys will always be enabled on the login screen.
+
+ If this policy is set to false, the sticky keys will always be disabled on the login screen.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the sticky keys is disabled on the login screen initially but can be enabled by the user anytime.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+items:
+- caption: Enable sticky keys on the login screen
+ value: true
+- caption: Disable sticky keys on the login screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:79-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenVirtualKeyboardEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenVirtualKeyboardEnabled.yaml
new file mode 100755
index 000000000..a7ca5fc60
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DeviceLoginScreenVirtualKeyboardEnabled.yaml
@@ -0,0 +1,36 @@
+caption: Enable the accessibility virtual keyboard on the login screen
+default: null
+desc: |-
+ Enable the virtual keyboard accessibility feature on the login screen.
+
+ If this policy is set to true, the accessibility virtual keyboard will always be enabled on the login screen.
+
+ If this policy is set to false, the accessibility virtual keyboard will always be disabled on the login screen.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the accessibility virtual keyboard is disabled on the login screen initially but can be enabled by the user anytime via accessibility settings.
+
+ This policy does not affect whether the touch virtual keyboard is enabled. For example, the touch virtual keyboard will still show up on a tablet device even if this policy is set to false.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+items:
+- caption: Enable accessibility virtual keyboard on the login screen
+ value: true
+- caption: Disable accessibility virtual keyboard on the login screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- shend@chromium.org
+- e14s-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:79-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DictationEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DictationEnabled.yaml
new file mode 100755
index 000000000..7b8361afb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/DictationEnabled.yaml
@@ -0,0 +1,33 @@
+caption: Enable the dictation accessibility feature
+default: null
+desc: |-
+ Enable the dictation accessibility feature.
+
+ If this policy is set to enabled, the dictation will always be enabled.
+
+ If this policy is set to disabled, the dictation will always be disabled.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the dictation is disabled initially but can be enabled by the user anytime.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable dictation
+ value: true
+- caption: Disable dictation
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:78-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/EnhancedNetworkVoicesInSelectToSpeakAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/EnhancedNetworkVoicesInSelectToSpeakAllowed.yaml
new file mode 100755
index 000000000..c1b8a79b5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/EnhancedNetworkVoicesInSelectToSpeakAllowed.yaml
@@ -0,0 +1,26 @@
+caption: Allow the enhanced network text-to-speech voices in Select-to-speak
+default: true
+desc: |-
+ Allow the enhanced network text-to-speech voices in Select-to-speak accessibility feature. These voices send text to Google's servers to synthesize natural-sounding speech.
+
+ If this policy is set to false, the enhanced network text-to-speech voices feature in Select-to-speak will always be disabled.
+
+ If this policy is set to true or unset, the enhanced network text-to-speech voices feature in Select-to-speak can be enabled or disabled by the user.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow enhanced network text-to-speech voices when using Select-to-Speak
+ value: true
+- caption: Disallow enhanced network text-to-speech voices when using Select-to-Speak
+ value: false
+owners:
+- file://ui/accessibility/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:94-
+tags: []
+type: main
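Review bot: `tags: []` leaves this policy without a risk tag, although its `desc` says the enhanced voices "send text to Google's servers" and `default: true` leaves the feature available to the user when the policy is unset. A tag in the style used elsewhere in this commit (`tags:` followed by `- google-sharing`) would let anyone auditing policies by tag find it. CloudAPAuthEnabled.yaml has the same gap: its `desc` says device and account information is transmitted to the user's cloud identity provider on each authentication event, yet it also carries `tags: []`; which tag fits there should be confirmed against the tag definitions in policies.yaml. The commit looks like an automated upstream import, so the correction probably belongs upstream, but a local audit that filters on tags will miss both policies until then.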
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/FloatingAccessibilityMenuEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/FloatingAccessibilityMenuEnabled.yaml
new file mode 100755
index 000000000..29a5c2248
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/FloatingAccessibilityMenuEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Enables the floating accessibility menu
+default: false
+desc: |-
+ In kiosk mode, controls whether the floating accessibility menu is being shown.
+
+ If this policy is set to enabled, the floating accessibility menu will be always shown.
+
+ If this policy is set to disabled or left unset, the floating accessibility menu will never be shown.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Show the floating accessibility menu in kiosk mode
+ value: true
+- caption: Do not show the floating accessibility menu in kiosk mode
+ value: false
+owners:
+- apotapchuk@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:84-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/HighContrastEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/HighContrastEnabled.yaml
new file mode 100755
index 000000000..eaaaea30e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/HighContrastEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Enable high contrast mode
+default: null
+desc: |-
+ Setting the policy to True keeps High-contrast mode on. Setting the policy to False keeps High-contrast mode off.
+
+ If you set the policy, users can't change it. If not set, High-contrast mode is off, but users can turn it on any time.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable high contrast
+ value: true
+- caption: Disable high contrast
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:29-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/KeyboardDefaultToFunctionKeys.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/KeyboardDefaultToFunctionKeys.yaml
new file mode 100755
index 000000000..3d25418e3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/KeyboardDefaultToFunctionKeys.yaml
@@ -0,0 +1,25 @@
+caption: Media keys default to function keys
+default: false
+desc: |-
+ Setting the policy to True makes the top row of keys on the keyboard act as function key commands. Pressing the Search key changes their behavior back to media keys.
+
+ If set to False or not set, the keyboard defaults to producing media key commands. Pressing the Search key changes them to function keys.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Treat top-row keys as function keys, but allow user to change
+ value: true
+- caption: Treat top-row keys as media keys, but allow user to change
+ value: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:35-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/KeyboardFocusHighlightEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/KeyboardFocusHighlightEnabled.yaml
new file mode 100755
index 000000000..00c829634
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/KeyboardFocusHighlightEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Enable the keyboard focus highlighting accessibility feature
+default: null
+desc: |-
+ Enable the keyboard focus highlighting accessibility feature.
+
+ This feature is responsible for highlighting the object that has the focus by the keyboard.
+
+ If this policy is set to enabled, the keyboard focus highlighting will always be enabled.
+
+ If this policy is set to disabled, the keyboard focus highlighting will always be disabled.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the keyboard focus highlighting is disabled initially but can be enabled by the user anytime.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable keyboard focus highlighting
+ value: true
+- caption: Disable keyboard focus highlighting
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:78-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/LargeCursorEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/LargeCursorEnabled.yaml
new file mode 100755
index 000000000..3464d02cd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/LargeCursorEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Enable large cursor
+default: null
+desc: |-
+ Setting the policy to True keeps the large cursor on. Setting the policy to False keeps the large cursor off.
+
+ If you set the policy, users can't change the feature. If not set, the large cursor is off at first, but users can turn it on any time.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable large cursor
+ value: true
+- caption: Disable large cursor
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:29-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/MonoAudioEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/MonoAudioEnabled.yaml
new file mode 100755
index 000000000..455b48c69
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/MonoAudioEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Enable the mono audio accessibility feature
+default: null
+desc: |-
+ Enable the mono audio accessibility feature.
+
+ This feature is responsible for outputing stereo audio which includes different left and right channels, so different ears get different sounds.
+
+ If this policy is set to enabled, the mono audio will always be enabled.
+
+ If this policy is set to disabled, the mono audio will always be disabled.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the mono audio is disabled initially but can be enabled by the user anytime.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable mono audio
+ value: true
+- caption: Disable mono audio
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:78-
+tags: []
+type: main
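Review bot: The second paragraph of `desc` describes stereo output ("different left and right channels, so different ears get different sounds"), which reads as the opposite of what a policy named MonoAudioEnabled turns on, and "outputing" is misspelled. An administrator reading the generated policy documentation cannot tell from this text what enabling the policy does. Suggested wording: `This feature outputs mono audio, so both ears get the same sound, instead of stereo audio with different left and right channels.` If this file is a verbatim upstream snapshot, the correction belongs upstream rather than in this copy.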
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/ScreenMagnifierType.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/ScreenMagnifierType.yaml
new file mode 100755
index 000000000..f25bcee4a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/ScreenMagnifierType.yaml
@@ -0,0 +1,34 @@
+caption: Set screen magnifier type
+default: null
+desc: |-
+ Setting the policy to None turns the screen magnifier off.
+
+ If you set the policy, users can't change it. If not set, the screen magnifier is off at first, but users can turn it on any time.
+example_value: 1
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Screen magnifier disabled
+ name: None
+ value: 0
+- caption: Full-screen magnifier enabled
+ name: Full-screen
+ value: 1
+- caption: Docked magnifier enabled
+ name: Docked
+ value: 2
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:29-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/SelectToSpeakEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/SelectToSpeakEnabled.yaml
new file mode 100755
index 000000000..429168b35
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/SelectToSpeakEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Enable select to speak
+default: null
+desc: |-
+ Enable the select to speak accessibility feature.
+
+ If this policy is set to true, the select to speak will always be enabled.
+
+ If this policy is set to false, the select to speak will always be disabled.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the select to speak is disabled initially but can be enabled by the user anytime.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable select to speak
+ value: true
+- caption: Disable select to speak
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:77-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/ShowAccessibilityOptionsInSystemTrayMenu.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/ShowAccessibilityOptionsInSystemTrayMenu.yaml
new file mode 100755
index 000000000..7746b2001
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/ShowAccessibilityOptionsInSystemTrayMenu.yaml
@@ -0,0 +1,29 @@
+caption: Show accessibility options in system tray menu
+default: null
+desc: |-
+ Setting the policy to True displays the accessibility options in the system tray menu. If you set the policy to False, the options don't appear in the menu.
+
+ If you set the policy, users can't change it. If not set, accessibility options don't appear in the menu, but users can make them appear through the Settings page.
+
+ If you turn on accessibility features by other means (for example, by key combination), accessibility options always appear in the system tray menu.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Show accessibility options in the system tray menu
+ value: true
+- caption: Hide accessibility options in the system tray menu
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- katie@chromium.org
+- file://ui/accessibility/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:27-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/SpokenFeedbackEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/SpokenFeedbackEnabled.yaml
new file mode 100755
index 000000000..e98ac839a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/SpokenFeedbackEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Enable spoken feedback
+default: null
+desc: |-
+ Setting the policy to True keeps spoken feedback on. Setting the policy to False keeps spoken feedback off.
+
+ If you set the policy, users can't change it. If not set, spoken feedback is off at first, but users can turn it on any time.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable spoken feedback
+ value: true
+- caption: Disable spoken feedback
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:29-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/StickyKeysEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/StickyKeysEnabled.yaml
new file mode 100755
index 000000000..bc281ad38
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/StickyKeysEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Enable sticky keys
+default: null
+desc: |-
+ Setting the policy to True keeps sticky keys on. Setting the policy to False keeps sticky keys off.
+
+ If you set the policy, users can't change it. If not set, sticky keys is off at first, but users can turn it on any time.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable sticky keys
+ value: true
+- caption: Disable sticky keys
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:76-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/UiAutomationProviderEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/UiAutomationProviderEnabled.yaml
new file mode 100755
index 000000000..e8e2cbbb2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/UiAutomationProviderEnabled.yaml
@@ -0,0 +1,60 @@
+owners:
+- grt@chromium.org
+- file://ui/accessibility/OWNERS
+caption: Enable the browser's UI Automation accessibility framework provider on
+ Windows
+desc: |-
+ Enables the UI Automation accessibility framework
+ provider in $1Google Chrome for use by
+ accessibility tools.
+
+ This policy is supported in
+ $1Google Chrome for a one-year
+ transition period to allow enterprise administrators to control the deployment
+ of the browser's UI Automation accessibility
+ framework provider. Accessibility and other tools that use the
+ UI Automation accessibility framework to interoperate
+ with the browser may require updates to function properly with the browser's
+ UI Automation provider. Administrators can use this
+ policy to temporarily disable the browser's
+ UI Automation provider (thereby reverting to the old
+ behavior) while they work with vendors to provide updates to impacted tools.
+
+ When set to false, $1Google Chrome only
+ enables its Microsoft Active Accessibility
+ provider. Accessibility and other tools that use the newer
+ UI Automation accessibility framework to interoperate
+ with the browser will communicate with it by way of a compatibility shim in
+ Microsoft® Windows®.
+
+ When set to true, $1Google Chrome
+ enables its UI Automation provider in addition to its
+ Microsoft Active Accessibility provider.
+ Accessibility and other tools that use the newer
+ UI Automation accessibility framework to interoperate
+ with the browser will communicate directly with it.
+
+ When left unset, the variations framework in $1Google Chrome is used to enable or disable
+ the provider.
+
+ Support for this policy setting will end in $1Google Chrome 136.
+supported_on:
+- chrome.win:125-
+features:
+ dynamic_refresh: false
+ per_profile: false
+type: main
+schema:
+ type: boolean
+items:
+- caption: Enable the UI Automation provider.
+ value: true
+- caption: Disable the UI Automation provider.
+ value: false
+- caption: The UI Automation provider will be enabled or disabled via the variations framework.
+ value: null
+default: null
+example_value: false
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/VirtualKeyboardEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/VirtualKeyboardEnabled.yaml
new file mode 100755
index 000000000..d1c3af2c5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/VirtualKeyboardEnabled.yaml
@@ -0,0 +1,35 @@
+caption: Enable the accessibility virtual keyboard
+default: null
+desc: |-
+ Enable the virtual keyboard accessibility feature.
+
+ If this policy is set to true, the accessibility virtual keyboard will always be enabled.
+
+ If this policy is set to false, the accessibility virtual keyboard will always be disabled.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the accessibility virtual keyboard is disabled initially but can be enabled by the user at any time by using the accessibility settings.
+
+ This policy does not affect whether the touch virtual keyboard is enabled. For example, the touch virtual keyboard will still show up on a tablet device even if this policy is set to false. Use the TouchVirtualKeyboardEnabled policy to control the behavior of the touch virtual keyboard.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable accessibility virtual keyboard
+ value: true
+- caption: Disable accessibility virtual keyboard
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- shend@google.com
+- e14s-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:34-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/VirtualKeyboardFeatures.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/VirtualKeyboardFeatures.yaml
new file mode 100755
index 000000000..45f2f4a6e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Accessibility/VirtualKeyboardFeatures.yaml
@@ -0,0 +1,47 @@
+caption: Enable or disable various features on the on-screen keyboard
+desc: |-
+ Enable or disable various features on the on-screen keyboard. This policy takes effect only when "VirtualKeyboardEnabled" policy is enabled.
+
+ If one feature in this policy is set to True, it will be enabled on the on-screen keyboard.
+
+ If one feature in this policy is set to False or left unset, it will be disabled on the on-screen keyboard.
+
+ NOTE: this policy is only supported in PWA Kiosk mode.
+example_value:
+ auto_complete_enabled: true
+ auto_correct_enabled: true
+ handwriting_enabled: false
+ spell_check_enabled: false
+ voice_input_enabled: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- anqing@chromium.org
+schema:
+ properties:
+ auto_complete_enabled:
+ description: A boolean flag indicating if the on-screen keyboard can provide
+ auto-complete.
+ type: boolean
+ auto_correct_enabled:
+ description: A boolean flag indicating if the on-screen keyboard can provide
+ auto-correct.
+ type: boolean
+ handwriting_enabled:
+ description: A boolean flag indicating if the on-screen keyboard can provide
+ input via handwriting recognition.
+ type: boolean
+ spell_check_enabled:
+ description: A boolean flag indicating if the on-screen keyboard can provide
+ spell-check.
+ type: boolean
+ voice_input_enabled:
+ description: A boolean flag indicating if the on-screen keyboard can provide
+ voice input.
+ type: boolean
+ type: object
+supported_on:
+- chrome_os:94-
+tags: []
+type: dict
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/.group.details.yaml
new file mode 100755
index 000000000..dd8330665
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/.group.details.yaml
@@ -0,0 +1,3 @@
+caption: Microsoft® Active Directory® management settings
+desc: Controls settings specific to Microsoft® Active Directory®
+ managed $2Google ChromeOS devices.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/ChromadToCloudMigrationEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/ChromadToCloudMigrationEnabled.yaml
new file mode 100755
index 000000000..2329646fe
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/ChromadToCloudMigrationEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Enable the migration of Chromad devices into cloud management
+deprecated: true
+default: false
+desc: |-
+ Enable the migration of Microsoft® Active Directory® managed devices into cloud management. This policy allows for a remote start of a touchless migration of multiple devices in a company. Additionally, the migration will be as transparent as possible to the end users.
+
+ If this policy is enabled and the enrollment ID has already been uploaded to the DMServer, a remote device powerwash will be triggered.
+
+ If this policy is disabled or not set, the remote device powerwash is not triggered, independently of the enrollment ID upload status.
+
+ This check is triggered whenever the login screen is loaded, then retried every hour (if the device stays on the login screen). This prevents the migration from starting in the middle of a user session, causing potential problems to end users.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable the migration of Microsoft® Active Directory®
+ managed devices into cloud management.
+ value: true
+- caption: Disable the migration of Microsoft® Active Directory®
+ managed devices into cloud management.
+ value: false
+owners:
+- fsandrade@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:98-114
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/CloudAPAuthEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/CloudAPAuthEnabled.yaml
new file mode 100755
index 000000000..51fc44734
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/CloudAPAuthEnabled.yaml
@@ -0,0 +1,35 @@
+caption: Allow automatic sign-in to Microsoft® cloud identity providers
+default: 0
+desc: |-
+ Configures automatic user sign-in for accounts backed by a Microsoft® cloud identity provider.
+
+ By setting this policy to 1 (Enabled), users who sign into their computer with an account backed by a Microsoft® cloud identity provider (i.e., Microsoft® Azure® Active Directory® or the consumer Microsoft® account identity provider) or who have added a work or school account to Microsoft® Windows® can be signed into web properties using that identity automatically. Information pertaining to the user's device and account is transmitted to the user's cloud identity provider for each authentication event.
+
+ By setting this policy to 0 (Disabled) or leaving it unset, automatic sign-in as described above is disabled.
+
+ This feature is available starting in Microsoft® Windows® 10.
+
+ Note: This policy doesn't apply to Incognito or Guest modes.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Disable Microsoft® cloud authentication
+ name: Disabled
+ value: 0
+- caption: Enable Microsoft® cloud authentication
+ name: Enabled
+ value: 1
+owners:
+- igorruvinov@chromium.org
+- file://chrome/browser/enterprise/OWNERS
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+supported_on:
+- chrome.win:111-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceAuthDataCacheLifetime.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceAuthDataCacheLifetime.yaml
new file mode 100755
index 000000000..61c870b24
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceAuthDataCacheLifetime.yaml
@@ -0,0 +1,27 @@
+caption: Authentication data cache lifetime
+deprecated: true
+default: 73
+desc: |-
+ Setting the policy specifies in hours the authentication data cache lifetime. The cache has data about realms trusted by the machine realm (affiliated realms). So, authentication data caching helps speed up sign-in. User-specific data and data for unaffiliated realms isn't cached.
+
+ Setting the policy to 0 turns authentication data caching off. Realm-specific data is fetched on every sign-in, so turning off authentication data caching can significantly slow down user sign-in.
+
+ Leaving the policy unset means cached authentication data can be reused for up to 73 hours.
+
+ Note: Restarting the device clears the cache. Even ephemeral users' realm data is cached. Turn off the cache to prevent the tracing of an ephemeral user's realm.
+device_only: true
+example_value: 0
+features:
+ dynamic_refresh: true
+owners:
+- fsandrade@chromium.org
+schema:
+ maximum: 9999
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:73-114
+tags:
+- admin-sharing
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceGpoCacheLifetime.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceGpoCacheLifetime.yaml
new file mode 100755
index 000000000..4842268b1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceGpoCacheLifetime.yaml
@@ -0,0 +1,26 @@
+caption: GPO cache lifetime
+deprecated: true
+default: 25
+desc: |-
+ Setting the policy specifies in hours the Group Policy Object (GPO) cache lifetime—the maximum duration GPOs can be reused before they're redownloaded. Instead of redownloading them on every policy fetch, the system reuses cached GPOs as long as their version doesn't change.
+
+ Setting the policy to 0 turns GPO caching off. Doing this increases server load, because GPOs are redownloaded on every policy fetch, even if they didn't change.
+
+ Leaving the policy unset means cached GPOs can be reused for up to 25 hours.
+
+ Note: Restarting and signing out clears the cache.
+device_only: true
+example_value: 0
+features:
+ dynamic_refresh: true
+owners:
+- fsandrade@chromium.org
+schema:
+ maximum: 9999
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:73-114
+tags: []
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceKerberosEncryptionTypes.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceKerberosEncryptionTypes.yaml
new file mode 100755
index 000000000..c1314bcae
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceKerberosEncryptionTypes.yaml
@@ -0,0 +1,43 @@
+caption: Allowed Kerberos encryption types
+deprecated: true
+default: 1
+desc: |-
+ Setting the policy designates which encryption types are allowed when requesting Kerberos tickets from a Microsoft® Active Directory® server.
+
+ Setting the policy to:
+
+ * All allows the AES encryption types aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96, as well as the RC4 encryption type rc4-hmac. AES takes precedence if the server supports AES and RC4 encryption types.
+
+ * Strong or leaving it unset allows only the AES types.
+
+ * Legacy allows only the RC4 type. RC4 is insecure. It should only be needed in very specific circumstances. If possible, reconfigure the server to support AES encryption.
+
+ Also see https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#Kerberos_client_encryption_types.
+device_only: true
+example_value: 1
+features:
+ dynamic_refresh: true
+items:
+- caption: All (insecure)
+ name: All
+ value: 0
+- caption: Strong
+ name: Strong
+ value: 1
+- caption: Legacy (insecure)
+ name: Legacy
+ value: 2
+owners:
+- fsandrade@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:66-114
+tags:
+- system-security
+type: int-enum
+generate_device_proto: False
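Review bot: The `All` bullet in `desc` never says the option is insecure, although its item caption is `All (insecure)`. It only notes that AES takes precedence when the server supports both types. An admin who reads the description alone sees the RC4 warning only under `Legacy`. I would append to the `All` bullet: `Because rc4-hmac remains permitted, this option is insecure; prefer Strong.`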
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceMachinePasswordChangeRate.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceMachinePasswordChangeRate.yaml
new file mode 100755
index 000000000..c4b8f574e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceMachinePasswordChangeRate.yaml
@@ -0,0 +1,27 @@
+caption: Machine password change rate
+deprecated: true
+default: 30
+desc: |-
+ Setting the policy specifies in days how often a client changes their machine account password. The password is randomly generated by the client and not visible to the user. Disabling this policy or setting a high number of days can negatively impact security, because it gives potential attackers more time to find and use the machine account password.
+
+ Leaving the policy unset means the machine account password is changed every 30 days.
+
+ Setting the policy to 0 turns off machine account password change.
+
+ Note: Passwords might get older than the specified number of days if the client has been offline for a longer period of time.
+device_only: true
+example_value: 0
+features:
+ dynamic_refresh: true
+owners:
+- fsandrade@chromium.org
+schema:
+ maximum: 9999
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:66-114
+tags:
+- system-security
+type: int
+generate_device_proto: False
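Review bot: `example_value: 0` illustrates the one setting that, per `desc`, turns machine account password change off, and the same text warns that disabling rotation or using a long interval hurts security. Example values may be copied into admin templates and documentation, so I would show a rotating value instead, e.g. `example_value: 30` to match `default: 30`. The phrase "Disabling this policy" is also ambiguous for an integer policy; "Setting the policy to 0" would agree with the later paragraph.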
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceUserPolicyLoopbackProcessingMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceUserPolicyLoopbackProcessingMode.yaml
new file mode 100755
index 000000000..d2c3dde4a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceUserPolicyLoopbackProcessingMode.yaml
@@ -0,0 +1,38 @@
+caption: User policy loopback processing mode
+deprecated: true
+default: 0
+desc: |-
+ Setting the policy specifies whether and how user policy from computer Group Policy Object (GPO) is processed.
+
+ * Default or leaving it unset has user policy read only from user GPOs. Computer GPOs are ignored.
+
+ * Merge will merge user policy in user GPOs with that of computer GPOs. Computer GPOs take precedence.
+
+ * Replace will replace user policy in user GPOs with that of computer GPOs. User GPOs are ignored.
+device_only: true
+example_value: 0
+features:
+ dynamic_refresh: true
+items:
+- caption: Default
+ name: Default
+ value: 0
+- caption: Merge
+ name: Merge
+ value: 1
+- caption: Replace
+ name: Replace
+ value: 2
+owners:
+- fsandrade@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:66-114
+tags: []
+type: int-enum
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/policy_atomic_groups.yaml
new file mode 100755
index 000000000..59c1c9148
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/policy_atomic_groups.yaml
@@ -0,0 +1,9 @@
+ActiveDirectoryManagement:
+ caption: Microsoft® Active Directory® management settings
+ policies:
+ - DeviceMachinePasswordChangeRate
+ - DeviceUserPolicyLoopbackProcessingMode
+ - DeviceKerberosEncryptionTypes
+ - DeviceGpoCacheLifetime
+ - DeviceAuthDataCacheLifetime
+ - ChromadToCloudMigrationEnabled
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/.group.details.yaml
new file mode 100755
index 000000000..c72114b19
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Android settings
+desc: Controls settings for the Android container (ARC) and Android apps.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/AppRecommendationZeroStateEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/AppRecommendationZeroStateEnabled.yaml
new file mode 100755
index 000000000..2beaa8ab9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/AppRecommendationZeroStateEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Enable App Recommendations in Zero State of Search Box
+deprecated: true
+desc: |-
+ This feature has been removed in Chrome 100.
+
+ Setting this policy to Enabled will cause recommendations for apps previously installed by the user on other devices. These recommendations will appear in the launcher after the local app recommendations, if no search text has been entered.
+
+ Setting this policy as Disabled or leaving it unset means these recommendations do not appear.
+
+ If this policy is set, users cannot change it.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Show app recommendations in the $2Google
+ ChromeOS launcher
+ value: true
+- caption: Do not show app recommendations in the $2Google
+ ChromeOS launcher
+ value: false
+owners:
+- robsc@chromium.org
+- bartfab@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:75-99
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcAppInstallEventLoggingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcAppInstallEventLoggingEnabled.yaml
new file mode 100755
index 000000000..54939d11f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcAppInstallEventLoggingEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Log events for Android app installs
+default: false
+desc: |-
+ Setting the policy to True sends reports of key, policy-triggered Android app installation events to Google.
+
+ Setting the policy to False or leaving it unset means no events are captured.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Android app install event logs are shared with Google
+ value: true
+- caption: Android app install event logs are not shared with Google
+ value: false
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:67-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcAppToWebAppSharingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcAppToWebAppSharingEnabled.yaml
new file mode 100755
index 000000000..950fb2519
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcAppToWebAppSharingEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Enable sharing from Android apps to Web apps
+default: true
+desc: |-
+ Setting the policy to True enables sharing text/files from Android apps to supported Web Apps, using the built-in Android sharing system.
+ When enabled, this will send metadata for installed Web Apps to Google to generate and install a shim Android app.
+ Setting the policy to False disables this functionality.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable Android to Web App sharing.
+ value: true
+- caption: Disable Android to Web App sharing.
+ value: false
+owners:
+- tsergeant@chromium.org
+- chromeos-apps-foundation-team@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:94-
+tags:
+- google-sharing
+type: main
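Review bot: `desc` does not say what happens when the policy is left unset. `default: true` suggests sharing is then on, and the second sentence says that enabling it sends metadata for installed Web Apps to Google. For a policy tagged `google-sharing`, the unset behaviour should be explicit. I would add `Leaving the policy unset behaves as if it were set to True.` after the first sentence, once that is confirmed against the implementation.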
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcBackupRestoreEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcBackupRestoreEnabled.yaml
new file mode 100755
index 000000000..7b96ae302
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcBackupRestoreEnabled.yaml
@@ -0,0 +1,18 @@
+caption: Enable Android Backup Service
+deprecated: true
+desc: This policy was removed in $2Google ChromeOS
+ 68 and replaced by ArcBackupRestoreServiceEnabled.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- poromov@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:53-67
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcBackupRestoreServiceEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcBackupRestoreServiceEnabled.yaml
new file mode 100755
index 000000000..1ec83e7d5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcBackupRestoreServiceEnabled.yaml
@@ -0,0 +1,37 @@
+caption: Control Android backup and restore service
+default: 0
+default_for_enterprise_users: 0
+desc: |-
+ Setting the policy to BackupAndRestoreEnabled means Android backup and restore is initially on. Setting the policy to BackupAndRestoreDisabled or leaving it unset keeps backup and restore off during setup.
+
+ Setting the policy to BackupAndRestoreUnderUserControl means users see prompts to use backup and restore. If they turn on backup and restore, Android app data is uploaded to Android backup servers and restored during reinstallations of compatible apps.
+
+ After initial setup, users can turn backup and restore on or off.
+example_value: 1
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Backup and restore disabled
+ name: BackupAndRestoreDisabled
+ value: 0
+- caption: User decides whether to enable backup and restore
+ name: BackupAndRestoreUnderUserControl
+ value: 1
+- caption: Backup and restore enabled
+ name: BackupAndRestoreEnabled
+ value: 2
+owners:
+- file://components/policy/OWNERS
+- anqing@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:68-
+tags:
+- google-sharing
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcCertificatesSyncMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcCertificatesSyncMode.yaml
new file mode 100755
index 000000000..41e428c33
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcCertificatesSyncMode.yaml
@@ -0,0 +1,32 @@
+caption: Set certificate availability for ARC-apps
+default: 0
+desc: |-
+ Setting the policy to CopyCaCerts makes all ONC-installed CA certificates with Web TrustBit available for ARC-apps.
+
+ Setting to None or leaving it unset makes $2ChromeOS certificates unavailable for ARC-apps.
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Disable usage of $2Google ChromeOS
+ certificates to ARC-apps
+ name: SyncDisabled
+ value: 0
+- caption: Enable $2Google ChromeOS CA certificates
+ to ARC-apps
+ name: CopyCaCerts
+ value: 1
+owners:
+- pbond@chromium.org
+- edmanp@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+supported_on:
+- chrome_os:52-
+tags:
+- system-security
+type: int-enum
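Review bot: `desc` refers to a value `None`, but the items define only `SyncDisabled` (0) and `CopyCaCerts` (1). This setting decides whether ONC-installed CA certificates become available to ARC apps, so the text should use the real enum name: `Setting the policy to SyncDisabled or leaving it unset makes ... certificates unavailable for ARC-apps.` The two item captions also differ in scope ("certificates" versus "CA certificates") and are worth aligning.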
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcEnabled.yaml
new file mode 100755
index 000000000..e93214246
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcEnabled.yaml
@@ -0,0 +1,23 @@
+caption: Enable ARC
+default: false
+default_for_enterprise_users: false
+desc: Unless Ephemeral mode or multiple sign-in is on during the user's session, setting
+ ArcEnabled to True turns ARC on for the user. Setting the policy to False or leaving
+ it unset means enterprise users can't use ARC.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable ARC
+ value: true
+- caption: Disable ARC
+ value: false
+owners:
+- pbond@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:50-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcGoogleLocationServicesEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcGoogleLocationServicesEnabled.yaml
new file mode 100755
index 000000000..d4f7d97fe
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcGoogleLocationServicesEnabled.yaml
@@ -0,0 +1,40 @@
+caption: Control Android Google location services
+deprecated: true
+default: 0
+default_for_enterprise_users: 0
+desc: |-
+ Warning! This policy is deprecated, please use GoogleLocationServicesEnabled instead. $2Google ChromeOS now has a system location toggle, which governs the entire system including Android. The Android toggle is now read-only and reflects the $2Google ChromeOS location state.
+
+ Unless the DefaultGeolocationSetting policy is set to BlockGeolocation, then setting GoogleLocationServicesEnabled turns Google location services on during initial setup. Setting the policy to GoogleLocationServicesDisabled or leaving it unset keeps location services off during setup.
+
+ Setting policy to GoogleLocationServicesUnderUserControl prompts users about whether or not to use Google location services. If they turn it on, Android apps, $2Google ChromeOS apps, websites, and system services use the services to search the device location and send anonymous location data to Google.
+
+ After initial setup, users can turn Google location services on or off.
+example_value: 1
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Google location services disabled
+ name: GoogleLocationServicesDisabled
+ value: 0
+- caption: User decides whether to enable Google location services
+ name: GoogleLocationServicesUnderUserControl
+ value: 1
+- caption: Google location services enabled
+ name: GoogleLocationServicesEnabled
+ value: 2
+owners:
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:68-
+tags:
+- google-sharing
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcLocationServiceEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcLocationServiceEnabled.yaml
new file mode 100755
index 000000000..56df50964
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcLocationServiceEnabled.yaml
@@ -0,0 +1,18 @@
+caption: Enable Android Google Location Service
+deprecated: true
+desc: This policy was removed in $2Google ChromeOS
+ 68 and replaced by ArcGoogleLocationServicesEnabled.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:57-67
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcPolicy.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcPolicy.yaml
new file mode 100755
index 000000000..6ca764c19
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/ArcPolicy.yaml
@@ -0,0 +1,59 @@
+caption: Configure ARC
+desc: |-
+ Setting the policy specifies a set of policies to hand over to the ARC runtime. Admins can use it to select the Android apps that autoinstall. Enter value in valid JSON format.
+
+ To pin apps to the launcher, see PinnedLauncherApps.
+description_schema:
+ properties:
+ applications:
+ items:
+ properties:
+ defaultPermissionPolicy:
+ description: 'Policy for granting permission requests to apps. PERMISSION_POLICY_UNSPECIFIED:
+ Policy not specified. If no policy is specified for a permission at
+ any level, then the `PROMPT` behavior is used by default. PROMPT: Prompt
+ the user to grant a permission. GRANT: Automatically grant a permission.
+ DENY: Automatically deny a permission.'
+ enum:
+ - PERMISSION_POLICY_UNSPECIFIED
+ - PROMPT
+ - GRANT
+ - DENY
+ type: string
+ installType:
+ description: 'Specifies how an app is installed. AVAILABLE: The app is
+ not installed automatically, but the user can install it. This is the
+ default if this policy is not specified. FORCE_INSTALLED: The app
+ is installed automatically and the user cannot uninstall it. BLOCKED:
+ The app is blocked and cannot be installed. If the app was installed
+ under a previous policy it will be uninstalled.'
+ enum:
+ - AVAILABLE
+ - FORCE_INSTALLED
+ - BLOCKED
+ type: string
+ managedConfiguration:
+ description: 'App-specific JSON configuration object with a set of key-value
+ pairs, e.g. ''"managedConfiguration": { "key1": value1, "key2": value2
+ }''. The keys are defined in the app manifest.'
+ type: object
+ packageName:
+ description: Android app identifier, e.g. "com.google.android.gm" for
+ Gmail
+ type: string
+ type: object
+ type: array
+ type: object
+example_value: '{"applications":[{"packageName":"com.google.android.gm","installType":"FORCE_INSTALLED","defaultPermissionPolicy":"PROMPT","managedConfiguration":{}},{"packageName":"com.google.android.apps.docs","installType":"BLOCKED","defaultPermissionPolicy":"PROMPT","managedConfiguration":{}},{"packageName":"com.google.android.calculator","installType":"AVAILABLE","defaultPermissionPolicy":"PROMPT","managedConfiguration":{}}]}'
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- arc-commercial@google.com
+- mhasank@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome_os:50-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/DeviceArcDataSnapshotHours.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/DeviceArcDataSnapshotHours.yaml
new file mode 100755
index 000000000..bb4d80d26
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/DeviceArcDataSnapshotHours.yaml
@@ -0,0 +1,47 @@
+caption: Intervals when ARC data snapshot update process can be started for Managed
+ Guest Sessions
+desc: 'If "DeviceArcDataSnapshotHours" policy is set, then the ARC data snapshotting
+ mechanism is turned on. And the ARC data snapshot update can be started automatically
+ during the defined time intervals. When an interval starts, ARC data snapshot update
+ is required and no user is logged-in, the ARC data snapshot update process is started
+ without user notification. If the user session is active, the UI notification is
+ shown and have to be accepted in order to reboot a device and start ARC data snapshot
+ update process. Note: a device is blocked for usage during the ARC data snapshot
+ update process.'
+device_only: true
+deprecated: true
+example_value:
+ intervals:
+ - end:
+ day_of_week: MONDAY
+ time: 21720000
+ start:
+ day_of_week: MONDAY
+ time: 12840000
+ - end:
+ day_of_week: FRIDAY
+ time: 57600000
+ start:
+ day_of_week: FRIDAY
+ time: 38640000
+ timezone: GMT
+features:
+ dynamic_refresh: true
+owners:
+- pbond@chromium.org
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ properties:
+ intervals:
+ items:
+ $ref: WeeklyTimeIntervals
+ type: array
+ timezone:
+ type: string
+ type: object
+supported_on:
+- chrome_os:88-113
+tags: []
+type: dict
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/UnaffiliatedArcAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/UnaffiliatedArcAllowed.yaml
new file mode 100755
index 000000000..c2e0730ff
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/UnaffiliatedArcAllowed.yaml
@@ -0,0 +1,25 @@
+caption: Allow unaffiliated users to use ARC
+default: true
+desc: |-
+ Unless ARC is turned off by other means, then setting the policy to True or leaving it unset lets users use ARC. Setting the policy to False means unaffiliated users may not use ARC.
+
+ Changes to the policy only apply while ARC isn't running, for example, while starting ChromeOS.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: false
+items:
+- caption: Allow unaffiliated users to use Android apps
+ value: true
+- caption: Do not allow unaffiliated users to use Android apps
+ value: false
+owners:
+- arc-commercial@google.com
+- mhasank@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:64-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/UnaffiliatedDeviceArcAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/UnaffiliatedDeviceArcAllowed.yaml
new file mode 100755
index 000000000..346a2483f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Arc/UnaffiliatedDeviceArcAllowed.yaml
@@ -0,0 +1,24 @@
+caption: Allow enterprise users to use ARC on unaffiliated devices.
+desc: |-
+ Unless ARC is turned off by other means, then setting the policy to True or leaving it unset lets managed users use ARC on unaffiliated devices. Setting the policy to False means managed users may not use ARC on unaffiliated devices.
+
+ Note that other restrictions, like those imposed by ArcEnabled and UnaffiliatedArcAllowed policies, continue to be respected, and ARC gets disabled if any of them specifies so.
+example_value: true
+default: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow users to use Android apps on unaffiliated devices
+ value: true
+- caption: Do not allow users to use Android apps on unaffiliated devices
+ value: false
+owners:
+- arc-commercial@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:120-
+tags: []
+type: main
+
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/.group.details.yaml
new file mode 100755
index 000000000..862ed4db1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Remote attestation
+desc: Configure the remote attestation with TPM mechanism.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForDevice.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForDevice.yaml
new file mode 100755
index 000000000..5241c55b4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForDevice.yaml
@@ -0,0 +1,28 @@
+caption: Enable remote attestation for the device
+deprecated: true
+default: false
+desc: |-
+ This policy was removed in M121. It served to enable and disable Remote Attestation for the device but Remote Attestation has been enabled by default.
+
+ Setting the policy to Enabled allows remote attestation for the device. A certificate is automatically generated and uploaded to the Device Management Server.
+
+ Setting the policy to Disabled or leaving it unset means no certificate is generated and calls to the Enterprise Platform Keys API fail.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable remote attestation for the device
+ value: true
+- caption: Disable remote attestation for the device
+ value: false
+owners:
+- emaxx@chromium.org
+- file://chrome/browser/ash/attestation/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:28-120
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForUser.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForUser.yaml
new file mode 100755
index 000000000..00d5132fd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForUser.yaml
@@ -0,0 +1,26 @@
+caption: Enable remote attestation for the user
+deprecated: true
+desc: |-
+ This policy was removed in M118. It served to enable and disable Remote Attestation for the user but Remote Attestation has been enabled by default.
+
+ Setting the policy to Enabled lets users use the hardware on $2Google ChromeOS devices to remotely attest its identity to the privacy CA through the Enterprise Platform Keys API using chrome.enterprise.platformKeys.challengeUserKey().
+
+ Setting the policy to Disabled or leaving it unset has calls to the API fail with an error code.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable remote attestation for the user
+ value: true
+- caption: Disable remote attestation for the user
+ value: false
+owners:
+- emaxx@chromium.org
+- file://chrome/browser/ash/attestation/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:28-117
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationExtensionAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationExtensionAllowlist.yaml
new file mode 100755
index 000000000..86a0d7c55
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationExtensionAllowlist.yaml
@@ -0,0 +1,21 @@
+caption: Extensions allowed to to use the remote attestation API
+desc: |-
+ Setting the policy specifies the allowed extensions to use the Enterprise Platform Keys API functions for remote attestation. Extensions must be on this list to use the API.
+
+ If an extension is not in the list, or the list is not set, the call to the API fails with an error code.
+example_value:
+- ghdilpkmfbfdnomkmaiogjhjnggaggoi
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- emaxx@chromium.org
+- file://chrome/browser/extensions/api/enterprise_platform_keys/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:87-
+tags: []
+type: list
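Review bot: The caption has a duplicated word, `allowed to to use`; it should read `caption: Extensions allowed to use the remote attestation API`. `desc` also never states what a list entry is. The example suggests an extension ID, so a sentence such as `Each entry is an extension ID.` would help, assuming no other form is accepted.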
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationForContentProtectionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationForContentProtectionEnabled.yaml
new file mode 100755
index 000000000..a3d0bfd86
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/AttestationForContentProtectionEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Enable the use of remote attestation for content protection for the device
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset lets $2Google ChromeOS devices use remote attestation (Verified Access) to get a certificate issued by the $2Google ChromeOS CA that asserts the device is eligible to play protected content. This process involves sending hardware endorsement information to the $2Google ChromeOS CA which uniquely identifies the device.
+
+ Setting the policy to Disabled means the device won't use remote attestation for content protection, and the device may not play protected content.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable remote attestation for content protection
+ value: true
+- caption: Disable remote attestation for content protection
+ value: false
+owners:
+- emaxx@chromium.org
+- file://chrome/browser/ash/attestation/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:31-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/DeviceWebBasedAttestationAllowedUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/DeviceWebBasedAttestationAllowedUrls.yaml
new file mode 100755
index 000000000..c15a6e155
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/DeviceWebBasedAttestationAllowedUrls.yaml
@@ -0,0 +1,31 @@
+caption: URLs that will be granted access to perform the device attestation during
+ SAML authentication
+desc: |-
+ This policy configures which URLs will be granted access to use remote attestation of device identity during the SAML flow on the sign-in screen.
+
+ Specifically, if a URL matches one of the patterns provided through this policy, it will be allowed to receive a HTTP header containing a response to a remote attestation challenge, attesting device identity and device state.
+
+ If this policy is not set or is set to an empty list, no URL is allowed to use remote attestation on the sign-in screen.
+
+ URLs must have HTTPS scheme, e.g. "https://example.com".
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
+device_only: true
+example_value:
+- https://www.example.com/
+- https://[*.]example.edu/
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- miersh@google.com
+- file://chrome/browser/ash/login/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:80-
+tags: []
+type: list
+generate_device_proto: False
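Review bot: The `desc` explains that a matching URL receives a header attesting device identity and state, but it gives no guidance on how broad a pattern should be, and the second `example_value` entry, `https://[*.]example.edu/`, covers every subdomain. I would add a sentence to `desc` along the lines of `Keep patterns as narrow as possible: every host that matches receives the attestation response, so prefer the identity provider's exact sign-in host over a wildcard.` The `schema` accepts any string, so the HTTPS requirement stated in the text is presumably enforced only by the code that consumes the list; saying in `desc` what happens to a non-HTTPS entry would remove that ambiguity.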
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/policy_atomic_groups.yaml
new file mode 100755
index 000000000..137dc39fa
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Attestation/policy_atomic_groups.yaml
@@ -0,0 +1,7 @@
+Attestation:
+ caption: Attestation
+ policies:
+ - AttestationEnabledForDevice
+ - AttestationEnabledForUser
+ - AttestationExtensionAllowlist
+ - AttestationForContentProtectionEnabled
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Borealis/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Borealis/.group.details.yaml
new file mode 100755
index 000000000..d8fd87030
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Borealis/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Borealis
+desc: Controls policies related to the Borealis subsystem.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Borealis/DeviceBorealisAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Borealis/DeviceBorealisAllowed.yaml
new file mode 100755
index 000000000..5ca8f88ce
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Borealis/DeviceBorealisAllowed.yaml
@@ -0,0 +1,30 @@
+caption: Allow devices to use Borealis on $2Google
+ ChromeOS
+default: true
+deprecated: True
+desc: |-
+ This policy is deprecated, please use UserBorealisAllowed instead.
+
+ Controls the availability of Borealis for this device.
+
+ If the policy is set to false, Borealis will be unavailable for all users of the device. Otherwise (when the policy is unset, or true) Borealis will be available if and only if no other policy or setting disables it.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Do not prevent Borealis from running on a
+ device
+ value: true
+- caption: Prevent Borealis from running on a device
+ value: false
+owners:
+- philpearson@google.com
+- davidriley@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:91-110
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Borealis/UserBorealisAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Borealis/UserBorealisAllowed.yaml
new file mode 100755
index 000000000..7802bdd07
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Borealis/UserBorealisAllowed.yaml
@@ -0,0 +1,26 @@
+caption: Allow users to use Borealis on $2Google
+ ChromeOS
+default: true
+default_for_enterprise_users: false
+desc: |-
+ Controls the availability of Borealis for this user.
+
+ If the policy is unset, or is set to false, Borealis will be unavailable. When the policy is set to true Borealis will be available if and only if no other policy or setting disables it.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow Borealis to run for a user
+ value: true
+- caption: Prevent Borealis from running for a user
+ value: false
+owners:
+- philpearson@google.com
+- davidriley@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:91-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserEventReporting/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserEventReporting/.group.details.yaml
new file mode 100755
index 000000000..04362d2c7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserEventReporting/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Browser Event Reporting
+desc: Controls settings for Browser Event Reporting.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserEventReporting/ReportingEndpoints.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserEventReporting/ReportingEndpoints.yaml
new file mode 100755
index 000000000..35beffc8d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserEventReporting/ReportingEndpoints.yaml
@@ -0,0 +1,26 @@
+caption: Reporting Endpoints
+default: {}
+desc: |-
+ Allows you to configure the list of Reporting API Endpoints[1] where
+ enterprise reports can be sent.
+
+ [1] https://www.w3.org/TR/reporting-1/#endpoint
+example_value:
+ endpoint-1: https://example.com
+ reporting-endpoint: https://reporting.example/cookie-issues
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- sandormajor@google.com
+- selya@google.com
+schema:
+ type: object
+ additionalProperties:
+ type: string
+future_on:
+- android
+- chrome.*
+- chrome_os
+tags: []
+type: dict
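Review bot: The `schema` accepts any string as an endpoint value and the `desc` does not say which URL schemes are accepted, even though both `example_value` entries use `https://`. Because enterprise reports are sent to whatever is configured here, the description should state the requirement and the failure mode explicitly, for example `Endpoint URLs must use HTTPS; entries that do not are ignored.`, worded to match what the implementation actually does. That implementation is not visible from this hunk.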
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserEventReporting/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserEventReporting/policy_atomic_groups.yaml
new file mode 100755
index 000000000..f8aeadc82
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserEventReporting/policy_atomic_groups.yaml
@@ -0,0 +1,4 @@
+BrowserEventReporting:
+ caption: Browser Event Reporting
+ policies:
+ - ReportingEndpoints
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/.group.details.yaml
new file mode 100755
index 000000000..4bc319c28
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/.group.details.yaml
@@ -0,0 +1,3 @@
+caption: Idle Browser Actions
+desc: |-
+ Controls actions that run when the browser is idle.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/IdleTimeout.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/IdleTimeout.yaml
new file mode 100755
index 000000000..2359203b4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/IdleTimeout.yaml
@@ -0,0 +1,29 @@
+caption: Delay before running idle actions
+default: 0
+desc: |-
+ Triggers an action when the computer is idle.
+
+ If this policy is set, it specifies the length of time without user input (in minutes) before the browser runs actions configured via the IdleTimeoutActions policy.
+
+ If this policy is not set, no action will be ran.
+
+ The minimum threshold is 1 minute.
+
+ "User input" is defined by Operating System APIs, and includes things like moving the mouse or typing on the keyboard.
+example_value: 30
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome.*:116-
+- ios:123-
+future_on:
+- android
+owners:
+- nicolaso@chromium.org
+- cbe-magic@google.com
+schema:
+ minimum: 1
+ type: integer
+tags: []
+type: int
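Review bot: `default: 0` is below the `minimum: 1` declared under `schema`, and the `desc` never says what a value of 0 (or any value under the minimum) does. Idle actions may be the control that clears data on shared machines, so an administrator needs to know whether an out-of-range value is clamped to 1 minute or silently disables the timeout. I would add one sentence to `desc` stating which of the two applies. I would also fix the grammar in `If this policy is not set, no action will be ran.` to `no action will be run.`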
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/IdleTimeoutActions.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/IdleTimeoutActions.yaml
new file mode 100755
index 000000000..9f47ee280
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/IdleTimeoutActions.yaml
@@ -0,0 +1,101 @@
+caption: Actions to run when the computer is idle
+desc: |-
+ List of actions to run when the timeout from the IdleTimeout policy is reached.
+
+ Warning: Setting this policy can impact and permanently remove local personal data. It is recommended to test your settings before deploying to prevent accidental deletion of personal data.
+
+ If the IdleTimeout policy is unset, this policy has no effect.
+
+ When the timeout from the IdleTimeout policy is reached, the browser runs the actions configured in this policy.
+
+ If this policy is empty or left unset, the IdleTimeout policy has no effect.
+
+ Supported actions are:
+
+ 'close_browsers': close all browser windows and PWAs for this profile. Not supported on Android and iOS.
+
+ 'close_tabs': close all open tabs in open windows. Only supported on iOS.
+
+ 'show_profile_picker': show the Profile Picker window. Not supported on Android and iOS.
+
+ 'sign_out': Signs out the current signed in user. Only supported on iOS.
+
+ 'clear_browsing_history', 'clear_download_history', 'clear_cookies_and_other_site_data', 'clear_cached_images_and_files', 'clear_password_signing', 'clear_autofill', 'clear_site_settings', 'clear_hosted_app_data': clear the corresponding browsing data. See the ClearBrowsingDataOnExitList policy for more details. The types supported on iOS are 'clear_browsing_history', 'clear_cookies_and_other_site_data', 'clear_cached_images_and_files', 'clear_password_signing', and 'clear_autofill'
+
+ 'reload_pages': reload all webpages. For some pages, the user may be prompted for confirmation first. Not supported on iOS.
+
+ Setting 'clear_browsing_history', 'clear_password_signing', 'clear_autofill', and 'clear_site_settings' will disable sync for the respective data types if neither `Chrome Sync` is disabled by setting the SyncDisabled policy nor BrowserSignin is disabled.
+example_value:
+- close_browsers
+- show_profile_picker
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome.*:116-
+- ios:123-
+future_on:
+- android
+owners:
+- nicolaso@chromium.org
+- cbe-magic@google.com
+items:
+- caption: Close Browsers
+ name: close_browsers
+ value: close_browsers
+- caption: Show Profile Picker
+ name: show_profile_picker
+ value: show_profile_picker
+- caption: Clear Browsing History
+ name: clear_browsing_history
+ value: clear_browsing_history
+- caption: Clear Download History
+ name: clear_download_history
+ value: clear_download_history
+- caption: Clear Cookies and Other Site Data
+ name: clear_cookies_and_other_site_data
+ value: clear_cookies_and_other_site_data
+- caption: Clear Cached Images and Files
+ name: clear_cached_images_and_files
+ value: clear_cached_images_and_files
+- caption: Clear Password Signin
+ name: clear_password_signin
+ value: clear_password_signin
+- caption: Clear Autofill
+ name: clear_autofill
+ value: clear_autofill
+- caption: Clear Site Settings
+ name: clear_site_settings
+ value: clear_site_settings
+- caption: Clear Hosted App Data
+ name: clear_hosted_app_data
+ value: clear_hosted_app_data
+- caption: Reload Pages
+ name: reload_pages
+ value: reload_pages
+- caption: Sign Out
+ name: sign_out
+ value: sign_out
+- caption: Close Tabs
+ name: close_tabs
+ value: close_tabs
+schema:
+ items:
+ enum:
+ - close_browsers
+ - show_profile_picker
+ - clear_browsing_history
+ - clear_download_history
+ - clear_cookies_and_other_site_data
+ - clear_cached_images_and_files
+ - clear_password_signin
+ - clear_autofill
+ - clear_site_settings
+ - clear_hosted_app_data
+ - reload_pages
+ - sign_out
+ - close_tabs
+ type: string
+ type: array
+tags: []
+type: string-enum-list
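Review bot: The `desc` spells the password action `'clear_password_signing'` in three places (the supported-actions list, the iOS list and the sync paragraph), while both `items` and the `schema` enum define it as `clear_password_signin`. An administrator who copies the value from the description would configure a string the enum does not contain. That entry would presumably be rejected or ignored, leaving saved sign-in data in place on idle with no obvious error. The three occurrences in `desc` should read `'clear_password_signin'` so the text matches the accepted value.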
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/policy_atomic_groups.yaml
new file mode 100755
index 000000000..0bb5cc7d7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserIdle/policy_atomic_groups.yaml
@@ -0,0 +1,5 @@
+BrowserIdle:
+ caption: Idle Browser Actions
+ policies:
+ - IdleTimeout
+ - IdleTimeoutActions
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/.group.details.yaml
new file mode 100755
index 000000000..21d614744
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/.group.details.yaml
@@ -0,0 +1,5 @@
+caption: Legacy Browser Support
+desc: |-
+ Configure policies to switch between browsers.
+
+ Configured websites will automatically open in another browser than $1Google Chrome.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/AlternativeBrowserParameters.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/AlternativeBrowserParameters.yaml
new file mode 100755
index 000000000..cd95cd48e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/AlternativeBrowserParameters.yaml
@@ -0,0 +1,29 @@
+caption: Command-line parameters for the alternative browser.
+desc: |-
+ Setting the policy to a list of strings means each string is passed to the alternative browser as separate command-line parameters. On Microsoft® Windows®, the parameters are joined with spaces. On macOS and Linux®, a parameter can have spaces and still be treated as a single parameter.
+
+ If a parameter contains ${url}, ${url} is replaced with the URL of the page to open. If no parameter contains ${url}, the URL is appended at the end of the command line.
+
+ Environment variables are expanded. On Microsoft® Windows®, %ABC% is replaced with the value of the ABC environment variable. On macOS and Linux®, ${ABC} is replaced with the value of the ABC environment variable.
+
+ Leaving the policy unset means only the URL is passed as a command-line parameter.
+example_value:
+- -foreground
+- -new-window
+- ${url}
+- -profile
+- '%HOME%\browser_profile'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- nicolaso@chromium.org
+- pastarmovj@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:71-
+tags: []
+type: list
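Review bot: The `desc` says that on Windows the parameters are joined with spaces and that `${url}` is replaced with the page URL, but it does not say whether the substituted URL is quoted or escaped before it reaches the command line. The URL comes from web content, so the description should state the quoting behaviour explicitly. Administrators then know whether the alternative browser always receives it as a single argument. It would also help to say whether environment-variable expansion is applied to the URL text itself or only to the configured parameter strings. Both points are documentation only; the launching code is not part of this hunk.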
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/AlternativeBrowserPath.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/AlternativeBrowserPath.yaml
new file mode 100755
index 000000000..a40ff7241
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/AlternativeBrowserPath.yaml
@@ -0,0 +1,18 @@
+caption: Alternative browser to launch for configured websites.
+desc: |-
+ Setting the policy controls which command to use to open URLs in an alternative browser. The policy can be set to one of ${ie}, ${firefox}, ${safari}, ${opera}, ${edge} or a file path. When this policy is set to a file path, that file is used as an executable file. ${ie} is only available on Microsoft® Windows®. ${safari} and ${edge} are only available on Microsoft® Windows® and macOS.
+
+ Leaving the policy unset puts a platform-specific default in use: Internet Explorer® for Microsoft® Windows®, or Safari® for macOS. On Linux®, launching an alternative browser will fail.
+example_value: ${ie}
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- nicolaso@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:71-
+tags: []
+type: string
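Review bot: The `desc` states that a file-path value "is used as an executable file" but gives no guidance on where that file may safely live. The browser launches it whenever a configured URL is opened, so I would add a sentence such as `The path should refer to a location that standard users cannot write to.` The `schema` is a plain `type: string`, so nothing visible here constrains the value.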
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherChromeParameters.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherChromeParameters.yaml
new file mode 100755
index 000000000..58f3ced95
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherChromeParameters.yaml
@@ -0,0 +1,25 @@
+caption: Command-line parameters for switching from the alternative browser.
+desc: |-
+ Setting the policy to a list of strings means the strings are joined with spaces and passed from Internet Explorer® to $1Google Chrome as command-line parameters. If a parameter contains ${url}, ${url} is replaced with the URL of the page to open. If no parameter contains ${url}, the URL is appended at the end of the command line.
+
+ Environment variables are expanded. On Microsoft® Windows®, %ABC% is replaced with the value of the ABC environment variable.
+
+ Leaving the policy unset means Internet Explorer® only passes the URL to $1Google Chrome as a command-line parameter.
+
+ Note: If the Legacy Browser Support add-in for Internet Explorer® isn't installed, this policy has no effect.
+example_value:
+- --force-dark-mode
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- nicolaso@chromium.org
+- pastarmovj@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.win:74-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherChromePath.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherChromePath.yaml
new file mode 100755
index 000000000..5bc5e6404
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherChromePath.yaml
@@ -0,0 +1,20 @@
+caption: Path to Chrome for switching from the alternative browser.
+desc: |-
+ This policy controls the command to use to open URLs in $1Google Chrome when switching from Internet Explorer®. This policy can be set to an executable file path or ${chrome} to autodetect the location of $1Google Chrome.
+
+ Leaving the policy unset means Internet Explorer® autodetects $1Google Chrome's own executable path when launching $1Google Chrome from Internet Explorer.
+
+ Note: If the Legacy Browser Support add-in for Internet Explorer® isn't installed, this policy has no effect.
+example_value: ${chrome}
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- nicolaso@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.win:74-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherDelay.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherDelay.yaml
new file mode 100755
index 000000000..66366065d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherDelay.yaml
@@ -0,0 +1,19 @@
+caption: Delay before launching alternative browser (milliseconds)
+default: 0
+desc: |-
+ Setting the policy to a number has $1Google Chrome show a message for that number of milliseconds, then it opens an alternative browser.
+
+ Leaving the policy unset or set to 0 means navigating to a designated URL immediately opens it in an alternative browser.
+example_value: 10000
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- nicolaso@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: integer
+supported_on:
+- chrome.*:74-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherEnabled.yaml
new file mode 100755
index 000000000..ab004acb5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Enable the Legacy Browser Support feature.
+default: false
+desc: |-
+ Setting the policy to Enabled means $1Google Chrome will try to launch some URLs in an alternate browser, such as Internet Explorer®. This feature is set using the policies in the Legacy Browser support group.
+
+ Setting the policy to Disabled or leaving it unset means $1Google Chrome won't try to launch designated URLs in an alternate browser.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable Legacy Browser Support
+ value: true
+- caption: Disable Legacy Browser Support
+ value: false
+owners:
+- nicolaso@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:73-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherExternalGreylistUrl.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherExternalGreylistUrl.yaml
new file mode 100755
index 000000000..9a47429c5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherExternalGreylistUrl.yaml
@@ -0,0 +1,21 @@
+caption: URL of an XML file that contains URLs that should never trigger a browser
+ switch.
+desc: |-
+ Setting the policy to a valid URL has $1Google Chrome download the site list from that URL and apply the rules as if they were set up with the BrowserSwitcherUrlGreylist policy. These policies prevent $1Google Chrome and the alternative browser from opening one another.
+
+ Leaving it unset (or set to a invalid URL) means $1Google Chrome doesn't use the policy as a source of rules for not switching browsers.
+
+ Note: This policy points to an XML file in the same format as Internet Explorer®'s SiteList policy. This loads rules from an XML file, without sharing those rules with Internet Explorer®. Read more on Internet Explorer®'s SiteList policy ( https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode )
+example_value: http://example.com/greylist.xml
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- nicolaso@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:77-
+tags: []
+type: string
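Review bot: `example_value: http://example.com/greylist.xml` shows the rule file being fetched over plain HTTP, and the same applies to `example_value: http://example.com/sitelist.xml` in BrowserSwitcherExternalSitelistUrl.yaml. These files decide which sites are handed to the alternative browser, so a list fetched without transport integrity can be altered in transit. The examples should be `https://example.com/greylist.xml` and `https://example.com/sitelist.xml`, and the `desc` could recommend HTTPS in one sentence. Both descriptions also contain `set to a invalid URL`, which should read `set to an invalid URL`.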
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherExternalSitelistUrl.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherExternalSitelistUrl.yaml
new file mode 100755
index 000000000..b5877f885
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherExternalSitelistUrl.yaml
@@ -0,0 +1,22 @@
+caption: URL of an XML file that contains URLs to load in an alternative browser.
+desc: |-
+ Setting the policy to a valid URL has $1Google Chrome download the site list from that URL and apply the rules as if they were set up with the BrowserSwitcherUrlList policy.
+
+ Leaving it unset (or set to a invalid URL) means $1Google Chrome doesn't use the policy as a source of rules for switching browsers.
+
+ Note: This policy points to an XML file in the same format as Internet Explorer®'s SiteList policy. This loads rules from an XML file, without sharing those rules with Internet Explorer®. Read more on Internet Explorer®'s SiteList policy ( https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode)
+example_value: http://example.com/sitelist.xml
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- nicolaso@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:72-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherKeepLastChromeTab.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherKeepLastChromeTab.yaml
new file mode 100755
index 000000000..32b890688
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherKeepLastChromeTab.yaml
@@ -0,0 +1,24 @@
+caption: Keep last tab open in Chrome.
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset has $1Google Chrome keep at least one tab open, after switching to an alternate browser.
+
+ Setting the policy to Disabled has $1Google Chrome close the tab after switching to an alternate browser, even if it was the last tab. This causes $1Google Chrome to exit completely.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Keep at least one Chrome tab open
+ value: true
+- caption: Close Chrome completely
+ value: false
+owners:
+- nicolaso@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:74-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherParsingMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherParsingMode.yaml
new file mode 100755
index 000000000..a0a8296e4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherParsingMode.yaml
@@ -0,0 +1,36 @@
+caption: Sitelist parsing mode
+default: 0
+desc: |-
+ This policy controls how Google Chrome interprets sitelist/greylist policies for the Legacy Browser Support feature. It affects the following policies: BrowserSwitcherUrlList, BrowserSwitcherUrlGreylist, BrowserSwitcherUseIeSitelist, BrowserSwitcherExternalSitelistUrl, and BrowserSwitcherExternalGreylistUrl.
+
+ If 'Default' (0) or unset, URL matching is less strict. Rules that do not contain "/" look for a substring anywhere in the URL's hostname. Matching the path component of a URL is case-sensitive.
+
+ If 'IESiteListMode' (1), URL matching is more strict. Rules that do not contain "/" only match at the end of the hostname. They must also be at a domain name boundary. Matching the path component of a URL is case-insensitive. This is more compatible with Microsoft® Internet Explorer® and Microsoft® Edge®.
+
+ For example, with the rules "example.com" and "acme.com/abc":
+
+ "http://example.com/", "http://subdomain.example.com/" and "http://acme.com/abc" match regardless of parsing mode.
+
+ "http://notexample.com/", "http://example.com.invalid.com/", "http://example.comabc/" only match in 'Default' mode.
+
+ "http://acme.com/ABC" only matches in 'IESiteListMode'.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Default behavior for LBS.
+ name: Default
+ value: 0
+- caption: More compatible with Microsoft IE/Edge enterprise mode sitelists.
+ name: IESiteListMode
+ value: 1
+owners:
+- nicolaso@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: integer
+supported_on:
+- chrome.*:95-
+tags: []
+type: int-enum
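Review bot: The looser matching mode is the `default: 0`, and the examples in `desc` show what that means: a rule `example.com` also matches `http://notexample.com/` and `http://example.com.invalid.com/`. The description states this as a neutral fact. It should also tell administrators that sitelist rules meant to cover a single domain need `IESiteListMode` or a rule containing "/", for instance `Use 'IESiteListMode' when rules are meant to match only a domain and its subdomains.` Separately, this `desc` writes `Google Chrome` without the `$1` placeholder prefix that the other BrowserSwitcher descriptions use (`$1Google Chrome`).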
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherUrlGreylist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherUrlGreylist.yaml
new file mode 100755
index 000000000..1ec3b5081
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherUrlGreylist.yaml
@@ -0,0 +1,27 @@
+caption: Websites that should never trigger a browser switch.
+desc: |-
+ Setting the policy controls the list of websites that will never cause a browser switch. Each item is treated as a rule. Those rules that match won't open an alternative browser. Unlike the BrowserSwitcherUrlList policy, rules apply to both directions. When the Internet Explorer® add-in is on, it also controls whether Internet Explorer® should open these URLs in $1Google Chrome.
+
+ Leaving the policy unset adds no websites to the list.
+
+ Note: Elements can also be added to this list through the BrowserSwitcherExternalGreylistUrl policy.
+example_value:
+- ie.com
+- '!open-in-chrome.ie.com'
+- foobar.com/ie-only/
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- nicolaso@chromium.org
+- pastarmovj@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:71-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherUrlList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherUrlList.yaml
new file mode 100755
index 000000000..d9752176c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherUrlList.yaml
@@ -0,0 +1,25 @@
+caption: Websites to open in alternative browser
+desc: |-
+ Setting the policy controls the list of websites to open in an alternative browser. Each item is treated as a rule for something to open in an alternative browser. $1Google Chrome uses those rules when choosing if a URL should open in an alternative browser. When the Internet Explorer® add-in is on, Internet Explorer® switches back to $1Google Chrome when the rules don't match. If rules contradict each other, $1Google Chrome uses the most specific rule.
+
+ Leaving the policy unset adds no websites to the list.
+
+ Note: Elements can also be added to this list through the BrowserSwitcherUseIeSitelist and BrowserSwitcherExternalSitelistUrl policies.
+example_value:
+- ie.com
+- '!open-in-chrome.ie.com'
+- foobar.com/ie-only/
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- nicolaso@chromium.org
+- pastarmovj@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:71-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherUseIeSitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherUseIeSitelist.yaml
new file mode 100755
index 000000000..9a8d34b66
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/BrowserSwitcherUseIeSitelist.yaml
@@ -0,0 +1,28 @@
+caption: Use Internet Explorer's SiteList policy for Legacy Browser Support.
+default: false
+desc: |-
+ This policy controls whether to load rules from Internet Explorer®'s SiteList policy.
+
+ When this policy is set to true, $1Google Chrome reads Internet Explorer®'s SiteList to obtain the site list's URL. $1Google Chrome then downloads the site list from that URL, and applies the rules as if they had been configured with the BrowserSwitcherUrlList policy.
+
+ When this policy is false or unset, $1Google Chrome does not use Internet Explorer®'s SiteList policy as a source of rules for switching browsers.
+
+ For more information on Internet Explorer's SiteList policy: https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Use the Internet Explorer SiteList policy as a source of rules
+ value: true
+- caption: Do not use the Internet Explorer SiteList policy as a source of rules
+ value: false
+owners:
+- nicolaso@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:71-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/policy_atomic_groups.yaml
new file mode 100755
index 000000000..7cd53ba7e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/BrowserSwitcher/policy_atomic_groups.yaml
@@ -0,0 +1,15 @@
+BrowserSwitcher:
+ caption: Legacy Browser Support
+ policies:
+ - AlternativeBrowserPath
+ - AlternativeBrowserParameters
+ - BrowserSwitcherChromePath
+ - BrowserSwitcherChromeParameters
+ - BrowserSwitcherDelay
+ - BrowserSwitcherEnabled
+ - BrowserSwitcherExternalSitelistUrl
+ - BrowserSwitcherExternalGreylistUrl
+ - BrowserSwitcherKeepLastChromeTab
+ - BrowserSwitcherUrlList
+ - BrowserSwitcherUrlGreylist
+ - BrowserSwitcherUseIeSitelist
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Bruschetta/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Bruschetta/.group.details.yaml
new file mode 100755
index 000000000..388b832aa
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Bruschetta/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Bruschetta
+desc: Controls policies related to the Bruschetta subsystem.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Bruschetta/BruschettaInstallerConfiguration.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Bruschetta/BruschettaInstallerConfiguration.yaml
new file mode 100755
index 000000000..9525169cf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Bruschetta/BruschettaInstallerConfiguration.yaml
@@ -0,0 +1,45 @@
+owners:
+- sidereal@google.com
+- file://chrome/browser/ash/guest_os/OWNERS
+
+caption: Configure the installer for Bruschetta VMs on $2Google ChromeOS devices
+
+desc: |-
+ Sets metadata used by the installer for Bruschetta VMs on $2Google ChromeOS devices, prior to it
+ being installed.
+
+future_on:
+- chrome_os
+
+features:
+ dynamic_refresh: true
+ per_profile: false
+ cloud_only: true
+ unlisted: true
+
+type: dict
+
+schema:
+ type: object
+ description: Installer metadata
+ properties:
+ display_name:
+ type: string
+ description: |-
+ Name to show in the installer UI e.g. Happy VM. If unset will show a
+ fallback name, either derived from the first (by display order) entry in
+ the BruschettaVMConfiguration policy, or failing that, a generic name.
+ learn_more_url:
+ type: string
+ description: |-
+ A URL for users to visit to learn more. If unset there will
+ be no "learn more" URL in the installer. If present, it must use
+ the https scheme.
+
+example_value:
+ display_name: AwesomeNix
+ learn_more_url: https://example.com/learn_more
+
+tags:
+ - system-security
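Review bot: The `learn_more_url` description says the value must use the https scheme, but the schema entry only declares `type: string`, so schema validation does not enforce that rule. If the policy schema format accepts a string pattern, adding `pattern: "^https://"` under `learn_more_url` would reject other schemes before the value reaches the installer UI. Otherwise the description should say where the scheme check is enforced. The path suggests this is a mirrored copy of an upstream file, so the change probably belongs upstream.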
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Bruschetta/BruschettaVMConfiguration.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Bruschetta/BruschettaVMConfiguration.yaml
new file mode 100755
index 000000000..25e8520c6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Bruschetta/BruschettaVMConfiguration.yaml
@@ -0,0 +1,135 @@
+owners:
+- sidereal@google.com
+- file://chrome/browser/ash/guest_os/OWNERS
+
+caption: Configure Bruschetta VMs on $2Google ChromeOS
+
+desc: |-
+ Configure installation and runtime policies for Bruschetta VMs on
+ $2Google ChromeOS. This allows for
+ third-party VMs to be installed by users. This feature is disabled by default.
+
+ This policy is a map of configuration IDs to VM configurations. When a VM is
+ installed from a configuration it is persistently associated with that
+ configuration ID, and any runtime policies in that configuration apply to that
+ VM. Multiple VMs may be installed from the same configuration on the same device.
+
+future_on:
+- chrome_os
+
+features:
+ dynamic_refresh: true
+ per_profile: false
+ cloud_only: true
+ unlisted: true
+
+type: dict
+
+schema:
+ type: object
+ description: Mapping from persistent IDs to VM configurations
+ patternProperties:
+ "[a-zA-Z0-9-_]+":
+ type: object
+ description: A VM configuration. Denotes a type of VM that the user can
+ install, which will be persistently associated with the ID of this
+ configuration, and controls that apply to this type of VM.
+ required:
+ - name
+ - enabled_state
+ properties:
+ name:
+ type: string
+ description: User visible name for this configuration
+ enabled_state:
+ type: string
+ description: Controls whether VMs using this configuration can be
+ installed and run (INSTALL_ALLOWED),
+ run but not installed (RUN_ALLOWED), or
+ cannot be run (BLOCKED). Note that to install
+ a VM the installer_image_x86_64 key must also be set. Removing a
+ configuration entirely implicitly sets this to BLOCKED,
+ preventing VMs from running without a policy.
+ enum:
+ - BLOCKED
+ - RUN_ALLOWED
+ - INSTALL_ALLOWED
+ installer_image_x86_64:
+ type: object
+ description: The UEFI-bootable disk image used to install the VM on x86_64 devices.
+ required:
+ - url
+ - hash
+ properties:
+ url:
+ type: string
+ description: URL of the disk image to download.
+ hash:
+ type: string
+ description: Hexadecimal encoded SHA-256 hash of the disk image.
+ uefi_pflash_x86_64:
+ type: object
+ description: The initial non-volatile UEFI data used by the VM firmware.
+ required:
+ - url
+ - hash
+ properties:
+ url:
+ type: string
+ description: URL of the data to download.
+ hash:
+ type: string
+ description: Hexadecimal encoded SHA-256 hash of the data.
+ vtpm:
+ type: object
+ description: Controls if VMs using this configuration have
+ access to a vTPM, defaults to false and
+ FORCE_SHUTDOWN_IF_MORE_RESTRICTED
+ if unset.
+ required:
+ - enabled
+ properties:
+ enabled:
+ type: boolean
+ description: Controls whether VMs using this configuration have
+ access to a vTPM, defaults to false.
+ policy_update_action:
+ type: string
+ description: Controls how to treat running VMs that don't match
+ this policy setting, defaults to
+ FORCE_SHUTDOWN_IF_MORE_RESTRICTED.
+ enum:
+ - NONE
+ - FORCE_SHUTDOWN_IF_MORE_RESTRICTED
+ - FORCE_SHUTDOWN_ALWAYS
+ oem_strings:
+ type: array
+ description: SMBIOS OEM strings to pass to the VM during install.
+ Defaults to the empty list.
+ items:
+ type: string
+ display_order:
+ type: integer
+ description: The order in which the VM configuration will be displayed in the installer.
+ When multiple VM configurations are specified, the one with the smallest display_order
+ value is displayed at the top of the list. Defaults to zero.
+
+example_value:
+ vm-type:
+ name: Standard Virtual Machine
+ enabled_state: INSTALL_ALLOWED
+ installer_image_x86_64:
+ url: https://example.com/installer_image
+ hash: 761b22509ee7bd3e1a3da9eb9e37c6443acfc582670b733601ca5a1de44b99de
+ uefi_pflash_x86_64:
+ url: https://example.com/uefi_pflash
+ hash: 4d9a81e8feb96abb6da0d92642996a26edea6e94345da12a19999470c57bb0a6
+ vtpm:
+ enabled: true
+ policy_update_action: NONE
+ oem_strings:
+ - example config string
+ display_order: 5
+
+tags:
+ - system-security
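Review bot: The `patternProperties` key `"[a-zA-Z0-9-_]+"` has no anchors, so under JSON Schema's search-style matching any configuration ID that contains a single allowed character is accepted, including IDs with spaces, slashes or dots. Because the description says a VM stays persistently associated with its configuration ID, I would anchor the pattern and move the hyphen to the end of the class: `"^[a-zA-Z0-9_-]+$":`. The two `hash` properties are also unconstrained strings. Assuming the schema format supports string patterns, `pattern: "^[0-9a-fA-F]{64}$"` would catch a truncated or mistyped SHA-256 value at policy-validation time.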
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/.group.details.yaml
new file mode 100755
index 000000000..c2a8a9adc
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Cast Receiver
+desc: Configure the Cast Receiver in $2Google ChromeOS.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/CastReceiverEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/CastReceiverEnabled.yaml
new file mode 100755
index 000000000..46ce5ebef
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/CastReceiverEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Enable casting content to the device
+default_for_enterprise_users: false
+deprecated: true
+desc: |-
+ Allow content to be cast to the device using Google Cast.
+
+ If this policy is set to False, users will not be able to cast content to their device. If this policy is set to True, users are allowed to cast content. If this policy is not set, users are not allowed to cast content to enrolled ChromeOS devices, but can cast to non enrolled devices.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome_os
+items:
+- caption: Enable casting content to the device
+ value: true
+- caption: Disable casting content to the device
+ value: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/CastReceiverName.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/CastReceiverName.yaml
new file mode 100755
index 000000000..8d03bb509
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/CastReceiverName.yaml
@@ -0,0 +1,21 @@
+caption: Name of the Google Cast destination
+deprecated: true
+desc: |-
+ Determine the name advertised as a Google Cast destination.
+
+ If this policy is set to a non empty string, that string will be used as the name of the Google Cast destination. Otherwise, the destination name will be the device name. If this policy is not set, the destination name will be the device name, and the owner of the device (or a user from the domain managing the device) will be allowed to change it. The name is limited to 24 characters.
+device_only: true
+example_value: My Chromebook
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- chrome_os
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+tags: []
+type: string
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/policy_atomic_groups.yaml
new file mode 100755
index 000000000..a7b88a38f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CastReceiver/policy_atomic_groups.yaml
@@ -0,0 +1,5 @@
+GoogleCast:
+ caption: Google Cast
+ policies:
+ - CastReceiverEnabled
+ - CastReceiverName
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/.group.details.yaml
new file mode 100755
index 000000000..cd0009ced
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Certificate management settings
+desc: Controls user and device policies for certificate management.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CACertificateManagementAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CACertificateManagementAllowed.yaml
new file mode 100755
index 000000000..6a07e225f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CACertificateManagementAllowed.yaml
@@ -0,0 +1,34 @@
+caption: Allow users to manage installed CA certificates.
+default: 0
+desc: Setting the policy to All (0) or leaving it unset lets users edit trust settings
+ for all CA certificates, remove user-imported certificates, and import certificates
+ using Certificate Manager. Setting the policy to UserOnly (1) lets users manage
+ only user-imported certificates, but not change trust settings of built-in certificates.
+ Setting it to None (2) lets users view (not manage) CA certificates.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow users to manage all certificates
+ name: All
+ value: 0
+- caption: Allow users to manage user certificates
+ name: UserOnly
+ value: 1
+- caption: Disallow users from managing certificates
+ name: None
+ value: 2
+owners:
+- file://components/policy/OWNERS
+- poromov@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:78-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CACertificates.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CACertificates.yaml
new file mode 100755
index 000000000..2eb6b7af6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CACertificates.yaml
@@ -0,0 +1,28 @@
+caption: TLS certificates that should be trusted by $1Google Chrome for server authentication
+default: null
+desc: |-
+ A list of TLS certificates that should be trusted by $1Google Chrome for server authentication.
+ Certificates should be base64-encoded.
+example_value:
+ - MIICCTCCAY6gAwIBAgINAgPluILrIPglJ209ZjAKBggqhkjOPQQDAzBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjMwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQfTzOHMymKoYTey8chWEGJ6ladK0uFxh1MJ7x/JlFyb+Kf1qPKzEUURout736GjOyxfi//qXGdGIRFBEFVbivqJn+7kAHjSxm65FSWRQmx1WyRRK2EE46ajA2ADDL24CejQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTB8Sa6oC2uhYHP0/EqEr24Cmf9vDAKBggqhkjOPQQDAwNpADBmAjEA9uEglRR7VKOQFhG/hMjqb2sXnh5GmCCbn9MN2azTL818+FsuVbu/3ZL3pAzcMeGiAjEA/JdmZuVDFhOD3cffL74UOO0BzrEXGhF16b0DjyZ+hOXJYKaV11RZt+cRLInUue4X
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- dadrian@chromium.org
+- davidben@chromium.org
+- hchao@chromium.org
+- mattm@chromium.org
+- trusty-transport@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+future_on:
+- chrome.linux
+- chrome.mac
+- chrome.win
+- android
+- chrome_os
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CACertificatesWithConstraints.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CACertificatesWithConstraints.yaml
new file mode 100755
index 000000000..0ba9c160d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CACertificatesWithConstraints.yaml
@@ -0,0 +1,47 @@
+caption: TLS certificates that should be trusted by $1Google Chrome for server authentication with constraints
+default: null
+desc: |-
+ A list of TLS certificates that should be trusted by $1Google Chrome for server authentication, with constraints added outside the certificate. If no constraint of a certain type is present, then any name of that type is allowed.
+ Certificates should be base64-encoded. At least one constraint must be specified for each certificate.
+example_value:
+- certificate: "MIICCTCCAY6gAwIBAgINAgPluILrIPglJ209ZjAKBggqhkjOPQQDAzBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjMwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQfTzOHMymKoYTey8chWEGJ6ladK0uFxh1MJ7x/JlFyb+Kf1qPKzEUURout736GjOyxfi//qXGdGIRFBEFVbivqJn+7kAHjSxm65FSWRQmx1WyRRK2EE46ajA2ADDL24CejQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTB8Sa6oC2uhYHP0/EqEr24Cmf9vDAKBggqhkjOPQQDAwNpADBmAjEA9uEglRR7VKOQFhG/hMjqb2sXnh5GmCCbn9MN2azTL818+FsuVbu/3ZL3pAzcMeGiAjEA/JdmZuVDFhOD3cffL74UOO0BzrEXGhF16b0DjyZ+hOXJYKaV11RZt+cRLInUue4X"
+ constraints:
+ permitted_dns_names:
+ - "example.org"
+ permitted_cidrs:
+ - "10.1.1.0/24"
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- dadrian@chromium.org
+- davidben@chromium.org
+- hchao@chromium.org
+- mattm@chromium.org
+- trusty-transport@chromium.org
+schema:
+ type: array
+ items:
+ type: object
+ properties:
+ certificate:
+ type: string
+ constraints:
+ type: object
+ properties:
+ permitted_dns_names:
+ type: array
+ items:
+ type: string
+ permitted_cidrs:
+ type: array
+ items:
+ type: string
+future_on:
+- chrome.linux
+- chrome.mac
+- chrome.win
+- android
+- chrome_os
+tags: []
+type: dict
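Review bot: The description states that at least one constraint must be specified for each certificate, but the `items` object in `schema` declares no `required` list, so an entry carrying only `certificate` passes schema validation. Whether such an entry is then dropped or ends up trusted without constraints depends on handler code that is not part of this hunk, and a silently unconstrained trust anchor is the failure mode to rule out. I would add `required:` with `- certificate` and `- constraints` under `items`, and document in `desc` what happens to an entry whose `constraints` object is empty.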
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CADistrustedCertificates.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CADistrustedCertificates.yaml
new file mode 100755
index 000000000..8cc89b8f7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CADistrustedCertificates.yaml
@@ -0,0 +1,32 @@
+caption: TLS certificates that should be distrusted by $1Google Chrome for server authentication
+default: null
+desc: |-
+ A list of certificate public keys that should be distrusted by $1Google Chrome for TLS server
+ authentication.
+
+ The policy value is a list of base64-encoded X.509 certificates. Any
+ certificate with a matching SPKI (SubjectPublicKeyInfo) will be distrusted.
+example_value:
+ - 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
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- dadrian@chromium.org
+- davidben@chromium.org
+- hchao@chromium.org
+- mattm@chromium.org
+- trusty-transport@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+future_on:
+- chrome.linux
+- chrome.mac
+- chrome.win
+- android
+- chrome_os
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CAHintCertificates.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CAHintCertificates.yaml
new file mode 100755
index 000000000..7208a4268
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CAHintCertificates.yaml
@@ -0,0 +1,28 @@
+caption: TLS certificates that are not trusted or distrusted but can be used in path-building for server authentication
+default: null
+desc: |-
+ A list of certificates that are not trusted or distrusted in $1Google Chrome
+ but can be used as hints for path-building. Certificates should be base64-encoded.
+example_value:
+ - 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
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- dadrian@chromium.org
+- davidben@chromium.org
+- hchao@chromium.org
+- mattm@chromium.org
+- trusty-transport@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+future_on:
+- chrome.linux
+- chrome.mac
+- chrome.win
+- android
+- chrome_os
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CAPlatformIntegrationEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CAPlatformIntegrationEnabled.yaml
new file mode 100755
index 000000000..b601a5167
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/CAPlatformIntegrationEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Use user-added TLS certificates from platform trust stores for server authentication
+default: true
+desc: |-
+ If enabled(or not set), user-added TLS certificates from platform trust stores will be used in path-building for TLS server authentication.
+
+ If disabled, user-added TLS certificates from platform trust stores will not be used in path-building for TLS server authentication.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- dadrian@chromium.org
+- davidben@chromium.org
+- hchao@chromium.org
+- mattm@chromium.org
+- trusty-transport@chromium.org
+items:
+- caption: Import user-added TLS server certificates from platform trust stores.
+ value: true
+- caption: Do not import user-added TLS server certificates from platform trust stores.
+ value: false
+schema:
+ type: boolean
+# Intentionally not supported on ChromeOS as there is no "platform" certificate
+# store to integrate with.
+future_on:
+- chrome.linux
+- chrome.mac
+- chrome.win
+- android
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/RequiredClientCertificateForDevice.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/RequiredClientCertificateForDevice.yaml
new file mode 100755
index 000000000..97bc8bda8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/RequiredClientCertificateForDevice.yaml
@@ -0,0 +1,61 @@
+caption: Required device-wide Client Certificates
+desc: Specifies device-wide client certificates that should be enrolled using the
+ device management protocol.
+device_only: true
+example_value:
+- cert_profile_id: cert_profile_id_1
+ enable_remote_attestation_check: true
+ key_algorithm: rsa
+ name: Certificate Profile 1
+ policy_version: some_hash
+ renewal_period_seconds: 2592000
+ protocol_version: 2
+features:
+ can_be_mandatory: true
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ items:
+ properties:
+ cert_profile_id:
+ description: The identifier for this client certificate.
+ type: string
+ enable_remote_attestation_check:
+ description: 'Enable an additional security check based on remote attestation
+ (optional, default: True).'
+ type: boolean
+ key_algorithm:
+ description: The algorithm for key pair generation.
+ enum:
+ - rsa
+ type: string
+ name:
+ description: The name of the certificate profile.
+ type: string
+ policy_version:
+ description: The client should not interpret this data and should forward
+ it verbatim. The DMServer uses policy_version to verify that the policy
+ view of DMServer matches the view of ChromeOS device.
+ type: string
+ renewal_period_seconds:
+ description: Number of seconds before expiration of a certificate when renewal
+ should be triggered
+ type: integer
+ protocol_version:
+ description: Version of the certificate provisioning protocol. Defaults to 1.
+ 1 is the 'static' protocol. 2 is the 'dynamic' protocol.
+ type: integer
+ required:
+ - cert_profile_id
+ - key_algorithm
+ type: object
+ type: array
+supported_on:
+- chrome_os:84-
+tags: []
+type: dict
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/RequiredClientCertificateForUser.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/RequiredClientCertificateForUser.yaml
new file mode 100755
index 000000000..8462ecb10
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CertificateManagement/RequiredClientCertificateForUser.yaml
@@ -0,0 +1,60 @@
+caption: Required Client Certificates
+desc: Specifies client certificates that should be enrolled using the device management
+ protocol.
+device_only: false
+example_value:
+- cert_profile_id: cert_profile_id_1
+ enable_remote_attestation_check: true
+ key_algorithm: rsa
+ name: Certificate Profile 1
+ policy_version: some_hash
+ renewal_period_seconds: 2592000
+ protocol_version: 2
+features:
+ can_be_mandatory: true
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ items:
+ properties:
+ cert_profile_id:
+ description: The identifier for this client certificate.
+ type: string
+ enable_remote_attestation_check:
+ description: 'Enable an additional security check based on remote attestation
+ (optional, default: True).'
+ type: boolean
+ key_algorithm:
+ description: The algorithm for key pair generation.
+ enum:
+ - rsa
+ type: string
+ name:
+ description: The name of the certificate profile.
+ type: string
+ policy_version:
+ description: The client should not interpret this data and should forward
+ it verbatim. The DMServer uses policy_version to verify that the policy
+ view of DMServer matches the view of ChromeOS device.
+ type: string
+ renewal_period_seconds:
+ description: Number of seconds before expiration of a certificate when renewal
+ should be triggered
+ type: integer
+ protocol_version:
+ description: Version of the certificate provisioning protocol. Defaults to 1.
+ 1 is the 'static' protocol. 2 is the 'dynamic' protocol.
+ type: integer
+ required:
+ - cert_profile_id
+ - key_algorithm
+ type: object
+ type: array
+supported_on:
+- chrome_os:83-
+tags: []
+type: dict
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameContentTypes/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameContentTypes/.group.details.yaml
new file mode 100755
index 000000000..d66972429
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameContentTypes/.group.details.yaml
@@ -0,0 +1,4 @@
+caption: Allow $3Google Chrome Frame to
+ handle the following content types
+desc: Allow $3Google Chrome Frame to handle
+ the following content types.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameContentTypes/ChromeFrameContentTypes.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameContentTypes/ChromeFrameContentTypes.yaml
new file mode 100755
index 000000000..7f7bcc880
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameContentTypes/ChromeFrameContentTypes.yaml
@@ -0,0 +1,22 @@
+caption: Allow $3Google Chrome Frame to
+ handle the listed content types
+deprecated: true
+desc: |-
+ If this policy is set, the specified content types are handled by $3Google Chrome Frame.
+
+ If this policy is not set, the default renderer is used for all sites. (The ChromeFrameRendererSettings policy may be used to configure the default renderer.)
+example_value:
+- text/xml
+- application/xml
+features:
+ dynamic_refresh: false
+owners:
+- file://components/policy/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_frame:8-32
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/.group.details.yaml
new file mode 100755
index 000000000..0701acca5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/.group.details.yaml
@@ -0,0 +1,5 @@
+caption: Default HTML renderer for $3Google Chrome
+ Frame
+desc: |-
+ Allows you to configure the default HTML renderer when $3Google Chrome Frame is installed.
+ The default setting is to allow the host browser do the rendering, but you can optionally override this and have $3Google Chrome Frame render HTML pages by default.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/AdditionalLaunchParameters.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/AdditionalLaunchParameters.yaml
new file mode 100755
index 000000000..c6f3b8357
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/AdditionalLaunchParameters.yaml
@@ -0,0 +1,19 @@
+caption: Additional command line parameters for $1Google
+ Chrome
+deprecated: true
+desc: |-
+ Allows you to specify additional parameters that are used when $3Google Chrome Frame launches $1Google Chrome.
+
+ If this policy is not set the default command line will be used.
+example_value: --enable-media-stream --enable-media-source
+features:
+ dynamic_refresh: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome_frame:19-32
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/ChromeFrameRendererSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/ChromeFrameRendererSettings.yaml
new file mode 100755
index 000000000..cc8f30f66
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/ChromeFrameRendererSettings.yaml
@@ -0,0 +1,28 @@
+caption: Default HTML renderer for $3Google Chrome
+ Frame
+deprecated: true
+desc: |-
+ Allows you to configure the default HTML renderer when $3Google Chrome Frame is installed.
+ The default setting used when this policy is left not set is to allow the host browser do the rendering, but you can optionally override this and have $3Google Chrome Frame render HTML pages by default.
+example_value: 1
+features:
+ dynamic_refresh: false
+items:
+- caption: Use the host browser by default
+ name: RenderInHost
+ value: 0
+- caption: Use $3Google Chrome Frame by
+ default
+ name: RenderInChromeFrame
+ value: 1
+owners:
+- file://components/policy/OWNERS
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+supported_on:
+- chrome_frame:8-32
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/RenderInChromeFrameList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/RenderInChromeFrameList.yaml
new file mode 100755
index 000000000..833c5a9ef
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/RenderInChromeFrameList.yaml
@@ -0,0 +1,25 @@
+caption: Always render the following URL patterns in $3Google
+ Chrome Frame
+deprecated: true
+desc: |-
+ Customize the list of URL patterns that should always be rendered by $3Google Chrome Frame.
+
+ If this policy is not set the default renderer will be used for all sites as specified by the 'ChromeFrameRendererSettings' policy.
+
+ For example patterns see https://www.chromium.org/developers/how-tos/chrome-frame-getting-started.
+example_value:
+- https://www.example.com
+- https://www.example.edu
+features:
+ dynamic_refresh: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_frame:8-32
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/RenderInHostList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/RenderInHostList.yaml
new file mode 100755
index 000000000..cbbcb7ed6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/RenderInHostList.yaml
@@ -0,0 +1,24 @@
+caption: Always render the following URL patterns in the host browser
+deprecated: true
+desc: |-
+ Customize the list of URL patterns that should always be rendered by the host browser.
+
+ If this policy is not set the default renderer will be used for all sites as specified by the 'ChromeFrameRendererSettings' policy.
+
+ For example patterns see https://www.chromium.org/developers/how-tos/chrome-frame-getting-started.
+example_value:
+- https://www.example.com
+- https://www.example.edu
+features:
+ dynamic_refresh: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_frame:8-32
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/SkipMetadataCheck.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/SkipMetadataCheck.yaml
new file mode 100755
index 000000000..354ffbf95
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ChromeFrameRendererSettings/SkipMetadataCheck.yaml
@@ -0,0 +1,23 @@
+caption: Skip the meta tag check in $3Google Chrome
+ Frame
+deprecated: true
+desc: |-
+ Normally pages with X-UA-Compatible set to chrome=1 will be rendered in $3Google Chrome Frame regardless of the 'ChromeFrameRendererSettings' policy.
+
+ If you enable this setting, pages will not be scanned for meta tags.
+
+ If you disable this setting, pages will be scanned for meta tags.
+
+ If this policy is not set, pages will be scanned for meta tags.
+example_value: false
+features:
+ dynamic_refresh: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_frame:31-32
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/.group.details.yaml
new file mode 100755
index 000000000..3d633120b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/.group.details.yaml
@@ -0,0 +1,8 @@
+caption: Cloud Reporting
+desc: |-
+ Configure cloud reporting policies.
+
+ When the policy CloudReportingEnabled is left unset or set to disabled, these policies will be ignored.
+
+ These policies are only effective when the machine is enrolled with CloudManagementEnrollmentToken for $1Google Chrome.
+ These policies are always effective for $2Google ChromeOS.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudExtensionRequestEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudExtensionRequestEnabled.yaml
new file mode 100755
index 000000000..5b9fb4bc0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudExtensionRequestEnabled.yaml
@@ -0,0 +1,37 @@
+caption: Enables $1Google Chrome extension installation
+ requests
+default: false
+desc: |-
+ This policy controls $1Google Chrome extension installation requests which allows users to send the requests to the Google Admin console for approval.
+
+ When the policy CloudReportingEnabled is left unset or set to disabled, this policy will be ignored, extension installation requests are not created or uploaded.
+ When this policy is left unset or set to disabled, extension installation requests are not created or uploaded.
+ When this policy is set to enabled, extension installation requests are created and uploaded to Google Admin console.
+
+ Extension installation requests are created when users try to install an extension that is not allowed by ExtensionInstallAllowlist or ExtensionSettings.
+
+ This policy is only effective when the machine is enrolled with CloudManagementEnrollmentToken for $1Google Chrome.
+ This policy is always effective for $2Google ChromeOS.
+example_value: true
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Create and upload extension install requests to the Admin console
+ value: true
+- caption: Do not create or upload extension install requests to the Admin console
+ value: false
+owners:
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:85-
+- chrome_os:85-
+tags:
+- admin-sharing
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudProfileReportingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudProfileReportingEnabled.yaml
new file mode 100755
index 000000000..196665d92
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudProfileReportingEnabled.yaml
@@ -0,0 +1,37 @@
+caption: Enable $1Google Chrome cloud reporting for managed profile
+default: false
+desc: |-
+ This policy controls $1Google Chrome cloud reporting for a particular managed profile.
+
+ When this policy is left unset or set to Disabled, there is no data collected or uploaded.
+ When this policy is set to Enabled, the data is collected and uploaded to Google Admin console.
+
+ The report contains profile state and usage information, including but not limited to OS version, browser version, installed extensions and applied policies.
+
+ This policy can only be set as cloud user policy.
+example_value: true
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+ user_only: true
+supported_on:
+- chrome.*:124-
+- android:124-
+future_on:
+- chrome_os
+- fuchsia
+items:
+- caption: Enable managed profile cloud reporting
+ value: true
+- caption: Disable managed profile cloud reporting
+ value: false
+owners:
+- zmin@chromium.org
+- file://components/enterprise/browser/reporting/OWNERS
+schema:
+ type: boolean
+tags:
+- admin-sharing
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudReportingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudReportingEnabled.yaml
new file mode 100755
index 000000000..998cc6ca3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudReportingEnabled.yaml
@@ -0,0 +1,36 @@
+caption: Enables $1Google Chrome cloud reporting
+default: false
+desc: |-
+ This policy controls $1Google Chrome cloud reporting which uploads information about the browser operation to Google Admin console.
+
+ When this policy is left unset or set to Disabled, there is no data collected or uploaded.
+ When this policy is set to Enabled, the data is collected and uploaded to Google Admin console.
+
+ For $1Google Chrome, this policy is only effective when the machine is enrolled with CloudManagementEnrollmentToken.
+ For $2Google ChromeOS, this policy is always effective.
+example_value: true
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Enable managed browser cloud reporting
+ value: true
+- caption: Disable managed browser cloud reporting
+ value: false
+owners:
+- zmin@chromium.org
+- file://components/enterprise/browser/reporting/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:72-
+- chrome_os:81-
+- ios:88-
+- android:97-
+tags:
+- admin-sharing
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudReportingUploadFrequency.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudReportingUploadFrequency.yaml
new file mode 100755
index 000000000..5ea58a2a8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/CloudReportingUploadFrequency.yaml
@@ -0,0 +1,32 @@
+caption: Frequency of cloud reporting in hours
+default: 24
+desc: |-
+ Controls the frequency of Chrome status report uploads.
+
+ This includes reports that are enabled by CloudReportingEnabled.
+
+ When the policy is not set, reports are uploaded every 24 hours.
+ When the policy is set, the number of hours between two successive report uploads is defined by this policy.
+example_value: 12
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- zmin@chromium.org
+- file://components/enterprise/browser/reporting/OWNERS
+schema:
+ maximum: 24
+ minimum: 3
+ type: integer
+supported_on:
+- chrome.*:101-
+- chrome_os:101-
+- android:101-
+- ios:101-
+tags:
+- admin-sharing
+- google-sharing
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/LegacyTechReportAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/LegacyTechReportAllowlist.yaml
new file mode 100755
index 000000000..b23d0520c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/LegacyTechReportAllowlist.yaml
@@ -0,0 +1,40 @@
+caption: Specifies URLs that allow legacy technology report
+default: []
+desc: |-
+ Controls if a page that use legacy technologies will be reported based on its URL.
+
+ When policy is set, the URLs whose prefix match an allowlist entry will be used to generated report and uploaded. Unmatched URLs will be ignored.
+ When policy is not set or set to an empty list, no report will be generated.
+
+ The matching patterns use a similar format to those for the 'URLBlocklist' policy, which are documented at https://support.google.com/chrome/a?p=url_blocklist_filter_format. With a few exceptions below:
+ * No wildcard '*' support.
+ * Schema, port and query are ignored.
+ * At most 100 URLs can be added into the allowlist,
+
+ For $1Google Chrome, this policy is only effective when the machine is enrolled with CloudManagementEnrollmentToken.
+
+ More information about legacy technologies can be found at https://chromestatus.com/features.
+example_value:
+- example.com
+- www.example.edu/path
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome.*:119-
+- android:119-
+future_on:
+- chrome_os
+- fuchsia
+owners:
+- zmin@chromium.org
+- file://components/enterprise/browser/reporting/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+tags:
+- admin-sharing
+- google-sharing
+type: list
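Review bot: In the exceptions list of `desc`, `Schema, port and query are ignored` presumably means the URL scheme but reads as if it referred to the policy schema. `Scheme, port and query are ignored.` would be unambiguous, and it tells admins that http and https pages match the same allowlist entry. The last bullet ends in a comma instead of a period, and `will be used to generated report` should read `will be used to generate a report`. The stated cap of 100 URLs is not expressed in the `schema` block, so it is presumably enforced in code; a sentence saying what happens to entries past the limit would help whoever audits what gets reported.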
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportExtensionsAndPluginsData.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportExtensionsAndPluginsData.yaml
new file mode 100755
index 000000000..e401a20ad
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportExtensionsAndPluginsData.yaml
@@ -0,0 +1,32 @@
+caption: Report Extensions and Plugins information
+default: true
+desc: |-
+ This policy controls whether to report extensions and plugins information.
+
+ When the policy CloudReportingEnabled is left unset or set to disabled, this policy will be ignored.
+
+ When this policy is left unset or set to True, extension and plugins data are gathered.
+ When this policy is set to False, extensions and plugins data are not gathered.
+
+ This policy is only effective when the machine is enrolled with CloudManagementEnrollmentToken for $1Google Chrome.
+ This policy is always effective for $2Google ChromeOS.
+example_value: false
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome.*
+items:
+- caption: Enable reporting of extension and plugin information
+ value: true
+- caption: Disable reporting of extension and plugin information
+ value: false
+owners:
+- zmin@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+tags:
+- admin-sharing
+type: main
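Review bot: The `desc` says the policy is always effective for ChromeOS, yet the file has no `supported_on` and `future_on` lists only `chrome.*`, so the text and the platform metadata disagree. The same mismatch appears in ReportPolicyData.yaml, ReportUserIDData.yaml and ReportVersionData.yaml further down. Either drop the line `This policy is always effective for $2Google ChromeOS.` or name `chrome_os` in the platform lists. As written, an admin reviewing what a managed browser reports cannot tell from the file where the setting applies.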
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportMachineIDData.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportMachineIDData.yaml
new file mode 100755
index 000000000..f125ac311
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportMachineIDData.yaml
@@ -0,0 +1,31 @@
+caption: Report Machine Identification information
+default: true
+desc: |-
+ This policy controls whether to report information that can be used to identify machines, such as machine name and network addresses.
+
+ When the policy CloudReportingEnabled is left unset or set to disabled, this policy will be ignored.
+
+ When this policy is left unset or set to True, information that can be used to identify machines is gathered.
+ When this policy is set to False, information that can be used to identify machines is not gathered.
+
+ This policy is only effective when the machine is enrolled with CloudManagementEnrollmentToken for $1Google Chrome.
+example_value: false
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome.*
+items:
+- caption: Enable reporting of machine identification information
+ value: true
+- caption: Disable reporting of machine identification information
+ value: false
+owners:
+- zmin@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+tags:
+- admin-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportPolicyData.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportPolicyData.yaml
new file mode 100755
index 000000000..24b60a684
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportPolicyData.yaml
@@ -0,0 +1,32 @@
+caption: Report $1Google Chrome Policy Information
+default: true
+desc: |-
+ This policy controls whether to report policy data and time of policy fetch.
+
+ When the policy CloudReportingEnabled is left unset or set to disabled, this policy will be ignored.
+
+ When this policy is left unset or set to True, policy data and time of policy fetch are gathered.
+ When this policy is set to False, policy data and time of policy fetch are not gathered.
+
+ This policy is only effective when the machine is enrolled with CloudManagementEnrollmentToken for $1Google Chrome.
+ This policy is always effective for $2Google ChromeOS.
+example_value: false
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome.*
+items:
+- caption: Enable reporting of policy data
+ value: true
+- caption: Disable reporting of policy data
+ value: false
+owners:
+- zmin@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+tags:
+- admin-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportSafeBrowsingData.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportSafeBrowsingData.yaml
new file mode 100755
index 000000000..716b493b3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportSafeBrowsingData.yaml
@@ -0,0 +1,27 @@
+caption: Report Safe Browsing information
+deprecated: true
+desc: |-
+ This policy controls whether to report Safe Browsing information including the number of Safe Browsing warning and the number of safe browsering warning click through.
+
+ When the policy CloudReportingEnabled is left unset or set to disabled, this policy will be ignored.
+
+ When this policy is left unset or set to True, Safe Browsing data are gathered.
+ When this policy is set to False, Safe Browsing data are not gathered.
+
+ This policy is only effective when the machine is enrolled with CloudManagementEnrollmentToken for $1Google Chrome.
+ This policy is always effective for $2Google ChromeOS.
+example_value: false
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- zmin@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:72-84
+tags:
+- admin-sharing
+type: main
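Review bot: The first sentence of `desc` contains a typo and inconsistent number, `the number of Safe Browsing warning and the number of safe browsering warning click through`. Suggested wording: `the number of Safe Browsing warnings and the number of Safe Browsing warning click-throughs`. The policy is deprecated, but the text is still what admins see when auditing which data the reporting covered.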
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportUserIDData.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportUserIDData.yaml
new file mode 100755
index 000000000..0dde3d481
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportUserIDData.yaml
@@ -0,0 +1,32 @@
+caption: Report User Identification information
+default: true
+desc: |-
+ This policy controls whether to report information that can be used to identify users, such as OS login, $1Google Chrome Profile login, $1Google Chrome Profile name, $1Google Chrome Profile path and $1Google Chrome executable path.
+
+ When the policy CloudReportingEnabled is left unset or set to disabled, this policy will be ignored.
+
+ When this policy is left unset or set to True, information that can be used to identify users is gathered.
+ When this policy is set to False, information that can be used to identify users is not gathered.
+
+ This policy is only effective when the machine is enrolled with CloudManagementEnrollmentToken for $1Google Chrome.
+ This policy is always effective for $2Google ChromeOS.
+example_value: false
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome.*
+items:
+- caption: Enable reporting of user identification information
+ value: true
+- caption: Disable reporting of user identification information
+ value: false
+owners:
+- zmin@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+tags:
+- admin-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportVersionData.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportVersionData.yaml
new file mode 100755
index 000000000..8542ac834
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/ReportVersionData.yaml
@@ -0,0 +1,33 @@
+caption: Report OS and $1Google Chrome Version
+ Information
+default: true
+desc: |-
+ This policy controls whether to report version information, such as OS version, OS platform, OS architecture, $1Google Chrome version and $1Google Chrome channel.
+
+ When the policy CloudReportingEnabled is left unset or set to disabled, this policy will be ignored.
+
+ When this policy is left unset or set to True, version information is gathered.
+ When this policy is set to False, version information is not gathered.
+
+ This policy is only effective when the machine is enrolled with CloudManagementEnrollmentToken for $1Google Chrome.
+ This policy is always effective for $2Google ChromeOS.
+example_value: false
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome.*
+items:
+- caption: Enable reporting of version information
+ value: true
+- caption: Disable reporting of version information
+ value: false
+owners:
+- zmin@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+tags:
+- admin-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/policy_atomic_groups.yaml
new file mode 100755
index 000000000..31e627986
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudReporting/policy_atomic_groups.yaml
@@ -0,0 +1,12 @@
+CloudReporting:
+ caption: Cloud Reporting
+ policies:
+ - ReportVersionData
+ - ReportPolicyData
+ - ReportMachineIDData
+ - ReportUserIDData
+ - ReportExtensionsAndPluginsData
+ - CloudExtensionRequestEnabled
+ - CloudReportingEnabled
+ - CloudProfileReportingEnabled
+ - CloudReportingUploadFrequency
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudUpload/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudUpload/.group.details.yaml
new file mode 100755
index 000000000..d9bda446a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudUpload/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: CloudUpload
+desc: Controls settings related to the Cloud Upload feature.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudUpload/GoogleWorkspaceCloudUpload.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudUpload/GoogleWorkspaceCloudUpload.yaml
new file mode 100755
index 000000000..cd535bef3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudUpload/GoogleWorkspaceCloudUpload.yaml
@@ -0,0 +1,42 @@
+caption: Configures the Cloud Upload flow for Google Drive and Google Workspace
+default: allowed
+default_for_enterprise_users: disallowed
+desc: |-
+ This policy allows the admins to configure the Cloud Upload flow for Google Drive and Google Workspace on $2Google ChromeOS.
+
+ Setting the policy to 'allowed' lets the user set up the Cloud Upload flow for Google Drive and Google Workspace if they wish to.
+ After completing the setup process, files with matching file formats will by default be moved to Google Drive and handled by one of the Google Workspace apps when the user attempts to open them.
+
+ Setting the policy to 'disallowed' prohibits the user from setting up the Cloud Upload flow for Google Drive as described above and removes Google Workspace apps from the list of potential file handlers.
+
+ Setting the policy to 'automated' sets up the Cloud Upload flow for Google Drive and Google Workspace automatically, so that files with matching file formats will by default be moved to Google Drive and handled by one of the Google Workspace apps when the user attempts to open them.
+
+ Leaving the policy unset is functionally equivalent to setting it to 'allowed' for regular users; for enterprise users unset policy defaults to 'disallowed'.
+example_value: allowed
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow the Cloud Upload flow for Google Drive and Google Workspace
+ name: allowed
+ value: allowed
+- caption: Disallow the Cloud Upload flow for Google Drive and Google Workspace
+ name: disallowed
+ value: disallowed
+- caption: Automate the Cloud Upload flow for Google Drive and Google Workspace
+ name: automated
+ value: automated
+owners:
+- greengrape@google.com
+- file://chrome/browser/chromeos/enterprise/cloud_storage/OWNERS
+- cros-commercial-clippy-eng@google.com
+schema:
+ enum:
+ - allowed
+ - disallowed
+ - automated
+ type: string
+supported_on:
+- chrome_os:122-
+tags: []
+type: string-enum
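Review bot: `tags: []` leaves this policy without any data-sharing tag, although the `desc` says that with 'automated' (and with 'allowed' once the user completes setup) matching files are moved to Google Drive by default when opened. Other policies in this commit that send data to Google carry `google-sharing`; if the tags are meant to cover user files leaving the device, this one probably should too. MicrosoftOfficeCloudUpload.yaml below has the same empty `tags` while moving files to Microsoft OneDrive. The `desc` would also benefit from stating whether "moved" means the local copy is removed, since that affects data-loss-prevention and retention reviews.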
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudUpload/MicrosoftOfficeCloudUpload.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudUpload/MicrosoftOfficeCloudUpload.yaml
new file mode 100755
index 000000000..deb87096c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/CloudUpload/MicrosoftOfficeCloudUpload.yaml
@@ -0,0 +1,42 @@
+caption: Configures the Cloud Upload flow for Microsoft OneDrive and Microsoft 365
+default: allowed
+default_for_enterprise_users: disallowed
+desc: |-
+ This policy allows the admins to configure the Cloud Upload flow for Microsoft OneDrive and Microsoft 365 on $2Google ChromeOS.
+
+ Setting the policy to 'allowed' lets the user set up the Cloud Upload flow for Microsoft OneDrive and Microsoft 365 if they wish to.
+ After completing the setup process, files with matching file formats will by default be moved to Microsoft OneDrive and handled by the Microsoft 365 app when the user attempts to open them.
+
+ Setting the policy to 'disallowed' prohibits the user from setting up the Cloud Upload flow for Microsoft OneDrive and Microsoft 365 as described above and removes Microsoft 365 from the list of potential file handlers.
+
+ Setting the policy to 'automated' sets up the Cloud Upload flow for Microsoft OneDrive and Microsoft 365 automatically, so that files with matching file formats will by default be moved to Microsoft OneDrive and handled by the Microsoft 365 app when the user attempts to open them.
+
+ Leaving the policy unset is functionally equivalent to setting it to 'allowed' for regular users; for enterprise users unset policy defaults to 'disallowed'.
+example_value: allowed
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow the Cloud Upload flow for Microsoft OneDrive and Microsoft 365
+ name: allowed
+ value: allowed
+- caption: Disallow the Cloud Upload flow for Microsoft OneDrive and Microsoft 365
+ name: disallowed
+ value: disallowed
+- caption: Automate the Cloud Upload flow for Microsoft OneDrive and Microsoft 365
+ name: automated
+ value: automated
+owners:
+- greengrape@google.com
+- file://chrome/browser/chromeos/enterprise/cloud_storage/OWNERS
+- cros-commercial-clippy-eng@google.com
+schema:
+ enum:
+ - allowed
+ - disallowed
+ - automated
+ type: string
+supported_on:
+- chrome_os:122-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/.group.details.yaml
new file mode 100755
index 000000000..34a5d9113
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/.group.details.yaml
@@ -0,0 +1,3 @@
+caption: Content settings
+desc: Content settings allow you to specify how contents of a specific type (for example
+ Cookies, Images or JavaScript) is handled.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/AutoSelectCertificateForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/AutoSelectCertificateForUrls.yaml
new file mode 100755
index 000000000..403142970
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/AutoSelectCertificateForUrls.yaml
@@ -0,0 +1,55 @@
+caption: Automatically select client certificates for these sites
+desc: |-
+ Setting the policy lets you make a list of URL patterns that specify sites for which Chrome can automatically select a client certificate. The value is an array of stringified JSON dictionaries, each with the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a content setting pattern. $FILTER restricts the client certificates the browser automatically selects from. Independent of the filter, only certificates that match the server's certificate request are selected.
+
+ Examples for the usage of the $FILTER section:
+
+ * When $FILTER is set to { "ISSUER": { "CN": "$ISSUER_CN" } }, only client certificates issued by a certificate with the CommonName $ISSUER_CN are selected.
+
+ * When $FILTER contains both the "ISSUER" and the "SUBJECT" sections, only client certificates that satisfy both conditions are selected.
+
+ * When $FILTER contains a "SUBJECT" section with the "O" value, a certificate needs at least one organization matching the specified value to be selected.
+
+ * When $FILTER contains a "SUBJECT" section with a "OU" value, a certificate needs at least one organizational unit matching the specified value to be selected.
+
+ * When $FILTER is set to {}, the selection of client certificates is not additionally restricted. Note that filters provided by the web server still apply.
+
+ Leaving the policy unset means there's no autoselection for any site.
+example_value:
+- '{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer
+ name", "L": "certificate issuer location", "O": "certificate issuer org", "OU":
+ "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L":
+ "certificate subject location", "O": "certificate subject org", "OU": "certificate
+ subject org unit"}}}'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- miersh@google.com
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:15-
+- chrome_os:15-
+tags:
+- website-sharing
+type: list
+validation_schema:
+ items:
+ properties:
+ filter:
+ properties:
+ ISSUER:
+ $ref: CertPrincipalFields
+ SUBJECT:
+ $ref: CertPrincipalFields
+ type: object
+ pattern:
+ type: string
+ type: object
+ type: array
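Review bot: The `validation_schema` at the end of this file lists `pattern` and `filter` as properties but marks neither as required, so as far as this hunk shows an entry that omits `pattern` or misspells a key would still validate. If the schema dialect used here supports it, `required: [pattern, filter]` under `items` would catch that when the policy is loaded. Separately, the `desc` notes that a `{}` filter adds no restriction. A sentence advising admins to pair broad URL patterns with an ISSUER or SUBJECT filter would help, because the client certificate and the identity in it are otherwise presented to every matching site that requests one.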
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/AutomaticFullscreenAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/AutomaticFullscreenAllowedForUrls.yaml
new file mode 100755
index 000000000..ed2c4062c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/AutomaticFullscreenAllowedForUrls.yaml
@@ -0,0 +1,39 @@
+caption: Allow automatic fullscreen on these sites
+desc: |-
+ For security reasons, the
+ requestFullscreen() web API
+ requires a prior user gesture ("transient activation") to be called or will
+ otherwise fail. Users' personal settings may allow certain origins to call
+ this API without a prior user gesture, as described in
+ https://chromestatus.com/feature/6218822004768768.
+
+ This policy supersedes users' personal settings and allows matching origins to
+ call the API without a prior user gesture.
+
+ For detailed information on valid url patterns, please see
+ https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
+ Wildcards, *, are allowed.
+
+ Origins matching both blocked and allowed policy patterns will be blocked.
+ Origins not specified by policy nor user settings will require a prior user
+ gesture to call this API.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://third_party/blink/renderer/core/fullscreen/OWNERS
+- msw@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:124-
+- chrome_os:124-
+tags: []
+type: list
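Review bot: The `desc` says `Wildcards, *, are allowed` but never states what a broad pattern costs. Every origin that matches can enter fullscreen with no user gesture, which is exactly the protection the first paragraph says exists "for security reasons". I would add one sentence after the wildcard line, for example `Keep patterns as narrow as possible; a broad wildcard removes the user-gesture requirement for every matching origin.` The precedence rule in the last paragraph (blocked wins over allowed) is worth keeping next to that sentence, since it is the only backstop for an over-broad allow pattern.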
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/AutomaticFullscreenBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/AutomaticFullscreenBlockedForUrls.yaml
new file mode 100755
index 000000000..d242ca22a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/AutomaticFullscreenBlockedForUrls.yaml
@@ -0,0 +1,39 @@
+caption: Block automatic fullscreen on these sites
+desc: |-
+ For security reasons, the
+ requestFullscreen() web API
+ requires a prior user gesture ("transient activation") to be called or will
+ otherwise fail. Users' personal settings may allow certain origins to call
+ this API without a prior user gesture, as described in
+ https://chromestatus.com/feature/6218822004768768.
+
+ This policy supersedes users' personal settings and blocks matching origins
+ from calling the API without a prior user gesture.
+
+ For detailed information on valid url patterns, please see
+ https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
+ Wildcards, *, are allowed.
+
+ Origins matching both blocked and allowed policy patterns will be blocked.
+ Origins not specified by policy nor user settings will require a prior user
+ gesture to call this API.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://third_party/blink/renderer/core/fullscreen/OWNERS
+- msw@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:124-
+- chrome_os:124-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ClipboardAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ClipboardAllowedForUrls.yaml
new file mode 100755
index 000000000..19e786dc9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ClipboardAllowedForUrls.yaml
@@ -0,0 +1,28 @@
+caption: Allow clipboard on these sites
+desc: |-
+ Setting the policy lets you set a list of URL patterns that specify sites that can use the clipboard site permission. This does not include all clipboard operations on origins matching the patterns. For instance, users will still be able to paste using keyboard shortcuts as this isn't gated by the clipboard site permission.
+
+
+ Leaving the policy unset means DefaultClipboardSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- domfc@chromium.org
+- file://components/content_settings/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:103-
+- chrome_os:103-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ClipboardBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ClipboardBlockedForUrls.yaml
new file mode 100755
index 000000000..9e148709c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ClipboardBlockedForUrls.yaml
@@ -0,0 +1,27 @@
+caption: Block clipboard on these sites
+desc: |-
+ Setting the policy lets you set a list of URL patterns that specify sites that can't use the clipboard site permission. This does not include all clipboard operations on origins matching the patterns. For instance, users will still be able to paste using keyboard shortcuts as this isn't gated by the clipboard site permission.
+
+ Leaving the policy unset means DefaultClipboardSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- domfc@chromium.org
+- file://components/content_settings/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:103-
+- chrome_os:103-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/CookiesAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/CookiesAllowedForUrls.yaml
new file mode 100755
index 000000000..7f567d8ee
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/CookiesAllowedForUrls.yaml
@@ -0,0 +1,38 @@
+caption: Allow cookies on these sites
+desc: |-
+ Allows you to set a list of url patterns that specify sites which are allowed to set cookies.
+
+ URL patterns may be a single URL indicating that the site may use cookies on all top-level sites.
+
+ Patterns may also be two URLs delimited by a comma. The first specifies the site that should be allowed to use cookies. The second specifies the top-level site that the first value should be applied on.
+
+ If you use a pair of URLs, the first value in the pair supports * but the second value does not. Using * for the first value indicates that all sites may use cookies when the second URL is the top-level site.
+
+ If this policy is left not set the global default value will be used for all sites either from the DefaultCookiesSetting or BlockThirdPartyCookies policies if they are set, or the user's personal configuration otherwise.
+
+ See also policies CookiesBlockedForUrls and CookiesSessionOnlyForUrls. Note that there must be no conflicting URL patterns between these three policies - it is unspecified which policy takes precedence.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+- https://www.example.com/,https://www.toplevel.com/
+- '*,https://www.toplevel.com/'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- dullweber@google.com
+- file://components/content_settings/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:11-
+- chrome_os:11-
+- android:30-
+tags: []
+type: list
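Review bot: The last paragraph of `desc` states `* is not an accepted value for this policy`, yet the fourth paragraph says the first value of a pair supports `*`, and `example_value` contains `'*,https://www.toplevel.com/'`. Presumably only a bare `*` entry is rejected; the text should say so, for example `A bare * is not an accepted value; * is only valid as the first value of a pair.` The description also leaves it unspecified which of this policy, CookiesBlockedForUrls and CookiesSessionOnlyForUrls wins on a conflict. An admin who relies on a block pattern therefore cannot tell from this file whether an overlapping allow pattern overrides it.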
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/CookiesBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/CookiesBlockedForUrls.yaml
new file mode 100755
index 000000000..0423464bb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/CookiesBlockedForUrls.yaml
@@ -0,0 +1,30 @@
+caption: Block cookies on these sites
+desc: |-
+ Setting the policy lets you make a list of URL patterns that specify sites that can't set cookies.
+
+ Leaving the policy unset results in the use of DefaultCookiesSetting for all sites, if it's set. If not, the user's personal setting applies.
+
+ While no specific policy takes precedence, see CookiesAllowedForUrls and CookiesSessionOnlyForUrls. URL patterns among these 3 policies must not conflict.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- dullweber@google.com
+- file://components/content_settings/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:11-
+- chrome_os:11-
+- android:30-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/CookiesSessionOnlyForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/CookiesSessionOnlyForUrls.yaml
new file mode 100755
index 000000000..3ccedd242
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/CookiesSessionOnlyForUrls.yaml
@@ -0,0 +1,30 @@
+caption: Limit cookies from matching URLs to the current session
+desc: |-
+ Unless the RestoreOnStartup policy is set to permanently restore URLs from previous sessions, then setting CookiesSessionOnlyForUrls lets you make a list of URL patterns that specify sites that can and can't set cookies for one session.
+
+ Leaving the policy unset results in the use of DefaultCookiesSetting for all sites, if it's set. If not, the user's personal setting applies. URLs not covered by the patterns specified also result in the use of defaults.
+
+ While no specific policy takes precedence, see CookiesBlockedForUrls and CookiesAllowedForUrls. URL patterns among these 3 policies must not conflict.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- dullweber@google.com
+- file://components/content_settings/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:11-
+- chrome_os:11-
+- android:30-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DataUrlInSvgUseEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DataUrlInSvgUseEnabled.yaml
new file mode 100755
index 000000000..a363d10ad
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DataUrlInSvgUseEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Data URL support for SVGUseElement.
+default: false
+example_value: false
+desc: |-
+ This policy enables Data URL support for SVGUseElement, which will be disabled
+ by default starting in M119.
+ If this policy is set to Enabled, Data URLs will continue to work in SVGUseElement.
+ If this policy is set to Disabled or not set, Data URLs won't work in SVGUseElement.
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable Data URL support in SVGUseElement.
+ value: true
+- caption: Disable Data URL support in SVGUseElement.
+ value: false
+owners:
+- jkokatsu@google.com
+- chrome-security-owp-team@google.com
+schema:
+ type: boolean
+future_on:
+- fuchsia
+supported_on:
+- chrome.*:120-
+- chrome_os:120-
+- android:120-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultClipboardSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultClipboardSetting.yaml
new file mode 100755
index 000000000..b8bd01e87
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultClipboardSetting.yaml
@@ -0,0 +1,34 @@
+caption: Default clipboard setting
+default: null
+desc: |-
+ Setting the policy to 2 blocks sites from using the clipboard site permission. Setting the policy to 3 or leaving it unset lets the user change the setting and decide if the clipboard APIs are available when a site wants to use one.
+
+ This policy can be overridden for specific URL patterns using the ClipboardAllowedForUrls and ClipboardBlockedForUrls policies.
+
+ This policy only affects clipboard operations controlled by the clipboard site permission, and does not affect sanitized clipboard writes or trusted copy and paste operations.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Do not allow any site to use the clipboard site permission
+ name: BlockClipboard
+ value: 2
+- caption: Allow sites to ask the user to grant the clipboard site permission
+ name: AskClipboard
+ value: 3
+owners:
+- domfc@chromium.org
+- file://components/content_settings/OWNERS
+schema:
+ enum:
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome.*:103-
+- chrome_os:103-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultCookiesSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultCookiesSetting.yaml
new file mode 100755
index 000000000..17ef44532
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultCookiesSetting.yaml
@@ -0,0 +1,38 @@
+caption: Default cookies setting
+desc: |-
+ Unless the RestoreOnStartup policy is set to permanently restore URLs from previous sessions, then setting CookiesSessionOnlyForUrls lets you make a list of URL patterns that specify sites that can and can't set cookies for one session.
+
+ Leaving the policy unset results in the use of DefaultCookiesSetting for all sites, if it's set. If not, the user's personal setting applies. URLs not covered by the patterns specified also result in the use of defaults.
+
+ While no specific policy takes precedence, see CookiesBlockedForUrls and CookiesAllowedForUrls. URL patterns among these 3 policies must not conflict.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow all sites to set local data
+ name: AllowCookies
+ value: 1
+- caption: Do not allow any site to set local data
+ name: BlockCookies
+ value: 2
+- caption: Keep cookies for the duration of the session
+ name: SessionOnly
+ value: 4
+owners:
+- dullweber@google.com
+- file://components/content_settings/OWNERS
+schema:
+ enum:
+ - 1
+ - 2
+ - 4
+ type: integer
+supported_on:
+- chrome.*:10-
+- chrome_os:11-
+- android:30-
+tags: []
+type: int-enum
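Review bot: The `desc` in this file describes CookiesSessionOnlyForUrls, not DefaultCookiesSetting. It is word for word the first three paragraphs of CookiesSessionOnlyForUrls.yaml, and its second paragraph says that leaving the policy unset "results in the use of DefaultCookiesSetting", which is the policy itself. None of the three values in `items` (1, 2, 4) is explained, so an admin cannot tell from the description what the default will be or what happens when it is unset. The text should state what each value does, along the lines of `Setting the policy to 1 lets all sites set local data, 2 blocks it, and 4 keeps cookies only for the duration of the session.` The file also has no `default:` key, unlike most of the neighbouring Default*Setting files; if this tree is an unmodified upstream snapshot, both fixes belong upstream.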
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultDirectSocketsSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultDirectSocketsSetting.yaml
new file mode 100755
index 000000000..d78164856
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultDirectSocketsSetting.yaml
@@ -0,0 +1,35 @@
+caption: Control use of the Direct Sockets API
+default: null
+desc: |-
+ The Direct Sockets API allows communication with arbitrary endpoints using TCP and UDP.
+ Please see https://github.com/WICG/direct-sockets for details.
+
+ Setting the policy to 1 allows qualifying origins to use Direct Sockets.
+ These include Chrome Apps, Isolated Web Apps and Web Kiosks; the API is never available on the open web.
+
+ Setting the policy to 2 blocks origins from using Direct Sockets.
+
+ Leaving it unset allows Direct Sockets.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome.*
+- chrome_os
+items:
+- caption: Allow qualifying origins to use Direct Sockets
+ name: AllowDirectSockets
+ value: 1
+- caption: Do not allow origins to use Direct Sockets
+ name: BlockDirectSockets
+ value: 2
+owners:
+- file://content/browser/direct_sockets/OWNERS
+schema:
+ enum:
+ - 1
+ - 2
+ type: integer
+tags: []
+type: int-enum
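Review bot: `desc` ends with `Leaving it unset allows Direct Sockets`, so the unset state grants an API that, per the first line, communicates with arbitrary TCP and UDP endpoints. The text does not say whether users can change that, unlike the other Default*Setting descriptions in this commit. I would make the deny path explicit, for example `Set this policy to 2 to block the API; when unset, qualifying origins can use it and users cannot/can change this.`, with the user-control half filled in once confirmed. The file lists only `future_on` and no `supported_on`, so the policy is presumably not yet honoured on release builds; confirm that before relying on value 2 as a control.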
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultFileHandlingGuardSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultFileHandlingGuardSetting.yaml
new file mode 100755
index 000000000..3bf82b0fd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultFileHandlingGuardSetting.yaml
@@ -0,0 +1,33 @@
+caption: Control use of the File Handling API
+default: null
+deprecated: true
+desc: |-
+ Setting the policy to AskFileHandling lets web apps ask for access to file types via the File Handling API. Setting the policy to BlockFileHandling denies access to file types.
+
+ Leaving it unset lets web apps ask for access, but users can change this setting.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Do not allow any web app to access file types via the File Handling API
+ name: BlockFileHandling
+ value: 2
+- caption: Allow web apps to ask the user to grant access to file types via the File
+ Handling API
+ name: AskFileHandling
+ value: 3
+owners:
+- estade@chromium.org
+- cmp@chromium.org
+schema:
+ enum:
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:91-96
+- chrome.*:91-96
+tags:
+- website-sharing
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultFileSystemReadGuardSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultFileSystemReadGuardSetting.yaml
new file mode 100755
index 000000000..31d2e277a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultFileSystemReadGuardSetting.yaml
@@ -0,0 +1,35 @@
+caption: Control use of the File System API for reading
+default: null
+desc: |-
+ Setting the policy to 3 lets websites ask for read access to files and directories in the host operating system's file system via the File System API. Setting the policy to 2 denies access.
+
+ Leaving it unset lets websites ask for access, but users can change this setting.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Do not allow any site to request read access to files and directories via
+ the File System API
+ name: BlockFileSystemRead
+ value: 2
+- caption: Allow sites to ask the user to grant read access to files and directories
+ via the File System API
+ name: AskFileSystemRead
+ value: 3
+owners:
+- mek@chromium.org
+- file://content/browser/file_system_access/OWNERS
+schema:
+ enum:
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:86-
+- chrome.*:86-
+tags:
+- website-sharing
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultFileSystemWriteGuardSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultFileSystemWriteGuardSetting.yaml
new file mode 100755
index 000000000..bb4f61c29
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultFileSystemWriteGuardSetting.yaml
@@ -0,0 +1,33 @@
+caption: Control use of the File System API for writing
+default: null
+desc: |-
+ Setting the policy to 3 lets websites ask for write access to files and directories in the host operating system's file system. Setting the policy to 2 denies access.
+
+ Leaving it unset lets websites ask for access, but users can change this setting.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Do not allow any site to request write access to files and directories
+ name: BlockFileSystemWrite
+ value: 2
+- caption: Allow sites to ask the user to grant write access to files and directories
+ name: AskFileSystemWrite
+ value: 3
+owners:
+- mek@chromium.org
+- file://content/browser/file_system_access/OWNERS
+schema:
+ enum:
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:86-
+- chrome.*:86-
+tags:
+- website-sharing
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultGeolocationSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultGeolocationSetting.yaml
new file mode 100755
index 000000000..14f4288bd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultGeolocationSetting.yaml
@@ -0,0 +1,42 @@
+arc_support: (Warning! Soon this dependency will be dropped, please start using GoogleLocationServicesEnabled instead) If this policy is set to BlockGeolocation,
+ $2Google ChromeOS system services and Android apps cannot access location information. If you set this policy to any other
+ value or leave it unset, the user is asked to allow when an Android app wants
+ to access location information.
+caption: Default geolocation setting
+default: null
+desc: |-
+ Setting the policy to 1 lets sites track the users' physical location as the default state. Setting the policy to 2 denies this tracking by default. You can set the policy to ask whenever a site wants to track the users' physical location.
+
+ Leaving the policy unset means the AskGeolocation policy applies, but users can change this setting.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow sites to track the users' physical location
+ name: AllowGeolocation
+ value: 1
+- caption: Do not allow any site to track the users' physical location
+ name: BlockGeolocation
+ value: 2
+- caption: Ask whenever a site wants to track the users' physical location
+ name: AskGeolocation
+ value: 3
+owners:
+- engedy@chromium.org
+- file://components/permissions/PERMISSIONS_OWNERS
+schema:
+ enum:
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome.*:10-
+- chrome_os:11-
+- android:30-
+tags:
+- website-sharing
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultImagesSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultImagesSetting.yaml
new file mode 100755
index 000000000..f42045ef0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultImagesSetting.yaml
@@ -0,0 +1,32 @@
+caption: Default images setting
+default: null
+desc: |-
+ Setting the policy to 1 lets all websites display images. Setting the policy to 2 denies image display.
+
+ Leaving it unset allows images, but users can change this setting.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow all sites to show all images
+ name: AllowImages
+ value: 1
+- caption: Do not allow any site to show images
+ name: BlockImages
+ value: 2
+owners:
+- engedy@chromium.org
+- file://components/content_settings/OWNERS
+schema:
+ enum:
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:10-
+- chrome_os:11-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultInsecureContentSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultInsecureContentSetting.yaml
new file mode 100755
index 000000000..8082274b8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultInsecureContentSetting.yaml
@@ -0,0 +1,34 @@
+caption: Control use of insecure content exceptions
+default: 3
+desc: |-
+ Allows you to set whether users can add exceptions to allow mixed content for specific sites.
+
+ This policy can be overridden for specific URL patterns using the 'InsecureContentAllowedForUrls' and 'InsecureContentBlockedForUrls' policies.
+
+ If this policy is left not set, users will be allowed to add exceptions to allow blockable mixed content and disable autoupgrades for optionally blockable mixed content.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Do not allow any site to load mixed content
+ name: BlockInsecureContent
+ value: 2
+- caption: Allow users to add exceptions to allow mixed content
+ name: AllowExceptionsInsecureContent
+ value: 3
+owners:
+- carlosil@chromium.org
+- estark@chromium.org
+schema:
+ enum:
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome.*:79-
+- chrome_os:79-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultJavaScriptJitSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultJavaScriptJitSetting.yaml
new file mode 100755
index 000000000..c1bc7c09a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultJavaScriptJitSetting.yaml
@@ -0,0 +1,37 @@
+caption: Control use of JavaScript JIT
+default: 1
+desc: |-
+ Allows you to set whether $1Google Chrome will run the v8 JavaScript engine with JIT (Just In Time) compiler enabled or not.
+
+ Disabling the JavaScript JIT will mean that $1Google Chrome may render web content more slowly, and may also disable parts of JavaScript including WebAssembly. Disabling the JavaScript JIT may allow $1Google Chrome to render web content in a more secure configuration.
+
+ This policy can be overridden for specific URL patterns using the JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies.
+
+ If this policy is left not set, JavaScript JIT is enabled.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow any site to run JavaScript JIT
+ name: AllowJavaScriptJit
+ value: 1
+- caption: Do not allow any site to run JavaScript JIT
+ name: BlockJavaScriptJit
+ value: 2
+owners:
+- wfh@chromium.org
+- nasko@chromium.org
+schema:
+ enum:
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:93-
+- chrome_os:93-
+- android:93-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultJavaScriptOptimizerSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultJavaScriptOptimizerSetting.yaml
new file mode 100755
index 000000000..2aa6c15cd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultJavaScriptOptimizerSetting.yaml
@@ -0,0 +1,44 @@
+caption: Control use of JavaScript optimizers
+default: 1
+desc: |-
+ Allows you to set whether $1Google Chrome
+ will run the v8 JavaScript engine with more advanced JavaScript optimizations enabled.
+
+ Disabling JavaScript optimizations (by setting this policy's value to 2) will
+ mean that $1Google Chrome may render web
+ content more slowly.
+
+ This policy can be overridden for specific URL patterns using the
+ JavaScriptOptimizerAllowedForSites and
+ JavaScriptOptimizerBlockedForSites policies.
+
+ If this policy is left not set, JavaScript optimizations are enabled.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- android
+- chrome.*
+- chrome_os
+- fuchsia
+items:
+- caption: Enable advanced JavaScript optimizations on all sites
+ name: AllowJavaScriptOptimizer
+ value: 1
+- caption: Disable advanced JavaScript optimizations on all sites
+ name: BlockJavaScriptOptimizer
+ value: 2
+owners:
+- ellyjones@chromium.org
+- wfh@chromium.org
+- nasko@chromium.org
+schema:
+ enum:
+ - 1
+ - 2
+ type: integer
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultJavaScriptSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultJavaScriptSetting.yaml
new file mode 100755
index 000000000..f90ddf62c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultJavaScriptSetting.yaml
@@ -0,0 +1,33 @@
+caption: Default JavaScript setting
+default: null
+desc: |-
+ Setting the policy to 1 lets websites run JavaScript. Setting the policy to 2 denies JavaScript.
+
+ Leaving it unset allows JavaScript, but users can change this setting.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow all sites to run JavaScript
+ name: AllowJavaScript
+ value: 1
+- caption: Do not allow any site to run JavaScript
+ name: BlockJavaScript
+ value: 2
+owners:
+- engedy@chromium.org
+- file://components/content_settings/OWNERS
+schema:
+ enum:
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:10-
+- chrome_os:11-
+- android:30-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultKeygenSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultKeygenSetting.yaml
new file mode 100755
index 000000000..6722a1b7d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultKeygenSetting.yaml
@@ -0,0 +1,34 @@
+caption: Default key generation setting
+deprecated: true
+desc: |-
+ Allows you to set whether websites are allowed to use key generation. Using key generation can be either allowed for all websites or denied for all websites.
+
+ If this policy is left not set, 'BlockKeygen' will be used and the user will be able to change it.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow all sites to use key generation
+ name: AllowKeygen
+ value: 1
+- caption: Do not allow any site to use key generation
+ name: BlockKeygen
+ value: 2
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ enum:
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:49-56
+- chrome_os:49-56
+- android:49-56
+tags:
+- system-security
+- website-sharing
+- local-data-access
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultLocalFontsSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultLocalFontsSetting.yaml
new file mode 100755
index 000000000..fd38a1572
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultLocalFontsSetting.yaml
@@ -0,0 +1,34 @@
+caption: Default Local Fonts permission setting
+default: null
+desc: |-
+ Setting the policy to BlockLocalFonts (value 2) automatically denies the local fonts permission to sites by default. This will limit the ability of sites to see information about local fonts.
+
+ Setting the policy to AskLocalFonts (value 3) will prompt the user when the local fonts permission is requested by default. If users allow the permission, it will extend the ability of sites to see information about local fonts.
+
+ Leaving the policy unset means the default behavior applies which is to prompt the user, but users can change this setting
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Denies the Local Fonts permission on all sites by default
+ name: BlockLocalFonts
+ value: 2
+- caption: Ask every time a site wants obtain the Local Fonts permission
+ name: AskLocalFonts
+ value: 3
+owners:
+- dslee@chromium.org
+- storage-dev@chromium.org
+schema:
+ enum:
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome.*:103-
+- chrome_os:103-
+tags: []
+type: int-enum
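Review bot: The AskLocalFonts caption reads `Ask every time a site wants obtain the Local Fonts permission`; it should say `wants to obtain`. The last sentence of `desc` ("...but users can change this setting") is also missing its closing period. The same `wants obtain` wording appears in the AskWindowManagement and AskWindowPlacement captions later in this patch.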
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultMediaStreamSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultMediaStreamSetting.yaml
new file mode 100755
index 000000000..7e094973f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultMediaStreamSetting.yaml
@@ -0,0 +1,31 @@
+caption: Default mediastream setting
+deprecated: true
+desc: |-
+ Allows you to set whether websites are allowed to get access to media capture devices. Access to media capture devices can be allowed by default, or the user can be asked every time a website wants to get access to media capture devices.
+
+ If this policy is left not set, 'PromptOnAccess' will be used and the user will be able to change it.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Do not allow any site to access the camera and microphone
+ name: BlockAccess
+ value: 2
+- caption: Ask every time a site wants to access the camera and/or microphone
+ name: PromptOnAccess
+ value: 3
+owners:
+- engedy@chromium.org
+- file://components/permissions/PERMISSIONS_OWNERS
+schema:
+ enum:
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome.*:22-
+- chrome_os:22-
+tags:
+- website-sharing
+type: int-enum
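Review bot: The `desc` says access to media capture devices "can be allowed by default", but `items` and `schema.enum` only offer 2 (BlockAccess) and 3 (PromptOnAccess), so there is no allow value an administrator could set. The sentence should match the enum, for example `Access to media capture devices can be blocked by default, or the user can be asked every time a website wants to get access to media capture devices.` The file is also marked `deprecated: true` while `supported_on` stays open-ended (`chrome.*:22-`) and the text names no replacement. A one-line pointer to the successor policy would help anyone still relying on this one for camera and microphone control.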
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultNotificationsSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultNotificationsSetting.yaml
new file mode 100755
index 000000000..187d7324e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultNotificationsSetting.yaml
@@ -0,0 +1,36 @@
+caption: Default notification setting
+default: null
+desc: |-
+ Setting the policy to 1 lets websites display desktop notifications. Setting the policy to 2 denies desktop notifications.
+
+ Leaving it unset means AskNotifications applies, but users can change this setting.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow sites to show desktop notifications
+ name: AllowNotifications
+ value: 1
+- caption: Do not allow any site to show desktop notifications
+ name: BlockNotifications
+ value: 2
+- caption: Ask every time a site wants to show desktop notifications
+ name: AskNotifications
+ value: 3
+owners:
+- engedy@chromium.org
+- file://components/permissions/PERMISSIONS_OWNERS
+schema:
+ enum:
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome.*:10-
+- chrome_os:11-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultPluginsSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultPluginsSetting.yaml
new file mode 100755
index 000000000..568cbf347
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultPluginsSetting.yaml
@@ -0,0 +1,37 @@
+caption: Default Flash setting
+deprecated: true
+desc: |-
+ This policy is deprecated in M88, Flash is no longer supported by Chrome. Setting the policy to 1 lets you set whether all websites can automatically run the Flash plugin. Setting the policy to 2 denies this plugin for all websites. Click to play lets the Flash plugin run, but users click on the placeholder to start it.
+
+ Leaving the policy unset uses BlockPlugins and lets users change this setting.
+
+ Note: Automatic playback is only for domains explicitly listed in the PluginsAllowedForUrls policy. To turn automatic playback on for all sites, add http://* and https://* to this list.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow all sites to automatically run the Flash
+ plugin
+ name: AllowPlugins
+ value: 1
+- caption: Block the Flash plugin
+ name: BlockPlugins
+ value: 2
+- caption: Click to play
+ name: ClickToPlay
+ value: 3
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ enum:
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome.*:10-87
+- chrome_os:11-87
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultPopupsSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultPopupsSetting.yaml
new file mode 100755
index 000000000..525c70016
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultPopupsSetting.yaml
@@ -0,0 +1,34 @@
+caption: Default pop-ups setting
+default: null
+desc: |-
+ Setting the policy to 1 lets websites display pop-ups. Setting the policy to 2 denies pop-ups.
+
+ Leaving it unset means BlockPopups applies, but users can change this setting.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow all sites to show pop-ups
+ name: AllowPopups
+ value: 1
+- caption: Do not allow any site to show pop-ups
+ name: BlockPopups
+ value: 2
+owners:
+- engedy@chromium.org
+- file://components/permissions/PERMISSIONS_OWNERS
+schema:
+ enum:
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:10-
+- chrome_os:11-
+- android:33-
+- ios:88-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultSensorsSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultSensorsSetting.yaml
new file mode 100755
index 000000000..78f237dad
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultSensorsSetting.yaml
@@ -0,0 +1,33 @@
+caption: Default sensors setting
+default: null
+desc: |-
+ Setting the policy to 1 lets websites access and use sensors such as motion and light. Setting the policy to 2 denies access to sensors.
+
+ Leaving it unset means AllowSensors applies, but users can change this setting.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow sites to access sensors
+ name: AllowSensors
+ value: 1
+- caption: Do not allow any site to access sensors
+ name: BlockSensors
+ value: 2
+owners:
+- file://third_party/blink/renderer/modules/sensor/OWNERS
+- reillyg@chromium.org
+schema:
+ enum:
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:88-
+- chrome_os:88-
+- android:88-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultSerialGuardSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultSerialGuardSetting.yaml
new file mode 100755
index 000000000..f54a2d162
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultSerialGuardSetting.yaml
@@ -0,0 +1,33 @@
+caption: Control use of the Serial API
+default: null
+desc: |-
+ Setting the policy to 3 lets websites ask for access to serial ports. Setting the policy to 2 denies access to serial ports.
+
+ Leaving it unset lets websites ask for access, but users can change this setting.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Do not allow any site to request access to serial ports via the Serial
+ API
+ name: BlockSerial
+ value: 2
+- caption: Allow sites to ask the user to grant access to a serial port
+ name: AskSerial
+ value: 3
+owners:
+- reillyg@chromium.org
+schema:
+ enum:
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:86-
+- chrome.*:86-
+tags:
+- website-sharing
+type: int-enum
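Review bot: `desc` does not mention that this default can be overridden per URL, whereas DefaultWebHidGuardSetting.yaml in this patch ends with a sentence naming WebHidAskForUrls and WebHidBlockedForUrls. If the Serial counterparts apply here, add `This policy can be overridden for specific url patterns using the SerialAskForUrls and SerialBlockedForUrls policies.` so that an administrator setting BlockSerial knows it is not the only control in play. The DefaultWebUsbGuardSetting.yaml description has the same gap.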
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultThirdPartyStoragePartitioningSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultThirdPartyStoragePartitioningSetting.yaml
new file mode 100755
index 000000000..773c89511
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultThirdPartyStoragePartitioningSetting.yaml
@@ -0,0 +1,35 @@
+caption: Default third-party storage partitioning setting
+default: null
+desc: |-
+ Third-party storage partitioning is on by default for some users as of M113, but can be disabled via Chrome flag.
+ If this policy is set to AllowPartitioning or unset, third-party storage partitioning may be enabled.
+ If this policy is set to BlockPartitioning, third-party storage partitioning cannot be enabled.
+ For detailed information on third-party storage partitioning, please see https://developer.chrome.com/docs/privacy-sandbox/storage-partitioning/.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow third-party storage partitioning to be enabled.
+ name: AllowPartitioning
+ value: 1
+- caption: Block third-party storage partitioning from being enabled.
+ name: BlockPartitioning
+ value: 2
+owners:
+- arichiv@chromium.org
+- potassium-katabolism@google.com
+schema:
+ enum:
+ - 1
+ - 2
+ type: integer
+supported_on:
+# TODO(crbug.com/40896849): Deprecate this when origin trial ends (likely M123)
+- android:113-
+- chrome.*:113-
+- chrome_os:113-
+tags: []
+type: int-enum
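Review bot: The TODO above `supported_on` expects deprecation around M123, yet this snapshot is for 130.0.6723.73 and the ranges are still open-ended (`android:113-`, `chrome.*:113-`, `chrome_os:113-`) with no `deprecated` key. Either the comment or the ranges look stale, and the comment should carry the current target milestone. Because BlockPartitioning switches off a storage isolation boundary, `desc` could also say so directly, e.g. `Setting BlockPartitioning lets embedded third-party content use unpartitioned storage across top-level sites.`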
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebBluetoothGuardSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebBluetoothGuardSetting.yaml
new file mode 100755
index 000000000..946b212f7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebBluetoothGuardSetting.yaml
@@ -0,0 +1,35 @@
+caption: Control use of the Web Bluetooth API
+default: null
+desc: |-
+ Setting the policy to 3 lets websites ask for access to nearby Bluetooth devices. Setting the policy to 2 denies access to nearby Bluetooth devices.
+
+ Leaving the policy unset lets sites ask for access, but users can change this setting.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Do not allow any site to request access to Bluetooth devices via the Web
+ Bluetooth API
+ name: BlockWebBluetooth
+ value: 2
+- caption: Allow sites to ask the user to grant access to a nearby Bluetooth device
+ name: AskWebBluetooth
+ value: 3
+owners:
+- engedy@chromium.org
+- file://components/permissions/PERMISSIONS_OWNERS
+schema:
+ enum:
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:50-
+- android:50-
+- chrome.*:50-
+tags:
+- website-sharing
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebHidGuardSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebHidGuardSetting.yaml
new file mode 100755
index 000000000..d05907ab9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebHidGuardSetting.yaml
@@ -0,0 +1,35 @@
+caption: Control use of the WebHID API
+default: null
+desc: |-
+ Setting the policy to 3 lets websites ask for access to HID devices. Setting the policy to 2 denies access to HID devices.
+
+ Leaving it unset lets websites ask for access, but users can change this setting.
+
+ This policy can be overridden for specific url patterns using the WebHidAskForUrls and WebHidBlockedForUrls policies.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Do not allow any site to request access to HID devices via the WebHID API
+ name: BlockWebHid
+ value: 2
+- caption: Allow sites to ask the user to grant access to a HID device
+ name: AskWebHid
+ value: 3
+owners:
+- mattreynolds@chromium.org
+- file://third_party/blink/renderer/modules/hid/OWNERS
+schema:
+ enum:
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:100-
+- chrome.*:100-
+tags:
+- website-sharing
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebPrintingSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebPrintingSetting.yaml
new file mode 100755
index 000000000..18d334274
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebPrintingSetting.yaml
@@ -0,0 +1,30 @@
+caption: Control use of the WebPrinting API
+default: null
+desc: |-
+ Setting the policy to 2 automatically blocks sites from using the WebPrinting API.
+
+ Setting the policy to 3 will prompt the user when a site wants to use the WebPrinting API.
+
+ Leaving it unset lets websites ask for local printer access, but users can change this setting.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome_os
+items:
+- caption: Do not allow any site to request access to local printers via the WebPrinting API
+ name: BlockWebPrinting
+ value: 2
+- caption: Allow sites to ask the user to grant access to local printers via the WebPrinting API
+ name: AskWebPrinting
+ value: 3
+owners:
+- file://chrome/browser/printing/web_api/OWNERS
+schema:
+ enum:
+ - 2
+ - 3
+ type: integer
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebUsbGuardSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebUsbGuardSetting.yaml
new file mode 100755
index 000000000..3f57f00c3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWebUsbGuardSetting.yaml
@@ -0,0 +1,34 @@
+caption: Control use of the WebUSB API
+default: null
+desc: |-
+ Setting the policy to 3 lets websites ask for access to connected USB devices. Setting the policy to 2 denies access to connected USB devices.
+
+ Leaving it unset lets websites ask for access, but users can change this setting.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Do not allow any site to request access to USB devices via the WebUSB API
+ name: BlockWebUsb
+ value: 2
+- caption: Allow sites to ask the user to grant access to a connected USB device
+ name: AskWebUsb
+ value: 3
+owners:
+- reillyg@chromium.org
+- odejesush@chromium.org
+schema:
+ enum:
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:67-
+- android:67-
+- chrome.*:67-
+tags:
+- website-sharing
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWindowManagementSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWindowManagementSetting.yaml
new file mode 100755
index 000000000..6dd198375
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWindowManagementSetting.yaml
@@ -0,0 +1,35 @@
+caption: Default Window Management permission setting
+default: null
+desc: |-
+ Setting the policy to BlockWindowManagement (value 2) automatically denies the window management permission to sites by default. This will limit the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
+
+ Setting the policy to AskWindowManagement (value 3) will prompt the user when the window management permission is requested by default. If users allow the permission, it will extend the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
+
+ Leaving the policy unset means the AskWindowManagement policy applies, but users can change this setting.
+
+ This replaces the deprecated DefaultWindowPlacementSetting policy.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Denies the Window Management permission on all sites by default
+ name: BlockWindowManagement
+ value: 2
+- caption: Ask every time a site wants obtain the Window Management permission
+ name: AskWindowManagement
+ value: 3
+owners:
+- msw@chromium.org
+schema:
+ enum:
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome.*:111-
+- chrome_os:111-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWindowPlacementSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWindowPlacementSetting.yaml
new file mode 100755
index 000000000..87f308a73
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DefaultWindowPlacementSetting.yaml
@@ -0,0 +1,34 @@
+caption: Default Window Placement permission setting
+default: null
+desc: |-
+ Setting the policy to BlockWindowPlacement (value 2) automatically denies the window placement permission to sites by default. This will limit the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
+
+ Setting the policy to AskWindowPlacement (value 3) will prompt the user when the window placement permission is requested by default. If users allow the permission, it will extend the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
+
+ Leaving the policy unset means the AskWindowPlacement policy applies, but users can change this setting.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Denies the Window Placement permission on all sites by default
+ name: BlockWindowPlacement
+ value: 2
+- caption: Ask every time a site wants obtain the Window Placement permission
+ name: AskWindowPlacement
+ value: 3
+owners:
+- msw@chromium.org
+schema:
+ enum:
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome.*:100-
+- chrome_os:100-
+deprecated: true
+tags: []
+type: int-enum
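Review bot: `desc` never says this policy is deprecated or what replaces it, although DefaultWindowManagementSetting.yaml in this same patch states that it replaces DefaultWindowPlacementSetting. I would add a closing line to `desc`, `This policy is deprecated, use DefaultWindowManagementSetting instead.` `deprecated: true` also sits between `supported_on` and `tags` here, and moving it under `caption` would match the other deprecated definitions in this patch. `supported_on` is still open-ended (`chrome.*:100-`, `chrome_os:100-`), so the file does not show whether the old policy is still honoured alongside the new one.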
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DirectSocketsAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DirectSocketsAllowedForUrls.yaml
new file mode 100755
index 000000000..6a9cfc88b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DirectSocketsAllowedForUrls.yaml
@@ -0,0 +1,30 @@
+caption: Allow Direct Sockets API on these sites
+desc: |-
+ The Direct Sockets API allows communication with arbitrary endpoints using TCP and UDP.
+ Please see https://github.com/WICG/direct-sockets for details.
+
+ Setting the policy lets you list the URL patterns that specify which sites are allowed to use Direct Sockets API.
+ These may include Chrome Apps, Isolated Web Apps and Web Kiosks; the API is never available on the open web.
+
+ Leaving the policy unset means DefaultDirectSocketsSetting applies for all sites, if it's set.
+
+ URL patterns must not conflict with DirectSocketsBlockedForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome.*
+- chrome_os
+owners:
+- file://content/browser/direct_sockets/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
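Review bot: The sentence `Neither policy takes precedence if a URL matches with both` leaves the effective result undefined for a pattern listed in both this policy and DirectSocketsBlockedForUrls, which matters for an API that opens raw TCP and UDP connections. The description should state the outcome. A conservative wording would be `If a URL matches both policies, the API is blocked for it.`, provided that matches the implementation, which this file does not show. The same wording is in DirectSocketsBlockedForUrls.yaml. Both files also say DefaultDirectSocketsSetting applies "if it's set" without saying what happens when it is not.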
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DirectSocketsBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DirectSocketsBlockedForUrls.yaml
new file mode 100755
index 000000000..ac716302b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/DirectSocketsBlockedForUrls.yaml
@@ -0,0 +1,30 @@
+caption: Block Direct Sockets API on these sites
+desc: |-
+ The Direct Sockets API allows communication with arbitrary endpoints using TCP and UDP.
+ Please see https://github.com/WICG/direct-sockets for details.
+
+ Setting the policy lets you list the URL patterns that specify which sites are blocked from using DirectSockets.
+ These may include Chrome Apps, Isolated Web Apps and Web Kiosks; the API is never available on the open web.
+
+ Leaving the policy unset means DefaultDirectSocketsSetting applies for all sites, if it's set.
+
+ URL patterns must not conflict with DirectSocketsAllowedForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome.*
+- chrome_os
+owners:
+- file://content/browser/direct_sockets/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileHandlingAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileHandlingAllowedForUrls.yaml
new file mode 100755
index 000000000..37fb3d331
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileHandlingAllowedForUrls.yaml
@@ -0,0 +1,31 @@
+caption: Allow the File Handling API on these web apps
+deprecated: true
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which web apps are granted access to file types.
+
+ Leaving the policy unset means DefaultFileHandlingGuardSetting applies for all web apps, if it's set. If not, users' personal settings apply.
+
+ For URL patterns which match neither FileHandlingAllowedForUrls nor FileHandlingBlockedForUrls, DefaultFileHandlingGuardSetting, or the users' personal settings, will be used, in that order.
+
+ URL patterns must not conflict with FileHandlingBlockedForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- estade@chromium.org
+- cmp@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:91-96
+- chrome.*:91-96
+tags:
+- website-sharing
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileHandlingBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileHandlingBlockedForUrls.yaml
new file mode 100755
index 000000000..13a362205
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileHandlingBlockedForUrls.yaml
@@ -0,0 +1,30 @@
+caption: Block the File Handling API on these web apps
+deprecated: true
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which web apps can't ask users to grant them access to file types.
+
+ Leaving the policy unset means DefaultFileHandlingGuardSetting applies for all web apps, if it's set. If not, the user's personal setting applies.
+
+ For URL patterns which match neither FileHandlingAllowedForUrls nor FileHandlingBlockedForUrls, DefaultFileHandlingGuardSetting, or the users' personal settings, will be used, in that order.
+
+ URL patterns must not conflict with FileHandlingAllowedForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- estade@chromium.org
+- cmp@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:91-96
+- chrome.*:91-96
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemReadAskForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemReadAskForUrls.yaml
new file mode 100755
index 000000000..544d8c6e1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemReadAskForUrls.yaml
@@ -0,0 +1,30 @@
+caption: Allow read access via the File System API on these sites
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them read access to files or directories in the host operating system's file system via the File System API.
+
+ Leaving the policy unset means DefaultFileSystemReadGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
+
+ URL patterns must not conflict with FileSystemReadBlockedForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- mek@chromium.org
+- file://content/browser/file_system_access/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:86-
+- chrome.*:86-
+tags:
+- website-sharing
+type: list
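Review bot: The `caption` reads `Allow read access via the File System API on these sites`, but `desc` says the listed sites can only ask users to grant read access, so the caption overstates what the policy does. Something like `caption: Allow these sites to ask for read access via the File System API` would keep the admin-facing string in line with the behaviour. FileSystemWriteAskForUrls.yaml has the same mismatch (`Allow write access to files and directories on these sites`).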
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemReadBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemReadBlockedForUrls.yaml
new file mode 100755
index 000000000..bda790af6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemReadBlockedForUrls.yaml
@@ -0,0 +1,29 @@
+caption: Block read access via the File System API on these sites
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them read access to files or directories in the host operating system's file system via the File System API.
+
+ Leaving the policy unset means DefaultFileSystemReadGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
+
+ URL patterns can't conflict with FileSystemReadAskForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- mek@chromium.org
+- file://content/browser/file_system_access/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:86-
+- chrome.*:86-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemSyncAccessHandleAsyncInterfaceEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemSyncAccessHandleAsyncInterfaceEnabled.yaml
new file mode 100755
index 000000000..d4ec611c0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemSyncAccessHandleAsyncInterfaceEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Re-enable the deprecated async interface for FileSystemSyncAccessHandle
+ in File System Access API
+deprecated: true
+default: false
+desc: |-
+ Starting in M108, all of FileSystemSyncAccessHandle methods will be invoked synchronously.
+ Until M110, this policy re-enables asynchronous invocation of FileSystemSyncAccessHandle methods.
+ If this policy is set to Enabled, FileSystemSyncAccessHandle methods are invoked asynchronously.
+ If this policy is set to Disabled or not set, all of FileSystemSyncAccessHandle methods are invoked synchronously.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enables FileSystemSyncAccessHandle
+ methods to be invoked asynchronously
+ value: true
+- caption: Disables any asynchronous methods of FileSystemSyncAccessHandle.
+ value: false
+owners:
+- dslee@chromium.org
+- chrome-owp-storage@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:108-110
+- chrome_os:108-110
+- android:108-110
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemWriteAskForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemWriteAskForUrls.yaml
new file mode 100755
index 000000000..3dd137463
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemWriteAskForUrls.yaml
@@ -0,0 +1,30 @@
+caption: Allow write access to files and directories on these sites
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them write access to files or directories in the host operating system's file system.
+
+ Leaving the policy unset means DefaultFileSystemWriteGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
+
+ URL patterns must not conflict with FileSystemWriteBlockedForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- mek@chromium.org
+- file://content/browser/file_system_access/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:86-
+- chrome.*:86-
+tags:
+- website-sharing
+type: list
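Review bot: "Neither policy takes precedence if a URL matches with both" in the desc leaves the effective behaviour undefined for a URL listed in both FileSystemWriteAskForUrls and FileSystemWriteBlockedForUrls. For a permission that covers write access to the host file system, the desc should state the outcome of a conflict, ideally that the block entry wins or that the conflicting entries are rejected. Which of these the implementation does is not visible here. The same sentence appears in the FileSystemWriteBlockedForUrls hunk that follows.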
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemWriteBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemWriteBlockedForUrls.yaml
new file mode 100755
index 000000000..5e0dc4c99
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/FileSystemWriteBlockedForUrls.yaml
@@ -0,0 +1,29 @@
+caption: Block write access to files and directories on these sites
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them write access to files or directories in the host operating system's file system.
+
+ Leaving the policy unset means DefaultFileSystemWriteGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
+
+ URL patterns can't conflict with FileSystemWriteAskForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- mek@chromium.org
+- file://content/browser/file_system_access/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:86-
+- chrome.*:86-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/GetDisplayMediaSetSelectAllScreensAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/GetDisplayMediaSetSelectAllScreensAllowedForUrls.yaml
new file mode 100755
index 000000000..f1fa0e9c5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/GetDisplayMediaSetSelectAllScreensAllowedForUrls.yaml
@@ -0,0 +1,26 @@
+caption: Enables auto-select for multi screen captures
+desc: |-
+ The getDisplayMediaSet API allows web applications to capture multiple surfaces at once.
+ This policy unlocks the autoSelectAllScreens property for web applications at defined origins.
+ If the autoSelectAllScreens property is defined in a getDisplayMediaSet request, all screen surfaces are automatically captured without requiring explicit user permission.
+ If the policy is not set, autoSelectAllScreens is not available for any web application.
+ In order to improve privacy, starting with $1Google Chrome version 116, this policy will not support dynamic refresh anymore. Therefore, the user can be sure that no additional pages will be able to capture the screens after login if it were not allowed at session start already.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ # intentional!
+ dynamic_refresh: false
+ per_profile: true
+owners:
+- file://chrome/browser/media/webrtc/OWNERS
+- simonha@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:102-
+- chrome.linux:111-123
+tags: []
+type: list
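Review bot: `tags: []` at the end of this definition leaves the policy without any risk tag, although the desc says all screen surfaces are captured "without requiring explicit user permission" for the listed origins. FileSystemWriteAskForUrls in this same commit carries `- website-sharing`; if the tag vocabulary allows it (not visible here), the same tag would fit this policy. The `# intentional!` comment above `dynamic_refresh: false` would also read better with its reason, e.g. `# intentional: the allowed origins must not change after session start (see desc)`. For a grant this broad, the example list could show single origins only rather than `'[*.]example.edu'`.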
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ImagesAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ImagesAllowedForUrls.yaml
new file mode 100755
index 000000000..4b541ccd2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ImagesAllowedForUrls.yaml
@@ -0,0 +1,29 @@
+caption: Allow images on these sites
+desc: |-
+ Setting the policy lets you set a list of URL patterns that specify sites that may display images.
+
+ Leaving the policy unset means DefaultImagesSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+
+ Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- engedy@chromium.org
+- file://components/content_settings/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:11-
+- chrome_os:11-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ImagesBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ImagesBlockedForUrls.yaml
new file mode 100755
index 000000000..6ebd8697c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ImagesBlockedForUrls.yaml
@@ -0,0 +1,29 @@
+caption: Block images on these sites
+desc: |-
+ Setting the policy lets you set a list of URL patterns that specify sites that can't display images.
+
+ Leaving the policy unset means DefaultImagesSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+
+ Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- engedy@chromium.org
+- file://components/content_settings/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:11-
+- chrome_os:11-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/InsecureContentAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/InsecureContentAllowedForUrls.yaml
new file mode 100755
index 000000000..9dde8142c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/InsecureContentAllowedForUrls.yaml
@@ -0,0 +1,27 @@
+caption: Allow insecure content on these sites
+desc: |-
+ Allows you to set a list of url patterns that specify sites which are allowed to display blockable (i.e. active) mixed content (i.e. HTTP content on HTTPS sites) and for which optionally blockable mixed content upgrades will be disabled.
+
+ If this policy is left not set blockable mixed content will be blocked and optionally blockable mixed content will be upgraded, and users will be allowed to set exceptions to allow it for specific sites.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- carlosil@chromium.org
+- estark@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:79-
+- chrome_os:79-
+tags: []
+type: list
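Review bot: The desc never says what allowing blockable mixed content costs, and `tags: []` gives policy tooling nothing to flag it with. On the listed sites, active content fetched over HTTP runs inside an HTTPS page, so it can be altered in transit. I would add a sentence such as `Active content loaded over HTTP can be modified in transit; list only sites that cannot yet be served fully over HTTPS.` If the tag set permits, `- system-security` (used by the Keygen policies in this commit) would fit here.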
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/InsecureContentBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/InsecureContentBlockedForUrls.yaml
new file mode 100755
index 000000000..7ba2b7352
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/InsecureContentBlockedForUrls.yaml
@@ -0,0 +1,27 @@
+caption: Block insecure content on these sites
+desc: |-
+ Allows you to set a list of url patterns that specify sites which are not allowed to display blockable (i.e. active) mixed content (i.e. HTTP content on HTTPS sites), and for which optionally blockable (i.e. passive) mixed content will be upgraded.
+
+ If this policy is left not set blockable mixed content will be blocked and optionally blockable mixed content will be upgraded, but users will be allowed to set exceptions to allow it for specific sites.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- carlosil@chromium.org
+- estark@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:79-
+- chrome_os:79-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptAllowedForUrls.yaml
new file mode 100755
index 000000000..d69893256
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptAllowedForUrls.yaml
@@ -0,0 +1,28 @@
+caption: Allow JavaScript on these sites
+desc: |-
+ Setting the policy lets you set a list of URL patterns that specify the sites that can run JavaScript.
+
+ Leaving the policy unset means DefaultJavaScriptSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- engedy@chromium.org
+- file://components/content_settings/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:11-
+- chrome_os:11-
+- android:30-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptBlockedForUrls.yaml
new file mode 100755
index 000000000..ef5e0c0d2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptBlockedForUrls.yaml
@@ -0,0 +1,30 @@
+caption: Block JavaScript on these sites
+desc: |-
+ Setting the policy lets you set a list of URL patterns that specify the sites that can't run JavaScript.
+
+ Leaving the policy unset means DefaultJavaScriptSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+
+ Note that this policy blocks JavaScript based on whether the origin of the top-level document (usually the page URL that is also displayed in the address bar) matches any of the patterns. Therefore this policy is not appropriate for mitigating web supply-chain attacks. For example, supplying the pattern "https://[*.]foo.com/" will not prevent a page hosted on, say, https://example.com from running a script loaded from https://www.foo.com/example.js. Furthermore, supplying the pattern "https://example.com/" will not prevent a document from https://example.com from running scripts if it is not the top-level document, but embedded as a sub-frame into a page hosted on another origin, say, https://www.bar.com.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- engedy@chromium.org
+- file://components/content_settings/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:11-
+- chrome_os:11-
+- android:30-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptJitAllowedForSites.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptJitAllowedForSites.yaml
new file mode 100755
index 000000000..725f0f0e0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptJitAllowedForSites.yaml
@@ -0,0 +1,31 @@
+caption: Allow JavaScript to use JIT on these sites
+desc: |-
+ Allows you to set a list of site url patterns that specify sites which are allowed to run JavaScript with JIT (Just In Time) compiler enabled.
+
+ For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+
+ JavaScript JIT policy exceptions will only be enforced at a site granularity (eTLD+1). A policy set for only subdomain.site.com will not correctly apply to site.com or subdomain.site.com since they both resolve to the same eTLD+1 (site.com) for which there is no policy. In this case, policy must be set on site.com to apply correctly for both site.com and subdomain.site.com.
+
+ This policy applies on a frame-by-frame basis and not based on top level origin url alone, so e.g. if site-one.com is listed in the JavaScriptJitAllowedForSites policy but site-one.com loads a frame containing site-two.com then site-one.com will have JavaScript JIT enabled, but site-two.com will use the policy from DefaultJavaScriptJitSetting, if set, or default to JavaScript JIT enabled.
+
+ If this policy is not set for a site then the policy from DefaultJavaScriptJitSetting applies to the site, if set, otherwise Javascript JIT is enabled for the site.
+example_value:
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- wfh@chromium.org
+- nasko@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:93-
+- chrome_os:93-
+- android:93-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptJitBlockedForSites.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptJitBlockedForSites.yaml
new file mode 100755
index 000000000..870967e4f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptJitBlockedForSites.yaml
@@ -0,0 +1,33 @@
+caption: Block JavaScript from using JIT on these sites
+desc: |-
+ Allows you to set a list of site url patterns that specify sites which are not allowed to run JavaScript JIT (Just In Time) compiler enabled.
+
+ Disabling the JavaScript JIT will mean that $1Google Chrome may render web content more slowly, and may also disable parts of JavaScript including WebAssembly. Disabling the JavaScript JIT may allow $1Google Chrome to render web content in a more secure configuration.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+
+ JavaScript JIT policy exceptions will only be enforced at a site granularity (eTLD+1). A policy set for only subdomain.site.com will not correctly apply to site.com or subdomain.site.com since they both resolve to the same eTLD+1 (site.com) for which there is no policy. In this case, policy must be set on site.com to apply correctly for both site.com and subdomain.site.com.
+
+ This policy applies on a frame-by-frame basis and not based on top level origin url alone, so e.g. if site-one.com is listed in the JavaScriptJitBlockedForSites policy but site-one.com loads a frame containing site-two.com then site-one.com will have JavaScript JIT disabled, but site-two.com will use the policy from DefaultJavaScriptJitSetting, if set, or default to JavaScript JIT enabled.
+
+ If this policy is not set for a site then the policy from DefaultJavaScriptJitSetting applies to the site, if set, otherwise JavaScript JIT is enabled for the site.
+example_value:
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- wfh@chromium.org
+- nasko@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:93-
+- chrome_os:93-
+- android:93-
+tags: []
+type: list
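Review bot: The eTLD+1 paragraph of the desc describes a fail-open case for a hardening policy: an entry for only subdomain.site.com "will not correctly apply", so that site falls back to DefaultJavaScriptJitSetting or to JIT enabled, and the desc mentions no error or warning. The text should say so outright, for example `An entry for a subdomain alone is not applied; list the eTLD+1 (site.com) instead.` Whether the policy loader reports such entries is not visible in this hunk. The same paragraph is in JavaScriptOptimizerBlockedForSites further down. The first desc sentence is also missing a word: `not allowed to run JavaScript with JIT (Just In Time) compiler enabled`.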
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptOptimizerAllowedForSites.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptOptimizerAllowedForSites.yaml
new file mode 100755
index 000000000..40438f23d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptOptimizerAllowedForSites.yaml
@@ -0,0 +1,50 @@
+caption: Allow JavaScript optimization on these sites
+desc: |-
+ Allows you to set a list of site url patterns that specify sites for which
+ advanced JavaScript optimizations are enabled.
+
+ For detailed information on valid site url patterns, please see
+ https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
+ Wildcards, *, are allowed.
+
+ JavaScript optimization policy exceptions will only be enforced at a site
+ granularity (eTLD+1). A policy set for only subdomain.site.com will not
+ correctly apply to site.com or subdomain.site.com since they both resolve to
+ the same eTLD+1 (site.com) for which there is no policy. In this case, policy
+ must be set on site.com to apply correctly for both site.com and
+ subdomain.site.com.
+
+ This policy applies on a frame-by-frame basis and not based on top level
+ origin url alone, so e.g. if site-one.com is listed in the
+ JavaScriptOptimizerAllowedForSites policy but site-one.com loads a frame containing site-two.com then site-one.com will have JavaScript optimizations
+ enabled, but site-two.com will use the policy from
+ DefaultJavaScriptOptimizerSetting, if set, or default to JavaScript
+ optimizations enabled. Blocklist entries have higher priority than allowlist
+ entries, which in turn have higher priority than the configured default value.
+
+ If this policy is not set for a site then the policy from
+ DefaultJavaScriptOptimizerSetting applies to the site, if set, otherwise
+ Javascript optimization is enabled for the site.
+example_value:
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- android
+- chrome.*
+- chrome_os
+- fuchsia
+owners:
+- ellyjones@chromium.org
+- wfh@chromium.org
+- nasko@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptOptimizerBlockedForSites.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptOptimizerBlockedForSites.yaml
new file mode 100755
index 000000000..d2ba74b41
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/JavaScriptOptimizerBlockedForSites.yaml
@@ -0,0 +1,54 @@
+caption: Block JavaScript optimizations on these sites
+desc: |-
+ Allows you to set a list of site url patterns that specify sites for which
+ advanced JavaScript optimizations are disabled.
+
+ Disabling JavaScript optimizations will mean that
+ $1Google Chrome may render web content more slowly.
+
+ For detailed information on valid url patterns, please see
+ https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
+ Wildcards, *, are allowed.
+
+ JavaScript optimization policy exceptions will only be enforced at a site
+ granularity (eTLD+1). A policy set for only subdomain.site.com will not
+ correctly apply to site.com or subdomain.site.com since they both resolve to
+ the same eTLD+1 (site.com) for which there is no policy. In this case, policy
+ must be set on site.com to apply correctly for both site.com and
+ subdomain.site.com.
+
+ This policy applies on a frame-by-frame basis and not based on top level
+ origin url alone, so e.g. if site-one.com is listed in the
+ JavaScriptOptimizerBlockedForSites policy but site-one.com loads a frame
+ containing site-two.com then site-one.com will have JavaScript optimizations
+ disabled, but site-two.com will use the policy from
+ DefaultJavaScriptOptimizerSetting, if set, or default to JavaScript
+ optimizations enabled. Blocklist entries have higher priority than allowlist
+ entries, which in turn have higher priority than the configured default value.
+
+ If this policy is not set for a site then the policy from
+ DefaultJavaScriptOptimizerSetting applies to the site, if set, otherwise
+ JavaScript optimization is enabled for the site.
+example_value:
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- android
+- chrome.*
+- chrome_os
+- fuchsia
+owners:
+- ellyjones@chromium.org
+- wfh@chromium.org
+- nasko@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/KeygenAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/KeygenAllowedForUrls.yaml
new file mode 100755
index 000000000..23d2900a6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/KeygenAllowedForUrls.yaml
@@ -0,0 +1,30 @@
+caption: Allow key generation on these sites
+deprecated: true
+desc: |-
+ Allows you to set a list of url patterns that specify sites which are allowed to use key generation. If a url pattern is in 'KeygenBlockedForUrls', that overrides these exceptions.
+
+ If this policy is left not set the global default value will be used for all sites either from the 'DefaultKeygenSetting' policy if it is set, or the user's personal configuration otherwise.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- engedy@chromium.org
+- file://components/content_settings/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:49-56
+- chrome_os:49-56
+- android:49-56
+tags:
+- system-security
+- website-sharing
+- local-data-access
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/KeygenBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/KeygenBlockedForUrls.yaml
new file mode 100755
index 000000000..7db49ab6b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/KeygenBlockedForUrls.yaml
@@ -0,0 +1,30 @@
+caption: Block key generation on these sites
+deprecated: true
+desc: |-
+ Allows you to set a list of url patterns that specify sites which are not allowed to use key generation. If a url pattern is in 'KeygenAllowedForUrls', this policy overrides these exceptions.
+
+ If this policy is left not set the global default value will be used for all sites either from the 'DefaultKeygenSetting' policy if it is set, or the user's personal configuration otherwise.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- engedy@chromium.org
+- file://components/content_settings/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:49-56
+- chrome_os:49-56
+- android:49-56
+tags:
+- system-security
+- website-sharing
+- local-data-access
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LegacySameSiteCookieBehaviorEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LegacySameSiteCookieBehaviorEnabled.yaml
new file mode 100755
index 000000000..11cdae960
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LegacySameSiteCookieBehaviorEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Default legacy SameSite cookie behavior
+ setting
+deprecated: true
+desc: |-
+ This policy is deprecated, if you still require legacy cookie behavior please use LegacySameSiteCookieBehaviorEnabledForDomainList. Allows you to revert all cookies to legacy SameSite behavior. Reverting to legacy behavior causes cookies that don't specify a SameSite attribute to be treated as if they were "SameSite=None", removes the requirement for "SameSite=None" cookies to carry the "Secure" attribute, and skips the scheme comparison when evaluating if two sites are same-site. See https://www.chromium.org/administrators/policy-list-3/cookie-legacy-samesite-policies for full description.
+
+ When this policy is not set, the default SameSite behavior for cookies will depend on the user's personal configuration for the SameSite-by-default feature, the Cookies-without-SameSite-must-be-secure feature, and the Schemeful Same-Site feature which may be set by a field trial or by enabling or disabling the same-site-by-default-cookies flag, the cookies-without-same-site-must-be-secure flag, or the schemeful-same-site flag, respectively.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Revert to legacy SameSite behavior
+ for cookies on all sites
+ name: DefaultToLegacySameSiteCookieBehavior
+ value: 1
+- caption: Use SameSite-by-default
+ behavior for cookies on all sites
+ name: DefaultToSameSiteByDefaultCookieBehavior
+ value: 2
+owners:
+- bingler@chromium.org
+- file://net/cookies/OWNERS
+schema:
+ enum:
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:79-92
+- chrome_os:79-92
+- android:79-92
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LegacySameSiteCookieBehaviorEnabledForDomainList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LegacySameSiteCookieBehaviorEnabledForDomainList.yaml
new file mode 100755
index 000000000..e6b0d0419
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LegacySameSiteCookieBehaviorEnabledForDomainList.yaml
@@ -0,0 +1,31 @@
+caption: Revert to legacy SameSite behavior
+ for cookies on these sites
+desc: |-
+ Cookies set for domains matching these patterns will revert to legacy SameSite behavior. Reverting to legacy behavior causes cookies that don't specify a SameSite attribute to be treated as if they were "SameSite=None", removes the requirement for "SameSite=None" cookies to carry the "Secure" attribute, and skips the scheme comparison when evaluating if two sites are same-site. See https://www.chromium.org/administrators/policy-list-3/cookie-legacy-samesite-policies for full description.
+
+ For cookies on domains not covered by the patterns specified here, or for all cookies if this policy is not set, the global default value will be the user's personal configuration.
+
+ For detailed information on valid patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
+
+ Note that patterns you list here are treated as domains, not URLs, so you should not specify a scheme or port.
+example_value:
+- www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- bingler@chromium.org
+- file://net/cookies/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:79-
+- chrome_os:79-
+- android:79-
+tags: []
+type: list
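Review bot: The desc lists what the legacy behaviour changes but not what that means for the listed domains. Cookies without a SameSite attribute are again sent on cross-site requests, so those sites lose the default mitigation against cross-site request forgery, and `SameSite=None` cookies no longer need `Secure`. A sentence such as `Listed domains lose the SameSite-by-default protection against cross-site request forgery; keep the list as short as possible.` would make that explicit. Because entries are treated as domains and `'[*.]example.edu'` covers every subdomain, the example could show a single host only.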
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LocalFontsAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LocalFontsAllowedForUrls.yaml
new file mode 100755
index 000000000..7b686fd37
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LocalFontsAllowedForUrls.yaml
@@ -0,0 +1,27 @@
+caption: Allow Local Fonts permission on these sites
+desc: |-
+ Sets a list of site url patterns that specify sites which will automatically grant the local fonts permission. This will extend the ability of sites to see information about local fonts.
+
+ For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.
+
+ If this policy is not set for a site then the policy from DefaultLocalFontsSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- dslee@chromium.org
+- storage-dev@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:103-
+- chrome_os:103-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LocalFontsBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LocalFontsBlockedForUrls.yaml
new file mode 100755
index 000000000..2f099033e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/LocalFontsBlockedForUrls.yaml
@@ -0,0 +1,27 @@
+caption: Block Local Fonts permission on these sites
+desc: |-
+ Sets a list of site url patterns that specify sites which will automatically deny the local fonts permission. This will limit the ability of sites to see information about local fonts.
+
+ For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.
+
+ If this policy is not set for a site then the policy from DefaultLocalFontsSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- dslee@chromium.org
+- storage-dev@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:103-
+- chrome_os:103-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/NotificationsAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/NotificationsAllowedForUrls.yaml
new file mode 100755
index 000000000..b21107274
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/NotificationsAllowedForUrls.yaml
@@ -0,0 +1,27 @@
+caption: Allow notifications on these sites
+desc: |-
+ Setting the policy lets you set a list of URL patterns that specify the sites that can display notifications.
+
+ Leaving the policy unset means DefaultNotificationsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- engedy@chromium.org
+- file://components/permissions/PERMISSIONS_OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:16-
+- chrome_os:16-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/NotificationsBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/NotificationsBlockedForUrls.yaml
new file mode 100755
index 000000000..3e175e454
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/NotificationsBlockedForUrls.yaml
@@ -0,0 +1,27 @@
+caption: Block notifications on these sites
+desc: |-
+ Setting the policy lets you set a list of URL patterns that specify the sites that can't display notifications.
+
+ Leaving the policy unset means DefaultNotificationsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- engedy@chromium.org
+- file://components/permissions/PERMISSIONS_OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:16-
+- chrome_os:16-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PdfLocalFileAccessAllowedForDomains.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PdfLocalFileAccessAllowedForDomains.yaml
new file mode 100755
index 000000000..1f0042d40
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PdfLocalFileAccessAllowedForDomains.yaml
@@ -0,0 +1,38 @@
+caption: Allow local file access to file:// URLs on these sites in the PDF Viewer
+
+desc: |-
+ Setting this policy allows the domains listed to access file:// URLs in the PDF Viewer.
+ Adding to the policy allows the domain to access file:// URLs in the PDF Viewer.
+ Removing from the policy disallows the domain from accessing file:// URLs in the PDF Viewer.
+ Leaving the policy unset disallows all domains from accessing file:// URLs in the PDF Viewer.
+
+supported_on:
+- chrome.*:110-
+- chrome_os:110-
+
+future_on:
+- fuchsia
+
+features:
+ dynamic_refresh: true
+ per_profile: true
+
+default: []
+
+owners:
+- andyphan@chromium.org
+- file://pdf/OWNERS
+
+type: list
+
+schema:
+ items:
+ type: string
+ type: array
+
+example_value:
+- example.com
+- google.com
+
+tags:
+- local-data-access
\ No newline at end of file
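Review bot: The `desc` never says how a listed entry is matched, which matters for a policy tagged `local-data-access` that lets a site reach file:// URLs in the PDF Viewer. The examples are bare hostnames (`example.com`), but the text does not state whether subdomains are covered or whether a scheme or port may be given, so an administrator cannot tell how wide an entry is. I would add one sentence to `desc` stating the match rule, or, until that is confirmed, a comment such as `# TODO: document whether entries match subdomains and whether scheme/port are accepted`. The file also ends without a trailing newline, unlike the neighbouring definitions.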
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PluginsAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PluginsAllowedForUrls.yaml
new file mode 100755
index 000000000..27f6fc7e4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PluginsAllowedForUrls.yaml
@@ -0,0 +1,26 @@
+caption: Allow the Flash plugin on these sites
+deprecated: true
+desc: |-
+ This policy is deprecated in M88, Flash is no longer supported by Chrome. Setting the policy lets you set a list of URL patterns that specify the sites that can run the Flash plugin.
+
+ Leaving the policy unset means DefaultPluginsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. However, starting in M85, patterns with '*' and '[*.]' wildcards in the host are no longer supported for this policy.
+example_value:
+- https://www.example.com
+- http://example.edu:8080
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- engedy@chromium.org
+- file://components/permissions/PERMISSIONS_OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:11-87
+- chrome_os:11-87
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PluginsBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PluginsBlockedForUrls.yaml
new file mode 100755
index 000000000..ea84b372f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PluginsBlockedForUrls.yaml
@@ -0,0 +1,26 @@
+caption: Block the Flash plugin on these sites
+deprecated: true
+desc: |-
+ This policy is deprecated in M88, Flash is no longer supported by Chrome. Setting the policy lets you set a list of URL patterns that specify the sites that can't run the Flash plugin.
+
+ Leaving the policy unset means DefaultPluginsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. However, starting in M85, patterns with '*' and '[*.]' wildcards in the host are no longer supported for this policy.
+example_value:
+- https://www.example.com
+- http://example.edu:8080
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- engedy@chromium.org
+- file://components/permissions/PERMISSIONS_OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:11-87
+- chrome_os:11-87
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PopupsAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PopupsAllowedForUrls.yaml
new file mode 100755
index 000000000..448031a6e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PopupsAllowedForUrls.yaml
@@ -0,0 +1,29 @@
+caption: Allow pop-ups on these sites
+desc: |-
+ Setting the policy lets you set a list of URL patterns that specify the sites that can open pop-ups.
+
+ Leaving the policy unset means DefaultPopupsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- engedy@chromium.org
+- file://components/permissions/PERMISSIONS_OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:11-
+- chrome_os:11-
+- android:34-
+- ios:88-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PopupsBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PopupsBlockedForUrls.yaml
new file mode 100755
index 000000000..86e20ff00
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/PopupsBlockedForUrls.yaml
@@ -0,0 +1,29 @@
+caption: Block pop-ups on these sites
+desc: |-
+ Setting the policy lets you set a list of URL patterns that specify the sites that can't open pop-ups.
+
+ Leaving the policy unset means DefaultPopupsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- engedy@chromium.org
+- file://components/permissions/PERMISSIONS_OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:11-
+- chrome_os:11-
+- android:34-
+- ios:88-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/RegisteredProtocolHandlers.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/RegisteredProtocolHandlers.yaml
new file mode 100755
index 000000000..292d16334
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/RegisteredProtocolHandlers.yaml
@@ -0,0 +1,44 @@
+arc_support: The protocol handlers set via this policy are not used when handling
+ Android intents.
+caption: Register protocol handlers
+desc: |-
+ Setting the policy (as recommended only) lets you register a list of protocol handlers, which merge with the ones that the user registers, putting both sets in use. Set the property "protocol" to the scheme, such as "mailto", and set the property "URL" to the URL pattern of the application that handles the scheme specified in the "protocol" field. The pattern can include a "%s" placeholder, which the handled URL replaces.
+
+ Users can't remove a protocol handler registered by policy. However, by installing a new default handler, they can change the protocol handlers installed by policy.
+example_value:
+- default: true
+ protocol: mailto
+ url: https://mail.google.com/mail/?extsrc=mailto&url=%s
+features:
+ can_be_mandatory: false
+ can_be_recommended: true
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- engedy@chromium.org
+- file://chrome/browser/custom_handlers/OWNERS
+schema:
+ items:
+ properties:
+ default:
+ description: A boolean flag indicating if the protocol handler should be set
+ as the default.
+ type: boolean
+ protocol:
+ description: The protocol for the protocol handler.
+ type: string
+ url:
+ description: The URL of the protocol handler.
+ type: string
+ required:
+ - protocol
+ - url
+ type: object
+ type: array
+supported_on:
+- chrome.*:37-
+- chrome_os:37-
+tags: []
+type: dict
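Review bot: The `desc` tells administrators to set the property "URL", but the schema's required key and the `example_value` both use lowercase `url`. Because `url` is listed under `required`, an entry written with the capitalised name would presumably fail validation (inferred from the schema; the validator is not visible here). I would change the wording to `set the property "url" to the URL pattern of the application`. The description could also say which schemes are expected for a handler URL, since the schema accepts any string.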
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SensorsAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SensorsAllowedForUrls.yaml
new file mode 100755
index 000000000..26cf1c713
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SensorsAllowedForUrls.yaml
@@ -0,0 +1,30 @@
+caption: Allow access to sensors on these sites
+desc: |-
+ Setting the policy lets you set a list of URL patterns that specify the sites that can access sensors like motion and light sensors.
+
+ Leaving the policy unset means DefaultSensorsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ If the same URL pattern exists in both this policy and the SensorsBlockedForUrls policy, the latter is prioritized and access to motion or light sensors will be blocked.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://third_party/blink/renderer/modules/sensor/OWNERS
+- timvolodine@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:88-
+- chrome_os:88-
+- android:88-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SensorsBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SensorsBlockedForUrls.yaml
new file mode 100755
index 000000000..aaa0eb9af
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SensorsBlockedForUrls.yaml
@@ -0,0 +1,30 @@
+caption: Block access to sensors on these sites
+desc: |-
+ Setting the policy lets you set a list of URL patterns that specify the sites that can't access sensors like motion and light sensors.
+
+ Leaving the policy unset means DefaultSensorsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ If the same URL pattern exists in both this policy and the SensorsAllowedForUrls policy, this policy is prioritized and access to motion or light sensors will be blocked.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://third_party/blink/renderer/modules/sensor/OWNERS
+- rijubrata.bhaumik@intel.com
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:88-
+- chrome_os:88-
+- android:88-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialAllowAllPortsForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialAllowAllPortsForUrls.yaml
new file mode 100755
index 000000000..66bb2a972
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialAllowAllPortsForUrls.yaml
@@ -0,0 +1,28 @@
+caption: Automatically grant permission to sites to connect all serial ports.
+desc: |-
+ Setting the policy allows you to list sites which are automatically granted permission to access all available serial ports.
+
+ The URLs must be valid, otherwise the policy is ignored. Only the origin (scheme, host and port) of the URL is considered.
+
+ On $2Google ChromeOS, this policy only applies to affiliated users.
+
+ This policy overrides DefaultSerialGuardSetting, SerialAskForUrls, SerialBlockedForUrls and the user's preferences.
+example_value:
+- https://www.example.com
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- reillyg@chromium.org
+- file://content/browser/serial/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:94-
+- chrome.*:94-
+tags: []
+type: list
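Review bot: `tags: []` is inconsistent with the sibling definitions. SerialAllowUsbDevicesForUrls and WebHidAllowAllDevicesForUrls, which also grant device access without a prompt, both carry `website-sharing`, while this policy, the broadest of the serial ones, carries no tag. If the tag feeds risk labelling in admin tooling (not visible here), the all-ports grant would go unflagged; I would set `tags:` to `- website-sharing`. Separately, `On $2Google ChromeOS` in the `desc` looks like leftover placeholder markup; the USB variant reads `On ChromeOS`.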
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialAllowUsbDevicesForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialAllowUsbDevicesForUrls.yaml
new file mode 100755
index 000000000..656fb71fa
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialAllowUsbDevicesForUrls.yaml
@@ -0,0 +1,62 @@
+caption: Automatically grant permission to sites to connect to USB serial devices.
+desc: |-
+ Setting the policy allows you to list sites which are automatically granted permission to access USB serial devices with vendor and product IDs matching the vendor_id and product_id fields. Omitting the product_id field allows the given sites permission to access devices with a vendor ID matching the vendor_id field and any product ID.
+
+ The URLs must be valid, otherwise the policy is ignored. Only the origin (scheme, host and port) of the URL is considered.
+
+ On ChromeOS, this policy only applies to affiliated users.
+
+ This policy overrides DefaultSerialGuardSetting, SerialAskForUrls, SerialBlockedForUrls and the user's preferences.
+
+ This policy only affects access to USB devices through the Web Serial API. To grant access to USB devices through the WebUSB API see the WebUsbAllowDevicesForUrls policy.
+example_value:
+- devices:
+ - product_id: 5678
+ vendor_id: 1234
+ urls:
+ - https://specific-device.example.com
+- devices:
+ - vendor_id: 1234
+ urls:
+ - https://all-vendor-devices.example.com
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- reillyg@chromium.org
+- file://content/browser/serial/OWNERS
+schema:
+ items:
+ properties:
+ devices:
+ items:
+ properties:
+ product_id:
+ maximum: 65535
+ minimum: 0
+ type: integer
+ vendor_id:
+ maximum: 65535
+ minimum: 0
+ type: integer
+ required:
+ - vendor_id
+ type: object
+ type: array
+ urls:
+ items:
+ type: string
+ type: array
+ required:
+ - devices
+ - urls
+ type: object
+ type: array
+supported_on:
+- chrome_os:94-
+- chrome.*:94-
+tags:
+- website-sharing
+type: dict
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialAskForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialAskForUrls.yaml
new file mode 100755
index 000000000..bbbe2c2b4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialAskForUrls.yaml
@@ -0,0 +1,31 @@
+caption: Allow the Serial API on these sites
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them access to a serial port.
+
+ Leaving the policy unset means DefaultSerialGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
+
+ For URL patterns which do not match the policy SerialBlockedForUrls (if there is a match), DefaultSerialGuardSetting (if set), or the users' personal settings take precedence, in that order.
+
+ URL patterns must not conflict with SerialBlockedForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- reillyg@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:86-
+- chrome.*:86-
+tags:
+- website-sharing
+type: list
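Review bot: The precedence paragraph in `desc` is hard to parse ("For URL patterns which do not match the policy SerialBlockedForUrls (if there is a match), ..."), and the same sentence shape recurs in SerialBlockedForUrls. WebHidAskForUrls expresses the same rule as a three-item ordered list, which is unambiguous. I would reuse that form here: `For URL patterns which do not match the policy, the following take precedence, in this order:` followed by the three bullets. "Neither policy takes precedence if a URL matches with both" also leaves the outcome for a conflicting pattern unstated; the text should say what the browser does in that case.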
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialBlockedForUrls.yaml
new file mode 100755
index 000000000..d8d867d22
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/SerialBlockedForUrls.yaml
@@ -0,0 +1,30 @@
+caption: Block the Serial API on these sites
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them access to a serial port.
+
+ Leaving the policy unset means DefaultSerialGuardSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ For URL patterns which do not match the policy SerialAskForUrls (if there is a match), DefaultSerialGuardSetting (if set), or the users' personal settings take precedence, in that order.
+
+ URL patterns can't conflict with SerialAskForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- reillyg@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:86-
+- chrome.*:86-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ThirdPartyStoragePartitioningBlockedForOrigins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ThirdPartyStoragePartitioningBlockedForOrigins.yaml
new file mode 100755
index 000000000..9144bb862
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/ThirdPartyStoragePartitioningBlockedForOrigins.yaml
@@ -0,0 +1,29 @@
+caption: Block third-party storage partitioning for these origins
+desc: |-
+ Allows you to set a list of url patterns that specify top-level (the url in the tab's address bar) origins which block third-party storage partitioning (partitioning of cross-origin iframe storage).
+ If this policy is left not set or a top-level origin doesn't match then the value from DefaultThirdPartyStoragePartitioningSetting will be used.
+ For detailed information on valid patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
+ Note that patterns you list here are treated as origins, not URLs, so you should not specify a path.
+ For detailed information on third-party storage partitioning, please see https://developer.chrome.com/docs/privacy-sandbox/storage-partitioning/.
+example_value:
+- www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- arichiv@chromium.org
+- potassium-katabolism@google.com
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+# TODO(crbug.com/40896849): Deprecate this when origin trial ends (likely M123)
+- android:113-
+- chrome.*:113-
+- chrome_os:113-
+tags: []
+type: list
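Review bot: The TODO above the `supported_on` entries is stale relative to this import. It expects deprecation around M123, yet the commit is for version 130.0.6723.73 and all three ranges are still open-ended (`113-`). Because the policy switches off third-party storage partitioning for the listed top-level origins, a definition that outlives its origin trial deserves an explicit status. I would either close the ranges or refresh the comment, e.g. `# TODO(crbug.com/40896849): origin trial was expected to end around M123; confirm status and close these ranges`.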
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAllowAllDevicesForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAllowAllDevicesForUrls.yaml
new file mode 100755
index 000000000..2ea48bc3b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAllowAllDevicesForUrls.yaml
@@ -0,0 +1,30 @@
+caption: Automatically grant permission to sites to connect to any HID device.
+desc: |-
+ Setting the policy allows you to list sites which are automatically granted permission to access all available devices.
+
+ The URLs must be valid, otherwise the policy is ignored. Only the origin (scheme, host and port) of the URL is considered.
+
+ On ChromeOS, this policy only applies to affiliated users.
+
+ This policy overrides DefaultWebHidGuardSetting, WebHidAskForUrls, WebHidBlockedForUrls and the user's preferences.
+example_value:
+- https://google.com
+- https://chromium.org
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- mattreynolds@chromium.org
+- file://third_party/blink/renderer/modules/hid/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:100-
+- chrome.*:100-
+tags:
+- website-sharing
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAllowDevicesForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAllowDevicesForUrls.yaml
new file mode 100755
index 000000000..1ac9d5a93
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAllowDevicesForUrls.yaml
@@ -0,0 +1,56 @@
+caption: Automatically grant permission to these sites to connect to HID devices with
+ the given vendor and product IDs.
+desc: |-
+ Setting the policy lets you list the URLs that specify which sites are automatically granted permission to access a HID device with the given vendor and product IDs. Each item in the list requires both devices and urls fields for the item to be valid, otherwise the item is ignored. Each item in the devices field must have a vendor_id and may have a product_id field. Omitting the product_id field will create a policy matching any device with the specified vendor ID. An item which has a product_id field without a vendor_id field is invalid and is ignored.
+
+ Leaving the policy unset means DefaultWebHidGuardSetting applies, if it's set. If not, the user's personal setting applies.
+
+ URLs in this policy shouldn't conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.
+example_value:
+- devices:
+ - product_id: 5678
+ vendor_id: 1234
+ urls:
+ - https://google.com
+ - https://chromium.org
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- mattreynolds@chromium.org
+- file://third_party/blink/renderer/modules/hid/OWNERS
+schema:
+ items:
+ properties:
+ devices:
+ items:
+ properties:
+ product_id:
+ maximum: 65535
+ minimum: 0
+ type: integer
+ vendor_id:
+ maximum: 65535
+ minimum: 0
+ type: integer
+ required:
+ - vendor_id
+ type: object
+ type: array
+ urls:
+ items:
+ type: string
+ type: array
+ required:
+ - devices
+ - urls
+ type: object
+ type: array
+supported_on:
+- chrome_os:100-
+- chrome.*:100-
+tags:
+- website-sharing
+type: dict
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAllowDevicesWithHidUsagesForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAllowDevicesWithHidUsagesForUrls.yaml
new file mode 100755
index 000000000..ebfd98c77
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAllowDevicesWithHidUsagesForUrls.yaml
@@ -0,0 +1,56 @@
+caption: Automatically grant permission to these sites to connect to HID devices containing
+ top-level collections with the given HID usage.
+desc: |-
+ Setting the policy lets you list the URLs that specify which sites are automatically granted permission to access a HID device containing a top-level collection with the given HID usage. Each item in the list requires both usages and urls fields for the policy to be valid. Each item in the usages field must have a usage_page and may have a usage field. Omitting the usage field will create a policy matching any device containing a top-level collection with a usage from the specified usage page. An item which has a usage field without a usage_page field is invalid and is ignored.
+
+ Leaving the policy unset means DefaultWebHidGuardSetting applies, if it's set. If not, the user's personal setting applies.
+
+ URLs in this policy shouldn't conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.
+example_value:
+- urls:
+ - https://google.com
+ - https://chromium.org
+ usages:
+ - usage: 5678
+ usage_page: 1234
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- mattreynolds@chromium.org
+- file://third_party/blink/renderer/modules/hid/OWNERS
+schema:
+ items:
+ properties:
+ urls:
+ items:
+ type: string
+ type: array
+ usages:
+ items:
+ properties:
+ usage:
+ maximum: 65535
+ minimum: 0
+ type: integer
+ usage_page:
+ maximum: 65535
+ minimum: 0
+ type: integer
+ required:
+ - usage_page
+ type: object
+ type: array
+ required:
+ - usages
+ - urls
+ type: object
+ type: array
+supported_on:
+- chrome_os:100-
+- chrome.*:100-
+tags:
+- website-sharing
+type: dict
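Review bot: The `desc` is ambiguous about what happens to a malformed entry. It says both `usages` and `urls` are required "for the policy to be valid", whereas WebHidAllowDevicesForUrls says "for the item to be valid, otherwise the item is ignored". For an auto-grant policy it matters whether one bad item drops only that item or the whole list. I would align the wording with the sibling: `Each item in the list requires both usages and urls fields for the item to be valid, otherwise the item is ignored.` This assumes the behaviour is the same, which the hunk does not show.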
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAskForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAskForUrls.yaml
new file mode 100755
index 000000000..976942d0a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidAskForUrls.yaml
@@ -0,0 +1,38 @@
+caption: Allow the WebHID API on these sites
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them access to a HID device.
+
+ Leaving the policy unset means DefaultWebHidGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
+
+ For URL patterns which do not match the policy, the following take precedence, in this order:
+
+ * WebHidBlockedForUrls (if there is a match),
+
+ * DefaultWebHidGuardSetting (if set), or
+
+ * Users' personal settings.
+
+ URL patterns must not conflict with WebHidBlockedForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://google.com
+- https://chromium.org
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- mattreynolds@chromium.org
+- file://third_party/blink/renderer/modules/hid/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:100-
+- chrome.*:100-
+tags:
+- website-sharing
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidBlockedForUrls.yaml
new file mode 100755
index 000000000..946d2f163
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebHidBlockedForUrls.yaml
@@ -0,0 +1,37 @@
+caption: Block the WebHID API on these sites
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them access to a HID device.
+
+ Leaving the policy unset means DefaultWebHidGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
+
+ For URL patterns which do not match the policy, the following take precedence, in this order:
+
+ * WebHidAskForUrls (if there is a match),
+
+ * DefaultWebHidGuardSetting (if set), or
+
+ * Users' personal settings.
+
+ URL patterns can't conflict with WebHidAskForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://google.com
+- https://chromium.org
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- mattreynolds@chromium.org
+- file://third_party/blink/renderer/modules/hid/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:100-
+- chrome.*:100-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebPrintingAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebPrintingAllowedForUrls.yaml
new file mode 100755
index 000000000..534c9c400
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebPrintingAllowedForUrls.yaml
@@ -0,0 +1,25 @@
+caption: Allow WebPrinting API on these sites
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which sites are automatically granted access to local printers via the WebPrinting API.
+
+ Leaving the policy unset means DefaultWebPrintingSetting applies for all sites, if it's set. If not, users' personal settings apply.
+
+ URL patterns must not conflict with WebPrintingBlockedForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome_os
+owners:
+- file://chrome/browser/printing/web_api/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebPrintingBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebPrintingBlockedForUrls.yaml
new file mode 100755
index 000000000..83fd7da39
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebPrintingBlockedForUrls.yaml
@@ -0,0 +1,25 @@
+caption: Block WebPrinting API on these sites
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which sites are automatically denied access to local printers via the WebPrinting API.
+
+ Leaving the policy unset means DefaultWebPrintingSetting applies for all sites, if it's set. If not, users' personal settings apply.
+
+ URL patterns must not conflict with WebPrintingAllowedForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome_os
+owners:
+- file://chrome/browser/printing/web_api/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebUsbAllowDevicesForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebUsbAllowDevicesForUrls.yaml
new file mode 100755
index 000000000..fe4de7d17
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebUsbAllowDevicesForUrls.yaml
@@ -0,0 +1,58 @@
+caption: Automatically grant permission to these sites to connect to USB devices with
+ the given vendor and product IDs.
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which sites are automatically granted permission to access a USB device with the given vendor and product IDs. Each item in the list requires both devices and urls fields for the policy to be valid. Each item in the devices field can have a vendor_id and product_id field. Omitting the vendor_id field will create a policy matching any device. Omitting the product_id field will create a policy matching any device with the given vendor ID. A policy which has a product_id field without a vendor_id field is invalid.
+
+ The USB permission model will grant the specified URL permission to access the USB device as a top-level origin. If embedded frames need to access USB devices, the 'usb' feature-policy header should be used to grant access. The URL must be valid, otherwise the policy is ignored.
+
+ Deprecated: The USB permission model used to support specifying both the requesting and embedding URLs. This is deprecated and only supported for backwards compatibility in this manner: if both a requesting and embedding URL is specified, then the embedding URL will be granted the permission as top-level origin and the requesting URL will be ignored entirely.
+
+ This policy overrides DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls and the user's preferences.
+
+ This policy only affects access to USB devices through the WebUSB API. To grant access to USB devices through the Web Serial API see the SerialAllowUsbDevicesForUrls policy.
+example_value:
+- devices:
+ - product_id: 5678
+ vendor_id: 1234
+ urls:
+ - https://google.com
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- reillyg@chromium.org
+- odejesush@chromium.org
+schema:
+ items:
+ properties:
+ devices:
+ items:
+ properties:
+ product_id:
+ maximum: 65535
+ minimum: 0
+ type: integer
+ vendor_id:
+ maximum: 65535
+ minimum: 0
+ type: integer
+ type: object
+ type: array
+ urls:
+ items:
+ type: string
+ type: array
+ required:
+ - devices
+ - urls
+ type: object
+ type: array
+supported_on:
+- android:75-
+- chrome_os:74-
+- chrome.*:74-
+tags:
+- website-sharing
+type: dict
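Review bot: The `desc` states that omitting `vendor_id` creates a policy matching any device, and the `devices` item schema has no `required` list, so an entry with an empty device object automatically grants the listed URLs access to every USB device. Because this policy overrides WebUsbBlockedForUrls and the user's preferences, the description should call that case out, for example with `Omitting both fields grants the listed sites access to all USB devices; prefer specifying vendor_id and product_id.` It would also help to say that `vendor_id` and `product_id` are decimal integers in the range 0–65535, since USB IDs are usually published in hexadecimal and the example values (`1234`, `5678`) do not make the base obvious.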
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebUsbAskForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebUsbAskForUrls.yaml
new file mode 100755
index 000000000..81a433c08
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebUsbAskForUrls.yaml
@@ -0,0 +1,31 @@
+caption: Allow WebUSB on these sites
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them access to a USB device.
+
+ Leaving the policy unset means DefaultWebUsbGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
+
+ URL patterns must not conflict with WebUsbAskForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- reillyg@chromium.org
+- odejesush@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:68-
+- android:68-
+- chrome.*:68-
+tags:
+- website-sharing
+type: list
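Review bot: The conflict sentence in `desc` names the policy itself: "URL patterns must not conflict with WebUsbAskForUrls". WebUsbBlockedForUrls.yaml says its patterns can't conflict with WebUsbAskForUrls, so the counterpart meant here is presumably the block list, i.e. `URL patterns must not conflict with WebUsbBlockedForUrls.` As written, the next sentence ("Neither policy takes precedence if a URL matches with both") has no second policy to refer to, which hides the fact that a URL in both lists has an undefined outcome.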
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebUsbBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebUsbBlockedForUrls.yaml
new file mode 100755
index 000000000..3bc755825
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WebUsbBlockedForUrls.yaml
@@ -0,0 +1,30 @@
+caption: Block WebUSB on these sites
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them access to a USB device.
+
+ Leaving the policy unset means DefaultWebUsbGuardSetting applies for all sites, if it's set. If not, the user's personal setting applies.
+
+ URL patterns can't conflict with WebUsbAskForUrls. Neither policy takes precedence if a URL matches with both.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- reillyg@chromium.org
+- odejesush@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:68-
+- android:68-
+- chrome.*:68-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowManagementAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowManagementAllowedForUrls.yaml
new file mode 100755
index 000000000..e269a8ac0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowManagementAllowedForUrls.yaml
@@ -0,0 +1,28 @@
+caption: Allow Window Management permission on these sites
+desc: |-
+ Allows you to set a list of site url patterns that specify sites which will automatically grant the window management permission. This will extend the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
+
+ For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.
+
+ If this policy is not set for a site then the policy from DefaultWindowManagementSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.
+
+ This replaces the deprecated WindowPlacementAllowedForUrls policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- msw@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:111-
+- chrome_os:111-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowManagementBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowManagementBlockedForUrls.yaml
new file mode 100755
index 000000000..78484c56c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowManagementBlockedForUrls.yaml
@@ -0,0 +1,28 @@
+caption: Block Window Management permission on these sites
+desc: |-
+ Allows you to set a list of site url patterns that specify sites which will automatically deny the window management permission. This will limit the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
+
+ For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.
+
+ If this policy is not set for a site then the policy from DefaultWindowManagementSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.
+
+ This replaces the deprecated WindowPlacementBlockedForUrls policy.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- msw@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:111-
+- chrome_os:111-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowPlacementAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowPlacementAllowedForUrls.yaml
new file mode 100755
index 000000000..7408f32f9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowPlacementAllowedForUrls.yaml
@@ -0,0 +1,27 @@
+caption: Allow Window Placement permission on these sites
+desc: |-
+ Allows you to set a list of site url patterns that specify sites which will automatically grant the window placement permission. This will extend the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
+
+ For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.
+
+ If this policy is not set for a site then the policy from DefaultWindowPlacementSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- msw@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:100-
+- chrome_os:100-
+deprecated: true
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowPlacementBlockedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowPlacementBlockedForUrls.yaml
new file mode 100755
index 000000000..929ff2442
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/WindowPlacementBlockedForUrls.yaml
@@ -0,0 +1,27 @@
+caption: Block Window Placement permission on these sites
+desc: |-
+ Allows you to set a list of site url patterns that specify sites which will automatically deny the window placement permission. This will limit the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
+
+ For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.
+
+ If this policy is not set for a site then the policy from DefaultWindowPlacementSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- msw@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:100-
+- chrome_os:100-
+deprecated: true
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/policy_atomic_groups.yaml
new file mode 100755
index 000000000..adbd23328
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ContentSettings/policy_atomic_groups.yaml
@@ -0,0 +1,95 @@
+CookiesSettings:
+ caption: Cookies settings
+ policies:
+ - DefaultCookiesSetting
+ - CookiesAllowedForUrls
+ - CookiesBlockedForUrls
+ - CookiesSessionOnlyForUrls
+ImageSettings:
+ caption: Image settings
+ policies:
+ - DefaultImagesSetting
+ - ImagesAllowedForUrls
+ - ImagesBlockedForUrls
+JavascriptSettings:
+ caption: Javascript settings
+ policies:
+ - DefaultJavaScriptSetting
+ - JavaScriptAllowedForUrls
+ - JavaScriptBlockedForUrls
+KeygenSettings:
+ caption: Keygen settings
+ policies:
+ - DefaultKeygenSetting
+ - KeygenAllowedForUrls
+ - KeygenBlockedForUrls
+LegacySameSiteCookieBehaviorSettings:
+ caption: Legacy SameSite cookie behavior
+ settings
+ policies:
+ - LegacySameSiteCookieBehaviorEnabled
+ - LegacySameSiteCookieBehaviorEnabledForDomainList
+LocalFontsSettings:
+ caption: Local Fonts settings
+ policies:
+ - DefaultLocalFontsSetting
+ - LocalFontsAllowedForUrls
+ - LocalFontsBlockedForUrls
+NotificationsSettings:
+ caption: Notification settings
+ policies:
+ - DefaultNotificationsSetting
+ - NotificationsAllowedForUrls
+ - NotificationsBlockedForUrls
+PluginsSettings:
+ caption: Plugins settings
+ policies:
+ - DefaultPluginsSetting
+ - PluginsAllowedForUrls
+ - PluginsBlockedForUrls
+PopupsSettings:
+ caption: Pop-ups settings
+ policies:
+ - DefaultPopupsSetting
+ - PopupsAllowedForUrls
+ - PopupsBlockedForUrls
+SensorsSettings:
+ caption: Sensors settings
+ policies:
+ - DefaultSensorsSetting
+ - SensorsAllowedForUrls
+ - SensorsBlockedForUrls
+ThirdPartyStoragePartitioningSettings:
+ caption: Third-party storage partitioning settings
+ policies:
+ - DefaultThirdPartyStoragePartitioningSetting
+ - ThirdPartyStoragePartitioningBlockedForOrigins
+WebUsbSettings:
+ caption: Web USB settings
+ policies:
+ - DefaultWebUsbGuardSetting
+ - DeviceLoginScreenWebUsbAllowDevicesForUrls
+ - WebUsbAllowDevicesForUrls
+ - WebUsbAskForUrls
+ - WebUsbBlockedForUrls
+WindowManagementSettings:
+ caption: Window Management settings
+ policies:
+ - DefaultWindowManagementSetting
+ - WindowManagementAllowedForUrls
+ - WindowManagementBlockedForUrls
+ - DefaultWindowPlacementSetting
+ - WindowPlacementAllowedForUrls
+ - WindowPlacementBlockedForUrls
+WebPrintingSettings:
+ caption: Web Printing settings
+ policies:
+ - DefaultWebPrintingSetting
+ - WebPrintingAllowedForUrls
+ - WebPrintingBlockedForUrls
+DirectSocketsSettings:
+ caption: Direct Sockets settings
+ policies:
+ - DefaultDirectSocketsSetting
+ - DirectSocketsAllowedForUrls
+ - DirectSocketsBlockedForUrls
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/.group.details.yaml
new file mode 100755
index 000000000..6939a0d33
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Linux container
+desc: Controls settings for the Linux container (Crostini).
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniAllowed.yaml
new file mode 100755
index 000000000..d25047e5f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniAllowed.yaml
@@ -0,0 +1,28 @@
+caption: User is enabled to run Crostini
+default: true
+desc: Setting the policy to Enabled or leaving it unset lets users run Crostini,
+ as long as VirtualMachinesAllowed
+ and CrostiniAllowed are set to Enabled.
+ Setting the policy to Disabled turns Crostini
+ off for the user. Changing it to Disabled starts applying the policy to starting
+ new Crostini containers, not those already
+ running.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow users to use virtual machines needed to support Linux apps
+ value: true
+- caption: Do not allow users to use virtual machines needed to support Linux apps
+ value: false
+owners:
+- timzheng@chromium.org
+- aoldemeier@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:70-
+tags:
+- system-security
+type: main
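Review bot: The `desc` makes the policy depend on itself: setting it to Enabled or leaving it unset lets users run Crostini "as long as VirtualMachinesAllowed and CrostiniAllowed are set to Enabled". That is circular and leaves the unset case unclear, because an unset CrostiniAllowed is described as sufficient and yet is not "set to Enabled". A wording such as `lets users run Crostini, as long as VirtualMachinesAllowed is also set to Enabled` would state the dependency without the self-reference. DeviceUnaffiliatedCrostiniAllowed.yaml repeats the pattern by listing its own name among the three policies that must be Enabled.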
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniAnsiblePlaybook.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniAnsiblePlaybook.yaml
new file mode 100755
index 000000000..dac8d7eb9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniAnsiblePlaybook.yaml
@@ -0,0 +1,34 @@
+caption: Crostini Ansible playbook
+desc: |-
+ Provides an Ansible playbook that should be executed in the default Crostini container.
+
+ This policy allows to provide an Ansible playbook to be applied to the default Crostini container if it is available on the given device and allowed by policies.
+
+ The size of the data must not exceed 1MB (1000000 bytes) and must be encoded in YAML. The cryptographic hash is used to verify the integrity of the download.
+
+ The configuration is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.
+
+ If you set the policy, users can't change it. If not set, users can continue using default Crostini container in its ongoing configuration if Crostini is allowed by policies.
+example_value:
+ hash: deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+ url: https://example.com/ansibleplaybook
+features:
+ dynamic_refresh: true
+ per_profile: false
+max_size: 1000000
+owners:
+- aoldemeier@chromium.org
+- okalitova@chromium.org
+schema:
+ properties:
+ hash:
+ description: The SHA-256 hash of the Ansible playbook.
+ type: string
+ url:
+ description: The URL from which the Ansible playbook can be downloaded.
+ type: string
+ type: object
+supported_on:
+- chrome_os:80-
+tags: []
+type: external
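Review bot: The `desc` relies on the cryptographic hash to verify the integrity of the downloaded playbook, but the `schema` declares `hash` and `url` as plain strings with no `required` list, so a value without a hash would pass schema validation. Whether the code consuming this policy rejects such a value is not visible in this file. Since the playbook is executed in the default Crostini container, the requirement should be explicit: either add `required: [hash, url]` under `schema`, if the policy tooling accepts it for external policies, or state in `desc` how a value with a missing or malformed SHA-256 hash is handled.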
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniArcAdbSideloadingAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniArcAdbSideloadingAllowed.yaml
new file mode 100755
index 000000000..8301d74c2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniArcAdbSideloadingAllowed.yaml
@@ -0,0 +1,34 @@
+caption: Control usage of Android apps from untrusted sources for the user
+default: 0
+desc: |-
+ This policy controls the usage of Android apps from untrusted sources (other than Google Play Store) on a per-user basis.
+
+ If the value for this policy is not set, then the functionality is treated as disallowed.
+
+ If the user's device is managed, the availability of this functionality is additionally dependant on the corresponding device policy.
+
+ If the user's device is not managed, the availability of this functionality is additionally dependant on whether the user is the device owner.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- chrome_os
+items:
+- caption: Prevent the user from using Android apps from untrusted sources
+ name: Disallow
+ value: 0
+- caption: Allow the user to use Android apps from untrusted sources
+ name: Allow
+ value: 1
+owners:
+- janagrill@google.com
+- okalitova@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+tags:
+- system-security
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniExportImportUIAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniExportImportUIAllowed.yaml
new file mode 100755
index 000000000..e43792554
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniExportImportUIAllowed.yaml
@@ -0,0 +1,24 @@
+caption: User is enabled to export / import Crostini containers via the UI
+default: true
+desc: Setting the policy to Enabled or leaving it unset makes the export-import UI
+ available to users. Setting the policy to Disabled renders the export-import UI
+ unavailable to users.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable Linux virtual machine backup and restore
+ value: true
+- caption: Disable Linux virtual machine backup and restore
+ value: false
+owners:
+- joelhockey@chromium.org
+- aoldemeier@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:74-
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniPortForwardingAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniPortForwardingAllowed.yaml
new file mode 100755
index 000000000..5ffe4927b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniPortForwardingAllowed.yaml
@@ -0,0 +1,26 @@
+caption: Allow users to [enable/configure] Crostini port forwarding
+default: true
+desc: |-
+ Specifies whether port forwarding into Crostini containers is allowed.
+
+ If this policy is set to True or not set, users will be able to configure port forwarding into their Crostini containers.
+
+ If this policy is set to False, port forwarding into Crostini containers will be disabled.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow port forwarding into Linux virtual machines
+ value: true
+- caption: Do not allow port forwarding into Linux virtual machines
+ value: false
+owners:
+- denniskempin@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:85-
+tags:
+- system-security
+type: main
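Review bot: The `caption` still contains an editorial placeholder, "Allow users to [enable/configure] Crostini port forwarding", which presumably ends up verbatim wherever policy captions are rendered. The `desc` says users "will be able to configure port forwarding", so `caption: Allow users to configure Crostini port forwarding` looks like the intended text.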
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniRootAccessAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniRootAccessAllowed.yaml
new file mode 100755
index 000000000..7a67ff312
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/CrostiniRootAccessAllowed.yaml
@@ -0,0 +1,26 @@
+caption: User is allowed to have root access to Crostini containers
+default: true
+desc: |-
+ Allow this user root access to Crostini containers.
+
+ If the policy is set to true or left unset root access to Crostini containers will be granted to the user.
+ If the policy is set to false, root access to both existing and new Crostini containers will not be granted to the user.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- chrome_os
+items:
+- caption: Enable root access to Linux virtual machines
+ value: true
+- caption: Disable root access to Linux virtual machines
+ value: false
+owners:
+- aoldemeier@chromium.org
+- okalitova@chromium.org
+schema:
+ type: boolean
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/DeviceCrostiniArcAdbSideloadingAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/DeviceCrostiniArcAdbSideloadingAllowed.yaml
new file mode 100755
index 000000000..0cf2dabd0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/DeviceCrostiniArcAdbSideloadingAllowed.yaml
@@ -0,0 +1,39 @@
+caption: Control usage of Android apps from untrusted sources for the device
+default: 0
+desc: |-
+ This policy controls the usage of Android apps from untrusted sources (other than Google Play Store) for a device.
+
+ If the value for this policy is not set, then the functionality is treated as disallowed.
+
+ The availability of this functionality is additionally dependant on the corresponding user policy.
+device_only: true
+example_value: 1
+features:
+ dynamic_refresh: true
+future_on:
+- chrome_os
+items:
+- caption: Prevent users of this device from using ADB sideloading, without forcing
+ a powerwash, which might leave the device in a questionable state security-wise
+ name: Disallow
+ value: 0
+- caption: Prevent users of this device from using ADB sideloading and force a device
+ powerwash if sideloading was enabled before
+ name: DisallowWithPowerwash
+ value: 1
+- caption: Allow affiliated users of this device to use ADB sideloading
+ name: AllowForAffiliatedUsers
+ value: 2
+owners:
+- janagrill@google.com
+- okalitova@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+tags:
+- system-security
+type: int-enum
+generate_device_proto: False
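Review bot: The `desc` only says that an unset policy is "treated as disallowed", while `default: 0` selects the Disallow item, whose own caption warns that skipping the powerwash "might leave the device in a questionable state security-wise". The description should list the three values and point administrators to the safer choice when sideloading was previously enabled, for example `If sideloading was enabled on the device before, use DisallowWithPowerwash; Disallow does not force a powerwash.` The word "dependant" in `desc` should also be "dependent", here and in CrostiniArcAdbSideloadingAllowed.yaml.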
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/DeviceUnaffiliatedCrostiniAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/DeviceUnaffiliatedCrostiniAllowed.yaml
new file mode 100755
index 000000000..ffbb8fff6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/DeviceUnaffiliatedCrostiniAllowed.yaml
@@ -0,0 +1,31 @@
+caption: Allow unaffiliated users to use Crostini
+default: true
+desc: Setting the policy to Enabled or leaving it unset lets all users use Crostini
+ as long as all 3 policies, VirtualMachinesAllowed,
+ CrostiniAllowed, and DeviceUnaffiliatedCrostiniAllowed
+ are set to Enabled. Setting the policy to Disabled means unaffiliated users can't
+ use Crostini. Changing it to Disabled starts
+ applying the policy to starting new Crostini
+ containers, not those already running.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Allow unaffiliated users to use virtual machines needed to support Linux
+ apps
+ value: true
+- caption: Do not allow unaffiliated users to use virtual machines needed to support
+ Linux apps
+ value: false
+owners:
+- timzheng@chromium.org
+- aoldemeier@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:70-
+tags:
+- system-security
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/SystemTerminalSshAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/SystemTerminalSshAllowed.yaml
new file mode 100755
index 000000000..30051d012
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/SystemTerminalSshAllowed.yaml
@@ -0,0 +1,26 @@
+caption: Allow SSH outgoing client connections in Terminal System App
+default: true
+default_for_enterprise_users: false
+desc: |-
+ If this policy doesn't exist (e.g. for unmanaged users), the SSH (Secure SHell) outgoing client connections feature in Terminal System App is enabled (default True).
+ If the user is managed, and the policy is unset or Disabled, the feature is disabled in Terminal.
+ Setting the policy to Enabled allows managed users to create outgoing client SSH connections in Terminal.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable SSH in Terminal System App
+ value: true
+- caption: Disable SSH in Terminal System App
+ value: false
+owners:
+- joelhockey@chromium.org
+- aoldemeier@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:102-
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/VirtualMachinesAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/VirtualMachinesAllowed.yaml
new file mode 100755
index 000000000..9f0d69b76
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Crostini/VirtualMachinesAllowed.yaml
@@ -0,0 +1,27 @@
+caption: Allow devices to run virtual machines on ChromeOS
+default: false
+default_for_managed_devices_doc_only: false
+desc: |-
+ Setting the policy to Enabled lets the device run virtual machines on $2ChromeOS. VirtualMachinesAllowed and CrostiniAllowed must be Enabled to use Crostini. Setting the policy to Disabled means the device can't run virtual machines. Changing it to Disabled starts applying the policy to starting new virtual machines, not those already running.
+
+ When this policy is not set on a managed device, the device can't run virtual machines. Unmanaged devices can run virtual machines.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Allow the device to run virtual machines
+ value: true
+- caption: Do not allow the device to run virtual machines
+ value: false
+owners:
+- timzheng@chromium.org
+- aoldemeier@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:66-
+tags:
+- system-security
+type: main
+generate_device_proto: False
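Review bot: The `desc` here says only "VirtualMachinesAllowed and CrostiniAllowed must be Enabled to use Crostini", while the DeviceUnaffiliatedCrostiniAllowed definition added in this same patch lists three gating policies. An admin reading this entry alone gets an incomplete picture of what gates Crostini for unaffiliated users. I would append a sentence such as `For unaffiliated users, DeviceUnaffiliatedCrostiniAllowed must also be Enabled.` The existing remark that Disabled applies only to newly started virtual machines is worth keeping prominent, since already-running VMs are not stopped by the change.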
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/.group.details.yaml
new file mode 100755
index 000000000..1011663de
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Date and time
+desc: Controls clock and time zone settings.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/CalendarIntegrationEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/CalendarIntegrationEnabled.yaml
new file mode 100755
index 000000000..aea0eb9ef
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/CalendarIntegrationEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Enable Google Calendar Integration
+default: true
+desc: |-
+ Enable Google Calendar integration which allows $2Google ChromeOS users to fetch events from Google Calendar to populate $2Google ChromeOS calendar widget in system status bar.
+
+ If this policy is enabled, $2Google ChromeOS device can retrieve Google Calendar events to populate $2Google ChromeOS calendar widget in system status bar for the logged in user.
+
+ If this policy is disabled, $2Google ChromeOS device cannot retrieve Google Calendar events to populate $2Google ChromeOS calendar widget in system status bar for the logged in user.
+
+ If this policy is left unset, the Google Calendar feature is enabled by default for enterprise users.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome_os:113-
+items:
+- caption: Enable Google Calendar Integration.
+ value: true
+- caption: Disable Google Calendar Integration.
+ value: false
+owners:
+- ramyagopalan@google.com
+- jiamingc@google.com
+schema:
+ type: boolean
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/SystemTimezone.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/SystemTimezone.yaml
new file mode 100755
index 000000000..d862a6163
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/SystemTimezone.yaml
@@ -0,0 +1,21 @@
+caption: Timezone
+desc: |-
+ Setting the policy specifies a device's time zone and turns off location-based automatic time zone adjustment while overriding the SystemTimezoneAutomaticDetection policy. Users can't change the time zone.
+
+ New devices start with the time zone set to US Pacific. Value format follows the names in the IANA Time Zone Database ( https://en.wikipedia.org/wiki/Tz_database ). Entering an invalid value activates the policy using GMT.
+
+ If not set or if you enter an empty string, the device uses the currently active time zone, but users can change it.
+device_only: true
+example_value: America/Los_Angeles
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome_os:22-
+tags: []
+type: string
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/SystemTimezoneAutomaticDetection.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/SystemTimezoneAutomaticDetection.yaml
new file mode 100755
index 000000000..a9d1ed89a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/SystemTimezoneAutomaticDetection.yaml
@@ -0,0 +1,52 @@
+caption: Configure the automatic timezone detection method
+default: 0
+desc: |-
+ Unless the SystemTimezone policy turns off automatic time zone detection, then setting the policy outlines the automatic time zone detection method, which users can't change.
+
+ Setting the policy to:
+ * TimezoneAutomaticDetectionDisabled keeps automatic time zone detection off.
+ * TimezoneAutomaticDetectionIPOnly keeps automatic time zone detection on, using the IP-only method.
+ * TimezoneAutomaticDetectionSendWiFiAccessPoints keeps automatic time zone detection on, continually sending the list of visible Wi-Fi access-points to the Geolocation API server for finer-grained time zone detection.
+ * TimezoneAutomaticDetectionSendAllLocationInfo keeps automatic time zone detection on, continually sending location information (such as Wi-Fi access points, reachable cell towers) to a server for the most fine-grained time zone detection.
+
+ If not set, set to Let users decide, or set to None, then users control automatic time zone detection using normal controls in chrome://os-settings.
+
+ Note: If you're using this policy to resolve the time zone automatically, don't forget to set GoogleLocationServicesEnabled policy to either Allow or OnlyAllowedForSystemServices.
+device_only: true
+example_value: 0
+features:
+ dynamic_refresh: true
+items:
+- caption: Let users decide
+ name: TimezoneAutomaticDetectionUsersDecide
+ value: 0
+- caption: Never auto-detect timezone
+ name: TimezoneAutomaticDetectionDisabled
+ value: 1
+- caption: Always use coarse timezone detection
+ name: TimezoneAutomaticDetectionIPOnly
+ value: 2
+- caption: Always send WiFi access-points to server while resolving timezone
+ name: TimezoneAutomaticDetectionSendWiFiAccessPoints
+ value: 3
+- caption: Always send any available location signals to the server while resolving
+ timezone
+ name: TimezoneAutomaticDetectionSendAllLocationInfo
+ value: 4
+owners:
+- alemate@chromium.org
+- michaelpg@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ - 4
+ type: integer
+supported_on:
+- chrome_os:53-
+tags:
+- google-sharing
+type: int-enum
+generate_device_proto: False
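Review bot: The `desc` sentence "If not set, set to Let users decide, or set to None" names a value "None" that does not appear among the five `items` or in the `schema` enum (0 to 4). An admin cannot tell which setting it refers to. The bullet list also skips value 0 by name, although values 3 and 4 make the device continually send Wi-Fi access points and other location signals to a server, so the wording of the opt-out case matters. I would reword it to `If not set or set to TimezoneAutomaticDetectionUsersDecide, then users control automatic time zone detection using normal controls in chrome://os-settings.`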
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/SystemUse24HourClock.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/SystemUse24HourClock.yaml
new file mode 100755
index 000000000..63ba2e134
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/SystemUse24HourClock.yaml
@@ -0,0 +1,31 @@
+caption: Use 24 hour clock by default
+default: null
+desc: |-
+ Setting the policy to True gives a device's sign-in screen a 24-hour clock format.
+
+ Setting the policy to False gives a device's sign-in screen a 12-hour clock format.
+
+ Leaving the policy unset makes a device use the format from the current locale.
+
+ User sessions also default to the device format, but users can change an account's clock format.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: 24 hour clock format
+ value: true
+- caption: 12 hour clock format
+ value: false
+- caption: Automatic based on current language
+ value: null
+owners:
+- alemate@chromium.org
+- michaelpg@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:30-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/policy_atomic_groups.yaml
new file mode 100755
index 000000000..667bf1c84
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DateAndTime/policy_atomic_groups.yaml
@@ -0,0 +1,6 @@
+DateAndTime:
+ caption: Date and time
+ policies:
+ - CalendarIntegrationEnabled
+ - SystemTimezone
+ - SystemTimezoneAutomaticDetection
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/.group.details.yaml
new file mode 100755
index 000000000..77b7891a4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/.group.details.yaml
@@ -0,0 +1,3 @@
+caption: Default search provider
+desc: Configures the default search provider. You can specify the default search provider
+ that the user will use or choose to disable default search.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderAlternateURLs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderAlternateURLs.yaml
new file mode 100755
index 000000000..5f6b4caaf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderAlternateURLs.yaml
@@ -0,0 +1,28 @@
+caption: List of alternate URLs for the default search provider
+desc: |-
+ If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderAlternateURLs specifies a list of alternate URLs for extracting search terms from the search engine. The URLs should include the string '{searchTerms}'.
+
+ Leaving DefaultSearchProviderAlternateURLs unset means no alternate URLs are used to extract search terms.
+example_value:
+- https://search.my.company/suggest#q={searchTerms}
+- https://search.my.company/suggest/search#q={searchTerms}
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:24-
+- chrome_os:24-
+- android:30-
+- ios:88-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderEnabled.yaml
new file mode 100755
index 000000000..0fd2fff9a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderEnabled.yaml
@@ -0,0 +1,37 @@
+caption: Enable the default search provider
+default: null
+desc: |-
+ Setting the policy to Enabled means a default search is performed when a user enters non-URL text in the address bar. To specify the default search provider, set the rest of the default search policies. If you leave those policies empty, the user can choose the default provider. Setting the policy to Disabled means there's no search when the user enters non-URL text in the address bar. The Disabled value is not supported by the Google Admin console.
+
+ If you set the policy, users can't change it in $1Google Chrome. If not set, the default search provider is on, and users can set the search provider list.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable the default search provider
+ value: true
+- caption: Disable the default search provider
+ value: false
+- caption: Enable the default search provider and allow users to modify the search
+ provier list
+ value: null
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+- ios:88-
+tags: []
+type: main
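Review bot: The third entry under `items` has a misspelled caption, "allow users to modify the search provier list". Captions are the human-readable labels of the policy values, so the typo would presumably surface wherever these templates are rendered for administrators. It should read `provider list`.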
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderEncodings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderEncodings.yaml
new file mode 100755
index 000000000..fd994e23f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderEncodings.yaml
@@ -0,0 +1,30 @@
+caption: Default search provider encodings
+desc: |-
+ If DefaultSearchProviderEnabled is on, setting DefaultSearchProviderEncodings specifies the character encodings supported by the search provider. Encodings are code page names such as UTF-8, GB2312, and ISO-8859-1. They're tried in the order provided.
+
+ Leaving DefaultSearchProviderEncodings unset puts UTF-8 in use.
+example_value:
+- UTF-8
+- UTF-16
+- GB2312
+- ISO-8859-1
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+- ios:88-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderIconURL.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderIconURL.yaml
new file mode 100755
index 000000000..e0e32bb4f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderIconURL.yaml
@@ -0,0 +1,23 @@
+caption: Default search provider icon
+desc: |-
+ If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderIconURL specifies the default search provider's favorite icon URL.
+
+ Leaving DefaultSearchProviderIconURL unset means there's no icon for the search provider.
+deprecated: true
+example_value: https://search.my.company/favicon.ico
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:8-121
+- chrome_os:11-121
+- android:30-121
+- ios:88-121
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderImageURL.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderImageURL.yaml
new file mode 100755
index 000000000..2e9291610
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderImageURL.yaml
@@ -0,0 +1,34 @@
+caption: Parameter providing search-by-image feature for the default search provider
+desc: |-
+ If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderImageURL specifies the URL of the search engine used for image search. (If DefaultSearchProviderImageURLPostParams is set, then image search requests use the POST method instead.)
+
+ Leaving DefaultSearchProviderImageURL unset means no image search is used.
+
+ If image search uses the GET method, then the URL must specify image
+ parameters using a valid combination of the following placeholders:
+ '{google:imageURL}',
+ '{google:imageOriginalHeight}',
+ '{google:imageOriginalWidth}',
+ '{google:processedImageDimensions}',
+ '{google:imageSearchSource}',
+ '{google:imageThumbnail}',
+ '{google:imageThumbnailBase64}'.
+example_value: https://search.my.company/searchbyimage/upload
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:29-
+- chrome_os:29-
+- android:30-
+- ios:88-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderImageURLPostParams.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderImageURLPostParams.yaml
new file mode 100755
index 000000000..5c2cb2a4e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderImageURLPostParams.yaml
@@ -0,0 +1,34 @@
+caption: Parameters for image URL which uses POST
+desc: |-
+ If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderImageURLPostParams specifies the parameters during image search with POST. It consists of comma-separated, name-value pairs. If a value is a template parameter, such as {imageThumbnail}, real image thumbnail data replaces it.
+
+ Leaving DefaultSearchProviderImageURLPostParams unset means image search request is sent using the GET method.
+
+ The URL must specify the image parameter using a valid combination of
+ the following placeholders depending on what the search provider supports:
+ '{google:imageURL}',
+ '{google:imageOriginalHeight}',
+ '{google:imageOriginalWidth}',
+ '{google:processedImageDimensions}',
+ '{google:imageSearchSource}',
+ '{google:imageThumbnail}',
+ '{google:imageThumbnailBase64}'.
+example_value: content={google:imageThumbnail},url={google:imageURL},sbisrc={google:imageSearchSource}
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:29-
+- chrome_os:29-
+- android:30-
+- ios:88-
+tags: []
+type: string
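Review bot: The `desc` gives `{imageThumbnail}` as the example template parameter, but the placeholder list below it and the `example_value` both use the prefixed form `'{google:imageThumbnail}'`. An admin who copies the unprefixed name may end up with a parameter that is not substituted. I would change the sentence to `such as '{google:imageThumbnail}'`. The paragraph starting "The URL must specify the image parameter" also looks copied from DefaultSearchProviderImageURL; for this policy it should refer to the POST parameters rather than the URL.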
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderInstantURL.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderInstantURL.yaml
new file mode 100755
index 000000000..75f6c2327
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderInstantURL.yaml
@@ -0,0 +1,26 @@
+caption: Default search provider instant URL
+deprecated: true
+desc: |-
+ Specifies the URL of the search engine used to provide instant results. The URL should contain the string '{searchTerms}', which will be replaced at query time by the text the user has entered so far.
+
+ This policy is optional. If not set, no instant search results will be provided.
+
+ Google's instant results URL can be specified as: '{google:baseURL}suggest?q={searchTerms}'.
+
+ This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.
+example_value: https://search.my.company/suggest?q={searchTerms}
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:10-63
+- chrome_os:11-63
+- android:30-63
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderInstantURLPostParams.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderInstantURLPostParams.yaml
new file mode 100755
index 000000000..a3b98fa16
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderInstantURLPostParams.yaml
@@ -0,0 +1,24 @@
+caption: Parameters for instant URL which uses POST
+deprecated: true
+desc: |-
+ Specifies the parameters used when doing instant search with POST. It consists of comma-separated name/value pairs. If a value is a template parameter, like {searchTerms} in above example, it will be replaced with real search terms data.
+
+ This policy is optional. If not set, instant search request will be sent using the GET method.
+
+ This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.
+example_value: q={searchTerms},ie=utf-8,oe=utf-8
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:29-63
+- chrome_os:29-63
+- android:30-63
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderKeyword.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderKeyword.yaml
new file mode 100755
index 000000000..3f4dd0191
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderKeyword.yaml
@@ -0,0 +1,24 @@
+caption: Default search provider keyword
+desc: |-
+ If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderKeyword specifies the keyword or shortcut used in the address bar to trigger the search for this provider.
+
+ Leaving DefaultSearchProviderKeyword unset means no keyword activates the search provider.
+example_value: mis
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-121
+- ios:88-121
+tags: []
+type: string
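Review bot: `supported_on` ends at milestone 121 for `android` and `ios`, but the policy is not marked deprecated and the `desc` does not say it stops applying on those platforms. An admin who relies on the description would assume the keyword is still enforced on mobile. A sentence such as `This policy is not supported on Android and iOS after version 121.` would make that visible. DefaultSearchProviderNewTabURL later in this patch has the same `android:30-121` / `ios:88-121` ranges and the same gap.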
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderName.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderName.yaml
new file mode 100755
index 000000000..332ce839e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderName.yaml
@@ -0,0 +1,25 @@
+caption: Default search provider name
+desc: |-
+ If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderName specifies the default search provider's name.
+
+ Leaving DefaultSearchProviderName unset means the hostname specified by the search URL is used.
+example_value: My Intranet Search
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- chrome-desktop-search@google.com
+- jdonnelly@google.com
+schema:
+ type: string
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+- ios:88-
+tags:
+- website-sharing
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderNewTabURL.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderNewTabURL.yaml
new file mode 100755
index 000000000..02a551602
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderNewTabURL.yaml
@@ -0,0 +1,24 @@
+caption: Default search provider new tab page URL
+desc: |-
+ If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderNewTabURL specifies the URL of the search engine used to provide a New Tab page.
+
+ Leaving DefaultSearchProviderNewTabURL unset means no new tab page is provided.
+example_value: https://search.my.company/newtab
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:30-
+- chrome_os:30-
+- android:30-121
+- ios:88-121
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSearchTermsReplacementKey.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSearchTermsReplacementKey.yaml
new file mode 100755
index 000000000..7301c6270
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSearchTermsReplacementKey.yaml
@@ -0,0 +1,24 @@
+caption: Parameter controlling search term placement for the default search provider
+deprecated: true
+desc: |-
+ If this policy is set and a search URL suggested from the omnibox contains this parameter in the query string or in the fragment identifier, then the suggestion will show the search terms and search provider instead of the raw search URL.
+
+ This policy is optional. If not set, no search term replacement will be performed.
+
+ This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.
+example_value: espv
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:25-63
+- chrome_os:25-63
+- android:30-63
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSearchURL.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSearchURL.yaml
new file mode 100755
index 000000000..05f95c86d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSearchURL.yaml
@@ -0,0 +1,25 @@
+caption: Default search provider search URL
+desc: |-
+ If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSearchURL specifies the URL of the search engine used during a default search. The URL should include the string '{searchTerms}', replaced in the query by the user's search terms.
+
+ You can specify Google's search URL as: '{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}'.
+example_value: https://search.my.company/search?q={searchTerms}
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+- ios:88-
+tags:
+- website-sharing
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSearchURLPostParams.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSearchURLPostParams.yaml
new file mode 100755
index 000000000..d41735809
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSearchURLPostParams.yaml
@@ -0,0 +1,24 @@
+caption: Parameters for search URL which uses POST
+desc: |-
+ If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSearchURLPostParams specifies the parameters when searching a URL with POST. It consists of comma-separated, name-value pairs. If a value is a template parameter, such as '{searchTerms}', real search terms data replaces it.
+
+ Leaving DefaultSearchProviderSearchURLPostParams unset means search requests are sent using the GET method.
+example_value: q={searchTerms},ie=utf-8,oe=utf-8
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:29-
+- chrome_os:29-
+- android:30-
+- ios:88-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSuggestURL.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSuggestURL.yaml
new file mode 100755
index 000000000..2a57223c5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSuggestURL.yaml
@@ -0,0 +1,24 @@
+caption: Default search provider suggest URL
+desc: |-
+ If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSuggestURL specifies the URL of the search engine to provide search suggestions. The URL should include the string '{searchTerms}', replaced in the query by the user's search terms.
+
+ You can specify Google's search URL as: '{google:baseURL}complete/search?output=chrome&q={searchTerms}'.
+example_value: https://search.my.company/suggest?q={searchTerms}
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+- ios:88-
+tags: []
+type: string
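Review bot: This policy has `tags: []`, yet its `desc` says the configured URL receives the user's search terms through `{searchTerms}`. DefaultSearchProviderSearchURL and DefaultSearchProviderName in the same group are tagged `website-sharing`. If the tags feed any risk labelling for administrators (not visible from this hunk), the suggest endpoint would be under-reported as a destination for typed text. I would align it with the search URL policy by using `tags:` followed by `- website-sharing`.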
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSuggestURLPostParams.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSuggestURLPostParams.yaml
new file mode 100755
index 000000000..89a446603
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/DefaultSearchProviderSuggestURLPostParams.yaml
@@ -0,0 +1,24 @@
+caption: Parameters for suggest URL which uses POST
+desc: |-
+ If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSuggestURLPostParams specifies the parameters during suggestion search with POST. It consists of comma-separated, name-value pairs. If a value is a template parameter, such as '{searchTerms}', real search terms data replaces it.
+
+ Leaving DefaultSearchProviderSuggestURLPostParams unset unset means suggest search requests are sent using the GET method.
+example_value: q={searchTerms},ie=utf-8,oe=utf-8
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:29-
+- chrome_os:29-
+- android:30-
+- ios:88-
+tags: []
+type: string
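Review bot: The second paragraph of `desc` contains the duplicated word `unset unset`, which presumably ends up verbatim in the generated administrator documentation. It should read `Leaving DefaultSearchProviderSuggestURLPostParams unset means suggest search requests are sent using the GET method.`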
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/policy_atomic_groups.yaml
new file mode 100755
index 000000000..0566b376a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DefaultSearchProvider/policy_atomic_groups.yaml
@@ -0,0 +1,19 @@
+DefaultSearchProvider:
+ caption: Default search provider
+ policies:
+ - DefaultSearchProviderEnabled
+ - DefaultSearchProviderName
+ - DefaultSearchProviderKeyword
+ - DefaultSearchProviderSearchURL
+ - DefaultSearchProviderSuggestURL
+ - DefaultSearchProviderInstantURL
+ - DefaultSearchProviderIconURL
+ - DefaultSearchProviderEncodings
+ - DefaultSearchProviderAlternateURLs
+ - DefaultSearchProviderSearchTermsReplacementKey
+ - DefaultSearchProviderImageURL
+ - DefaultSearchProviderNewTabURL
+ - DefaultSearchProviderSearchURLPostParams
+ - DefaultSearchProviderSuggestURLPostParams
+ - DefaultSearchProviderInstantURLPostParams
+ - DefaultSearchProviderImageURLPostParams
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/.group.details.yaml
new file mode 100755
index 000000000..de95577cd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Desk Connector Settings
+desc: Controls settings for the desk connector API.
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/DeskAPIDeskSaveAndShareEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/DeskAPIDeskSaveAndShareEnabled.yaml
new file mode 100755
index 000000000..ac31319ba
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/DeskAPIDeskSaveAndShareEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Enable Save and Share API for third-party $2Google ChromeOS control.
+default: false
+desc: If the policy is set to Enabled allows third-party web applications to use Desk API
+ to save and share $2Google ChromeOS desks.
+ If the policy is set to Disabled the user will not be able to save and share desk data through the
+ Desk API.
+ If the policy is unset the behavior will be the same as disabled.
+ The policy will only take effect on enrolled devices.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome_os
+items:
+- caption: Enable Save and Share API for third-party $2Google ChromeOS control.
+ value: true
+- caption: Do not enable Save and Share API for third-party $2Google ChromeOS control.
+ value: false
+owners:
+- avynn@google.com
+- aprilzhou@google.com
+- yzd@google.com
+schema:
+ type: boolean
+tags: []
+type: main
\ No newline at end of file
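Review bot: The `desc` of this policy does not say how it relates to DeskAPIThirdPartyAccessEnabled and DeskAPIThirdPartyAllowlist, added later in this patch, so a reader cannot tell whether save-and-share is limited to the allowlisted origins or open to any third-party web application once enabled. The same gap exists in the other two files: neither description states what an unset or empty allowlist means while access is enabled. Each `desc` should name the related policies and state the empty-allowlist behaviour explicitly. Separately, `desc` here is a plain multi-line scalar, so its four sentences fold into one paragraph; `desc: |-`, as used by the DeviceUpdate policies, would keep the line breaks.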
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/DeskAPIThirdPartyAccessEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/DeskAPIThirdPartyAccessEnabled.yaml
new file mode 100755
index 000000000..8ed8c992a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/DeskAPIThirdPartyAccessEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Enable Desk API for third-party $2Google ChromeOS control
+default: false
+desc: Setting the policy to Enabled allows third-party web applications to use Desk
+ API to control $2Google ChromeOS desks. If the policy is not set or disabled, the Desk API
+ will be unavailable. The policy will only take effect on enrolled devices.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome_os:115-
+items:
+- caption: Enable Desk API for third-party $2Google ChromeOS control
+ value: true
+- caption: Do not enable Desk API for third-party $2Google ChromeOS control
+ value: false
+owners:
+- chromeos-commercial-remote-management@google.com
+- aprilzhou@google.com
+- yzd@google.com
+schema:
+ type: boolean
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/DeskAPIThirdPartyAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/DeskAPIThirdPartyAllowlist.yaml
new file mode 100755
index 000000000..766e1367d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeskConnector/DeskAPIThirdPartyAllowlist.yaml
@@ -0,0 +1,20 @@
+caption: Enable Desk API for a list of third-party domains
+desc: Specifies the list of third-party web application domains that are allowed to
+ use Desk API to control $2Google ChromeOS desks. These URL patterns should follow the format
+ defined for "matches" property in https://developer.chrome.com/docs/extensions/mv3/manifest/externally_connectable/#reference
+example_value:
+- https://*.chromium.org/*
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome_os:115-
+owners:
+- aprilzhou@google.com
+- yzd@google.com
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/.group.details.yaml
new file mode 100755
index 000000000..eec66e3cc
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/.group.details.yaml
@@ -0,0 +1,3 @@
+caption: Device update settings
+desc: Controls how and when $2Google ChromeOS
+ updates are applied.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/ChromeOsReleaseChannel.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/ChromeOsReleaseChannel.yaml
new file mode 100755
index 000000000..f900548f5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/ChromeOsReleaseChannel.yaml
@@ -0,0 +1,43 @@
+caption: Release channel
+default: "stable-channel"
+desc: |-
+ Specifies the release channel that this device should be locked to.
+
+ Setting ChromeOsReleaseChannel only has an effect if ChromeOsReleaseChannelDelegated is set to False.
+device_only: true
+example_value: stable-channel
+features:
+ dynamic_refresh: true
+items:
+- caption: LTS channel
+ name: LTSChannel
+ value: lts-channel
+- caption: LTC channel
+ name: LTCChannel
+ value: ltc-channel
+- caption: Stable channel
+ name: StableChannel
+ value: stable-channel
+- caption: Beta channel
+ name: BetaChannel
+ value: beta-channel
+- caption: Dev channel (may be unstable)
+ name: DevChannel
+ value: dev-channel
+owners:
+- mpolzer@google.com
+- vsavu@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ enum:
+ - stable-channel
+ - beta-channel
+ - dev-channel
+ - lts-channel
+ - ltc-channel
+ type: string
+supported_on:
+- chrome_os:11-
+tags: []
+type: string-enum
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/ChromeOsReleaseChannelDelegated.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/ChromeOsReleaseChannelDelegated.yaml
new file mode 100755
index 000000000..fff23e8f5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/ChromeOsReleaseChannelDelegated.yaml
@@ -0,0 +1,27 @@
+caption: Users may configure the $2Google ChromeOS
+ release channel
+default: false
+desc: |-
+ Users are only allowed to change the release channel of the device if this policy is set to True. If this policy is False or not set, users are not allowed to change the channel.
+
+ Setting ChromeOsReleaseChannel only has an effect if ChromeOsReleaseChannelDelegated is set to False.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Allow users to change the release channel
+ value: true
+- caption: Prevent users from changing the release channel
+ value: false
+owners:
+- mpolzer@google.com
+- vsavu@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:19-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceAutoUpdateDisabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceAutoUpdateDisabled.yaml
new file mode 100755
index 000000000..72d5e667d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceAutoUpdateDisabled.yaml
@@ -0,0 +1,29 @@
+caption: Disable Auto Update
+default: false
+desc: |-
+ Disables automatic updates when set to True.
+
+ $2Google ChromeOS devices automatically check for updates when this setting is not configured or set to False.
+
+ Warning: It is recommended to keep auto-updates enabled so that users receive software updates and critical security fixes. Turning off auto-updates might leave users at risk.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Block updates
+ value: true
+- caption: Allow updates
+ value: false
+owners:
+- mpolzer@google.com
+- sergiyb@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:19-
+tags:
+- system-security
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceAutoUpdateP2PEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceAutoUpdateP2PEnabled.yaml
new file mode 100755
index 000000000..2c9580791
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceAutoUpdateP2PEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Auto update P2P enabled
+default: true
+default_for_managed_devices_doc_only: true
+desc: |-
+ Specifies whether P2P is to be used for OS update payloads.
+ If set to True, devices will share and attempt to consume update payloads on the LAN, potentially reducing Internet bandwidth usage and congestion. If the update payload is not available on the LAN, the device will fall back to downloading from an update server.
+ If set to False, P2P will not be used.
+
+ NOTE: The default behavior for consumer and enterprise devices differs: on managed devices P2P will be enabled, while on non-managed devices it will not be enabled.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Allow peer to peer auto update downloads
+ value: true
+- caption: Do not allow peer to peer auto update downloads
+ value: false
+owners:
+- zeuthen@chromium.org
+- vsavu@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:31-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceAutoUpdateTimeRestrictions.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceAutoUpdateTimeRestrictions.yaml
new file mode 100755
index 000000000..fed2dfd44
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceAutoUpdateTimeRestrictions.yaml
@@ -0,0 +1,55 @@
+caption: Update Time Restrictions
+desc: |-
+ This policy controls the time frames during which the $2Google ChromeOS device is not allowed to check for updates automatically.
+ When this policy is set to a non-empty list of time intervals:
+ Devices will not be able to check for updates automatically during the specified time intervals. Devices that require an enterprise rollback or are below the minimum $2Google ChromeOS version will not be affected by this policy due to potential security issues. Furthermore, this policy will not block update checks requested by users or administrators.
+ Starting from M88, this policy cancels an ongoing update when a restricted time interval is reached. The next auto update after the restricted time interval ends will automatically resume the update. Devices updating to a Quick Fix Build will not be affected by this policy.
+ When this policy is unset or contains no time intervals:
+ No automatic update checks will be blocked by this policy, but they may be blocked by other policies.
+ Till M88, this feature is only enabled on $2Google ChromeOS devices configured as auto-launch kiosks. Other devices will not be restricted by this policy. However starting from M89, this policy is enabled on all $2Google ChromeOS devices.
+device_only: true
+example_value:
+- end:
+ day_of_week: Thursday
+ hours: 2
+ minutes: 30
+ start:
+ day_of_week: Monday
+ hours: 3
+ minutes: 50
+- end:
+ day_of_week: Sunday
+ hours: 15
+ minutes: 10
+ start:
+ day_of_week: Thursday
+ hours: 3
+ minutes: 30
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- asumaneev@gogole.com
+- mpolzer@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ items:
+ description: Time interval that spans at most one week. If the start time is later
+ than the end time, then the interval will wrap around.
+ properties:
+ end:
+ $ref: DisallowedTimeInterval
+ description: End of the interval, exclusive.
+ start:
+ $ref: DisallowedTimeInterval
+ description: Start time of the interval, inclusive.
+ required:
+ - start
+ - end
+ type: object
+ type: array
+supported_on:
+- chrome_os:69-
+tags: []
+type: dict
+generate_device_proto: False
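Review bot: The first `owners` entry is `asumaneev@gogole.com`, which looks like a misspelling of the `asumaneev@google.com` listed in DeviceTargetVersionSelector.yaml in this same patch. If owner entries are used to route review requests or notification mail, that address points at a domain outside the project's control. The line should be `- asumaneev@google.com`.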
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceChannelDowngradeBehavior.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceChannelDowngradeBehavior.yaml
new file mode 100755
index 000000000..7b3275dbb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceChannelDowngradeBehavior.yaml
@@ -0,0 +1,39 @@
+caption: Channel downgrade behavior
+default: 1
+desc: |-
+ This policy specifies channel downgrade behavior on enrolled devices. With channel downgrade we mean switching to a more stable channel, e.g. beta to stable.
+
+ The value of this policy affects user-initiated channel downgrades as well as admin initiated channel downgrades.
+
+ On a channel downgrade, the device can either roll back its version and reset or wait for its current (or a higher) version to become available on the channel and receive no update until then.
+
+ If an enrolled user initiates a channel downgrade, they can decide to reset or wait, or the choice is made for them depending on this policy's value. If an admin initiates a channel downgrade via setting ChromeOsReleaseChannel, the device is rolled back on the next update check only if rollback was selected. Otherwise, the device will wait for the target channel to catch up with its current version.
+
+ If unset or invalid, the behavior is the same as for "Wait for target channel to catch up on channel downgrade".
+device_only: true
+example_value: 1
+features:
+ dynamic_refresh: true
+future_on:
+- chrome_os
+items:
+- caption: Wait for the target channel to catch up on channel downgrade
+ name: WaitForVersionCatchUp
+ value: 1
+- caption: Roll back and reset the device on channel downgrade, try to preserve enrollment
+ name: Rollback
+ value: 2
+- caption: User decides on channel downgrade behavior
+ name: AllowUserToConfigure
+ value: 3
+owners:
+- mpolzer@google.com
+schema:
+ enum:
+ - 1
+ - 2
+ - 3
+ type: integer
+tags: []
+type: int-enum
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceExtendedAutoUpdateEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceExtendedAutoUpdateEnabled.yaml
new file mode 100755
index 000000000..ed2689612
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceExtendedAutoUpdateEnabled.yaml
@@ -0,0 +1,46 @@
+owners:
+- artyomchen@chromium.org
+- chromeos-commercial-remote-management@google.com
+
+caption: Enable/disable Extended Automatic Updates
+
+desc: |-
+ Allow eligible devices that will lose Android support to be opted into
+ Extended Automatic Updates.
+
+ If the policy is Enabled, devices will opt in to Extended Automatic Updates.
+
+ If the policy is Disabled or unset, devices will stop receiving updates
+ after the original Auto Update Expiration date.
+
+ This policy is only relevant for older models not automatically receiving
+ extended updates.
+
+ For more details please see
+ https://support.google.com/chrome/a/?p=extended_updates_support.
+
+supported_on:
+- chrome_os:126-
+
+device_only: true
+
+features:
+ dynamic_refresh: true
+ per_profile: false
+
+type: main
+
+schema:
+ type: boolean
+
+items:
+- caption: Allow extended automatic updates
+ value: true
+- caption: Do not allow extended automatic updates
+ value: false
+
+default: false
+
+example_value: true
+
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceMinimumVersion.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceMinimumVersion.yaml
new file mode 100755
index 000000000..2aa355f97
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceMinimumVersion.yaml
@@ -0,0 +1,79 @@
+caption: Configure minimum allowed $2Google ChromeOS
+ version for the device.
+desc: |-
+ Configures the requirement of the minimum allowed version of $2Google ChromeOS.
+
+ When this policy is set to a non-empty list:
+ If none of the entries has a chromeos_version greater than the current version of the device, then no restrictions are applied and the already existing restrictions are revoked.
+ If at least one of the entries has a chromeos_version greater than the current version, the entry whose version is greater and closest to the current version is chosen.
+ In case of conflict, preference is given to the entry with lower warning_period or aue_warning_period and the policy is applied using that entry.
+
+ If the current version becomes obsolete during user session and the current network limits auto updates, an on-screen notification is shown to update the device within the warning_period shown in the notification.
+ No notifications are shown if the current network allows auto updates and the device must be updated within the warning_period.
+ The warning_period starts from the time the policy is applied.
+ If the device is not updated till the expiry of the warning_period, the user is signed out of the session.
+ If the current version is found to be obsolete at the time of login with expired warning_period, the user is required to update the device before signing in.
+
+ If the current version becomes obsolete during user session and the device has reached auto update expiration, an on-screen notification is shown to return the device within aue_warning_period.
+ If the device is found to have reached auto update expiration at the time of login with expired aue_warning_period, the device is blocked for any user to sign in.
+
+ Unmanaged user sessions do not receive notifications and force log out if unmanaged_user_restricted is unset or set to False.
+
+ If this policy is not set or set to empty, no restrictions are applied, already existing restrictions are revoked and user can sign in regardless of $2Google ChromeOS version.
+
+ Here chromeos_version can be either an exact version like '13305.0.0' or a version prefix, like '13305'.
+ The warning_period and aue_warning_period are optional values specified in number of days. Default value for them is 0 days, which means that there is no warning period.
+ The unmanaged_user_restricted is an optional property with default value as False.
+device_only: true
+example_value:
+ requirements:
+ - aue_warning_period: 14
+ chromeos_version: '12215'
+ warning_period: 0
+ - aue_warning_period: 21
+ chromeos_version: 13315.60.12
+ warning_period: 10
+ unmanaged_user_restricted: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- janagrill@google.com
+- mpolzer@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ properties:
+ requirements:
+ items:
+ properties:
+ aue_warning_period:
+ description: Time in days after auto update expiration post which the
+ user will be signed out if $2Google ChromeOS
+ version is less than the specified chromeos_version
+ minimum: 0
+ type: integer
+ chromeos_version:
+ description: Minimum allowed $2Google ChromeOS
+ version
+ type: string
+ warning_period:
+ description: Time in days after which the user will be signed out if $2Google ChromeOS version is less
+ than the specified chromeos_version
+ minimum: 0
+ type: integer
+ required:
+ - chromeos_version
+ type: object
+ type: array
+ unmanaged_user_restricted:
+ description: A boolean flag indicating whether unmanaged user sessions should
+ receive notifications and force log out if update is required as per this
+ policy.
+ type: boolean
+ type: object
+supported_on:
+- chrome_os:86-
+tags: []
+type: dict
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceMinimumVersionAueMessage.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceMinimumVersionAueMessage.yaml
new file mode 100755
index 000000000..47d38908e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceMinimumVersionAueMessage.yaml
@@ -0,0 +1,26 @@
+caption: Configure auto update expiration message for DeviceMinimumVersion policy
+desc: |-
+ This policy is only effective when the device has reached auto update expiration and does not meet the minimum allowed version of $2Google ChromeOS set through DeviceMinimumVersion policy.
+
+ When this policy is set to a non-empty string :
+ If the warning time mentioned in DeviceMinimumVersion policy has expired, this message is shown at the login screen when the device is blocked for any user to sign in.
+ If the warning time mentioned in DeviceMinimumVersion policy has not expired, this message is shown on the Chrome management page after user sign in.
+
+ If this policy is not set or set to empty, the default auto update expiration message is shown to the user in both of the above cases.
+ The auto update expiration message must be plain text without any formatting. No markup is allowed.
+device_only: true
+example_value: This device has reached auto update expiration. Kindly return it.
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- janagrill@google.com
+- mpolzer@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ type: string
+supported_on:
+- chrome_os:86-
+tags: []
+type: string
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceQuickFixBuildToken.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceQuickFixBuildToken.yaml
new file mode 100755
index 000000000..0c7b737cc
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceQuickFixBuildToken.yaml
@@ -0,0 +1,23 @@
+caption: Provide users with Quick Fix Build
+desc: |-
+ This policy controls whether or not the device should be updated to a Quick Fix Build.
+
+ If policy value is set to a token that maps to a Quick Fix Build, the device will be updated to the corresponding Quick Fix Build if the update is not blocked by another policy.
+
+ If this policy is not set, or if its value does not map to a Quick Fix Build, then the device won't be updated to a Quick Fix Build. If the device is already running a Quick Fix Build and the policy is not set anymore or its value does not map to a Quick Fix Build anymore, then the device will be updated to a regular build if the update is not blocked by another policy.
+device_only: true
+example_value: sometoken
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- sergiyb@google.com
+- mpolzer@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ type: string
+supported_on:
+- chrome_os:75-
+tags: []
+type: string
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceRollbackAllowedMilestones.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceRollbackAllowedMilestones.yaml
new file mode 100755
index 000000000..93af4a8e6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceRollbackAllowedMilestones.yaml
@@ -0,0 +1,29 @@
+caption: Number of milestones rollback is allowed
+default: 4
+desc: |-
+ Specifies the minimum number of $2Google ChromeOS milestones rollback should be allowed starting from the stable version at any time.
+
+ Default is 0 for consumer, 4 (approx. half a year) for enterprise enrolled devices.
+
+ Setting this policy prevents rollback protection to apply for at least this number of milestones.
+
+ Setting this policy to a lower value has a permanent effect: the device MAY not be able to roll back to earlier versions even after the policy is reset to a larger value.
+
+ Actual rollback possibilities may also depend on the board and critical vulnerability patches.
+device_only: true
+example_value: 4
+features:
+ dynamic_refresh: true
+owners:
+- mpolzer@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ maximum: 4
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:67-
+tags:
+- system-security
+type: int
+generate_device_proto: False
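Review bot: `default: 4` disagrees with the description, which says the default is 0 for consumer devices and 4 only for enterprise-enrolled ones. A higher value keeps rollback protection from applying for more milestones, so the file should make clear which value holds on each device class when the policy is unset, not just the managed one. DeviceAutoUpdateP2PEnabled.yaml in this patch marks a similar managed/unmanaged split with `default_for_managed_devices_doc_only`; the same key probably belongs here, to be confirmed against the template schema.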
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceRollbackToTargetVersion.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceRollbackToTargetVersion.yaml
new file mode 100755
index 000000000..4301713b3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceRollbackToTargetVersion.yaml
@@ -0,0 +1,35 @@
+caption: Roll back OS to target version
+default: 1
+desc: |-
+ Specifies whether the device should roll back to the version set by DeviceTargetVersionPrefix if it's already running a later version.
+
+ Default is RollbackDisabled.
+device_only: true
+example_value: 1
+features:
+ dynamic_refresh: true
+items:
+- caption: Do not roll back OS to target version.
+ name: RollbackDisabled
+ value: 1
+- caption: |-
+ Roll back device to target version if current OS version is newer than target. The device is powerwashed but device-wide network configurations without certificates are preserved and it automatically re-enrolls.
+ Rollback to $2Google ChromeOS version 106 or earlier is not supported.
+ name: RollbackAndRestoreIfPossible
+ value: 3
+owners:
+- mpolzer@google.com
+- crisguerrero@chromium.org
+- chromeos-commercial-remote-management@google.com
+schema:
+ enum:
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:67-
+tags:
+- system-security
+type: int-enum
+generate_device_proto: False
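Review bot: `schema.enum` accepts `1`, `2` and `3`, but `items` describes only `1` (RollbackDisabled) and `3` (RollbackAndRestoreIfPossible), so the value `2` passes validation with no documented meaning. For a policy that can powerwash the device, an administrator should be able to tell from this file what `2` does. Either add an item for it (marked unsupported, if that is the case) or state in `desc` how it is treated. The `desc` also never mentions the powerwash that the caption for `3` describes, so the data-loss consequence is only visible in the item list.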
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceTargetVersionPrefix.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceTargetVersionPrefix.yaml
new file mode 100755
index 000000000..1bf651d7f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceTargetVersionPrefix.yaml
@@ -0,0 +1,28 @@
+caption: Target Auto Update Version
+desc: |-
+ Sets a target version for Auto Updates.
+
+ Specifies the prefix of a target version $2Google ChromeOS should update to. If the device is running a version that's before the specified prefix, it will update to the latest version with the given prefix. If the device is already on a later version, effects depend on the value of DeviceRollbackToTargetVersion. The prefix format works component-wise as is demonstrated in the following example:
+
+ "" (or not configured): update to latest version available.
+ "1412.": update to any minor version of 1412 (e.g. 1412.24.34 or 1412.60.2)
+ "1412.2.": update to any minor version of 1412.2 (e.g. 1412.2.34 or 1412.2.2)
+ "1412.24.34": update to this specific version only
+
+ Warning: It is not recommended to configure version restrictions as they may prevent users from receiving software updates and critical security fixes. Restricting updates to a specific version prefix might leave users at risk.
+device_only: true
+example_value: '1412.'
+features:
+ dynamic_refresh: true
+owners:
+- janagrill@google.com
+- mpolzer@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ type: string
+supported_on:
+- chrome_os:19-
+tags:
+- system-security
+type: string
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceTargetVersionSelector.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceTargetVersionSelector.yaml
new file mode 100755
index 000000000..7495fae10
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceTargetVersionSelector.yaml
@@ -0,0 +1,33 @@
+caption: Allow devices to select a specific version to update to
+deprecated: true
+desc: |-
+ This setting allows devices to select a specific target version of $2Google ChromeOS they will update to.
+
+ If not set, devices will update according to other settings or to the latest available version.
+
+ If set, devices will update up to a selected version.
+
+ The exact format of this policy value is an implementation detail of the update service and may change. The policy value is not processed on the device.
+
+ If used together with DeviceTargetVersionPrefix, this policy will be checked first by update service.
+ Unlike DeviceTargetVersionPrefix (which may allow minor updates), devices will stay on the selected version until the value of this policy is changed.
+
+ If used together with DeviceRollbackToTargetVersion, device version can be reverted to a specific previous version.
+
+ Warning: It is not recommended to configure version restrictions as they may prevent users from receiving software updates and critical security fixes. Restricting updates to a specific version might leave users at risk.
+device_only: true
+example_value: 0,1626155736-
+features:
+ dynamic_refresh: true
+owners:
+- vsavu@google.com
+- asumaneev@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ type: string
+supported_on:
+- chrome_os:95-116
+tags:
+- system-security
+type: string
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateAllowedConnectionTypes.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateAllowedConnectionTypes.yaml
new file mode 100755
index 000000000..0351d13a0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateAllowedConnectionTypes.yaml
@@ -0,0 +1,22 @@
+caption: Connection types allowed for updates
+desc: |2-
+ The types of connections that are allowed to use for OS updates. OS updates potentially put heavy strain on the connection due to their size and may incur additional cost. Therefore, they are by default not enabled for connection types that are considered expensive (currently only "cellular").
+
+ The recognized connection type identifiers are "ethernet", "wifi", and "cellular".
+device_only: true
+example_value:
+- ethernet
+features:
+ dynamic_refresh: true
+owners:
+- mpolzer@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:21-
+tags: []
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateHttpDownloadsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateHttpDownloadsEnabled.yaml
new file mode 100755
index 000000000..2edf6869f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateHttpDownloadsEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Allow autoupdate downloads via HTTP
+default: false
+desc: |-
+ Auto-update payloads on $2Google ChromeOS can be downloaded via HTTP instead of HTTPS. This allows transparent HTTP caching of HTTP downloads.
+
+ If this policy is set to true, $2Google ChromeOS will attempt to download auto-update payloads via HTTP. If the policy is set to false or not set, HTTPS will be used for downloading auto-update payloads.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Use HTTP for update downloads
+ value: true
+- caption: Use HTTPS for update downloads
+ value: false
+owners:
+- mpolzer@google.com
+- vsavu@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:29-
+tags: []
+type: main
+generate_device_proto: False
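Review bot: `tags: []` leaves this policy untagged even though setting it to true moves auto-update payload downloads from HTTPS to plain HTTP. The sibling update policies in this commit (DeviceTargetVersionPrefix, DeviceUpdateScatterFactor, DeviceUpdateStagingSchedule) carry `system-security`, and this one should too: `tags:` followed by `- system-security`. The `desc` only mentions the caching benefit. It should add a sentence on what an on-path cache or network observer can see or alter once TLS is dropped, and on whether payload integrity is verified independently of the transport, which this file does not state.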
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateScatterFactor.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateScatterFactor.yaml
new file mode 100755
index 000000000..998721576
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateScatterFactor.yaml
@@ -0,0 +1,23 @@
+caption: Auto update scatter factor
+desc: Specifies the number of seconds up to which a device may randomly delay its
+ download of an update from the time the update was first pushed out to the server.
+ The device may wait a portion of this time in terms of wall-clock-time and the remaining
+ portion in terms of the number of update checks. In any case, the scatter is upper
+ bounded to a constant amount of time so that a device does not ever get stuck waiting
+ to download an update forever.
+device_only: true
+example_value: 7200
+features:
+ dynamic_refresh: true
+owners:
+- crisguerrero@google.com
+- mpolzer@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ type: integer
+supported_on:
+- chrome_os:20-
+tags:
+- system-security
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateStagingSchedule.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateStagingSchedule.yaml
new file mode 100755
index 000000000..a193f164e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/DeviceUpdateStagingSchedule.yaml
@@ -0,0 +1,35 @@
+caption: The staging schedule for applying a new update
+desc: |-
+ This policy defines a list of percentages that will define the fraction of $2Google ChromeOS devices in the OU to update per day starting from the day the update is first discovered. The discovery time is later than the update published time, since it could be a while after the update publishing until the device checks for updates.
+
+ Each (day, percentage) pair contains which percentage of the fleet has to be updated by the given number of days since the update has been discovered. For example, if we have the pairs [(4, 40), (10, 70), (15, 100)], then 40% of the fleet should have been updated 4 days after seeing the update. 70% should be updated after 10 days, and so on.
+
+ If there is a value defined for this policy, updates will ignore the DeviceUpdateScatterFactor policy and follow this policy instead.
+
+ If this list is empty, there will be no staging and updates will be applied according to other device policies.
+
+ This policy does not apply for channel switches.
+device_only: true
+example_value:
+- days: 7
+ percentage: 50
+- days: 10
+ percentage: 100
+features:
+ dynamic_refresh: true
+owners:
+- crisguerrero@google.com
+- mpolzer@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ items:
+ $ref: DayPercentagePair
+ description: Contains the number of days and the percentage of the fleet that
+ should be updated after those days have passed.
+ type: array
+supported_on:
+- chrome_os:69-
+tags:
+- system-security
+type: dict
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/MinimumRequiredChromeVersion.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/MinimumRequiredChromeVersion.yaml
new file mode 100755
index 000000000..648f4b3ab
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/MinimumRequiredChromeVersion.yaml
@@ -0,0 +1,25 @@
+caption: Configure minimum allowed Chrome version for the device.
+deprecated: true
+desc: "This policy is removed in M82, please use DeviceMinimumVersion instead.\n\n\
+ \ Configures the requirement of the minimum allowed version of $1Google Chrome. Versions below given are treated as\
+ \ obsolete and device would not allow user sign in before OS is updated.\n\n \
+ \ If current version becomes obsolete during user session, user will be forcefully\
+ \ signed out.\n\n If this policy is not set, no restrictions are applied, and\
+ \ user can sign regardless of $1Google Chrome\
+ \ version.\n\n Here \"Version\" can be either an exact version like '61.0.3163.120'\
+ \ or a version prefix, like '61.0' "
+device_only: true
+example_value: 61.0.3163.120
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- antrim@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome_os:64-81
+tags: []
+type: string
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/RebootAfterUpdate.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/RebootAfterUpdate.yaml
new file mode 100755
index 000000000..6e4bbec36
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/DeviceUpdate/RebootAfterUpdate.yaml
@@ -0,0 +1,32 @@
+caption: Automatically reboot after update
+default: false
+desc: |-
+ Schedule an automatic reboot after a $2Google ChromeOS update has been applied.
+
+ When this policy is set to true, an automatic reboot is scheduled when a $2Google ChromeOS update has been applied and a reboot is required to complete the update process. The reboot is scheduled immediately but may be delayed on the device by up to 24 hours if a user is currently using the device.
+
+ When this policy is set to false, no automatic reboot is scheduled after applying a $2Google ChromeOS update. The update process is completed when the user next reboots the device.
+
+ If you set this policy, users cannot change or override it.
+
+ Note: Currently, automatic reboots are only enabled while the login screen is being shown or a kiosk app session is in progress.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Allow automatic reboot after updates
+ value: true
+- caption: Disallow automatic reboot after updates
+ value: false
+owners:
+- crisguerrero@google.com
+- mpolzer@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:29-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/.group.details.yaml
new file mode 100755
index 000000000..7d332ca61
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Display
+desc: Controls display settings.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/DeviceDisplayResolution.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/DeviceDisplayResolution.yaml
new file mode 100755
index 000000000..2d52182b8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/DeviceDisplayResolution.yaml
@@ -0,0 +1,48 @@
+caption: Set display resolution and scale factor
+desc: |-
+ Setting the policy sets the resolution and scale factor for each display. External display settings apply to connected displays. (The policy doesn't apply if a display doesn't support the specified resolution or scale.)
+
+ Setting external_use_native to True means the policy ignores external_width and external_height and sets external displays to their native resolution. Setting external_use_native to False or leaving it and external_width or external_height unset means the policy doesn't affect external displays.
+
+ Setting the recommended flag to True lets users change resolution and scale factor of any display through the settings page, but their settings change back at the next reboot. Setting the recommended flag to False or leaving it unset means users can't change the display settings.
+
+ Note: Set external_width and external_height in pixels and external_scale_percentage and internal_scale_percentage in percents.
+device_only: true
+example_value:
+ external_height: 1080
+ external_scale_percentage: 100
+ external_use_native: false
+ external_width: 1920
+ internal_scale_percentage: 150
+ recommended: true
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ properties:
+ external_height:
+ minimum: 1
+ type: integer
+ external_scale_percentage:
+ minimum: 1
+ type: integer
+ external_use_native:
+ type: boolean
+ external_width:
+ minimum: 1
+ type: integer
+ internal_scale_percentage:
+ minimum: 1
+ type: integer
+ recommended:
+ type: boolean
+ type: object
+supported_on:
+- chrome_os:72-
+tags: []
+type: dict
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/DisplayRotationDefault.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/DisplayRotationDefault.yaml
new file mode 100755
index 000000000..24ba6c23f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/DisplayRotationDefault.yaml
@@ -0,0 +1,39 @@
+caption: Set default display rotation, reapplied on every reboot
+default: 0
+desc: |-
+ Setting the policy has each display rotate to the specified orientation on every reboot and the first time it's connected after the policy value changes. Users may change the display rotation through the settings page after signing in, but it changes back at the next reboot. This policy applies to primary and secondary displays.
+
+ If not set, the default value is 0 degrees and users are free to change it. In this case, the default value isn't reapplied at restart.
+device_only: true
+example_value: 1
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Rotate screen by 0 degrees
+ name: ROTATE_0
+ value: 0
+- caption: Rotate screen clockwise by 90 degrees
+ name: ROTATE_90
+ value: 1
+- caption: Rotate screen by 180 degrees
+ name: ROTATE_180
+ value: 2
+- caption: Rotate screen clockwise by 270 degrees
+ name: ROTATE_270
+ value: 3
+owners:
+- giovax@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:48-
+tags: []
+type: int-enum
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/policy_atomic_groups.yaml
new file mode 100755
index 000000000..d07c6399e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Display/policy_atomic_groups.yaml
@@ -0,0 +1,5 @@
+Display:
+ caption: Display
+ policies:
+ - DeviceDisplayResolution
+ - DisplayRotationDefault
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/.group.details.yaml
new file mode 100755
index 000000000..427cd5a47
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Drive
+desc: Configure cloud drives (Google Drive, Microsoft OneDrive) in $2Google ChromeOS.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/DriveDisabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/DriveDisabled.yaml
new file mode 100755
index 000000000..d62ac5057
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/DriveDisabled.yaml
@@ -0,0 +1,28 @@
+arc_support: This policy does not prevent the user from using the Android Google Drive
+ app. If you want to prevent access to Google Drive, you should disallow installation
+ of the Android Google Drive app as well.
+caption: Disable Drive in the $2Google ChromeOS
+ Files app
+default: false
+desc: |-
+ Setting the policy to Enabled turns off Google Drive syncing in the $2Google ChromeOS Files app. No data is uploaded to Drive.
+
+ Setting the policy to Disabled or leaving it unset lets users transfer files to Drive.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Disable Google Drive syncing
+ value: true
+- caption: Enable Google Drive syncing
+ value: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:19-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/DriveDisabledOverCellular.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/DriveDisabledOverCellular.yaml
new file mode 100755
index 000000000..7fce5971f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/DriveDisabledOverCellular.yaml
@@ -0,0 +1,28 @@
+arc_support: This policy has no effect on the Android Google Drive app. If you want
+ to prevent use of Google Drive over cellular connections, you should disallow installation
+ of the Android Google Drive app.
+caption: Disable Google Drive over cellular connections in the $2Google
+ ChromeOS Files app
+default: false
+desc: |-
+ Setting the policy to Enabled turns off Google Drive syncing in the $2Google ChromeOS Files app when on a cellular connection. Data is only synced to Drive when connected through Wi-Fi or Ethernet.
+
+ Setting the policy to Disabled or leaving it unset lets users transfer files to Drive on cellular connections.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Disable Google Drive syncing over cellular connections
+ value: true
+- caption: Enable Google Drive syncing over cellular connections
+ value: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:19-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/DriveFileSyncAvailable.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/DriveFileSyncAvailable.yaml
new file mode 100755
index 000000000..10e0b4eaa
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/DriveFileSyncAvailable.yaml
@@ -0,0 +1,48 @@
+caption: $2ChromeOS file sync
+default: visible
+desc: |-
+ $2ChromeOS file sync automatically
+ makes Google Drive files in a user's “My
+ Drive” available offline (space permitting) on
+ Chromebook Plus devices.
+
+ Once the feature is on, all new files will also be made available offline
+ automatically. If later there is insufficient space, all new files will stop
+ being made available offline automatically. However, the user can still
+ manually make items available offline.
+
+ Setting the policy to visible: Shows
+ file sync in the Files app and Settings. The user can turn file sync on or
+ off.
+
+ Setting the policy to disabled: Turns
+ off file sync if it was previously turned on by the user. Hides the feature
+ from the Files app and Settings so the user can’t turn it back on. Existing
+ files that were made available offline by the user will remain available
+ offline. The user can still manually make items available offline.
+
+ If the policy is unset: visible is the
+ default selection.
+example_value: visible
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome_os:119-
+items:
+- caption: The user can't see any of the UI relating to the $2ChromeOS file sync feature.
+ name: Disabled
+ value: disabled
+- caption: The user can use the $2ChromeOS file sync feature.
+ name: Visible
+ value: visible
+owners:
+- file://ui/file_manager/OWNERS
+- benreich@chromium.org
+schema:
+ enum:
+ - disabled
+ - visible
+ type: string
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/MicrosoftOneDriveAccountRestrictions.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/MicrosoftOneDriveAccountRestrictions.yaml
new file mode 100755
index 000000000..51cf9349d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/MicrosoftOneDriveAccountRestrictions.yaml
@@ -0,0 +1,36 @@
+caption: Restricts accounts that can use the Microsoft OneDrive integration
+desc: |-
+ This policy allows admins to restrict which accounts are allowed to sign-in for Microsoft OneDrive when the MicrosoftOneDriveMount policy is enabled.
+
+ If this policy contains a value of 'common', any account can be used to sign-in.
+
+ If this policy contains a value of 'organizations', work or school accounts can be used to sign-in.
+
+ If this policy contains a value of 'consumers', personal Microsoft accounts can be used to sign-in.
+
+ If this policy contains domain names or tenant IDs, accounts from these domain names or tenant IDs (see https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols#endpoints) can be used to sign-in.
+
+ If this policy is unset or only contains an empty value, it behaves as if 'common' was specified for regular users; for enterprise users it behaves as if 'organizations' was specified.
+
+ Changing restrictions might lead to users being signed out of their Microsoft OneDrive account if it does not adhere to the new restrictions.
+
+ Note: At this time only the first entry will be taken into account. Later extensions will support multiple entries.
+example_value:
+- domain.com
+default: ["common"]
+default_for_enterprise_users: ["organizations"]
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- lmasopust@chromium.org
+- file://chrome/browser/chromeos/enterprise/cloud_storage/OWNERS
+- cros-commercial-clippy-eng@google.com
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:122-
+tags: []
+type: list
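Review bot: The closing `desc` note says only the first list entry is taken into account, but the schema is an unbounded string array and nothing earlier in the text warns of this. An admin who lists several tenant IDs or domains therefore gets a sign-in restriction that differs from what was configured. Because this is an access-control setting, the caveat belongs directly under the opening paragraph and should say what happens to the remaining entries (presumably they are ignored; confirm), e.g. `Note: Only the first entry is currently enforced; additional entries are ignored.` The text also does not say how 'common', 'organizations', 'consumers' and a tenant ID or domain interact when mixed in one list.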
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/MicrosoftOneDriveMount.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/MicrosoftOneDriveMount.yaml
new file mode 100755
index 000000000..6c2beeb71
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/MicrosoftOneDriveMount.yaml
@@ -0,0 +1,44 @@
+caption: Configures the mounting of Microsoft OneDrive
+default: allowed
+default_for_enterprise_users: disallowed
+desc: |-
+ This policy allows the admins to configure the mounting of Microsoft OneDrive.
+
+ Setting the policy to 'allowed' lets the user set up Microsoft OneDrive if they wish to.
+ After completing the setup process, Microsoft OneDrive will be mounted in the file manager.
+
+ Setting the policy to 'disallowed' prohibits the user from setting up Microsoft OneDrive.
+
+ Setting the policy to 'automated' attempts to set up Microsoft OneDrive automatically. This requires the user to log in to $2Google ChromeOS with a Microsoft account. In case of failure it falls back to showing the setup flow.
+
+ Leaving the policy unset is functionally equivalent to setting it to 'allowed' for regular users; for enterprise users unset policy defaults to 'disallowed'.
+
+ It is possible to add further account restrict with the MicrosoftOneDriveAccountRestrictions policy.
+example_value: allowed
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow setup of Microsoft OneDrive
+ name: allowed
+ value: allowed
+- caption: Disallow setup of Microsoft OneDrive
+ name: disallowed
+ value: disallowed
+- caption: Automate setup of Microsoft OneDrive
+ name: automated
+ value: automated
+owners:
+- simonha@google.com
+- file://chrome/browser/chromeos/enterprise/cloud_storage/OWNERS
+- cros-commercial-clippy-eng@google.com
+schema:
+ enum:
+ - allowed
+ - disallowed
+ - automated
+ type: string
+supported_on:
+- chrome_os:122-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/policy_atomic_groups.yaml
new file mode 100755
index 000000000..58b4b64c0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Drive/policy_atomic_groups.yaml
@@ -0,0 +1,6 @@
+Drive:
+ caption: Drive
+ policies:
+ - DriveDisabled
+ - DriveDisabledOverCellular
+ - DriveFileSyncAvailable
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Edu/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Edu/.group.details.yaml
new file mode 100755
index 000000000..03ed898a4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Edu/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: EDU settings
+desc: Controls settings for EDU users
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Edu/GraduationEnablementStatus.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Edu/GraduationEnablementStatus.yaml
new file mode 100755
index 000000000..703157013
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Edu/GraduationEnablementStatus.yaml
@@ -0,0 +1,68 @@
+caption: Configure when the $2Google ChromeOS Graduation tool is available
+desc: |-
+ This policy enables the Graduation app for managed users. The Graduation app helps users transfer their data from their managed account to a consumer account.
+
+ If is_enabled is set to true, the Graduation app will be shown on and between the start and end dates according to the local time.
+
+ If is_enabled is set to false or unset, the app will not be shown.
+
+ If start_date is unset, then the app is shown until the end date.
+
+ If end_date is unset, then the app is shown indefinitely from the start date.
+
+ If both start_date and end_date are unset, the app is shown indefinitely. If the start and end dates are invalid, then the Graduation app will not be shown. This includes if the provided dates are non-existent or the end date is before the start date.
+
+ Data transfer with Takeout also needs to be enabled in order for the Graduation app to work properly. See https://support.google.com/a/answer/6364687 for additional information.
+example_value:
+ is_enabled: true
+ start_date:
+ day: 8
+ month: 7
+ year: 2024
+ end_date:
+ day: 8
+ month: 12
+ year: 2024
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- courtneywong@chromium.org
+- file://chrome/browser/ash/child_accounts/OWNERS
+schema:
+ properties:
+ is_enabled:
+ type: boolean
+ start_date:
+ properties:
+ day:
+ maximum: 31
+ minimum: 1
+ type: integer
+ month:
+ maximum: 12
+ minimum: 1
+ type: integer
+ year:
+ minimum: 0
+ type: integer
+ type: object
+ end_date:
+ properties:
+ day:
+ maximum: 31
+ minimum: 1
+ type: integer
+ month:
+ maximum: 12
+ minimum: 1
+ type: integer
+ year:
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+future_on:
+- chrome_os
+tags: []
+type: dict
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/.group.details.yaml
new file mode 100755
index 000000000..b35b09c2a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/.group.details.yaml
@@ -0,0 +1,6 @@
+caption: Extensions
+desc: Configures extension-related policies. The user is not allowed to install blocked
+ extensions unless they are whitelisted. You can also force $1Google
+ Chrome to automatically install extensions by specifying them in ExtensionInstallForcelist.
+ Force-installed extensions are installed regardless whether they are present in
+ the blocklist.
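Review bot: The `desc` says blocked extensions cannot be installed "unless they are whitelisted" and then refers to "the blocklist" in its last sentence. Using one vocabulary makes it clearer which list takes precedence, e.g. `extensions unless they are allowlisted.` The final sentence also reads better as `regardless of whether they are present in the blocklist`. That sentence carries the important point that ExtensionInstallForcelist overrides the blocklist, so it is worth keeping prominent.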
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/BlockExternalExtensions.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/BlockExternalExtensions.yaml
new file mode 100755
index 000000000..a06e3c2c4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/BlockExternalExtensions.yaml
@@ -0,0 +1,31 @@
+caption: Blocks external extensions from being installed
+default: false
+desc: |-
+ Controls external extensions installation.
+
+ Setting this policy to Enabled blocks external extensions from being installed.
+
+ Setting this policy to Disabled or leaving it unset allows external extensions to be installed.
+
+ External extensions and their installation are documented at https://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions.
+
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Block installation of external extensions
+ value: true
+- caption: Allow installation of external extensions
+ value: false
+owners:
+- reillyg@chromium.org
+- file://extensions/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:80-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ChromeAppsWebViewPermissiveBehaviorAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ChromeAppsWebViewPermissiveBehaviorAllowed.yaml
new file mode 100755
index 000000000..7a489143a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ChromeAppsWebViewPermissiveBehaviorAllowed.yaml
@@ -0,0 +1,63 @@
+owners:
+- mcnee@chromium.org
+- file://components/guest_view/OWNERS
+
+caption: Restore permissive Chrome Apps <webview> behavior
+
+desc: |-
+ Chrome Apps <webview> allows for
+ behavior which is in the process of being removed from
+ $1Google Chrome.
+
+ The previous behavior allows the
+ <webview>
+ newwindow event
+ (https://developer.chrome.com/docs/extensions/reference/webviewTag/#event-newwindow)
+ to attach the new window to a <webview>
+ element in a separate App window from the originating
+ <webview>. With the new behavior, this
+ attachment is still allowed, however the window reference returned from the
+ call to window.open in the originating
+ <webview> is invalidated.
+
+ If enabled, the previous behavior is used.
+ If disabled or unset, the behavior change takes effect as it is rolled
+ out through the $1Google Chrome
+ release process.
+
+ This policy is a temporary workaround in the event that enterprises
+ experience breakage due to this change. The last supported version of this
+ policy was version 121. It was removed in version 122.
+
+# On ChromeOS, this policy should reach an LTS release before being removed.
+supported_on:
+- chrome.*:113-121
+- chrome_os:113-121
+- fuchsia:113-121
+
+deprecated: true
+
+# While this policy on its own could be dynamic, the GuestView MPArch
+# migration (crbug.com/1261928), which depends on this policy being disabled,
+# would not be able to handle dynamic changes.
+features:
+ dynamic_refresh: false
+ per_profile: true
+
+type: main
+
+schema:
+ type: boolean
+
+items:
+- caption: Restore permissive behavior.
+ value: true
+- caption: Behavior changes may take effect depending on feature launch process.
+ value: false
+
+default: false
+
+example_value: false
+
+tags:
+- system-security
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/DeviceLoginScreenExtensionManifestV2Availability.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/DeviceLoginScreenExtensionManifestV2Availability.yaml
new file mode 100755
index 000000000..2e4b9cc25
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/DeviceLoginScreenExtensionManifestV2Availability.yaml
@@ -0,0 +1,48 @@
+owners:
+- zmin@chromium.org
+- file://components/policy/OWNERS
+caption: Control Manifest v2 extension availability
+desc: |-
+ Control if Manifest v2 extensions can be used on the $2Google ChromeOS sign-in screen.
+
+ Manifest v2 extensions support will be deprecated and all extensions need
+ to be migrated to v3 in the future. More information and timeline of the
+ migration can be found at https://developer.chrome.com/docs/extensions/mv3/mv2-sunset/.
+
+ If the policy is set to Default (0) or not set, v2 extensions loading are decided by device, following the timeline above.
+ If the policy is set to Disable (1), v2 extensions installation are blocked, existing ones are disabled. The option is going to be treated the same as if the policy is not set after v2 support is turned off by default.
+ If the policy is set to Enable (2), v2 extensions are allowed. The option is going to be treated the same as if the policy is not set before v2 support is turned off by default.
+ If the policy is set to EnableForForcedExtensions (3), force installed v2 extensions are allowed. This includes extensions that are listed by ExtensionInstallForcelist or ExtensionSettings with installation_mode "force_installed" or "normal_installed". All other v2 extensions are disabled. The option is always available regardless of the migration state.
+
+
+ Extensions availability are still controlled by other policies.
+supported_on:
+- chrome_os:111-
+device_only: true
+features:
+ dynamic_refresh: true
+type: int-enum
+schema:
+ type: integer
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+items:
+- caption: Default device behavior
+ name: Default
+ value: 0
+- caption: Manifest v2 is disabled
+ name: Disable
+ value: 1
+- caption: Manifest v2 is enabled
+ name: Enable
+ value: 2
+- caption: Manifest v2 is enabled for forced extensions only
+ name: EnableForForcedExtensions
+ value: 3
+default: 0
+example_value: 2
+tags: []
+generate_device_proto: False
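Review bot: The last line writes `generate_device_proto: False` with a capitalised boolean, while every other boolean in this file (`device_only: true`, `dynamic_refresh: true`) is lowercase. Writing `generate_device_proto: false` keeps the file consistent and avoids depending on how a given YAML loader treats capitalised booleans. `example_value: 2` shows the Enable option, which keeps Manifest v2 extensions allowed on the sign-in screen, so a short comment saying the example is illustrative rather than recommended would help anyone copying it.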
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionAllowInsecureUpdates.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionAllowInsecureUpdates.yaml
new file mode 100755
index 000000000..a6331ab4b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionAllowInsecureUpdates.yaml
@@ -0,0 +1,30 @@
+caption: Allow insecure algorithms in integrity checks on extension updates and installs
+deprecated: true
+desc: |-
+ Setting the policy to Enabled means $1Google Chrome permits installation and updates for extensions hosted outside the Chrome Web Store, the content of which might only be minimally protected.
+
+ Setting the policy to Disabled means $1Google Chrome won't permit fresh installation of (and updates to) such extensions. The policy has no effect in $1Google Chrome 78 and later.
+
+ Leaving this policy unset means it is Enabled in $1Google Chrome 73 to 75, and Disabled in $1Google Chrome 76 and 77.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow installation and updates for extensions hosted outside of Chrome
+ Web Store
+ value: true
+- caption: Prevent installation and updates for extensions hosted outside of Chrome
+ Web Store
+ value: false
+owners:
+- waffles@chromium.org
+- rdevlin.cronin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:73-77
+- chrome_os:73-77
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionAllowedTypes.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionAllowedTypes.yaml
new file mode 100755
index 000000000..f7f6039ac
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionAllowedTypes.yaml
@@ -0,0 +1,61 @@
+caption: Configure allowed app/extension types
+desc: |-
+ Setting the policy controls which apps and extensions may be installed in $1Google Chrome, which hosts they can interact with, and limits runtime access.
+
+ Leaving the policy unset results in no restrictions on the acceptable extension and app types.
+
+ Extensions and apps which have a type that's not on the list won't be installed. Each value should be one of these strings:
+
+ * "extension"
+
+ * "theme"
+
+ * "user_script"
+
+ * "hosted_app"
+
+ * "legacy_packaged_app"
+
+ * "platform_app"
+
+ See the $1Google Chrome extensions documentation for more information on these types.
+
+ Versions earlier than 75 that use multiple comma separated extension IDs aren't supported and are skipped. The rest of the policy applies.
+
+ Note: This policy also affects extensions and apps to be force-installed using ExtensionInstallForcelist.
+example_value:
+- hosted_app
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Extension
+ name: extension
+ value: extension
+- caption: Theme
+ name: theme
+ value: theme
+- caption: User script
+ name: user_script
+ value: user_script
+- caption: Hosted app
+ name: hosted_app
+ value: hosted_app
+- caption: Legacy packaged app
+ name: legacy_packaged_app
+ value: legacy_packaged_app
+- caption: Platform app
+ name: platform_app
+ value: platform_app
+label: Types of extensions/apps that are allowed to be installed
+owners:
+- file://extensions/OWNERS
+schema:
+ $ref: ExtensionAllowedTypes
+supported_on:
+- chrome.*:25-
+- chrome_os:25-
+tags: []
+type: string-enum-list
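Review bot: The opening sentence of `desc` says the policy controls "which hosts they can interact with, and limits runtime access", but the `items` list and `schema` in this file only enumerate app/extension types. An administrator could read that sentence as meaning host restrictions are in force when only type filtering applies. The paragraph about "multiple comma separated extension IDs" likewise describes keys this list policy does not take; both look carried over from ExtensionSettings (inferred). I would reduce the opening to `Setting the policy controls which types of apps and extensions may be installed in $1Google Chrome.` and move the comma-separated-ID remark to the policy it belongs to.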
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionDeveloperModeSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionDeveloperModeSettings.yaml
new file mode 100755
index 000000000..635370169
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionDeveloperModeSettings.yaml
@@ -0,0 +1,36 @@
+caption: Control the availability of developer mode on extensions page
+desc: |-
+ Control if users can turn on Developer Mode on chrome://extensions.
+
+ If the policy is not set, users can turn on developer mode on extension page unless DeveloperToolsAvailability policy is set to DeveloperToolsDisallowed (2).
+ If the policy is set to Allow (0), users can turn on developer mode on extensions page.
+ If the policy is set to Disallow (1), users can not turn on developer mode on extensions page.
+
+ If this policy is set, DeveloperToolsAvailability can no longer control extensions developer mode.
+
+supported_on:
+- chrome.*:128-
+- chrome_os:128-
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- zmin@chromium.org
+- file://extensions/OWNERS
+tags: []
+
+type: int-enum
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+items:
+- caption: Allow the usage of developer mode on extensions page
+ name: Allow
+ value: 0
+- caption: Do not allow the usage of developer mode on extensions page
+ name: Disallow
+ value: 1
+default: null
+example_value: 1
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionExtendedBackgroundLifetimeForPortConnectionsToUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionExtendedBackgroundLifetimeForPortConnectionsToUrls.yaml
new file mode 100755
index 000000000..cfe942ccf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionExtendedBackgroundLifetimeForPortConnectionsToUrls.yaml
@@ -0,0 +1,37 @@
+caption: Configure a list of origins that grant extended background lifetime to the connecting extensions.
+desc: |-
+ Extensions that connect to one of these origins will be be kept running as long as the port is connected.
+
+ If unset, the policy's default values will be used. These are app origins that offer SDKs that are known to not offer the possibility to restart a closed connection to a previous state:
+ - Smart Card Connector
+ - Citrix Receiver (stable, beta, back-up)
+ - VMware Horizon (stable, beta)
+
+ If set, the default value list is extended with the newly configured values. Both defaults and the policy-provided entries will grant the exception to the connecting extensions, as long as the port is connected.
+example_value:
+- chrome-extension://abcdefghijklmnopabcdefghijklmnop/
+- chrome-extension://bcdefghijklmnopabcdefghijklmnopa/
+default:
+- chrome-extension://khpfeaanjngmcnplbdlpegiifgpfgdco/
+- chrome-extension://haiffjcadagjlijoggckpgfnoeiflnem/
+- chrome-extension://lbfgjakkeeccemhonnolnmglmfmccaag/
+- chrome-extension://anjihnbmjbbpofafpmklejenkgnjfcdi/
+- chrome-extension://ppkfnjlimknmjoaemnpidmdlfchhehel/
+- chrome-extension://kenkpdjcfppbccchillfdjkjnejjgand/
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome.*:112-
+- chrome_os:112-
+future_on:
+- fuchsia
+owners:
+- mpetrisor@chromium.org
+- chromeos-commercial-identity@google.com
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
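Review bot: The six `default:` origins are bare extension IDs, while `desc` only names the products they are meant to cover (Smart Card Connector, Citrix Receiver, VMware Horizon), so a reader of this file cannot audit which ID grants the extended-lifetime exception to which vendor. A trailing comment on each entry, of the form `# <product name, channel>`, would make the allow-by-default set reviewable. Because `desc` says configured values only extend the defaults, it should also state explicitly that an administrator cannot remove a default entry through this policy, if that is the intended behaviour. Separately, the first `desc` sentence has a doubled word ("will be be kept").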
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallAllowlist.yaml
new file mode 100755
index 000000000..a1bf1d265
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallAllowlist.yaml
@@ -0,0 +1,28 @@
+caption: Configure extension installation allow list
+desc: |-
+ Setting the policy specifies which extensions are not subject to the blocklist.
+
+ A blocklist value of * means all extensions are blocked and users can only install extensions listed in the allow list.
+
+ By default, all extensions are allowed. But, if you prohibited extensions by policy, use the list of allowed extensions to change that policy.
+example_value:
+- extension_id1
+- extension_id2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+label: Extension IDs to exempt from the blocklist
+owners:
+- rdevlin.cronin@chromium.org
+- file://extensions/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:86-
+- chrome_os:86-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallBlocklist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallBlocklist.yaml
new file mode 100755
index 000000000..63014da29
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallBlocklist.yaml
@@ -0,0 +1,28 @@
+caption: Configure extension installation blocklist
+desc: |-
+ Allows you to specify which extensions the users can NOT install. Extensions already installed will be disabled if blocked, without a way for the user to enable them. Once an extension disabled due to the blocklist is removed from it, it will automatically get re-enabled.
+
+ A blocklist value of '*' means all extensions are blocked unless they are explicitly listed in the allowlist.
+
+ If this policy is left not set the user can install any extension in $1Google Chrome.
+example_value:
+- extension_id1
+- extension_id2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+label: Extension IDs the user should be prevented from installing (or * for all)
+owners:
+- lazyboy@chromium.org
+- file://extensions/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:86-
+- chrome_os:86-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallForcelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallForcelist.yaml
new file mode 100755
index 000000000..aa28d044a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallForcelist.yaml
@@ -0,0 +1,41 @@
+arc_support: Android apps can be force-installed from the Google Admin console using
+ Google Play. They do not use this policy.
+caption: Configure the list of force-installed apps and extensions
+desc: |-
+ Setting the policy specifies a list of apps and extensions that install silently, without user interaction, and which users can't uninstall or turn off. Permissions are granted implicitly, including for the enterprise.deviceAttributes and enterprise.platformKeys extension APIs. (These 2 APIs aren't available to apps and extensions that aren't force-installed.)
+
+ Leaving the policy unset means no apps or extensions are autoinstalled, and users can uninstall any app or extension in $1Google Chrome.
+
+ This policy supersedes ExtensionInstallBlocklist policy. If a previously force-installed app or extension is removed from this list, $1Google Chrome automatically uninstalls it.
+
+ The source code of any extension may be altered by users through developer tools, potentially rendering the extension dysfunctional. If this is a concern, set the DeveloperToolsDisabled policy.
+
+ Each list item of the policy is a string that contains an extension ID and, optionally, an update URL separated by a semicolon (;). The extension ID is the 32-letter string found, for example, on chrome://extensions when in Developer mode. If specified, the update URL should point to an Update Manifest XML document ( https://developer.chrome.com/extensions/autoupdate ). The update URL should use one of the following schemes: http, https or file. By default, the Chrome Web Store's update URL is used. The update URL set in this policy is only used for the initial installation; subsequent updates of the extension use the update URL in the extension's manifest. The update url for subsequent updates can be overridden using the ExtensionSettings policy, see http://support.google.com/chrome/a?p=Configure_ExtensionSettings_policy.
+
+ On Microsoft® Windows® instances, apps and extensions from outside the Chrome Web Store can only be forced installed if the instance is joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS instances, apps and extensions from outside the Chrome Web Store can only be force installed if the instance is managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+
+ Note: This policy doesn't apply to Incognito mode. Read about hosting extensions ( https://developer.chrome.com/extensions/hosting ).
+example_value:
+- aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx
+- abcdefghijklmnopabcdefghijklmnop
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+label: Extension/App IDs and update URLs to be silently installed
+owners:
+- karandeepb@chromium.org
+- file://extensions/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:9-
+- chrome_os:11-
+tags:
+- full-admin-access
+type: list
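Review bot: The tampering paragraph in `desc` tells administrators to set `DeveloperToolsDisabled`, whereas ExtensionDeveloperModeSettings.yaml in this same patch refers to `DeveloperToolsAvailability` for the developer-tools control, so the text here appears to name the legacy policy. I would change the sentence to `If this is a concern, configure the DeveloperToolsAvailability policy.` The same description lists `http` and `file` as accepted update URL schemes for extensions that install silently with implicitly granted permissions, and the schema (`type: string`) places no restriction on the scheme. A sentence recommending `https` for self-hosted update manifests, as the `example_value` already does, would give administrators the safer default.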
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallSources.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallSources.yaml
new file mode 100755
index 000000000..b72ca7848
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallSources.yaml
@@ -0,0 +1,27 @@
+caption: Configure extension, app, and user script install sources
+desc: |-
+ Setting the policy specifies which URLs may install extensions, apps, and themes. Before $1Google Chrome 21, users could click on a link to a *.crx file, and $1Google Chrome would offer to install the file after a few warnings. Afterwards, such files must be downloaded and dragged to the $1Google Chrome settings page. This setting allows specific URLs to have the old, easier installation flow.
+
+ Each item in this list is an extension-style match pattern (see https://developer.chrome.com/extensions/match_patterns). Users can easily install items from any URL that matches an item in this list. Both the location of the *.crx file and the page where the download is started from (the referrer) must be allowed by these patterns.
+
+ ExtensionInstallBlocklist takes precedence over this policy. That is, an extension on the blocklist won't be installed, even if it happens from a site on this list.
+example_value:
+- https://corp.mycompany.com/*
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+label: URL patterns to allow extension, app, and user script installs from
+owners:
+- dbertoni@chromium.org
+- file://extensions/OWNERS
+schema:
+ $ref: ExtensionInstallSources
+supported_on:
+- chrome.*:21-
+- chrome_os:21-
+tags:
+- full-admin-access
+- system-security
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallTypeBlocklist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallTypeBlocklist.yaml
new file mode 100755
index 000000000..b16bb75dd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionInstallTypeBlocklist.yaml
@@ -0,0 +1,30 @@
+caption: Blocklist for install types of extensions
+desc: |-
+ The blocklist controls which extensions install types are disallowed.
+
+ Setting "command_line" will block extension from being loaded from
+ command line.
+
+example_value:
+- command_line
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Blocks extensions from being loaded from command line
+ name: command_line
+ value: command_line
+owners:
+- kristianm@chromium.org
+- file://extensions/OWNERS
+
+schema:
+ items:
+ enum:
+ - command_line
+ type: string
+ type: array
+supported_on:
+- chrome.*:120-
+tags: []
+type: string-enum-list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionManifestV2Availability.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionManifestV2Availability.yaml
new file mode 100755
index 000000000..55b0f91bb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionManifestV2Availability.yaml
@@ -0,0 +1,50 @@
+owners:
+- zmin@chromium.org
+- file://components/policy/OWNERS
+caption: Control Manifest v2 extension availability
+desc: |-
+ Control if Manifest v2 extensions can be used by browser.
+
+ Manifest v2 extensions support will be deprecated and all extensions need
+ to be migrated to v3 in the future. More information and timeline of the
+ migration can be found at https://developer.chrome.com/docs/extensions/mv3/mv2-sunset/.
+
+ If the policy is set to Default (0) or not set, v2 extensions loading are decided by browser, following the timeline above.
+ If the policy is set to Disable (1), v2 extensions installation are blocked, existing ones are disabled. The option is going to be treated the same as if the policy is not set after v2 support is turned off by default.
+ If the policy is set to Enable (2), v2 extensions are allowed. The option is going to be treated the same as if the policy is not set before v2 support is turned off by default.
+ If the policy is set to EnableForForcedExtensions (3), force installed v2 extensions are allowed. This includes extensions that are listed by ExtensionInstallForcelist or ExtensionSettings with installation_mode "force_installed" or "normal_installed". All other v2 extensions are disabled. The option is always available regardless of the migration state.
+
+
+ Extensions availability are still controlled by other policies.
+supported_on:
+- chrome.*:110-
+- chrome_os:110-
+future_on:
+- fuchsia
+features:
+ dynamic_refresh: true
+ per_profile: true
+type: int-enum
+schema:
+ type: integer
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+items:
+- caption: Default browser behavior
+ name: Default
+ value: 0
+- caption: Manifest v2 is disabled
+ name: Disable
+ value: 1
+- caption: Manifest v2 is enabled
+ name: Enable
+ value: 2
+- caption: Manifest v2 is enabled for forced extensions only
+ name: EnableForForcedExtensions
+ value: 3
+default: 0
+example_value: 2
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionOAuthRedirectUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionOAuthRedirectUrls.yaml
new file mode 100755
index 000000000..1832a6673
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionOAuthRedirectUrls.yaml
@@ -0,0 +1,35 @@
+owners:
+- melfice@google.com
+- cros-3pidp@google.com
+
+supported_on:
+- chrome_os:118-
+
+features:
+ dynamic_refresh: true
+ per_profile: true
+
+caption: Configure additional OAuth redirect URLs
+ per extension
+
+desc: |-
+ Setting this policy specifies, for each affected extension, a list of OAuth redirect URLs that can
+ be used by extensions with the identity API
+ (https://developer.chrome.com/docs/extensions/reference/identity/)
+ in addition to the standard https://<extension id>.chromiumapp.org/ redirect URL.
+
+ Leaving the policy unset, or providing an empty list of URLs means that all the apps or extensions
+ may only use the standard redirect URL when using the identity API.
+
+example_value: {"lcncmkcnkcdbbanbjakcencbaoegdjlp": ["example://example/", "https://lcncmkcnkcdbbanbjakcencbaoegdjlp.chromiumapp.org/"]}
+
+type: dict
+schema:
+ type: object
+ additionalProperties:
+ type: array
+ items:
+ type: string
+
+tags:
+- admin-sharing
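Review bot: The `schema` accepts any property name and any string as a redirect URL, so a mistyped extension ID or a malformed URL passes schema validation instead of being rejected. ExtensionSettings.yaml in this patch keys its entries on `^[a-p]{32}`, and the same constraint fits here: replace `additionalProperties:` with `patternProperties:` followed by `'^[a-p]{32}$':`, if the policy schema tooling accepts that for `dict` policies. `desc` should also say that every listed URL can receive the OAuth response for that extension, so only endpoints the organisation controls belong in the list. The `example://example/` entry in `example_value` shows that non-HTTPS schemes are accepted, which is worth stating rather than leaving implicit.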
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionSettings.yaml
new file mode 100755
index 000000000..3dd3ec1ab
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionSettings.yaml
@@ -0,0 +1,148 @@
+caption: Extension management settings
+desc: |-
+ Setting the policy controls extension management settings for $1Google Chrome, including any controlled by existing extension-related policies. The policy supersedes any legacy policies that might be set.
+
+ This policy maps an extension ID or an update URL to its specific setting only. A default configuration can be set for the special ID "*", which applies to all extensions without a custom configuration in this policy. With an update URL, configuration applies to extensions with the exact update URL stated in the extension manifest ( http://support.google.com/chrome/a?p=Configure_ExtensionSettings_policy ). If the 'override_update_url' flag is set to true, the extension is installed and updated using the "update" URL specified in the ExtensionInstallForcelist policy or in 'update_url' field in this policy. The flag 'override_update_url' is ignored if the 'update_url' is a Chrome Web Store url.
+
+ On Microsoft® Windows® instances, apps and extensions from outside the Chrome Web Store can only be forced installed if the instance is joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS instances, apps and extensions from outside the Chrome Web Store can only be force installed if the instance is managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+example_value:
+ '*':
+ allowed_types:
+ - hosted_app
+ blocked_install_message: Custom error message.
+ blocked_permissions:
+ - downloads
+ - bookmarks
+ install_sources:
+ - https://company-intranet/chromeapps
+ installation_mode: blocked
+ runtime_allowed_hosts:
+ - '*://good.example.com'
+ runtime_blocked_hosts:
+ - '*://*.example.com'
+ abcdefghijklmnopabcdefghijklmnop:
+ blocked_permissions:
+ - history
+ installation_mode: allowed
+ minimum_version_required: 1.0.1
+ toolbar_pin: force_pinned
+ file_url_navigation_allowed: true
+ bcdefghijklmnopabcdefghijklmnopa:
+ allowed_permissions:
+ - downloads
+ installation_mode: force_installed
+ runtime_allowed_hosts:
+ - '*://good.example.com'
+ runtime_blocked_hosts:
+ - '*://*.example.com'
+ update_url: https://example.com/update_url
+ cdefghijklmnopabcdefghijklmnopab:
+ blocked_install_message: Custom error message.
+ installation_mode: blocked
+ defghijklmnopabcdefghijklmnopabc,efghijklmnopabcdefghijklmnopabcd:
+ blocked_install_message: Custom error message.
+ installation_mode: blocked
+ fghijklmnopabcdefghijklmnopabcde:
+ blocked_install_message: Custom removal message.
+ installation_mode: removed
+ ghijklmnopabcdefghijklmnopabcdef:
+ installation_mode: force_installed
+ override_update_url: true
+ update_url: https://example.com/update_url
+ update_url:https://www.example.com/update.xml:
+ allowed_permissions:
+ - downloads
+ blocked_permissions:
+ - wallpaper
+ installation_mode: allowed
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- finnur@chromium.org
+- file://extensions/OWNERS
+schema:
+ patternProperties:
+ ^[a-p]{32}(?:,[a-p]{32})*,?$:
+ properties:
+ allowed_permissions:
+ $ref: ListOfPermissions
+ blocked_install_message:
+ description: text that will be displayed to the user in the chrome webstore
+ if installation is blocked.
+ type: string
+ blocked_permissions:
+ $ref: ListOfPermissions
+ file_url_navigation_allowed:
+ type: boolean
+ installation_mode:
+ enum:
+ - blocked
+ - allowed
+ - force_installed
+ - normal_installed
+ - removed
+ type: string
+ minimum_version_required:
+ pattern: ^[0-9]+([.][0-9]+)*$
+ type: string
+ override_update_url:
+ type: boolean
+ runtime_allowed_hosts:
+ $ref: ListOfUrlPatterns
+ runtime_blocked_hosts:
+ $ref: ListOfUrlPatterns
+ toolbar_pin:
+ enum:
+ - force_pinned
+ - default_unpinned
+ type: string
+ update_url:
+ type: string
+ type: object
+ '^update_url:':
+ properties:
+ allowed_permissions:
+ $ref: ListOfPermissions
+ blocked_permissions:
+ $ref: ListOfPermissions
+ installation_mode:
+ enum:
+ - blocked
+ - allowed
+ - removed
+ type: string
+ type: object
+ properties:
+ '*':
+ properties:
+ allowed_types:
+ $ref: ExtensionAllowedTypes
+ blocked_install_message:
+ type: string
+ blocked_permissions:
+ $ref: ListOfPermissions
+ install_sources:
+ $ref: ExtensionInstallSources
+ installation_mode:
+ enum:
+ - blocked
+ - allowed
+ - removed
+ type: string
+ runtime_allowed_hosts:
+ $ref: ListOfUrlPatterns
+ runtime_blocked_hosts:
+ $ref: ListOfUrlPatterns
+ type: object
+ type: object
+supported_on:
+- chrome.*:62-
+- chrome_os:62-
+tags: []
+type: dict
+url_schema: https://www.chromium.org/administrators/policy-list-3/extension-settings-full
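Review bot: `tags: []` is inconsistent with the policies this one supersedes: ExtensionInstallForcelist.yaml carries `full-admin-access` and ExtensionInstallSources.yaml carries `full-admin-access` and `system-security`. This policy can express the same things through `installation_mode: force_installed`, `install_sources` and `override_update_url`. If the tags feed risk labelling in the generated documentation (inferred), the empty list understates what the policy can do; I would write `tags:` with `- full-admin-access` and `- system-security`. In the per-extension schema, `update_url` is a plain `type: string` while `minimum_version_required` has a `pattern`, so a scheme-restricting pattern on `update_url`, or a `desc` sentence recommending `https`, would close the same gap.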
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionUnpublishedAvailability.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionUnpublishedAvailability.yaml
new file mode 100755
index 000000000..7d68a38e7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/ExtensionUnpublishedAvailability.yaml
@@ -0,0 +1,40 @@
+owners:
+- anunoy@chromium.org
+- file://components/policy/OWNERS
+caption: Control availability of extensions unpublished on the Chrome Web Store.
+desc: |-
+ If this policy is enabled, extensions that are unpublished on the Chrome Web
+ Store will be disabled in $1Google Chrome.
+ This policy only applies to extensions that are installed and updated from the
+ Chrome Web Store.
+
+ Off-store extensions such as unpacked extensions installed using developer
+ mode and extensions installed using the command-line switch are ignored.
+ Force-installed extensions that are self-hosted are ignored. All
+ version-pinned extensions are also ignored.
+
+ If the policy is set to AllowUnpublished (0) or not set, extensions that are unpublished on the Chrome Web Store are allowed.
+ If the policy is set to DisableUnpublished (1), extensions that are unpublished on the Chrome Web Store are disabled.
+
+supported_on:
+- chrome.*:115-
+- chrome_os:115-
+features:
+ dynamic_refresh: true
+ per_profile: true
+type: int-enum
+schema:
+ type: integer
+ enum:
+ - 0
+ - 1
+items:
+- caption: Allow unpublished extensions
+ name: AllowUnpublished
+ value: 0
+- caption: Disable unpublished extensions
+ name: DisableUnpublished
+ value: 1
+default: 0
+example_value: 1
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/MandatoryExtensionsForIncognitoNavigation.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/MandatoryExtensionsForIncognitoNavigation.yaml
new file mode 100755
index 000000000..15944b943
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/MandatoryExtensionsForIncognitoNavigation.yaml
@@ -0,0 +1,27 @@
+caption: Extensions that have to be allowed to run in Incognito by the user in order to navigate in Incognito mode
+desc: |-
+ This policy allows administrators to configure a list of extension ids required for Incognito mode navigation.
+
+ The user must explicitly allow all extensions in this list to run in Incognito mode, otherwise navigation in Incognito is not allowed.
+
+ If an extension specified in this policy is not installed, Incognito navigation is blocked.
+
+ This policy is applied to the Incognito mode. This means Incognito must be enabled in the browser. If Incognito mode is disabled via the policy IncognitoModeAvailability, this policy has no effect.
+example_value:
+- abcdefghijklmnopabcdefghijklmnop
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+supported_on:
+- chrome_os:114-
+owners:
+- acostinas@google.com
+- suprnet@google.com
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/policy_atomic_groups.yaml
new file mode 100755
index 000000000..d5b9dbeeb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Extensions/policy_atomic_groups.yaml
@@ -0,0 +1,13 @@
+Extensions:
+ caption: Extensions
+ policies:
+ - ExtensionInstallAllowlist
+ - ExtensionInstallBlocklist
+ - ExtensionInstallForcelist
+ - ExtensionInstallSources
+ - ExtensionAllowedTypes
+ - ExtensionAllowInsecureUpdates
+ - ExtensionSettings
+ - ExtensionManifestV2Availability
+ - ExtensionUnpublishedAvailability
+ - ExtensionExtendedBackgroundLifetimeForPortConnectionsToUrls
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/FirstPartySets/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FirstPartySets/.group.details.yaml
new file mode 100755
index 000000000..15a4b9cb6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FirstPartySets/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: First-Party Sets Settings
+desc: Controls policies for the First-Party Sets feature.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/FirstPartySets/FirstPartySetsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FirstPartySets/FirstPartySetsEnabled.yaml
new file mode 100755
index 000000000..6b04ce714
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FirstPartySets/FirstPartySetsEnabled.yaml
@@ -0,0 +1,36 @@
+caption: Enable First-Party Sets.
+default: true
+# TODO(b/313073098): Deprecate policy.
+desc: |-
+ This policy is provided as a way to opt-out of the First-Party Sets feature.
+
+ When this policy is unset or set to Enabled, the First-Party Sets feature is enabled.
+
+ When this policy is set to Disabled, the First-Party Sets feature is disabled.
+
+ It controls whether Chrome supports First-Party Sets related integrations.
+
+ This is the equivalent of the RelatedWebsiteSetsEnabled policy.
+ Either policy may be used, but this one will be deprecated soon so the RelatedWebsiteSetsEnabled policy is preferred.
+ They both have the same effect on the browser's behavior.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome.*:113-
+- chrome_os:113-
+- android:113-
+- fuchsia:113-
+items:
+- caption: Enable First-Party Sets for all affected users
+ value: true
+- caption: Disable First-Party Sets for all affected users
+ value: false
+owners:
+- kaklilu@chromium.org
+- chrome-first-party-sets@chromium.org
+schema:
+ type: boolean
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/FirstPartySets/FirstPartySetsOverrides.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FirstPartySets/FirstPartySetsOverrides.yaml
new file mode 100755
index 000000000..5bd54b2d9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FirstPartySets/FirstPartySetsOverrides.yaml
@@ -0,0 +1,125 @@
+caption: Override First-Party Sets.
+default: {}
+# TODO(b/313073098): Deprecate policy.
+desc: |-
+ This policy provides a way to override the list of sets the browser uses for First-Party Sets features.
+
+ Each set in the browser's list of First-Party Sets must meet the requirements of a First-Party Set.
+ A First-Party Set must contain a primary site and one or more member sites.
+ A set can also contain a list of service sites that it owns, as well as a map from a site to all of its ccTLD variants.
+ See https://github.com/WICG/first-party-sets for more information on First-Party Sets are used by $1Google Chrome.
+
+ All sites in a First-Party Set must be a registrable domain served over HTTPS. Each site in a First-Party Set must also be unique,
+ meaning a site cannot be listed more than once in a First-Party Set.
+
+ When this policy is given an empty dictionary, the browser uses the public list of First-Party Sets.
+
+ For all sites in a First-Party Set from the replacements list, if a site is also present
+ on a First-Party Set in the browser's list, then that site will be removed from the browser's First-Party Set.
+ After this, the policy's First-Party Set will be added to the browser's list of First-Party Sets.
+
+ For all sites in a First-Party Set from the additions list, if a site is also present
+ on a First-Party Set in the browser's list, then the browser's First-Party Set will be updated so that the
+ new First-Party Set can be added to the browser's list. After the browser's list has been updated,
+ the policy's First-Party Set will be added to the browser's list of First-Party Sets.
+
+ The browser's list of First-Party Sets requires that for all sites in its list, no site is in
+ more than one set. This is also required for both the replacements list
+ and the additions list. Similarly, a site cannot be in both the
+ replacements list and the additions list.
+
+ Wildcards (*) are not supported as a policy value, nor within any First-Party Set in these lists.
+
+ All sets provided by the policy must be valid First-Party Sets, if they aren't then an
+ appropriate error will be outputted.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+
+ This is the equivalent of the RelatedWebsiteSetsOverrides policy.
+ Either policy may be used, but this one will be deprecated soon so the RelatedWebsiteSetsOverrides policy is preferred.
+ They both have the same effect on the browser's behavior.
+example_value:
+ additions:
+ - associatedSites:
+ - https://associate2.test
+ ccTLDs:
+ https://associate2.test:
+ - https://associate2.com
+ primary: https://primary2.test
+ serviceSites:
+ - https://associate2-content.test
+ replacements:
+ - associatedSites:
+ - https://associate1.test
+ ccTLDs:
+ https://associate1.test:
+ - https://associate1.co.uk
+ primary: https://primary1.test
+ serviceSites:
+ - https://associate1-content.test
+features:
+ dynamic_refresh: false
+ per_profile: true
+supported_on:
+- chrome.*:113-
+- chrome_os:113-
+- android:113-
+- fuchsia:113-
+owners:
+- kaklilu@chromium.org
+- chrome-first-party-sets@chromium.org
+schema:
+ properties:
+ additions:
+ items:
+ properties:
+ associatedSites:
+ items:
+ type: string
+ type: array
+ ccTLDs:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ type: object
+ primary:
+ type: string
+ serviceSites:
+ items:
+ type: string
+ type: array
+ required:
+ - primary
+ - associatedSites
+ type: object
+ type: array
+ replacements:
+ items:
+ properties:
+ associatedSites:
+ items:
+ type: string
+ type: array
+ ccTLDs:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ type: object
+ primary:
+ type: string
+ serviceSites:
+ items:
+ type: string
+ type: array
+ required:
+ - primary
+ - associatedSites
+ type: object
+ type: array
+ type: object
+tags: []
+type: dict
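Review bot: The sentence in `desc` that points to the WICG repository is missing a word and reads "for more information on First-Party Sets are used by"; it should read `for more information on how First-Party Sets are used by $1Google Chrome.` Separately, the schema types `primary`, `associatedSites`, `serviceSites` and the `ccTLDs` values as plain `type: string`. The HTTPS, registrable-domain and uniqueness requirements stated in the description are therefore not expressed in the schema, and are presumably enforced by the policy handler, which is outside this hunk. A short `#` comment above `schema:` saying where that validation lives would help anyone auditing what an override can merge into one set.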
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/.group.details.yaml
new file mode 100755
index 000000000..45c83c186
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Floating SSO Settings
+desc: Controls if Floating SSO is enabled and the cookie domain blocklist and its exceptions.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/FloatingSsoDomainBlocklist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/FloatingSsoDomainBlocklist.yaml
new file mode 100755
index 000000000..fa7b36378
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/FloatingSsoDomainBlocklist.yaml
@@ -0,0 +1,26 @@
+caption: Floating SSO Service blocked domain list
+desc: |-
+ Configures a list of blocked cookie domains that will not be moved when a user switches between $2Google ChromeOS devices, when the Floating SSO Service is enabled.
+
+ If a cookie is set for a domain which matches one of the provided filters, the cookie is excluded from the move. Cookie domains are matched according to "host" field rules outlined in https://support.google.com/chrome/a?p=url_blocklist_filter_format, all other fields are ignored. Wildcards, *, are allowed.
+
+ The FloatingSsoDomainBlocklistExceptions policy takes precedence.
+example_value:
+- '*'
+- 'example.com'
+- '*.example.com'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome_os
+owners:
+- andreydav@google.com
+- mpetrisor@chromium.org
+- imprivata-eng@google.com
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/FloatingSsoDomainBlocklistExceptions.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/FloatingSsoDomainBlocklistExceptions.yaml
new file mode 100755
index 000000000..d2225efd3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/FloatingSsoDomainBlocklistExceptions.yaml
@@ -0,0 +1,25 @@
+caption: Floating SSO Service domain blocklist exception list
+desc: |-
+ Configures the list of blocklist excepted cookie domains to be moved when a user switches between $2Google ChromeOS devices, when the Floating SSO Service is enabled.
+
+ If a cookie is set for a domain which matches one of the provided filters, the cookie is included into the move. Cookie domains are matched according to "host" field rules outlined in https://support.google.com/chrome/a?p=url_blocklist_filter_format, all other fields are ignored. Wildcards, *, are allowed.
+
+ Leaving the policy empty allows no exceptions to FloatingSsoDomainBlocklist. To only allow a limited number of domains to be moved, block all domains by setting the FloatingSsoDomainBlocklist policy to *, and configure the blocklist exceptions here.
+example_value:
+- 'example.com'
+- '*.example.com'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome_os
+owners:
+- andreydav@google.com
+- mpetrisor@chromium.org
+- imprivata-eng@google.com
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/FloatingSsoEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/FloatingSsoEnabled.yaml
new file mode 100755
index 000000000..d9c0eebfd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/FloatingSsoEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable Floating SSO Service
+default: false
+desc: |-
+ When a user switches between $2Google ChromeOS devices, the Floating SSO Service will restore the user's web service authentication state from the previous device onto the new device. This is achieved by moving user's cookies across devices.
+
+ Setting the policy to Enabled will restore the user's web service authentication state from the user's last used $2Google ChromeOS device automatically upon login.
+ Setting the policy to Disabled or leaving it unset will not restore the user's web service authentication state upon login on a different device.
+
+ The web service domains blocked from being restored can be configured using the FloatingSsoDomainBlocklist policy, while exceptions to that policy can be configured using the FloatingSsoDomainBlocklistExceptions policy.
+ If both of these policies are unset, all web service authentications, except Google authentications, will be moved.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome_os
+items:
+- caption: Enable Floating SSO and move the user's web service authentications to new device
+ value: true
+- caption: Disable Floating SSO and do not move the user's web service authentications to new device
+ value: false
+owners:
+- andreydav@google.com
+- mpetrisor@chromium.org
+- imprivata-eng@google.com
+schema:
+ type: boolean
+tags: []
+type: main
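Review bot: The last line of `desc` says that with both list policies unset, every non-Google web service authentication is moved, so enabling this policy alone transfers all of those session cookies to the next device. The default-deny setup is documented only in FloatingSsoDomainBlocklistExceptions, so an administrator reading this file alone will not see it. I would repeat it here, for example `To move only selected domains, set FloatingSsoDomainBlocklist to * and list the allowed domains in FloatingSsoDomainBlocklistExceptions.` The description also does not say how the cookies are stored or protected in transit between devices; a pointer to that documentation would be useful if one exists.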
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/policy_atomic_groups.yaml
new file mode 100755
index 000000000..a8639f5bf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/FloatingSso/policy_atomic_groups.yaml
@@ -0,0 +1,6 @@
+FloatingSso:
+ caption: Floating SSO Service settings
+ policies:
+ - FloatingSsoEnabled
+ - FloatingSsoDomainBlocklist
+ - FloatingSsoDomainBlocklistExceptions
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Gaia/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Gaia/.group.details.yaml
new file mode 100755
index 000000000..d263fb9d7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Gaia/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Gaia user identity management settings
+desc: Controls settings for users authenticated againts Gaia without SAML.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Gaia/GaiaOfflineSigninTimeLimitDays.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Gaia/GaiaOfflineSigninTimeLimitDays.yaml
new file mode 100755
index 000000000..c06ab071e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Gaia/GaiaOfflineSigninTimeLimitDays.yaml
@@ -0,0 +1,29 @@
+caption: Limit the time for which a user authenticated via GAIA without SAML can log
+ in offline
+default: null
+desc: |-
+ During login, $2Google ChromeOS can authenticate against a server (online) or using a cached password (offline).
+
+ When this policy is set to a value of -1, this policy will not enforce online authentication and will allow the user to use offline authentication until a different reason than this policy enforces an online login. If the policy is set to a value of 0, online login will always be required. When this policy is set to any other value, it specifies the length of time since the last online authentication after which the user must use online authentication again in the next sign-in.
+
+ Leaving this policy not set will make $2Google ChromeOS use offline login.
+
+ This policy affects only users who authenticated using GAIA without SAML.
+
+ The policy value should be specified in days.
+example_value: 32
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- rodmartin@google.com
+- chromeos-commercial-identity@google.com
+- file://components/policy/OWNERS
+schema:
+ maximum: 365
+ minimum: -1
+ type: integer
+supported_on:
+- chrome_os:90-
+tags: []
+type: int
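Review bot: The sentence "Leaving this policy not set will make $2Google ChromeOS use offline login" does not say whether any time limit applies when the policy is unset. With `default: null`, the unset case presumably behaves like -1, meaning the cached password stays usable for offline sign-in with no limit from this policy. If that is the behaviour, the description should say so, for example `Leaving this policy unset behaves like -1: this policy does not limit how long offline login stays available.` An administrator needs that stated in order to decide whether to set an explicit value.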
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/.group.details.yaml
new file mode 100755
index 000000000..61933f695
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Generative AI
+desc: Configure the various features that use Generative AI.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/CreateThemesSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/CreateThemesSettings.yaml
new file mode 100755
index 000000000..c51a0e1ff
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/CreateThemesSettings.yaml
@@ -0,0 +1,43 @@
+caption: Settings for Create Themes with AI
+
+desc: |-
+ Create Themes with AI lets users create custom themes/wallpapers by preselecting from a list of options.
+
+ 0 = Enable the feature for users, and send relevant data to Google to help train or improve AI models. Relevant data may include prompts, inputs, outputs, and source materials, depending on the feature. It may be reviewed by humans for the sole purpose of improving AI models. 0 is the default value, except when noted below.
+
+ 1 = Enable the feature for users, but do not send data to Google to train or improve AI models. 1 is the default value for Enterprise users managed by Google Admin console and for Education accounts managed by Google Workspace.
+
+ 2 = Disable the feature.
+
+ For more information on data handling for generative AI features, please see https://support.google.com/chrome/a?p=generative_ai_settings.
+default: 0
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow Create Themes and improve AI models.
+ name: Allowed
+ value: 0
+- caption: Allow Create Themes without improving AI models.
+ name: AllowedWithoutLogging
+ value: 1
+- caption: Do not allow Create Themes.
+ name: Disabled
+ value: 2
+owners:
+- file://components/search/OWNERS
+- file://components/optimization_guide/OWNERS
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+tags:
+- google-sharing
+supported_on:
+- chrome.*:121-
+- chrome_os:121-
+tags: []
+type: int-enum
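Review bot: The `tags` key is defined twice in this file, first as `tags:` with `- google-sharing` and then again as `tags: []` just before `type: int-enum`. Duplicate mapping keys are invalid in YAML, and loaders that tolerate them usually keep the last value, so the `google-sharing` tag would be silently dropped for a policy whose value 0 sends data to Google. Deleting the later `tags: []` line fixes it. The same duplicate appears in HelpMeWriteSettings.yaml and HistorySearchSettings.yaml further down in this patch.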
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/DevToolsGenAiSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/DevToolsGenAiSettings.yaml
new file mode 100755
index 000000000..b94bbdc48
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/DevToolsGenAiSettings.yaml
@@ -0,0 +1,43 @@
+caption: Settings for DevTools Generative AI Features
+
+desc: |-
+ These features in $1Google Chrome's DevTools employ generative AI models to provide additional debugging information. To use these features, $1Google Chrome has to collect data such as error messages, stack traces, code snippets, and network requests and send them to a server owned by Google, which runs a generative AI model. Response body or authentication and cookie headers in network requests are not included in the data sent to the server.
+
+ 0 = Enable the feature for users, and send relevant data to Google to help train or improve AI models. Relevant data may include prompts, inputs, outputs, and source materials, depending on the feature. It may be reviewed by humans for the sole purpose of improving AI models. 0 is the default value, except when noted below.
+
+ 1 = Enable the feature for users, but do not send data to Google to train or improve AI models. 1 is the default value for Enterprise users managed by Google Admin console and for Education accounts managed by Google Workspace.
+
+ 2 = Disable the feature.
+
+ DevTools Generative AI features include:
+
+ - Console Insights: explains console messages and offers suggestions on how to fix console errors.
+default: 0
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow DevTools Generative AI Features and improve AI models.
+ name: Allowed
+ value: 0
+- caption: Allow DevTools Generative AI Features without improving AI models.
+ name: AllowedWithoutLogging
+ value: 1
+- caption: Do not allow DevTools Generative AI Features.
+ name: Disabled
+ value: 2
+owners:
+- wolfi@chromium.org
+- devtools-console-insights@google.com
+schema:
+ enum:
+ - 0
+ - 2
+ - 1
+ type: integer
+supported_on:
+- chrome.*:125-
+- chrome_os:125-
+tags: []
+type: int-enum
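Review bot: This policy carries `tags: []` although its `desc` states that error messages, stack traces, code snippets and network requests are sent to a Google-owned server. The Create Themes, Help Me Write and History Search policies in this patch declare `google-sharing` for the same kind of data flow, so the tag looks missing here. I would write `tags:` followed by `- google-sharing`. The `enum` list is also ordered `0, 2, 1`, unlike the sibling files; listing it as `0, 1, 2` keeps the files consistent.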
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAILocalFoundationalModelSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAILocalFoundationalModelSettings.yaml
new file mode 100755
index 000000000..7f4bac060
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAILocalFoundationalModelSettings.yaml
@@ -0,0 +1,36 @@
+caption: Settings for GenAI local foundational model
+
+desc: |-
+ Configure how $1Google Chrome downloads the foundational GenAI model and uses for inference locally.
+
+ When the policy is set to Allowed (0) or not set, the model is downloaded automatically, and used for inference.
+
+ When the policy is set to Disabled (1), the model will not be downloaded.
+
+ Model downloading can also be disabled by ComponentUpdatesEnabled.
+
+default: 0
+example_value: 1
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- chrome_os
+items:
+- caption: Downloads model automatically
+ name: Allowed
+ value: 0
+- caption: Do not download model
+ name: Disabled
+ value: 1
+owners:
+- file://components/optimization_guide/OWNERS
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+tags: []
+supported_on:
+- chrome.*:124-
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAIVcBackgroundSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAIVcBackgroundSettings.yaml
new file mode 100755
index 000000000..03916ce72
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAIVcBackgroundSettings.yaml
@@ -0,0 +1,38 @@
+caption: Settings for Generative AI VC Background feature
+desc: |-
+ Generative AI VC Background allows users to self-express using generative AI features to create personalized video conferencing backgrounds in $1Google ChromeOS.
+
+ 0 = Enable the feature for users, and send relevant data to Google to help train or improve AI models. Relevant data may include prompts, inputs, outputs, and source materials, depending on the feature. It may be reviewed by humans for the sole purpose of improving AI models. 0 is the default value, except when noted below.
+
+ 1 = Enable the feature for users, but do not send data to Google to train or improve AI models. 1 is the default value for Enterprise users managed by Google Admin console and for Education accounts managed by Google Workspace.
+
+ 2 = Disable the feature.
+
+ For more information on data handling for generative AI features, please see https://support.google.com/chrome/a?p=generative_ai_settings.
+default: 0
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://ash/webui/personalization_app/OWNERS
+items:
+- caption: Allow Generative AI VC Background and improve AI models
+ name: Allowed
+ value: 0
+- caption: Allow Generative AI VC Background without improving AI models
+ name: AllowedWithoutLogging
+ value: 1
+- caption: Do not allow Generative AI VC Background
+ name: Disabled
+ value: 2
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:130-
+tags: []
+type: int-enum
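Review bot: The `desc` writes the product name as `$1Google ChromeOS`, while the FloatingSso, Gaia and HistorySearch files in this patch use `$2Google ChromeOS` and reserve `$1` for `$1Google Chrome`. If the number selects the product placeholder, as that usage suggests, this should be `$2Google ChromeOS`. The same spelling appears in the `desc` of GenAIWallpaperSettings.yaml and HelpMeReadSettings.yaml.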
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAIWallpaperSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAIWallpaperSettings.yaml
new file mode 100755
index 000000000..d2ce32500
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAIWallpaperSettings.yaml
@@ -0,0 +1,38 @@
+caption: Settings for Generative AI Wallpaper feature
+desc: |-
+ Generative AI Wallpaper allows users to self-express using generative AI features to create personalized wallpapers in $1Google ChromeOS.
+
+ 0 = Enable the feature for users, and send relevant data to Google to help train or improve AI models. Relevant data may include prompts, inputs, outputs, and source materials, depending on the feature. It may be reviewed by humans for the sole purpose of improving AI models. 0 is the default value, except when noted below.
+
+ 1 = Enable the feature for users, but do not send data to Google to train or improve AI models. 1 is the default value for Enterprise users managed by Google Admin console and for Education accounts managed by Google Workspace.
+
+ 2 = Disable the feature.
+
+ For more information on data handling for generative AI features, please see https://support.google.com/chrome/a?p=generative_ai_settings.
+default: 0
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://ash/webui/personalization_app/OWNERS
+items:
+- caption: Allow Generative AI VC Background and improve AI models
+ name: Allowed
+ value: 0
+- caption: Allow Generative AI Wallpaper without improving AI models
+ name: AllowedWithoutLogging
+ value: 1
+- caption: Do not allow Generative AI Wallpaper
+ name: Disabled
+ value: 2
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:130-
+tags: []
+type: int-enum
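Review bot: The caption of the first `items` entry (value 0, `Allowed`) reads "Allow Generative AI VC Background and improve AI models", which looks copied from GenAIVcBackgroundSettings.yaml. For this policy it should be `caption: Allow Generative AI Wallpaper and improve AI models`. As written, the option that enables sending data for model improvement is labelled with a different feature's name in the admin UI, which makes it easy to pick the wrong data-sharing level.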
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAiDefaultSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAiDefaultSettings.yaml
new file mode 100755
index 000000000..b2e72b63b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/GenAiDefaultSettings.yaml
@@ -0,0 +1,50 @@
+caption: Set the default policy value for $1Google Chrome's covered generative AI features
+
+desc: |-
+ This policy defines the default setting for all covered generative AI features. For example, if this policy is set to value 1, then 1 will be the default setting for all covered generative AI features. It will not impact any manually set policy values. See https://support.google.com/chrome/a?p=generative_ai_settings for the list of covered features.
+
+ 0 = Allows the feature to be used, while allowing Google to use relevant data to improve its AI models. Relevant data may include prompts, inputs, outputs, source materials, and written feedback, depending on the feature. It may also be reviewed by humans to improve AI models. 0 is the default value, except when noted below.
+
+ 1 = Allows the feature to be used, but does not allow Google to improve models using users' content (including prompts, inputs, outputs, source materials, and written feedback). 1 is the default value for Enterprise users managed by Google Admin console and for Education accounts managed by Google Workspace.
+
+ 2 = Disable the feature.
+
+ If a covered feature does not have an equivalent policy value, the closest higher value will be used. Please review documentation for that feature for more details about how it interacts with values in this policy.
+
+ For more information on data handling for generative AI features, please see https://support.google.com/chrome/a?p=generative_ai_settings
+
+default: 0
+default_for_enterprise_users: 1
+example_value: 2
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow GenAI features and improve AI models
+ name: Allowed
+ value: 0
+- caption: Allow GenAI features without improving AI models
+ name: AllowedWithoutLogging
+ value: 1
+- caption: Do not allow GenAI features
+ name: Disabled
+ value: 2
+owners:
+- igorruvinov@chromium.org
+- file://components/policy/OWNERS
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- android:130-
+- chrome.*:130-
+- chrome_os:130-
+- ios:130-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/HelpMeReadSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/HelpMeReadSettings.yaml
new file mode 100755
index 000000000..3726a0bae
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/HelpMeReadSettings.yaml
@@ -0,0 +1,37 @@
+caption: Settings for Help Me Read feature
+desc: |-
+ This policy controls the settings of the Help Me Read feature for $1Google ChromeOS.
+
+ 0 = Enable the feature for users, and send relevant data to Google to help train or improve AI models. Relevant data may include prompts, inputs, outputs, and source materials, depending on the feature. It may be reviewed by humans for the sole purpose of improving AI models. 0 is the default value, except when noted below.
+
+ 1 = Enable the feature for users, but do not send data to Google to train or improve AI models. 1 is the default value for Enterprise users managed by Google Admin console and for Education accounts managed by Google Workspace.
+
+ 2 = Disable the feature.
+
+default: 0
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://chromeos/components/mahi/OWNERS
+items:
+- caption: Allow Help Me Read and improve AI models.
+ name: Allowed
+ value: 0
+- caption: Allow Help Me Read without improving AI models.
+ name: AllowedWithoutLogging
+ value: 1
+- caption: Do not allow Help Me Read.
+ name: Disabled
+ value: 2
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:130-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/HelpMeWriteSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/HelpMeWriteSettings.yaml
new file mode 100755
index 000000000..b206dc80e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/HelpMeWriteSettings.yaml
@@ -0,0 +1,43 @@
+caption: Settings for Help Me Write
+
+desc: |-
+ Help Me Write is an AI-based writing assistant for short-form content on the web. Suggested content is based on prompts entered by the user and the content of the web page.
+
+ 0 = Enable the feature for users, and send relevant data to Google to help train or improve AI models. Relevant data may include prompts, inputs, outputs, and source materials, depending on the feature. It may be reviewed by humans for the sole purpose of improving AI models. 0 is the default value, except when noted below.
+
+ 1 = Enable the feature for users, but do not send data to Google to train or improve AI models. 1 is the default value for Enterprise users managed by Google Admin console and for Education accounts managed by Google Workspace.
+
+ 2 = Disable the feature.
+
+ For more information on data handling for generative AI features, please see https://support.google.com/chrome/a?p=generative_ai_settings.
+default: 0
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow Help Me Write and improve AI models.
+ name: Allowed
+ value: 0
+- caption: Allow Help Me Write without improving AI models.
+ name: AllowedWithoutLogging
+ value: 1
+- caption: Do not allow Help Me Write.
+ name: Disabled
+ value: 2
+owners:
+- file://components/compose/OWNERS
+- file://components/optimization_guide/OWNERS
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+tags:
+- google-sharing
+supported_on:
+- chrome.*:121-
+- chrome_os:121-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/HistorySearchSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/HistorySearchSettings.yaml
new file mode 100755
index 000000000..fe539125a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/HistorySearchSettings.yaml
@@ -0,0 +1,45 @@
+caption: Settings for AI-powered History Search
+
+desc: |-
+ AI History Search is a feature that allows users to search their browsing history based on page contents and not just the page title and URL.
+
+ 0 = Enable the feature for users, and send relevant data to Google to help train or improve AI models. Relevant data may include prompts, inputs, outputs, and source materials, depending on the feature. It may be reviewed by humans for the sole purpose of improving AI models. 0 is the default value, except when noted below.
+
+ 1 = Enable the feature for users, but do not send data to Google to train or improve AI models. 1 is the default value for Enterprise users managed by Google Admin console and for Education accounts managed by Google Workspace.
+
+ 2 = Disable the feature.
+
+ If the policy is unset, the default behavior is 0 for regular consumer users and 2 for managed users on $2Google ChromeOS.
+
+ For more information on data handling for generative AI features, please see https://support.google.com/chrome/a?p=generative_ai_settings.
+default: 0
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow AI History Search and improve AI models.
+ name: Allowed
+ value: 0
+- caption: Allow AI History Search without improving AI models.
+ name: AllowedWithoutLogging
+ value: 1
+- caption: Do not allow AI History Search.
+ name: Disabled
+ value: 2
+owners:
+- file://components/history_embeddings/OWNERS
+- file://components/optimization_guide/OWNERS
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+tags:
+- google-sharing
+supported_on:
+- chrome.*:128-
+- chrome_os:128-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/TabCompareSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/TabCompareSettings.yaml
new file mode 100755
index 000000000..67b665f6c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/TabCompareSettings.yaml
@@ -0,0 +1,42 @@
+caption: Tab Compare settings
+default: 0
+desc: |-
+ Tab Compare is an AI-powered tool for comparing information across a user's tabs. As an example, the feature can be offered to the user when multiple tabs with products in a similar category are open.
+
+ 0 = Enable the feature for users, and send relevant data to Google to help train or improve AI models. Relevant data may include prompts, inputs, outputs, and source materials, depending on the feature. It may be reviewed by humans for the sole purpose of improving AI models. 0 is the default value, except when noted below.
+
+ 1 = Enable the feature for users, but do not send data to Google to train or improve AI models. 1 is the default value for Enterprise users managed by Google Admin console and for Education accounts managed by Google Workspace.
+
+ 2 = Disable the feature.
+
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- ios
+- android
+items:
+- caption: Allow Tab Compare and improve AI models.
+ name: Allowed
+ value: 0
+- caption: Allow Tab Compare without improving AI models.
+ name: AllowedWithoutLogging
+ value: 1
+- caption: Do not allow Tab Compare.
+ name: Disabled
+ value: 2
+owners:
+- chrome-shopping@google.com
+- file://components/commerce/OWNERS
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:129-
+- chrome_os:129-
+tags: []
+type: int-enum
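Review bot: `tags: []` leaves this policy without the `google-sharing` entry that the sibling GenerativeAI policy files declare, although value 0, the default, is described in the same words as sending relevant data to Google. If tooling filters or reports policies by tag (not visible from this hunk), Tab Compare would be missed in a review of features that share data with Google. Consider `tags:` followed by `- google-sharing`. The `desc` also omits the closing data-handling link (`https://support.google.com/chrome/a?p=generative_ai_settings`) that the other three files end with.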
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/TabOrganizerSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/TabOrganizerSettings.yaml
new file mode 100755
index 000000000..a576cc7ef
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GenerativeAI/TabOrganizerSettings.yaml
@@ -0,0 +1,43 @@
+caption: Settings for Tab Organizer
+
+desc: |-
+ Tab Organizer is an AI-based tool that automatically creates tab groups based on a user's open tabs. Suggestions are based on open tabs (but not page content).
+
+ 0 = Enable the feature for users, and send relevant data to Google to help train or improve AI models. Relevant data may include prompts, inputs, outputs, and source materials, depending on the feature. It may be reviewed by humans for the sole purpose of improving AI models. 0 is the default value, except when noted below.
+
+ 1 = Enable the feature for users, but do not send data to Google to train or improve AI models. 1 is the default value for Enterprise users managed by Google Admin console and for Education accounts managed by Google Workspace.
+
+ 2 = Disable the feature.
+
+ For more information on data handling for generative AI features, please see https://support.google.com/chrome/a?p=generative_ai_settings.
+default: 0
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow Tab Organizer and improve AI models.
+ name: Allowed
+ value: 0
+- caption: Allow Tab Organizer without improving AI models.
+ name: AllowedWithoutLogging
+ value: 1
+- caption: Do not allow Tab Organizer.
+ name: Disabled
+ value: 2
+owners:
+- file://chrome/browser/ui/tabs/OWNERS
+- file://components/optimization_guide/OWNERS
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+tags:
+- google-sharing
+supported_on:
+- chrome.*:121-
+- chrome_os:121-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/.group.details.yaml
new file mode 100755
index 000000000..672b99e7e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Google Assistant
+desc: Controls settings for Google Assistant.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/AssistantOnboardingMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/AssistantOnboardingMode.yaml
new file mode 100755
index 000000000..72e2ff247
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/AssistantOnboardingMode.yaml
@@ -0,0 +1,32 @@
+caption: Mode of the Assistant onboarding experience
+default: Default
+desc: |-
+ This policy controls the mode of the Assistant onboarding experience.
+
+ If the policy is unset or is set to "Default", the default mode of the Assistant onboarding experience is used.
+ If the policy is set to "Education", the EDU mode of the Assistant onboarding experience is used.
+example_value: Default
+features:
+ cloud_only: true
+ dynamic_refresh: false
+ per_profile: true
+ unlisted: true
+items:
+- caption: Use the default mode of the Assistant onboarding experience
+ name: Default
+ value: Default
+- caption: Use the EDU mode of the Assistant onboarding experience
+ name: Education
+ value: Education
+owners:
+- xiaohuic@chromium.org
+- croissant-eng@google.com
+schema:
+ enum:
+ - Default
+ - Education
+ type: string
+supported_on:
+- chrome_os:85-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/AssistantVoiceMatchEnabledDuringOobe.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/AssistantVoiceMatchEnabledDuringOobe.yaml
new file mode 100755
index 000000000..8bf800cdd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/AssistantVoiceMatchEnabledDuringOobe.yaml
@@ -0,0 +1,24 @@
+caption: Enable Google Assistant voice match flow
+default: true
+desc: |-
+ Setting the policy to Enabled lets show Google Assistant voice match flow during initial setup. Setting the policy to Disabled keeps Google Assistant from showing voice match flow during initial setup.
+
+ Leaving the policy unset means it is Enabled.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Show Google Assistant voice match flow during initial setup
+ value: true
+- caption: Do not show Google Assistant voice match flow during initial setup
+ value: false
+owners:
+- cros-oac@google.com
+- file://chrome/browser/ui/webui/ash/login/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:93-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/AssistantWebEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/AssistantWebEnabled.yaml
new file mode 100755
index 000000000..07af8a420
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/AssistantWebEnabled.yaml
@@ -0,0 +1,35 @@
+caption: Allow using Google Assistant on the
+ web, e.g. to enable changing passwords automatically
+default: null
+desc: |-
+ Setting the policy to Enabled allows users to use Google Assistant on the web, e.g. for faster checkout and password changes. Using Google Assistant requires additional user consent and Google Assistant will only run if users choose to give this consent, even if the policy is set to Enabled.
+
+ Setting the policy to Disabled means users cannot use Google Assistant on the web.
+
+ If the policy is not set, the user can turn off Google Assistant.
+example_value: true
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow using Google Assistant on
+ the web
+ value: true
+- caption: Do not allow using Google Assistant
+ on the web
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- brunobraga@google.com
+- jkeitel@google.com
+schema:
+ type: boolean
+supported_on:
+- android:109-109
+- chrome.*:107-109
+- chrome_os:107-109
+tags: []
+type: main
+deprecated: true
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/VoiceInteractionContextEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/VoiceInteractionContextEnabled.yaml
new file mode 100755
index 000000000..941976115
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/VoiceInteractionContextEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Allow Google Assistant to access screen context
+default: null
+desc: |-
+ Setting the policy to Enabled lets Google Assistant access screen context and send that data to a server. Setting the policy to Disabled keeps Google Assistant from screen context.
+
+ Leaving the policy unset lets users decide to turn this feature on or off.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow Google Assistant to access screen context
+ value: true
+- caption: Block Google Assistant from accessing screen context during interactions
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- yanxiao@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:74-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/VoiceInteractionHotwordEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/VoiceInteractionHotwordEnabled.yaml
new file mode 100755
index 000000000..12d246ac5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/VoiceInteractionHotwordEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Allow Google Assistant to listen for the voice activation phrase
+default: null
+desc: |-
+ Setting the policy to Enabled lets Google Assistant listen for the voice activation phrase. Setting the policy to Disabled keeps Google Assistant from listening for the phrase.
+
+ Leaving the policy unset lets users decide to turn this feature on or off.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable the Google Assistant hotword
+ value: true
+- caption: Disable the Google Assistant hotword
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- yanxiao@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:74-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/VoiceInteractionQuickAnswersEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/VoiceInteractionQuickAnswersEnabled.yaml
new file mode 100755
index 000000000..55e609530
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleAssistant/VoiceInteractionQuickAnswersEnabled.yaml
@@ -0,0 +1,23 @@
+caption: Allow Quick Answers to access selected content
+deprecated: true
+desc: |-
+ This policy is deprecated and will be removed in $2Google ChromeOS version 89.
+
+ This policy gives Quick Answers permission to access selected content and send the info to server.
+
+ If the policy is enabled, Quick Answers will be allowed to access selected content.
+ If the policy is disabled, Quick Answers will not be allowed to access selected content.
+ If the policy is not set, users can decide whether to allow Quick Answers to access selected content.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- llin@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:84-88
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/.group.details.yaml
new file mode 100755
index 000000000..6b3431533
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/.group.details.yaml
@@ -0,0 +1,4 @@
+caption: Google Cast
+desc: Configure policies for Google Cast, a feature that
+ allows users to send the contents of tabs, sites or the desktop from the browser
+ to remote displays and sound systems.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/AccessCodeCastDeviceDuration.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/AccessCodeCastDeviceDuration.yaml
new file mode 100755
index 000000000..e523c7af7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/AccessCodeCastDeviceDuration.yaml
@@ -0,0 +1,31 @@
+caption: Specifies how long (in seconds) a cast device selected with an access code
+ or QR code stays in the Google Cast menu's list of
+ cast devices.
+default: 0
+desc: |-
+ This policy specifies how long (in seconds) a cast device that was previously selected via an access code or QR code can be seen within the Google Cast menu of cast devices.
+ The lifetime of an entry starts at the time the access code was first entered or the QR code was first scanned.
+ During this period the cast device will appear in the Google Cast menu's list of cast devices.
+ After this period, in order to use the cast device again the access code must be reentered or the QR code must be rescanned.
+ By default, the period is zero seconds, so cast devices will not stay in the Google Cast menu, and so the access code must be reentered, or the QR code rescanned, in order to initiate a new casting session.
+ Note that this policy only affects how long a cast devices appears in the Google Cast menu, and has no effect on any ongoing cast session which will continue even if the period expires.
+ This policy has no effect unless the AccessCodeCastEnabled policy is Enabled.
+example_value: 60
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- bzielinski@google.com
+- dorianbrandon@google.com
+- leelee@google.com
+- cros-edu-eng@google.com
+schema:
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:103-
+- chrome.*:103-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/AccessCodeCastEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/AccessCodeCastEnabled.yaml
new file mode 100755
index 000000000..089dea5ac
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/AccessCodeCastEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Allow users to select cast devices with an access code or QR code from within
+ the Google Cast menu.
+default: false
+desc: |-
+ This policy controls whether a user will be presented with an option, within the Google Cast menu which allows them to cast to cast devices that do not appear in the Google Cast menu, using either the access code or QR code displayed on the cast devices's screen.
+ By default, a user must reenter the access code or rescan the QR code in order to initiate a subsequent casting session, but if the AccessCodeCastDeviceDuration policy has been set to a non-zero value (the default is zero), then the cast device will remain in the list of available cast devices until the specified period of time has expired.
+ When this policy is set to Enabled, users will be presented with the option to select cast devices by using an access code or by scanning a QR code.
+ When this policy is set to Disabled or not set, users will not be given the option to select cast devices by using an access code or by scanning a QR code.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: User will be given the option in the Google Cast
+ menu to select cast devices by using an access code or by scanning a QR code.
+ value: true
+- caption: User will not be given the option in the Google
+ Cast menu to select cast devices by using an access code or by scanning a
+ QR code.
+ value: false
+owners:
+- bzielinski@google.com
+- dorianbrandon@google.com
+- leelee@google.com
+- cros-edu-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:102-
+- chrome.*:102-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/EnableMediaRouter.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/EnableMediaRouter.yaml
new file mode 100755
index 000000000..c56e43c1a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/EnableMediaRouter.yaml
@@ -0,0 +1,27 @@
+caption: Enable Google Cast
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset turns on Google Cast, which users can launch from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the Cast toolbar icon.
+
+ Setting the policy to Disabled turns off Google Cast.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow users to use Google Cast
+ value: true
+- caption: Do not allow users to use Google Cast
+ value: false
+owners:
+- file://components/media_router/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:52-
+- chrome_os:52-
+- android:52-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/MediaRouterCastAllowAllIPs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/MediaRouterCastAllowAllIPs.yaml
new file mode 100755
index 000000000..f981942c6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/MediaRouterCastAllowAllIPs.yaml
@@ -0,0 +1,34 @@
+caption: Allow Google Cast to connect to Cast devices
+ on all IP addresses.
+default: null
+desc: |-
+ Unless EnableMediaRouter is set to Disabled, setting MediaRouterCastAllowAllIPs to Enabled connects Google Cast to Cast devices on all IP addresses, not just RFC1918/RFC4193 private addresses.
+
+ Setting the policy to Disabled connects Google Cast to Cast devices only on RFC1918/RFC4193.
+
+ Leaving the policy unset connects Google Cast to Cast devices only on RFC1918/RFC4193, unless the CastAllowAllIPs feature is turned on.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Allow Google Cast to connect to devices on
+ all IP addresses
+ value: true
+- caption: Allow Google Cast to only connect to devices
+ on private IP addresses
+ value: false
+- caption: Allow Google Cast to only connect to devices
+ on private IP addresses, unless the CastAllowAllIPs feature is turned on.
+ value: null
+owners:
+- file://components/media_router/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:67-
+- chrome_os:67-
+tags: []
+type: main
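Review bot: The unset case in `desc` depends on the CastAllowAllIPs feature, so leaving the policy unset does not guarantee the private-address restriction, and the description should say so. I would add a sentence such as `To guarantee that Google Cast connects only to private addresses, set this policy to Disabled instead of leaving it unset.` The Disabled and unset paragraphs also say "only on RFC1918/RFC4193" without the words "private addresses" that the first paragraph uses, which reads as truncated.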
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/ShowCastIconInToolbar.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/ShowCastIconInToolbar.yaml
new file mode 100755
index 000000000..747649709
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/ShowCastIconInToolbar.yaml
@@ -0,0 +1,29 @@
+caption: Show the Google Cast toolbar icon
+default: false
+desc: |-
+ Setting the policy to Enabled displays the Cast toolbar icon on the toolbar or the overflow menu, and users can't remove it.
+
+ Setting the policy to Disabled or leaving it unset lets users pin or remove the icon through its contextual menu.
+
+ If the policy EnableMediaRouter is set to Disabled, then this policy's value has no effect, and the toolbar icon doesn't appear.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Always show the Google Cast icon in the toolbar
+ value: true
+- caption: Do not show the Google Cast icon in the toolbar
+ by default, but let users choose
+ value: false
+owners:
+- file://components/media_router/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:58-
+- chrome_os:58-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/ShowCastSessionsStartedByOtherDevices.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/ShowCastSessionsStartedByOtherDevices.yaml
new file mode 100755
index 000000000..7f242e20b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/GoogleCast/ShowCastSessionsStartedByOtherDevices.yaml
@@ -0,0 +1,29 @@
+caption: Show media controls for Google Cast sessions started by other devices on the local network
+default: true
+default_for_enterprise_users: false
+desc: |-
+ When this policy is enabled, media playback controls UI is available for Google Cast sessions started by other devices on the local network.
+
+ When this policy is unset for enterprise users or is disabled, media playback controls UI is unavailable for Google Cast sessions started by other devices on the local network.
+
+ If the policy EnableMediaRouter is disabled, then this policy's value has no effect, as the entire Google Cast functionality is disabled.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Show media controls for Google Cast sessions started by other devices
+ value: true
+- caption: Do not show media controls for Google Cast sessions started by other devices
+ value: false
+owners:
+- file://components/media_router/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:110-
+- chrome_os:110-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/.group.details.yaml
new file mode 100755
index 000000000..a4c0e5537
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: HTTP authentication
+desc: Policies related to integrated HTTP authentication.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AllHttpAuthSchemesAllowedForOrigins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AllHttpAuthSchemesAllowedForOrigins.yaml
new file mode 100755
index 000000000..273266405
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AllHttpAuthSchemesAllowedForOrigins.yaml
@@ -0,0 +1,26 @@
+caption: List of origins allowing all HTTP authentication
+desc: |-
+ Setting the policy specifies for which origins to allow all the HTTP authentication schemes $1Google Chrome supports regardless of the AuthSchemes policy.
+
+ Format the origin pattern according to this format (https://support.google.com/chrome/a?p=url_blocklist_filter_format). Up to 1,000 exceptions can be defined in AllHttpAuthSchemesAllowedForOrigins.
+ Wildcards are allowed for the whole origin or parts of the origin, either the scheme, host, port.
+example_value:
+- '*.example.com'
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- ydago@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:100-
+- android:100-
+- chrome_os:100-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AllowCrossOriginAuthPrompt.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AllowCrossOriginAuthPrompt.yaml
new file mode 100755
index 000000000..de4054068
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AllowCrossOriginAuthPrompt.yaml
@@ -0,0 +1,30 @@
+caption: Cross-origin HTTP Authentication prompts
+default: false
+desc: |-
+ Setting the policy to Enabled allows third-party images on a page to show an authentication prompt.
+
+ Setting the policy to Disabled or leaving it unset renders third-party images unable to show an authentication prompt.
+
+ Typically, this policy is Disabled as a phishing defense.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Allow third-party images to show an authentication prompt
+ value: true
+- caption: Prevent third-party images from showing an authentication prompt
+ value: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:13-
+- chrome_os:62-
+tags:
+- website-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthAndroidNegotiateAccountType.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthAndroidNegotiateAccountType.yaml
new file mode 100755
index 000000000..bb5b196d3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthAndroidNegotiateAccountType.yaml
@@ -0,0 +1,19 @@
+caption: Account type for HTTP Negotiate authentication
+desc: |-
+ Setting the policy specifies the type of accounts provided by the Android authentication app that supports HTTP Negotiate authentication (such as Kerberos authentication). This information should be available from the supplier of the authentication app. For details, see The Chromium Projects ( https://goo.gl/hajyfN )
+
+ Leaving the policy unset turns off HTTP Negotiate authentication on Android.
+example_value: com.example.spnego
+features:
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- android:46-
+- webview_android:49-
+tags: []
+type: string
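Review bot: The reference in `desc` is a shortened link (`https://goo.gl/hajyfN`), which hides the destination from an administrator reading the policy and stops working if the shortener no longer resolves it. Replace it with the full URL of the Chromium Projects page it points to. Other policies in this group already spell out their references in full, for example the `https://tools.ietf.org/html/rfc5896.html` link in AuthNegotiateDelegateByKdcPolicy.yaml.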
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthNegotiateDelegateAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthNegotiateDelegateAllowlist.yaml
new file mode 100755
index 000000000..765abb533
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthNegotiateDelegateAllowlist.yaml
@@ -0,0 +1,22 @@
+caption: Kerberos delegation server allowlist
+desc: |-
+ Setting the policy assigns servers that $1Google Chrome may delegate to. Separate multiple server names with commas. Wildcards, *, are allowed.
+
+ Leaving the policy unset means $1Google Chrome won't delegate user credentials, even if a server is detected as intranet.
+example_value: '*.example.com,foobar.example.com'
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:86-
+- android:86-
+- chrome_os:86-
+tags: []
+type: string
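Review bot: The description permits `*` wildcards and the example value is `*.example.com,foobar.example.com`, but nothing tells the administrator that every host matching an entry may receive delegated user credentials. I would add a line to `desc` such as `Keep entries as specific as possible; a wildcard entry allows credential delegation to every matching host.` It is also worth checking `tags: []` against AuthNegotiateDelegateByKdcPolicy.yaml, which carries `website-sharing` for what looks like the same delegation behaviour.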
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthNegotiateDelegateByKdcPolicy.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthNegotiateDelegateByKdcPolicy.yaml
new file mode 100755
index 000000000..bf337684b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthNegotiateDelegateByKdcPolicy.yaml
@@ -0,0 +1,29 @@
+caption: Use KDC policy to delegate credentials.
+default: false
+desc: |-
+ Setting the policy to Enabled means HTTP authentication respects approval by KDC policy. In other words, $1Google Chrome delegates user credentials to the service being accessed if the KDC sets OK-AS-DELEGATE on the service ticket. See RFC 5896 ( https://tools.ietf.org/html/rfc5896.html ). The service should also be allowed by AuthNegotiateDelegateAllowlist.
+
+ Setting the policy to Disabled or leaving it unset means KDC policy is ignored on supported platforms and only AuthNegotiateDelegateAllowlist is respected.
+
+ On Microsoft® Windows®, KDC policy is always respected.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Use KDC policy approval during HTTP authentication
+ value: true
+- caption: Ignore KDC policy approval during HTTP authentication
+ value: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.linux:74-
+- chrome.mac:74-
+- chrome_os:74-
+tags:
+- website-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthSchemes.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthSchemes.yaml
new file mode 100755
index 000000000..d5805631a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthSchemes.yaml
@@ -0,0 +1,34 @@
+caption: Supported authentication schemes
+desc: |-
+ Setting the policy specifies which HTTP authentication schemes $1Google Chrome supports.
+
+ Leaving the policy unset employs all 4 schemes.
+
+ Valid values:
+
+ * basic
+
+ * digest
+
+ * ntlm
+
+ * negotiate
+
+ Note: Separate multiple values with commas.
+example_value: basic,digest,ntlm,negotiate
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:9-
+- android:46-
+- chrome_os:62-
+tags: []
+type: string
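Review bot: `desc` says that leaving the policy unset "employs all 4 schemes", but it does not point out that this default includes Basic and NTLM, nor does it name the policies that constrain them. A cross-reference would help administrators, for example `See BasicAuthOverHttpEnabled to forbid Basic over non-secure HTTP, and NtlmV2Enabled for the NTLM version in use.` The `example_value` also lists all four schemes, so it restates the default rather than showing a restricted set; `negotiate` or `ntlm,negotiate` would illustrate the hardening use of this policy.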
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthServerAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthServerAllowlist.yaml
new file mode 100755
index 000000000..708d1fad3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/AuthServerAllowlist.yaml
@@ -0,0 +1,25 @@
+caption: Authentication server allowlist
+desc: |-
+ Setting the policy specifies which servers should be allowed for integrated authentication. Integrated authentication is only on when $1Google Chrome gets an authentication challenge from a proxy or from a server in this permitted list.
+
+ Leaving the policy unset means $1Google Chrome tries to detect if a server is on the intranet. Only then will it respond to IWA requests. If a server is detected as internet, then $1Google Chrome ignores IWA requests from it.
+
+ Note: Separate multiple server names with commas. Wildcards, *, are allowed.
+example_value: '*.example.com,example.com'
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:86-
+- android:86-
+- webview_android:86-
+- chrome_os:86-
+tags: []
+type: string
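Review bot: The wildcard note in `desc` ("Wildcards, *, are allowed") gives no guidance on scope, although this list decides which servers get an integrated-authentication response. I would add a sentence such as `Keep patterns as narrow as possible: every server matching an entry can request integrated authentication.` The first paragraph also mentions that challenges from a proxy are answered regardless of this list; that deserves its own sentence so it is not read as part of the allowlist behaviour.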
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/BasicAuthOverHttpEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/BasicAuthOverHttpEnabled.yaml
new file mode 100755
index 000000000..57dd90962
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/BasicAuthOverHttpEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Allow Basic authentication for HTTP
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset will allow Basic authentication challenges received over non-secure HTTP.
+
+ Setting the policy to Disabled forbids non-secure HTTP requests from using the Basic authentication scheme; only secure HTTPS is allowed.
+
+ This policy setting is ignored (and Basic is always forbidden) if the AuthSchemes policy is set and does not include Basic.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Basic authentication is allowed on HTTP connections
+ value: true
+- caption: Non-secure HTTP connections are not permitted to use Basic
+ authentication; HTTPS is required
+ value: false
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:88-
+- chrome_os:88-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/DisableAuthNegotiateCnameLookup.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/DisableAuthNegotiateCnameLookup.yaml
new file mode 100755
index 000000000..0077575da
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/DisableAuthNegotiateCnameLookup.yaml
@@ -0,0 +1,28 @@
+caption: Disable CNAME lookup when negotiating Kerberos authentication
+default: false
+desc: |-
+ Setting the policy to Enabled skips CNAME lookup. The server name is used as entered when generating the Kerberos SPN.
+
+ Setting the policy to Disabled or leaving it unset means CNAME lookup determines the canonical name of the server when generating the Kerberos SPN.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Disable CNAME lookup during Kerberos authentication
+ value: true
+- caption: Use CNAME lookup during Kerberos authentication
+ value: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:9-
+- android:46-
+- chrome_os:62-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/EnableAuthNegotiatePort.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/EnableAuthNegotiatePort.yaml
new file mode 100755
index 000000000..9534aec80
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/EnableAuthNegotiatePort.yaml
@@ -0,0 +1,27 @@
+caption: Include non-standard port in Kerberos SPN
+default: false
+desc: |-
+ Setting the policy to Enabled and entering a nonstandard port (in other words, a port other than 80 or 443) includes it in the generated Kerberos SPN.
+
+ Setting the policy to Disabled or leaving it unset means the generated Kerberos SPN won't include a port.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Include non-standard port in generated Kerberos SPN
+ value: true
+- caption: Do not include port in generated Kerberos SPN
+ value: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:9-
+- chrome_os:62-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/GSSAPILibraryName.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/GSSAPILibraryName.yaml
new file mode 100755
index 000000000..d43cb1f98
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/GSSAPILibraryName.yaml
@@ -0,0 +1,18 @@
+caption: GSSAPI library name
+desc: |-
+ Setting the policy specifies which GSSAPI library to use for HTTP authentication. Set the policy to either a library name or a full path.
+
+ Leaving the policy unset means $1Google Chrome uses a default library name.
+example_value: libgssapi_krb5.so.2
+features:
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.linux:9-
+tags: []
+type: string
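Review bot: `desc` allows "either a library name or a full path" but does not say who must control that location. The named library is presumably loaded into the browser process to perform Negotiate authentication, so the description should require an administrator-controlled path. Suggested addition: `The library and its directory must be writable only by an administrator; prefer a full path over a bare name, which is resolved through the system library search path.` The last clause reflects usual loader behaviour and should be confirmed against the implementation.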
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/IntegratedWebAuthenticationAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/IntegratedWebAuthenticationAllowed.yaml
new file mode 100755
index 000000000..a7a5b5691
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/IntegratedWebAuthenticationAllowed.yaml
@@ -0,0 +1,25 @@
+caption: Allow reusing the $2Google ChromeOS
+ login credentials for network authentication
+default: false
+deprecated: true
+desc: ' This policy is deprecated, please configure Kerberos policies to reuse the
+ login password instead.'
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: The $2Google ChromeOS login credentials
+ will be used for network authentication to a managed proxy.
+ value: true
+- caption: The $2Google ChromeOS login credentials
+ will not be used for network authentication.
+ value: false
+owners:
+- acostinas@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:89-93
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/NtlmV2Enabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/NtlmV2Enabled.yaml
new file mode 100755
index 000000000..14b0ac59f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/HTTPAuthentication/NtlmV2Enabled.yaml
@@ -0,0 +1,31 @@
+caption: Enable NTLMv2 authentication.
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset turns NTLMv2 on.
+
+ Setting the policy to Disabled turns NTLMv2 off.
+
+ All recent versions of Samba and Microsoft® Windows® servers support NTLMv2. This should only be turned off for backward compatibility as it reduces the security of authentication.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Turn NTLMv2 on
+ value: true
+- caption: Turn NTLMv2 off
+ value: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.linux:63-
+- chrome.mac:63-
+- chrome_os:63-
+- android:63-
+- webview_android:63-
+tags:
+- website-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/.group.details.yaml
new file mode 100755
index 000000000..34b117ef3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Kerberos
+desc: Policies related to Kerberos authentication.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosAccounts.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosAccounts.yaml
new file mode 100755
index 000000000..2ba35c52f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosAccounts.yaml
@@ -0,0 +1,75 @@
+caption: Configure Kerberos accounts
+desc: |-
+ Adds prefilled Kerberos accounts. If the Kerberos credentials match the login credentials, an account can be configured to reuse the login credentials by specifying '${LOGIN_EMAIL}' and ${PASSWORD}' for principal and password, respectively, so that the Kerberos ticket can be retrieved automatically, unless two-factor authentication is configured. Users cannot modify accounts added via this policy.
+
+ If this policy is enabled, the list of accounts defined by the policy is added to the Kerberos Accounts settings.
+
+ If this policy is disabled or not set, no accounts are added to the Kerberos Accounts settings and all accounts previously added with this policy are removed. Users may still add accounts manually if the 'Users can add Kerberos accounts' policy is enabled.
+example_value:
+- password: ${PASSWORD}
+ principal: ${LOGIN_EMAIL}
+- principal: user1@REALM.COM
+ remember_password_from_policy: true
+- krb5conf:
+ - '[libdefaults]'
+ - ' default_tgs_enctypes = aes256-cts-hmac-sha1-96'
+ - ' default_tkt_enctypes = aes256-cts-hmac-sha1-96'
+ - ' permitted_enctypes = aes256-cts-hmac-sha1-96'
+ - ' default_realm = REALM.COM'
+ - ''
+ - '[realms]'
+ - ' REALM.COM = {'
+ - ' kdc = us-west.realm.com'
+ - ' master_kdc = us-west.realm.com'
+ - ' kpasswd_server = us-west.realm.com'
+ - ' }'
+ password: p4zzw0rd!
+ principal: user2@REALM.COM
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- fsandrade@chromium.org
+- file://chrome/browser/ash/kerberos/OWNERS
+schema:
+ items:
+ properties:
+ krb5conf:
+ description: Kerberos configuration (one line per array item), see
+ https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html.
+ items:
+ type: string
+ type: array
+ password:
+ description: Kerberos password. The placeholder
+ ${PASSWORD} is replaced by the
+ login password.
+ sensitiveValue: true
+ type: string
+ principal:
+ description: User principal 'user@realm'. The placeholder
+ ${LOGIN_ID} is replaced by the
+ username 'user'. The placeholder
+ ${LOGIN_EMAIL} is replaced by
+ the full principal 'user@realm'.
+ pattern: ^(?:[^@]+@[^@]+)|(?:\${LOGIN_ID})|(?:\${LOGIN_EMAIL})$
+ type: string
+ remember_password_from_policy:
+ description: Whether to remember the Kerberos password value set in this
+ policy item. If not set or set to true, the password is remembered. If
+ set to false, the password is not remembered. Ignored if the password
+ field is not specified for this account. This field is supported since
+ ChromeOS version 116.
+ type: boolean
+ # Note that the `remember_password` field has been deprecated in favor of
+ # the `remember_password_from_policy` field, which defaults to a different
+ # value.
+ required:
+ - principal
+ type: object
+ type: array
+supported_on:
+- chrome_os:87-
+tags:
+- website-sharing
+type: dict
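Review bot: The `pattern` for `principal` is anchored incorrectly. In `^(?:[^@]+@[^@]+)|(?:\${LOGIN_ID})|(?:\${LOGIN_EMAIL})$` the `^` binds only to the first alternative and the `$` only to the last, so a validator that searches instead of full-matching would accept a value like `a@b@c` or any string that merely contains `${LOGIN_ID}`. Grouping the alternation fixes this: `pattern: ^(?:[^@]+@[^@]+|\${LOGIN_ID}|\${LOGIN_EMAIL})$`. In `desc`, the quoting around `${PASSWORD}'` is unbalanced and `${LOGIN_ID}` is documented only in the schema. The `example_value` shows a literal password in policy, so the description could state that `${PASSWORD}` is preferred over a fixed secret; the file appears to mirror an upstream template, so these fixes likely belong there.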
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosAddAccountsAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosAddAccountsAllowed.yaml
new file mode 100755
index 000000000..fdb422e16
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosAddAccountsAllowed.yaml
@@ -0,0 +1,27 @@
+caption: Users can add Kerberos accounts
+default: true
+desc: |-
+ Controls whether users may add Kerberos accounts.
+
+ If this policy is enabled or not set, users may add Kerberos accounts via the Kerberos Accounts settings in the Kerberos settings page. Users have full control over accounts they added and may modify or remove them.
+
+ If this policy is disabled, users may not add Kerberos accounts. Accounts can only be added via the 'Configure Kerberos accounts' policy. This is an effective way to lock down accounts.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow users to add Kerberos accounts
+ value: true
+- caption: Do not allow users to add Kerberos accounts
+ value: false
+owners:
+- fsandrade@chromium.org
+- file://chrome/browser/ash/kerberos/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:87-
+tags:
+- website-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosCustomPrefilledConfig.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosCustomPrefilledConfig.yaml
new file mode 100755
index 000000000..fc7743446
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosCustomPrefilledConfig.yaml
@@ -0,0 +1,24 @@
+caption: Prefilled configuration for Kerberos tickets
+default: ""
+desc: |-
+ Specifies the suggested krb5 configuration for the new manually created tickets.
+
+ If the 'KerberosUseCustomPrefilledConfig' policy is enabled, the policy's value is applied as the suggested configuration and shown in the "Advanced" section of the Kerberos authentication dialog. Setting this policy to an empty string, or leaving it unset, will result in deleting the recommended $2Google ChromeOS configuration.
+
+ If the 'KerberosUseCustomPrefilledConfig' policy is disabled, the value of this policy is not used.
+example_value: |
+ [libdefaults]
+ default_tgs_enctypes = aes256-cts-hmac-sha1-96
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- slutskii@google.com
+- file://chrome/browser/ash/kerberos/OWNERS
+schema:
+ type: string
+supported_on:
+- chrome_os:116-
+tags:
+- website-sharing
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosDomainAutocomplete.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosDomainAutocomplete.yaml
new file mode 100755
index 000000000..884ce8cf6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosDomainAutocomplete.yaml
@@ -0,0 +1,21 @@
+caption: Autocomplete domain for new Kerberos tickets
+desc: |-
+ Adds a prefilled domain to the Kerberos authentication dialog.
+
+ If this policy is set, the "Kerberos username" field shows the prefilled domain on the right. If the user enters their username it is going to be concatenated with the prefilled domain. If the user's input contains "@", the prefilled domain is not shown and does not affect the input.
+
+ If this policy is unset, no additional information is shown and creating the ticket works as usual.
+example_value: my-kerberos-domain.com
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- slutskii@google.com
+- file://chrome/browser/ash/kerberos/OWNERS
+schema:
+ type: string
+supported_on:
+- chrome_os:116-
+tags:
+- website-sharing
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosEnabled.yaml
new file mode 100755
index 000000000..decbafb5b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Enable Kerberos functionality
+default: false
+desc: |-
+ Controls whether the Kerberos functionality is enabled. Kerberos is an authentication protocol that can be used to authenticate to web apps and file shares.
+
+ If this policy is enabled, Kerberos functionality is enabled. Kerberos accounts can be added either through the 'Configure Kerberos accounts' policy or through the Kerberos Accounts settings in the Kerberos settings page.
+
+ If this policy is disabled or not set, the Kerberos Accounts settings are disabled. No Kerberos accounts can be added and Kerberos authentication cannot be used. All existing Kerberos accounts are deleted, all stored passwords are deleted.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable Kerberos
+ value: true
+- caption: Disable Kerberos
+ value: false
+owners:
+- fsandrade@chromium.org
+- file://chrome/browser/ash/kerberos/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:87-
+tags:
+- website-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosRememberPasswordEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosRememberPasswordEnabled.yaml
new file mode 100755
index 000000000..fdad76dde
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosRememberPasswordEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Enable 'Remember password' feature for Kerberos
+default: true
+desc: |-
+ Controls whether the 'Remember password' feature is enabled in the Kerberos authentication dialog. Passwords are stored encrypted on disk, only accessible to the Kerberos system daemon and during a user session.
+
+ If this policy is enabled or not set, users can decide whether Kerberos passwords are remembered, so that they do not have to be entered again. Kerberos tickets are automatically fetched unless additional authentication is required (two-factor authentication).
+
+ If this policy is disabled, passwords are never remembered and all previously stored passwords are removed. Users have to enter their password every time they need to authenticate with the Kerberos system. Depending on server settings, this usually happens between every 8 hours to several months.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow users to remember Kerberos passwords
+ value: true
+- caption: Do not allow users to remember Kerberos passwords
+ value: false
+owners:
+- fsandrade@chromium.org
+- file://chrome/browser/ash/kerberos/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:87-
+tags:
+- website-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosUseCustomPrefilledConfig.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosUseCustomPrefilledConfig.yaml
new file mode 100755
index 000000000..cd7cbdc4f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/KerberosUseCustomPrefilledConfig.yaml
@@ -0,0 +1,27 @@
+caption: Change the prefilled configuration for Kerberos tickets
+default: false
+desc: |-
+ Changes the suggested krb5 configuration for the new manually created tickets.
+
+ If this policy is enabled, the value of 'KerberosCustomPrefilledConfig' policy is applied as the suggested configuration and shown in the "Advanced" section of the Kerberos authentication dialog.
+
+ If this policy is disabled or not set, the recommended $2Google ChromeOS configuration is applied instead. Note that it is also shown in the "Advanced" section of the Kerberos authentication dialog.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Change the recommended $2Google ChromeOS configuration.
+ value: true
+- caption: Don't change the recommended $2Google ChromeOS configuration.
+ value: false
+owners:
+- slutskii@google.com
+- file://chrome/browser/ash/kerberos/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:116-
+tags:
+- website-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/policy_atomic_groups.yaml
new file mode 100755
index 000000000..1170d0912
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kerberos/policy_atomic_groups.yaml
@@ -0,0 +1,5 @@
+KerberosPrefilledConfig:
+ caption: Kerberos prefilled configuration
+ policies:
+ - KerberosCustomPrefilledConfig
+ - KerberosUseCustomPrefilledConfig
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/.group.details.yaml
new file mode 100755
index 000000000..a0e4ea1af
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Kiosk settings
+desc: Controls public session and kiosk account types.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/AllowKioskAppControlChromeVersion.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/AllowKioskAppControlChromeVersion.yaml
new file mode 100755
index 000000000..ac1d64c50
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/AllowKioskAppControlChromeVersion.yaml
@@ -0,0 +1,33 @@
+arc_support: If the kiosk app is an Android app, it will have no control over the
+ $2Google ChromeOS version, even if this
+ policy is set to True.
+caption: Allow the auto launched with zero delay kiosk app to control $2Google
+ ChromeOS version
+default: false
+desc: |-
+ Setting the policy to Enabled means the value of the required_platform_version manifest key of the zero-delay, autolaunched kiosk app is used as the autoupdate target version prefix.
+
+ Setting the policy to Disabled or leaving it unset means the required_platform_version manifest key is ignored and autoupdate proceeds as normal.
+
+ Warning: Do not delegate control of the $2Google ChromeOS version to a kiosk app, because it might prevent the device from getting software updates and critical security fixes. Delegating control of the $2Google ChromeOS version might leave users at risk.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: ChromeOS updates are set to the version defined in the kiosk app manifest
+ value: true
+- caption: ChromeOS updates ignore the version defined in the kiosk app manifest
+ value: false
+owners:
+- mpolzer@google.com
+- sergiyb@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:51-
+tags:
+- system-security
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountAutoLoginBailoutEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountAutoLoginBailoutEnabled.yaml
new file mode 100755
index 000000000..5804f8d4d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountAutoLoginBailoutEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Enable bailout keyboard shortcut for auto-login
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset means a device-local account is set up for zero-delay, automatic sign-in. $2Google ChromeOS honors the keyboard shortcut Ctrl+Alt+S for bypassing automatic sign-in and showing the sign-in screen.
+
+ Setting the policy to Disabled means users can't bypass zero-delay automatic sign-in (if configured).
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable auto-login bailout
+ value: true
+- caption: Disable auto-login bailout
+ value: false
+owners:
+- file://components/policy/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:28-
+tags: []
+type: main
+generate_device_proto: False
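Review bot: The first sentence of `desc` reads as if enabling this policy sets up a device-local account for zero-delay sign-in. The caption and the Disabled paragraph show that it only controls the Ctrl+Alt+S bailout shortcut. Suggested wording: `If a device-local account is configured for zero-delay automatic sign-in, setting the policy to Enabled or leaving it unset means ChromeOS honors the keyboard shortcut Ctrl+Alt+S to bypass automatic sign-in and show the sign-in screen.` It would also help to state that with the default (`true`) anyone at the keyboard can leave the auto-launched session path and reach the sign-in screen, so locked-down kiosk deployments should set this to Disabled deliberately.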
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountAutoLoginDelay.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountAutoLoginDelay.yaml
new file mode 100755
index 000000000..b1950ad9a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountAutoLoginDelay.yaml
@@ -0,0 +1,22 @@
+caption: Device-local account auto-login timer
+default: 0
+desc: |-
+ Setting the policy determines the amount of time in milliseconds without user activity before automatically signing in to the device-local account specified by the DeviceLocalAccountAutoLoginId policy.
+
+ Leaving it unset means 0 milliseconds is used as the timeout.
+
+ If the DeviceLocalAccountAutoLoginId policy is unset, this policy has no effect.
+device_only: true
+example_value: 180000
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- emaxx@chromium.org
+schema:
+ type: integer
+supported_on:
+- chrome_os:26-
+tags: []
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountAutoLoginId.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountAutoLoginId.yaml
new file mode 100755
index 000000000..b75193f2a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountAutoLoginId.yaml
@@ -0,0 +1,19 @@
+caption: Device-local account for auto-login
+desc: |-
+ Setting the policy means the specified session is automatically signed if there is no user interaction at the sign-in screen within the time specified in DeviceLocalAccountAutoLoginDelay. The device-local account must already be set up (see DeviceLocalAccounts).
+
+ Leaving it unset means there's no automatic sign-in.
+device_only: true
+example_value: public@example.com
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- poromov@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome_os:26-
+tags: []
+type: string
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountPromptForNetworkWhenOffline.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountPromptForNetworkWhenOffline.yaml
new file mode 100755
index 000000000..a9f36ab71
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccountPromptForNetworkWhenOffline.yaml
@@ -0,0 +1,25 @@
+caption: Enable network configuration prompt when offline
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset means when a device is offline, if a device-local account is set for zero-delay, automatic sign-in, $2Google ChromeOS shows a network-configuration prompt.
+
+ Setting the policy to Disabled has an error message displayed instead.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable network configuration prompt when offline
+ value: true
+- caption: Disable network configuration prompt when offline
+ value: false
+owners:
+- xiyuan@chromium.org
+- poromov@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:33-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccounts.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccounts.yaml
new file mode 100755
index 000000000..c7778076a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceLocalAccounts.yaml
@@ -0,0 +1,22 @@
+caption: Device-local accounts
+desc: |-
+ Setting the policy specifies the list of device-local accounts to display on the sign-in screen. Identifiers tell the different device-local accounts apart.
+
+ If the policy is unset or an empty list, there are no device-local accounts.
+device_only: true
+example_value:
+- demo@example.com
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- zmin@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:25-
+tags: []
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceWeeklyScheduledSuspend.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceWeeklyScheduledSuspend.yaml
new file mode 100755
index 000000000..ebdaf9e32
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/DeviceWeeklyScheduledSuspend.yaml
@@ -0,0 +1,35 @@
+caption: Schedule weekly suspend intervals
+desc: |-
+ This policy establishes a series of weekly intervals for scheduling automated suspension. When an interval starts, the $2Google ChromeOS device will enter suspend mode, and wake up when the interval ends.
+
+ Schedules with overlapping intervals are not supported. This policy will not have any effect if it contains any two overlapping intervals.
+
+ $2Google ChromeOS devices will use the system timezone to apply these intervals.
+
+ Important Note: The schedules set by this policy may not occur as expected if they conflict with other power management settings, such as PowerManagementIdleSettings. Ensure these settings are configured to allow the scheduled suspend intervals to take effect.
+device_only: true
+example_value:
+- start:
+ day_of_week: TUESDAY
+ time: 12840000
+ end:
+ day_of_week: TUESDAY
+ time: 21720000
+- start:
+ day_of_week: FRIDAY
+ time: 38640000
+ end:
+ day_of_week: MONDAY
+ time: 57600000
+features:
+ dynamic_refresh: true
+owners:
+- file://chrome/browser/ash/app_mode/OWNERS
+schema:
+ items:
+ $ref: WeeklyTimeIntervals
+ type: array
+supported_on:
+- chrome_os:125-
+tags: []
+type: dict
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskActiveWiFiCredentialsScopeChangeEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskActiveWiFiCredentialsScopeChangeEnabled.yaml
new file mode 100755
index 000000000..55159d34b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskActiveWiFiCredentialsScopeChangeEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Expose per-app kiosk active WiFi credentials to the device level
+default: false
+desc: |-
+ Setting the policy to Enabled means $2Google ChromeOS will automatically save the active kiosk WiFi credentials at the device level: the active WiFi can be used by any other kiosk apps or users on the device.
+ Leaving this policy unset or setting it to Disabled means kiosk active WiFi credentials are stored at the kiosk level: WiFi configured in a kiosk app can only be used in that same kiosk app.
+ This policy is not recommended and has to be used when no other options are available (e.g. OpenNetworkConfiguration policy).
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Save the active WiFi credentials at the device level
+ value: true
+- caption: Kiosk WiFi credentials are stored at the kiosk level
+ value: false
+owners:
+- irfedorova@google.com
+- chromeos-kiosk-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:130-
+tags: []
+type: main
\ No newline at end of file
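Review bot: The last sentence of `desc` reads as an instruction to use the policy ("is not recommended and has to be used when no other options are available"), which is the opposite of what is meant. I would reword it to `This policy is not recommended; use it only when no other option (e.g. the OpenNetworkConfiguration policy) is available.` Per the first sentence, enabling it makes the kiosk's active WiFi credentials usable by any other kiosk app or user on the device, yet `tags: []` carries no risk tag, so it is worth checking whether one applies. The file also ends without a trailing newline.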
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskTroubleshootingToolsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskTroubleshootingToolsEnabled.yaml
new file mode 100755
index 000000000..7454128fc
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskTroubleshootingToolsEnabled.yaml
@@ -0,0 +1,29 @@
+owners:
+- pbond@chromium.org
+- file://chrome/browser/ash/app_mode/OWNERS
+caption: Enable Kiosk troubleshooting tools
+desc: |-
+ Setting the policy to Enabled means Kiosk troubleshooting tools are available
+ to be used in a Kiosk session:
+ - Chrome developer tools
+ - Chrome browser window
+ - Task manager
+ Leaving this policy unset or setting to Disabled means Kiosk troubleshooting tools are disabled.
+
+ Please remember not to keep this policy enabled at all times, especially in production deployments.
+features:
+ dynamic_refresh: true
+ per_profile: true
+type: main
+schema:
+ type: boolean
+items:
+- caption: Enable Kiosk troubleshooting tools.
+ value: true
+- caption: Disable Kiosk troubleshooting tools.
+ value: false
+default: false
+example_value: false
+supported_on:
+- chrome_os:113-
+tags: []
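Review bot: The closing warning in `desc` ("Please remember not to keep this policy enabled at all times") is too soft for what the policy does. With it enabled, Chrome developer tools, a browser window and the task manager are available inside a Kiosk session, which presumably lets whoever is at the device step outside the kiosk app. I would say that directly, e.g. `Enable this policy only for the duration of a troubleshooting session; while it is enabled the Kiosk session is not restricted to the kiosk app.` `tags: []` is also empty; a risk tag such as `system-security` looks appropriate if the template's tag set is meant to cover this case.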
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskVisionTelemetryEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskVisionTelemetryEnabled.yaml
new file mode 100755
index 000000000..3ad9649fc
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskVisionTelemetryEnabled.yaml
@@ -0,0 +1,24 @@
+owners:
+- sseckler@chromium.org
+- file://chromeos/components/kiosk/OWNERS
+caption: Enable Kiosk Vision's telemetry reporting.
+desc: |-
+ Setting the policy to Enabled means Kiosk Vision's telemetry reporting is enabled.
+ It will start the Kiosk Vision framework and enable reporting of the audience telemetry.
+ Leaving this policy unset or setting it to Disabled means Kiosk Vision's telemetry reporting is disabled.
+features:
+ dynamic_refresh: true
+ per_profile: false
+type: main
+schema:
+ type: boolean
+items:
+- caption: Enable Kiosk Vision's telemetry reporting.
+ value: true
+- caption: Disable Kiosk Vision's telemetry reporting.
+ value: false
+default: false
+example_value: false
+future_on:
+- chrome_os
+tags: []
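Review bot: `desc` does not say what "audience telemetry" contains or where it is reported, so an administrator cannot judge the privacy impact of enabling the Kiosk Vision framework from this text. Add a sentence naming the data collected and its recipient. The sharing tag should then match that recipient instead of `tags: []`, e.g. `admin-sharing` or `google-sharing`; which one is correct cannot be told from this hunk.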
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskWebAppOfflineEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskWebAppOfflineEnabled.yaml
new file mode 100755
index 000000000..f79d2f5b8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/KioskWebAppOfflineEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Allow kiosk web app to show network prompt on app launch if the device is offline
+default: true
+desc: |-
+ If the policy is disabled, it represents that the kiosk web app cannot function offline. A network prompt will be shown on a kiosk session start only if the device is offline. This will make sure that the device is online before the app is successfully launched.
+
+ This network prompt might not be shown if an app is set to auto-launch and the DeviceLocalAccountPromptForNetworkWhenOffline (https://chromeenterprise.google/policies/#DeviceLocalAccountPromptForNetworkWhenOffline) is disabled.
+
+ This policy has no effect on Chrome App or Web app which has a install URL which performs a cross-origin redirect to a different Web app (For eg. if the app install URL is https://example.com, but, on load it redirects to a different Web App i.e. https://www.app.example.de).
+
+ If the policy is set to true or not set, web apps will be launched even if the device is offline.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+
+items:
+- caption: Kiosk web app is offline capable
+ value: true
+- caption: Kiosk web app is not offline capable
+ value: false
+owners:
+- file://chrome/browser/ash/app_mode/OWNERS
+- macinashutosh@google.com
+- pbond@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:130-
+tags: []
+type: main
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/NewWindowsInKioskAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/NewWindowsInKioskAllowed.yaml
new file mode 100755
index 000000000..12e77c855
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/NewWindowsInKioskAllowed.yaml
@@ -0,0 +1,24 @@
+caption: Allow Web Kiosk to open more than one browser window on any screen
+default: false
+desc: |-
+ Setting the policy to Enabled means a Kiosk Web App can open another browser window which can be placed on the same screen or on a different screen. To open a new window, Web App should call window.open(url, target, windowFeatures) JavaScript function.
+
+ Setting the policy to Disabled or leaving it unset means a Kiosk Web App can use only the main browser window and cannot open a new window. Calling any Javascript functions for opening a new window will be ignored.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow a Kiosk Web App to open another browser window
+ value: true
+- caption: Prohibit a Kiosk Web App from opening another browser window
+ value: false
+owners:
+- irfedorova@google.com
+- chromeos-kiosk-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:116-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/policy_atomic_groups.yaml
new file mode 100755
index 000000000..d722a50b2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Kiosk/policy_atomic_groups.yaml
@@ -0,0 +1,9 @@
+Kiosk:
+ caption: Kiosk settings
+ policies:
+ - DeviceLocalAccounts
+ - DeviceLocalAccountAutoLoginId
+ - DeviceLocalAccountAutoLoginDelay
+ - DeviceLocalAccountAutoLoginBailoutEnabled
+ - DeviceLocalAccountPromptForNetworkWhenOffline
+ - KioskTroubleshootingToolsEnabled
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/.group.details.yaml
new file mode 100755
index 000000000..6cfbe816a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Locally managed users settings
+desc: Configure settings for managed users.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/SupervisedUserContentProviderEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/SupervisedUserContentProviderEnabled.yaml
new file mode 100755
index 000000000..c56f21407
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/SupervisedUserContentProviderEnabled.yaml
@@ -0,0 +1,19 @@
+caption: Enable the supervised user content provider
+deprecated: true
+desc: |-
+ If true and the user is a supervised user then other Android apps can query the user's web restrictions through a content provider.
+
+ If false or unset then the content provider returns no information.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- android:49-70
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/SupervisedUserCreationEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/SupervisedUserCreationEnabled.yaml
new file mode 100755
index 000000000..8fe3ee725
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/SupervisedUserCreationEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Enable creation of supervised users
+deprecated: true
+desc: |-
+ If set to false, supervised-user creation by this user will be disabled. Any existing supervised users will still be available.
+
+ If set to true or not configured, supervised users can be created and managed by this user.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable creation of supervised users
+ value: true
+- caption: Disable creation of supervised users
+ value: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:29-70
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/SupervisedUsersEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/SupervisedUsersEnabled.yaml
new file mode 100755
index 000000000..1952db97d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/SupervisedUsersEnabled.yaml
@@ -0,0 +1,23 @@
+caption: Enable supervised users
+default_for_managed_devices_doc_only: false
+deprecated: true
+desc: |-
+ If set to true, supervised users can be created and used.
+
+ If set to false or not configured, supervised-user creation and login will be disabled. All existing supervised users will be hidden.
+
+ NOTE: The default behavior for consumer and enterprise devices differs: on consumer devices supervised users are enabled by default, but on enterprise devices they are disabled by default.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:29-70
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/policy_atomic_groups.yaml
new file mode 100755
index 000000000..82314ee3f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/LocallyManagedUsers/policy_atomic_groups.yaml
@@ -0,0 +1,6 @@
+SupervisedUsers:
+ caption: Supervised users
+ policies:
+ - SupervisedUsersEnabled
+ - SupervisedUserCreationEnabled
+ - SupervisedUserContentProviderEnabled
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/.group.details.yaml
new file mode 100755
index 000000000..1abf6ce15
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Miscellaneous
+desc: Miscellaneous
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AbusiveExperienceInterventionEnforce.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AbusiveExperienceInterventionEnforce.yaml
new file mode 100755
index 000000000..b35938980
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AbusiveExperienceInterventionEnforce.yaml
@@ -0,0 +1,27 @@
+caption: Abusive Experience Intervention Enforce
+default: true
+desc: |-
+ If SafeBrowsingEnabled is not Disabled, then setting AbusiveExperienceInterventionEnforce to Enabled or leaving it unset prevents sites with abusive experiences from opening new windows or tabs.
+
+ Setting SafeBrowsingEnabled to Disabled or AbusiveExperienceInterventionEnforce to Disabled lets sites with abusive experiences open new windows or tabs.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Prevent sites with abusive experiences from opening new windows or tabs
+ value: true
+- caption: Allow sites with abusive experiences to open new windows or tabs
+ value: false
+owners:
+- shivanisha@chromium.org
+- csharrison@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:65-
+- chrome_os:65-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AccessibilityImageLabelsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AccessibilityImageLabelsEnabled.yaml
new file mode 100755
index 000000000..6c1787700
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AccessibilityImageLabelsEnabled.yaml
@@ -0,0 +1,44 @@
+caption: Enable Get Image Descriptions from Google.
+default: null
+desc: "The Get Image Descriptions from Google\n \
+ \ accessibility feature enables visually-impaired screen reader users to\n\
+ \ get descriptions of unlabeled images on the web. Users who choose to\
+ \ enable it\n will have the option of using an anonymous Google service\
+ \ to provide\n automatic descriptions for unlabeled images they encounter\
+ \ on the web.\n\n If this feature is enabled, the content of images will\
+ \ be sent to Google\n servers in order to generate a description. No cookies\
+ \ or other user\n data is sent, and Google does not save or log any image\
+ \ content.\n\n If this policy is set to Enabled, the\n Get Image Descriptions from Google\n feature will be\
+ \ enabled, though it will only affect users who are using a\n screen reader\
+ \ or other similar assistive technology.\n\n If this policy is set to Disabled,\
+ \ users will not have the option of enabling\n the feature.\n\n \
+ \ If this policy is not set, user can choose to use this feature or not.\n \
+ \ "
+example_value: false
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Use an anonymous Google service to provide automatic descriptions for unlabeled
+ images
+ value: true
+- caption: Do not use Google services to provide automatic image descriptions
+ value: false
+- caption: Let users choose to use an anonymous Google service to provide automatic
+ descriptions for unlabeled images
+ value: null
+owners:
+- file://ui/accessibility/OWNERS
+- dtseng@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:84-
+- chrome.*:84-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AccessibilityPerformanceFilteringAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AccessibilityPerformanceFilteringAllowed.yaml
new file mode 100755
index 000000000..7541e9ed6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AccessibilityPerformanceFilteringAllowed.yaml
@@ -0,0 +1,25 @@
+caption: Allow Accessibility Performance Filtering.
+default: true
+desc: |-
+ A policy to control whether the accessibility engine is allowed to dynamically compute a filter for the accessibility tree in $1Google Chrome to improve performance.
+ When the policy is either set to Enabled or not set, the accessibility engine is allowed to dynamically compute filter modes for the accessibility tree in $1Google Chrome, which may lead to a performance improvement.
+ When the policy is set to Disabled, the accessibility engine is not allowed to dynamically compute filter modes for the accessibility tree.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Allow Accessibility Performance Filtering to be used.
+ value: true
+- caption: Disallow Accessibility Performance Filtering to be used.
+ value: false
+owners:
+- file://ui/accessibility/OWNERS
+- aldietz@google.com
+- mschillaci@google.com
+schema:
+ type: boolean
+supported_on:
+- android:117-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdHocCodeSigningForPWAsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdHocCodeSigningForPWAsEnabled.yaml
new file mode 100755
index 000000000..74347496c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdHocCodeSigningForPWAsEnabled.yaml
@@ -0,0 +1,35 @@
+caption: Native application signing during Progressive Web Application installation
+desc: |-
+ Setting the policy to Enabled or leaving it unset enables the use of ad-hoc signatures for the native application that is created when installing a Progressive Web Application (PWA). This ensures that each installed application has a unique identity to macOS system components.
+
+ Setting the policy to Disabled will result in every native application created when installing Progressive Web Applications having the same identity. This can interfere with macOS functionality.
+
+ Only turn off the policy if you are using an endpoint security solution that blocks applications with an ad-hoc signature.
+
+supported_on:
+- chrome.mac:129-
+
+features:
+ dynamic_refresh: false
+ per_profile: false
+
+type: main
+schema:
+ type: boolean
+
+items:
+- caption: Use ad-hoc code signatures.
+ value: true
+- caption: Do not use ad-hoc code signatures.
+ value: false
+- caption: Depend on feature launch process.
+ value: null
+
+default: null
+example_value: false
+
+owners:
+- markrowe@chromium.org
+- file://chrome/browser/web_applications/OWNERS
+
+tags: []
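Review bot: The unset case is described two ways in this file. `desc` says "Setting the policy to Enabled or leaving it unset enables the use of ad-hoc signatures", while `default: null` pairs with the item captioned "Depend on feature launch process". One of them should change so an administrator knows whether an unconfigured macOS client signs the native application created for a PWA. If the caption is the accurate one, the first sentence could end `leaving it unset follows the feature launch process.` This matters for the last paragraph's advice, since a site whose endpoint security blocks ad-hoc signatures has to know whether leaving the policy unset is safe.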
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdditionalDnsQueryTypesEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdditionalDnsQueryTypesEnabled.yaml
new file mode 100755
index 000000000..18d52ec37
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdditionalDnsQueryTypesEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Allow DNS queries for additional DNS record types
+default: true
+desc: |-
+ This policy controls whether $1Google Chrome may query additional DNS record types when making insecure DNS requests. This policy has no effect on DNS queries made via Secure DNS, which may always query additional DNS types.
+
+ If this policy is unset or set to Enabled, additional types such as HTTPS (DNS type 65) may be queried in addition to A (DNS type 1) and AAAA (DNS type 28).
+
+ If this policy is set to Disabled, DNS will only be queried for A (DNS type 1) and/or AAAA (DNS type 28).
+
+ This policy is a temporary measure and will be removed in future versions of $1Google Chrome. After removal of the policy, $1Google Chrome will always be able to query additional DNS types.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Allow additional DNS query types
+ value: true
+- caption: Prevent additional DNS query types
+ value: false
+owners:
+- ericorth@chromium.org
+- file://net/OWNERS
+schema:
+ type: boolean
+supported_on:
+- android:92-
+- chrome.*:92-
+- chrome_os:92-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdsSettingForIntrusiveAdsSites.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdsSettingForIntrusiveAdsSites.yaml
new file mode 100755
index 000000000..11b1da9bf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdsSettingForIntrusiveAdsSites.yaml
@@ -0,0 +1,32 @@
+caption: Ads setting for sites with intrusive ads
+default: 1
+desc: |-
+ Unless SafeBrowsingEnabled is set to False, then setting AdsSettingForIntrusiveAdsSites to 1 or leaving it unset allows ads on all sites.
+
+ Setting the policy to 2 blocks ads on sites with intrusive ads.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow ads on all sites
+ name: AllowAds
+ value: 1
+- caption: Do not allow ads on sites with intrusive ads
+ name: BlockAds
+ value: 2
+owners:
+- shivanisha@chromium.org
+- csharrison@chromium.org
+schema:
+ enum:
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:65-
+- chrome_os:65-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdvancedProtectionAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdvancedProtectionAllowed.yaml
new file mode 100755
index 000000000..a1df8a5b9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdvancedProtectionAllowed.yaml
@@ -0,0 +1,31 @@
+caption: Enable additional protections for users enrolled in the Advanced Protection
+ program
+default: true
+desc: This policy controls whether users enrolled in the Advanced Protection program
+ receive extra protections. Some of these features may involve the sharing of data
+ with Google (for example, Advanced Protection users will be able to send their downloads
+ to Google for malware scanning). If set to True or not set, enrolled users will
+ receive extra protections. If set to False, Advanced Protection users will receive
+ only the standard consumer features.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Users enrolled in the Advanced Protection program will receive extra protections
+ value: true
+- caption: Users enrolled in the Advanced Protection program will only receive standard
+ consumer protections
+ value: false
+owners:
+- file://chrome/browser/safe_browsing/OWNERS
+- drubery@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:83-
+- chrome_os:83-
+tags: []
+type: main
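Review bot: `tags: []` is empty although `desc` states that these features "may involve the sharing of data with Google", giving downloads sent for malware scanning as the example. AccessibilityImageLabelsEnabled.yaml in this same patch marks the equivalent case with `- google-sharing`, and this file should carry the same tag so the data-sharing behaviour shows up in tag-based review. The same gap is in AdvancedProtectionDeepScanningEnabled.yaml in the next hunk, whose `desc` also has the typo "will be be prompted".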
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdvancedProtectionDeepScanningEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdvancedProtectionDeepScanningEnabled.yaml
new file mode 100755
index 000000000..4980c5f76
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AdvancedProtectionDeepScanningEnabled.yaml
@@ -0,0 +1,20 @@
+caption: Enable sending downloads to Google for deep scanning for users enrolled in
+ the Advanced Protection program
+deprecated: true
+desc: |-
+ This policy is deprecated, and has been replaced with AdvancedProtectionAllowed.
+
+ This policy controls whether users enrolled in the Advanced Protection program are allowed to send their downloads to Google for malware scanning. If set to True or not set, enrolled users will be be prompted to send their files to Google for deep scanning. If the user selects 'Scan', their download will be sent to Google. If set to False, users will not be prompted and their downloads will not be sent to Google.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://chrome/browser/safe_browsing/OWNERS
+- drubery@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:81-81
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowBackForwardCacheForCacheControlNoStorePageEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowBackForwardCacheForCacheControlNoStorePageEnabled.yaml
new file mode 100755
index 000000000..e7f61a232
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowBackForwardCacheForCacheControlNoStorePageEnabled.yaml
@@ -0,0 +1,37 @@
+owners:
+- chrome-bfcache@google.com
+- leimy@chromium.org
+caption: |-
+ Allow pages with Cache-Control: no-store header to enter back/forward cache
+desc: |-
+ This policy controls if a page with Cache-Control: no-store header can be stored in back/forward cache. The website setting this header may not expect the page to be restored from back/forward cache since some sensitive information could still be displayed after the restoration even if it is no longer accessible.
+
+ If the policy is enabled or unset, the page with Cache-Control: no-store header might be restored from back/forward cache unless the cache eviction is triggered (e.g. when there is HTTP-only cookie change to the site).
+
+ If the policy is disabled, the page with Cache-Control: no-store header will not be stored in back/forward cache.
+supported_on:
+- chrome.*:116-
+- chrome_os:116-
+- android:116-
+- fuchsia:117-
+deprecated: false
+device_only: false
+features:
+ can_be_mandatory: true
+ can_be_recommended: false
+ dynamic_refresh: true
+ internal_only: false
+ per_profile: true
+ platform_only: false
+ unlisted: false
+type: main
+schema:
+ type: boolean
+items:
+- caption: 'Allow pages with Cache-Control: no-store header to be stored in back/forward cache.'
+ value: true
+- caption: 'Disallow pages with Cache-Control: no-store header to be stored in back/forward cache.'
+ value: false
+default: true
+example_value: true
+tags: []
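Review bot: `default: true` lets pages served with Cache-Control: no-store be restored from back/forward cache unless an administrator opts out, and `desc` itself concedes that "some sensitive information could still be displayed after the restoration". The description should tell the administrator when to turn this off, e.g. `Set this policy to Disabled on shared devices where a restored page must not show data from an earlier session.` The eviction trigger is given only as an example ("e.g. when there is HTTP-only cookie change"), so the text should not be read as a guarantee that every sign-out evicts the cached page.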
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowChromeDataInBackups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowChromeDataInBackups.yaml
new file mode 100755
index 000000000..01b064117
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowChromeDataInBackups.yaml
@@ -0,0 +1,25 @@
+caption: Allow backup of $1Google Chrome data
+default: true
+desc: |-
+ If this policy is set to False, $1Google Chrome data, including cookies and website local storage, will be excluded from iCloud and local backups on iOS.
+ If this policy is set to True or unset, $1Google Chrome may be included in backups.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+supported_on:
+- ios:121-
+items:
+- caption: Allow $1Google Chrome data to be
+ included in backups
+ value: true
+- caption: Prevent $1Google Chrome data from
+ being included in backups
+ value: false
+owners:
+- ajuma@chromium.org
+- file://ios/chrome/OWNERS
+schema:
+ type: boolean
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowDeletingBrowserHistory.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowDeletingBrowserHistory.yaml
new file mode 100755
index 000000000..b2f16657d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowDeletingBrowserHistory.yaml
@@ -0,0 +1,28 @@
+caption: Enable deleting browser and download history
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset means browser history and download history can be deleted in Chrome, and users can't change this setting.
+
+ Setting the policy to Disabled means browser history and download history can't be deleted. Even with this policy off, the browsing and download history are not guaranteed to be retained. Users may be able to edit or delete the history database files directly, and the browser itself may expire or archive any or all history items at any time.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable deleting browser and download history
+ value: true
+- caption: Disable deleting browser and download history
+ value: false
+owners:
+- file://chrome/browser/enterprise/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:57-
+- chrome_os:57-
+tags:
+- local-data-access
+- admin-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowDinosaurEasterEgg.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowDinosaurEasterEgg.yaml
new file mode 100755
index 000000000..804b4bf61
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowDinosaurEasterEgg.yaml
@@ -0,0 +1,30 @@
+caption: Allow Dinosaur Easter Egg Game
+default: null
+default_for_enterprise_users: false
+desc: |-
+ Setting the policy to True allows users to play the dinosaur game. Setting the policy to False means users can't play the dinosaur easter egg game when device is offline.
+
+ Leaving the policy unset means users can't play the game on enrolled $2Google ChromeOS, but can under other circumstances.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable dinosaur easter egg game
+ value: true
+- caption: Disable dinosaur easter egg game
+ value: false
+- caption: Disable dinosaur easter egg game on enrolled $2Google ChromeOS devices, enable under other circumstances
+ value: null
+owners:
+- file://components/policy/OWNERS
+- poromov@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:48-
+- chrome.*:48-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowFileSelectionDialogs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowFileSelectionDialogs.yaml
new file mode 100755
index 000000000..1548990ee
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowFileSelectionDialogs.yaml
@@ -0,0 +1,26 @@
+caption: Allow invocation of file selection dialogs
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset means Chrome can display, and users can open, file selection dialogs.
+
+ Setting the policy to Disabled means that whenever users perform actions provoking a file selection dialog, such as importing bookmarks, uploading files, and saving links, a message appears instead. The user is assumed to have clicked Cancel on the file selection dialog.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Allow file selection dialogs
+ value: true
+- caption: Prevent file selection dialogs
+ value: false
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:12-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowNativeNotifications.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowNativeNotifications.yaml
new file mode 100755
index 000000000..08cf8438d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowNativeNotifications.yaml
@@ -0,0 +1,24 @@
+caption: Allows native notifications
+default: true
+deprecated: true
+desc: |-
+ This policy is deprecated, please use the 'AllowSystemNotifications' policy instead.
+
+ Configures whether $1Google Chrome on Linux will use native notifications.
+
+ If set to True or not set, $1Google Chrome is allowed to use native notifications.
+
+ If set to False, $1Google Chrome will not use native notifications. $1Google Chrome's Message Center will be used as a fallback.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://chrome/browser/notifications/OWNERS
+- knollr@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.linux:83-100
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowOutdatedPlugins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowOutdatedPlugins.yaml
new file mode 100755
index 000000000..591044556
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowOutdatedPlugins.yaml
@@ -0,0 +1,30 @@
+caption: Allow running plugins that are outdated
+default: null
+deprecated: true
+desc: |-
+ This policy is deprecated in M88, Flash is no longer supported by Chrome. Setting the policy to Enabled means outdated plugins are used as normal plugins. Setting the policy to Disabled means outdated plugins aren't used.
+
+ Leaving the policy unset means users will be asked for permission to run outdated plugins.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow outdated Flash to be used as normal
+ Flash
+ value: true
+- caption: Disallow outdated Flash
+ value: false
+- caption: Ask user for permission to run outdated Flash
+ value: null
+owners:
+- file://components/policy/OWNERS
+- hendrich@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:12-87
+- chrome_os:12-87
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowPopupsDuringPageUnload.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowPopupsDuringPageUnload.yaml
new file mode 100755
index 000000000..2c1bcb407
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowPopupsDuringPageUnload.yaml
@@ -0,0 +1,30 @@
+caption: Allows a page to show pop-ups during its unloading
+default_for_enterprise_users: false
+deprecated: true
+desc: |-
+ Setting the policy to True allows pages to show pop-ups while the pages unload.
+
+ Setting the policy to False or leaving it unset prevents pages from showing pop-ups while the pages unload.
+
+ This policy was removed in Chrome 88 and is ignored if set.
+
+ See https://www.chromestatus.com/feature/5989473649164288.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Allow pages to show pop-ups during unloading
+ value: true
+- caption: Prevent pages from showing pop-ups during unloading
+ value: false
+owners:
+- avi@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:74-87
+- chrome_os:74-87
+- android:74-87
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowScreenLock.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowScreenLock.yaml
new file mode 100755
index 000000000..6a22a1a48
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowScreenLock.yaml
@@ -0,0 +1,24 @@
+caption: Permit locking the screen
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset lets users who authenticate with a password lock the screen.
+
+ Setting the policy to Disabled means users can't lock the screen. (They can only sign out from the user session.)
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow locking the screen
+ value: true
+- caption: Do not allow locking the screen
+ value: false
+owners:
+- file://components/policy/OWNERS
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:52-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowSyncXHRInPageDismissal.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowSyncXHRInPageDismissal.yaml
new file mode 100755
index 000000000..a2e0f93fc
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowSyncXHRInPageDismissal.yaml
@@ -0,0 +1,33 @@
+caption: Allows a page to perform synchronous XHR requests during page dismissal.
+default_for_enterprise_users: false
+deprecated: true
+desc: |-
+ This policy allows an admin to specify that a page may send synchronous XHR requests during page dismissal.
+
+ When the policy is set to enabled, pages are allowed to send synchronous XHR requests during page dismissal.
+
+ When the policy is set to disabled or not set, pages are not allowed to send synchronous XHR requests during page dismissal.
+
+ This policy was removed in Chrome 99.
+
+ See https://www.chromestatus.com/feature/4664843055398912 .
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Allow pages to send synchronous XHR requests during page dismissal
+ value: true
+- caption: Do not allow pages to send synchronous XHR requests during page dismissal
+ value: false
+owners:
+- kdillon@chromium.org, panicker@chromium.org
+- kdillon@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:78-99
+- chrome_os:78-99
+- android:78-99
+tags: []
+type: main
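Review bot: The `owners` list has a malformed first entry: `- kdillon@chromium.org, panicker@chromium.org` puts two addresses in a single list item, and `kdillon@chromium.org` is then repeated as the second item. Every other definition in this patch gives one address or one `file://` path per item, so a consumer that reads each item as a single owner would get an invalid value here. I would write the list as `- kdillon@chromium.org` followed by `- panicker@chromium.org`.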
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowSystemNotifications.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowSystemNotifications.yaml
new file mode 100755
index 000000000..5e9b21f0c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowSystemNotifications.yaml
@@ -0,0 +1,25 @@
+caption: Allows system notifications
+default: true
+desc: |-
+ Configures whether $1Google Chrome on Linux will use system notifications.
+
+ If set to True or not set, $1Google Chrome is allowed to use system notifications.
+
+ If set to False, $1Google Chrome will not use system notifications. $1Google Chrome's Message Center will be used as a fallback.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow system notifications to be used
+ value: true
+- caption: Do not allow system notifications to be used
+ value: false
+owners:
+- file://chrome/browser/notifications/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.linux:90-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowWebAuthnWithBrokenTlsCerts.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowWebAuthnWithBrokenTlsCerts.yaml
new file mode 100755
index 000000000..f1a34bd5e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowWebAuthnWithBrokenTlsCerts.yaml
@@ -0,0 +1,32 @@
+caption: Allow Web Authentication requests on sites with broken TLS certificates.
+default: false
+desc: |-
+ If set to Enabled, $1Google Chrome will
+ allow Web Authentication requests on websites that have TLS certificates with
+ errors (i.e. websites considered not secure).
+
+ If the policy is set to Disabled or left unset, the default behavior of
+ blocking such requests will apply.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+supported_on:
+- chrome.*:110-
+- chrome_os:110-
+- android:110-
+items:
+- caption: Allow WebAuthn API requests on sites with broken TLS certificates.
+ value: true
+- caption: Do not allow WebAuthn API requests on sites with broken TLS certificates.
+ value: false
+owners:
+- nsatragno@chromium.org
+- file://device/fido/OWNERS
+schema:
+ type: boolean
+tags:
+- system-security
+type: main
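Review bot: `example_value: true` shows the non-default, weaker setting for a policy tagged `system-security`, and the `desc` never states what is given up by enabling it. With the policy on, Web Authentication requests are allowed on origins whose certificate failed validation, so the origin a credential is exercised against is no longer authenticated by TLS. If the example has to stay non-default, the description should carry the caveat, for instance `Enabling this policy weakens the origin check that Web Authentication relies on; restrict it to test environments.` ApplicationBoundEncryptionEnabled.yaml later in this patch has the same shape (`default: true`, `example_value: false`), though its `desc` already spells out the risk.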
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedDomainsForApps.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedDomainsForApps.yaml
new file mode 100755
index 000000000..2f8d8dfe5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedDomainsForApps.yaml
@@ -0,0 +1,29 @@
+caption: Define domains allowed to access Google
+ Workspace
+desc: |-
+ Setting the policy turns on Chrome's restricted sign-in feature in Google Workspace and prevents users from changing this setting. Users can only access Google tools using accounts from the specified domains (to allow gmail or googlemail accounts, add consumer_accounts to the list of domains). This setting prevents users from signing in and adding a Secondary Account on a managed device that requires Google authentication, if that account doesn't belong to one of the explicitly allowed domains.
+
+ Leaving this setting empty or unset means users can access Google Workspace with any account.
+
+ Users cannot change or override this setting.
+
+ Note: This policy causes the X-GoogApps-Allowed-Domains header to be appended to all HTTP and HTTPS requests to all google.com domains, as described in https://support.google.com/a/answer/1668854.
+example_value: managedchrome.com,example.com
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- igorcov@chromium.org
+- atwilson@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:51-
+- chrome_os:51-
+- android:51-
+tags:
+- filtering
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedDomainsForAppsList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedDomainsForAppsList.yaml
new file mode 100755
index 000000000..28f583d45
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedDomainsForAppsList.yaml
@@ -0,0 +1,32 @@
+caption: Define domains allowed to access Google
+ Workspace
+desc: |-
+ Setting the policy turns on Chrome's restricted sign-in feature in Google Workspace and prevents users from changing this setting. Users can only access Google tools using accounts from the specified domains (to allow gmail or googlemail accounts, add consumer_accounts to the list of domains). This setting prevents users from signing in and adding a Secondary Account on a managed device that requires Google authentication, if that account doesn't belong to one of the explicitly allowed domains.
+
+ Leaving this setting empty or unset means users can access Google Workspace with any account.
+
+ Users cannot change or override this setting.
+
+ Note: This policy causes the X-GoogApps-Allowed-Domains header to be appended to all HTTP and HTTPS requests to all google.com domains, as described in https://support.google.com/a/answer/1668854.
+example_value:
+- managedchrome.com
+- example.com
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- igorcov@chromium.org
+- pastarmovj@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+future_on:
+- chrome.*
+- chrome_os
+- android
+- fuchsia
+tags:
+- filtering
+type: list
\ No newline at end of file
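Review bot: This file repeats the caption and `desc` of AllowedDomainsForApps.yaml word for word, and neither description says which policy takes effect when both are set. An administrator migrating from the string form cannot tell from the text whether a leftover value widens or narrows the allowed-domain list. A sentence in each `desc` naming the other policy and the precedence would close that gap; the precedence itself is not visible in this patch and needs confirming against the policy handler. The file also ends without a trailing newline, unlike the other definitions here.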
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedInputMethods.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedInputMethods.yaml
new file mode 100755
index 000000000..fb1e19f97
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedInputMethods.yaml
@@ -0,0 +1,25 @@
+caption: Configure the allowed input methods in a user session
+desc: |-
+ Setting the policy lets users choose one of the input methods for $2Google ChromeOS sessions that you specify.
+
+ If you leave it unset or set to an empty list, users can select all supported input methods.
+
+ Starting with version M106 allowed input methods are automatically enabled in kiosk session.
+
+ Note: If the current input method is unsupported, it switches to the hardware keyboard layout (if allowed) or the first valid entry in this list. Invalid or unsupported methods are ignored.
+device_only: false
+example_value:
+- xkb:us::eng
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- hendrich@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:69-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedLanguages.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedLanguages.yaml
new file mode 100755
index 000000000..3fad32bdb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AllowedLanguages.yaml
@@ -0,0 +1,23 @@
+caption: Configure the allowed languages in a user session
+desc: |-
+ Setting the policy lets users add only one of the languages listed in this policy to the list of preferred languages.
+
+ If not set or set to an empty list, users can specify languages as preferred.
+
+ If set to a list with invalid values, those values are ignored. If users added languages not allowed by this policy to the list of preferred languages, they're removed. If they had $2Google ChromeOS displayed in a language not allowed by this policy, the next time they sign in, the display language switches to an allowed UI language. Otherwise, if this policy only has invalid entries, $2Google ChromeOS switches to the first valid value specified by this policy or a fallback locale such as en-US.
+device_only: false
+example_value:
+- en-US
+features:
+ dynamic_refresh: false
+ per_profile: true
+owners:
+- hendrich@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:72-
+tags: []
+type: list
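Review bot: The last sentence of `desc` contradicts itself: `if this policy only has invalid entries, $2Google ChromeOS switches to the first valid value specified by this policy` cannot hold, because a list with only invalid entries has no valid value. The second paragraph is also incomplete (`users can specify languages as preferred` presumably means any language). Since this text tells administrators what happens to a user's display language when the restriction is applied, the fallback rule should be stated unambiguously; the intended behaviour has to be confirmed against the implementation, which is not part of this hunk.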
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlternateErrorPagesEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlternateErrorPagesEnabled.yaml
new file mode 100755
index 000000000..4149d9820
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlternateErrorPagesEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Enable alternate error pages
+default: null
+desc: |-
+ Setting the policy to True means $1Google Chrome uses alternate error pages built into (such as "page not found"). Setting the policy to False means $1Google Chrome never uses alternate error pages.
+
+ If you set the policy, users can't change it. If not set, the policy is on, but users can change this setting.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable alternate error pages
+ value: true
+- caption: Disable alternate error pages
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- file://net/OWNERS
+- bashi@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+tags: []
+type: main
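Review bot: The first sentence of `desc` is missing its object: `uses alternate error pages built into (such as "page not found")` has nothing after `built into`. The same sentence uses the `$1Google Chrome` placeholder elsewhere, so presumably the text was meant to read `built into $1Google Chrome (such as "page not found")`. Only the wording needs fixing; the `value: null` item already matches the "If not set" paragraph.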
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlwaysAuthorizePlugins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlwaysAuthorizePlugins.yaml
new file mode 100755
index 000000000..bf9a3ff5e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlwaysAuthorizePlugins.yaml
@@ -0,0 +1,26 @@
+caption: Always runs plugins that require authorization (deprecated)
+deprecated: true
+desc: |-
+ If you enable this setting, plugins that are not outdated always run.
+
+ If this setting is disabled or not set, users will be asked for permission to run plugins that require authorization. These are plugins that can compromise security.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Always run plugins that are not outdated
+ value: true
+- caption: Ask user for permission to run plugins that require authorization
+ value: false
+owners:
+- file://components/policy/OWNERS
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:13-64
+- chrome_os:13-64
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlwaysOnVpnPreConnectUrlAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlwaysOnVpnPreConnectUrlAllowlist.yaml
new file mode 100755
index 000000000..dc27d6bb9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlwaysOnVpnPreConnectUrlAllowlist.yaml
@@ -0,0 +1,32 @@
+caption: Allow user browser access to a list of URLs while Always-on VPN is active in strict mode with lockdown enabled and the VPN is not connected
+desc: |-
+ This policy only applies to browser traffic; the Play Store, Android apps web navigation and other user traffic like Linux VM traffic or print jobs, still honor the restrictions imposed by the Always-on VPN. This policy is only enforced while the VPN is not connected and only for user browser traffic. While this policy is enforced, system traffic can also bypass the Always-on VPN to perform tasks like policy fetches and synchronizing the system clock.
+
+ Use this policy to open exceptions to certain schemes, subdomains of other domains, ports, or specific paths, using the format specified at https://support.google.com/chrome/a?p=url_blocklist_filter_format. The most specific filter determines if a URL is blocked or allowed.
+
+ If the AlwaysOnVpnPreConnectUrlAllowlist is set, an Always-on VPN is configured and the Always-on VPN is not connected, navigation to all hosts is blocked, except for those allowed by the AlwaysOnVpnPreConnectUrlAllowlist policy. In this device state, the URLBlocklist and URLAllowlist are ignored. When the Always-on VPN connects, the URLBlocklist and URLAllowlist policies are applied and the AlwaysOnVpnPreConnectUrlAllowlist policy is ignored.
+
+ This policy is limited to 1,000 entries.
+
+ Leaving the policy unset prevents any browser navigation while the Always-on VPN with strict mode is active and the VPN is not connected.
+
+example_value:
+- example.com
+- https://ssl.server.com
+- hosting.com/good_path
+- https://server:8080/path
+- .exact.hostname.com
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome_os:122-
+owners:
+- chromeos-commercial-networking@google.com
+- acostinas@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
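Review bot: Three of the five `example_value` entries (`example.com`, `hosting.com/good_path`, `.exact.hostname.com`) carry no scheme, and the `desc` does not say that such filters are not limited to HTTPS. This list applies only while the VPN is down, so every match is browser traffic that leaves the device outside the tunnel; as I read the referenced filter format, a scheme-less entry also admits plain `http://` requests to that host. I would add a sentence to `desc` such as `Prefer entries with an explicit https:// scheme, because allowed traffic is sent outside the VPN.` and keep the examples scheme-qualified where possible.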
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlwaysOpenPdfExternally.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlwaysOpenPdfExternally.yaml
new file mode 100755
index 000000000..23d3d0073
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AlwaysOpenPdfExternally.yaml
@@ -0,0 +1,31 @@
+caption: Always Open PDF files externally
+default: null
+desc: |-
+ Setting the policy to Enabled turns the internal PDF viewer off in $1Google Chrome, treats PDF files as a download, and lets users open PDFs with the default application.
+
+ Setting the policy to Disabled means that unless users turns off the PDF plugin, it will open PDF files.
+
+ If you set the policy, users can't change it in $1Google Chrome. If not set, users can choose whether to open PDF externally or not.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Always open PDF files using an external PDF viewer
+ value: true
+- caption: Always open PDF files using the internal PDF viewer
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:55-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AmbientAuthenticationInPrivateModesEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AmbientAuthenticationInPrivateModesEnabled.yaml
new file mode 100755
index 000000000..92623a903
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AmbientAuthenticationInPrivateModesEnabled.yaml
@@ -0,0 +1,52 @@
+caption: Enable Ambient Authentication for profile types.
+desc: |-
+ Configuring this policy will allow/disallow ambient authentication for Incognito and Guest profiles in $1Google Chrome.
+
+ Ambient Authentication is http authentication with default credentials if explicit credentials are not provided via NTLM/Kerberos/Negotiate challenge/response schemes.
+
+ Setting the RegularOnly (value 0), allows ambient authentication for Regular sessions only. Incognito and Guest sessions wouldn't be allowed to ambiently authenticate.
+
+ Setting the IncognitoAndRegular (value 1), allows ambient authentication for Incognito and Regular sessions. Guest sessions wouldn't be allowed to ambiently authenticate.
+
+ Setting the GuestAndRegular (value 2), allows ambient authentication for Guest and Regular sessions. Incognito sessions wouldn't be allowed to ambiently authenticate.
+
+ Setting the All (value 3), allows ambient authentication for all sessions.
+
+ Note that, ambient authentication is always allowed on regular profiles.
+
+ In $1Google Chrome version 81 and later, if the policy is left not set, ambient authentication will be enabled in regular sessions only.
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Enable ambient authentication in regular sessions only.
+ name: RegularOnly
+ value: 0
+- caption: Enable ambient authentication in incognito and regular sessions.
+ name: IncognitoAndRegular
+ value: 1
+- caption: Enable ambient authentication in guest and regular sessions.
+ name: GuestAndRegular
+ value: 2
+- caption: Enable ambient authentication in regular, incognito and guest sessions.
+ name: All
+ value: 3
+owners:
+- rhalavati@chromium.org
+- roagarwal@chromium.org
+- chrome-privacy-core@google.com
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome.*:80-
+- chrome_os:80-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AppCacheForceEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AppCacheForceEnabled.yaml
new file mode 100755
index 000000000..38322261c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AppCacheForceEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Allows the AppCache feature to be re-enabled even if it is off by default.
+deprecated: true
+desc: |-
+ If set to true, this will force AppCache to be enabled, even when AppCache in Chrome is not available by default.
+
+ If unset or set to false, AppCache will follow Chrome's defaults.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Force AppCache to be enabled
+ value: true
+- caption: Use default AppCache behavior
+ value: false
+owners:
+- enne@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:84-95
+- chrome_os:84-95
+- android:84-95
+- webview_android:84-95
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AppLaunchAutomation.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AppLaunchAutomation.yaml
new file mode 100755
index 000000000..fc0c9deef
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AppLaunchAutomation.yaml
@@ -0,0 +1,83 @@
+caption: App Launch Automation
+desc: Setting this policy allows administrators to configure automation for
+ launching apps on $1Google ChromeOS
+ devices. These apps can be launched on user login, or users can launch them
+ together from the launcher.
+example_value:
+- auto_launch_on_startup: false
+ created_time_usec: '13320917261678808'
+ desk:
+ apps:
+ - app_type: browser
+ browser_tabs:
+ - url: https://www.chromium.org
+ window_id: 30002
+ - app_type: browser
+ browser_tabs:
+ - url: chrome://version/
+ - url: https://dev.chromium.org
+ window_id: 30001
+ name: App Automation 1
+ updated_time_usec: '13320917261678808'
+ uuid: 27ea906b-a7d3-40b1-8c36-76d332d7f184
+- created_time_usec: '13320917271679905'
+ desk:
+ apps:
+ - app_type: browser
+ browser_tabs:
+ - url: https://www.google.com/
+ - url: https://www.youtube.com/
+ window_id: 30001
+ name: App Automation 2
+ updated_time_usec: '13320917271679905'
+ uuid: 3aa30d88-576e-48ea-ab26-cbdd2cbe43a1
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- yzd@google.com
+- cros-commercial-productivity-policy-eng@google.com
+schema:
+ type: array
+ items:
+ type: object
+ properties:
+ auto_launch_on_startup:
+ type: boolean
+ created_time_usec:
+ type: string
+ desk:
+ type: object
+ properties:
+ apps:
+ type: array
+ items:
+ type: object
+ properties:
+ app_type:
+ enum:
+ - android
+ - browser
+ - chrome_app
+ - isolated_web_app
+ - progressive_web_app
+ type: string
+ browser_tabs:
+ type: array
+ items:
+ type: object
+ properties:
+ url:
+ type: string
+ window_id:
+ type: integer
+ name:
+ type: string
+ updated_time_usec:
+ type: string
+ uuid:
+ type: string
+supported_on:
+- chrome_os:116-
+tags: []
+type: dict
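Review bot: The `desc` uses `$1Google ChromeOS`, while the other ChromeOS descriptions in this patch (AllowDinosaurEasterEgg, AllowedInputMethods, AllowedLanguages) use `$2Google ChromeOS`; if `$1` is the Chrome placeholder, the rendered product name may be wrong here. Separately, `browser_tabs.url` is a bare `type: string` and the example includes `chrome://version/`, so the schema itself places no limit on which URL schemes an automation can open at login. The `desc` should state which schemes are accepted, or say that validation happens in the consumer, which is outside this file.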
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AppStoreRatingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AppStoreRatingEnabled.yaml
new file mode 100755
index 000000000..2db4f867d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AppStoreRatingEnabled.yaml
@@ -0,0 +1,23 @@
+caption: Allows users to be shown the iOS App Store Rating promo
+desc: |-
+ When the policy is not set or set to Enabled, the App Store Rating promo may be shown to the user, at most once per year.
+ When the policy is set to Disabled, the App Store Rating promo will not be shown to the user.
+supported_on:
+- ios:110-
+features:
+ dynamic_refresh: true
+ per_profile: false
+type: main
+schema:
+ type: boolean
+items:
+- caption: Allow the App Store Rating promo to be displayed
+ value: true
+- caption: Do not allow the App Store Rating promo to be displayed
+ value: false
+owners:
+- hiramahmood@google.com
+- file://components/policy/OWNERS
+default: true
+example_value: false
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ApplicationBoundEncryptionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ApplicationBoundEncryptionEnabled.yaml
new file mode 100755
index 000000000..54674406b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ApplicationBoundEncryptionEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Enable Application Bound Encryption
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset binds encryption keys used for local data storage to $1Google Chrome whenever that is possible.
+
+ Setting the policy to Disabled has a detrimental effect on $1Google Chrome's security as unknown and potentially hostile apps can retrieve encryption keys used to secure data.
+
+ Only turn off the policy if there are compatibility issues, such as other applications that need legitimate access to $1Google Chrome's data, encrypted user data is expected to be fully portable between different computers or the integrity and location of $1Google Chrome's executable files is not consistent.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Enable Application Bound Encryption
+ value: true
+- caption: Disable Application Bound Encryption
+ value: false
+owners:
+- wfh@chromium.org
+- nparker@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:125-
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ApplicationLocaleValue.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ApplicationLocaleValue.yaml
new file mode 100755
index 000000000..a08447f25
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ApplicationLocaleValue.yaml
@@ -0,0 +1,23 @@
+caption: Application locale
+desc: |-
+ Setting the policy specifies the locale $1Google Chrome uses.
+
+ Turning it off or leaving it unset means the locale will be the first valid locale from:
+ 1) The user specified locale (if configured).
+ 2) The system locale.
+ 3) The fallback locale (en-US).
+example_value: en
+features:
+ can_be_recommended: true
+ dynamic_refresh: false
+ per_profile: false
+label: Application locale
+owners:
+- file://components/policy/OWNERS
+- hendrich@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.win:8-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ArcVmDataMigrationStrategy.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ArcVmDataMigrationStrategy.yaml
new file mode 100755
index 000000000..138e74fc8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ArcVmDataMigrationStrategy.yaml
@@ -0,0 +1,37 @@
+caption: Migration strategy for ARC VM Data Migration
+desc: |-
+ Setting the policy specifies the action to take when the user's ARC data directory was created with virtio-fs. Unless virtio-fs data is migrated to virtio-blk, Android apps might run slower on ARC VM.
+
+ Setting the policy to:
+
+ * DoNotPrompt means do not ask the user to go through the migration flow. This is the default value when policy is unset.
+
+ * Prompt (or an unsupported value) means that, at sign-in, user is prompted to go through the data migration flow. This can take up to 10 minutes.
+
+ This policy only applies to ARM devices migrating to ARCVM.
+device_only: false
+default: 0
+example_value: 1
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Do not prompt users to migrate.
+ name: DoNotPrompt
+ value: 0
+- caption: Prompt users to migrate.
+ name: Prompt
+ value: 1
+owners:
+- youkichihosoi@chromium.org
+- mhasank@chromium.org
+- arc-commercial@google.com
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+supported_on:
+- chrome_os:114-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AttestationExtensionWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AttestationExtensionWhitelist.yaml
new file mode 100755
index 000000000..7ab5ebf4e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AttestationExtensionWhitelist.yaml
@@ -0,0 +1,24 @@
+caption: Extensions allowed to to use the remote attestation API
+deprecated: true
+desc: |-
+ This policy is deprecated, please use AttestationExtensionAllowlist instead.
+
+ Setting the policy specifies the allowed extensions to use the Enterprise Platform Keys API function chrome.enterprise.platformKeys.challengeUserKey() for remote attestation. Extensions must be on this list to use the API.
+
+ If an extension is not in the list, or the list is not set, the call to the API fails with an error code.
+example_value:
+- ghdilpkmfbfdnomkmaiogjhjnggaggoi
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- emaxx@chromium.org
+- file://chrome/browser/extensions/api/enterprise_platform_keys/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:28-100
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioCaptureAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioCaptureAllowed.yaml
new file mode 100755
index 000000000..309cbf236
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioCaptureAllowed.yaml
@@ -0,0 +1,30 @@
+arc_support: For Android apps, this policy affects the microphone only. When this
+ policy is set to true, the microphone is muted for all Android apps, with no exceptions.
+caption: Allow or deny audio capture
+desc: |-
+ Setting the policy to Enabled or leaving it unset means that, with the exception of URLs set in the AudioCaptureAllowedUrls list, users get prompted for audio capture access.
+
+ Setting the policy to Disabled turns off prompts, and audio capture is only available to URLs set in the AudioCaptureAllowedUrls list.
+
+ Note: The policy affects all audio input (not just the built-in microphone).
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable audio input
+ value: true
+- caption: Disable audio input
+ value: false
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:25-
+- chrome_os:23-
+tags: []
+type: main
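Review bot: The `arc_support` text at the top of this definition reads as inverted relative to the rest of the file. It says the microphone is muted for Android apps when the policy is set to true, while `items` maps `true` to "Enable audio input" and `desc` ties the restriction to Disabled. An administrator who reads only the ARC note could pick the wrong value and leave the microphone available to Android apps when the intent was to block it. After confirming the ARC behaviour, which this hunk does not show, I would reword it to `When this policy is set to false, the microphone is muted for all Android apps, with no exceptions.` It would also help to state that the AudioCaptureAllowedUrls exceptions do not apply to Android apps, since "no exceptions" only implies it.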
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioCaptureAllowedUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioCaptureAllowedUrls.yaml
new file mode 100755
index 000000000..59d932c28
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioCaptureAllowedUrls.yaml
@@ -0,0 +1,25 @@
+caption: URLs that will be granted access to audio capture devices without prompt
+desc: |-
+ Setting the policy means you specify the URL list whose patterns get matched to the security origin of the requesting URL. A match grants access to audio capture devices without prompt
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Note, however, that the pattern "*", which matches any URL, is not supported by this policy.
+example_value:
+- https://www.example.com/
+- https://[*.]example.edu/
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- guidou@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:29-
+- chrome_os:29-
+tags:
+- website-sharing
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioOutputAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioOutputAllowed.yaml
new file mode 100755
index 000000000..669e0308e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioOutputAllowed.yaml
@@ -0,0 +1,25 @@
+caption: Allow playing audio
+desc: |-
+ Setting the policy to Enabled or leaving it unset allows all supported audio outputs on the users' devices.
+
+ Setting the policy to Disabled allows no audio output while users are signed in.
+
+ Note: The policy affects all audio output, including audio accessibility features. Do not turn the policy off if a user requires a screen reader.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable audio output
+ value: true
+- caption: Disable audio output
+ value: false
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:23-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioProcessHighPriorityEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioProcessHighPriorityEnabled.yaml
new file mode 100755
index 000000000..2726181b7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioProcessHighPriorityEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Allow the audio process to run with priority above normal on Windows
+default: null
+desc: |-
+ This policy controls the priority of the audio process on Windows.
+ If this policy is enabled, the audio process will run with above normal priority.
+ If this policy is disabled, the audio process will run with normal priority.
+ If this policy is not set, the default configuration for the audio process will be used.
+ This policy is intended as a temporary measure to give enterprises the ability to
+ run audio with higher priority to address certain performance issues with audio capture.
+ This policy will be removed in the future.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Use high priority for audio process
+ value: true
+- caption: Use normal Priority for audio process
+ value: false
+- caption: Use default priority for audio process
+ value: null
+owners:
+- file://services/audio/OWNERS
+- guidou@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:90-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioSandboxEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioSandboxEnabled.yaml
new file mode 100755
index 000000000..d77d61e0a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AudioSandboxEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Allow the audio sandbox to run
+default: null
+desc: |-
+ This policy controls the audio process sandbox.
+ If this policy is enabled, the audio process will run sandboxed.
+ If this policy is disabled, the audio process will run unsandboxed and the WebRTC audio-processing module will run in the renderer process.
+ This leaves users open to security risks related to running the audio subsystem unsandboxed.
+ If this policy is not set, the default configuration for the audio sandbox will be used, which may differ per platform.
+ This policy is intended to give enterprises flexibility to disable the audio sandbox if they use security software setups that interfere with the sandbox.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Always sandbox the audio process
+ value: true
+- caption: Never sandbox the audio process
+ value: false
+- caption: Use the default configuration for the audio sandbox
+ value: null
+owners:
+- file://services/audio/OWNERS
+- dalecurtis@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:79-
+- chrome.linux:79-
+- chrome.mac:79-
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AuthNegotiateDelegateWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AuthNegotiateDelegateWhitelist.yaml
new file mode 100755
index 000000000..d00dcc4b5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AuthNegotiateDelegateWhitelist.yaml
@@ -0,0 +1,18 @@
+caption: Kerberos delegation server allowlist
+deprecated: true
+desc: This policy is deprecated, please use the 'AuthNegotiateDelegateAllowlist' policy instead.
+example_value: foobar.example.com
+features:
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:9-100
+- android:46-100
+- chrome_os:62-100
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AuthServerWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AuthServerWhitelist.yaml
new file mode 100755
index 000000000..7740ba6d0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AuthServerWhitelist.yaml
@@ -0,0 +1,19 @@
+caption: Authentication server allowlist
+deprecated: true
+desc: This policy is deprecated and unsupported, please use the 'AuthServerAllowlist' policy instead.
+example_value: '*.example.com,example.com'
+features:
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:9-100
+- android:46-100
+- webview_android:49-100
+- chrome_os:62-100
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoCleanUpStrategy.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoCleanUpStrategy.yaml
new file mode 100755
index 000000000..949fa01d1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoCleanUpStrategy.yaml
@@ -0,0 +1,38 @@
+caption: Select the strategy used to free up disk space during automatic clean-up
+ (deprecated)
+deprecated: true
+desc: |-
+ This policy is deprecated. $2Google ChromeOS will always use the 'RemoveLRU' clean-up strategy.
+
+ Controls the automatic clean-up behavior on $2Google ChromeOS devices. Automatic clean-up is triggered when the amount of free disk space reaches a critical level to recover some disk space.
+
+ If this policy is set to 'RemoveLRU', the automatic clean-up will keep removing users from the device in least-recently-logged-in order until there is enough free space.
+
+ If this policy is set to 'RemoveLRUIfDormant', the automatic clean-up will keep removing users who have not logged in for at least 3 months in least-recently-logged-in order until there is enough free space.
+
+ If this policy is not set, automatic clean-up uses the default built-in strategy. Currently, it is the 'RemoveLRUIfDormant' strategy.
+device_only: true
+example_value: remove-lru
+features:
+ dynamic_refresh: true
+items:
+- caption: Least recently used users are removed until there is enough free space
+ name: RemoveLRU
+ value: remove-lru
+- caption: Least recently used users who have not logged in within last 3 months are
+ removed until there is enough free space
+ name: RemoveLRUIfDormant
+ value: remove-lru-if-dormant
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ enum:
+ - remove-lru
+ - remove-lru-if-dormant
+ type: string
+supported_on:
+- chrome_os:32-35
+tags: []
+type: string-enum
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoFillEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoFillEnabled.yaml
new file mode 100755
index 000000000..d3386ee05
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoFillEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Enable AutoFill
+deprecated: true
+desc: |-
+ This policy is deprecated in M70, please use AutofillAddressEnabled and AutofillCreditCardEnabled instead.
+
+ Enables $1Google Chrome's AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information.
+
+ If you disable this setting, AutoFill will be inaccessible to users.
+
+ If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.
+example_value: false
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable AutoFill
+ value: true
+- caption: Disable AutoFill
+ value: false
+owners:
+- file://components/autofill/OWNERS
+- sebsg@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoLaunchProtocolsFromOrigins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoLaunchProtocolsFromOrigins.yaml
new file mode 100755
index 000000000..a154f8c15
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoLaunchProtocolsFromOrigins.yaml
@@ -0,0 +1,50 @@
+caption: Define a list of protocols that can launch an external application from listed
+ origins without prompting the user
+desc: |-
+ Allows you to set a list of protocols, and for each protocol an associated list of allowed origin patterns, that can launch an external application without prompting the user. The trailing separator should not be included when listing the protocol, so list "skype" instead of "skype:" or "skype://".
+
+ If this policy is set, a protocol will only be permitted to launch an external application without prompting by policy if the protocol is listed, and the origin of the site trying to launch the protocol matches one of the origin patterns in that protocol's allowed_origins list. If either condition is false the external protocol launch prompt will not be omitted by policy.
+
+ If this policy is not set, no protocols can launch without a prompt by default. Users may opt out of prompts on a per-protocol/per-site basis unless the ExternalProtocolDialogShowAlwaysOpenCheckbox policy is set to Disabled. This policy has no impact on per-protocol/per-site prompt exemptions set by users.
+
+ The origin matching patterns use a similar format to those for the 'URLBlocklist' policy, which are documented at https://support.google.com/chrome/a?p=url_blocklist_filter_format.
+
+ However, origin matching patterns for this policy cannot contain "/path" or "@query" elements. Any pattern that does contain a "/path" or "@query" element will be ignored.
+example_value:
+- allowed_origins:
+ - example.com
+ - http://www.example.com:8080
+ protocol: spotify
+- allowed_origins:
+ - https://example.com
+ - https://.mail.example.com
+ protocol: teams
+- allowed_origins:
+ - '*'
+ protocol: outlook
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- csharp@chromium.org
+- engedy@chromium.org
+schema:
+ items:
+ properties:
+ allowed_origins:
+ items:
+ type: string
+ type: array
+ protocol:
+ type: string
+ required:
+ - protocol
+ - allowed_origins
+ type: object
+ type: array
+supported_on:
+- chrome.*:85-
+tags: []
+type: dict
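Review bot: The third `example_value` entry pairs `protocol: outlook` with `allowed_origins: '*'`, and `desc` never says what a wildcard origin means for this policy. Read literally, it lets any site hand a URL to the local handler with no prompt, which removes the only user-visible check before an external application is started. I would replace the example with a concrete origin such as `https://mail.example.com`. Alternatively, add to `desc` a sentence like `Using "*" as an origin pattern lets every site launch the protocol without a prompt; prefer explicit https origins.` The first entry also mixes a scheme-less `example.com` with an `http://` origin, so the description should say whether scheme-less patterns match plain http as well.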
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoOpenAllowedForURLs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoOpenAllowedForURLs.yaml
new file mode 100755
index 000000000..fee44125b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoOpenAllowedForURLs.yaml
@@ -0,0 +1,32 @@
+caption: URLs where AutoOpenFileTypes can apply
+desc: |-
+ List of URLs specifying which urls AutoOpenFileTypes will apply to. This policy has no impact on automatically open values set by users.
+
+ If this policy is set, files will only automatically open by policy if the url is part of this set and the file type is listed in AutoOpenFileTypes. If either condition is false the download won't automatically open by policy.
+
+ If this policy isn't set, all downloads where the file type is in AutoOpenFileTypes will automatically open.
+
+ A URL pattern has to be formatted according to https://support.google.com/chrome/a?p=url_blocklist_filter_format.
+example_value:
+- example.com
+- https://ssl.server.com
+- hosting.com/good_path
+- https://server:8080/path
+- .exact.hostname.com
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- csharp@chromium.org
+- qinmin@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:84-
+- chrome_os:84-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoOpenFileTypes.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoOpenFileTypes.yaml
new file mode 100755
index 000000000..26db68a8f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoOpenFileTypes.yaml
@@ -0,0 +1,30 @@
+caption: List of file types that should be automatically opened on download
+desc: |-
+ List of file types that should be automatically opened on download. The leading separator should not be included when listing the file type, so list "txt" instead of ".txt".
+
+ Files with types that should be automatically opened will still be subject to the enabled safe browsing checks and won't be opened if they fail those checks.
+
+ If this policy isn't set, only file types that a user has already specified to automatically be opened will do so when downloaded.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+example_value:
+- exe
+- txt
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- csharp@chromium.org
+- qinmin@chromium.org
+- pastarmovj@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:84-
+- chrome_os:84-
+tags: []
+type: list
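Review bot: `example_value` lists `exe` as a type to open automatically on download, which is the riskiest entry an administrator could copy from the documentation. The only guard `desc` mentions is the Safe Browsing check. The AutoOpenAllowedForURLs definition in this same patch states that, when it is unset, every download of a listed type opens automatically, but nothing here points the reader to it. I would change the example to a non-executable type such as `pdf`. I would also add `Restrict the sources with AutoOpenAllowedForURLs; without it, files of these types open automatically from any site.` to `desc`.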
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutofillAddressEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutofillAddressEnabled.yaml
new file mode 100755
index 000000000..3d744fe3e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutofillAddressEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable AutoFill for addresses
+desc: |-
+ Setting the policy to True or leaving it unset gives users control of Autofill for addresses in the UI.
+
+ Setting the policy to False means Autofill never suggests or fills address information, nor does it save additional address information that users submit while browsing the web.
+example_value: false
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable AutoFill for addresses
+ value: true
+- caption: Disable AutoFill for addresses
+ value: false
+owners:
+- file://components/autofill/OWNERS
+- sebsg@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:69-
+- chrome_os:69-
+- android:69-
+- ios:88-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutofillCreditCardEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutofillCreditCardEnabled.yaml
new file mode 100755
index 000000000..f17655b6f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutofillCreditCardEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable AutoFill for credit cards
+desc: |-
+ Setting the policy to True or leaving it unset means users can control autofill suggestions for credit cards in the UI.
+
+ Setting the policy to False means autofill never suggests or fills credit card information, nor will it save additional credit card information that users might submit while browsing the web.
+example_value: false
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable AutoFill for credit cards
+ value: true
+- caption: Disable AutoFill for credit cards
+ value: false
+owners:
+- file://components/autofill/OWNERS
+- caitkp@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:63-
+- chrome_os:63-
+- android:63-
+- ios:88-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoplayAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoplayAllowed.yaml
new file mode 100755
index 000000000..aa96b8a9b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoplayAllowed.yaml
@@ -0,0 +1,30 @@
+caption: Allow media autoplay
+desc: |-
+ Setting the policy to True lets $1Google Chrome autoplay media. Setting the policy to False stops $1Google Chrome from autoplaying media.
+
+ By default, $1Google Chrome doesn't autoplay media. But, for certain URL patterns, you can use the AutoplayAllowlist policy to change this setting.
+
+ If this policy changes while $1Google Chrome is running, it only applies to newly opened tabs.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow Chrome to autoplay media
+ value: true
+- caption: Do not allow Chrome to autoplay media
+ value: false
+owners:
+- fbeaufort@chromium.org
+- beccahughes@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:66-
+- chrome.linux:66-
+- chrome.mac:66-
+- chrome_os:66-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoplayAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoplayAllowlist.yaml
new file mode 100755
index 000000000..5d91877ae
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoplayAllowlist.yaml
@@ -0,0 +1,25 @@
+caption: Allow media autoplay on a allowlist of URL patterns
+desc: |-
+ Setting the policy lets videos play automatically (without user consent) with audio content in $1Google Chrome. If AutoplayAllowed policy is set to True, then this policy has no effect. If AutoplayAllowed is set to False, then any URL patterns set in this policy can still play. If this policy changes while $1Google Chrome is running, it only applies to newly opened tabs.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- fbeaufort@chromium.org
+- beccahughes@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:86-
+- chrome_os:86-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoplayWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoplayWhitelist.yaml
new file mode 100755
index 000000000..1824d31e8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/AutoplayWhitelist.yaml
@@ -0,0 +1,21 @@
+caption: Allow media autoplay on a allowlist of URL patterns
+deprecated: true
+desc: This policy is deprecated and unsupported, please use the 'AutoplayAllowlist' policy instead.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- fbeaufort@chromium.org
+- beccahughes@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:66-100
+- chrome_os:66-100
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BackForwardCacheEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BackForwardCacheEnabled.yaml
new file mode 100755
index 000000000..7fb0ac127
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BackForwardCacheEnabled.yaml
@@ -0,0 +1,33 @@
+caption: Control the BackForwardCache feature.
+default: true
+desc: "When enabled the BackForwardCache feature allows\
+ \ the use of the back-forward cache. When navigating away from a page, its current\
+ \ state (document tree, script, etc.) may be preserved in the back-forward cache.\
+ \ If the browser navigates back to the page, the page may be restored from the back-forward\
+ \ cache and displayed in the state it was in before being cached.\n\n This\
+ \ feature might cause issues for some websites that do not expect this caching.\
+ \ In particular, some websites depend on the \"unload\" event being dispatched when the browser navigates away from the page.\
+ \ The \"unload\" event will not be dispatched\
+ \ if the page enters the back-forward cache.\n\n If this policy is set\
+ \ to enabled or not set,\n the BackForwardCache\
+ \ feature will be enabled.\n\n If this policy is set to disabled then the\
+ \ feature will be force disabled.\n "
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow the back-forward cache to be used
+ value: true
+- caption: Do not allow the back-forward cache to be used
+ value: false
+owners:
+- chrome-bfcache@google.com
+- rakina@chromium.org
+schema:
+ type: boolean
+supported_on:
+- android:123-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BackgroundModeEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BackgroundModeEnabled.yaml
new file mode 100755
index 000000000..0bfbfae2d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BackgroundModeEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Continue running background apps when $1Google
+ Chrome is closed
+default: null
+desc: |-
+ Setting the policy to Enabled turns background mode on. In background mode, a $1Google Chrome process is started on OS sign-in and keeps running when the last browser window is closed, allowing background apps and the browsing session to remain active. The background process displays an icon in the system tray and can always be closed from there.
+
+ Setting the policy to Disabled turns background mode off.
+
+ If you set the policy, users can't change it in the browser settings. If unset, background mode is off at first, but users can change it.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable background mode
+ value: true
+- caption: Disable background mode
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:19-
+- chrome.linux:19-
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BatterySaverModeAvailability.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BatterySaverModeAvailability.yaml
new file mode 100755
index 000000000..0fcefe441
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BatterySaverModeAvailability.yaml
@@ -0,0 +1,50 @@
+caption: Enable Battery Saver Mode
+default: null
+desc: "This policy enables or disables the Battery Saver Mode setting.\n\
+ \ On Chrome, this setting makes it so that frame rate is throttled to\
+ \ lower power consumption. If this policy is unset, the end user can control\
+ \ this setting in chrome://settings/performance.\n\
+ \ On ChromeOS, this setting makes it so that frame rate and CPU\
+ \ frequency are throttled, backlights are dimmed, and Android is put in\
+ \ Battery Saver Mode. On devices with multiple CPUs, some CPUs will be turned\
+ \ off.\n\
+ \ The different levels are:\n\
+ \ Disabled\
+ \ (0): Battery Saver Mode will be disabled.\n\
+ \ EnabledBelowThreshold\
+ \ (1): Battery Saver Mode will be enabled when the device is on battery power\
+ \ and battery level is low.\n\
+ \ EnabledOnBattery\
+ \ (2): This value is deprecated as of M121. From M121 onwards, values will be\
+ \ treated as EnabledBelowThreshold.\n "
+example_value: 1
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Battery Saver Mode will be disabled.
+ name: Disabled
+ value: 0
+- caption: Battery Saver Mode will be enabled when the device is on battery power
+ and battery level is low.
+ name: EnabledBelowThreshold
+ value: 1
+- caption: This value is deprecated as of M121. In M121 and after, values will be
+ treated as EnabledBelowThreshold.
+ name: EnabledOnBattery
+ value: 2
+owners:
+- anthonyvd@chromium.org
+- file://components/performance_manager/OWNERS
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:108-
+- chrome_os:108-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BeforeunloadEventCancelByPreventDefaultEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BeforeunloadEventCancelByPreventDefaultEnabled.yaml
new file mode 100755
index 000000000..b44c46902
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BeforeunloadEventCancelByPreventDefaultEnabled.yaml
@@ -0,0 +1,35 @@
+caption: Control new behavior for the cancel dialog produced by the beforeunload event
+default: null
+desc: |-
+ This policy provides a temporary opt-out for two related fixes to the behavior of the confirmation dialog shown by the beforeunload event.
+ When this policy is Enabled, the new and correct behavior will be used. When this policy is Disabled, the old and legacy behavior will be used. When this policy is not set, the default behavior will be used.
+ This policy is a temporary workaround and will be removed soon.
+
+ New and correct behavior: In `beforeunload`, calling `event.preventDefault()` will trigger the confirmation dialog. Setting `event.returnValue` to the empty string will not trigger the confirmation dialog.
+
+ Old and legacy behavior: In `beforeunload`, calling `event.preventDefault()` will not trigger the confirmation dialog. Setting `event.returnValue` to the empty string will trigger the confirmation dialog.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Show cancel dialog when event.preventDefault() is called for beforeunload event. Do not show cancel dialog when event.returnValue is the empty string for beforeunload event.
+ value: true
+- caption: Do not show cancel dialog when event.preventDefault() is called for beforeunload event. Show cancel dialog when beforeunload event.returnValue is the empty string for beforeunload event.
+ value: false
+- caption: Use default behavior of feature rollout plan.
+ value: null
+owners:
+- dizhangg@chromium.org
+- dom-dev@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:117-
+- chrome_os:117-
+- android:117-
+- webview_android:117-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BlockThirdPartyCookies.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BlockThirdPartyCookies.yaml
new file mode 100755
index 000000000..a9730a3cb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BlockThirdPartyCookies.yaml
@@ -0,0 +1,31 @@
+caption: Block third party cookies
+default: null
+desc: |-
+ Setting the policy to Enabled prevents webpage elements that aren't from the domain that's in the browser's address bar from setting cookies. Setting the policy to Disabled lets those elements set cookies and prevents users from changing this setting.
+
+ Leaving it unset turns third-party cookies on, but users can change this setting.
+example_value: false
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Block 3rd party cookies
+ value: true
+- caption: Allow 3rd party cookies
+ value: false
+- caption: Allow 3rd party cookies, but allow the user to change this setting
+ value: null
+owners:
+- file://components/policy/OWNERS
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:10-
+- chrome_os:11-
+- android:83-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BookmarkBarEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BookmarkBarEnabled.yaml
new file mode 100755
index 000000000..cc7637554
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BookmarkBarEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Enable Bookmark Bar
+default: null
+desc: |-
+ Setting the policy to True displays a bookmark bar in $1Google Chrome. Setting the policy to False means users never see the bookmark bar.
+
+ If you set the policy, users can't change it. If not set, users decide whether to use this function.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable bookmark bar
+ value: true
+- caption: Disable bookmark bar
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:12-
+- chrome_os:12-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserAddPersonEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserAddPersonEnabled.yaml
new file mode 100755
index 000000000..58eab7cfc
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserAddPersonEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Enable add person in user manager
+desc: |-
+ If this policy is set to true or not configured, $1Google Chrome and Lacros will allow to add a new person from the user manager.
+
+ If this policy is set to false, $1Google Chrome and Lacros will not allow adding a new person from the user manager.
+
+ Note: If this policy is not configured or set to true, but LacrosSecondaryProfilesAllowed is set to false, Lacros will not allow adding a new person from the user manager.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Allow adding new profiles
+ value: true
+- caption: Disallow adding new profiles
+ value: false
+owners:
+- droger@chromium.org
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:39-
+- chrome_os:100-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserContextAwareAccessSignalsAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserContextAwareAccessSignalsAllowlist.yaml
new file mode 100755
index 000000000..d15f100a0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserContextAwareAccessSignalsAllowlist.yaml
@@ -0,0 +1,31 @@
+caption: Enable the Chrome Enterprise Device Trust Connector attestation flow for a list of URLs on Managed Browsers
+desc: |-
+ Enable Chrome Enterprise Device Trust Connector for a list of URLs.
+
+ Setting this policy specifies for which URLs $1Google Chrome will offer to start the attestation flow for managed browsers. The latter allows those websites to get an attested set of context-aware signals from the device.
+ This policy can only be configured via the Chrome Enterprise Connectors page on the Google Admin console.
+
+ Leaving this policy unset or empty means that no website will be able to start a browser-level attestation flow and get signals from the device. However if the corresponding
+ UserContextAwareAccessSignalsAllowlist policy is enabled then the attestation flow can be started for the managed profile and device signals can be collected.
+
+ For detailed information on valid URL patterns, please see https://support.google.com/chrome/a?p=url_blocklist_filter_format.
+example_value:
+- https://example1.com
+- example2.com
+- https://foo.example3.com/path
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: false
+supported_on:
+- chrome.*:116-
+owners:
+- hmare@google.com
+- seblalancette@chromium.org
+- cbe-device-trust-eng@google.com
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
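Review bot: The second `example_value` entry, `example2.com`, has no scheme, and under the URL filter format linked in the description a scheme-less pattern presumably matches `http://` as well as `https://` (to be confirmed against that format). This allowlist decides which sites may start the attestation flow and receive device signals, so the example would be better pinned to HTTPS: `- https://example2.com`. The description could also add one sentence advising that entries be kept as narrow as possible, since every matching URL can request signals.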
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserGuestModeEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserGuestModeEnabled.yaml
new file mode 100755
index 000000000..5150fd4bf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserGuestModeEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Enable guest mode in browser
+desc: |-
+ If this policy is set to true or not configured, $1Google Chrome and Lacros will enable guest logins. Guest logins are $1Google Chrome profiles where all windows are in incognito mode.
+
+ If this policy is set to false, $1Google Chrome and Lacros will not allow guest profiles to be started.
+
+ Note: If this policy is not configured or set to true, but LacrosSecondaryProfilesAllowed is set to false, Lacros will not allow guest profiles to be started.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Allow guest browser logins
+ value: true
+- caption: Prevent guest browser logins
+ value: false
+owners:
+- mlerman@chromium.org
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:38-
+- chrome_os:100-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserGuestModeEnforced.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserGuestModeEnforced.yaml
new file mode 100755
index 000000000..45fda02ff
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserGuestModeEnforced.yaml
@@ -0,0 +1,25 @@
+caption: Enforce browser guest mode
+desc: |-
+ Setting the policy to Enabled means $1Google Chrome enforces guest sessions and prevents profile sign-ins. Guest sign-ins are $1Google Chrome profiles where windows are in Incognito mode.
+
+ Setting the policy to Disabled, leaving it unset, or disabling browser Guest mode (through BrowserGuestModeEnabled) allows the use of new and existing profiles.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Only allow guest browser logins
+ value: true
+- caption: Allow guest browser logins and profile logins
+ value: false
+owners:
+- mlerman@chromium.org
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:77-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserLabsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserLabsEnabled.yaml
new file mode 100755
index 000000000..be6609eb5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserLabsEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Browser experiments icon in toolbar
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving the policy unset means that users can access browser experimental features through an icon in the toolbar
+
+ Setting the policy to Disabled removes the browser experimental features icon from the toolbar.
+
+ chrome://flags and any other means of turning off and on browser features will still behave as expected regardless of whether this policy is Enabled or Disabled.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable browser experimental features toolbar entrypoint
+ value: true
+- caption: Disable browser experimental features toolbar entrypoint
+ value: false
+owners:
+- elainechien@chromium.org
+- labs-on-chrome@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:89-
+- chrome_os:93-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserLegacyExtensionPointsBlocked.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserLegacyExtensionPointsBlocked.yaml
new file mode 100755
index 000000000..7b6814fe0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserLegacyExtensionPointsBlocked.yaml
@@ -0,0 +1,27 @@
+caption: Block Browser Legacy Extension Points
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset will permit $1Google Chrome to apply the additional extension point security mitigation to block legacy extension points in the Browser process.
+
+ Setting the policy to Disabled has a detrimental effect on $1Google Chrome's security and stability as unknown and potentially hostile code can load inside $1Google Chrome's browser process. Only turn off the policy if there are compatibility issues with third-party software that must run inside $1Google Chrome's browser process.
+
+ Note: Read more about Process mitigation policies ( https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md#Process-mitigation-policies ).
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Block legacy extension points in the Browser process
+ value: true
+- caption: Do not block legacy extension points in the Browser process
+ value: false
+owners:
+- wfh@chromium.org
+- ssmole@microsoft.com
+schema:
+ type: boolean
+supported_on:
+- chrome.win:95-
+tags:
+- system-security
+type: main
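Review bot: `example_value: false` in this definition is the very setting the description calls detrimental to security and stability, because it lets unknown and potentially hostile code load inside the browser process. Example values are likely to be reused in generated templates and admin documentation, so the sample would be safer as `example_value: true`, matching `default: true`. If the example deliberately differs from the default, a YAML comment above it saying so would prevent it being read as a recommendation.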
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserNetworkTimeQueriesEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserNetworkTimeQueriesEnabled.yaml
new file mode 100755
index 000000000..f5344ba11
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserNetworkTimeQueriesEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Allow queries to a Google time service
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset means $1Google Chrome send occasional queries to a Google server to retrieve an accurate timestamp.
+
+ Setting the policy to Disabled stops $1Google Chrome from sending these queries.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow queries to a Google server to retrieve an accurate timestamp
+ value: true
+- caption: Do not allow queries to Google servers to retrieve timestamps
+ value: false
+owners:
+- estark@chromium.org
+- mab@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:60-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserSignin.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserSignin.yaml
new file mode 100755
index 000000000..c4cb769a3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserSignin.yaml
@@ -0,0 +1,46 @@
+caption: Browser sign in settings
+desc: |-
+ This policy controls the sign-in behavior of the browser. It allows you to specify if the user can sign in to $1Google Chrome with their account and use account related services like $1Google Chrome Sync.
+
+ If the policy is set to "Disable browser sign-in" then the user cannot sign in to the browser and use account-based services. In this case browser-level features like $1Google Chrome Sync cannot be used and will be unavailable. On iOS, if the user was signed in and the policy is set to "Disabled" they will be signed out immediately. On other platforms, they will be signed out the next time they run $1Google Chrome. On all platforms, their local profile data like bookmarks, passwords etc. will be preserved and still usable. The user will still be able to sign into and use Google web services like Gmail.
+
+ If the policy is set to "Enable browser sign-in," then the user is allowed to sign in to the browser. On all platforms except iOS, the user is automatically signed in to the browser when signed in to Google web services like Gmail. Being signed in to the browser means the user's account information will be kept by the browser. However, it does not mean that $1Google Chrome Sync will be turned on by default; the user must separately opt-in to use this feature. Enabling this policy will prevent the user from turning off the setting that allows browser sign-in. To control the availability of $1Google Chrome Sync, use the SyncDisabled policy.
+
+ If the policy is set to "Force browser sign-in" the user is presented with an account selection dialog and has to choose and sign in to an account to use the browser. This ensures that for managed accounts the policies associated with the account are applied and enforced. The default value of BrowserGuestModeEnabled will be set to disabled. Note that existing unsigned profiles will be locked and inaccessible after enabling this policy. For more information, see help center article: https://support.google.com/chrome/a/answer/7572556 . This option is not supported on Linux nor Android, where it will fall back to "Enable browser sign-in" if used.
+
+ If this policy is not set then the user can decide if they want to enable browser sign-in in the $1Google Chrome settings and use it as they see fit.
+example_value: 2
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Disable browser sign-in
+ name: Disable
+ value: 0
+- caption: Enable browser sign-in
+ name: Enable
+ value: 1
+- caption: Force users to sign-in to use the browser
+ name: Force
+ supported_on:
+ - chrome.win:70-
+ - chrome.mac:70-
+ - ios:97-
+ value: 2
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:70-
+- android:70-
+- ios:90-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserThemeColor.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserThemeColor.yaml
new file mode 100755
index 000000000..cf63df68f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowserThemeColor.yaml
@@ -0,0 +1,25 @@
+caption: Configure the color of the browser's theme
+default: null
+desc: |-
+ This policy allows admins to configure the color of $1Google Chrome's theme. The input string should be a valid hex color string matching the format "#RRGGBB".
+
+ Setting the policy to a valid hex color causes a theme based on that color to be automatically generated and applied to the browser. Users won't be able to change the theme set by the policy.
+
+ Leaving the policy unset lets users change their browser's theme as preferred.
+example_value: '#FFFFFF'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- igorruvinov@google.com
+- ydago@google.com
+- pastarmovj@google.com
+schema:
+ description: Hex color which will be used to generate and apply a theme to the browser.
+ type: string
+supported_on:
+- chrome.*:91-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowsingDataLifetime.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowsingDataLifetime.yaml
new file mode 100755
index 000000000..febd649bb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BrowsingDataLifetime.yaml
@@ -0,0 +1,56 @@
+caption: Browsing Data Lifetime Settings
+desc: |-
+ Configures browsing data lifetime settings for $1Google Chrome. This policy allows admins to configure (per data-type) when data is deleted by the browser. This is useful for customers that work with sensitive customer data.
+
+ Warning: Setting this policy can impact and permanently remove local personal data. It is recommended to test your settings before deploying to prevent accidental deletion of personal data.
+
+ The available data types are 'browsing_history', 'download_history', 'cookies_and_other_site_data', 'cached_images_and_files', 'password_signin', 'autofill', 'site_settings' and 'hosted_app_data'. 'download_history' and 'hosted_app_data' are not supported on Android.
+
+ The browser will automatically remove data of selected types that is older than 'time_to_live_in_hours'. The minimum value that can be set is 1 hour.
+
+ The deletion of expired data will happen 15 seconds after the browser starts then every 30 minutes while the browser is running.
+
+ Until Chrome 114, this policy required the SyncDisabled policy to be set to true. Starting Chrome 115, setting this policy will disable sync for the respective data types if neither `Chrome Sync` is disabled by setting the SyncDisabled policy nor BrowserSignin is disabled.
+example_value:
+- data_types:
+ - browsing_history
+ time_to_live_in_hours: 24
+- data_types:
+ - password_signin
+ - autofill
+ time_to_live_in_hours: 12
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- ydago@chromium.org
+- pastarmovj@chromium.org
+schema:
+ items:
+ properties:
+ data_types:
+ items:
+ enum:
+ - browsing_history
+ - download_history
+ - cookies_and_other_site_data
+ - cached_images_and_files
+ - password_signin
+ - autofill
+ - site_settings
+ - hosted_app_data
+ type: string
+ type: array
+ time_to_live_in_hours:
+ minimum: 1
+ type: integer
+ type: object
+ type: array
+supported_on:
+- chrome.*:89-
+- chrome_os:89-
+- android:96-
+tags: []
+type: dict
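Review bot: The item schema lists `data_types` and `time_to_live_in_hours` under `properties` but, as far as these lines show, declares no `required` list, so an entry missing either key would still validate. For a policy that permanently removes local data, the description should say how such an incomplete entry is treated. Alternatively the item schema could add `required: [data_types, time_to_live_in_hours]`. The indentation of this hunk is flattened on the page, so the exact nesting should be checked before applying the change.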
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BuiltInDnsClientEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BuiltInDnsClientEnabled.yaml
new file mode 100755
index 000000000..311062428
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BuiltInDnsClientEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Use built-in DNS client
+default: null
+desc: |-
+ This policy controls which software stack is used to communicate with the DNS server: the Operating System DNS client, or $1Google Chrome's built-in DNS client. This policy does not affect which DNS servers are used: if, for example, the operating system is configured to use an enterprise DNS server, that same server would be used by the built-in DNS client. It also does not control if DNS-over-HTTPS is used; $1Google Chrome will always use the built-in resolver for DNS-over-HTTPS requests. Please see the DnsOverHttpsMode policy for information on controlling DNS-over-HTTPS.
+
+ If this policy is set to Enabled or is left unset, the built-in DNS client will be used.
+
+ If this policy is set to Disabled, the built-in DNS client will only be used when DNS-over-HTTPS is in use.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Always use the built-in DNS client
+ value: true
+- caption: Never use the built-in DNS client
+ value: false
+- caption: Always use the built-in DNS client
+ value: null
+owners:
+- ericorth@chromium.org
+schema:
+ type: boolean
+supported_on:
+- android:73-
+- chrome.*:25-
+- chrome_os:73-
+tags: []
+type: main
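Review bot: The `false` item caption, `Never use the built-in DNS client`, contradicts the description, which states that with the policy Disabled the built-in client is still used when DNS-over-HTTPS is in use. An administrator who disables the policy expecting all resolution to go through the operating system resolver, for example for logging or filtering, would be misled. A more accurate caption is `Use the built-in DNS client only for DNS-over-HTTPS`. The `null` item repeats the `true` caption verbatim; `Use the built-in DNS client (default)` would tell the two apart.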
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BuiltinCertificateVerifierEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BuiltinCertificateVerifierEnabled.yaml
new file mode 100755
index 000000000..01a64e4d1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/BuiltinCertificateVerifierEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Determines whether the built-in certificate verifier will be used to verify
+ server certificates
+default: null
+deprecated: true
+desc: |-
+ This policy is no longer supported, however the related policy ChromeRootStoreEnabled may be supported on certain platforms.
+
+ When this setting is enabled, $1Google Chrome will perform verification of server certificates using the built-in certificate verifier.
+ When this setting is disabled, $1Google Chrome will perform verification of server certificates using the legacy certificate verifier provided by the platform, unless ChromeRootStoreEnabled is enabled.
+ When this setting is not set, the built-in or the legacy certificate verifier may be used.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Use the built-in certificate verifier
+ value: true
+- caption: Use the legacy platform certificate verifier
+ value: false
+- caption: Use any certificate verifier
+ value: null
+owners:
+- file://components/policy/OWNERS
+- miersh@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:77-83
+- chrome.linux:79-83
+- chrome.mac:83-106
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CCTToSDialogEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CCTToSDialogEnabled.yaml
new file mode 100755
index 000000000..e7a94d0a9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CCTToSDialogEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Enable ToS during first-run for CCT
+deprecated: true
+desc: |-
+ This policy is deprecated, please use the ToSDialogBehavior policy instead.
+
+ By default the Terms of Service are shown when CCT is first-run. Setting this policy to Disabled will cause the Terms of Service dialog to not appear during the first-run-experience or subsequent runs. Setting this policy to Enabled or leaving it unset will cause the Terms of Service dialog to appear during the first-run-experience. The other caveats are:
+
+ - This policy only works on fully managed Android devices that can be configured by Unified Endpoint Management vendors.
+
+ - If this policy is Disabled the BrowserSignin policy will have no effect.
+
+ - If this policy is Disabled metrics will not be sent to the server.
+
+ - If this policy is Disabled the browser will have limited functionality.
+
+ - If this policy is Disabled admins must communicate this to end users of the device.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+ platform_only: true
+owners:
+- skym@chromium.org
+- wenyufu@chromium.org
+- twellington@chromium.org
+schema:
+ type: boolean
+supported_on:
+- android:86-86
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CECPQ2Enabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CECPQ2Enabled.yaml
new file mode 100755
index 000000000..6c7f4ba05
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CECPQ2Enabled.yaml
@@ -0,0 +1,31 @@
+caption: CECPQ2 post-quantum key-agreement enabled for TLS
+deprecated: true
+default: true
+desc: |-
+ This policy was removed in M114. It served to disable CECPQ2, but CECPQ2 has been disabled by default. A separate policy will be introduced to control the rollout of the replacement of CECPQ2. That replacement will be a combination of the standard key-agreement X25519 with NIST's chosen post-quantum KEM, called "Kyber".
+
+ If this policy is not configured, or is set to enabled, then $1Google Chrome will follow the default rollout process for CECPQ2, a post-quantum key-agreement algorithm in TLS.
+
+ CECPQ2 results in larger TLS messages which, in very rare cases, can trigger bugs in some networking hardware. This policy can be set to False to disable CECPQ2 while networking issues are resolved.
+
+ This policy is a temporary measure and will be removed in future versions of $1Google Chrome.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable default CECPQ2 rollout process
+ value: true
+- caption: Disable CECPQ2
+ value: false
+owners:
+- file://crypto/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:91-113
+- chrome_os:91-113
+- android:91-113
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CORSNonWildcardRequestHeadersSupport.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CORSNonWildcardRequestHeadersSupport.yaml
new file mode 100755
index 000000000..01aabd305
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CORSNonWildcardRequestHeadersSupport.yaml
@@ -0,0 +1,33 @@
+caption: CORS non-wildcard request headers support
+default: true
+desc: |-
+ Configures support of CORS non-wildcard request headers.
+
+ $1Google Chrome version 97 introduces support for CORS non-wildcard request headers. When scripts make a cross-origin network request via fetch() and XMLHttpRequest with a script-added Authorization header, the header must be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response. "Explicitly" here means that the wild card symbol "*" doesn't cover the Authorization header. See https://chromestatus.com/feature/5742041264816128 for more detail.
+
+ If this policy is not set, or set to True, $1Google Chrome will support the CORS non-wildcard request headers and behave as described above.
+
+ When this policy is set to False, chrome will allow the wildcard symbol ("*") in the Access-Control-Allow-Headers header in the CORS preflight response to cover the Authorization header.
+
+ This Enterprise policy is temporary; it's intended to be removed in the future.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Support CORS non-wildcard request headers.
+ value: true
+- caption: Do not support CORS non-wildcard request headers.
+ value: false
+owners:
+- yhirano@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:97-
+- chrome_os:97-
+- android:97-
+tags: []
+type: main
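Review bot: The `desc` never states that setting this policy to False relaxes a protection: with False, a `*` in Access-Control-Allow-Headers again covers a script-added Authorization header, so servers that answer preflights with a wildcard accept that header without having listed it. I would add a sentence to the False paragraph such as `Disabling this weakens the CORS check for the Authorization header and should only be used while affected servers are being fixed.` The file also ships `tags: []`, while other policies in this patch that loosen a security control carry `system-security`. The same empty tag list appears in CaptivePortalAuthenticationIgnoresProxy.yaml and ChromeVariations.yaml, so it is worth checking whether that is intended. Minor: the False paragraph says "chrome" where the rest of the text uses the `$1Google Chrome` placeholder.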
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CSSCustomStateDeprecatedSyntaxEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CSSCustomStateDeprecatedSyntaxEnabled.yaml
new file mode 100755
index 000000000..9e1871cb7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CSSCustomStateDeprecatedSyntaxEnabled.yaml
@@ -0,0 +1,36 @@
+caption: Controls whether the deprecated :--foo syntax for CSS custom state is enabled
+desc: |2-
+ The :--foo syntax for the CSS custom state feature is being changed to :state(foo) in $1Google Chrome in order to comply with changes that have been made in Firefox and Safari. This policy allows the old deprecated syntax to be enabled until M133.
+
+ The deprecation may break some $1Google Chrome-only websites which use the deprecated :--foo syntax.
+
+ If this policy is enabled, then the old deprecated syntax will be enabled.
+
+ If this policy is disabled, then the old deprecated syntax will be disabled.
+
+ If this policy is not set, then the old deprecated syntax will be disabled.
+default: false
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Old deprecated syntax will be enabled.
+ value: true
+- caption: Old deprecated syntax will be disabled.
+ value: false
+owners:
+- jarhar@chromium.org
+- masonf@chromium.org
+- dom-dev@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:127-
+- chrome_os:127-
+- android:127-
+- webview_android:127-
+tags: []
+type: main
+deprecated: false
+device_only: false
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CaptivePortalAuthenticationIgnoresProxy.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CaptivePortalAuthenticationIgnoresProxy.yaml
new file mode 100755
index 000000000..6fece9685
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CaptivePortalAuthenticationIgnoresProxy.yaml
@@ -0,0 +1,25 @@
+caption: Captive portal authentication ignores proxy
+default_for_enterprise_users: false
+desc: |-
+ Setting the policy to Enabled lets $2Google ChromeOS bypass any proxy for captive portal authentication. These authentication webpages, starting from the captive portal sign-in page until Chrome detects a successful internet connection, open in a separate window, ignoring all policy settings and restrictions for the current user. This policy only takes effect if a proxy is set up (by policy, extension, or the user in chrome://settings).
+
+ Setting the policy to Disabled or leaving it unset means any captive portal authentication pages are shown in a (regular) new browser tab, using the current user's proxy settings.
+example_value: true
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow captive portal authentication to ignore proxy settings
+ value: true
+- caption: Prevent captive portal authentication from ignoring proxy settings
+ value: false
+owners:
+- ultrotter@google.com
+- rsorokin@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:41-
+tags: []
+type: main
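Review bot: The `true` item caption, `Allow captive portal authentication to ignore proxy settings`, understates what the description says: the sign-in window opens "ignoring all policy settings and restrictions for the current user", not only the proxy. An administrator who reads only the caption would not expect URL filtering or other user policies to be inactive in that window. I would align the caption with the text, e.g. `Open captive portal authentication in a separate window that ignores proxy and user policy settings`. The description could also say explicitly what happens to that window once a successful connection is detected.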
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CertificateTransparencyEnforcementDisabledForCas.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CertificateTransparencyEnforcementDisabledForCas.yaml
new file mode 100755
index 000000000..13d0ccbf6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CertificateTransparencyEnforcementDisabledForCas.yaml
@@ -0,0 +1,36 @@
+caption: Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo
+ hashes
+desc: |-
+ Setting the policy turns off enforcement of Certificate Transparency disclosure requirements for a list of subjectPublicKeyInfo hashes. Enterprise hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed). To turn off enforcement, the hash must meet one of these conditions:
+
+ * It's of the server certificate's subjectPublicKeyInfo.
+
+ * It's of a subjectPublicKeyInfo that appears in a Certificate Authority (CA) certificate in the certificate chain. That CA certificate is constrained through the X.509v3 nameConstraints extension, one or more directoryName nameConstraints are present in the permittedSubtrees, and the directoryName has an organizationName attribute.
+
+ * It's of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, the CA certificate has one or more organizationName attributes in the certificate Subject, and the server's certificate has the same number of organizationName attributes, in the same order, and with byte-for-byte identical values.
+
+ Specify a subjectPublicKeyInfo hash by linking the hash algorithm name, a slash, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. Base64 encoding format matches that of an SPKI Fingerprint. The only recognized hash algorithm is sha256; others are ignored.
+
+ Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then $1Google Chrome doesn't trust those certificates.
+example_value:
+- sha256/AAAAAAAAAAAAAAAAAAAAAA==
+- sha256//////////////////////w==
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/certificate_transparency/OWNERS
+- rsleevi@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:67-
+- chrome_os:67-
+- android:67-
+tags:
+- system-security
+type: list
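Review bot: Both `example_value` entries decode to 16 bytes, but the description says the only recognized algorithm is sha256, whose digest is 32 bytes (44 Base64 characters), so the examples do not show the shape of a valid entry. A clearly constructed placeholder of the right length, e.g. `sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=`, would let an administrator sanity-check what they paste. The description says unrecognized algorithms are ignored but not what happens to a malformed or wrong-length hash. A sentence on that would help, because an entry that is silently dropped is hard to tell apart from one that took effect. The same example values are used in CertificateTransparencyEnforcementDisabledForLegacyCas.yaml.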
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CertificateTransparencyEnforcementDisabledForLegacyCas.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CertificateTransparencyEnforcementDisabledForLegacyCas.yaml
new file mode 100755
index 000000000..03e03d536
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CertificateTransparencyEnforcementDisabledForLegacyCas.yaml
@@ -0,0 +1,31 @@
+caption: Disable Certificate Transparency enforcement for a list of Legacy Certificate
+ Authorities
+desc: |-
+ Setting the policy turns off enforcement of Certificate Transparency disclosure requirements for a list of Legacy Certificate Authorities (CA) for certificate chains with a specified subjectPublicKeyInfo hash. Enterprise hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed). To turn off enforcement, the subjectPublicKeyInfo hash must appear in a CA certificate recognized as a Legacy CA. A Legacy CA is publicly trusted by one or more operating systems supported by $1Google Chrome, but not Android Open Source Project or $2Google ChromeOS.
+
+ Specify a subjectPublicKeyInfo hash by linking the hash algorithm name, a slash and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. Base64 encoding format matches that of an SPKI Fingerprint. The only recognized hash algorithm is sha256; others are ignored.
+
+ Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then $1Google Chrome doesn't trust those certificates.
+
+ This policy was removed in $1Google Chrome version 128.
+example_value:
+- sha256/AAAAAAAAAAAAAAAAAAAAAA==
+- sha256//////////////////////w==
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/certificate_transparency/OWNERS
+- rsleevi@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+deprecated: true
+supported_on:
+- chrome.*:67-127
+- chrome_os:67-127
+- android:67-127
+tags:
+- system-security
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CertificateTransparencyEnforcementDisabledForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CertificateTransparencyEnforcementDisabledForUrls.yaml
new file mode 100755
index 000000000..4a6070762
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CertificateTransparencyEnforcementDisabledForUrls.yaml
@@ -0,0 +1,29 @@
+caption: Disable Certificate Transparency enforcement for a list of URLs
+desc: |-
+ Setting the policy turns off Certificate Transparency disclosure requirements for the hostnames in the specified URLs. While making it harder to detect misissued certificates, hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed).
+
+ Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then $1Google Chrome doesn't trust those certificates.
+
+ A URL pattern follows this format ( https://support.google.com/chrome/a?p=url_blocklist_filter_format ). However, because the validity of certificates for a given hostname is independent of the scheme, port, or path, $1Google Chrome only considers the hostname portion of the URL. Wildcard hosts aren't supported.
+example_value:
+- example.com
+- .example.com
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- file://components/certificate_transparency/OWNERS
+- rsleevi@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:53-
+- chrome_os:53-
+- android:53-
+tags:
+- system-security
+type: list
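Review bot: The description says only the hostname is considered and that wildcard hosts aren't supported, but it does not say how subdomains are treated, and the two `example_value` entries (`example.com` and `.example.com`) differ only by a leading dot with no explanation. In the linked URL filter format a leading dot, as far as I know, restricts the match to the exact host while a bare host also matches its subdomains; if that applies here, `example.com` turns off Certificate Transparency enforcement for every subdomain as well. Since this policy makes misissued certificates harder to detect, I would state the matching rule in the text, for example `A leading "." restricts the entry to the exact hostname; without it, subdomains are matched too.`, after confirming it against the implementation.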
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeAppsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeAppsEnabled.yaml
new file mode 100755
index 000000000..af5f06d2f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeAppsEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Extend support for Chrome Apps on Microsoft® Windows®,
+ macOS, and Linux.
+default: false
+deprecated: true
+desc: |-
+ Chrome Apps are deprecated on Microsoft® Windows®, macOS, and Linux.
+ If this policy is enabled, $1Google Chrome will continue to allow Chrome Apps to be run on these platforms until the final date when Chrome Apps support is removed on all platforms, June 2022.
+ If this policy is disabled or unset, Chrome Apps may not be allowed to run, depending on the status of the deprecation rollout.
+ In either case, Chrome Apps that are force installed by policy will continue to be allowed.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Chrome Apps will be allowed to run on these platforms.
+ value: true
+- caption: Chrome Apps may not be allowed to run, depending on the status of the deprecation
+ rollout.
+ value: false
+owners:
+- mattm@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:104-113
+- chrome.mac:104-113
+- chrome.linux:104-113
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeCleanupEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeCleanupEnabled.yaml
new file mode 100755
index 000000000..0437305c8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeCleanupEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Enable Chrome Cleanup on Windows
+default: true
+deprecated: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset means Chrome Cleanup periodically scans the system for unwanted software and should any be found, will ask the user if they wish to remove it. Manually triggering Chrome Cleanup from chrome://settings is allowed.
+
+ Setting the policy to Disabled means Chrome Cleanup won't periodically scan and manual triggering is disabled.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Allow Chrome Cleanup to periodically scan the system and allow manual scans
+ value: true
+- caption: Prevent Chrome Cleanup from periodically scanning the system and disable
+ manual scans
+ value: false
+owners:
+- proberge@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:68-118
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeCleanupReportingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeCleanupReportingEnabled.yaml
new file mode 100755
index 000000000..24c979e29
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeCleanupReportingEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Control how Chrome Cleanup reports data to Google
+default: null
+deprecated: true
+desc: |-
+ Setting the policy to Enabled means if Chrome Cleanup detects unwanted software, it may, in line with policy set by SafeBrowsingExtendedReportingEnabled, report about the scan to Google. Chrome Cleanup asks users if they want the cleanup. It sends results to Google.
+
+ Setting the policy to Disabled means if Chrome Cleanup detects unwanted software, it won't report about the scan to Google, regardless of the value of SafeBrowsingExtendedReportingEnabled. Chrome Cleanup asks users if they want the cleanup. The results aren't reported to Google.
+
+ Leaving the policy unset means Chrome Cleanup may, in line with policy set by SafeBrowsingExtendedReportingEnabled, report about scans for detecting unwanted software to Google. Chrome Cleanup asks users if they want the cleanup and to share the results with Google to help with future unwanted software detection. These results have file metadata, automatically installed extensions, and registry keys, as described by the Chrome Privacy Whitepaper.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Results from a Chrome Cleanup cleanup are always shared with Google
+ value: true
+- caption: Results from a Chrome Cleanup cleanup are never shared with Google
+ value: false
+- caption: Users may choose to share results from a Chrome Cleanup cleanup with Google
+ value: null
+owners:
+- proberge@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:68-118
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeDataRegionSetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeDataRegionSetting.yaml
new file mode 100755
index 000000000..2f98e5b6b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeDataRegionSetting.yaml
@@ -0,0 +1,41 @@
+caption: Set the data regions preference for data storage
+desc: |-
+ Choose to store your covered data from $1Google Chrome in a specific geographic location.
+
+ If this policy is left unset or is set to No preference (value 0), covered data may be stored in any geographic location(s).
+
+ If this policy is set to United States (value 1), covered data will be stored in United States.
+
+ If this policy is set to Europe (value 2), covered data will be stored in Europe.
+default: 0
+example_value: 0
+features:
+ cloud_only: true
+ dynamic_refresh: false
+ per_profile: true
+ unlisted: true
+ user_only: true
+items:
+- caption: No preference.
+ name: NoPreference
+ value: 0
+- caption: United States.
+ name: UnitedStates
+ value: 1
+- caption: Europe.
+ name: Europe
+ value: 2
+owners:
+- alexwchen@chromium.org
+- file://chrome/browser/enterprise/OWNERS
+schema:
+ type: integer
+ enum:
+ - 0
+ - 1
+ - 2
+future_on:
+- chrome.*
+- chrome_os
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeForTestingAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeForTestingAllowed.yaml
new file mode 100755
index 000000000..d379075e6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeForTestingAllowed.yaml
@@ -0,0 +1,26 @@
+caption: Allow Chrome for Testing
+default: true
+desc: |-
+ Controls whether users may use Chrome for Testing.
+
+ If this policy is set to Enabled or not set, users may install and run Chrome for Testing.
+
+ If this policy is set to Disabled, users are not allowed to run Chrome for Testing. Users will still be able to install Chrome for Testing, however it will not run with the profiles where this policy is set to Disabled.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Allow use of the Chrome for Testing
+ value: true
+- caption: Do not allow use of the Chrome for Testing
+ value: false
+owners:
+- file://components/policy/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:123-
+- android:128-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeOsLockOnIdleSuspend.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeOsLockOnIdleSuspend.yaml
new file mode 100755
index 000000000..119f036de
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeOsLockOnIdleSuspend.yaml
@@ -0,0 +1,38 @@
+caption: Enable lock when the device suspends or the lid is closed
+default: null
+desc: |-
+ Setting the policy to Enabled means $2Google ChromeOS asks users for a password to unlock the device when it suspends or the lid is closed.
+
+ Devices will lock when the lid is closed except if they are docked (using an external monitor). In such a case, the device will not lock when the lid closes, but will lock if the external monitor is removed and the lid is still closed.
+
+ Until $2Google ChromeOS M106, this policy would only lock the device when it suspends. From M106 onwards, this policy will lock the device when it suspends or the lid is closed.
+
+ By setting this policy to Enabled, and LidCloseAction to LidCloseActionDoNothing, a device will lock when the lid is closed, but will only suspend if and when configured to do so in PowerManagementIdleSettings.
+
+ Note that if this policy is set to Enabled and AllowScreenLock is set to Disabled, the device cannot be locked and the user will be logged out instead.
+
+ Setting the policy to Disabled means users are not asked for a password to unlock the device.
+
+ Leaving the policy unset lets the user choose whether to be prompted for a password to unlock the device.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Lock the device when it suspends or the lid is closed
+ value: true
+- caption: Do not lock the device when it suspends or the lid is closed
+ value: false
+- caption: Allow users to decide whether the device should lock when it suspends or
+ the lid is closed
+ value: null
+owners:
+- xiyuan@chromium.org
+- chromeos-power@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:9-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeOsMultiProfileUserBehavior.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeOsMultiProfileUserBehavior.yaml
new file mode 100755
index 000000000..0eeaadacb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeOsMultiProfileUserBehavior.yaml
@@ -0,0 +1,49 @@
+arc_support: When multiple users are logged in, only the primary user can use Android
+ apps.
+caption: Control the user behavior in a multiprofile session
+default_for_enterprise_users: primary-only
+desc: |-
+ Control the user behavior in a multiprofile session on $2Google ChromeOS devices.
+
+ If this policy is set to 'MultiProfileUserBehaviorUnrestricted', the user can be either primary or secondary user in a multiprofile session.
+
+ If this policy is set to 'MultiProfileUserBehaviorMustBePrimary', the user can only be the primary user in a multiprofile session.
+
+ If this policy is set to 'MultiProfileUserBehaviorNotAllowed', the user cannot be part of a multiprofile session.
+
+ If you set this setting, users cannot change or override it.
+
+ If the setting is changed while the user is signed into a multiprofile session, all users in the session will be checked against their corresponding settings. The session will be closed if any one of the users is no longer allowed to be in the session.
+
+ If the policy is left not set, the default value 'MultiProfileUserBehaviorMustBePrimary' applies for enterprise-managed users and 'MultiProfileUserBehaviorUnrestricted' will be used for non-managed users.
+example_value: unrestricted
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow enterprise user to be both primary and secondary (Default behavior
+ for non-managed users)
+ name: MultiProfileUserBehaviorUnrestricted
+ value: unrestricted
+- caption: Allow enterprise user to be primary multiprofile user only (Default behavior
+ for enterprise-managed users)
+ name: MultiProfileUserBehaviorMustBePrimary
+ value: primary-only
+- caption: Do not allow enterprise user to be part of multiprofile (primary or secondary)
+ name: MultiProfileUserBehaviorNotAllowed
+ value: not-allowed
+owners:
+- xiyuan@chromium.org
+- sinhak@chromium.org
+- rsorokin@chromium.org
+- cros-oac@google.com
+schema:
+ enum:
+ - unrestricted
+ - primary-only
+ - not-allowed
+ type: string
+supported_on:
+- chrome_os:31-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeRootStoreEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeRootStoreEnabled.yaml
new file mode 100755
index 000000000..3660885b3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeRootStoreEnabled.yaml
@@ -0,0 +1,47 @@
+caption: Determines whether the Chrome Root Store and built-in certificate verifier
+ will be used to verify server certificates
+default: null
+deprecated: true
+desc: |-
+ When this policy is set to enabled, $1Google Chrome
+ will perform verification of server certificates using the built-in
+ certificate verifier with the Chrome Root Store as the source of public trust.
+
+ When this policy is set to disabled, $1Google Chrome
+ will use the system certificate verifier and system root certificates.
+
+ When this policy is not set, the Chrome Root Store or system provided roots
+ may be used.
+
+ This policy was removed in $1Google Chrome version 113
+ for Microsoft® Windows® and macOS,
+ $2Google ChromeOS version 120,
+ $1Google Chrome version 120 for
+ Linux, and
+ $1Google Chrome version 121 for
+ Android when support for using the
+ platform supplied certificate verifier and roots was removed.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Use the Chrome Root Store.
+ value: true
+- caption: Do not use the Chrome Root Store.
+ value: false
+- caption: Chrome Root Store may be used depending on feature launch process.
+ value: null
+owners:
+- mattm@chromium.org
+- hchao@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:105-112
+- chrome.mac:105-112
+- android:114-120
+- chrome.linux:114-119
+- chrome_os:114-119
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeVariations.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeVariations.yaml
new file mode 100755
index 000000000..058702fdd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ChromeVariations.yaml
@@ -0,0 +1,42 @@
+caption: Determine the availability of variations
+desc: |-
+ Configuring this policy allows to specify which variations are allowed to be applied in $1Google Chrome.
+
+ Variations provide a means for offering modifications to $1Google Chrome without shipping a new version of the browser by selectively enabling or disabling already existing features. See https://support.google.com/chrome/a?p=Manage_the_Chrome_variations_framework for more information.
+
+ Setting the VariationsEnabled (value 0), or leaving the policy not set allows all variations to be applied to the browser.
+
+ Setting the CriticalFixesOnly (value 1), allows only variations considered critical security or stability fixes to be applied to $1Google Chrome.
+
+ Setting the VariationsDisabled (value 2), prevent all variations from being applied to the browser. Please note that this mode can potentially prevent the $1Google Chrome developers from providing critical security fixes in a timely manner and is thus not recommended.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Enable all variations
+ name: VariationsEnabled
+ value: 0
+- caption: Enable variations concerning critical fixes only
+ name: CriticalFixesOnly
+ value: 1
+- caption: Disable all variations
+ name: VariationsDisabled
+ value: 2
+owners:
+- pastarmovj@chromium.org
+- asvitkine@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- android:112-
+- chrome.*:83-
+- ios:88-
+tags: []
+type: int-enum
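Review bot: The warning that VariationsDisabled can keep critical security fixes from arriving in time exists only in the long `desc`; the item caption is just `Disable all variations`, so a console that lists only the `items` captions may show the option without the caveat. I would carry it into the caption, e.g. `caption: Disable all variations (not recommended)`. Two wording slips in `desc` are worth fixing at the same time: "allows to specify" and "prevent all variations" (should read "prevents").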
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClearBrowsingDataOnExitList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClearBrowsingDataOnExitList.yaml
new file mode 100755
index 000000000..1c040eb3f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClearBrowsingDataOnExitList.yaml
@@ -0,0 +1,73 @@
+caption: Clear Browsing Data on Exit
+desc: |-
+ Configures a list of browsing data types that should be deleted when the user closes all browser windows.
+
+ Warning: Setting this policy can impact and permanently remove local personal data. It is recommended to test your settings before deploying to prevent accidental deletion of personal data.
+
+ The available data types are browsing history (browsing_history), download history (download_history), cookies (cookies_and_other_site_data), cache (cached_images_and_files), autofill (autofill), passwords (password_signin), site settings (site_settings) and hosted apps data (hosted_app_data). This policy does not take precedence over AllowDeletingBrowserHistory.
+
+ Until Chrome 114, this policy required the SyncDisabled policy to be set to true. Starting Chrome 115, setting this policy will disable sync for the respective data types if neither `Chrome Sync` is disabled by setting the SyncDisabled policy nor BrowserSignin is disabled.
+
+ If for some reason the data deletion has started and did not complete, the browsing data will be cleared the next time the profile is loaded.
+
+ If $1Google Chrome does not exit cleanly (for example, if the browser or the OS crashes), the browsing data will not be cleared since the browser closing was not a result of the use closing all the browser windows.
+example_value:
+- browsing_history
+- download_history
+- cookies_and_other_site_data
+- cached_images_and_files
+- password_signin
+- autofill
+- site_settings
+- hosted_app_data
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Browsing history
+ name: browsing_history
+ value: browsing_history
+- caption: Download history
+ name: download_history
+ value: download_history
+- caption: Cookies and other site data
+ name: cookies_and_other_site_data
+ value: cookies_and_other_site_data
+- caption: Cached images and files
+ name: cached_images_and_files
+ value: cached_images_and_files
+- caption: Password signin
+ name: password_signin
+ value: password_signin
+- caption: Autofill
+ name: autofill
+ value: autofill
+- caption: Site settings
+ name: site_settings
+ value: site_settings
+- caption: Hosted apps data
+ name: hosted_app_data
+ value: hosted_app_data
+owners:
+- ydago@chromium.org
+- pastarmovj@chromium.org
+schema:
+ items:
+ enum:
+ - browsing_history
+ - download_history
+ - cookies_and_other_site_data
+ - cached_images_and_files
+ - password_signin
+ - autofill
+ - site_settings
+ - hosted_app_data
+ type: string
+ type: array
+supported_on:
+- chrome.*:89-
+- chrome_os:89-
+tags: []
+type: string-enum-list
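Review bot: The last paragraph of `desc` has a typo in the sentence that carries the main caveat: "the use closing all the browser windows" should read "the user closing all the browser windows". That paragraph says nothing is cleared after a crash or other unclean exit, so on shared machines this policy alone does not guarantee that cookies or saved passwords are gone; it would help to state that consequence directly. The Chrome 115 sentence ("if neither ... nor ...") is hard to parse; something like `Starting in Chrome 115, unless sync is already turned off through SyncDisabled or BrowserSignin, setting this policy disables sync for the listed data types.` reads more plainly.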
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClearSiteDataOnExit.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClearSiteDataOnExit.yaml
new file mode 100755
index 000000000..f7e470e6e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClearSiteDataOnExit.yaml
@@ -0,0 +1,20 @@
+caption: Clear site data on browser shutdown (deprecated)
+deprecated: true
+desc: This policy has been retired as of $1Google Chrome
+ version 29.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+label: Clear site data on browser shutdown (deprecated)
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:11-28
+- chrome_os:11-28
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClickToCallEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClickToCallEnabled.yaml
new file mode 100755
index 000000000..7fb778bb0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClickToCallEnabled.yaml
@@ -0,0 +1,35 @@
+caption: Enable the Click to Call Feature
+default: null
+desc: |-
+ Enable the Click to Call feature which allows users to send phone numbers from Chrome Desktops to an Android device when the user is Signed-in. For more information, see help center article: https://support.google.com/chrome/answer/9430554?hl=en.
+
+ If this policy is set to enabled, the capability of sending phone numbers to Android devices will be enabled for the Chrome user.
+
+ If this policy is set to disabled, the capability of sending phone numbers to Android devices will be disabled for the Chrome user.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the Click to Call feature is enabled by default.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow users to send phone numbers from Chrome to their Android device
+ value: true
+- caption: Do not allow users to send phone numbers from Chrome to their Android device
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- knollr@chromium.org
+- mvanouwerkerk@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:79-
+- chrome_os:79-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClientCertificateManagementAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClientCertificateManagementAllowed.yaml
new file mode 100755
index 000000000..d4477ab7f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ClientCertificateManagementAllowed.yaml
@@ -0,0 +1,33 @@
+caption: Allow users to manage installed client certificates.
+default: 0
+desc: |-
+ Setting the policy to 'All' (value 0) or leaving it unset lets users manage certificates. Setting the policy to 'None' (value 2) means users can only view (not manage) certificates.
+
+ Setting the policy to 'UserOnly' (value 1) lets users manage user certificates, but not device-wide certificates.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow users to manage all certificates
+ name: All
+ value: 0
+- caption: Allow users to manage user certificates
+ name: UserOnly
+ value: 1
+- caption: Disallow users from managing certificates
+ name: None
+ value: 2
+owners:
+- file://components/policy/OWNERS
+- emaxx@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:74-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudManagementEnrollmentMandatory.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudManagementEnrollmentMandatory.yaml
new file mode 100755
index 000000000..ab29654e3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudManagementEnrollmentMandatory.yaml
@@ -0,0 +1,29 @@
+caption: Enable mandatory cloud management enrollment
+desc: |-
+ Setting the policy to Enabled mandates Chrome Browser Cloud Management enrollment and blocks $1Google Chrome launch process if failed.
+
+ Setting the policy to Disabled or leaving it unset renders Chrome Browser Cloud Management optional and doesn't block $1Google Chrome launch process if failed.
+
+ Machine scope cloud policy enrollment on desktop uses this policy. See https://support.google.com/chrome/a/answer/9301891?ref_topic=9301744 for details.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+items:
+- caption: Prevent Chrome from launching if not enrolled into Chrome Browser Cloud
+ Management
+ value: true
+- caption: Allow Chrome to launch if not enrolled into Chrome Browser Cloud Management
+ value: false
+owners:
+- zmin@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:72-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudManagementEnrollmentToken.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudManagementEnrollmentToken.yaml
new file mode 100755
index 000000000..2dc15a019
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudManagementEnrollmentToken.yaml
@@ -0,0 +1,24 @@
+caption: The enrollment token of cloud policy
+desc: |-
+ Setting the policy means $1Google Chrome tries to register itself with Chrome Browser Cloud Management. The value of this policy is an enrollment token you can retrieve from the Google Admin console.
+
+ See https://support.google.com/chrome/a/answer/9301891?ref_topic=9301744 for details.
+example_value: 37185d02-e055-11e7-80c1-9a214cf093ae
+features:
+ dynamic_refresh: false
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+owners:
+- zmin@chromium.org
+- pastarmovj@chromium.org
+- rogerta@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:72-
+- ios:88-
+- android:97-
+tags: []
+type: string
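Review bot: The `desc` gives no handling guidance for the token value, even though by its own text the token is what lets a browser register with the organisation's Chrome Browser Cloud Management. Because `platform_only: true` means the value is set in platform configuration, it is presumably readable by whoever can read that configuration on the machine. I would add a sentence such as `Treat the enrollment token as a credential: limit who can read the platform policy store, and revoke the token in the Google Admin console if it is exposed.` The `example_value` is a realistic-looking UUID, and a comment marking it as a sample would stop it being pasted into a deployment as-is.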
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudPolicyOverridesPlatformPolicy.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudPolicyOverridesPlatformPolicy.yaml
new file mode 100755
index 000000000..a7c7bc9f2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudPolicyOverridesPlatformPolicy.yaml
@@ -0,0 +1,33 @@
+caption: $1Google Chrome cloud policy overrides
+ Platform policy.
+desc: |-
+ Setting the policy to Enabled means cloud policy takes precedence if it conflicts with platform policy.
+
+ Setting the policy to Disabled or leaving it unset means platform policy takes precedence if it conflicts with cloud policy.
+
+ This mandatory policy affects machine scope cloud policies.
+
+ This policy is only available on $1Google Chrome; it has no effect on Google Update.
+example_value: false
+features:
+ dynamic_refresh: true
+ metapolicy_type: precedence
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Cloud machine policies take precedence over platform machine policies
+ value: true
+- caption: Platform machine policies take precedence over cloud machine policies
+ value: false
+owners:
+- zmin@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:75-
+- ios:88-
+- android:97-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudUserPolicyMerge.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudUserPolicyMerge.yaml
new file mode 100755
index 000000000..0f91bc052
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudUserPolicyMerge.yaml
@@ -0,0 +1,33 @@
+caption: Enables merging of user cloud policies into machine-level policies
+default: false
+desc: |-
+ Setting the policy to Enabled allows policies associated with a Google Workspace account to be merged into machine-level policies.
+
+ Only policies originating from secure users can be merged. A secure user is affiliated with the organization that manages their browser using Chrome Browser Cloud Management. All other user-level policies will always be ignored.
+
+ Policies that need to be merged also need to be set in either PolicyListMultipleSourceMergeList or PolicyDictionaryMultipleSourceMergeList. This policy will be ignored if neither of the two aforementioned policies is configured.
+
+ Leaving the policy unset or setting it to Disabled prevents user-level cloud policies from being merged with policies from any other sources.
+example_value: true
+features:
+ dynamic_refresh: true
+ metapolicy_type: merge
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable merging of user-level cloud policies.
+ value: true
+- caption: Disable merging of user-level cloud policies.
+ value: false
+owners:
+- igorruvinov@google.com
+- pastarmovj@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:92-
+- android:97-
+- ios:121-
+tags: []
+type: main
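Review bot: The `owners` entries here use `@google.com` addresses (`igorruvinov@google.com`, `pastarmovj@google.com`), while the same people are listed as `igorruvinov@chromium.org` and `pastarmovj@chromium.org` in CloudUserPolicyOverridesCloudMachinePolicy and other definitions in this directory. Using one form per owner keeps owner lookups across the policy files consistent.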
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudUserPolicyOverridesCloudMachinePolicy.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudUserPolicyOverridesCloudMachinePolicy.yaml
new file mode 100755
index 000000000..3ed298148
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CloudUserPolicyOverridesCloudMachinePolicy.yaml
@@ -0,0 +1,35 @@
+caption: Allow user cloud policies to override Chrome
+ Browser Cloud Management policies.
+default: false
+desc: |-
+ Setting the policy to Enabled allows policies associated with a Google Workspace account to take precedence if they conflict with Chrome Browser Cloud Management policies.
+
+ Only policies originating from secure users can take precedence. A secure user is affiliated with the organization that manages their browser using Chrome Browser Cloud Management. All other user-level policies will have default precedence.
+
+ The policy can be combined with CloudPolicyOverridesPlatformPolicy. If both policies are enabled, user cloud policies will also take precedence over conflicting platform policies.
+
+ Leaving the policy unset or setting it to disabled causes user-level cloud policies to have default priority.
+example_value: false
+features:
+ dynamic_refresh: true
+ metapolicy_type: precedence
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Allow user cloud policies to override machine cloud policies.
+ value: true
+- caption: Prevent user cloud policies from overriding machine cloud policies.
+ value: false
+owners:
+- igorruvinov@chromium.org
+- zmin@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:96-
+- android:97-
+- ios:105-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CoalesceH2ConnectionsWithClientCertificatesForHosts.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CoalesceH2ConnectionsWithClientCertificatesForHosts.yaml
new file mode 100755
index 000000000..d2fb0413a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CoalesceH2ConnectionsWithClientCertificatesForHosts.yaml
@@ -0,0 +1,28 @@
+caption: Allow coalescing of HTTP/2 connections for these hosts even when client certificates
+ are used
+desc: |-
+ This policy allows HTTP/2 connection coalescing when client certificates are in use. In order to coalesce, both the hostname of the potential new connection and the hostname of an existing connection must match one or more patterns described by this policy. The policy is a list of hosts using the URLBlocklist filter format: "example.com" matches "example.com" and all subdomains (e.g. "sub.example.com"), while ".example.net" matches exactly "example.net".
+
+ Coalescing requests to different hosts over connections that use client certificates can create security and privacy issues, as the ambient authority will be conveyed to all requests, even if the user did not explicitly authorize this. This policy is temporary and will be removed in a future release. See https://crbug.com/855690.
+
+ If this policy is left unset, then the default behavior of not allowing any HTTP/2 connection coalescing on connections using client certificates will be used.
+example_value:
+- example.com
+features:
+ dynamic_refresh: true
+ internal_only: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- rsleevi@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:70-
+- android:70-
+- chrome_os:70-
+tags: []
+type: list
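Review bot: The closing `tags: []` leaves untagged a policy that, by its own `desc`, relaxes a security default. The `desc` says coalescing over client-certificate connections conveys the ambient authority to requests the user did not explicitly authorize. CommandLineFlagSecurityWarningsEnabled in the same directory carries `tags:` / `- system-security`, and the same tag here would presumably mark this policy as security-sensitive wherever tags are consumed. The `desc` also calls the policy temporary, yet `supported_on` is open-ended (`70-`) and there is no `deprecated: true`; naming the removal milestone would let deployments plan to drop their host lists. Since a bare `example.com` entry also matches every subdomain, the description could recommend the exact-host form (`.example.net`) to keep the coalescing scope as narrow as possible.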
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CommandLineFlagSecurityWarningsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CommandLineFlagSecurityWarningsEnabled.yaml
new file mode 100755
index 000000000..4bd2e6b7b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CommandLineFlagSecurityWarningsEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Enable security warnings for command-line flags
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset means security warnings appear when potentially dangerous command-line flags are used to launch Chrome.
+
+ Setting the policy to Disabled prevents security warnings from appearing when Chrome is launched with potentially dangerous command-line flags.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Show security warnings when potentially dangerous command-line flags are
+ used
+ value: true
+- caption: Hide security warnings when potentially dangerous command-line flags are
+ used
+ value: false
+owners:
+- proberge@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:76-
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ComponentUpdatesEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ComponentUpdatesEnabled.yaml
new file mode 100755
index 000000000..dec191568
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ComponentUpdatesEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable component updates in $1Google Chrome
+desc: |-
+ Enables component updates for all components in $1Google Chrome when not set or set to enabled.
+
+ If set to disabled, updates to components are disabled. However, some components are exempt from this policy: updates to any component that does not contain executable code and is critical for the security of the browser will not be disabled.
+ Examples of such components include the certificate revocation lists and subresource filters.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Enable updates for all components
+ value: true
+- caption: Disable updates for non-critical components
+ value: false
+owners:
+- file://components/update_client/OWNERS
+- sorin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:54-
+- chrome_os:54-
+- android:105-
+- ios:105-
+tags: []
+type: main
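Review bot: The `false` item caption, `Disable updates for non-critical components`, promises more than the `desc` does. The `desc` exempts only components that contain no executable code and are critical for browser security. By that wording, a component that ships executable code stops updating when the policy is disabled, whether or not it is security-relevant. The caption should mirror the description, e.g. `Disable component updates, except security-critical components without executable code`. Because disabling updates changes the browser's patch posture, the empty `tags: []` is also worth revisiting against the `system-security` tag used on CommandLineFlagSecurityWarningsEnabled.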
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextAwareAccessSignalsAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextAwareAccessSignalsAllowlist.yaml
new file mode 100755
index 000000000..80d689f56
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextAwareAccessSignalsAllowlist.yaml
@@ -0,0 +1,37 @@
+caption: Enable the Chrome Enterprise Device Trust Connector attestation flow for a list of URLs
+deprecated: true
+desc: |-
+ This policy is deprecated and has been split into BrowserContextAwareAccessSignalsAllowlist, UserContextAwareAccessSignalsAllowlist and DeviceLoginScreenContextAwareAccessSignalsAllowlist.
+
+ Enable Chrome Enterprise Device Trust Connector for a list of URLs.
+
+ Setting this policy specifies for which URLs $1Google Chrome will offer to start the attestation flow. The latter allows those websites to get an attested set of context-aware signals from the device.
+
+ Leaving this policy unset or empty means that no website will be able to start the attestation flow nor get signals from the device.
+
+ For $2Google ChromeOS, this policy is related to remote attestation where a certificate is automatically generated and uploaded to the server. For usage of the attestation flow on the device's login screen, please use the DeviceLoginScreenContextAwareAccessSignalsAllowlist policy.
+
+ For detailed information on valid URL patterns, please see https://support.google.com/chrome/a?p=url_blocklist_filter_format.
+example_value:
+- https://example1.com
+- example2.com
+- https://foo.example3.com/path
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- rodmartin@google.com
+- seblalancette@chromium.org
+- cbe-device-trust-eng@google.com
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.win:108-120
+- chrome.linux:108-120
+- chrome.mac:109-120
+- chrome_os:108-120
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextMenuPhotoSharingSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextMenuPhotoSharingSettings.yaml
new file mode 100755
index 000000000..c1ae55875
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextMenuPhotoSharingSettings.yaml
@@ -0,0 +1,32 @@
+caption: Allow saving images directly to Google Photos
+default: 0
+desc: This policy controls whether the user is allowed to save images to Google Photos
+ directly from the context menu.
+
+ Setting the policy to Enabled or leaving it unset allows the user to save images to Google Photos from the context menu.
+ Setting the policy to Disabled prevent users seeing the option in the context menu.
+
+ This policy does not prevent users from saving images to Google Photos using other ways beside the context menu.
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: The context menu will have a menu item to share images to Google Photos.
+ name: Enabled
+ value: 0
+- caption: The context menu will not have a menu item to share images to Google Photos.
+ name: Disabled
+ value: 1
+owners:
+- qpubert@google.com
+- olivierrobin@google.com
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+supported_on:
+- ios:120-
+tags: []
+type: int-enum
\ No newline at end of file
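Review bot: The `desc` here is a plain multi-line scalar rather than the `desc: |-` block used by the neighbouring definitions, so the YAML parser folds its line breaks instead of keeping them as written; switching to `desc: |-` would make it render like the others. The text speaks of setting the policy to Enabled or Disabled although this is an `int-enum` where `Enabled` is `0` and `Disabled` is `1`. Naming the values, as ClientCertificateManagementAllowed does with "'All' (value 0)", would keep an admin from setting `1` in the belief that it turns the feature on. Two wording fixes: `Setting the policy to Disabled prevents users from seeing the option in the context menu.` and `using other ways besides the context menu`. The file also ends without a trailing newline.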
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualGoogleIntegrationsConfiguration.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualGoogleIntegrationsConfiguration.yaml
new file mode 100755
index 000000000..82881ca57
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualGoogleIntegrationsConfiguration.yaml
@@ -0,0 +1,59 @@
+caption: Contextual integrations of Google services on $2Google ChromeOS
+desc: |-
+ Improve productivity by allowing information from Google apps and services to appear on $2Google ChromeOS system surfaces.
+
+ An integration will be displayed if the associated Google service is turned on.
+
+ When ContextualGoogleIntegrationsEnabled is Disabled, all services will be disabled, regardless the settings of this policy.
+
+ When ContextualGoogleIntegrationsEnabled is Enabled or not set, services can be selected by this policy.
+
+ If this policy is left unset, all services will be enabled.
+
+ Otherwise, only selected services will be enabled.
+example_value:
+- GoogleCalendar
+- GoogleClassroom
+- GoogleTasks
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+# `GoogleCalendar` will eventually replace `CalendarIntegrationEnabled` policy.
+- caption: Google Calendar
+ name: GoogleCalendar
+ value: GoogleCalendar
+# `GoogleClassroom` will not be immediately supported.
+- caption: Google Classroom
+ name: GoogleClassroom
+ value: GoogleClassroom
+- caption: Google Tasks
+ name: GoogleTasks
+ value: GoogleTasks
+- caption: Chrome Sync
+ name: ChromeSync
+ value: ChromeSync
+- caption: Google Drive
+ name: GoogleDrive
+ value: GoogleDrive
+- caption: Weather
+ name: Weather
+ value: Weather
+owners:
+- amitrokhin@google.com
+- file://ash/glanceables/OWNERS
+schema:
+ items:
+ enum:
+ - GoogleCalendar
+ - GoogleClassroom
+ - GoogleTasks
+ - ChromeSync
+ - GoogleDrive
+ - Weather
+ type: string
+ type: array
+supported_on:
+- chrome_os:125-
+tags: []
+type: string-enum-list
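Review bot: The inline comment `# GoogleClassroom will not be immediately supported` contradicts what administrators see, because `example_value` lists `GoogleClassroom` and the `desc` never mentions that a selectable value may have no effect yet. Either drop it from `example_value` or add a sentence to the `desc` saying which listed services are not yet honoured. The `desc` also needs a small grammar fix: `regardless of the settings of this policy`.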
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualGoogleIntegrationsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualGoogleIntegrationsEnabled.yaml
new file mode 100755
index 000000000..4f2a04bc5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualGoogleIntegrationsEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Contextual integrations of Google services on $2Google ChromeOS
+default: true
+desc: |-
+ Improve productivity by allowing information from Google apps and services to appear on $2Google ChromeOS system surfaces.
+
+ If this policy is Enabled or left unset, the integrations selected in ContextualGoogleIntegrationsConfiguration are enabled.
+
+ If this policy is Disabled, all integrations are disabled.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow integrations
+ value: true
+- caption: Disable integrations
+ value: false
+owners:
+- amitrokhin@google.com
+- file://ash/glanceables/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:125-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualSearchEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualSearchEnabled.yaml
new file mode 100755
index 000000000..3cca23f86
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualSearchEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Enable Touch to Search
+default: true
+desc: |-
+ Setting the policy to True or leaving it unset makes Touch to Search available to the user, and they can turn the feature on or off.
+
+ Setting the policy to False turns Touch to Search off completely.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow users to use Touch to Search
+ value: true
+- caption: Prevent users from using Touch to Search
+ value: false
+owners:
+- donnd@chromium.org
+- twellington@chromium.org
+schema:
+ type: boolean
+supported_on:
+- android:40-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualSuggestionsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualSuggestionsEnabled.yaml
new file mode 100755
index 000000000..7fe6afe49
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ContextualSuggestionsEnabled.yaml
@@ -0,0 +1,21 @@
+caption: Enable contextual suggestions of related web pages
+deprecated: true
+desc: |-
+ This feature never launched, therefore the policy is deprecated. If this is set to true or unset, $1Google Chrome will suggest pages related to the current page.
+ These suggestions are fetched remotely from Google servers.
+
+ If this setting is set to false, suggestions will not be fetched or displayed.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- android:69-75
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CopyPreventionSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CopyPreventionSettings.yaml
new file mode 100755
index 000000000..641390378
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CopyPreventionSettings.yaml
@@ -0,0 +1,46 @@
+caption: Allows blocking copying to the clipboard on specified URLs
+deprecated: true
+desc: |-
+ This policy is deprecated and will eventually be replaced by DataControlsRules.
+
+ This policy blocks copying data to the clipboard on specific URLs.
+
+ The enable and disable URL lists control which sites are allowed to write to the clipboard. A clipboard write is blocked if the URL matches a pattern in 'enable' and doesn't match a pattern in 'disable'. A copy is not blocked if the URL does not match any pattern.
+
+ The origin matching patterns use a similar format to those for the 'URLBlocklist' policy, which are documented at https://support.google.com/chrome/a?p=url_blocklist_filter_format.
+
+ The minimum_data_size indicates the minimum amount of data in bytes that triggers the pattern check. This means that a clipboard write from a blocked URL would be allowed if the size of the copied data is smaller than the value specified in this field. The default value is 100 bytes if the field is unset.
+example_value:
+ disable:
+ - not-sensitive.example.com
+ enable:
+ - '*'
+ minimum_data_size: 100
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- domfc@chromium.org
+- dpr-eng@google.com
+schema:
+ properties:
+ disable:
+ items:
+ type: string
+ type: array
+ enable:
+ items:
+ type: string
+ type: array
+ minimum_data_size:
+ minimum: 0
+ type: integer
+ type: object
+supported_on:
+- chrome.*:108-
+- chrome_os:108-
+tags: []
+type: dict
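Review bot: The `minimum_data_size` paragraph of the `desc` does not spell out what the 100-byte default means in practice. With `enable: ['*']` and the field unset, any copy shorter than 100 bytes is still allowed, which covers most passwords, tokens and account numbers. The schema permits `minimum: 0`, so the description should add a sentence such as `Set minimum_data_size to 0 to apply the pattern check to every clipboard write.` The `example_value` hard-codes `minimum_data_size: 100`, which only restates the default; showing `0` there, or explaining why 100 was chosen, would make the trade-off visible to administrators.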
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CorsLegacyModeEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CorsLegacyModeEnabled.yaml
new file mode 100755
index 000000000..e9ccef67c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CorsLegacyModeEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Use the legacy CORS implementation rather than new CORS
+deprecated: true
+desc: |-
+ Use the legacy CORS implementation rather than new CORS.
+
+ If this setting is set to True, the legacy implementation is used that should be compatible with previous versions.
+
+ If this setting is set to False, or is not set, the new implementation is used that might cause enterprise specific compatibility issues potentially.
+
+ This policy will be removed after a couple of milestones.
+
+ For details on CORS, visit: https://www.chromestatus.com/feature/5768642492891136.
+
+ Note that this policy was announced to be removed in $1Google Chrome version 82, but removed in version 84.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+owners:
+- toyoshim@chromium.org
+- yhirano@chromium.org
+- kinuko@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:79-83
+- chrome_os:79-83
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CorsMitigationList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CorsMitigationList.yaml
new file mode 100755
index 000000000..bf3487c9c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CorsMitigationList.yaml
@@ -0,0 +1,34 @@
+caption: Enable CORS check mitigations in the new CORS
+ implementation
+deprecated: true
+desc: |-
+ Enable CORS check mitigations in the new CORS implementation, allowing Extensions to keep compatible behavior, and allowing $1Google Chrome to send specified headers without CORS checks.
+
+ If this list is set to empty, $1Google Chrome tries to run Extensions in compatible manners, and does not introduce API changes for $1Google Chrome 79 as explained at https://developer.chrome.com/extensions/webRequest.
+
+ If this list is set to have HTTP request header names, CORS inspection will ignore the listed headers in addition to enable the mitigation for Extensions.
+
+ If this list is not set, both mitigations explained above are not applied.
+
+ For details on CORS, visit: https://www.chromestatus.com/feature/5768642492891136.
+
+ Note that this policy was announced to be removed in $1Google Chrome version 82, but removed in version 84.
+example_value:
+- x-googapps-allowed-domains
+- youtube-restrict
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- toyoshim@chromium.org
+- yhirano@chromium.org
+- kinuko@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:79-83
+- chrome_os:79-83
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CreatePasskeysInICloudKeychain.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CreatePasskeysInICloudKeychain.yaml
new file mode 100755
index 000000000..2949c1048
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CreatePasskeysInICloudKeychain.yaml
@@ -0,0 +1,39 @@
+caption: Control whether passkey creation will default to iCloud Keychain.
+desc: |-
+ $1Google Chrome may direct
+ passkey/WebAuthn creation requests directly to iCloud Keychain on macOS 13.5
+ or later. If iCloud Keychain syncing has not been enabled yet, this will
+ prompt the user to sign in with iCloud, or may prompt them to enable iCloud
+ Keychain syncing.
+
+ If this policy is set to false, iCloud Keychain will not be used by default
+ and the previous behavior (of creating the credential in the $1Google Chrome profile) may be used
+ instead. Users will still be able to select iCloud Keychain as an option, and
+ may still see iCloud Keychain credentials when signing in.
+
+ If this policy is set to "true" then iCloud Keychain will be the default
+ whenever the WebAuthn request is compatible with that choice.
+
+ If this policy is not set then the default depends on factors such as
+ whether iCloud Drive is enabled, and whether the user has recently used or
+ created a credential in their
+ $1Google Chrome profile.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- agl@chromium.org
+- nsatragno@google.com
+schema:
+ type: boolean
+items:
+- caption: Default to creating passkeys in iCloud Keychain when possible.
+ value: true
+- caption: Default to creating passkeys in other stores such as the $1Google Chrome profile.
+ value: false
+tags: []
+supported_on:
+- chrome.mac:118-
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CredentialProviderPromoEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CredentialProviderPromoEnabled.yaml
new file mode 100755
index 000000000..fbedff656
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CredentialProviderPromoEnabled.yaml
@@ -0,0 +1,23 @@
+owners:
+- hiramahmood@google.com
+- file://components/policy/OWNERS
+caption: Allows users to be shown the Credential Provider Extension promo
+desc: |-
+ When the policy is not set or set to Enabled, the Credential Provider Extension promo may be shown to the user.
+ When the policy is set to Disabled, the Credential Provider Extension promo will not be shown to the user.
+supported_on:
+- ios:112-
+features:
+ dynamic_refresh: true
+ per_profile: false
+type: main
+schema:
+ type: boolean
+items:
+- caption: Allow the Credential Provider Extension promo to be displayed
+ value: true
+- caption: Do not allow the Credential Provider Extension promo to be displayed
+ value: false
+default: true
+example_value: false
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CrossOriginWebAssemblyModuleSharingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CrossOriginWebAssemblyModuleSharingEnabled.yaml
new file mode 100755
index 000000000..1086a3af8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/CrossOriginWebAssemblyModuleSharingEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Specifies whether WebAssembly modules can be sent cross-origin
+default: false
+deprecated: true
+desc: |2-
+
+ Specifies whether WebAssembly modules can be sent to another window or worker cross-origin. Cross-origin WebAssembly module sharing will be deprecated as part of the efforts to deprecate document.domain, see https://github.com/mikewest/deprecating-document-domain. This policy allows to re-enable cross-origin WebAssembly module sharing to offer a longer transition period in the deprecation process.
+
+ When set to True, sites can send WebAssembly modules also cross-origin without restrictions.
+
+ When set to False or not set, sites can only send WebAssembly modules to windows and workers in the same origin.
+device_only: false
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Allow WebAssembly modules to be sent cross-origin
+ value: true
+- caption: Prevent WebAssembly modules to be sent cross-origin
+ value: false
+owners:
+- ahaas@chromium.org
+- clamy@chromium.org
+- vahl@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:94-98
+- chrome_os:94-98
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DHEEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DHEEnabled.yaml
new file mode 100755
index 000000000..a48114dbf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DHEEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Enable DHE cipher suites in TLS
+deprecated: true
+desc: |-
+ This policy was removed in M58 after DHE was removed from $1Google Chrome.
+
+ If the policy is not set, or is set to false, then DHE cipher suites in TLS will not be enabled. Otherwise it may be set to true to enable DHE cipher suites and retain compatibility with an outdated server. This is a stopgap measure and the server should be reconfigured.
+
+ Servers are encouraged to migrated to ECDHE cipher suites. If these are unavailable, ensure a cipher suite using RSA key exchange is enabled.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- file://crypto/OWNERS
+- davidben@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:53-57
+- chrome_os:53-57
+- android:53-57
+tags:
+- system-security
+type: main
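Review bot: The last paragraph of `desc` recommends RSA key exchange as the fallback when ECDHE is unavailable, without saying that RSA key exchange provides no forward secrecy. An administrator reading this could treat the two options as equivalent. I would fix the typo and add the caveat: `Servers are encouraged to migrate to ECDHE cipher suites. If these are unavailable, a cipher suite using RSA key exchange can be enabled as a last resort; note that it does not provide forward secrecy.` This is a documentation-only change, since the policy is already marked `deprecated: true`.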
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DNSInterceptionChecksEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DNSInterceptionChecksEnabled.yaml
new file mode 100755
index 000000000..1b90d6ce5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DNSInterceptionChecksEnabled.yaml
@@ -0,0 +1,29 @@
+caption: DNS interception checks enabled
+default: true
+desc: |-
+ This policy configures a local switch that can be used to disable DNS interception checks. The checks attempt to discover whether the browser is behind a proxy that redirects unknown host names.
+
+ This detection may not be necessary in an enterprise environment where the network configuration is known, since it causes some amount of DNS and HTTP traffic on start-up and each DNS configuration change.
+
+ When this policy is not set, or is enabled, the DNS interception checks are performed. When explicitly disabled, they're not.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Perform DNS interception checks
+ value: true
+- caption: Do not perform DNS interception checks
+ value: false
+owners:
+- krb@chromium.org
+- jdonnelly@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:80-
+- chrome_os:80-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataCompressionProxyEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataCompressionProxyEnabled.yaml
new file mode 100755
index 000000000..804a92d78
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataCompressionProxyEnabled.yaml
@@ -0,0 +1,19 @@
+caption: Enable the data compression proxy feature
+deprecated: true
+desc: |-
+ Setting the policy to Enabled allows the data compression proxy. Setting the policy to Disabled disallows the proxy.
+
+ If you set the policy, users can't change it. If unset, users can choose to use the feature.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- bolian@chromium.org
+- acostinas@google.com
+schema:
+ type: boolean
+supported_on:
+- android:31-99
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataControlsRules.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataControlsRules.yaml
new file mode 100755
index 000000000..b25b078f7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataControlsRules.yaml
@@ -0,0 +1,198 @@
+caption: Sets a list of Data Controls rules.
+desc: |-
+ Configures a list of Data Control rules to prevent data leaks.
+
+ Each rule consists of the following:
+ - Condition fields to trigger that rule. A rule will only trigger if a user action matches all the fields populated in its sources, destinations, and, or and not fields. For list sub-fields, only one entry needs to be matched, for example only one URL pattern needs to match to trigger the rule.
+ - A list of restrictions to be applied. Depending on the restriction, only sources or destinations conditions may be available.
+
+ Rules can be added to:
+ - Control the clipboard data shared between the sources and the destinations.
+ - Control blocking screenshots based on the source tabs.
+
+ If OnSecurityEventEnterpriseConnector policy is set to True, triggered rules are reported to the admin.
+ The restriction level can be set to BLOCK, WARN, or REPORT.
+ - If the restriction level is set to BLOCK, the action won't be allowed.
+ - If the restriction level is set to WARN, a user will be warned and may choose to proceed with or cancel the action.
+ - If the restriction level is set to REPORT, the user action will not be interrupted, but a report will be sent if OnSecurityEventEnterpriseConnector policy is enabled.
+
+ Notes:
+ - Format the URL patterns according to this format ( https://support.google.com/chrome/a?p=url_blocklist_filter_format ).
+ - For data leak prevention rules specific to $2Google ChromeOS, see also the DataLeakPreventionRulesList policy.
+
+ If the policy is left not set, no restrictions will be applied.
+
+ This policy is available only to users who have an assigned Chrome Enterprise Premium license.
+example_value:
+- description: Block copying from internal sites to the OS clipboard
+ name: Block copying from corp sites to OS
+ destinations:
+ os_clipboard: true
+ sources:
+ urls:
+ - salesforce.com
+ - gmail.com
+ - docs.google.com
+ - drive.google.com
+ - company.com
+ restrictions:
+ - class: CLIPBOARD
+ level: BLOCK
+- description: Block copying from non-incognito to incognito between profiles or to the OS clipboard
+ name: Block copying between profiles
+ destinations:
+ os_clipboard: true
+ sources:
+ incognito: false
+ os_clipboard: false
+ other_profile: false
+ destinations:
+ incognito: true
+ os_clipboard: true
+ other_profile: true
+ restrictions:
+ - class: CLIPBOARD
+ level: BLOCK
+- description: Block copying to an AI site to avoid data leaks
+ name: Block Cat GPT
+ destinations:
+ urls:
+ - cat.close.ai.com
+ restrictions:
+ - class: CLIPBOARD
+ level: BLOCK
+- description: Block pasting in non corp sites using a not condition
+ not:
+ destinations:
+ urls:
+ - corp.com
+ restrictions:
+ - class: CLIPBOARD
+ level: BLOCK
+- description: Block pasting to incognito with an exception of corp sites
+ and:
+ - destinations:
+ incognito: true
+ - not:
+ destinations:
+ urls:
+ - corp.com
+ restrictions:
+ - class: CLIPBOARD
+ level: BLOCK
+- description: Block copying from non corp sites using a not condition
+ not:
+ sources:
+ urls:
+ - corp.com
+ restrictions:
+ - class: CLIPBOARD
+ level: BLOCK
+- description: Block copying from incognito with an exception of corp sites
+ and:
+ - sources:
+ incognito: true
+ - not:
+ sources:
+ urls:
+ - corp.com
+ restrictions:
+ - class: CLIPBOARD
+ level: BLOCK
+- description: Prevent clipboard data from leaving a specified set of corp sites
+ and:
+ - sources:
+ urls:
+ - corp1.com
+ - corp2.com
+ - or:
+ - not:
+ destinations:
+ urls:
+ - corp1.com
+ - corp2.com
+ - destinations:
+ os_clipboard: true
+ - destinations:
+ other_profile: true
+ restrictions:
+ - class: CLIPBOARD
+ level: BLOCK
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://chrome/browser/enterprise/data_controls/OWNERS
+- domfc@chromium.org
+- dpr-eng@google.com
+schema:
+ items:
+ properties:
+ and:
+ items:
+ $ref: DataControlsCondition
+ type: array
+ description:
+ type: string
+ destinations:
+ properties:
+ incognito:
+ type: boolean
+ os_clipboard:
+ type: boolean
+ other_profile:
+ type: boolean
+ urls:
+ items:
+ type: string
+ type: array
+ type: object
+ name:
+ type: string
+ not:
+ $ref: DataControlsCondition
+ or:
+ items:
+ $ref: DataControlsCondition
+ type: array
+ restrictions:
+ items:
+ properties:
+ class:
+ enum:
+ - CLIPBOARD
+ - SCREENSHOT
+ type: string
+ level:
+ enum:
+ - BLOCK
+ - WARN
+ - REPORT
+ type: string
+ type: object
+ type: array
+ rule_id:
+ type: string
+ sources:
+ properties:
+ incognito:
+ type: boolean
+ os_clipboard:
+ type: boolean
+ other_profile:
+ type: boolean
+ urls:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+future_on:
+- android
+supported_on:
+- chrome.*:128-
+- chrome_os:128-
+tags: []
+type: dict
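Review bot: The second `example_value` rule ("Block copying between profiles") appears to define `destinations` twice, once with only `os_clipboard: true` before `sources` and again with `incognito`, `os_clipboard` and `other_profile` after it. Indentation is not preserved in this view, so confirm against the file, but the schema gives `sources` no `destinations` property, so both keys are most likely siblings. Duplicate mapping keys are either rejected or silently resolved to one value depending on the YAML parser, so an admin copying this example cannot tell which destination set is enforced. I would drop the first `destinations:` / `os_clipboard: true` pair and keep the fuller block. The third example's `name: Block Cat GPT` and the others without a `name` are fine, since the schema marks no field as required.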
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataLeakPreventionClipboardCheckSizeLimit.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataLeakPreventionClipboardCheckSizeLimit.yaml
new file mode 100755
index 000000000..07097c2f1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataLeakPreventionClipboardCheckSizeLimit.yaml
@@ -0,0 +1,20 @@
+caption: Set minimal size limit for data leak prevention clipboard restriction
+default: 0
+desc: |-
+ This policy sets the minimal data size (in bytes) of the data in the clipboard that will be checked against clipboard restriction rules defined in DataLeakPreventionRulesList policy.
+ If not set, it defaults to 0 that means that all pastes from the clipboard will be checked according to the configured rules.
+example_value: 50
+features:
+ can_be_recommended: false
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- file://chrome/browser/ash/policy/dlp/OWNERS
+- poromov@chromium.org
+schema:
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:93-
+tags: []
+type: int
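Review bot: The `desc` never states the consequence of a non-zero value. Going by the wording "minimal data size ... that will be checked", clipboard content below the threshold is not evaluated against the DataLeakPreventionRulesList clipboard rules at all. With the `example_value: 50`, short but sensitive strings such as passwords, tokens or account numbers would pass unchecked. I would add a sentence such as `Clipboard data smaller than this value is not checked against the clipboard restriction rules, so a non-zero value exempts short strings from data leak prevention.` to make that trade-off explicit.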
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataLeakPreventionReportingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataLeakPreventionReportingEnabled.yaml
new file mode 100755
index 000000000..756441765
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataLeakPreventionReportingEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Enable data leak prevention reporting
+default: false
+desc: |-
+ This policy is a general switch for all rules defined in the DataLeakPreventionRulesList policy.
+ Setting this policy to True will switch on real-time reporting of data leak prevention events.
+ Setting this policy to False or leaving it unset will switch off the reporting.
+ Rules defined with ALLOW level restrictions in DataLeakPreventionRulesList will not report events in both cases.
+example_value: true
+features:
+ can_be_recommended: false
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Enable reporting of data leak prevention events
+ value: true
+- caption: Disable reporting of data leak prevention events
+ value: false
+owners:
+- file://chrome/browser/ash/policy/dlp/OWNERS
+- jkopanski@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:92-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataLeakPreventionRulesList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataLeakPreventionRulesList.yaml
new file mode 100755
index 000000000..5a6ff7a91
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DataLeakPreventionRulesList.yaml
@@ -0,0 +1,147 @@
+caption: Sets a list of data leak prevention rules.
+desc: |-
+ Configures a list of rules to prevent data leak on $2Google ChromeOS.
+ Data leak can happen by copying and pasting data, transferring files, printing, screensharing, or taking screenshots ...etc.
+
+ Each rule consists of the following:
+ - A list of sources defined as URLs. Any data in the sources will be considered confidential data, to which the restrictions will be applied.
+ - A list of destinations defined as URLs or components, to which the confidential data is either allowed or disallowed to be shared.
+ - A list of restrictions to be applied on the data of the sources.
+
+ Rules can be added to:
+ - Control the clipboard data shared between the sources and the destinations.
+ - Control taking screenshots of any of the sources.
+ - Control printing of any of the sources.
+ - Control the privacy screen when any of the sources is visible.
+ - Control screen sharing of any of the sources.
+ - Control files downloaded from any of the sources when they are transferred to the destination. Supported on $2Google ChromeOS version 108 and higher.
+
+ The restriction level can be set to BLOCK, ALLOW, REPORT, WARN.
+ - If the restriction level is set to BLOCK, the action won't be allowed. If DataLeakPreventionReportingEnabled is set to True, the blocked action will be reported to the admin.
+ - If the restriction level is set to ALLOW, the action will be allowed.
+ - If the restriction level is set to REPORT and DataLeakPreventionReportingEnabled is set to True, the action will be reported to the admin.
+ - If the restriction level is set to WARN, a user will be warned and may choose to proceed with or cancel the action. If DataLeakPreventionReportingEnabled is set to True, showing the warning will be reported to the admin; proceeding with the action will also be reported.
+
+ Notes:
+ - PRIVACY_SCREEN restriction doesn't block the ability to turn on privacy screen, but enforces it when the restriction class is set to BLOCK.
+ - Destinations cannot be empty in case one of the restrictions is CLIPBOARD or FILES, but they don't make any difference for the remaining restrictions.
+ - DRIVE and USB destinations are ignored for CLIPBOARD restriction.
+ - Format the URL patterns according to this format ( https://support.google.com/chrome/a?p=url_blocklist_filter_format ).
+
+ If the policy is left not set, no restrictions will be applied.
+example_value:
+- description: Allow copy and paste for work purposes, block printing, enforce privacy
+ screen, report screen sharing, and warn on screenshots and video capture
+ destinations:
+ urls:
+ - salesforce.com
+ - gmail.com
+ - docs.google.com
+ - drive.google.com
+ - company.com
+ name: Support agent work flows
+ rule_id: rules/00examplerule
+ restrictions:
+ - class: CLIPBOARD
+ level: ALLOW
+ - class: SCREENSHOT
+ level: WARN
+ - class: PRINTING
+ level: BLOCK
+ - class: PRIVACY_SCREEN
+ level: BLOCK
+ - class: SCREEN_SHARE
+ level: REPORT
+ sources:
+ urls:
+ - salesforce.com
+ - gmail.com
+ - docs.google.com
+ - drive.google.com
+ - company.com
+- description: Block copy and paste from work flows to other sites and external drives
+ destinations:
+ components:
+ - ARC
+ - CROSTINI
+ - PLUGIN_VM
+ urls:
+ - '*'
+ name: Non agent work flows
+ restrictions:
+ - class: CLIPBOARD
+ level: BLOCK
+ sources:
+ urls:
+ - salesforce.com
+ - gmail.com
+ - docs.google.com
+ - company.com
+features:
+ can_be_recommended: false
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- file://chrome/browser/ash/policy/dlp/OWNERS
+- ayaelattar@chromium.org
+schema:
+ items:
+ properties:
+ description:
+ type: string
+ destinations:
+ properties:
+ components:
+ items:
+ enum:
+ - ARC
+ - CROSTINI
+ - PLUGIN_VM
+ - DRIVE
+ - USB
+ - ONEDRIVE
+ type: string
+ type: array
+ urls:
+ items:
+ type: string
+ type: array
+ type: object
+ name:
+ type: string
+ rule_id:
+ type: string
+ restrictions:
+ items:
+ properties:
+ class:
+ enum:
+ - CLIPBOARD
+ - SCREENSHOT
+ - PRINTING
+ - PRIVACY_SCREEN
+ - SCREEN_SHARE
+ - FILES
+ type: string
+ level:
+ enum:
+ - BLOCK
+ - ALLOW
+ - REPORT
+ - WARN
+ type: string
+ type: object
+ type: array
+ sources:
+ properties:
+ urls:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+supported_on:
+- chrome_os:92-
+tags: []
+type: dict
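Review bot: Two statements in this template can mislead an admin writing rules. In the Notes, "enforces it when the restriction class is set to BLOCK" mixes up the two fields: BLOCK is a `level` value, while `class` takes values such as PRIVACY_SCREEN. The line should read `... but enforces it when the restriction level is set to BLOCK.` The second `example_value` rule is described as blocking copy and paste "to other sites and external drives", but its `components` list holds only ARC, CROSTINI and PLUGIN_VM, and the Notes say DRIVE and USB destinations are ignored for CLIPBOARD. The description should instead name the components it actually covers, for example `Block copy and paste from work flows to other sites, Android apps and VMs`.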
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultBrowserSettingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultBrowserSettingEnabled.yaml
new file mode 100755
index 000000000..bd0304cd5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultBrowserSettingEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Set $1Google Chrome as Default Browser
+desc: |-
+ Setting the policy to True has $1Google Chrome always check whether it's the default browser on startup and, if possible, automatically register itself. Setting the policy to False stops $1Google Chrome from ever checking if it's the default and turns user controls off for this option.
+
+ Leaving the policy unset means $1Google Chrome lets users control whether it's the default and, if not, whether user notifications should appear.
+
+ Note: For Microsoft®Windows® administrators, turning this setting on only works for machines running Windows 7. For later versions, you must deploy a "default application associations" file that makes $1Google Chrome the handler for the https and http protocols (and, optionally, the ftp protocol and other file formats). See Chrome Help ( https://support.google.com/chrome?p=make_chrome_default_win ).
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Enable the default browser check on startup
+ value: true
+- caption: Disable the default browser check on startup
+ value: false
+label: Set $1Google Chrome as Default Browser
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win7:11-
+- chrome.mac:11-
+- chrome.linux:11-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultDownloadDirectory.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultDownloadDirectory.yaml
new file mode 100755
index 000000000..d6a1d2a68
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultDownloadDirectory.yaml
@@ -0,0 +1,28 @@
+caption: Set default download directory
+desc: |-
+ Setting the policy changes the default directory that Chrome downloads files to, but users can change the directory.
+
+ Leaving the policy unset means Chrome uses its platform-specific default directory.
+
+ This policy has no effect if the policy DownloadDirectory is set.
+
+ Note: See a list of variables you can use ( https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables ).
+example_value: /home/${user_name}/Downloads
+features:
+ can_be_mandatory: false
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- macourteau@chromium.org
+- zmin@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:64-
+- chrome_os:64-
+tags:
+- local-data-access
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultHandlersForFileExtensions.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultHandlersForFileExtensions.yaml
new file mode 100755
index 000000000..d8f8b271e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultHandlersForFileExtensions.yaml
@@ -0,0 +1,65 @@
+arc_support: This policy can also be used to specify Android apps as default file handlers.
+caption: Assigns apps as default handlers for specified file extensions
+desc: |-
+ This policy allows the admins to specify apps that act as default handlers for the respective file extensions
+ on $2Google ChromeOS that users can't change.
+
+ For all file extensions not specified in the policy, users are free to set their own defaults with respect to
+ the usual workflow.
+
+ Specify Chrome apps by their ID, such as pjkljhegncpnkpknbcohdijeoejaedia;
+ Web apps by the URL used in WebAppInstallForceList, such as https://google.com/maps;
+ Android apps by their package name, such as com.google.android.gm;
+ System Web Apps by their snake case name, such as projector;
+ Virtual Tasks by their designated name prepended with VirtualTask/, such as VirtualTask/microsoft-office.
+ Isolated Web Apps by their web bundle ID, such as egoxo6biqdjrk62rman4vvr5cbq2ozsyydig7jmdxcmohdob2ecaaaic.
+
+ Note that apps MUST declare themselves as file handlers for specified file extensions in the manifest in order for
+ that policy item to take effect (i.e. the policy does NOT extend existing app capabilities).
+
+ Leaving the policy unset allows $2Google ChromeOS to select default handlers according to the internal logic.
+example_value:
+- file_extensions:
+ - maps
+ policy_id: https://google.com/maps
+- file_extensions:
+ - xslx
+ policy_id: pnomlkjighijklmnopabcdefghijklff
+- file_extensions:
+ - docx
+ - pdf
+ policy_id: abcdefghijklmnopabcdefghijklmnop
+- file_extensions:
+ - proj
+ policy_id: projector
+- file_extensions:
+ - pptx
+ policy_id: VirtualTask/microsoft-office
+- file_extensions:
+ - rdp
+ policy_id: egoxo6biqdjrk62rman4vvr5cbq2ozsyydig7jmdxcmohdob2ecaaaic
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome_os:111-
+owners:
+- greengrape@google.com
+- file://ui/file_manager/OWNERS
+schema:
+ items:
+ properties:
+ file_extensions:
+ items:
+ type: string
+ type: array
+ policy_id:
+ type: string
+ required:
+ - policy_id
+ - file_extensions
+ type: object
+ type: array
+tags: []
+type: dict
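Review bot: The second `example_value` entry lists the file extension `xslx`, which looks like a transposition of `xlsx`. Example values tend to be copied verbatim into deployments, and a handler bound to a misspelled extension would simply never match, with no error. I would change it to `- xlsx`. The `desc` could also note whether `file_extensions` entries are matched case-insensitively and without the leading dot, since the examples imply the latter but the text does not say.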
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultSearchProviderContextMenuAccessAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultSearchProviderContextMenuAccessAllowed.yaml
new file mode 100755
index 000000000..c14851c56
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DefaultSearchProviderContextMenuAccessAllowed.yaml
@@ -0,0 +1,31 @@
+caption: Allow default search provider context menu search access
+desc: |-
+ Enables the use of a default search provider on the context menu.
+
+ If you set this policy to disabled the search context menu item that relies on your default search provider will not be available.
+
+ If this policy is set to enabled or not set, the context menu item for your default search provider will be available.
+
+ The policy value is only appled when the DefaultSearchProviderEnabled policy is enabled, and is not applicable otherwise.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable access to the default search provider context menu
+ value: true
+- caption: Disable access to the default search provider context menu
+ value: false
+owners:
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:85-
+- chrome_os:85-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeleteKeyModifier.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeleteKeyModifier.yaml
new file mode 100755
index 000000000..cc5367e05
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeleteKeyModifier.yaml
@@ -0,0 +1,38 @@
+caption: Control the shortcut used to trigger the Delete "six pack" key
+default: 2
+desc: |-
+ This policy determines the behavior for remapping the Delete key within
+ the 'remap keys' subpage. The 'remap keys' subpage allows users to
+ customize keyboard keys. If enabled, this policy prevents users from
+ customizing these specific remappings. If the policy is not set,
+ search-based shortcuts will act as the default and allows users to
+ configure the shortcuts.
+example_value: 0
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Setting a shortcut for the "Delete" action is disabled.
+ name: None
+ value: 0
+- caption: Delete shortcut setting uses the shortcut that contains the alt modifier
+ name: Alt
+ value: 1
+- caption: Delete shortcut setting uses the shortcut that contains the search modifier
+ name: Search
+ value: 2
+owners:
+- michaelcheco@google.com
+- cros-peripherals@google.com
+schema:
+ # These values correspond to the `SixPackShortcutModifier` mojom enum.
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:123-
+tags: []
+type: int-enum
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeskTemplatesEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeskTemplatesEnabled.yaml
new file mode 100755
index 000000000..f865e27d2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeskTemplatesEnabled.yaml
@@ -0,0 +1,22 @@
+caption: Allow users to select a desk template layout to load
+default: false
+desc: Setting the policy to Enabled allows users to use desktop layout templates. Setting
+ the policy to Disabled or unset means these templates will be unavailable.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome_os
+items:
+- caption: Allow users to use desk templates
+ value: true
+- caption: Do not allow users to use desk templates
+ value: false
+owners:
+- brianbeck@chromium.org
+- yzd@chromium.org
+schema:
+ type: boolean
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DesktopSharingHubEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DesktopSharingHubEnabled.yaml
new file mode 100755
index 000000000..b710d14f9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DesktopSharingHubEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable desktop sharing in the omnibox and 3-dot menu
+default: true
+desc: |-
+ Setting the policy to True or leaving it unset lets users share or save the current webpage using actions provided by the desktop sharing hub. The sharing hub is accessed through either an omnibox icon or the 3-dot menu.
+
+ Setting the policy to False removes the sharing icon from the omnibox and the entry from the 3-dot menu.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable desktop sharing hub
+ value: true
+- caption: Disable desktop sharing hub
+ value: false
+owners:
+- kristipark@chromium.org
+- jeffreycohen@chromium.org
+- file://components/send_tab_to_self/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.win:93-
+- chrome.linux:93-
+- chrome.mac:93-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeveloperToolsAvailability.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeveloperToolsAvailability.yaml
new file mode 100755
index 000000000..2dce96525
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeveloperToolsAvailability.yaml
@@ -0,0 +1,49 @@
+arc_support: This policy also controls access to Android Developer Options. If you
+ set this policy to 'DeveloperToolsDisallowed' (value 2), users cannot access Developer
+ Options. If you set this policy to another value or leave it unset, users can access
+ Developer Options by tapping seven times on the build number in the Android settings
+ app.
+caption: Control where Developer Tools can be used
+desc: |-
+ Setting the policy to 0 (the default) means you can access the developer tools and the JavaScript console, but not in the context of extensions installed by enterprise policy or, since version 114 and if this is a managed user, extensions built into the browser. Setting the policy to 1 means you can access the developer tools and the JavaScript console in all contexts, including that of extensions installed by enterprise policy. Setting the policy to 2 means you can't access developer tools, and you can't inspect website elements.
+
+ This setting also turns off keyboard shortcuts and menu or context menu entries to open developer tools or the JavaScript console.
+
+ As of $1Google Chrome version 99, this setting also controls entry points for the 'View page source' feature. If you set this policy to 'DeveloperToolsDisallowed' (value 2), users cannot access source viewing via keyboard shortcut or the context menu. To fully block source viewing, you must also add 'view-source:*' to the URLBlocklist policy.
+
+ As of $1Google Chrome version 119, this setting also controls whether developer mode for Isolated Web Apps can be activated and used.
+
+ As of $1Google Chrome version 128, this setting will not control developer mode on extensions page if ExtensionDeveloperModeSettings policy is set.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Disallow usage of the Developer Tools on apps and extensions
+ installed by enterprise policy or, since version 114 and if this is a
+ managed user, extensions built into the browser. Allow usage of the
+ Developer Tools in other contexts
+ name: DeveloperToolsDisallowedForForceInstalledExtensions
+ value: 0
+- caption: Allow usage of the Developer Tools
+ name: DeveloperToolsAllowed
+ value: 1
+- caption: Disallow usage of the Developer Tools
+ name: DeveloperToolsDisallowed
+ value: 2
+owners:
+- file://extensions/OWNERS
+- extensions-core@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:68-
+- chrome_os:68-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeveloperToolsDisabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeveloperToolsDisabled.yaml
new file mode 100755
index 000000000..2dc643d29
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeveloperToolsDisabled.yaml
@@ -0,0 +1,35 @@
+arc_support: This policy also controls access to Android Developer Options. If you
+ set this policy to true, users cannot access Developer Options. If you set this
+ policy to false or leave it unset, users can access Developer Options by tapping
+ seven times on the build number in the Android settings app.
+caption: Disable Developer Tools
+deprecated: true
+desc: |-
+ This policy is deprecated in M68, please use DeveloperToolsAvailability instead.
+
+ Disables the Developer Tools and the JavaScript console.
+
+ If you enable this setting, the Developer Tools can not be accessed and web-site elements can not be inspected anymore. Any keyboard shortcuts and any menu or context menu entries to open the Developer Tools or the JavaScript Console will be disabled.
+
+ Setting this option to disabled or leaving it not set allows the user to use the Developer Tools and the JavaScript console.
+
+ If the policy DeveloperToolsAvailability is set, the value of the policy DeveloperToolsDisabled is ignored.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Disable Developer Tools
+ value: true
+- caption: Enable Developer Tools
+ value: false
+owners:
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:9-
+- chrome_os:11-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowBluetooth.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowBluetooth.yaml
new file mode 100755
index 000000000..230c66d81
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowBluetooth.yaml
@@ -0,0 +1,26 @@
+caption: Allow bluetooth on device
+desc: |-
+ Setting the policy to Enabled or leaving it unset lets users turn Bluetooth on or off.
+
+ Setting the policy to Disabled means $2Google ChromeOS turns Bluetooth off, and users can't turn it on.
+
+ Note: To turn on Bluetooth, users must sign out and in again.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: false
+items:
+- caption: Allow users to turn Bluetooth on or off
+ value: true
+- caption: Disable Bluetooth
+ value: false
+owners:
+- isandrk@chromium.org
+- sinhak@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:52-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowEnterpriseRemoteAccessConnections.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowEnterpriseRemoteAccessConnections.yaml
new file mode 100755
index 000000000..aaf306ee0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowEnterpriseRemoteAccessConnections.yaml
@@ -0,0 +1,31 @@
+caption: Allow enterprise remote access connections to this machine
+default: true
+desc: |-
+ If this policy is disabled, this policy prevents enterprise admins from connecting to managed $2Google ChromeOS devices when no user is present on the device.
+
+ This policy does not affect other remote access scenarios.
+
+ This policy is not effective if enabled, left blank, or not configured.
+
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+
+items:
+- caption: Allow remote access connections from enterprise admins to this machine
+ value: true
+- caption: Prevent remote access connections from enterprise admins to this machine
+ value: false
+
+owners:
+- macinashutosh@google.com
+- jeroendh@google.com
+- file://chrome/browser/ash/app_mode/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:127-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowMGSToStoreDisplayProperties.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowMGSToStoreDisplayProperties.yaml
new file mode 100755
index 000000000..74abfb6c3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowMGSToStoreDisplayProperties.yaml
@@ -0,0 +1,24 @@
+caption: Allow Managed guest session to persist display properties
+default: false
+desc: If this policy is disabled or unset, all display settings that were set in Managed
+ guest session will be reset as soon as the session finishes. If this policy is set
+ to True, display properties will persist after exiting the managed guest session.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Managed Guest Session users can store device-wide display settings
+ value: true
+- caption: Managed Guest Session users cannot store device-wide display settings
+ value: false
+owners:
+- file://chrome/browser/ash/app_mode/OWNERS
+- apotapchuk@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:90-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowRedeemChromeOsRegistrationOffers.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowRedeemChromeOsRegistrationOffers.yaml
new file mode 100755
index 000000000..7d4c69062
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowRedeemChromeOsRegistrationOffers.yaml
@@ -0,0 +1,28 @@
+caption: Allow users to redeem offers through $2Google
+ ChromeOS Registration
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset lets enterprise device users redeem offers through $2Google ChromeOS Registration.
+
+ Setting the policy to Disabled means users can't redeem these offers.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Allow users to redeem offers through $2Google
+ ChromeOS Registration
+ value: true
+- caption: Prevent users from redeeming offers through $2Google
+ ChromeOS Registration
+ value: false
+owners:
+- oscarpan@google.com
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:26-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowedBluetoothServices.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowedBluetoothServices.yaml
new file mode 100755
index 000000000..5c751f11e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAllowedBluetoothServices.yaml
@@ -0,0 +1,31 @@
+caption: Only allow connection to the Bluetooth services in the list
+desc: |-
+ This policy allows admins to configure Bluetooth services that $2Google ChromeOS is allowed to connect to.
+
+ When this policy is set, $2Google ChromeOS only allows users to connect to the specified Bluetooth services with an exception when the list is empty which means any service is allowed to use. UUIDs reserved by the Bluetooth SIG can be represented as '0xABCD' or 'ABCD'. Custom UUIDs can be represented as 'AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'. UUIDs are case insensitive. Leaving this policy unset lets users connect to any Bluetooth service.
+device_only: true
+example_value:
+- '0x111E'
+- '0x110B'
+- '0x1203'
+- '0x1108'
+- '0x110C'
+- '0x110E'
+- '0x110F'
+- '0x1200'
+features:
+ dynamic_refresh: true
+owners:
+- howardchung@google.com
+- alainm@chromium.org
+- mcchou@chromium.org
+schema:
+ items:
+ pattern: ^((0x)?[0-9A-Fa-f]{4})|((0x)?[0-9A-Fa-f]{8})|([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})$
+ type: string
+ type: array
+supported_on:
+- chrome_os:91-
+tags: []
+type: list
+generate_device_proto: False
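Review bot: The `pattern` under `schema.items` is anchored only at its outer edges: `^` binds to the 4-hex-digit alternative, `$` binds to the 128-bit UUID alternative, and the 8-hex-digit alternative has no anchor at all. If the schema validator uses partial-match semantics, a string that merely starts with four hex digits (constructed example: `0x111Ezz`) or contains eight hex digits anywhere passes validation for this allowlist. Wrapping the alternation in one group fixes the precedence: `^(((0x)?[0-9A-Fa-f]{4})|((0x)?[0-9A-Fa-f]{8})|([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}))$`. Whether the code that consumes the list re-parses each UUID is not visible in this patch, so the effect may be limited to malformed entries being accepted rather than rejected at policy load.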
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAppPack.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAppPack.yaml
new file mode 100755
index 000000000..6aa43586f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAppPack.yaml
@@ -0,0 +1,26 @@
+caption: List of AppPack extensions
+deprecated: true
+desc: |-
+ This policy is active in retail mode only.
+
+ Lists extensions that are automatically installed for the Demo user, for devices in retail mode. These extensions are saved in the device and can be installed while offline, after the installation.
+
+ Each list entry contains a dictionary that must include the extension ID in the 'extension-id' field, and its update URL in the 'update-url' field.
+device_only: true
+example_value:
+- '{ "extension-id": "khgabmflimjjbclkmljlpmgaleanedem", "update-url": "https://clients2.google.com/service/update2/crx"
+ }'
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- zmin@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:19-40
+tags: []
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAttributesAllowedForOrigins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAttributesAllowedForOrigins.yaml
new file mode 100755
index 000000000..bbcb73732
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAttributesAllowedForOrigins.yaml
@@ -0,0 +1,27 @@
+caption: Allow origins to query device attributes
+desc: |-
+ Setting the policy allows listed origins to get device attributes (e.g. serial number, hostname) by using Device Attributes API.
+
+ Origins must correspond to web applications that are force-installed using WebAppInstallForceList or IsolatedWebAppInstallForceList (since version 125) policy or set up as a kiosk app. For Device Attributes API specification please see https://wicg.github.io/WebApiDevice/device_attributes.
+
+ For detailed information on valid url patterns (since version 127), please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.google.com
+- '[*.]example.com'
+- example.edu
+- '*://example.edu:*/'
+- isolated-app://ggx2sheak3vpmm7vmjqnjwuzx3xwot3vdayrlgnvbkq2mp5lg4daaaic
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- anqing@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:93-
+tags: []
+type: list
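Review bot: The rule that `*` is not an accepted value exists only in `desc`; `schema.items` is a bare `type: string` with no `pattern`, so the schema itself admits a wildcard entry. The policy hands out device identifiers (the description names serial number and hostname), so the rejection presumably happens in a policy handler that this patch does not show. A comment under `schema:` would record that dependency for whoever edits the file next, for example `# '*' is rejected by the policy handler, not by this schema; keep the two in sync.`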
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAuthenticationURLAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAuthenticationURLAllowlist.yaml
new file mode 100755
index 000000000..27545182d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAuthenticationURLAllowlist.yaml
@@ -0,0 +1,28 @@
+caption: Allow access to a list of URLs during authentication
+desc: |-
+ Setting the policy provides access to the listed URLs during authentication (e.g. in the login screen and lock screen), as exceptions to DeviceAuthenticationURLBlocklist. See that policy's description for the format of entries of this list. For example, setting DeviceAuthenticationURLBlocklist to * will block all requests, and you can use this policy to allow access to a limited list of URLs. Use it to open exceptions to certain schemes, subdomains of other domains, ports, or specific paths, using the format specified at ( https://support.google.com/chrome/a?p=url_blocklist_filter_format ). The most specific filter determines if a URL is blocked or allowed. The DeviceAuthenticationURLAllowlist policy takes precedence over DeviceAuthenticationURLBlocklist. This policy is limited to 1,000 entries.
+
+ Leaving the policy unset allows no exceptions to DeviceAuthenticationURLBlocklist.
+device_only: true
+example_value:
+- example.com
+- https://ssl.server.com
+- hosting.com/good_path
+- https://server:8080/path
+- .exact.hostname.com
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- cros-3pidp@google.com
+- mgomezch@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:117-
+tags:
+- filtering
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAuthenticationURLBlocklist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAuthenticationURLBlocklist.yaml
new file mode 100755
index 000000000..43d33cd1b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceAuthenticationURLBlocklist.yaml
@@ -0,0 +1,35 @@
+caption: Block access to a list of URL patterns during authentication
+desc: |-
+ Setting the policy prevents webpages with prohibited URLs from loading during user authentication (e.g. in the login screen and lock screen). It provides a list of URL patterns that specify forbidden URLs. Leaving the policy unset means no URLs are prohibited during authentication. Format the URL pattern according to this format ( https://support.google.com/chrome/a?p=url_blocklist_filter_format ).
+
+ Exceptions to these patterns can be defined in the related policy DeviceAuthenticationURLAllowlist.
+
+ Certain URLs are necessary for authentication to succeed, including accounts.google.com, so they should not be blocked if online sign-in is required.
+
+ Note: This policy does not apply to in-page JavaScript URLs with dynamically loaded data. If you blocked example.com/abc, then example.com could still load it using XMLHTTPRequest.
+device_only: true
+example_value:
+- example.com
+- https://ssl.server.com
+- hosting.com/bad_path
+- https://server:8080/path
+- .exact.hostname.com
+- file://*
+- custom_scheme:*
+- '*'
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- cros-3pidp@google.com
+- mgomezch@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:117-
+tags:
+- filtering
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceBlockDevmode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceBlockDevmode.yaml
new file mode 100755
index 000000000..a682c504a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceBlockDevmode.yaml
@@ -0,0 +1,28 @@
+arc_support: This policy controls $2Google ChromeOS
+ developer mode only. If you want to prevent access to Android Developer Options,
+ you need to set the DeveloperToolsDisabled
+ policy.
+caption: Block developer mode
+desc: |-
+ Setting the policy to Enabled means $2Google ChromeOS stops the device from going into Developer mode.
+
+ Setting the policy to Disabled or leaving it unset keeps Developer mode available for the device.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Block developer mode
+ value: true
+- caption: Allow developer mode
+ value: false
+owners:
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:37-
+tags: []
+type: main
+generate_device_proto: False
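Review bot: The `arc_support` text sends administrators to DeveloperToolsDisabled, which DeveloperToolsDisabled.yaml in this same patch marks `deprecated: true` and describes as replaced by DeveloperToolsAvailability since M68. That file also states that DeveloperToolsDisabled is ignored whenever DeveloperToolsAvailability is set, so an admin following this text can end up with Android Developer Options still reachable. The sentence should name the current policy, e.g. `you need to set the DeveloperToolsAvailability policy to 'DeveloperToolsDisallowed' (value 2).`, matching the `arc_support` wording in DeveloperToolsAvailability.yaml.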
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceChromeVariations.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceChromeVariations.yaml
new file mode 100755
index 000000000..8f72d1b68
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceChromeVariations.yaml
@@ -0,0 +1,43 @@
+caption: Determine the availability of variations on $2Google
+ ChromeOS
+desc: |-
+ Configuring this policy allows to specify which variations are allowed to be applied on an enterprise-managed $2Google ChromeOS device.
+
+ Variations provide a means for offering modifications to $2Google ChromeOS without shipping a new version by selectively enabling or disabling already existing features. See https://support.google.com/chrome/a?p=Manage_the_Chrome_variations_framework for more information.
+
+ Setting the VariationsEnabled (value 0), or leaving the policy not set allows all variations to be applied to $2Google ChromeOS.
+
+ Setting the CriticalFixesOnly (value 1), allows only variations considered critical security or stability fixes to be applied to $2Google ChromeOS.
+
+ Setting the VariationsDisabled (value 2), will prevent all variations from being applied to the browser on the login screen. Please note that this mode can potentially prevent the $2Google ChromeOS developers from providing critical security fixes in a timely manner and is thus not recommended.
+device_only: true
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable all variations
+ name: VariationsEnabled
+ value: 0
+- caption: Enable variations concerning critical fixes only
+ name: CriticalFixesOnly
+ value: 1
+- caption: Disable all variations
+ name: VariationsDisabled
+ value: 2
+owners:
+- pastarmovj@chromium.org
+- asvitkine@chromium.org
+- mpolzer@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:83-
+tags: []
+type: int-enum
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceDebugPacketCaptureAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceDebugPacketCaptureAllowed.yaml
new file mode 100755
index 000000000..c73cb8d12
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceDebugPacketCaptureAllowed.yaml
@@ -0,0 +1,29 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Allow debug network packet captures
+default: true
+desc: |-
+ Allow network packet captures on device for debugging.
+
+ If the policy is set to true or left unset, user will be able to perform network packet captures on device.
+ If set to false, network packet capture won't be available on the device.
+device_only: true
+example_value: false
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: The user will be able to perform network packet captures
+ value: true
+- caption: The user will not be able to perform network packet captures
+ value: false
+owners:
+- iremuguz@google.com
+- file://components/policy/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:92-
+tags: []
+type: main
+generate_device_proto: False
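Review bot: `default: true` makes on-device packet capture available unless an administrator opts out, yet `desc` says only that the "user will be able to perform network packet captures". It does not say which sessions that covers or where the capture ends up. An administrator deciding whether the default is acceptable for shared or kiosk devices needs that information. At minimum a comment next to the default would flag the opt-out nature, e.g. `# default: true - captures stay available unless an admin sets this policy to false`. The `desc` should also say who can start a capture.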
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceDlcPredownloadList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceDlcPredownloadList.yaml
new file mode 100755
index 000000000..db6c89f10
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceDlcPredownloadList.yaml
@@ -0,0 +1,30 @@
+owners:
+- nedol@google.com
+- ust@google.com
+- file://chromeos/printing/OWNERS
+caption: Select DLCs (Downloadable Content) that need to be pre downloaded
+desc: |-
+ This policy allows to set a list of DLCs (Downloadable Content) to be downloaded as soon as possible. Downloaded DLCs are then available for all users on the device.
+
+ This is useful when the administrator knows that a feature that requires the presence of the DLC will likely be used by the users of the device.
+device_only: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+type: string-enum-list
+schema:
+ items:
+ enum:
+ - scanner_drivers
+ type: string
+ type: array
+items:
+- caption: Scanners
+ name: scanner_drivers
+ value: scanner_drivers
+example_value:
+- scanner_drivers
+supported_on:
+- chrome_os:125-
+tags: []
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceEcryptfsMigrationStrategy.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceEcryptfsMigrationStrategy.yaml
new file mode 100755
index 000000000..618f88361
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceEcryptfsMigrationStrategy.yaml
@@ -0,0 +1,39 @@
+caption: Migration strategy for ecryptfs
+deprecated: true
+desc: |-
+ This policy was removed in M61.
+
+ Specifies how a device should behave that shipped with ecryptfs and needs to transition to ext4 encryption.
+
+ If you set this policy to 'DisallowArc', Android apps will be disabled for all users on the device (including those that have ext4 encryption already) and no migration from ecryptfs to ext4 encryption will be offered to any users.
+
+ If you set this policy to 'AllowMigration', users with ecryptfs home directories will be offered to migrate these to ext4 encryption as necessary (currently when Android N becomes available on the device).
+
+ This policy does not apply to kiosk apps - these are migrated automatically. If this policy is left not set, the device will behave as if 'DisallowArc' was chosen.
+device_only: true
+example_value: 1
+features:
+ dynamic_refresh: true
+items:
+- caption: Policy unset, disallow data migration and ARC
+ name: Unset
+ value: 0
+- caption: Disallow data migration and ARC
+ name: DisallowArc
+ value: 1
+- caption: Allow data migration
+ name: AllowMigration
+ value: 2
+owners:
+- igorcov@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:60-60
+tags: []
+type: int-enum
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceEncryptedReportingPipelineEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceEncryptedReportingPipelineEnabled.yaml
new file mode 100755
index 000000000..13350d35f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceEncryptedReportingPipelineEnabled.yaml
@@ -0,0 +1,26 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Enable the Encrypted Reporting Pipeline
+default: true
+desc: |-
+ Setting the policy to True or leaving it unset allows for events, telemetry and info to be
+ reported to the Encrypted Reporting Pipeline. Setting the policy to False disables the Encrypted Reporting Pipeline.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable the Encrypted Reporting Pipeline
+ value: true
+- caption: Disable the Encrypted Reporting Pipeline
+ value: false
+owners:
+- cros-reporting-team@google.com
+- albertojuarez@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:100-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceEphemeralNetworkPoliciesEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceEphemeralNetworkPoliciesEnabled.yaml
new file mode 100755
index 000000000..02dc32b18
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceEphemeralNetworkPoliciesEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Controls the enablement of the EphemeralNetworkPolicies feature
+desc: |-
+ This policy controls the enablement of the EphemeralNetworkPolicies feature.
+ When this policy is set to true, the DeviceOpenNetworkConfiguration entries RecommendedValuesAreEphemeral and UserCreatedNetworkConfigurationsAreEphemeral will be respected.
+ When this policy is not set or set to false, the mentioned network policies will only be respected if the EphemeralNetworkPolicies feature is enabled.
+ This policy will be removed when the EphemeralNetworkPolicies feature is enabled by default.
+default: false
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+supported_on:
+- chrome_os:119-
+items:
+- caption: Enable the EphemeralNetworkPolicies feature.
+ value: true
+- caption: Don't enable the EphemeralNetworkPolicies feature.
+ value: false
+owners:
+- acostinas@google.com
+- miersh@google.com
+- suprnet@google.com
+schema:
+ type: boolean
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceExtendedFkeysModifier.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceExtendedFkeysModifier.yaml
new file mode 100755
index 000000000..82a24345a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceExtendedFkeysModifier.yaml
@@ -0,0 +1,40 @@
+caption: Control the shortcut used to trigger F11/F12
+default: null
+deprecated: true
+desc: |-
+ This policy controls the selected shortcut option for remapping events to
+ F11/F12 in the remap keys subpage. These settings are only applicable for
+ ChromeOS keyboards and are disabled by default if the policy is unset.
+device_only: true
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: F11/F12 settings are disabled
+ name: Disabled
+ value: 0
+- caption: F11/F12 settings use the shortcut that contains the alt modifier
+ name: Alt
+ value: 1
+- caption: F11/F12 settings use the shortcut that contains the shift modifier
+ name: Shift
+ value: 2
+- caption: F11/F12 settings use the shortcut that contains the modifiers ctrl and shift
+ name: CtrlShift
+ value: 3
+owners:
+- michaelcheco@google.com
+- cros-peripherals@google.com
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:121-122
+tags: []
+type: int-enum
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceHardwareVideoDecodingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceHardwareVideoDecodingEnabled.yaml
new file mode 100755
index 000000000..8c7f16f40
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceHardwareVideoDecodingEnabled.yaml
@@ -0,0 +1,38 @@
+owners:
+- jeroendh@google.com
+- file://chrome/browser/ash/app_mode/OWNERS
+
+caption: Enable GPU hardware video decoding
+
+desc: |-
+ If this policy is unset or set to true, video decoding will be hardware-accelerated where available.
+
+ If this policy is set to false, video decoding will never be hardware-accelerated.
+
+ Disabling hardware-accelerated video decoding is not advised since it will result in a higher CPU load which in turn will negatively affect device performance and battery consumption.
+
+supported_on:
+- chrome_os:120-
+
+device_only: true
+
+features:
+ dynamic_refresh: false
+ per_profile: false
+
+type: main
+
+schema:
+ type: boolean
+
+items:
+- caption: Enable GPU hardware video decoding
+ value: true
+- caption: Disable GPU hardware video decoding
+ value: false
+
+default: true
+
+example_value: false
+
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceHindiInscriptLayoutEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceHindiInscriptLayoutEnabled.yaml
new file mode 100755
index 000000000..886f4124d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceHindiInscriptLayoutEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Enable the Hindi Inscript Layout device wide.
+default: false
+desc: |-
+ Setting the policy enables Hindi Inscript Layout on $2Google ChromeOS.
+ If false or unset, the layout is not available. Requires reboot to take effect.
+device_only: true
+example_value: true
+features:
+ cloud_only: true
+ dynamic_refresh: false
+ per_profile: false
+ unlisted: true
+items:
+- caption: Enable Hindi Inscript Layout
+ value: true
+- caption: Disable Hindi Inscript Layout
+ value: false
+owners:
+- jshin@chromium.org
+ e14s-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:115-
+tags: []
+type: main
+generate_device_proto: False
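Review bot: The second entry under `owners:` has no leading `- `, so as shown `e14s-eng@google.com` would parse as a continuation of the `jshin@chromium.org` scalar rather than as its own list item. If the file's indentation matches what is shown here, the list holds one owner string containing both addresses, and any tooling that routes policy reviews by owner would miss the team alias. The line should read `- e14s-eng@google.com`, which is how the same alias is written in DeviceLoginScreenTouchVirtualKeyboardEnabled.yaml in this patch.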
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceI18nShortcutsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceI18nShortcutsEnabled.yaml
new file mode 100755
index 000000000..a0f47c18c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceI18nShortcutsEnabled.yaml
@@ -0,0 +1,33 @@
+caption: ' Allows enabling/disabling international shortcut keys remaps'
+default: true
+default_for_managed_devices_doc_only: true
+desc: |2-
+ This policy controls whether the improved international keyboard shortcut mapping is enabled.
+ This feature ensures keyboard shortcuts work consistently with international keyboard layouts and deprecate legacy shortcuts.
+
+ If this policy is disabled, improved international keyboards shortcuts are disabled.
+ If this policy is enabled, improved international keyboards shortcuts are enabled.
+ If unset, this policy is enabled for managed devices and enabled for consumer-owned devices.
+ Note this is only a temporarily policy to allow managed users to still be able to use deprecated legacy shortcuts. This policy will deprecate after customized keyboard shortcuts are available.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: International keyboard shortcuts are mapped to the location of the keys
+ in the keyboard instead of the glyph of the key.
+ value: true
+- caption: International keyboard shortcuts are mapped to the glyph of the keys instead
+ of key location on the keyboard.
+ value: false
+owners:
+- jimmyxgong@chromium.org
+- cros-peripheral@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:97-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceIdleLogoutTimeout.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceIdleLogoutTimeout.yaml
new file mode 100755
index 000000000..24184c9ab
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceIdleLogoutTimeout.yaml
@@ -0,0 +1,22 @@
+caption: Timeout until idle user log-out is executed
+deprecated: true
+desc: |-
+ This policy is active in retail mode only.
+
+ When the value of this policy is set and is not 0 then the currently logged in demo user will be logged out automatically after an inactivity time of the specified duration has elapsed.
+
+ The policy value should be specified in milliseconds.
+device_only: true
+example_value: 60000
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: integer
+supported_on:
+- chrome_os:19-40
+tags: []
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceIdleLogoutWarningDuration.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceIdleLogoutWarningDuration.yaml
new file mode 100755
index 000000000..af074652f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceIdleLogoutWarningDuration.yaml
@@ -0,0 +1,22 @@
+caption: Duration of the idle log-out warning message
+deprecated: true
+desc: |-
+ This policy is active in retail mode only.
+
+ When DeviceIdleLogoutTimeout is specified this policy defines the duration of the warning box with a count down timer that is shown to the user before the logout is executed.
+
+ The policy value should be specified in milliseconds.
+device_only: true
+example_value: 15000
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: integer
+supported_on:
+- chrome_os:19-40
+tags: []
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceKeyboardBacklightColor.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceKeyboardBacklightColor.yaml
new file mode 100755
index 000000000..102d1a4a1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceKeyboardBacklightColor.yaml
@@ -0,0 +1,59 @@
+caption: Default keyboard backlight color
+default: 0
+desc: |-
+ Setting the policy to the values will default the color for a device
+
+ keyboard backlight color during user sign in.
+device_only: true
+example_value: 0
+features:
+ dynamic_refresh: true
+items:
+- caption: Keyboard backlight color matches the current wallpaper
+ name: Wallpaper
+ value: 0
+- caption: White keyboard backlight color
+ name: White
+ value: 1
+- caption: Red keyboard backlight color
+ name: Red
+ value: 2
+- caption: Yellow keyboard backlight color
+ name: Yellow
+ value: 3
+- caption: Green keyboard backlight color
+ name: Green
+ value: 4
+- caption: Blue keyboard backlight color
+ name: Blue
+ value: 5
+- caption: Indigo keyboard backlight color
+ name: Indigo
+ value: 6
+- caption: Purple keyboard backlight color
+ name: Purple
+ value: 7
+- caption: Rainbow keyboard backlight color
+ name: Rainbow
+ value: 100
+owners:
+- lbowen@google.com
+- jasontt@google.com
+- cros-demo-mode-eng@google.com
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ - 6
+ - 7
+ - 100
+ type: integer
+supported_on:
+- chrome_os:109-
+tags: []
+type: int-enum
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceKeylockerForStorageEncryptionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceKeylockerForStorageEncryptionEnabled.yaml
new file mode 100755
index 000000000..40f224d77
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceKeylockerForStorageEncryptionEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Controls use of AES Keylocker for user storage
+ encryption if supported
+default: false
+desc: |-
+ This policy controls whether the AES Keylocker implementation is enabled for user storage encryption for dm-crypt user homes on ChromeOS, if supported.
+
+ This policy only applies to user homes which use dm-crypt) for encryption. Legacy user homes (those which do not use dm-crypt) do not support the use of AES Keylocker and will default to using AESNI.
+
+ If the policy value changes, existing dm-crypt user homes will be accessed using the encryption implementation configured by the policy because the AES implementations are compatible.
+ If the policy is disabled or not set, user storage encryption for dm-crypt user homes will default to using AESNI.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Use AES Keylocker as the encryption algorithm
+ for user storage encryption, if supported
+ value: true
+- caption: Do not use AES Keylocker as the encryption
+ algorithm for user storage encryption
+ value: false
+owners:
+- sarthakkukreti@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:99-
+tags: []
+type: main
+generate_device_proto: False
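Review bot: The second paragraph of `desc` has an unbalanced parenthesis (`which use dm-crypt) for encryption`), which blurs the scope statement of a storage-encryption policy. It should read `This policy only applies to user homes which use dm-crypt for encryption.` The text also says a changed value applies to existing dm-crypt homes, but with `dynamic_refresh: true` it does not say whether the switch happens at the next mount or for an already mounted home. A sentence stating that would tell an administrator when the AES implementation in use actually changes.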
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLocalAccountManagedSessionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLocalAccountManagedSessionEnabled.yaml
new file mode 100755
index 000000000..f2990c6aa
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLocalAccountManagedSessionEnabled.yaml
@@ -0,0 +1,22 @@
+caption: Allow managed session on device
+deprecated: true
+desc: |-
+ Note that this policy is deprecated and removed in $2Google ChromeOS version 88. Public sessions are no longer supported. Please use DeviceLocalAccounts to configure managed-guest sessions instead.
+ If this policy is set to false, managed guest session will behave as documented in https://support.google.com/chrome/a/answer/3017014 - the standard "Public Session".
+
+ If this policy is set to true or left unset, managed guest session will take on "Managed Session" behaviour which lifts many of the restrictions that are in place for regular "Public Sessions".
+
+ If this policy is set, the user cannot change or override it.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- isandrk@chromium.org
+- file://components/policy/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:70-87
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenContextAwareAccessSignalsAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenContextAwareAccessSignalsAllowlist.yaml
new file mode 100755
index 000000000..357834a6c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenContextAwareAccessSignalsAllowlist.yaml
@@ -0,0 +1,32 @@
+caption: Enable the Chrome Enterprise Device Trust Connector attestation flow for a list of URLs on the login screen
+desc: |-
+ Enable Chrome Enterprise Device Trust Connector for a list of URLs on the login and lock screen.
+
+ Setting this policy specifies for which URLs $2Google ChromeOS will offer to start the attestation flow. The latter allows those websites to get an attested set of context-aware signals from the device.
+
+ Leaving this policy unset or empty means that no website will be able to start the attestation flow nor get signals from the device.
+
+ This policy will only impact the attestation flow on the login and lock screen. To change the in-session attestation flow, please use the ContextAwareAccessSignalsAllowlist policy.
+
+ For detailed information on valid URL patterns, please see https://support.google.com/chrome/a?p=url_blocklist_filter_format.
+device_only: true
+example_value:
+- https://example1.com
+- example2.com
+- https://foo.example3.com/path
+features:
+ cloud_only: true
+ dynamic_refresh: true
+owners:
+- lmasopust@google.com
+- rodmartin@google.com
+- cbe-device-trust-eng@google.com
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:108-
+tags: []
+type: list
+generate_device_proto: False
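Review bot: The `example_value` list includes `example2.com` with no scheme, next to two `https://` entries. In the URL filter format that `desc` links to, a pattern without a scheme is generally matched for any scheme, so an administrator copying this example may end up offering the attestation flow to a plain-HTTP origin; this reading should be confirmed against the linked format page. For a policy that releases attested device signals on the login and lock screen, the example would be safer as `- https://example2.com`. `desc` could also say that entries should be limited to HTTPS origins the organisation trusts to receive those signals.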
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenGeolocationAccessLevel.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenGeolocationAccessLevel.yaml
new file mode 100755
index 000000000..26b727fa8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenGeolocationAccessLevel.yaml
@@ -0,0 +1,52 @@
+caption: Allow or deny device geolocation access
+desc: |-
+ Set the device-level geolocation access level for
+ $2Google ChromeOS system, that is
+ effective before a user signs in. After sign-in, users can control the
+ geolocation access level via per-user setting.
+
+ If not set or set to Allow, the login screen geolocation
+ access is allowed for the managed devices. If an invalid policy value is sent,
+ the access falls back to
+ Disallow. For unmanaged devices it's always
+ Allow.
+
+ WARNING: Be careful when changing this setting, it could break other policies
+ involving geolocation
+ (e.g. SystemTimezoneAutomaticDetection)!
+ In particular, if this policy is set to Disallow,
+ then the
+ TimezoneAutomaticDetectionSendWiFiAccessPoints
+ and
+ TimezoneAutomaticDetectionSendAllLocationInfo
+ options of the
+ SystemTimezoneAutomaticDetection
+ policy will malfunction and only use the IP-based location
+ resolution on the Log-in screen.
+device_only: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+supported_on:
+- chrome_os:114-
+type: int-enum
+schema:
+ type: integer
+ enum:
+ - 0
+ - 1
+default: 1
+default_for_managed_devices_doc_only: 1
+example_value: 0
+items:
+- caption: Disallow geolocation access on log-in screen.
+ name: Disallow
+ value: 0
+- caption: Allow geolocation access on log-in screen.
+ name: Allow
+ value: 1
+owners:
+- zauri@google.com
+- chromeos-privacyhub@google.com
+tags: []
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenPrimaryMouseButtonSwitch.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenPrimaryMouseButtonSwitch.yaml
new file mode 100755
index 000000000..7f78caf7b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenPrimaryMouseButtonSwitch.yaml
@@ -0,0 +1,34 @@
+caption: Switch the primary mouse button to the right button on the login screen
+default: null
+desc: |-
+ Switch the primary mouse button to the right button on the login screen.
+
+ If this policy is set to enabled, the right button of the mouse will always be the primary key on the login screen.
+
+ If this policy is set to disabled, the left button of the mouse will always be the primary key on the login screen.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the left button of the mouse will be the primary key on the login screen initially, but can be switched by the user anytime.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+items:
+- caption: Right button is primary on the login screen
+ value: true
+- caption: Left button is primary on the login screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:113-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenSaverId.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenSaverId.yaml
new file mode 100755
index 000000000..51bd97b2f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenSaverId.yaml
@@ -0,0 +1,20 @@
+caption: Screen saver to be used on the sign-in screen in retail mode
+deprecated: true
+desc: |-
+ This policy is active in retail mode only.
+
+ Determines the id of the extension to be used as a screen saver on the sign-in screen. The extension must be part of the AppPack that is configured for this domain through the DeviceAppPack policy.
+device_only: true
+example_value: fhblcfnmnbehmifidkddcenilbpddlfk
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome_os:19-40
+tags: []
+type: string
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenSaverTimeout.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenSaverTimeout.yaml
new file mode 100755
index 000000000..296975999
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenSaverTimeout.yaml
@@ -0,0 +1,23 @@
+caption: Duration of inactivity before the screen saver is shown on the sign-in screen
+ in retail mode
+deprecated: true
+desc: |-
+ This policy is active in retail mode only.
+
+ Determines the duration before the screen saver is shown on the sign-in screen for devices in retail mode.
+
+ The policy value should be specified in milliseconds.
+device_only: true
+example_value: 120000
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: integer
+supported_on:
+- chrome_os:19-40
+tags: []
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenTouchVirtualKeyboardEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenTouchVirtualKeyboardEnabled.yaml
new file mode 100755
index 000000000..cf0548de5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenTouchVirtualKeyboardEnabled.yaml
@@ -0,0 +1,35 @@
+caption: Enable the touch virtual keyboard on the login screen
+default: null
+desc: |-
+ Controls the touch virtual keyboard on the login screen, acting as a supplementary policy to the DeviceLoginScreenVirtualKeyboardEnabled policy.
+
+ If accessibility virtual keyboard is turned on, this policy has no effect.
+
+ Otherwise, this policy has the following effect on the login screen:
+ If this policy is not set, the virtual keyboard is displayed based on the default system heuristics, such as whether there are keyboards attached.
+ If this policy is set to True, the virtual keyboard is always displayed.
+ If this policy is set to False, the virtual keyboard is never displayed.
+
+ The virtual keyboard may change to a compact layout depending on the input method.
+device_only: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+future_on:
+- chrome_os
+items:
+- caption: Enable touch virtual keyboard on the login screen
+ value: true
+- caption: Disable touch virtual keyboard on the login screen
+ value: false
+- caption: Enable touch virtual keyboard based on the default system heuristics on the login screen
+ value: null
+owners:
+- shend@chromium.org
+- e14s-eng@google.com
+schema:
+ type: boolean
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenWebHidAllowDevicesForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenWebHidAllowDevicesForUrls.yaml
new file mode 100755
index 000000000..05e4a81e1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenWebHidAllowDevicesForUrls.yaml
@@ -0,0 +1,53 @@
+caption: Automatically grant permission to these sites to connect to HID devices with
+ the given vendor and product IDs on the login screen.
+desc: |-
+ Setting the policy lets you list the URLs that specify which sites are automatically granted permission to access a HID device with the given vendor and product IDs on the login screen. Each item in the list requires both devices and urls fields for the item to be valid, otherwise the item is ignored. Each item in the devices field must have a vendor_id and may have a product_id field. Omitting the product_id field will create a policy matching any device with the specified vendor ID. An item which has a product_id field without a vendor_id field is invalid and is ignored.
+
+ Leaving the policy unset puts the global default value in use for all sites (no automatic access).
+device_only: true
+example_value:
+- devices:
+ - product_id: 5678
+ vendor_id: 1234
+ urls:
+ - https://google.com
+ - https://chromium.org
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- mattreynolds@chromium.org
+- file://third_party/blink/renderer/modules/hid/OWNERS
+schema:
+ items:
+ properties:
+ devices:
+ items:
+ properties:
+ product_id:
+ maximum: 65535
+ minimum: 0
+ type: integer
+ vendor_id:
+ maximum: 65535
+ minimum: 0
+ type: integer
+ required:
+ - vendor_id
+ type: object
+ type: array
+ urls:
+ items:
+ type: string
+ type: array
+ required:
+ - devices
+ - urls
+ type: object
+ type: array
+supported_on:
+- chrome_os:116-
+tags:
+- website-sharing
+type: dict
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenWebUILazyLoading.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenWebUILazyLoading.yaml
new file mode 100755
index 000000000..b410c8a85
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenWebUILazyLoading.yaml
@@ -0,0 +1,33 @@
+caption: Load Login WebUI only when needed.
+default: false
+desc: |-
+ This policy controls whether the WebUI part of the sign-in screen will be always loaded at start or only before showing it. This policy applies to the sign-in screen.
+
+ If this policy is enabled, the WebUI part of the sign-in UI will be loaded only before showing it. This speeds up the login process.
+
+ If this policy is disabled, the WebUI part of the sign-in screen will always be loaded on boot (legacy behavior).
+
+ If unset, behavior will be controlled by kEnableLazyLoginWebUILoading feature.
+
+ This policy should be removed after kEnableLazyLoginWebUILoading is fully rolled out.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- chrome_os
+items:
+- caption: Enable Lazy Login WebUI loading.
+ value: true
+- caption: Disable Lazy Login WebUI loading.
+ value: false
+owners:
+- alemate@chromium.org
+- rsorokin@chromium.org
+- antrim@chromium.org
+schema:
+ type: boolean
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenWebUsbAllowDevicesForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenWebUsbAllowDevicesForUrls.yaml
new file mode 100755
index 000000000..222105272
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceLoginScreenWebUsbAllowDevicesForUrls.yaml
@@ -0,0 +1,50 @@
+caption: Automatically grant permission to these sites to connect to USB devices with
+ the given vendor and product IDs on the login screen.
+desc: |-
+ Setting the policy lets you list the URL patterns that specify which sites are automatically granted permission to access a USB device with the given vendor and product IDs on the login screen. Each item in the list requires both devices and urls fields for the policy to be valid. Each item in the devices field can have a vendor_id and product_id field. Omitting the vendor_id field will create a policy matching any device. Omitting the product_id field will create a policy matching any device with the given vendor ID. A policy which has a product_id field without a vendor_id field is invalid.
+
+ The USB permission model will grant the specified URL permission to access the USB device as a top-level origin. If embedded frames need to access USB devices, the 'usb' feature-policy header should be used to grant access. The URL must be valid, otherwise the policy is ignored.
+
+ Deprecated: The USB permission model used to support specifying both the requesting and embedding URLs. This is deprecated and only supported for backwards compatibility in this manner: if both a requesting and embedding URL is specified, then the embedding URL will be granted the permission as top-level origin and the requesting URL will be ignored entirely.
+
+ Leaving the policy unset puts the global default value in use for all sites (no automatic access).
+device_only: true
+example_value:
+- devices:
+ - product_id: 5678
+ vendor_id: 1234
+ urls:
+ - https://google.com
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reillyg@chromium.org
+- odejesush@chromium.org
+schema:
+ items:
+ properties:
+ devices:
+ items:
+ properties:
+ product_id:
+ type: integer
+ vendor_id:
+ type: integer
+ type: object
+ type: array
+ urls:
+ items:
+ type: string
+ type: array
+ required:
+ - devices
+ - urls
+ type: object
+ type: array
+supported_on:
+- chrome_os:79-
+tags:
+- website-sharing
+type: dict
+generate_device_proto: False
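Review bot: Under `schema`, `vendor_id` and `product_id` are plain `type: integer` with no range, and nothing in the schema rejects an item that has `product_id` without `vendor_id`, although `desc` calls that combination invalid. The sibling DeviceLoginScreenWebHidAllowDevicesForUrls.yaml in this patch bounds both fields with `minimum: 0` and `maximum: 65535`, so out-of-range IDs there fail schema validation instead of relying on later code. Adding the same two bounds here would make the two login-screen device policies consistent. Since `desc` states that omitting `vendor_id` matches any device, it should also say plainly that such an entry grants the listed sites access to every USB device before sign-in.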
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceNativePrintersBlacklist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceNativePrintersBlacklist.yaml
new file mode 100755
index 000000000..a82401f6f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceNativePrintersBlacklist.yaml
@@ -0,0 +1,26 @@
+caption: Disabled enterprise device printers
+deprecated: true
+desc: |-
+ If BlacklistRestriction is chosen for DevicePrintersAccessMode, then setting DeviceNativePrintersBlacklist specifies which printers users can't use. All printers are provided to users, except for the IDs listed in this policy. The IDs must correspond to the "id" or "guid" fields in the file specified in DevicePrinters.
+
+ This policy is deprecated, please use DevicePrintersBlocklist instead.
+device_only: true
+example_value:
+- id1
+- id2
+- id3
+features:
+ dynamic_refresh: true
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:73-100
+tags: []
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceNativePrintersWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceNativePrintersWhitelist.yaml
new file mode 100755
index 000000000..5d33ea06d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceNativePrintersWhitelist.yaml
@@ -0,0 +1,27 @@
+caption: Enabled enterprise device printers
+deprecated: true
+desc: |-
+ If WhitelistPrintersOnly is chosen for DevicePrintersAccessMode, then setting DeviceNativePrintersWhitelist specifies which printers users can use. Only the printers with IDs matching the values in this policy are available to users. The IDs must correspond to the "id" or "guid" fields in the file specified in DevicePrinters.
+
+ This policy is deprecated, please use DevicePrintersAllowlist instead.
+device_only: true
+example_value:
+- id1
+- id2
+- id3
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:73-100
+tags: []
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceOffHours.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceOffHours.yaml
new file mode 100755
index 000000000..91489f76d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceOffHours.yaml
@@ -0,0 +1,49 @@
+caption: Off hours intervals when the specified device policies are released
+desc: Setting the policy means the specified device policies are ignored (use these
+ policies' default settings) during the specified intervals. Device policies are
+ reapplied by $1Google Chrome when the policy
+ period starts or ends. The user is notified and forced to sign out when this period
+ changes and device policy settings change (for example, when a user signs in with
+ a disallowed account).
+device_only: true
+example_value:
+ ignored_policy_proto_tags:
+ - 3
+ - 8
+ intervals:
+ - end:
+ day_of_week: MONDAY
+ time: 21720000
+ start:
+ day_of_week: MONDAY
+ time: 12840000
+ - end:
+ day_of_week: FRIDAY
+ time: 57600000
+ start:
+ day_of_week: FRIDAY
+ time: 38640000
+ timezone: GMT
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- zmin@chromium.org
+schema:
+ properties:
+ ignored_policy_proto_tags:
+ items:
+ type: integer
+ type: array
+ intervals:
+ items:
+ $ref: WeeklyTimeIntervals
+ type: array
+ timezone:
+ type: string
+ type: object
+supported_on:
+- chrome_os:62-
+tags: []
+type: dict
+generate_device_proto: False
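Review bot: `ignored_policy_proto_tags` is typed as a bare integer array and `desc` never says what the numbers refer to, so the example values `3` and `8` do not tell a reader which device policies stop being enforced during an interval. Because this policy suspends enforcement, `desc` should name the source of the tag numbers (presumably field numbers in the device settings proto; confirm) so a reviewer can audit which controls are released. The schema also marks none of `intervals`, `timezone` or `ignored_policy_proto_tags` as `required`; if a partial object is meant to be rejected, that should be expressed there. `desc` uses the `$1Google Chrome` placeholder although `supported_on` lists only `chrome_os`.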
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePciPeripheralDataAccessEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePciPeripheralDataAccessEnabled.yaml
new file mode 100755
index 000000000..a30978ae1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePciPeripheralDataAccessEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable Thunderbolt/USB4 peripheral data access
+desc: |2-
+ If this policy is disabled user will not be able to fully connect their Thunderbolt/USB4 peripheral device through PCIe tunneling.
+
+ If this policy is enabled, user will be able to fully connect their Thunderbolt/USB4 peripheral device through PCIe tunneling.
+
+ If policy is left unset, defaults to false and the user will be able to select whichever state (true/false) for this setting.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enables PCIe tunneling for Thunderbolt/USB4 peripheral devices, peripheral
+ devices will function at their full capabilities
+ value: true
+- caption: Disables PCIe tunneling for Thunderbolt/USB4 peripheral devices, limiting
+ the device capabilities
+ value: false
+owners:
+- jimmyxgong@chromium.org
+- cros-peripheral@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:90-
+tags: []
+type: main
+generate_device_proto: False
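Review bot: The third paragraph of `desc` says an unset policy "defaults to false" and, in the same sentence, that the user may select either state, which reads as if unset were the same as Disabled. Unset appears to leave the choice to the user while Disabled enforces the limit, so the sentence could read `If the policy is left unset, the setting starts out off and the user can change it.` The text also gives no reason for limiting data access, and `tags` is empty. PCIe tunneling generally lets a peripheral reach system memory directly, so one sentence such as `Enable only where the attached Thunderbolt/USB4 peripherals are trusted.` would help an administrator weigh the setting. Whether the platform adds its own isolation is not visible in this file.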
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePolicyRefreshRate.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePolicyRefreshRate.yaml
new file mode 100755
index 000000000..0cdb16c65
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePolicyRefreshRate.yaml
@@ -0,0 +1,22 @@
+caption: Refresh rate for Device Policy
+default: 10800000
+desc: |-
+ Setting the policy specifies the period in milliseconds at which the device management service is queried for device policy information. Valid values range from 1,800,000 (30 minutes) to 86,400,000 (1 day). Values outside this range will be clamped to the respective boundary.
+
+ Leaving the policy unset means $2Google ChromeOS uses the default value of 3 hours.
+
+ Note: Policy notifications force a refresh when the policy changes, making frequent refreshes unnecessary. So, if the platform supports these notifications, the refresh delay is 24 hours (ignoring defaults and the value of this policy).
+device_only: true
+example_value: 3600000
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ type: integer
+supported_on:
+- chrome_os:11-
+tags: []
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePostQuantumKeyAgreementEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePostQuantumKeyAgreementEnabled.yaml
new file mode 100755
index 000000000..1f5d65150
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePostQuantumKeyAgreementEnabled.yaml
@@ -0,0 +1,39 @@
+caption: Enable post-quantum key agreement for TLS for device
+default: true
+desc: |-
+ This device-level policy configures whether $2Google ChromeOS will offer a post-quantum key agreement algorithm in TLS. In future versions, the algorithm will be ML-KEM, a NIST post-quantum standard. Initially, the algorithm was Kyber, an earlier draft iteration of the standard. This allows supporting servers to protect user traffic from being later decrypted by quantum computers.
+
+ If this policy is Enabled, $2Google ChromeOS will offer a post-quantum key agreement in TLS connections. User traffic will then be protected from quantum computers when communicating with compatible servers.
+
+ If this policy is Disabled, $2Google ChromeOS will not offer a post-quantum key agreement in TLS connections. User traffic will then be unprotected from quantum computers.
+
+ If this policy is not set, $2Google ChromeOS will follow the default rollout process for offering a post-quantum key agreement.
+
+ Offering Kyber is backwards-compatible. Existing TLS servers and networking middleware are expected to ignore the new option and continue selecting previous options.
+
+ However, devices that do not correctly implement TLS may malfunction when offered the new option. For example, they may disconnect in response to unrecognized options or the resulting larger messages. Such devices are not post-quantum-ready and will interfere with an enterprise's post-quantum transition. If encountered, administrators should contact the vendor for a fix.
+
+ This policy is a temporary measure and will be removed sometime after $2Google ChromeOS version 141. It may be Enabled to allow you to test for issues, and may be Disabled while issues are being resolved.
+
+ If both this policy and the PostQuantumKeyAgreementEnabled policy are set, this policy will take precedence.
+
+example_value: true
+device_only: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable post-quantum key agreement for TLS
+ value: true
+- caption: Disable post-quantum key agreement for TLS
+ value: false
+owners:
+- file://crypto/OWNERS
+- trusty-transport@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:128-
+tags:
+- system-security
+type: main
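Review bot: The `desc` names two algorithms inconsistently. The first paragraph says the algorithm will be ML-KEM and was initially Kyber, while the compatibility paragraph still says "Offering Kyber is backwards-compatible". Making that sentence algorithm-neutral avoids implying that the compatibility statement covers only the draft, for example `Offering a post-quantum key agreement is backwards-compatible.` The Disabled paragraph could also state that traffic recorded now remains open to later decryption, so that Disabled reads as the temporary workaround the last paragraphs describe. This file has no `generate_device_proto` line, unlike most of the `device_only` files in this patch; that may be intentional but is worth confirming.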
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePowerwashAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePowerwashAllowed.yaml
new file mode 100755
index 000000000..5e5cf59aa
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePowerwashAllowed.yaml
@@ -0,0 +1,25 @@
+caption: Allow the device to request powerwash
+desc: |-
+ Setting the policy to Enabled or leaving it unset lets a device trigger powerwash.
+
+ Setting the policy to Disabled doesn't let a device trigger powerwash. An exception to still allow a powerwash can occur if TPMFirmwareUpdateSettings is set to a value that lets the TPM firmware update, but it hasn't updated yet.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow the device to request powerwash
+ value: true
+- caption: Do not allow the device to request powerwash
+ value: false
+owners:
+- file://components/policy/OWNERS
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:77-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceQuirksDownloadEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceQuirksDownloadEnabled.yaml
new file mode 100755
index 000000000..1cc5afd7c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceQuirksDownloadEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable queries to Quirks Server for hardware profiles
+default: true
+desc: |-
+ The Quirks Server provides hardware-specific configuration files, like
+ ICC display profiles to adjust monitor calibration.
+
+ When this policy is set to false, the device will not attempt to
+ contact the Quirks Server to download configuration files.
+
+ If this policy is true or not configured then $2Google ChromeOS will automatically contact the Quirks Server and download configuration files, if available, and store them on the device. Such files might, for example, be used to improve display quality of attached monitors.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Allow queries to the Quirks Server and potentially downloading hardware-specific
+ configuration files
+ value: true
+- caption: Do not query Quirks Servers
+ value: false
+owners:
+- glevin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:51-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceRebootOnUserSignout.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceRebootOnUserSignout.yaml
new file mode 100755
index 000000000..a5e5bc2be
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceRebootOnUserSignout.yaml
@@ -0,0 +1,41 @@
+caption: Force device reboot when user sign out
+desc: "\n This policy, when set to ArcSession, forces the device to reboot when\
+ \ a user sign out if Android has started.\n This policy, when set to ArcSessionOrVMStart,\
+ \ forces the device to reboot when a user sign out if Android or a VM has started.\n\
+ \ When set to Always, it forces the device to reboot on every user sign out.\n\
+ \ If left unset, it has no effect and no reboot is forced on user sign out.\
+ \ The same applies if set to Never.\n This policy has effect only for unaffiliated\
+ \ users.\n "
+device_only: true
+example_value: 2
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Do not reboot on user sign out.
+ name: Never
+ value: 1
+- caption: Reboot on user sign out if Android has started.
+ name: ArcSession
+ value: 2
+- caption: Always reboot on user sign out.
+ name: Always
+ value: 3
+- caption: Reboot on user sign out if Android or a VM has started.
+ name: ArcSessionOrVMStart
+ value: 4
+owners:
+- file://components/policy/OWNERS
+schema:
+ enum:
+ - 1
+ - 2
+ - 3
+ - 4
+ type: integer
+supported_on:
+- chrome_os:76-
+tags:
+- system-security
+type: int-enum
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceReleaseLtsTag.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceReleaseLtsTag.yaml
new file mode 100755
index 000000000..4b992c75a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceReleaseLtsTag.yaml
@@ -0,0 +1,18 @@
+caption: Allow device to receive LTS updates
+desc: If this policy is set to "lts" it allows
+ the device to receive LTS (long term support) updates.
+device_only: true
+example_value: lts
+features:
+ dynamic_refresh: true
+owners:
+- vsavu@google.com
+- mpolzer@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ type: string
+supported_on:
+- chrome_os:86-
+tags: []
+type: string
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceRestrictedManagedGuestSessionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceRestrictedManagedGuestSessionEnabled.yaml
new file mode 100755
index 000000000..3a402762a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceRestrictedManagedGuestSessionEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Restricted managed guest sessions
+default: false
+desc: |-
+ The policy only applies to managed guest sessions. It has to be enabled for Imprivata's shared workstation mode to allow in-session user switches.
+ Setting the policy to True will forcefully override certain policies for features, which persist sensitive user data and are not handled by the clean-up mechanism used for in-session user switches with Imprivata shared workstation mode.
+ Setting the policy to False or leaving it unset will not override any policies.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable restricted managed guest session.
+ value: true
+- caption: Disable restricted managed guest session.
+ value: false
+owners:
+- mpetrisor@chromium.org
+- hendrich@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:96-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceRestrictionSchedule.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceRestrictionSchedule.yaml
new file mode 100755
index 000000000..c5a6dc154
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceRestrictionSchedule.yaml
@@ -0,0 +1,33 @@
+caption: Specify weekly intervals when ChromeOS devices cannot be used
+desc: |-
+ This policy specifies a list of weekly intervals during which the $2Google ChromeOS device cannot be used. Any ongoing sessions will be closed and login will be blocked.
+
+ Overlapping intervals are not supported.
+
+ $2Google ChromeOS devices will use the system timezone to apply these intervals.
+device_only: true
+example_value:
+- start:
+ day_of_week: WEDNESDAY
+ milliseconds_since_midnight: 43200000
+ end:
+ day_of_week: WEDNESDAY
+ milliseconds_since_midnight: 75600000
+- start:
+ day_of_week: FRIDAY
+ milliseconds_since_midnight: 64800000
+ end:
+ day_of_week: MONDAY
+ milliseconds_since_midnight: 21600000
+features:
+ dynamic_refresh: true
+owners:
+- isandrk@chromium.org
+schema:
+ items:
+ $ref: WeeklyTimeIntervalChecked
+ type: array
+future_on:
+- chrome_os
+tags: []
+type: dict
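Review bot: The `desc` says the intervals are applied in the system timezone but does not say what happens when that timezone changes, or whether a user is able to change it. If the timezone is user-adjustable, the blocked window moves with it, so the text should tell administrators to fix the timezone by policy, for example `Set the SystemTimezone policy as well so that the intervals cannot shift with a timezone change.` "Overlapping intervals are not supported" also leaves open whether such a value is rejected as a whole or partly applied. Stating the outcome matters because a silently ignored schedule leaves the device usable.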
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceScheduledReboot.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceScheduledReboot.yaml
new file mode 100755
index 000000000..46a5e67df
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceScheduledReboot.yaml
@@ -0,0 +1,59 @@
+caption: Set custom schedule to reboot devices
+desc: |
+ Allows setting a custom schedule to reboot devices. Once set to True, the device will reboot to the schedule. The policy must be removed to cancel any more scheduled reboots.
+
+ In user sessions and guest sessions, the following applies:
+
+ * The users are notified that the restart will occur 1 hour before the scheduled time. They have an option to restart then or wait for the scheduled reboot. The scheduled reboot cannot be deferred.
+
+ * There is a 1 hour grace period after the device is booted. Scheduled reboots are skipped during this period and rescheduled for the next day, week, or month, depending on the setting.
+
+ In kiosk sessions, there is no grace period and no notifications about the reboot.
+device_only: true
+example_value:
+ day_of_month: 11
+ day_of_week: TUESDAY
+ frequency: WEEKLY
+ reboot_time:
+ hour: 22
+ minute: 30
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- rbock@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ properties:
+ day_of_month:
+ description: Day of month [1-31] when the reboot should happen, interpreted
+ in the device's local time zone. Only used when 'frequency' is 'MONTHLY'.
+ If this is more than the maximum number of days in a given month then the
+ last day of the month will be chosen.
+ maximum: 31
+ minimum: 1
+ type: integer
+ day_of_week:
+ $ref: WeekDay
+ description: Day of week when the reboot should happen, interpreted in the device's
+ local time zone. Only used when 'frequency' is 'WEEKLY'.
+ frequency:
+ description: Frequency at which the reboot should recur.
+ enum:
+ - DAILY
+ - WEEKLY
+ - MONTHLY
+ type: string
+ reboot_time:
+ $ref: Time
+ description: Time when the reboot should happen, interpreted in the device's
+ local time zone.
+ required:
+ - reboot_time
+ - frequency
+ type: object
+supported_on:
+- chrome_os:94-
+tags: []
+type: dict
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceScheduledUpdateCheck.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceScheduledUpdateCheck.yaml
new file mode 100755
index 000000000..a2b5f14ba
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceScheduledUpdateCheck.yaml
@@ -0,0 +1,54 @@
+caption: Set custom schedule to check for updates
+desc: Allows setting a custom schedule to check for updates. This applies to all users,
+ and to all interfaces on the device. Once set, the device will check for updates
+ according to the schedule. The policy must be removed to cancel any more scheduled
+ update checks.
+device_only: true
+example_value:
+ day_of_month: 11
+ day_of_week: MONDAY
+ frequency: WEEKLY
+ update_check_time:
+ hour: 23
+ minute: 35
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- asumaneev@google.com
+- crisguerrero@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ properties:
+ day_of_month:
+ description: Day of month [1-31] when the update check should happen, interpreted
+ in the device's local time zone. Only used when 'frequency' is 'MONTHLY'.
+ If this is more than the maximum number of days in a given month then the
+ last day of the month will be chosen.
+ maximum: 31
+ minimum: 1
+ type: integer
+ day_of_week:
+ $ref: WeekDay
+ description: Day of week when the update check should happen, interpreted in
+ the device's local time zone. Only used when 'frequency' is 'WEEKLY'.
+ frequency:
+ description: Frequency with which the update check should recur.
+ enum:
+ - DAILY
+ - WEEKLY
+ - MONTHLY
+ type: string
+ update_check_time:
+ $ref: Time
+ description: Time when the update check should happen, interpreted in the device's
+ local time zone.
+ required:
+ - update_check_time
+ - frequency
+ type: object
+supported_on:
+- chrome_os:75-
+tags: []
+type: dict
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceShowLowDiskSpaceNotification.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceShowLowDiskSpaceNotification.yaml
new file mode 100755
index 000000000..39d7002a1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceShowLowDiskSpaceNotification.yaml
@@ -0,0 +1,33 @@
+caption: Show notification when disk space is low
+default: false
+default_for_managed_devices_doc_only: false
+desc: |-
+ Allows enabling or disabling a notification when disk space is low. This applies to all users on the device.
+
+ Setting policy to Enabled, an notification will be shown when remaining disk space is low.
+
+ Setting policy to Disabled or not set, there won't be any low disk space notification.
+
+ This policy is ignored and the notification is always shown if the device is unmanaged or there is only one user.
+
+ If there are multiple user accounts on a managed device, the notification will only be shown when this policy is enabled.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Always show low disk space warnings
+ value: true
+- caption: Only show low disk space warnings if the device is unmanged or there is
+ only 1 user
+ value: false
+owners:
+- vsavu@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:86-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceStartUpUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceStartUpUrls.yaml
new file mode 100755
index 000000000..837c4a7c4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceStartUpUrls.yaml
@@ -0,0 +1,24 @@
+caption: Load specified urls on demo login
+deprecated: true
+desc: |-
+ This policy is active in retail mode only.
+
+ Determines the set of URLs to be loaded when the demo session is started. This policy will override any other mechanisms for setting the initial URL and thus can only be applied to a session not associated with a particular user.
+device_only: true
+example_value:
+- https://google.com
+- chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaa/
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:19-40
+tags: []
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceSwitchFunctionKeysBehaviorEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceSwitchFunctionKeysBehaviorEnabled.yaml
new file mode 100755
index 000000000..76929e6fd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceSwitchFunctionKeysBehaviorEnabled.yaml
@@ -0,0 +1,40 @@
+caption: Controls the setting "Use the launcher/search key to change the
+ behavior of function keys"
+desc: |-
+ This policy controls the setting "Use the launcher/search key to change the
+ behavior of function keys". This setting allows users to hold the launcher key
+ to change between function keys and system top-row keys.
+
+ If this policy is unset, users can freely choose the value of the setting "Use
+ the launcher/search key to change the behavior of function keys".
+ If this policy is disabled, the launcher/search key will be not be able to
+ change the behavior of function keys, and this setting will not be changeable
+ by users.
+ If this policy is enabled, the launcher/search key will be able to change the
+ behavior of function keys, and this setting will not be changeable by users.
+default: null
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: The launcher/search key will be able to change the behavior of
+ function keys, and this setting will not be changeable by users.
+ value: true
+- caption: The launcher/search key will not be able to change the behavior of
+ function keys, and this setting will not be changeable by users.
+ value: false
+- caption: Users can freely change the value of the setting "Use the
+ launcher/search key to change the behavior of function keys".
+ value: null
+owners:
+- cambickel@google.com
+- cros-peripherals@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:122-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceSystemAecEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceSystemAecEnabled.yaml
new file mode 100755
index 000000000..f70112f32
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceSystemAecEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Enable system audio echo cancellation
+default: false
+desc: |-
+ Enable the system audio echo cancellation (AEC) feature. System AEC is an acoustic echo canceller,
+ i.e. an audio processing module which removes system audio playback (echo) from the microphone signal.
+ This policy is temporary and will be removed as soon as system audio echo cancellation is launched.
+
+ If this policy is set to true, system audio echo cancellation will always be enabled.
+
+ If this policy is set to false or unset, system audio echo cancellation may still be
+ enabled based on its launch plan, but it is not enforced by this policy.
+example_value: false
+device_only: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- chrome_os
+items:
+- caption: Enable system audio echo cancellation
+ value: true
+- caption: Do not enforce system audio echo cancellation
+ value: false
+owners:
+- file://media/audio/OWNERS
+- simonha@chromium.org
+schema:
+ type: boolean
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceSystemWideTracingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceSystemWideTracingEnabled.yaml
new file mode 100755
index 000000000..4b16cfddf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceSystemWideTracingEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Allow collection of system-wide performance trace
+default: false
+default_for_managed_devices_doc_only: false
+desc: |-
+ This setting allows to collect a system-wide performance trace using the system tracing service.
+
+ If this policy is disabled, the user cannot collect a system-wide trace using the system tracing service.
+ If this policy is enabled, the user can collect a system-wide trace using system tracing service.
+ If unset, this policy is disabled for managed devices and enabled for consumer-owned devices.
+ Note that setting this policy to disabled only disables system-wide trace collection. Browser trace collection is unaffected by this policy.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow users to collect a system-wide performance trace.
+ value: true
+- caption: Prevent users from colecting a system-wide performance trace.
+ value: false
+owners:
+- chinglinyu@chromium.org
+- eseckler@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:90-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceUserWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceUserWhitelist.yaml
new file mode 100755
index 000000000..7d49cc14a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceUserWhitelist.yaml
@@ -0,0 +1,35 @@
+arc_support: This policy controls who may start a $2ChromiumOS
+ session. It does not prevent users from signing in to additional Google accounts
+ within Android. If you want to prevent this, configure the Android-specific accountTypesWithManagementDisabled
+ policy as part of ArcPolicy.
+caption: Login user white list
+deprecated: true
+desc: "Defines the list of users that are allowed to login to the device. Entries\
+ \ are of the form user@domain, such\
+ \ as madmax@managedchrome.com. To\
+ \ allow arbitrary users on a domain, use entries of the form *@domain.\n\n If this policy is not configured, there are no restrictions\
+ \ on which users are allowed to sign in. Note that creating new users still requires\
+ \ the DeviceAllowNewUsers policy\
+ \ to be configured appropriately.\n\n This policy is deprecated, please use\
+ \ DeviceUserAllowlist instead.\n\
+ \ "
+device_only: true
+example_value:
+- madmax@managedchrome.com
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- acostinas@google.com
+schema:
+ items:
+ type: string
+ sensitiveValue: true
+ type: array
+supported_on:
+- chrome_os:12-100
+tags: []
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceVariationsRestrictParameter.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceVariationsRestrictParameter.yaml
new file mode 100755
index 000000000..de24b84a9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DeviceVariationsRestrictParameter.yaml
@@ -0,0 +1,22 @@
+caption: Set the restriction on the fetching of the Variations seed
+desc: |-
+ Add a parameter to the fetching of the Variations seed in $2Google ChromeOS.
+
+ If specified, will add a query parameter called 'restrict' to the URL used to fetch the Variations seed. The value of the parameter will be the value specified in this policy.
+
+ If not specified, will not modify the Variations seed URL.
+device_only: true
+example_value: restricted
+features:
+ dynamic_refresh: false
+ internal_only: true
+owners:
+- file://components/variations/OWNERS
+- rkaplow@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome_os:28-
+tags: []
+type: string
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/Disable3DAPIs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/Disable3DAPIs.yaml
new file mode 100755
index 000000000..39e2e3ff7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/Disable3DAPIs.yaml
@@ -0,0 +1,26 @@
+caption: Disable support for 3D graphics APIs
+desc: |-
+ Setting the policy to True (or setting HardwareAccelerationModeEnabled to False) prevents webpages from accessing the WebGL API, and plugins can't use the Pepper 3D API.
+
+ Setting the policy to False or leaving it unset lets webpages use the WebGL API and plugins use the Pepper 3D API, but the browser's default settings might still require command line arguments to use these APIs.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Disable support for 3D graphics APIs
+ value: true
+- caption: Enable support for 3D graphics APIs
+ value: false
+owners:
+- kbr@chromium.org
+- zmo@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:9-
+- chrome_os:11-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisablePluginFinder.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisablePluginFinder.yaml
new file mode 100755
index 000000000..a84ae6bb6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisablePluginFinder.yaml
@@ -0,0 +1,26 @@
+caption: Specify whether the plugin finder should be disabled (deprecated)
+deprecated: true
+desc: |-
+ This policy has been removed as of $1Google Chrome 64.
+
+ Automatic search and installation of missing plugins is no longer supported.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable the plugin finder
+ value: true
+- caption: Disable the plugin finder
+ value: false
+label: Disable plugin finder (deprecated)
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:11-64
+- chrome_os:11-64
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisableSSLRecordSplitting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisableSSLRecordSplitting.yaml
new file mode 100755
index 000000000..a413ad8ea
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisableSSLRecordSplitting.yaml
@@ -0,0 +1,20 @@
+caption: Disable TLS False Start
+deprecated: true
+desc: |-
+ Specifies whether the TLS False Start optimization should be disabled. For historical reasons, this policy is named DisableSSLRecordSplitting.
+
+ If the policy is not set, or is set to false, then TLS False Start will be enabled. If it is set to true, TLS False Start will be disabled.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- file://crypto/OWNERS
+- agl@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:18-46
+- chrome_os:18-46
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisableScreenshots.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisableScreenshots.yaml
new file mode 100755
index 000000000..d2ddc5d3c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisableScreenshots.yaml
@@ -0,0 +1,29 @@
+caption: Disable taking screenshots
+default: false
+desc: |-
+ Setting the policy to Enabled disallows screenshots taken with keyboard shortcuts
+ or extension APIs. Setting the policy to Disabled or not set allows screenshots.
+
+ Note that on Microsoft® Windows®, macOS and Linux,
+ this does not prevent screenshots that are taken with operating system or third party applications.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Do not allow users to take screenshots or video recordings
+ value: true
+- caption: Allow users to take screenshots and video recordings
+ value: false
+owners:
+- file://components/policy/OWNERS
+- poromov@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:22-
+- chrome.*:22-
+tags: []
+type: main
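Review bot: The `desc` speaks only of screenshots, but both `items` captions say `screenshots or video recordings`, so the scope of the restriction is stated two different ways in the same file. If recordings are covered (the captions suggest so, but the implementation is not visible here), the desc should say it, e.g. `Setting the policy to Enabled disallows screenshots and video recordings taken with keyboard shortcuts or extension APIs.` The existing note that operating-system and third-party capture tools are not blocked on Windows, macOS and Linux should stay prominent, since it limits how far the policy can be relied on as a data-loss control.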
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisableSpdy.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisableSpdy.yaml
new file mode 100755
index 000000000..c1125134b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisableSpdy.yaml
@@ -0,0 +1,27 @@
+caption: Disable SPDY protocol
+deprecated: true
+desc: |-
+ This policy is deprecated in M53 and removed in M54, because SPDY/3.1 support is removed.
+
+ Disables use of the SPDY protocol in $1Google Chrome.
+
+ If this policy is enabled the SPDY protocol will not be available in $1Google Chrome.
+
+ Setting this policy to disabled will allow the usage of SPDY.
+
+ If this policy is left not set, SPDY will be available.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- bnc@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-53
+- chrome_os:11-53
+- android:30-53
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisabledPlugins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisabledPlugins.yaml
new file mode 100755
index 000000000..f7faee5bf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisabledPlugins.yaml
@@ -0,0 +1,34 @@
+caption: Specify a list of disabled plugins
+deprecated: true
+desc: |-
+ This policy is deprecated. Please use the DefaultPluginsSetting to control the availability of the Flash plugin and AlwaysOpenPdfExternally to control whether the integrated PDF viewer should be used for opening PDF files.
+
+ Specifies a list of plugins that are disabled in $1Google Chrome and prevents users from changing this setting.
+
+ The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\', so to match actual '*', '?', or '\' characters, you can put a '\' in front of them.
+
+ If you enable this setting, the specified list of plugins is never used in $1Google Chrome. The plugins are marked as disabled in 'about:plugins' and users cannot enable them.
+
+ Note that this policy can be overridden by EnabledPlugins and DisabledPluginsExceptions.
+
+ If this policy is left not set the user can use any plugin installed on the system except for hard-coded incompatible, outdated or dangerous plugins.
+example_value:
+- Java
+- Shockwave Flash
+- Chrome PDF Viewer
+features:
+ dynamic_refresh: true
+ per_profile: true
+label: List of disabled plugins
+owners:
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:8-87
+- chrome_os:11-87
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisabledPluginsExceptions.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisabledPluginsExceptions.yaml
new file mode 100755
index 000000000..42e48f586
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisabledPluginsExceptions.yaml
@@ -0,0 +1,36 @@
+caption: Specify a list of plugins that the user can enable or disable
+deprecated: true
+desc: |-
+ This policy is deprecated. Please use the DefaultPluginsSetting to control the availability of the Flash plugin and AlwaysOpenPdfExternally to control whether the integrated PDF viewer should be used for opening PDF files.
+
+ Specifies a list of plugins that user can enable or disable in $1Google Chrome.
+
+ The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\', so to match actual '*', '?', or '\' characters, you can put a '\' in front of them.
+
+ If you enable this setting, the specified list of plugins can be used in $1Google Chrome. Users can enable or disable them in 'about:plugins', even if the plugin also matches a pattern in DisabledPlugins. Users can also enable and disable plugins that don't match any patterns in DisabledPlugins, DisabledPluginsExceptions and EnabledPlugins.
+
+ This policy is meant to allow for strict plugin blocking where the 'DisabledPlugins' list contains wildcarded entries like disable all plugins '*' or disable all Java plugins '*Java*' but the administrator wishes to enable some particular version like 'IcedTea Java 2.3'. This particular versions can be specified in this policy.
+
+ Note that both the plugin name and the plugin's group name have to be exempted. Each plugin group is shown in a separate section in about:plugins; each section may have one or more plugins. For example, the "Shockwave Flash" plugin belongs to the "Adobe Flash Player" group, and both names have to have a match in the exceptions list if that plugin is to be exempted from the blocklist.
+
+ If this policy is left not set any plugin that matches the patterns in the 'DisabledPlugins' will be locked disabled and the user won't be able to enable them.
+example_value:
+- Java
+- Shockwave Flash
+- Chrome PDF Viewer
+features:
+ dynamic_refresh: true
+ per_profile: true
+label: List of exceptions to the list of disabled plugins
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:11-87
+- chrome_os:11-87
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisabledSchemes.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisabledSchemes.yaml
new file mode 100755
index 000000000..9e241ad54
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisabledSchemes.yaml
@@ -0,0 +1,29 @@
+caption: Disable URL protocol schemes
+deprecated: true
+desc: |-
+ This policy is deprecated, please use URLBlocklist instead.
+
+ Disables the listed protocol schemes in $1Google Chrome.
+
+ URLs using a scheme from this list will not load and can not be navigated to.
+
+ If this policy is left not set or the list is empty all schemes will be accessible in $1Google Chrome.
+example_value:
+- file
+- https
+features:
+ dynamic_refresh: true
+ per_profile: true
+label: List of disabled protocol schemes
+owners:
+- file://components/policy/OWNERS
+- zmin@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:12-
+- chrome_os:12-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DiskCacheDir.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DiskCacheDir.yaml
new file mode 100755
index 000000000..6a9cdb083
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DiskCacheDir.yaml
@@ -0,0 +1,23 @@
+caption: Set disk cache directory
+desc: |-
+ Setting the policy has $1Google Chrome use the directory you provide for storing cached files on the disk—whether or not users specify the --disk-cache-dir flag.
+
+ If not set, $1Google Chrome uses the default cache directory, but users can change that setting with the --disk-cache-dir command line flag.
+
+ $1Google Chrome manages the contents of a volume's root directory. So to avoid data loss or other errors, do not set this policy to the root directory or any directory used for other purposes. See the variables you can use ( https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables ).
+example_value: ${user_home}/Chrome_cache
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+label: Set disk cache directory
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:13-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DiskCacheSize.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DiskCacheSize.yaml
new file mode 100755
index 000000000..b28814790
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DiskCacheSize.yaml
@@ -0,0 +1,25 @@
+caption: Set disk cache size in bytes
+desc: |-
+ Setting the policy to None has $1Google Chrome use the default cache size for storing cached files on the disk. Users can't change it.
+
+ If you set the policy, $1Google Chrome uses the cache size you provide—whether or not users specify the --disk-cache-size flag. (Values below a few megabytes are rounded up.)
+
+ If not set, $1Google Chrome uses the default size. Users can change that setting using the --disk-cache-size flag.
+
+ Note: The value specified in this policy is used as a hint to various cache subsystems in the browser. Therefore the actual total disk consumption of all caches will be higher but within the same order of magnitude as the value specified.
+example_value: 104857600
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+label: Set disk cache size
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: integer
+supported_on:
+- chrome.*:17-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisplayCapturePermissionsPolicyEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisplayCapturePermissionsPolicyEnabled.yaml
new file mode 100755
index 000000000..bc8bf82ac
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DisplayCapturePermissionsPolicyEnabled.yaml
@@ -0,0 +1,37 @@
+caption: Specifies whether the display-capture permissions-policy is checked or skipped.
+default: true
+deprecated: true
+desc: |2-
+
+ The display-capture permissions-policy gates access to getDisplayMedia(), as per this spec: https://www.w3.org/TR/screen-capture/#feature-policy-integration. However, if this policy is Disabled, this requirement is not enforced, and getDisplayMedia() is allowed from contexts that would otherwise be forbidden. This Enterprise policy is temporary; it's intended to be removed after $1Google Chrome version 100. It is intended to unblock Enterprise users whose application is non-spec compliant, but needs time to be fixed.
+
+ When enabled or not set, sites can only call getDisplayMedia() from contexts which are allowlisted by the display-capture permissions-policy.
+
+ When disabled, sites can call getDisplayMedia() even from contexts which are not allowlisted by the display-capture permissions policy. Note that other restrictions may still apply.
+device_only: false
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: |2-
+
+ Calls to getDisplayMedia originating from non-allowlisted contexts
+ are denied.
+ value: true
+- caption: |2-
+
+ Calls are not denied on account of originating from non-allowlisted
+ contexts. (Calls may still be denied for other reasons.)
+ value: false
+owners:
+- eladalon@chromium.org
+- guidou@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:94-107
+- chrome_os:94-107
+tags:
+- system-security
+type: main
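Review bot: The `desc` still says the policy is "intended to be removed after $1Google Chrome version 100", while `supported_on` ends at 107 for both `chrome.*` and `chrome_os`. Disabling the policy lets getDisplayMedia() run from contexts the display-capture permissions-policy would otherwise forbid, so the documented lifetime should match the real one. Something like `This Enterprise policy was temporary and is no longer supported after $1Google Chrome version 107.` would bring the text in line with the `supported_on` range.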
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DnsOverHttpsMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DnsOverHttpsMode.yaml
new file mode 100755
index 000000000..a3aa1670a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DnsOverHttpsMode.yaml
@@ -0,0 +1,45 @@
+caption: Controls the mode of DNS-over-HTTPS
+default_for_enterprise_users: 'off'
+desc: |-
+ Controls the mode of the DNS-over-HTTPS resolver. Please note that this policy will only set the default mode for each query. The mode may be overridden for special types of queries such as requests to resolve a DNS-over-HTTPS server hostname.
+
+ The "off" mode will disable DNS-over-HTTPS.
+
+ The "automatic" mode will send DNS-over-HTTPS queries first if a DNS-over-HTTPS server is available and may fallback to sending insecure queries on error.
+
+ The "secure" mode will only send DNS-over-HTTPS queries and will fail to resolve on error.
+
+ On Android Pie and above, if DNS-over-TLS is active, $1Google Chrome will not send insecure DNS requests.
+
+ If this policy is unset the browser may send DNS-over-HTTPS requests to a resolver associated with the user's configured system resolver.
+example_value: 'off'
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Disable DNS-over-HTTPS
+ name: 'off'
+ value: 'off'
+- caption: Enable DNS-over-HTTPS with insecure fallback
+ name: automatic
+ value: automatic
+- caption: Enable DNS-over-HTTPS without insecure fallback
+ name: secure
+ value: secure
+owners:
+- ericorth@chromium.org
+- bingler@chromium.org
+schema:
+ enum:
+ - 'off'
+ - automatic
+ - secure
+ type: string
+supported_on:
+- android:85-
+- chrome_os:78-
+- chrome.*:78-
+tags: []
+type: string-enum
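Review bot: The last `desc` paragraph says an unset policy may send DNS-over-HTTPS requests, but `default_for_enterprise_users: 'off'` suggests managed users get DoH disabled when it is unset, and the text never mentions that. Consider adding a sentence such as `For enterprise-managed users, leaving the policy unset is equivalent to "off".`, assuming that is what the field means for this policy. The desc could also state directly that only `secure` rules out insecure queries, since `automatic` "may fallback to sending insecure queries on error".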
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DnsOverHttpsTemplates.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DnsOverHttpsTemplates.yaml
new file mode 100755
index 000000000..d6c638a5b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DnsOverHttpsTemplates.yaml
@@ -0,0 +1,28 @@
+caption: Specify URI template of desired DNS-over-HTTPS resolver
+desc: |-
+ The URI template of the desired DNS-over-HTTPS resolver. To specify multiple DNS-over-HTTPS resolvers, separate the corresponding URI templates with spaces.
+
+ If the DnsOverHttpsMode is set to "secure" then this policy must be set and not empty. On $2Google ChromeOS only, either this policy or the DnsOverHttpsTemplatesWithIdentifiers must be set, otherwise the DNS resolution will fail.
+
+ If the DnsOverHttpsMode is set to "automatic" and this policy is set then the URI templates specified will be used; if this policy is unset then hardcoded mappings will be used to attempt to upgrade the user's current DNS resolver to a DoH resolver operated by the same provider.
+
+ If the URI template contains a dns variable, requests to the resolver will use GET; otherwise requests will use POST.
+
+ Incorrectly formatted templates will be ignored.
+example_value: https://dns.example.net/dns-query{?dns}
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- ericorth@chromium.org
+- bingler@chromium.org
+schema:
+ type: string
+supported_on:
+- android:85-
+- chrome_os:80-
+- chrome.*:80-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DnsPrefetchingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DnsPrefetchingEnabled.yaml
new file mode 100755
index 000000000..41f223737
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DnsPrefetchingEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Enable network prediction
+deprecated: true
+desc: |-
+ This policy is deprecated in M48 in favor of NetworkPredictionOptions, and removed in M54.
+
+ Enables network prediction in $1Google Chrome and prevents users from changing this setting.
+
+ This controls not only DNS prefetching but also TCP and SSL preconnection and prerendering of web pages. The policy name refers to DNS prefetching for historical reasons.
+
+ If you enable or disable this setting, users cannot change or override this setting in $1Google Chrome.
+
+ If this policy is left not set, this will be enabled but the user will be able to change it.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- poromov@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-53
+- chrome_os:11-53
+- android:30-53
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DocumentScanAPITrustedExtensions.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DocumentScanAPITrustedExtensions.yaml
new file mode 100755
index 000000000..425f44cfd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DocumentScanAPITrustedExtensions.yaml
@@ -0,0 +1,25 @@
+caption: Extensions allowed to skip confirmation dialogs when accessing scanners via
+ chrome.documentScan API
+desc: |-
+ This policy specifies extensions that are allowed to skip confirmation dialogs when they use the Document Scanning API functions chrome.documentScan.getScannerList() and chrome.documentScan.startScan().
+
+ If the policy is set to a non-empty list and an extension is in the list, the scanning confirmation dialogs normally shown to the user when chrome.documentScan.getScannerList() or chrome.documentScan.startScan() are called will be suppressed for that extension.
+
+ If the policy is unset or set to an empty list, scanning confirmation dialogs will be shown to the user when chrome.documentScan.getScannerList() or chrome.documentScan.startScan() are called.
+example_value:
+- abcdefghabcdefghabcdefghabcdefgh
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- bmgordon@chromium.org
+- chromeos-commercial-printing@google.com
+- nmuggli@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:123-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DomainReliabilityAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DomainReliabilityAllowed.yaml
new file mode 100755
index 000000000..7cec39e4d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DomainReliabilityAllowed.yaml
@@ -0,0 +1,29 @@
+caption: Allow reporting of domain reliability related data
+desc: |-
+ If this policy is set false, domain reliability diagnostic data reporting is disabled and no data is sent to Google.
+ If this policy is set true or not set, domain reliability diagnostic data reporting will follow the behavior of MetricsReportingEnabled for $1Google Chrome or DeviceMetricsReportingEnabled for $2Google ChromeOS.
+default: true
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Domain Reliability data may be sent to Google depending on Chrome User Metrics (UMA) policy
+ value: true
+- caption: Never send domain reliability data to Google
+ value: false
+owners:
+- alexwchen@chromium.org
+- file://components/policy/OWNERS
+schema:
+ type: boolean
+supported_on:
+- android:111-
+- chrome.*:111-
+- chrome_os:111-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadBubbleEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadBubbleEnabled.yaml
new file mode 100755
index 000000000..0b3bf707c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadBubbleEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable download bubble UI
+default: true
+deprecated: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset shows the new download bubble UI in $1Google Chrome.
+
+ Setting the policy to Disabled means $1Google Chrome keeps showing the old download shelf UI.
+
+ This policy was intended to be temporary and was removed after the new download bubble UI was fully launched.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable download bubble UI
+ value: true
+- caption: Disable download bubble UI
+ value: false
+owners:
+- file://components/safe_browsing/OWNERS
+- chlily@chromium.org
+- xinghuilu@chromium.org
+schema:
+ type: boolean
+supported_on:
+- 'chrome.*: 102-118'
+- 'chrome_os: 102-118'
+tags: []
+type: main
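Review bot: The `supported_on` entries are written as quoted strings with a space after the colon (`'chrome.*: 102-118'`, `'chrome_os: 102-118'`), unlike the other policy files in this patch, which use the unquoted `platform:range` form such as `chrome.*:11-64`. A consumer that splits on `:` without trimming would see a version range with a leading space. Suggest `- chrome.*:102-118` and `- chrome_os:102-118`.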
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadDirectory.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadDirectory.yaml
new file mode 100755
index 000000000..7bd51dd71
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadDirectory.yaml
@@ -0,0 +1,33 @@
+arc_support: This policy has no effect on Android apps. Android apps always use the
+ default downloads directory and cannot access any files downloaded by $2Google
+ ChromeOS into a non-default downloads directory.
+caption: Set download directory
+desc: |-
+ Setting the policy sets up the directory Chrome uses for downloading files. It uses the provided directory, whether or not users specify one or turned on the flag to be prompted for download location every time.
+
+ This policy overrides the DefaultDownloadDirectory policy.
+
+ Leaving the policy unset means Chrome uses the default download directory, and users can change it.
+
+ On $2Google ChromeOS it's possible to set it only to Google Drive directories.
+
+ Note: See a list of variables you can use ( https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables ).
+example_value: /home/${user_name}/Downloads
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+label: Set download directory
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:11-
+- chrome_os:35-
+tags:
+- local-data-access
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadManagerSaveToDriveSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadManagerSaveToDriveSettings.yaml
new file mode 100755
index 000000000..909e4a751
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadManagerSaveToDriveSettings.yaml
@@ -0,0 +1,32 @@
+caption: Allow saving files directly to Google Drive
+default: 0
+desc: This policy controls whether the user is allowed to save files to Google Drive
+ directly from the download manager.
+
+ Setting the policy to Enabled or leaving it unset allows the user to save files to Google Drive from the download manager.
+ Setting the policy to Disabled prevent users seeing the option in the download manager.
+
+ This policy does not prevent users from saving files to Google Drive using other ways beside the download manager.
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: The download manager will have an option to save files to Google Drive.
+ name: Enabled
+ value: 0
+- caption: The download manager will not have an option to save files to Google Drive.
+ name: Disabled
+ value: 1
+owners:
+- qpubert@google.com
+- olivierrobin@google.com
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+supported_on:
+- ios:123-
+tags: []
+type: int-enum
\ No newline at end of file
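Review bot: `desc` is a plain multi-line scalar here rather than a `|-` block scalar, so YAML folds the single line breaks and the "Enabled" and "Disabled" sentences run together into one paragraph. Using `desc: |-` with the text indented under it keeps the paragraphs as written. While there, `Setting the policy to Disabled prevent users seeing` should read `prevents users from seeing`, and the file lacks a trailing newline. Note also that `0` means Enabled and `1` means Disabled in this enum, which is easy to misread when setting the value by number.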
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadRestrictions.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadRestrictions.yaml
new file mode 100755
index 000000000..fdec4fe53
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DownloadRestrictions.yaml
@@ -0,0 +1,65 @@
+caption: Allow download restrictions
+desc: |-
+ Setting the policy means users can't bypass download security decisions.
+
+ There are many types of download warnings within Chrome, which roughly break down into these categories (learn more about Safe Browsing verdicts https://support.google.com/chrome/?p=ib_download_blocked):
+
+ * Malicious, as flagged by the Safe Browsing server
+ * Uncommon or unwanted, as flagged by the Safe Browsing server
+ * A dangerous file type (e.g. all SWF downloads and many EXE downloads)
+
+ Setting the policy blocks different subsets of these, depending on it's value:
+
+ 0: No special restrictions. Default.
+
+ 1: Blocks malicious files flagged by the Safe Browsing server AND Blocks all dangerous file types. Only recommended for OUs/browsers/users that have a high tolerance for False Positives.
+
+ 2: Blocks malicious files flagged by the Safe Browsing server AND Blocks uncommon or unwanted files flagged by the Safe Browsing server AND Blocks all dangerous file types. Only recommended for OUs/browsers/users that have a high tolerance for False Positives.
+
+ 3: Blocks all downloads. Not recommended, except for special use cases.
+
+ 4: Blocks malicious files flagged by the Safe Browsing server, does not block dangerous file types. Recommended.
+
+ Note: These restrictions apply to downloads triggered from webpage content, as well as the Download link... menu option. They don't apply to the download of the currently displayed page or to saving as PDF from the printing options. Read more about Safe Browsing ( https://developers.google.com/safe-browsing ).
+example_value: 4
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: No special restrictions. Default.
+ name: DefaultDownloadSecurity
+ value: 0
+- caption: Block malicious downloads and dangerous file types.
+ name: BlockDangerousDownloads
+ value: 1
+- caption: Block malicious downloads, uncommon or unwanted downloads and dangerous
+ file types.
+ name: BlockPotentiallyDangerousDownloads
+ value: 2
+- caption: Block all downloads.
+ name: BlockAllDownloads
+ value: 3
+- caption: Block malicious downloads. Recommended.
+ name: BlockMaliciousDownloads
+ value: 4
+label: Download restrictions
+owners:
+- dpr-eng@google.com
+- zmin@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ - 4
+ type: integer
+supported_on:
+- chrome.*:61-
+- chrome_os:61-
+tags:
+- local-data-access
+type: int-enum
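Review bot: The opening `desc` sentence, "Setting the policy means users can't bypass download security decisions", does not hold for value `0`, which the same text defines as "No special restrictions. Default." Suggest wording it as `Setting the policy to a value other than 0 means users can't bypass the corresponding download security decisions.` Also `depending on it's value` should be `depending on its value`. Because `can_be_recommended: true` is set, it may be worth stating whether a recommended (non-mandatory) value can still be changed by the user; that is not visible from this file.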
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DynamicCodeSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DynamicCodeSettings.yaml
new file mode 100755
index 000000000..67346cb7d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/DynamicCodeSettings.yaml
@@ -0,0 +1,36 @@
+caption: Dynamic Code Settings
+default: 0
+desc: |-
+ This policy controls the dynamic code settings for $1Google Chrome.
+
+ Disabling dynamic code improves the security of $1Google Chrome by preventing potentially hostile dynamic code and third-party code from making changes to $1Google Chrome's behavior, but might cause compatibility issues with third-party software that must run inside the browser process.
+
+ If the policy is set to 0 - Default or left unset then $1Google Chrome will use the default settings.
+
+ If the policy is set to 1 - DisabledForBrowser then the $1Google Chrome browser process will be prevented from creating dynamic code.
+
+ Note: Read more about process mitigation policies ( https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md#Process-mitigation-policies ).
+example_value: 1
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Default dynamic code settings
+ name: Default
+ value: 0
+- caption: Prevent the browser process from creating dynamic code
+ name: DisabledForBrowser
+ value: 1
+owners:
+- wfh@chromium.org
+- file://sandbox/win/OWNERS
+schema:
+ type: integer
+ enum:
+ - 0
+ - 1
+supported_on:
+- chrome.win:127-
+tags:
+- system-security
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EasyUnlockAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EasyUnlockAllowed.yaml
new file mode 100755
index 000000000..e1ae4df58
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EasyUnlockAllowed.yaml
@@ -0,0 +1,26 @@
+caption: Allow Smart Lock to be used
+default_for_enterprise_users: false
+desc: |-
+ If you enable this setting, users will be allowed to use Smart Lock if the requirements for the feature are satisfied.
+
+ If you disable this setting, users will not be allowed to use Smart Lock.
+
+ If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow Smart Lock
+ value: true
+- caption: Do not allow Smart Lock
+ value: false
+owners:
+- file://chrome/browser/ash/login/smart_lock/OWNERS
+- hansberry@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:38-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EcheAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EcheAllowed.yaml
new file mode 100755
index 000000000..1c68918fd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EcheAllowed.yaml
@@ -0,0 +1,29 @@
+caption: Allow Eche to be enabled.
+default: true
+desc: |-
+ If this setting is enabled, users will be able to launch the Eche application, for example by clicking on a Phone Hub notification.
+
+ If this setting is disabled, users will not be able to launch the Eche application.
+
+ If this policy is left not set, the default is allowed for both enterprise-managed users and non-managed users.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allows users to click on Phone Hub notification to launch Eche application.
+ value: true
+- caption: Disallows users to click on Phone Hub notification to launch Eche application.
+ value: false
+owners:
+- andychou@google.com
+- dhnishi@google.com
+- exo-core@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:99-
+tags:
+- local-data-access
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EcryptfsMigrationStrategy.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EcryptfsMigrationStrategy.yaml
new file mode 100755
index 000000000..5f718f7ca
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EcryptfsMigrationStrategy.yaml
@@ -0,0 +1,51 @@
+caption: Migration strategy for ecryptfs
+deprecated: true
+desc: |-
+ This policy was removed in M87 and home directories will automatically migrate to ext4 at sign-in.
+ Setting the policy specifies the action to take when the user's home directory was created with ecryptfs encryption. Unless ecryptfs-encrypted home directories migrate to ext4-encryption, Android apps might stop running.
+
+ Setting the policy to:
+
+ * Migrate (or an unsupported option such as AskUser or AskForEcryptfsArcUsers) means directories automatically migrate to ext4 at sign-in, without asking for user consent.
+
+ * Wipe or MinimalMigrate means that, at sign-in, new ext4-encrypted home directories replace old ecryptfs-encrypted directories. To help the user avoid repeated sign-ins, MinimalMigrate tries to preserve sign-in tokens.
+
+ * DisallowArc or leaving it unset prevents migration, and the user's Android apps stop running.
+
+ This policy doesn't apply to kiosk users.
+
+ Warning: Wipe and MinimalMigrate remove local data.
+device_only: false
+example_value: 2
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Disallow data migration and ARC.
+ name: DisallowArc
+ value: 0
+- caption: Migrate automatically, don’t ask for user consent.
+ name: Migrate
+ value: 1
+- caption: Wipe the user’s ecryptfs home directory and start with a fresh ext4-encrypted
+ home directory.
+ name: Wipe
+ value: 2
+- caption: Similar to Wipe (value 2), but tries to preserve login tokens so the user
+ does not have to sign in again.
+ name: MinimalMigrate
+ value: 4
+owners:
+- file://components/policy/OWNERS
+- igorcov@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 4
+ type: integer
+supported_on:
+- chrome_os:61-87
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EditBookmarksEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EditBookmarksEnabled.yaml
new file mode 100755
index 000000000..11fd06777
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EditBookmarksEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Enable or disable bookmark editing
+desc: |-
+ Setting the policy to True or leaving it unset lets users add, remove, or modify bookmarks.
+
+ Setting the policy to False means users can't add, remove, or modify bookmarks. They can still use existing bookmarks.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable bookmark editing
+ value: true
+- caption: Disable bookmark editing
+ value: false
+owners:
+- file://components/policy/OWNERS
+- hendrich@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:12-
+- chrome_os:12-
+- android:30-
+- ios:88-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EmojiPickerGifSupportEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EmojiPickerGifSupportEnabled.yaml
new file mode 100755
index 000000000..5a2e9a9d6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EmojiPickerGifSupportEnabled.yaml
@@ -0,0 +1,39 @@
+owners:
+- dvallet@chromium.org
+- shend@chromium.org
+- jopalmer@chromium.org
+- greywang@chromium.org
+- essential-inputs-team@google.com
+
+caption: GIF Support in Emoji Picker
+
+desc: |-
+ This policy enables GIF support for Emoji Picker on $2Google ChromeOS.
+ If this policy is set to Enabled, Emoji picker will support GIF emoji.
+ If this policy is set to Disabled or not set, Emoji picker will not support GIF emoji.
+ If this policy is not set, Emoji picker will be enabled for normal users but disabled for managed users.
+
+
+supported_on:
+- chrome_os:117-
+
+features:
+ dynamic_refresh: true
+ per_profile: true
+
+type: main
+
+schema:
+ type: boolean
+
+items:
+- caption: Enable GIF support.
+ value: true
+- caption: Disable GIF support.
+ value: false
+
+default: true
+default_for_enterprise_users: false
+
+example_value: false
+tags: []
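Review bot: The `desc` contradicts itself on the unset case. Its third sentence says "Disabled or not set" means no GIF support, while its fourth says an unset policy leaves the feature enabled for normal users and disabled only for managed users. The metadata (`default: true`, `default_for_enterprise_users: false`) agrees with the fourth sentence, so the third should read `If this policy is set to Disabled, Emoji picker will not support GIF emoji.` The fourth sentence also says "Emoji picker will be enabled" where it presumably means GIF support in the picker.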
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EmojiSuggestionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EmojiSuggestionEnabled.yaml
new file mode 100755
index 000000000..3a5de8b3a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EmojiSuggestionEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Enable Emoji Suggestion
+default_for_enterprise_users: false
+desc: |-
+ This policy enables $2Google ChromeOS to suggest emojis when users type text with their virtual or physical keyboards.
+ If this policy is set to true, the feature will be enabled, and users will be able to change it.
+ This policy is defaulted to false, no emoji will be suggested and users cannot override it.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable emoji suggestions when users type
+ value: true
+- caption: Disable emoji suggestions when users type
+ value: false
+owners:
+- myy@chromium.org
+- essential-inputs-team@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:86-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableCommonNameFallbackForLocalAnchors.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableCommonNameFallbackForLocalAnchors.yaml
new file mode 100755
index 000000000..cbeaa7e9b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableCommonNameFallbackForLocalAnchors.yaml
@@ -0,0 +1,31 @@
+caption: Allow certificates issued by local trust anchors without subjectAlternativeName
+ extension
+deprecated: true
+desc: |-
+ When this setting is enabled, $1Google Chrome will use the commonName of a server certificate to match a hostname if the certificate is missing a subjectAlternativeName extension, as long as it successfully validates and chains to a locally-installed CA certificates.
+
+ Note that this is not recommended, as this may allow bypassing the nameConstraints extension that restricts the hostnames that a given certificate can be authorized for.
+
+ If this policy is not set, or is set to false, server certificates that lack a subjectAlternativeName extension containing either a DNS name or IP address will not be trusted.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow certificates lacking a subjectAlternativeName extension when issued
+ by local trust anchors
+ value: true
+- caption: Disallow certificates lacking a subjectAlternativeName extension
+ value: false
+owners:
+- file://net/cert/OWNERS
+- rsleevi@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:58-65
+- chrome_os:58-65
+- android:58-65
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableDeprecatedPrivetPrinting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableDeprecatedPrivetPrinting.yaml
new file mode 100755
index 000000000..5ffa5bfd1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableDeprecatedPrivetPrinting.yaml
@@ -0,0 +1,26 @@
+caption: Enable deprecated privet printing
+default: false
+deprecated: true
+desc: |-
+ This policy controls whether any available privet printers are shown to users in the print preview dialog.
+ Setting this policy to Enabled will show available privet printers.
+ Setting this policy to Disabled or leaving it unset will result in privet printers not appearing in print preview, as this printing method is deprecated.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable deprecated privet printing
+ value: true
+- caption: Disable deprecated privet printing
+ value: false
+owners:
+- file://printing/OWNERS
+- rbpotter@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:89-93
+- chrome_os:89-93
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableDeprecatedWebBasedSignin.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableDeprecatedWebBasedSignin.yaml
new file mode 100755
index 000000000..e452d3403
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableDeprecatedWebBasedSignin.yaml
@@ -0,0 +1,23 @@
+caption: Enable the old web-based signin flow
+deprecated: true
+desc: |-
+ This setting was named EnableWebBasedSignin prior to Chrome 42, and support for it will be removed entirely in Chrome 43.
+
+ This setting is useful for enterprise customers who are using SSO solutions that are not compatible with the new inline signin flow yet.
+ If you enable this setting, the old web-based signin flow would be used.
+ If you disable this setting or leave it not set, the new inline signin flow would be used by default. Users may still enable the old web-based signin flow through the command line flag --enable-web-based-signin.
+
+ The experimental setting will be removed in the future when the inline signin fully supports all SSO signin flows.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:35-42
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableDeprecatedWebPlatformFeatures.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableDeprecatedWebPlatformFeatures.yaml
new file mode 100755
index 000000000..a5773986f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableDeprecatedWebPlatformFeatures.yaml
@@ -0,0 +1,40 @@
+caption: Enable deprecated web platform features for a limited time
+deprecated: true
+desc: "Specify a list of deprecated web platform features to re-enable temporarily.\n\
+ \n This policy gives administrators the ability to re-enable deprecated web\
+ \ platform features for a limited time. Features are identified by a string tag\
+ \ and the features corresponding to the tags included in the list specified by this\
+ \ policy will get re-enabled.\n\n If this policy is left not set, or the list\
+ \ is empty or does not match one of the supported string tags, all deprecated web\
+ \ platform features will remain disabled.\n\n While the policy itself is supported\
+ \ on the above platforms, the feature it is enabling may be available on fewer platforms.\
+ \ Not all deprecated Web Platform features can be re-enabled. Only the ones explicitly\
+ \ listed below can be for a limited period of time, which is different per feature.\
+ \ The general format of the string tag will be [DeprecatedFeatureName]_EffectiveUntil[yyyymmdd].\
+ \ As reference, you can find the intent behind the Web Platform feature changes\
+ \ at https://bit.ly/blinkintents.\n "
+example_value:
+- ExampleDeprecatedFeature_EffectiveUntil20080902
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable ExampleDeprecatedFeature API through 2008/09/02
+ name: ExampleDeprecatedFeature
+ value: ExampleDeprecatedFeature_EffectiveUntil20080902
+owners:
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ items:
+ enum:
+ - ExampleDeprecatedFeature_EffectiveUntil20080902
+ type: string
+ type: array
+supported_on:
+- chrome.*:37-87
+- chrome_os:37-87
+- android:37-87
+tags:
+- system-security
+type: string-enum-list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableExperimentalPolicies.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableExperimentalPolicies.yaml
new file mode 100755
index 000000000..6da3c7252
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableExperimentalPolicies.yaml
@@ -0,0 +1,36 @@
+caption: Enables experimental policies
+desc: |-
+ Allows $1Google Chrome to load experimental policies.
+
+ WARNING: Experimental policies are unsupported and subject to change or be removed without notice in future version of the browser!
+
+ An experimental policy may not be finished or still have known or unknown defects. It may be changed or even removed without any notification. By enabling experimental policies, you could lose browser data or compromise your security or privacy.
+
+ If a policy is not in the list and it's not officially released, its value will be ignored on Beta and Stable channel.
+
+ If a policy is in the list and it's not officially released, its value will be applied.
+
+ This policy has no effect on already released policies.
+example_value:
+- ExtensionInstallAllowlist
+- ExtensionInstallBlocklist
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- zmin@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:85-
+- chrome_os:85-
+- android:85-
+- webview_android:85-
+- ios:85-
+tags: []
+type: list
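Review bot: The `example_value` lists `ExtensionInstallAllowlist` and `ExtensionInstallBlocklist`, which read as ordinary released policy names, yet the `desc` ends with "This policy has no effect on already released policies". If those two are released, the example demonstrates a no-op, and a clearly artificial entry such as `- ExampleExperimentalPolicy` (constructed name) would be less misleading. Separately, `tags: []` sits oddly beside the warning that enabling experimental policies could "compromise your security or privacy"; other definitions in this commit use `- system-security` for settings of that kind. The phrase "in future version of the browser" should read "in a future version of the browser".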
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableOnlineRevocationChecks.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableOnlineRevocationChecks.yaml
new file mode 100755
index 000000000..449e55908
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableOnlineRevocationChecks.yaml
@@ -0,0 +1,30 @@
+caption: Enable online OCSP/CRL checks
+desc: |-
+ Setting the policy to True means online OCSP/CRL checks are performed.
+
+ Setting the policy to False or leaving it unset means $1Google Chrome won't perform online revocation checks in $1Google Chrome 19 and later.
+
+ Note: OCSP/CRL checks provide no effective security benefit.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Allow online OCSP/CRL checks to be performed
+ value: true
+- caption: Prevent online OCSP/CRL checks from being
+ performed
+ value: false
+owners:
+- file://net/cert/OWNERS
+- mattm@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:19-
+- chrome_os:19-
+tags:
+- website-sharing
+type: main
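Review bot: The closing note, `OCSP/CRL checks provide no effective security benefit`, gives no reason and reads as a blanket statement about revocation, which does not help an administrator decide whether to set the policy to True. It should say what limits the benefit and what enabling costs: presumably the online check is soft-fail, and turning it on makes the browser contact the issuer's responder for visited sites, which the `website-sharing` tag hints at. Suggested wording: `Note: online OCSP/CRL checks are soft-fail (an unreachable responder is ignored), so they add little protection against an attacker who controls the network.` The soft-fail rationale is not stated anywhere in this hunk, so confirm it against the certificate verifier before adopting the sentence.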
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableSha1ForLocalAnchors.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableSha1ForLocalAnchors.yaml
new file mode 100755
index 000000000..d7868d9ae
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableSha1ForLocalAnchors.yaml
@@ -0,0 +1,29 @@
+caption: Allow SHA-1 signed certificates issued by local trust anchors
+deprecated: true
+desc: |-
+ When this setting is enabled, $1Google Chrome allows SHA-1 signed certificates as long as they successfully validate and chain to a locally-installed CA certificates.
+
+ Note that this policy depends on the operating system certificate verification stack allowing SHA-1 signatures. If an OS update changes the OS handling of SHA-1 certificates, this policy may no longer have effect. Further, this policy is intended as a temporary workaround to give enterprises more time to move away from SHA-1. This policy will be removed on or around January 1st 2019.
+
+ If this policy is not set, or it is set to false, then $1Google Chrome follows the publicly announced SHA-1 deprecation schedule.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow SHA-1 signed certificates issued by local trust anchors
+ value: true
+- caption: Disallow SHA-1 signed certificates
+ value: false
+owners:
+- mattm@chromium.org
+- rsleevi@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:54-71
+- chrome_os:54-71
+- android:54-71
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableSymantecLegacyInfrastructure.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableSymantecLegacyInfrastructure.yaml
new file mode 100755
index 000000000..23aea713d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableSymantecLegacyInfrastructure.yaml
@@ -0,0 +1,31 @@
+caption: Enable trust in Symantec Corporation's Legacy PKI Infrastructure
+deprecated: true
+desc: |-
+ When this setting is enabled, $1Google Chrome allows certificates issued by Symantec Corporation's Legacy PKI operations to be trusted if they otherwise successfully validate and chain to a recognized CA certificate.
+
+ Note that this policy depends on the operating system still recognizing certificates from Symantec's legacy infrastructure. If an OS update changes the OS handling of such certificates, this policy no longer has effect. Further, this policy is intended as a temporary workaround to give enterprises more time to transition away from legacy Symantec certificates. This policy will be removed on or around January 1st 2019.
+
+ If this policy is not set, or it is set to false, then $1Google Chrome follows the publicly announced deprecation schedule.
+
+ See https://g.co/chrome/symantecpkicerts for more details on this deprecation.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable trust in certificates issued by Symantec Corporation Legacy PKI
+ value: true
+- caption: Disable trust in certificates issued by Symantec Corporation Legacy PKI
+ value: false
+owners:
+- file://net/cert/OWNERS
+- rsleevi@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:66-75
+- chrome_os:66-75
+- android:66-75
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableSyncConsent.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableSyncConsent.yaml
new file mode 100755
index 000000000..c07aa9985
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnableSyncConsent.yaml
@@ -0,0 +1,23 @@
+caption: Enable displaying Sync Consent during sign-in
+desc: |-
+ This policy controls if Sync Consent can be shown to the user during first sign-in. It should be set to false if Sync Consent is never needed for the user.
+ If set to false, Sync Consent will not be displayed.
+ If set to true or unset, Sync Consent can be displayed.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Display Sync Consent during sign-in
+ value: true
+- caption: Do not display Sync Consent during sign-in
+ value: false
+owners:
+- agawronska@chromium.org
+- alemate@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:66-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnabledPlugins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnabledPlugins.yaml
new file mode 100755
index 000000000..0f1649071
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnabledPlugins.yaml
@@ -0,0 +1,35 @@
+caption: Specify a list of enabled plugins
+deprecated: true
+desc: |-
+ This policy is deprecated. Please use the DefaultPluginsSetting to control the availability of the Flash plugin and AlwaysOpenPdfExternally to control whether the integrated PDF viewer should be used for opening PDF files.
+
+ Specifies a list of plugins that are enabled in $1Google Chrome and prevents users from changing this setting.
+
+ The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\', so to match actual '*', '?', or '\' characters, you can put a '\' in front of them.
+
+ The specified list of plugins is always used in $1Google Chrome if they are installed. The plugins are marked as enabled in 'about:plugins' and users cannot disable them.
+
+ Note that this policy overrides both DisabledPlugins and DisabledPluginsExceptions.
+
+ If this policy is left not set the user can disable any plugin installed on the system.
+example_value:
+- Java
+- Shockwave Flash
+- Chrome PDF Viewer
+features:
+ dynamic_refresh: true
+ per_profile: true
+label: List of enabled plugins
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:11-87
+- chrome_os:11-87
+tags:
+- system-security
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EncryptedClientHelloEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EncryptedClientHelloEnabled.yaml
new file mode 100755
index 000000000..21dbe8f72
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EncryptedClientHelloEnabled.yaml
@@ -0,0 +1,33 @@
+caption: Enable TLS Encrypted ClientHello
+default: true
+desc: |-
+ Encrypted ClientHello (ECH) is an extension to TLS to encrypt sensitive fields of the ClientHello and improve privacy.
+
+ If this policy is not configured, or is set to enabled, $1Google Chrome will follow the default rollout process for ECH. If it is disabled, $1Google Chrome will not enable ECH.
+
+ When the feature is enabled, $1Google Chrome may or may not use ECH depending on server support, availability of the HTTPS DNS record, or rollout status.
+
+ ECH is an evolving protocol, so $1Google Chrome's implementation is subject to change. As such, this policy is a temporary measure to control the initial experimental implementation. It will be replaced with final controls as the protocol finalizes.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Enable the TLS Encrypted ClientHello experiment
+ value: true
+- caption: Disable the TLS Encrypted ClientHello experiment
+ value: false
+owners:
+- davidben@chromium.org
+- trusty-transport@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:105-
+- chrome_os:105-
+- android:105-
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnforceLocalAnchorConstraintsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnforceLocalAnchorConstraintsEnabled.yaml
new file mode 100755
index 000000000..ee46d358a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnforceLocalAnchorConstraintsEnabled.yaml
@@ -0,0 +1,56 @@
+caption: Determines whether the built-in certificate verifier
+ will enforce constraints encoded into trust anchors loaded from the platform
+ trust store.
+default: true
+deprecated: true
+desc: |-
+ X.509 certificates may encode constraints, such as Name Constraints,
+ in extensions in the certificate. RFC 5280 specifies that enforcing such
+ constraints on trust anchor certificates is optional. Starting in
+ $1Google Chrome 112, such constraints
+ in certificates loaded from the platform certificate store will now be
+ enforced.
+
+ This policy exists as a temporary opt-out in case an enterprise encounters
+ issues with the constraints encoded in their private roots. In that case this
+ policy may be used to temporarily disable enforcement of the constraints
+ while correcting the certificate issues.
+
+ When this policy is not set, or is set to enabled,
+ $1Google Chrome will enforce
+ constraints encoded into trust anchors loaded from the platform trust store.
+
+ When this policy is set to disabled,
+ $1Google Chrome will not enforce
+ constraints encoded into trust anchors loaded from the platform trust store.
+
+ In $1Google Chrome version 112,
+ this policy has no effect if the
+ ChromeRootStoreEnabled
+ policy is disabled.
+
+ This policy was removed in
+ $1Google Chrome version 126. Starting
+ that version, constraints in trust anchors are always enforced.
+
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enforce constraints in locally added trust anchors
+ value: true
+- caption: Do not enforce constraints in locally added trust anchors
+ value: false
+owners:
+- mattm@chromium.org
+- file://net/cert/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.win:112-127
+- chrome.mac:112-127
+- chrome.linux:112-127
+- chrome_os:112-127
+tags: []
+type: main
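Review bot: The `desc` says the policy "was removed in $1Google Chrome version 126", but every `supported_on` entry ends at 127 (`chrome.win:112-127` and the three lines below it). The two should agree, because administrators use that range to tell when the opt-out stops working and trust-anchor constraints are enforced unconditionally. `tags: []` also stands out, since setting the policy to false relaxes certificate verification. The comparable `EnableSha1ForLocalAnchors` and `EnableCommonNameFallbackForLocalAnchors` definitions in this commit carry `- system-security`.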
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseAuthenticationAppLinkPolicy.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseAuthenticationAppLinkPolicy.yaml
new file mode 100755
index 000000000..a74c43434
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseAuthenticationAppLinkPolicy.yaml
@@ -0,0 +1,33 @@
+caption: External authentication app launch URLs
+desc: "Allows you to specify configs for authentication urls in Android WebView.\n\n These Authentication urls would be treated special\
+ \ by Android WebView, such that during authentication\
+ \ when webpage in Android WebView\n \
+ \ is navigated to authentication urls, corresponding Identity providers authenticator\
+ \ app that can handle this authentication URL would be launched.\n\n This flow\
+ \ of launching the Identity providers authenticator app would be used by the Identity\
+ \ providers to enable\n use cases like providing SSO across apps or provide\
+ \ better security by collecting zero trust device signals to understand device posture\
+ \ during authentication.\n\n If there is no valid app installed to handle authentication\
+ \ url on the device, navigation will continue in Android WebView.\n\n Authentication URL pattern has to be formatted according\
+ \ to https://support.google.com/chrome/a?p=url_blocklist_filter_format.\n "
+example_value:
+- url: https://www.abc.com
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- ayushsha@google.com
+- afw-security-team@google.com
+schema:
+ items:
+ properties:
+ url:
+ type: string
+ type: object
+ type: array
+supported_on:
+- webview_android:105-
+tags: []
+type: dict
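Review bot: The `desc` does not tell administrators how broadly a configured entry matches, and the `example_value` (`url: https://www.abc.com`) is a bare origin on a real registered domain. A match hands the navigation from WebView to an external authenticator app, so the text should advise listing only the identity provider's sign-in URLs, e.g. `Keep each pattern as narrow as possible, because any navigation that matches leaves Android WebView.` The example would be safer on a reserved name such as `url: https://idp.example.com/login` (constructed sample). `tags: []` deserves a second look for the same reason; how the handling app is chosen is not visible in this hunk.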
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseBadgingTemporarySetting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseBadgingTemporarySetting.yaml
new file mode 100755
index 000000000..1ae83fdcb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseBadgingTemporarySetting.yaml
@@ -0,0 +1,47 @@
+caption: Control the visibility of enterprise badging
+default: 0
+deprecated: true
+example_value: 1
+desc: |-
+ This is a temporary policy that will be removed in M127.
+ This policy controls the visibility of the enterprise badging on managed profiles which consists of an account specific management label shown in the profile menu, a new label associated to a profile managed by your organization shown in the toolbar and controlled by the policy ProfileLabel, and an enterprise logo shown in the profile menu next to the profile picture and controlled by the policy EnterpriseLogoUrl.
+
+ Leaving this policy unset or setting this policy to "Hide all enterprise badging (value 0)" will hide all of the badging regardless of the policies that control each component.
+
+ Setting this policy to "Show enterprise badging on unmanaged devices only (value 1)" will show all of the badging if a user from your organization uses a managed profile on an unmanaged device.
+
+ Setting this policy to "Show enterprise badging on all devices (value 2)" will show all of the badging if a user from your organization uses a managed profile on any device.
+
+ Setting this policy to "Show enterprise badging on managed devices only (value 3)" will show all of the badging if a user from your organization uses a managed profile on a managed device.
+
+ A device is considered managed if an enterprise version of the OS is used, or if any policies are set at the machine level and affect the browser.
+features:
+ dynamic_refresh: true
+ per_profile: true
+ cloud_only: true
+supported_on:
+- chrome.*:125-127
+items:
+- caption: Hide all enterprise badging
+ name: hide_enterprise_badging
+ value: 0
+- caption: Show enterprise badging on unmanaged devices only
+ name: show_enterprise_badging_unmanaged_devices
+ value: 1
+- caption: Show enterprise badging on all devices
+ name: show_enterprise_badging_all_devices
+ value: 2
+- caption: Show enterprise badging on managed devices only
+ name: show_enterprise_badging_managed_devices
+ value: 3
+owners:
+- ydago@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ type: integer
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseCustomLabel.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseCustomLabel.yaml
new file mode 100755
index 000000000..7f58238ba
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseCustomLabel.yaml
@@ -0,0 +1,28 @@
+caption: Set a custom enterprise label
+default: null
+desc: |-
+ This policy controls a custom label used to identify who managed a profile or browser.
+
+ This label will be shown in the toolbar.
+
+ If this policy is set at the browser level, all profiles will have this label in the toolbar.
+
+ If this policy is set at the profile level, only that profile will have this label.
+
+ Unlike other policies, this policy set at the profile level takes precedence over a policy set at the browser level.
+
+ The custom label will not be translated.
+example_value: Chromium
+features:
+ dynamic_refresh: true
+ per_profile: true
+ user_only: true
+supported_on:
+- chrome.*:128-
+owners:
+- file://components/enterprise/OWNERS
+- ydago@chromium.org
+schema:
+ type: string
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseHardwarePlatformAPIEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseHardwarePlatformAPIEnabled.yaml
new file mode 100755
index 000000000..d2b595d33
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseHardwarePlatformAPIEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enables managed extensions to use the Enterprise Hardware Platform API
+desc: |-
+ Setting the policy to True lets extensions installed by enterprise policy use the Enterprise Hardware Platform API.
+
+ Setting the policy to False or leaving it unset prevents extensions from using this API.
+
+ Note: This policy also applies to component extensions, such as the Hangout Services extension.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow managed extensions to use the Enterprise Hardware Platform API
+ value: true
+- caption: Do not allow managed extensions to use the Enterprise Hardware Platform
+ API
+ value: false
+owners:
+- guidou@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:71-
+- chrome_os:71-
+- android:71-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseLogoUrl.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseLogoUrl.yaml
new file mode 100755
index 000000000..075c2f3a4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseLogoUrl.yaml
@@ -0,0 +1,30 @@
+caption: Enterprise Logo URL
+default: null
+desc: |-
+ A URL to an image that will be used as an enterprise badge for the profile. The URL must point to an image.
+
+ This badge will be shown in the toolbar.
+
+ If this policy is set at the browser level, all profiles will have this logo in the toolbar.
+
+ If this policy is set at the profile level, only that profile will have this logo.
+
+ If this policy is not set, a default building icon will be shown.
+
+ If an error happens while trying to get and show the image, a default building icon will be shown.
+
+ Unlike other policies, this policy set at the profile level takes precedence over a policy set at the browser level.
+example_value: https://example.com/image.png
+features:
+ dynamic_refresh: true
+ per_profile: true
+ user_only: true
+supported_on:
+- chrome.*:125-
+owners:
+- file://components/policy/OWNERS
+- ydago@chromium.org
+schema:
+ type: string
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseProfileCreationKeepBrowsingData.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseProfileCreationKeepBrowsingData.yaml
new file mode 100755
index 000000000..5523149f9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseProfileCreationKeepBrowsingData.yaml
@@ -0,0 +1,31 @@
+caption: Keep browsing data when creating enterprise profile by default
+default: false
+desc: |
+ If this policy is Enabled, the option to keep any existing browsing data when creating an enterprise profile will be checked by default.
+
+ If this policy is unset or Disabled, the option to keep any existing browsing data when creating an enterprise profile will not be checked by default.
+
+ Regardless of the value, the user will be able to decide whether or not to keep any existing browsing data when creating an enterprise profile.
+
+ This policy has no effect if the option to keep existing browsing data is not available; this happens if enterprise profile separation is strictly enforced, or if the data would be from an already managed profile.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Check the option to keep existing browsing data by default
+ value: true
+- caption: Do not check the option to keep existing browsing data by default
+ value: false
+owners:
+- ydago@chromium.org
+- file://components/policy/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:106-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseRealTimeUrlCheckMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseRealTimeUrlCheckMode.yaml
new file mode 100755
index 000000000..1bd173fe8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseRealTimeUrlCheckMode.yaml
@@ -0,0 +1,39 @@
+caption: Check Safe Browsing status of URLs in real time
+default: 0
+desc: |-
+ This policy controls checking URLs in real time to identify unsafe URLs.
+
+ If this policy is left not set or set to ‘Disabled’, the consumer Safe Browsing checks will be applied. Consumer Safe Browsing checks can still include real time lookups, depending on the value of the “Make searches and browsing better” setting and the value of the UrlKeyedAnonymizedDataCollectionEnabled policy.
+
+ If this policy is set to ‘Enabled’, URLs will be sent to be scanned in real time under enterprise ToS. It will result in Chrome sending URLs to Google Cloud or third parties of your choosing to check them in real time. The consumer version of Safe Browsing real time lookup will be switched off.
+
+ This policy requires additional setup to take effect, please visit https://support.google.com/chrome/a?p=chrome_enterprise_connector_policies_setting for more information.
+example_value: 1
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Real time URL check is disabled.
+ name: Disabled
+ value: 0
+- caption: Real time check for main frame URLs is enabled.
+ name: Enabled
+ value: 1
+owners:
+- xinghuilu@chromium.org
+- file://components/safe_browsing/OWNERS
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+future_on:
+- android
+supported_on:
+- chrome.*:86-
+- chrome_os:86-
+tags: []
+type: int-enum
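Review bot: `future_on` appears twice in this mapping, first with `- fuchsia` after `features` and again with `- android` after `schema`. Duplicate keys are not valid YAML: loaders that tolerate them usually keep the last one, which would silently drop the fuchsia entry, and strict loaders reject the file. Merge them into a single `future_on:` key listing both `- fuchsia` and `- android`.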
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseWebStoreName.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseWebStoreName.yaml
new file mode 100755
index 000000000..8c14badd2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseWebStoreName.yaml
@@ -0,0 +1,21 @@
+caption: Enterprise web store name (deprecated)
+deprecated: true
+desc: This setting has been retired as of $1Google Chrome
+ version 29. The recommended way to set up organization-hosted extension/app collections
+ is to include the site hosting the CRX packages in ExtensionInstallSources and put
+ direct download links to the packages on a web page. A launcher for that web page
+ can be created using the ExtensionInstallForcelist policy.
+example_value: WidgCo Chrome Apps
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:17-28
+- chrome_os:17-28
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseWebStoreURL.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseWebStoreURL.yaml
new file mode 100755
index 000000000..8469650f7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EnterpriseWebStoreURL.yaml
@@ -0,0 +1,21 @@
+caption: Enterprise web store URL (deprecated)
+deprecated: true
+desc: This setting has been retired as of $1Google Chrome
+ version 29. The recommended way to set up organization-hosted extension/app collections
+ is to include the site hosting the CRX packages in ExtensionInstallSources and put
+ direct download links to the packages on a web page. A launcher for that web page
+ can be created using the ExtensionInstallForcelist policy.
+example_value: https://company-intranet/chromeapps
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- anqing@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:17-28
+- chrome_os:17-28
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EssentialSearchEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EssentialSearchEnabled.yaml
new file mode 100755
index 000000000..9b91668a6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EssentialSearchEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Enable only essential cookies and data in search
+default: false
+desc: |-
+ This policy lets admins control how Google processes cookies and data sent to Search through $2Google ChromeOS.
+ When the policy is enabled, the user will be able to use the $2Google ChromeOS Launcher search box, and the $1Google Chrome Browser address box in $2Google ChromeOS, the cookies and data may be used only for essential purposes.
+ When the policy is unset or disabled, the cookies and data may be used for non-essential purposes.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome_os:123-
+items:
+- caption: Use only essential cookies and data in search.
+ value: true
+- caption: Use essential and non-essential cookies in search.
+ value: false
+owners:
+- ayag@chromium.org
+- mohammedabdon@chromium.org
+- dp-chromeos-eng@google.com
+schema:
+ type: boolean
+tags: []
+type: main
\ No newline at end of file
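Review bot: The second sentence of `desc` is a run-on that says the user "will be able to use" the Launcher search box and the address box, then appends the cookie restriction after a comma. It is unclear whether enabling the policy changes availability or only data use. Presumably only data use is meant; keeping the product-name placeholders, something like `When the policy is enabled, cookies and data sent to Search from the Launcher search box and the address box may be used only for essential purposes.` would say so directly. The `false` item caption also says only "cookies" where the `true` caption says "cookies and data".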
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EventPathEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EventPathEnabled.yaml
new file mode 100755
index 000000000..ec9a50b07
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/EventPathEnabled.yaml
@@ -0,0 +1,37 @@
+caption: Re-enable the Event.path API until M115.
+default: null
+deprecated: true
+desc: |2-
+ Starting in M109, the non-standard API Event.path will be removed to improve web compatibility. This policy re-enables the API until M115.
+
+ If this policy is set to enabled, the Event.path API will be available.
+
+ If this policy is set to disabled, the Event.path API will be unavailable.
+
+ If this policy is not set, the Event.path API will be in the default status: available before M109, and unavailable in M109 to 114.
+
+ This policy will be removed after Chrome 115.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Event.path API will be available.
+ value: true
+- caption: Event.path API will be unavailable.
+ value: false
+- caption: 'Event.path API will be in the default status: available before M109, and
+ unavailable in M109 to 114.'
+ value: null
+owners:
+- xiaochengh@chromium.org
+- masonf@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:105-115
+- chrome_os:105-115
+- android:105-115
+- webview_android:105-115
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExemptDomainFileTypePairsFromFileTypeDownloadWarnings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExemptDomainFileTypePairsFromFileTypeDownloadWarnings.yaml
new file mode 100755
index 000000000..16f5921bf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExemptDomainFileTypePairsFromFileTypeDownloadWarnings.yaml
@@ -0,0 +1,53 @@
+caption: Disable download file type extension-based warnings for specified file types
+ on domains
+desc: |-
+ You can enable this policy to create a dictionary of file type extensions with a corresponding list of domains that will be exempted from file type extension-based download warnings. This lets enterprise administrators block file type extension-based download warnings for files that are associated with a listed domain. For example, if the "jnlp" extension is associated with "website1.com", users would not see a warning when downloading "jnlp" files from "website1.com", but see a download warning when downloading "jnlp" files from "website2.com".
+
+ Files with file type extensions specified for domains identified by this policy will still be subject to non-file type extension-based security warnings such as mixed-content download warnings and Safe Browsing warnings.
+
+ If you disable this policy or don't configure it, file types that trigger extension-based download warnings will show warnings to the user.
+
+ If you enable this policy:
+
+ * The URL pattern should be formatted according to https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
+ * The file type extension entered must be in lower-cased ASCII. The leading separator should not be included when listing the file type extension, so list "jnlp" should be used instead of ".jnlp".
+
+ Example:
+
+ The following example value would prevent file type extension-based download warnings on swf, exe, and jnlp extensions for *.example.com domains. It will show the user a file type extension-based download warning on any other domain for exe and jnlp files, but not for swf files.
+
+ [
+ { "file_extension": "jnlp", "domains": ["example.com"] },
+ { "file_extension": "exe", "domains": ["example.com"] },
+ { "file_extension": "swf", "domains": ["*"] }
+ ]
+
+ Note that while the preceding example shows the suppression of file type extension-based download warnings for "swf" files for all domains, applying suppression of such warnings for all domains for any dangerous file type extension is not recommended due to security concerns. It is shown in the example merely to demonstrate the ability to do so.
+
+ If this policy is enabled alongside DownloadRestrictions and DownloadRestrictions is set to block dangerous file types, download blocks determined by DownloadRestrictions take precedence. For example, if this policy is set to enable "exe" extension downloads from "website1.com", and DownloadRestrictions is set to block malicious downloads and dangerous file types, then "exe" extension downloads will still be blocked in all domains. If DownloadRestrictions is not set to block dangerous file types, then file types specified in this policy will be exempted from file-type extension-based download warnings in the specified domains. Read more about DownloadRestrictions (https://chromeenterprise.google/policies/?policy=DownloadRestrictions).
+example_value:
+- domains:
+ - https://example.com
+ - example2.com
+ file_extension: jnlp
+- domains:
+ - '*'
+ file_extension: swf
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- flowerhorne@google.com
+schema:
+ items:
+ $ref: DomainFiletypePair
+ type: array
+supported_on:
+- chrome.*:100-
+- chrome_os:100-
+tags:
+- system-security
+type: dict
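Review bot: `example_value` includes a `'*'` domain entry for `swf`, although the description itself says that suppressing warnings for all domains is not recommended. Example values tend to be copied into real configurations, so the `swf` entry should list a specific domain instead, e.g. `- example.com` under `domains:`. The example also mixes `https://example.com` and `example2.com`, while the description's JSON uses the bare `example.com`; a sentence on whether a scheme-prefixed pattern matches differently would help. Separately, `so list "jnlp" should be used` has a leftover word; `so "jnlp" should be used` is clearer.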
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExplicitlyAllowedNetworkPorts.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExplicitlyAllowedNetworkPorts.yaml
new file mode 100755
index 000000000..f6fee3e1d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExplicitlyAllowedNetworkPorts.yaml
@@ -0,0 +1,84 @@
+caption: Explicitly allowed network ports
+desc: |-
+ There is a list of restricted ports built into $1Google Chrome. Connections to these ports will fail. This setting permits bypassing that list. The value is a comma-separated list of zero or more ports that outgoing connections will be permitted on.
+
+ Ports are restricted to prevent $1Google Chrome being used as a vector to exploit various network vulnerabilities. Setting this policy may expose your network to attacks. This policy is intended as a temporary workaround for errors with code "ERR_UNSAFE_PORT" while migrating a service running on a blocked port to a standard port (ie. port 80 or 443).
+
+ Malicious websites can easily detect that this policy is set, and for what ports, and use that information to target attacks.
+
+ Each port here is labelled with a date that it can be unblocked until. After that date the port will be restricted regardless of this setting.
+
+ Leaving the value empty or unset means that all restricted ports will be blocked. If there is a mixture of valid and invalid values, the valid ones will be applied.
+
+ This policy overrides the "--explicitly-allowed-ports" command-line option.
+example_value:
+- '10080'
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: port 554 (can be unblocked until 2021/10/15)
+ name: '554'
+ supported_on:
+ - chrome.*:91-95
+ - android:91-95
+ - chrome_os:91-95
+ - webview_android:91-95
+ value: '554'
+- caption: port 10080 (can be unblocked until 2022/04/01)
+ name: '10080'
+ supported_on:
+ - chrome.*:91-99
+ - android:91-99
+ - chrome_os:91-99
+ - webview_android:91-99
+ value: '10080'
+- caption: port 6566 (can be unblocked until 2021/10/15)
+ name: '6566'
+ supported_on:
+ - chrome.*:91-94
+ - android:91-94
+ - chrome_os:91-94
+ - webview_android:91-94
+ value: '6566'
+- caption: port 989 (can be unblocked until 2022/02/01)
+ name: '989'
+ supported_on:
+ - chrome.*:93-100
+ - android:93-100
+ - chrome_os:93-100
+ - webview_android:93-100
+ value: '989'
+- caption: port 990 (can be unblocked until 2022/02/01)
+ name: '990'
+ supported_on:
+ - chrome.*:93-100
+ - android:93-100
+ - chrome_os:93-100
+ - webview_android:93-100
+ value: '990'
+owners:
+- ricea@chromium.org
+- yhirano@chromium.org
+schema:
+ items:
+ enum:
+ - '554'
+ - '10080'
+ - '6566'
+ - '989'
+ - '990'
+ type: string
+ type: array
+supported_on:
+- chrome.*:91-
+- android:91-
+- chrome_os:91-
+- webview_android:91-
+tags:
+- system-security
+- website-sharing
+- local-data-access
+type: string-enum-list
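Review bot: Every entry under `items` has its own `supported_on` range ending at or before version 100, while the policy-level `supported_on` stays open-ended (`chrome.*:91-` and the other three platforms). On the version this commit tracks (130.0.6723.73), that appears to mean no listed port can still be unblocked, yet the description still presents the setting as a way to bypass the restricted-port list. If that reading is right, the description should say so, e.g. with a line such as `No port in this list can currently be unblocked.`, so that admins do not depend on it during a migration.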
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionCacheSize.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionCacheSize.yaml
new file mode 100755
index 000000000..9a1de3886
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionCacheSize.yaml
@@ -0,0 +1,22 @@
+arc_support: The cache is not used for Android apps. If multiple users install the
+ same Android app, it will be downloaded anew for each user.
+caption: Set Apps and Extensions cache size (in bytes)
+default: 268435456
+desc: Setting to lower than 1 MB or leaving it unset means $2Google
+ ChromeOS uses the default size of 256 MiB for caching apps and extensions
+ for installation by multiple users of a single device, avoiding the need to redownload
+ each one for every user.
+device_only: true
+example_value: 104857600
+features:
+ dynamic_refresh: false
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ type: integer
+supported_on:
+- chrome_os:43-
+tags: []
+type: int
+generate_device_proto: False
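Review bot: `generate_device_proto: False` is the only capitalised boolean in this file; the others (`device_only: true`, `dynamic_refresh: false`) are lowercase, so `generate_device_proto: false` would be consistent. The description also mixes units, "lower than 1 MB" next to "256 MiB". The `default` of 268435456 is exactly 256 MiB, so if binary units are meant throughout, the threshold should read `1 MiB`.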
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionInstallBlacklist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionInstallBlacklist.yaml
new file mode 100755
index 000000000..124888266
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionInstallBlacklist.yaml
@@ -0,0 +1,22 @@
+caption: Configure extension installation blocklist
+deprecated: true
+desc: This policy is deprecated and unsupported, please use the 'ExtensionInstallBlocklist' policy instead.
+example_value:
+- extension_id1
+- extension_id2
+features:
+ dynamic_refresh: true
+ per_profile: true
+label: Extension IDs the user should be prevented from installing (or * for all)
+owners:
+- lazyboy@chromium.org
+- file://extensions/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:8-100
+- chrome_os:11-100
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionInstallEventLoggingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionInstallEventLoggingEnabled.yaml
new file mode 100755
index 000000000..01e65dcb5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionInstallEventLoggingEnabled.yaml
@@ -0,0 +1,20 @@
+caption: Log events for policy based extension installs
+default: true
+deprecated: true
+desc: Setting the policy to True sends reports of key, policy-triggered extension
+ installation events to Google. Setting the policy to False means no events are captured.
+ If the policy is unset, default value is set to True.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- swapnilgupta@google.com
+- file://components/policy/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:85-106
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionInstallWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionInstallWhitelist.yaml
new file mode 100755
index 000000000..25e38aeaa
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExtensionInstallWhitelist.yaml
@@ -0,0 +1,22 @@
+caption: Configure extension installation allowlist
+deprecated: true
+desc: This policy is deprecated and unsupported, please use the 'ExtensionInstallAllowlist' policy instead.
+example_value:
+- extension_id1
+- extension_id2
+features:
+ dynamic_refresh: true
+ per_profile: true
+label: Extension IDs to exempt from the blocklist
+owners:
+- rdevlin.cronin@chromium.org
+- file://extensions/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:8-100
+- chrome_os:11-100
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalPrintServersWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalPrintServersWhitelist.yaml
new file mode 100755
index 000000000..e9cd20ac8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalPrintServersWhitelist.yaml
@@ -0,0 +1,30 @@
+caption: Enabled external print servers
+deprecated: true
+desc: |-
+ Specifies the subset of print servers that will be queried for server printers.
+
+ If this policy is used, only the server printers with ids matching the values in this policy are available to the user.
+
+ The ids must correspond to the "id" field in the file specified in ExternalPrintServers.
+
+ If this policy is not set, filtering is omitted and all print servers are taken into account.
+
+ This policy is deprecated, please use ExternalPrintServersAllowlist instead.
+example_value:
+- id1
+- id2
+- id3
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://chromeos/printing/OWNERS
+- luum@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:79-100
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalProtocolDialogShowAlwaysOpenCheckbox.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalProtocolDialogShowAlwaysOpenCheckbox.yaml
new file mode 100755
index 000000000..7df73156f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalProtocolDialogShowAlwaysOpenCheckbox.yaml
@@ -0,0 +1,29 @@
+caption: Show an "Always open" checkbox in external protocol dialog.
+default: true
+desc: |2-
+ This policy controls whether or not the "Always open" checkbox is shown on external protocol launch confirmation prompts.
+
+ If this policy is set to True or not set, when an external protocol confirmation is shown, the user can select "Always allow" to skip all future confirmation prompts for the protocol on this site.
+
+ If this policy is set to False, the "Always allow" checkbox is not displayed and the user will be prompted each time an external protocol is invoked.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow users to select "Always allow" when an external protocol dialog is
+ shown to skip future confirmation prompts
+ value: true
+- caption: Always require users to confrim external protocol prompts
+ value: false
+owners:
+- ydago@chromium.org
+- mkwst@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:79-
+tags: []
+type: main
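Review bot: The caption calls the checkbox "Always open", but the description and the first item caption call it "Always allow", and the second item caption has the typo `confrim`. This checkbox lets a user permanently skip the confirmation for launching an external handler from a site, so the admin-facing text should name the control consistently. Suggested: use one label throughout, and `caption: Always require users to confirm external protocol prompts` for the `false` item.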
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalStorageDisabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalStorageDisabled.yaml
new file mode 100755
index 000000000..0731c86bd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalStorageDisabled.yaml
@@ -0,0 +1,23 @@
+caption: Disable mounting of external storage
+desc: |-
+ Setting the policy to True makes all types of external storage media (USB flash drives, external hard drives, SD and other memory cards, optical storage) unavailable in the file browser. Setting the policy to False or leaving it unset means users can use external storage on their device.
+
+ Note: The policy doesn't affect Google Drive and internal storage. Users can still access files saved in the Downloads folder.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Disallow external storage devices
+ value: true
+- caption: Allow external storage devices
+ value: false
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:22-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalStorageReadOnly.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalStorageReadOnly.yaml
new file mode 100755
index 000000000..daa945798
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ExternalStorageReadOnly.yaml
@@ -0,0 +1,22 @@
+caption: Treat external storage devices as read-only
+desc: |-
+ Setting the policy to True prevents users from writing to external storage devices.
+
+ Unless external storage is blocked, if you set ExternalStorageReadOnly to False or leave it unset, users can create and modify files of physically writable, external storage devices. (You can block external storage by setting ExternalStorageDisable to True.)
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Disallow writing to external storage devices
+ value: true
+- caption: Allow writing to external storage devices
+ value: false
+owners:
+- yamaguchi@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:54-
+tags: []
+type: main
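Review bot: The description refers to `ExternalStorageDisable`, but the policy added elsewhere in this patch is `ExternalStorageDisabled` (file `ExternalStorageDisabled.yaml`). An admin searching for the name as written will not find it. Change the parenthetical to `(You can block external storage by setting ExternalStorageDisabled to True.)`.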
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/F11KeyModifier.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/F11KeyModifier.yaml
new file mode 100755
index 000000000..9c00b6951
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/F11KeyModifier.yaml
@@ -0,0 +1,40 @@
+caption: Control the shortcut used to trigger F11
+desc: |-
+ This policy controls the selected shortcut option for remapping events to
+ F11 in the remap keys subpage. These settings are only applicable for
+ $2Google ChromeOS keyboards
+ and are disabled by default if the policy is unset. If you set this policy,
+ users cannot change or override it.
+example_value: 0
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: F11 settings are disabled
+ name: Disabled
+ value: 0
+- caption: F11 settings use the shortcut that contains the alt modifier
+ name: Alt
+ value: 1
+- caption: F11 settings use the shortcut that contains the shift modifier
+ name: Shift
+ value: 2
+- caption: F11 settings use the shortcut that contains the modifiers ctrl and shift
+ name: CtrlShift
+ value: 3
+owners:
+- michaelcheco@google.com
+- cros-peripherals@google.com
+schema:
+ # These values correspond to the `ExtendedFkeysModifier` mojom enum.
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:123-
+tags: []
+type: int-enum
\ No newline at end of file
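Review bot: F11KeyModifier.yaml and F12KeyModifier.yaml are meant to be parallel, but they differ in two places that look accidental. F12KeyModifier.yaml declares `default: null` while this file has no `default` key, and this file annotates `schema:` with `# These values correspond to the `ExtendedFkeysModifier` mojom enum.` while the F12 schema carries no such comment. Both descriptions say the settings are "disabled by default if the policy is unset", so the two files should state the default the same way: either add `default: null` here or drop it from F12. The enum comment should also be copied to F12's `schema:`. Whether an unset value and `0` (Disabled) are treated identically is not visible in these hunks and is worth confirming before choosing.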
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/F12KeyModifier.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/F12KeyModifier.yaml
new file mode 100755
index 000000000..08a65cbc9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/F12KeyModifier.yaml
@@ -0,0 +1,40 @@
+caption: Control the shortcut used to trigger F12
+default: null
+desc: |-
+ This policy controls the selected shortcut option for remapping events to
+ F12 in the remap keys subpage. These settings are only applicable for
+ $2Google ChromeOS keyboards
+ and are disabled by default if the policy is unset. If you set this policy,
+ users cannot change or override it.
+example_value: 0
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: F12 settings are disabled
+ name: Disabled
+ value: 0
+- caption: F12 settings use the shortcut that contains the alt modifier
+ name: Alt
+ value: 1
+- caption: F12 settings use the shortcut that contains the shift modifier
+ name: Shift
+ value: 2
+- caption: F12 settings use the shortcut that contains the modifiers ctrl and shift
+ name: CtrlShift
+ value: 3
+owners:
+- michaelcheco@google.com
+- cros-peripherals@google.com
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:123-
+tags: []
+type: int-enum
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FastPairEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FastPairEnabled.yaml
new file mode 100755
index 000000000..5fffacc0c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FastPairEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Enable Fast Pair (fast Bluetooth pairing)
+default: true
+default_for_enterprise_users: false
+desc: |-
+ Setting this policy will force Fast Pair to be enabled or disabled.
+ Fast Pair is a new Bluetooth pairing flow that links paired peripherals with a GAIA account.
+ This allows other ChromeOS (and Android) devices signed in with the same GAIA account to pair automatically.
+ If unset, the default value is disabled for enterprise users and enabled for non
+ managed accounts.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Force Fast Pair (fast Bluetooth pairing) to be enabled.
+ value: true
+- caption: Force Fast Pair (fast Bluetooth pairing) to be disabled.
+ value: false
+owners:
+- file://ash/quick_pair/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:100-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FeedbackSurveysEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FeedbackSurveysEnabled.yaml
new file mode 100755
index 000000000..8e857a741
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FeedbackSurveysEnabled.yaml
@@ -0,0 +1,32 @@
+owners:
+- fjacky@chromium.org
+- permissions-core@google.com
+- file://components/policy/OWNERS
+caption: Specifies whether in-product $1Google Chrome surveys are shown to users.
+desc: |-
+ $1Google Chrome in-product surveys collect user feedback for the browser. Survey responses are not associated with user accounts.
+ When this policy is Enabled or not set, in-product surveys may be shown to users.
+ When this policy is Disabled, in-product surveys are not shown to users.
+
+ This policy has no effect if MetricsReportingEnabled is set to Disabled, which disables in-product surveys as well.
+supported_on:
+- android:120-
+- chrome.*:120-
+- chrome_os:120-
+future_on:
+- fuchsia
+features:
+ dynamic_refresh: true
+ per_profile: true
+type: main
+schema:
+ type: boolean
+items:
+- caption: Enable in-product surveys
+ value: true
+- caption: Disable in-product surveys
+ value: false
+default: true
+example_value: true
+tags:
+- google-sharing
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FetchKeepaliveDurationSecondsOnShutdown.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FetchKeepaliveDurationSecondsOnShutdown.yaml
new file mode 100755
index 000000000..5e10e694a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FetchKeepaliveDurationSecondsOnShutdown.yaml
@@ -0,0 +1,26 @@
+caption: Fetch keepalive duration on Shutdown
+default: 0
+desc: |-
+ Controls the duration (in seconds) allowed for keepalive requests on browser shutdown.
+
+ When specified, browser shutdown can be blocked up to the specified seconds,
+ to process keepalive (https://fetch.spec.whatwg.org/#request-keepalive-flag) requests.
+
+ The default value (0) means this feature is disabled.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome_os
+- fuchsia
+owners:
+- yhirano@chromium.org
+schema:
+ maximum: 5
+ minimum: 0
+ type: integer
+supported_on:
+- chrome.*:90-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FileOrDirectoryPickerWithoutGestureAllowedForOrigins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FileOrDirectoryPickerWithoutGestureAllowedForOrigins.yaml
new file mode 100755
index 000000000..3e92dfe55
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FileOrDirectoryPickerWithoutGestureAllowedForOrigins.yaml
@@ -0,0 +1,38 @@
+caption: Allow file or directory picker APIs to be called without prior user gesture
+desc: |-
+ For security reasons, the
+ showOpenFilePicker(),
+ showSaveFilePicker() and
+ showDirectoryPicker() web APIs
+ require a prior user gesture ("transient activation") to be called or will
+ otherwise fail.
+
+ With this policy set, admins can specify origins on which these APIs can be
+ called without prior user gesture.
+
+ For detailed information on valid url patterns, please see
+ https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is
+ not an accepted value for this policy.
+
+ If this policy is unset, all origins will require a prior user gesture to call
+ these APIs.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://content/browser/file_system_access/OWNERS
+- hendrich@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:113-
+- chrome_os:113-
+future_on:
+- fuchsia
+tags: []
+type: list
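Review bot: `tags: []` leaves this policy without any risk tag, although its own `desc` says the user-gesture requirement on the file and directory picker APIs exists for security reasons and the policy removes that requirement for the listed origins. Other policies in this patch do carry tags (`filtering`, `website-sharing`, `google-sharing`), so a tag such as `system-security` would make this one visible when an administrator audits risky settings. The description also says `*` is not an accepted value, but the schema is only `items: type: string`, so the rejection presumably happens in the policy handler, which this hunk does not show. It is worth confirming that the wildcard is actually refused and recording where, for example with a short `#` comment above `schema:`.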
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FloatingWorkspaceEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FloatingWorkspaceEnabled.yaml
new file mode 100755
index 000000000..808b0dc52
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FloatingWorkspaceEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Enable Floating Workspace Service
+default: false
+desc: |-
+ When a user switches between $2Google ChromeOS devices, $1Floating Workspace Service will launch browser and app windows from the previous device onto the new device.
+ Setting the policy to Enabled will launch browser and app windows from current user's last used $2Google ChromeOS device automatically upon login.
+ Setting the policy to Disabled or leaving it unset will let full restore settings determine what to be launched upon login.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Enable $1Floating Workspace Service and launch remote desk upon login
+ value: true
+- caption: Disable $1Floating Workspace Service and do not launch remote desk upon
+ login
+ value: false
+owners:
+- ligeng@chromium.org
+- yzd@chromium.org
+- aprilzhou@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:100-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FloatingWorkspaceV2Enabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FloatingWorkspaceV2Enabled.yaml
new file mode 100755
index 000000000..242621452
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FloatingWorkspaceV2Enabled.yaml
@@ -0,0 +1,25 @@
+caption: Enable $1Floating Workspace V2 Service
+default: false
+desc: |-
+ When a user switches between $2Google ChromeOS devices, $1Floating Workspace V2 Service V2 Service will launch browser and app windows from the previous device onto the new device.
+ Setting the policy to Enabled will launch browser and app windows from current user's last used $2Google ChromeOS device automatically upon login.
+ Setting the policy to Disabled or leaving it unset will let full restore settings determine what to be launched upon login.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Enable $1Floating Workspace V2 Service and launch remote desk upon login
+ value: true
+- caption: Disable $1Floating Workspace V2 Service and do not launch remote desk upon
+ login
+ value: false
+owners:
+- ligeng@chromium.org
+- yzd@chromium.org
+schema:
+ type: boolean
+future_on:
+- chrome_os
+tags: []
+type: main
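Review bot: The first sentence of `desc` repeats part of the product name: `$1Floating Workspace V2 Service V2 Service will launch browser and app windows` should read `$1Floating Workspace V2 Service will launch browser and app windows`. This text is shown to administrators in the generated policy documentation, so the duplicated words are user-visible. The equivalent sentence in FloatingWorkspaceEnabled.yaml has the intended form.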
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FocusModeSoundsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FocusModeSoundsEnabled.yaml
new file mode 100755
index 000000000..b40e1b6e9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FocusModeSoundsEnabled.yaml
@@ -0,0 +1,40 @@
+caption: Enable Sounds in Focus Mode for ChromeOS
+default_for_enterprise_users: disabled
+desc: |-
+ Focus Mode is a feature that controls Do Not Disturb on a timer and is intended to reduce user distraction. A feature of Focus Mode allows users to listen to a limited set of music to help them focus. This policy controls access to this feature.
+
+ If the policy is unset, all sounds are disabled for managed users.
+
+ Setting the policy to Enabled will allow access to all sounds in Focus Mode.
+
+ Setting the policy to EnabledFocusSoundsOnly will enable the sound feature with just Focus Sounds.
+
+ Setting the policy to Disabled will disable sounds in Focus Mode.
+example_value: focus-sounds
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable all sounds in Focus Mode.
+ name: Enabled
+ value: enabled
+- caption: Enable Focus Mode with only Focus Sounds.
+ name: EnabledFocusSoundsOnly
+ value: focus-sounds
+- caption: Disable sounds in Focus Mode.
+ name: Disabled
+ value: disabled
+owners:
+- richui@chromium.org
+- nupurjain@google.com
+- skau@chromium.org
+schema:
+ enum:
+ - enabled
+ - focus-sounds
+ - disabled
+ type: string
+supported_on:
+- chrome_os:129-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceBrowserSignin.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceBrowserSignin.yaml
new file mode 100755
index 000000000..9fb4ed47b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceBrowserSignin.yaml
@@ -0,0 +1,30 @@
+caption: Enable force sign in for $1Google Chrome
+deprecated: true
+desc: |-
+ This policy is deprecated, consider using BrowserSignin instead.
+
+ If this policy is set to true, user has to sign in to $1Google Chrome with their profile before using the browser. And the default value of BrowserGuestModeEnabled will be set to false. Note that existing unsigned profiles will be locked and inaccessible after enabling this policy. For more information, see help center article.
+
+ If this policy is set to false or not configured, user can use the browser without sign in to $1Google Chrome.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- chrome.linux
+items:
+- caption: Force the user to sign in before using the browser
+ value: true
+- caption: Allow the user to use the browser without signing in
+ value: false
+owners:
+- zmin@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:64-
+- chrome.mac:66-
+- android:65-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceEnablePepperVideoDecoderDevAPI.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceEnablePepperVideoDecoderDevAPI.yaml
new file mode 100755
index 000000000..8f3a1b71d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceEnablePepperVideoDecoderDevAPI.yaml
@@ -0,0 +1,40 @@
+owners:
+- blundell@chromium.org
+- vasilyt@chromium.org
+caption: Enable support for the PPB_VideoDecoder(Dev) API.
+desc: |-
+ This policy can be temporarily used to force-enable support for the
+ PPB_VideoDecoder(Dev) API.
+
+ When the policy is left unset or set to Disabled, the browser will decide whether
+ the API is supported.
+ When the policy is set to Enabled, the API will be supported.
+
+ This policy can be used in case our ongoing elimination of support for this API
+ exposes problems. If you must use the policy, please file a bug on crbug.com
+ explaining your use case and CC {blundell, vasilyt}@chromium.org. The policy is
+ available through $1Google Chrome
+ version 114, after which support for this API was eliminated unconditionally.
+
+ NOTE: Only newly-started renderer processes will reflect changes to this
+ policy while the browser is running.
+
+supported_on:
+- chrome.*:111-114
+- chrome_os:111-114
+deprecated: true
+device_only: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+type: main
+schema:
+ type: boolean
+items:
+- caption: Enable support
+ value: true
+- caption: Let browser decide support
+ value: false
+default: false
+example_value: true
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceEphemeralProfiles.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceEphemeralProfiles.yaml
new file mode 100755
index 000000000..7cb1e811a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceEphemeralProfiles.yaml
@@ -0,0 +1,29 @@
+caption: Ephemeral profile
+desc: |-
+ If set to enabled this policy forces the profile to be switched to ephemeral mode. If this policy is specified as an OS policy (e.g. GPO on Windows) it will apply to every profile on the system; if the policy is set as a Cloud policy it will apply only to a profile signed in with a managed account.
+
+ In this mode the profile data is persisted on disk only for the length of the user session. Features like browser history, extensions and their data, web data like cookies and web databases are not preserved after the browser is closed. However this does not prevent the user from downloading any data to disk manually, save pages or print them.
+
+ If the user has enabled sync all this data is preserved in their sync profile just like with regular profiles. Incognito mode is also available if not explicitly disabled by policy.
+
+ If the policy is set to disabled or left not set signing in leads to regular profiles.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Clear profile data on disk when user session ends
+ value: true
+- caption: Persist profile data on disk when user session ends
+ value: false
+owners:
+- file://components/policy/OWNERS
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:32-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceGoogleSafeSearch.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceGoogleSafeSearch.yaml
new file mode 100755
index 000000000..21053d711
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceGoogleSafeSearch.yaml
@@ -0,0 +1,29 @@
+caption: Force Google SafeSearch
+desc: |-
+ Setting the policy to Enabled means SafeSearch in Google Search is always active, and users can't change this setting.
+
+ Setting the policy to Disabled or leaving it unset means SafeSearch in Google Search is not enforced.
+example_value: false
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Force the use of SafeSearch in Google Search
+ value: true
+- caption: Do not enforce the use of SafeSearch in Google Search
+ value: false
+owners:
+- treib@chromium.org
+- igorcov@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:41-
+- chrome_os:41-
+- android:41-
+tags:
+- filtering
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceLegacyDefaultReferrerPolicy.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceLegacyDefaultReferrerPolicy.yaml
new file mode 100755
index 000000000..7b6eec0e7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceLegacyDefaultReferrerPolicy.yaml
@@ -0,0 +1,29 @@
+caption: Use a default referrer policy of no-referrer-when-downgrade.
+deprecated: true
+desc: |-
+ This enterprise policy is for short-term adaptation and will be removed in $1Google Chrome version 88.
+
+ Chrome's default referrer policy is being strengthened from its current value of no-referrer-when-downgrade to the more secure strict-origin-when-cross-origin through a gradual rollout targeting Chrome 85 stable.
+
+ Before the rollout, this enterprise policy will have no effect. After the rollout, when this enterprise policy is enabled, Chrome's default referrer policy will be set to its previous value of no-referrer-when-downgrade.
+
+ This enterprise policy is disabled by default.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Use a default referrer policy of no-referrer-when-downgrade
+ value: true
+- caption: Do not use a default referrer policy of no-referrer-when-downgrade
+ value: false
+owners:
+- kaustubhag@chromium.org
+- chrome-network-stack@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:80-87
+- chrome_os:80-87
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceLogoutUnauthenticatedUserEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceLogoutUnauthenticatedUserEnabled.yaml
new file mode 100755
index 000000000..4b82d6fbe
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceLogoutUnauthenticatedUserEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Force logout the user when their account becomes unauthenticated
+desc: |-
+ Force logout the user when their primary account's authentication token becomes invalid.
+ This policy can protect the user from access to restricted content on Google web properties.
+ If this policy is set to True, the user will be logged out as soon as their authentication token becomes invalid and attempts to restore this token fail.
+ If this policy is set to False or unset, the user can continue working in an unauthenticated state.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Log the user out as soon as their account becomes unauthenticated
+ value: true
+- caption: Allow the user to remain logged in after their account becomes unauthenticated
+ value: false
+owners:
+- solovey@google.com
+- sinhak@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:81-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceMajorVersionToMinorPositionInUserAgent.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceMajorVersionToMinorPositionInUserAgent.yaml
new file mode 100755
index 000000000..99e1fc4f2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceMajorVersionToMinorPositionInUserAgent.yaml
@@ -0,0 +1,57 @@
+caption: Freeze User-Agent string major version at 99
+default: 0
+deprecated: true
+desc: |-
+ This policy controls whether the User-Agent string major
+ version should be frozen at 99.
+
+ The User-Agent request header lets websites identify the application,
+ operating system, vendor, and/or version of the requesting user agent.
+ Some websites make assumptions about how this header is formatted and may
+ encounter issues with version strings that include three digits in the
+ major position (e.g. 100.0.0.0).
+
+ Setting the policy to 'Default' or leaving it unset will default to
+ browser settings for the User-Agent string major version.
+ If set to 'ForceDisabled', the User-Agent string will not freeze the
+ major version.
+ If set to 'ForceEnabled', the User-Agent string will always report the
+ major version as 99 and include the browser's major version in the minor
+ position. For example, browser version 101.0.0.0 would send a User-Agent
+ request header that reports version 99.101.0.0.
+
+ This policy is temporary and will be deprecated in the future. Note that
+ if this policy and
+ User-Agent Reduction are
+ both enabled, the User-Agent version string will always be 99.0.0.0.
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Default to browser settings for User-Agent string version.
+ name: Default
+ value: 0
+- caption: The User-Agent string will not freeze the major version.
+ name: ForceDisabled
+ value: 1
+- caption: The User-Agent string will freeze the major version as 99 and include the
+ browser's major version in the minor position.
+ name: ForceEnabled
+ value: 2
+owners:
+- miketaylr@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:99-117
+- chrome.*:99-117
+- android:99-117
+- webview_android:99-117
+tags:
+- website-sharing
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceMaximizeOnFirstRun.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceMaximizeOnFirstRun.yaml
new file mode 100755
index 000000000..6459986de
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceMaximizeOnFirstRun.yaml
@@ -0,0 +1,23 @@
+caption: Maximize the first browser window on first run
+desc: |-
+ Setting the policy to True means Chrome maximizes the first window shown on first run.
+
+ Setting the policy to False or leaving it unset means that Chrome might maximize the first window, depending on the screen size.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Maximize the first browser window on first run
+ value: true
+- caption: Default system behavior (depends on screen size)
+ value: false
+owners:
+- file://components/policy/OWNERS
+- poromov@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:43-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceNetworkInProcess.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceNetworkInProcess.yaml
new file mode 100755
index 000000000..9cf86675e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceNetworkInProcess.yaml
@@ -0,0 +1,16 @@
+caption: Force networking code to run in the browser process
+deprecated: true
+desc: This policy is deprecated.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- file://services/network/OWNERS
+- jam@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:72-83
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForcePermissionPolicyUnloadDefaultEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForcePermissionPolicyUnloadDefaultEnabled.yaml
new file mode 100755
index 000000000..9e8610d3d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForcePermissionPolicyUnloadDefaultEnabled.yaml
@@ -0,0 +1,55 @@
+caption: "Controls whether unload event \
+handlers can be disabled."
+default: false
+desc: "unload event handlers are being \
+deprecated. Whether they fire depends on the \
+unload Permissions-Policy. \
+Currently, they are allowed by policy by default. In the future they will \
+gradually move to being disallowed by default and sites must explicitly enable \
+them using Permissions-Policy \
+headers. This enterprise policy can be used to opt out of this gradual \
+deprecation by forcing the default to remain as enabled.\n\ \
+\n\
+Pages may depend on unload event
+handlers to save data or signal the end of a user session to the server. This
+is not recommended as it is unreliable and impacts performance by blocking
+use of BackForwardCache. Recommended
+alternatives exist, however the unload
+event has been used for a long time. Some applications may still rely on
+them.\n\
+\n\
+If this policy is set to false or not set, then
+unload events handlers will be gradually
+deprecated in-line with the deprecation rollout and sites which do not
+set Permissions-Policy header will
+stop firing `unload` events.\n\
+\n\
+If this policy is set to true then unload \
+event handlers will continue to work by default.\n\
+\n\
+NOTE: This policy had an incorrectly documented default of `true` in M117. \
+The unload event did and will not change in M117, so this policy has no effect \
+in that version.\n"
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: "Force unload event handlers to remain enabled by default during \
+deprecation"
+ value: true
+- caption: "Allow unload event handlers to be disabled by default during \
+deprecation"
+ value: false
+owners:
+- chrome-bfcache@google.com
+- fergal@chromium.org
+schema:
+ type: boolean
+supported_on:
+- android:117-
+- chrome.*:117-
+- chrome_os:117-
+- fuchsia:117-
+tags: []
+type: main
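Review bot: `caption` and `desc` are written as double-quoted scalars with backslash line continuations, and in `desc` the continuation is applied unevenly. The first and last paragraphs end every line with `\`, the middle paragraphs (from "Pages may depend on unload event" through "stop firing `unload` events.") rely on plain line folding instead, and one line ends in `\n\ \`. The resulting whitespace and paragraph breaks are hard to check by reading the file. The multi-paragraph descriptions in the neighbouring policy files use a `desc: |-` block scalar; writing this one the same way, with blank lines in place of the `\n\` pairs, would remove the escapes and make the rendered text match what is on the page.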
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceSafeSearch.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceSafeSearch.yaml
new file mode 100755
index 000000000..8e5a6973d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceSafeSearch.yaml
@@ -0,0 +1,34 @@
+caption: Force SafeSearch
+deprecated: true
+desc: |-
+ This policy is deprecated, please use ForceGoogleSafeSearch and ForceYouTubeRestrict instead. This policy is ignored if either the ForceGoogleSafeSearch, the ForceYouTubeRestrict or the (deprecated) ForceYouTubeSafetyMode policies are set.
+
+ Forces queries in Google Web Search to be done with SafeSearch set to active and prevents users from changing this setting. This setting also forces Moderate Restricted Mode on YouTube.
+
+ If you enable this setting, SafeSearch in Google Search and Moderate Restricted Mode YouTube is always active.
+
+ If you disable this setting or do not set a value, SafeSearch in Google Search and Restricted Mode in YouTube is not enforced.
+example_value: false
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Force the use of SafeSearch in Google Search and YouTube Restricted Mode
+ to be at least Moderate
+ value: true
+- caption: Do not enforce the use of SafeSearch in Google Search or YouTube Restricted
+ Mode
+ value: false
+owners:
+- sergiu@chromium.org
+- igorcov@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:25-
+- chrome_os:25-
+- android:30-
+tags:
+- filtering
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceYouTubeRestrict.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceYouTubeRestrict.yaml
new file mode 100755
index 000000000..396e88d5f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceYouTubeRestrict.yaml
@@ -0,0 +1,45 @@
+arc_support: This policy has no effect on the Android YouTube app. If Safety Mode
+ on YouTube should be enforced, installation of the Android YouTube app should be
+ disallowed.
+caption: Force minimum YouTube Restricted Mode
+desc: |-
+ Setting the policy enforces a minimum Restricted mode on YouTube and prevents users from picking a less restricted mode. If you set it to:
+
+ * Strict, Strict Restricted mode on YouTube is always active.
+
+ * Moderate, the user may only pick Moderate Restricted mode and Strict Restricted mode on YouTube, but can't turn off Restricted mode.
+
+ * Off or if no value is set, Restricted mode on YouTube isn't enforced by Chrome. External policies such as YouTube policies might still enforce Restricted mode.
+example_value: 0
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Do not enforce Restricted Mode on YouTube
+ name: 'Off'
+ value: 0
+- caption: Enforce at least Moderate Restricted Mode on YouTube
+ name: Moderate
+ value: 1
+- caption: Enforce Strict Restricted Mode for YouTube
+ name: Strict
+ value: 2
+owners:
+- file://components/policy/OWNERS
+- poromov@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:55-
+- chrome_os:55-
+- android:55-
+tags:
+- filtering
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceYouTubeSafetyMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceYouTubeSafetyMode.yaml
new file mode 100755
index 000000000..dc98f8821
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForceYouTubeSafetyMode.yaml
@@ -0,0 +1,35 @@
+arc_support: This policy has no effect on the Android YouTube app. If Safety Mode
+ on YouTube should be enforced, installation of the Android YouTube app should be
+ disallowed.
+caption: Force YouTube Safety Mode
+deprecated: true
+desc: |-
+ This policy is deprecated. Consider using ForceYouTubeRestrict, which overrides this policy and allows more fine-grained tuning.
+
+ Forces YouTube Moderate Restricted Mode and prevents users from changing this setting.
+
+ If this setting is enabled, Restricted Mode on YouTube is always enforced to be at least Moderate.
+
+ If this setting is disabled or no value is set, Restricted Mode on YouTube is not enforced by $1Google Chrome. External policies such as YouTube policies might still enforce Restricted Mode, though.
+example_value: false
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Force YouTube Restricted Mode to be at least Moderate
+ value: true
+- caption: Do not enforce YouTube Restricted Mode
+ value: false
+owners:
+- treib@chromium.org
+- igorcov@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:41-
+- chrome_os:41-
+- android:41-
+tags:
+- filtering
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForcedLanguages.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForcedLanguages.yaml
new file mode 100755
index 000000000..4ee8554aa
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ForcedLanguages.yaml
@@ -0,0 +1,27 @@
+caption: Configure the content and order of preferred languages
+default: null
+desc: |-
+ This policy allows admins to configure the order of the preferred languages in $1Google Chrome's settings.
+
+ The order of the list will appear in the same order under the "Order languages based on your preference" section in chrome://settings/languages. Users won't be able to remove or reorder languages set by the policy, but will be able to add languages underneath those set by the policy. Users will also have full control over the browser's UI language and translation/spell check settings, unless enforced by other policies.
+
+ Leaving the policy unset lets users manipulate the entire list of preferred languages.
+example_value:
+- en-US
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome_os
+- fuchsia
+owners:
+- igorruvinov@chromium.org
+- pastarmovj@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:91-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullRestoreEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullRestoreEnabled.yaml
new file mode 100755
index 000000000..3a8f9fa91
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullRestoreEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Enable the full restore feature
+default: true
+desc: |-
+ Setting the policy to enable the full restore feature.
+ If this policy is true, apps and app windows will be restored or not restored after a crash or reboot based on the restore app setting.
+ If this policy is false, only browser windows are automatcially launched.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Enable the full restore feature.
+ value: true
+- caption: Disable the full restore feature.
+ value: false
+owners:
+- nancylingwang@chromium.org
+- sammiequon@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:96-
+tags: []
+type: main
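Review bot: The `desc` text misspells "automatically" as "automatcially" in its last line, and its first line ("Setting the policy to enable the full restore feature.") is a sentence fragment that does not say what the setting does. I would open with `Controls whether the full restore feature is enabled.` and correct the spelling to `automatically`. GhostWindowEnabled.yaml in this commit opens its `desc` with the same fragment, and its last sentence lacks a closing period.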
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullRestoreMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullRestoreMode.yaml
new file mode 100755
index 000000000..268e69b10
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullRestoreMode.yaml
@@ -0,0 +1,34 @@
+caption: Configure app restore on login
+default: 2
+desc: |-
+ Controls whether and how $2Google ChromeOS restores the last session on login.
+ This policy has an effect only if the FullRestoreEnabled policy is set to true.
+example_value: 2
+features:
+ can_be_mandatory: true
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- name: Always
+ value: 1
+ caption: Always restore the last session.
+- name: AskEveryTime
+ caption: Ask the user on login whether to restore the last session.
+ value: 2
+- name: DoNotRestore
+ caption: Do not restore the last session.
+ value: 3
+owners:
+- aninak@chromium.org
+- imprivata-eng@google.com
+schema:
+ enum:
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:121-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullscreenAlertEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullscreenAlertEnabled.yaml
new file mode 100755
index 000000000..241597b01
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullscreenAlertEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Enable fullscreen alert
+default: null
+desc: |-
+ Specifies whether the fullscreen alert should be shown when the device returns from sleep or dark screen.
+
+ When the policy is unset or set to True, an alert will be shown to remind the users to exit fullscreen before entering password. When the policy is set to False, no alert would be shown.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable fullscreen alert
+ value: true
+- caption: Disable show fullscreen alert
+ value: false
+- caption: Enable fullscreen alert
+ value: null
+owners:
+- zxdan@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:88-
+tags: []
+type: main
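Review bot: In `items`, the entry for `value: null` has the same caption as `value: true` ("Enable fullscreen alert"), and the `false` caption reads "Disable show fullscreen alert". The `desc` says the alert reminds users to exit fullscreen before entering a password, so an administrator reading the list should be able to see that leaving the policy unset keeps the alert on. I would use `caption: Enable fullscreen alert (default when unset)` for the null entry and `caption: Disable fullscreen alert` for false.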
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullscreenAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullscreenAllowed.yaml
new file mode 100755
index 000000000..51ef714ab
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/FullscreenAllowed.yaml
@@ -0,0 +1,29 @@
+arc_support: This policy has no effect on the Android apps. They will be able to enter
+ fullscreen mode even if this policy is set to False.
+caption: Allow fullscreen mode
+desc: |-
+ Setting the policy to True or leaving it unset means that, with appropriate permissions, users, apps, and extensions can enter Fullscreen mode (in which only web content appears).
+
+ Setting the policy to False means users, apps, and extensions can't enter Fullscreen mode.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow fullscreen mode
+ value: true
+- caption: Do not allow fullscreen mode
+ value: false
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:31-
+- chrome.linux:31-
+- chrome_os:31-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GCFUserDataDir.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GCFUserDataDir.yaml
new file mode 100755
index 000000000..155b7bd06
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GCFUserDataDir.yaml
@@ -0,0 +1,23 @@
+caption: Set $3Google Chrome Frame user
+ data directory
+deprecated: true
+desc: |-
+ Configures the directory that $3Google Chrome Frame will use for storing user data.
+
+ If you set this policy, $3Google Chrome Frame will use the provided directory.
+
+ See https://support.google.com/chrome/a?p=Supported_directory_variables for a list of variables that can be used.
+
+ If this setting is left not set the default profile directory will be used.
+example_value: ${user_home}/Chrome Frame
+features:
+ dynamic_refresh: false
+label: Set user data directory
+owners:
+- grt@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome_frame:12-32
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GaiaLockScreenOfflineSigninTimeLimitDays.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GaiaLockScreenOfflineSigninTimeLimitDays.yaml
new file mode 100755
index 000000000..a3bbc8367
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GaiaLockScreenOfflineSigninTimeLimitDays.yaml
@@ -0,0 +1,33 @@
+caption: Limit the time for which a user authenticated via GAIA without SAML can log
+ in offline at the lock screen
+default: null
+desc: |-
+ While logging in through the lock screen, $2Google ChromeOS can authenticate against a server (online) or using a cached password (offline).
+
+ When this policy is set to -2, it will match the value of the login screen offline signin time limit which comes from GaiaOfflineSigninTimeLimitDays.
+
+ When the policy is unset, or set to a value of -1, it will not enforce online authentication on the lock screen and will allow the user to use offline authentication unless a different reason than this policy enforces an online authentication.
+
+ If the policy is set to a value of 0, online authentication will always be required.
+
+ When this policy is set to any other value, it specifies the number of days since the last online authentication after which the user must use online authentication again in the next login through the lock screen.
+
+ This policy affects users who authenticated using GAIA without SAML.
+
+ The policy value should be specified in days.
+example_value: 32
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- ayag@chromium.org
+- chromeos-commercial-identity@google.com
+- file://components/policy/OWNERS
+schema:
+ maximum: 365
+ minimum: -2
+ type: integer
+supported_on:
+- chrome_os:92-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GhostWindowEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GhostWindowEnabled.yaml
new file mode 100755
index 000000000..d4c11ede3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GhostWindowEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Enable the ghost window feature
+default: true
+desc: |-
+ Setting the policy to enable the ghost window feature.
+ If this policy is true, ARC ghost windows will be created before ARC boots after a crash or reboot based on the restore app setting.
+ If this policy is false, there is no ghost window created before ARC boots. Arc apps are restored after ARC boots
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Enable the ghost window feature.
+ value: true
+- caption: Disable the ghost window feature.
+ value: false
+owners:
+- nancylingwang@chromium.org
+- sstan@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:96-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GlanceablesEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GlanceablesEnabled.yaml
new file mode 100755
index 000000000..a5ae7003f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GlanceablesEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Glanceables on $2Google ChromeOS
+deprecated: true
+default: true
+default_for_enterprise_users: false
+desc: |-
+ Enables the presence of Glanceables widgets on $2Google ChromeOS. Specifically, the widgets accessible via the date chip on shelf.
+ When this policy is enabled, Glanceables are enabled on $2Google ChromeOS.
+ When this policy is disabled or unset, Glanceables are not enabled on $2Google ChromeOS.
+example_value: false
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+ unlisted: true
+items:
+- caption: Glanceables are enabled for users.
+ value: true
+- caption: Glanceables are not enabled for users.
+ value: false
+owners:
+- file://ash/glanceables/OWNERS
+- anasalazar@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:118-124
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GloballyScopeHTTPAuthCacheEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GloballyScopeHTTPAuthCacheEnabled.yaml
new file mode 100755
index 000000000..a2947bcf9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GloballyScopeHTTPAuthCacheEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Enable globally scoped HTTP auth cache
+desc: |-
+ This policy configures a single global per profile cache with HTTP server authentication credentials.
+
+ If this policy is unset or disabled, the browser will use the default behavior of cross-site auth, which as of version 80, will be to scope HTTP server authentication credentials by top-level site, so if two sites use resources from the same authenticating domain, credentials will need to be provided independently in the context of both sites. Cached proxy credentials will be reused across sites.
+
+ If the policy is enabled, HTTP auth credentials entered in the context of one site will automatically be used in the context of another.
+
+ Enabling this policy leaves sites open to some types of cross-site attacks, and allows users to be tracked across sites even without cookies by adding entries to the HTTP auth cache using credentials embedded in URLs.
+
+ This policy is intended to give enterprises depending on the legacy behavior a chance to update their login procedures, and will be removed in the future.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable globally scoped HTTP authentication cache
+ value: true
+- caption: Disable globally scoped HTTP authentication cache
+ value: false
+owners:
+- file://net/OWNERS
+- mmenke@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:80-
+- chrome_os:80-
+tags: []
+type: main
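Review bot: `tags: []` leaves this policy without a risk tag, although its `desc` states that enabling it "leaves sites open to some types of cross-site attacks" and allows users to be tracked across sites. HSTSPolicyBypassList.yaml in this commit carries `- system-security` for a policy that relaxes a transport protection. The same tag looks appropriate here, assuming tags drive the risk labelling shown to administrators. Http09OnNonDefaultPortsEnabled.yaml has the same gap: its `desc` says enabling it leaves users open to the security issue https://crbug.com/600352, and its tags are empty too.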
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GoogleLocationServicesEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GoogleLocationServicesEnabled.yaml
new file mode 100755
index 000000000..f026cf263
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GoogleLocationServicesEnabled.yaml
@@ -0,0 +1,38 @@
+caption: Control $2Google ChromeOS access to Google location services
+desc: |-
+ Set $2Google ChromeOS geolocation system availability level.
+
+ This is an additional layer of control, sitting below the permission layer for apps and websites. E.g. If this policy is set to either Block or OnlyAllowedForSystemServices, no apps or websites can resolve location, regardless of their respective location permission. But if it's set to Allow, apps and websites can individually get location if they have permission.
+
+ Users can't override the admin selection. Leaving the policy unset gives users the consumer experience, i.e. they can freely modify the system location setting, and where the default is Allow.
+
+ Note: This policy deprecates the ArcGoogleLocationServicesEnabled policy. Also when this policy is set, DefaultGeolocationSetting will no longer affect the Android location preference on $2Google ChromeOS.
+supported_on:
+- chrome_os:124-
+features:
+ dynamic_refresh: true
+ per_profile: false
+schema:
+ type: integer
+ enum:
+ - 0
+ - 1
+ - 2
+type: int-enum
+items:
+- caption: Block system geolocation access to all clients
+ name: Block
+ value: 0
+- caption: Allow system geolocation access
+ name: Allow
+ value: 1
+- caption: Only allow system geolocation access to system services
+ name: OnlyAllowedForSystemServices
+ value: 2
+default: null
+example_value: 1
+owners:
+- zauri@google.com
+- chromeos-privacyhub@google.com
+- file://components/policy/OWNERS
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GoogleSearchSidePanelEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GoogleSearchSidePanelEnabled.yaml
new file mode 100755
index 000000000..ef369f21f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/GoogleSearchSidePanelEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable Google Search Side Panel
+
+desc: |-
+ If set to Enabled or not set, Google Search Side Panel is allowed on all web pages.
+
+ If set to Disabled, Google Search Side Panel is not available on any webpage.
+
+ GenAI capabilities that are part of this feature are not available for Educational or Enterprise accounts.
+default: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable Google Search Side Panel on all web pages
+ value: true
+- caption: Disable Google Search Side Panel on all web pages
+ value: false
+owners:
+- file://chrome/browser/companion/OWNERS
+- tbansal@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:115-
+- chrome_os:115-
+tags:
+- google-sharing
+type: main
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HSTSPolicyBypassList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HSTSPolicyBypassList.yaml
new file mode 100755
index 000000000..c3b599a8c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HSTSPolicyBypassList.yaml
@@ -0,0 +1,29 @@
+caption: List of names that will bypass the HSTS policy check
+desc: |-
+ Setting the policy specifies a list of hostnames that bypass preloaded HSTS upgrades from http to https.
+
+ Only single-label hostnames are allowed in this policy, and this policy only applies to "static" HSTS-preloaded entries (for instance, "app", "new", "search", "play"). This policy does not prevent HSTS upgrades for servers that have "dynamically" requested HSTS upgrades using a Strict-Transport-Security response header.
+
+ Supplied hostnames must be canonicalized: Any IDNs must be converted to their A-label format, and all ASCII letters must be lowercase. This policy only applies to the specific single-label hostnames specified, not to subdomains of those names.
+example_value:
+- meet
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- asymmetric@chromium.org
+- rsleevi@chromium.org
+schema:
+ items:
+ pattern: ^[a-z0-9-]*$
+ type: string
+ type: array
+supported_on:
+- chrome.*:78-
+- android:78-
+- chrome_os:78-
+tags:
+- system-security
+type: list
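Review bot: The item pattern `^[a-z0-9-]*$` also matches the empty string, which is not a single-label hostname as the `desc` requires. `pattern: ^[a-z0-9-]+$` would reject it at schema validation; how the browser treats an empty entry is not visible in this hunk, so this is a tightening rather than a confirmed bug. The pattern also accepts labels that begin or end with a hyphen, which are not valid hostname labels. A stricter form that still admits A-labels is `^[a-z0-9]([a-z0-9-]*[a-z0-9])?$`.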
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HardwareAccelerationModeEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HardwareAccelerationModeEnabled.yaml
new file mode 100755
index 000000000..96192429b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HardwareAccelerationModeEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Use graphics acceleration when available
+desc: |-
+ Setting the policy to Enabled or leaving it unset turns on graphics acceleration, if available.
+
+ Setting the policy to Disabled turns off graphics acceleration.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Enable graphics acceleration
+ value: true
+- caption: Disable graphics acceleration
+ value: false
+owners:
+- zmo@chromium.org
+- kbr@chromium.org
+- file://gpu/GRAPHICS_TEAM_OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:46-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HeadlessMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HeadlessMode.yaml
new file mode 100755
index 000000000..0376a3a37
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HeadlessMode.yaml
@@ -0,0 +1,32 @@
+caption: Control use of the Headless Mode
+default: 1
+desc: Setting this policy to Enabled or leaving the policy
+ unset allows use of the headless mode. Setting this policy to Disabled
+ denies use of the headless mode.
+example_value: 2
+features:
+ dynamic_refresh: false
+ per_profile: false
+ platform_only: true
+items:
+- caption: Allow use of the Headless Mode
+ name: Enabled
+ value: 1
+- caption: Do not allow use of the Headless Mode
+ name: Disabled
+ value: 2
+owners:
+- kvitekp@chromium.org
+- file://headless/OWNERS
+schema:
+ enum:
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:91-
+- fuchsia:106-
+future_on:
+- chrome_os
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HideWebStoreIcon.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HideWebStoreIcon.yaml
new file mode 100755
index 000000000..663103ba9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HideWebStoreIcon.yaml
@@ -0,0 +1,30 @@
+caption: Hide the web store from the New Tab Page and app launcher
+desc: |-
+ Hide the Chrome Web Store app and footer link from the New Tab Page and $2Google ChromeOS app launcher.
+
+ When this policy is set to true, the icons are hidden.
+
+ When this policy is set to false or is not configured, the icons are visible.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Do not show the Chrome Web Store icon in the $2Google
+ ChromeOS launcher or on the new tab page
+ value: true
+- caption: Show the Chrome Web Store icon in the $2Google
+ ChromeOS launcher and on the new tab page
+ value: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:26-
+- chrome_os:68-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HideWebStorePromo.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HideWebStorePromo.yaml
new file mode 100755
index 000000000..23757d045
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HideWebStorePromo.yaml
@@ -0,0 +1,19 @@
+caption: Prevent app promotions from appearing on the new tab page
+deprecated: true
+desc: |-
+ When set to True, promotions for Chrome Web Store apps will not appear on the new tab page.
+
+ Setting this option to False or leaving it not set will make the promotions for Chrome Web Store apps appear on the new tab page
+example_value: false
+features:
+ dynamic_refresh: false
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:15-21
+- chrome_os:15-21
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HighEfficiencyModeEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HighEfficiencyModeEnabled.yaml
new file mode 100755
index 000000000..bb6a13717
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HighEfficiencyModeEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Enable High Efficiency Mode
+default: null
+desc: "This policy enables or disables the High Efficiency Mode setting. This setting\
+ \ makes it so that tabs are discarded after some period of time in the background\
+ \ to reclaim memory.\n If this policy is unset, the end user can control this\
+ \ setting in chrome://settings/performance.\n "
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: High Efficiency Mode will be enabled.
+ value: true
+- caption: High Efficiency Mode will be disabled.
+ value: false
+- caption: The end user can enable or disable High Efficiency Mode.
+ value: null
+owners:
+- anthonyvd@chromium.org
+- file://components/performance_manager/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:108-
+- chrome_os:108-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HindiInscriptLayoutEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HindiInscriptLayoutEnabled.yaml
new file mode 100755
index 000000000..820c24d45
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HindiInscriptLayoutEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Enable the Hindi Inscript Layout
+default: false
+desc: Setting the policy enables Hindi Inscript Layout on $2Google
+ ChromeOS. If false or unset, the layout is not available.
+device_only: false
+example_value: true
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+ unlisted: true
+items:
+- caption: Enable Hindi Inscript Layout
+ value: true
+- caption: Disable Hindi Inscript Layout
+ value: false
+owners:
+- jshin@chromium.org
+- tranbaoduy@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:108-114
+deprecated: true
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HistoryClustersVisible.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HistoryClustersVisible.yaml
new file mode 100755
index 000000000..0a2fc4093
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HistoryClustersVisible.yaml
@@ -0,0 +1,36 @@
+caption: Show a view of Chrome history with groups of pages
+default: null
+desc: "This policy controls the visibility of the Chrome history page organized into groups of pages.\n\
+ \n If the policy is set to Enabled, a Chrome history page organized into groups will be visible at chrome://history/grouped.\n\
+ \n If the policy is set to Disabled, a Chrome history page organized into groups will not be visible at chrome://history/grouped.\n\
+ \n If the policy is left unset, a Chrome history page organized into groups will be visible at chrome://history/grouped\
+ \ by default.\n\n Please note,\
+ \ if ComponentUpdatesEnabled\
+ \ policy is set to Disabled, but HistoryClustersVisible is set to Enabled or unset, a Chrome history page organized into groups will still be\
+ \ available at chrome://history/grouped, but may be less relevant to the user.\n"
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Chrome history page organized into groups will be visible at chrome://history/grouped.
+ value: true
+- caption: Chrome history page organized into groups will not be visible at chrome://history/grouped.
+ value: false
+- caption: Chrome history page organized into groups will be visible at chrome://history/grouped by default.
+ value: null
+owners:
+- file://components/history_clusters/OWNERS
+- mahmadi@chromium.org
+- chrome-journeys@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:97-
+- chrome_os:97-
+- android:107-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HomeAndEndKeysModifier.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HomeAndEndKeysModifier.yaml
new file mode 100755
index 000000000..031c7ce13
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HomeAndEndKeysModifier.yaml
@@ -0,0 +1,38 @@
+caption: Control the shortcut used to trigger the Home/End "six pack" keys
+default: 2
+desc: |-
+ This policy determines the behavior for remapping the Home/End keys
+ within the 'remap keys' subpage. The 'remap keys' subpage allows users to
+ customize keyboard keys. If enabled, this policy prevents users from
+ customizing these specific remappings. If the policy is not set,
+ search-based shortcuts will act as the default and allows users to
+ configure the shortcuts.
+example_value: 0
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Home/End settings are disabled
+ name: None
+ value: 0
+- caption: Home/End settings use the shortcut that contains the alt modifier
+ name: Alt
+ value: 1
+- caption: Home/End settings use the shortcut that contains the search modifier
+ name: Launcher/Search
+ value: 2
+owners:
+- michaelcheco@google.com
+- cros-peripherals@google.com
+schema:
+ # These values correspond to the `SixPackShortcutModifier` mojom enum.
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:123-
+tags: []
+type: int-enum
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/Http09OnNonDefaultPortsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/Http09OnNonDefaultPortsEnabled.yaml
new file mode 100755
index 000000000..4d8437f6c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/Http09OnNonDefaultPortsEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Enable HTTP/0.9 support on non-default ports
+deprecated: true
+desc: |-
+ This policy is deprecated, and slated for removal in Chrome 78, with no replacement.
+
+ This policy enables HTTP/0.9 on ports other than 80 for HTTP and 443 for HTTPS.
+
+ This policy is disabled by default, and if enabled, leaves users open to the security issue https://crbug.com/600352.
+
+ This policy is intended to give enterprises a chance to migrate existing servers off of HTTP/0.9, and will be removed in the future.
+
+ If this policy is not set, HTTP/0.9 will be disabled on non-default ports.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Enable HTTP/0.9 support on non-default ports
+ value: true
+- caption: Disable HTTP/0.9 support on non-default ports
+ value: false
+owners:
+- file://components/policy/OWNERS
+- anqing@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:54-77
+- chrome_os:54-77
+tags: []
+type: main
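Review bot: `tags: []` at the end of this definition carries no risk tag, although the description itself says that enabling the policy "leaves users open to the security issue https://crbug.com/600352". HttpAllowlist.yaml, the next file in this diff, marks its weakening of transport security with `tags: [ system-security ]`; the same tag would fit here, written in this file's block style as `- system-security` under `tags:`. HttpsOnlyMode.yaml (`disallowed` stops users from turning on HTTPS-Only Mode) and HttpsUpgradesEnabled.yaml (`false` turns upgrades off) further down also ship with `tags: []` and deserve the same check. The supported range here ends at 77, so the practical effect is probably limited to whatever tooling surfaces risk tags to administrators.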
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HttpAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HttpAllowlist.yaml
new file mode 100755
index 000000000..012c5ba3e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HttpAllowlist.yaml
@@ -0,0 +1,51 @@
+owners:
+- cthomp@chromium.org
+- trusty-transport@chromium.org
+
+caption: HTTP Allowlist
+
+desc: |-
+ Setting the policy specifies a list of hostnames or hostname patterns (such as
+ '[*.]example.com') that will not be upgraded to HTTPS and will not show an
+ error interstitial if HTTPS-First Mode is enabled. Organizations can use this
+ policy to maintain access to servers that do not support HTTPS, without
+ needing to disable HTTPS Upgrades and/or HTTPS-First Mode.
+
+ Supplied hostnames must be canonicalized: Any IDNs must be converted to their
+ A-label format, and all ASCII letters must be lowercase.
+
+ Blanket host wildcards (i.e., "*" or "[*]") are not allowed. Instead,
+ HTTPS-First Mode and HTTPS Upgrades should be explicitly disabled via their
+ specific policies.
+
+ Note: This policy does not apply to HSTS upgrades.
+
+supported_on:
+- android:112-
+- chrome.*:112-
+- chrome_os:112-
+- fuchsia:112-
+
+features:
+ # Whether Chrome respects the changes to the policy immediately without having
+ # to restart the browser.
+ dynamic_refresh: true
+
+ # Whether a user policy applies to every user logging into the browser or only
+ # one profile.
+ per_profile: true
+
+type: list
+
+schema:
+ items:
+ type: string
+ type: array
+
+example_value:
+- 'testserver.example.com'
+- '[*.]example.org'
+
+# This policy disables HTTPS upgrades for some hostnames, potentially decreasing
+# user security.
+tags: [ system-security ]
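Review bot: The description lists what an entry must look like (canonical A-label, lowercase ASCII, no blanket `*` or `[*]`) but not what happens to an entry that breaks those rules. Whether a bad entry is dropped on its own or invalidates the whole list cannot be told from this file, and `schema` only constrains items to `type: string`. Because every accepted entry is a host that stays on plain HTTP, one sentence naming the failure behaviour would help, for example `Entries that are not canonicalized or that use a blanket wildcard are ignored.` if that matches the implementation. The wording needs confirming against the policy handler, which is not part of this diff.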
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HttpsOnlyMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HttpsOnlyMode.yaml
new file mode 100755
index 000000000..43e6673d4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HttpsOnlyMode.yaml
@@ -0,0 +1,49 @@
+caption: Allow HTTPS-Only Mode to be enabled
+default: allowed
+desc: |-
+ This policy controls whether users can enable HTTPS-Only Mode (Always Use Secure Connections) in Settings. HTTPS-Only Mode upgrades all navigations to HTTPS.
+ If this setting is not set or set to allowed, users will be allowed to enable HTTPS-Only Mode.
+ If this setting is set to disallowed, users will not be allowed to enable HTTPS-Only Mode.
+ If this setting is set to force_enabled, HTTPS-Only Mode will be enabled in Strict mode and users will not be able to disable it.
+ If this setting is set to force_balanced_enabled, HTTPS-Only Mode will be enabled in Balanced mode and users will not be able to disable it.
+ force_enabled is supported from M112 onwards, force_balanced_enabled is supported from M129 onwards.
+ If you set this policy to a value that is not supported by the version of Chrome that receives the policy, Chrome will default to the allowed setting.
+
+ The separate HttpAllowlist policy
+ can be used to exempt specific hostnames or hostname patterns from being
+ upgraded to HTTPS by this feature.
+
+example_value: disallowed
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Do not restrict users' HTTPS-Only Mode setting
+ name: allowed
+ value: allowed
+- caption: Do not allow users to enable any HTTPS-Only Mode
+ name: disallowed
+ value: disallowed
+- caption: Force enable HTTPS-Only Mode in Strict mode
+ name: force_enabled
+ value: force_enabled
+- caption: Force enable HTTPS-Only Mode in Balanced Mode
+ name: force_balanced_enabled
+ value: force_balanced_enabled
+owners:
+- cthomp@chromium.org
+- trusty-transport@chromium.org
+schema:
+ enum:
+ - allowed
+ - disallowed
+ - force_enabled
+ - force_balanced_enabled
+ type: string
+supported_on:
+- chrome.*:94-
+- chrome_os:94-
+- android:94-
+- fuchsia:112-
+tags: []
+type: string-enum
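Review bot: The fallback rule in the description, where an unsupported value makes Chrome "default to the allowed setting", fails open. A fleet that pushes `force_balanced_enabled` to clients older than M129, or `force_enabled` to clients older than M112, ends up with no enforcement rather than with the nearest stricter mode. The version floors appear only in prose; the `force_enabled` and `force_balanced_enabled` items could carry their own `supported_on` lists, as the `Forced` item in IncognitoModeAvailability.yaml does, so generated documentation shows the floor next to each value. The description should also tell administrators of mixed-version fleets to confirm the applied value on clients, for instance in chrome://policy.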
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HttpsUpgradesEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HttpsUpgradesEnabled.yaml
new file mode 100755
index 000000000..2245fd47d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/HttpsUpgradesEnabled.yaml
@@ -0,0 +1,46 @@
+owners:
+- cthomp@chromium.org
+- trusty-transport@chromium.org
+
+caption: Enable automatic HTTPS upgrades
+
+desc: |-
+ $1Google Chrome attempts to upgrade some
+ navigations from HTTP to HTTPS, when possible. This policy can be used to
+ disable this behavior. If set to "true" or left unset, this feature will be
+ enabled by default.
+
+ The separate HttpAllowlist policy
+ can be used to exempt specific hostnames or hostname patterns from being
+ upgraded to HTTPS by this feature.
+
+ See also the HttpsOnlyMode policy.
+
+supported_on:
+- android:112-
+- chrome.*:112-
+- chrome_os:112-
+- fuchsia:112-
+
+features:
+ dynamic_refresh: true
+ per_profile: true
+
+type: main
+
+schema:
+ type: boolean
+
+items:
+- caption: HTTPS Upgrades may be applied depending on feature launch status.
+ value: true
+- caption: Disable HTTPS Upgrades.
+ value: false
+- caption: HTTPS Upgrades may be applied depending on feature launch status.
+ value: null
+
+default: null
+
+example_value: false
+
+tags: []
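Review bot: The description and the item captions disagree about what `true` does. The description says that with "true" or unset "this feature will be enabled by default", while the captions for `true` and `null` both read "HTTPS Upgrades may be applied depending on feature launch status". An administrator who sets `true` to guarantee upgrades cannot tell from this file whether the value forces the feature on or only defers to rollout state. If the captions are the accurate ones, the description should say so, for example `Setting this policy to true does not force upgrades on; the browser's launch state still decides.` That wording needs confirming against the implementation, which is not in this diff.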
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportAutofillFormData.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportAutofillFormData.yaml
new file mode 100755
index 000000000..0c5946db5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportAutofillFormData.yaml
@@ -0,0 +1,28 @@
+caption: Import autofill form data from default browser on first run
+desc: |-
+ Setting the policy to Enabled imports autofill form data from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no autofill form data is imported on first run.
+
+ Users can trigger an import dialog and the autofill form data checkbox will be checked or unchecked to match this policy's value.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable import of autofill form data on first run
+ value: true
+- caption: Disable import of autofill form data on first run
+ value: false
+label: Import autofill form data from default browser on first run
+owners:
+- file://components/policy/OWNERS
+- poromov@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:39-
+tags:
+- local-data-access
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportBookmarks.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportBookmarks.yaml
new file mode 100755
index 000000000..aac946e0b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportBookmarks.yaml
@@ -0,0 +1,29 @@
+caption: Import bookmarks from default browser on first run
+default: false
+desc: |-
+ Setting the policy to Enabled imports bookmarks from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no bookmarks are imported on first run.
+
+ Users can trigger an import dialog and the bookmarks checkbox will be checked or unchecked to match this policy's value.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable import of bookmarks on first run
+ value: true
+- caption: Disable import of bookmarks on first run
+ value: false
+label: Import bookmarks from default browser on first run
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:15-
+tags:
+- local-data-access
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportHistory.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportHistory.yaml
new file mode 100755
index 000000000..e3fac7871
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportHistory.yaml
@@ -0,0 +1,29 @@
+caption: Import browsing history from default browser on first run
+default: false
+desc: |-
+ Setting the policy to Enabled imports browsing history from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no browsing history is imported on first run.
+
+ Users can trigger an import dialog and the browsing history checkbox will be checked or unchecked to match this policy's value.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable import of browsing history on first run
+ value: true
+- caption: Disable import of browsing history on first run
+ value: false
+label: Import browsing history from default browser on first run
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:15-
+tags:
+- local-data-access
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportHomepage.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportHomepage.yaml
new file mode 100755
index 000000000..6a0519521
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportHomepage.yaml
@@ -0,0 +1,27 @@
+caption: Import of homepage from default browser on first run
+desc: |-
+ Setting the policy to Enabled imports the homepage from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means the homepage isn't imported on first run.
+
+ Users can trigger an import dialog and the homepage checkbox will be checked or unchecked to match this policy's value.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable import of homepage on first run
+ value: true
+- caption: Disable import of homepage on first run
+ value: false
+label: Import of homepage from default browser on first run
+owners:
+- file://components/policy/OWNERS
+- poromov@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:15-
+tags:
+- local-data-access
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportSavedPasswords.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportSavedPasswords.yaml
new file mode 100755
index 000000000..0ab3ae85a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportSavedPasswords.yaml
@@ -0,0 +1,30 @@
+caption: Import saved passwords from default browser on first run
+desc: |-
+ This policy controls only the first run import behavior after installation. It enables more seamless transition to $1Google Chrome in environments where a different browser was extensively used prior to installing the browser. This policy does not affect password manager capabilities for Google accounts.
+
+ Setting the policy to Enabled imports saved passwords from the previous default browser on first run and manual importing from the settings page is also possible.
+ Setting the policy to Disabled means no saved passwords are imported on first run and manual importing from the Settings page is blocked.
+ Leaving the policy unset means no saved passwords are imported on first run but the user can choose to do that from the settings page.
+default: true
+example_value: false
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable import of saved passwords on first run
+ value: true
+- caption: Disable import of saved passwords on first run
+ value: false
+label: Import saved passwords from default browser on first run
+owners:
+- file://components/policy/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:15-
+tags:
+- local-data-access
+type: main
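Review bot: `default: true` contradicts the description, which says that leaving the policy unset means no saved passwords are imported on first run. The description defines three states (Enabled: import on first run and allow manual import; Disabled: no import and manual import blocked; unset: no import but manual import allowed), yet `items` lists only `true` and `false`. Following HttpsUpgradesEnabled.yaml in this same diff, a third item with `value: null` plus `default: null` would describe the unset case without implying that stored credentials are pulled in by default. The entry also names only `file://components/policy/OWNERS`, with no individual owner, unlike the sibling Import* definitions.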
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportSearchEngine.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportSearchEngine.yaml
new file mode 100755
index 000000000..3a4e2530f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ImportSearchEngine.yaml
@@ -0,0 +1,28 @@
+caption: Import search engines from default browser on first run
+desc: |-
+ Setting the policy to Enabled imports the default search engine from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means the default search engine isn't imported on first run.
+
+ Users can trigger an import dialog and the default search engine checkbox will be checked or unchecked to match this policy's value.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable import of default search engine on first run
+ value: true
+- caption: Disable import of default search engine on first run
+ value: false
+label: Import search engines from default browser on first run
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:15-
+tags:
+- local-data-access
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IncognitoEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IncognitoEnabled.yaml
new file mode 100755
index 000000000..4b71b49de
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IncognitoEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Enable Incognito mode
+deprecated: true
+desc: |-
+ This policy is deprecated. Please, use IncognitoModeAvailability instead.
+ Enables Incognito mode in $1Google Chrome.
+
+ If this setting is enabled or not configured, users can open web pages in incognito mode.
+
+ If this setting is disabled, users cannot open web pages in incognito mode.
+
+ If this policy is left not set, this will be enabled and the user will be able to use incognito mode.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable Incognito mode
+ value: true
+- caption: Disable Incognito mode
+ value: false
+owners:
+- file://components/policy/OWNERS
+- hendrich@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:11-
+- chrome_os:11-
+- android:30-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IncognitoModeAvailability.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IncognitoModeAvailability.yaml
new file mode 100755
index 000000000..79927e940
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IncognitoModeAvailability.yaml
@@ -0,0 +1,48 @@
+caption: Incognito mode availability
+desc: |-
+ Specifies whether the user may open pages in Incognito mode in $1Google Chrome.
+
+ If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode.
+
+ If 'Disabled' is selected, pages may not be opened in Incognito mode.
+
+ If 'Forced' is selected, pages may be opened ONLY in Incognito mode. Note that 'Forced' does not work for Android-on-Chrome
+
+ Note: On iOS, if the policy is changed during a session, it will only take effect on relaunch.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Incognito mode available
+ name: Enabled
+ value: 0
+- caption: Incognito mode disabled
+ name: Disabled
+ value: 1
+- caption: Incognito mode forced
+ name: Forced
+ supported_on:
+ - chrome.*:14-
+ - chrome_os:14-
+ - ios:90-
+ value: 2
+owners:
+- file://components/policy/OWNERS
+- emaxx@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:14-
+- chrome_os:14-
+- android:30-
+- ios:90-
+tags:
+- filtering
+type: int-enum
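Review bot: The description says 'Forced' "does not work for Android-on-Chrome", and the `Forced` item's own `supported_on` leaves out `android`, but nothing states what a client on an unsupported platform does when it receives `value: 2`. For a policy tagged `filtering` the difference matters, since falling back to `Enabled` removes the restriction while falling back to `Disabled` keeps one. A sentence naming the resulting state would close the gap; which state it is cannot be read from this diff. That same sentence is also missing its final period, and "Android-on-Chrome" would be clearer if it named the platform entry it refers to.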
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsecureFormsWarningsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsecureFormsWarningsEnabled.yaml
new file mode 100755
index 000000000..43e72320a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsecureFormsWarningsEnabled.yaml
@@ -0,0 +1,33 @@
+caption: Enable warnings for insecure forms
+default: true
+deprecated: true
+desc: |-
+ This policy controls the treatment for insecure forms (forms that submit over HTTP) embedded in secure (HTTPS) sites in the browser.
+ If the policy is enabled or unset, a full page warning will be shown when an insecure form is submitted. Additionally, a warning bubble will be shown next to the form fields when they are focused, and autofill will be disabled for those forms.
+ If the policy is disabled, warnings will not be shown for insecure forms, and autofill will work normally.
+
+ This policy is intended to be removed in Chrome 130.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Show warnings and disable autofill on insecure forms
+ value: true
+- caption: Do not show warnings or disable autofill on insecure forms
+ value: false
+owners:
+- carlosil@chromium.org
+- estark@chromium.org
+schema:
+ type: boolean
+# TODO(crbug.com/333954426): Remove in M130.
+supported_on:
+- chrome.*:86-
+- chrome_os:86-
+- android:86-
+- ios:122-
+tags: []
+type: main
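Review bot: The `supported_on` entries are still open-ended (`chrome.*:86-`, `chrome_os:86-`, `android:86-`, `ios:122-`), although the description says the policy "is intended to be removed in Chrome 130", the TODO above the list says "Remove in M130", and this snapshot is of 130.0.6723.73. Documentation generated from this file therefore tells administrators that `false` (no warnings, autofill left on for forms that post over HTTP from HTTPS pages) keeps working indefinitely. Once the removal has landed, the ranges should be closed the way InsecureHashesInTLSHandshakesEnabled.yaml closes its ranges with `114-123`, for example `chrome.*:86-129`. Whether version 130 still honours the policy cannot be determined from this diff.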
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsecureHashesInTLSHandshakesEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsecureHashesInTLSHandshakesEnabled.yaml
new file mode 100755
index 000000000..c40d61ea2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsecureHashesInTLSHandshakesEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Insecure Hashes in TLS Handshakes Enabled
+default: null
+deprecated: true
+desc: |-
+ This policy was removed in $1Google Chrome 124. Starting that version, insecure hashes always disallowed. In prior versions, this policy controlled whether the browser allowed legacy insecure hashes during the TLS handshake process.
+
+ If this policy is not configured, $1Google Chrome would follow the default rollout process for disallowing insecure hashes. If it is enabled, $1Google Chrome would allow insecure hashes to be used by a server when negotiating a TLS handshake. If it is disabled, $1Google Chrome would disallow insecure hashes to be used by a server when negotiating a TLS handshake.
+
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Use Default Value for Hashes Allowed in TLS Handshakes.
+ value: null
+- caption: Do Not Allow Insecure Hashes in TLS Handshakes
+ value: false
+- caption: Allow Insecure Hashes in TLS Handshakes
+ value: true
+owners:
+- bbe@chromium.org
+- trusty-transport@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:114-123
+- chrome_os:114-123
+- android:114-123
+- fuchsia:114-123
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsertKeyModifier.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsertKeyModifier.yaml
new file mode 100755
index 000000000..7a1a7a89f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsertKeyModifier.yaml
@@ -0,0 +1,34 @@
+caption: Control the shortcut used to trigger the Insert "six pack" key
+default: 2
+desc: |-
+ This policy determines the default behavior for remapping the Insert key
+ within the 'remap keys' subpage. The 'remap keys' subpage allows users to
+ customize keyboard keys. If enabled, this policy prevents users from
+ customizing these specific remappings. If the policy is not set,
+ search-based shortcuts will act as the default.
+example_value: 0
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Setting a shortcut for the "Insert" action is disabled.
+ name: None
+ value: 0
+- caption: Insert shortcut setting uses the shortcut that contains the search modifier
+ name: Search
+ value: 2
+owners:
+- michaelcheco@google.com
+- cros-peripherals@google.com
+schema:
+ # These values correspond to the `SixPackShortcutModifier` mojom enum.
+ # "1" is omitted since there is no alt-based shortcut for the "Insert" key
+ enum:
+ - 0
+ - 2
+ type: integer
+supported_on:
+- chrome_os:123-
+tags: []
+type: int-enum
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsightsExtensionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsightsExtensionEnabled.yaml
new file mode 100755
index 000000000..015f3af1f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InsightsExtensionEnabled.yaml
@@ -0,0 +1,28 @@
+arc_support: This policy has no effect on the reporting done by Android.
+caption: Enable insights extension for reporting usage metrics
+default: false
+desc: |-
+ The insights extension reports user internet download and upload speed, user idle time, and application insights.
+
+ If the policy is set to enabled, the insights extension will be installed and report metrics.
+
+ If the policy is not set or set to disabled, then the insights extension will not be installed and will not report metrics.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable insights extension
+ value: true
+- caption: Disable insights extension
+ value: false
+owners:
+- cros-reporting-team@google.com
+- vshenvi@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:103-
+tags:
+- admin-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InstantEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InstantEnabled.yaml
new file mode 100755
index 000000000..6b74ca816
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InstantEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable Instant
+deprecated: true
+desc: |-
+ Enables $1Google Chrome's Instant feature and prevents users from changing this setting.
+
+ If you enable this setting, $1Google Chrome Instant is enabled.
+
+ If you disable this setting, $1Google Chrome Instant is disabled.
+
+ If you enable or disable this setting, users cannot change or override this setting.
+
+ If this setting is left not set the user can decide to use this function or not.
+
+ This setting has been removed from $1Google Chrome 29 and higher versions.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- anqing@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:11-28
+- chrome_os:11-28
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InstantTetheringAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InstantTetheringAllowed.yaml
new file mode 100755
index 000000000..969a273e7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/InstantTetheringAllowed.yaml
@@ -0,0 +1,28 @@
+caption: Allow Instant Tethering to be used.
+default_for_enterprise_users: false
+desc: |-
+ If this setting is enabled, users will be allowed to use Instant Tethering, which allows their Google phone to share its mobile data with their device.
+
+ If this setting is disabled, users will not be allowed to use Instant Tethering.
+
+ If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow users to use Instant Tethering
+ value: true
+- caption: Do not allow users to use Instant Tethering
+ value: false
+owners:
+- hansberry@chromium.org
+- khorimoto@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:60-
+tags:
+- local-data-access
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IntensiveWakeUpThrottlingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IntensiveWakeUpThrottlingEnabled.yaml
new file mode 100755
index 000000000..5d1f2e56c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IntensiveWakeUpThrottlingEnabled.yaml
@@ -0,0 +1,46 @@
+caption: Control the IntensiveWakeUpThrottling feature.
+default: null
+desc: "When enabled the IntensiveWakeUpThrottling feature\
+ \ causes JavaScript timers in background tabs to be aggressively throttled and coalesced,\
+ \ running no more than once per minute after a page has been backgrounded for 5\
+ \ minutes or more.\n\n This is a web standards compliant feature, but it\
+ \ may break functionality\n on some websites by causing certain actions\
+ \ to be delayed by up to a\n minute. However, it results in significant\
+ \ CPU and battery savings when\n enabled. See https://bit.ly/30b1XR4 for\
+ \ more details.\n\n If this policy is set to enabled then the feature will\
+ \ be force enabled, and\n users will not be able to override this.\n\n\
+ \ If this policy is set to disabled then the feature will be force disabled,\
+ \ and\n users will not be able to override this.\n\n If this policy\
+ \ is left unset then the feature will be controlled by its\n own internal\
+ \ logic, which can be manually configured by users.\n\n Note that the policy\
+ \ is applied per renderer process, with the most recent\n value of the\
+ \ policy setting in force when a renderer process starts. A full\n restart\
+ \ is required to ensure that all loaded tabs receive a consistent\n policy\
+ \ setting. It is harmless for processes to be running with different\n \
+ \ values of this policy.\n "
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Force throttling of background JavaScript timers
+ value: true
+- caption: Force no throttling of background JavaScript timers
+ value: false
+- caption: Allow throttling of background JavaScript timers to be controlled by Chrome
+ logic and configured by users
+ value: null
+owners:
+- file://components/performance_manager/OWNERS
+- chrisha@google.com
+- chrisha@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:85-
+- chrome.*:85-
+- android:85-
+tags: []
+type: main
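Review bot: The description sends administrators to `https://bit.ly/30b1XR4` for details. A shortened link hides its destination, can expire or be retargeted outside the project's control, and fails in environments that block link shorteners. It should be replaced with the canonical URL of the document it resolves to (`<canonical-url>`, not recoverable from this page). Separately, `dynamic_refresh: true` sits next to text saying a full restart is required for a consistent setting; a short comment beside the flag, such as `# applies to renderer processes started after the change`, would reconcile the two.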
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IntranetRedirectBehavior.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IntranetRedirectBehavior.yaml
new file mode 100755
index 000000000..68fe7f392
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IntranetRedirectBehavior.yaml
@@ -0,0 +1,45 @@
+caption: Intranet Redirection Behavior
+default: 0
+desc: |-
+ This policy configures behavior for intranet redirection via DNS interception checks. The checks attempt to discover whether the browser is behind a proxy that redirects unknown host names.
+
+ If this policy is not set, the browser will use the default behavior of DNS interception checks and intranet redirect suggestions. In M88, they are enabled by default but will be disabled by default in the future release.
+
+ DNSInterceptionChecksEnabled is a related policy that may also disable DNS interception checks; this policy is a more flexible version which may separately control intranet redirection infobars and may be expanded in the future.
+ If either DNSInterceptionChecksEnabled or this policy requests to disable interception checks, the checks will be disabled.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Use default browser behavior.
+ name: Default
+ value: 0
+- caption: Disable DNS interception checks and did-you-mean "http://intranetsite/"
+ infobars.
+ name: DisableInterceptionChecksDisableInfobar
+ value: 1
+- caption: Disable DNS interception checks; allow did-you-mean "http://intranetsite/"
+ infobars.
+ name: DisableInterceptionChecksEnableInfobar
+ value: 2
+- caption: Allow DNS interception checks and did-you-mean "http://intranetsite/" infobars.
+ name: EnableInterceptionChecksEnableInfobar
+ value: 3
+owners:
+- jdonnelly@chromium.org
+- tommycli@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome.*:88-
+- chrome_os:88-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IsolateOrigins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IsolateOrigins.yaml
new file mode 100755
index 000000000..7cef65aea
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IsolateOrigins.yaml
@@ -0,0 +1,31 @@
+caption: Enable Site Isolation for specified origins
+desc: |-
+ Setting the policy means each of the named origins in a comma-separated list runs in a dedicated process. Each named origin's process will only be allowed to contain documents from that origin and its subdomains. For example, specifying https://a1.example.com/ allows https://a2.a1.example.com/ in the same process, but not https://example.com or https://b.example.com.
+
+ Since $1Google Chrome 77, you can also specify a range of origins to isolate using a wildcard. For example, specifying https://[*.]corp.example.com will give every origin underneath https://corp.example.com its own dedicated process, including https://corp.example.com itself, https://a1.corp.example.com, and https://a2.a1.corp.example.com.
+
+ Note that all sites (i.e., scheme plus eTLD+1, such as https://example.com) are already isolated by default on Desktop platforms, as noted in the SitePerProcess policy. This IsolateOrigins policy is useful to isolate specific origins at a finer granularity (e.g., https://a.example.com).
+
+ Also note that origins isolated by this policy will be unable to script other origins in the same site, which is otherwise possible if two same-site documents modify their document.domain values to match. Administrators should confirm this uncommon behavior is not used on an origin before isolating it.
+
+ Setting the policy to off or leaving it unset lets users change this setting.
+
+ Note: For Android, use the IsolateOriginsAndroid policy instead.
+device_only: false
+example_value: https://a.example.com/,https://othersite.org/,https://[*.]corp.example.com
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- alexmos@chromium.org
+- creis@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:63-
+- chrome_os:63-
+tags:
+- system-security
+type: string
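Review bot: The `desc` sentence `Setting the policy to off or leaving it unset lets users change this setting.` describes an on/off state, but `schema.type` and `type` are both `string`, so the file never says which value counts as "off". IsolateOriginsAndroid.yaml has the same mismatch with a larger security consequence: `Setting the policy to Disabled turns off any form of site isolation, including isolation of sensitive sites` also names no string value. I would state the value explicitly in both files, presumably the empty string, for example `Setting the policy to an empty string or leaving it unset lets users change this setting.`, after confirming how the browser treats an empty value.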
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IsolateOriginsAndroid.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IsolateOriginsAndroid.yaml
new file mode 100755
index 000000000..205a4ce4f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IsolateOriginsAndroid.yaml
@@ -0,0 +1,28 @@
+caption: Enable Site Isolation for specified origins on Android devices
+desc: |-
+ Setting the policy means each of the named origins in a comma-separated list runs in a dedicated process on Android. Each named origin's process will only be allowed to contain documents from that origin and its subdomains. For example, specifying https://a1.example.com/ allows https://a2.a1.example.com/ in the same process, but not https://example.com or https://b.example.com. Note that Android isolates certain sensitive sites by default starting in $1Google Chrome version 77, and this policy extends that mode to isolate specific additional origins.
+
+ Since $1Google Chrome 77, you can also specify a range of origins to isolate using a wildcard. For example, specifying https://[*.]corp.example.com will give every origin underneath https://corp.example.com its own dedicated process, including https://corp.example.com itself, https://a1.corp.example.com, and https://a2.a1.corp.example.com.
+
+ Note that origins isolated by this policy will be unable to script other origins in the same site, which is otherwise possible if two same-site documents modify their document.domain values to match. Administrators should confirm this uncommon behavior is not used on an origin before isolating it.
+
+ Setting the policy to Disabled turns off any form of site isolation, including isolation of sensitive sites and field trials of IsolateOriginsAndroid, SitePerProcessAndroid, and other site isolation modes. Users can still turn on IsolateOrigins manually, through the command line flag.
+
+ Leaving the policy unset lets users change this setting.
+
+ Note: Isolating too many sites on Android may cause performance problems, especially on low-memory devices. This policy applies only to Chrome on Android running on devices with strictly more than 1 GB of RAM. To apply the policy on non-Android platforms, use IsolateOrigins.
+device_only: false
+example_value: https://a.example.com/,https://othersite.org/,https://[*.]corp.example.com
+features:
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- alexmos@chromium.org
+- creis@chromium.org
+schema:
+ type: string
+supported_on:
+- android:68-
+tags:
+- system-security
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IsolatedWebAppInstallForceList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IsolatedWebAppInstallForceList.yaml
new file mode 100755
index 000000000..49c296b2e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/IsolatedWebAppInstallForceList.yaml
@@ -0,0 +1,33 @@
+caption: Configure list of force-installed Isolated Web Apps
+desc: |-
+ Setting the policy specifies a list of isolated web apps (IWAs) that install silently.
+ IWAs are applications that have useful security properties unavailable to normal web pages. They are packaged in a Signed Web Bundle. The public key of the Signed Web Bundle is used to create the Web Bundle ID that identifies the IWA.
+ So far this policy works for Managed Guest Session only.
+
+ Each list item of the policy is an object with the update manifest URL and Web Bundle ID of the Isolated Web App. Both fields are mandatory.
+example_value:
+- update_manifest_url: https://example.com/isolated_web_app/update_manifest.json
+ web_bundle_id: aerugqztij5biqquuk3mfwpsaibuegaqcitgfchwuosuofdjabzqaaic
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome_os:128-
+owners:
+- file://chrome/browser/web_applications/isolated_web_apps/OWNERS
+- iwa-team@google.com
+- simonha@google.com
+schema:
+ items:
+ properties:
+ update_manifest_url:
+ type: string
+ web_bundle_id:
+ type: string
+ required:
+ - update_manifest_url
+ - web_bundle_id
+ type: object
+ type: array
+tags: []
+type: dict
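Review bot: The `desc` says the listed apps "install silently", yet it gives an administrator no guidance on the two mandatory fields beyond their names, and the schema accepts any string for both. The text already states that the Web Bundle ID is created from the bundle's public key, so it would help to say where a trusted value comes from. A sentence such as `Obtain the Web Bundle ID from the app publisher; it identifies the signing key of the bundle.` would do, once it is confirmed that installation rejects a bundle whose key does not match. Whether `update_manifest_url` must be HTTPS is not visible here and is worth documenting as well.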
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/JavascriptEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/JavascriptEnabled.yaml
new file mode 100755
index 000000000..a2cb82b2b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/JavascriptEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Enable JavaScript
+deprecated: true
+desc: |-
+ This policy is deprecated, please use DefaultJavaScriptSetting instead.
+
+ Can be used to disabled JavaScript in $1Google Chrome.
+
+ If this setting is disabled, web pages cannot use JavaScript and the user cannot change that setting.
+
+ If this setting is enabled or not set, web pages can use JavaScript but the user can change that setting.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable JavaScript
+ value: true
+- caption: Disable JavaScript
+ value: false
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KeepFullscreenWithoutNotificationUrlAllowList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KeepFullscreenWithoutNotificationUrlAllowList.yaml
new file mode 100755
index 000000000..96d42575d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KeepFullscreenWithoutNotificationUrlAllowList.yaml
@@ -0,0 +1,24 @@
+caption: List of URLs which are allowed to remain in full screen mode without showing
+ a notification
+desc: |-
+ Configure a list of URLs that are allowed to stay in full screen mode without showing a notification when the device returns from the lock screen.
+
+ Normally, full screen mode is turned off when returning from the lock screen in order to reduce the risk of phishing attacks. This policy allows to specify URLs that will be considered trusted sources which are permitted to continue full screen mode on unlock. It is set by specifying a list of URL patterns formatted according to this format ( https://support.google.com/chrome/a?p=url_blocklist_filter_format ). E.g., it is possible to always keep full screen mode on unlock and disable the notifications altogether by specifying the wildcard character * matching all URLs.
+
+ Setting this policy to an empty list or leaving it unset means no URLs are allowed to continue full screen mode without a notification.
+example_value:
+- '*'
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- aninak@chromium.org
+- file://ash/session/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:99-
+tags: []
+type: list
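Review bot: `example_value` is `'*'`, which the `desc` itself describes as keeping full screen on unlock for all URLs and disabling the notifications altogether. That is the one setting that removes the phishing protection this behaviour exists for. Example values tend to be copied into real configurations, so I would show a single trusted origin instead, for instance `- https://kiosk.example.com` (constructed sample), and leave `*` to the prose. A short caveat in `desc` that the wildcard removes the protection for every site would also fit.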
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KeyPermissions.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KeyPermissions.yaml
new file mode 100755
index 000000000..b533515ee
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KeyPermissions.yaml
@@ -0,0 +1,37 @@
+arc_support: Corporate keys can be used by Android applications that are installed
+ and listed in this policy.
+caption: Key Permissions
+desc: |-
+ Setting the policy grants access to corporate keys to extensions or Android applications. Keys are designated for corporate usage only if they're generated using the chrome.enterprise.platformKeys API on a managed account. Users can't grant or withdraw access to corporate keys to or from extensions or Android applications.
+
+ By default, an extension or an Android applications can't use a key designated for corporate usage, which is equivalent to setting allowCorporateKeyUsage to False for it. Only if allowCorporateKeyUsage is set to True for an extension or an Android application can it use any platform key marked for corporate usage to sign arbitrary data. Only grant this permission if the extension or the Android application is trusted to secure access to the key against attackers.
+example_value:
+ com.example.app:
+ allowCorporateKeyUsage: true
+ com.example.app2:
+ allowCorporateKeyUsage: false
+ extension1:
+ allowCorporateKeyUsage: true
+ extension2:
+ allowCorporateKeyUsage: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- miersh@google.com
+schema:
+ additionalProperties:
+ properties:
+ allowCorporateKeyUsage:
+ description: If set to true, this extension can use all keys that are designated
+ for corporate usage to sign arbitrary data. If set to false, it cannot access
+ any such keys and the user cannot grant such permission either. As an exception,
+ an extension can access such a key exactly once if the same extension generated
+ that key.
+ type: boolean
+ type: object
+ type: object
+supported_on:
+- chrome_os:45-
+tags: []
+type: dict
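Review bot: The `desc` never says what the dictionary keys are; `example_value` mixes `com.example.app` with `extension1`, which suggests Android package names and extension IDs, but that is only inferable. Because `allowCorporateKeyUsage: true` lets the named party sign arbitrary data with any corporate key, the key format deserves an explicit sentence, e.g. `Each key is the ID of an extension or the package name of an Android application.`, once confirmed. The schema `description` also speaks only of "this extension" although the policy covers Android applications. It further introduces a once-only exception for the extension that generated the key, which the top-level `desc` omits.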
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KeyboardFocusableScrollersEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KeyboardFocusableScrollersEnabled.yaml
new file mode 100755
index 000000000..0e9525279
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KeyboardFocusableScrollersEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Enable keyboard focusable scrollers
+default: true
+desc: |-
+ This policy provides a temporary opt-out for the new keyboard focusable scrollers behavior.
+
+ When this policy is Enabled or unset, scrollers without focusable children are keyboard-focusable by default.
+
+ When this policy is Disabled, scrollers will not be keyboard-focusable by default.
+
+ This policy is a temporary workaround, and will be removed in M135.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+ - fuchsia
+items:
+ - caption: "Enabled: Scrollers are focusable by default."
+ value: true
+ - caption: "Disabled: Scrollers are not focusable by default."
+ value: false
+owners:
+ - dizhangg@chromium.org
+schema:
+ type: boolean
+supported_on:
+ - chrome.*:127-
+ - chrome_os:127-
+ - android:127-
+ - webview_android:127-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KioskBrowserPermissionsAllowedForOrigins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KioskBrowserPermissionsAllowedForOrigins.yaml
new file mode 100755
index 000000000..98ccd0b5d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KioskBrowserPermissionsAllowedForOrigins.yaml
@@ -0,0 +1,24 @@
+caption: Allow origins to access browser permissions available to the web kiosk install origin.
+desc: |-
+ Setting the policy allows listed additional origins to access browser permissions (e.g. geo location, camera, microphone) which are already available to the web kiosk applications install origin.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
+example_value:
+- https://www.google.com
+- '[*.]example.com'
+- example.edu
+- '*://example.edu:*/'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://chrome/browser/ash/app_mode/OWNERS
+- macinashutosh@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:129-
+tags: []
+type: list
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KioskCRXManifestUpdateURLIgnored.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KioskCRXManifestUpdateURLIgnored.yaml
new file mode 100755
index 000000000..cef8bf76e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/KioskCRXManifestUpdateURLIgnored.yaml
@@ -0,0 +1,31 @@
+caption: Use only policy-provided update URL when downloading and updating Kiosk Chrome
+ apps
+default: false
+desc: "\n Setting the policy to Disabled will disable in-session Kiosk Chrome\
+ \ apps update (which uses update URL from the extension manifest) and leaves only\
+ \ CRX pre-fetching as the update mechanism.\n Setting the policy to Enabled\
+ \ or not set will allow in-session Kiosk Chrome apps update.\n "
+device_only: true
+example_value: true
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ unlisted: true
+items:
+- caption: 'New behaviour: Kiosk Chrome Apps will be only updated using update URL
+ from the policy'
+ value: true
+- caption: 'Legacy behavior: Kiosk Chrome Apps will be updated by the extension system
+ using update URL from the extension manifest, as well as by caching manager using
+ update URL from the policy'
+ value: false
+owners:
+- file://chrome/browser/extensions/forced_extensions/OWNERS
+- burunduk@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:98-
+tags: []
+type: main
+generate_device_proto: False
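Review bot: The `desc` and the `items` captions give opposite meanings to the same values. `desc` says Disabled turns off in-session updates (the manifest update URL) and Enabled allows them, while `items` says `true` means apps are updated only from the policy URL and `false` is the legacy behaviour that also uses the manifest URL. With `default: false`, the unset case matches the `items` reading, so it is the Enabled/Disabled wording in `desc` that looks inverted. Since this decides which update source a kiosk device trusts, I would rewrite `desc` to match the caption, e.g. `Setting the policy to Enabled disables in-session Kiosk Chrome apps update ...` and `Setting the policy to Disabled or not set allows it.`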
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosAllowed.yaml
new file mode 100755
index 000000000..a64b6a360
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosAllowed.yaml
@@ -0,0 +1,28 @@
+caption: Allow usage of Lacros
+default: false
+default_for_enterprise_users: false
+deprecated: true
+desc: |-
+ This setting is deprecated. Use LacrosAvailability instead.
+
+ If this policy is set to Disabled or unset, the user cannot use Lacros.
+
+ If this policy is set to Enabled, the user can use the Lacros browser.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Allow users to use the Lacros browser
+ value: true
+- caption: Prevent users from using the Lacros browser
+ value: false
+owners:
+- igorcov@chromium.org
+- okalitova@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:88-95
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosAvailability.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosAvailability.yaml
new file mode 100755
index 000000000..2d3294726
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosAvailability.yaml
@@ -0,0 +1,53 @@
+caption: Make the Lacros browser available
+default: user_choice
+default_for_enterprise_users: lacros_disallowed
+desc: |-
+ This setting provides several availability options for the Lacros browser.
+
+ If the policy is set to user_choice, the user can enable Lacros and make it primary.
+
+ If the policy is set to lacros_disallowed, the user cannot use Lacros.
+
+ If the policy is set to side_by_side, Lacros is enabled but is not the primary browser.
+
+ If the policy is set to lacros_primary, Lacros is enabled and is the primary browser.
+
+ If the policy is unset, the default is lacros_disallowed for enterprise-managed users and user_choice for non-managed users.
+
+ In the future it will be possible to make Lacros the only available browser in $2Google ChromeOS with lacros_only value.
+example_value: lacros_primary
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Allow users to enable Lacros and make it the
+ primary browser
+ name: user_choice
+ value: user_choice
+- caption: Prevent users from using Lacros
+ name: lacros_disallowed
+ value: lacros_disallowed
+- caption: Enable Lacros
+ name: side_by_side
+ value: side_by_side
+- caption: Enable Lacros and make it the primary browser
+ name: lacros_primary
+ value: lacros_primary
+- caption: Make Lacros the only available browser (not
+ implemented yet)
+ name: lacros_only
+ value: lacros_only
+owners:
+- asumaneev@google.com
+schema:
+ enum:
+ - user_choice
+ - lacros_disallowed
+ - side_by_side
+ - lacros_primary
+ - lacros_only
+ type: string
+supported_on:
+- chrome_os:92-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosDataBackwardMigrationMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosDataBackwardMigrationMode.yaml
new file mode 100755
index 000000000..00c8da307
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosDataBackwardMigrationMode.yaml
@@ -0,0 +1,49 @@
+caption: Choose what happens with user data after Lacros
+ is disabled
+default: none
+desc: |-
+ This setting decides how much user data is kept after Lacros is disabled.
+
+ If the policy is set to none or unset, backward data migration is not performed.
+
+ If the policy is set to keep_none, all user data is removed. This is the safest option.
+
+ If the policy is set to keep_safe_data, most user data is removed. Only browser independent files are kept (such as Downloads).
+
+ If the policy is set to keep_all, all user data is kept. This option has a high risk of failure, requiring a powerwash to recover.
+example_value: keep_all
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: After Lacros is disabled, data migration is
+ not performed. The Lacros folder is removed and users
+ continue using the remaining data.
+ name: none
+ value: none
+- caption: After Lacros is disabled, all user data is
+ removed on next login.
+ name: keep_none
+ value: keep_none
+- caption: After Lacros is disabled, we attempt to keep
+ as much user data as possible, while removing all browser data.
+ name: keep_safe_data
+ value: keep_safe_data
+- caption: After Lacros is disabled, we attempt to migrate
+ all data.
+ name: keep_all
+ value: keep_all
+owners:
+- janagrill@google.com
+- vsavu@google.com
+schema:
+ enum:
+ - none
+ - keep_none
+ - keep_safe_data
+ - keep_all
+ type: string
+supported_on:
+- chrome_os:110-
+tags: []
+type: string-enum
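Review bot: `example_value: keep_all` is the option the `desc` warns "has a high risk of failure, requiring a powerwash to recover". I would use `example_value: keep_none`, which the same text calls the safest option, so that a copied example does not select the risky mode. The `keep_safe_data` wording also disagrees between `desc` ("most user data is removed") and its caption ("keep as much user data as possible"); one of the two should be aligned.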
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosSecondaryProfilesAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosSecondaryProfilesAllowed.yaml
new file mode 100755
index 000000000..e7d7337ea
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosSecondaryProfilesAllowed.yaml
@@ -0,0 +1,32 @@
+caption: Allow users to create and use secondary profiles, and use guest mode in the
+ Lacros browser
+default: true
+default_for_enterprise_users: false
+desc: |-
+ This setting allows users to create and use secondary profiles, and use guest mode in the Lacros browser.
+
+ Similar to both BrowserAddPersonEnabled and BrowserGuestModeEnabled, if this policy is set to false or unset, the user cannot create or use secondary profiles, and use guest mode. Previously created secondary profiles, if any, will be unavailable.
+
+ If this policy is set to true, the user can create and use secondary profiles, and use guest mode.
+
+ Note: If this policy is set to true but BrowserAddPersonEnabled is set to false, the user cannot create secondary profiles. The same for BrowserGuestModeEnabled and guest mode.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow users to create and use secondary profiles, and use guest mode in
+ the Lacros browser
+ value: true
+- caption: Prevent users from creating and using secondary profiles, and from using
+ guest mode in the Lacros browser
+ value: false
+owners:
+- asumaneev@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.linux:91-92
+- chrome_os:91-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosSelection.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosSelection.yaml
new file mode 100755
index 000000000..c1318d3d5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LacrosSelection.yaml
@@ -0,0 +1,55 @@
+caption: Select Lacros browser binary
+default: user_choice
+default_for_enterprise_users: rootfs
+desc: |-
+ This setting configures which Lacros browser to use.
+
+ If the policy is set to user_choice,
+ the user can decide which Lacros browser to load: binary from
+ rootfs or stateful partition.
+ If the user has not set any preference, the binary with the newest version will be chosen.
+
+ If the policy is set to rootfs,
+ always load rootfs binary of
+ Lacros browser.
+
+ If the policy is unset, the default is rootfs for enterprise-managed users and
+ user_choice for non-managed users.
+
+ Note that changing the policy's value may cause
+ Lacros browser's data loss if the browser's
+ version it changes to is older than the current one. For example, if the
+ policy changes from user_choice
+ to rootfs, and the first one was
+ updated. Or if $2Google ChromeOS was
+ updated together with rootfs
+ Lacros browser, and
+ stateful has not been updated yet.
+ In such scenarios the correct data migration is not guaranteed.
+
+ Using user_choice or rootfs
+ is a safe option. Switching from rootfs to user_choice
+ is safe as well.
+
+example_value: user_choice
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Allow users to select Lacros browser binary
+ name: user_choice
+ value: user_choice
+- caption: Always load rootfs Lacros browser
+ name: rootfs
+ value: rootfs
+owners:
+- asumaneev@google.com
+schema:
+ enum:
+ - user_choice
+ - rootfs
+ type: string
+supported_on:
+- chrome_os:112-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensCameraAssistedSearchEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensCameraAssistedSearchEnabled.yaml
new file mode 100755
index 000000000..1d1767109
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensCameraAssistedSearchEnabled.yaml
@@ -0,0 +1,33 @@
+caption: Allow Google Lens camera assisted
+ search
+default: true
+desc: Leaving the policy unset or setting it to Enabled allows users to search with
+ their cameras using Google Lens. Setting
+ the policy to Disabled means users can't see the Google
+ Lens button in the search box when Google
+ Lens camera assisted search is supported.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Enable Google Lens camera assisted
+ search for Enterprise user
+ value: true
+- caption: Disable Google Lens camera assisted
+ search for Enterprise user
+ value: false
+owners:
+- yusuyoutube@google.com
+- hujasonx@google.com
+- benwgold@google.com
+- wylieb@chromium.org
+- fgorski@chromium.org
+- lens-chrome@google.com
+schema:
+ type: boolean
+supported_on:
+- android:91-
+- ios:113-
+tags: []
+type: main
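Review bot: `tags: []` here differs from LensOnGalleryEnabled.yaml and LensOverlaySettings.yaml later in this patch, which both carry `google-sharing`. LensDesktopNTPSearchEnabled.yaml and LensRegionSearchEnabled.yaml are untagged as well. The descriptions suggest, but do not state, that camera, New Tab page and region search hand image data to Google Lens in the same way. If they do, the three files should use `tags:` with `- google-sharing` so that tooling filtering on that tag sees every Lens policy.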
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensDesktopNTPSearchEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensDesktopNTPSearchEnabled.yaml
new file mode 100755
index 000000000..8157dc9b2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensDesktopNTPSearchEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Allow Google Lens button to
+ be shown in the search box on the New Tab page if supported.
+default: true
+desc: Leaving the policy unset or setting it to Enabled allows users to view and
+ use the Google Lens button in the
+ search box on the New Tab page. Setting the policy to Disabled means users
+ will not see the Google Lens button
+ in the search box on the New Tab page.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Show the Google Lens button in the search box on the New Tab page.
+ value: true
+- caption: Do not show the Google Lens button in the search box on the New Tab
+ page.
+ value: false
+owners:
+- nguyenbryan@google.com
+- yowakita@google.com
+- bbonnet@google.com
+- lens-chrome@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:109-
+- chrome_os:109-
+tags: []
+type: main
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensOnGalleryEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensOnGalleryEnabled.yaml
new file mode 100755
index 000000000..95145617d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensOnGalleryEnabled.yaml
@@ -0,0 +1,28 @@
+owners:
+- jopalmer@chromium.org
+- file://ash/webui/media_app_ui/OWNERS
+caption: Enables the Lens / Gallery App integration on $2Google ChromeOS
+desc: |-
+ This policy controls the availability of the Lens integration in the Gallery App on $2Google ChromeOS
+
+ When the policy is enabled or not set, users can use Lens to search selections of media that they are viewing in the Gallery App.
+ When the policy is disabled this feature is disabled.
+supported_on:
+- chrome_os:128-
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+type: main
+schema:
+ type: boolean
+items:
+- caption: Enable the Lens integration
+ value: true
+- caption: Disable the Lens integration
+ value: false
+default: true
+example_value: true
+tags: [
+ google-sharing
+]
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensOverlaySettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensOverlaySettings.yaml
new file mode 100755
index 000000000..3168c439c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensOverlaySettings.yaml
@@ -0,0 +1,38 @@
+caption: Settings for the Lens Overlay feature
+desc: |-
+ Lens Overlay lets users issue Google searches by interacting with a screenshot of the current page laid over the actual web contents.
+
+ There is no user setting to control this feature, it is generally made available to all users with Google as their default search engine unless disabled by this policy.
+
+ When policy is set to 0 - Enabled or not set, the feature will be available to users.
+ When policy is set to 1 - Disabled, the feature will not be available.
+
+default: 0
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable
+ name: Enabled
+ value: 0
+- caption: Disable
+ name: Disabled
+ value: 1
+owners:
+- jdonnelly@google.com
+- mahmadi@google.com
+- file://components/lens/OWNERS
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+supported_on:
+- chrome.*:126-
+- chrome_os:126-
+- ios:128-
+tags:
+- google-sharing
+type: int-enum
+
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensRegionSearchEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensRegionSearchEnabled.yaml
new file mode 100755
index 000000000..a5771b187
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LensRegionSearchEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Allow Google Lens region search
+ menu item to be shown in context menu if supported.
+default: true
+desc: Leaving the policy unset or setting it to Enabled allows users to view and use
+ the Google Lens region search menu item
+ in the context menu. Setting the policy to Disabled means users will not see the
+ Google Lens region search menu item in
+ the context menu when Google Lens region
+ search is supported.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable Google Lens region search.
+ value: true
+- caption: Disable Google Lens region search.
+ value: false
+owners:
+- juanmojica@google.com
+- benwgold@google.com
+- lens-chrome@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:94-
+- chrome_os:94-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ListenToThisPageEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ListenToThisPageEnabled.yaml
new file mode 100755
index 000000000..d5cfbff7b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ListenToThisPageEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Enable read aloud (text distillation and text-to-speech synthesis) for web pages
+default: true
+desc: |-
+ Setting the policy to be true allows users to have eligible web
+ pages read aloud using text-to-speech. This is achieved by server
+ side content distillation and audio synthesis. Setting to false
+ disables this feature. If this policy is set to default or unset,
+ read aloud is enabled.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Always allow read aloud
+ value: true
+- caption: Never allow read aloud
+ value: false
+owners:
+- basiaz@chromium.org
+- file://chrome/browser/readaloud/OWNERS
+schema:
+ type: boolean
+supported_on:
+- android:122-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LoadCryptoTokenExtension.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LoadCryptoTokenExtension.yaml
new file mode 100755
index 000000000..624905fe4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LoadCryptoTokenExtension.yaml
@@ -0,0 +1,27 @@
+caption: Load the CryptoToken component extension at startup
+default: false
+deprecated: true
+desc: If set to Enabled, the built-in CryptoToken component extension is loaded at
+ startup. If set to Disabled or not set, CryptoToken is not loaded at browser startup.
+ This policy is meant as a temporary workaround for sites broken by `chrome.runtime`
+ being undefined as a side effect of the removal of CryptoToken in M106. Websites
+ must not depend on `chrome.runtime` being defined unconditionally.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Load the extension
+ value: true
+- caption: Apply default behavior
+ value: false
+owners:
+- martinkr@google.com
+- rdcronin@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:106-107
+- chrome_os:106-107
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LocalDiscoveryEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LocalDiscoveryEnabled.yaml
new file mode 100755
index 000000000..70fa77e10
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LocalDiscoveryEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Enable chrome://devices
+default: true
+deprecated: true
+desc: "This policy controls access to controllable features in the local discovery\
+ \ UI (chrome://devices) which shows discoverable\
+ \ devices near the user as well as cloud devices registered to them. On all operating\
+ \ systems except for $2Google ChromeOS,\
+ \ the local discovery UI also allows users to add classic printers connected to\
+ \ their computers to Google Cloud Print.\n\n\
+ \ Setting the policy to Enabled or not set allow local device discovery.\n\n\
+ \ Setting the policy to Disabled prevents local device discovery.\n "
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow local device discovery
+ value: true
+- caption: Prevent local device discovery
+ value: false
+owners:
+- thestig@chromium.org
+- weili@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:81-87
+- chrome_os:81-87
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LockIconInAddressBarEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LockIconInAddressBarEnabled.yaml
new file mode 100755
index 000000000..ae188a375
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LockIconInAddressBarEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Enable lock icon in the omnibox for secure connections
+default: false
+deprecated: true
+desc: |-
+ This policy controls the treatment for lock icon in the omnibox.
+ From Chrome M93, there is a new omnibox icon for secure connections.
+ If the policy is Enabled, Chrome will use the existing lock icon for secure connections.
+ If the policy is Disabled or not set, Chrome will use the default icon for secure connections.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Use lock icon for secure connections
+ value: true
+- caption: Use default icons for secure connections
+ value: false
+owners:
+- meacer@chromium.org
+- trusty-transport@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:93-102
+- chrome_os:93-102
+- android:93-102
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LockScreenAutoStartOnlineReauth.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LockScreenAutoStartOnlineReauth.yaml
new file mode 100755
index 000000000..a88a27d79
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LockScreenAutoStartOnlineReauth.yaml
@@ -0,0 +1,36 @@
+caption: Automatic start of online re-authentication on the lock screen
+default: false
+desc: |-
+ On the lock screen users have an option to open an online re-authentication
+ window and use it for authentication process to re-enter their session. This
+ policy can be used to automatically open the window if online
+ re-authentication is required.
+
+ If the policy is set to Enabled and online re-authentication is required, the
+ online re-authentication window is opened automatically.
+
+ If the policy is set to Disabled or unset, the online re-authentication window
+ has to be opened manually.
+
+ Online re-authentication can become required for a number of reasons, such as
+ password change, but it can be also enforced by certain policies such as
+ GaiaLockScreenOfflineSigninTimeLimitDays or
+ SamlLockScreenOfflineSigninTimeLimitDays.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable automatic online re-authentication start.
+ value: true
+- caption: Disable automatic online re-authentication start.
+ value: false
+owners:
+- andreydav@google.com
+- chromeos-commercial-identity@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:126-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LockScreenMediaPlaybackEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LockScreenMediaPlaybackEnabled.yaml
new file mode 100755
index 000000000..3b63aa5b6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LockScreenMediaPlaybackEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Allows users to play media when the device is locked
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset displays media controls on the lock screen if users lock the device when media is playing.
+
+ Setting the policy to Disabled turns media controls on the lock screen off.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow users to play media when the device is locked
+ value: true
+- caption: Do not allow users to play media when the device is locked
+ value: false
+owners:
+- file://services/media_session/OWNERS
+- mlamouri@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:78-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LoginDisplayPasswordButtonEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LoginDisplayPasswordButtonEnabled.yaml
new file mode 100755
index 000000000..fa2b44085
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LoginDisplayPasswordButtonEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Show the display password button on the login and lock screen
+default_for_enterprise_users: false
+desc: "When enabled, this feature shows a button on the login and lock screen that\
+ \ allows the password to be displayed.\n It is represented as an eye icon\
+ \ on the password textfield. The button is absent when the feature is disabled.\n\
+ \ "
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Show the display password button on the login and lock screen
+ value: true
+- caption: Do not show the display password button on the login and lock screen
+ value: false
+owners:
+- rsorokin@chromium.org
+- cros-oac@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:86-
+tags: []
+type: main
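Review bot: The `desc` never states what happens when the policy is unset, and the file carries only `default_for_enterprise_users: false` with no `default:` key, so the behaviour on unmanaged devices cannot be read from this definition. Because the button reveals the typed password on the login and lock screen, the unset case deserves one explicit sentence in `desc`, for example `If the policy is unset, the button is <shown or hidden> for non-enterprise users.`, with the placeholder filled in from the implementation. The enterprise default is presumably hidden, going by `default_for_enterprise_users: false`, and that should be stated in the text as well.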
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LookalikeWarningAllowlistDomains.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LookalikeWarningAllowlistDomains.yaml
new file mode 100755
index 000000000..83744c6cc
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/LookalikeWarningAllowlistDomains.yaml
@@ -0,0 +1,32 @@
+caption: Suppress lookalike domain warnings on domains
+desc: |-
+ This policy prevents the display of lookalike URL warnings on the sites listed. These warnings are typically shown on sites that $1Google Chrome believes might be trying to spoof another site the user is familiar with.
+
+ If the policy is enabled and set to one or more domains, no lookalike warnings pages will be shown when the user visits pages on that domain.
+
+ If the policy is not set, or set to an empty list, warnings may appear on any site the user visits.
+
+ A hostname can be allowed with a complete host match, or any domain match. For example, a URL like "https://foo.example.com/bar" may have warnings suppressed if this list includes either "foo.example.com" or "example.com".
+example_value:
+- foo.example.com
+- example.org
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://chrome/browser/lookalikes/OWNERS
+- jdeblasio@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:86-
+- chrome_os:86-
+- android:86-
+tags:
+- system-security
+- website-sharing
+type: list
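Review bot: The last paragraph of `desc` permits "any domain match" without defining it, and its own example shows that listing `example.com` also suppresses the warning on `foo.example.com`. An entry for a registrable domain therefore appears to switch off lookalike warnings for every host beneath it, which is broader than an admin reading "on the sites listed" would expect. The schema is a bare `type: string` per item, so entries carrying a scheme, port, path or wildcard are not rejected by this definition, and how they are treated is not documented. I would add to `desc`: `Entries are bare hostnames without scheme, port or path. Listing a domain also suppresses warnings on its subdomains, so list the most specific hostname needed.`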
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MachineLevelUserCloudPolicyEnrollmentToken.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MachineLevelUserCloudPolicyEnrollmentToken.yaml
new file mode 100755
index 000000000..0d9717b15
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MachineLevelUserCloudPolicyEnrollmentToken.yaml
@@ -0,0 +1,19 @@
+caption: The enrollment token of cloud policy on desktop
+deprecated: true
+desc: "\n This policy is deprecated in M72. Please use CloudManagementEnrollmentToken\
+ \ instead.\n "
+example_value: 37185d02-e055-11e7-80c1-9a214cf093ae
+features:
+ dynamic_refresh: false
+ per_profile: false
+ platform_only: true
+owners:
+- zmin@chromium.org
+- pastarmovj@chromium.org
+- rogerta@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:66-80
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedAccountsSigninRestriction.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedAccountsSigninRestriction.yaml
new file mode 100755
index 000000000..d867eb49d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedAccountsSigninRestriction.yaml
@@ -0,0 +1,71 @@
+caption: Add restrictions on managed accounts
+default: none
+desc: |2-
+
+ Default behavior (Policy unset)
+ When an account is added in the content area a small dialog may appear asking the user to create a new profile. This dialog is dismissable.
+
+ ManagedAccountsSigninRestriction = 'primary_account'
+ If a user signs into a Google service for the first time in a $1Google Chrome browser, a dialog will appear asking the user to create a new profile for their enterprise account. The user may click Cancel and get signed out, or Continue to create a new profile. Any existing browsing data will not be added to the new profile. The newly created profile is allowed to have secondary accounts, for example the user can sign into another account in the content area.
+
+ ManagedAccountsSigninRestriction = 'primary_account_strict'
+ This is the same behavior as 'primary_account' except the newly created profile is not allowed to have secondary accounts.
+
+ ManagedAccountsSigninRestriction = 'primary_account_keep_existing_data'
+ This is the same behavior as 'primary_account' except a checkbox will be added to the dialog to allow the user to keep local browsing data.
+ If the user checks the box, then the existing profile data becomes associated with the Managed account.
+ - All existing browsing data will be present in the new profile.
+ - This data includes bookmarks, history, password, autofill data, open tabs, cookies, cache, web storage, extensions, etc.
+ If the user does not check the box:
+ - The old profile will continue to exist, no data will be lost.
+ - A new profile will be created.
+
+ ManagedAccountsSigninRestriction = 'primary_account_strict_keep_existing_data'
+ This is the same behavior as 'primary_account_keep_existing_data' except the newly created profile is not allowed to have secondary accounts.
+example_value: primary_account
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- chrome_os
+- fuchsia
+items:
+- caption: A Managed account must be a primary account and importing existing browsing
+ data is allowed at the time of profile creation
+ name: PrimaryAccount
+ value: primary_account
+- caption: A Managed account must be a primary account and have no secondary accounts
+ and importing existing browsing data is allowed at the time of profile creation
+ name: PrimaryAccountStrict
+ value: primary_account_strict
+- caption: No restrictions on managed accounts
+ name: None
+ value: none
+- caption: A Managed account must be a primary account and the user can import existing
+ data at the time of its creation
+ name: PrimaryAccountKeepExistingData
+ supported_on:
+ - chrome.*:102-
+ value: primary_account_keep_existing_data
+- caption: A Managed account must be a primary account and have no secondary accounts
+ and the user can import existing data at the time of its creation
+ name: PrimaryAccountStrictKeepExistingData
+ supported_on:
+ - chrome.*:102-
+ value: primary_account_strict_keep_existing_data
+owners:
+- ydago@chromium.org
+- pastarmovj@chromium.org
+schema:
+ enum:
+ - primary_account
+ - primary_account_strict
+ - affiliated_device
+ - none
+ - primary_account_keep_existing_data
+ - primary_account_strict_keep_existing_data
+ type: string
+supported_on:
+- chrome.*:94-
+tags: []
+type: string-enum
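Review bot: `schema.enum` accepts `affiliated_device`, but no entry in `items` and no paragraph in `desc` covers that value, so a configuration using it validates while its effect is undocumented. Either remove `- affiliated_device` from the enum or add a matching `items` entry with its own `name:` and `caption:`. Separately, the captions for `primary_account` and `primary_account_strict` say that importing existing browsing data is allowed at profile creation, while `desc` says of `primary_account` that `Any existing browsing data will not be added to the new profile`. One of the two needs correcting, because the difference decides whether personal browsing data ends up in a managed profile.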
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedBookmarks.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedBookmarks.yaml
new file mode 100755
index 000000000..cde4a85b0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedBookmarks.yaml
@@ -0,0 +1,36 @@
+caption: Managed Bookmarks
+desc: |-
+ Setting the policy sets up a list of bookmarks where each one is a dictionary with the keys "name" and "url". These keys hold the bookmark's name and target. Admins can set up a subfolder by defining a bookmark without a "url" key, but with an additional "children" key. This key also has a list of bookmarks, some of which can also be folders. Chrome amends incomplete URLs as if they were submitted through the address bar. For example, "google.com" becomes "https://google.com/".
+
+ Users can't change the folders the bookmarks are placed in (though they can hide it from the bookmark bar). The default folder name for managed bookmarks is "Managed bookmarks" but it can be changed by adding a new sub-dictionary to the policy with a single key named "toplevel_name" with the desired folder name as its value. Managed bookmarks are not synced to the user account and extensions can't modify them.
+example_value:
+- toplevel_name: My managed bookmarks folder
+- name: Google
+ url: google.com
+- name: Youtube
+ url: youtube.com
+- children:
+ - name: Chromium
+ url: chromium.org
+ - name: Chromium Developers
+ url: dev.chromium.org
+ name: Chrome links
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- anqing@chromium.org
+schema:
+ items:
+ $ref: BookmarkType
+ type: array
+supported_on:
+- android:30-
+- chrome.*:37-
+- chrome_os:37-
+- ios:88-
+tags: []
+type: dict
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedConfigurationPerOrigin.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedConfigurationPerOrigin.yaml
new file mode 100755
index 000000000..70c827b5e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedConfigurationPerOrigin.yaml
@@ -0,0 +1,42 @@
+caption: Sets managed configuration values to websites to specific origins
+desc: "Setting the policy defines the return value of Managed Configuration API for\
+ \ given origin.\n\n Managed configuration API is a key-value configuration\
+ \ that can be accessed via navigator.managed.getManagedConfiguration() javascript\
+ \ call. This API is only available to origins which correspond to force-installed\
+ \ web applications via WebAppInstallForceList.\n\
+ \ "
+example_value:
+- managed_configuration_hash: asd891jedasd12ue9h
+ managed_configuration_url: https://gstatic.google.com/configuration.json
+ origin: https://www.google.com
+- managed_configuration_hash: djio12easd89u12aws
+ managed_configuration_url: https://gstatic.google.com/configuration2.json
+ origin: https://www.example.com
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://chrome/browser/device_api/OWNERS
+- apotapchuk@chromium.org
+schema:
+ items:
+ properties:
+ managed_configuration_hash:
+ type: string
+ managed_configuration_url:
+ type: string
+ origin:
+ type: string
+ required:
+ - origin
+ - managed_configuration_url
+ - managed_configuration_hash
+ type: object
+ type: array
+supported_on:
+- chrome.*:89-
+- chrome_os:89-
+tags: []
+type: dict
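Review bot: `managed_configuration_hash` is listed under `required`, but `desc` never says what it is a hash of, which algorithm is expected, or what the browser does when the fetched configuration does not match it. The example values (`asd891jedasd12ue9h`) do not resemble any digest, which suggests the field may be a change marker rather than an integrity check. The text should say which, so that admins do not rely on it to protect the file served from `managed_configuration_url`. A sentence of the form `managed_configuration_hash is <purpose>; on mismatch <behaviour>` in `desc` would settle this. The schema also leaves `origin` and `managed_configuration_url` as unconstrained `type: string`, so whether a non-HTTPS URL is rejected cannot be told from this file.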
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedGuestSessionAutoLaunchNotificationReduced.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedGuestSessionAutoLaunchNotificationReduced.yaml
new file mode 100755
index 000000000..49cd3d32e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedGuestSessionAutoLaunchNotificationReduced.yaml
@@ -0,0 +1,24 @@
+caption: Reduce Managed-guest session auto-launch notifications
+deprecated: true
+desc: |2-
+ Note that this policy is deprecated in M87 and removed in M89. Please use ManagedGuestSessionPrivacyWarningsEnabled to configure the privacy warnings of managed-guest sessions instead.
+
+ Control the auto launch notification of the managed guest session on $2Google ChromeOS.
+
+ If this policy is set to True, the privacy warning notification will be closed after some seconds.
+
+ If the policy is set to False or not set, the privacy warning notification will be pinned until the user dismisses it.
+example_value: true
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:83-88
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedGuestSessionPrivacyWarningsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedGuestSessionPrivacyWarningsEnabled.yaml
new file mode 100755
index 000000000..c6cae5b10
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ManagedGuestSessionPrivacyWarningsEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Reduce Managed-guest session auto-launch notifications
+desc: |2-
+ Controls the privacy warning of the managed-guest session on $2Google ChromeOS.
+
+ If this policy is set to False, the privacy warnings on the login screen and the auto-launch notification inside the managed-guest session will get deactivated.
+
+ This policy should not be used for devices used by the general public.
+
+ If the policy is set to True or not set, the privacy warning notification in the auto-launched managed-guest session will be pinned until the user dismisses it.
+device_only: true
+example_value: false
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Show privacy notifications until dismissed by the user
+ value: true
+- caption: Do not show privacy notifications
+ value: false
+owners:
+- file://components/policy/OWNERS
+- ayaelattar@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- 'chrome_os: 84-'
+tags: []
+type: main
+generate_device_proto: False
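Review bot: The `caption` is copied verbatim from the deprecated ManagedGuestSessionAutoLaunchNotificationReduced policy, but the polarity here is the opposite: per `desc` and `items`, True keeps the privacy warnings and False deactivates them. An admin reading `Reduce Managed-guest session auto-launch notifications` in a policy editor could enable it expecting fewer notifications, or disable it without realising that this removes the privacy warning, which `desc` says should not be done on devices used by the general public. I would change it to something like `caption: Show privacy warnings in managed-guest sessions`. The `supported_on` entry `'chrome_os: 84-'` is also quoted and contains a space, unlike every other file in this patch (`chrome_os:83-88`); `- chrome_os:84-` would be consistent, and whether the template parser tolerates the space is not visible here.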
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MaxConnectionsPerProxy.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MaxConnectionsPerProxy.yaml
new file mode 100755
index 000000000..8b00ed559
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MaxConnectionsPerProxy.yaml
@@ -0,0 +1,22 @@
+caption: Maximal number of concurrent connections to the proxy server
+default: 32
+desc: |-
+ Setting the policy specifies the maximal number of simultaneous connections to the proxy server. Some proxy servers can't handle a high number of concurrent connections per client, which is solved by setting this policy to a lower value. The value should be lower than 100 and higher than 6. Some web apps are known to consume many connections with hanging GETs, so setting a value below 32 may lead to browser networking hangs if there are too many web apps with hanging connections open. Lower below the default at your own risk.
+
+ Leaving the policy unset means a default of 32 is used.
+example_value: 32
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- chrome_os
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: integer
+supported_on:
+- chrome.*:14-
+tags: []
+type: int
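Review bot: `desc` says the value "should be lower than 100 and higher than 6", yet `schema` is only `type: integer`, so nothing in this definition rejects 0, a negative number or a very large value. MaxInvalidationFetchDelay, later in this patch, shows the expected pattern: it declares `maximum:` and `minimum:` and documents that out-of-range values are clamped. If the limits in the text are enforced, add `minimum: 7` and `maximum: 99` under `schema:` (bounds inferred from the wording of `desc`). Otherwise state in `desc` what the browser does with an out-of-range value.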
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MaxInvalidationFetchDelay.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MaxInvalidationFetchDelay.yaml
new file mode 100755
index 000000000..a3875b539
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MaxInvalidationFetchDelay.yaml
@@ -0,0 +1,24 @@
+caption: Maximum fetch delay after a policy invalidation
+default: 10000
+desc: |-
+ Setting the policy specifies the maximum delay in milliseconds between receiving a policy invalidation and fetching the new policy from the device management service. Valid values range from 1,000 (1 second) to 300,000 (5 minutes). Values outside this range will be clamped to the respective boundary.
+
+ Leaving the policy unset means $1Google Chrome uses the default value of 10 seconds.
+example_value: 10000
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- stepco@chromium.org
+- poromov@chromium.org
+schema:
+ maximum: 300000
+ minimum: 1000
+ type: integer
+supported_on:
+- chrome.*:30-
+- chrome_os:30-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MediaCacheSize.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MediaCacheSize.yaml
new file mode 100755
index 000000000..b467680a1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MediaCacheSize.yaml
@@ -0,0 +1,22 @@
+caption: Set media disk cache size in bytes
+deprecated: true
+desc: |-
+ Setting the policy configures the cache size that $1Google Chrome uses for storing cached media files on the disk, regardless of whether or not users specify the --media-cache-size flag. The value specified in this policy isn't a hard boundary, but a suggestion to the caching system. Any value below a few megabytes is rounded up.
+
+ Setting the value of the policy to 0 uses the default cache size, and users can't change it.
+
+ Leaving the policy unset uses the default cache size and users can change it with the --media-cache-size flag.
+example_value: 104857600
+features:
+ dynamic_refresh: false
+ per_profile: false
+label: Set media disk cache size
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: integer
+supported_on:
+- chrome.*:17-71
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MediaRecommendationsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MediaRecommendationsEnabled.yaml
new file mode 100755
index 000000000..1d6185659
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MediaRecommendationsEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Enable Media Recommendations
+default: true
+desc: By default the browser will show media recommendations that are personalized
+ to the user. Setting this policy to Disabled will result in these recommendations
+ being hidden from the user. Setting this policy to Enabled or leaving it unset will
+ result in the media recommendations being shown to the user.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Show media recommendations to the user
+ value: true
+- caption: Hide media recommendations from the user
+ value: false
+owners:
+- beccahughes@chromium.org
+- steimel@chromium.org
+- mlamouri@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:87-
+- chrome_os:87-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MemorySaverModeSavings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MemorySaverModeSavings.yaml
new file mode 100755
index 000000000..7b7f694fd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MemorySaverModeSavings.yaml
@@ -0,0 +1,42 @@
+caption: Change Memory Saver Mode Savings
+default: null
+desc: |-
+ This policy changes the savings level of Memory Saver.
+
+ This only takes effect when Memory Saver is enabled through settings or through the HighEfficiencyModeEnabled policy, and will affect how heuristics are used to determine when to discard tabs. For example, reducing the lifetime of an inactive tab before discarding it can save memory, but it also means that tabs will be reloaded more frequently which can lead to bad user experience and cost more network traffic.
+
+ Setting the policy to 0 - Memory Saver will get moderate memory savings. Tabs become inactive after a longer period of time
+
+ Setting the policy to 1 - Memory Saver will get balanced memory savings. Tabs become inactive after an optimal period of time.
+
+ Setting the policy to 2 - Memory Saver will get maximum memory savings. Tabs become inactive after a shorter period of time.
+
+ If this policy is unset, the end user can control this setting in chrome://settings/performance.
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Moderate memory savings.
+ name: Moderate
+ value: 0
+- caption: Balanced memory savings.
+ name: Balanced
+ value: 1
+- caption: Maximum memory savings.
+ name: Maximum
+ value: 2
+owners:
+- charlesmeng@chromium.org
+- file://chrome/browser/ui/performance_controls/OWNERS
+schema:
+ type: integer
+ enum:
+ - 0
+ - 1
+ - 2
+supported_on:
+- chrome.*:126-
+- chrome_os:126-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MetricsReportingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MetricsReportingEnabled.yaml
new file mode 100755
index 000000000..3aa917168
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MetricsReportingEnabled.yaml
@@ -0,0 +1,40 @@
+caption: Enable reporting of usage and crash-related data
+default: null
+desc: |-
+ When this policy is Enabled, anonymous reporting of usage and crash-related data about $1Google Chrome to Google is recommended to be enabled by default. Users will still be able to change this setting.
+
+ When this policy is Disabled, anonymous reporting is disabled and no usage or crash data is sent to Google. Users won't be able to change this setting.
+
+ When this policy is not set, users can choose the anonymous reporting behavior at installation or first run, and can change this setting later.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+
+ (For $2Google ChromeOS, see DeviceMetricsReportingEnabled.)
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Enable reporting of usage and crash-related data
+ value: true
+- caption: Disable reporting of usage and crash-related data
+ value: false
+- caption: Allow users to choose
+ value: null
+owners:
+- file://components/policy/OWNERS
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-
+- ios:88-
+- android:110-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MixedContentAutoupgradeEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MixedContentAutoupgradeEnabled.yaml
new file mode 100755
index 000000000..e7006218b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MixedContentAutoupgradeEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Enable mixed content autoupgrading on HTTPS sites
+desc: |-
+ Chrome attempts to upgrade some types of mixed content (HTTP on an HTTPS site) subresources on iOS.
+ See https://chromium.googlesource.com/chromium/src/+/main/docs/security/autoupgrade-mixed.md for details.
+
+ This policy was used to disable mixed content autoupgrading on iOS. The policy is now deprecated and unsupported.
+
+deprecated: true
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Enable mixed content autoupgrading
+ value: true
+- caption: Disable mixed content autoupgrading
+ value: false
+owners:
+- meacer@chromium.org
+- trusty-transport@chromium.org
+schema:
+ type: boolean
+supported_on:
+- ios:111-122
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MutationEventsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MutationEventsEnabled.yaml
new file mode 100755
index 000000000..fa239cf0f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/MutationEventsEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Re-enable deprecated/removed Mutation Events
+default: false
+desc: |-
+ This policy provides a temporary opt-back-in to a deprecated and removed set of platform events called Mutation Events.
+ When this policy is Enabled, mutation events will continue to be fired, even if they've been disabled by default for normal web users. When this policy is Disabled or unset, these events may not be fired.
+ This policy is a temporary workaround, and will be removed in M135.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: 'Enabled: Temporarily re-enable mutation events.'
+ value: true
+- caption: 'Disabled: Normal behavior for mutation events, which will mean not firing these events after the removal date.'
+ value: false
+owners:
+- masonf@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:124-
+- chrome_os:124-
+- android:124-
+- webview_android:124-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPCardsVisible.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPCardsVisible.yaml
new file mode 100755
index 000000000..2b9ed2bde
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPCardsVisible.yaml
@@ -0,0 +1,33 @@
+caption: Show cards on the New Tab Page
+default: null
+desc: "This policy controls the visibility of cards on the New Tab Page. Cards surface\
+ \ entry points to launch common user journeys based on the user's browsing behavior.\n\
+ \n If the policy is set to Enabled, the New Tab Page will show cards if content\
+ \ is available.\n\n If the policy is set to Disabled, the New Tab Page won't\
+ \ show cards.\n\n If the policy is not set, the user can control the card visibility.\
+ \ The default is visible.\n "
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: New Tab Page will show cards if content is available
+ value: true
+- caption: New Tab Page will not show cards
+ value: false
+- caption: New Tab Page will show cards if content is available, but allow the user
+ to change this setting
+ value: null
+owners:
+- danielms@chromium.org
+- tiborg@chromium.org
+- yyushkina@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:88-
+- chrome_os:88-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPContentSuggestionsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPContentSuggestionsEnabled.yaml
new file mode 100755
index 000000000..0458b6f27
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPContentSuggestionsEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Show content suggestions on the New Tab page
+default: true
+default_for_enterprise_users: false
+desc: |-
+ Setting the policy to True or leaving it unset displays autogenerated content suggestions on the New Tab page, based on the user's browsing history, interests, or location.
+
+ Setting the policy to False prevents autogenerated content suggestions from appearing on the New Tab page.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Show content suggestions on the New Tab page
+ value: true
+- caption: Do not show content suggestions on the New Tab page
+ value: false
+owners:
+- treib@chromium.org
+- carlosk@chromium.org
+schema:
+ type: boolean
+supported_on:
+- android:54-
+- ios:93-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPCustomBackgroundEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPCustomBackgroundEnabled.yaml
new file mode 100755
index 000000000..e47378eeb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPCustomBackgroundEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Allow users to customize the background on the New Tab page
+default: true
+default_for_enterprise_users: true
+desc: |-
+ If the policy is set to false, the New Tab page won't allow users to customize the background. Any existing custom background will be permanently removed even if the policy is set to true later.
+
+ If the policy is set to true or unset, users can customize the background on the New Tab page.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Users can customize the New Tab page background
+ value: true
+- caption: Users can not customize the New Tab page background
+ value: false
+owners:
+- mahmadi@chromium.org
+- yyushkina@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:80-
+- chrome_os:80-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPMiddleSlotAnnouncementVisible.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPMiddleSlotAnnouncementVisible.yaml
new file mode 100755
index 000000000..35e19325f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NTPMiddleSlotAnnouncementVisible.yaml
@@ -0,0 +1,29 @@
+caption: Show the middle slot announcement on the New Tab Page
+default: true
+desc: "This policy controls the visibility of the middle slot announcement on the\
+ \ New Tab Page.\n\n If the policy is set to Enabled, the New Tab Page will\
+ \ show the middle slot announcement if it is available.\n\n If the policy is\
+ \ set to Disabled, the New Tab Page will not show the middle slot announcement even\
+ \ if it is available.\n "
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: New Tab Page will show the middle slot announcement if it is available
+ value: true
+- caption: New Tab Page will not show the middle slot announcement even if it is available
+ value: false
+owners:
+- danpeng@google.com
+- tiborg@chromium.org
+- chrome-desktop-ntp@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:99-
+- chrome_os:99-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeClientForceAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeClientForceAllowed.yaml
new file mode 100755
index 000000000..114816d82
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeClientForceAllowed.yaml
@@ -0,0 +1,25 @@
+caption: Forces Native Client (NaCl) to be allowed to run.
+default: false
+default_for_enterprise_users: false
+desc: |-
+ Setting the policy to True allows Native Client to continue to run even if the default behavior is that Native Client is disabled.
+ Setting the policy to False will use the default behavior.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Allow Native Client to Run
+ value: true
+- caption: Use Default Behavior
+ value: false
+owners:
+- erikchen@chromium.org
+- file://ATL_OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:116-
+- chrome.*:116-119
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeHostsExecutablesLaunchDirectly.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeHostsExecutablesLaunchDirectly.yaml
new file mode 100755
index 000000000..f01d7ec59
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeHostsExecutablesLaunchDirectly.yaml
@@ -0,0 +1,30 @@
+caption: Force Windows executable Native Messaging hosts to launch directly
+default: null
+desc: |-
+ This policy controls whether native host executables launch directly on Windows.
+
+ Setting the policy to Enabled forces $1Google Chrome to launch native messaging hosts implemented as executables directly.
+
+ Setting the policy to Disabled will result in $1Google Chrome launching hosts using cmd.exe as an intermediary process.
+
+ Leaving the policy unset allows $1Google Chrome to decide which approach to use.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Directly launch executable Native Messaging Hosts on Windows
+ value: true
+- caption: Force Windows Native Messaging Hosts to launch via cmd.exe
+ value: false
+- caption: Allows $1Google Chrome to decide which approach to use
+ value: null
+owners:
+- file://components/policy/OWNERS
+- gesanc@microsoft.com
+schema:
+ type: boolean
+supported_on:
+- chrome.win:120-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeMessagingBlacklist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeMessagingBlacklist.yaml
new file mode 100755
index 000000000..90a6aba6c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeMessagingBlacklist.yaml
@@ -0,0 +1,21 @@
+caption: Configure native messaging blocklist
+deprecated: true
+desc: This policy is deprecated and unsupported, please use the 'NativeMessagingBlocklist' policy instead.
+example_value:
+- com.native.messaging.host.name1
+- com.native.messaging.host.name2
+features:
+ dynamic_refresh: true
+ per_profile: true
+label: Names of the forbidden native messaging hosts (or * for all)
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:34-100
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeMessagingWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeMessagingWhitelist.yaml
new file mode 100755
index 000000000..95f38d5ba
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeMessagingWhitelist.yaml
@@ -0,0 +1,21 @@
+caption: Configure native messaging allowlist
+deprecated: true
+desc: This policy is deprecated and unsupported, please use the 'NativeMessagingAllowlist' policy instead.
+example_value:
+- com.native.messaging.host.name1
+- com.native.messaging.host.name2
+features:
+ dynamic_refresh: true
+ per_profile: true
+label: Names of the native messaging hosts to exempt from the blocklist
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:34-100
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativePrintersBulkBlacklist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativePrintersBulkBlacklist.yaml
new file mode 100755
index 000000000..039e5a245
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativePrintersBulkBlacklist.yaml
@@ -0,0 +1,25 @@
+caption: Disabled enterprise printers
+deprecated: true
+desc: |-
+ If BlacklistRestriction is chosen for NativePrintersBulkAccessMode, then setting NativePrintersBulkBlacklist specifies which printers users can't use. All printers are provided to the user, except for the IDs listed in this policy. The IDs must correspond to the "id" or "guid" fields in the file specified in NativePrintersBulkConfiguration.
+
+ This policy is deprecated, please use PrintersBulkBlocklist instead.
+example_value:
+- id1
+- id2
+- id3
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://chromeos/printing/OWNERS
+- thestig@chromium.org
+- skau@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:65-100
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativePrintersBulkWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativePrintersBulkWhitelist.yaml
new file mode 100755
index 000000000..d72041337
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativePrintersBulkWhitelist.yaml
@@ -0,0 +1,25 @@
+caption: Enabled enterprise printers
+deprecated: true
+desc: |-
+ If WhitelistPrintersOnly is chosen for NativePrintersBulkAccessMode, then setting NativePrintersBulkWhitelist specifies which printers users can use. Only the printers with IDs matching the values in this policy are available to the user. The IDs must correspond to the "id" or "guid" fields in the file specified in NativePrintersBulkConfiguration.
+
+ This policy is deprecated, please use PrintersBulkAllowlist instead.
+example_value:
+- id1
+- id2
+- id3
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://chromeos/printing/OWNERS
+- thestig@chromium.org
+- skau@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:65-100
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeWindowOcclusionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeWindowOcclusionEnabled.yaml
new file mode 100755
index 000000000..094edeba4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NativeWindowOcclusionEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Enable Native Window Occlusion
+deprecated: true
+desc: |-
+ This policy is deprecated, please use the 'WindowOcclusionEnabled' policy instead.
+
+ Enables native window occlusion in $1Google Chrome.
+
+ If you enable this setting, to reduce CPU and power consumption $1Google Chrome will detect when a window is covered by other windows, and will suspend work painting pixels.
+
+ If you disable this setting $1Google Chrome will not detect when a window is covered by other windows.
+
+ If this policy is left not set, occlusion detection will be enabled.
+example_value: true
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Detect covered window and suspend its painting
+ value: true
+- caption: Do not detect covered window
+ value: false
+owners:
+- file://components/policy/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.win:84-100
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NearbyShareAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NearbyShareAllowed.yaml
new file mode 100755
index 000000000..ddea78b3a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NearbyShareAllowed.yaml
@@ -0,0 +1,29 @@
+caption: Allow Nearby Share to be enabled.
+default_for_enterprise_users: false
+desc: |-
+ If this setting is enabled, users will be allowed to opt in to Nearby Share, which allows them to send and receive files from people closeby.
+
+ If this setting is disabled, users will not be allowed to opt in to Nearby Share.
+
+ If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow users to enable Nearby Share
+ value: true
+- caption: Prevent users from enabling Nearby Share
+ value: false
+owners:
+- danlee@google.com
+- hansberry@chromium.org
+- better-together-dev@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:91-
+tags:
+- local-data-access
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NetworkPredictionOptions.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NetworkPredictionOptions.yaml
new file mode 100755
index 000000000..bac0412ca
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NetworkPredictionOptions.yaml
@@ -0,0 +1,39 @@
+caption: Enable network prediction
+desc: |-
+ This policy controls network prediction in $1Google Chrome. It controls DNS prefetching, TCP, and SSL preconnection and prerendering of webpages.
+
+ If you set the policy, users can't change it. Leaving it unset turns on network prediction, but the user can change it.
+example_value: 1
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Predict network actions on any network connection
+ name: NetworkPredictionAlways
+ value: 0
+- caption: |-
+ Predict network actions on any network that is not cellular.
+ (Deprecated in 50, removed in 52. After 52, if value 1 is set, it will be treated as 0 - predict network actions on any network connection.)
+ name: NetworkPredictionWifiOnly
+ value: 1
+- caption: Do not predict network actions on any network connection
+ name: NetworkPredictionNever
+ value: 2
+owners:
+- file://components/policy/OWNERS
+- poromov@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:38-
+- chrome_os:38-
+- android:38-
+tags: []
+type: int-enum
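Review bot: `example_value: 1` selects NetworkPredictionWifiOnly, which the item caption in this same file says was deprecated in 50 and is treated as 0 (predict on any network connection) after 52. An administrator who copies the example therefore gets prediction always on, including the DNS prefetching and preconnection the description lists, rather than a restricted mode. The sample should use a value that still means what it says, for instance `example_value: 2` where the intent is to keep prediction off. The file appears to be mirrored from upstream, so this is a point to raise there rather than patch in this tree.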
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NetworkServiceSandboxEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NetworkServiceSandboxEnabled.yaml
new file mode 100755
index 000000000..ba95b9637
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NetworkServiceSandboxEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Enable the network service sandbox
+desc: |-
+ This policy controls whether or not the network service process runs sandboxed.
+ If this policy is enabled, the network service process will run sandboxed.
+ If this policy is disabled, the network service process will run unsandboxed. This leaves users open to additional security risks related to running the network service unsandboxed.
+ If this policy is not set, the default configuration for the network sandbox will be used. This may vary depending on $1Google Chrome release, currently running field trials, and platform.
+ This policy is intended to give enterprises flexibility to disable the network sandbox if they use third party software that interferes with the network service sandbox.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Enable the network service sandbox
+ value: true
+- caption: Disable the network service sandbox
+ value: false
+owners:
+- wfh@chromium.org
+- file://services/network/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.win:96-
+- chrome.linux:117-
+tags:
+- system-security
+type: main
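Review bot: The unset state is not recorded in the template: there is no `default:` key and `items` lists only `true` and `false`, although the description says an unset policy uses a default that varies by release, field trial and platform. Other three-state policies in this commit, such as NativeHostsExecutablesLaunchDirectly, carry `default: null` and a `value: null` item, which keeps the third state visible to anyone auditing the generated templates. For a policy tagged `system-security` I would add the same here, e.g. `default: null` plus an item `- caption: Use the default network service sandbox configuration` with `value: null`. The `desc` could also state that, with `dynamic_refresh: false`, a change presumably takes effect only after the browser restarts.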
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NewBaseUrlInheritanceBehaviorAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NewBaseUrlInheritanceBehaviorAllowed.yaml
new file mode 100755
index 000000000..31f9955fb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NewBaseUrlInheritanceBehaviorAllowed.yaml
@@ -0,0 +1,33 @@
+caption: Allows enabling the feature NewBaseUrlInheritanceBehavior
+deprecated: true
+owners:
+- wjmaclean@chromium.org
+- creis@chromium.org
+- domenic@chromium.org
+desc: |-
+ NewBaseUrlInheritanceBehavior is a $1Google Chrome feature that causes about:blank and about:srcdoc frames to consistently inherit their base url values via snapshots of their initiator's base url. For more details, refer to https://chromestatus.com/feature/5161101671530496.
+
+ When the policy is set to disabled, it prevents users or $1Google Chrome variations from enabling NewBaseUrlInheritanceBehavior, in case compatibility issues are discovered. When the policy is set to enabled or not set, it allows enabling NewBaseUrlInheritanceBehavior.
+future_on:
+- fuchsia
+supported_on:
+- android:110-124
+- chrome.*:110-124
+- chrome_os:110-124
+features:
+ dynamic_refresh: true
+ per_profile: false
+type: main
+schema:
+ type: boolean
+items:
+- caption:
+ NewBaseUrlInheritanceBehavior feature available
+ value: true
+- caption:
+ NewBaseUrlInheritanceBehavior feature disabled
+ value: false
+default: true
+example_value: true
+tags: []
+
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NoteTakingAppsLockScreenAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NoteTakingAppsLockScreenAllowlist.yaml
new file mode 100755
index 000000000..3a463f903
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NoteTakingAppsLockScreenAllowlist.yaml
@@ -0,0 +1,25 @@
+caption: The list of note-taking apps allowed on the $2Google
+ ChromeOS lock screen
+desc: |-
+ Setting the policy specifies the apps that users can turn on as a note-taking app on the $2Google ChromeOS lock screen.
+
+ If the preferred app is on the lock screen, a UI element for launching the preferred note-taking app appears on the screen. When launched, the app can create a window on top of the lock screen and create notes in this context. The app can import created notes to the primary user session, when the session is unlocked. Only $1Google Chrome note-taking apps are supported on the lock screen.
+
+ Setting the policy means users can turn on an app on the lock screen if the app's extension ID is in the policy list value. So, setting it to an empty list will turn off note-taking on the lock screen. The policy with an app ID doesn't necessarily mean that users can turn the app on as a note-taking app on the lock screen. For example, on $1Google Chrome 61, the set of available apps is also restricted by the platform.
+
+ Leaving the policy unset amounts to no restrictions on the set of apps users can enable on the lock screen imposed by the policy.
+example_value:
+- abcdefghabcdefghabcdefghabcdefgh
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- tbarzic@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:86-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NoteTakingAppsLockScreenWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NoteTakingAppsLockScreenWhitelist.yaml
new file mode 100755
index 000000000..6f590c5cb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/NoteTakingAppsLockScreenWhitelist.yaml
@@ -0,0 +1,19 @@
+caption: Allowlist note-taking apps allowed on the $2Google
+ ChromeOS lock screen
+deprecated: true
+desc: This policy is deprecated and unsupported, please use NoteTakingAppsLockScreenAllowlist instead.
+example_value:
+- abcdefghabcdefghabcdefghabcdefgh
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- tbarzic@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:61-100
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OffsetParentNewSpecBehaviorEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OffsetParentNewSpecBehaviorEnabled.yaml
new file mode 100755
index 000000000..fd281c05b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OffsetParentNewSpecBehaviorEnabled.yaml
@@ -0,0 +1,38 @@
+caption: Control the new behavior of HTMLElement.offsetParent
+default: null
+deprecated: true
+desc: |2-
+ The HTMLElement.offsetParent API is being changed in $1Google Chrome in order to comply with changes that have been made in Firefox and Safari. This policy brings back the old behavior until M120.
+
+ The new behavior may break some $1Google Chrome-only websites which use HTMLElement.offsetParent, HTMLElement.offsetTop, or HTMLElement.offsetLeft in conjunction with Shadow DOM.
+
+ Here are some polyfills which bring back the old behavior to help migrate https://github.com/josepharhar/offsetparent-polyfills
+
+ If this policy is enabled, then the new behavior will be used.
+
+ If this policy is disabled, then the old behavior will be used.
+
+ If this policy is not set, then the new behavior will be used just like the rest of chromium users.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: New offsetParent behavior will be used.
+ value: true
+- caption: Old offsetParent behavior will be used.
+ value: false
+- caption: New offsetParent behavior will be used by default.
+ value: null
+owners:
+- jarhar@chromium.org
+- masonf@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:109-120
+- chrome_os:109-120
+- android:109-120
+- webview_android:109-120
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnBulkDataEntryEnterpriseConnector.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnBulkDataEntryEnterpriseConnector.yaml
new file mode 100755
index 000000000..99443519d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnBulkDataEntryEnterpriseConnector.yaml
@@ -0,0 +1,157 @@
+caption: Configuration policy for the OnBulkDataEntry Chrome Enterprise Connector
+desc: |-
+ List of Chrome Enterprise Connectors services settings to be applied to the OnBulkDataEntry Enterprise Connector, which triggers when data is entered in Chrome from the clipboard or by drag and dropping web content.
+
+ The url_list, tags, enable and disable fields are used to determine if the connector should send data for analysis when it is entered in a specific page and what tags to include in the analysis request for that data. A tag corresponding to an 'enable' pattern will be included in the analysis request if the page URL matches a pattern associated to that tag as long as no 'disable' pattern with that same tag matches the page URL. The analysis occurs if at least 1 tag is to be included in the request.
+
+ The service_provider field identifies which analysis service provider the settings correspond to.
+
+ The block_until_verdict field being set to 1 means Chrome will wait to get a response from the analysis service before giving the page access to the data. Any other integer value means Chrome gives the page access to the data immediately.
+
+ The default_action field being set to block means Chrome will not give the page access to the data if an error occurs while communicating with the analysis service. Any other value means Chrome gives the page access to the data.
+
+ The minimum_data_size field indicates the minimum size (in bytes) data entered in Chrome must equal or surpass to be scanned. The default value is 100 bytes if the field is unset.
+
+ The require_justification_tags field is used to determine for which tags the connector should require the user to enter a justification to bypass a scan that results in a bypassable warning. If the field is not set, it's assumed that a justification is not required.
+
+ The custom_messages, message, learn_more_url, language and tag fields are used to configure a message to show the user when a warning is shown after a scan had a non-clean verdict. The message field contains the text to show the user and should have at most 200 characters. The learn_more_url field contains an admin-provided URL that will be clickable by the user to get more customer-provided information about why the action was blocked. The language field is optional and contains the language of the message. An empty language field or a value of 'default' indicates a message to be used when the user's language doesn't have a message. The tag field specifies for which type of scans the message is displayed. The custom_messages list can have zero or more entries, where each entry is required to have non-empty message and tag fields.
+
+ This policy requires additional setup to take effect, please visit https://support.google.com/chrome/a?p=chrome_enterprise_connector_policies_setting for more information.
+example_value:
+- block_until_verdict: 0
+ default_action: allow
+ custom_messages:
+ - language: default
+ learn_more_url: moreinfo.example.com
+ message: Custom message for potential sensitive data leaks.
+ tag: dlp
+ - language: en-US
+ learn_more_url: moreinfo.example.com/en
+ message: Custom message for potential malware file transfer.
+ tag: malware
+ - language: fr-CA
+ learn_more_url: moreinfo.example.com/fr
+ message: Message pour le transfert de logiciel malveillant.
+ tag: malware
+ disable:
+ - tags:
+ - malware
+ url_list:
+ - '*.us.com'
+ enable:
+ - tags:
+ - malware
+ url_list:
+ - '*'
+ - tags:
+ - dlp
+ url_list:
+ - '*.them.com'
+ - '*.others.com'
+ minimum_data_size: 100
+ require_justification_tags:
+ - malware
+ - dlp
+ service_provider: google
+ verification:
+ linux:
+ - key
+ mac:
+ - key
+ windows:
+ - key
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- dpr-eng@google.com
+- domfc@chromium.org
+schema:
+ items:
+ properties:
+ block_until_verdict:
+ type: integer
+ default_action:
+ enum:
+ - allow
+ - block
+ type: string
+ custom_messages:
+ items:
+ properties:
+ language:
+ type: string
+ learn_more_url:
+ type: string
+ message:
+ type: string
+ tag:
+ type: string
+ type: object
+ type: array
+ disable:
+ items:
+ properties:
+ tags:
+ items:
+ type: string
+ type: array
+ url_list:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ enable:
+ items:
+ properties:
+ tags:
+ items:
+ type: string
+ type: array
+ url_list:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ minimum_data_size:
+ minimum: 0
+ type: integer
+ require_justification_tags:
+ items:
+ type: string
+ type: array
+ service_provider:
+ enum:
+ - google
+ - local_user_agent
+ - local_system_agent
+ - brcm_chrm_cas
+ - trellix
+ type: string
+ verification:
+ properties:
+ linux:
+ items:
+ type: string
+ type: array
+ mac:
+ items:
+ type: string
+ type: array
+ windows:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+supported_on:
+- chrome.*:84-
+- chrome_os:84-
+tags: []
+type: dict
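Review bot: The schema is looser than the description it ships with. `block_until_verdict` is `type: integer` with no `enum`, and the description says only 1 makes Chrome wait for the verdict, so a mistyped value silently gives the page the data immediately. `custom_messages` entries are described as requiring non-empty `message` and `tag`, yet the item schema has no `required` list. Suggested tightening, if existing deployments allow it: `enum: [0, 1]` under `block_until_verdict` and `required: [message, tag]` on the `custom_messages` item. The example pairs `block_until_verdict: 0` with `default_action: allow`, which per the description is non-blocking and allows the data on an analysis error; the description should say that next to the example, since the example is what gets copied.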
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnFileAttachedEnterpriseConnector.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnFileAttachedEnterpriseConnector.yaml
new file mode 100755
index 000000000..1db4702e2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnFileAttachedEnterpriseConnector.yaml
@@ -0,0 +1,161 @@
+caption: Configuration policy for the OnFileAttached Chrome Enterprise Connector
+desc: |-
+ List of Chrome Enterprise Connectors services settings to be applied to the OnFileAttached Enterprise Connector, which triggers when a file is attached to Chrome.
+
+ The url_list, tags, enable and disable fields are used to determine if the connector should send a file for analysis when it is attached to a specific page and what tags to include in the analysis request for that file. A tag corresponding to an 'enable' pattern will be included in the analysis request if the page URL matches a pattern associated to that tag as long as no 'disable' pattern with that same tag matches the page URL. The analysis occurs if at least 1 tag is to be included in the request.
+
+ The service_provider field identifies which analysis service provider the settings correspond to.
+
+ The block_until_verdict field being set to 1 means Chrome will wait to get a response from the analysis service before giving the page access to the file. Any other integer value means Chrome gives the page access to the file immediately.
+
+ The default_action field being set to block means Chrome will not give the page access to the file if an error occurs while communicating with the analysis service. Any other value means Chrome gives the page access to the file.
+
+ The block_password_protected field controls whether Chrome blocks or allows files that are password protected.
+
+ The block_large_files fields controls whether Chrome blocks or allows files that are too large to be analyzed.
+
+ The require_justification_tags field is used to determine for which tags the connector should require the user to enter a justification to bypass a scan that results in a bypassable warning. If the field is not set, it's assumed that a justification is not required.
+
+ The custom_messages, message, learn_more_url, language and tag fields are used to configure a message to show the user when a warning is shown after a scan had a non-clean verdict. The message field contains the text to show the user and should have at most 200 characters. The learn_more_url field contains an admin-provided URL that will be clickable by the user to get more customer-provided information about why the action was blocked. The language field is optional and contains the language of the message. An empty language field or a value of 'default' indicates a message to be used when the user's language doesn't have a message. The tag field specifies for which type of scans the message is displayed. The custom_messages list can have zero or more entries, where each entry is required to have non-empty message and tag fields.
+
+ This policy requires additional setup to take effect, please visit https://support.google.com/chrome/a?p=chrome_enterprise_connector_policies_setting for more information.
+example_value:
+- block_large_files: false
+ block_password_protected: true
+ block_until_verdict: 0
+ default_action: allow
+ custom_messages:
+ - language: default
+ learn_more_url: moreinfo.example.com
+ message: Custom message for potential sensitive data leaks.
+ tag: dlp
+ - language: en-US
+ learn_more_url: moreinfo.example.com/en
+ message: Custom message for potential malware file transfer.
+ tag: malware
+ - language: fr-CA
+ learn_more_url: moreinfo.example.com/fr
+ message: Message pour le transfert de logiciel malveillant.
+ tag: malware
+ disable:
+ - tags:
+ - malware
+ url_list:
+ - '*.us.com'
+ enable:
+ - tags:
+ - malware
+ url_list:
+ - '*'
+ - tags:
+ - dlp
+ url_list:
+ - '*.them.com'
+ - '*.others.com'
+ require_justification_tags:
+ - malware
+ - dlp
+ service_provider: google
+ verification:
+ linux:
+ - key
+ mac:
+ - key
+ windows:
+ - key
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- dpr-eng@google.com
+- domfc@chromium.org
+schema:
+ items:
+ properties:
+ block_large_files:
+ type: boolean
+ block_password_protected:
+ type: boolean
+ block_until_verdict:
+ type: integer
+ default_action:
+ enum:
+ - allow
+ - block
+ type: string
+ custom_messages:
+ items:
+ properties:
+ language:
+ type: string
+ learn_more_url:
+ type: string
+ message:
+ type: string
+ tag:
+ type: string
+ type: object
+ type: array
+ disable:
+ items:
+ properties:
+ tags:
+ items:
+ type: string
+ type: array
+ url_list:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ enable:
+ items:
+ properties:
+ tags:
+ items:
+ type: string
+ type: array
+ url_list:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ require_justification_tags:
+ items:
+ type: string
+ type: array
+ service_provider:
+ enum:
+ - google
+ - local_user_agent
+ - local_system_agent
+ - brcm_chrm_cas
+ - trellix
+ type: string
+ verification:
+ properties:
+ linux:
+ items:
+ type: string
+ type: array
+ mac:
+ items:
+ type: string
+ type: array
+ windows:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+supported_on:
+- chrome.*:84-
+- chrome_os:84-
+tags: []
+type: dict
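Review bot: `block_until_verdict` is declared in the schema as a bare `type: integer`, while the desc says only the value 1 makes Chrome wait for a verdict and any other integer gives the page access to the file immediately. A typo such as 2 or -1 therefore validates and quietly turns the connector into a non-blocking scan. OnPrintEnterpriseConnector.yaml in this same patch already constrains the field, and the same constraint fits here: `enum: [0, 1]` next to `type: integer`. The same unconstrained field appears in OnFileDownloadedEnterpriseConnector.yaml and OnFileTransferEnterpriseConnector.yaml. Separately, the example_value uses `default_action: allow`, which fails open on analysis-service errors; the desc could say so for admins who copy the example.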
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnFileDownloadedEnterpriseConnector.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnFileDownloadedEnterpriseConnector.yaml
new file mode 100755
index 000000000..14dd0207c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnFileDownloadedEnterpriseConnector.yaml
@@ -0,0 +1,162 @@
+caption: Configuration policy for the OnFileDownloaded Chrome Enterprise Connector
+desc: |-
+ List of Chrome Enterprise Connectors services settings to be applied to the OnFileDownloaded Enterprise Connector, which triggers when a file is downloaded in Chrome.
+
+ The url_list, tags, enable and disable fields are used to determine if the connector should send a file for analysis when it is downloaded from a specific page and what tags to include in the analysis request for that file. A tag corresponding to an 'enable' pattern will be included in the analysis request if the page URL matches a pattern associated to that tag as long as no 'disable' pattern with that same tag matches the page URL. The analysis occurs if at least 1 tag is to be included in the request.
+
+ The service_provider field identifies which analysis service provider the settings correspond to.
+
+ The block_until_verdict field being set to 1 means Chrome will wait to get a response from the analysis service before giving the user access to the downloaded file. Any other integer value means Chrome gives the user access to the file immediately.
+
+ The default_action field being set to block means Chrome will not give the user access to the downloaded file if an error occurs while communicating with the analysis service. Any other value means Chrome gives the user access to the downloaded file.
+
+ The block_password_protected field controls whether Chrome blocks or allows files that are password protected.
+
+ The block_large_files fields controls whether Chrome blocks or allows files that are too large to be analyzed.
+
+ The require_justification_tags field is used to determine for which tags the connector should require the user to enter a justification to bypass a scan that results in a bypassable warning. If the field is not set, it's assumed that a justification is not required.
+
+ The custom_messages, message, learn_more_url, language and tag fields are used to configure a message to show the user when a warning is shown after a scan had a non-clean verdict. The message field contains the text to show the user and should have at most 200 characters. The learn_more_url field contains an admin-provided URL that will be clickable by the user to get more customer-provided information about why the action was blocked. The language field is optional and contains the language of the message. An empty language field or a value of 'default' indicates a message to be used when the user's language doesn't have a message. The tag field specifies for which type of scans the message is displayed. The custom_messages list can have zero or more entries, where each entry is required to have non-empty message and tag fields.
+
+ This policy requires additional setup to take effect, please visit https://support.google.com/chrome/a?p=chrome_enterprise_connector_policies_setting for more information.
+example_value:
+- block_large_files: true
+ block_password_protected: false
+ block_until_verdict: 1
+ default_action: allow
+ custom_messages:
+ - language: default
+ learn_more_url: moreinfo.example.com
+ message: Custom message for potential sensitive data leaks.
+ tag: dlp
+ - language: en-US
+ learn_more_url: moreinfo.example.com/en
+ message: Custom message for potential malware file transfer.
+ tag: malware
+ - language: fr-CA
+ learn_more_url: moreinfo.example.com/fr
+ message: Message pour le transfert de logiciel malveillant.
+ tag: malware
+ disable:
+ - tags:
+ - malware
+ url_list:
+ - '*.us.com'
+ enable:
+ - tags:
+ - malware
+ url_list:
+ - '*'
+ - tags:
+ - dlp
+ url_list:
+ - '*.them.com'
+ - '*.others.com'
+ require_justification_tags:
+ - malware
+ - dlp
+ service_provider: google
+ verification:
+ linux:
+ - key
+ mac:
+ - key
+ windows:
+ - key
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- dpr-eng@google.com
+- drubery@chromium.org
+- domfc@chromium.org
+schema:
+ items:
+ properties:
+ block_large_files:
+ type: boolean
+ block_password_protected:
+ type: boolean
+ block_until_verdict:
+ type: integer
+ default_action:
+ enum:
+ - allow
+ - block
+ type: string
+ custom_messages:
+ items:
+ properties:
+ language:
+ type: string
+ learn_more_url:
+ type: string
+ message:
+ type: string
+ tag:
+ type: string
+ type: object
+ type: array
+ disable:
+ items:
+ properties:
+ tags:
+ items:
+ type: string
+ type: array
+ url_list:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ enable:
+ items:
+ properties:
+ tags:
+ items:
+ type: string
+ type: array
+ url_list:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ require_justification_tags:
+ items:
+ type: string
+ type: array
+ service_provider:
+ enum:
+ - google
+ - local_user_agent
+ - local_system_agent
+ - brcm_chrm_cas
+ - trellix
+ type: string
+ verification:
+ properties:
+ linux:
+ items:
+ type: string
+ type: array
+ mac:
+ items:
+ type: string
+ type: array
+ windows:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+supported_on:
+- chrome.*:84-
+- chrome_os:84-
+tags: []
+type: dict
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnFileTransferEnterpriseConnector.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnFileTransferEnterpriseConnector.yaml
new file mode 100755
index 000000000..fb54a632d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnFileTransferEnterpriseConnector.yaml
@@ -0,0 +1,115 @@
+caption: Configuration policy for the OnFileTransfer Chrome Enterprise Connector
+desc: |-
+ List of Chrome Enterprise Connectors services settings to be applied to the OnFileTransfer Enterprise Connector, which triggers when a file is transferred within $2Google ChromeOS.
+
+ The source_destination_list, tags, enable and disable fields are used to determine if the connector should send a file for analysis when it is transferred between a source and a destination and what tags to include in the analysis request for that file. A tag corresponding to an 'enable' rule will be included in the analysis request if the source and destination match the rule associated to that tag as long as no 'disable' rule with that same tag matches the transfer. The analysis occurs if at least 1 tag is to be included in the request. A source_destination_list rule is defined by a list of pairs, where each pair contains a list of sources and a list of destinations. The file_system_type defines for which file system a rule should apply.
+
+ The service_provider field identifies which analysis service provider the settings correspond to.
+
+ The block_until_verdict field being set to 1 means $2Google ChromeOS will wait to get a response from the analysis service before allowing the transfer. Any other integer value means $2Google ChromeOS allows the transfer immediately.
+
+ The default_action field being set to block means $2Google ChromeOS will not allow users to transfer the file if an error occurs while communicating with the analysis service. Any other value means $2Google ChromeOS allows transfers of the file if an error occurs while communicating with the analysis service.
+
+ The block_password_protected field controls whether $2Google ChromeOS blocks or allows files that are password protected.
+
+ The block_large_files fields controls whether $2Google ChromeOS blocks or allows files that are too large to be analyzed.
+
+ The require_justification_tags field is used to determine for which tags the connector should require the user to enter a justification to bypass a scan that results in a bypassable warning. If the field is not set, it's assumed that a justification is not required.
+
+ The custom_messages, message, learn_more_url, language and tag fields are used to configure a message to show the user when a warning is shown after a scan had a non-clean verdict. The message field contains the text to show the user and should have at most 200 characters. The learn_more_url field contains an admin-provided URL that will be clickable by the user to get more customer-provided information about why the action was blocked. The language field is optional and contains the language of the message. An empty language field or a value of 'default' indicates a message to be used when the user's language doesn't have a message. The tag field specifies for which type of scans the message is displayed. The custom_messages list can have zero or more entries, where each entry is required to have non-empty message and tag fields.
+
+ This policy requires additional setup to take effect, please visit https://support.google.com/chrome/a?p=chrome_enterprise_connector_policies_setting for more information.
+example_value:
+- block_large_files: false
+ block_password_protected: true
+ block_until_verdict: 0
+ default_action: allow
+ custom_messages:
+ - language: default
+ learn_more_url: moreinfo.example.com
+ message: Custom message for potential sensitive data leaks.
+ tag: dlp
+ - language: fr-CA
+ learn_more_url: moreinfo.example.com/fr
+ message: Message pour une fuite de données potentielle.
+ tag: dlp
+ disable:
+ - source_destination_list:
+ - destinations:
+ - file_system_type: ARC
+ - file_system_type: SMB
+ - file_system_type: MY_FILES
+ sources:
+ - file_system_type: '*'
+ tags:
+ - dlp
+ enable:
+ - source_destination_list:
+ - destinations:
+ - file_system_type: MY_FILES
+ sources:
+ - file_system_type: '*'
+ tags:
+ - malware
+ - source_destination_list:
+ - destinations:
+ - file_system_type: '*'
+ sources:
+ - file_system_type: MY_FILES
+ - file_system_type: SMB
+ tags:
+ - dlp
+ require_justification_tags:
+ - dlp
+ service_provider: Google
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- dpr-eng@google.com
+- sseckler@google.com
+- domfc@chromium.org
+schema:
+ items:
+ properties:
+ block_large_files:
+ type: boolean
+ block_password_protected:
+ type: boolean
+ block_until_verdict:
+ type: integer
+ default_action:
+ enum:
+ - allow
+ - block
+ type: string
+ custom_messages:
+ items:
+ properties:
+ language:
+ type: string
+ learn_more_url:
+ type: string
+ message:
+ type: string
+ tag:
+ type: string
+ type: object
+ type: array
+ disable:
+ $ref: file_transfer_enable_disable_schema
+ enable:
+ $ref: file_transfer_enable_disable_schema
+ require_justification_tags:
+ items:
+ type: string
+ type: array
+ service_provider:
+ type: string
+ type: object
+ type: array
+supported_on:
+- chrome_os:108-
+tags: []
+type: dict
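Review bot: The example_value sets `service_provider: Google` with a capital G, whereas the sibling connector policies in this patch use lowercase `google` and restrict the field with an enum; here the schema is only `type: string`. Whether the consumer compares case-sensitively is not visible in this hunk, but an example that differs from the identifier used elsewhere invites a configuration that matches no provider and performs no analysis. I would change the example to `service_provider: google` and add an `enum:` of the providers this connector accepts, or list the accepted values in the desc.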
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnPrintEnterpriseConnector.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnPrintEnterpriseConnector.yaml
new file mode 100755
index 000000000..29b671267
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnPrintEnterpriseConnector.yaml
@@ -0,0 +1,151 @@
+caption: Configuration policy for the OnPrint $1Google
+ Chrome Enterprise Connector
+desc: |-
+ List of $1Google Chrome Enterprise Connectors services settings to be applied to the OnPrint Enterprise Connector, which triggers when a page or file is printed from $1Google Chrome.
+
+ The url_list, tags, enable and disable fields are used to determine if the connector should send data for analysis when printing is triggered on a specific page and what tags to include in the analysis request. The analysis occurs if at least 1 tag is to be included in the request.
+
+ The service_provider field identifies which analysis service provider the settings correspond to.
+
+ The block_until_verdict field being set to 1 means $1Google Chrome will wait to get a response from the analysis service before allowing the print preview dialog to be shown for the printed page. Any other integer value means $1Google Chrome shows the print preview dialog immediately.
+
+ The default_action field being set to block means $1Google Chrome will block the page from printing if an error occurs while communicating with the analysis service. Any other value means $1Google Chrome allows the page to be printed.
+
+ The block_large_files fields controls whether $1Google Chrome blocks or allows files/pages that are too large to be analyzed.
+
+ The require_justification_tags field is used to determine for which tags the connector should require the user to enter a justification to bypass a scan that results in a bypassable warning. If the field is not set, it's assumed that a justification is not required.
+
+ The custom_messages, message, learn_more_url, language and tag fields are used to configure a message to show the user when a warning is shown after a scan had a non-clean verdict. The administrator is able to configure messages of up to 200 characters.
+
+ This policy requires additional setup to take effect, please visit https://support.google.com/chrome/a?p=chrome_enterprise_connector_policies_setting for more information.
+example_value:
+- block_large_files: true
+ block_until_verdict: 0
+ default_action: allow
+ custom_messages:
+ - language: default
+ learn_more_url: moreinfo.example.com
+ message: Custom message for potential sensitive data leaks.
+ tag: dlp
+ - language: fr-CA
+ learn_more_url: moreinfo.example.com/fr
+ message: Message pour une fuite de données potentielle.
+ tag: dlp
+ disable:
+ - tags:
+ - dlp
+ url_list:
+ - '*.us.com'
+ enable:
+ - tags:
+ - dlp
+ url_list:
+ - '*.them.com'
+ - '*.others.com'
+ require_justification_tags:
+ - dlp
+ service_provider: google
+ verification:
+ linux:
+ - key
+ mac:
+ - key
+ windows:
+ - key
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://chrome/browser/enterprise/connectors/OWNERS
+- domfc@chromium.org
+schema:
+ items:
+ properties:
+ block_large_files:
+ type: boolean
+ block_until_verdict:
+ enum:
+ - 0
+ - 1
+ type: integer
+ default_action:
+ enum:
+ - allow
+ - block
+ type: string
+ custom_messages:
+ items:
+ properties:
+ language:
+ type: string
+ learn_more_url:
+ type: string
+ message:
+ type: string
+ tag:
+ type: string
+ type: object
+ type: array
+ disable:
+ items:
+ properties:
+ tags:
+ items:
+ type: string
+ type: array
+ url_list:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ enable:
+ items:
+ properties:
+ tags:
+ items:
+ type: string
+ type: array
+ url_list:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ require_justification_tags:
+ items:
+ type: string
+ type: array
+ service_provider:
+ enum:
+ - google
+ - local_user_agent
+ - local_system_agent
+ - brcm_chrm_cas
+ - trellix
+ type: string
+ verification:
+ properties:
+ linux:
+ items:
+ type: string
+ type: array
+ mac:
+ items:
+ type: string
+ type: array
+ windows:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+supported_on:
+- chrome.*:106-
+- chrome_os:106-
+tags: []
+type: dict
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnSecurityEventEnterpriseConnector.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnSecurityEventEnterpriseConnector.yaml
new file mode 100755
index 000000000..5f41b7608
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OnSecurityEventEnterpriseConnector.yaml
@@ -0,0 +1,58 @@
+caption: Configuration policy for the OnSecurityEvent Chrome Enterprise Connector
+desc: |-
+ List of Chrome Enterprise Connectors services settings to be applied to the OnSecurityEvent Enterprise Connector, which triggers when a security event occurs in Chrome. This includes negative verdicts from analysis Enterprise Connectors, password reuse, navigations to unsafe pages and other security sensitive user actions.
+
+ The service_provider field identifies which reporting service provider the settings correspond to and the enabled_event_names field identifies which events are enabled for this provider.
+
+ This policy requires additional setup to take effect, please visit https://support.google.com/chrome/a?p=chrome_enterprise_connector_policies_setting for more information.
+example_value:
+- enabled_event_names:
+ - passwordChangedEvent
+ - sensitiveDataEvent
+ enabled_opt_in_events:
+ - name: loginEvent
+ url_patterns:
+ - '*'
+ - name: passwordBreachEvent
+ url_patterns:
+ - example.com
+ - other.example.com
+ service_provider: google
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- dpr-eng@google.com
+- domfc@chromium.org
+schema:
+ items:
+ properties:
+ enabled_event_names:
+ items:
+ type: string
+ type: array
+ enabled_opt_in_events:
+ items:
+ properties:
+ name:
+ type: string
+ url_patterns:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ service_provider:
+ enum:
+ - google
+ type: string
+ type: object
+ type: array
+supported_on:
+- chrome.*:84-
+- chrome_os:84-
+tags: []
+type: dict
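Review bot: The desc documents service_provider and enabled_event_names but never mentions `enabled_opt_in_events`, although the schema defines it with `name` and `url_patterns` and the example_value uses it with a `'*'` pattern. An admin reading only the description cannot tell that loginEvent and passwordBreachEvent reporting is scoped by URL pattern, or what omitting the field means. I would add a sentence to the desc along the lines of `The enabled_opt_in_events field lists opt-in events by name, each with the url_patterns for which the event is reported.` The exact matching semantics are not visible here and should be confirmed against the implementation before wording it.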
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OpenNetworkConfiguration.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OpenNetworkConfiguration.yaml
new file mode 100755
index 000000000..386a752ab
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OpenNetworkConfiguration.yaml
@@ -0,0 +1,24 @@
+arc_support: Android apps can use the network configurations and CA certificates set
+ via this policy, but do not have access to some configuration options.
+caption: User-level network configuration
+desc: Setting the policy allows pushing network configuration per-user for each $1Google Chrome device. The network configuration
+ is a JSON-formatted string, as defined by the Open Network Configuration format.
+example_value: '{ "NetworkConfigurations": [ { "GUID": "{4b224dfd-6849-7a63-5e394343244ae9c9}",
+ "Name": "my WiFi", "Type": "WiFi", "WiFi": { "SSID": "my WiFi", "HiddenSSID": false,
+ "Security": "None", "AutoConnect": true } } ] }'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- acostinas@google.com
+- miersh@google.com
+- file://components/policy/OWNERS
+schema:
+ type: string
+supported_on:
+- chrome_os:16-
+tags:
+- full-admin-access
+type: string
+url_schema: https://chromium.googlesource.com/chromium/src/+/HEAD/components/onc/docs/onc_spec.md
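Review bot: The example_value configures a WiFi network with `"Security": "None"` together with `"AutoConnect": true`. Copied as-is, that makes managed devices join an unauthenticated network automatically. The example would be a safer template with `"AutoConnect": false`, or the desc could state that the sample describes an open network and is for illustration only. The GUID in the example also lacks the usual 8-4-4-4-12 grouping, which matters if the value is meant to be copyable.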
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OptimizationGuideFetchingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OptimizationGuideFetchingEnabled.yaml
new file mode 100755
index 000000000..3a5ff3472
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OptimizationGuideFetchingEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable Optimization Guide Fetching
+default: true
+deprecated: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset will enable the fetching of page load metadata and machine learning models that enhance the browsing experience.
+ Setting the policy to Disabled may cause some features to not work appropriately.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Enable fetching of page load metadata and machine learning models to enhance
+ the browsing experience
+ value: true
+- caption: Disable fetching of page load metadata and machine learning models that
+ enhance the browsing experience
+ value: false
+owners:
+- file://components/optimization_guide/OWNERS
+- sophiechang@chromium.org
+schema:
+ type: boolean
+supported_on:
+- android:101-103
+- chrome.*:101-103
+- chrome_os:101-103
+- ios:101-103
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OrcaEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OrcaEnabled.yaml
new file mode 100755
index 000000000..6816b9969
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OrcaEnabled.yaml
@@ -0,0 +1,33 @@
+caption: Control the enablement of ChromeOS "Help me write" feature
+desc: |-
+ This policy enables or disables "Help me write" for ChromeOS.
+
+ If this policy is set to Enabled, "Help me write" will be enabled.
+
+ If this policy is set to Disabled, "Help me write" will be disabled.
+
+ If this policy is set to Unset, "Help me write" will be enabled on non-managed devices and disabled for enterprise-managed devices.
+
+example_value: false
+default: true
+default_for_enterprise_users: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- curtismcmullan@chromium.org
+- mehrab@chromium.org
+- hdchuong@chromium.org
+- essential-inputs-team@google.com
+items:
+- caption: Enable Orca
+ value: true
+- caption: Disable Orca
+ value: false
+schema:
+ type: boolean
+supported_on:
+- chrome_os:124-
+tags: []
+type: main
+
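Review bot: The `items` captions read `Enable Orca` and `Disable Orca`, while the caption and desc call the feature "Help me write"; Orca looks like an internal name that an admin will not recognise in the policy UI. I would write them as `caption: Enable "Help me write"` and `caption: Disable "Help me write"`. The desc phrase `set to Unset` would also read better as `left unset`, and the empty line at the end of the file can be dropped.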
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OriginAgentClusterDefaultEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OriginAgentClusterDefaultEnabled.yaml
new file mode 100755
index 000000000..c608e786e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OriginAgentClusterDefaultEnabled.yaml
@@ -0,0 +1,48 @@
+caption: Allows origin-keyed agent clustering by default.
+default: true
+desc: |-
+ This policy allows origin-keyed agent clustering by default.
+
+ The Origin-Agent-Cluster HTTP header controls whether a document is
+ isolated in an origin-keyed agent cluster, or in a site-keyed agent
+ cluster. This has security implications since an origin-keyed agent
+ cluster allows isolating documents by origin. The developer-visible
+ consequence of this is that the document.domain accessor can no longer
+ be set.
+
+ The default behaviour - when no Origin-Agent-Cluster header has been set -
+ changes in M111 from site-keyed to origin-keyed.
+
+ If this policy is enabled or not set, the browser will follow this
+ new default from that version on.
+
+ If this policy is disabled this change is reversed and
+ documents without Origin-Agent-Cluster headers will be assigned to
+ site-keyed agent clusters. As a consequence, the document.domain accessor
+ remains settable by default. This matches the legacy behaviour.
+
+ See https://developer.chrome.com/blog/immutable-document-domain/ for
+ additional details.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: By default, documents may be put in origin-keyed agent clusters. document.domain
+ is not settable for such documents.
+ value: true
+- caption: By default, documents are put in site-keyed agent clusters. document.domain
+ remains settable.
+ value: false
+owners:
+- vogelheim@chromium.org
+- chrome-security-owp-team@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:100-
+- chrome_os:100-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OsColorMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OsColorMode.yaml
new file mode 100755
index 000000000..3e52a3ffc
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OsColorMode.yaml
@@ -0,0 +1,37 @@
+caption: ChromeOS color mode
+default: light
+default_for_enterprise_users: light
+default_policy_level: recommended
+desc: |-
+ Controls the theme used to render UI during OOBE and in session (dark/light/auto).
+ The auto mode automatically switches between dark and light themes on sunrise and sunset.
+ This policy should be recommended, giving users the possibility to change the theme in system settings.
+example_value: light
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Use the Light theme
+ name: light
+ value: light
+- caption: Use the Dark theme
+ name: dark
+ value: dark
+- caption: Use the Auto mode
+ name: auto
+ value: auto
+owners:
+- jaflis@google.com
+- cros-oobe@google.com
+- chromeos-wmp@google.com
+schema:
+ enum:
+ - light
+ - dark
+ - auto
+ type: string
+supported_on:
+- chrome_os:104-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OverrideSecurityRestrictionsOnInsecureOrigin.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OverrideSecurityRestrictionsOnInsecureOrigin.yaml
new file mode 100755
index 000000000..61763e6b7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/OverrideSecurityRestrictionsOnInsecureOrigin.yaml
@@ -0,0 +1,28 @@
+caption: Origins or hostname patterns for which restrictions on insecure origins should not apply
+desc: |-
+ Setting the policy specifies a list of origins (URLs) or hostname patterns (such as *.example.com) for which security restrictions on insecure origins won't apply. Organizations can specify origins for legacy applications that can't deploy TLS or set up a staging server for internal web development, so developers can test out features requiring secure contexts without having to deploy TLS on the staging server. This policy also prevents the origin from being labeled "Not Secure" in the address bar.
+
+ Setting a list of URLs in this policy amounts to setting the command-line flag --unsafely-treat-insecure-origin-as-secure to a comma-separated list of the same URLs. The policy overrides the command-line flag and UnsafelyTreatInsecureOriginAsSecure, if present.
+
+ For more information on secure contexts, see Secure Contexts ( https://www.w3.org/TR/secure-contexts ).
+example_value:
+- http://testserver.example.com/
+- '*.example.org'
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- estark@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:69-
+- chrome_os:69-
+- android:69-
+tags:
+- system-security
+type: list
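Review bot: The `desc` lists the use cases but never states the cost: every origin or pattern named here is exempted from the restrictions on insecure origins while still being served over plaintext HTTP, and the address bar stops labelling it "Not Secure". The `example_value` also carries the wildcard `'*.example.org'`, which an administrator may copy unchanged. I would add a sentence to `desc` such as `Keep this list as narrow as possible and prefer exact origins over hostname patterns, because listed origins gain secure-context features without transport protection.` The file already carries the `system-security` tag, so the caveat fits its own classification.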
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PPAPISharedImagesForVideoDecoderAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PPAPISharedImagesForVideoDecoderAllowed.yaml
new file mode 100755
index 000000000..a2bf426b1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PPAPISharedImagesForVideoDecoderAllowed.yaml
@@ -0,0 +1,38 @@
+owners:
+- vasilyt@chromium.org
+- blundell@chromium.org
+caption: Allow Pepper to use shared images for
+ video decoding.
+desc: |-
+ This policy controls the recent refactor for VideoDecoder APIs in PPAPI plugin.
+
+ The migration only affects internal implementation details and should not
+ change any behavior. However, this policy can be used in case any PPAPI
+ applications do not work as expected.
+
+ When the policy is left unset or set to Enabled, the browser will decide which
+ implementation is used.
+ When the policy is set to Disabled, browser will use the old implementation
+ until the policy is expired.
+
+ NOTE: Only newly-started renderer processes will reflect changes to this
+ policy while the browser is running.
+
+supported_on:
+- chrome_os:119-121
+deprecated: true
+device_only: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+type: main
+schema:
+ type: boolean
+items:
+- caption: Allow new implementation
+ value: true
+- caption: Force old implementation
+ value: false
+default: true
+example_value: false
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PPAPISharedImagesSwapChainAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PPAPISharedImagesSwapChainAllowed.yaml
new file mode 100755
index 000000000..47a763178
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PPAPISharedImagesSwapChainAllowed.yaml
@@ -0,0 +1,43 @@
+owners:
+- vasilyt@chromium.org
+- blundell@chromium.org
+caption: Allow modern buffer allocation for Graphics3D APIs PPAPI plugin.
+desc: |-
+ This policy controls the recent refactor for Graphics3D APIs in PPAPI plugin.
+
+ The migration only affects internal implementation details and should not
+ change any behavior. However, this policy can be used in case any PPAPI
+ applications do not work as expected.
+
+ When the policy is left unset or set to Enabled, the browser will decide which
+ implementation is used.
+ When the policy is set to Disabled, browser will use the old implementation
+ until the policy is expired.
+
+ If you must use the policy, please file a bug on crbug.com explaining your
+ use case and CC {blundell, vasilyt}@chromium.org. The policy is scheduled to
+ be offered through $1Google Chrome
+ version 114, after which the old implementation will be removed.
+
+ NOTE: Only newly-started renderer processes will reflect changes to this
+ policy while the browser is running.
+
+supported_on:
+- chrome.*:110-114
+- chrome_os:110-114
+deprecated: true
+device_only: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+type: main
+schema:
+ type: boolean
+items:
+- caption: Allow new implementation
+ value: true
+- caption: Force old implementation
+ value: false
+default: true
+example_value: false
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PacHttpsUrlStrippingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PacHttpsUrlStrippingEnabled.yaml
new file mode 100755
index 000000000..3279b9206
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PacHttpsUrlStrippingEnabled.yaml
@@ -0,0 +1,36 @@
+caption: Enable PAC URL stripping (for https://)
+deprecated: true
+desc: |-
+ Strips privacy and security sensitive parts of https:// URLs before passing them on to PAC scripts (Proxy Auto Config) used by $1Google Chrome during proxy resolution.
+
+ When True, the security feature is enabled, and https:// URLs are
+ stripped before submitting them to a PAC script. In this manner the PAC
+ script is not able to view data that is ordinarily protected by an
+ encrypted channel (such as the URL's path and query).
+
+ When False, the security feature is disabled, and PAC scripts are
+ implicitly granted the ability to view all components of an https://
+ URL. This applies to all PAC scripts regardless of origin (including
+ those fetched over an insecure transport, or discovered insecurely
+ through WPAD).
+
+ This defaults to True (security feature enabled).
+
+ It is recommended that this be set to True. The only reason to set it to
+ False is if it causes a compatibility problem with existing PAC scripts.
+
+ The policy will be removed in M75.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- net-dev@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:52-74
+- chrome_os:52-74
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PageUpAndPageDownKeysModifier.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PageUpAndPageDownKeysModifier.yaml
new file mode 100755
index 000000000..6c283974f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PageUpAndPageDownKeysModifier.yaml
@@ -0,0 +1,38 @@
+caption: Control the shortcut used to trigger the PageUp/PageDown "six pack" keys
+default: 2
+desc: |-
+ This policy determines the behavior for remapping the PageUp/PageDown
+ keys within the 'remap keys' subpage. The 'remap keys' subpage allows users
+ to customize keyboard keys. If enabled, this policy prevents users from
+ customizing these specific remappings. If the policy is not set,
+ search-based shortcuts will act as the default and allows users to
+ configure the shortcuts.
+example_value: 0
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: PageUp/PageDown settings are disabled
+ name: None
+ value: 0
+- caption: PageUp/PageDown settings use the shortcut that contains the alt modifier
+ name: Alt
+ value: 1
+- caption: PageUp/PageDown settings use the shortcut that contains the search modifier
+ name: Search
+ value: 2
+owners:
+- michaelcheco@google.com
+- cros-peripherals@google.com
+schema:
+ # These values correspond to the `SixPackShortcutModifier` mojom enum.
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:123-
+tags: []
+type: int-enum
\ No newline at end of file
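Review bot: The `desc` says "If enabled, this policy prevents users from customizing these specific remappings", but this is an `int-enum` policy with values 0, 1 and 2, so "enabled" has no defined meaning here. `If set, this policy prevents users from customizing these specific remappings.` would match the schema. The file also ends without a trailing newline, as does PdfViewerOutOfProcessIframeEnabled.yaml later in the patch.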
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ParcelTrackingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ParcelTrackingEnabled.yaml
new file mode 100755
index 000000000..015c6f4d3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ParcelTrackingEnabled.yaml
@@ -0,0 +1,23 @@
+owners:
+- hiramahmood@google.com
+- file://ios/chrome/browser/parcel_tracking/OWNERS
+caption: Allows users to track their packages on Chrome.
+desc: |-
+ When the policy is not set or set to Enabled, users will be able to track their packages on $1Google Chrome through the New Tab Page.
+ When the policy is set to Disabled, users will not be able to track their packages on $1Google Chrome through the New Tab Page.
+supported_on:
+- ios:120-
+features:
+ dynamic_refresh: false
+ per_profile: false
+type: main
+schema:
+ type: boolean
+items:
+- caption: Allow Parcel Tracking on Chrome
+ value: true
+- caption: Do not allow Parcel Tracking on Chrome
+ value: false
+default: true
+example_value: false
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PaymentMethodQueryEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PaymentMethodQueryEnabled.yaml
new file mode 100755
index 000000000..6380e837e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PaymentMethodQueryEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Allow websites to query for available payment methods.
+desc: |-
+ Allows you to set whether websites are allowed to check if the user has payment methods saved.
+
+ If this policy is set to disabled, websites that use PaymentRequest.canMakePayment or PaymentRequest.hasEnrolledInstrument API will be informed that no payment methods are available.
+
+ If the setting is enabled or not set then websites are allowed to check if the user has payment methods saved.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow websites to check if the user has payment methods saved
+ value: true
+- caption: Always tell websites that no payment methods are saved
+ value: false
+owners:
+- file://components/payments/OWNERS
+- nburris@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:80-
+- chrome_os:80-
+- android:80-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PdfAnnotationsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PdfAnnotationsEnabled.yaml
new file mode 100755
index 000000000..80de3ee55
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PdfAnnotationsEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Enable PDF Annotations
+default: true
+desc: |-
+ Controls if the PDF viewer in $1Google Chrome can annotate PDFs.
+
+ When this policy is not set, or is set to true, then the PDF viewer will be able to annotate PDFs.
+
+ When this policy is set to false, then the PDF viewer will not be able to annotate PDFs.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: The PDF viewer can annotate PDFs
+ value: true
+- caption: The PDF viewer cannot annotate PDFs
+ value: false
+owners:
+- thestig@chromium.org
+- file://pdf/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:91-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PdfUseSkiaRendererEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PdfUseSkiaRendererEnabled.yaml
new file mode 100755
index 000000000..a6948ce71
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PdfUseSkiaRendererEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Use Skia renderer for PDF rendering
+default: null
+desc: |-
+ Controls whether the PDF viewer in $1Google Chrome uses Skia renderer.
+
+ When this policy is enabled, the PDF viewer uses Skia renderer.
+
+ When this policy is disabled, the PDF viewer uses its current AGG renderer.
+
+ When this policy is not set, the PDF renderer will be chosen by the browser.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: The PDF viewer uses Skia renderer.
+ value: true
+- caption: The PDF viewer uses AGG renderer.
+ value: false
+- caption: Use the default renderer based on the field trial config.
+ value: null
+owners:
+- nigi@chromium.org
+- file://pdf/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:115-
+- chrome_os:115-
+- fuchsia:115-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PdfViewerOutOfProcessIframeEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PdfViewerOutOfProcessIframeEnabled.yaml
new file mode 100755
index 000000000..4ebfc1132
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PdfViewerOutOfProcessIframeEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Use out-of-process iframe PDF Viewer
+default: true
+desc: |-
+ Controls whether the PDF viewer in $1Google Chrome uses an out-of-process iframe (OOPIF). This will be the new PDF viewer architecture in the future, as it is simpler and makes adding new features easier. The existing GuestView PDF viewer is an outdated, complex architecture that is being deprecated.
+
+ When this policy is set to Enabled or not set, $1Google Chrome will be able to use the OOPIF PDF viewer architecture. Once Enabled or not set, the default behavior will be decided by $1Google Chrome.
+
+ When this policy is set to Disabled, $1Google Chrome will strictly use the existing GuestView PDF viewer. It embeds a web page with a separate frame tree into another web page.
+
+ This policy will be removed in the future, after the OOPIF PDF viewer feature has fully rolled out.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- chrome_os
+items:
+- caption: PDF viewer uses the OOPIF architecture.
+ value: true
+- caption: PDF viewer uses the GuestView architecture.
+ value: false
+owners:
+- andyphan@chromium.org
+- file://pdf/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:126-
+tags: []
+type: main
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PerAppTimeLimitsWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PerAppTimeLimitsWhitelist.yaml
new file mode 100755
index 000000000..55d68daff
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PerAppTimeLimitsWhitelist.yaml
@@ -0,0 +1,46 @@
+caption: Per-App Time Limits Allowlist
+deprecated: true
+desc: This policy is deprecated and unsupported , please use PerAppTimeLimitsAllowlist instead.
+example_value:
+ app_list:
+ - app_id: pjkljhegncpnkpknbcohdijeoejaedia
+ app_type: EXTENSION
+ - app_id: iniodglblcgmngkgdipeiclkdjjpnlbn
+ app_type: BUILT-IN
+ url_list:
+ - chrome://*
+ - file://*
+ - https://www.support.google.com
+ - https://www.policies.google.com
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- yilkal@chromium.org
+- cros-families-eng@google.com
+schema:
+ properties:
+ app_list:
+ items:
+ properties:
+ app_id:
+ type: string
+ app_type:
+ enum:
+ - ARC
+ - BUILT-IN
+ - EXTENSION
+ - WEB
+ - CROSTINI
+ type: string
+ type: object
+ type: array
+ url_list:
+ items:
+ type: string
+ type: array
+ type: object
+supported_on:
+- 'chrome_os: 80-100'
+tags: []
+type: dict
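Review bot: The `supported_on` entry is written as `- 'chrome_os: 80-100'`, quoted and with a space after the colon, while the other policy files visible in this patch use the unquoted form without a space (for example `- chrome_os:106-107`). The code that consumes these files is not visible here; if it splits on `:` and parses the range strictly, this entry may be read differently from its siblings. I would write it as `- chrome_os:80-100`. Separately, `desc` has a stray space before the comma in `unsupported , please`.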
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PersistentQuotaEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PersistentQuotaEnabled.yaml
new file mode 100755
index 000000000..608ab92c3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PersistentQuotaEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Force persistent quota to be enabled
+default: false
+deprecated: true
+desc: "Starting in M106 persistent quota will no longer be supported. This policy\
+ \ will re-enable persistent quota functionality until M107.\n\n If this policy\
+ \ is set to enabled, webkitRequestFileSystem with persistent type will operate with\
+ \ persistent quota.\n\n If this policy is unset or disabled, webkitRequestFileSystem\
+ \ with persistent type will operate with temporary quota.\n "
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Enable persistent quota.
+ value: true
+- caption: Disable persistent quota.
+ value: false
+owners:
+- ayui@chromium.org
+- chrome-owp-storage@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:106-107
+- chrome_os:106-107
+- android:106-107
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubAllowed.yaml
new file mode 100755
index 000000000..ba48d9a82
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubAllowed.yaml
@@ -0,0 +1,29 @@
+caption: Allow Phone Hub to be enabled.
+default_for_enterprise_users: false
+desc: |-
+ If this setting is enabled, users will be allowed to opt in to Phone Hub, which allows them to interact with their phone on a ChromeOS device.
+
+ If this setting is disabled, users will not be allowed to opt in to Phone Hub.
+
+ If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow Phone Hub to be enabled
+ value: true
+- caption: Do not allow Phone Hub to be enabled
+ value: false
+owners:
+- khorimoto@google.com
+- danlee@google.com
+- better-together-dev@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:89-
+tags:
+- local-data-access
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubCameraRollAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubCameraRollAllowed.yaml
new file mode 100755
index 000000000..fcb9d5159
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubCameraRollAllowed.yaml
@@ -0,0 +1,32 @@
+caption: Allow recent photos and videos taken on the phone to be accessed via Phone
+ Hub.
+default: true
+desc: |-
+ If this setting is enabled, users who have already opted in to Phone Hub will be able to view and download recent photos and videos taken on their phone on ChromeOS.
+
+ If this setting is disabled, users will not be allowed to use this feature. If the PhoneHubAllowed policy is disabled, users also will not be allowed to use this feature.
+
+ If this policy is left not set, the default is allowed for both enterprise-managed users and non-managed users.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome_os:111-
+items:
+- caption: Allows users who have opted in to Phone Hub to access recent photos and
+ videos taken on their phone
+ value: true
+- caption: Disallows users who have opted in to Phone Hub to access recent photos
+ and videos taken on their phone
+ value: false
+owners:
+- jasonsun@google.com
+- jonmann@google.com
+- better-together-dev@google.com
+schema:
+ type: boolean
+tags:
+- local-data-access
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubNotificationsAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubNotificationsAllowed.yaml
new file mode 100755
index 000000000..ba70f263e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubNotificationsAllowed.yaml
@@ -0,0 +1,28 @@
+caption: Allow Phone Hub notifications to be enabled.
+desc: |-
+ If this setting is enabled, users who have already opted in to Phone Hub, will be able to send/receive their phone's notifications on ChromeOS.
+
+ If this setting is disabled, users will not be allowed to use this feature. If the PhoneHubAllowed policy is disabled, users also will not be allowed to use this feature.
+
+ If this policy is left not set, the default is allowed for both enterprise-managed users and non-managed users.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow Phone Hub notifications to be enabled
+ value: true
+- caption: Do not allow Phone Hub notifications to be enabled
+ value: false
+owners:
+- khorimoto@google.com
+- danlee@google.com
+- better-together-dev@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:89-
+tags:
+- local-data-access
+- google-sharing
+type: main
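Review bot: This file has no `default:` key even though its `desc` states that the unset state is "allowed for both enterprise-managed users and non-managed users"; PhoneHubCameraRollAllowed.yaml uses the same wording and does declare `default: true`. PhoneHubTaskContinuationAllowed.yaml has the same gap. Adding `default: true` to both would make the three sub-policies agree and keep the documented default machine-readable. All of these files carry the `local-data-access` and `google-sharing` tags, so the effective default is worth stating explicitly rather than only in prose.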
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubTaskContinuationAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubTaskContinuationAllowed.yaml
new file mode 100755
index 000000000..fba0e8619
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhoneHubTaskContinuationAllowed.yaml
@@ -0,0 +1,28 @@
+caption: Allow Phone Hub task continuation to be enabled.
+desc: |-
+ If this setting is enabled, users who have already opted in to Phone Hub, will be able to continue tasks such as viewing their phone's webpages on ChromeOS.
+
+ If this setting is disabled, users will not be allowed to use this feature. If the PhoneHubAllowed policy is disabled, users also will not be allowed to use this feature.
+
+ If this policy is left not set, the default is allowed for both enterprise-managed users and non-managed users.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow Phone Hub task continuation to be enabled
+ value: true
+- caption: Do not allow Phone Hub task continuation to be enabled
+ value: false
+owners:
+- khorimoto@google.com
+- danlee@google.com
+- better-together-dev@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:89-
+tags:
+- local-data-access
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhysicalKeyboardAutocorrect.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhysicalKeyboardAutocorrect.yaml
new file mode 100755
index 000000000..28ab0208b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhysicalKeyboardAutocorrect.yaml
@@ -0,0 +1,30 @@
+caption: Control the autocorrect feature on the physical keyboard
+desc: |-
+ Enable or disable the autocorrect feature on the physical keyboard.
+
+ If this policy is set to Enabled or left unset, it will allow the autocorrect feature on the physical keyboard.
+
+ If this policy is set to Disabled, it will disallow the autocorrect feature on the physical keyboard.
+
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- curtismcmullan@chromium.org
+- dvallet@chromium.org
+- mehrab@chromium.org
+- shend@chromium.org
+- essential-inputs-team@google.com
+items:
+- caption: Enable physical keyboard autocorrect when users type
+ value: true
+- caption: Disable physical keyboard autocorrect when users type
+ value: false
+schema:
+ type: boolean
+supported_on:
+- chrome_os:116-
+tags: []
+type: main
+
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhysicalKeyboardPredictiveWriting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhysicalKeyboardPredictiveWriting.yaml
new file mode 100755
index 000000000..a6f9ee5a5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PhysicalKeyboardPredictiveWriting.yaml
@@ -0,0 +1,30 @@
+caption: Control the predictive writing feature on the physical keyboard
+desc: |-
+ Enable or disable the predictive writing feature on the physical keyboard.
+
+ If this policy is set to Enabled or left unset, it will allow the predictive writing feature on the physical keyboard.
+
+ If this policy is set to Disabled, it will disallow the predictive writing feature on the physical keyboard.
+
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- curtismcmullan@chromium.org
+- dvallet@chromium.org
+- mehrab@chromium.org
+- shend@chromium.org
+- essential-inputs-team@google.com
+items:
+- caption: Enable physical keyboard predictive writing when users type
+ value: true
+- caption: Disable physical keyboard predictive writing when users type
+ value: false
+schema:
+ type: boolean
+supported_on:
+- chrome_os:116-
+tags: []
+type: main
+
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PinnedLauncherApps.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PinnedLauncherApps.yaml
new file mode 100755
index 000000000..ae7c3e6ab
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PinnedLauncherApps.yaml
@@ -0,0 +1,33 @@
+arc_support: This policy can also be used to pin Android apps.
+caption: List of pinned apps to show in the launcher
+desc: |-
+ Setting the policy fixes which application identifiers $2Google ChromeOS shows as pinned apps in the launcher bar, and users can't change them.
+
+ Specify Chrome apps by their ID, such as pjkljhegncpnkpknbcohdijeoejaedia;
+ Android apps by their package name, such as com.google.android.gm;
+ web apps by the URL used in WebAppInstallForceList, such as https://google.com/maps;
+ System Web Apps by their snake case name, such as camera.
+ Isolated Web Apps by their web bundle ID, such as egoxo6biqdjrk62rman4vvr5cbq2ozsyydig7jmdxcmohdob2ecaaaic.
+
+ Leaving it unset lets users change the list of pinned apps in the launcher.
+example_value:
+- pjkljhegncpnkpknbcohdijeoejaedia
+- com.google.android.gm
+- https://google.com/maps
+- camera
+- egoxo6biqdjrk62rman4vvr5cbq2ozsyydig7jmdxcmohdob2ecaaaic
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:20-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyAtomicGroupsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyAtomicGroupsEnabled.yaml
new file mode 100755
index 000000000..ea93bf6f3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyAtomicGroupsEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Enables the concept of policy atomic groups
+desc: |-
+ Setting the policy to Enabled means policies coming from an atomic group that don't share the source with the highest priority from that group get ignored.
+
+ Setting the policy to Disabled means no policy is ignored because of its source. Policies are ignored only if there's a conflict, and the policy doesn't have the highest priority.
+
+ If this policy is set from a cloud source, it can't target a specific user.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable policy atomic groups
+ value: true
+- caption: Disable policy atomic groups
+ value: false
+owners:
+- ydago@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:78-
+- chrome_os:78-
+- android:105-
+- ios:105-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyDictionaryMultipleSourceMergeList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyDictionaryMultipleSourceMergeList.yaml
new file mode 100755
index 000000000..c4119950f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyDictionaryMultipleSourceMergeList.yaml
@@ -0,0 +1,66 @@
+caption: Allow merging dictionary policies from different sources
+desc: |-
+ Setting the policy allows merging of selected policies when they come from different sources, with the same scopes and level. This merging is in the first level keys of the dictionary from each source. The key coming from the highest priority source takes precedence.
+
+ Use the wildcard character '*' to allow merging of all supported dictionary policies.
+
+ If a policy is in the list and there's conflict between sources with:
+
+ * The same scopes and level: The values merge into a new policy dictionary.
+
+ * Different scopes or level: The policy with the highest priority applies.
+
+ If a policy isn't in the list and there's conflict between sources, scopes, or level, the policy with the highest priority applies.
+example_value:
+- ExtensionSettings
+features:
+ dynamic_refresh: true
+ metapolicy_type: merge
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Managed user manual exception URLs
+ name: ContentPackManualBehaviorURLs
+ value: ContentPackManualBehaviorURLs
+- caption: Power management on the login screen
+ name: DeviceLoginScreenPowerManagement
+ value: DeviceLoginScreenPowerManagement
+- caption: Extension management settings
+ name: ExtensionSettings
+ value: ExtensionSettings
+- caption: Key Permissions
+ name: KeyPermissions
+ value: KeyPermissions
+- caption: Power management settings when the user becomes idle
+ name: PowerManagementIdleSettings
+ value: PowerManagementIdleSettings
+- caption: Screen brightness percent
+ name: ScreenBrightnessPercent
+ value: ScreenBrightnessPercent
+- caption: Screen lock delays
+ name: ScreenLockDelays
+ value: ScreenLockDelays
+label: Allow merging dictionary policies from different sources
+owners:
+- ydago@chromium.org
+- pastarmovj@chromium.org
+schema:
+ items:
+ enum:
+ - ContentPackManualBehaviorURLs
+ - ExtensionSettings
+ - DeviceLoginScreenPowerManagement
+ - KeyPermissions
+ - PowerManagementIdleSettings
+ - ScreenBrightnessPercent
+ - ScreenLockDelays
+ type: string
+ type: array
+supported_on:
+- chrome.*:76-
+- chrome_os:76-
+- android:105-
+- ios:105-
+tags: []
+type: string-enum-list
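Review bot: The `desc` tells administrators to use the wildcard `'*'` to merge all supported dictionary policies, but `schema.items.enum` lists only the seven policy names and has no `'*'` entry, and `items` has no caption for it. Whether the wildcard is accepted before schema validation is not visible in this hunk; if validation is strict, the documented value would be rejected or dropped. Either add `- '*'` to the enum with a matching `items` entry, or say in `desc` how the wildcard is handled.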
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyListMultipleSourceMergeList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyListMultipleSourceMergeList.yaml
new file mode 100755
index 000000000..7bcf76f34
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyListMultipleSourceMergeList.yaml
@@ -0,0 +1,37 @@
+caption: Allow merging list policies from different sources
+desc: |-
+ Setting the policy allows merging of selected policies when they come from different sources, with the same scopes and level.
+
+ Use the wildcard character '*' to allow merging of all list policies.
+
+ If a policy is in the list and there's conflict between sources with:
+
+ * The same scopes and level: The values merge into a new policy list.
+
+ * Different scopes or level: The policy with the highest priority applies.
+
+ If a policy isn't in the list and there's conflict between sources, scopes, or level, the policy with the highest priority applies.
+example_value:
+- ExtensionInstallAllowlist
+- ExtensionInstallBlocklist
+features:
+ dynamic_refresh: true
+ metapolicy_type: merge
+ per_profile: true
+future_on:
+- fuchsia
+label: Allow merging list policies from different sources
+owners:
+- ydago@chromium.org
+- pastarmovj@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:75-
+- chrome_os:75-
+- android:97-
+- ios:105-
+tags: []
+type: list
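Review bot: The `desc` documents the `'*'` wildcard and the example lists `ExtensionInstallAllowlist`, but it never says what merging means for an allowlist. As the description reads, every source at the same scope and level contributes entries to the merged list, so an administrator loses the "highest priority wins" behaviour for that policy. I would add a sentence to `desc` such as `Merging an allowlist lets each source at that scope and level extend it; list only policies whose sources are equally trusted, and prefer naming policies over '*'.` The `schema` accepts any string, so a misspelled policy name is presumably ignored silently, which is worth stating as well.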
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyRefreshRate.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyRefreshRate.yaml
new file mode 100755
index 000000000..b41bf9969
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyRefreshRate.yaml
@@ -0,0 +1,26 @@
+caption: Refresh rate for user policy
+desc: |-
+ Setting the policy specifies the period in milliseconds at which the device management service is queried for user policy information. Valid values range from 1,800,000 (30 minutes) to 86,400,000 (1 day). Values outside this range will be clamped to the respective boundary.
+
+ Leaving the policy unset uses the default value of 3 hours.
+
+ Note: Policy notifications force a refresh when the policy changes, making frequent refreshes unnecessary. So, if the platform supports these notifications, the refresh delay is 24 hours (ignoring defaults and the value of this policy).
+example_value: 3600000
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- anqing@chromium.org
+schema:
+ maximum: 86400000
+ minimum: 1800000
+ type: integer
+supported_on:
+- chrome_os:11-
+- chrome.*:79-
+- ios:90-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyScopeDetection.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyScopeDetection.yaml
new file mode 100755
index 000000000..c3f4c9de2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyScopeDetection.yaml
@@ -0,0 +1,28 @@
+caption: Allow policy scope detection on macOS
+default: true
+deprecated: true
+desc: " Controls whether browser can detect mandatory policy scope on macOS or not.\n\n If the policy is set to Enabled or not\
+ \ set, each policy's scope will be determined by the scope of macOS managed profile.\n If the policy is set to Disabled, all policies\
+ \ will be reconized as machine scope policy.\n\n This policy is temporary in\
+ \ order to facilitate smooth transition to properly scoped policies on macOS and will be removed in $1Google\
+ \ Chrome 107.\n\n "
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow Policy scope detection.
+ value: true
+- caption: Block Policy scope detection.
+ value: false
+owners:
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.mac:105-107
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyTestPageEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyTestPageEnabled.yaml
new file mode 100755
index 000000000..856cf4a47
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PolicyTestPageEnabled.yaml
@@ -0,0 +1,37 @@
+owners:
+- jayee@google.com
+- ydago@google.com
+- file://components/policy/OWNERS
+caption: Allow access to the policy test page
+desc: |-
+ This policy will provide access to the policy test page,
+ while policies are tested on this page, all other policies will be ignored.
+ Feature will only be available on Canary channel.
+
+ If policy is Enabled or not set, the page will be accessible.
+ If policy is Disabled, the page will be blocked.
+future_on:
+- ios
+- android
+- chrome.*
+- chrome_os
+- fuchsia
+features:
+ dynamic_refresh: true
+ per_profile: true
+type: main
+schema:
+ type: boolean
+items:
+- caption: Policy test page is accessible
+ value: true
+- caption: Policy test page is blocked
+ value: false
+default: true
+example_value: true
+tags: []
+
+
+
+
+
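Review bot: `default: true` combined with "If policy is Enabled or not set, the page will be accessible" makes this fail-open, and the same `desc` says all other policies are ignored while policies are tested on the page. The only limit stated is the Canary channel; whether the page is gated further on managed devices is not visible here. I would add to `desc` something like `Set this policy to Disabled on managed devices where users must not be able to replace the applied policies.` The file also ends with five empty lines after `tags: []`, which can be dropped.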
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PostQuantumKeyAgreementEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PostQuantumKeyAgreementEnabled.yaml
new file mode 100755
index 000000000..1b0b61014
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PostQuantumKeyAgreementEnabled.yaml
@@ -0,0 +1,42 @@
+caption: Enable post-quantum key agreement for TLS
+default: null
+desc: |-
+ This policy configures whether $1Google Chrome will offer a post-quantum key agreement algorithm in TLS. In future versions, the algorithm will be ML-KEM, a NIST post-quantum standard. Initially, the algorithm was Kyber, an earlier draft iteration of the standard. This allows supporting servers to protect user traffic from being later decrypted by quantum computers.
+
+ If this policy is Enabled, $1Google Chrome will offer a post-quantum key agreement in TLS connections. User traffic will then be protected from quantum computers when communicating with compatible servers.
+
+ If this policy is Disabled, $1Google Chrome will not offer a post-quantum key agreement in TLS connections. User traffic will then be unprotected from quantum computers.
+
+ If this policy is not set, $1Google Chrome will follow the default rollout process for offering a post-quantum key agreement.
+
+ Offering a post-quantum key agreement is backwards-compatible. Existing TLS servers and networking middleware are expected to ignore the new option and continue selecting previous options.
+
+ However, devices that do not correctly implement TLS may malfunction when offered the new option. For example, they may disconnect in response to unrecognized options or the resulting larger messages. Such devices are not post-quantum-ready and will interfere with an enterprise's post-quantum transition. If encountered, administrators should contact the vendor for a fix.
+
+ This policy is a temporary measure and will be removed sometime after $1Google Chrome version 141. It may be Enabled to allow you to test for issues, and may be Disabled while issues are being resolved.
+
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Use Default Value for post-quantum key agreement for TLS
+ value: null
+- caption: Enable post-quantum key agreement for TLS
+ value: true
+- caption: Disable post-quantum key agreement for TLS
+ value: false
+owners:
+- file://crypto/OWNERS
+- trusty-transport@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:116-
+- chrome_os:116-
+- android:116-
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PreconfiguredDeskTemplates.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PreconfiguredDeskTemplates.yaml
new file mode 100755
index 000000000..a5ef7ff58
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PreconfiguredDeskTemplates.yaml
@@ -0,0 +1,28 @@
+caption: Allow users to select a preconfigured desktop layout to load
+desc: |-
+ If set, this policy contains information to download a desk template file. The file contains a desk template to be provisioned for the current user.
+ If not set, no preconfigured desk template will be included in the list of desk templates. If the DeskTemplatesEnabled
+ policy is not set to true, this policy has no effect.
+example_value:
+ hash: 842841a4c75a55ad050d686f4ea5f77e83ae059877fe9b6946aa63d3d057ed32
+ url: https://example.com/a.json
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome_os
+max_size: 1048576
+owners:
+- brianbeck@chromium.org
+- yzd@chromium.org
+schema:
+ properties:
+ hash:
+ description: The SHA-256 hash of the desk template.
+ type: string
+ url:
+ description: The URL from which the desk template can be downloaded.
+ type: string
+ type: object
+tags: []
+type: external
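Review bot: The `schema` declares `hash` and `url` as unconstrained strings and marks neither as required, so by the schema alone a value carrying only `url` would validate. The downloaded file is provisioned for the user, which means the SHA-256 check is what ties it to the administrator's intent. The external-data handler may enforce both fields elsewhere, but that is not visible in this file. I would add `required: [hash, url]` under `schema`. The `desc` should also state that the download is rejected when it does not match `hash` or exceeds `max_size`, assuming that is the behaviour.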
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrefixedStorageInfoEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrefixedStorageInfoEnabled.yaml
new file mode 100755
index 000000000..a325738f8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrefixedStorageInfoEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Re-enable the deprecated window.webkitStorageInfo API
+default: false
+deprecated: true
+desc: |-
+ Starting in M110, the non-standard API window.webkitStorageInfo will be removed. This policy re-enables the API.
+ If this policy is set to Enabled, the window.webkitStorageInfo API will be available.
+ If this policy is set to Disabled or not set, the window.webkitStorageInfo API will be unavailable.
+ This was removed in M112.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: window.webkitStorageInfo will be available.
+ value: true
+- caption: window.webkitStorageInfo will be unavailable.
+ value: false
+owners:
+- ayui@chromium.org
+- chrome-owp-storage@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:106-112
+- chrome_os:106-112
+- android:106-112
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrefixedVideoFullscreenApiAvailability.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrefixedVideoFullscreenApiAvailability.yaml
new file mode 100755
index 000000000..f08edf135
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrefixedVideoFullscreenApiAvailability.yaml
@@ -0,0 +1,55 @@
+owners:
+- tguilbert@chromium.org
+- file://media/OWNERS
+
+caption: Manage the deprecated prefixed video fullscreen API's availability
+
+desc: |-
+ Setting the policy to enabled will allow the prefixed video-specific fullscreen APIs (e.g. Video.webkitEnterFullscreen()) to be used from Javascript.
+
+ Setting the policy to disabled will prevent the prefixed video-specific fullscreen APIs from being used in Javascript, leaving only the standard fullscreen APIs (e.g. Element.requestFullscreen()).
+
+ Setting the policy to runtime-enabled will allow the PrefixedFullscreenVideo runtime enabled feature flag to determine whether the prefixed video-specific fullscreen APIs are available to websites.
+
+ If the policy is unset, the behavior defaults to runtime-enabled.
+
+ Note: this policy is a temporary solution to help transition away from webkit-prefixed fullscreen APIs. It will tentatively be removed in M130, or in the few following releases.
+
+
+supported_on:
+- android:124-
+- chrome.*:124-
+- chrome_os:124-
+- fuchsia:124-
+
+deprecated: false
+
+features:
+ dynamic_refresh: true
+ per_profile: true
+
+type: string-enum
+
+schema:
+ type: string
+ enum:
+ - disabled
+ - enabled
+ - runtime-enabled
+
+items:
+- caption: Follows regular deprecation timelines for the PrefixedVideoFullscreen API
+ name: RuntimeEnabled
+ value: runtime-enabled
+- caption: Disables prefixed video fullscreen APIs
+ name: Disabled
+ value: disabled
+- caption: Enables prefixed video fullscreen APIs
+ name: Enabled
+ value: enabled
+
+default: runtime-enabled
+
+example_value: disabled
+
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrimaryMouseButtonSwitch.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrimaryMouseButtonSwitch.yaml
new file mode 100755
index 000000000..dcf2a3737
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrimaryMouseButtonSwitch.yaml
@@ -0,0 +1,33 @@
+caption: Switch the primary mouse button to the right button
+default: null
+desc: |-
+ Switch the primary mouse button to the right button.
+
+ If this policy is set to enabled, the right button of the mouse will always be the primary key.
+
+ If this policy is set to disabled, the left button of the mouse will always be the primary key.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the left button of the mouse will be the primary key initially, but can be switched by the user anytime.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Right button is primary
+ value: true
+- caption: Left button is primary
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- amraboelkher@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:81-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrintingAPIExtensionsWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrintingAPIExtensionsWhitelist.yaml
new file mode 100755
index 000000000..0e68a0f7f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PrintingAPIExtensionsWhitelist.yaml
@@ -0,0 +1,26 @@
+caption: Extensions allowed to skip confirmation dialog when sending print jobs via
+ chrome.printing API
+deprecated: true
+desc: |-
+ This policy specifies the allowed extensions to skip print job confirmation dialog when they use the Printing API function chrome.printing.submitJob() for sending a print job.
+
+ If an extension is not in the list, or the list is not set, the print job confirmation dialog will be shown to the user for every chrome.printing.submitJob() function call.
+
+ This policy is deprecated, please use PrintingAPIExtensionsAllowlist instead.
+example_value:
+- abcdefghabcdefghabcdefghabcdefgh
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:81-100
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProfileLabel.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProfileLabel.yaml
new file mode 100755
index 000000000..7a22c44c0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProfileLabel.yaml
@@ -0,0 +1,39 @@
+caption: Profile Label
+default: null
+desc: |-
+ This policy controls a label used to identify a signed in profile. This label will be shown in various locations to help users identify the profile such as next to the toolbar profile icon.
+ This label will also be used as a default name for newly created profiles that can be modified by the users.
+
+ If this policy is left unset the default label, either "Work" or "School" will be used.
+
+ If this policy is set to "Label the profile as Work (0)", the "Work" label will be used.
+
+ If this policy is set to "Label the profile as School (1)", the "School" label will be used.
+
+ This policy will be overridden by the CustomProfileLabel policy if that policy is set.
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: true
+ cloud_only: true
+ user_only: true
+supported_on:
+- chrome.*:125-
+items:
+- caption: Work
+ name: Work
+ value: 0
+- caption: School
+ name: School
+ value: 1
+owners:
+- file://components/enterprise/OWNERS
+- ydago@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+tags: []
+type: int-enum
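Review bot: `schema.enum` accepts `0`, `1` and `2`, while `items` defines only `Work` (0) and `School` (1) and `desc` documents only those two values. A value of `2` therefore passes schema validation with no documented meaning. Either drop `- 2` from the enum or add the matching `items` entry and a `desc` paragraph for it. Separately, `desc` quotes the options as "Label the profile as Work (0)" while the item caption is just `Work`; the two should agree.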
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProfilePickerOnStartupAvailability.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProfilePickerOnStartupAvailability.yaml
new file mode 100755
index 000000000..ec3203752
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProfilePickerOnStartupAvailability.yaml
@@ -0,0 +1,42 @@
+caption: Profile picker availability on startup
+default: 0
+desc: |-
+ Specifies whether the profile picker is enabled, disabled or forced at the browser startup.
+
+ By default the profile picker is not shown if the browser starts in guest or incognito mode, a profile directory and/or urls are specified by command line, an app is explicitly requested to open, the browser was launched by a native notification, there is only one profile available or the policy ForceBrowserSignin is set to true.
+
+ If 'Enabled' (0) is selected or the policy is left unset, the profile picker will be shown at startup by default, but users will be able to enable/disable it.
+
+ If 'Disabled' (1) is selected, the profile picker will never be shown, and users will not be able to change the setting.
+
+ If 'Forced' (2) is selected, the profile picker cannot be suppressed by the user. The profile picker will be shown even if there is only one profile available.
+example_value: 0
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Profile picker available at startup
+ name: Enabled
+ value: 0
+- caption: Profile picker disabled at startup
+ name: Disabled
+ value: 1
+- caption: Profile picker forced at startup
+ name: Forced
+ value: 2
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:89-
+- chrome_os:105-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProfileReauthPrompt.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProfileReauthPrompt.yaml
new file mode 100755
index 000000000..b7abde0de
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProfileReauthPrompt.yaml
@@ -0,0 +1,25 @@
+caption: Prompt users to re-authenticate to the profile
+desc: |-
+ When set to DoNotPrompt or left unset, $1Google Chrome does not automatically prompt the user to re-authenticate to the browser.
+
+ When set to PromptInTab, when the user's authentication expires, immediately open a new tab with the Google login page. This only happens if using Chrome Sync.
+default: 0
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome.*:121-
+items:
+- caption: Do not prompt for reauth
+ name: DoNotPrompt
+ value: 0
+- caption: Prompt for reauth in a tab
+ name: PromptInTab
+ value: 1
+owners:
+- nicolaso@chromium.org
+schema:
+ type: integer
+tags: []
+type: int-enum
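Review bot: This policy is `type: int-enum`, but its `schema` is only `type: integer` with no `enum` list, so any integer validates. The other int-enum policies in this commit (for example ProfilePickerOnStartupAvailability and ProvisionManagedClientCertificateForUser) list their values explicitly. I would add `enum:` with `- 0` and `- 1` under `schema` to match the two `items`. The `desc` also does not say what happens for a value other than `DoNotPrompt` or `PromptInTab`.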
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromotionalTabsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromotionalTabsEnabled.yaml
new file mode 100755
index 000000000..0787d8e96
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromotionalTabsEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Enable showing full-tab promotional content
+desc: |-
+ Setting the policy to True or leaving it unset lets $1Google Chrome show users product information as full-tab content.
+
+ Setting the policy to False prevents $1Google Chrome from showing product information as full-tab content.
+
+ Setting the policy controls the presentation of the welcome pages that help users sign in to $1Google Chrome, set $1Google Chrome as users' default browser, or otherwise inform them of product features.
+
+ This is deprecated - use PromotionsEnabled instead.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Enable showing full-tab promotional content
+ value: true
+- caption: Disable showing full-tab promotional content
+ value: false
+owners:
+- grt@chromium.org
+- rbpotter@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:69-
+- chrome_os:93-
+tags: []
+type: main
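Review bot: The last paragraph of `desc` says "This is deprecated - use PromotionsEnabled instead", but the file carries no `deprecated: true` field. PrintingAPIExtensionsWhitelist in this same commit sets the field alongside the equivalent sentence, so tooling that reads the field will still treat this policy as current. Adding `deprecated: true` would make the two consistent. The file also lacks a `default` although `desc` describes the unset behaviour; PromotionsEnabled states `default: true`.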
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromotionsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromotionsEnabled.yaml
new file mode 100755
index 000000000..ffc40c5cb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromotionsEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Enable showing promotional content
+default: true
+desc: |-
+ Setting the policy to True or leaving it unset lets $1Google Chrome show users product promotional content.
+
+ Setting the policy to False prevents $1Google Chrome from showing product promotional content.
+
+ Setting the policy controls the presentation of promotional content, including the welcome pages that help users sign in to $1Google Chrome, set $1Google Chrome as users' default browser, or otherwise inform them of product features.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Enable showing promotional content
+ value: true
+- caption: Disable showing promotional content
+ value: false
+owners:
+- grt@chromium.org
+- rbpotter@chromium.org
+- davidbienvenu@chromium.org
+- jessemckenna@google.com
+- chrome-windows-seakir@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:128-
+- chrome_os:128-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromptForDownloadLocation.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromptForDownloadLocation.yaml
new file mode 100755
index 000000000..0eb6bd6ec
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromptForDownloadLocation.yaml
@@ -0,0 +1,30 @@
+caption: Ask where to save each file before downloading
+default: null
+desc: |-
+ Setting the policy to Enabled means users are asked where to save each file before downloading. Setting the policy to Disabled has downloads start immediately, and users aren't asked where to save the file.
+
+ Leaving the policy unset lets users change this setting.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Ask the user where to save the file before downloading
+ value: true
+- caption: Do not ask the user (downloads start immediately)
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- macourteau@chromium.org
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:64-
+- chrome_os:64-
+- android:92-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromptOnMultipleMatchingCertificates.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromptOnMultipleMatchingCertificates.yaml
new file mode 100755
index 000000000..f07906434
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/PromptOnMultipleMatchingCertificates.yaml
@@ -0,0 +1,28 @@
+caption: Prompt when multiple certificates match
+default: false
+desc: |-
+ This policy controls whether the user is prompted to select a client certificate when more than one certificate matches AutoSelectCertificateForUrls.
+ If this policy is set to Enabled, the user is prompted to select a client certificate whenever the auto-selection policy matches multiple certificates.
+ If this policy is set to Disabled or not set, the user may only be prompted when no certificate matches the auto-selection.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Prompt the user to select the client certificate whenever the auto-selection
+ policy matches multiple certificates.
+ value: true
+- caption: Only prompt the user when no certificate matches the auto-selection.
+ value: false
+owners:
+- emaxx@chromium.org
+- miersh@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:96-
+- chrome.*:96-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProvisionManagedClientCertificateForUser.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProvisionManagedClientCertificateForUser.yaml
new file mode 100755
index 000000000..1f3dab870
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProvisionManagedClientCertificateForUser.yaml
@@ -0,0 +1,33 @@
+owners:
+- seblalancette@chromium.org
+- file://components/enterprise/client_certificates/OWNERS
+caption: Enables the provisioning of client certificates for a managed user or profile
+desc: |-
+ Setting this policy to Enabled (value 1) will make the browser request a client certificate from the device management server for a managed user or profile. This certificate will be made available for, e.g., mTLS connections.
+
+ Setting this policy to Disabled (value 0) will prevent the browser from requesting the client certificate. If a profile's managed client certificate had already been provisioned, due to this policy being enabled before, it will not be deleted, but it won't be available for mTLS connections and won't be renewed when it expires.
+
+supported_on:
+- chrome.win:126-
+- chrome.mac:126-
+- chrome.linux:128-
+features:
+ dynamic_refresh: true
+ per_profile: true
+ cloud_only: true
+type: int-enum
+schema:
+ type: integer
+ enum:
+ - 0
+ - 1
+items:
+- caption: Disable client certificate provisioning
+ name: Disabled
+ value: 0
+- caption: Enable client certificate provisioning
+ name: Enabled
+ value: 1
+default: 0
+example_value: 0
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProxySettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProxySettings.yaml
new file mode 100755
index 000000000..e2cfea0d2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ProxySettings.yaml
@@ -0,0 +1,66 @@
+arc_support: Only a subset of proxy configuration options are made available to Android
+ apps. Android apps may voluntarily choose to use the proxy. You cannot force them
+ to use a proxy.
+caption: Proxy settings
+desc: |-
+ Setting the policy configures the proxy settings for Chrome and ARC-apps, which ignore all proxy-related options specified from the command line.
+
+ Leaving the policy unset lets users choose their proxy settings.
+
+ Setting the ProxySettings policy accepts the following fields:
+ * ProxyMode, which lets you specify the proxy server Chrome uses and prevents users from changing proxy settings
+ * ProxyPacUrl, a URL to a proxy .pac file, or a PAC script encoded as a data URL with MIME type application/x-ns-proxy-autoconfig
+ * ProxyPacMandatory, which prevents the network stack from falling back to direct connections with invalid or unavailable PAC script
+ * ProxyServer, a URL of the proxy server
+ * ProxyBypassList, a list of hosts for which the proxy will be bypassed
+
+ The ProxyServerMode field is deprecated in favor of the ProxyMode field.
+
+ For ProxyMode, if you choose the value:
+ * direct, a proxy is never used and all other fields are ignored.
+ * system, the systems's proxy is used and all other fields are ignored.
+ * auto_detect, all other fields are ignored.
+ * fixed_servers, the ProxyServer and ProxyBypassList fields are used.
+ * pac_script, the ProxyPacUrl, ProxyPacMandatory and ProxyBypassList fields are used.
+
+ Note: For more detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).
+example_value:
+ ProxyBypassList: https://www.example1.com,https://www.example2.com,https://internalsite/
+ ProxyMode: fixed_servers
+ ProxyServer: 123.123.123.123:8080
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- acostinas@google.com
+- file://components/proxy_config/OWNERS
+schema:
+ properties:
+ ProxyBypassList:
+ type: string
+ ProxyMode:
+ enum:
+ - direct
+ - auto_detect
+ - pac_script
+ - fixed_servers
+ - system
+ type: string
+ ProxyPacMandatory:
+ type: boolean
+ ProxyPacUrl:
+ type: string
+ ProxyServer:
+ type: string
+ ProxyServerMode:
+ $ref: ProxyServerMode
+ type: object
+supported_on:
+- chrome.*:18-
+- chrome_os:18-
+- android:30-
+tags:
+- system-security
+type: dict
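Review bot: For `pac_script` mode the `desc` explains that `ProxyPacMandatory` prevents falling back to direct connections, but it does not say what happens when the field is omitted. An administrator who relies on the proxy for filtering or monitoring needs to know that the unset case presumably fails open. I would add a sentence such as `If ProxyPacMandatory is omitted or false, connections may go direct when the PAC script is invalid or unavailable.` The `schema` also marks no property as required, so a `fixed_servers` value without `ProxyServer` validates; the `desc` should say how that case is handled. There is a typo in the `system` bullet: `systems's` should be `system's`.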
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QRCodeGeneratorEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QRCodeGeneratorEnabled.yaml
new file mode 100755
index 000000000..59aeb60fa
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QRCodeGeneratorEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable QR Code Generator
+desc: |-
+ This policy enables the QR Code generator feature in $1Google Chrome.
+
+ If you enable this policy or don't configure it, the QR Code Generator feature is enabled.
+
+ If you disable this policy, the QR Code Generator feature is disabled.
+example_value: false
+features:
+ can_be_mandatory: true
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: The QR Code Generator feature is enabled.
+ value: true
+- caption: The QR Code Generator feature is disabled.
+ value: false
+owners:
+- file://chrome/browser/ui/qrcode_generator/OWNERS
+schema:
+ type: boolean
+supported_on:
+- android:128-
+- chrome.*:128-
+- chrome_os:128-
+- fuchsia:128-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QuicAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QuicAllowed.yaml
new file mode 100755
index 000000000..8aed5087b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QuicAllowed.yaml
@@ -0,0 +1,26 @@
+caption: Allow QUIC protocol
+desc: |-
+ Setting the policy to Enabled or leaving it unset allows the use of QUIC protocol in $1Google Chrome.
+
+ Setting the policy to Disabled disallows the use of QUIC protocol.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Allow QUIC
+ value: true
+- caption: Disallow QUIC
+ value: false
+owners:
+- file://components/policy/OWNERS
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:43-
+- chrome_os:43-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QuickOfficeForceFileDownloadEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QuickOfficeForceFileDownloadEnabled.yaml
new file mode 100755
index 000000000..5c1ac0969
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QuickOfficeForceFileDownloadEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Force downloading of Office documents (e.g. .docx) instead of opening them in the Basic Editor
+default: true
+default_for_enterprise_users: false
+desc: |-
+ When enabled, this policy forces navigations to any Office documents with a MIME type normally handled by the Basic Editor to download the file.
+
+ If the policy is disabled then these documents will instead be automatically opened in the Basic Editor.
+
+ Leaving this policy unset for regular users is functionally equivalent to it being enabled (i.e. files will be downloaded); leaving the policy unset for enterprise users is functionally equivalent to it being disabled (i.e. files will be opened in the Basic Editor).
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: When navigating to Office documents handled by Basic Editor, force them to be downloaded
+ value: true
+- caption: When navigating to Office documents handled by Basic Editor, open them in Basic Editor
+ value: false
+owners:
+- simmonsjosh@google.com
+- file://ui/file_manager/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:118-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QuickUnlockModeWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QuickUnlockModeWhitelist.yaml
new file mode 100755
index 000000000..8b8863f6d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/QuickUnlockModeWhitelist.yaml
@@ -0,0 +1,41 @@
+caption: Configure allowed quick unlock modes
+default_for_enterprise_users: []
+deprecated: true
+desc: |-
+ Setting the policy controls which quick unlock modes can unlock the lock screen.
+
+ To allow:
+
+ * Every quick unlock mode, use ["all"] (includes modes added in the future).
+
+ * Only PIN unlock, use ["PIN"].
+
+ * PIN and fingerprint, use ["PIN", "FINGERPRINT"].
+
+ If the policy is unset or set to an empty list, no quick unlock modes are available for managed devices.
+
+ This policy is deprecated, please use QuickUnlockModeAllowlist instead
+example_value:
+- PIN
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: All
+ name: all
+ value: all
+- caption: PIN
+ name: PIN
+ value: PIN
+- caption: Fingerprint
+ name: FINGERPRINT
+ value: FINGERPRINT
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ $ref: QuickUnlockModeWhitelist
+supported_on:
+- chrome_os:56-100
+tags: []
+type: string-enum-list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RC4Enabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RC4Enabled.yaml
new file mode 100755
index 000000000..091adbf3a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RC4Enabled.yaml
@@ -0,0 +1,22 @@
+caption: Enable RC4 cipher suites in TLS
+deprecated: true
+desc: |-
+ This policy was removed in M53 after RC4 was removed from $1Google Chrome.
+
+ If the policy is not set, or is set to false, then RC4 cipher suites in TLS will not be enabled. Otherwise it may be set to true to retain compatibility with an outdated server. This is a stopgap measure and the server should be reconfigured.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- file://crypto/OWNERS
+- davidben@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:48-52
+- chrome_os:48-52
+- android:48-52
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RSAKeyUsageForLocalAnchorsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RSAKeyUsageForLocalAnchorsEnabled.yaml
new file mode 100755
index 000000000..f179cb257
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RSAKeyUsageForLocalAnchorsEnabled.yaml
@@ -0,0 +1,62 @@
+caption: Check RSA key usage for server certificates issued by local trust anchors
+default: null
+deprecated: true
+desc: |-
+ The X.509 key usage extension declares how the key in a certificate may be
+ used. Such instructions ensure certificates are not used in an unintended
+ context, which protects against a class of cross-protocol attacks on HTTPS and
+ other protocols. For this to work, HTTPS clients must check that server
+ certificates match the connection's TLS parameters.
+
+ Starting in $1Google Chrome 124, this
+ check is always enabled.
+
+ $1Google Chrome 123 and earlier have the
+ following behavior:
+
+ If this policy is set to enabled,
+ $1Google Chrome will perform this check.
+ This helps prevent attacks where an attacker manipulates the browser into
+ interpreting a key in ways that the certificate owner did not intend.
+
+ If this policy is set to disabled,
+ $1Google Chrome will skip this check in
+ HTTPS connections that both negotiate TLS 1.2 and use an RSA certificate that
+ chains to a local trust anchor. Examples of local trust anchors include
+ policy-provided or user-installed root certificates. In all other cases, the
+ check is performed independent of this policy's setting.
+
+ If the policy is not configured,
+ $1Google Chrome will behave as if the
+ policy is enabled.
+
+ Connections which fail this check will fail with the error
+ ERR_SSL_KEY_USAGE_INCOMPATIBLE. Sites which fail with this error likely have a
+ misconfigured certificate. Modern ECDHE_RSA cipher suites use the
+ "digitalSignature" key usage option, while legacy RSA decryption cipher suites
+ use the "keyEncipherment" key usage option. If unsure, adminstrators should
+ include both in RSA certificates meant for HTTPS.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable RSA key usage checking
+ value: true
+- caption: Disable RSA key usage checking
+ value: false
+- caption: Use the default setting for RSA key usage checking
+ value: null
+owners:
+- davidben@chromium.org
+- trusty-transport@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:116-123
+- chrome_os:116-123
+- android:116-123
+- fuchsia:116-123
+tags:
+- system-security
+type: main
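Review bot: The last paragraph of `desc` misspells "administrators" as `adminstrators`, in the sentence that tells certificate issuers which key usage bits to set. Suggested wording: `If unsure, administrators should include both in RSA certificates meant for HTTPS.` The closed `116-123` ranges in `supported_on` already agree with the statement that the check is always on from version 124, so nothing else needs to change.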
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchHeadsUpPeriod.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchHeadsUpPeriod.yaml
new file mode 100755
index 000000000..c6a8f0b3e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchHeadsUpPeriod.yaml
@@ -0,0 +1,23 @@
+caption: Set the time of the first user relaunch notification
+desc: |-
+ Allows you to set the time period, in milliseconds, between the first notification that a $2Google ChromeOS device must be restarted to apply a pending update and the end of the time period specified by the RelaunchNotificationPeriod policy.
+
+ If not set, the default period of 259200000 milliseconds (three days) is used for $2Google ChromeOS devices.
+
+ For rollback and other $2Google ChromeOS updates that will powerwash the device, the user is always notified immediately when the update is available, independently of the value of this policy.
+example_value: 86400000
+features:
+ dynamic_refresh: true
+ per_profile: false
+label: Time period (milliseconds)
+owners:
+- zmin@chromium.org
+- mpolzer@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ minimum: 3600000
+ type: integer
+supported_on:
+- chrome_os:76-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchNotification.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchNotification.yaml
new file mode 100755
index 000000000..5dd5ec6be
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchNotification.yaml
@@ -0,0 +1,35 @@
+caption: Notify a user that a browser relaunch or device restart is recommended or
+ required
+desc: |-
+ Notify users that $1Google Chrome must be relaunched or $2Google ChromeOS must be restarted to apply a pending update.
+
+ This policy setting enables notifications to inform the user that a browser relaunch or device restart is recommended or required. If not set, $1Google Chrome indicates to the user that a relaunch is needed via subtle changes to its menu, while $2Google ChromeOS indicates such via a notification in the system tray. If set to 'Recommended', a recurring warning will be shown to the user that a relaunch is recommended. The user can dismiss this warning to defer the relaunch. If set to 'Required', a recurring warning will be shown to the user indicating that a browser relaunch will be forced once the notification period passes. The default period is seven days for $1Google Chrome and four days for $2Google ChromeOS, and may be configured via the RelaunchNotificationPeriod policy setting.
+
+ The user's session is restored following the relaunch/restart.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Show a recurring prompt to the user indicating that a relaunch is recommended
+ name: Recommended
+ value: 1
+- caption: Show a recurring prompt to the user indicating that a relaunch is required
+ name: Required
+ value: 2
+owners:
+- grt@chromium.org
+- mpolzer@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ enum:
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:66-
+- chrome_os:70-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchNotificationPeriod.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchNotificationPeriod.yaml
new file mode 100755
index 000000000..0d864af80
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchNotificationPeriod.yaml
@@ -0,0 +1,26 @@
+caption: Set the time period for update notifications
+desc: |-
+ Allows you to set the time period, in milliseconds, over which users are notified that $1Google Chrome must be relaunched or that a $2Google ChromeOS device must be restarted to apply a pending update.
+
+ Over this time period, the user will be repeatedly informed of the need for an update. For $2Google ChromeOS devices, a restart notification appears in the system tray according to the RelaunchHeadsUpPeriod policy. For $1Google Chrome browsers, the app menu changes to indicate that a relaunch is needed once one third of the notification period passes. This notification changes color once two thirds of the notification period passes, and again once the full notification period has passed. The additional notifications enabled by the RelaunchNotification policy follow this same schedule.
+
+ If not set, the default period of 604800000 milliseconds (one week) is used.
+example_value: 604800000
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+label: Time period (milliseconds)
+owners:
+- grt@chromium.org
+- mpolzer@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ minimum: 3600000
+ type: integer
+supported_on:
+- chrome.*:67-
+- chrome_os:67-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchWindow.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchWindow.yaml
new file mode 100755
index 000000000..654718a9f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RelaunchWindow.yaml
@@ -0,0 +1,51 @@
+caption: Set the time interval for relaunch
+desc: |-
+ Specify a target time window for the end of the relaunch notification period.
+
+ Users are notified of the need for a browser relaunch or device restart based on the RelaunchNotification and RelaunchNotificationPeriod policy settings. Browsers and devices are forcibly restarted at the end of the notification period when the RelaunchNotification policy is set to 'Required'. This RelaunchWindow policy can be used to defer the end of the notification period so that it falls within a specific time window.
+
+ If this policy is not set, the default target time window for $2Google ChromeOS is between 2 AM and 4 AM. The default target time window for $1Google Chrome is the whole day (i.e., the end of the notification period is never deferred).
+
+ Note: Though the policy can accept multiple items in entries, all but the first item are ignored.
+ Warning: Setting this policy may delay application of software updates.
+example_value:
+ entries:
+ - duration_mins: 240
+ start:
+ hour: 2
+ minute: 15
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+label: Relaunch time window
+owners:
+- mpolzer@google.com
+- crisguerrero@google.com
+- chromeos-commercial-remote-management@google.com
+schema:
+ properties:
+ entries:
+ items:
+ properties:
+ duration_mins:
+ description: Time period (minutes) that specifies the length of the relaunch
+ window.
+ maximum: 1440
+ minimum: 1
+ type: integer
+ start:
+ $ref: Time
+ description: Time interpreted in local wall-clock 24h format.
+ required:
+ - start
+ - duration_mins
+ type: object
+ type: array
+ type: object
+supported_on:
+- chrome.*:93-
+- chrome_os:93-
+tags: []
+type: dict
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RemoteDebuggingAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RemoteDebuggingAllowed.yaml
new file mode 100755
index 000000000..978a7057e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RemoteDebuggingAllowed.yaml
@@ -0,0 +1,28 @@
+caption: Allow remote debugging
+default: true
+desc: |-
+ Controls whether users may use remote debugging.
+
+ If this policy is set to Enabled or not set, users may use remote debugging by specifying --remote-debugging-port and --remote-debugging-pipe command line switches.
+
+ If this policy is set to Disabled, users are not allowed to use remote debugging.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Allow use of the remote debugging
+ value: true
+- caption: Do not allow use of the remote debugging
+ value: false
+owners:
+- file://components/policy/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:93-
+- chrome_os:93-
+tags: []
+type: main
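Review bot: `tags: []` and the `desc` give no hint that this setting is security-relevant, even though `default: true` leaves the `--remote-debugging-port` and `--remote-debugging-pipe` switches usable. A client attached over the debugging interface can drive the browser, so the description should say so, e.g. `Disable this policy on managed devices that do not need remote debugging, because an attached debugging client can control the browser.` If the `system-security` tag used by other definitions in this commit is meant for settings of this kind, it probably belongs here as well; the tag's definition is not visible in this hunk.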
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RendererAppContainerEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RendererAppContainerEnabled.yaml
new file mode 100755
index 000000000..f53810c5d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RendererAppContainerEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Enable Renderer App Container
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset means Renderer App Container configuration will be enabled on supported platforms.
+
+ Setting the policy to Disabled has a detrimental effect on the security and stability of $1Google Chrome as it will weaken the sandbox that renderer processes use. Only turn off the policy if there are compatibility issues with third-party software that must run inside renderer processes.
+
+ Note: Read more about Process mitigation policies ( https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md#Process-mitigation-policies ).
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Enable the Renderer App Container sandbox
+ value: true
+- caption: Disable the Renderer App Container sandbox
+ value: false
+owners:
+- wfh@chromium.org
+- adetaylor@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:104-
+tags:
+- system-security
+type: main
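Review bot: `example_value: false` shows the setting that the `desc` itself says weakens the renderer sandbox, while `default: true` is the safe state. If example values are copied into generated documentation or sample configurations (not visible from this hunk), an administrator who pastes the example turns the mitigation off. Prefer `example_value: true`, or add a comment above it such as `# example shows the non-default value; do not copy unless required for compatibility`.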
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RendererCodeIntegrityEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RendererCodeIntegrityEnabled.yaml
new file mode 100755
index 000000000..aee797a07
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RendererCodeIntegrityEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable Renderer Code Integrity
+deprecated: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset turns Renderer Code Integrity on.
+
+ Setting the policy to Disabled has a detrimental effect on $1Google Chrome's security and stability as unknown and potentially hostile code can load inside $1Google Chrome's renderer processes. Only turn off the policy if there are compatibility issues with third-party software that must run inside $1Google Chrome's renderer processes.
+
+ This policy was removed in Chrome 118 and is ignored if set.
+
+ Note: Read more about Process mitigation policies ( https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md#Process-mitigation-policies ).
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Enable Renderer Code Integrity
+ value: true
+- caption: Disable Renderer Code Integrity
+ value: false
+owners:
+- wfh@chromium.org
+- adetaylor@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:78-
+tags:
+- system-security
+type: main
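Review bot: `supported_on` is left open-ended as `chrome.win:78-` although the `desc` says the policy was removed in Chrome 118 and is ignored if set. The other removed policies in this commit close their ranges (`48-52` in RC4Enabled.yaml, `63-88` in RunAllFlashInAllowMode.yaml). Tooling that reads `supported_on` would therefore still list this mitigation as configurable on current versions. Closing the range, presumably `- chrome.win:78-117`, would match the description; confirm the last supporting version before changing it.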
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ReportCrostiniUsageEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ReportCrostiniUsageEnabled.yaml
new file mode 100755
index 000000000..3a3408ca5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ReportCrostiniUsageEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Report information about usage of Linux apps
+desc: |-
+ If Linux app support is on, setting the policy to Enabled sends information about Linux apps usage back to the server.
+
+ Setting the policy to Disabled or leaving it unset means no usage information is reported.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable Linux apps usage reporting
+ value: true
+- caption: Disable Linux apps usage reporting
+ value: false
+owners:
+- cros-reporting-team@google.com
+- lbaraz@chromium.org
+- aoldemeier@chromium.org
+- okalitova@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:70-
+tags:
+- admin-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RequireOnlineRevocationChecksForLocalAnchors.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RequireOnlineRevocationChecksForLocalAnchors.yaml
new file mode 100755
index 000000000..140b9693e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RequireOnlineRevocationChecksForLocalAnchors.yaml
@@ -0,0 +1,32 @@
+caption: Require online OCSP/CRL checks for local trust anchors
+default: false
+desc: |-
+ Setting the policy to True means $1Google Chrome always performs revocation checking for successfully validated server certificates signed by locally installed CA certificates. If $1Google Chrome can't get revocation status information, $1Google Chrome treats these certificates as revoked (hard-fail).
+
+ Setting the policy to False or leaving it unset means $1Google Chrome uses existing online revocation-checking settings.
+
+ On macOS, this policy has no effect if the ChromeRootStoreEnabled policy is set to False.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Perform revocation checks for successfully validated server certificates
+ signed by locally installed CA certificates
+ value: true
+- caption: Use existing online revocation-checking settings
+ value: false
+owners:
+- file://net/cert/OWNERS
+- mattm@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:30-
+- chrome.linux:30-
+- chrome.win:30-
+- chrome.mac:109-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RestrictAccountsToPatterns.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RestrictAccountsToPatterns.yaml
new file mode 100755
index 000000000..692240d9a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RestrictAccountsToPatterns.yaml
@@ -0,0 +1,28 @@
+caption: Restrict accounts that are visible in $1Google
+ Chrome
+desc: |-
+ Contains a list of patterns which are used to control the visibility of accounts in $1Google Chrome.
+
+ Each Google account on the device will be compared to patterns stored in this policy to determine the account visibility in $1Google Chrome. The account will be visible if its name matches any pattern on the list. Otherwise, the account will be hidden.
+
+ Use the wildcard character '*' to match zero or more arbitrary characters. The escape character is '\', so to match actual '*' or '\' characters, put a '\' in front of them.
+
+ If this policy is not set, all Google accounts on the device will be visible in $1Google Chrome.
+example_value:
+- '*@example.com'
+- user@managedchrome.com
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- bsazonov@chromium.org
+- file://components/signin/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- android:65-
+- ios:97-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RestrictSigninToPattern.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RestrictSigninToPattern.yaml
new file mode 100755
index 000000000..fa4f7ad5e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RestrictSigninToPattern.yaml
@@ -0,0 +1,23 @@
+caption: Restrict which Google accounts are allowed to be set as browser primary accounts
+ in $1Google Chrome
+desc: |-
+ Contains a regular expression which is used to determine which Google accounts can be set as browser primary accounts in $1Google Chrome (i.e. the account that is chosen during the Sync opt-in flow).
+
+ An appropriate error is displayed if a user tries to set a browser primary account with a username that does not match this pattern.
+
+ If this policy is left not set or blank, then the user can set any Google account as a browser primary account in $1Google Chrome.
+example_value: .*@example\.com
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:21-
+tags: []
+type: string
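Review bot: The `desc` does not say whether the regular expression has to match the whole username or only part of it, and the `example_value` `.*@example\.com` carries no anchors. If matching is partial, that example would also accept an account whose name merely contains `@example.com`, which defeats the restriction. State the rule in the description, for instance `The pattern must match the entire username.`, or, if matching is partial, anchor the example as `^.*@example\.com$`. The matching code is not part of this hunk, so which of the two applies needs checking.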
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RestrictedManagedGuestSessionExtensionCleanupExemptList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RestrictedManagedGuestSessionExtensionCleanupExemptList.yaml
new file mode 100755
index 000000000..f5ac3554d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RestrictedManagedGuestSessionExtensionCleanupExemptList.yaml
@@ -0,0 +1,24 @@
+caption: Configure the list of extension IDs exempt from the restricted managed guest
+ session clean-up procedure
+desc: |-
+ The policy only applies to managed guest sessions.
+ Setting the policy specifies a list of extension IDs that are exempt from the restricted managed guest session clean-up procedure (see DeviceRestrictedManagedGuestSessionEnabled).
+ Leaving the policy unset means no extensions are exempt from the reset procedure.
+example_value:
+- abcdefghijklmnopabcdefghijklmnop
+- bcdefghijklmnopabcdefghijklmnopa
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- mpetrisor@chromium.org
+- hendrich@chromium.org
+schema:
+ items:
+ pattern: ^[a-p]{32}$
+ type: string
+ type: array
+supported_on:
+- chrome_os:96-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RoamingProfileLocation.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RoamingProfileLocation.yaml
new file mode 100755
index 000000000..b44ea8d18
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RoamingProfileLocation.yaml
@@ -0,0 +1,28 @@
+caption: Set the roaming profile directory
+desc: |-
+ Configures the directory that $1Google Chrome will use for storing the roaming copy of the profiles.
+
+ If you set this policy, $1Google Chrome will use the provided directory to store the roaming copy of the profiles if the RoamingProfileSupportEnabled policy has been enabled. If the RoamingProfileSupportEnabled policy is disabled or left unset the value stored in this policy is not used.
+
+ See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.
+
+ On non-Windows platforms, this policy must be set for roaming profiles to work.
+
+ On Windows, if this policy is left unset, the default roaming profile path will be used.
+example_value: ${roaming_app_data}\chrome-profile
+features:
+ dynamic_refresh: false
+ per_profile: false
+label: Set the roaming profile directory
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.win:57-
+- chrome.mac:88-
+- chrome.linux:88-
+tags:
+- local-data-access
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RoamingProfileSupportEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RoamingProfileSupportEnabled.yaml
new file mode 100755
index 000000000..7ad6c2e89
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RoamingProfileSupportEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Enable the creation of roaming copies for $1Google
+ Chrome profile data
+desc: |-
+ If you enable this setting, the settings stored in $1Google Chrome profiles like bookmarks, autofill data, passwords, etc. will also be written to a file stored in the Roaming user profile folder or a location specified by the Administrator through the RoamingProfileLocation policy. Enabling this policy disables cloud sync.
+
+ If this policy is disabled or left not set only the regular local profiles will be used.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Enable creation of roaming profiles
+ value: true
+- caption: Disable creation of roaming profiles
+ value: false
+label: Enable the creation of roaming copies for $1Google
+ Chrome profile data.
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:57-
+- chrome.mac:88-
+- chrome.linux:88-
+tags:
+- local-data-access
+type: main
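Review bot: The `desc` says bookmarks, autofill data and passwords are written to a file in the roaming profile folder or the RoamingProfileLocation directory, but says nothing about how that file is protected. Whether the roaming copy is encrypted is not visible from this hunk, so the description should at least tell administrators to restrict the location, e.g. `Make sure the roaming location is readable only by the owning user.` The sentence "Enabling this policy disables cloud sync" would also read better as its own paragraph, since it is a side effect administrators can easily miss.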
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RunAllFlashInAllowMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RunAllFlashInAllowMode.yaml
new file mode 100755
index 000000000..6e8476a43
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/RunAllFlashInAllowMode.yaml
@@ -0,0 +1,30 @@
+caption: Extend Flash content setting to all content (deprecated)
+deprecated: true
+desc: |-
+ This policy has been removed since $1Google Chrome version 89 because Flash has been deprecated.
+
+ Setting the policy to True runs all Flash content embedded on websites that allow Flash, including content from other origins or small content.
+
+ Setting the policy to False or leaving it unset might block Flash content from other origins or small content.
+
+ Note: To control which websites can run Flash, see these policies: DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Run all Flash content
+ value: true
+- caption: Allow certain Flash content to be blocked
+ value: false
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:63-88
+- chrome_os:63-88
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLErrorOverrideAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLErrorOverrideAllowed.yaml
new file mode 100755
index 000000000..54ecab78c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLErrorOverrideAllowed.yaml
@@ -0,0 +1,26 @@
+caption: Allow proceeding from the SSL warning page
+desc: |-
+ Setting the policy to Enabled or leaving it unset lets users click through warning pages $1Google Chrome shows when users navigate to sites that have SSL errors.
+
+ Setting the policy to Disabled prevent users from clicking through any warning pages.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow users to click through SSL warning pages
+ value: true
+- caption: Prevent users from clicking through SSL warning pages
+ value: false
+owners:
+- agl@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:44-
+- chrome_os:44-
+- android:44-
+tags: []
+type: main
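Review bot: The second `desc` paragraph has a grammar slip, `Setting the policy to Disabled prevent users`, which should read `Setting the policy to Disabled prevents users from clicking through any warning pages.` The definition also carries no `default:` line although the text states that unset behaves as Enabled; RemoteDebuggingAllowed.yaml in this commit records the same situation with `default: true`. Since the unset state lets users bypass certificate errors, the description could recommend Disabled together with SSLErrorOverrideAllowedForOrigins for the few origins that need an exception.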
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLErrorOverrideAllowedForOrigins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLErrorOverrideAllowedForOrigins.yaml
new file mode 100755
index 000000000..19d666952
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLErrorOverrideAllowedForOrigins.yaml
@@ -0,0 +1,30 @@
+caption: Allow proceeding from the SSL warning page on specific origins
+desc: |-
+ If SSLErrorOverrideAllowed is Disabled, setting the policy lets you set a list of origin patterns that specify the sites where a user can click through warning pages $1Google Chrome shows when users navigate to sites that have SSL errors. Users will not be able to click through SSL warning pages on origins that are not on this list.
+
+ If SSLErrorOverrideAllowed is Enabled or unset, this policy does nothing.
+
+ Leaving the policy unset means SSLErrorOverrideAllowed applies for all sites.
+
+ For detailed information on valid input patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy. This policy only matches based on origin, so any path in the URL pattern is ignored.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- agl@chromium.org
+- niarci@microsoft.com
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:90-
+- chrome_os:90-
+- android:90-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLVersionFallbackMin.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLVersionFallbackMin.yaml
new file mode 100755
index 000000000..5108c7c31
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLVersionFallbackMin.yaml
@@ -0,0 +1,36 @@
+caption: Minimum TLS version to fallback to
+deprecated: true
+desc: |-
+ This policy was removed in M53 after TLS version fallback was removed from $1Google Chrome.
+
+ When a TLS handshake fails, $1Google Chrome would previously retry the connection with a lesser version of TLS in order to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly (i.e. without breaking the connection) then this setting doesn't apply. Regardless, the resulting connection must still comply with SSLVersionMin.
+
+ If this policy is not configured or if it is set to "tls1.2" then $1Google Chrome no longer performs this fallback. Note this does not disable support for older TLS versions, only whether $1Google Chrome will work around buggy servers which cannot negotiate versions correctly.
+
+ Otherwise, if compatibility with a buggy server must be maintained, this policy may be set to "tls1.1". This is a stopgap measure and the server should be rapidly fixed.
+example_value: tls1.1
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: TLS 1.1
+ name: TLSv1.1
+ value: tls1.1
+- caption: TLS 1.2
+ name: TLSv1.2
+ value: tls1.2
+owners:
+- file://crypto/OWNERS
+- agl@chromium.org
+schema:
+ enum:
+ - tls1.1
+ - tls1.2
+ type: string
+supported_on:
+- chrome.*:50-52
+- chrome_os:50-52
+- android:50-52
+tags:
+- system-security
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLVersionMax.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLVersionMax.yaml
new file mode 100755
index 000000000..0b69f7db9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLVersionMax.yaml
@@ -0,0 +1,34 @@
+caption: Maximum SSL version enabled
+deprecated: true
+desc: |-
+ This policy was removed in M75 after the max TLS version policy was removed from $1Google Chrome.
+
+ If this policy is not configured then $1Google Chrome uses the default maximum version.
+
+ Otherwise it may be set to one of the following values: "tls1.2" or "tls1.3". When set, $1Google Chrome will not use SSL/TLS versions greater than the specified version. An unrecognized value will be ignored.
+example_value: tls1.2
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: TLS 1.2
+ name: TLSv1.2
+ value: tls1.2
+- caption: TLS 1.3
+ name: TLSv1.3
+ value: tls1.3
+owners:
+- file://crypto/OWNERS
+- agl@chromium.org
+schema:
+ enum:
+ - tls1.2
+ - tls1.3
+ type: string
+supported_on:
+- chrome.*:58-74
+- chrome_os:58-74
+- android:58-74
+tags:
+- system-security
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLVersionMin.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLVersionMin.yaml
new file mode 100755
index 000000000..98b937275
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SSLVersionMin.yaml
@@ -0,0 +1,47 @@
+caption: Minimum SSL version enabled
+deprecated: true
+desc: |-
+ Setting the policy to a valid value means $1Google Chrome won't use SSL/TLS versions less than the specified version. Unrecognized values are ignored.
+
+ If this policy is not set, then $1Google Chrome will show an error for TLS 1.0 and TLS 1.1, but the user will be able to bypass it.
+
+ If this policy is set to "tls1.2", the user will not be able to bypass this error.
+
+ Support for setting this policy to "tls1" or "tls1.1" was removed in version 91. Suppressing the TLS 1.0/1.1 warning is no longer supported.
+example_value: tls1.2
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: TLS 1.0
+ name: TLSv1
+ supported_on:
+ - chrome.*:66-90
+ - chrome_os:66-90
+ - android:66-90
+ value: tls1
+- caption: TLS 1.1
+ name: TLSv1.1
+ supported_on:
+ - chrome.*:66-90
+ - chrome_os:66-90
+ - android:66-90
+ value: tls1.1
+- caption: TLS 1.2
+ name: TLSv1.2
+ value: tls1.2
+owners:
+- file://crypto/OWNERS
+- agl@chromium.org
+schema:
+ enum:
+ - tls1
+ - tls1.1
+ - tls1.2
+ type: string
+supported_on:
+- chrome.*:66-97
+- chrome_os:66-97
+- android:66-97
+tags: []
+type: string-enum
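Review bot: The `desc` never states that the policy has been removed, although the file sets `deprecated: true` and `supported_on` stops at 97. SSLVersionFallbackMin.yaml and SSLVersionMax.yaml both open with a "This policy was removed in M…" sentence. An admin reading this text could still believe that setting `tls1.2` enforces a protocol floor on current versions. I would add an opening sentence to `desc` naming the milestone of removal (presumably the one after 97, to be confirmed) and the behaviour that applies since then. The caption also says "SSL version" while every item is a TLS version.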
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeBrowsingExtendedReportingOptInAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeBrowsingExtendedReportingOptInAllowed.yaml
new file mode 100755
index 000000000..934ab1bc9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeBrowsingExtendedReportingOptInAllowed.yaml
@@ -0,0 +1,22 @@
+caption: Allow users to opt in to Safe Browsing extended reporting
+deprecated: true
+desc: |-
+ This policy is deprecated in M82 and removed in M85, use SafeBrowsingExtendedReportingEnabled instead. Disabling SafeBrowsingExtendedReportingOptInAllowed is equivalent to disabling SafeBrowsingExtendedReportingEnabled. Enabling SafeBrowsingExtendedReportingOptInAllowed or leaving this setting unset is equivalent to leaving SafeBrowsingExtendedReportingEnabled unset.
+
+ Setting this policy to false stops users from choosing to send some system information and page content to Google servers. If this setting is true or not configured, then users will be allowed to send some system information and page content to Safe Browsing to help detect dangerous apps and sites.
+
+ See https://developers.google.com/safe-browsing for more info on Safe Browsing.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- estark@chromium.org
+- meacer@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:44-84
+- chrome_os:44-84
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeBrowsingForTrustedSourcesEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeBrowsingForTrustedSourcesEnabled.yaml
new file mode 100755
index 000000000..6db8b12ce
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeBrowsingForTrustedSourcesEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Enable Safe Browsing for trusted sources
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset means downloaded files are sent to be analyzed by Safe Browsing, even when it's from a trusted source.
+
+ Setting the policy to Disabled means downloaded files won't be sent to be analyzed by Safe Browsing when it's from a trusted source.
+
+ These restrictions apply to downloads triggered from webpage content, as well as the Download link menu option. These restrictions don't apply to the save or download of the currently displayed page or to saving as PDF from the printing options.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Perform Safe Browsing checks on all downloaded files
+ value: true
+- caption: Skip Safe Browsing checks for files download from trusted sources
+ value: false
+label: Safe Browsing enable state for trusted sources
+owners:
+- dpr-eng@google.com
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:61-
+tags:
+- local-data-access
+type: main
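Review bot: The `desc` does not say what counts as a "trusted source", yet the Disabled state skips Safe Browsing analysis of downloads for exactly that set. Whoever sets `false` cannot tell from this text how wide the exemption is, so a sentence defining the term, or naming the setting that determines it, should be added to `desc`. For wording, the second item caption should read `Skip Safe Browsing checks for files downloaded from trusted sources`, and "when it's from a trusted source" should be "when they are from a trusted source" in both paragraphs.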
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeBrowsingWhitelistDomains.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeBrowsingWhitelistDomains.yaml
new file mode 100755
index 000000000..e057c15fb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeBrowsingWhitelistDomains.yaml
@@ -0,0 +1,28 @@
+caption: Configure the list of domains on which Safe Browsing will not trigger warnings.
+deprecated: true
+desc: |-
+ This policy is deprecated, please use SafeBrowsingAllowlistDomains instead.
+
+ Setting the policy to Enabled means Safe Browsing will trust the domains you designate. It won't check them for dangerous resources such as phishing, malware, or unwanted software. Safe Browsing's download protection service won't check downloads hosted on these domains. Its password protection service won't check for password reuse.
+
+ Setting the policy to Disabled or leaving it unset means default Safe Browsing protection applies to all resources.
+
+ On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
+example_value:
+- mydomain.com
+- myuniversity.edu
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- nwokedi@chromium.org
+- nparker@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:68-100
+- chrome_os:68-100
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeSitesFilterBehavior.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeSitesFilterBehavior.yaml
new file mode 100755
index 000000000..771268f09
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SafeSitesFilterBehavior.yaml
@@ -0,0 +1,38 @@
+caption: Control SafeSites adult content filtering.
+desc: |-
+ Setting the policy controls the SafeSites URL filter, which uses the Google Safe Search API to classify URLs as pornographic or not.
+
+ When this policy is set to:
+
+ * Do not filter sites for adult content, or not set, sites aren't filtered
+
+ * Filter top level sites for adult content, pornographic sites are filtered
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Do not filter sites for adult content
+ name: SafeSitesFilterDisabled
+ value: 0
+- caption: Filter top level sites (but not embedded iframes) for adult content
+ name: SafeSitesFilterEnabled
+ value: 1
+owners:
+- michaelpg@chromium.org
+- ftirelo@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+supported_on:
+- android:116-
+- chrome.*:69-
+- chrome_os:69-
+tags:
+- filtering
+- google-sharing
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SamlLockScreenOfflineSigninTimeLimitDays.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SamlLockScreenOfflineSigninTimeLimitDays.yaml
new file mode 100755
index 000000000..4ab2223c3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SamlLockScreenOfflineSigninTimeLimitDays.yaml
@@ -0,0 +1,33 @@
+caption: Limit the time for which a user authenticated via SAML can log in offline
+ at the lock screen
+default: null
+desc: |-
+ While logging in through the lock screen, $2Google ChromeOS can authenticate against a server (online) or using a cached password (offline).
+
+ When this policy is set to -2, it will match the value of the login screen offline signin time limit which comes from SAMLOfflineSigninTimeLimit.
+
+ When the policy is unset or set to a value of -1, it will not enforce online authentication on the lock screen and will allow the user to use offline authentication unless a different reason than this policy enforces an online authentication.
+
+ If the policy is set to a value of 0, online authentication will always be required.
+
+ When this policy is set to any other value, it specifies the number of days since the last online authentication after which the user must use online authentication again in the next login through the lock screen.
+
+ This policy affects users who authenticated using SAML.
+
+ The policy value should be specified in days.
+example_value: 32
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- ayag@chromium.org
+- chromeos-commercial-identity@google.com
+- file://components/policy/OWNERS
+schema:
+ maximum: 365
+ minimum: -2
+ type: integer
+supported_on:
+- chrome_os:92-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SandboxExternalProtocolBlocked.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SandboxExternalProtocolBlocked.yaml
new file mode 100755
index 000000000..d10638849
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SandboxExternalProtocolBlocked.yaml
@@ -0,0 +1,35 @@
+caption: Allow Chrome to block navigations toward external protocols in sandboxed
+ iframes
+default: true
+desc: "Chrome will block navigations toward external protocols inside\n sandboxed\
+ \ iframe. See https://chromestatus.com/features/5680742077038592.\n\n When\
+ \ True, this lets Chrome blocks those navigations.\n\n When False, this prevents\
+ \ Chrome from blocking those navigations.\n\n This defaults to True: security\
+ \ feature enabled.\n\n This can be used by administrators who need more time\
+ \ to update their internal website affected by this new restriction. This Enterprise\
+ \ policy is temporary; it's intended to be removed after $1Google Chrome version 117.\n "
+device_only: false
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow Chrome to block navigations to external protocols inside sandboxed
+ iframe
+ value: true
+- caption: Prevent Chrome to block navigations to external protocols inside sandboxed
+ iframe
+ value: false
+owners:
+- arthursonzogni@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:96-
+- chrome_os:96-
+tags:
+- system-security
+type: main
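Review bot: The `desc` calls this a temporary escape hatch "intended to be removed after $1Google Chrome version 117", but `supported_on` is open-ended (`chrome.*:96-`, `chrome_os:96-`) and there is no `deprecated: true`, in a snapshot the commit subject labels 130.0.6723.73. As written, `false` still reads as a supported way to switch off a security restriction. Either the version ranges should be closed and the file marked deprecated, or the removal sentence should be updated; which is right cannot be told from this hunk. The item captions are also hard to parse and would be clearer as `Block navigations to external protocols inside sandboxed iframes` and `Do not block navigations to external protocols inside sandboxed iframes`; "lets Chrome blocks" should be "lets Chrome block".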
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SavingBrowserHistoryDisabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SavingBrowserHistoryDisabled.yaml
new file mode 100755
index 000000000..ed9495269
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SavingBrowserHistoryDisabled.yaml
@@ -0,0 +1,28 @@
+caption: Disable saving browser history
+desc: |-
+ Setting the policy to Enabled means browsing history is not saved, tab syncing is off and users can't change this setting.
+
+ Setting the policy to Disabled or leaving it unset saves browsing history.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Disable saving browser history
+ value: true
+- caption: Enable saving browser history
+ value: false
+owners:
+- file://components/policy/OWNERS
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+- ios:88-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SchedulerConfiguration.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SchedulerConfiguration.yaml
new file mode 100755
index 000000000..db9728878
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SchedulerConfiguration.yaml
@@ -0,0 +1,29 @@
+caption: Select task scheduler configuration
+desc: |-
+ Setting the policy instructs $2Google ChromeOS to use the task scheduler configuration identified by the specified name. This policy can be set to Conservative or Performance, which tune the task scheduler for stability or maximum performance, respectively.
+
+ If unset, users make their own choice.
+example_value: performance
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Optimize for stability.
+ name: Conservative
+ value: conservative
+- caption: Optimize for performance.
+ name: Performance
+ value: performance
+owners:
+- file://components/policy/OWNERS
+- emaxx@chromium.org
+schema:
+ enum:
+ - conservative
+ - performance
+ type: string
+supported_on:
+- chrome_os:74-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ScreenCaptureLocation.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ScreenCaptureLocation.yaml
new file mode 100755
index 000000000..e4affcdcc
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ScreenCaptureLocation.yaml
@@ -0,0 +1,27 @@
+caption: Set location to store screen captures
+desc: |-
+ Sets the directory where Screen Captures (both screenshot and screen recordings) are being saved.
+ If the policy is set as recommended, the value will be used by default, but user will be able to change it.
+ Otherwise the user can't change it and the captures are always saved to the defined directory.
+
+ The policy uses same format as DownloadDirectory policy
+ The location could be set to either local filesystem or Google Drive (with '${google_drive}' prefix) or Microsoft OneDrive (with '${microsoft_onedrive}' prefix).
+ If the policy is set to empty string, it'll force the screen captures to be stored in the local "Downloads" directory.
+ See a list of variables you can use ( https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables ).
+
+ Leaving the policy unset means $2Google ChromeOS uses the default "Downloads" directory to store screen captures, and users can change it.
+example_value: ${google_drive}/ScreenCapture
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- poromov@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome_os:126-
+tags:
+- local-data-access
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ScreenCaptureWithoutGestureAllowedForOrigins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ScreenCaptureWithoutGestureAllowedForOrigins.yaml
new file mode 100755
index 000000000..5136d0ed9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ScreenCaptureWithoutGestureAllowedForOrigins.yaml
@@ -0,0 +1,36 @@
+caption: Allow screen capture without prior user gesture
+desc: |-
+ For security reasons, the
+ getDisplayMedia() web API requires
+ a prior user gesture ("transient activation") to be called or will otherwise
+ fail.
+
+ With this policy set, admins can specify origins on which this API can be
+ called without prior user gesture.
+
+ For detailed information on valid url patterns, please see
+ https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is
+ not an accepted value for this policy.
+
+ If this policy is unset, all origins will require a prior user gesture to call
+ this API.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://third_party/blink/renderer/modules/mediastream/OWNERS
+- hendrich@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:113-
+- chrome_os:113-
+future_on:
+- fuchsia
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ScrollToTextFragmentEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ScrollToTextFragmentEnabled.yaml
new file mode 100755
index 000000000..2b99e5fdd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ScrollToTextFragmentEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Enable scrolling to text specified in URL fragments
+default: true
+desc: |-
+ This feature allows for hyperlinks and address bar URL navigations to target specific text within a web page, which will be scrolled to once the loading of the web page is complete.
+
+ If you enable or don't configure this policy, web page scrolling to specific text fragments via URL will be enabled.
+
+ If you disable this policy, web page scrolling to specific text fragments via URL will be disabled.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow sites to scroll to specific text fragments via URL
+ value: true
+- caption: Do not allow sites to scroll to specific text fragments via URL
+ value: false
+owners:
+- dlibby@microsoft.com
+- bokan@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:83-
+- chrome_os:83-
+- android:83-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SearchSuggestEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SearchSuggestEnabled.yaml
new file mode 100755
index 000000000..1bf3821cc
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SearchSuggestEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Enable search suggestions
+desc: |-
+ Setting the policy to True turns on search suggestions in $1Google Chrome's address bar. Setting the policy to False turns off these search suggestions.
+
+ Suggestions based on bookmarks or history are unaffected by the policy.
+
+ If you set the policy, users can't change it. If not set, search suggestions are on at first, but users can turn them off any time.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable search suggestions
+ value: true
+- caption: Disable search suggestions
+ value: false
+owners:
+- chrome-desktop-search@google.com
+- jdonnelly@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+- ios:88-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecondaryGoogleAccountSigninAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecondaryGoogleAccountSigninAllowed.yaml
new file mode 100755
index 000000000..1aa6873d7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecondaryGoogleAccountSigninAllowed.yaml
@@ -0,0 +1,29 @@
+caption: Allow Sign-in To Additional Google Accounts
+desc: |-
+ This setting allows users to switch between Google Accounts within the content area of their browser window and in Android applications, after they sign into their $2Google ChromeOS device.
+
+ If this policy is set to false, signing in to a different Google Account from a non-Incognito browser content area and Android applications will not be allowed.
+
+ If this policy is unset or set to true, the default behavior will be used: signing in to a different Google Account from the browser content area and Android applications will be allowed, except for child accounts where it will be blocked for non-Incognito content area.
+
+ In case signing in to a different account shouldn't be allowed via the Incognito mode, consider blocking that mode using the IncognitoModeAvailability policy.
+
+ Note that users will be able to access Google services in an unauthenticated state by blocking their cookies.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Enable signing in with additional Google accounts
+ value: true
+- caption: Disable signing in with additional Google accounts
+ value: false
+owners:
+- sinhak@chromium.org
+- emaamari@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:65-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecondaryGoogleAccountUsage.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecondaryGoogleAccountUsage.yaml
new file mode 100755
index 000000000..48dcf5113
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecondaryGoogleAccountUsage.yaml
@@ -0,0 +1,35 @@
+caption: Add restrictions on a managed account's usage as a secondary account on ChromeOS
+default: all
+deprecated: true
+desc: |-
+ Removed in M122 - this is a server-side-only policy that never used the ChromeOS policy infrastructure for its propagation.
+ If this policy is set to 'all' or not set, all usages of managed accounts are allowed. This may result in a managed account being a secondary account, which would only receive policies when the account is signed-in as a primary account in a browser Profile.
+ Policies set to the account won't be enforced in the following scenarios:
+ - Being a secondary account at the OS level (Account Settings)
+ - Being a secondary account in a browser Profile
+
+ If this policy is set to 'primary_account_signin' on an account, this account will be allowed to sign in as a primary account only. It won't be allowed to sign in as a secondary account.
+example_value: primary_account_signin
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: All usages of managed accounts are allowed
+ name: All
+ value: all
+- caption: Block addition of a managed account as Secondary Account on ChromeOS (in-session)
+ name: PrimaryAccountSignin
+ value: primary_account_signin
+owners:
+- rodmartin@google.com
+- sinhak@chromium.org
+- chromeos-commercial-identity@google.com
+schema:
+ enum:
+ - all
+ - primary_account_signin
+ type: string
+supported_on:
+- chrome_os:103-121
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecurityKeyPermitAttestation.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecurityKeyPermitAttestation.yaml
new file mode 100755
index 000000000..b5d83399a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecurityKeyPermitAttestation.yaml
@@ -0,0 +1,23 @@
+caption: URLs/domains automatically permitted direct Security Key attestation
+desc: |-
+ Setting the policy specifies WebAuthn RP IDs for which no prompt appears when attestation certificates from security keys are requested. A signal is also sent to the security key indicating that enterprise attestation may be used. Without this, when sites request attestation of security keys, users are prompted in $1Google Chrome version 65 and later.
+example_value:
+- example.com
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- agl@chromium.org
+- martinkr@google.com
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:65-
+- chrome_os:65-
+tags:
+- website-sharing
+type: list
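Review bot: The caption promises "URLs/domains" while `desc` and `example_value` take WebAuthn RP IDs, which are bare domain strings such as `example.com`. An admin who follows the caption and enters a full URL would presumably get an entry that never matches. I would change the caption to `WebAuthn RP IDs automatically permitted direct Security Key attestation` and add to `desc` that entries are RP IDs, not URLs or URL patterns. Since the listed sites receive attestation certificates without a user prompt, `desc` should also state what that may disclose about the individual security key.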
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecurityTokenSessionBehavior.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecurityTokenSessionBehavior.yaml
new file mode 100755
index 000000000..2786b950b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecurityTokenSessionBehavior.yaml
@@ -0,0 +1,35 @@
+caption: Action on security token removal (e.g., smart card) for $2Google
+ ChromeOS.
+desc: 'Specifies what happens when a user who is authenticating via a security token
+ (e.g., with a smart card) removes that token while in a session. IGNORE:
+ Nothing happens. LOCK: The
+ screen is locked until the user authenticates again. LOGOUT:
+ The session is ended and the user is logged out. If this policy is not set, it defaults
+ to IGNORE.'
+example_value: LOGOUT
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: No action happens.
+ name: ignore
+ value: IGNORE
+- caption: Log the user out.
+ name: logout
+ value: LOGOUT
+- caption: Lock the current session.
+ name: lock
+ value: LOCK
+owners:
+- fabiansommer@chromium.org, emaxx@chromium.org
+- fabiansommer@chromium.org
+schema:
+ enum:
+ - IGNORE
+ - LOGOUT
+ - LOCK
+ type: string
+supported_on:
+- chrome_os:90-
+tags: []
+type: string-enum
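Review bot: The first `owners` entry is the single string `fabiansommer@chromium.org, emaxx@chromium.org`, so two addresses are packed into one list item and `fabiansommer@chromium.org` is repeated on the next line. Anything that treats each item as one address will not resolve the first entry; the list should be `- fabiansommer@chromium.org` and `- emaxx@chromium.org`. SecurityTokenSessionNotificationSeconds.yaml has the same two lines. The `desc` says an unset policy defaults to IGNORE, meaning removing the token leaves the session open, but there is no `default:` key to make that explicit.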
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecurityTokenSessionNotificationSeconds.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecurityTokenSessionNotificationSeconds.yaml
new file mode 100755
index 000000000..c86440160
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SecurityTokenSessionNotificationSeconds.yaml
@@ -0,0 +1,26 @@
+caption: Duration of the notification on smart card removal for $2Google
+ ChromeOS.
+desc: This policy only takes effect when the policy SecurityTokenSessionBehavior
+ is set to LOCK or LOGOUT,
+ and a user who authenticates via a smart card removes that smart card. Then, this
+ policy specifies for how many seconds a notification which informs the user of the
+ impending action is displayed. This notification is blocking the screen. The action
+ will only happen after this notification expires. The user can prevent the action
+ from happening by re-inserting the smart card before the notification expires. If
+ this policy is set to zero, no notification will be displayed and the action happens
+ immediately.
+example_value: 10
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- fabiansommer@chromium.org, emaxx@chromium.org
+- fabiansommer@chromium.org
+schema:
+ maximum: 9999
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:90-
+tags: []
+type: int
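Review bot: `desc` does not say which duration applies when this policy is unset, and the file has no `default:` key to record it. That matters because the schema accepts anything from 0 (action fires immediately) to 9999 seconds, and re-inserting the card during the notification cancels the lock or logout. I would add a closing sentence to `desc` of the form `If this policy is not set, the notification is shown for <documented default> seconds.`, with the value taken from the handler, which is outside this patch.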
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SendMouseEventsDisabledFormControlsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SendMouseEventsDisabledFormControlsEnabled.yaml
new file mode 100755
index 000000000..14016007e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SendMouseEventsDisabledFormControlsEnabled.yaml
@@ -0,0 +1,40 @@
+caption: Control the new behavior for event dispatching on disabled form controls
+default: null
+deprecated: true
+desc: |2-
+ Event dispatching on disabled form controls is being changed in chromium in order to improve compatibility with other browsers and to improve developer experience.
+
+ This change makes MouseEvents get dispatched on disabled form control elements except click, mouseup, and mousedown. The new events will include mousemove, mouseenter, and mouseleave for example.
+
+ This change also truncates the event path of click, mouseup, and mousedown when they are dispatched on children of disabled form controls so they are not dispatched on the disabled form control or any of its ancestors.
+
+ The new behavior may break some websites.
+
+ If this policy is enabled, then the new behavior will be used.
+
+ If this policy is disabled, then the old behavior will be used.
+
+ If this policy is not set, then the new behavior will be used just like the rest of chromium users.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: New event dispatching on disabled form controls behavior will be used.
+ value: true
+- caption: Old event dispatching on disabled form controls behavior will be used.
+ value: false
+- caption: New event dispatching on disabled form controls behavior will be used by default.
+ value: null
+owners:
+- jarhar@chromium.org
+- masonf@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:109-120
+- chrome_os:109-120
+- android:109-120
+- webview_android:109-120
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SessionLengthLimit.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SessionLengthLimit.yaml
new file mode 100755
index 000000000..5ee861fa9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SessionLengthLimit.yaml
@@ -0,0 +1,22 @@
+caption: Limit the length of a user session
+desc: |-
+ When this policy is set, it specifies the length of time after which a user is automatically logged out, terminating the session. The user is informed about the remaining time by a countdown timer shown in the system tray.
+
+ When this policy is not set, the session length is not limited.
+
+ If you set this policy, users cannot change or override it.
+
+ The policy value should be specified in milliseconds. Values are clamped to a range of 30 seconds to 24 hours.
+example_value: 3600000
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ type: integer
+supported_on:
+- chrome_os:25-
+tags: []
+type: int
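Review bot: The schema is a bare `type: integer` although `desc` states that values are clamped to a range of 30 seconds to 24 hours, so an out-of-range value passes validation and is adjusted without any signal to the admin. Either declare the bounds in the schema, `minimum: 30000` and `maximum: 86400000` (milliseconds), as SecurityTokenSessionNotificationSeconds.yaml does with its `minimum`/`maximum` keys, or state in `desc` that out-of-range values are accepted and clamped rather than rejected. Which of the two matches the handler cannot be determined from this file.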
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SessionLocales.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SessionLocales.yaml
new file mode 100755
index 000000000..9f4783de6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SessionLocales.yaml
@@ -0,0 +1,29 @@
+caption: Set the recommended locales for a managed session
+desc: |-
+ Setting the policy (as recommended only) moves recommended locales for a managed session to the top of the list, in the order in which they appear in the policy. The first recommended locale is preselected.
+
+ If not set, the current UI locale is preselected.
+
+ For more than one recommended locale, the assumption is that users want to choose among these locales. Locale and keyboard layout selection is prominent when starting a managed session. Otherwise, the assumption is that most users want the preselected locale. Locale and keyboard layout selection is less prominent when starting a managed session.
+
+ If you set the policy and turn automatic sign-in on (see the DeviceLocalAccountAutoLoginId and DeviceLocalAccountAutoLoginDelay policies), the managed session uses the first recommended locale and the most popular matching keyboard layout.
+
+ The preselected keyboard layout is always the most popular layout matching the preselected locale. Users can always choose any locale supported by $2Google ChromeOS for their session.
+example_value:
+- de
+- fr
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:38-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SetTimeoutWithout1MsClampEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SetTimeoutWithout1MsClampEnabled.yaml
new file mode 100755
index 000000000..f2a9b52b3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SetTimeoutWithout1MsClampEnabled.yaml
@@ -0,0 +1,39 @@
+caption: Control Javascript setTimeout() function minimum timeout.
+default: null
+deprecated: true
+desc: "When the policy is set to Enabled, the Javascript setTimeout() with a timeout\
+ \ of 0ms will not clamp to 1ms.\n When the policy is set to Disabled, \
+ \ the Javascript setTimeout() with a timeout of 0ms will clamp to 1ms.\n \
+ \ When the policy is unset, use the browser's default behavior for setTimeout()\
+ \ function clamp.\n\n This is a web standards compliant feature, but it\
+ \ may change task ordering\n on a web page, leading to unexpected behavior\
+ \ on sites that are dependent on\n a certain ordering in some way. It also\
+ \ may affect sites with a lot of setTimeout()\n with a timeout of 0ms usage,\
+ \ e.g. increasing CPU load.\n\n For users where this policy is unset, Chrome\
+ \ will roll out the change gradually on the stable channel.\n\n This policy\
+ \ was removed in Chrome 110.\n "
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Javascript setTimeout() with a timeout of 0ms will not clamp to 1ms.
+ value: true
+- caption: Javascript setTimeout() with a timeout of 0ms will clamp to 1ms.
+ value: false
+- caption: '''Default behavior for setTimeout() function clamp.'
+ value: null
+owners:
+- file://third_party/blink/renderer/core/frame/OWNERS
+- shaseley@chromium.org
+- bokan@chromium.org
+- dcheng@chromium.org
+- japhet@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:101-109
+- chrome.*:101-109
+- android:101-109
+tags: []
+type: main
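Review bot: The caption of the `null` item is written as `'''Default behavior for setTimeout() function clamp.'`, which YAML parses to a string that begins with a literal apostrophe. The likely intent is `- caption: Default behavior for setTimeout() function clamp.`, matching the unquoted captions of the other two items. The double-quoted `desc` also embeds runs of indentation after each `\n`; a block scalar (`desc: |-`), as used by the neighbouring definitions, would avoid shipping that whitespace in the rendered text.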
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SharedArrayBufferUnrestrictedAccessAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SharedArrayBufferUnrestrictedAccessAllowed.yaml
new file mode 100755
index 000000000..b0c0c96cd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SharedArrayBufferUnrestrictedAccessAllowed.yaml
@@ -0,0 +1,33 @@
+caption: Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated
+ context
+default: false
+desc: |2-
+
+ Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context. $1Google Chrome will require cross-origin isolation when using SharedArrayBuffers from $1Google Chrome 91 onward (2021-05-25) for Web Compatibility reasons. Additional details can be found on: https://developer.chrome.com/blog/enabling-shared-array-buffer/.
+
+ When set to Enabled, sites can use SharedArrayBuffer with no restrictions.
+
+ When set to Disabled or not set, sites can only use SharedArrayBuffers when cross-origin isolated.
+device_only: false
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow sites to use SharedArrayBuffers
+ value: true
+- caption: Prevent sites from using SharedArrayBuffers
+ value: false
+owners:
+- arthursonzogni@chromium.org
+- vahl@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:91-
+- chrome_os:91-
+tags:
+- system-security
+type: main
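Review bot: The caption for `value: false`, `Prevent sites from using SharedArrayBuffers`, contradicts `desc`, which says that with the policy Disabled or unset, sites can still use SharedArrayBuffers when cross-origin isolated. An admin reading only the captions would misjudge both settings. I would write them as `- caption: Allow SharedArrayBuffers without cross-origin isolation` for true and `- caption: Allow SharedArrayBuffers only in cross-origin-isolated contexts` for false. The file is tagged `system-security`, yet `desc` attributes the restriction only to Web Compatibility. One sentence should note that enabling the policy removes the isolation requirement that limits shared-memory timing side channels, so admins understand what they trade away.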
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SharedClipboardEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SharedClipboardEnabled.yaml
new file mode 100755
index 000000000..e34465994
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SharedClipboardEnabled.yaml
@@ -0,0 +1,35 @@
+caption: Enable the Shared Clipboard Feature
+desc: |-
+ Enable the Shared Clipboard feature which allows users to send text between Chrome Desktops and an Android device when Sync is enabled and the user is Signed-in.
+
+ If this policy is set to true, the capability of sending text, cross device, for chrome user is enabled.
+
+ If this policy is set to false, the capability of sending text, cross device, for chrome user is disabled.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, the shared clipboard feature is enabled by default.
+
+ It is up to the admins to set policies in all platforms they care about. It's recommended to set this policy to one value in all platforms.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable the shared clipboard feature
+ value: true
+- caption: Disable the shared clipboard feature
+ value: false
+owners:
+- mvanouwerkerk@chromium.org
+- yasmo@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:79-
+- chrome_os:79-
+- android:79-
+tags: []
+type: main
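Review bot: `tags` is empty although `desc` describes sending clipboard text from desktop to an Android device through Sync and says the feature is on when the policy is unset. For managed devices that is a path by which copied data leaves the machine, so it is worth confirming whether one of the sharing risk tags used elsewhere in these templates should apply here. The file also has no `default:` key, and `default: true` would record what `desc` already states. The last paragraph of `desc` asks admins to set the value consistently on all platforms but does not say what happens when desktop and Android disagree.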
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShelfAlignment.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShelfAlignment.yaml
new file mode 100755
index 000000000..33c0821bf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShelfAlignment.yaml
@@ -0,0 +1,41 @@
+caption: Control the shelf position
+desc: |-
+ Control the position of the $2Google ChromeOS shelf.
+
+ If this policy is set to 'Bottom', the shelf will be placed at the bottom of the screen.
+
+ If this policy is set to 'Left', the shelf will be placed on the left side of the screen.
+
+ If this policy is set to 'Right', the shelf will be placed on the right side of the screen.
+
+ If you set this policy as mandatory, users cannot change or override it.
+
+ If the policy is left not set, the shelf will be be positioned at the bottom of the screen by default and the user can change the shelf's position.
+example_value: Bottom
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Position the shelf on the left side of the screen
+ name: Left
+ value: Left
+- caption: Position the shelf at the bottom of the screen
+ name: Bottom
+ value: Bottom
+- caption: Position the shelf on the right side of the screen
+ name: Right
+ value: Right
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ enum:
+ - Left
+ - Bottom
+ - Right
+ type: string
+supported_on:
+- chrome_os:79-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShelfAutoHideBehavior.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShelfAutoHideBehavior.yaml
new file mode 100755
index 000000000..634a628f1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShelfAutoHideBehavior.yaml
@@ -0,0 +1,29 @@
+caption: Control shelf auto-hiding
+desc: |-
+ Setting the policy to Always will autohide the $2Google ChromeOS shelf. Setting the policy to Never ensures the shelf never autohides.
+
+ If you set the policy, users can't change it. If not set, users decide whether the shelf autohides.
+example_value: Always
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Always auto-hide the shelf
+ name: AlwaysAutoHideShelf
+ value: Always
+- caption: Never auto-hide the shelf
+ name: NeverAutoHideShelf
+ value: Never
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ enum:
+ - Always
+ - Never
+ type: string
+supported_on:
+- chrome_os:25-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShoppingListEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShoppingListEnabled.yaml
new file mode 100755
index 000000000..a65094a74
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShoppingListEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Allow the shopping list feature to be enabled
+default: true
+desc: "This policy controls the availability of the shopping list feature.\n \
+ \ If enabled, users will be presented with UI to track the price of the product\
+ \ displayed on the current page. The tracked product will be shown in the bookmarks\
+ \ side panel.\n If this policy is set to Enabled or not set, the shopping list\
+ \ feature will be available to users.\n If this policy is set to Disabled,\
+ \ the shopping list feature will be unavailable.\n "
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: The shopping list feature will be available to users.
+ value: true
+- caption: The shopping list feature will not be available to users.
+ value: false
+owners:
+- aymana@chromium.org
+- mdjones@chromium.org
+- chrome-shopping-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:107-
+- chrome_os:107-
+- android:107-
+- ios:112-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShortcutCustomizationAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShortcutCustomizationAllowed.yaml
new file mode 100755
index 000000000..d98b99047
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShortcutCustomizationAllowed.yaml
@@ -0,0 +1,26 @@
+caption: Allow customization of system shortcuts
+desc: |-
+ This policy controls whether customization of system shortcuts is allowed.
+
+ When this policy is enabled or unset, users will be able to customize system shortcuts through the Key Shortcuts App.
+
+ When this policy is disabled, the Key Shortcuts app will be in read-only mode, disallowing any customization.
+default: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- jimmyxgong@chromium.org
+- cros-peripheral@google.com
+items:
+- caption: Allow the user to customize system shortcuts
+ value: true
+- caption: Disallow the user to customize system shortcuts
+ value: false
+schema:
+ type: boolean
+supported_on:
+- chrome_os:123-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowAiIntroScreenEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowAiIntroScreenEnabled.yaml
new file mode 100755
index 000000000..5fb397303
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowAiIntroScreenEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable displaying the introduction screen for in-session AI features during sign-in flow
+desc: |-
+ This policy controls if the introduction screen for in-session AI features is shown to the user during the first sign-in flow.
+
+ If set to disabled, the AI introduction screen will not be displayed.
+
+ If set to enabled, the AI introduction screen will be displayed.
+
+ If unset, the AI introduction screen will be skipped for enterprise-managed users and displayed for unmanaged users.
+default: true
+default_for_enterprise_users: false
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Display the AI introduction screen during sign-in
+ value: true
+- caption: Do not display the AI introduction screen during sign-in
+ value: false
+owners:
+- ziegltrum@google.com
+- cros-oobe@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:125-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowAppsShortcutInBookmarkBar.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowAppsShortcutInBookmarkBar.yaml
new file mode 100755
index 000000000..10d8bbe54
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowAppsShortcutInBookmarkBar.yaml
@@ -0,0 +1,28 @@
+caption: Show the apps shortcut in the bookmark bar
+default: null
+desc: |-
+ Setting the policy to True displays the apps shortcut. Setting the policy to False means this shortcut never appears.
+
+ If you set the policy, users can't change it. If not set, users decide to show or hide the apps shortcut from the bookmark bar context menu.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Show the apps shortcut in the bookmark bar
+ value: true
+- caption: Do not show the apps shortcut in the bookmark bar
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- file://components/policy/OWNERS
+- hendrich@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:37-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowDisplaySizeScreenEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowDisplaySizeScreenEnabled.yaml
new file mode 100755
index 000000000..644d984d4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowDisplaySizeScreenEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Enable displaying display size setting screen during sign-in
+desc: |-
+ This policy controls if the display size setting screen is shown to the user during the first sign-in.
+ If set to false, the display size setting screen will not be displayed.
+ If set to true, the display size setting screen will be displayed.
+default: true
+default_for_enterprise_users: false
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Display the display size setting screen during sign-in
+ value: true
+- caption: Do not display the display size setting screen during sign-in
+ value: false
+owners:
+- bchikhaoui@google.com
+- cros-oobe@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:119-
+tags: []
+type: main
\ No newline at end of file
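Review bot: `desc` covers only the true and false cases, while the file sets `default: true` together with `default_for_enterprise_users: false`, so the unset behaviour is left for the reader to infer from two keys. ShowHumanPresenceSensorScreenEnabled.yaml in this patch spells it out, and the same line fits here: `If the policy is left not set, the default value false applies for enterprise-managed users and true will be used for non-managed users.` ShowTouchpadScrollScreenEnabled.yaml has the same gap. Both files also end without a trailing newline.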
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowFullUrlsInAddressBar.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowFullUrlsInAddressBar.yaml
new file mode 100755
index 000000000..8242e27c5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowFullUrlsInAddressBar.yaml
@@ -0,0 +1,35 @@
+caption: Show Full URLs
+default: null
+default_for_enterprise_users: false
+desc: "This feature enables display of the full URL in the address bar.\n If\
+ \ this policy is set to True, then the full URL will be shown in the address bar,\
+ \ including schemes and subdomains.\n If this policy is set to False, then\
+ \ the default URL display will apply.\n If this policy is left unset, then\
+ \ the default URL display will apply and the user will be able to toggle between\
+ \ default and full URL display with a context menu option.\n "
+example_value: false
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Display the full URL
+ value: true
+- caption: Display the default URL
+ value: false
+- caption: Display the default URL, allow users to switch to the full URL
+ value: null
+owners:
+- jdeblasio@google.com
+- meacer@google.com
+- cthomp@google.com
+- carlosil@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:86-
+- chrome.*:86-
+tags: []
+type: main
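Review bot: `desc` says an unset policy gives the default URL display plus a context-menu toggle, but the file also sets `default_for_enterprise_users: false`, which the description never mentions. If that default is applied as a set value, managed users would get the shortened display, and this file does not show whether they keep the toggle. Showing scheme and subdomains helps users spot look-alike hosts, so the description should state the managed-user outcome explicitly, for example `For enterprise-managed users an unset policy is treated as False.` followed by whether the toggle remains available, to be confirmed against the handler.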
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowGeminiIntroScreenEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowGeminiIntroScreenEnabled.yaml
new file mode 100755
index 000000000..fbb775fa5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowGeminiIntroScreenEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable displaying the introduction screen for Gemini during sign-in flow
+desc: |-
+ This policy controls if the introduction screen for Gemini is shown to the user during the first sign-in flow.
+
+ If set to disabled, the Gemini introduction screen will not be displayed.
+
+ If set to enabled, the Gemini introduction screen will be displayed.
+
+ If unset, the Gemini introduction screen will be skipped for enterprise-managed users and displayed for unmanaged users.
+default: true
+default_for_enterprise_users: false
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Display the Gemini introduction screen during sign-in
+ value: true
+- caption: Do not display the Gemini introduction screen during sign-in
+ value: false
+owners:
+- ziegltrum@google.com
+- cros-oobe@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:128-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowHumanPresenceSensorScreenEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowHumanPresenceSensorScreenEnabled.yaml
new file mode 100755
index 000000000..dd67252ea
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowHumanPresenceSensorScreenEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Enable displaying human presence sensor screen during sign-in
+desc: |-
+ This policy controls if the human presence sensor screen is shown to the user during the first sign-in.
+ If set to false, the human presence sensor screen will not be displayed.
+ If set to true, the human presence sensor screen will be displayed.
+ If the policy is left not set, the default value false applies for enterprise-managed users and true will be used for non-managed users.
+default: true
+default_for_enterprise_users: false
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Display the human presence sensor screen during sign-in
+ value: true
+- caption: Do not display the human presence sensor screen during sign-in
+ value: false
+owners:
+- bchikhaoui@google.com
+- cros-oobe@google.com
+schema:
+ type: boolean
+future_on:
+- chrome_os
+tags: []
+type: main
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowLogoutButtonInTray.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowLogoutButtonInTray.yaml
new file mode 100755
index 000000000..494b32eff
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowLogoutButtonInTray.yaml
@@ -0,0 +1,23 @@
+caption: Add a logout button to the system tray
+desc: |-
+ Setting the policy to True displays a big, red sign-out button in the system tray during active sessions while the screen isn't locked.
+
+ Setting the policy to False or leaving it unset means no button appears.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Show logout button in tray
+ value: true
+- caption: Do not show logout button in tray
+ value: false
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:25-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowTouchpadScrollScreenEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowTouchpadScrollScreenEnabled.yaml
new file mode 100755
index 000000000..caea600a8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ShowTouchpadScrollScreenEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Enable displaying touchpad scrolling direction screen during sign-in
+desc: |-
+ This policy controls if the touchpad scrolling direction screen is shown to the user during the first sign-in.
+ If set to false, the touchpad scrolling direction screen will not be displayed.
+ If set to true, the touchpad scrolling direction screen will be displayed.
+default: true
+default_for_enterprise_users: false
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Display the touchpad scrolling direction screen during sign-in
+ value: true
+- caption: Do not display the touchpad scrolling direction screen during sign-in
+ value: false
+owners:
+- bchikhaoui@google.com
+- cros-oobe@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:119-
+tags: []
+type: main
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SideSearchEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SideSearchEnabled.yaml
new file mode 100755
index 000000000..86de885f4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SideSearchEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Allow showing the most recent default search engine results page in a Browser
+ side panel
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving the policy unset means that users can bring up their most recent default search engine results page in a side panel via toggling an icon in the toolbar.
+
+ Setting the policy to Disabled removes the icon from the toolbar that opens the side panel with the default search engine results page.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable showing default search engine results pages in a Browser side panel.
+ value: true
+- caption: Disable showing default search engine results pages in a Browser side panel.
+ value: false
+owners:
+- tluk@chromium.org
+- chrome-cros@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:96-
+- chrome.*:101-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SignedHTTPExchangeEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SignedHTTPExchangeEnabled.yaml
new file mode 100755
index 000000000..1d03a3795
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SignedHTTPExchangeEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Enable Signed HTTP Exchange (SXG) support
+default: true
+desc: |-
+ Setting the policy to True or leaving it unset means $1Google Chrome will accept web contents served as Signed HTTP Exchanges.
+
+ Setting the policy to False prevents Signed HTTP Exchanges from loading.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Accept web contents served as Signed HTTP Exchanges
+ value: true
+- caption: Prevent Signed HTTP Exchanges from loading
+ value: false
+owners:
+- file://content/browser/web_package/OWNERS
+- ksakamoto@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:75-
+- chrome_os:75-
+tags:
+- filtering
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SigninAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SigninAllowed.yaml
new file mode 100755
index 000000000..41892d960
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SigninAllowed.yaml
@@ -0,0 +1,28 @@
+caption: Allow sign in to $1Google Chrome
+deprecated: true
+desc: "This policy is deprecated, consider using BrowserSignin instead.\n\n Allows the user to sign in to $1Google Chrome.\n\n Setting this policy to Enabled\
+ \ will allow the user to sign in to $1Google Chrome.\n\
+ \ Setting this policy to Disabled will prevent sign in. It also blocks apps\
+ \ and extensions that use the chrome.identity API from functioning. To avoid that,\
+ \ use SyncDisabled instead.\n "
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow users to sign in to $1Google Chrome
+ value: true
+- caption: Prevent users from signing in to $1Google Chrome
+ value: false
+owners:
+- akuegel@chromium.org
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:27-
+- android:38-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SigninInterceptionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SigninInterceptionEnabled.yaml
new file mode 100755
index 000000000..e6b5b3add
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SigninInterceptionEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Enable signin interception
+default: null
+desc: |-
+ This settings enables or disables signin interception.
+
+ When this policy not set or is enabled, the signin interception dialog triggers when a Google account is added on the web, and the user may benefit from moving this account to another (new or existing) profile.
+
+ When this is disabled, the signin interception dialog does not trigger.
+ When this is disabled, a dialog will still be shown if managed account profile separation is enforced by ManagedAccountsSigninRestriction.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable signin interception
+ value: true
+- caption: Disable signin interception
+ value: false
+- caption: Enable signin interception
+ value: null
+owners:
+- ydago@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:89-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SitePerProcess.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SitePerProcess.yaml
new file mode 100755
index 000000000..600008c9d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SitePerProcess.yaml
@@ -0,0 +1,32 @@
+caption: Require Site Isolation for every site
+desc: |-
+ Since $1Google Chrome 67, site isolation has been enabled by default on all Desktop platforms, causing every site to run in its own process. A site is a scheme plus eTLD+1 (e.g., https://example.com). Setting this policy to Enabled does not change that behavior; it only prevents users from opting out (for example, using Disable site isolation in chrome://flags). Since $1Google Chrome 76, setting the policy to Disabled or leaving it unset doesn't turn off site isolation, but instead allows users to opt out.
+
+ IsolateOrigins might also be useful for isolating specific origins at a finer granularity than site (e.g., https://a.example.com).
+
+ On $2Google ChromeOS version 76 and earlier, set the DeviceLoginScreenSitePerProcess device policy to the same value. (If the values don't match, a delay can occur when entering a user session.)
+
+ Note: For Android, use the SitePerProcessAndroid policy instead.
+device_only: false
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Require site isolation for all websites
+ value: true
+- caption: Enable site isolation for all websites, but allow the user to opt out
+ value: false
+owners:
+- alexmos@chromium.org
+- creis@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:63-
+- chrome_os:63-
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SitePerProcessAndroid.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SitePerProcessAndroid.yaml
new file mode 100755
index 000000000..b124ed946
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SitePerProcessAndroid.yaml
@@ -0,0 +1,34 @@
+caption: Enable Site Isolation for every site
+default: null
+desc: |-
+ Setting the policy to Enabled isolates all sites on Android, such that each site runs in its own process, and it prevents users from opting out. A site is a scheme plus eTLD+1 (e.g., https://example.com). Note that Android isolates certain sensitive sites by default starting in $1Google Chrome version 77, and this policy extends that default site isolation mode to apply to all sites.
+
+ Setting the policy to Disabled turns off any form of site isolation, including isolation of sensitive sites and field trials of IsolateOriginsAndroid, SitePerProcessAndroid, and other site isolation modes. Users can still turn the policy on manually.
+
+ Leaving the policy unset means users can change this setting.
+
+ IsolateOriginsAndroid might also be useful for isolating specific origins at a finer granularity than site (e.g., https://a.example.com).
+
+ Note: Support for isolating every site on Android will improve, but currently it may cause performance problems, especially on low-end devices. This policy applies only to Chrome on Android running on devices with strictly more than 1 GB of RAM. To isolate specific sites while limiting performance impact for users, use IsolateOriginsAndroid with a list of the sites you want to isolate. To apply the policy on non-Android platforms, use SitePerProcess.
+device_only: false
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Require site isolation for all websites
+ value: true
+- caption: Disable site isolation for all websites, but allow the user to enable it
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- alexmos@chromium.org
+- creis@chromium.org
+schema:
+ type: boolean
+supported_on:
+- android:68-
+tags:
+- system-security
+type: main
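Review bot: The `value: false` caption ("Disable site isolation for all websites, but allow the user to enable it") understates what the description says Disabled does, which is to turn off any form of site isolation, including the default isolation of sensitive sites. An administrator choosing from the captions alone could remove that default protection without realising it. The caption could read `Turn off all site isolation, including default isolation of sensitive sites, but allow the user to enable it`. In the description, "Users can still turn the policy on manually" would be clearer as "Users can still turn site isolation on manually", since users change the setting rather than the policy. If this file is a verbatim mirror of an upstream template, the wording change belongs upstream.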
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SiteSearchSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SiteSearchSettings.yaml
new file mode 100755
index 000000000..d22497765
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SiteSearchSettings.yaml
@@ -0,0 +1,58 @@
+caption: Site search settings
+desc: |-
+ This policy provides a list of sites that users can quickly search using shortcuts in the address bar. Users can initiate a search by typing the shortcut or @shortcut (e.g. @work), followed by Space or Tab, in the address bar.
+
+ The following fields are required for each site: name, shortcut, url.
+
+ The name field corresponds to the site or search engine name to be shown to the user in the address bar.
+
+ The shortcut can include plain words and characters, but cannot include spaces or start with the @ symbol. Shortcuts must also be unique.
+
+ For each entry, the url field specifies the URL of the search engine used during a search with the corresponding keyword. The URL must include the string '{searchTerms}', replaced in the query by the user's search terms. Invalid entries and entries with duplicate shortcuts are ignored.
+
+ Site search entries configured as featured are displayed in the address bar when the user types "@". Up to three entries can be selected as featured.
+
+ Users cannot edit or disable site search entries set by policy, but they can add new shortcuts for the same URL. In addition, users cannot create new site search entries with a shortcut previously created via this policy.
+
+ In case of a conflict with a shortcut previously created by the user, the user setting takes precedence. However, users can still trigger the option created by the policy by typing "@" in the search bar. For example, if the user already defined "work" as a shortcut to URL1 and the policy defines "work" as a shortcut to URL2, then typing "work" in the search bar will trigger a search to URL1, but typing "@work" in the search bar will trigger a search to URL2.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+
+example_value:
+- featured: true
+ name: Google Wikipedia
+ shortcut: wikipedia
+ url: https://www.google.com/search?q=site%3Awikipedia.com+%s
+- name: YouTube
+ shortcut: youtube
+ url: https://www.youtube.com/results?search_query=%s
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- ftirelo@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: array
+ items:
+ type: object
+ properties:
+ featured:
+ type: boolean
+ name:
+ type: string
+ shortcut:
+ type: string
+ url:
+ type: string
+ required:
+ - shortcut
+ - name
+ - url
+supported_on:
+- chrome.*:128-
+- chrome_os:128-
+tags: []
+type: dict
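Review bot: Both `example_value` entries use `%s` as the query placeholder, but the description says the URL must include the string '{searchTerms}' and that invalid entries are ignored, so the example appears to contradict the rule. An administrator who copies the example may end up with entries that are silently dropped. Either the examples should use the documented token, e.g. `url: https://www.youtube.com/results?search_query={searchTerms}`, or the description should state that `%s` is also accepted. The schema only types `url` as a string, so whatever enforces the placeholder is not visible in this hunk.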
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SmartLockSigninAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SmartLockSigninAllowed.yaml
new file mode 100755
index 000000000..1d428964f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SmartLockSigninAllowed.yaml
@@ -0,0 +1,29 @@
+caption: Allow Smart Lock Signin to be used.
+default_for_enterprise_users: false
+desc: |-
+ If this setting is enabled, users will be allowed to sign into their account with Smart Lock. This is more permissive than usual Smart Lock behavior which only allows users to unlock their screen.
+
+ If this setting is disabled, users will not be allowed to use Smart Lock Signin.
+
+ If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow users to sign into their device with Smart Lock
+ value: true
+- caption: Do not allow users to sign into their device with Smart Lock
+ value: false
+owners:
+- hansberry@chromium.org
+- jhawkins@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:71-103
+deprecated: true
+tags:
+- local-data-access
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SmsMessagesAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SmsMessagesAllowed.yaml
new file mode 100755
index 000000000..2e11c048b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SmsMessagesAllowed.yaml
@@ -0,0 +1,28 @@
+caption: Allow SMS Messages to be synced from phone to Chromebook.
+default_for_enterprise_users: false
+desc: |-
+ Setting the policy to Enabled lets users set up their devices to sync their text messages to Chromebooks. Users must explicitly opt in to this feature by completing a setup flow. On completion, users can send and receive texts on their Chromebooks.
+
+ Setting the policy to Disabled means users can't set up text syncing.
+
+ Leaving the policy unset means that by default, the feature isn't allowed for managed users but is allowed for other users.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow users to sync SMS messages between their phone and Chromebook
+ value: true
+- caption: Do not allow users to sync SMS messages between their phone and Chromebook
+ value: false
+owners:
+- jlklein@chromium.org
+- jonmann@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:70-
+tags:
+- local-data-access
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellCheckServiceEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellCheckServiceEnabled.yaml
new file mode 100755
index 000000000..ef7600fe5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellCheckServiceEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Enable or disable spell checking web service
+default: null
+desc: |-
+ Setting the policy to Enabled puts a Google web service in use to help resolve spelling errors. This policy only controls the use of the online service. Setting the policy to Disabled means this service is never used.
+
+ Leaving the policy unset lets users choose whether to use the spellcheck service.
+
+ The spell check can always use a downloaded dictionary locally unless the feature is disabled by SpellcheckEnabled in which case this policy will have no effect.
+example_value: false
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Use a Google web service to help resolve spelling errors
+ value: true
+- caption: Do not use any Google web services to help resolve spelling errors
+ value: false
+- caption: Allow the user to choose if Google web services are used to resolve spelling
+ errors
+ value: null
+owners:
+- file://components/policy/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:22-
+- chrome_os:22-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckEnabled.yaml
new file mode 100755
index 000000000..9aec32071
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckEnabled.yaml
@@ -0,0 +1,38 @@
+caption: Enable spellcheck
+default: null
+desc: "Setting the policy to Enabled turns spellcheck on, and users can't turn it\
+ \ off. On Microsoft® Windows®, $2Google ChromeOS and Linux®, spellcheck\
+ \ languages can be switched on or off individually, so users can still turn spellcheck\
+ \ off by switching off every spellcheck language. To avoid that, use the SpellcheckLanguage to force-enable specific\
+ \ spellcheck languages.\n\n Setting the policy to Disabled turns off spellcheck\
+ \ from all sources, and users can't turn it on. The SpellCheckServiceEnabled, SpellcheckLanguage\
+ \ and SpellcheckLanguageBlocklist\
+ \ policies have no effect when this policy is set to False.\n\n Leaving the\
+ \ policy unset lets users turn spellcheck on or off in the language settings. "
+example_value: false
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable spellcheck
+ value: true
+- caption: Disable spellcheck
+ value: false
+- caption: Allow the user to enable or disable spellcheck
+ value: null
+owners:
+- macourteau@chromium.org
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:65-
+- chrome_os:65-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckLanguage.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckLanguage.yaml
new file mode 100755
index 000000000..be527e587
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckLanguage.yaml
@@ -0,0 +1,33 @@
+caption: Force enable spellcheck languages
+desc: |-
+ Force-enables spellcheck languages. Unrecognized languages in the list will be ignored.
+
+ If you enable this policy, spellcheck will be enabled for the languages specified, in addition to the languages for which the user has enabled spellcheck.
+
+ If you do not set this policy, or disable it, there will be no change to the user's spellcheck preferences.
+
+ If the SpellcheckEnabled policy is set to false, this policy will have no effect.
+
+ If a language is included in both this policy and the SpellcheckLanguageBlocklist policy, this policy is prioritized and the spellcheck language is enabled.
+
+ The currently supported languages are: af, bg, ca, cs, da, de, el, en-AU, en-CA, en-GB, en-US, es, es-419, es-AR, es-ES, es-MX, es-US, et, fa, fo, fr, he, hi, hr, hu, id, it, ko, lt, lv, nb, nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl, sq, sr, sv, ta, tg, tr, uk, vi.
+example_value:
+- fr
+- es
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- macourteau@chromium.org
+- zmin@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.win:65-
+- chrome.linux:65-
+- chrome_os:65-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckLanguageBlacklist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckLanguageBlacklist.yaml
new file mode 100755
index 000000000..c2a1b2d21
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckLanguageBlacklist.yaml
@@ -0,0 +1,35 @@
+caption: Force disable spellcheck languages
+deprecated: true
+desc: |-
+ This policy is deprecated, please use SpellcheckLanguageBlocklist instead.
+
+ Force-disables spellcheck languages. Unrecognized languages in that list will be ignored.
+
+ If you enable this policy, spellcheck will be disabled for the languages specified. The user can still enable or disable spellcheck for languages not in the list.
+
+ If you do not set this policy, or disable it, there will be no change to the user's spellcheck preferences.
+
+ If the SpellcheckEnabled policy is set to false, this policy will have no effect.
+
+ If a language is included in both this policy and the SpellcheckLanguage policy, the latter is prioritized and the spellcheck language will be enabled.
+
+ The currently supported languages are: af, bg, ca, cs, da, de, el, en-AU, en-CA, en-GB, en-US, es, es-419, es-AR, es-ES, es-MX, es-US, et, fa, fo, fr, he, hi, hr, hu, id, it, ko, lt, lv, nb, nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl, sq, sr, sv, ta, tg, tr, uk, vi.
+example_value:
+- fr
+- es
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- gujen@google.com
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.win:75-100
+- chrome.linux:75-100
+- chrome_os:75-100
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckLanguageBlocklist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckLanguageBlocklist.yaml
new file mode 100755
index 000000000..f5641da37
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SpellcheckLanguageBlocklist.yaml
@@ -0,0 +1,32 @@
+caption: Force disable spellcheck languages
+desc: |-
+ Force-disables spellcheck languages. Unrecognized languages in that list will be ignored.
+
+ If you enable this policy, spellcheck will be disabled for the languages specified. The user can still enable or disable spellcheck for languages not in the list.
+
+ If you do not set this policy, or disable it, there will be no change to the user's spellcheck preferences.
+
+ If the SpellcheckEnabled policy is set to false, this policy will have no effect.
+
+ If a language is included in both this policy and the SpellcheckLanguage policy, the latter is prioritized and the spellcheck language will be enabled.
+
+ The currently supported languages are: af, bg, ca, cs, da, de, el, en-AU, en-CA, en-GB, en-US, es, es-419, es-AR, es-ES, es-MX, es-US, et, fa, fo, fr, he, hi, hr, hu, id, it, ko, lt, lv, nb, nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl, sq, sr, sv, ta, tg, tr, uk, vi.
+example_value:
+- fr
+- es
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- gujen@google.com
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.win:86-
+- chrome.linux:86-
+- chrome_os:86-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StandardizedBrowserZoomEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StandardizedBrowserZoomEnabled.yaml
new file mode 100755
index 000000000..6e37ed131
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StandardizedBrowserZoomEnabled.yaml
@@ -0,0 +1,33 @@
+caption: Enable Standardized Browser Zoom Behavior
+owners:
+ - szager@chromium.org
+ - pdr@chromium.org
+desc: |-
+ This policy enables conformance to the newly-adopted specification of CSS zoom.
+
+ When this policy is Enabled or unset, the CSS "zoom" property will adhere to the specification:
+
+ https://drafts.csswg.org/css-viewport/#zoom-property
+
+ When Disabled, the CSS "zoom" property will fall back to its legacy pre-standardized behavior.
+
+ This policy is a temporary reprieve to allow time to migrate web content to the new behavior. There is also an origin trial ("DisableStandardizedBrowserZoom") that corresponds to the behavior when this policy is Disabled. This policy will be removed and the "Enabled" behavior made permanent in milestone 134.
+supported_on:
+ - chrome.*:128-
+ - chrome_os:128-
+ - android:128-
+ - webview_android:128-
+features:
+ dynamic_refresh: true
+ per_profile: true
+type: main
+schema:
+ type: boolean
+items:
+ - caption: "Enabled: CSS zoom conforms to the standard specification."
+ value: true
+ - caption: "Disabled: CSS zoom preserves its legacy pre-standard behavior."
+ value: false
+default: true
+example_value: true
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StartupBrowserWindowLaunchSuppressed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StartupBrowserWindowLaunchSuppressed.yaml
new file mode 100755
index 000000000..863363140
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StartupBrowserWindowLaunchSuppressed.yaml
@@ -0,0 +1,25 @@
+caption: Suppress launching of browser window
+desc: |-
+ Setting the policy to True prevents the browser window from launching at the start of the session.
+
+ Setting the policy to False or leaving it unset allows the window to launch.
+
+ Note: The browser window might not launch due to other policies or command-line flags.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Do not launch the browser on startup
+ value: true
+- caption: Automatically launch the browser on startup
+ value: false
+owners:
+- file://components/policy/OWNERS
+- hendrich@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:76-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StrictMimetypeCheckForWorkerScriptsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StrictMimetypeCheckForWorkerScriptsEnabled.yaml
new file mode 100755
index 000000000..2fa0033a0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StrictMimetypeCheckForWorkerScriptsEnabled.yaml
@@ -0,0 +1,44 @@
+caption: Enable strict MIME type checking for worker scripts
+default: true
+desc: "This policy enables strict MIME type checking for worker scripts.\n\n \
+ \ When enabled or unset, then worker scripts will use strict MIME type checking\
+ \ for JavaScript, which is the new default behaviour. Worker scripts with legacy\
+ \ MIME types will be rejected.\n\n When disabled, then worker scripts will\
+ \ use lax MIME type checking, so that worker scripts with legacy MIME types, e.g.\
+ \ text/ascii, will continue to be loaded and\
+ \ executed.\n\n Browsers traditionally used lax MIME type checking, so that\
+ \ resources with a number of legacy MIME types were supported. E.g. for JavaScript\
+ \ resources, text/ascii is a legacy supported\
+ \ MIME type. This may cause security issues, by allowing to load resources as scripts\
+ \ that were never intended to be used as such. Chrome will transition to use strict\
+ \ MIME type checking in the near future. The enabled policy will track the default\
+ \ behaviour. Disabling this policy allows administrators to retain the legacy behaviour,\
+ \ if desired.\n\n See https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguage\
+ \ for details about JavaScript / ECMAScript media types.\n "
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Scripts for workers (Web Workers, Service Workers, etc.) require a JavaScript
+ MIME type, like text/javascript. Worker
+ scripts with legacy MIME types, like text/ascii,
+ will be rejected.
+ value: true
+- caption: Scripts for workers (Web Workers, Service Workers, etc.) use lax MIME type
+ checking. Worker scripts with legacy MIME types, like text/ascii,
+ will work.
+ value: false
+owners:
+- vogelheim@chromium.org
+- chrome-security-owp-team@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:107-
+- chrome_os:107-
+- android:107-
+tags: []
+type: main
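Review bot: `example_value: false` shows the setting that switches strict MIME checking off, while `default: true` and the description present strict checking as the default and say the lax mode "may cause security issues". Sample values tend to be copied into real configurations, so the example would be safer as `example_value: true`. The description also calls strict checking "the new default behaviour" yet later says Chrome "will transition to use strict MIME type checking in the near future"; one of the two statements looks stale and should be reconciled.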
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StricterMixedContentTreatmentEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StricterMixedContentTreatmentEnabled.yaml
new file mode 100755
index 000000000..cc2ae78b2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/StricterMixedContentTreatmentEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Enable stricter treatment for mixed content
+deprecated: true
+desc: |-
+ This policy has been removed as of M85, please use InsecureContentAllowedForUrls to allow insecure content on a per-site basis instead.
+ This policy controls the treatment for mixed content (HTTP content in HTTPS sites) in the browser.
+ If the policy is set to true or unset, audio and video mixed content will be autoupgraded to HTTPS (i.e. the URL will be rewritten as HTTPS, without a fallback if the resource is not available over HTTPS) and a 'Not Secure' warning will be shown in the URL bar for image mixed content.
+ If the policy is set to false, autoupgrades will be disabled for audio and video, and no warning will be shown for images.
+ This policy does not affect other types of mixed content other than audio, video, and images.
+ This policy will no longer take effect starting in $1Google Chrome 84.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable autoupgrades to HTTPS for audio and video, and show 'Not Secure' warning for images.
+ value: true
+- caption: Disable autoupgrades to HTTPS for audio and video, and show no warning for images.
+ value: false
+owners:
+- carlosil@chromium.org
+- estark@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:80-84
+- chrome_os:80-84
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SubAppsAPIsAllowedWithoutGestureAndAuthorizationForOrigins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SubAppsAPIsAllowedWithoutGestureAndAuthorizationForOrigins.yaml
new file mode 100755
index 000000000..d1303c49d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SubAppsAPIsAllowedWithoutGestureAndAuthorizationForOrigins.yaml
@@ -0,0 +1,39 @@
+caption: Allow subApps APIs to be called without prior user gesture or requiring
+ user confirmation.
+desc: |-
+ For security reasons, the
+ subApps.add(),
+ subApps.remove() and
+ subApps.list() web APIs
+ require a prior user gesture ("transient activation") to be called or will
+ otherwise fail. In addition, the user will be requested to confirm the
+ operation via a confirmation dialog.
+
+ With this policy set, admins can specify origins on which these APIs can be
+ called without prior user gesture, nor asking the user for confirmation.
+
+ For detailed information on valid url patterns, please see
+ https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is
+ not an accepted value for this policy.
+
+ If this policy is unset, all origins will require a prior user gesture to call
+ these APIs, and will present a confirmation dialog to the user.
+example_value:
+ - https://www.example.com
+ - '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+ - file://chrome/browser/web_applications/OWNERS
+ - giovax@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+ - chrome_os:123-
+future_on:
+ - fuchsia
+tags: []
+type: list
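Review bot: The description never states what an administrator gives up by listing an origin: both protections named in its first paragraph, the prior user gesture and the confirmation dialog, are removed for that origin. The example entry `'[*.]example.edu'` shows a wildcard pattern without saying how far it reaches. A closing sentence would help, such as `Only list origins you fully control; a [*.] pattern applies the exemption to every matching subdomain.` The schema accepts any string, so the rejection of `*` mentioned in the description must be enforced somewhere outside this hunk.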
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuggestLogoutAfterClosingLastWindow.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuggestLogoutAfterClosingLastWindow.yaml
new file mode 100755
index 000000000..b9c0491f2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuggestLogoutAfterClosingLastWindow.yaml
@@ -0,0 +1,24 @@
+caption: Display the logout confirmation dialog
+default: true
+desc: |-
+ The policy only applies to managed guest sessions.
+ Setting the policy to True or leaving it unset will show a dialog asking the user to confirm or deny logout when the last window is closed.
+ Setting the policy to False will prevent the dialog from being displayed and therefore also disables auto-logout after closing the last window.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Show logout dialog on last window closed.
+ value: true
+- caption: Suppress showing logout dialog on last window closed.
+ value: false
+owners:
+- mpetrisor@chromium.org
+- hendrich@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:92-
+tags: []
+type: main
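Review bot: The `value: false` caption mentions only the suppressed dialog, but the description says False "also disables auto-logout after closing the last window". In a managed guest session that presumably leaves the session open after the user has closed everything, which is the consequence an administrator most needs to see. The caption could read `Suppress the logout dialog and disable auto-logout when the last window is closed.`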
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuggestedContentEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuggestedContentEnabled.yaml
new file mode 100755
index 000000000..28edbe73a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuggestedContentEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Enable Suggested Content
+default_for_enterprise_users: false
+desc: "This feature enables suggestions for new content to explore. Includes apps,\
+ \ webpages, and more.\n If this policy is set to True, then suggestions for\
+ \ new content to explore will be enabled.\n If this policy is set to False,\
+ \ then suggestions for new content to explore will be disabled.\n If this policy\
+ \ is left unset, then suggestions for new content to explore will be disabled for\
+ \ managed users and enabled for other users.\n "
+example_value: false
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable suggested content
+ value: true
+- caption: Disable suggested content
+ value: false
+owners:
+- chrome-knowledge-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:85-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuppressChromeFrameTurndownPrompt.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuppressChromeFrameTurndownPrompt.yaml
new file mode 100755
index 000000000..918fdc63d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuppressChromeFrameTurndownPrompt.yaml
@@ -0,0 +1,17 @@
+caption: Suppress the $3Google Chrome Frame
+ turndown prompt
+deprecated: true
+desc: Suppresses the turndown prompt that appears when a site is rendered by $3Google
+ Chrome Frame.
+example_value: true
+features:
+ dynamic_refresh: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_frame:29-32
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuppressDifferentOriginSubframeDialogs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuppressDifferentOriginSubframeDialogs.yaml
new file mode 100755
index 000000000..ce37992a4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuppressDifferentOriginSubframeDialogs.yaml
@@ -0,0 +1,32 @@
+caption: Suppress JavaScript Dialogs triggered from different origin subframes
+default: true
+desc: |-
+ As described in https://www.chromestatus.com/feature/5148698084376576 , JavaScript modal dialogs, triggered by window.alert, window.confirm, and window.prompt, will be blocked in $1Google Chrome if triggered from a subframe whose origin is different from the main frame origin.
+
+ This policy allows overriding that change.
+ If the policy is set to enabled or unset, JavaScript dialogs triggered from a different origin subframe will be blocked.
+ If the policy is set to disabled, JavaScript dialogs triggered from a different origin subframe will not be blocked.
+
+ This policy will be removed from $1Google Chrome in the future.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Block JavaScript dialogs triggered from a different origin subframe.
+ value: true
+- caption: Allow JavaScript dialogs triggered from a different origin subframe.
+ value: false
+owners:
+- carlosil@chromium.org
+- meacer@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:91-
+- chrome_os:91-
+- android:91-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuppressUnsupportedOSWarning.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuppressUnsupportedOSWarning.yaml
new file mode 100755
index 000000000..95387cdaa
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SuppressUnsupportedOSWarning.yaml
@@ -0,0 +1,26 @@
+caption: Suppress the unsupported OS warning
+desc: |-
+ Setting the policy to Enabled suppresses the warning that appears when $1Google Chrome is running on an unsupported computer or operating system.
+
+ Setting the policy to Disabled or leaving it unset means the warnings appear on unsupported systems.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Suppress warnings when Chrome is running on an unsupported system
+ value: true
+- caption: Allow Chrome to display warnings when running on an unsupported system
+ value: false
+owners:
+- grt@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:49-
+- chrome_os:49-
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml
new file mode 100755
index 000000000..8103bed2c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml
@@ -0,0 +1,36 @@
+arc_support: Disabling Chrome Sync will cause Android
+ Backup and Restore to not function properly.
+caption: Disable synchronization of data with Google
+desc: |-
+ Setting the policy to Enabled turns off data synchronization in $1Google Chrome using Google-hosted synchronization services.
+ To fully turn off Chrome Sync services, we recommend that you turn off the service in the Google Admin console.
+
+ If the policy is set to Disabled or not set, users are allowed to choose whether to use Chrome Sync.
+
+ Note: Do not turn on this policy when RoamingProfileSupportEnabled is Enabled, because that feature shares the same client-side functionality. The Google-hosted synchronization is off completely in this case.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- android
+- fuchsia
+items:
+- caption: Disable Chrome Sync
+ value: true
+- caption: Allow users to choose whether to enable Chrome
+ Sync
+ value: false
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- ios:96-
+tags:
+- filtering
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncTypesListDisabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncTypesListDisabled.yaml
new file mode 100755
index 000000000..41331df81
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncTypesListDisabled.yaml
@@ -0,0 +1,29 @@
+caption: List of types that should be excluded from synchronization
+desc: |-
+ If this policy is set all specified data types will be excluded from synchronization both for Chrome Sync as well as for roaming profile synchronization. This can be beneficial to reduce the size of the roaming profile or limit the type of data uploaded to the Chrome Sync Servers.
+
+ The current data types for this policy are: "apps", "autofill", "bookmarks", "extensions", "preferences", "passwords", "payments", "productComparison", "readingList", "savedTabGroups", "tabs", "themes", "typedUrls", "wifiConfigurations". Those names are case sensitive!
+
+ Notes: Dynamic Policy Refresh is supported only in $1Google Chrome version 123 and later. Disabling "autofill" also disables "payments". "typedUrls" refers to all browsing history.
+example_value:
+- bookmarks
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- pastarmovj@chromium.org
+- mastiz@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:79-
+- android:79-
+- chrome_os:79-
+- ios:97-
+tags:
+- system-security
+type: list
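Review bot: The `schema` at the end of this file accepts any string (`items` is `type: string` with no `enum`), although the description says the data-type names are case sensitive, so an entry such as `Passwords` passes schema validation while matching none of the listed types. How an unrecognised name is handled is not visible in this file; if it is silently ignored, data the administrator meant to keep off the sync servers would still be uploaded. Once the behaviour is confirmed, the description should state it, for example `An entry that does not exactly match one of these names has no effect.`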
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemFeaturesDisableList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemFeaturesDisableList.yaml
new file mode 100755
index 000000000..896ee9261
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemFeaturesDisableList.yaml
@@ -0,0 +1,90 @@
+caption: Configure the camera, browser settings, os settings, scanning, web store,
+ canvas, explore, crosh, gallery, terminal and recorder features to be disabled
+desc: |-
+ Allows you to set a list of $2Google ChromeOS features to be disabled.
+
+ Disabling any of these features means that the user can't access it from the UI and will see it as "disabled by admin". The user experience of disabled features is decided by SystemFeaturesDisableMode
+
+ If the policy is left not set, all $2Google ChromeOS features will be enabled by default and the user can use any of them.
+
+ Note: The scanning feature is currently disabled by default via a feature flag. If the user enables the feature via the feature flag, the feature can still be disabled by this policy.
+example_value:
+- camera
+- browser_settings
+- os_settings
+- scanning
+- web_store
+- canvas
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Browser Settings
+ name: browser_settings
+ value: browser_settings
+- caption: OS Settings
+ name: os_settings
+ value: os_settings
+- caption: Camera
+ name: camera
+ value: camera
+- caption: Scanning (supported since version 87)
+ name: scanning
+ value: scanning
+- caption: Web Store (supported since version 89)
+ name: web_store
+ value: web_store
+- caption: Canvas (supported since version 90)
+ name: canvas
+ value: canvas
+- caption: Unsupported
+ name: google_news
+ value: google_news
+- caption: Explore (supported since version 91)
+ name: explore
+ value: explore
+- caption: Crosh (supported since version 99)
+ name: crosh
+ value: crosh
+- caption: Gallery (supported since version 117)
+ name: gallery
+ value: gallery
+- caption: Terminal (supported since version 117)
+ name: terminal
+ value: terminal
+- caption: Print Jobs (supported since version 129)
+ name: print_jobs
+ value: print_jobs
+- caption: Key Shortcuts (supported since version 129)
+ name: key_shortcuts
+ value: key_shortcuts
+- caption: Recorder (supported since version 130)
+ name: recorder
+ value: recorder
+owners:
+- file://components/policy/OWNERS
+- ayaelattar@chromium.org
+schema:
+ items:
+ enum:
+ - browser_settings
+ - os_settings
+ - camera
+ - scanning
+ - web_store
+ - canvas
+ - google_news
+ - explore
+ - crosh
+ - gallery
+ - terminal
+ - print_jobs
+ - key_shortcuts
+ - recorder
+ type: string
+ type: array
+supported_on:
+- chrome_os:84-
+tags: []
+type: string-enum-list
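Review bot: The `caption` names eleven features, but `items` and `schema.items.enum` also carry `print_jobs` and `key_shortcuts`, so an administrator reading only the caption will not learn that those two can be disabled. I would extend it to `caption: Configure the camera, browser settings, os settings, scanning, web store, canvas, explore, crosh, gallery, terminal, print jobs, key shortcuts and recorder features to be disabled`. The `google_news` item is captioned `Unsupported` yet remains an accepted enum value; a short comment such as `# kept for compatibility, has no effect` would help if that is indeed the reason.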
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemFeaturesDisableMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemFeaturesDisableMode.yaml
new file mode 100755
index 000000000..0462bd158
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemFeaturesDisableMode.yaml
@@ -0,0 +1,33 @@
+caption: Set the user experience of disabled features
+default: blocked
+desc: |-
+ Controls the user experience of disabled features listed in SystemFeaturesDisableList.
+
+ If this policy is set to "blocked", the disabled features will become unusable but still visible to users.
+
+ If this policy is set to "hidden", the disabled features will become unusable and invisible to users.
+
+ If this policy is left unset or has an invalid value, the disable mode of system features will be "blocked".
+example_value: blocked
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Block the disabled features
+ name: blocked
+ value: blocked
+- caption: Hide and block the disabled features
+ name: hidden
+ value: hidden
+owners:
+- anqing@chromium.org
+schema:
+ enum:
+ - blocked
+ - hidden
+ type: string
+supported_on:
+- chrome_os:91-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemProxySettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemProxySettings.yaml
new file mode 100755
index 000000000..3711df013
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemProxySettings.yaml
@@ -0,0 +1,52 @@
+caption: Configures System-proxy service for $2Google
+ ChromeOS.
+desc: |-
+ Configures the availability of System-proxy service and the proxy credentials for system services.
+ If the policy is not set, System-proxy service will not be available.
+device_only: true
+example_value:
+ policy_credentials_auth_schemes:
+ - basic
+ - ntlm
+ system_proxy_enabled: true
+ system_services_password: '0000'
+ system_services_username: test_user
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- acostinas@google.com
+schema:
+ properties:
+ policy_credentials_auth_schemes:
+ description: |-
+ The authentication schemes for which the policy credentials can be applied. Can be one of:
+ * basic
+ * digest
+ * ntlm
+ Leaving this option empty will allow all three schemes to be used.
+ items:
+ enum:
+ - basic
+ - digest
+ - ntlm
+ type: string
+ type: array
+ system_proxy_enabled:
+ type: boolean
+ system_services_password:
+ description: The password for authenticating system services to the remote web
+ proxy.
+ sensitiveValue: true
+ type: string
+ system_services_username:
+ description: The username for authenticating system services to the remote web
+ proxy.
+ sensitiveValue: true
+ type: string
+ type: object
+supported_on:
+- chrome_os:87-
+tags: []
+type: dict
+generate_device_proto: False
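Review bot: Leaving `policy_credentials_auth_schemes` empty is the most permissive choice, since its description says this allows basic, digest and ntlm alike. Nothing in the text tells the administrator that this includes `basic`, which sends the system-service credentials in a trivially reversible encoding. I would add a sentence to that property's description such as `Basic transmits the credentials base64-encoded; list only the schemes the proxy requires.` The `example_value` is likely to be copied as-is, so it would read better without `basic` and with an obviously fake placeholder in place of `'0000'`.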
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemShortcutBehavior.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemShortcutBehavior.yaml
new file mode 100755
index 000000000..d495d406f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/SystemShortcutBehavior.yaml
@@ -0,0 +1,51 @@
+caption: Allows applications to capture and override default system shortcuts.
+desc: |-
+ This policy controls shortcut behavior on $2Google ChromeOS.
+
+ If this policy is unset or set to NormalSystemPriority, all $2Google ChromeOS system shortcuts will always activate as expected.
+
+ If this policy is set to ShouldIgnoreCommonVdiShortcuts, a predetermined list of Launcher key shortcuts will never activate a shortcut.
+
+ If this policy is set to ShouldIgnoreCommonVdiShortcutsFullscreenOnly, a predetermined list of Launcher key shortcuts will never activate a shortcut while an app is fullscreen.
+
+ If this policy is set to AllowPassthroughOfSearchBasedShortcuts, shortcuts with the Search key flow through to apps and are not consumed by the OS.
+
+ If this policy is set to AllowPassthroughOfSearchBasedShortcutsFullscreenOnly, shortcuts with the Search key flow through to apps and are not consumed by the OS, but only when the focused app is fullscreen.
+default: 0
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: All system shortcuts will always activate as expected.
+ name: Default
+ value: 0
+- caption: A predetermined list of shortcuts with the launcher key will never perform an action.
+ name: ShouldIgnoreCommonVdiShortcuts
+ value: 1
+- caption: A predetermined list of shortcuts with the launcher key will never perform an action while fullscreen only.
+ name: ShouldIgnoreCommonVdiShortcutsFullscreenOnly
+ value: 2
+- caption: Shortcuts with the search key are sent to the app first before being handled by the OS.
+ name: AllowPassthroughOfSearchBasedShortcuts
+ value: 3
+- caption: Shortcuts with the search key are sent to the app first before being handled by the OS only when the focused app is fullscreen.
+ name: AllowPassthroughOfSearchBasedShortcutsFullscreenOnly
+ value: 4
+
+owners:
+- gavinwill@google.com
+- dpad@google.com
+- cros-peripherals@google.com
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ - 4
+ type: integer
+supported_on:
+- chrome_os:127-
+tags: []
+type: int-enum
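Review bot: The description calls the value-0 setting `NormalSystemPriority`, but the matching entry under `items` is named `Default`, so the name used in the text corresponds to no item. One of the two should change, e.g. `If this policy is unset or set to Default, all $2Google ChromeOS system shortcuts will always activate as expected.` The description also writes `Launcher key` and `Search key` where the item captions use lower case; one spelling throughout would make the five modes easier to compare.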
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TLS13HardeningForLocalAnchorsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TLS13HardeningForLocalAnchorsEnabled.yaml
new file mode 100755
index 000000000..01aecfa20
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TLS13HardeningForLocalAnchorsEnabled.yaml
@@ -0,0 +1,33 @@
+caption: Enable a TLS 1.3 security feature for local trust anchors.
+deprecated: true
+desc: "This policy controls a security feature in TLS 1.3 which protects connections\
+ \ against downgrade attacks. It is backwards-compatible and will not affect connections\
+ \ to compliant TLS 1.2 servers or proxies. However, older versions of some TLS-intercepting\
+ \ proxies have an implementation flaw which causes them to be incompatible.\n\n\
+ \ If this policy is set to True or not set, $1Google\
+ \ Chrome will enable these security protections for all connections.\n\
+ \n If this policy is set to False, $1Google Chrome\
+ \ will disable these security protections for connections authenticated with locally-installed\
+ \ CA certificates. These protections are always enabled for connections authenticated\
+ \ with publicly-trusted CA certificates.\n\n The default value for this policy\
+ \ was changed in $1Google Chrome 81 from\
+ \ false to true. Affected proxies are expected to fail connections with an error\
+ \ code of ERR_TLS13_DOWNGRADE_DETECTED. Administrators who need more time to upgrade\
+ \ affected proxies may use this policy to temporarily disable this security feature.\
+ \ This policy was removed in version 86.\n "
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://net/ssl/OWNERS
+- davidben@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:79-85
+- chrome_os:79-85
+- android:79-85
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TPMFirmwareUpdateSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TPMFirmwareUpdateSettings.yaml
new file mode 100755
index 000000000..688b5c584
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TPMFirmwareUpdateSettings.yaml
@@ -0,0 +1,50 @@
+caption: Configure TPM firmware update behavior
+desc: |-
+ Setting the policy configures availability and behavior of TPM firmware updates.
+
+ Specify individual settings in JSON properties:
+
+ * allow-user-initiated-powerwash: If set to true, users can trigger the powerwash flow to install a TPM firmware update.
+
+ * allow-user-initiated-preserve-device-state (available starting in $1Google Chrome version 68): If set to true, users can invoke the TPM firmware update flow that preserves device-wide state, including enterprise enrollment, but loses user data.
+
+ * auto-update-mode (available starting in $1Google Chrome version 75): Controls how automatic TPM firmware updates are enforced for vulnerable TPM firmware. All flows preserve local device state. If set to:
+
+ * 1 or left not set, TPM firmware updates are not enforced.
+
+ * 2, TPM firmware updates at the next reboot after user acknowledges the update.
+
+ * 3, TPM firmware updates at the next reboot.
+
+ * 4, TPM firmware updates after enrollment, before user sign-in.
+
+ Leaving the policy unset renders TPM firmware update unavailable.
+device_only: true
+example_value:
+ allow-user-initiated-powerwash: true
+ allow-user-initiated-preserve-device-state: true
+ auto-update-mode: 1
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+schema:
+ properties:
+ allow-user-initiated-powerwash:
+ type: boolean
+ allow-user-initiated-preserve-device-state:
+ type: boolean
+ auto-update-mode:
+ enum:
+ - 1
+ - 2
+ - 3
+ - 4
+ type: integer
+ type: object
+supported_on:
+- chrome_os:63-
+tags: []
+type: dict
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TabDiscardingExceptions.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TabDiscardingExceptions.yaml
new file mode 100755
index 000000000..5a36446d5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TabDiscardingExceptions.yaml
@@ -0,0 +1,26 @@
+caption: URL pattern Exceptions to tab discarding
+desc: "This policy makes it so that any URL matching one or more of the patterns it\
+ \ specifies (using the URLBlocklist\
+ \ filter format) will never be discarded by the browser.\n This applies to\
+ \ memory pressure and high efficiency mode discarding.\n A discarded page is\
+ \ unloaded and its resources fully reclaimed. The tab its associated with remains\
+ \ in the tabstrip, but making it visible will trigger a full reload.\n "
+example_value:
+- example.com
+- https://*
+- '*'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- anthonyvd@chromium.org
+- file://components/performance_manager/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:108-
+- chrome_os:108-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TabFreezingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TabFreezingEnabled.yaml
new file mode 100755
index 000000000..3660bb597
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TabFreezingEnabled.yaml
@@ -0,0 +1,21 @@
+caption: Allow background tabs freeze
+deprecated: true
+desc: |-
+ Controls whether $1Google Chrome can freeze tabs that have been in the background for at least 5 minutes.
+
+ If the policy is set to true, tabs that have been in the background for at least 5 minutes may be frozen. Tab freezing reduces CPU, battery and memory usage. $1Google Chrome uses heuristics to avoid freezing tabs that do useful work in the background (e.g. display notifications, play sound, stream video). Web developers can also opt-out their site from freezing (https://chromium.googlesource.com/chromium/src/+/HEAD/chrome/browser/performance_manager/docs/freezing_opt_out_opt_in.md).
+
+ If the policy is set to false, no tabs will be frozen.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- catan-team@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:79-79
+- chrome_os:79-79
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TabUnderAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TabUnderAllowed.yaml
new file mode 100755
index 000000000..b1c61e037
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TabUnderAllowed.yaml
@@ -0,0 +1,22 @@
+caption: Allow sites to simultaneously navigate and open pop-ups
+deprecated: true
+desc: |-
+ Deprecated in M68. Use DefaultPopupsSetting instead.
+
+ For a full explanation, see https://www.chromestatus.com/feature/5675755719622656.
+ If this policy is enabled, sites will be allowed to simultaneously navigate and open new windows/tabs.
+ If this policy is disabled or not set, sites will be disallowed from simultaneously navigating and opening a new window/tab.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- chrisha@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:67-67
+- chrome_os:67-67
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TargetBlankImpliesNoOpener.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TargetBlankImpliesNoOpener.yaml
new file mode 100755
index 000000000..94f9f2200
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TargetBlankImpliesNoOpener.yaml
@@ -0,0 +1,35 @@
+caption: Do not set window.opener for links
+ targeting _blank
+default: true
+deprecated: true
+desc: |-
+ Setting the policy to Disabled allows pop-ups targeting _blank to access (via JavaScript) the page that requested to open the pop-up.
+
+ Setting the policy to Enabled or leaving it unset causes the window.opener property to be set to null unless the anchor specifies rel="opener".
+
+ This policy was removed in $1Google Chrome version 102.
+
+ See https://chromestatus.com/feature/6140064063029248.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Only allow pop-ups opened with a target of _blank
+ to interact with the page that opened the pop-up if the opener page explicitly
+ opts-in to such interaction
+ value: true
+- caption: 'Allow all pop-ups opened with a target of _blank
+ to interact the page that requested to open the pop-up unless the opener page
+ explicitly opts-out of such interaction '
+ value: false
+owners:
+- ericlaw@microsoft.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:88-102
+- chrome_os:88-102
+- android:88-102
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TaskManagerEndProcessEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TaskManagerEndProcessEnabled.yaml
new file mode 100755
index 000000000..c0dd74c4b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TaskManagerEndProcessEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Enable ending processes in Task Manager
+desc: |-
+ Setting the policy to Disabled prevents users from ending processes in the Task Manager.
+
+ Setting the policy to Enabled or leaving it unset lets users end processes in the Task Manager.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Allow users to end processes with the Chrome task manager
+ value: true
+- caption: Block users from ending processes with the Chrome task manager
+ value: false
+owners:
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:52-
+- chrome_os:52-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TermsOfServiceURL.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TermsOfServiceURL.yaml
new file mode 100755
index 000000000..ff797368f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TermsOfServiceURL.yaml
@@ -0,0 +1,20 @@
+caption: Set the Terms of Service for a device-local account
+desc: |-
+ Setting the policy means $2Google ChromeOS downloads the Terms of Service and presents them to users whenever a device-local account session starts. Users can only sign in to the session after accepting the Terms of Service.
+
+ Leaving the policy unset means no Terms of Service appear.
+
+ The policy should be set to a URL from which $2Google ChromeOS can download the Terms of Service. The Terms of Service must be plain text, served as MIME type text/plain. No markup is allowed.
+example_value: https://www.example.com/terms_of_service.txt
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome_os:26-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ThirdPartyBlockingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ThirdPartyBlockingEnabled.yaml
new file mode 100755
index 000000000..09bab216b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ThirdPartyBlockingEnabled.yaml
@@ -0,0 +1,23 @@
+caption: Enable third party software injection blocking
+desc: |-
+ Setting the policy to Enabled or leaving it unset prevents third-party software from injecting executable code into $1Google Chrome's processes.
+
+ Setting the policy to Disabled allows this software to inject such code into $1Google Chrome's processes.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Prevent third party code from being injected into Chrome
+ value: true
+- caption: Allow third party code to be injected into Chrome
+ value: false
+owners:
+- chrisha@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:65-
+tags: []
+type: main
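Review bot: `tags: []` leaves this policy untagged even though the description says that setting it to Disabled lets third-party software inject executable code into the browser's processes. SuppressUnsupportedOSWarning in this same patch carries `system-security` for a much smaller effect. If the tag is meant to mark policies whose non-default value weakens protection, this one should read `tags:` followed by `- system-security`. `example_value: false` also shows the weakening setting; `true` would be the safer example to copy.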
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ThrottleNonVisibleCrossOriginIframesAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ThrottleNonVisibleCrossOriginIframesAllowed.yaml
new file mode 100755
index 000000000..b06e183fb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ThrottleNonVisibleCrossOriginIframesAllowed.yaml
@@ -0,0 +1,31 @@
+caption: Allows enabling throttling of non-visible, cross-origin iframes
+deprecated: true
+owners:
+- wjmaclean@chromium.org
+- creis@chromium.org
+desc: |-
+ ThrottleDisplayNoneAndVisibilityHiddenCrossOriginIframes is a Chrome feature designed to make cross-process and same-process cross-origin iframes consistent in their rendering behavior. For further details on cross-process vs. same-process throttling, refer to https://chromestatus.com/feature/5175574929080320.
+
+ This enterprise policy exists to allow administrators to control whether their users are able to turn the additional throttling on or not. When the policy is set to disabled it prevents enabling the throttling. When the policy is set to enabled or not set, the user can opt-in to throttling, or it may be enabled via Chrome variations.
+future_on:
+- fuchsia
+supported_on:
+- android:110-123
+- chrome.*:110-123
+- chrome_os:110-123
+features:
+ dynamic_refresh: true
+ per_profile: false
+type: main
+schema:
+ type: boolean
+items:
+- caption:
+ ThrottleDisplayNoneAndVisibilityHiddenCrossOriginIframes feature available
+ value: true
+- caption:
+ ThrottleDisplayNoneAndVisibilityHiddenCrossOriginIframes feature disabled
+ value: false
+default: true
+example_value: true
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ToolbarAvatarLabelSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ToolbarAvatarLabelSettings.yaml
new file mode 100755
index 000000000..08c6f0e86
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/ToolbarAvatarLabelSettings.yaml
@@ -0,0 +1,29 @@
+caption: Managed toolbar avatar label setting
+default: 0
+desc: |-
+ Leaving this policy unset or setting it to display_management_label_permanent (value 0) will show a Work or School label next to the toolbar avatar.
+ These labels will only be shown if the signed in account is managed.
+
+ Setting it to display_management_label_transient (value 1) will show a Work or School label next to the toolbar avatar for 30 seconds after opening the profile.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: false
+supported_on:
+- chrome.*:125-
+items:
+- caption: Always display management label
+ name: display_management_label_permanent
+ value: 0
+- caption: Display management labels for 30s
+ name: display_management_label_transient
+ value: 1
+owners:
+- ydago@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TosDialogBehavior.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TosDialogBehavior.yaml
new file mode 100755
index 000000000..b64f31fdb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TosDialogBehavior.yaml
@@ -0,0 +1,39 @@
+caption: Configuring the ToS behavior during first-run for CCT
+default: 1
+desc: |-
+ By default the Terms of Service are shown when CCT is first-run. Setting this policy to SkipTosDialog will cause the Terms of Service dialog to not appear during the first-run-experience or subsequent runs. Setting this policy to StandardTosDialog or leaving it unset will cause the Terms of Service dialog to appear during the first-run-experience. The other caveats are:
+
+ - This policy only works on fully managed Android devices that can be configured by Unified Endpoint Management vendors.
+
+ - If this policy is SkipTosDialog the BrowserSignin policy will have no effect.
+
+ - If this policy is SkipTosDialog metrics will not be sent to the server.
+
+ - If this policy is SkipTosDialog the browser will have limited functionality.
+
+ - If this policy is SkipTosDialog admins must communicate this to end users of the device.
+example_value: 2
+features:
+ dynamic_refresh: false
+ per_profile: false
+ platform_only: true
+items:
+- caption: Use default browser behavior, shows the ToS and waits for the user to accept.
+ name: StandardTosDialog
+ value: 1
+- caption: Automatically skips ToS and loads the browser.
+ name: SkipTosDialog
+ value: 2
+owners:
+- skym@chromium.org
+- wenyufu@chromium.org
+- twellington@chromium.org
+schema:
+ enum:
+ - 1
+ - 2
+ type: integer
+supported_on:
+- android:87-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TotalMemoryLimitMb.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TotalMemoryLimitMb.yaml
new file mode 100755
index 000000000..a55df064a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TotalMemoryLimitMb.yaml
@@ -0,0 +1,22 @@
+caption: Set limit on megabytes of memory a single Chrome instance can use.
+desc: |-
+ Configures the amount of memory that a single $1Google Chrome instance can use before tabs start being discarded (I.E. the memory used by the tab will be freed and the tab will have to be reloaded when switched to) to save memory.
+
+ If the policy is set, browser will begin to discard tabs to save memory once the limitation is exceeded. However, there is no guarantee that the browser is always running under the limit. Any value under 1024 will be rounded up to 1024.
+
+ If this policy is not set, the browser will only begin attempts to save memory once it has detected that the amount of physical memory on its machine is low.
+example_value: 2048
+features:
+ dynamic_refresh: true
+ per_profile: false
+label: Set memory limit for Chrome instances
+owners:
+- catan-team@chromium.org
+schema:
+ minimum: 1024
+ type: integer
+supported_on:
+- chrome.win:79-
+- chrome.mac:79-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TouchVirtualKeyboardEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TouchVirtualKeyboardEnabled.yaml
new file mode 100755
index 000000000..24f1a53d8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TouchVirtualKeyboardEnabled.yaml
@@ -0,0 +1,33 @@
+caption: Enable the touch virtual keyboard
+default: null
+desc: |-
+ Controls the touch virtual keyboard, acting as a supplementary policy to the VirtualKeyboardEnabled policy.
+
+ If accessibility virtual keyboard is turned on, this policy has no effect.
+
+ Otherwise, this policy has the following effect:
+ If this policy is not set, the virtual keyboard is displayed based on the default system heuristics, such as whether there are keyboards attached.
+ If this policy is set to True, the virtual keyboard is always displayed.
+ If this policy is set to False, the virtual keyboard is never displayed.
+
+ The virtual keyboard may change to a compact layout depending on the input method.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable touch virtual keyboard
+ value: true
+- caption: Disable touch virtual keyboard
+ value: false
+- caption: Enable touch virtual keyboard based on the default system heuristics
+ value: null
+owners:
+- shend@chromium.org
+- e14s-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:37-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TranslateEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TranslateEnabled.yaml
new file mode 100755
index 000000000..c551f792f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TranslateEnabled.yaml
@@ -0,0 +1,33 @@
+caption: Enable Translate
+default: null
+desc: |-
+ Setting the policy to True provides translation functionality when it's appropriate for users by showing an integrated translate toolbar in $1Google Chrome and a translate option on the right-click context menu. Setting the policy to False shuts off all built-in translate features.
+
+ If you set the policy, users can't change this function. Leaving it unset lets them change the setting.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Always offer translation
+ value: true
+- caption: Never offer translation
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- file://components/translate/OWNERS
+- megjablon@chromium.org
+- perrier@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:12-
+- chrome_os:12-
+- android:30-
+- ios:88-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TrashEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TrashEnabled.yaml
new file mode 100755
index 000000000..bda6b8508
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TrashEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Enable capability to send files to the Trash (on supported filesystems) in
+ the $2Google ChromeOS Files app
+default: true
+desc: |-
+ Setting the policy to True allows users of $2Google ChromeOS Files app to see a Trash bin and files under My files and Downloads (including their user created descendants) will be sent there on deletion.
+
+ If the policy is set to False the files that previously resided in trash will still be available by showing hidden files and finding the .Trash directory under My files or Downloads.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome_os:109-
+items:
+- caption: Trash is enabled for the user.
+ value: true
+- caption: Trash is disabled for the user.
+ value: false
+owners:
+- file://ui/file_manager/OWNERS
+- benreich@chromium.org
+schema:
+ type: boolean
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TripleDESEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TripleDESEnabled.yaml
new file mode 100755
index 000000000..8e807fcc5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/TripleDESEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Enable 3DES cipher suites in TLS
+default: null
+deprecated: true
+desc: "This policy was removed in M97 after 3DES was removed from $1Google Chrome.\n\n If the policy is set to true, then 3DES\
+ \ cipher suites in TLS will be enabled. If it is set to false, they will be disabled.\
+ \ If the policy is unset, 3DES cipher suites are disabled by default. This policy\
+ \ may be used to temporarily retain compatibility with an outdated server. This\
+ \ is a stopgap measure and the server should be reconfigured.\n "
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: 3DES cipher suites will be enabled in TLS
+ value: true
+- caption: 3DES cipher suites will be disabled in TLS
+ value: false
+- caption: Use the default setting for 3DES cipher suites in TLS
+ value: null
+owners:
+- file://net/ssl/OWNERS
+- davidben@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:92-96
+- chrome_os:92-96
+- android:92-96
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/U2fSecurityKeyApiEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/U2fSecurityKeyApiEnabled.yaml
new file mode 100755
index 000000000..a98041dfd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/U2fSecurityKeyApiEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Allow using the deprecated U2F Security Key API
+default: false
+deprecated: true
+desc: |-
+ If set to Enabled, the deprecated U2F Security Key API can be used and the deprecation reminder prompt shown for U2F API requests is suppressed.
+
+ If the policy is set to Disabled or left unset, the default behavior will apply.
+
+ The U2F Security Key API is deprecated and it will be disabled by default in Chrome 98.
+
+ This is a temporary opt-out mechanism. The U2F API will be removed from Chrome in Chrome 104, at which point this policy will cease to be supported.
+
+ For more information about the deprecation of the U2F Security Key API, please refer to https://groups.google.com/a/chromium.org/g/blink-dev/c/xHC3AtU_65A.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow using the U2F Security Key API.
+ value: true
+- caption: Apply default settings for U2F API deprecation.
+ value: false
+owners:
+- martinkr@google.com
+- agl@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:96-103
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLAllowlist.yaml
new file mode 100755
index 000000000..b2c0d53ea
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLAllowlist.yaml
@@ -0,0 +1,37 @@
+arc_support: Android apps may voluntarily choose to honor this list. You cannot force
+ them to honor it.
+caption: Allow access to a list of URLs
+desc: |-
+ Setting the policy provides access to the listed URLs, as exceptions to URLBlocklist. See that policy's description for the format of entries of this list. For example, setting URLBlocklist to * will block all requests, and you can use this policy to allow access to a limited list of URLs. Use it to open exceptions to certain schemes, subdomains of other domains, ports, or specific paths, using the format specified at ( https://support.google.com/chrome/a?p=url_blocklist_filter_format ). The most specific filter determines if a URL is blocked or allowed. The URLAllowlist policy takes precedence over URLBlocklist. This policy is limited to 1,000 entries.
+
+ This policy also allows enabling the automatic invocation by the browser of external application registered as protocol handlers for the listed protocols like "tel:" or "ssh:".
+
+ Leaving the policy unset allows no exceptions to URLBlocklist.
+
+ From $1Google Chrome version 92, this policy is also supported in the headless mode.
+example_value:
+- example.com
+- https://ssl.server.com
+- hosting.com/good_path
+- https://server:8080/path
+- .exact.hostname.com
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- hendrich@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:86-
+- chrome_os:86-
+- android:86-
+- webview_android:86-
+- ios:98-
+tags: []
+type: list
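Review bot: `tags: []` on the last lines of this definition leaves URLAllowlist untagged, while URLBlocklist in the same directory carries `filtering`, even though the `desc` says this list takes precedence over URLBlocklist and also enables automatic invocation of external protocol handlers such as "tel:" or "ssh:". Anyone selecting policies by tag to audit URL controls would miss the one that opens the exceptions. I would tag it the same way, `tags:` followed by `- filtering`. The deprecated URLWhitelist.yaml has the same empty tag list.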
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLBlacklist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLBlacklist.yaml
new file mode 100755
index 000000000..4b5c4d0ea
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLBlacklist.yaml
@@ -0,0 +1,32 @@
+arc_support: Android apps may voluntarily choose to honor this list. You cannot force
+ them to honor it.
+caption: Block access to a list of URLs
+deprecated: true
+desc: This policy is deprecated and unsupported, please use the 'URLBlocklist' policy instead.
+example_value:
+- example.com
+- https://ssl.server.com
+- hosting.com/bad_path
+- https://server:8080/path
+- .exact.hostname.com
+- file://*
+- custom_scheme:*
+- '*'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- hendrich@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:15-100
+- chrome_os:15-100
+- android:30-100
+- webview_android:47-100
+tags:
+- filtering
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLBlocklist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLBlocklist.yaml
new file mode 100755
index 000000000..62b8575a8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLBlocklist.yaml
@@ -0,0 +1,45 @@
+arc_support: Android apps may voluntarily choose to honor this list and can't be forced to do this.
+caption: Block access to a list of URLs
+desc: |-
+ Setting the URLBlocklist policy stops web pages with prohibited URLs from loading. Administrators can specify the list of URL patterns to be blocked. If left unset, no URLs are blocked in the browser. Up to 1,000 exceptions can be defined in URLAllowlist. See how to format a URL pattern ( https://support.google.com/chrome/a?p=url_blocklist_filter_format ).
+
+ Note: This policy does not apply to in-page JavaScript URLs with dynamically loaded data. If you blocked example.com/abc, then example.com could still load it using XMLHTTPRequest. Additionally, this policy does not prevent web pages from updating the URL shown in the omnibox to a blocked one using the JavaScript History API.
+
+ From $1Google Chrome version 73, you can block javascript://* URLs. But, this only affects JavaScript entered in the address bar or, for example, bookmarklets.
+
+ From $1Google Chrome version 92, this policy is also supported in the headless mode.
+
+ Note: Blocking internal chrome://* and chrome-untrusted://* URLs can lead to unexpected errors or can be circumvented in some cases. Instead of blocking certain internal URLs, see if there are more specific policies available. For example:
+
+ - Instead of blocking chrome://settings/certificates, use CACertificateManagementAllowed.
+
+ - Instead of blocking chrome-untrusted://crosh, use SystemFeaturesDisableList.
+example_value:
+- example.com
+- https://ssl.server.com
+- hosting.com/bad_path
+- https://server:8080/path
+- .exact.hostname.com
+- file://*
+- custom_scheme:*
+- '*'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- hendrich@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:86-
+- chrome_os:86-
+- android:86-
+- webview_android:86-
+- ios:98-
+- fuchsia:106-
+tags:
+- filtering
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLWhitelist.yaml
new file mode 100755
index 000000000..5adc6868a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/URLWhitelist.yaml
@@ -0,0 +1,28 @@
+arc_support: Android apps may voluntarily choose to honor this list. You cannot force
+ them to honor it.
+caption: Allow access to a list of URLs
+deprecated: true
+desc: This policy is deprecated and unsupported, please use the 'URLAllowlist' policy instead.
+example_value:
+- example.com
+- https://ssl.server.com
+- hosting.com/good_path
+- https://server:8080/path
+- .exact.hostname.com
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- hendrich@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:15-100
+- chrome_os:15-100
+- android:30-100
+- webview_android:47-100
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnifiedDesktopEnabledByDefault.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnifiedDesktopEnabledByDefault.yaml
new file mode 100755
index 000000000..03ca93842
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnifiedDesktopEnabledByDefault.yaml
@@ -0,0 +1,23 @@
+caption: Make Unified Desktop available and turn on by default
+desc: |-
+ Setting the policy to True turns on Unified Desktop, which allows applications to span multiple displays. Users can turn off Unified Desktop for individual displays.
+
+ Setting the policy to False or leaving it unset turns off Unified Desktop, and users can't turn it on.
+example_value: true
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Make Unified Desktop mode available to the user
+ value: true
+- caption: Do not make Unified Desktop mode available to the user
+ value: false
+owners:
+- giovax@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:47-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnmanagedDeviceSignalsConsentFlowEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnmanagedDeviceSignalsConsentFlowEnabled.yaml
new file mode 100755
index 000000000..e70bbfe46
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnmanagedDeviceSignalsConsentFlowEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Ask for consent from managed users to share device signals on unmanaged devices
+ to gain access
+default: false
+desc: |2-
+
+ Setting the policy to Enabled (True) lets $1Google Chrome asks for managed users' consent prior to sharing device signals on unmanaged devices in order to gain access.
+
+ Setting the policy to Disabled (False) or leaving it unset disallows $1Google Chrome from collecting device signals.
+
+ Examples of device signals include (but are not limited to) OS information, registry, file presesnce.
+example_value: true
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome_os
+items:
+- caption: Enable device signal consenting for managed users on unmanaged devices
+ value: true
+- caption: Disable device signal consenting for managed users on unmanaged devices
+ value: false
+owners:
+- xzonghan@chromium.org
+- cbe-device-trust-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:116-
+tags: []
+type: main
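Review bot: The `desc` text has two wording errors that will surface in admin-facing documentation: "lets $1Google Chrome asks for managed users' consent" and "file presesnce". I would change them to `lets $1Google Chrome ask for managed users' consent` and `file presence`. The Enabled sentence speaks only of asking consent before sharing signals, while the Disabled sentence speaks of collecting them. The text should state whether any signal is collected before consent is given, which it currently leaves open.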
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnsafelyTreatInsecureOriginAsSecure.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnsafelyTreatInsecureOriginAsSecure.yaml
new file mode 100755
index 000000000..898844067
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnsafelyTreatInsecureOriginAsSecure.yaml
@@ -0,0 +1,34 @@
+caption: Origins or hostname patterns for which restrictions on insecure origins should not apply
+deprecated: true
+desc: |-
+ Deprecated in M69. Use OverrideSecurityRestrictionsOnInsecureOrigin instead.
+
+ The policy specifies a list of origins (URLs) or hostname patterns (such as "*.example.com") for which security restrictions on insecure origins will not apply.
+
+ The intent is to allow organizations to allow origins for legacy applications that cannot deploy TLS, or to set up a staging server for internal web development so that their developers can test out features requiring secure contexts without having to deploy TLS on the staging server. This policy will also prevent the origin from being labeled "Not Secure" in the omnibox.
+
+ Setting a list of URLs in this policy has the same effect as setting the command-line flag '--unsafely-treat-insecure-origin-as-secure' to a comma-separated list of the same URLs. If the policy is set, it will override the command-line flag.
+
+ This policy is deprecated in M69 in favor of OverrideSecurityRestrictionsOnInsecureOrigin. If both policies are present, OverrideSecurityRestrictionsOnInsecureOrigin will override this policy.
+
+ For more information on secure contexts, see https://www.w3.org/TR/secure-contexts/
+example_value:
+- http://testserver.example.com/
+- '*.example.org'
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- vogelheim@chromium.org
+- pastarmovj@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:65-
+tags:
+- system-security
+type: list
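Review bot: This definition is marked `deprecated: true` and its `desc` says "Deprecated in M69", yet `supported_on` is the open-ended `chrome.*:65-` and `future_on` still lists fuchsia. The other deprecated policies in this directory close their range, for example TripleDESEnabled with `92-96`. As written the policy appears to remain effective when set, so a fleet audit that skips deprecated entries could overlook origins exempted from secure-context restrictions and from the "Not Secure" label. If it is still honoured, the first line of `desc` should say so, e.g. `Deprecated in M69 but still applied when set; review existing values.` The `'*.example.org'` example would also benefit from a remark that a hostname pattern covers every matching subdomain served over plain HTTP.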
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnthrottledNestedTimeoutEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnthrottledNestedTimeoutEnabled.yaml
new file mode 100755
index 000000000..017a66a26
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UnthrottledNestedTimeoutEnabled.yaml
@@ -0,0 +1,42 @@
+caption: Control the nesting threshold before which Javascript setTimeout() function
+ start being clamped
+default: null
+deprecated: true
+desc: "setTimeout(…, 0) is commonly used to break down long Javascript tasks.\n \
+ \ When the policy is set to Enabled, setTimeouts and setIntervals with an\
+ \ interval smaller than 4ms are not clamped as aggressively.\n This improves\
+ \ short horizon performance, but websites abusing the API will still eventually\
+ \ have their setTimeouts clamped.\n\n When the policy is set to Disabled,\
+ \ setTimeouts and setIntervals with an interval smaller than 4ms will be clamped.\n\
+ \n This may change task ordering on a web page, leading to unexpected behavior\
+ \ on sites that are dependent on a certain ordering in some way.\n It also\
+ \ may affect sites with a lot of setTimeout() with a timeout of 0ms usage, e.g.\
+ \ increasing CPU load.\n\n For users where this policy is unset, $1Google Chrome will roll out the change gradually\
+ \ on the stable channel.\n\n This is a temporary policy that is planned\
+ \ be removed in $1Google Chrome 107. This\
+ \ deadline may be extended if there is a need for it among enterprises.\n \
+ \ "
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Javascript setTimeout() will not be clamped until a higher nesting threshold.
+ value: true
+- caption: Javascript setTimeout() will be clamped after a normal nesting threshold.
+ value: false
+- caption: Default behavior for setTimeout() function nested clamp.
+ value: null
+owners:
+- file://third_party/blink/renderer/core/frame/OWNERS
+- etiennep@chromium.org
+- shaseley@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:104-106
+- chrome.*:104-106
+- android:104-106
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UrlKeyedAnonymizedDataCollectionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UrlKeyedAnonymizedDataCollectionEnabled.yaml
new file mode 100755
index 000000000..5598daeb8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UrlKeyedAnonymizedDataCollectionEnabled.yaml
@@ -0,0 +1,36 @@
+caption: Enable URL-keyed anonymized data collection
+default: null
+desc: |-
+ Setting the policy to Enabled means URL-keyed anonymized data collection, which sends URLs of pages the user visits to Google to make searches and browsing better, is always active.
+
+ Setting the policy to Disabled results in no URL-keyed anonymized data collection.
+
+ If this policy is left unset, the user will be able to change this setting manually.
+
+ In $2Google ChromeOS Kiosk, this policy doesn't offer the option to "Allow the user to decide". If this policy is unset for $2Google ChromeOS Kiosk, URL-keyed anonymized data collection is always active.
+ When set for $2Google ChromeOS Kiosk, this policy enables URL-keyed metrics collection for kiosk apps.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: URL-keyed anonymized data collection is always active
+ value: true
+- caption: URL-keyed anonymized data collection is never active
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- file://base/metrics/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:69-
+- chrome_os:69-
+- android:70-
+- ios:90-
+tags:
+- google-sharing
+type: main
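Review bot: The `null` item caption "Allow the user to decide" does not hold for kiosk sessions, because the `desc` states that on $2Google ChromeOS Kiosk an unset policy means URL-keyed anonymized data collection is always active. An administrator reading only the item list would take unset for the neutral choice, while on kiosk it results in visited URLs being sent to Google. I would qualify the caption, e.g. `Allow the user to decide (always active on ChromeOS Kiosk)`. Alternatively, add a sentence to `desc` telling kiosk administrators to set the policy to Disabled explicitly when collection is not wanted.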
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UrlKeyedMetricsAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UrlKeyedMetricsAllowed.yaml
new file mode 100755
index 000000000..2c6769109
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UrlKeyedMetricsAllowed.yaml
@@ -0,0 +1,32 @@
+caption: Allow URL-keyed metrics collection
+default: null
+desc: |-
+ If this policy is set to allowed or unset, URL-keyed metrics collection is allowed.
+ If allowed and URL-keyed metrics collection is enabled by the user, URL-keyed metrics collection sends URLs of pages the user visits to Google to make searches and browsing better along with per-page usage statistics.
+ URL-keyed metrics also includes the identifiers and usage statistics of other browser components that can modify or provide content, such as extensions.
+
+ If this policy is set to disallowed, users cannot enable URL-keyed metrics collection.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- chrome.*
+- chrome_os
+- android
+- ios
+- fuchsia
+items:
+- caption: URL-keyed metrics collection is allowed
+ value: true
+- caption: URL-keyed metrics collection is not allowed
+ value: false
+- caption: URL-keyed metrics collection is allowed
+ value: null
+owners:
+- file://base/metrics/OWNERS
+schema:
+ type: boolean
+tags:
+- google-sharing
+type: main
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UrlParamFilterEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UrlParamFilterEnabled.yaml
new file mode 100755
index 000000000..f829940af
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UrlParamFilterEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Control the URL parameter filter feature
+default: true
+deprecated: true
+desc: |-
+ When enabled or not set, the URL parameter filter may remove some parameters when a user selects "Open Link in Incognito Window" from the context menu.
+ When disabled, no filtering is performed.
+ This policy is temporary and may be removed in a future release.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow the browser to filter URL parameters.
+ value: true
+- caption: Disallow any filtering of URL parameters.
+ value: false
+owners:
+- bcl@google.com
+- mreichhoff@chromium.org
+- file://chrome/browser/url_param_filter/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:102-108
+- chrome.*:102-108
+- android:102-108
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UsbDetachableAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UsbDetachableAllowlist.yaml
new file mode 100755
index 000000000..d8df11c7a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UsbDetachableAllowlist.yaml
@@ -0,0 +1,26 @@
+caption: Allowlist of USB detachable devices
+desc: |-
+ Setting the policy defines the list of USB devices users can detach from their kernel driver to use through the chrome.usb API directly inside a web app. Entries are pairs of USB Vendor Identifier and Product Identifier to identify specific hardware.
+
+ If not set, the list of a detachable USB devices is empty.
+device_only: true
+example_value:
+- product_id: 24577
+ vendor_id: 1027
+- product_id: 8453
+ vendor_id: 16700
+features:
+ dynamic_refresh: false
+owners:
+- vpalatin@chromium.org
+- hendrich@chromium.org
+schema:
+ items:
+ $ref: UsbDeviceIdInclusive
+ type: array
+supported_on:
+- chrome_os:87-
+tags:
+- system-security
+type: dict
+generate_device_proto: False
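Review bot: `generate_device_proto: False` is the only capitalised boolean in this file; the other flags here (`device_only: true`, `dynamic_refresh: false`) are lowercase. How a capitalised `False` is interpreted can depend on the schema the YAML loader applies, so I would write `generate_device_proto: false` to match. UsbDetachableWhitelist.yaml ends with the same line. The `desc` could also remind administrators that each vendor/product pair hands the device to a web app through chrome.usb without its kernel driver, so the list should stay limited to hardware that needs it.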
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UsbDetachableWhitelist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UsbDetachableWhitelist.yaml
new file mode 100755
index 000000000..299f77bd7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UsbDetachableWhitelist.yaml
@@ -0,0 +1,24 @@
+caption: Allowlist of USB detachable devices
+deprecated: true
+desc: This policy is deprecated and unsupported, please use UsbDetachableAllowlist instead.
+device_only: true
+example_value:
+- product_id: 24577
+ vendor_id: 1027
+- product_id: 8453
+ vendor_id: 16700
+features:
+ dynamic_refresh: false
+owners:
+- vpalatin@chromium.org
+- hendrich@chromium.org
+schema:
+ items:
+ $ref: UsbDeviceId
+ type: array
+supported_on:
+- chrome_os:51-100
+tags:
+- system-security
+type: dict
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UsbDetectorNotificationEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UsbDetectorNotificationEnabled.yaml
new file mode 100755
index 000000000..57c24a2a0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UsbDetectorNotificationEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Show a notification when a USB device is detected
+default: true
+desc: |-
+ If this setting is enabled, a notification is shown to the user when a USB device gets plugged in on $2Google ChromeOS.
+
+ If this setting is disabled, no notifications about plugged-in USB devices will be shown to the user.
+
+ If this policy is left unset, users will receive the notifications about plugged-in USB devices.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Show notifications when USB devices are detected
+ value: true
+- caption: Do not show notifications when USB devices are detected
+ value: false
+owners:
+- mpetrisor@chromium.org
+- imprivata-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:110-
+tags: []
+type: main
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UseLegacyFormControls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UseLegacyFormControls.yaml
new file mode 100755
index 000000000..f174c39bb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UseLegacyFormControls.yaml
@@ -0,0 +1,28 @@
+caption: Use Legacy Form Controls until M84.
+deprecated: true
+desc: |2-
+ Starting in M81, the standard form control elements (e.g. <select>, <button>, <input type=date>) were given a refreshed look and feel, with improved accessibility and better platform uniformity. This policy restores the old "legacy" form control elements until M84.
+
+ If this policy is set to True, the "legacy" form control elements will be used for all sites.
+
+ If this policy is set to False or not set, the form control elements will be enabled as they are launched in M81, M82, and M83.
+
+ This policy will be removed after Chrome 84.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+owners:
+- masonf@chromium.org
+- chrishtr@chromium.org
+- hwi@chromium.org
+- nsull@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:81-84
+- chrome_os:81-84
+- android:81-84
+- webview_android:81-84
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UseMojoVideoDecoderForPepperAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UseMojoVideoDecoderForPepperAllowed.yaml
new file mode 100755
index 000000000..e20e299c9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UseMojoVideoDecoderForPepperAllowed.yaml
@@ -0,0 +1,48 @@
+owners:
+- pmolinalopez@chromium.org
+- andrescj@chromium.org
+- blundell@chromium.org
+caption: Allow Pepper to use a new decoder
+ for hardware accelerated video decoding.
+desc: |-
+ This policy controls whether Pepper plugins can
+ use the new decoder to talk to hardware decoders instead of the legacy video
+ decoder.
+
+ The migration only affects internal implementation details and should not
+ change any behavior. However, this policy can be used in case any PPAPI
+ applications do not work as expected.
+
+ When the policy is left unset or set to Enabled the browser will decide which
+ implementation is used.
+ When the policy is set to Disabled, the browser will use the old implementation
+ until this policy expires.
+
+ If you must use the policy, please file a bug on crbug.com explaining your
+ use case and CC {andrescj, blundell, pmolinalopez, vasilyt}@chromium.org. The
+ policy is scheduled to be offered through $1Google Chrome version 114, after which
+ the old implementation will be removed.
+
+ NOTE: Only newly-started renderer processes will reflect changes to this
+ policy while the browser is running.
+
+supported_on:
+- chrome.*:110-114
+- chrome_os:110-114
+deprecated: true
+device_only: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+type: main
+schema:
+ type: boolean
+items:
+- caption: Allow Pepper to use the new video decoder.
+ value: true
+- caption: Force Pepper to use the legacy video decoder.
+ value: false
+default: true
+example_value: false
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAgentClientHintsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAgentClientHintsEnabled.yaml
new file mode 100755
index 000000000..a894e3cae
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAgentClientHintsEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Control the User-Agent Client Hints feature.
+default: true
+deprecated: true
+desc: |-
+ Note that this policy was removed in M94. This policy was intended for short-term adaptation purposes only.
+
+ When enabled the User-Agent Client Hints feature sends granular request headers providing information about the user browser and environment.
+ This is an additive feature, but the new headers may break some websites that restrict the characters that requests may contain.
+ If this policy is enabled or not set the User-Agent Client Hints feature is enabled. If the policy is disabled the feature is unavailable.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- file://components/client_hints/OWNERS
+- yoavweiss@google.com
+- aarontag@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:84-93
+- chrome.*:84-93
+- android:84-93
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAgentClientHintsGREASEUpdateEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAgentClientHintsGREASEUpdateEnabled.yaml
new file mode 100755
index 000000000..e1bc9df17
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAgentClientHintsGREASEUpdateEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Control the User-Agent Client Hints GREASE Update feature.
+default: true
+deprecated: true
+desc: |-
+ This policy is deprecated as the updated GREASE algorithm has been on by default since M103.
+ When enabled the User-Agent Client Hints GREASE Update feature aligns the User-Agent GREASE algorithm with the latest spec.
+ The updated spec may break some websites that restrict the characters that requests may contain. See the spec for more information: https://wicg.github.io/ua-client-hints/#grease
+ This policy will be removed in a future release.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Allow the updated User-Agent GREASE algorithm to be run.
+ value: true
+- caption: Force the prior User-Agent GREASE algorithm to be used.
+ value: false
+owners:
+- miketaylr@google.com
+- mreichhoff@chromium.org
+- file://components/client_hints/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:98-126
+- chrome.*:98-126
+- android:98-126
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAgentReduction.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAgentReduction.yaml
new file mode 100755
index 000000000..9c1d3d104
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAgentReduction.yaml
@@ -0,0 +1,43 @@
+caption: Enable or disable the User-Agent
+ Reduction.
+default: 0
+desc: "The User-Agent HTTP request header\
+ \ is scheduled to be reduced. In order to facilitate testing and compatibility,\
+ \ this policy can enable the reduction feature for all websites, or disable the\
+ \ ability for origin trials or field trials to enable the feature.\n\n To learn\
+ \ more about the User-Agent Reduction\
+ \ and its timeline, read here:\n\n https://blog.chromium.org/2021/09/user-agent-reduction-origin-trial-and-dates.html\n\
+ \ "
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: User Agent reduction will be controllable via Field-Trials and Origin-Trials.
+ name: Default
+ value: 0
+- caption: User Agent reduction disabled, and not enabled by Field-Trials or Origin-Trials.
+ name: ForceDisabled
+ value: 1
+- caption: User Agent reduction will be enabled for all origins.
+ name: ForceEnabled
+ value: 2
+owners:
+- abeyad@chromium.org
+- aarontag@chromium.org
+- miketaylr@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:98-
+- chrome.*:98-
+- android:98-
+tags:
+- website-sharing
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAvatarCustomizationSelectorsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAvatarCustomizationSelectorsEnabled.yaml
new file mode 100755
index 000000000..42ffe342c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAvatarCustomizationSelectorsEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Allow customization of user avatar image using Google profile image or local images.
+desc: |-
+ If this policy is disabled, the user's $2Google ChromeOS avatar image cannot be set using local files, the device camera, or the user's Google profile image.
+
+ The user may set the avatar image from any of these options if this policy is enabled or not set.
+example_value: true
+default: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow user avatar selection from local filesystem, camera and Google profile
+ value: true
+- caption: Prevent user avatar selection from local filesystem, camera and Google profile
+ value: false
+owners:
+- file://ash/webui/personalization_app/OWNERS
+- crmullins@google.com
+- cowmoo@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:114-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAvatarImage.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAvatarImage.yaml
new file mode 100755
index 000000000..a92a90672
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserAvatarImage.yaml
@@ -0,0 +1,34 @@
+caption: User avatar image
+desc: |-
+ This policy allows you to configure the avatar image representing the user on the login screen. The policy is set by specifying the URL from which $2Google ChromeOS can download the avatar image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its size must not exceed 512kB. The URL must be accessible without any authentication.
+
+ The avatar image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.
+
+ If this policy is set, $2Google ChromeOS will download and use the avatar image.
+
+ If you set this policy, users cannot change or override it.
+
+ If the policy is left not set, the user can choose the avatar image representing them on the login screen.
+example_value:
+ hash: deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+ url: https://example.com/avatar.jpg
+features:
+ dynamic_refresh: true
+ per_profile: true
+max_size: 524288
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ properties:
+ hash:
+ description: The SHA-256 hash of the avatar image.
+ type: string
+ url:
+ description: The URL from which the avatar image can be downloaded.
+ type: string
+ type: object
+supported_on:
+- chrome_os:34-
+tags: []
+type: external
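Review bot: The `schema` block declares `hash` and `url` as plain `type: string` and marks neither as required, so the schema does not itself guarantee that the integrity check described in `desc` has a well-formed hash to compare against. If the schema dialect used for these templates supports it, I would add `required: [hash, url]` and a `pattern` on `hash` restricting it to 64 hexadecimal characters, matching the SHA-256 wording in its `description`. The `desc` also does not say whether the URL must be HTTPS, although the example uses it. A sentence such as `The URL should use HTTPS.` would make the expectation explicit, if that is the intended behaviour.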
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserContextAwareAccessSignalsAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserContextAwareAccessSignalsAllowlist.yaml
new file mode 100755
index 000000000..e683536c3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserContextAwareAccessSignalsAllowlist.yaml
@@ -0,0 +1,34 @@
+caption: Enable the Chrome Enterprise Device Trust Connector attestation flow for a list of URLs on Managed Profiles
+desc: |-
+ Enable Chrome Enterprise Device Trust Connector for a list of URLs.
+
+ Setting this policy specifies for which URLs $1Google Chrome will offer to start the attestation flow for managed profiles. The latter allows those websites to get an attested set of context-aware signals from the device.
+ This policy can only be configured via the Chrome Enterprise Connectors page on the Google Admin console.
+
+ Leaving this policy unset or empty means that no website will be able to start a user-level attestation flow and get signals from the device. However if the corresponding
+ BrowserContextAwareAccessSignalsAllowlist policy is enabled then the attestation flow can be started for the managed browser and device signals can be collected.
+
+ For $2Google ChromeOS, this policy is related to remote attestation where a certificate is automatically generated and uploaded to the server. For usage of the attestation flow on the device's login screen, please use the DeviceLoginScreenContextAwareAccessSignalsAllowlist policy.
+
+ For detailed information on valid URL patterns, please see https://support.google.com/chrome/a?p=url_blocklist_filter_format.
+example_value:
+- https://example1.com
+- example2.com
+- https://foo.example3.com/path
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome.*:116-
+- chrome_os:116-
+owners:
+- hmare@google.com
+- seblalancette@chromium.org
+- cbe-device-trust-eng@google.com
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
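Review bot: The second `example_value` entry, `example2.com`, has no scheme, and `desc` does not say what a scheme-less pattern matches for this policy. A match lets the site start the attestation flow and receive device signals, and examples tend to be copied as written, so I would change the entry to `https://example2.com`. Alternatively, add a line to `desc` such as `Patterns should include the https:// scheme so that signals are only offered to sites loaded over HTTPS.` Whether the browser already refuses the flow on non-HTTPS origins is not visible in this file, so that part is a question rather than a finding.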
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserDataDir.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserDataDir.yaml
new file mode 100755
index 000000000..24c1fcb46
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserDataDir.yaml
@@ -0,0 +1,26 @@
+caption: Set user data directory
+desc: |-
+ Configures the directory that $1Google Chrome will use for storing user data.
+
+ If you set this policy, $1Google Chrome will use the provided directory regardless whether the user has specified the '--user-data-dir' flag or not. To avoid data loss or other unexpected errors this policy should not be set to a directory used for other purposes, because $1Google Chrome manages its contents.
+
+ See https://support.google.com/chrome/a?p=Supported_directory_variables for a list of variables that can be used.
+
+ If this policy is left not set the default profile path will be used and the user will be able to override it with the '--user-data-dir' command line flag.
+example_value: ${users}/${user_name}/Chrome
+features:
+ dynamic_refresh: false
+ per_profile: false
+ platform_only: true
+label: Set user data directory
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.win:11-
+- chrome.mac:11-
+tags:
+- local-data-access
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserDataSnapshotRetentionLimit.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserDataSnapshotRetentionLimit.yaml
new file mode 100755
index 000000000..1695493a3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserDataSnapshotRetentionLimit.yaml
@@ -0,0 +1,25 @@
+caption: Limits the number of user data snapshots retained for use in case of emergency
+ rollback.
+default: 3
+desc: |-
+ Following each major version update, Chrome will create a snapshot of certain portions of the user's browsing data for use in case of a later emergency version rollback. If an emergency rollback is performed to a version for which a user has a corresponding snapshot, the data in the snapshot is restored. This allows users to retain such settings as bookmarks and autofill data.
+
+ If this policy is not set, the default value of 3 is used
+
+ If the policy is set, old snapshots are deleted as needed to respect the limit. If the policy is set to 0, no snapshots will be taken
+example_value: 3
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- ydago@chromium.org
+- grt@chromium.org
+schema:
+ minimum: 0
+ type: integer
+supported_on:
+- chrome.*:83-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserDisplayName.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserDisplayName.yaml
new file mode 100755
index 000000000..ee7ecf1a8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserDisplayName.yaml
@@ -0,0 +1,22 @@
+caption: Set the display name for device-local accounts
+desc: |-
+ Controls the account name $2Google ChromeOS shows on the login screen for the corresponding device-local account.
+
+ If this policy is set, the login screen will use the specified string in the picture-based login chooser for the corresponding device-local account.
+
+ If the policy is left not set, $2Google ChromeOS will use the device-local account's email account ID as the display name on the login screen.
+
+ This policy is ignored for regular user accounts.
+example_value: Policy User
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- poromov@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome_os:25-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserFeedbackAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserFeedbackAllowed.yaml
new file mode 100755
index 000000000..47c3af39c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserFeedbackAllowed.yaml
@@ -0,0 +1,27 @@
+caption: Allow user feedback
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset lets users send feedback to Google through Menu > Help > Report an Issue or key combination.
+
+ Setting the policy to Disabled means users can't send feedback to Google.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow users to file feedback
+ value: true
+- caption: Prevent users from filing feedback
+ value: false
+owners:
+- apotapchuk@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:77-
+- chrome_os:77-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserFeedbackWithLowLevelDebugDataAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserFeedbackWithLowLevelDebugDataAllowed.yaml
new file mode 100755
index 000000000..d820d41b1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/UserFeedbackWithLowLevelDebugDataAllowed.yaml
@@ -0,0 +1,34 @@
+caption: Allow low level debug data in user feedback
+desc: |-
+ Setting this policy to a list of device types allows low level debug data from the mentioned device types to be included in user feedback.
+
+ The special entry "all" includes all device types, including device types to be added in the future.
+
+ If the policy is unset or set to an empty list, no low level debug data is attached to the user feedback.
+ See the description of each device type for the specific type of low level debug data.
+example_value:
+- wifi
+features:
+ dynamic_refresh: true
+ per_profile: false
+ internal_only: true
+items:
+- caption: Allow users to include low level debug data from all device types available below in user feedback
+ name: all
+ value: all
+- caption: Allow users to include WiFi low level debug data in user feedback
+ name: wifi
+ value: wifi
+owners:
+- chromeos-wifi-champs@google.com
+- file://components/policy/OWNERS
+schema:
+ type: array
+ items:
+ type: string
+ enum:
+ - wifi
+supported_on:
+- chrome_os:120-
+tags: []
+type: string-enum-list
\ No newline at end of file
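Review bot: `schema.items.enum` lists only `wifi`, while `items` also offers `all` and `desc` documents "all" as a special entry covering every device type. If policy values are validated against the schema, a list containing `all` would presumably not pass, so the three places should agree, for example by adding `- all` under `enum`. Because this policy decides which low-level debug data may be attached to feedback reports, it is worth confirming which of the two the implementation actually honours. The file also ends without a trailing newline.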
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VariationsRestrictParameter.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VariationsRestrictParameter.yaml
new file mode 100755
index 000000000..41da188fd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VariationsRestrictParameter.yaml
@@ -0,0 +1,24 @@
+caption: Set the restriction on the fetching of the Variations seed
+desc: |-
+ Add a parameter to the fetching of the Variations seed in $1Google Chrome.
+
+ If specified, will add a query parameter called 'restrict' to the URL used to fetch the Variations seed. The value of the parameter will be the value specified in this policy.
+
+ If not specified, will not modify the Variations seed URL.
+example_value: restricted
+features:
+ dynamic_refresh: false
+ internal_only: true
+ per_profile: false
+future_on:
+- fuchsia
+owners:
+- file://components/variations/OWNERS
+- mpearson@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:27-
+- android:34-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VideoCaptureAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VideoCaptureAllowed.yaml
new file mode 100755
index 000000000..ce230d64f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VideoCaptureAllowed.yaml
@@ -0,0 +1,28 @@
+caption: Allow or deny video capture
+desc: |-
+ Setting the policy to Enabled or leaving it unset means that, with the exception of URLs set in the VideoCaptureAllowedUrls list, users get prompted for video capture access.
+
+ Setting the policy to Disabled turns off prompts, and video capture is only available to URLs set in the VideoCaptureAllowedUrls list.
+
+ Note: The policy affects all video input (not just the built-in camera).
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable video input
+ value: true
+- caption: Disable video input
+ value: false
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:25-
+- chrome_os:25-
+tags: []
+type: main
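Review bot: This boolean policy has no `default:` key, although `desc` states the unset behaviour (users are prompted) and sibling files in this diff such as WPADQuickCheckEnabled.yaml and UsbDetectorNotificationEnabled.yaml declare `default: true`. Adding `default: true` would make the permissive unset state explicit to anyone auditing the template rather than leaving it to the prose. The same applies to VmManagementCliAllowed.yaml and VpnConfigAllowed.yaml further down, whose descriptions say that unset behaves as enabled. Separately, `tags` is empty here while VideoCaptureAllowedUrls.yaml carries `website-sharing`, so it may be worth checking whether this policy should share that tag.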
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VideoCaptureAllowedUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VideoCaptureAllowedUrls.yaml
new file mode 100755
index 000000000..4bcc58ca6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VideoCaptureAllowedUrls.yaml
@@ -0,0 +1,25 @@
+caption: URLs that will be granted access to video capture devices without prompt
+desc: |-
+ Setting the policy means you specify the URL list whose patterns get matched to the security origin of the requesting URL. A match grants access to video capture devices without prompt
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Note, however, that the pattern "*", which matches any URL, is not supported by this policy.
+example_value:
+- https://www.example.com/
+- https://[*.]example.edu/
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- guidou@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:29-
+- chrome_os:29-
+tags:
+- website-sharing
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VirtualKeyboardResizesLayoutByDefault.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VirtualKeyboardResizesLayoutByDefault.yaml
new file mode 100755
index 000000000..4eed9120f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VirtualKeyboardResizesLayoutByDefault.yaml
@@ -0,0 +1,27 @@
+caption: The virtual keyboard resizes the layout viewport by default
+default: false
+desc: "Setting the policy to True causes the virtual keyboard to resize the layout\
+ \ viewport by default.\n Other states (False/unset) have no effect.\n\n \
+ \ Note that this only affects the default resizing behavior: if a page requests\
+ \ a specific behavior using a <meta> tag or the Virtual Keyboard API, then\
+ \ that requested behavior will still apply.\n\n Note also that this is an \"\
+ escape hatch\" policy that's intended to be short-lived.\n "
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: The default virtual keyboard resize behavior is changed to resize the layout
+ viewport
+ value: true
+- caption: The default virtual keyboard resize behavior is not modified
+ value: false
+owners:
+- andruud@chromium.org
+- bokan@chromium.org
+schema:
+ type: boolean
+supported_on:
+- android:108-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VirtualKeyboardSmartVisibilityEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VirtualKeyboardSmartVisibilityEnabled.yaml
new file mode 100755
index 000000000..4a5e32b11
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VirtualKeyboardSmartVisibilityEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Let the on-screen keyboard appear when appropriate.
+default: true
+desc: |-
+ When the policy is set to True or unset, the on-screen keyboard can appear when it predicts that the user is about to use it.
+
+ When the policy to set to False, the on-screen keyboard only appears if the user explicitly taps on an input field or if an application requests it.
+
+ For example, suppose the user uses the virtual keyboard to type their username in a two-stage login screen. When the login screen transitions to the password stage, if the policy is True, the virtual keyboard may remain visible, even though the user did not tap on the password input field. If the policy is False, then the virtual keyboard will disappear.
+
+ This policy does not apply if the virtual keyboard is disabled (e.g. using the TouchVirtualKeyboardEnabled policy, or if the device is connected to a physical keyboard).
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+ - chrome_os:123-
+items:
+- caption: Show the on-screen keyboard when appropriate.
+ value: true
+- caption: Only show the on-screen keyboard if the user or application requests it.
+ value: false
+owners:
+- shend@chromium.org
+- e14s-eng@google.com
+schema:
+ type: boolean
+tags: []
+type: main
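Review bot: The second paragraph of `desc` reads "When the policy to set to False", which should be `When the policy is set to False, the on-screen keyboard only appears if ...`. The `supported_on` entry is also indented by an extra space and placed before `items`, unlike the other templates in this diff, which put `supported_on` after `schema` with the list item at the key's own indent. Neither point changes how the YAML parses, but the description text is shown to administrators.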
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VmManagementCliAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VmManagementCliAllowed.yaml
new file mode 100755
index 000000000..7af84cb5f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VmManagementCliAllowed.yaml
@@ -0,0 +1,23 @@
+caption: Specify VM CLI permission
+desc: "Instructs $2Google ChromeOS to enable\
+ \ or disable virtual machine management console tools.\n\n If the policy is\
+ \ set to true or left unset, the user will be able to use VM management CLI.\n \
+ \ Otherwise, all of VM management CLI is disabled and hidden.\n "
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable virtual machine command line access
+ value: true
+- caption: Disable virtual machine command line access
+ value: false
+owners:
+- aoldemeier@chromium.org
+- okalitova@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:77-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VpnConfigAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VpnConfigAllowed.yaml
new file mode 100755
index 000000000..00f8181ab
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/VpnConfigAllowed.yaml
@@ -0,0 +1,22 @@
+caption: Allow the user to manage VPN connections
+desc: |-
+ Setting the policy to Enabled or leaving it unset lets users manage (disconnect or modify) VPN connections. If the VPN connection is created using a VPN app, the UI inside the app isn't affected. So, users might still be able to use the app to modify the VPN connection. Use this policy with the Always on VPN feature, which lets the admin decide to establish a VPN connection when starting a device.
+
+ Setting the policy to Disabled turns off the $2Google ChromeOS user interfaces that would let the user disconnect or modify VPN connections.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow the user to manually disconnect or modify a VPN
+ value: true
+- caption: Do not allow the user to manually disconnect or modify a VPN
+ value: false
+owners:
+- giovax@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:71-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WPADQuickCheckEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WPADQuickCheckEnabled.yaml
new file mode 100755
index 000000000..ca1f01198
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WPADQuickCheckEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Enable WPAD optimization
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset turns on WPAD (Web Proxy Auto-Discovery) optimization in $1Google Chrome.
+
+ Setting the policy to Disabled turns off WPAD optimization, causing $1Google Chrome to wait longer for DNS-based WPAD servers.
+
+ Whether or not this policy is set, users can't change the WPAD optimization setting.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Enable Web Proxy Auto-Discovery (WPAD) optimizations
+ value: true
+- caption: Disable Web Proxy Auto-Discovery (WPAD) optimization
+ value: false
+owners:
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:35-
+- chrome_os:35-
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WallpaperGooglePhotosIntegrationEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WallpaperGooglePhotosIntegrationEnabled.yaml
new file mode 100755
index 000000000..7e919b3ba
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WallpaperGooglePhotosIntegrationEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Wallpaper selection from Google Photos
+default: true
+desc: |-
+ If this policy is disabled, the user's $2Google ChromeOS wallpaper image cannot be selected from a Google Photos album.
+
+ The user can choose a Google Photos image as wallpaper if this policy is enabled or not set.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow Google Photos access from personalization app
+ value: true
+- caption: Prevent Google Photos access from personalization app
+ value: false
+owners:
+- file://ash/wallpaper/OWNERS
+- crmullins@google.com
+- cowmoo@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:113-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WallpaperImage.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WallpaperImage.yaml
new file mode 100755
index 000000000..1ec23b5c8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WallpaperImage.yaml
@@ -0,0 +1,32 @@
+caption: Wallpaper image
+desc: |-
+ If you set the policy, $2Google ChromeOS
+
+ downloads and uses the wallpaper image you set for the user's desktop and sign-in screen background, and users can't change it. Specify the URL (that's accessible without authentication) which $2Google ChromeOS
+
+ can download the wallpaper image from, as well as a cryptographic hash (in JPEG format with a file size up to 16 MB) to verify its integrity.
+
+ If not set, users choose the image for the desktop and sign-in screen background.
+example_value:
+ hash: baddecafbaddecafbaddecafbaddecafbaddecafbaddecafbaddecafbaddecaf
+ url: https://example.com/wallpaper.jpg
+features:
+ dynamic_refresh: true
+ per_profile: true
+max_size: 16777216
+owners:
+- file://components/policy/OWNERS
+- anqing@chromium.org
+schema:
+ properties:
+ hash:
+ description: The SHA-256 hash of the wallpaper image.
+ type: string
+ url:
+ description: The URL from which the wallpaper image can be downloaded.
+ type: string
+ type: object
+supported_on:
+- chrome_os:35-
+tags: []
+type: external
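Review bot: In `desc`, the parenthetical "(in JPEG format with a file size up to 16 MB)" is attached to the cryptographic hash instead of the image, so the text reads as if the hash were a JPEG; the schema says the hash is the SHA-256 of the image. Suggested wording for the last sentence: `can download the wallpaper image from (in JPEG format with a file size up to 16 MB), as well as a SHA-256 hash of the image to verify its integrity.` The schema also lists `url` and `hash` without a `required` list, whereas `custom_icon` in WebAppInstallForceList.yaml in this same patch declares both as required. Since the description has the image fetched from a URL that needs no authentication, the hash is the only integrity check the text mentions, so it is worth confirming that a value without `hash` is rejected rather than accepted unverified.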
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WarnBeforeQuittingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WarnBeforeQuittingEnabled.yaml
new file mode 100755
index 000000000..1f385a5bf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WarnBeforeQuittingEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Show a warning dialog when the user is attempting to quit
+default: true
+desc: |-
+ Controls "Warn Before Quitting (⌘Q)" dialog when the user is attempting to quit browser.
+
+ If this policy is set to Enabled or not set, a warning dialog is shown when the user is attempting to quit.
+
+ If this policy is set to Disabled, a warning dialog is not shown when the user is attempting to quit.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Show a warning dialog when the user is attempting to quit
+ value: true
+- caption: Do not show a warning dialog when the user is attempting to quit
+ value: false
+owners:
+- file://components/policy/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.mac:102-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAnnotations.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAnnotations.yaml
new file mode 100755
index 000000000..3d4d5102f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAnnotations.yaml
@@ -0,0 +1,95 @@
+caption: Allow detecting plain text entities in web pages.
+default: 0
+desc: |-
+ This policy decides if plain text entities are detected on webpages, letting users trigger contextual actions by interacting with them.
+ The policy has multiple properties, one for each entity type.
+ The entity types are default, addresses ... .
+
+ If the value for an entity is unset, the behavior of the default entity is applied.
+ The default behavior for default is enabled.
+
+ The values for each entity types are default, enabled,
+ disabled or longpressonly.
+ If the value is set to default, the behavior of the default entity is applied.
+ If the value is set to enabled, entities are detected, underlines and triggered either by one tap or long press.
+ If the value is set to disabled, entities are not detected and not actionable.
+ If the value is set to longpressonly, entities are detected and only actionable using long press.
+example_value:
+ default: enabled
+ addresses: longpressonly
+ calendar: default
+ email: disabled
+ package: default
+ phonenumbers: default
+ units: default
+default:
+ default: enabled
+ addresses: default
+ calendar: default
+ email: default
+ package: default
+ phonenumbers: default
+ units: default
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- olivierrobin@google.com
+- djean@google.com
+- erahmaoui@google.com
+schema:
+ properties:
+ default:
+ enum:
+ - enabled
+ - disabled
+ - longpressonly
+ type: string
+ addresses:
+ enum:
+ - default
+ - enabled
+ - disabled
+ - longpressonly
+ type: string
+ calendar:
+ enum:
+ - default
+ - enabled
+ - disabled
+ - longpressonly
+ type: string
+ email:
+ enum:
+ - default
+ - enabled
+ - disabled
+ - longpressonly
+ type: string
+ package:
+ enum:
+ - default
+ - enabled
+ - disabled
+ - longpressonly
+ type: string
+ phonenumbers:
+ enum:
+ - default
+ - enabled
+ - disabled
+ - longpressonly
+ type: string
+ units:
+ enum:
+ - default
+ - enabled
+ - disabled
+ - longpressonly
+ type: string
+ type: object
+supported_on:
+- ios:123-
+tags: []
+type: dict
+
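Review bot: The top-level key `default` is defined twice in this file, first as `default: 0` right after the caption and again as a mapping after `example_value`. Depending on the parser, duplicate keys in a YAML mapping are either rejected or silently resolved to one of the two values, so the file does not determine which default the policy tooling sees. Given `type: dict` and an object schema, `default: 0` looks like the stray entry, and removing it would leave the mapping as the only default. The `desc` also trails off at "The entity types are default, addresses ... ." while the schema names seven properties; listing them would make the description match the schema.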
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAppInstallForceList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAppInstallForceList.yaml
new file mode 100755
index 000000000..2a38d2900
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAppInstallForceList.yaml
@@ -0,0 +1,111 @@
+caption: Configure list of force-installed Web Apps
+desc: |-
+ Setting the policy specifies a list of web apps that install silently, without user interaction, and which users can't uninstall or turn off.
+
+ Each list item of the policy is an object with a mandatory member:
+ url (the URL of the web app to install)
+
+ and 6 optional members:
+ - default_launch_container
+ (for how the web app opens—a new tab is the default)
+
+ - create_desktop_shortcut
+ (True if you want to create Linux and
+ Microsoft® Windows® desktop shortcuts).
+
+ - fallback_app_name
+ (Starting with $1Google Chrome version 90,
+ allows you to override the app name if it is not a
+ Progressive Web App (PWA), or the app name that is temporarily
+ installed if it is a PWA but authentication is required before the
+ installation can be completed. If both
+ custom_name and
+ fallback_app_name are provided,
+ the latter will be ignored.)
+
+ - custom_name
+ (Starting with $2Google ChromeOS
+ version 99, and version 112 on all other desktop operating systems, allows you to
+ permanently override the app name for all web apps and PWAs.)
+
+ - custom_icon
+ (Starting with $2Google ChromeOS
+ version 99, and version 112 on all other desktop operating systems, allows you to
+ override the app icon of installed apps. The icons have to be square,
+ maximal 1 MB in size, and in one of the following formats: jpeg, png, gif, webp, ico.
+ The hash value has to be the SHA256 hash of the icon file.)
+
+ - install_as_shortcut
+ (Starting with $1Google Chrome
+ version 107). If enabled the given url
+ will be installed as a shortcut, as if done via the "Create Shortcut..."
+ option in the desktop browser GUI.
+ Note that when installed as a shortcut it won't be updated if the
+ manifest in url changes.
+ If disabled or unset, the web app at the given
+ url will be installed normally.
+
+ See PinnedLauncherApps for pinning apps to the $2Google ChromeOS shelf.
+example_value:
+- create_desktop_shortcut: true
+ default_launch_container: window
+ url: https://www.google.com/maps
+- default_launch_container: tab
+ url: https://docs.google.com
+- default_launch_container: window
+ fallback_app_name: Editor
+ url: https://docs.google.com/editor
+- custom_name: My important document
+ default_launch_container: window
+ install_as_shortcut: true
+ url: https://docs.google.com/document/d/ds187akjqih89
+- custom_icon:
+ hash: c28f469c450e9ab2b86ea47038d2b324c6ad3b1e9a4bd8960da13214afd0ca38
+ url: https://mydomain.example.com/sunny_icon.png
+ url: https://weather.example.com
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+label: URLs for Web Apps to be silently installed.
+owners:
+- file://chrome/browser/web_applications/OWNERS
+- ortuno@chromium.org
+schema:
+ items:
+ properties:
+ create_desktop_shortcut:
+ type: boolean
+ custom_icon:
+ properties:
+ hash:
+ type: string
+ url:
+ type: string
+ required:
+ - url
+ - hash
+ type: object
+ custom_name:
+ type: string
+ default_launch_container:
+ enum:
+ - tab
+ - window
+ type: string
+ fallback_app_name:
+ type: string
+ install_as_shortcut:
+ type: boolean
+ url:
+ type: string
+ required:
+ - url
+ type: object
+ type: array
+supported_on:
+- chrome.*:75-
+- chrome_os:75-
+tags: []
+type: dict
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAppSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAppSettings.yaml
new file mode 100755
index 000000000..120af5839
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAppSettings.yaml
@@ -0,0 +1,54 @@
+caption: Web App management settings
+desc: |-
+ This policy allows an admin to specify settings for installed web apps. This policy maps a Web App ID to its specific setting. A default configuration can be set using the special ID *, which applies to all web apps without a custom configuration in this policy.
+
+ The manifest_id field is the Manifest ID for the Web App. See https://developer.chrome.com/blog/pwa-manifest-id/https://developer.chrome.com/blog/pwa-manifest-id/ for instructions on how to determine the Manifest ID for an installed web app.
+ The run_on_os_login field specifies if a web app can be run during OS login. If this field is set to blocked, the web app will not run during OS login and the user will not be able to enable this later. If this field is set to run_windowed, the web app will run during OS login and the user will not be able to disable this later. If this field is set to allowed, the user will be able to configure the web app to run at OS login. The default configuration only allows the allowed and blocked values.
+ (Since version 117) The prevent_close_after_run_on_os_login field specifies if a web app shall be prevented from closing in any way (e.g. by the user, task manager, web APIs). This behavior can only be enabled if run_on_os_login is set to run_windowed. If the app were already running, this property will only come into effect after the app is restarted. If this field is not defined, apps will be closable by users.
+ (Since version 118) The force_unregister_os_integration field specifies if all OS integration for a web app, i.e. shortcuts, file handlers, protocol handlers etc will be removed or not. If an app is already running, this property will come into effect after the app has restarted. This should be used with caution, since this can override any OS integration that is set automatically during the startup of the web applications system. Currently only works on Windows, Mac and Linux platforms.
+example_value:
+- manifest_id: https://foo.example/index.html
+ run_on_os_login: allowed
+- manifest_id: https://bar.example/index.html
+ run_on_os_login: allowed
+- manifest_id: https://foobar.example/index.html
+ run_on_os_login: run_windowed
+ prevent_close_after_run_on_os_login: true
+- manifest_id: '*'
+ run_on_os_login: blocked
+- manifest_id: https://foo.example/index.html
+ force_unregister_os_integration: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- mjackson@microsoft.com
+- cmp@chromium.org
+- file://chrome/browser/web_applications/OWNERS
+- dmurph@chromium.org
+schema:
+ items:
+ properties:
+ manifest_id:
+ type: string
+ run_on_os_login:
+ enum:
+ - allowed
+ - blocked
+ - run_windowed
+ type: string
+ prevent_close_after_run_on_os_login:
+ type: boolean
+ force_unregister_os_integration:
+ type: boolean
+ required:
+ - manifest_id
+ type: object
+ type: array
+supported_on:
+- chrome.*:102-
+- chrome_os:120-
+future_on:
+- fuchsia
+tags: []
+type: dict
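Review bot: The Manifest ID reference in `desc` repeats the URL twice with no separator (`https://developer.chrome.com/blog/pwa-manifest-id/https://developer.chrome.com/blog/pwa-manifest-id/`), which is not a usable link as written; it should be the single `https://developer.chrome.com/blog/pwa-manifest-id/`. Separately, the description says `prevent_close_after_run_on_os_login` can only be enabled when `run_on_os_login` is `run_windowed`, and that the `*` default entry accepts only `allowed` and `blocked`, but the schema expresses neither constraint. Those rules are presumably enforced in code outside this file, so the description should say what happens to an entry that violates them (ignored, or the whole policy rejected), because an admin cannot tell from the schema alone.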
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAuthenticationRemoteProxiedRequestsAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAuthenticationRemoteProxiedRequestsAllowed.yaml
new file mode 100755
index 000000000..97f738720
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAuthenticationRemoteProxiedRequestsAllowed.yaml
@@ -0,0 +1,34 @@
+caption: Allow Chrome Remote Desktop
+ to execute WebAuthn API requests proxied from a remote host.
+default: false
+desc: |-
+ If set to Enabled, Chrome Remote Desktop may execute WebAuthn API requests that originate from a browsing session on a remote host.
+
+ If the policy is set to Disabled or left unset, the default behavior will apply.
+
+ Note that this feature is only supported inside Google's internal network environment.
+example_value: true
+features:
+ dynamic_refresh: true
+ internal_only: true
+ per_profile: true
+ platform_only: true
+future_on:
+- fuchsia
+items:
+- caption: Allow CRD to execute WebAuthn API requests proxied from a remote host.
+ value: true
+- caption: Do not allow CRD to execute WebAuthn API requests proxied from a remote
+ host.
+ value: false
+owners:
+- martinkr@google.com
+- agl@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:103-
+- chrome_os:103-
+tags:
+- full-admin-access
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAuthnFactors.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAuthnFactors.yaml
new file mode 100755
index 000000000..f94a83112
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebAuthnFactors.yaml
@@ -0,0 +1,38 @@
+caption: Configure allowed WebAuthn factors
+desc: |-
+ Setting the policy controls which WebAuthn factors can be used.
+
+ To allow:
+
+ * Every WebAuthn factor, use ["all"] (includes factors added in the future).
+
+ * Only PIN, use ["PIN"].
+
+ * PIN and fingerprint, use ["PIN", "FINGERPRINT"].
+
+ If the policy is unset or set to an empty list, no WebAuthn factors are available for managed devices.
+example_value:
+- PIN
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: All
+ name: all
+ value: all
+- caption: PIN
+ name: PIN
+ value: PIN
+- caption: Fingerprint
+ name: FINGERPRINT
+ value: FINGERPRINT
+owners:
+- hcyang@google.com
+- cros-hwsec@google.com
+- cros-lurs@google.com
+schema:
+ $ref: WebAuthnFactors
+supported_on:
+- chrome_os:101-
+tags: []
+type: string-enum-list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebComponentsV0Enabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebComponentsV0Enabled.yaml
new file mode 100755
index 000000000..444da36a3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebComponentsV0Enabled.yaml
@@ -0,0 +1,26 @@
+caption: Re-enable Web Components v0 API until M84.
+deprecated: true
+desc: |2-
+ The Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were deprecated in 2018, and have been disabled by default starting in M80. This policy allows these features to be selectively re-enabled until M84.
+
+ If this policy is set to True, the Web Components v0 features will be enabled for all sites.
+
+ If this policy is set to False or not set, the Web Components v0 features will be disabled by default, starting in M80.
+
+ This policy will be removed after Chrome 84.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+owners:
+- masonf@chromium.org
+- chrishtr@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:80-84
+- chrome_os:80-84
+- android:80-84
+- webview_android:80-84
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebDriverOverridesIncompatiblePolicies.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebDriverOverridesIncompatiblePolicies.yaml
new file mode 100755
index 000000000..75ddd6a8c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebDriverOverridesIncompatiblePolicies.yaml
@@ -0,0 +1,29 @@
+caption: Allow WebDriver to Override Incompatible Policies
+deprecated: true
+desc: |2-
+
+ This policy was removed in M80, because it is not necessary anymore as
+ WebDriver is now compatible with all existing policies.
+
+ This policy allows users of the WebDriver feature to override policies which can interfere with its operation.
+
+ Currently this policy disables SitePerProcess and IsolateOrigins policies.
+
+ If the policy is enabled, WebDriver will be able to override incompatible policies.
+
+ If the policy is disabled or not configured, WebDriver will not be allowed to override incompatible policies.
+device_only: false
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:65-79
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcAllowLegacyTLSProtocols.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcAllowLegacyTLSProtocols.yaml
new file mode 100755
index 000000000..90f214776
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcAllowLegacyTLSProtocols.yaml
@@ -0,0 +1,30 @@
+caption: Allow legacy TLS/DTLS downgrade in WebRTC
+default: false
+deprecated: true
+desc: |-
+ If enabled, WebRTC peer connections can downgrade to obsolete
+ versions of the TLS/DTLS (DTLS 1.0, TLS 1.0 and TLS 1.1) protocols.
+ When this policy is disabled or not set, these TLS/DTLS versions are
+ disabled.
+
+ This policy was removed in version M121 of
+ $1Google Chrome.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Allow WebRTC to use obsolete versions of the TLD/DTLS protocol
+ value: true
+- caption: Prevent WebRTC from using obsolete versions of TLS/DTLS
+ value: false
+owners:
+- hta@chromium.org
+- guidou@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:87-120
+- chrome_os:87-120
+tags: []
+type: main
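Review bot: The caption of the `true` item reads "TLD/DTLS", which looks like a typo for "TLS/DTLS" as used in the policy caption and in the `false` item. Suggested line: `- caption: Allow WebRTC to use obsolete versions of the TLS/DTLS protocol`. Item captions are presumably what admins see and search for, so the wrong acronym makes this downgrade exception harder to find when auditing for legacy TLS settings.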
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcEventLogCollectionAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcEventLogCollectionAllowed.yaml
new file mode 100755
index 000000000..bbfede696
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcEventLogCollectionAllowed.yaml
@@ -0,0 +1,28 @@
+caption: Allow collection of WebRTC event logs from Google services
+desc: |-
+ Setting the policy to Enabled means $1Google Chrome can collect WebRTC event logs from Google services such as Hangouts Meet and upload them to Google. These logs have diagnostic information for debugging issues with audio or video meetings in $1Google Chrome, such as the time and size of RTP packets, feedback about congestion on the network, and metadata about time and quality of audio and video frames. These logs have no audio or video content from the meeting. To make debugging easier, Google might associate these logs, by means of a session ID, with other logs collected by the Google service itself.
+
+ Setting the policy to Disabled results in no collection or uploading of such logs.
+
+ Leaving the policy unset on versions up to and including M76 means $1Google Chrome defaults to not being able to collect and upload these logs. Starting at M77, $1Google Chrome defaults to being able to collect and upload these logs from most profiles affected by cloud-based, user-level enterprise policies. From M77 up to and including M80, $1Google Chrome can also collect and upload these logs by default from profiles affected by $1Google Chrome on-premise management.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow WebRTC event log collection from Google services
+ value: true
+- caption: Do not allow WebRTC event log collection from Google services
+ value: false
+owners:
+- eladalon@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:70-
+- chrome_os:70-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcIPHandling.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcIPHandling.yaml
new file mode 100755
index 000000000..b6f2f6656
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcIPHandling.yaml
@@ -0,0 +1,43 @@
+caption: The IP handling policy of WebRTC
+default: default
+desc: This policy allows restricting which IP addresses and interfaces WebRTC uses
+ when attempting to find the best available connection. See RFC 8828 section 5.2
+ (https://tools.ietf.org/html/rfc8828.html#section-5.2). When unset, defaults to
+ using all available interfaces.
+example_value: default
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: WebRTC will use all available interfaces when searching for the best path.
+ name: default
+ value: default
+- caption: WebRTC will only use the interface connecting to the public Internet, but
+ may connect using private IP addresses.
+ name: default_public_and_private_interfaces
+ value: default_public_and_private_interfaces
+- caption: WebRTC will only use the interface connecting to the public Internet, and
+ will not connect using private IP addresses.
+ name: default_public_interface_only
+ value: default_public_interface_only
+- caption: WebRTC will use TCP on the public-facing interface, and will only use UDP
+ if supported by a configured proxy.
+ name: disable_non_proxied_udp
+ value: disable_non_proxied_udp
+owners:
+- file://third_party/blink/renderer/modules/peerconnection/OWNERS
+- toprice@chromium.org
+schema:
+ enum:
+ - default
+ - default_public_and_private_interfaces
+ - default_public_interface_only
+ - disable_non_proxied_udp
+ type: string
+supported_on:
+- chrome.*:91-
+- chrome_os:91-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcLocalIpsAllowedUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcLocalIpsAllowedUrls.yaml
new file mode 100755
index 000000000..6cd45d243
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcLocalIpsAllowedUrls.yaml
@@ -0,0 +1,25 @@
+caption: URLs for which local IPs are exposed in WebRTC ICE candidates
+desc: |-
+ Patterns in this list will be matched against the security origin of the requesting URL.
+ If a match is found or chrome://flags/#enable-webrtc-hide-local-ips-with-mdns is Disabled, the local IP addresses are shown in WebRTC ICE candidates.
+ Otherwise, local IP addresses are concealed with mDNS hostnames.
+ Please note that this policy weakens the protection of local IPs if needed by administrators.
+example_value:
+- https://www.example.com
+- '*example.com*'
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- qingsi@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:79-
+- chrome_os:79-
+tags: []
+type: list
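Review bot: The second `example_value` entry, `'*example.com*'`, is a far broader pattern than the first and is a poor model for an allowlist that, by the description's own wording, weakens the protection of local IPs. If the wildcards match arbitrary characters, as their form suggests, the pattern would also match origins that merely contain the string, for instance a host under an unrelated domain (constructed example: `example.com.other.test`). An example anchored to scheme and host, such as the existing `https://www.example.com`, is the safer thing for admins to copy. The pattern grammar is not visible in this hunk, so the exact matching rules should be confirmed before suggesting a wildcard form in the example at all.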
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcTextLogCollectionAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcTextLogCollectionAllowed.yaml
new file mode 100755
index 000000000..5c6c2caee
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcTextLogCollectionAllowed.yaml
@@ -0,0 +1,27 @@
+caption: Allow WebRTC text logs collection from Google Services
+desc: |-
+ Setting the policy to enabled means $1Google Chrome can collect WebRTC text logs from Google services such as Google Meet and upload them to Google. These logs have diagnostic information for debugging issues with audio or video meetings in $1Google Chrome, such as textual metadata describing incoming and outgoing WebRTC streams, WebRTC specific log entries and additional system information. These logs have no audio or video content from the meeting.
+ Setting the policy to disabled results in no uploading of such logs to Google. Logs would still accumulate locally on the user's device.
+ Leaving the policy unset means $1Google Chrome defaults to being able to collect and upload these logs.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+ - fuchsia
+items:
+ - caption: Allow WebRTC text log collection from Google Services
+ value: true
+ - caption: Do not allow WebRTC text log collection from Google Services
+ value: false
+owners:
+ - sugandhagoyal@chromium.org
+ - file://chrome/browser/media/webrtc/OWNERS
+schema:
+ type: boolean
+supported_on:
+ - chrome.*:113-
+ - chrome_os:113-
+tags:
+ - google-sharing
+type: main
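Review bot: The `false` item caption says "Do not allow WebRTC text log collection from Google Services", but the description states that disabling only stops the upload and that logs "would still accumulate locally on the user's device". An admin who reads only the caption would expect no logs to be written at all, which matters where local diagnostic data is in scope for retention or privacy review. Wording the item as `- caption: Do not allow upload of WebRTC text logs from Google Services` would match the described behaviour. As a style point, this file indents its list items under `future_on`, `items`, `owners`, `supported_on` and `tags`, unlike the sibling policy files in this patch; it is valid YAML but inconsistent.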
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcUdpPortRange.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcUdpPortRange.yaml
new file mode 100755
index 000000000..be0c1dbff
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebRtcUdpPortRange.yaml
@@ -0,0 +1,21 @@
+caption: Restrict the range of local UDP ports used by WebRTC
+desc: |-
+ If the policy is set, the UDP port range used by WebRTC is restricted to the specified port interval (endpoints included).
+
+ If the policy is not set, or if it is set to the empty string or an invalid port range, WebRTC is allowed to use any available local UDP port.
+example_value: 10000-11999
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- guidou@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:54-
+- chrome_os:54-
+- android:54-
+tags: []
+type: string
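Review bot: The description makes an invalid port range behave exactly like no restriction ("WebRTC is allowed to use any available local UDP port"), and the schema is a bare `type: string`, so a typo in the value silently removes the limit the admin meant to impose. If the policy schema format supports a string `pattern`, constraining the value to the `<low>-<high>` form would let a malformed value fail validation instead of failing open. Otherwise the description should at least tell admins that a malformed value disables the restriction and that the effective range must be checked after deployment.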
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebSQLAccess.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebSQLAccess.yaml
new file mode 100755
index 000000000..d59d88289
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebSQLAccess.yaml
@@ -0,0 +1,26 @@
+caption: Force WebSQL to be enabled.
+default: false
+deprecated: true
+desc: |-
+ As of M119, if this policy is set to false or unset, WebSQL is disabled, but can be enabled via Chrome flag "web-sql-access". If the policy is set to true, WebSQL access is enabled.
+ This policy is deprecated as of M124.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Force WebSQL to be enabled.
+ value: true
+- caption: Allow WebSQL to be enabled by Chrome flag.
+ value: false
+owners:
+- ayui@chromium.org
+- chrome-owp-storage@google.com
+schema:
+ type: boolean
+supported_on:
+- android:101-123
+- chrome.*:101-123
+- chrome_os:101-123
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebSQLInThirdPartyContextEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebSQLInThirdPartyContextEnabled.yaml
new file mode 100755
index 000000000..60fd689d9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebSQLInThirdPartyContextEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Force WebSQL in third-party contexts to be re-enabled.
+default: false
+deprecated: true
+desc: |-
+ WebSQL in third-party contexts (e.g., cross-site iframes) is off by default as of M97 and will be fully removed in M101.
+ If this policy is set to false or unset, WebSQL in third party contexts will remain off.
+ If this policy is set to true, WebSQL in third-party contexts will be re-enabled.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Force WebSQL in third-party contexts to be re-enabled.
+ value: true
+- caption: Allow WebSQL in third-party contexts to be disabled by default.
+ value: false
+owners:
+- arichiv@chromium.org
+schema:
+ type: boolean
+supported_on:
+- android:96-100
+- chrome.*:96-100
+- chrome_os:96-100
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebSQLNonSecureContextEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebSQLNonSecureContextEnabled.yaml
new file mode 100755
index 000000000..f5259a055
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebSQLNonSecureContextEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Force WebSQL in non-secure contexts to be enabled.
+default: false
+deprecated: true
+desc: |-
+ WebSQL in non-secure contexts will be removed starting M110. This policy re-enables the API.
+ If this policy is set to true, WebSQL in non-secure contexts will be available.
+ If this policy is set to false or unset, WebSQL in non-secure contexts will remain available until M109, then unavailable starting M110.
+ This was removed in M112.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: WebSQL in non-secure contexts will be available.
+ value: true
+- caption: WebSQL in non-secure contexts will remain available until M109, then unavailable starting M110.
+ value: false
+owners:
+- ayui@chromium.org
+- chrome-owp-storage@google.com
+schema:
+ type: boolean
+supported_on:
+- android:105-112
+- chrome.*:105-112
+- chrome_os:105-112
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebXRImmersiveArEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebXRImmersiveArEnabled.yaml
new file mode 100755
index 000000000..1039da241
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WebXRImmersiveArEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Allow creating WebXR's "immersive-ar"
+ sessions
+default: true
+desc: |-
+ Configures whether the sites that the user navigates to are allowed to create immersive Augmented Reality sessions using WebXR Device API.
+
+ When this policy is unset or enabled, the WebXR Device API will accept "immersive-ar" during session creation, thus allowing the users to enter Augmented Reality experiences.
+
+ When this policy is disabled, the WebXR Device API will reject requests to create sessions with mode set to "immersive-ar". The existing "immersive-ar" sessions (if any) will not be terminated.
+
+ For more details about "immersive-ar" sessions, please see WebXR Augmented Reality Module specification.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow creating WebXR's "immersive-ar"
+ sessions
+ value: true
+- caption: Prevent creating WebXR's "immersive-ar"
+ sessions
+ value: false
+owners:
+- bialpio@chromium.org
+- xr-dev@chromium.org
+schema:
+ type: boolean
+supported_on:
+- android:90-
+tags:
+- website-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WelcomePageOnOSUpgradeEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WelcomePageOnOSUpgradeEnabled.yaml
new file mode 100755
index 000000000..256d90067
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WelcomePageOnOSUpgradeEnabled.yaml
@@ -0,0 +1,19 @@
+caption: Enable showing the welcome page on the first browser launch following OS
+ upgrade
+deprecated: true
+desc: |-
+ If this policy is set to true or not configured, the browser will re-show the welcome page on the first launch following an OS upgrade.
+
+ If this policy is set to false, the browser will not re-show the welcome page on the first launch following an OS upgrade.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- grt@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:45-62
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WifiSyncAndroidAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WifiSyncAndroidAllowed.yaml
new file mode 100755
index 000000000..342d3bcb5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WifiSyncAndroidAllowed.yaml
@@ -0,0 +1,33 @@
+caption: Allow Wi-Fi network configurations to be synced across $2Google
+ ChromeOS devices and a connected Android phone.
+default_for_enterprise_users: false
+desc: |-
+ If this setting is enabled, users will be allowed to sync Wi-Fi network configurations between their $2Google ChromeOS device(s) and a connected Android phone. Before Wi-Fi network configurations can sync, users must explicitly opt in to this feature by completing a setup flow.
+
+ If this setting is disabled, users will not be allowed to sync Wi-Fi network configurations.
+
+ This feature depends on the wifiConfigurations datatype in Chrome Sync being enabled. If wifiConfigurations is disabled in the SyncTypesListDisabled policy, or Chrome Sync is disabled in the SyncDisabled policy this feature will not be enabled.
+
+ If this policy is left not set, the default is not allowed for managed users.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow Wi-Fi network configurations to be synced across $2Google
+ ChromeOS devices and a connected Android phone
+ value: true
+- caption: Do not allow Wi-Fi network configurations to be synced across $2Google
+ ChromeOS devices and a connected Android phone
+ value: false
+owners:
+- jonmann@chromium.org
+- chromeos-cross-device-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:89-
+tags:
+- local-data-access
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WindowOcclusionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WindowOcclusionEnabled.yaml
new file mode 100755
index 000000000..c9d2684a9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Miscellaneous/WindowOcclusionEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable Window Occlusion
+default: true
+desc: |-
+ Enables window occlusion in $1Google Chrome.
+
+ If you enable this setting, to reduce CPU and power consumption $1Google Chrome will detect when a window is covered by other windows, and will suspend work painting pixels.
+
+ If you disable this setting $1Google Chrome will not detect when a window is covered by other windows.
+
+ If this policy is left not set, occlusion detection will be enabled.
+example_value: true
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Detect covered window and suspend its painting
+ value: true
+- caption: Do not detect covered window
+ value: false
+owners:
+- file://components/policy/OWNERS
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:90-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/.group.details.yaml
new file mode 100755
index 000000000..2e4548052
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/.group.details.yaml
@@ -0,0 +1,3 @@
+caption: Native Messaging
+desc: Configures policies for Native Messaging. Blocked native messaging hosts won't
+ be allowed unless they are whitelisted.
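Review bot: The group `desc:` still says "whitelisted", while the policies it groups are named NativeMessagingAllowlist and NativeMessagingBlocklist and their own descriptions switch between "deny list", "blocklist" and "allow list". Naming the policy removes the ambiguity for an admin auditing which hosts may run: `be allowed unless they are listed in NativeMessagingAllowlist.` The same mixed vocabulary appears in NativeMessagingAllowlist.yaml and NativeMessagingBlocklist.yaml further down this diff.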
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/NativeMessagingAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/NativeMessagingAllowlist.yaml
new file mode 100755
index 000000000..a846a0d72
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/NativeMessagingAllowlist.yaml
@@ -0,0 +1,25 @@
+caption: Configure native messaging allowlist
+desc: |-
+ Setting the policy specifies which native messaging hosts aren't subject to the deny list. A deny list value of * means all native messaging hosts are denied, unless they're explicitly allowed.
+
+ All native messaging hosts are allowed by default. But, if all native messaging hosts are denied by policy, the admin can use the allow list to change that policy.
+example_value:
+- com.native.messaging.host.name1
+- com.native.messaging.host.name2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+label: Names of the native messaging hosts to exempt from the blocklist
+owners:
+- file://components/policy/OWNERS
+- zmin@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:86-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/NativeMessagingBlocklist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/NativeMessagingBlocklist.yaml
new file mode 100755
index 000000000..c6cc98103
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/NativeMessagingBlocklist.yaml
@@ -0,0 +1,25 @@
+caption: Configure native messaging blocklist
+desc: |-
+ Setting the policy specifies which native messaging hosts shouldn't be loaded. A deny list value of * means all native messaging hosts are denied, unless they're explicitly allowed.
+
+ Leaving the policy unset means $1Google Chrome loads all installed native messaging hosts.
+example_value:
+- com.native.messaging.host.name1
+- com.native.messaging.host.name2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+label: Names of the forbidden native messaging hosts (or * for all)
+owners:
+- file://components/policy/OWNERS
+- atwilson@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:86-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/NativeMessagingUserLevelHosts.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/NativeMessagingUserLevelHosts.yaml
new file mode 100755
index 000000000..3fcb58a30
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/NativeMessagingUserLevelHosts.yaml
@@ -0,0 +1,25 @@
+caption: Allow user-level Native Messaging hosts (installed without admin permissions)
+desc: |-
+ Setting the policy to Enabled or leaving it unset means $1Google Chrome can use native messaging hosts installed at the user level.
+
+ Setting the policy to Disabled means $1Google Chrome can only use these hosts if installed at the system level.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow both user-level and system-level native messaging hosts
+ value: true
+- caption: Allow only system-level native messaging hosts
+ value: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:34-
+tags: []
+type: main
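Review bot: This file has no `default:` key, so the fact that user-level hosts are allowed when the policy is unset is recorded only in the `desc:` prose. WindowOcclusionEnabled.yaml in this same diff carries `default: true` for the equivalent case. The caption says these hosts are installed without admin permissions, so the permissive unset state is the one an admin needs to notice. The description could say so directly, for example `With the policy unset or Enabled, NativeMessagingBlocklist and NativeMessagingAllowlist are the only policies in this group that restrict hosts a user installs.` If the template format accepts it for this policy, `default: true` would also make the unset behaviour machine-readable.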
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/policy_atomic_groups.yaml
new file mode 100755
index 000000000..0687d6068
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NativeMessaging/policy_atomic_groups.yaml
@@ -0,0 +1,6 @@
+NativeMessaging:
+ caption: Native messaging
+ policies:
+ - NativeMessagingBlocklist
+ - NativeMessagingAllowlist
+ - NativeMessagingUserLevelHosts
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/.group.details.yaml
new file mode 100755
index 000000000..240e343e9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Network settings
+desc: Controls device-wide network configuration.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/AccessControlAllowMethodsInCORSPreflightSpecConformant.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/AccessControlAllowMethodsInCORSPreflightSpecConformant.yaml
new file mode 100755
index 000000000..f16c0f5ae
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/AccessControlAllowMethodsInCORSPreflightSpecConformant.yaml
@@ -0,0 +1,37 @@
+caption: Make Access-Control-Allow-Methods matching in CORS preflight spec conformant
+default: true
+desc: |-
+ This policy controls whether request methods are uppercased when matching with Access-Control-Allow-Methods response headers in CORS preflight.
+
+ If the policy is Disabled, request methods are uppercased.
+ This is the behavior on or before $1Google Chrome 108.
+
+ If the policy is Enabled or not set, request methods are not uppercased, unless matching case-insensitively with DELETE, GET, HEAD, OPTIONS, POST, or PUT.
+ This would reject fetch(url, {method: 'Foo'}) + "Access-Control-Allow-Methods: FOO" response header,
+ and would accept fetch(url, {method: 'Foo'}) + "Access-Control-Allow-Methods: Foo" response header.
+
+ Note: request methods "post" and "put" are not affected, while "patch" is affected.
+
+ This policy is intended to be temporary and will be removed in the future.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Do not uppercase request methods except for DELETE/GET/HEAD/OPTIONS/POST/PUT
+ value: true
+- caption: Always uppercase request methods
+ value: false
+owners:
+- toyoshim@chromium.org
+- hiroshige@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:109-
+- chrome.*:109-
+- android:109-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/BlockTruncatedCookies.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/BlockTruncatedCookies.yaml
new file mode 100755
index 000000000..b6f9b6a89
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/BlockTruncatedCookies.yaml
@@ -0,0 +1,35 @@
+caption: Block truncated cookies
+default: true
+deprecated: true
+desc: |-
+ Note: No site breakage has been reported since Chrome began blocking these cookies by default starting in M118, so this functionality won't be configurable (and this policy will have no effect) starting in M127.
+
+ This policy provides a temporary opt-out for changes to how Chrome handles cookies set via JavaScript that contain certain control characters (NULL, carriage return, and line feed).
+ Previously, the presence of any of these characters in a cookie string would cause it to be truncated but still set.
+ Now, the presence of these characters will cause the whole cookie string to be ignored.
+
+ When this policy is set to True (the default), the new behavior is enabled.
+
+ When this policy is set to False, the old behavior is enabled.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Block truncated cookies
+ value: true
+- caption: Allow truncated cookies
+ value: false
+owners:
+- awillia@chromium.org
+- file://net/cookies/OWNERS
+schema:
+ type: boolean
+supported_on:
+- android:118-126
+- chrome_os:118-126
+- chrome.*:118-126
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/CompressionDictionaryTransportEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/CompressionDictionaryTransportEnabled.yaml
new file mode 100755
index 000000000..4eb32220d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/CompressionDictionaryTransportEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Enable compression dictionary transport support
+default: true
+desc: |-
+ This feature enables the use of dictionary-specific content encodings in the Accept-Encoding request header ("sbr" and "zst-d") when dictionaries are available for use.
+
+ Setting the policy to Enabled or leaving it unset means $1Google Chrome will accept web contents using the compression dictionary transport feature.
+ Setting the policy to Disabled turns off the compression dictionary transport feature.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Accept web contents use compression dictionary transport feature
+ value: true
+- caption: Do not allow using compression dictionary transport feature
+ value: false
+owners:
+- horo@chromium.org
+- file://services/network/OWNERS
+future_on:
+- fuchsia
+schema:
+ type: boolean
+supported_on:
+- chrome.*:118-
+- chrome_os:118-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DataURLWhitespacePreservationEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DataURLWhitespacePreservationEnabled.yaml
new file mode 100755
index 000000000..90362e6bf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DataURLWhitespacePreservationEnabled.yaml
@@ -0,0 +1,32 @@
+caption: DataURL Whitespace Preservation for all media types
+default: true
+desc: |-
+ This policy provides a temporary opt-out for changes to how Chrome handles whitepsace in data URLS.
+ Previously, whitespace would be kept only if the top level media type was text or contained the media type string xml.
+ Now, whitespace will be preserved in all data URLs, regardless of media type.
+
+ If this policy is left unset or is set to True, the new behavior is enabled.
+
+ When this policy is set to False, the old behavior is enabled.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- fuchsia
+items:
+- caption: Keep whitespace for all mime-types
+ value: true
+- caption: Only keep whitespace for text and xml mime-types
+ value: false
+owners:
+- dtapuska@chromium.org
+- file://net/cookies/OWNERS
+schema:
+ type: boolean
+supported_on:
+- android:130-
+- chrome_os:130-
+- chrome.*:130-
+tags: []
+type: main
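Review bot: The first `desc:` line misspells "whitespace" as "whitepsace" and writes "data URLS"; suggested wording is `This policy provides a temporary opt-out for changes to how Chrome handles whitespace in data URLs.` The `owners:` entry `file://net/cookies/OWNERS` is identical to the one in BlockTruncatedCookies.yaml and looks carried over from it, since nothing in this policy concerns cookies, so the intended owners file is worth confirming. The path and commit subject suggest this is a tracked copy of an upstream file, in which case both fixes belong upstream.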
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceDataRoamingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceDataRoamingEnabled.yaml
new file mode 100755
index 000000000..9882cf290
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceDataRoamingEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Enable data roaming
+desc: |-
+ Setting the policy to Enabled allows data roaming for the device.
+
+ Setting the policy to Disabled or leaving it unset renders data roaming unavailable.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Allow mobile data roaming
+ value: true
+- caption: Do not allow mobile data roaming
+ value: false
+owners:
+- file://components/policy/OWNERS
+- poromov@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:12-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceDockMacAddressSource.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceDockMacAddressSource.yaml
new file mode 100755
index 000000000..c3b7ec348
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceDockMacAddressSource.yaml
@@ -0,0 +1,43 @@
+caption: Device MAC address source when docked
+desc: |-
+ Setting the policy lets the administrator change the MAC (media access control) address when connecting a device to the dock. When a dock is connected to some device models, by default, the device's designated dock's MAC address helps identify the device on Ethernet.
+
+ If 'DeviceDockMacAddress' is selected or the policy is left unset, the device's designated dock MAC address will be used.
+
+ If 'DeviceNicMacAddress' is selected, the device's NIC (network interface controller) MAC address will be used.
+
+ If 'DockNicMacAddress' is selected, the dock's NIC MAC address will be used.
+
+ Users can't change this setting.
+device_only: true
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Device's designated dock MAC address
+ name: DeviceDockMacAddress
+ value: 1
+- caption: Device's built-in NIC MAC address
+ name: DeviceNicMacAddress
+ value: 2
+- caption: Dock's built-in NIC MAC address
+ name: DockNicMacAddress
+ value: 3
+owners:
+- bkersting@google.com
+- kerker@chromium.org
+- chungsheng@google.com
+- byronlee@chromium.org
+- chromeos-oem-services@google.com
+schema:
+ enum:
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:75-
+tags: []
+type: int-enum
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceHostnameTemplate.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceHostnameTemplate.yaml
new file mode 100755
index 000000000..5051ec7ce
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceHostnameTemplate.yaml
@@ -0,0 +1,19 @@
+caption: Device network hostname template
+desc: |-
+ Setting the policy to a string applies the string as the device hostname during DHCP request. The string can have variables ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME}, ${LOCATION} to be replaced with values on the device before using it as a hostname. The resulting substitution should be a valid hostname (per RFC 1035, section 3.1).
+
+ Leaving the policy unset or if the value after substitution isn't a valid hostname, no hostname is set in DHCP request.
+device_only: true
+example_value: chromebook-${ASSET_ID}
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- antrim@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome_os:65-
+tags: []
+type: string
+generate_device_proto: False
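Review bot: The description does not mention that the substituted values leave the device. The hostname is placed in the DHCP request, so a template using ${SERIAL_NUM}, ${MAC_ADDR}, ${ASSET_ID} or ${LOCATION} discloses that identifier to the network the device requests a lease from. A sentence such as `The resulting hostname is sent in DHCP requests, so avoid variables whose values should not be disclosed to networks outside the organisation.` would let an admin weigh that. The second paragraph is also ungrammatical; `If the policy is unset, or the value after substitution isn't a valid hostname, no hostname is set in the DHCP request.` reads cleanly.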
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceHostnameUserConfigurable.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceHostnameUserConfigurable.yaml
new file mode 100755
index 000000000..24cd72210
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceHostnameUserConfigurable.yaml
@@ -0,0 +1,29 @@
+caption: Allow user to configure their device hostname
+default: false
+desc: |-
+ Determine whether a user is allowed to configure the device hostname.
+
+ If DeviceHostnameTemplate is set, the admininistrator sets hostname and the user cannot choose regardless of what this policy is set to.
+ If this policy is set to True and DeviceHostnameTemplate is not set, the admininistrator does not set hostname and the user can choose one.
+ If this policy is set to False and DeviceHostnameTemplate is not set, the admininistrator does not set hostname and the user cannot choose one, hence the default name is used.
+device_only: true
+example_value: true
+features:
+ can_be_mandatory: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow managed user to configure device hostname
+ value: true
+- caption: Prevent managed user from configuring device hostname
+ value: false
+owners:
+- khorimoto@google.com
+- cros-connectivity@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:97-
+tags: []
+type: main
+generate_device_proto: False
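Review bot: "admininistrator" is misspelled in all three conditional lines of `desc:` and should read "administrator". Those lines also bury the precedence rule in the first case; stating it once up front makes the interaction easier to audit, e.g. `DeviceHostnameTemplate, when set, takes precedence: the user cannot choose a hostname regardless of this policy.`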
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceOpenNetworkConfiguration.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceOpenNetworkConfiguration.yaml
new file mode 100755
index 000000000..c705f7f44
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceOpenNetworkConfiguration.yaml
@@ -0,0 +1,25 @@
+arc_support: Android apps can use the network configurations and CA certificates set
+ via this policy, but do not have access to some configuration options.
+caption: Device-level network configuration
+desc: Setting the policy allows pushing network configuration for all users of a $2Google ChromeOS device. The network configuration
+ is a JSON-formatted string, as defined by the Open Network Configuration format.
+device_only: true
+example_value: '{ "NetworkConfigurations": [ { "GUID": "{4b224dfd-6849-7a63-5e394343244ae9c9}",
+ "Name": "my WiFi", "Type": "WiFi", "WiFi": { "SSID": "my WiFi", "HiddenSSID": false,
+ "Security": "None", "AutoConnect": true } } ] }'
+features:
+ dynamic_refresh: true
+owners:
+- acostinas@google.com
+- miersh@google.com
+- file://components/policy/OWNERS
+schema:
+ type: string
+supported_on:
+- chrome_os:16-
+tags:
+- full-admin-access
+type: string
+url_schema: https://chromium.googlesource.com/chromium/src/+/HEAD/components/onc/docs/onc_spec.md
+generate_device_proto: False
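Review bot: The `example_value:` shows an open network (`"Security": "None"`) with `"AutoConnect": true`, in a policy that pushes configuration to all users of the device. Examples in policy templates tend to be copied into real configurations, so a protected network would be a safer illustration, e.g. `"Security": "WPA-PSK", "Passphrase": "<placeholder>"`. The example GUID `{4b224dfd-6849-7a63-5e394343244ae9c9}` is also not in the usual 8-4-4-4-12 form, because its last two groups are run together.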
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceWiFiAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceWiFiAllowed.yaml
new file mode 100755
index 000000000..bf1ef8b50
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceWiFiAllowed.yaml
@@ -0,0 +1,24 @@
+caption: Enable WiFi
+desc: |-
+ Setting the policy to Disabled means $2Google ChromeOS turns off Wi-Fi, and users can't change it.
+
+ Setting the policy to Enabled or leaving it unset lets users turn Wi-Fi on or off.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow users to turn WiFi on or off
+ value: true
+- caption: Disable WiFi
+ value: false
+owners:
+- apotapchuk@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:75-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceWiFiFastTransitionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceWiFiFastTransitionEnabled.yaml
new file mode 100755
index 000000000..edea93fa9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DeviceWiFiFastTransitionEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Enable 802.11r Fast Transition
+desc: |-
+ Setting the policy to Enabled means that Fast Transition is used when the wireless access point supports it. It applies to all users and interfaces on the device.
+
+ Setting the policy to Disabled or leaving it unset means that Fast Transition isn't used.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Use Fast Transition when the wireless access point supports it
+ value: true
+- caption: Disable Fast Transition
+ value: false
+owners:
+- matthewmwang@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:72-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsExcludedDomains.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsExcludedDomains.yaml
new file mode 100755
index 000000000..3ab415f14
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsExcludedDomains.yaml
@@ -0,0 +1,26 @@
+caption: Specify domains to be excluded from being resolved using DNS-over-HTTPS
+desc: |-
+ List of domains to be excluded from being resolved using DNS-over-HTTPS. This policy is ignored when the secure DNS mode is set to off (always use plain-text DNS).
+
+ If DnsOverHttpsIncludedDomains is also set, a more specific domain is preferred. Specificity refers to the number of dots ('.') in the domain. When a domain matches both policies, default to use DNS-over-HTTPS for the domain.
+
+ The domains are expected to be in the form of a fully qualified domain name (FQDN) or as domain suffixes noted using a special wildcard prefix '*'.
+
+ Incorrectly formatted domains will be ignored.
+example_value:
+- google.com
+- '*.google.com'
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- chrome_os
+owners:
+- cros-networking@google.com
+- jasongustaman@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
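Review bot: The precedence paragraph in `desc:` is ambiguous: "a more specific domain is preferred" and "When a domain matches both policies, default to use DNS-over-HTTPS" read as two different rules unless the second applies only to ties in specificity. An excluded domain presumably falls back to plain-text DNS, so the tie-break is the security-relevant case and should be explicit, e.g. `If entries of equal specificity in both lists match a domain, DNS-over-HTTPS is used.` The same paragraph appears in DnsOverHttpsIncludedDomains.yaml. The wildcard is also described as a prefix '*' while the example uses '*.google.com'; stating whether the dot is required would reduce entries that are silently dropped as incorrectly formatted.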
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsIncludedDomains.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsIncludedDomains.yaml
new file mode 100755
index 000000000..d1e8bfe88
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsIncludedDomains.yaml
@@ -0,0 +1,28 @@
+caption: Specify domains to be resolved using DNS-over-HTTPS
+desc: |-
+ List of domains to be resolved using DNS-over-HTTPS. Other domains not included in the list will not be resolved using DNS-over-HTTPS. This policy is ignored when the secure DNS mode is set to off (always use plain-text DNS).
+
+ If the list is empty or unset, all domains will be resolved using DNS-over-HTTPS whenever possible. This is the same behavior with an included domains list with the value of ["*"].
+
+ If DnsOverHttpsExcludedDomains is also set, a more specific domain is preferred. Specificity refers to the number of dots ('.') in the domain. When a domain matches both policies, default to use DNS-over-HTTPS for the domain.
+
+ The domains are expected to be in the form of a fully qualified domain name (FQDN) or as domain suffixes noted using a special wildcard prefix '*'.
+
+ Incorrectly formatted domains will be ignored.
+example_value:
+- google.com
+- '*.google.com'
+features:
+ dynamic_refresh: true
+ per_profile: false
+future_on:
+- chrome_os
+owners:
+- cros-networking@google.com
+- jasongustaman@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsSalt.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsSalt.yaml
new file mode 100755
index 000000000..73bd68d67
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsSalt.yaml
@@ -0,0 +1,20 @@
+caption: Specify a salt value to be used in DnsOverHttpsTemplatesWithIdentifiers when evaluating identity information
+desc: |-
+ This salt is used as a salt value when hashing identity information included in the DnsOverHttpsTemplatesWithIdentifiers string.
+
+ The salt must be a string between 8 and 32 characters.
+
+ In version 114 and later, this policy is optional if the DnsOverHttpsTemplatesWithIdentifiers policy is set. If this policy is not set, then the identifiers in the template URIs configured via the DnsOverHttpsTemplatesWithIdentifiers policy are hashed without a salt.
+example_value: salt-for-hashing
+features:
+ dynamic_refresh: true
+ per_profile: false
+supported_on:
+- chrome_os:110-
+owners:
+- chromeos-commercial-networking@google.com
+- acostinas@google.com
+schema:
+ type: string
+tags: []
+type: string
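Review bot: The 8 to 32 character requirement exists only in the `desc:` prose; `schema:` is a bare `type: string`, so nothing in this file rejects an out-of-range salt and the description does not say what happens to one. The last paragraph makes the salt optional from version 114 without stating the consequence. The identifiers named in DnsOverHttpsTemplatesWithIdentifiers (e-mail address, serial number) are low-entropy, so an unsalted SHA-256 of them can be matched against candidate values by whoever receives the query. Suggested addition: `Leaving the salt unset is not recommended, because unsalted hashes of identifiers such as e-mail addresses can be recovered by guessing.`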
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsTemplatesWithIdentifiers.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsTemplatesWithIdentifiers.yaml
new file mode 100755
index 000000000..4b2123c3e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/DnsOverHttpsTemplatesWithIdentifiers.yaml
@@ -0,0 +1,33 @@
+caption: Specify URI template of desired DNS-over-HTTPS resolver with identity information
+desc: |-
+ The URI template of the desired DNS-over-HTTPS resolver. To specify multiple DNS-over-HTTPS resolvers, separate the corresponding URI templates with spaces. This policy is very similar to DnsOverHttpsTemplates which it will override if specified.
+ In contrast to the DnsOverHttpsTemplates policy, this policy supports specifying identity information.
+ Identifiers are specified using variable placeholders which are replaced with user or device information in $1Google Chrome. The identifiers are not sent to the DNS server in plain text; instead they are hashed with the SHA-256 algorithm and uppercase hex encoded.
+
+ Identifiers are specified between curly brackets, preceded by the dollar sign. For user identification, use the following placeholders USER_EMAIL, USER_EMAIL_DOMAIN and USER_EMAIL_NAME. For device identification, use the following placeholders DEVICE_DIRECTORY_ID, DEVICE_SERIAL_NUMBER, DEVICE_ASSET_ID and DEVICE_ANNOTATED_LOCATION.
+
+ Before version 122, device identifiers were not replaced for unaffiliated users. Starting version 122, the device placeholders are replaced with the value DEVICE_NOT_MANAGED, which is hashed and hex encoded.
+
+ Starting version 125, the device ip addresses can be added as template URI using the placeholder DEVICE_IP_ADDRESSES. This placeholder will be replaced by a hex string representing the network byte order of the IPv4 address and/or IPv6 address associated with the current network, if the network is managed by policy.
+ The IPv4 address is prefixed with the value 0010; the IPv6 address is prefixed with 0020. For dual-stack networks, both the IPv4 and IPv6 addresses will be used for the placeholder replacement. Multiple addresses are added consecutively, without a delimiter. For unaffiliated users, the replacement only happens if the network is managed by user policy. If the IP addresses placeholder cannot be replaced by the device IP address, it is replaced with an empty string.
+
+ If the DnsOverHttpsMode is set to "secure" then either this policy or DnsOverHttpsTemplates must be set and not empty.
+
+ If the DnsOverHttpsMode is set to "automatic" and this policy is set then the URI templates specified will be used; if this policy is unset then hardcoded mappings will be used to attempt to upgrade the users current DNS resolver to a DoH resolver operated by the same provider.
+
+ If the URI template contains a dns variable, requests to the resolver will use GET; otherwise requests will use POST.
+
+ In version 114 and later, DnsOverHttpsSalt is optional if this policy is set.
+example_value: https://dns.example.net/${USER_EMAIL_DOMAIN}/dns-query{?dns}
+features:
+ dynamic_refresh: true
+ per_profile: false
+supported_on:
+- chrome_os:110-
+owners:
+- chromeos-commercial-networking@google.com
+- acostinas@google.com
+schema:
+ type: string
+tags: []
+type: string
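Review bot: The first `desc` paragraph says identifiers are hashed with SHA-256 before being sent, but the version 125 paragraph describes DEVICE_IP_ADDRESSES as a hex string of the address bytes with a 0010 or 0020 prefix, which reads as encoded rather than hashed. If that reading is right, the placeholder puts the device's addresses into the request URI in recoverable form, and the description should say so, e.g. `Unlike the other identifiers, DEVICE_IP_ADDRESSES is hex encoded, not hashed.` If it is hashed like the rest, state that instead so admins do not have to guess.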
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/IPv6ReachabilityOverrideEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/IPv6ReachabilityOverrideEnabled.yaml
new file mode 100755
index 000000000..756454fd9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/IPv6ReachabilityOverrideEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Enable IPv6 reachability check override
+default: false
+desc: |-
+ Setting the policy to true overrides the IPv6 reachability check. This means that the
+ system will always query AAAA records when resolving host names. It applies to
+ all users and interfaces on the device.
+
+ Setting the policy to false or leaving it unset does not overrides the IPv6 reachability check.
+ The system only queries AAAA records when it is reachable to a global IPv6 host.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Override the IPv6 reachability check. Always query AAAA record for host name resolution.
+ value: true
+- caption: Do not override the IPv6 reachability check. Only query AAAA record for host name resolution when the device is reachable to a global IPv6 host.
+ value: false
+owners:
+- bashi@chromium.org
+- file://net/OWNERS
+schema:
+ type: boolean
+supported_on:
+- android:120-
+- chrome.*:120-
+- chrome_os:120-
+- fuchsia:120-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/NetworkThrottlingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/NetworkThrottlingEnabled.yaml
new file mode 100755
index 000000000..41142bf29
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/NetworkThrottlingEnabled.yaml
@@ -0,0 +1,35 @@
+caption: Enable throttling network bandwidth
+desc: Setting the policy turns network throttling on or off. This means that the system
+ is throttled to achieve the provided upload and download rates (in kbits/s). It
+ applies to all users and interfaces on the device.
+device_only: true
+example_value:
+ download_rate_kbits: 5600
+ enabled: true
+ upload_rate_kbits: 5600
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- acostinas@google.com
+schema:
+ properties:
+ download_rate_kbits:
+ description: Desired download rate in kbits/s.
+ type: integer
+ enabled:
+ description: A boolean flag indicating if throttling is enabled.
+ type: boolean
+ upload_rate_kbits:
+ description: Desired upload rate in kbits/s.
+ type: integer
+ required:
+ - enabled
+ - upload_rate_kbits
+ - download_rate_kbits
+ type: object
+supported_on:
+- chrome_os:56-
+tags: []
+type: dict
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/OutOfProcessSystemDnsResolutionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/OutOfProcessSystemDnsResolutionEnabled.yaml
new file mode 100755
index 000000000..0d71dada1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/OutOfProcessSystemDnsResolutionEnabled.yaml
@@ -0,0 +1,30 @@
+owners:
+- mpdenton@google.com
+- file://services/network/OWNERS
+caption: Enable system DNS resolution outside of the network service
+desc: |-
+ Setting this policy to true causes system DNS resolution (getaddrinfo()) to possibly run outside of the network process, depending on system configuration and feature flags.
+
+ Setting this policy to false causes system DNS resolution (getaddrinfo()) to run in the network process rather than the browser process. This may force the network service sandbox to be disabled, degrading the security of $1Google Chrome.
+
+ If this policy is not set, system DNS resolution may run in the network service, outside of the network service, or partially inside and partially outside, depending on system configuration and feature flags.
+supported_on:
+ - chrome.linux:111-
+ - android:111-
+features:
+ dynamic_refresh: false
+ per_profile: false
+type: main
+schema:
+ type: boolean
+items:
+- caption: System DNS resolution may be run in or out of the network process depending on system configuration and feature flags.
+ value: true
+- caption: System DNS resolution will be run in the network process.
+ value: false
+- caption: System DNS resolution may be run in or out of the network process, or partially in and partially out of the network process, depending on system configuration and feature flags.
+ value: null
+default: null
+example_value: false
+tags:
+ - system-security
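Review bot: `example_value: false` shows the one setting that `desc` says may force the network service sandbox to be disabled, so an admin copying the example gets the weaker configuration of a policy tagged `system-security`. I would use `example_value: true`, or keep `false` and add a `desc` sentence saying the example is illustrative and not a recommendation.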
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/ZstdContentEncodingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/ZstdContentEncodingEnabled.yaml
new file mode 100755
index 000000000..317495fdf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/ZstdContentEncodingEnabled.yaml
@@ -0,0 +1,36 @@
+caption: Enable zstd content-encoding support
+desc: |-
+ This feature enables the use of "zstd" in the Accept-Encoding request header,
+ and support for decompressing
+ zstd-compressed web content.
+
+ Setting the policy to Enabled or leaving it unset means
+ $1Google Chrome will accept web contents
+ compressed with zstd.
+ Setting the policy to Disabled turns off the
+ zstd content-encoding feature.
+
+ This policy is intended to be temporary and will be removed in the future.
+default: true
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Enable advertising zstd content-encoding in the Accept-Encoding header
+ value: true
+- caption: Do not allow using the zstd content-encoding feature
+ value: false
+owners:
+- nidhijaju@chromium.org
+- file://net/OWNERS
+future_on:
+- fuchsia
+schema:
+ type: boolean
+supported_on:
+- android:119-
+- chrome.*:119-
+- chrome_os:119-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/policy_atomic_groups.yaml
new file mode 100755
index 000000000..f0ec85baf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Network/policy_atomic_groups.yaml
@@ -0,0 +1,5 @@
+WiFi:
+ caption: WiFi
+ policies:
+ - DeviceWiFiFastTransitionEnabled
+ - DeviceWiFiAllowed
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/.group.details.yaml
new file mode 100755
index 000000000..95abfe20a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Network File Shares settings
+desc: Configure Network File Share related policies.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NTLMShareAuthenticationEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NTLMShareAuthenticationEnabled.yaml
new file mode 100755
index 000000000..286ff8f95
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NTLMShareAuthenticationEnabled.yaml
@@ -0,0 +1,23 @@
+caption: Controls enabling NTLM as an authentication protocol for SMB mounts
+default_for_enterprise_users: false
+desc: |-
+ Setting the policy to Enabled means the Network File Shares feature for $2Google ChromeOS uses NTLM for authentication to SMB shares if necessary. Setting the policy to Disabled turns off NTLM authentication to SMB shares.
+
+ Leaving the policy unset means the behavior defaults to off for managed users and on for other users.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Use NTLM authentication
+ value: true
+- caption: Do not use NTLM authentication
+ value: false
+owners:
+- amistry@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:71-
+tags: []
+type: main
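Review bot: The `desc` does not say what authentication is used when the policy is Disabled or why the default is off for managed users, and `example_value: true` shows the setting that enables the weaker protocol. NTLM challenge-response is exposed to relay and offline guessing in ways Kerberos is not, so a sentence such as `Disable this policy where the SMB servers support Kerberos.` would give admins the trade-off. Whether a disabled policy falls back to another mechanism or fails the mount is not visible in this file and should be confirmed before wording it.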
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NetBiosShareDiscoveryEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NetBiosShareDiscoveryEnabled.yaml
new file mode 100755
index 000000000..d5ec64636
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NetBiosShareDiscoveryEnabled.yaml
@@ -0,0 +1,23 @@
+caption: Controls Network File Share discovery via NetBIOS
+default_for_enterprise_users: false
+desc: |-
+ Setting the policy to Enabled means share discovery (the Network File Shares feature for $2Google ChromeOS) uses the NetBIOS Name Query Request protocol to discover shares on the network. Setting the policy to Disabled means share discovery won't use this protocol to discover shares.
+
+ Leaving the policy unset means the behavior defaults to off for managed users and on for other users.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow NetBIOS share discovery
+ value: true
+- caption: Do not allow NetBIOS share discovery
+ value: false
+owners:
+- amistry@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:70-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NetworkFileSharesAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NetworkFileSharesAllowed.yaml
new file mode 100755
index 000000000..e7615c726
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NetworkFileSharesAllowed.yaml
@@ -0,0 +1,20 @@
+caption: Controls Network File Shares for ChromeOS availability
+desc: Setting the policy to Enabled lets users use Network File Shares for $2Google
+ ChromeOS. Setting the policy to Disabled means users can't use this feature.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Allow network file shares
+ value: true
+- caption: Block network file shares
+ value: false
+owners:
+- amistry@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:70-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NetworkFileSharesPreconfiguredShares.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NetworkFileSharesPreconfiguredShares.yaml
new file mode 100755
index 000000000..70030e569
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/NetworkFileSharesPreconfiguredShares.yaml
@@ -0,0 +1,40 @@
+caption: List of preconfigured network file shares.
+desc: |-
+ Setting the policy specifies a list of preset network file shares. Each item is an object with 2 properties: share_url and mode.
+
+ The share URL should be share_url.
+
+ For mode, it should be drop_down or pre_mount:
+
+ * drop_down indicates that share_url will be added to the share discovery list.
+
+ * pre_mount indicates that share_url will be mounted.
+example_value:
+- mode: drop_down
+ share_url: smb://server/share
+- mode: drop_down
+ share_url: \\server\share
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- amistry@chromium.org
+schema:
+ items:
+ properties:
+ mode:
+ enum:
+ - drop_down
+ - pre_mount
+ type: string
+ share_url:
+ type: string
+ required:
+ - share_url
+ - mode
+ type: object
+ type: array
+supported_on:
+- chrome_os:71-
+tags: []
+type: dict
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/policy_atomic_groups.yaml
new file mode 100755
index 000000000..044bc22ea
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/NetworkFileShares/policy_atomic_groups.yaml
@@ -0,0 +1,7 @@
+NetworkFileShares:
+ caption: Network File Shares settings
+ policies:
+ - NetworkFileSharesAllowed
+ - NetBiosShareDiscoveryEnabled
+ - NTLMShareAuthenticationEnabled
+ - NetworkFileSharesPreconfiguredShares
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/.group.details.yaml
new file mode 100755
index 000000000..735bac526
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/.group.details.yaml
@@ -0,0 +1,4 @@
+caption: Parental supervision settings
+desc: |-
+ Controls parental supervision policies, that are applied to child accounts only.
+ These policies are not set in the admin console, but configured directly by Kids API Server.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/EduCoexistenceToSVersion.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/EduCoexistenceToSVersion.yaml
new file mode 100755
index 000000000..77ad25798
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/EduCoexistenceToSVersion.yaml
@@ -0,0 +1,26 @@
+caption: The valid version of Edu Coexistence Terms of Service
+desc: |-
+ This policy indicates current valid version of Edu Coexistence Terms of Service.
+ It is compared with the version last accepted by the parent and used to prompt parent permission renewal when needed.
+
+ When this policy is set Terms of Service version can be validated.
+ When this policy is unset it is not possible to verify validity of Edu Coexistence Terms of Service.
+
+ This policy is only used for Family Link users.
+example_value: '333024512'
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- agawronska@chromium.org
+- danan@chromium.org
+- yilkal@chromium.org
+- cros-families-eng@google.com
+schema:
+ description: The valid version of Terms of Service derived from Google3 cl that
+ introduced new Terms version.
+ type: string
+supported_on:
+- chrome_os:89-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/ParentAccessCodeConfig.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/ParentAccessCodeConfig.yaml
new file mode 100755
index 000000000..2e7edbf05
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/ParentAccessCodeConfig.yaml
@@ -0,0 +1,50 @@
+caption: Parent Access Code Configuration
+desc: |-
+ This policy specifies configuration that is used to generate and verify Parent Access Code.
+
+ |current_config| is always used for generating access code and should be used for validating access code only when it cannot be validated with |future_config|.
+ |future_config| is the primary config used for validating access code.
+ |old_configs| should be used for validating access code only when it cannot be validated with |future_config| nor |current_config|.
+
+ The expected way of using this policy is to gradually rotate access code configuration. New configuration is always put into |future_config| and at the same
+ time the existing value is moved into |current_config|. |current_config|'s previous values are moved into |old_configs| and removed after rotation cycle is finished.
+
+ This policy applies only to child user.
+ When this policy is set Parent Access Code can be verified on child user's device.
+ When this policy is unset it is not possible to verify Parent Access Code on child user's device.
+example_value:
+ current_config:
+ access_code_ttl: 600
+ clock_drift_tolerance: 300
+ shared_secret: oOA9nX02LdhYdOzwMsGof+QA3wUKP4YMNlk9S/W3o+w=
+ future_config:
+ access_code_ttl: 600
+ clock_drift_tolerance: 300
+ shared_secret: KMsoIjnpvcWmiU1GHchp2blR96mNyJwS
+ old_configs:
+ - access_code_ttl: 600
+ clock_drift_tolerance: 300
+ shared_secret: sTr6jqMTJGCbLhWI5plFTQb/VsqxwX2Q
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- file://chrome/browser/ash/child_accounts/OWNERS
+- agawronska@chromium.org
+schema:
+ properties:
+ current_config:
+ $ref: Config
+ description: Configuration used to generate and verify Parent Access Code.
+ future_config:
+ $ref: Config
+ old_configs:
+ items:
+ $ref: Config
+ type: array
+ sensitiveValue: true
+ type: object
+supported_on:
+- chrome_os:73-
+tags: []
+type: dict
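Review bot: The three `shared_secret` entries in `example_value` look like real base64 key material and nothing marks them as samples, so they can end up copied into a live configuration. I would replace them with an obviously constructed value such as `shared_secret: <base64-encoded-secret>`, or say in `desc` that the example secrets must not be reused. In `schema`, only `current_config` has a `description`; `future_config` and `old_configs` would benefit from one line each repeating the validation order given in `desc`.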
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/PerAppTimeLimits.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/PerAppTimeLimits.yaml
new file mode 100755
index 000000000..d138a224b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/PerAppTimeLimits.yaml
@@ -0,0 +1,101 @@
+caption: Per-App Time Limits
+desc: |-
+ Allows to set per-app usage restrictions.
+ Usage restrictions can be applied to the apps installed on $2Google ChromeOS for the given user.
+ Restrictions should be passed in |app_limits| list. Only one entry per-app is allowed. Apps not included in the list have no restrictions.
+ It is not possible to block apps that are essential for the operating system, the restrictions for such apps will be ignored.
+ App is uniquely identified by |app_id|. Since different types of apps can use different id format |app_type| needs to be specified next to |app_id|.
+ Per-App Time Limits only support |ARC| apps currently. Android package name is used as |app_id|.
+ Support for other types of applications will be added in the future, for now they can be specified in the policy, but the restrictions will take no effect.
+ There are two types of available restrictions: |BLOCK| and |TIME_LIMIT|.
+ |BLOCK| makes app unavailable for the user. If |daily_limit_mins| is specified with |BLOCK| restriction |daily_limit_mins| will be ignored.
+ |TIME_LIMITS| applies daily usage limit and makes app unavailable after the limit is reached on the given day. Usage limit is specified in |daily_limit_mins|. Usage limit is reset daily at the UTC time passed in |reset_at|.
+ This policy is only used for child users.
+ This policy is complementary to 'UsageTimeLimit'. Restrictions specified in 'UsageTimeLimit' like screen time and bedtime will be enforced regardless of 'PerAppTimeLimits'.
+example_value:
+ activity_reporting_enabled: false
+ app_limits:
+ - app_info:
+ app_id: com.example.myapp
+ app_type: ARC
+ daily_limit_mins: 30
+ last_updated_millis: '1570223060437'
+ restriction: TIME_LIMIT
+ - app_info:
+ app_id: pjkljhegncpnkpknbcohdijeoejaedia
+ app_type: EXTENSION
+ daily_limit_mins: 10
+ last_updated_millis: '1570223000000'
+ restriction: TIME_LIMIT
+ - app_info:
+ app_id: iniodglblcgmngkgdipeiclkdjjpnlbn
+ app_type: BUILT-IN
+ last_updated_millis: '1570223000000'
+ restriction: BLOCK
+ reset_at:
+ hour: 6
+ minute: 0
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- agawronska@chromium.org
+- cros-families-eng@google.com
+schema:
+ properties:
+ activity_reporting_enabled:
+ description: The value of app activity collection toggle. If set to true user
+ app activity will be reported to the server with purpose of being displayed
+ in child and parent $1Family Link app.
+ If set to false Per-app time limits feature will still work, but no data will
+ be reported to the server and therefore displayed in $1Family
+ Link.
+ type: boolean
+ app_limits:
+ items:
+ properties:
+ app_info:
+ properties:
+ app_id:
+ type: string
+ app_type:
+ enum:
+ - ARC
+ - BUILT-IN
+ - EXTENSION
+ - WEB
+ - CROSTINI
+ type: string
+ type: object
+ daily_limit_mins:
+ maximum: 1440
+ minimum: 0
+ type: integer
+ last_updated_millis:
+ description: UTC timestamp for the last time this entry was updated. Sent
+ as a string because the timestamp would not fit in an integer
+ type: string
+ restriction:
+ enum:
+ - BLOCK
+ - TIME_LIMIT
+ type: string
+ type: object
+ type: array
+ reset_at:
+ description: The time of the day in local time when usage quota is renewed.
+ properties:
+ hour:
+ maximum: 23
+ minimum: 0
+ type: integer
+ minute:
+ maximum: 59
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+supported_on:
+- 'chrome_os: 80-'
+tags: []
+type: dict
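Review bot: `desc` says the usage limit is reset "at the UTC time passed in |reset_at|", while the `reset_at` schema description says "time of the day in local time"; one of the two is wrong, and the difference shifts when a limit starts being enforced again. `desc` also names the restriction `|TIME_LIMITS|` where the enum value is `TIME_LIMIT`. The `supported_on` entry `'chrome_os: 80-'` is quoted with a space after the colon, unlike `chrome_os:69-` in UsageTimeLimit.yaml. The same form appears in PerAppTimeLimitsAllowlist.yaml and is worth checking against whatever parses this field.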
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/PerAppTimeLimitsAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/PerAppTimeLimitsAllowlist.yaml
new file mode 100755
index 000000000..9f5c6721e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/PerAppTimeLimitsAllowlist.yaml
@@ -0,0 +1,55 @@
+caption: Per-App Time Limits Allowlist
+desc: "This policy specifies which applications and URLs should be allowed for per-app\
+ \ usage restrictions.\n The configured allowlist is applied to the apps installed\
+ \ on $2Google ChromeOS for the given\
+ \ user with per-app time limits.\n The configured allowlist can only be applied\
+ \ to child user accounts and take effect when PerAppTimeLimits policy is set.\n The configured allowlist is applied\
+ \ to applications and URLs so that they will not be blocked by per-app time limits.\n\
+ \ Accessing allowed URLs will not count towards the chrome time limit.\n\
+ \ Add url regular expressions to |url_list| to allow urls that match any\
+ \ of the regular expressions in the list.\n Add an application with its |app_id|\
+ \ and |app_type| to |app_list| to allow the application.\n "
+example_value:
+ app_list:
+ - app_id: pjkljhegncpnkpknbcohdijeoejaedia
+ app_type: EXTENSION
+ - app_id: iniodglblcgmngkgdipeiclkdjjpnlbn
+ app_type: BUILT-IN
+ url_list:
+ - chrome://*
+ - file://*
+ - https://www.support.google.com
+ - https://www.policies.google.com
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- yilkal@chromium.org
+- cros-families-eng@google.com
+schema:
+ properties:
+ app_list:
+ items:
+ properties:
+ app_id:
+ type: string
+ app_type:
+ enum:
+ - ARC
+ - BUILT-IN
+ - EXTENSION
+ - WEB
+ - CROSTINI
+ type: string
+ type: object
+ type: array
+ url_list:
+ items:
+ type: string
+ type: array
+ type: object
+supported_on:
+- 'chrome_os: 86-'
+tags: []
+type: dict
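Review bot: `desc` calls the `url_list` entries regular expressions, but the examples `chrome://*` and `file://*` are written like wildcard patterns, and `https://www.support.google.com` has unescaped dots and no anchors. Since a match exempts the URL from per-app time limits, an entry that matches more than intended widens the exemption. I would state the matching rule in `desc` (regex or wildcard, anchored or not) and make the examples follow it, for instance `https://www\.support\.google\.com/.*` if entries really are regular expressions.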
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/UsageTimeLimit.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/UsageTimeLimit.yaml
new file mode 100755
index 000000000..27cb913d0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ParentalSupervision/UsageTimeLimit.yaml
@@ -0,0 +1,122 @@
+caption: Time Limit
+desc: |-
+ Allows you to lock the user's session based on the client time or the usage quota of the day.
+
+ The |time_window_limit| specifies a daily window in which the user's session should be locked. We only support one rule for each day of the week, therefore the |entries| array may vary from 0-7 in size. |starts_at| and |ends_at| are the beginning and the end of the window limit, when |ends_at| is smaller than |starts_at| it means that the |time_limit_window| ends on the following day. |last_updated_millis| is the UTC timestamp for the last time this entry was updated, it is sent as a string because the timestamp wouldn't fit in an integer.
+
+ The |time_usage_limit| specifies a daily screen quota, so when the user reaches it, the user's session is locked. There is a property for each day of the week, and it should be set only if there is an active quota for that day. |usage_quota_mins| is the amount of time that the managed device can be use in a day and |reset_at| is the time when the usage quota is renewed. The default value for |reset_at| is midnight ({'hour': 0, 'minute': 0}). |last_updated_millis| is the UTC timestamp for the last time this entry was updated, it is sent as a string because the timestamp wouldn't fit in an integer.
+
+ |overrides| is provided to invalidate temporarily one or more of the previous rules.
+ * If neither time_window_limit nor time_usage_limit is active |LOCK| can be used to lock the device.
+ * |LOCK| temporarily locks a user session until the next time_window_limit or time_usage_limit starts.
+ * |UNLOCK| unlocks a user's session locked by time_window_limit or time_usage_limit.
+ |created_time_millis| is the UTC timestamp for the override creation, it is sent as a String because the timestamp wouldn't fit in an integer It is used to determine whether this override should still be applied. If the current active time limit feature (time usage limit or time window limit) started after the override was created, it should not take action. Also if the override was created before the last change of the active time_window_limit or time_usage_window it should not be applied.
+
+ Multiple overrides may be sent, the newest valid entry is the one that is going to be applied.
+example_value:
+ overrides:
+ - action: UNLOCK
+ action_specific_data:
+ duration_mins: 30
+ created_at_millis: '1250000'
+ time_usage_limit:
+ friday:
+ last_updated_millis: '1200000'
+ usage_quota_mins: 120
+ monday:
+ last_updated_millis: '1200000'
+ usage_quota_mins: 120
+ reset_at:
+ hour: 6
+ minute: 0
+ saturday:
+ last_updated_millis: '1200000'
+ usage_quota_mins: 120
+ sunday:
+ last_updated_millis: '1200000'
+ usage_quota_mins: 120
+ thursday:
+ last_updated_millis: '1200000'
+ usage_quota_mins: 120
+ tuesday:
+ last_updated_millis: '1200000'
+ usage_quota_mins: 120
+ wednesday:
+ last_updated_millis: '1200000'
+ usage_quota_mins: 120
+ time_window_limit:
+ entries:
+ - effective_day: WEDNESDAY
+ ends_at:
+ hour: 7
+ minute: 30
+ last_updated_millis: '1000000'
+ starts_at:
+ hour: 21
+ minute: 0
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- hgrandinetti@chromium.org
+- vtrmc@chromium.org
+schema:
+ properties:
+ overrides:
+ items:
+ properties:
+ action:
+ enum:
+ - LOCK
+ - UNLOCK
+ type: string
+ action_specific_data:
+ properties:
+ duration_mins:
+ minimum: 0
+ type: integer
+ type: object
+ created_at_millis:
+ type: string
+ type: object
+ type: array
+ time_usage_limit:
+ properties:
+ friday:
+ $ref: TimeUsageLimitEntry
+ monday:
+ $ref: TimeUsageLimitEntry
+ reset_at:
+ $ref: Time
+ saturday:
+ $ref: TimeUsageLimitEntry
+ sunday:
+ $ref: TimeUsageLimitEntry
+ thursday:
+ $ref: TimeUsageLimitEntry
+ tuesday:
+ $ref: TimeUsageLimitEntry
+ wednesday:
+ $ref: TimeUsageLimitEntry
+ type: object
+ time_window_limit:
+ properties:
+ entries:
+ items:
+ properties:
+ effective_day:
+ $ref: WeekDay
+ ends_at:
+ $ref: Time
+ last_updated_millis:
+ type: string
+ starts_at:
+ $ref: Time
+ type: object
+ type: array
+ type: object
+ type: object
+supported_on:
+- chrome_os:69-
+tags: []
+type: dict
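Review bot: Several field names in `desc` do not exist in the schema: the override timestamp is called `|created_time_millis|` but the schema and example use `created_at_millis`, and the text refers to `|time_limit_window|` and `time_usage_window` where the properties are `time_window_limit` and `time_usage_limit`. Someone writing the policy from the description would produce keys the schema does not define. The `overrides` item schema also has no `required` list, so whether an override without `created_at_millis` is accepted cannot be told from this file.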
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/.group.details.yaml
new file mode 100755
index 000000000..fe6ad1702
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Password manager
+desc: Configures the password manager.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/DeletingUndecryptablePasswordsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/DeletingUndecryptablePasswordsEnabled.yaml
new file mode 100755
index 000000000..3103841d7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/DeletingUndecryptablePasswordsEnabled.yaml
@@ -0,0 +1,31 @@
+arc_support: This policy has no effect on Android apps.
+caption: Enable deleting undecryptable passwords
+desc: |-
+ This policy controls whether the built-in password manager can delete undecryptable passwords from its database. This is required to restore the full functionality of the built-in password manager, but it may include a permanent data loss. Undecryptable password values will not become decryptable on their own and, if fixing them is possible, it usually requires complex user actions.
+
+ Setting the policy to Enabled or leaving it unset means that users with undecryptable passwords saved to the built-in password manager will lose them. Passwords that are still in a working state will remain untouched.
+
+ Setting the policy to Disabled means users will leave their password manager data untouched, but will experience a broken password manager functionality.
+
+ If the policy is set, users can't change it in $1Google Chrome.
+default: true
+example_value: true
+features:
+ can_be_recommended: false
+ dynamic_refresh: false
+ per_profile: true
+items:
+- caption: Enable deleting undecryptable passwords
+ value: true
+- caption: Disable deleting undecryptable passwords
+ value: false
+owners:
+- file://components/password_manager/OWNERS
+- vasilii@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:128-
+- ios:128-
+tags: []
+type: main
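Review bot: `default: true` makes deletion of undecryptable passwords the behaviour for every profile whose administrator has not acted, and the `desc` never says what an administrator should do to keep those records. I would add one sentence to `desc`, for example `To keep undecryptable entries for a later recovery attempt, set this policy to Disabled before rolling out a version that supports it.`, and change `it may include a permanent data loss` to `it may cause permanent data loss`. When the deletion actually runs is not visible in this file, so the timing in that sentence should be confirmed against the password manager code first.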
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordDismissCompromisedAlertEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordDismissCompromisedAlertEnabled.yaml
new file mode 100755
index 000000000..151d6cbae
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordDismissCompromisedAlertEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Enable dismissing compromised password alerts for entered credentials
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset gives the user the option to dismiss/restore compromised password alerts.
+
+ If you disable this setting, users will not be able to dismiss alerts about compromised passwords. If enabled, users will be able to dismiss alerts about compromised passwords.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable dismissing compromised password alerts
+ value: true
+- caption: Disable dismissing compromised password alerts
+ value: false
+owners:
+- file://components/password_manager/OWNERS
+- eliaskh@chromium.org
+schema:
+ type: boolean
+supported_on:
+- 'chrome.*: 100-'
+- 'chrome_os: 100-'
+tags: []
+type: main
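Review bot: The two `supported_on` entries are quoted strings with a space after the colon (`'chrome.*: 100-'`, `'chrome_os: 100-'`), unlike the `platform:version-` form used by the other policies in this directory, such as `chrome.*:79-` in PasswordLeakDetectionEnabled.yaml. Whether the template tooling trims that space is not visible here. If it does not, the policy could be treated as unsupported on those platforms, and a Disabled setting would then not keep the compromised-password alerts in place. I would normalise the entries to `- chrome.*:100-` and `- chrome_os:100-`.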
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordLeakDetectionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordLeakDetectionEnabled.yaml
new file mode 100755
index 000000000..15038b001
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordLeakDetectionEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Enable leak detection for entered credentials
+desc: |-
+ Setting the policy to Enabled lets users have $1Google Chrome check whether usernames and passwords entered were part of a leak.
+
+ If the policy is set, users can't change it in $1Google Chrome. If not set, credential leak checking is allowed, but the user can turn it off.
+
+ This behavior will not trigger if Safe Browsing is disabled (either by policy or by the user). In order to force Safe Browsing on, use the SafeBrowsingEnabled policy or the SafeBrowsingProtectionLevel policy.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable password leak detection
+ value: true
+- caption: Disable password leak detection
+ value: false
+owners:
+- file://components/password_manager/OWNERS
+- mamir@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:79-
+- chrome_os:79-
+- android:79-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordManagerAllowShowPasswords.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordManagerAllowShowPasswords.yaml
new file mode 100755
index 000000000..c40ee1e6f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordManagerAllowShowPasswords.yaml
@@ -0,0 +1,24 @@
+caption: Allow users to show passwords in Password Manager (deprecated)
+deprecated: true
+desc: |-
+ The associated setting was used before reauthentication on viewing passwords was introduced. Since then, the setting and hence this policy had no effect on the behavior of Chrome. The current behavior of Chrome is now the same as if the policy was set to disable showing passwords in clear text in the password manager settings page. That means that the settings page contains just a placeholder, and only upon the user clicking "Show" (and reauthenticating, if applicable) Chrome shows the password. Original description of the policy follows below.
+
+ Controls whether the user may show passwords in clear text in the password manager.
+
+ If you disable this setting, the password manager does not allow showing stored passwords in clear text in the password manager window.
+
+ If you enable or do not set this policy, users can view their passwords in clear text in the password manager.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-50
+- chrome_os:11-50
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordManagerEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordManagerEnabled.yaml
new file mode 100755
index 000000000..ec0441f5b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordManagerEnabled.yaml
@@ -0,0 +1,35 @@
+arc_support: This policy has no effect on Android apps.
+caption: Enable saving passwords to the password manager
+desc: |-
+ This policy controls the browser's ability to automatically remember passwords on websites and save them in the built-in password manager. It does not limit access or change the contents of passwords saved in the password manager and possibly synchronized to the Google account profile and Android.
+
+ Setting the policy to Enabled means users have $1Google Chrome remember passwords and provide them the next time they sign in to a site.
+
+ Setting the policy to Disabled means users can't save new passwords, but previously saved passwords will still work.
+
+ If the policy is set, users can't change it in $1Google Chrome. If not set, the user can turn off password saving.
+default: true
+example_value: false
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable saving passwords using the password manager
+ value: true
+- caption: Disable saving passwords using the password manager
+ value: false
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+- ios:88-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordSharingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordSharingEnabled.yaml
new file mode 100755
index 000000000..11b8f08d6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/PasswordSharingEnabled.yaml
@@ -0,0 +1,36 @@
+caption: Enable sharing user credentials with other users
+desc: |-
+ Setting the policy to Enabled lets users send to and receive from family members (according to Family Service) their passwords.
+ When the policy is Enabled or not set, there is a button in the Password Manager allowing to send a password.
+ The received passwords are stored into user's account and are available in the Password Manager.
+
+ Setting the policy to Disabled means users can't send passwords from Password Manager to other users, and can't receive passwords from other users.
+
+ The feature is not available if synchronization of Passwords is turned off (either via user settings or SyncDisabled policy is Enabled).
+
+ Managed accounts aren't eligible to join or create a family group and therefore cannot share passwords.
+default: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+supported_on:
+- android:120-
+- chrome.*:120-
+- chrome_os:120-
+- ios:120-
+items:
+- caption: Enable sharing user credentials
+ value: true
+- caption: Disable sharing user credentials
+ value: false
+owners:
+- file://components/password_manager/OWNERS
+- mamir@chromium.org
+schema:
+ type: boolean
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/ThirdPartyPasswordManagersAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/ThirdPartyPasswordManagersAllowed.yaml
new file mode 100755
index 000000000..366292935
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/ThirdPartyPasswordManagersAllowed.yaml
@@ -0,0 +1,41 @@
+caption: Allow using Third-Party Password Managers in
+ $1Google Chrome on
+ Android
+desc: |-
+ Setting the policy to true lets users use a third-party password manager.
+ That password manager will handle saving and filling for all password, payment
+ and autofill data.
+ When the policy is true or not set, a setting will allow to switch between
+ $1Google Chrome's buit-in password
+ manager and the password manager configured in Android settings.
+ Since $1Google Chrome uses the same data
+ as Autofill with Google, the setting can only be changed to use third-party
+ password managers if a manager other than Autofill with Google is configured
+ in Android's system settings.
+
+ Setting the policy to false means
+ $1Google Chrome will always use the
+ built-in password manager.
+
+ This policy doesn't affect third-party password managers that use
+ accessibility APIs.
+default: true
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- android
+items:
+- caption: Allow using third-party password manager in Chrome
+ value: true
+- caption: Block switching to a third-party password manager
+ value: false
+owners:
+- fhorschig@chromium.org
+- file://components/android_autofill/OWNERS
+- file://components/autofill/android/OWNERS
+schema:
+ type: boolean
+type: main
+tags: []
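Review bot: The `desc` misspells `built-in` as `buit-in` in the line `$1Google Chrome's buit-in password`; it should read `$1Google Chrome's built-in password`. This text is the administrator-facing description of a policy that, when true or unset, lets a third-party app handle "all password, payment and autofill data". It is what an administrator reads before deciding to set the policy to false, so the wording should be exact.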
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/policy_atomic_groups.yaml
new file mode 100755
index 000000000..0f6bda32e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PasswordManager/policy_atomic_groups.yaml
@@ -0,0 +1,8 @@
+PasswordManager:
+ caption: Password manager
+ policies:
+ - DeletingUndecryptablePasswordsEnabled
+ - PasswordManagerEnabled
+ - PasswordManagerAllowShowPasswords
+ - PasswordSharingEnabled
+ - ThirdPartyPasswordManagersAllowed
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/.group.details.yaml
new file mode 100755
index 000000000..946efeb76
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: PluginVm
+desc: Configure PluginVm related policies.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmAllowed.yaml
new file mode 100755
index 000000000..6d5e10b43
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmAllowed.yaml
@@ -0,0 +1,25 @@
+caption: Allow devices to use a PluginVm on $2Google
+ ChromeOS
+desc: |-
+ Setting the policy to Enabled turns on PluginVm for the device, as long as other settings also allow it. PluginVmAllowed and UserPluginVmAllowed must be True, and either PluginVmLicenseKey or PluginVmUserId must be set for PluginVm to run.
+
+ Setting the policy to Disabled or leaving it unset means PluginVm isn't on for the device.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Allow devices to use a PluginVm
+ value: true
+- caption: Do not allow devices to use a PluginVm
+ value: false
+owners:
+- timloh@google.com
+- parallels-cros@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:72-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmDataCollectionAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmDataCollectionAllowed.yaml
new file mode 100755
index 000000000..a755b7060
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmDataCollectionAllowed.yaml
@@ -0,0 +1,24 @@
+caption: Allow PluginVm Product Analytics
+desc: |-
+ Allow PluginVm to collect PluginVm usage data.
+
+ If the policy is set to false or left unset, PluginVm is not allowed to collect data.
+ If set to true, PluginVm might collect PluginVm usage data that is then combined and thoroughly analyzed to improve PluginVm experience.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable sharing diagnostics data to PluginVm
+ value: true
+- caption: Disable sharing diagnostics data to PluginVm
+ value: false
+owners:
+- timloh@google.com
+- parallels-cros@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:85-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmImage.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmImage.yaml
new file mode 100755
index 000000000..f67d5d448
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmImage.yaml
@@ -0,0 +1,29 @@
+caption: PluginVm image
+desc: Setting the policy specifies the PluginVm image
+ for a user. Specify this policy as a JSON format string, with URL
+ stating where to download the image and hash
+ as a SHA-256 hash used to verify the integrity of the download.
+example_value:
+ hash: 842841a4c75a55ad050d686f4ea5f77e83ae059877fe9b6946aa63d3d057ed32
+ url: https://example.com/plugin_vm_image
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- timloh@google.com
+- parallels-cros@google.com
+schema:
+ properties:
+ hash:
+ description: The SHA-256 hash of the PluginVm
+ image.
+ type: string
+ url:
+ description: The URL from which the PluginVm
+ image can be downloaded.
+ type: string
+ type: object
+supported_on:
+- chrome_os:72-
+tags: []
+type: dict
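Review bot: The `schema` declares `hash` and `url` as optional free-form strings, so a policy value with a `url` but no `hash` still validates. The integrity check promised in `desc` then depends entirely on the consumer rejecting such a value. I would add a `required:` list with `- hash` and `- url` under `schema`, and state in `desc` that the image is not used when the hash is missing or does not match. That behaviour is not visible in this file, so confirm it against the installer before documenting it. The `url` property also does not constrain the scheme, so the SHA-256 comparison is the only control on what gets installed, and it is worth saying so explicitly.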
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmLicenseKey.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmLicenseKey.yaml
new file mode 100755
index 000000000..903e9fd06
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmLicenseKey.yaml
@@ -0,0 +1,21 @@
+caption: PluginVm license key
+deprecated: true
+desc: |-
+ Setting the policy specifies the PluginVm license key for this device.
+
+ This policy was removed in M94.
+device_only: true
+example_value: LICENSE_KEY
+features:
+ dynamic_refresh: true
+owners:
+- timloh@google.com
+- parallels-cros@google.com
+schema:
+ sensitiveValue: true
+ type: string
+supported_on:
+- chrome_os:73-93
+tags: []
+type: string
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmRequiredFreeDiskSpace.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmRequiredFreeDiskSpace.yaml
new file mode 100755
index 000000000..28b04787e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmRequiredFreeDiskSpace.yaml
@@ -0,0 +1,21 @@
+caption: Required free disk space for PluginVm
+desc: |-
+ Free disk space (in GB) required to install PluginVm.
+
+ If this policy is left unset, PluginVm installation fails if free disk space available on the device is less than 20 GB (default value).
+ If this policy is set, PluginVm installation fails if free disk space available on the device is less than required by policy.
+example_value: 20
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- timloh@google.com
+- parallels-cros@google.com
+schema:
+ maximum: 1000
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:85-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmUserId.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmUserId.yaml
new file mode 100755
index 000000000..15d5d0b0d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/PluginVmUserId.yaml
@@ -0,0 +1,17 @@
+caption: PluginVm user id
+desc: This policy specifies the PluginVm licensing
+ user id for this device.
+example_value: USER_ID
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- traciechan@google.com
+- zatrudo@google.com
+schema:
+ sensitiveValue: true
+ type: string
+supported_on:
+- chrome_os:84-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/UserPluginVmAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/UserPluginVmAllowed.yaml
new file mode 100755
index 000000000..ce396fcac
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/UserPluginVmAllowed.yaml
@@ -0,0 +1,26 @@
+caption: Allow users to use a PluginVm on $2Google
+ ChromeOS
+default: false
+desc: |-
+ Allow this user to run PluginVm.
+
+ If the policy is set to false or left unset, PluginVm is not enabled for the user.
+ If set to true, PluginVm is enabled for the user as long as other settings also allow it. PluginVmAllowed and UserPluginVmAllowed need to be true, and either PluginVmLicenseKey or PluginVmUserId need to be set for PluginVm to be allowed to run.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow users to use a PluginVm
+ value: true
+- caption: Do not allow users to use a PluginVm
+ value: false
+owners:
+- timloh@google.com
+- parallels-cros@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:84-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/policy_atomic_groups.yaml
new file mode 100755
index 000000000..b7c491462
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PluginVm/policy_atomic_groups.yaml
@@ -0,0 +1,10 @@
+PluginVm:
+ caption: PluginVm
+ policies:
+ - PluginVmAllowed
+ - PluginVmDataCollectionAllowed
+ - PluginVmImage
+ - PluginVmLicenseKey
+ - PluginVmRequiredFreeDiskSpace
+ - PluginVmUserId
+ - UserPluginVmAllowed
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/.group.details.yaml
new file mode 100755
index 000000000..8fe091134
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Power and shutdown
+desc: Controls settings related to power management and rebooting.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/DeviceLoginScreenPowerManagement.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/DeviceLoginScreenPowerManagement.yaml
new file mode 100755
index 000000000..7c95136c0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/DeviceLoginScreenPowerManagement.yaml
@@ -0,0 +1,60 @@
+caption: Power management on the login screen
+desc: |-
+ Setting the policy lets you set how $2Google ChromeOS behaves when there is no user activity for some amount of time while the sign-in screen appears. The policy controls multiple settings. For their individual semantics and value ranges, see the corresponding policies that control power management within a session.
+
+ The deviations from these policies are:
+
+ * The actions to take on idle or lid close cannot be to end the session.
+
+ * The default action taken on idle when running on AC power is to shut down.
+
+ Leaving the policy or any of its settings unset results in the use of the default values for the various power settings.
+device_only: true
+example_value:
+ AC:
+ Delays:
+ Idle: 30000
+ ScreenDim: 10000
+ ScreenOff: 20000
+ IdleAction: DoNothing
+ Battery:
+ Delays:
+ Idle: 30000
+ ScreenDim: 10000
+ ScreenOff: 20000
+ IdleAction: DoNothing
+ LidCloseAction: Suspend
+ UserActivityScreenDimDelayScale: 110
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ properties:
+ AC:
+ $ref: DeviceLoginScreenPowerSettings
+ description: Power management settings applicable only when running on AC power
+ Battery:
+ $ref: DeviceLoginScreenPowerSettings
+ description: Power management settings applicable only when running on battery
+ power
+ LidCloseAction:
+ description: Action to take when the lid is closed
+ enum:
+ - Suspend
+ - Shutdown
+ - DoNothing
+ type: string
+ UserActivityScreenDimDelayScale:
+ description: Percentage by which the screen dim delay is scaled when user activity
+ is observed while the screen is dimmed or soon after the screen has been turned
+ off
+ minimum: 100
+ type: integer
+ type: object
+supported_on:
+- chrome_os:30-
+tags: []
+type: dict
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/DeviceRebootOnShutdown.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/DeviceRebootOnShutdown.yaml
new file mode 100755
index 000000000..1e14d41ee
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/DeviceRebootOnShutdown.yaml
@@ -0,0 +1,25 @@
+caption: Automatic reboot on device shutdown
+desc: |-
+ Setting the policy to Enabled means $2Google ChromeOS triggers a restart when users shut down the device. $2Google ChromeOS replaces all shutdown buttons in the UI with restart buttons. If the users shut down devices using the power button, they won't automatically restart, even if the policy is on.
+
+ Setting the policy to Disabled or leaving it unset means $2Google ChromeOS lets them shut down the device.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Only allow users to turn off the device using the physical power button
+ value: true
+- caption: Allow users to turn off the device using either the shut down icon or the
+ physical power button
+ value: false
+owners:
+- file://components/policy/OWNERS
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:41-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/UptimeLimit.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/UptimeLimit.yaml
new file mode 100755
index 000000000..0882371a4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerAndShutdown/UptimeLimit.yaml
@@ -0,0 +1,21 @@
+caption: Limit device uptime by automatically rebooting
+desc: |-
+ Setting the policy limits the device uptime by scheduling automatic restarts, which you can delay by up to 24 hours if a user is on the device. The policy value should be specified in seconds. Values are clamped to be at least 3,600 (one hour).
+
+ If you set the policy, users can't change it. If not set, the device uptime isn't limited.
+
+ Note: Automatic restarts are only on while the sign-in screen appears or during a kiosk app session.
+device_only: true
+example_value: 86400
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ type: integer
+supported_on:
+- chrome_os:29-
+tags: []
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/.group.details.yaml
new file mode 100755
index 000000000..8ae82d4e8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/.group.details.yaml
@@ -0,0 +1,5 @@
+caption: Power management
+desc: |-
+ Configure power management in $2Google ChromeOS.
+
+ These policies let you configure how $2Google ChromeOS behaves when the user remains idle for some amount of time.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/AllowScreenWakeLocks.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/AllowScreenWakeLocks.yaml
new file mode 100755
index 000000000..bb653228f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/AllowScreenWakeLocks.yaml
@@ -0,0 +1,24 @@
+caption: Allow screen wake locks
+default: true
+desc: |-
+ Unless AllowWakeLocks is set to Disabled, setting AllowScreenWakeLocks to Enabled or leaving it unset allows screen wake locks for power management. Extensions can request screen wake locks through the power management extension API and ARC apps.
+
+ Setting the policy to Disabled demotes screen wake lock requests to system wake lock requests.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow screen wake locks for power management
+ value: true
+- caption: Demote screen wake lock requests to system wake lock requests
+ value: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:28-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/AllowWakeLocks.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/AllowWakeLocks.yaml
new file mode 100755
index 000000000..6bb4241ac
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/AllowWakeLocks.yaml
@@ -0,0 +1,24 @@
+caption: Allow wake locks
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset allows wake locks for power management. Extensions can request wake locks through the power management extension API and ARC apps.
+
+ Setting the policy to Disabled means wake lock requests are ignored.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow wake locks for power management
+ value: true
+- caption: Ignore requests for wake locks for power management
+ value: false
+owners:
+- file://chrome/browser/ash/login/demo_mode/OWNERS
+- michaelpg@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:71-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceAdvancedBatteryChargeModeDayConfig.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceAdvancedBatteryChargeModeDayConfig.yaml
new file mode 100755
index 000000000..41c82710b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceAdvancedBatteryChargeModeDayConfig.yaml
@@ -0,0 +1,56 @@
+caption: Set advanced battery charge mode day config
+desc: |-
+ If DeviceAdvancedBatteryChargeModeEnabled is set to Enabled, then setting DeviceAdvancedBatteryChargeModeDayConfig lets you set up advanced battery charge mode. From charge_start_time until charge_end_time, the device's battery will only be allowed to charge to full once. For the remainder of the period, the batteries are kept in a lower charging state. The value for charge_start_time must be less than charge_end_time.
+
+ Leaving the policy unset keeps advanced battery charge mode off.
+
+ Valid values for minute field in charge_start_time and charge_end_time are 0, 15, 30, 45.
+device_only: true
+example_value:
+ entries:
+ - charge_end_time:
+ hour: 23
+ minute: 0
+ charge_start_time:
+ hour: 20
+ minute: 30
+ day: TUESDAY
+ - charge_end_time:
+ hour: 6
+ minute: 45
+ charge_start_time:
+ hour: 4
+ minute: 15
+ day: FRIDAY
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- bkersting@google.com
+- kerker@chromium.org
+- chungsheng@google.com
+- byronlee@chromium.org
+- chromeos-oem-services@google.com
+schema:
+ properties:
+ entries:
+ items:
+ properties:
+ charge_end_time:
+ $ref: Time
+ description: Time when the device will stop charging, interpreted in the
+ device's local time zone.
+ charge_start_time:
+ $ref: Time
+ description: Time when the device will start charging, interpreted in
+ the device's local time zone.
+ day:
+ $ref: WeekDay
+ type: object
+ type: array
+ type: object
+supported_on:
+- chrome_os:75-
+tags: []
+type: dict
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceAdvancedBatteryChargeModeEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceAdvancedBatteryChargeModeEnabled.yaml
new file mode 100755
index 000000000..461a8c789
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceAdvancedBatteryChargeModeEnabled.yaml
@@ -0,0 +1,32 @@
+caption: Enable advanced battery charge mode
+desc: |-
+ The policy prolongs the usable life of a system batteries by charging them to full capacity only once per day. For the remainder of the day, batteries are kept in a lower charge state that is better for storage, even when the system is plugged into a power source.
+
+ If DeviceAdvancedBatteryChargeModeDayConfig is set, setting DeviceAdvancedBatteryChargeModeEnabled to Enabled keeps advanced battery charge mode power management policy on (if supported on the device). Using a standard charging algorithm and other techniques outside work hours, this mode lets users maximize battery health. During work hours, the system uses an express charge, which lets the battery charge faster. Specify the time when the system is used most each day by the start time and the duration.
+
+ Setting the policy to Disabled or leaving it unset keeps advanced battery charge mode off.
+
+ Users are unable to change this setting.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable advanced battery charge mode
+ value: true
+- caption: Disable advanced battery charge mode
+ value: false
+owners:
+- bkersting@google.com
+- kerker@chromium.org
+- chungsheng@google.com
+- byronlee@chromium.org
+- chromeos-oem-services@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:75-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBatteryChargeCustomStartCharging.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBatteryChargeCustomStartCharging.yaml
new file mode 100755
index 000000000..5b0a8c3c0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBatteryChargeCustomStartCharging.yaml
@@ -0,0 +1,25 @@
+caption: Set battery charge custom start charging in percent
+desc: |-
+ If DeviceBatteryChargeMode is set to "custom", then setting DeviceBatteryChargeCustomStartCharging customizes when the battery starts charging, based the percentage of battery charge. The value must be at least 5 percentage points below DeviceBatteryChargeCustomStopCharging.
+
+ Leaving the policy unset applies the standard battery charge mode.
+device_only: true
+example_value: 60
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- bkersting@google.com
+- kerker@chromium.org
+- chungsheng@google.com
+- byronlee@chromium.org
+- chromeos-oem-services@google.com
+schema:
+ maximum: 95
+ minimum: 50
+ type: integer
+supported_on:
+- chrome_os:75-
+tags: []
+type: int
+generate_device_proto: False
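Review bot: The `desc` text is missing a word: `based the percentage of battery charge` should read `based on the percentage of battery charge`, as the DeviceBatteryChargeCustomStopCharging description already does. Separately, the rule that the start value must be at least 5 percentage points below the stop value is stated only in prose. The two `schema` ranges (50–95 here, 55–100 in the Stop file) still accept a pair such as start 95 and stop 55, so the check has to live in the code that consumes the policy, which is not visible in this patch. A sentence in `desc` saying what happens to an invalid pair (ignored, clamped, or standard mode applied) would let an administrator predict the outcome.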
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBatteryChargeCustomStopCharging.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBatteryChargeCustomStopCharging.yaml
new file mode 100755
index 000000000..8a8f12bb8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBatteryChargeCustomStopCharging.yaml
@@ -0,0 +1,25 @@
+caption: Set battery charge custom stop charging in percent
+desc: |-
+ If DeviceBatteryChargeMode is set to "custom", then setting DeviceBatteryChargeCustomStopCharging customizes when the battery stops charging, based on the percentage of battery charge. DeviceBatteryChargeCustomStartCharging must be at least 5 percentage points below DeviceBatteryChargeCustomStopCharging.
+
+ Leaving the policy unset applies the "standard" battery charge mode.
+device_only: true
+example_value: 90
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- bkersting@google.com
+- kerker@chromium.org
+- chungsheng@google.com
+- byronlee@chromium.org
+- chromeos-oem-services@google.com
+schema:
+ maximum: 100
+ minimum: 55
+ type: integer
+supported_on:
+- chrome_os:75-
+tags: []
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBatteryChargeMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBatteryChargeMode.yaml
new file mode 100755
index 000000000..ae0d14c4b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBatteryChargeMode.yaml
@@ -0,0 +1,48 @@
+caption: Battery charge mode
+desc: |-
+ Unless DeviceAdvancedBatteryChargeModeEnabled is specified, which overrides DeviceBatteryChargeMode, then setting DeviceBatteryChargeMode specifies battery charge mode power management policy (if supported on the device). To extend battery life, the policy dynamically controls battery charging by minimizing stress and wear-out.
+
+ Leaving the policy unset (if supported on the device) applies the standard battery charge mode, and users can't change it.
+
+ Note: If Custom battery charge mode is selected, then also specify DeviceBatteryChargeCustomStartCharging and DeviceBatteryChargeCustomStopCharging.
+device_only: true
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Fully charge battery at a standard rate.
+ name: Standard
+ value: 1
+- caption: Charge battery using fast charging technology.
+ name: ExpressCharge
+ value: 2
+- caption: Charge battery for devices that are primarily connected to an external
+ power source.
+ name: PrimarilyAcUse
+ value: 3
+- caption: Adaptive charge battery based on battery usage pattern.
+ name: Adaptive
+ value: 4
+- caption: Charge battery while it is within a fixed range.
+ name: Custom
+ value: 5
+owners:
+- bkersting@google.com
+- kerker@chromium.org
+- chungsheng@google.com
+- byronlee@chromium.org
+- chromeos-oem-services@google.com
+schema:
+ enum:
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ type: integer
+supported_on:
+- chrome_os:75-
+tags: []
+type: int-enum
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBootOnAcEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBootOnAcEnabled.yaml
new file mode 100755
index 000000000..f46d29369
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceBootOnAcEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Enable boot on AC (alternating current)
+desc: |-
+ Setting the policy to Enabled keeps boot on AC on, if supported on the device. Boot on AC provides an opportunity for the system to restart from Off or Hibernate after inserting the line power.
+
+ Setting the policy to Disabled keeps boot on AC off.
+
+ If you set this policy, users can't change it. If not set, boot on AC is off, and users can't turn it on.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable boot on AC
+ value: true
+- caption: Disable boot on AC
+ value: false
+owners:
+- bkersting@google.com
+- kerker@chromium.org
+- chungsheng@google.com
+- byronlee@chromium.org
+- chromeos-oem-services@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:75-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceChargingSoundsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceChargingSoundsEnabled.yaml
new file mode 100755
index 000000000..4d4b41f13
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceChargingSoundsEnabled.yaml
@@ -0,0 +1,37 @@
+caption: Enable Charging Sounds
+default: null
+desc: |-
+ Enable the charging sounds feature.
+
+ This feature is responsible to play the charging sounds.
+
+ If this policy is set to enabled, the charging sounds will be played when the device is connected to an AC charger.
+
+ If this policy is set to disabled, no charging sound will be played.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, this feature is disabled initially on the managed $2Google ChromeOS devices, but users can enable or disable it at any time.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable charging sounds
+ value: true
+- caption: Disable charging sounds
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- hongyulong@chromium.org
+- bicioglu@google.com
+- chromeos-wms@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:117-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceLowBatterySoundEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceLowBatterySoundEnabled.yaml
new file mode 100755
index 000000000..9c1e75d0c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceLowBatterySoundEnabled.yaml
@@ -0,0 +1,37 @@
+caption: Enable Low Battery Sound
+default: null
+desc: |-
+ Enable the low battery sound feature.
+
+ This feature is responsible to play the low battery sound.
+
+ If this policy is set to enabled, the low battery sound will be played when the battery level or the remaining time drops below a threshold.
+
+ If this policy is set to disabled, no low battery sound will be played.
+
+ If you set this policy, users cannot change or override it.
+
+ If this policy is left unset, this feature is disabled for existing users, or enabled for new users initially on the managed $2Google ChromeOS devices, but users can enable or disable it at any time.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable low battery sound
+ value: true
+- caption: Disable low battery sound
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- hongyulong@chromium.org
+- bicioglu@google.com
+- chromeos-wms@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:117-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerAdaptiveChargingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerAdaptiveChargingEnabled.yaml
new file mode 100755
index 000000000..0a1a8ff71
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerAdaptiveChargingEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Enable adaptive charging model to hold charging process to extend battery
+ life
+default: true
+default_for_enterprise_users: false
+desc: |-
+ Specifies whether an adaptive charging model is allowed to hold charging process to extend battery life.
+
+ When the device is on AC, the adaptive charging model evaluates if charging process should be hold to extend battery life. If the adaptive charging model holds the charging process, it'll keep the battery at a certain level (i.e. 80%) and then charge the device to 100% when the user needs it.
+ If this policy is set to True, the adaptive charging model will be enabled and allowed to hold the charging process to extend battery life. If this policy is set to False or unset, the adaptive charging model will not influence the charging process.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+ can_be_recommended: true
+items:
+- caption: Enable adaptive charging model on $2Google
+ ChromeOS
+ value: true
+- caption: Disable adaptive charging model on $2Google
+ ChromeOS
+ value: false
+owners:
+- thanhdng@chromium.org
+- napper@chromium.org
+- dbasehore@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:102-
+tags: []
+type: main
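Review bot: The last `desc` paragraph says that leaving the policy unset means the adaptive charging model does not influence charging, yet the file also declares `default: true` next to `default_for_enterprise_users: false`. The unset behaviour therefore presumably differs between managed and unmanaged users, and the description should spell that out. A possible wording is `If this policy is unset, the model is enabled for unmanaged users and disabled for enterprise users.`, to be confirmed against the handler, which is not in this hunk. In the same paragraph, `should be hold` should read `should be held`.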
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerPeakShiftBatteryThreshold.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerPeakShiftBatteryThreshold.yaml
new file mode 100755
index 000000000..70bada76e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerPeakShiftBatteryThreshold.yaml
@@ -0,0 +1,25 @@
+caption: Set power peak shift battery threshold in percent
+desc: |-
+ If DevicePowerPeakShiftEnabled is Enabled, then setting DevicePowerPeakShiftBatteryThreshold sets power peak shift battery threshold in percent.
+
+ Leaving the policy unset keeps power peak shift off.
+device_only: true
+example_value: 20
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- bkersting@google.com
+- kerker@chromium.org
+- chungsheng@google.com
+- byronlee@chromium.org
+- chromeos-oem-services@google.com
+schema:
+ maximum: 100
+ minimum: 15
+ type: integer
+supported_on:
+- chrome_os:75-
+tags: []
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerPeakShiftDayConfig.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerPeakShiftDayConfig.yaml
new file mode 100755
index 000000000..3b2e59f2c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerPeakShiftDayConfig.yaml
@@ -0,0 +1,66 @@
+caption: Set power peak shift day config
+desc: |-
+ If DevicePowerPeakShiftEnabled is Enabled, setting DevicePowerPeakShiftDayConfig sets power peak shift day configuration.
+
+ Leaving the policy unset keeps power peak shift off.
+
+ Valid values for the minute field in start_time, end_time and charge_start_time are 0, 15, 30, 45.
+device_only: true
+example_value:
+ entries:
+ - charge_start_time:
+ hour: 20
+ minute: 45
+ day: MONDAY
+ end_time:
+ hour: 15
+ minute: 15
+ start_time:
+ hour: 9
+ minute: 0
+ - charge_start_time:
+ hour: 23
+ minute: 45
+ day: FRIDAY
+ end_time:
+ hour: 21
+ minute: 0
+ start_time:
+ hour: 2
+ minute: 30
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- bkersting@google.com
+- kerker@chromium.org
+- chungsheng@google.com
+- byronlee@chromium.org
+- chromeos-oem-services@google.com
+schema:
+ properties:
+ entries:
+ items:
+ properties:
+ charge_start_time:
+ $ref: Time
+ description: Time when the device will use alternating current to charge
+ battery, interpreted in the device's local time zone.
+ day:
+ $ref: WeekDay
+ end_time:
+ $ref: Time
+ description: Time when the device will run from alternating current, interpreted
+ in the device's local time zone.
+ start_time:
+ $ref: Time
+ description: Time when the device will start running from the battery,
+ interpreted in the device's local time zone.
+ type: object
+ type: array
+ type: object
+supported_on:
+- chrome_os:75-
+tags: []
+type: dict
+generate_device_proto: False
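Review bot: The `desc` lists the valid minute values but says nothing about the required order of `start_time`, `end_time` and `charge_start_time`, whereas DeviceAdvancedBatteryChargeModeDayConfig states that `charge_start_time` must be less than `charge_end_time`. Both example entries follow start < end < charge start, which suggests an ordering is expected. Neither the minute restriction nor an ordering is expressed in `schema` as far as this hunk shows (`$ref: Time` is defined elsewhere). If the consumer enforces an ordering, add a line such as `The value for start_time must be less than end_time, and end_time must be less than charge_start_time.`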
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerPeakShiftEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerPeakShiftEnabled.yaml
new file mode 100755
index 000000000..a83d21f4a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DevicePowerPeakShiftEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Enable peak shift power management
+desc: |-
+ Setting the policy to Enabled and setting DevicePowerPeakShiftBatteryThreshold and DevicePowerPeakShiftDayConfig keeps power peak shift on, if supported on the device. Power peak shift power management policy is a power-saving policy that minimizes alternating current usage during peak times. For each weekday, you can set a start and end time to run in power peak shift mode. As long as the battery stays above the threshold specified, during these times, the device runs from the battery (even if the alternating current is attached). After the specified end time, the device runs from alternating current (if attached), but won't charge the battery. The device will again function normally using alternating current and recharging the battery after the specified charge start time.
+
+ Setting the policy to Disabled keeps power peak shift off.
+
+ If unset, power peak shift is off at first. Users can't change this setting.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable peak shift power management
+ value: true
+- caption: Disable peak shift power management
+ value: false
+owners:
+- bkersting@google.com
+- kerker@chromium.org
+- chungsheng@google.com
+- byronlee@chromium.org
+- chromeos-oem-services@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:75-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceUsbPowerShareEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceUsbPowerShareEnabled.yaml
new file mode 100755
index 000000000..9c99c9272
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/DeviceUsbPowerShareEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Enable USB power share
+desc: |-
+ Setting the policy to Enabled turns on the USB power share power management policy.
+
+ Certain devices have a specific USB port with a lightning bolt or battery icon for charging devices using the system battery. This policy affects the charging behavior of this port while the system is in sleep and shut down modes. It doesn't affect the other USB ports and the charging behavior while the system is awake, when the USB port always provides power.
+
+ When sleeping, power is supplied to the USB port when the device is plugged in to the wall charger or if the battery level exceeds 50%. When shut down, power is supplied to the USB port when the device is plugged in to the wall charger.
+
+ Setting the policy to Disabled means no power is supplied.
+
+ Leaving the policy unset means the policy is on, and users can't turn it off.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable USB power share
+ value: true
+- caption: Disable USB power share
+ value: false
+owners:
+- bkersting@google.com
+- kerker@chromium.org
+- chungsheng@google.com
+- byronlee@chromium.org
+- chromeos-oem-services@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:75-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleAction.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleAction.yaml
new file mode 100755
index 000000000..6295cbcc4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleAction.yaml
@@ -0,0 +1,39 @@
+caption: Action to take when the idle delay is reached
+deprecated: true
+desc: |-
+ Note that this policy is deprecated and will be removed in $2Google ChromeOS version 85. Please use PowerManagementIdleSettings instead.
+
+ This policy provides a fallback value for the more-specific IdleActionAC and IdleActionBattery policies. If this policy is set, its value gets used if the respective more-specific policy is not set.
+
+ When this policy is unset, behavior of the more-specific policies remains unaffected.
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Suspend
+ name: IdleActionSuspend
+ value: 0
+- caption: Log the user out
+ name: IdleActionLogout
+ value: 1
+- caption: Shut down
+ name: IdleActionShutdown
+ value: 2
+- caption: Do nothing
+ name: IdleActionDoNothing
+ value: 3
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:26-
+tags: []
+type: int-enum
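Review bot: The deprecation notice at the top of `desc` says the policy will be removed in ChromeOS version 85, but this file is being added for version 130.0.6723.73 and still carries `supported_on: chrome_os:26-` with no end version, so the stated removal version is stale. The same sentence appears in IdleActionAC, IdleActionBattery, IdleDelayAC, IdleDelayBattery, IdleWarningDelayAC and IdleWarningDelayBattery later in this patch. Administrators who rely on these values for idle logout or shutdown cannot tell from the text whether the setting is still honoured. I would drop the version number and write `Note that this policy is deprecated. Please use PowerManagementIdleSettings instead.`, or close the `supported_on` range if the policy is no longer read.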
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleActionAC.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleActionAC.yaml
new file mode 100755
index 000000000..9ac236775
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleActionAC.yaml
@@ -0,0 +1,41 @@
+caption: Action to take when the idle delay is reached while running on AC power
+deprecated: true
+desc: |-
+ Note that this policy is deprecated and will be removed in $2Google ChromeOS version 85. Please use PowerManagementIdleSettings instead.
+
+ When this policy is set, it specifies the action that $2Google ChromeOS takes when the user remains idle for the length of time given by the idle delay, which can be configured separately.
+
+ When this policy is unset, the default action is taken, which is suspend.
+
+ If the action is suspend, $2Google ChromeOS can separately be configured to either lock or not lock the screen before suspending.
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Suspend
+ name: IdleActionSuspend
+ value: 0
+- caption: Log the user out
+ name: IdleActionLogout
+ value: 1
+- caption: Shut down
+ name: IdleActionShutdown
+ value: 2
+- caption: Do nothing
+ name: IdleActionDoNothing
+ value: 3
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:30-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleActionBattery.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleActionBattery.yaml
new file mode 100755
index 000000000..a891ec44e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleActionBattery.yaml
@@ -0,0 +1,41 @@
+caption: Action to take when the idle delay is reached while running on battery power
+deprecated: true
+desc: |-
+ Note that this policy is deprecated and will be removed in $2Google ChromeOS version 85. Please use PowerManagementIdleSettings instead.
+
+ When this policy is set, it specifies the action that $2Google ChromeOS takes when the user remains idle for the length of time given by the idle delay, which can be configured separately.
+
+ When this policy is unset, the default action is taken, which is suspend.
+
+ If the action is suspend, $2Google ChromeOS can separately be configured to either lock or not lock the screen before suspending.
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Suspend
+ name: IdleActionSuspend
+ value: 0
+- caption: Log the user out
+ name: IdleActionLogout
+ value: 1
+- caption: Shut down
+ name: IdleActionShutdown
+ value: 2
+- caption: Do nothing
+ name: IdleActionDoNothing
+ value: 3
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:30-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleDelayAC.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleDelayAC.yaml
new file mode 100755
index 000000000..156561f22
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleDelayAC.yaml
@@ -0,0 +1,26 @@
+caption: Idle delay when running on AC power
+deprecated: true
+desc: |-
+ Note that this policy is deprecated and will be removed in $2Google ChromeOS version 85. Please use PowerManagementIdleSettings instead.
+
+ Specifies the length of time without user input after which the idle action is taken when running on AC power.
+
+ When this policy is set, it specifies the length of time that the user must remain idle before $2Google ChromeOS takes the idle action, which can be configured separately.
+
+ When this policy is unset, a default length of time is used.
+
+ The policy value should be specified in milliseconds.
+example_value: 1800000
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:26-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleDelayBattery.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleDelayBattery.yaml
new file mode 100755
index 000000000..f83c9c69a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleDelayBattery.yaml
@@ -0,0 +1,26 @@
+caption: Idle delay when running on battery power
+deprecated: true
+desc: |-
+ Note that this policy is deprecated and will be removed in $2Google ChromeOS version 85. Please use PowerManagementIdleSettings instead.
+
+ Specifies the length of time without user input after which the idle action is taken when running on battery power.
+
+ When this policy is set, it specifies the length of time that the user must remain idle before $2Google ChromeOS takes the idle action, which can be configured separately.
+
+ When this policy is unset, a default length of time is used.
+
+ The policy value should be specified in milliseconds.
+example_value: 600000
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:26-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleWarningDelayAC.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleWarningDelayAC.yaml
new file mode 100755
index 000000000..080c4c5db
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleWarningDelayAC.yaml
@@ -0,0 +1,28 @@
+caption: Idle warning delay when running on AC power
+deprecated: true
+desc: |-
+ Note that this policy is deprecated and will be removed in $2Google ChromeOS version 85. Please use PowerManagementIdleSettings instead.
+
+ Specifies the length of time without user input after which a warning dialog is shown when running on AC power.
+
+ When this policy is set, it specifies the length of time that the user must remain idle before $2Google ChromeOS shows a warning dialog telling the user that the idle action is about to be taken.
+
+ When this policy is unset, no warning dialog is shown.
+
+ The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.
+
+ The warning message is only shown if the idle action is to logout or shut down.
+example_value: 545000
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:27-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleWarningDelayBattery.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleWarningDelayBattery.yaml
new file mode 100755
index 000000000..ba6322a2c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/IdleWarningDelayBattery.yaml
@@ -0,0 +1,28 @@
+caption: Idle warning delay when running on battery power
+deprecated: true
+desc: |-
+ Note that this policy is deprecated and will be removed in $2Google ChromeOS version 85. Please use PowerManagementIdleSettings instead.
+
+ Specifies the length of time without user input after which a warning dialog is shown when running on battery power.
+
+ When this policy is set, it specifies the length of time that the user must remain idle before $2Google ChromeOS shows a warning dialog telling the user that the idle action is about to be taken.
+
+ When this policy is unset, no warning dialog is shown.
+
+ The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.
+
+ The warning message is only shown if the idle action is to logout or shut down.
+example_value: 545000
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:27-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/LidCloseAction.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/LidCloseAction.yaml
new file mode 100755
index 000000000..985a9df19
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/LidCloseAction.yaml
@@ -0,0 +1,38 @@
+caption: Action to take when the user closes the lid
+desc: |-
+ Setting the policy specifies the action that $2Google ChromeOS takes when the user closes the device's lid.
+
+ Leaving the policy unset means the Suspend action is taken.
+
+ Note: If the action is Suspend, $2Google ChromeOS can separately be set up to lock or not lock the screen before suspending.
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Suspend
+ name: LidCloseActionSuspend
+ value: 0
+- caption: Log the user out
+ name: LidCloseActionLogout
+ value: 1
+- caption: Shut down
+ name: LidCloseActionShutdown
+ value: 2
+- caption: Do nothing
+ name: LidCloseActionDoNothing
+ value: 3
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:26-
+tags: []
+type: int-enum
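Review bot: The `desc` explains screen locking only for the Suspend action, so it is unclear what happens to an unlocked session when the lid is closed under `LidCloseActionDoNothing` (value 3). A closed lid with the session still unlocked is a physical-access exposure on a shared or travelling device. The description should say that this policy does not lock the screen by itself in that case and that a lock has to be configured separately, assuming that is the actual behaviour, which this hunk does not show. A possible wording: `Note: With Do nothing, configure screen locking separately if the device must lock when the lid is closed.`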
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerManagementIdleSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerManagementIdleSettings.yaml
new file mode 100755
index 000000000..00187b78a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerManagementIdleSettings.yaml
@@ -0,0 +1,69 @@
+caption: Power management settings when the user becomes idle
+desc: |-
+ Setting the policy controls the power management strategy when the user idles.
+
+ There are 4 actions:
+
+ * The screen dims if the user is idle for the time specified by ScreenDim.
+
+ * The screen turns off if the user is idle for the time specified by ScreenOff.
+
+ * A warning dialog appears if the user remains idle for the time specified by IdleWarning. It warns the user that the idle action will be taken and only appears if the idle action is to sign out or shut down.
+
+ * The action specified by IdleAction is taken if the user is idle for the time specified by Idle.
+
+ For each of the above actions, the delay should be specified in milliseconds and must be set to a value greater than zero to trigger the corresponding action. If the delay is set to zero, $2Google ChromeOS won't take the corresponding action.
+
+ For each of the above delays, when the time is unset, a default value is used.
+
+ ScreenDim values will be clamped to be less than or equal to ScreenOff. ScreenOff and IdleWarning will be clamped to be less than or equal to Idle.
+
+ IdleAction can be one of 4 actions:
+
+ * Suspend
+
+ * Logout
+
+ * Shutdown
+
+ * DoNothing
+
+ If the IdleAction is not set, Suspend is taken.
+
+ Note: There are separate settings for AC power and battery.
+example_value:
+ AC:
+ Delays:
+ Idle: 30000
+ IdleWarning: 5000
+ ScreenDim: 10000
+ ScreenOff: 20000
+ IdleAction: DoNothing
+ Battery:
+ Delays:
+ Idle: 30000
+ IdleWarning: 5000
+ ScreenDim: 10000
+ ScreenOff: 20000
+ IdleAction: DoNothing
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ properties:
+ AC:
+ $ref: PowerManagementDelays
+ description: Delays and actions to take when the device is idle and running
+ on AC power
+ Battery:
+ $ref: PowerManagementDelays
+ description: Delays and actions to take when the device is idle and running
+ on battery
+ type: object
+supported_on:
+- chrome_os:35-
+tags: []
+type: dict
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerManagementUsesAudioActivity.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerManagementUsesAudioActivity.yaml
new file mode 100755
index 000000000..39ab43520
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerManagementUsesAudioActivity.yaml
@@ -0,0 +1,23 @@
+caption: Specify whether audio activity affects power management
+desc: |-
+ Setting the policy to Enabled or leaving it unset means the user is not considered idle while audio plays. This prevents the idle timeout from being reached and the idle action from being taken. However, screen dimming, screen off, and screen lock will still occur after their configured timeouts despite audio activity.
+
+ Setting the policy to Disabled means the system can consider users idle despite audio activity.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Do not consider the user as idle while audio plays
+ value: true
+- caption: Consider the user as idle while audio plays
+ value: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:26-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerManagementUsesVideoActivity.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerManagementUsesVideoActivity.yaml
new file mode 100755
index 000000000..370fc1e45
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerManagementUsesVideoActivity.yaml
@@ -0,0 +1,25 @@
+arc_support: Video playing in Android apps is not taken into consideration, even if
+ this policy is set to True.
+caption: Specify whether video activity affects power management
+desc: |-
+ Setting the policy to Enabled or leaving it unset means the user is not considered idle while video plays. This prevents the idle delay, screen dim delay, screen off delay, and screen lock delay from being reached and the corresponding actions from being taken.
+
+ Setting the policy to Disabled means the system can consider users idle despite video activity.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Do not consider the user as idle while video plays
+ value: true
+- caption: Consider the user as idle while video plays
+ value: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:26-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerSmartDimEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerSmartDimEnabled.yaml
new file mode 100755
index 000000000..d00e3c9ed
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PowerSmartDimEnabled.yaml
@@ -0,0 +1,23 @@
+caption: Enable smart dim model to extend the time until the screen is dimmed
+desc: |-
+ Setting the policy to Enabled or leaving it unset turns the smart dim model on and can extend the time until the screen dims. If it delays the time, the screen off, screen lock, and idle delays adjust to maintain the same distances from the screen dim delay as originally set.
+
+ Setting the policy to Disabled means the smart dim model won't influence screen dimming.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Allow the smart dim model to extend the time until the screen dims
+ value: true
+- caption: Do not allow the smart dim model to extend the time until the screen dims
+ value: false
+owners:
+- jiameng@chromium.org
+- ejcaruso@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:70-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PresentationIdleDelayScale.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PresentationIdleDelayScale.yaml
new file mode 100755
index 000000000..1ce58f794
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PresentationIdleDelayScale.yaml
@@ -0,0 +1,17 @@
+caption: Percentage by which to scale the idle delay in presentation mode (deprecated)
+deprecated: true
+desc: This policy has been retired as of $2Google ChromeOS
+ version 29. Please use the PresentationScreenDimDelayScale policy instead.
+example_value: 200
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ type: integer
+supported_on:
+- chrome_os:26-28
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PresentationScreenDimDelayScale.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PresentationScreenDimDelayScale.yaml
new file mode 100755
index 000000000..e201e7407
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/PresentationScreenDimDelayScale.yaml
@@ -0,0 +1,20 @@
+caption: Percentage by which to scale the screen dim delay in presentation mode
+desc: |-
+ If PowerSmartDimEnabled is Disabled, then setting PresentationScreenDimDelayScale specifies the percent that the screen dim delay scales when the device is presenting. When the screen dim delay scales, the screen off, screen lock, and idle delays adjust to maintain the same distances from the screen dim delay as originally set.
+
+ Leaving the policy unset puts a default scale factor in use.
+
+ Note: The scale factor must be 100% or more.
+example_value: 200
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ type: integer
+supported_on:
+- chrome_os:29-
+tags: []
+type: int
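Review bot: The `desc` requires a scale factor of 100% or more, but `schema` is only `type: integer`, so values below 100, including negative ones, pass schema validation. Adding `minimum: 100` under `schema:` would let the policy validator reject them, in the same way the delay policies in this directory declare `minimum: 0`. How an out-of-range value is treated at runtime is not visible in this hunk. UserActivityScreenDimDelayScale has the same gap.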
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenBrightnessPercent.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenBrightnessPercent.yaml
new file mode 100755
index 000000000..7786ec9ae
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenBrightnessPercent.yaml
@@ -0,0 +1,33 @@
+caption: Screen brightness percent
+desc: |-
+ Setting the policy specifies screen brightness percent, turning autobrightness features off. Initial screen brightness adjusts to the policy value, but users can change it.
+
+ Leaving the policy unset doesn't affect user screen controls or autobrightness features.
+
+ Note: The policy values should be specified in percents from 0 to 100.
+example_value:
+ BrightnessAC: 90
+ BrightnessBattery: 75
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- file://chrome/browser/ash/login/demo_mode/OWNERS
+- agawronska@chromium.org
+schema:
+ properties:
+ BrightnessAC:
+ description: Screen brightness percent when running on AC power
+ maximum: 100
+ minimum: 0
+ type: integer
+ BrightnessBattery:
+ description: Screen brightness percent when running on battery power
+ maximum: 100
+ minimum: 0
+ type: integer
+ type: object
+supported_on:
+- chrome_os:72-
+tags: []
+type: dict
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenDimDelayAC.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenDimDelayAC.yaml
new file mode 100755
index 000000000..f286f8675
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenDimDelayAC.yaml
@@ -0,0 +1,28 @@
+caption: Screen dim delay when running on AC power
+deprecated: true
+desc: |-
+ Note that this policy is deprecated and will be removed in $2Google ChromeOS version 85. Please use PowerManagementIdleSettings instead.
+
+ Specifies the length of time without user input after which the screen is dimmed when running on AC power.
+
+ When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before $2Google ChromeOS dims the screen.
+
+ When this policy is set to zero, $2Google ChromeOS does not dim the screen when the user becomes idle.
+
+ When this policy is unset, a default length of time is used.
+
+ The policy value should be specified in milliseconds. Values are clamped to be less than or equal the screen off delay (if set) and the idle delay.
+example_value: 420000
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:26-
+tags: []
+type: int
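Review bot: The `desc` says the policy "will be removed in ChromeOS version 85", yet `supported_on` is the open-ended `chrome_os:26-` and this snapshot is for version 130, so one of the two is stale. Either close the range or reword the first sentence, for example `This policy is deprecated. Please use PowerManagementIdleSettings instead.` The same mismatch appears in ScreenDimDelayBattery, ScreenOffDelayAC, ScreenOffDelayBattery, ScreenLockDelayAC and ScreenLockDelayBattery (the last two point to ScreenLockDelays instead). Minor wording: "less than or equal the" should read "less than or equal to the".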
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenDimDelayBattery.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenDimDelayBattery.yaml
new file mode 100755
index 000000000..7f8ea61b5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenDimDelayBattery.yaml
@@ -0,0 +1,28 @@
+caption: Screen dim delay when running on battery power
+deprecated: true
+desc: |-
+ Note that this policy is deprecated and will be removed in $2Google ChromeOS version 85. Please use PowerManagementIdleSettings instead.
+
+ Specifies the length of time without user input after which the screen is dimmed when running on battery power.
+
+ When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before $2Google ChromeOS dims the screen.
+
+ When this policy is set to zero, $2Google ChromeOS does not dim the screen when the user becomes idle.
+
+ When this policy is unset, a default length of time is used.
+
+ The policy value should be specified in milliseconds. Values are clamped to be less than or equal the screen off delay (if set) and the idle delay.
+example_value: 300000
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:26-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenLockDelayAC.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenLockDelayAC.yaml
new file mode 100755
index 000000000..00480004f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenLockDelayAC.yaml
@@ -0,0 +1,30 @@
+caption: Screen lock delay when running on AC power
+deprecated: true
+desc: |-
+ Note that this policy is deprecated and will be removed in $2Google ChromeOS version 85. Please use ScreenLockDelays instead.
+
+ Specifies the length of time without user input after which the screen is locked when running on AC power.
+
+ When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before $2Google ChromeOS locks the screen.
+
+ When this policy is set to zero, $2Google ChromeOS does not lock the screen when the user becomes idle.
+
+ When this policy is unset, a default length of time is used.
+
+ The recommended way to lock the screen on idle is to enable screen locking on suspend and have $2Google ChromeOS suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.
+
+ The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.
+example_value: 600000
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:26-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenLockDelayBattery.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenLockDelayBattery.yaml
new file mode 100755
index 000000000..4006407fe
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenLockDelayBattery.yaml
@@ -0,0 +1,30 @@
+caption: Screen lock delay when running on battery power
+deprecated: true
+desc: |-
+ Note that this policy is deprecated and will be removed in $2Google ChromeOS version 85. Please use ScreenLockDelays instead.
+
+ Specifies the length of time without user input after which the screen is locked when running on battery power.
+
+ When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before $2Google ChromeOS locks the screen.
+
+ When this policy is set to zero, $2Google ChromeOS does not lock the screen when the user becomes idle.
+
+ When this policy is unset, a default length of time is used.
+
+ The recommended way to lock the screen on idle is to enable screen locking on suspend and have $2Google ChromeOS suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.
+
+ The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.
+example_value: 600000
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:26-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenLockDelays.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenLockDelays.yaml
new file mode 100755
index 000000000..ba6ce5f2f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenLockDelays.yaml
@@ -0,0 +1,33 @@
+caption: Screen lock delays
+desc: |-
+ Setting the policy specifies the length of time in milliseconds without user input after which the screen locks when running on AC power or battery. Values are clamped to be less than the idle delay in PowerManagementIdleSettings.
+
+ When set to zero, $2Google ChromeOS doesn't lock the screen when the user becomes idle. If unset, a default time is used.
+
+ Recommendation: Lock the screen on idle by turning on screen locking on suspend and have $2Google ChromeOS suspend after the idle delay. Only use this policy when screen locking should occur a significant amount of time sooner than suspend or when you don't want suspend on idle.
+example_value:
+ AC: 600000
+ Battery: 300000
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ properties:
+ AC:
+ description: The length of time without user input after which the screen is
+ locked when running on AC power, in milliseconds
+ minimum: 0
+ type: integer
+ Battery:
+ description: The length of time without user input after which the screen is
+ locked when running on battery, in milliseconds
+ minimum: 0
+ type: integer
+ type: object
+supported_on:
+- chrome_os:35-
+tags: []
+type: dict
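Review bot: The `desc` says lock delays are clamped to be less than the idle delay in PowerManagementIdleSettings, but it does not say what happens when that idle delay is itself zero, which PowerManagementIdleSettings documents as "won't take the corresponding action". Since zero here disables idle locking, an administrator who relies on this policy to lock unattended devices cannot tell from the text whether a disabled idle action also removes the lock. I would add one sentence to `desc` stating the behaviour in that case, once it is confirmed against the power manager implementation. The schema (`minimum: 0` on both fields) is consistent with the text.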
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenOffDelayAC.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenOffDelayAC.yaml
new file mode 100755
index 000000000..2c324c088
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenOffDelayAC.yaml
@@ -0,0 +1,28 @@
+caption: Screen off delay when running on AC power
+deprecated: true
+desc: |-
+ Note that this policy is deprecated and will be removed in $2Google ChromeOS version 85. Please use PowerManagementIdleSettings instead.
+
+ Specifies the length of time without user input after which the screen is turned off when running on AC power.
+
+ When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before $2Google ChromeOS turns off the screen.
+
+ When this policy is set to zero, $2Google ChromeOS does not turn off the screen when the user becomes idle.
+
+ When this policy is unset, a default length of time is used.
+
+ The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.
+example_value: 480000
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:26-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenOffDelayBattery.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenOffDelayBattery.yaml
new file mode 100755
index 000000000..0278d8528
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/ScreenOffDelayBattery.yaml
@@ -0,0 +1,28 @@
+caption: Screen off delay when running on battery power
+deprecated: true
+desc: |-
+ Note that this policy is deprecated and will be removed in $2Google ChromeOS version 85. Please use PowerManagementIdleSettings instead.
+
+ Specifies the length of time without user input after which the screen is turned off when running on battery power.
+
+ When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before $2Google ChromeOS turns off the screen.
+
+ When this policy is set to zero, $2Google ChromeOS does not turn off the screen when the user becomes idle.
+
+ When this policy is unset, a default length of time is used.
+
+ The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.
+example_value: 360000
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:26-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/UserActivityScreenDimDelayScale.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/UserActivityScreenDimDelayScale.yaml
new file mode 100755
index 000000000..7f222e704
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/UserActivityScreenDimDelayScale.yaml
@@ -0,0 +1,21 @@
+caption: Percentage by which to scale the screen dim delay if the user becomes active
+ after dimming
+desc: |-
+ If PowerSmartDimEnabled is Disabled, then setting UserActivityScreenDimDelayScale specifies the percent that the screen dim delay scales when there's user activity while the screen dims or soon after the screen turns off. When the dim delay scales, the screen off, screen lock and idle delays adjust to maintain the same distances from the screen dim delay as originally set.
+
+ Leaving the policy unset puts a default scale factor in use.
+
+ Note: The scale factor must be 100% or more.
+example_value: 200
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ type: integer
+supported_on:
+- chrome_os:29-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/WaitForInitialUserActivity.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/WaitForInitialUserActivity.yaml
new file mode 100755
index 000000000..c2a9cbdc8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PowerManagement/WaitForInitialUserActivity.yaml
@@ -0,0 +1,24 @@
+caption: Wait for initial user activity
+desc: |-
+ Setting the policy to Enabled means that power management delays and session length limits don't start until after the first user activity occurs in a session.
+
+ Setting the policy to Disabled or leaving it unset means power management delays and the time limit begin immediately at session start.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Start power management delays and session length limits after initial user
+ activity
+ value: true
+- caption: Start power management delays and session length limits at session start
+ value: false
+owners:
+- reinauer@google.com
+- chromeos-power@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:32-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/.group.details.yaml
new file mode 100755
index 000000000..49be1e1c8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Printing
+desc: Controls printing settings.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/CloudPrintProxyEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/CloudPrintProxyEnabled.yaml
new file mode 100755
index 000000000..aa7b43a12
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/CloudPrintProxyEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Enable Google Cloud Print proxy
+desc: |-
+ Setting the policy to Enabled or leaving it unset lets $1Google Chrome act as a proxy between Google Cloud Print and legacy printers connected to the machine. Using their Google Account, users may turn on the cloud print proxy by authentication.
+
+ Setting the policy to Disabled means users can't turn on the proxy, and the machine can't share its printers with Google Cloud Print.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable Google Cloud Print proxy
+ value: true
+- caption: Disable Google Cloud Print proxy
+ value: false
+owners:
+- file://printing/OWNERS
+- rbpotter@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:17-
+tags: []
+type: main
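Review bot: This definition has no `deprecated: true` and `supported_on` is the open-ended `chrome.*:17-`, whereas DefaultPrinterSelection in this same patch states that Google Cloud Print is no longer supported and CloudPrintSubmitEnabled is closed at version 101. If the proxy has been retired as well, the `desc` should say so and the range should be closed, because the text still tells administrators that leaving the policy unset lets the machine share its printers. Whether the proxy code still exists cannot be confirmed from this hunk.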
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/CloudPrintSubmitEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/CloudPrintSubmitEnabled.yaml
new file mode 100755
index 000000000..c793d1bee
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/CloudPrintSubmitEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Enable submission of documents to Google Cloud
+ Print
+deprecated: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset lets users print to Google Cloud Print from the $1Google Chrome print dialog. $1Google Chrome can submit documents to Google Cloud Print for printing. This doesn't prevent users from submitting print jobs on websites.
+
+ Setting the policy to Disabled means users can't print to Google Cloud Print from the $1Google Chrome print dialog.
+
+ In order to keep Google Cloud Print destinations discoverable, this policy must be set to Enabled and cloud must not be included in the PrinterTypeDenyList policy.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable submission of documents to Google Cloud
+ Print
+ value: true
+- caption: Disable submission of documents to Google Cloud
+ Print
+ value: false
+owners:
+- file://printing/OWNERS
+- weili@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:17-101
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/CloudPrintWarningsSuppressed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/CloudPrintWarningsSuppressed.yaml
new file mode 100755
index 000000000..d7bc10efd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/CloudPrintWarningsSuppressed.yaml
@@ -0,0 +1,27 @@
+caption: Suppress Google Cloud Print deprecation
+ messages
+default: false
+deprecated: true
+desc: |-
+ This policy controls whether Google Cloud Print deprecation warnings are shown to users in the print preview dialog or settings pages.
+ Setting this policy to True will hide the deprecation warnings.
+ Setting this policy to False or leaving it unset will show the deprecation warnings.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Hide Google Cloud Print deprecation warnings
+ value: true
+- caption: Show Google Cloud Print deprecation warnings
+ value: false
+owners:
+- file://printing/OWNERS
+- rbpotter@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:86-87
+- chrome_os:86-87
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DefaultPrinterSelection.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DefaultPrinterSelection.yaml
new file mode 100755
index 000000000..790400345
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DefaultPrinterSelection.yaml
@@ -0,0 +1,42 @@
+arc_support: This policy has no effect on Android apps.
+caption: Default printer selection rules
+desc: |-
+ Setting the policy sets the rules for selecting the default printer in $1Google Chrome, overriding the default rules. Printer selection occurs the first time users try to print, when $1Google Chrome seeks a printer matching the specified attributes. In case of a less than perfect match, $1Google Chrome can be set to select any matching printer, depending on the order printers are discovered.
+
+ Leaving the policy unset or set to attributes for which there's no match means the built-in PDF printer is the default. If there's no PDF printer, $1Google Chrome defaults to none.
+
+ Currently, all printers are classified as "local". Printers connected to Google Cloud Print are considered "cloud", but Google Cloud Print is no longer supported.
+
+ Note: Omitting a field means all values match for that particular field. For example, not specifying idPattern means Print Preview accepts all printer IDs. Regular expression patterns must follow the JavaScript RegExp syntax, and matches are case sensistive.
+example_value: '{ "kind": "local", "idPattern": ".*public", "namePattern": ".*Color" }'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://printing/OWNERS
+- thestig@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:48-
+- chrome_os:48-
+tags: []
+type: string
+validation_schema:
+ properties:
+ idPattern:
+ description: Regular expression to match printer ID.
+ type: string
+ kind:
+ description: Whether to limit the search of the matching printer to a specific
+ set of printers.
+ enum:
+ - local
+ - cloud
+ type: string
+ namePattern:
+ description: Regular expression to match printer display name.
+ type: string
+ type: object
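Review bot: The `desc` has a typo in user-facing policy text: "case sensistive" should be "case sensitive". The `validation_schema` accepts any string for `idPattern` and `namePattern`, and `desc` says they must follow JavaScript RegExp syntax, so it would help to state what happens when a pattern fails to compile (pattern ignored, or policy treated as unset); this hunk does not show it. DeletePrintJobHistoryAllowed has a similar slip, `the users's browser history` for `the user's browser history`.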
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeletePrintJobHistoryAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeletePrintJobHistoryAllowed.yaml
new file mode 100755
index 000000000..40febbace
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeletePrintJobHistoryAllowed.yaml
@@ -0,0 +1,28 @@
+caption: Allow print job history to be deleted
+default: true
+desc: |-
+ Controls whether print job history can be deleted.
+
+ Locally stored print jobs can be deleted through the print management app or through deleting the users's browser history.
+
+ When this policy is enabled or unset, the user will be able to delete their print job history through the print management app or through deleting their browser history.
+
+ When this policy is disabled, the user will not be able to delete their print job history through the print management app or through deleting their browser history.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow print job history to be deleted
+ value: true
+- caption: Do not allow print job history to be deleted
+ value: false
+owners:
+- jimmyxgong@chromium.org
+- file://printing/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:85-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceExternalPrintServers.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceExternalPrintServers.yaml
new file mode 100755
index 000000000..db5c346b3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceExternalPrintServers.yaml
@@ -0,0 +1,41 @@
+caption: External print servers
+desc: "Provides configurations of available print servers.\n\n This policy allows\
+ \ you to provide configuration of external print servers to $2Google ChromeOS devices as JSON file.\n\n The size of the\
+ \ file must not exceed 1MB and must contain an array of records (JSON objects).\
+ \ Each record must contain fields \"id\", \"url\" and \"display_name\" with strings\
+ \ as values. Values of \"id\" fields must be unique.\n\n The file is downloaded\
+ \ and cached. The cryptographic hash is used to verify the integrity of the download.\
+ \ The file will be re-downloaded whenever the URL or the hash changes.\n\n \
+ \ When this policy is set to correct value, devices will try to query specified\
+ \ print servers for available printers using IPP protocol.\n\n If this policy\
+ \ is unset or set to incorrect value, none of the provided server printers are visible\
+ \ to users.\n\n Currently, the number of print servers is limited to 16. Only\
+ \ the first 16 print servers from the list will be queried.\n\n This policy\
+ \ is similar to ExternalPrintServers,\
+ \ except this policy is applied by device.\n "
+device_only: true
+example_value:
+ hash: deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef
+ url: https://example.com/printserverpolicy
+features:
+ dynamic_refresh: true
+ per_profile: false
+max_size: 1048576
+owners:
+- mattme@google.com
+- file://chromeos/printing/OWNERS
+schema:
+ properties:
+ hash:
+ description: The SHA-256 hash of the file.
+ type: string
+ url:
+ description: URL to a JSON file with a list of print servers.
+ type: string
+ type: object
+supported_on:
+- chrome_os:87-
+tags: []
+type: external
+generate_device_proto: False
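Review bot: The `example_value` hash is 52 hex characters and has `deaf` in the middle of the `deadbeef` pattern, while the schema describes the field as a SHA-256 hash, which is 64 hex characters. An administrator who copies the shape of the example ends up with a value that cannot match any real download. Use a constructed sample of the right length, for example `hash: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef`. The same 52-character example appears in DeviceNativePrinters.yaml, DevicePrinters.yaml, ExternalPrintServers.yaml and NativePrintersBulkConfiguration.yaml in this patch. The desc could also name the algorithm ("The SHA-256 hash is used to verify the integrity of the download") so that prose and schema agree.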
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceExternalPrintServersAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceExternalPrintServersAllowlist.yaml
new file mode 100755
index 000000000..3a7ad5afa
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceExternalPrintServersAllowlist.yaml
@@ -0,0 +1,29 @@
+caption: Enabled external print servers
+desc: |-
+ Specifies the subset of print servers that will be queried for server printers. This applies only to the DeviceExternalPrintServers policy.
+
+ If this policy is used, only the server printers with ids matching the values in this policy are available to the user through device policy.
+
+ The ids must correspond to the "id" field in the file specified in DeviceExternalPrintServers.
+
+ If this policy is not set, filtering is omitted and all print servers provided by DeviceExternalPrintServers are taken into account.
+device_only: true
+example_value:
+- id1
+- id2
+- id3
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- mattme@google.com
+- file://chromeos/printing/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:87-
+tags: []
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceNativePrinters.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceNativePrinters.yaml
new file mode 100755
index 000000000..df0ff0b3f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceNativePrinters.yaml
@@ -0,0 +1,38 @@
+caption: Enterprise printer configuration file for devices
+deprecated: true
+desc: |-
+ Setting the policy provides configurations for enterprise printers bound to devices. Its format matches the NativePrinters dictionary, with an additional required "id" or "guid" field for each printer for allow listing or deny listing. The file size can't exceed 5MB and is in JSON format. A file with about 21,000 printers encodes as a 5MB file. The cryptographic hash helps verify download integrity. The file is downloaded, cached, and redownloaded when the URL or the hash changes. $2Google ChromeOS downloads the file for printer configurations and makes printers available along with DevicePrintersAccessMode, DevicePrintersAllowlist, and DevicePrintersBlocklist.
+
+ This policy:
+
+ * doesn't affect whether users can configure printers on individual devices
+
+ * supplements NativePrintersBulkConfiguration and individual users' printer setups
+
+ If unset, there are no device printers, and the other DeviceNativePrinter* policies are ignored.
+
+ This policy is deprecated, please use DevicePrinters instead.
+device_only: true
+example_value:
+ hash: deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef
+ url: https://example.com/printerpolicy
+features:
+ dynamic_refresh: true
+ per_profile: false
+max_size: 5242880
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ properties:
+ hash:
+ type: string
+ url:
+ type: string
+ type: object
+supported_on:
+- chrome_os:73-100
+tags: []
+type: external
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceNativePrintersAccessMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceNativePrintersAccessMode.yaml
new file mode 100755
index 000000000..f2197f501
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DeviceNativePrintersAccessMode.yaml
@@ -0,0 +1,33 @@
+caption: Device printers configuration access policy.
+deprecated: true
+desc: This policy is deprecated and unsupported, please use DevicePrintersAccessMode instead.
+device_only: true
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: All printers are shown except those in the blocklist.
+ name: BlocklistRestriction
+ value: 0
+- caption: Only printers in the allowlist are shown to users
+ name: AllowlistPrintersOnly
+ value: 1
+- caption: Allow all printers from the configuration file.
+ name: AllowAll
+ value: 2
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:73-100
+tags: []
+type: int-enum
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrinters.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrinters.yaml
new file mode 100755
index 000000000..e9b7d8322
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrinters.yaml
@@ -0,0 +1,35 @@
+caption: Enterprise printer configuration file for devices
+desc: |-
+ Setting the policy provides configurations for enterprise printers bound to devices. Its format matches the Printers dictionary, with an additional required "id" or "guid" field for each printer for allow listing or deny listing. The file size can't exceed 5MB and is in JSON format. A file with about 21,000 printers encodes as a 5MB file. The cryptographic hash helps verify download integrity. The file is downloaded, cached, and redownloaded when the URL or the hash changes. $2Google ChromeOS downloads the file for printer configurations and makes printers available along with DevicePrintersAccessMode, DevicePrintersAllowlist, and DevicePrintersBlocklist.
+
+ This policy:
+
+ * doesn't affect whether users can configure printers on individual devices
+
+ * supplements PrintersBulkConfiguration and individual users' printer setups
+
+ If unset, there are no device printers, and the other DevicePrinter* policies are ignored.
+device_only: true
+example_value:
+ hash: deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef
+ url: https://example.com/printerpolicy
+features:
+ dynamic_refresh: true
+ per_profile: false
+max_size: 5242880
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ properties:
+ hash:
+ type: string
+ url:
+ type: string
+ type: object
+supported_on:
+- chrome_os:87-
+tags: []
+type: external
+generate_device_proto: False
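Review bot: The `hash` and `url` properties under `schema` have no `description`, unlike the same two properties in DeviceExternalPrintServers.yaml, so the schema gives no hint which hash algorithm or URL form is expected. The desc only says "The cryptographic hash helps verify download integrity". Add `description: URL to a JSON file with the printer configurations.` to `url`. If the algorithm is SHA-256 here as well, which this hunk does not state, add `description: The SHA-256 hash of the file.` to `hash`. The deprecated DeviceNativePrinters.yaml and NativePrintersBulkConfiguration.yaml have the same gap.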
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintersAccessMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintersAccessMode.yaml
new file mode 100755
index 000000000..42dbdd62c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintersAccessMode.yaml
@@ -0,0 +1,41 @@
+caption: Device printers configuration access policy.
+desc: |-
+ Setting the policy designates which access policy applies to bulk printer configuration, controlling which printers from DevicePrinters are available for users.
+
+ * BlocklistRestriction (value 0), DevicePrintersBlocklist can restrict access to the specified printers
+
+ * AllowlistPrintersOnly (value 1), DevicePrintersAllowlist designates only those printers which are selectable
+
+ * AllowAll (value 2), all printers are allowed.
+
+ Leaving the policy unset applies AllowAll.
+device_only: true
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: All printers are shown except those in the blocklist.
+ name: BlocklistRestriction
+ value: 0
+- caption: Only printers in the allowlist are shown to users
+ name: AllowlistPrintersOnly
+ value: 1
+- caption: Allow all printers from the configuration file.
+ name: AllowAll
+ value: 2
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:87-
+tags: []
+type: int-enum
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintersAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintersAllowlist.yaml
new file mode 100755
index 000000000..ba083d4b3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintersAllowlist.yaml
@@ -0,0 +1,29 @@
+caption: Enabled enterprise device printers
+desc: If AllowlistPrintersOnly is chosen for DevicePrintersAccessMode, then
+ setting DevicePrintersAllowlist
+ specifies which printers users can use. Only the printers with IDs matching the
+ values in this policy are available to users. The IDs must correspond to the "id" or "guid" fields in the file
+ specified in DevicePrinters
+device_only: true
+example_value:
+- id1
+- id2
+- id3
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:87-
+tags: []
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintersBlocklist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintersBlocklist.yaml
new file mode 100755
index 000000000..8e8c11532
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintersBlocklist.yaml
@@ -0,0 +1,27 @@
+caption: Disabled enterprise device printers
+desc: If BlocklistRestriction is chosen for DevicePrintersAccessMode, then
+ setting DevicePrintersBlocklist
+ specifies which printers users can't use. All printers are provided to users, except
+ for the IDs listed in this policy. The IDs must correspond to the "id"
+ or "guid" fields in the file specified in DevicePrinters.
+device_only: true
+example_value:
+- id1
+- id2
+- id3
+features:
+ dynamic_refresh: true
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:87-
+tags: []
+type: list
+generate_device_proto: False
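Review bot: `features` sets only `dynamic_refresh: true` and omits `per_profile`, while the other `device_only` printing policies in this part of the patch (DevicePrinters, DevicePrintersAccessMode, DevicePrintersAllowlist) all declare `per_profile: false`. Add `per_profile: false` under `features` so the blocklist is described the same way as the allowlist it pairs with. Whether the template tooling treats a missing key as false is not visible here.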
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintingClientNameTemplate.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintingClientNameTemplate.yaml
new file mode 100755
index 000000000..bd5e4f1fa
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DevicePrintingClientNameTemplate.yaml
@@ -0,0 +1,48 @@
+caption: Template for the 'client-name'
+ Internet Printing Protocol attribute
+desc: "This policy controls the value of the 'client-info'\
+ \ Internet Printing Protocol (IPP)\
+ \ attribute in print jobs.\n\n\
+ \ Setting the policy has the effect of sending an additional\
+ \ 'client-info' value to print jobs submitted to\
+ \ IPP printers.\
+ \ The 'client-type' member of the\
+ \ added 'client-info' value will be set\
+ \ to 'other'.\
+ \ The 'client-name' member of the\
+ \ added 'client-info' value will be set\
+ \ to the value of the policy after substitution of placeholder variables.\
+ \ Supported placeholder variables are\
+ \ ${DEVICE_DIRECTORY_API_ID},\
+ \ ${DEVICE_SERIAL_NUMBER},\
+ \ ${DEVICE_ASSET_ID},\
+ \ ${DEVICE_ANNOTATED_LOCATION}.\
+ \ Unsupported placeholder variables will not be substituted.\n\n\
+ \ The resulting value after substitution of placeholder variables is considered\
+ \ valid if it is not longer than 127 characters and only contains the following characters:\
+ \ lowercase and uppercase letters of the English alphabet, digits, dashes ('-'), dots ('.')\
+ \ and underscores ('_').\n\n\
+ \ Note that, for privacy reasons, this policy takes effect only when the connection to the\
+ \ printer is secure (ipps:// URI scheme) and the user\
+ \ submitting the print job is affiliated.\
+ \ Also, note that this policy only applies to printers that support\
+ \ 'client-info'.\n\n\
+ \ If the policy is unset, set to an empty or invalid value, an additional\
+ \ 'client-info' value will not be added to print\
+ \ job requests.\n"
+device_only: true
+example_value: chromebook-${DEVICE_ASSET_ID}
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- ust@google.com
+- ust@google.com
+- chromeos-commercial-printing@google.com
+schema:
+ type: string
+supported_on:
+- chrome_os:111-
+tags: []
+type: string
+generate_device_proto: False
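Review bot: `owners` lists `ust@google.com` twice on consecutive lines; drop the second entry, or replace it with the owner that was meant. In the desc, the last paragraph reads "If the policy is unset, set to an empty or invalid value, an additional 'client-info' value will not be added". Rewording it as `If the policy is unset or set to an empty or invalid value, ...` makes clear that all three cases suppress the attribute, which matters because the value carries device identifiers.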
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DisablePrintPreview.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DisablePrintPreview.yaml
new file mode 100755
index 000000000..70b16f7bf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/DisablePrintPreview.yaml
@@ -0,0 +1,26 @@
+caption: Disable Print Preview
+desc: |-
+ Setting the policy to Enabled has $1Google Chrome open the system print dialog instead of the built-in print preview when users request a printout.
+
+ Setting the policy to Disabled or leaving it unset has print commands trigger the print preview screen.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Disable print preview
+ value: true
+- caption: Enable print preview
+ value: false
+owners:
+- file://printing/OWNERS
+- rbpotter@chomium.org
+- thestig@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:18-
+tags: []
+type: main
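Review bot: The owner address `rbpotter@chomium.org` is missing an `r` in the domain; the neighbouring entry and the other owners in this patch use `chromium.org`. With the misspelling, review or notification mail for this policy would go to a domain the project presumably does not control. Change the line to `- rbpotter@chromium.org`.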
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/ExternalPrintServers.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/ExternalPrintServers.yaml
new file mode 100755
index 000000000..61ebc8359
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/ExternalPrintServers.yaml
@@ -0,0 +1,37 @@
+caption: External print servers
+desc: "Provides configurations of available print servers.\n\n This policy allows\
+ \ you to provide configuration of external print servers to $2Google ChromeOS devices as JSON file.\n\n The size of the\
+ \ file must not exceed 1MB and must contain an array of records (JSON objects).\
+ \ Each record must contain fields \"id\", \"url\" and \"display_name\" with strings\
+ \ as values. Values of \"id\" fields must be unique.\n\n The file is downloaded\
+ \ and cached. The cryptographic hash is used to verify the integrity of the download.\
+ \ The file will be re-downloaded whenever the URL or the hash changes.\n\n \
+ \ When this policy is set to correct value, devices will try to query specified\
+ \ print servers for available printers using IPP protocol.\n\n If this policy\
+ \ is unset or set to incorrect value, none of the provided server printers are visible\
+ \ to users.\n\n Currently, the number of print servers is limited to 16. Only\
+ \ the first 16 print servers from the list will be queried.\n "
+example_value:
+ hash: deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef
+ url: https://example.com/printserverpolicy
+features:
+ dynamic_refresh: true
+ per_profile: true
+max_size: 1048576
+owners:
+- file://chromeos/printing/OWNERS
+- luum@chromium.org
+schema:
+ properties:
+ hash:
+ description: The SHA-256 hash of the file.
+ type: string
+ url:
+ description: URL to a JSON file with a list of print servers.
+ type: string
+ type: object
+supported_on:
+- chrome_os:79-
+tags: []
+type: external
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/ExternalPrintServersAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/ExternalPrintServersAllowlist.yaml
new file mode 100755
index 000000000..252b5703b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/ExternalPrintServersAllowlist.yaml
@@ -0,0 +1,27 @@
+caption: Enabled external print servers
+desc: |-
+ Specifies the subset of print servers that will be queried for server printers.
+
+ If this policy is used, only the server printers with ids matching the values in this policy are available to the user.
+
+ The ids must correspond to the "id" field in the file specified in ExternalPrintServers.
+
+ If this policy is not set, filtering is omitted and all print servers are taken into account.
+example_value:
+- id1
+- id2
+- id3
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://chromeos/printing/OWNERS
+- thestig@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:86-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/NativePrinters.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/NativePrinters.yaml
new file mode 100755
index 000000000..235797920
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/NativePrinters.yaml
@@ -0,0 +1,75 @@
+caption: Native Printing
+deprecated: true
+desc: |-
+ Setting the policy lets administrators set up a list of printers for their users. Printer selection occurs the first time users try to print.
+
+ Using the policy:
+
+ * Customize free-form display_name and description for ease of printer selection.
+
+ * Help users identify printers using manufacturer and model.
+
+ * uri should be an address reachable from a client computer, including the scheme, port, and queue.
+
+ * Optionally provide uuid to help deduplicate zeroconf printers.
+
+ * Either use the model name for effective_model or set autoconf to True. Printers with both or no properties get ignored.
+
+ PPDs are downloaded after the printer is used, and frequently used PPDs are cached. This policy doesn't affect whether users can configure printers on individual devices.
+
+ Note: For Microsoft® Active Directory® managed devices, this policy supports expansion of ${MACHINE_NAME[,pos[,count]]} to the Microsoft® Active Directory® machine name or a substring of it. For example, if the machine name is CHROMEBOOK, then ${MACHINE_NAME,6,4} gets replaced by the 4 characters starting after the 6th position, in other words, BOOK. The position is zero-based.
+
+ This policy is deprecated, please use Printers instead.
+example_value:
+- '{ "display_name": "Color Laser", "description": "The printer next to the water
+ cooler.", "manufacturer": "Printer Manufacturer", "model": "Color Laser 2004", "uri":
+ "ipps://print-server.intranet.example.com:443/ipp/cl2k4", "uuid": "1c395fdb-5d93-4904-b246-b2c046e79d12",
+ "ppd_resource": { "effective_model": "Printer Manufacturer ColorLaser2k4", "autoconf":
+ false } }'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://chromeos/printing/OWNERS
+- skau@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:57-100
+tags: []
+type: list
+validation_schema:
+ items:
+ id: PrinterType
+ properties:
+ description:
+ type: string
+ display_name:
+ type: string
+ manufacturer:
+ type: string
+ model:
+ type: string
+ ppd_resource:
+ id: PpdResource
+ properties:
+ autoconf:
+ description: Boolean flag indicating whether IPP Everywhere should be
+ used to set up the printer. This flag is supported on $2Google
+ ChromeOS version 76 and higher.
+ type: boolean
+ effective_model:
+ description: This field must match one of the strings which represent
+ a $2Google ChromeOS supported
+ printer. The string will be used to identify and install the appropriate
+ PPD for the printer. More information can be found at https://support.google.com/chrome?p=noncloudprint.
+ type: string
+ type: object
+ uri:
+ type: string
+ uuid:
+ type: string
+ type: object
+ type: array
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/NativePrintersBulkAccessMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/NativePrintersBulkAccessMode.yaml
new file mode 100755
index 000000000..35cfaeb8d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/NativePrintersBulkAccessMode.yaml
@@ -0,0 +1,33 @@
+caption: Printer configuration access policy.
+deprecated: true
+desc: This policy is deprecated and unsupported, please use PrintersBulkAccessMode instead.
+example_value: 1
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: All printers are shown except those in the blocklist.
+ name: BlocklistRestriction
+ value: 0
+- caption: Only printers in the allowlist are shown to users
+ name: AllowlistPrintersOnly
+ value: 1
+- caption: Allow all printers from the configuration file.
+ name: AllowAll
+ value: 2
+owners:
+- file://chromeos/printing/OWNERS
+- jimmyxgong@chromium.org
+- skau@chromium.org
+- cros-peripheral@google.com
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:65-100
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/NativePrintersBulkConfiguration.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/NativePrintersBulkConfiguration.yaml
new file mode 100755
index 000000000..dfc19d5dd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/NativePrintersBulkConfiguration.yaml
@@ -0,0 +1,32 @@
+caption: Enterprise printer configuration file
+deprecated: true
+desc: |-
+ Setting this policy configure enterprise printers. Its format matches the NativePrinters dictionary, with an additional required "id" or "guid" field for each printer for allow listing or deny listing. The file size can't exceed 5MB and is in JSON format. A file with about 21,000 printers encodes as a 5MB file. The cryptographic hash helps verify download integrity. The file is downloaded, cached, and redownloaded when the URL or the hash changes. $2Google ChromeOS downloads the file for printer configurations and makes printers available along with NativePrintersBulkAccessMode, NativePrintersBulkWhitelist, and NativePrintersBulkBlacklist.
+
+ This policy has no effect on whether users can configure printers on individual devices. It is intended to be supplementary to the configuration of printers by individual users.
+
+ If you set the policy, users can't change it.
+
+ This policy is deprecated, please use PrintersBulkConfiguration instead.
+example_value:
+ hash: deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef
+ url: https://example.com/printerpolicy
+features:
+ dynamic_refresh: true
+ per_profile: true
+max_size: 5242880
+owners:
+- file://chromeos/printing/OWNERS
+- luum@chromium.org
+- skau@chromium.org
+schema:
+ properties:
+ hash:
+ type: string
+ url:
+ type: string
+ type: object
+supported_on:
+- chrome_os:65-100
+tags: []
+type: external
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/OopPrintDriversAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/OopPrintDriversAllowed.yaml
new file mode 100755
index 000000000..df670d0e6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/OopPrintDriversAllowed.yaml
@@ -0,0 +1,30 @@
+caption: Out-of-process print drivers allowed
+default: true
+desc: |-
+ Controls if $1Google Chrome interacts with printer drivers from a separate service process. Platform printing calls to query available printers, get print driver settings, and submit documents for printing to local printers are made from a service process. Moving such calls out of the browser process helps improve stability and reduce frozen UI behavior in Print Preview.
+
+ When this policy is set to Enabled or not set, $1Google Chrome will use a separate service process for platform printing tasks.
+
+ When this policy is set to Disabled, $1Google Chrome will use the browser process for platform printing tasks.
+
+ This policy will be removed in the future, after the out-of-process print drivers feature has fully rolled out.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+future_on:
+- chrome_os
+items:
+- caption: Platform printing uses service process.
+ value: true
+- caption: Platform printing from browser process.
+ value: false
+owners:
+- awscreen@chromium.org
+- file://printing/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:120-
+tags: []
+type: main
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintHeaderFooter.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintHeaderFooter.yaml
new file mode 100755
index 000000000..5cda26b74
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintHeaderFooter.yaml
@@ -0,0 +1,30 @@
+caption: Print Headers and Footers
+default: null
+desc: |-
+ Setting the policy to Enabled turns headers and footers on in print preview. Setting the policy to Disabled turns them off in print preview.
+
+ If you set the policy, users can't change it. If unset, users decides whether headers and footers appear.
+example_value: false
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Show headers and footers in print preview
+ value: true
+- caption: Hide headers and footers in print preview
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- nicolaso@chromium.org
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:70-
+- chrome.*:70-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintJobHistoryExpirationPeriod.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintJobHistoryExpirationPeriod.yaml
new file mode 100755
index 000000000..cd5ceda7b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintJobHistoryExpirationPeriod.yaml
@@ -0,0 +1,24 @@
+caption: Set the time period in days for storing print jobs metadata
+desc: |-
+ This policy controls how long print jobs metadata is stored on the device, in days.
+
+ When this policy is set to a value of -1, the print jobs metadata is stored indefinitely. When this policy is set to a value of 0, the print jobs metadata is not stored at all. When this policy is set to any other value, it specifies the period of time during which the metadata of completed print jobs is stored on the device.
+
+ If not set, the default period of 90 days is used for $2Google ChromeOS devices.
+
+ The policy value should be specified in days.
+example_value: 90
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ minimum: -1
+ type: integer
+supported_on:
+- chrome_os:79-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPdfAsImageAvailability.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPdfAsImageAvailability.yaml
new file mode 100755
index 000000000..379db6b89
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPdfAsImageAvailability.yaml
@@ -0,0 +1,30 @@
+caption: Print PDF as Image Available
+default: false
+desc: |-
+ Controls how $1Google Chrome makes the Print as image option available on Microsoft® Windows® and macOS when printing PDFs.
+
+ When printing a PDF on Microsoft® Windows® or macOS, sometimes print jobs need to be rasterized to an image for certain printers to get correct looking output.
+
+ When this policy is set to Enabled, $1Google Chrome will make the Print as image option available in the Print Preview when printing a PDF.
+
+ When this policy is set to Disabled or not set $1Google Chrome the Print as image option will not be available to users in Print Preview and PDFs will be printed as usual without being rasterized to an image before being sent to the destination.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Print as image option available to user to allow PDF rasterization prior
+ to sending print job to destination.
+ value: true
+- caption: Print as image option not available for user selection.
+ value: false
+owners:
+- awscreen@chromium.org
+- file://printing/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.win:94-
+- chrome.mac:94-
+tags: []
+type: main
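Review bot: The last desc paragraph is garbled: "When this policy is set to Disabled or not set $1Google Chrome the Print as image option will not be available" leaves the product placeholder without a verb. Suggested wording: `When this policy is set to Disabled or not set, the Print as image option will not be available to users in Print Preview and PDFs will be printed as usual ...`. PrintPdfAsImageDefault.yaml has the same slip in "or not set $1Google Chrome then the user selection for Print as image option will be initially unset".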
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPdfAsImageDefault.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPdfAsImageDefault.yaml
new file mode 100755
index 000000000..999089712
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPdfAsImageDefault.yaml
@@ -0,0 +1,33 @@
+caption: Print PDF as Image Default
+default: false
+desc: |-
+ Controls if $1Google Chrome makes the Print as image option default to set when printing PDFs.
+
+ When this policy is set to Enabled, $1Google Chrome will default to setting the Print as image option in the Print Preview when printing a PDF.
+
+ When this policy is set to Disabled or not set $1Google Chrome then the user selection for Print as image option will be initially unset. The user will be allowed to select it for each individual PDFs print job, if the option is available.
+
+ For Microsoft® Windows® or macOS this policy only has an effect if PrintPdfAsImageAvailability is also enabled.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Print as image option defaults to set for print previews of PDF documents
+ when it is available.
+ value: true
+- caption: Print as image option defaults to unset for print previews of PDF documents
+ when it is available.
+ value: false
+owners:
+- awscreen@chromium.org
+- file://printing/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:95-
+- chrome_os:95-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPostScriptMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPostScriptMode.yaml
new file mode 100755
index 000000000..6f1317454
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPostScriptMode.yaml
@@ -0,0 +1,35 @@
+caption: Print PostScript Mode
+default: 0
+desc: |-
+ Controls how $1Google Chrome prints on Microsoft® Windows®.
+
+ When printing to a PostScript printer on Microsoft® Windows® different PostScript generation methods can affect printing performance.
+
+ When this policy is set to Default, $1Google Chrome will use a set of default options when generating PostScript. For text in particular, text will always be rendered using Type 3 fonts.
+
+ When this policy is set to Type42, $1Google Chrome will render text using Type 42 fonts if possible. This should increase printing speed for some PostScript printers.
+
+ When this policy is not set, $1Google Chrome will be in Default mode.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Default
+ name: Default
+ value: 0
+- caption: Type42
+ name: Type42
+ value: 1
+owners:
+- thestig@chromium.org
+- file://printing/OWNERS
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+supported_on:
+- chrome.win:95-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPreviewUseSystemDefaultPrinter.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPreviewUseSystemDefaultPrinter.yaml
new file mode 100755
index 000000000..0b8bd0f16
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintPreviewUseSystemDefaultPrinter.yaml
@@ -0,0 +1,28 @@
+caption: Use System Default Printer as Default
+default: false
+desc: |-
+ Setting the policy to Enabled means $1Google Chrome uses the OS default printer as the default destination for print preview.
+
+ Setting the policy to Disabled or leaving it unset means $1Google Chrome uses the most recently used printer as the default destination for print preview.
+example_value: false
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Use the system default printer as the default choice in Print Preview
+ value: true
+- caption: Use the most recently used printer as the default choice in Print Preview
+ value: false
+owners:
+- file://printing/OWNERS
+- thestig@chromium.org
+- rbpotter@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:61-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintRasterizationMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintRasterizationMode.yaml
new file mode 100755
index 000000000..ad63efdbb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintRasterizationMode.yaml
@@ -0,0 +1,35 @@
+caption: Print Rasterization Mode
+default: 0
+desc: |-
+ Controls how $1Google Chrome prints on Microsoft® Windows®.
+
+ When printing to a non-PostScript printer on Microsoft® Windows®, sometimes print jobs need to be rasterized to print correctly.
+
+ When this policy is set to Full, $1Google Chrome will do full page rasterization if necessary.
+
+ When this policy is set to Fast, $1Google Chrome will avoid rasterization if possible, reducing the amount of rasterization can help reduce print job sizes and increase printing speed.
+
+ When this policy is not set, $1Google Chrome will be in Full mode.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Full
+ name: Full
+ value: 0
+- caption: Fast
+ name: Fast
+ value: 1
+owners:
+- thestig@chromium.org
+- file://printing/OWNERS
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+supported_on:
+- chrome.win:84-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintRasterizePdfDpi.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintRasterizePdfDpi.yaml
new file mode 100755
index 000000000..9464c25fe
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintRasterizePdfDpi.yaml
@@ -0,0 +1,27 @@
+caption: Print Rasterize PDF DPI
+default: 0
+desc: |-
+ Controls print image resolution when $1Google Chrome prints PDFs with rasterization.
+
+ When printing a PDF using the Print to image option, it can be beneficial to specify a print resolution other than a device's printer setting or the PDF default. A high resolution will significantly increase the processing and printing time while a low resolution can lead to poor imaging quality.
+
+ This policy allows a particular resolution to be specified for use when rasterizing PDFs for printing.
+
+ If this policy is set to zero or not set at all then the system default resolution will be used during rasterization of page images.
+example_value: 300
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- awscreen@chromium.org
+- file://printing/OWNERS
+schema:
+ minimum: 0
+ type: integer
+supported_on:
+- chrome.*:94-
+- chrome_os:94-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrinterTypeDenyList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrinterTypeDenyList.yaml
new file mode 100755
index 000000000..8d5ff86d7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrinterTypeDenyList.yaml
@@ -0,0 +1,61 @@
+caption: Disable printer types on the deny list
+desc: |-
+ The printers of types placed on the deny list will be disabled from being discovered or having their capabilities fetched.
+
+ Placing all printer types on the deny list effectively disables printing, as there would be no available destinations to send a document for printing.
+
+ In versions before 102, including cloud on the deny list has the same effect as setting the CloudPrintSubmitEnabled policy to false. In order to keep Google Cloud Print destinations discoverable, the CloudPrintSubmitEnabled policy must be set to true and cloud must not be on the deny list. Beginning in version 102, Google Cloud Print destinations are not supported and will not appear regardless of policy values.
+
+ If the policy is not set, or is set to an empty list, all printer types will be available for discovery.
+
+ Extension printers are also known as print provider destinations, and include any destination that belongs to a $1Google Chrome extension.
+
+ Local printers are also known as native printing destinations, and include destinations available to the local machine and shared network printers.
+example_value:
+- local
+- pdf
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Zeroconf-based (mDNS + DNS-SD) protocol destinations (Deprecated)
+ name: privet
+ supported_on:
+ - chrome_os:80-101
+ - chrome.*:80-101
+ value: privet
+- caption: Extension-based destinations
+ name: extension
+ value: extension
+- caption: The 'Save as PDF' destination, as well as the 'Save to Google Drive' destination on $2Google ChromeOS devices
+ name: pdf
+ value: pdf
+- caption: Local printer destinations
+ name: local
+ value: local
+- caption: Google Cloud Print (Deprecated)
+ name: cloud
+ supported_on:
+ - chrome_os:80-101
+ - chrome.*:80-101
+ value: cloud
+owners:
+- file://printing/OWNERS
+- weili@chromium.org
+schema:
+ items:
+ enum:
+ - privet
+ - extension
+ - pdf
+ - local
+ - cloud
+ type: string
+ type: array
+supported_on:
+- chrome_os:80-
+- chrome.*:80-
+tags: []
+type: string-enum-list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/Printers.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/Printers.yaml
new file mode 100755
index 000000000..22e074e51
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/Printers.yaml
@@ -0,0 +1,71 @@
+caption: Configures a list of printers
+desc: |-
+ Setting the policy lets administrators set up a list of printers for their users. Printer selection occurs the first time users try to print.
+
+ Using the policy:
+
+ * Customize free-form display_name and description for ease of printer selection.
+
+ * Help users identify printers using manufacturer and model.
+
+ * uri should be an address reachable from a client computer, including the scheme, port, and queue.
+
+ * Optionally provide uuid to help deduplicate zeroconf printers.
+
+ * Either use the model name for effective_model or set autoconf to True. Printers with both or no properties get ignored.
+
+ PPDs are downloaded after the printer is used, and frequently used PPDs are cached. This policy doesn't affect whether users can configure printers on individual devices.
+
+ Note: For Microsoft® Active Directory® managed devices, this policy supports expansion of ${MACHINE_NAME[,pos[,count]]} to the Microsoft® Active Directory® machine name or a substring of it. For example, if the machine name is CHROMEBOOK, then ${MACHINE_NAME,6,4} gets replaced by the 4 characters starting after the 6th position, in other words, BOOK. The position is zero-based.
+example_value:
+- '{ "display_name": "Color Laser", "description": "The printer next to the water
+ cooler.", "manufacturer": "Printer Manufacturer", "model": "Color Laser 2004", "uri":
+ "ipps://print-server.intranet.example.com:443/ipp/cl2k4", "uuid": "1c395fdb-5d93-4904-b246-b2c046e79d12",
+ "ppd_resource": { "effective_model": "Printer Manufacturer ColorLaser2k4", "autoconf":
+ false } }'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://chromeos/printing/OWNERS
+- skau@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:86-
+tags: []
+type: list
+validation_schema:
+ items:
+ id: PrinterTypeInclusive
+ properties:
+ description:
+ type: string
+ display_name:
+ type: string
+ manufacturer:
+ type: string
+ model:
+ type: string
+ ppd_resource:
+ id: PpdResourceInclusive
+ properties:
+ autoconf:
+ description: Boolean flag indicating whether IPP Everywhere should be
+ used to set up the printer.
+ type: boolean
+ effective_model:
+ description: This field must match one of the strings which represent
+ a $2Google ChromeOS supported
+ printer. The string will be used to identify and install the appropriate
+ PPD for the printer. More information can be found at https://support.google.com/chrome?p=noncloudprint.
+ type: string
+ type: object
+ uri:
+ type: string
+ uuid:
+ type: string
+ type: object
+ type: array
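Review bot: The `uri` bullet in `desc` asks only for scheme, port and queue and gives no guidance on transport, although the example uses `ipps://`. Print jobs often carry sensitive documents, so I would add a sentence such as `Prefer ipps:// or https:// URIs so that print jobs are encrypted in transit.` The rule `Printers with both or no properties get ignored` for `ppd_resource` exists only in prose, and `validation_schema` marks nothing as required. As far as this file shows, a malformed entry is dropped silently, so the description should say where an administrator can see that an entry was ignored.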
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkAccessMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkAccessMode.yaml
new file mode 100755
index 000000000..10d050f07
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkAccessMode.yaml
@@ -0,0 +1,41 @@
+caption: Printer configuration access policy.
+desc: |-
+ Setting the policy designates which access policy applies to bulk printer configuration, controlling which printers from PrintersBulkConfiguration are available for users.
+
+ * BlocklistRestriction (value 0) uses PrintersBulkBlocklist to restrict access to the specified printers
+
+ * AllowlistPrintersOnly (value 1) uses PrintersBulkAllowlist to designate only those printers which are selectable
+
+ * AllowAll (value 2) displays all printers
+
+ Leaving the policy unset puts AllowAll in use.
+example_value: 1
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: All printers are shown except those in the blocklist.
+ name: BlocklistRestriction
+ value: 0
+- caption: Only printers in the allowlist are shown to users
+ name: AllowlistPrintersOnly
+ value: 1
+- caption: Allow all printers from the configuration file.
+ name: AllowAll
+ value: 2
+owners:
+- file://chromeos/printing/OWNERS
+- jimmyxgong@chromium.org
+- thestig@chromium.org
+- cros-peripheral@google.com
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:86-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkAllowlist.yaml
new file mode 100755
index 000000000..0780f220f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkAllowlist.yaml
@@ -0,0 +1,25 @@
+caption: Enabled enterprise printers
+desc: If AllowlistPrintersOnly is chosen for PrintersBulkAccessMode, then setting
+ PRINTERS_BULK_ALLOWLIST specifies
+ which printers users can use. Only the printers with IDs matching the values in
+ this policy are available to the user. The IDs must correspond to the "id"
+ or "guid" fields in the file specified in PrintersBulkConfiguration.
+example_value:
+- id1
+- id2
+- id3
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://chromeos/printing/OWNERS
+- thestig@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:86-
+tags: []
+type: list
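Review bot: The `desc` names the policy as `PRINTERS_BULK_ALLOWLIST`, while the sibling PrintersBulkBlocklist.yaml uses the policy name `PrintersBulkBlocklist` in the same sentence. An administrator searching for the setting by the name in the text will not find it. I would change it to `PrintersBulkAllowlist` so both access-control lists are documented the same way.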
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkBlocklist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkBlocklist.yaml
new file mode 100755
index 000000000..cbb11672a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkBlocklist.yaml
@@ -0,0 +1,25 @@
+caption: Disabled enterprise printers
+desc: If BlocklistRestriction is chosen for PrintersBulkAccessMode, then setting
+ PrintersBulkBlocklist specifies
+ which printers users can't use. All printers are provided to the user, except for
+ the IDs listed in this policy. The IDs must correspond to the "id"
+ or "guid" fields in the file specified in PrintersBulkConfiguration.
+example_value:
+- id1
+- id2
+- id3
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://chromeos/printing/OWNERS
+- thestig@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:86-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkConfiguration.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkConfiguration.yaml
new file mode 100755
index 000000000..f7706c794
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintersBulkConfiguration.yaml
@@ -0,0 +1,28 @@
+caption: Enterprise printer configuration file
+desc: |-
+ Setting this policy configure enterprise printers. Its format matches the Printers dictionary, with an additional required "id" or "guid" field for each printer for allow listing or deny listing. The file size can't exceed 5MB and is in JSON format. A file with about 21,000 printers encodes as a 5MB file. The cryptographic hash helps verify download integrity. The file is downloaded, cached, and redownloaded when the URL or the hash changes. $2Google ChromeOS downloads the file for printer configurations and makes printers available along with PrintersBulkAccessMode, PrintersBulkAllowlist, and PrintersBulkBlocklist.
+
+ This policy has no effect on whether users can configure printers on individual devices. It is intended to be supplementary to the configuration of printers by individual users.
+
+ If you set the policy, users can't change it.
+example_value:
+ hash: deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef
+ url: https://example.com/printerpolicy
+features:
+ dynamic_refresh: true
+ per_profile: true
+max_size: 5242880
+owners:
+- file://chromeos/printing/OWNERS
+- luum@chromium.org
+schema:
+ properties:
+ hash:
+ type: string
+ url:
+ type: string
+ type: object
+supported_on:
+- chrome_os:86-
+tags: []
+type: external
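Review bot: The `example_value` hash is 52 hex characters and has `deaf` where the repeated pattern has `deadbeef`, so it matches no common digest length and cannot serve as a template. The `desc` also never names the hash algorithm or encoding, even though it relies on the hash to "verify download integrity". I would state the algorithm and encoding in `desc` (presumably a hex SHA-256 digest, to be confirmed against the loader) and replace the example with a well-formed placeholder of that length. The `schema` accepts any string for `url` and `hash`; whether a non-HTTPS URL or an empty hash is rejected elsewhere is not visible here, so the description should say what happens in those cases.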
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAPIExtensionsAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAPIExtensionsAllowlist.yaml
new file mode 100755
index 000000000..c72e12b0a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAPIExtensionsAllowlist.yaml
@@ -0,0 +1,23 @@
+caption: Extensions allowed to skip confirmation dialog when sending print jobs via
+ chrome.printing API
+desc: |-
+ This policy specifies the allowed extensions to skip print job confirmation dialog when they use the Printing API function chrome.printing.submitJob() for sending a print job.
+
+ If an extension is not in the list, or the list is not set, the print job confirmation dialog will be shown to the user for every chrome.printing.submitJob() function call.
+example_value:
+- abcdefghabcdefghabcdefghabcdefgh
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:87-
+tags: []
+type: list
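Review bot: The `desc` does not spell out the security-relevant consequence of this list, which is that a listed extension can send print jobs through `chrome.printing.submitJob()` with no prompt shown to the user. I would add a sentence such as `Only list extensions that are trusted and centrally managed, because they can submit print jobs without user confirmation.` The `schema` takes any string per item; if the extension ID format is validated elsewhere, that is not visible in this hunk, so naming the expected format in `desc` would help catch typos that silently leave the dialog in place.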
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedBackgroundGraphicsModes.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedBackgroundGraphicsModes.yaml
new file mode 100755
index 000000000..0883b7137
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedBackgroundGraphicsModes.yaml
@@ -0,0 +1,34 @@
+caption: Restrict background graphics printing mode
+desc: Restricts background graphics printing mode. Unset policy is treated as no restriction.
+example_value: enabled
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow printing both with and without background graphics
+ name: any
+ value: any
+- caption: Allow printing only with background graphics
+ name: enabled
+ value: enabled
+- caption: Allow printing only without background graphics
+ name: disabled
+ value: disabled
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ enum:
+ - any
+ - enabled
+ - disabled
+ type: string
+supported_on:
+- chrome_os:79-
+- chrome.*:80-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedColorModes.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedColorModes.yaml
new file mode 100755
index 000000000..1d4cfaccf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedColorModes.yaml
@@ -0,0 +1,32 @@
+caption: Restrict printing color mode
+desc: Setting the policy sets printing to color only, monochrome only, or no color
+ mode restriction. Leaving the policy unset results in no restriction.
+example_value: monochrome
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow all color modes
+ name: any
+ value: any
+- caption: Color printing only
+ name: color
+ value: color
+- caption: Monochrome printing only
+ name: monochrome
+ value: monochrome
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ enum:
+ - any
+ - color
+ - monochrome
+ type: string
+supported_on:
+- chrome_os:71-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedDuplexModes.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedDuplexModes.yaml
new file mode 100755
index 000000000..4d8f847db
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedDuplexModes.yaml
@@ -0,0 +1,34 @@
+caption: Restrict printing duplex mode
+desc: |-
+ Setting the policy restricts printing duplex mode.
+
+ Leaving the policy unset or empty results in no restriction.
+example_value: duplex
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow all duplex modes
+ name: any
+ value: any
+- caption: Simplex printing only
+ name: simplex
+ value: simplex
+- caption: Duplex printing only
+ name: duplex
+ value: duplex
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ enum:
+ - any
+ - simplex
+ - duplex
+ type: string
+supported_on:
+- chrome_os:71-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedPinModes.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedPinModes.yaml
new file mode 100755
index 000000000..1ac4fb7bd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingAllowedPinModes.yaml
@@ -0,0 +1,33 @@
+caption: Restrict PIN printing mode
+desc: Restricts PIN printing mode. Unset policy is treated as no restriction. If the
+ mode is unavailable this policy is ignored. Note that PIN printing feature is enabled
+ only for printers that use one of IPPS, HTTPS, USB or IPP-over-USB protocols.
+example_value: pin
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow printing both with and without PIN
+ name: any
+ value: any
+- caption: Allow printing only with PIN
+ name: pin
+ value: pin
+- caption: Allow printing only without PIN
+ name: no_pin
+ value: no_pin
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ enum:
+ - any
+ - pin
+ - no_pin
+ type: string
+supported_on:
+- chrome_os:75-
+tags: []
+type: string-enum
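Review bot: `If the mode is unavailable this policy is ignored` leaves open what happens when the policy is `pin` and the selected printer does not support PIN printing. As written, it reads as if the job is then released without a PIN. An administrator who sets `pin` as an enforcement control needs this stated, for example `When set to pin and the printer does not support PIN printing, the job is printed without a PIN.`, or the opposite if printing is blocked. The same sentence limits the feature to IPPS, HTTPS, USB and IPP-over-USB, so it is worth saying that printers reached over other protocols fall outside the restriction.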
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingBackgroundGraphicsDefault.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingBackgroundGraphicsDefault.yaml
new file mode 100755
index 000000000..bd96e4d16
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingBackgroundGraphicsDefault.yaml
@@ -0,0 +1,30 @@
+caption: Default background graphics printing mode
+desc: Overrides default background graphics printing mode.
+example_value: enabled
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable background graphics printing mode by default
+ name: enabled
+ value: enabled
+- caption: Disable background graphics printing mode by default
+ name: disabled
+ value: disabled
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ enum:
+ - enabled
+ - disabled
+ type: string
+supported_on:
+- chrome_os:79-
+- chrome.*:80-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingColorDefault.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingColorDefault.yaml
new file mode 100755
index 000000000..2917fe4a4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingColorDefault.yaml
@@ -0,0 +1,28 @@
+caption: Default printing color mode
+desc: Setting the policy overrides the default printing color mode. If the mode is
+ unavailable, this policy is ignored.
+example_value: monochrome
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable color printing
+ name: color
+ value: color
+- caption: Enable monochrome printing
+ name: monochrome
+ value: monochrome
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ enum:
+ - color
+ - monochrome
+ type: string
+supported_on:
+- chrome_os:72-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingDuplexDefault.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingDuplexDefault.yaml
new file mode 100755
index 000000000..a85cfb24d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingDuplexDefault.yaml
@@ -0,0 +1,32 @@
+caption: Default printing duplex mode
+desc: Setting the policy overrides the default printing duplex mode. If the mode is
+ unavailable, this policy is ignored.
+example_value: long-edge
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable simplex printing
+ name: simplex
+ value: simplex
+- caption: Enable short edge duplex printing
+ name: short-edge
+ value: short-edge
+- caption: Enable long edge duplex printing
+ name: long-edge
+ value: long-edge
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ enum:
+ - simplex
+ - short-edge
+ - long-edge
+ type: string
+supported_on:
+- chrome_os:72-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingEnabled.yaml
new file mode 100755
index 000000000..41c80ffbc
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingEnabled.yaml
@@ -0,0 +1,30 @@
+arc_support: This policy has no effect on Android apps.
+caption: Enable printing
+desc: |-
+ Setting the policy to Enabled or leaving it unset lets users print in $1Google Chrome, and users can't change this setting.
+
+ Setting the policy to Disabled means users can't print from $1Google Chrome. Printing is off in the three dots menu, extensions, and JavaScript applications.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable printing
+ value: true
+- caption: Disable printing
+ value: false
+owners:
+- file://printing/OWNERS
+- thestig@chromium.org
+- rbpotter@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:39-
+- ios:88-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingLPACSandboxEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingLPACSandboxEnabled.yaml
new file mode 100755
index 000000000..0a083f7b9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingLPACSandboxEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Enable Printing LPAC Sandbox
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset enables the LPAC Sandbox for printing services whenever the system configuration supports it.
+
+ Setting the policy to Disabled has a detrimental effect on $1Google Chrome's security as services used for printing might run in a weaker sandbox configuration.
+
+ Only turn off the policy if there are compatibility issues with third party software that prevent printing services from operating correctly inside the LPAC Sandbox.
+example_value: false
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Enable LPAC Sandbox for printing services
+ value: true
+- caption: Disable LPAC Sandbox for printing services
+ value: false
+owners:
+- awscreen@chromium.org
+- wfh@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:128-
+tags:
+- system-security
+type: main
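Review bot: `example_value: false` shows the very setting the `desc` says has a detrimental effect on security, so an administrator who copies the example into a template turns the LPAC sandbox off for printing services. I would say in `desc` that `false` is a compatibility fallback only and that the recommended state is Enabled or unset. With `dynamic_refresh: false`, the change presumably applies only after a browser restart (inferred from the flag, not stated); if so, add `Changes to this policy take effect after the browser is restarted.` so that re-enabling the sandbox is not assumed to be immediate.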
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingMaxSheetsAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingMaxSheetsAllowed.yaml
new file mode 100755
index 000000000..a8910339d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingMaxSheetsAllowed.yaml
@@ -0,0 +1,20 @@
+caption: Maximal number of sheets allowed to use for a single print job
+desc: |-
+ Specifies the maximal number of sheets user is allowed to print for a single print job.
+
+ If not set, no limitations are applied and user can print any documents.
+example_value: 10
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ minimum: 1
+ type: integer
+supported_on:
+- chrome_os:84-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingPaperSizeDefault.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingPaperSizeDefault.yaml
new file mode 100755
index 000000000..2c440bfda
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingPaperSizeDefault.yaml
@@ -0,0 +1,182 @@
+caption: Default printing page size
+desc: |-
+ Overrides default printing page size.
+
+ name should contain one of the listed formats or 'custom' if required paper size is not in the list. If 'custom' value is provided custom_size property should be specified. It describes the desired height and width in micrometers. Otherwise custom_size property shouldn't be specified. Policy that violates these rules is ignored.
+
+ If the page size is unavailable on the printer chosen by the user this policy is ignored.
+example_value:
+ custom_size:
+ height: 297000
+ width: 210000
+ name: custom
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ properties:
+ custom_size:
+ properties:
+ height:
+ description: Height of the page in micrometers
+ type: integer
+ width:
+ description: Width of the page in micrometers
+ type: integer
+ required:
+ - width
+ - height
+ type: object
+ name:
+ enum:
+ - custom
+ - asme_f_28x40in
+ - iso_2a0_1189x1682mm
+ - iso_a0_841x1189mm
+ - iso_a10_26x37mm
+ - iso_a1_594x841mm
+ - iso_a2_420x594mm
+ - iso_a3_297x420mm
+ - iso_a4-extra_235.5x322.3mm
+ - iso_a4-tab_225x297mm
+ - iso_a4_210x297mm
+ - iso_a5-extra_174x235mm
+ - iso_a5_148x210mm
+ - iso_a6_105x148mm
+ - iso_a7_74x105mm
+ - iso_a8_52x74mm
+ - iso_a9_37x52mm
+ - iso_b0_1000x1414mm
+ - iso_b10_31x44mm
+ - iso_b1_707x1000mm
+ - iso_b2_500x707mm
+ - iso_b3_353x500mm
+ - iso_b4_250x353mm
+ - iso_b5-extra_201x276mm
+ - iso_b5_176x250mm
+ - iso_b6_125x176mm
+ - iso_b6c4_125x324mm
+ - iso_b7_88x125mm
+ - iso_b8_62x88mm
+ - iso_b9_44x62mm
+ - iso_c0_917x1297mm
+ - iso_c10_28x40mm
+ - iso_c1_648x917mm
+ - iso_c2_458x648mm
+ - iso_c3_324x458mm
+ - iso_c4_229x324mm
+ - iso_c5_162x229mm
+ - iso_c6_114x162mm
+ - iso_c6c5_114x229mm
+ - iso_c7_81x114mm
+ - iso_c7c6_81x162mm
+ - iso_c8_57x81mm
+ - iso_c9_40x57mm
+ - iso_dl_110x220mm
+ - jis_exec_216x330mm
+ - jpn_chou2_111.1x146mm
+ - jpn_chou3_120x235mm
+ - jpn_chou4_90x205mm
+ - jpn_hagaki_100x148mm
+ - jpn_kahu_240x322.1mm
+ - jpn_kaku2_240x332mm
+ - jpn_oufuku_148x200mm
+ - jpn_you4_105x235mm
+ - na_10x11_10x11in
+ - na_10x13_10x13in
+ - na_10x14_10x14in
+ - na_10x15_10x15in
+ - na_11x12_11x12in
+ - na_11x15_11x15in
+ - na_12x19_12x19in
+ - na_5x7_5x7in
+ - na_6x9_6x9in
+ - na_7x9_7x9in
+ - na_9x11_9x11in
+ - na_a2_4.375x5.75in
+ - na_arch-a_9x12in
+ - na_arch-b_12x18in
+ - na_arch-c_18x24in
+ - na_arch-d_24x36in
+ - na_arch-e_36x48in
+ - na_b-plus_12x19.17in
+ - na_c5_6.5x9.5in
+ - na_c_17x22in
+ - na_d_22x34in
+ - na_e_34x44in
+ - na_edp_11x14in
+ - na_eur-edp_12x14in
+ - na_f_44x68in
+ - na_fanfold-eur_8.5x12in
+ - na_fanfold-us_11x14.875in
+ - na_foolscap_8.5x13in
+ - na_govt-legal_8x13in
+ - na_govt-letter_8x10in
+ - na_index-3x5_3x5in
+ - na_index-4x6-ext_6x8in
+ - na_index-4x6_4x6in
+ - na_index-5x8_5x8in
+ - na_invoice_5.5x8.5in
+ - na_ledger_11x17in
+ - na_legal-extra_9.5x15in
+ - na_legal_8.5x14in
+ - na_letter-extra_9.5x12in
+ - na_letter-plus_8.5x12.69in
+ - na_letter_8.5x11in
+ - na_number-10_4.125x9.5in
+ - na_number-11_4.5x10.375in
+ - na_number-12_4.75x11in
+ - na_number-14_5x11.5in
+ - na_personal_3.625x6.5in
+ - na_super-a_8.94x14in
+ - na_super-b_13x19in
+ - na_wide-format_30x42in
+ - om_dai-pa-kai_275x395mm
+ - om_folio-sp_215x315mm
+ - om_invite_220x220mm
+ - om_italian_110x230mm
+ - om_juuro-ku-kai_198x275mm
+ - om_large-photo_200x300
+ - om_pa-kai_267x389mm
+ - om_postfix_114x229mm
+ - om_small-photo_100x150mm
+ - prc_10_324x458mm
+ - prc_16k_146x215mm
+ - prc_1_102x165mm
+ - prc_2_102x176mm
+ - prc_32k_97x151mm
+ - prc_3_125x176mm
+ - prc_4_110x208mm
+ - prc_5_110x220mm
+ - prc_6_120x320mm
+ - prc_7_160x230mm
+ - prc_8_120x309mm
+ - roc_16k_7.75x10.75in
+ - roc_8k_10.75x15.5in
+ - jis_b0_1030x1456mm
+ - jis_b1_728x1030mm
+ - jis_b2_515x728mm
+ - jis_b3_364x515mm
+ - jis_b4_257x364mm
+ - jis_b5_182x257mm
+ - jis_b6_128x182mm
+ - jis_b7_91x128mm
+ - jis_b8_64x91mm
+ - jis_b9_45x64mm
+ - jis_b10_32x45mm
+ type: string
+ required:
+ - name
+ type: object
+supported_on:
+- chrome.*:84-
+- chrome_os:84-
+tags: []
+type: dict
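Review bot: The `custom_size` schema accepts any integer for `height` and `width`, so zero or negative micrometer values pass schema validation. PrintingMaxSheetsAllowed, added just above, bounds its integer with `minimum: 1`; the same `minimum: 1` under both `height` and `width` would reject such values at the policy layer. The description says a policy that breaks the name/custom_size rules is ignored, but whether the consuming code also range-checks the dimensions is not visible in this hunk.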
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingPinDefault.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingPinDefault.yaml
new file mode 100755
index 000000000..9ff0b577f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingPinDefault.yaml
@@ -0,0 +1,28 @@
+caption: Default PIN printing mode
+desc: Overrides default PIN printing mode. If the mode is unavailable this policy
+ is ignored.
+example_value: pin
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable PIN printing by default
+ name: pin
+ value: pin
+- caption: Disable PIN printing by default
+ name: no_pin
+ value: no_pin
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ enum:
+ - pin
+ - no_pin
+ type: string
+supported_on:
+- chrome_os:75-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingSendUsernameAndFilenameEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingSendUsernameAndFilenameEnabled.yaml
new file mode 100755
index 000000000..31c2c1a2a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/PrintingSendUsernameAndFilenameEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Send username and filename to native printers
+desc: |-
+ Send username and filename to native printers server with every print job. The default is not to send.
+
+ Setting this policy to true also disables printers that use protocols other than IPPS, USB, or IPP-over-USB since username and filename shouldn't be sent over the network openly.
+example_value: true
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable sending username and filename to native printers
+ value: true
+- caption: Disable sending username and filename to native printers
+ value: false
+owners:
+- ust@google.com
+- chromeos-commercial-printing@google.com
+- pawliczek@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:72-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/UserNativePrintersAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/UserNativePrintersAllowed.yaml
new file mode 100755
index 000000000..594a3a951
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/UserNativePrintersAllowed.yaml
@@ -0,0 +1,22 @@
+caption: Allow access to native CUPS printers
+deprecated: true
+desc: "Allows you to control if users can access non-enterprise printers\n\n \
+ \ If the policy is set to True, or not set at all, users will be able to add, configure,\
+ \ and print using their own native printers.\n\n If the policy is set to False,\
+ \ users will not be able to add and configure their own native printers. They will\
+ \ also not be able to print using any previously configured native printers.\n\n\
+ \ This policy is deprecated, please use UserPrintersAllowed instead.\n "
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- valleau@chromium.org
+- skau@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:67-100
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/UserPrintersAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/UserPrintersAllowed.yaml
new file mode 100755
index 000000000..236a8fda4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Printing/UserPrintersAllowed.yaml
@@ -0,0 +1,24 @@
+caption: Allow access to CUPS printers
+desc: "Allows you to control if users can access non-enterprise printers\n\n \
+ \ If the policy is set to True, or not set at all, users will be able to add, configure,\
+ \ and print using their own printers.\n\n If the policy is set to False, users\
+ \ will not be able to add and configure their own printers. They will also not be\
+ \ able to print using any previously configured printers.\n "
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow users to add, configure, and print from non-enterprise printers
+ value: true
+- caption: Do not allow users to add, configure, and print from non-enterprise printers
+ value: false
+owners:
+- valleau@chromium.org
+- skau@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:86-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/.group.details.yaml
new file mode 100755
index 000000000..b1af9dfcc
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Privacy Sandbox policies
+desc: A group of policies related to Privacy Sandbox. See https://privacysandbox.com for details about $1Google Chrome effort to deprecate third-party cookies.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxAdMeasurementEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxAdMeasurementEnabled.yaml
new file mode 100755
index 000000000..6ed005422
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxAdMeasurementEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Choose whether the Privacy Sandbox ad measurement setting can be disabled
+default: true
+desc: |-
+ A policy to control whether the Privacy Sandbox Ad measurement setting can be disabled for your users.
+
+ If you set this policy to Disabled, then the Ad measurement setting will be turned off for your users.
+ If you set this policy to Enabled or keep it unset, your users will be able to turn on or off the Privacy Sandbox Ad measurement setting on their device.
+
+ Setting this policy requires setting the PrivacySandboxPromptEnabled policy to Disabled.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+ - fuchsia
+items:
+- caption: Allow users to turn on or off the Privacy Sandbox Ad measurement setting on their device.
+ value: true
+- caption: Disable Privacy Sandbox Ad measurement setting for your users.
+ value: false
+owners:
+- roagarwal@chromium.org
+- file://components/privacy_sandbox/OWNERS
+schema:
+ type: boolean
+supported_on:
+ - chrome.*:111-
+ - chrome_os:111-
+ - android:111-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxAdTopicsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxAdTopicsEnabled.yaml
new file mode 100755
index 000000000..af33b3921
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxAdTopicsEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Choose whether the Privacy Sandbox Ad topics setting can be disabled
+default: true
+desc: |-
+ A policy to control whether the Privacy Sandbox Ad topics setting can be disabled for your users.
+
+ If you set this policy to Disabled, then the Ad topics setting will be turned off for your users.
+ If you set this policy to Enabled or keep it unset, your users will be able to turn on or off the Privacy Sandbox Ad topics setting on their device.
+
+ Setting this policy requires setting the PrivacySandboxPromptEnabled policy to Disabled.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+ - fuchsia
+items:
+- caption: Allow users to to turn on or off the Privacy Sandbox Ad topics setting on their device.
+ value: true
+- caption: Disable Privacy Sandbox Ad topics setting for your users.
+ value: false
+owners:
+- roagarwal@chromium.org
+- file://components/privacy_sandbox/OWNERS
+schema:
+ type: boolean
+supported_on:
+ - chrome.*:111-
+ - chrome_os:111-
+ - android:111-
+tags: []
+type: main
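Review bot: The first `items` caption contains a doubled word, "Allow users to to turn on or off", and this string is shown to administrators. It should read `Allow users to turn on or off the Privacy Sandbox Ad topics setting on their device.`, matching the wording in the sibling PrivacySandboxAdMeasurementEnabled.yaml and PrivacySandboxSiteEnabledAdsEnabled.yaml.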
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxFingerprintingProtectionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxFingerprintingProtectionEnabled.yaml
new file mode 100755
index 000000000..93a0fe252
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxFingerprintingProtectionEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Choose whether the Privacy Sandbox Fingerprinting Protection feature is to be enabled.
+default: null
+desc: |-
+ A policy to control whether the Privacy Sandbox Fingerprinting Protection setting is to be enabled or disabled for your users.
+
+ If you set this policy to Disabled, then the Fingerprinting Protection feature setting will be turned off for your users.
+ If you set this policy to Enabled, your users will have the Fingerprinting Protection feature setting turned on.
+ If the policy is not set, users will be able to turn on or off the Fingerprinting Protection feature in their UI settings. The default state will be false or disabled, meaning the Fingerprinting Protection feature will be turned off.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+ - chrome.*
+ - chrome_os
+ - android
+items:
+- caption: Enable the Privacy Sandbox Fingerprinting Protection feature.
+ value: true
+- caption: Disable the Privacy Sandbox Fingerprinting Protection feature.
+ value: false
+- caption: Allow users to turn on or turn off the Privacy Sandbox Fingerprinting Protection setting on their device.
+ value: null
+owners:
+- johnykim@google.com
+- rizvis@google.com
+- file://components/privacy_sandbox/OWNERS
+schema:
+ type: boolean
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxIpProtectionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxIpProtectionEnabled.yaml
new file mode 100755
index 000000000..18dc26dca
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxIpProtectionEnabled.yaml
@@ -0,0 +1,33 @@
+caption: Choose whether the Privacy Sandbox IP Protection feature should be enabled.
+default: null
+desc: |-
+ A policy to control whether the Privacy Sandbox IP Protection feature should be enabled.
+
+ If the policy is set to Disabled, then the IP Protection feature will be disabled and users won't be able to enable the feature via UI settings.
+ If the policy is set to Enabled, then the IP Protection feature will be enabled and users won't be able to disable the feature via UI settings.
+ If the policy is not set, users will be able to turn on or turn off the IP Protection feature on their device via UI settings.
+
+ Note: The behavior of the IP Protection feature for enterprise users may vary over time when the policy is set to Enabled or when the policy is not set and the feature is enabled via UI settings.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+ - fuchsia
+ - chrome.*
+ - chrome_os
+ - android
+items:
+- caption: Disable the Privacy Sandbox IP Protection feature.
+ value: false
+- caption: Enable the Privacy Sandbox IP Protection feature.
+ value: true
+- caption: Allow users to turn on or turn off the Privacy Sandbox IP Protection setting on their device.
+ value: null
+owners:
+- awillia@chromium.org
+- file://components/ip_protection/OWNERS
+schema:
+ type: boolean
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxPromptEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxPromptEnabled.yaml
new file mode 100755
index 000000000..90adc710e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxPromptEnabled.yaml
@@ -0,0 +1,35 @@
+caption: Choose whether the Privacy Sandbox prompt can be shown to your users
+default: true
+desc: |-
+ A policy to control whether your users see the Privacy Sandbox prompt.
+ The prompt is a user-blocking flow which informs your users of the Privacy Sandbox settings. See https://privacysandbox.com for details about Chrome’s effort to deprecate third-party cookies.
+
+ If you set this policy to Disabled, then $1Google Chrome won’t show the Privacy Sandbox prompt.
+ If you set this policy to Enabled or keep it unset, then $1Google Chrome determines whether the Privacy Sandbox prompt can be shown or not and then show it if possible.
+
+ If any of the following policies are set, it’s required to set this policy to Disabled:
+ PrivacySandboxAdTopicsEnabled
+ PrivacySandboxSiteEnabledAdsEnabled
+ PrivacySandboxAdMeasurementEnabled
+example_value: false
+future_on:
+ - fuchsia
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow $1Google Chrome to determine whether to show the Privacy Sandbox prompt.
+ value: true
+- caption: Do not show the Privacy Sandbox prompt to users.
+ value: false
+owners:
+- roagarwal@chromium.org
+- file://components/privacy_sandbox/OWNERS
+schema:
+ type: boolean
+supported_on:
+ - chrome.*:111-
+ - chrome_os:111-
+ - android:111-
+tags: []
+type: main
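Review bot: In `desc`, the Enabled/unset sentence switches verb form: "determines whether the Privacy Sandbox prompt can be shown or not and then show it if possible". It should read `determines whether the Privacy Sandbox prompt can be shown and then shows it if possible`. The second line of `desc` also hard-codes "Chrome’s effort", while the rest of this text and the group's `.group.details.yaml` use the `$1Google Chrome` placeholder, so the product name would not be substituted there. This file also puts `future_on` before `features`, unlike the other PrivacySandbox files.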
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxSiteEnabledAdsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxSiteEnabledAdsEnabled.yaml
new file mode 100755
index 000000000..cabbc6f39
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/PrivacySandboxSiteEnabledAdsEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Choose whether the Privacy Sandbox Site-suggested ads setting can be disabled
+default: true
+desc: |-
+ A policy to control whether the Privacy Sandbox Site-suggested ads setting can be disabled for your users.
+
+ If you set this policy to Disabled, then the Site-suggested ads setting will be turned off for your users.
+ If you set this policy to Enabled or keep it unset, your users will be able to turn on or off the Privacy Sandbox Site-suggested ads setting on their device.
+
+ Setting this policy requires setting the PrivacySandboxPromptEnabled policy to Disabled.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+ - fuchsia
+items:
+- caption: Allow users to turn on or off the Privacy Sandbox Site-suggested ads setting on their device.
+ value: true
+- caption: Disable Privacy Sandbox Site-suggested ads setting for your users.
+ value: false
+owners:
+- roagarwal@chromium.org
+- file://components/privacy_sandbox/OWNERS
+schema:
+ type: boolean
+supported_on:
+ - chrome.*:111-
+ - chrome_os:111-
+ - android:111-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/policy_atomic_groups.yaml
new file mode 100755
index 000000000..e2963455e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacySandbox/policy_atomic_groups.yaml
@@ -0,0 +1,7 @@
+PrivacySandbox:
+ caption: Privacy sandbox settings controls
+ policies:
+ - PrivacySandboxPromptEnabled
+ - PrivacySandboxAdTopicsEnabled
+ - PrivacySandboxSiteEnabledAdsEnabled
+ - PrivacySandboxAdMeasurementEnabled
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacyScreen/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacyScreen/.group.details.yaml
new file mode 100755
index 000000000..291311a75
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacyScreen/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Privacy screen settings
+desc: Controls user and device policies for the privacy screen feature.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacyScreen/DeviceLoginScreenPrivacyScreenEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacyScreen/DeviceLoginScreenPrivacyScreenEnabled.yaml
new file mode 100755
index 000000000..fd66afcba
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacyScreen/DeviceLoginScreenPrivacyScreenEnabled.yaml
@@ -0,0 +1,36 @@
+caption: Set the state of privacy screen on the login screen
+default: null
+desc: |-
+ Set the state of the privacy screen feature on the login screen.
+
+ If this policy is set to True, privacy screen will be enabled when the login screen is shown.
+
+ If this policy is set to False, privacy screen will be disabled when the login screen is shown.
+
+ When this policy is set, the user cannot override the value when the login screen is shown.
+
+ If this policy is left unset, the privacy screen is disabled initially, but remains controllable by the user when the login screen is shown.
+device_only: true
+example_value: true
+features:
+ can_be_mandatory: true
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Always enable the privacy screen on the sign-in screen
+ value: true
+- caption: Always disable the privacy screen on the sign-in screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- gildekel@chromium.org
+- chromeos-gfx-display@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:83-
+tags: []
+type: main
+generate_device_proto: False
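Review bot: `generate_device_proto: False` uses a capitalised boolean, while every other boolean in this file (`device_only: true`, `can_be_mandatory: true`, `per_profile: false`) is lowercase. Whether it loads as a boolean or as the string "False" depends on the YAML loader's schema, so `generate_device_proto: false` is the safer spelling. The key also sits after `type: main`, out of the alphabetical order the other keys follow. Separately, `desc` says "login screen" while the item captions say "sign-in screen"; using one term would avoid implying two different surfaces.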
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacyScreen/PrivacyScreenEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacyScreen/PrivacyScreenEnabled.yaml
new file mode 100755
index 000000000..9aedb0619
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivacyScreen/PrivacyScreenEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Enable privacy screen
+default: null
+desc: |-
+ Enable/disable the privacy screen feature.
+
+ If this policy is set to True, privacy screen will always be enabled.
+
+ If this policy is set to False, privacy screen will always be disabled.
+
+ When this policy is set, the user cannot override the value.
+
+ If this policy is left unset, privacy screen is disabled initially but can be controlled by the user.
+example_value: true
+features:
+ can_be_mandatory: true
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Always enable the privacy screen
+ value: true
+- caption: Always disable the privacy screen
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- gildekel@chromium.org
+- chromeos-gfx-display@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:83-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/.group.details.yaml
new file mode 100755
index 000000000..637feff68
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Private network request settings
+desc: A group of policies related to private network request settings. See https://wicg.github.io/private-network-access/.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/InsecurePrivateNetworkRequestsAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/InsecurePrivateNetworkRequestsAllowed.yaml
new file mode 100755
index 000000000..0ec915b8c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/InsecurePrivateNetworkRequestsAllowed.yaml
@@ -0,0 +1,44 @@
+caption: Specifies whether to allow websites to make requests to more-private network
+ endpoints in an insecure manner
+desc: |-
+ Controls whether websites are allowed to make requests to more-private network endpoints in an insecure manner.
+
+ When this policy is set to true, all Private Network Access checks are disabled for all origins. This may allow attackers to perform CSRF attacks on private network servers.
+
+ When this policy is either not set or set to false, the default behavior for requests to more-private network endpoints will depend on the user's personal configuration for the BlockInsecurePrivateNetworkRequests, PrivateNetworkAccessSendPreflights, and PrivateNetworkAccessRespectPreflightResults feature flags, which may be set by field trials or on the command line.
+
+ This policy relates to the Private Network Access specification. See https://wicg.github.io/private-network-access/ for more details.
+
+ A network endpoint is more private than another if:
+ 1) Its IP address is localhost and the other is not.
+ 2) Its IP address is private and the other is public.
+ In the future, depending on spec evolution, this policy might apply to all cross-origin requests directed at private IPs or localhost.
+
+ When this policy is set to true, websites are allowed to make requests to any network endpoint, subject to other cross-origin checks.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow websites to make requests to any network endpoint in an insecure manner.
+ value: true
+- caption: Use default behavior when determining if websites can make requests
+ to network endpoints.
+ value: false
+owners:
+- titouan@chromium.org
+- clamy@chromium.org
+- mkwst@chromium.org
+- phao@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:92-
+- chrome_os:92-
+- android:92-
+- webview_android:92-
+tags:
+- system-security
+type: main
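Review bot: The description warns that `true` disables all Private Network Access checks for all origins and may allow CSRF against private network servers, but it never points administrators to the narrower InsecurePrivateNetworkRequestsAllowedForUrls policy added in the same directory. A sentence after the CSRF warning, such as `To exempt only specific origins, use InsecurePrivateNetworkRequestsAllowedForUrls instead of setting this policy to true.`, would steer deployments toward the smaller exemption. The closing paragraph restates the `true` behaviour already covered in the second paragraph and could be merged into it, so the risk statement and the behaviour statement sit together.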
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/InsecurePrivateNetworkRequestsAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/InsecurePrivateNetworkRequestsAllowedForUrls.yaml
new file mode 100755
index 000000000..dbb839b38
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/InsecurePrivateNetworkRequestsAllowedForUrls.yaml
@@ -0,0 +1,35 @@
+caption: Allow the listed sites to make requests to more-private network endpoints
+ in an insecure manner.
+desc: |-
+ List of URL patterns. Requests initiated from websites served by matching origins are not subject to Private Network Access checks.
+
+ If unset, this policy behaves as if set to the empty list.
+
+ For origins not covered by the patterns specified here, the global default value will be used either from the InsecurePrivateNetworkRequestsAllowed policy, if it is set, or the user's personal configuration otherwise.
+
+ For detailed information on valid URL patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
+example_value:
+- http://www.example.com:8080
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- titouan@chromium.org
+- clamy@chromium.org
+- mkwst@chromium.org
+- phao@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:92-
+- chrome_os:92-
+- android:92-
+- webview_android:92-
+tags:
+- system-security
+type: list
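Review bot: Unlike the global InsecurePrivateNetworkRequestsAllowed policy, this `desc` states no risk, even though it says requests from matching origins "are not subject to Private Network Access checks". Consider adding `Only list origins you trust; pages served from a matching origin can send requests to localhost and private-address endpoints without these checks.` The `example_value` includes a plain-http origin and a `[*.]` wildcard pattern. Since the schema is an unconstrained string array, the description is the only place to tell administrators to keep entries as specific as possible.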
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/PrivateNetworkAccessRestrictionsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/PrivateNetworkAccessRestrictionsEnabled.yaml
new file mode 100755
index 000000000..bc6a908ae
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/PrivateNetworkAccessRestrictionsEnabled.yaml
@@ -0,0 +1,47 @@
+owners:
+- phao@chromium.org
+- file://chrome/browser/private_network_access/OWNERS
+
+caption: Specifies whether to apply restrictions to requests to more-private
+ network endpoints
+
+desc: |-
+ When this policy is set to Enabled, any time when a warning is supposed to be
+ displayed in the DevTools due to Private Network Access checks failing, the
+ main request will be blocked instead.
+
+ When this policy is set to Disabled or unset, all Private Network Access warnings will not
+ be enforced and the requests will not be blocked.
+
+ See https://wicg.github.io/private-network-access/ for Private Network Access restrictions.
+
+supported_on:
+- chrome.*:120-
+- chrome_os:120-
+- android:120-
+
+future_on:
+- fuchsia
+
+features:
+ dynamic_refresh: true
+ per_profile: false
+
+type: main
+
+schema:
+ type: boolean
+
+items:
+- caption: Apply restrictions to requests to more-private network endpoints
+ value: true
+- caption: Use default behavior when determining if websites can make requests
+ to network endpoints
+ value: false
+
+example_value: true
+
+tags: []
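Review bot: `desc` does not say what happens when this policy is Enabled while InsecurePrivateNetworkRequestsAllowed is true, or when the requesting origin matches InsecurePrivateNetworkRequestsAllowedForUrls. An administrator cannot tell from this text which setting wins. The policy is also left out of the PrivateNetworkRequestSettings atomic group defined in the next file of this patch, which lists only the two Insecure* policies; if that is intentional, a line in `desc` stating the precedence would make it explicit. The sentence "all Private Network Access warnings will not be enforced" would read more clearly as `Private Network Access warnings are not enforced and the requests are not blocked.`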
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/policy_atomic_groups.yaml
new file mode 100755
index 000000000..0ae020ce3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/PrivateNetworkRequestSettings/policy_atomic_groups.yaml
@@ -0,0 +1,5 @@
+PrivateNetworkRequestSettings:
+ caption: Private network request settings
+ policies:
+ - InsecurePrivateNetworkRequestsAllowed
+ - InsecurePrivateNetworkRequestsAllowedForUrls
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Projector/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Projector/.group.details.yaml
new file mode 100755
index 000000000..b8abcb19f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Projector/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Screencast
+desc: Controls policies for Screencast.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Projector/ProjectorDogfoodForFamilyLinkEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Projector/ProjectorDogfoodForFamilyLinkEnabled.yaml
new file mode 100755
index 000000000..7f9506148
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Projector/ProjectorDogfoodForFamilyLinkEnabled.yaml
@@ -0,0 +1,30 @@
+caption: Enable Screencast dogfood for Family Link users
+default: false
+desc: |-
+ This policy enables Screencast feature for Family Link users and gives it permission to create and transcribe screen recording and upload to Drive.
+ This policy does not affect other types of users.
+ This policy does not affect ProjectorEnabled policy for enterprise users.
+
+ If the policy is enabled, Screencast dogfood will be enabled for Family Link users.
+ If the policy is disabled, Screencast dogfood will be disabled for Family Link users.
+ If the policy is not set, Screencast dogfood will be by default disabled for Family Link users.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable Screencast dogfood for Family Link users
+ value: true
+- caption: Disable Screencast dogfood for Family Link users
+ value: false
+owners:
+- agawronska@google.com
+- llin@google.com
+- cros-projector@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:102-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Projector/ProjectorEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Projector/ProjectorEnabled.yaml
new file mode 100755
index 000000000..87c1c2fe9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Projector/ProjectorEnabled.yaml
@@ -0,0 +1,28 @@
+caption: Enable Screencast
+default: true
+desc: |-
+ This policy gives Screencast permission to create and transcribe screen recording and upload to Drive for enterprise users.
+ This policy does not affect Family Link users.
+ This policy does not affect ProjectorDogfoodForFamilyLinkEnabled policy for Family Link users.
+
+ If the policy is unset or enabled, Screencast will be enabled.
+ If the policy is disabled, Screencast will be disabled.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable Screencast
+ value: true
+- caption: Disable Screencast
+ value: false
+owners:
+- llin@google.com
+- cros-projector@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:99-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/.group.details.yaml
new file mode 100755
index 000000000..803317884
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/.group.details.yaml
@@ -0,0 +1,14 @@
+caption: Proxy server
+desc: |-
+ Allows you to specify the proxy server used by $1Google Chrome and prevents users from changing proxy settings.
+
+ If you choose to never use a proxy server and always connect directly, all other options are ignored.
+
+ If you choose to auto detect the proxy server, all other options are ignored.
+
+ For detailed examples, visit:
+ https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-setthttps://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.
+
+ If you enable this setting, $1Google Chrome and ARC-apps ignore all proxy-related options specified from the command line.
+
+ Leaving these policies not set will allow the users to choose the proxy settings on their own.
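Review bot: The "For detailed examples, visit:" line in this desc contains the documentation URL twice, run together with no separator and followed by a period, so the rendered link does not resolve to the intended page. The same concatenated URL appears in the desc of Proxy/ProxyServerMode.yaml later in this patch. Both should carry the single form used by ProxyMode.yaml, `https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett`. Administrators rely on that page for proxy and bypass-rule syntax, so a dead link here makes misconfiguration more likely.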
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyBypassList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyBypassList.yaml
new file mode 100755
index 000000000..7f04ce882
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyBypassList.yaml
@@ -0,0 +1,29 @@
+arc_support: You cannot force Android apps to use a proxy. A subset of proxy settings
+ is made available to Android apps, which they may voluntarily choose to honor. See
+ the ProxyMode policy for more details.
+caption: Proxy bypass rules
+deprecated: true
+desc: |-
+ This policy is deprecated, please use ProxySettings instead.
+
+ Setting the policy means $1Google Chrome bypasses any proxy for the list of hosts given here. This policy only takes effect if the ProxySettings policy isn't specified and you specified either fixed_servers or pac_script for ProxyMode.
+
+ Leave this policy unset if you selected any other mode for setting proxy policies.
+
+ Note: For more detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).
+example_value: https://www.example1.com,https://www.example2.com,https://internalsite/
+features:
+ dynamic_refresh: true
+ per_profile: true
+label: Comma-separated list of proxy bypass rules
+owners:
+- acostinas@google.com
+- file://components/proxy_config/OWNERS
+schema:
+ type: string
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyMode.yaml
new file mode 100755
index 000000000..271186e86
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyMode.yaml
@@ -0,0 +1,58 @@
+caption: Choose how to specify proxy server settings
+deprecated: true
+desc: |-
+ This policy is deprecated, please use ProxySettings instead.
+
+ Setting the policy to Enabled lets you specify the proxy server Chrome uses and prevents users from changing proxy settings. Chrome and ARC-apps ignore all proxy-related options specified from the command line. The policy only takes effect if the ProxySettings policy isn't specified.
+
+ Other options are ignored if you choose:
+ * direct = Never use a proxy server and always connect directly
+ * system = Use system proxy settings
+ * auto_detect = Auto detect the proxy server
+
+ If you choose to use:
+ * fixed_servers = Fixed proxy servers. You can specify further options with ProxyServer and ProxyBypassList. Only the HTTP proxy server with the highest priority is available for ARC-apps.
+ * pac_script = A .pac proxy script. Use ProxyPacUrl to set the URL to a proxy .pac file.
+
+ Leaving the policy unset lets users choose the proxy settings.
+
+ Note: For detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).
+example_value: direct
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Never use a proxy
+ name: ProxyDisabled
+ value: direct
+- caption: Auto detect proxy settings
+ name: ProxyAutoDetect
+ value: auto_detect
+- caption: Use a .pac proxy script
+ name: ProxyPacScript
+ value: pac_script
+- caption: Use fixed proxy servers
+ name: ProxyFixedServers
+ value: fixed_servers
+- caption: Use system proxy settings
+ name: ProxyUseSystem
+ value: system
+owners:
+- acostinas@google.com
+- file://components/proxy_config/OWNERS
+schema:
+ enum:
+ - direct
+ - auto_detect
+ - pac_script
+ - fixed_servers
+ - system
+ type: string
+supported_on:
+- chrome.*:10-
+- chrome_os:11-
+- android:30-
+tags: []
+type: string-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyPacUrl.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyPacUrl.yaml
new file mode 100755
index 000000000..025e892b2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyPacUrl.yaml
@@ -0,0 +1,28 @@
+arc_support: You cannot force Android apps to use a proxy. A subset of proxy settings
+ is made available to Android apps, which they may voluntarily choose to honor. See
+ the ProxyMode policy for more details.
+caption: URL to a proxy .pac file
+deprecated: true
+desc: |-
+ This policy is deprecated, please use ProxySettings instead.
+
+ Setting the policy lets you specify a URL to a proxy .pac file. This policy only takes effect if the ProxySettings policy isn't specified and you selected pac_script with ProxyMode.
+
+ Leave this policy unset if you selected any other mode for setting proxy policies.
+
+ Note: For detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).
+example_value: https://internal.site/example.pac
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- acostinas@google.com
+- file://components/proxy_config/OWNERS
+schema:
+ type: string
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+tags: []
+type: string
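Review bot: The desc does not say which URL schemes are acceptable for the .pac file, and `schema: type: string` places no constraint on the value. A PAC script decides how the browser routes its requests, so a script fetched over plain HTTP could be altered in transit. The example_value already uses https, and the text could say so explicitly, e.g. `Serve the .pac file over HTTPS so that the script cannot be modified in transit.` This is a documentation-only suggestion. Since the policy is marked deprecated in favour of ProxySettings, the same sentence probably belongs in that policy's description as well, which is not shown in this hunk.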
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyServer.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyServer.yaml
new file mode 100755
index 000000000..a71be2b0d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyServer.yaml
@@ -0,0 +1,28 @@
+arc_support: You cannot force Android apps to use a proxy. A subset of proxy settings
+ is made available to Android apps, which they may voluntarily choose to honor. See
+ the ProxyMode policy for more details.
+caption: Address or URL of proxy server
+deprecated: true
+desc: |-
+ This policy is deprecated, please use ProxySettings instead.
+
+ Setting the policy lets you specify the URL of the proxy server. This policy only takes effect if the ProxySettings policy isn't specified and you selected fixed_servers with ProxyMode.
+
+ Leave this policy unset if you selected any other mode for setting proxy policies.
+
+ Note: For detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).
+example_value: 123.123.123.123:8080
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- acostinas@google.com
+- file://components/proxy_config/OWNERS
+schema:
+ type: string
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyServerMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyServerMode.yaml
new file mode 100755
index 000000000..3460012c3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/ProxyServerMode.yaml
@@ -0,0 +1,54 @@
+arc_support: You cannot force Android apps to use a proxy. A subset of proxy settings
+ is made available to Android apps, which they may voluntarily choose to honor. See
+ the ProxyMode policy for more details.
+caption: Choose how to specify proxy server settings
+deprecated: true
+desc: |-
+ This policy is deprecated, use ProxyMode instead.
+
+ Allows you to specify the proxy server used by $1Google Chrome and prevents users from changing proxy settings.
+
+ This policy only takes effect if the ProxySettings policy has not been specified.
+
+ If you choose to never use a proxy server and always connect directly, all other options are ignored.
+
+ If you choose to use system proxy settings or auto detect the proxy server, all other options are ignored.
+
+ If you choose manual proxy settings, you can specify further options in 'Address or URL of proxy server', 'URL to a proxy .pac file' and 'Comma-separated list of proxy bypass rules'. Only the HTTP proxy server with the highest priority is available for ARC-apps.
+
+ For detailed examples, visit:
+ https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-setthttps://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.
+
+ If you enable this setting, $1Google Chrome ignores all proxy-related options specified from the command line.
+
+ Leaving this policy not set will allow the users to choose the proxy settings on their own.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Never use a proxy
+ name: ProxyServerDisabled
+ value: 0
+- caption: Auto detect proxy settings
+ name: ProxyServerAutoDetect
+ value: 1
+- caption: Manually specify proxy settings
+ name: ProxyServerManual
+ value: 2
+- caption: Use system proxy settings
+ name: ProxyServerUseSystem
+ value: 3
+owners:
+- acostinas@google.com
+- file://components/proxy_config/OWNERS
+schema:
+ $ref: ProxyServerMode
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+tags: []
+type: int-enum
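Review bot: The first line of the desc points to a policy that is itself deprecated. It reads "This policy is deprecated, use ProxyMode instead", but ProxyMode.yaml in this same patch is `deprecated: true` and redirects to ProxySettings. An administrator following the text migrates to another deprecated policy. The line should match the sibling proxy policies: `This policy is deprecated, please use ProxySettings instead.`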
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/policy_atomic_groups.yaml
new file mode 100755
index 000000000..a5e22bdd2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Proxy/policy_atomic_groups.yaml
@@ -0,0 +1,9 @@
+Proxy:
+ caption: Proxy
+ policies:
+ - ProxyMode
+ - ProxyServerMode
+ - ProxyServer
+ - ProxyPacUrl
+ - ProxyBypassList
+ - ProxySettings
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/.group.details.yaml
new file mode 100755
index 000000000..c4144a5ba
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Quick Answers
+desc: Controls settings for Quick Answers.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersDefinitionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersDefinitionEnabled.yaml
new file mode 100755
index 000000000..38ba80bc5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersDefinitionEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Enable Quick Answers Definition
+default: true
+desc: |-
+ This policy gives Quick Answers permission to access selected content and send the info to the server to get definition results.
+
+ If the policy is enabled or not set, Quick Answers Definition will be enabled.
+ If the policy is disabled, Quick Answers Definition will be disabled.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable Quick Answers Definition
+ value: true
+- caption: Disable Quick Answers Definition
+ value: false
+owners:
+- updowndota@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:97-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersEnabled.yaml
new file mode 100755
index 000000000..c10373df0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Enable Quick Answers
+default: true
+desc: |-
+ This policy gives Quick Answers permission to access selected content and send the info to the server.
+
+ If the policy is enabled, Quick Answers will be enabled.
+ If the policy is disabled, Quick Answers will be disabled.
+ If the policy is not set, users can decide whether to enable or disable Quick Answers.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable Quick Answers
+ value: true
+- caption: Disable Quick Answers
+ value: false
+owners:
+- updowndota@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:97-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersTranslationEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersTranslationEnabled.yaml
new file mode 100755
index 000000000..3583ec2e7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersTranslationEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Enable Quick Answers Translation
+default: true
+desc: |-
+ This policy gives Quick Answers permission to access selected content and send the info to the server to get translation results.
+
+ If the policy is enabled or not set, Quick Answers translation will be enabled.
+ If the policy is disabled, Quick Answers translation will be disabled.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable Quick Answers Translation
+ value: true
+- caption: Disable Quick Answers Translation
+ value: false
+owners:
+- updowndota@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:97-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersUnitConversionEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersUnitConversionEnabled.yaml
new file mode 100755
index 000000000..d933f63c4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickAnswers/QuickAnswersUnitConversionEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Enable Quick Answers Unit Conversion
+default: true
+desc: |-
+ This policy gives Quick Answers permission to access selected content and send the info to the server to get unit conversion results.
+
+ If the policy is enabled or not set, Quick Answers unit conversion will be enabled.
+ If the policy is disabled, Quick Answers unit conversion will be disabled.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable Quick Answers Unit Conversion
+ value: true
+- caption: Disable Quick Answers Unit Conversion
+ value: false
+owners:
+- updowndota@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:97-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/.group.details.yaml
new file mode 100755
index 000000000..52ded6a08
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Quick unlock
+desc: Configures quick unlock related policies.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockAutosubmitEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockAutosubmitEnabled.yaml
new file mode 100755
index 000000000..61d3ab765
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockAutosubmitEnabled.yaml
@@ -0,0 +1,33 @@
+caption: Enable PIN auto-submit feature on the lock and login screen.
+default_for_enterprise_users: false
+desc: |-
+ The PIN auto-submit feature changes how PINs are entered in $2Google ChromeOS.
+ Instead of showing the same textfield that is used for password input, this
+ feature shows a special UI that clearly shows to the user how many
+ digits are necessary for their PIN. As a consequence, the user's PIN length
+ will be stored outside the user encrypted data. Only supports PINs that are
+ between 6 and 12 digits long.
+
+ If the policy is set to true, users will have PIN auto-submit on the lock and login screen.
+ If the policy is set to false or not set, users will not have PIN auto-submit on the lock and login screen.
+
+ If this policy is set, users will not have the option of enabling the feature.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable PIN auto-submit on the lock and login screen
+ value: true
+- caption: Disable PIN auto-submit on the lock and login screen
+ value: false
+owners:
+- rrsilva@google.com
+- cros-oac@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:86-
+tags: []
+type: main
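Review bot: The desc mentions that the PIN length "will be stored outside the user encrypted data" but leaves the practical consequence implicit. Per the same paragraph, the auto-submit UI shows how many digits the PIN has on the lock and login screen, that is, before authentication. A sentence such as `Enabling this reveals the number of digits in the user's PIN to anyone who can see the lock or login screen.` would let administrators weigh the convenience against the reduced guessing space. It would also help to cross-reference PinUnlockMinimumLength, since the feature only supports PINs of 6 to 12 digits.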
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockMaximumLength.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockMaximumLength.yaml
new file mode 100755
index 000000000..42edee87e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockMaximumLength.yaml
@@ -0,0 +1,18 @@
+caption: Set the maximum length of the lock screen PIN
+desc: |-
+ Setting the policy means the configured maximum PIN length is enforced. A value of 0 or less means the user may set a PIN of any length. If the value is less than PinUnlockMinimumLength but greater than 0, the maximum length is set to the minimum length.
+
+ Leaving the policy unset means no maximum length is enforced.
+example_value: 0
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: integer
+supported_on:
+- chrome_os:57-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockMinimumLength.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockMinimumLength.yaml
new file mode 100755
index 000000000..3c407f0ed
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockMinimumLength.yaml
@@ -0,0 +1,18 @@
+caption: Set the minimum length of the lock screen PIN
+desc: |-
+ Setting the policy enforces the minimum PIN length chosen. (Values below 1 are rounded up to the minimum of 1.)
+
+ Leaving the policy unset enforces a minimal PIN length of 6 digits, the recommended minimum.
+example_value: 6
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: integer
+supported_on:
+- chrome_os:57-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockWeakPinsAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockWeakPinsAllowed.yaml
new file mode 100755
index 000000000..c8533979b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/PinUnlockWeakPinsAllowed.yaml
@@ -0,0 +1,26 @@
+caption: Enable users to set weak PINs for the lock screen PIN
+default: null
+desc: |-
+ Setting the policy to Enabled allows weak PINs. Some characteristics of weak PINs: only one digit (1111), digits increase by 1 (1234), digits decrease by 1 (4321), and common PINs. Setting the policy to Disabled means users can't set weak, easy-to-guess PINs.
+
+ If policy is not set, users get a warning, not an error, for a weak PIN.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Allow users to set a weak PIN
+ value: true
+- caption: Do not allow users to set a weak PIN
+ value: false
+- caption: Allow users to set a weak PIN, but show a warning
+ value: null
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:57-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/QuickUnlockModeAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/QuickUnlockModeAllowlist.yaml
new file mode 100755
index 000000000..9c31b0053
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/QuickUnlockModeAllowlist.yaml
@@ -0,0 +1,38 @@
+caption: Configure allowed quick unlock modes
+default_for_enterprise_users: []
+desc: |-
+ Setting the policy controls which quick unlock modes can unlock the lock screen.
+
+ To allow:
+
+ * Every quick unlock mode, use ["all"] (includes modes added in the future).
+
+ * Only PIN unlock, use ["PIN"].
+
+ * PIN and fingerprint, use ["PIN", "FINGERPRINT"].
+
+ If the policy is unset or set to an empty list, no quick unlock modes are available for managed devices.
+example_value:
+- PIN
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: All
+ name: all
+ value: all
+- caption: PIN
+ name: PIN
+ value: PIN
+- caption: Fingerprint
+ name: FINGERPRINT
+ value: FINGERPRINT
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ $ref: QuickUnlockModeAllowlist
+supported_on:
+- chrome_os:87-
+tags: []
+type: string-enum-list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/QuickUnlockTimeout.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/QuickUnlockTimeout.yaml
new file mode 100755
index 000000000..56cb430ab
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/QuickUnlockTimeout.yaml
@@ -0,0 +1,36 @@
+caption: Set how often user has to enter password to use quick unlock
+desc: |-
+ Setting the policy controls how often the lock screen requests the password for quick unlock. Each time the lock screen appears, if the last password entry occurred before the time window specified by the value chosen, quick unlock won't be available. If users stay on the lock screen past this amount of time, a password is requested next time they enter the wrong code or re-enter the lock screen, whichever comes first.
+
+ Leaving the policy unset means users using quick unlock enter their password on the lock screen daily.
+example_value: 2
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Password entry is required every six hours
+ name: SixHours
+ value: 0
+- caption: Password entry is required every twelve hours
+ name: TweleveHours
+ value: 1
+- caption: Password entry is required every two days (48 hours)
+ name: TwoDays
+ value: 2
+- caption: Password entry is required every week (168 hours)
+ name: Week
+ value: 3
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:57-
+tags: []
+type: int-enum
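Review bot: The desc says that leaving the policy unset makes quick-unlock users enter their password daily, yet `items` offers only six hours, twelve hours, two days and one week. The documented default therefore cannot be selected explicitly, and this file does not show which interval actually applies when the policy is unset. The sentence or the enum should be reconciled, because administrators use this text to judge how long a PIN or fingerprint alone can unlock a device. Separately, `name: TweleveHours` is misspelled. Item names may be consumed by generated templates, so a rename to `TwelveHours` should be checked against those consumers first.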
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/policy_atomic_groups.yaml
new file mode 100755
index 000000000..a139e98b3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/QuickUnlock/policy_atomic_groups.yaml
@@ -0,0 +1,12 @@
+PinUnlock:
+ caption: Pin unlock
+ policies:
+ - PinUnlockMinimumLength
+ - PinUnlockMaximumLength
+ - PinUnlockWeakPinsAllowed
+ - PinUnlockAutosubmitEnabled
+QuickUnlock:
+ caption: Quick unlock
+ policies:
+ - QuickUnlockModeAllowlist
+ - QuickUnlockTimeout
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RelatedWebsiteSets/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RelatedWebsiteSets/.group.details.yaml
new file mode 100755
index 000000000..7a5ec2ae6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RelatedWebsiteSets/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Related Website Sets Settings
+desc: Controls policies for the Related Website Sets feature.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RelatedWebsiteSets/RelatedWebsiteSetsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RelatedWebsiteSets/RelatedWebsiteSetsEnabled.yaml
new file mode 100755
index 000000000..760d5f675
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RelatedWebsiteSets/RelatedWebsiteSetsEnabled.yaml
@@ -0,0 +1,31 @@
+caption: Enable Related Website Sets
+default: true
+desc: |-
+ This policy allows to control the Related Website Sets feature enablement.
+
+ This policy overrides the FirstPartySetsEnabled policy.
+
+ When this policy is unset or set to True, the Related Website Sets feature is enabled.
+
+ When this policy is set to False, the Related Website Sets feature is disabled.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+supported_on:
+- chrome.*:120-
+- chrome_os:120-
+- android:120-
+- fuchsia:120-
+items:
+- caption: Enable Related Website Sets
+ value: true
+- caption: Disable Related Website Sets
+ value: false
+owners:
+- sandormajor@google.com
+- chrome-first-party-sets@chromium.org
+schema:
+ type: boolean
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RelatedWebsiteSets/RelatedWebsiteSetsOverrides.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RelatedWebsiteSets/RelatedWebsiteSetsOverrides.yaml
new file mode 100755
index 000000000..a9b7bea7e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RelatedWebsiteSets/RelatedWebsiteSetsOverrides.yaml
@@ -0,0 +1,123 @@
+caption: Override Related Website Sets.
+default: {}
+desc: |-
+ This policy provides a way to override the list of sets the browser uses for Related Website Sets features.
+
+ This policy overrides the FirstPartySetsOverrides policy.
+
+ Each set in the browser's list of Related Website Sets must meet the requirements of a Related Website Set.
+ A Related Website Set must contain a primary site and one or more member sites.
+ A set can also contain a list of service sites that it owns, as well as a map from a site to all of its ccTLD variants.
+ See https://github.com/WICG/first-party-sets for more information on how $1Google Chrome uses Related Website Sets.
+
+
+ All sites in a Related Website Set must be a registrable domain served over HTTPS. Each site in a Related Website Set must also be unique,
+ meaning a site cannot be listed more than once in a Related Website Set.
+
+ When this policy is given an empty dictionary, the browser uses the public list of Related Website Sets.
+
+ For all sites in a Related Website Set from the replacements list, if a site is also present
+ on a Related Website Set in the browser's list, then that site will be removed from the browser's Related Website Set.
+ After this, the policy's Related Website Set will be added to the browser's list of Related Website Sets.
+
+ For all sites in a Related Website Set from the additions list, if a site is also present
+ on a Related Website Set in the browser's list, then the browser's Related Website Set will be updated so that the
+ new Related Website Set can be added to the browser's list. After the browser's list has been updated,
+ the policy's Related Website Set will be added to the browser's list of Related Website Sets.
+
+ The browser's list of Related Website Sets requires that for all sites in its list, no site is in
+ more than one set. This is also required for both the replacements list
+ and the additions list. Similarly, a site cannot be in both the
+ replacements list and the additions list.
+
+ Wildcards (*) are not supported as a policy value, nor within any Related Website Set in these lists.
+
+ All sets provided by the policy must be valid Related Website Sets, if they aren't then an
+ appropriate error will be outputted.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+example_value:
+ additions:
+ - associatedSites:
+ - https://associate2.test
+ ccTLDs:
+ https://associate2.test:
+ - https://associate2.com
+ primary: https://primary2.test
+ serviceSites:
+ - https://associate2-content.test
+ replacements:
+ - associatedSites:
+ - https://associate1.test
+ ccTLDs:
+ https://associate1.test:
+ - https://associate1.co.uk
+ primary: https://primary1.test
+ serviceSites:
+ - https://associate1-content.test
+features:
+ dynamic_refresh: false
+ per_profile: true
+supported_on:
+- chrome.*:120-
+- chrome_os:120-
+- android:120-
+- fuchsia:120-
+owners:
+- sandormajor@google.com
+- chrome-first-party-sets@chromium.org
+schema:
+ properties:
+ additions:
+ items:
+ properties:
+ associatedSites:
+ items:
+ type: string
+ type: array
+ ccTLDs:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ type: object
+ primary:
+ type: string
+ serviceSites:
+ items:
+ type: string
+ type: array
+ required:
+ - primary
+ - associatedSites
+ type: object
+ type: array
+ replacements:
+ items:
+ properties:
+ associatedSites:
+ items:
+ type: string
+ type: array
+ ccTLDs:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ type: object
+ primary:
+ type: string
+ serviceSites:
+ items:
+ type: string
+ type: array
+ required:
+ - primary
+ - associatedSites
+ type: object
+ type: array
+ type: object
+tags: []
+type: dict
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/.group.details.yaml
new file mode 100755
index 000000000..ed9bf9ecd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/.group.details.yaml
@@ -0,0 +1,8 @@
+caption: Remote access
+desc: |-
+ Configure remote access options in Chrome Remote Desktop host.
+
+ Chrome Remote Desktop host is a native service that runs on the target machine that a user can connect to using Chrome Remote Desktop application. The native service is packaged and executed separately from the $1Google Chrome browser.
+
+ These policies are ignored unless the
+ Chrome Remote Desktop host is installed.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessClientFirewallTraversal.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessClientFirewallTraversal.yaml
new file mode 100755
index 000000000..9ce3d5fe4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessClientFirewallTraversal.yaml
@@ -0,0 +1,24 @@
+caption: Enable firewall traversal from remote access client
+deprecated: true
+desc: |-
+ This policy is no longer supported.
+ Enables usage of STUN and relay servers when connecting to a remote client.
+
+ If this setting is enabled, then this machine can discover and connect to remote host machines even if they are separated by a firewall.
+
+ If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine can only connect to host machines within the local network.
+example_value: false
+features:
+ dynamic_refresh: true
+ platform_only: true
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- garykac@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:14-16
+- chrome_os:14-16
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowClientPairing.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowClientPairing.yaml
new file mode 100755
index 000000000..da24a34e6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowClientPairing.yaml
@@ -0,0 +1,26 @@
+caption: Enable or disable PIN-less authentication for remote access hosts
+desc: |-
+ Setting the policy to Enabled or leaving it unset lets users pair clients and hosts at connection time, eliminating the need to enter a PIN every time.
+
+ Setting the policy to Disabled makes this feature unavailable.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+items:
+- caption: Enable PIN-less authentication for the remote access host
+ value: true
+- caption: Disable PIN-less authentication for the remote access host
+ value: false
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:30-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowEnterpriseFileTransfer.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowEnterpriseFileTransfer.yaml
new file mode 100755
index 000000000..b2080ddf3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowEnterpriseFileTransfer.yaml
@@ -0,0 +1,26 @@
+caption: Enable file transfer capability in enterprise remote support sessions
+default: false
+desc: |-
+ If this policy is enabled, admin-initiated enterprise remote support sessions will allow the transfer of files between the client and the host.
+
+ This policy does not affect remote access scenarios.
+
+ Leaving this policy unset or setting to Disabled disallows file transfer.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable file transfer in remote support connections from enterprise admins
+ value: true
+- caption: Disable file transfer in remote support connections from enterprise admins
+ value: false
+owners:
+- macinashutosh@google.com
+- file://remoting/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:117-
+tags: []
+type: main
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowEnterpriseRemoteSupportConnections.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowEnterpriseRemoteSupportConnections.yaml
new file mode 100755
index 000000000..152e1bbd1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowEnterpriseRemoteSupportConnections.yaml
@@ -0,0 +1,29 @@
+caption: Allow enterprise remote support connections to this machine
+default: true
+desc: |-
+ If this policy is disabled, remote support sessions cannot be started using the admin console.
+
+ This policy does not affect remote access scenarios.
+
+ This policy prevents enterprise admins from connecting to managed $2Google ChromeOS devices.
+
+ This policy has no effect if enabled, left empty, or is not set.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+items:
+- caption: Allow remote support connections from enterprise admins to this machine
+ value: true
+- caption: Prevent remote support connections from enterprise admins to this machine
+ value: false
+owners:
+- file://remoting/OWNERS
+- crmullins@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:113-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowFileTransfer.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowFileTransfer.yaml
new file mode 100755
index 000000000..c03c53dbf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowFileTransfer.yaml
@@ -0,0 +1,28 @@
+caption: Allow remote access users to transfer files to/from the host
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset allows users connected to a remote access host to transfer files between the client and the host. This doesn't apply to remote assistance connections, which don't support file transfer.
+
+ Setting the policy to Disabled disallows file transfer.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+items:
+- caption: Enable remote access users to transfer files to and from the remote host
+ value: true
+- caption: Disable remote access users from transferring files to and from the remote
+ host
+ value: false
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:74-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowGnubbyAuth.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowGnubbyAuth.yaml
new file mode 100755
index 000000000..1de7db541
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowGnubbyAuth.yaml
@@ -0,0 +1,30 @@
+caption: Allow gnubby authentication for remote access hosts
+desc: |-
+ Setting the policy to Enabled means gnubby authentication requests will be proxied across a remote host connection.
+
+ Setting the policy to Disabled or leaving it unset means gnubby authentication requests won't be proxied.
+
+ Note that this feature requires additional components which are not available outside of the Google network environment in order to work properly.
+example_value: true
+features:
+ dynamic_refresh: true
+ internal_only: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+items:
+- caption: Enable gnubby authentication for the remote access host
+ value: true
+- caption: Disable gnubby authentication for the remote access host
+ value: false
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- lambroslambrou@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:35-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowPinAuthentication.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowPinAuthentication.yaml
new file mode 100755
index 000000000..5f2bce4be
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowPinAuthentication.yaml
@@ -0,0 +1,29 @@
+caption: Allow PIN and pairing authentication methods for remote access hosts
+desc: |-
+ Setting the policy to Enabled allows the remote access host to use PIN and pairing authentications when accepting client connections.
+
+ Setting the policy to Disabled disallows PIN or pairing authentications.
+
+ Leaving it unset lets the host decide whether PIN and/or pairing authentications can be used.
+
+ Note: If the setting results in no mutually supported authentication methods by both the host and the client, then the connection will be rejected.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+items:
+- caption: Allows the remote access host to use PIN and pairing authentications when accepting client connections
+ value: true
+- caption: Disallows the remote access host to use PIN and pairing authentications when accepting client connections
+ value: false
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- joedow@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:123-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowRelayedConnection.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowRelayedConnection.yaml
new file mode 100755
index 000000000..ebd548721
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowRelayedConnection.yaml
@@ -0,0 +1,28 @@
+caption: Enable the use of relay servers by the remote access host
+desc: |-
+ If RemoteAccessHostFirewallTraversal is set to Enabled, setting RemoteAccessHostAllowRelayedConnection to Enabled or leaving it unset allows the use of remote clients to use relay servers to connect to this machine when a direct connection is not available, for example, because of firewall restrictions.
+
+ Setting the policy to Disabled doesn't turn remote access off, but only allows connections from the same network (not NAT traversal or relay).
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+items:
+- caption: Enable the use of relay servers by the remote access host
+ value: true
+- caption: Disable the use of relay servers by the remote access host
+ value: false
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- garykac@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:36-
+- chrome_os:86-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowRemoteAccessConnections.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowRemoteAccessConnections.yaml
new file mode 100755
index 000000000..08dae2638
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowRemoteAccessConnections.yaml
@@ -0,0 +1,28 @@
+caption: Allow remote access connections to this machine
+default: true
+desc: |-
+ If this policy is Disabled, the remote access host service cannot be started or configured to accept incoming connections. This policy does not affect remote support scenarios.
+
+ This policy has no effect if it is set to Enabled, left empty, or is not set.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+items:
+- caption: Allow remote access connections to this machine
+ value: true
+- caption: Prevent remote access connections to this machine
+ value: false
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- joedow@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:89-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowRemoteSupportConnections.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowRemoteSupportConnections.yaml
new file mode 100755
index 000000000..fc64044ad
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowRemoteSupportConnections.yaml
@@ -0,0 +1,33 @@
+caption: Allow remote support connections to this machine
+default: true
+desc: |-
+ If this policy is disabled, the remote support host cannot be started or configured to accept incoming connections.
+
+ This policy does not affect remote access scenarios.
+
+ This policy does not prevent enterprise admins from connecting to managed $2Google ChromeOS devices.
+
+ This policy has no effect if enabled, left empty, or is not set.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+items:
+- caption: Allow remote support connections to this machine
+ value: true
+- caption: Prevent remote support connections to this machine
+ value: false
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- joedow@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:97-
+- chrome_os:97-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowUiAccessForRemoteAssistance.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowUiAccessForRemoteAssistance.yaml
new file mode 100755
index 000000000..a93041160
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowUiAccessForRemoteAssistance.yaml
@@ -0,0 +1,30 @@
+caption: Allow remote users to interact with elevated windows in remote assistance
+ sessions
+default: false
+desc: |-
+ Setting the policy to Enabled means the remote assistance host runs in a process with uiAccess permissions. This lets remote users interact with elevated windows on the local user's desktop.
+
+ Setting the policy to Disabled or leaving it unset means the remote assistance host runs in the user's context, and remote users can't interact with elevated windows on the desktop.
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+ platform_only: true
+items:
+- caption: Enable remote user interaction with elevated windows in remote assistance
+ sessions
+ value: true
+- caption: Disable remote user interaction with elevated windows in remote assistance
+ sessions
+ value: false
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- lambroslambrou@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.win:55-
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowUrlForwarding.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowUrlForwarding.yaml
new file mode 100755
index 000000000..0481fffc7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostAllowUrlForwarding.yaml
@@ -0,0 +1,30 @@
+caption: Allow remote access users to open host-side URLs in their local client browser
+default: true
+desc: |-
+ Setting the policy to Enabled or leaving it unset may allow users connected to a remote access host to open host-side URLs in their local client browser.
+
+ Setting the policy to Disabled will prevent the remote access host from sending URLs to the client.
+
+ This setting doesn't apply to remote assistance connections as the feature is not supported for that connection mode.
+
+ Note: This feature is not yet generally available so enabling it does not mean that the feature will be visible in the client UI.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+items:
+- caption: Enable remote access users to open host-side URLs in their local client browser
+ value: true
+- caption: Disable remote access users from opening host-side URLs in their local client browser
+ value: false
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- joedow@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:123-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostClientDomain.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostClientDomain.yaml
new file mode 100755
index 000000000..e2744e149
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostClientDomain.yaml
@@ -0,0 +1,20 @@
+caption: Configure the required domain name for remote access clients
+deprecated: true
+desc: This policy is deprecated. Please use RemoteAccessHostClientDomainList
+ instead.
+example_value: my-awesome-domain.com
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- joedow@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:22-
+- chrome_os:41-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostClientDomainList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostClientDomainList.yaml
new file mode 100755
index 000000000..3cc276147
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostClientDomainList.yaml
@@ -0,0 +1,31 @@
+caption: Configure the required domain names for remote access clients
+desc: |-
+ Setting the policy specifies the client domain names that are imposed on remote access clients, and users can't change them. Only clients from one of the specified domains can connect to the host.
+
+ Setting the policy to an empty list or leaving it unset applies the default policy for the connection type. For remote assistance, this allows clients from any domain to connect to the host. For anytime remote access, only the host owner can connect.
+
+ See also RemoteAccessHostDomainList.
+
+ Note: This setting overrides RemoteAccessHostClientDomain, if present.
+example_value:
+- my-awesome-domain.com
+- my-auxiliary-domain.com
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- garykac@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:60-
+- chrome_os:60-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostClipboardSizeBytes.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostClipboardSizeBytes.yaml
new file mode 100755
index 000000000..01eaeca31
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostClipboardSizeBytes.yaml
@@ -0,0 +1,35 @@
+caption: The maximum size, in bytes, that can be transferred between client and host
+ via clipboard synchronization
+default: null
+desc: |-
+ If this policy is set, clipboard data sent to and from the host will be truncated to the limit set by this policy.
+
+ If a value of 0 is set, then clipboard sync is disabled.
+
+ This policy affects both remote access and remote support scenarios.
+
+ This policy has no effect if it is not set.
+
+ Setting the policy to a value that is not within the min/max range may prevent the host from starting.
+
+ Please note that the actual upper bound for the clipboard size is based on the maximum WebRTC data channel message size which this policy does not control.
+example_value: 1048576
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- joedow@chromium.org
+schema:
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+supported_on:
+- chrome.*:97-
+- chrome_os:97-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostDebugOverridePolicies.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostDebugOverridePolicies.yaml
new file mode 100755
index 000000000..295b28894
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostDebugOverridePolicies.yaml
@@ -0,0 +1,21 @@
+caption: Policy overrides for Debug builds of the remote access host
+deprecated: true
+desc: |-
+ Overrides policies on Debug builds of the remote access host.
+
+ The value is parsed as a JSON dictionary of policy name to policy value mappings.
+example_value: '{ "RemoteAccessHostMatchUsername": true }'
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:25-47
+- chrome_os:42-47
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostDomain.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostDomain.yaml
new file mode 100755
index 000000000..862e26a89
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostDomain.yaml
@@ -0,0 +1,20 @@
+caption: Configure the required domain name for remote access hosts
+deprecated: true
+desc: This policy is deprecated. Please use RemoteAccessHostDomainList
+ instead.
+example_value: my-awesome-domain.com
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- yuweih@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:22-
+- chrome_os:41-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostDomainList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostDomainList.yaml
new file mode 100755
index 000000000..c534d2849
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostDomainList.yaml
@@ -0,0 +1,31 @@
+caption: Configure the required domain names for remote access hosts
+desc: |-
+ Setting the policy specifies the host domain names that are imposed on remote access hosts, and users can't change them. Hosts can be shared only using accounts registered on one of the specified domain names.
+
+ Setting the policy to an empty list or leaving it unset means hosts can be shared using any account.
+
+ See also RemoteAccessHostClientDomainList.
+
+ Note: This setting will override RemoteAccessHostDomain, if present.
+example_value:
+- my-awesome-domain.com
+- my-auxiliary-domain.com
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- yuweih@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:60-
+- chrome_os:60-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostEnableUserInterface.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostEnableUserInterface.yaml
new file mode 100755
index 000000000..7b82d4473
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostEnableUserInterface.yaml
@@ -0,0 +1,31 @@
+caption: Enable connection-related UI on the host desktop when a connection is active
+default: true
+desc: |-
+ If this policy is disabled, connection related UI (e.g. the disconnect window) will not be shown for non-curtained remote access connections. Curtained remote access sessions and remote support sessions are not affected by this policy.
+
+ This policy has no effect if it is set to true, left empty, or is not set.
+example_value: false
+features:
+ dynamic_refresh: true
+ internal_only: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+items:
+- caption: Enable connection-related UI on the remote host desktop when a connection
+ is active
+ value: true
+- caption: Disable connection-related UI on the remote host desktop when a connection
+ is active
+ value: false
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- joedow@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:88-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostFirewallTraversal.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostFirewallTraversal.yaml
new file mode 100755
index 000000000..334f526df
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostFirewallTraversal.yaml
@@ -0,0 +1,27 @@
+caption: Enable firewall traversal from remote access host
+desc: |-
+ Setting the policy to Enabled or leaving it unset allows the usage of STUN servers, letting remote clients discover and connect to this machine, even if separated by a firewall.
+
+ Setting the policy to Disabled when outgoing UDP connections are filtered by the firewall means the machine only allows connections from client machines within the local network.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+items:
+- caption: Enable firewall traversal from remote access host
+ value: true
+- caption: Disable firewall traversal from remote access host
+ value: false
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:14-
+- chrome_os:41-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostMatchUsername.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostMatchUsername.yaml
new file mode 100755
index 000000000..49ac73e1c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostMatchUsername.yaml
@@ -0,0 +1,26 @@
+caption: Require that the name of the local user and the remote access host owner
+ match
+desc: |-
+ Setting the policy to Enabled has the remote access host compare the name of the local user the host is associated with and the name of the Google Account registered as the host owner ("johndoe," if the host is owned by "johndoe@example.com"). This host won't start if the host owner's name differs from the name of the local user that the host is associated with. To enforce that the owner's Google Account is associated with a specific domain, use the policy with RemoteAccessHostDomain.
+
+ Setting the policy to Disabled or leaving it unset means the remote access host can be associated with any local user.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+items:
+- caption: Require matching local user and remote access host owner
+ value: true
+- caption: Do not require matching local user and remote access host owner
+ value: false
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.linux:25-
+- chrome.mac:25-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostMaximumSessionDurationMinutes.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostMaximumSessionDurationMinutes.yaml
new file mode 100755
index 000000000..6d6182712
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostMaximumSessionDurationMinutes.yaml
@@ -0,0 +1,25 @@
+caption: Maximum session duration allowed for remote access connections
+default: null
+desc: |-
+ If this policy is set, remote access connections will automatically disconnect after the number of minutes defined in the policy have elapsed. This does not prevent the client from reconnecting after the maximum session duration has been reached. Setting the policy to a value that is not within the min/max range may prevent the host from starting. This policy does not affect remote support scenarios.
+
+ This policy has no effect if it is not set. In this case, remote access connections will have no maximum duration on this machine.
+example_value: 1200
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- joedow@chromium.org
+schema:
+ maximum: 10080
+ minimum: 30
+ type: integer
+supported_on:
+- chrome.*:89-
+tags: []
+type: int
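Review bot: The `desc` warns that a value outside the min/max range may prevent the host from starting, but it never says what the range is; the limits appear only under `schema` (`minimum: 30`, `maximum: 10080`). An administrator who reads only the description cannot tell which values are safe. I would add to the first paragraph: `The value must be between 30 and 10080 minutes (7 days).`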
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostRequireCurtain.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostRequireCurtain.yaml
new file mode 100755
index 000000000..b7b4c2919
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostRequireCurtain.yaml
@@ -0,0 +1,28 @@
+caption: Enable curtaining of remote access hosts
+desc: |-
+ Setting the policy to Enabled turns off remote access hosts' physical input and output devices during a remote connection.
+
+ Setting the policy to Disabled or leaving it unset lets both local and remote users interact with the host while it's shared.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+items:
+- caption: Enable curtaining of the remote access host
+ value: true
+- caption: Disable curtaining of the remote access host
+ value: false
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- garykac@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:23-
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostRequireTwoFactor.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostRequireTwoFactor.yaml
new file mode 100755
index 000000000..635da0a99
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostRequireTwoFactor.yaml
@@ -0,0 +1,23 @@
+caption: Enable two-factor authentication for remote access hosts
+deprecated: true
+desc: |-
+ Enables two-factor authentication for remote access hosts instead of a user-specified PIN.
+
+ If this setting is enabled, then users must provide a valid two-factor code when accessing a host.
+
+ If this setting is disabled or not set, then two-factor will not be enabled and the default behavior of having a user-defined PIN will be used.
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- lambroslambrou@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:22-22
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTalkGadgetPrefix.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTalkGadgetPrefix.yaml
new file mode 100755
index 000000000..dd79cd0dd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTalkGadgetPrefix.yaml
@@ -0,0 +1,28 @@
+caption: Configure the TalkGadget prefix for remote access hosts
+deprecated: true
+desc: |-
+ Configures the TalkGadget prefix that will be used by remote access hosts and prevents users from changing it.
+
+ If specified, this prefix is prepended to the base TalkGadget name to create a full domain name for the TalkGadget. The base TalkGadget domain name is '.talkgadget.google.com'.
+
+ If this setting is enabled, then hosts will use the custom domain name when accessing the TalkGadget instead of the default domain name.
+
+ If this setting is disabled or not set, then the default TalkGadget domain name ('chromoting-host.talkgadget.google.com') will be used for all hosts.
+
+ Remote access clients are not affected by this policy setting. They will always use 'chromoting-client.talkgadget.google.com' to access the TalkGadget.
+example_value: chromoting-host
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- joedow@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:22-75
+- chrome_os:41-75
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTokenUrl.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTokenUrl.yaml
new file mode 100755
index 000000000..2c55546ba
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTokenUrl.yaml
@@ -0,0 +1,26 @@
+caption: URL where remote access clients should obtain their authentication token
+deprecated: true
+desc: |-
+ Setting the policy means the remote access host requires authenticating clients to get an authentication token from this URL to connect.
+
+ This feature is disabled if empty or not set.
+
+ Note: This policy must be used with RemoteAccessHostTokenValidationUrl.
+example_value: https://example.com/issue
+features:
+ dynamic_refresh: true
+ internal_only: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:28-127
+tags:
+- website-sharing
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTokenValidationCertificateIssuer.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTokenValidationCertificateIssuer.yaml
new file mode 100755
index 000000000..3714646a6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTokenValidationCertificateIssuer.yaml
@@ -0,0 +1,23 @@
+caption: Client certificate for connecting to RemoteAccessHostTokenValidationUrl
+deprecated: true
+desc: Setting the policy means the remote access host uses a client certificate with
+ the given issuer CN to authenticate to RemoteAccessHostTokenValidationUrl.
+ To use any available client certificate, set it to *.
+ This feature is disabled if empty or not set.
+example_value: Example Certificate Authority
+features:
+ dynamic_refresh: true
+ internal_only: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:28-127
+tags: []
+type: string
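Review bot: The `desc` offers `*` as a value without saying what it gives up: with `*` the host authenticates to RemoteAccessHostTokenValidationUrl with any available client certificate rather than one from a chosen issuer. A short caveat would help, for example `Prefer a specific issuer CN; * lets the host present any available client certificate.` The `desc` is also written as a folded plain scalar, whereas the other RemoteAccess files in this patch use `desc: |-`, so its three sentences fold into a single paragraph.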
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTokenValidationUrl.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTokenValidationUrl.yaml
new file mode 100755
index 000000000..ac98c790f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostTokenValidationUrl.yaml
@@ -0,0 +1,25 @@
+caption: URL for validating remote access client authentication token
+deprecated: true
+desc: |-
+ Setting the policy means the remote access host uses this URL to validate authentication tokens from remote access clients to accept connections. This feature is disabled if empty or not set.
+
+ Note: Use the policy with RemoteAccessHostTokenUrl.
+example_value: https://example.com/validate
+features:
+ dynamic_refresh: true
+ internal_only: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- garykac@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:28-127
+tags:
+- website-sharing
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostUdpPortRange.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostUdpPortRange.yaml
new file mode 100755
index 000000000..925a80cff
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/RemoteAccessHostUdpPortRange.yaml
@@ -0,0 +1,25 @@
+caption: Restrict the UDP port range used by the remote access host
+desc: |-
+ Setting the policy restricts the UDP port range used by the remote access host in this machine.
+
+ Leaving the policy unset or set to an empty string means the remote access host can use any available port.
+
+ Note: If RemoteAccessHostFirewallTraversal is Disabled, the remote access host will use UDP ports in the 12400-12409 range.
+example_value: 12400-12409
+features:
+ dynamic_refresh: true
+ per_profile: false
+ platform_only: true
+future_on:
+- fuchsia
+owners:
+- file://remoting/OWNERS
+- jamiewalch@chromium.org
+- yuweih@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:36-
+- chrome_os:41-
+tags: []
+type: string
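Review bot: The `desc` does not say how the range string must be written, and `schema` is a bare `type: string`, so the only hint is `example_value: 12400-12409`. Firewall rules are usually written against this range, and how a malformed value is treated (rejected, or handled as unset so that any port may be used) is not visible here. I would add a sentence such as `Specify the range as <min>-<max>, for example 12400-12409.` and, if the schema validator supports it, a `pattern` for that form.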
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/policy_atomic_groups.yaml
new file mode 100755
index 000000000..06fcc7927
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/RemoteAccess/policy_atomic_groups.yaml
@@ -0,0 +1,32 @@
+RemoteAccess:
+ caption: Remote access
+ policies:
+ - RemoteAccessClientFirewallTraversal
+ - RemoteAccessHostClientDomain
+ - RemoteAccessHostClientDomainList
+ - RemoteAccessHostFirewallTraversal
+ - RemoteAccessHostDomain
+ - RemoteAccessHostDomainList
+ - RemoteAccessHostRequireTwoFactor
+ - RemoteAccessHostTalkGadgetPrefix
+ - RemoteAccessHostRequireCurtain
+ - RemoteAccessHostAllowClientPairing
+ - RemoteAccessHostAllowGnubbyAuth
+ - RemoteAccessHostAllowRelayedConnection
+ - RemoteAccessHostUdpPortRange
+ - RemoteAccessHostMatchUsername
+ - RemoteAccessHostTokenUrl
+ - RemoteAccessHostTokenValidationUrl
+ - RemoteAccessHostTokenValidationCertificateIssuer
+ - RemoteAccessHostDebugOverridePolicies
+ - RemoteAccessHostAllowUiAccessForRemoteAssistance
+ - RemoteAccessHostAllowFileTransfer
+ - RemoteAccessHostEnableUserInterface
+ - RemoteAccessHostAllowRemoteAccessConnections
+ - RemoteAccessHostMaximumSessionDurationMinutes
+ - RemoteAccessHostClipboardSizeBytes
+ - RemoteAccessHostAllowRemoteSupportConnections
+ - RemoteAccessHostAllowEnterpriseRemoteSupportConnections
+ - RemoteAccessHostAllowEnterpriseFileTransfer
+ - RemoteAccessHostAllowUrlForwarding
+ - RemoteAccessHostAllowPinAuthentication
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/.group.details.yaml
new file mode 100755
index 000000000..963b9ba92
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Saml user identity management settings
+desc: Controls settings for users authenticated via SAML with an external IdP
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/LockScreenReauthenticationEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/LockScreenReauthenticationEnabled.yaml
new file mode 100755
index 000000000..0e7b3933c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/LockScreenReauthenticationEnabled.yaml
@@ -0,0 +1,23 @@
+caption: Enables online re-authentication on lock screen for SAML users
+desc: |-
+ Enables online user signin on a lock screen. If the policy is set to true online re-authentication on the lock screen is triggered e.g. by SAMLOfflineSigninTimeLimit.
+ The re-authentication is enforced immediately when on the lock screen or next time a user locks the screen after the condition is met.
+ If the policy is set to false or unset users can always unlock the screen with their local credentials.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enforce online logins on the login and lock screens
+ value: true
+- caption: Only enforce online logins on the login screen
+ value: false
+owners:
+- mslus@chromium.org
+- emaxx@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:98-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/SAMLOfflineSigninTimeLimit.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/SAMLOfflineSigninTimeLimit.yaml
new file mode 100755
index 000000000..48d7ec7a0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/SAMLOfflineSigninTimeLimit.yaml
@@ -0,0 +1,25 @@
+caption: Limit the time for which a user authenticated via SAML can log in offline
+desc: |-
+ During login, $2Google ChromeOS can authenticate against a server (online) or using a cached password (offline).
+
+ When this policy is set to a value of -1, the user can authenticate offline indefinitely. When this policy is set to any other value, it specifies the length of time since the last online authentication after which the user must use online authentication again.
+
+ Leaving this policy not set will make $2Google ChromeOS use a default time limit of 14 days after which the user must use online authentication again.
+
+ This policy affects only users who authenticated using SAML.
+
+ The policy value should be specified in seconds.
+example_value: 32
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ minimum: -1
+ type: integer
+supported_on:
+- chrome_os:34-
+tags: []
+type: int
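Review bot: `example_value: 32` is 32 seconds under the unit stated in `desc`, so an administrator who copies it would require online authentication at nearly every login. A value such as `example_value: 1209600` (the 14-day default the `desc` mentions) would be a safer model. `schema` has `minimum: -1`, which also admits 0, and the `desc` does not say what 0 means. It would also help to state the consequence of -1: offline login with the cached password is then never time-limited, so a password change or account suspension at the identity provider is presumably not enforced at login until the user authenticates online.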
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/SamlInSessionPasswordChangeEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/SamlInSessionPasswordChangeEnabled.yaml
new file mode 100755
index 000000000..b83343030
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/SamlInSessionPasswordChangeEnabled.yaml
@@ -0,0 +1,29 @@
+caption: Password synchronization between third-party SSO providers and Chrome devices
+default: false
+desc: |-
+ Enables SAML password sync between multiple Chrome devices by monitoring the value of password sync token and sending a user through the online re-authentication if password was updated and needs to be synchronized.
+
+ Enables a page at chrome://password-change that lets SAML users change their SAML passwords while in-session, which ensures that the SAML password and the device lockscreen password are kept in-sync.
+
+ This policy also enables notifications that warn SAML users if their SAML passwords are soon to expire so that they can deal with this immediately by doing an in-session password change.
+ But, these notifications will only be shown if password expiry information is sent to the device by the SAML identity provider during the SAML login flow.
+
+ Setting this policy to Disabled or not set, SAML password can't be changed at chrome://password-change and there won't be any notification when SAML passwords are soon to expire.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Trigger authentication flows to synchronize passwords with SSO providers
+ value: true
+- caption: Do not trigger authentication flows for password synchronization
+ value: false
+owners:
+- mslus@chromium.org
+- rsorokin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:98-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/SamlPasswordExpirationAdvanceWarningDays.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/SamlPasswordExpirationAdvanceWarningDays.yaml
new file mode 100755
index 000000000..0cbad6276
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SAML/SamlPasswordExpirationAdvanceWarningDays.yaml
@@ -0,0 +1,25 @@
+caption: How many days in advance to notify SAML users when their password is due
+ to expire
+desc: |-
+ This policy has no effect unless SamlInSessionPasswordChangeEnabled is true.
+ If that policy is true, and this policy is set to (for example) 14, that means SAML users will be notified 14 days in advance that their password is due to expire on a certain date.
+ Then they can deal with this immediately by doing an in-session password change and updating their password before it expires.
+ But, these notifications will only be shown if password expiry information is sent to the device by the SAML identity provider during the SAML login flow.
+ Setting this policy to zero means the users will not be notified in advance - they will only be notified once the password has already expired.
+
+ If this policy is set, the user cannot change or override it.
+example_value: 14
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- mslus@chromium.org
+- rsorokin@chromium.org
+schema:
+ maximum: 90
+ minimum: 0
+ type: integer
+supported_on:
+- chrome_os:98-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/.group.details.yaml
new file mode 100755
index 000000000..9e0a55a75
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Safe Browsing settings
+desc: Configure Safe Browsing related policies.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/DisableSafeBrowsingProceedAnyway.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/DisableSafeBrowsingProceedAnyway.yaml
new file mode 100755
index 000000000..a14e7d861
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/DisableSafeBrowsingProceedAnyway.yaml
@@ -0,0 +1,30 @@
+caption: Disable proceeding from the Safe Browsing warning page
+desc: |-
+ Setting the policy to Enabled prevents users from proceeding past the warning page the Safe Browsing service shows to the malicious site. This policy only prevents users from proceeding on Safe Browsing warnings such as malware and phishing, not for SSL certificate-related issues such as invalid or expired certificates.
+
+ Setting the policy to Disabled or leaving it unset means users can choose to proceed to the flagged site after the warning appears.
+
+ See more about Safe Browsing ( https://developers.google.com/safe-browsing ).
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Do not allow user to bypass Safe Browsing warning
+ value: true
+- caption: Allow user to bypass Safe Browsing warning
+ value: false
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:22-
+- chrome_os:22-
+- android:30-
+- ios:88-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/PasswordProtectionChangePasswordURL.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/PasswordProtectionChangePasswordURL.yaml
new file mode 100755
index 000000000..615d73762
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/PasswordProtectionChangePasswordURL.yaml
@@ -0,0 +1,25 @@
+caption: Configure the change password URL.
+desc: |-
+ Setting the policy sets the URL for users to change their password after seeing a warning in the browser. The password protection service sends users to the URL (HTTP and HTTPS protocols only) you designate through this policy. For $1Google Chrome to correctly capture the salted hash of the new password on this change password page, make sure your change password page follows these guidelines ( https://www.chromium.org/developers/design-documents/create-amazing-password-forms ).
+
+ Turning the policy off or leaving it unset means the service sends users to https://myaccount.google.com to change their password.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+example_value: https://mydomain.com/change_password.html
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- nwokedi@chromium.org
+- nparker@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome.*:69-
+- chrome_os:69-
+tags: []
+type: string
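Review bot: The `desc` accepts plain HTTP for the change-password page (`HTTP and HTTPS protocols only`) and `schema` is an unconstrained `type: string`, yet this is the page where the user types a new password. Over HTTP that password crosses the network unencrypted, so the `desc` should steer administrators to HTTPS, for example `Use an HTTPS URL; HTTP is accepted but exposes the new password in transit.` The same applies to the login pages listed in PasswordProtectionLoginURLs.yaml later in this patch, whose `desc` uses the same wording.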
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/PasswordProtectionLoginURLs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/PasswordProtectionLoginURLs.yaml
new file mode 100755
index 000000000..fb806f39c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/PasswordProtectionLoginURLs.yaml
@@ -0,0 +1,30 @@
+caption: Configure the list of enterprise login URLs where password protection service
+ should capture salted hashes of passwords.
+desc: |-
+ Setting the policy sets the list of enterprise login URLs (HTTP and HTTPS protocols only). Password protection service will capture salted hashes of passwords on these URLs and use them for password reuse detection. For $1Google Chrome to correctly capture password salted hashes, ensure your sign-in pages follow these guidelines ( https://www.chromium.org/developers/design-documents/create-amazing-password-forms ).
+
+ Turning this setting off or leaving it unset means the password protection service only captures the password salted hashes on https://accounts.google.com.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+example_value:
+- https://mydomain.com/login.html
+- https://login.mydomain.com
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- nwokedi@chromium.org
+- nparker@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:69-
+- chrome_os:69-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/PasswordProtectionWarningTrigger.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/PasswordProtectionWarningTrigger.yaml
new file mode 100755
index 000000000..3253bc287
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/PasswordProtectionWarningTrigger.yaml
@@ -0,0 +1,46 @@
+caption: Password protection warning trigger
+desc: |-
+ Setting the policy lets you control the triggering of password protection warning. Password protection alerts users when they reuse their protected password on potentially suspicious sites.
+
+ Use PasswordProtectionLoginURLs and PasswordProtectionChangePasswordURL to set which password to protect.
+
+ If this policy is set to:
+
+ * PasswordProtectionWarningOff, no password protection warning will be shown.
+
+ * PasswordProtectionWarningOnPasswordReuse, password protection warning will be shown when the user reuses their protected password on a non-allowed site.
+
+ * PasswordProtectionWarningOnPhishingReuse, password protection warning will be shown when the user reuses their protected password on a phishing site.
+
+ Leaving the policy unset has the password protection service only protect Google passwords, but users can change this setting.
+example_value: 1
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Password protection warning is off
+ name: PasswordProtectionWarningOff
+ value: 0
+- caption: Password protection warning is triggered by password reuse
+ name: PasswordProtectionWarningOnPasswordReuse
+ value: 1
+- caption: Password protection warning is triggered by password reuse on phishing
+ page
+ name: PasswordProtectionWarningOnPhishingReuse
+ value: 2
+owners:
+- nwokedi@chromium.org
+- nparker@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:69-
+- chrome_os:69-
+tags: []
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingAllowlistDomains.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingAllowlistDomains.yaml
new file mode 100755
index 000000000..c120151d8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingAllowlistDomains.yaml
@@ -0,0 +1,31 @@
+caption: Configure the list of domains on which Safe Browsing will not trigger warnings.
+desc: |-
+ Setting the policy to Enabled means Safe Browsing will trust the domains you designate. It won't check them for dangerous resources such as phishing, malware, or unwanted software. Safe Browsing's download protection service won't check downloads hosted on these domains. Its password protection service won't check for password reuse.
+
+ Leaving the policy unset means default Safe Browsing protection applies to all resources.
+
+ This policy does not support regular expressions; however, subdomains of a given domain are allowlisted. Fully qualified domain names (FQDNs) are not required.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+example_value:
+- mydomain.com
+- myuniversity.edu
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- nwokedi@chromium.org
+- nparker@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:86-
+- chrome_os:86-
+tags: []
+type: list
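Review bot: The first `desc` paragraph says `Setting the policy to Enabled`, but the policy is `type: list` with an array schema, so there is no Enabled state to set. The opening would read more accurately as `Setting the policy means Safe Browsing will trust the domains you designate.` Because subdomains of each entry are allowlisted too, and the exemption covers phishing, malware, download and password-reuse checks, the text should also advise keeping entries narrow, for example `Add only domains you control; every subdomain of an entry is exempted as well.`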
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingDeepScanningEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingDeepScanningEnabled.yaml
new file mode 100755
index 000000000..cf8105673
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingDeepScanningEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Allow download deep scanning for Safe Browsing-enabled users
+default: true
+desc: |-
+ When this policy is enabled or left unset, $1Google Chrome can send suspicious downloads from Safe Browsing-enabled users to Google to scan for malware, or prompt users to provide a password for encrypted archives.
+ When this policy is disabled, this scanning will not be performed.
+ This policy does not impact download content analysis configured by Chrome Enterprise Connectors.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable Safe Browsing download deep scans
+ value: true
+- caption: Disable Safe Browsing download deep scans
+ value: false
+owners:
+- drubery@chromium.org
+- file://components/safe_browsing/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome.*:119-
+- chrome_os:119-
+tags:
+- google-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingEnabled.yaml
new file mode 100755
index 000000000..c21bca318
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingEnabled.yaml
@@ -0,0 +1,39 @@
+caption: Enable Safe Browsing
+deprecated: true
+desc: |-
+ This policy is deprecated in $1Google Chrome 83, please use SafeBrowsingProtectionLevel instead.
+
+ Setting the policy to Enabled keeps Chrome's Safe Browsing feature on. Setting the policy to Disabled keeps Safe Browsing off.
+
+ If you set this policy, users can't change it or override the "Enable phishing and malware protection" setting in Chrome. If not set, "Enable phishing and malware protection" is set to True, but the user can change it.
+
+ See more about Safe Browsing ( https://developers.google.com/safe-browsing ).
+
+ If the policy SafeBrowsingProtectionLevel is set, the value of the policy SafeBrowsingEnabled is ignored.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable Safe Browsing
+ value: true
+- caption: Disable Safe Browsing
+ value: false
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:30-
+- ios:88-
+tags:
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingExtendedReportingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingExtendedReportingEnabled.yaml
new file mode 100755
index 000000000..1023bc939
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingExtendedReportingEnabled.yaml
@@ -0,0 +1,38 @@
+arc_support: This policy is not supported within Arc.
+caption: Enable Safe Browsing Extended Reporting
+default: null
+desc: |-
+ Setting the policy to Enabled turns on $1Google Chrome's Safe Browsing Extended Reporting, which sends some system information and page content to Google servers to help detect dangerous apps and sites.
+
+ Setting the policy to Disabled means reports are never sent.
+
+ If you set this policy, users can't change it. If not set, users can decide whether to send reports or not.
+
+ See more about Safe Browsing ( https://developers.google.com/safe-browsing ).
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Enable reporting of system information and page content to help improve
+ Safe Browsing
+ value: true
+- caption: Disable reporting of system information and page content which are used
+ to help improve Safe Browsing
+ value: false
+- caption: Allow the user to decide
+ value: null
+owners:
+- nwokedi@chromium.org
+- nparker@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:66-
+- chrome_os:66-
+- 'android: 87-'
+tags:
+- google-sharing
+type: main
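Review bot: The `supported_on` entry `'android: 87-'` has a space after the colon, which is why it had to be quoted. The other entries in this commit are written without it, for example `android:87-` in SafeBrowsingProtectionLevel.yaml. Whether the template parser trims that space is not visible here; if it does not, the Android version range for this data-sharing policy may be misread. Writing `- android:87-` removes the doubt.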
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingProtectionLevel.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingProtectionLevel.yaml
new file mode 100755
index 000000000..0d3d8c5c9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingProtectionLevel.yaml
@@ -0,0 +1,52 @@
+arc_support: This policy is not supported within Arc.
+caption: Safe Browsing Protection Level
+desc: |-
+ Allows you to control whether $1Google Chrome's Safe Browsing feature is enabled and the mode it operates in.
+
+ If this policy is set to 'NoProtection' (value 0), Safe Browsing is never active.
+
+ If this policy is set to 'StandardProtection' (value 1, which is the default), Safe Browsing is always active in the standard mode.
+
+ If this policy is set to 'EnhancedProtection' (value 2), Safe Browsing is always active in the enhanced mode, which provides better security, but requires sharing more browsing information with Google.
+
+ If you set this policy as mandatory, users cannot change or override the Safe Browsing setting in $1Google Chrome.
+
+ If this policy is left not set, Safe Browsing will operate in Standard Protection mode but users can change this setting.
+
+ See https://support.google.com/chrome?p=safe_browsing_preferences for more info on Safe Browsing.
+example_value: 2
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Safe Browsing is never active.
+ name: NoProtection
+ value: 0
+- caption: Safe Browsing is active in the standard mode.
+ name: StandardProtection
+ value: 1
+- caption: Safe Browsing is active in the enhanced mode. This mode provides better
+ security, but requires sharing more browsing information with Google.
+ name: EnhancedProtection
+ value: 2
+owners:
+- vakh@chromium.org
+- file://components/safe_browsing/OWNERS
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome.*:83-
+- chrome_os:83-
+- android:87-
+- ios:88-
+tags:
+- google-sharing
+- system-security
+type: int-enum
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingProxiedRealTimeChecksAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingProxiedRealTimeChecksAllowed.yaml
new file mode 100755
index 000000000..9575c96f8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingProxiedRealTimeChecksAllowed.yaml
@@ -0,0 +1,46 @@
+caption: Allow Safe Browsing Proxied Real Time Checks
+default: true
+desc: |-
+ This controls whether Safe Browsing's standard protection mode is allowed to
+ send partial hashes of URLs to Google through a proxy via Oblivious HTTP
+ in order to determine whether they are safe to visit.
+
+ The proxy allows browsers to upload partial hashes of URLs to Google
+ without them being linked to the user's IP address. The policy also allows
+ browsers to upload the partial hashes of URLs with higher frequency for
+ better Safe Browsing protection quality.
+
+ This policy will be ignored if Safe Browsing is disabled or set to enhanced
+ protection mode.
+
+ Setting the policy to Enabled or leaving it unset allows the
+ higher-protection proxied lookups.
+
+ Setting the policy to Disabled disallows the higher-protection proxied
+ lookups. Partial hashes of URLs will be uploaded to Google directly with much
+ lower frequency, which will degrade protection.
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow higher-protection proxied lookups
+ value: true
+- caption: Don't allow higher-protection proxied lookups
+ value: false
+owners:
+- file://components/safe_browsing/OWNERS
+- thefrog@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:118-
+- chrome_os:118-
+- ios:118-
+- android:119-
+tags:
+- google-sharing
+- system-security
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingSurveysEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingSurveysEnabled.yaml
new file mode 100755
index 000000000..e9eef1b51
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/SafeBrowsingSurveysEnabled.yaml
@@ -0,0 +1,27 @@
+caption: Allow Safe Browsing Surveys
+desc: |-
+ When this policy is enabled or left unset, the user may receive surveys related to Safe Browsing.
+ When this policy is disabled, the user will not receive surveys related to Safe Browsing.
+default: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable receiving Safe Browsing surveys
+ value: true
+- caption: Disable receiving Safe Browsing surveys
+ value: false
+owners:
+- nwokedi@chromium.org
+- file://components/safe_browsing/OWNERS
+future_on:
+- fuchsia
+schema:
+ type: boolean
+supported_on:
+- chrome.*:117-
+- chrome_os:117-
+tags:
+- google-sharing
+type: main
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/policy_atomic_groups.yaml
new file mode 100755
index 000000000..2d7e44c81
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SafeBrowsing/policy_atomic_groups.yaml
@@ -0,0 +1,17 @@
+PasswordProtection:
+ caption: Password protection
+ policies:
+ - PasswordProtectionWarningTrigger
+ - PasswordProtectionLoginURLs
+ - PasswordProtectionChangePasswordURL
+SafeBrowsing:
+ caption: Safe Browsing settings
+ policies:
+ - SafeBrowsingEnabled
+ - SafeBrowsingExtendedReportingEnabled
+ - SafeBrowsingProtectionLevel
+ - SafeBrowsingAllowlistDomains
+ - SafeBrowsingProxiedRealTimeChecksAllowed
+ - SafeBrowsingSurveysEnabled
+ - SafeBrowsingDeepScanningEnabled
+ - DisableSafeBrowsingProceedAnyway
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/.group.details.yaml
new file mode 100755
index 000000000..dec89fdf2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/.group.details.yaml
@@ -0,0 +1,4 @@
+caption: Allow or deny screen capture
+desc: |-
+ Configure policies to control the level of screen-share APIs (e.g., getDisplayMedia() or the Desktop Capture extension API)
+ that a site may capture (e.g. tab, window or desktop capture).
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/MultiScreenCaptureAllowedForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/MultiScreenCaptureAllowedForUrls.yaml
new file mode 100755
index 000000000..556d0ea88
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/MultiScreenCaptureAllowedForUrls.yaml
@@ -0,0 +1,23 @@
+caption: Enables automatic screencapture of multiple screens
+desc: |-
+ The getAllScreensMedia API allows isolated web applications (identified by their origin) to capture multiple surfaces at once without additional user permission.
+ If the policy is not set, getAllScreensMedia is not available for any web application.
+ In order to improve privacy, this policy will not support mid-session updates of the policy value and therefore changes will only apply after the user logged out and logged in again.
+ The user can be sure that no additional apps will be able to capture the screens after login if it were not allowed at session start already.
+example_value:
+- isolated-app://pt2jysa7yu326m2cbu5mce4rrajvguagronrsqwn5dhbaris6eaaaaic
+features:
+ # intentional!
+ dynamic_refresh: false
+ per_profile: true
+owners:
+- file://chrome/browser/media/webrtc/OWNERS
+- simonha@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:130-
+tags: []
+type: list
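Review bot: The comment `# intentional!` above `dynamic_refresh: false` does not say what is intentional or why; the reason appears only in the description, which rules out mid-session updates for privacy. A comment such as `# Intentionally false: the allowlist is fixed at session start so no origin gains multi-screen capture mid-session.` would keep a later editor from flipping the flag. Separately, the policy grants capture of all screens without a user prompt, yet `tags: []` is empty and the schema accepts any string. Whether entries that are not `isolated-app://` origins are rejected is not visible here and would be worth stating in the description.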
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/SameOriginTabCaptureAllowedByOrigins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/SameOriginTabCaptureAllowedByOrigins.yaml
new file mode 100755
index 000000000..62fe5d552
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/SameOriginTabCaptureAllowedByOrigins.yaml
@@ -0,0 +1,31 @@
+caption: Allow Same Origin Tab capture by these origins
+desc: |-
+ Setting the policy lets you set a list of URL patterns that can capture tabs with their same Origin.
+
+ Leaving the policy unset means that sites will not be considered for an override at this level of capture.
+
+ Note that windowed Chrome Apps with the same origin as this site will still be allowed to be captured.
+
+ If a site matches a URL pattern in this policy, the following policies will not be considered: TabCaptureAllowedByOrigins, WindowCaptureAllowedByOrigins, ScreenCaptureAllowedByOrigins, ScreenCaptureAllowed.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- alcooper@chromium.org
+- mfoltz@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:94-
+- chrome.*:95-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/ScreenCaptureAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/ScreenCaptureAllowed.yaml
new file mode 100755
index 000000000..cd09246da
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/ScreenCaptureAllowed.yaml
@@ -0,0 +1,35 @@
+caption: Allow or deny screen capture
+default: true
+desc: "If enabled or not configured (default), a Web page can use\n screen-share\
+ \ APIs (e.g., getDisplayMedia() or the Desktop Capture extension API)\n to\
+ \ prompt the user to select a tab, window or desktop to capture.\n\n When this\
+ \ policy is disabled, any calls to screen-share APIs will fail\n with an error;\
+ \ however this policy is not considered (and a site will be\n allowed to use\
+ \ screen-share APIs) if the site matches an origin pattern in\n any of the\
+ \ following policies:\n ScreenCaptureAllowedByOrigins,\n WindowCaptureAllowedByOrigins,\n TabCaptureAllowedByOrigins,\n SameOriginTabCaptureAllowedByOrigins.\n "
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow sites to prompt the user to share a video stream of their screen
+ value: true
+- caption: Do not allow sites to prompt the user to share a video stream of their
+ screen
+ value: false
+owners:
+- guidou@chromium.org
+- marinaciocea@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:81-
+- chrome_os:81-
+tags: []
+type: main
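Review bot: `desc` is written as a double-quoted scalar with `\n` escapes and backslash continuations, and it ends in a newline followed by stray whitespace, whereas the sibling ScreenCapture policies in this commit use a `desc: |-` block scalar. The quoted form makes the override list hard to review. That list matters, because it names the four policies (`ScreenCaptureAllowedByOrigins` through `SameOriginTabCaptureAllowedByOrigins`) that still allow capture when this policy is disabled. Rewriting it as a `|-` block with one policy name per line would keep the text identical apart from the trailing whitespace.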
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/ScreenCaptureAllowedByOrigins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/ScreenCaptureAllowedByOrigins.yaml
new file mode 100755
index 000000000..d042585af
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/ScreenCaptureAllowedByOrigins.yaml
@@ -0,0 +1,31 @@
+caption: Allow Desktop, Window, and Tab capture by these origins
+desc: |-
+ Setting the policy lets you set a list of URL patterns that can use Desktop, Window, and Tab Capture.
+
+ Leaving the policy unset means that sites will not be considered for an override at this level of Capture.
+
+ This policy is not considered if a site matches a URL pattern in any of the following policies: WindowCaptureAllowedByOrigins, TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins.
+
+ If a site matches a URL pattern in this policy, the ScreenCaptureAllowed will not be considered.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- alcooper@chromium.org
+- mfoltz@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:94-
+- chrome.*:95-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/TabCaptureAllowedByOrigins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/TabCaptureAllowedByOrigins.yaml
new file mode 100755
index 000000000..bcef6f0c7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/TabCaptureAllowedByOrigins.yaml
@@ -0,0 +1,33 @@
+caption: Allow Tab capture by these origins
+desc: |-
+ Setting the policy lets you set a list of URL patterns that can use Tab Capture.
+
+ Leaving the policy unset means that sites will not be considered for an override at this level of capture.
+
+ Note that windowed Chrome Apps will still be allowed to be captured.
+
+ This policy is not considered if a site matches a URL pattern in the SameOriginTabCaptureAllowedByOrigins policy.
+
+ If a site matches a URL pattern in this policy, the following policies will not be considered: WindowCaptureAllowedByOrigins, ScreenCaptureAllowedByOrigins, ScreenCaptureAllowed.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- alcooper@chromium.org
+- mfoltz@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:94-
+- chrome.*:95-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/WindowCaptureAllowedByOrigins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/WindowCaptureAllowedByOrigins.yaml
new file mode 100755
index 000000000..8a0112e4b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/WindowCaptureAllowedByOrigins.yaml
@@ -0,0 +1,31 @@
+caption: Allow Window and Tab capture by these origins
+desc: |-
+ Setting the policy lets you set a list of URL patterns that can use Window and Tab Capture.
+
+ Leaving the policy unset means that sites will not be considered for an override at this level of Capture.
+
+ This policy is not considered if a site matches a URL pattern in any of the following policies: TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins.
+
+ If a site matches a URL pattern in this policy, the following policies will not be considered: ScreenCaptureAllowedByOrigins, ScreenCaptureAllowed.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.
+example_value:
+- https://www.example.com
+- '[*.]example.edu'
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- alcooper@chromium.org
+- mfoltz@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:94-
+- chrome.*:95-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/policy_atomic_groups.yaml
new file mode 100755
index 000000000..eecb97a0d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/ScreenCapture/policy_atomic_groups.yaml
@@ -0,0 +1,8 @@
+ScreenCaptureSettings:
+ caption: Screen Capture settings
+ policies:
+ - ScreenCaptureAllowed
+ - ScreenCaptureAllowedByOrigins
+ - WindowCaptureAllowedByOrigins
+ - TabCaptureAllowedByOrigins
+ - SameOriginTabCaptureAllowedByOrigins
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/.group.details.yaml
new file mode 100755
index 000000000..14d6988e7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Screensaver Settings
+desc: Controls the screensaver settings for the device sign-in screen, and user lock screen.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenEnabled.yaml
new file mode 100755
index 000000000..2fd6d6b6d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenEnabled.yaml
@@ -0,0 +1,34 @@
+caption: Device screensaver login screen enabled.
+default: false
+desc: |-
+ Configures the device-level screensaver for the login screen.
+
+ If this policy is set to true, the $2Google ChromeOS device will show a screensaver when it is idle in the login screen.
+
+ If this policy is set to false, or unset, the screensaver will not be displayed in the login screen.
+
+ The device screensaver displays the images referenced by the DeviceScreensaverLoginScreenImages policy. If DeviceScreensaverLoginScreenImages is unset, or it is set to an empty list, or to a list without any valid images, the screensaver for the login screen will not be displayed.
+
+ The idle timeout to start the screensaver, and the interval that an image is displayed can be modified with the DeviceScreensaverLoginScreenIdleTimeoutSeconds, and the DeviceScreensaverLoginScreenDisplayIntervalSeconds policies respectively. If any of these policies are unset, their default values will be use instead.
+
+device_only: true
+example_value: true
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable the screensaver in the login screen.
+ value: true
+- caption: Do not enable the screensaver in the login screen.
+ value: false
+owners:
+- mpetrisor@google.com
+- imprivata-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:116-
+tags: []
+type: main
+generate_device_proto: False
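Review bot: The description refers to a policy named `DeviceScreensaverLoginScreenDisplayIntervalSeconds`, but the file added in this commit is `DeviceScreensaverLoginScreenImageDisplayIntervalSeconds.yaml`. An administrator searching for the documented name will not find it. The same sentence ends with `will be use instead`, which should read `will be used instead`. ScreensaverLockScreenEnabled.yaml has the same two problems, with `ScreensaverLockScreenDisplayIntervalSeconds`.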
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenIdleTimeoutSeconds.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenIdleTimeoutSeconds.yaml
new file mode 100755
index 000000000..e6b0c0904
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenIdleTimeoutSeconds.yaml
@@ -0,0 +1,27 @@
+caption: Device screensaver login screen idle timeout.
+desc: |-
+ Configures the time in seconds that the device will wait idle before showing the screensaver for the login screen.
+
+ Valid values range from 1 second to 9999 seconds. Leaving the policy unset means $2Google ChromeOS uses the default value of 7 seconds.
+
+ This policy will not have any effect when the DeviceScreensaverLoginScreenEnabled policy is set to false.
+
+device_only: true
+default: 7
+example_value: 7
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- mpetrisor@google.com
+- imprivata-eng@google.com
+schema:
+ minimum: 1
+ maximum: 9999
+ type: integer
+supported_on:
+- chrome_os:116-
+tags: []
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenImageDisplayIntervalSeconds.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenImageDisplayIntervalSeconds.yaml
new file mode 100755
index 000000000..3eacc3568
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenImageDisplayIntervalSeconds.yaml
@@ -0,0 +1,27 @@
+caption: Device screensaver login screen image display interval.
+desc: |-
+ Configures the interval in seconds to display an image when the screensaver for the login screen has multiple images to display.
+
+ Valid values range from 1 second to 9999 seconds. Leaving the policy unset means $2Google ChromeOS uses the default value of 60 seconds.
+
+ This policy will not have any effect when the DeviceScreensaverLoginScreenEnabled policy is set to false.
+
+device_only: true
+default: 60
+example_value: 60
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- mpetrisor@google.com
+- imprivata-eng@google.com
+schema:
+ minimum: 1
+ maximum: 9999
+ type: integer
+supported_on:
+- chrome_os:116-
+tags: []
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenImages.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenImages.yaml
new file mode 100755
index 000000000..e9b321144
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/DeviceScreensaverLoginScreenImages.yaml
@@ -0,0 +1,34 @@
+caption: Device screensaver login screen image source.
+desc: |-
+ Configures the list of images to display in the screensaver for the login screen.
+
+ Each item must be a URL referencing an image file. The image format must be JPEG, and the file size must not exceed 8MB. Invalid URLs and unsupported images will be ignored. The $2Google ChromeOS device will download these images, and keep them in a local cache.
+
+ The number of images to display in the screensaver is limited to 25. Only the first 25 URL entries from the list will be used.
+
+ This policy will not have any effect if the DeviceScreensaverLoginScreenEnabled policy is set to false.
+
+ If this policy is unset, or the list does not contain any valid image references, the screensaver for the login screen will not be displayed, regardless of the value set in the DeviceScreensaverLoginScreenEnabled policy.
+
+device_only: true
+default: []
+example_value:
+- https://www.example.com/img_1.jpg
+- https://www.example.com/img_2.jpg
+- https://www.example.com/img_3.jpg
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- mpetrisor@google.com
+- imprivata-eng@google.com
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:116-
+tags: []
+type: list
+generate_device_proto: False
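Review bot: The description says each item must be a URL but does not say which schemes are accepted, and the schema is a bare `type: string` array, so nothing in this file constrains it. These images are downloaded by the device and shown on the login screen before anyone has signed in, so the text should state whether `https` is required; over plain `http` the content could be altered in transit. If it matches the implementation, adding a sentence such as `Only https URLs are accepted.` to the description would settle it. ScreensaverLockScreenImages.yaml carries the same description for the lock screen.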
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenEnabled.yaml
new file mode 100755
index 000000000..d15d9ccc9
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenEnabled.yaml
@@ -0,0 +1,32 @@
+caption: User screensaver lock screen enabled.
+default: false
+desc: |-
+ Configures the user screensaver for the lock screen.
+
+ If this policy is set to true, the $2Google ChromeOS device will show a screensaver when it is idle in the lock screen.
+
+ If this policy is set to false, or unset, the screensaver will not be displayed in the lock screen.
+
+ The user screensaver displays the images referenced by the ScreensaverLockScreenImages policy. If ScreensaverLockScreenImages is unset, or it is set to an empty list, or to a list without any valid images, the screensaver for the lock screen will not be displayed.
+
+ The idle timeout to start the screensaver, and the interval that an image is displayed can be modified with the ScreensaverLockScreenIdleTimeoutSeconds, and the ScreensaverLockScreenDisplayIntervalSeconds policies respectively. If any of these policies are unset, their default values will be use instead.
+
+example_value: true
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable the screensaver in the lock screen.
+ value: true
+- caption: Do not enable the screensaver in the lock screen.
+ value: false
+owners:
+- mpetrisor@google.com
+- imprivata-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:116-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenIdleTimeoutSeconds.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenIdleTimeoutSeconds.yaml
new file mode 100755
index 000000000..d9b44040e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenIdleTimeoutSeconds.yaml
@@ -0,0 +1,25 @@
+caption: User screensaver lock screen idle timeout.
+desc: |-
+ Configures the time in seconds that the device will wait idle before showing the screensaver for the lock screen.
+
+ Valid values range from 1 second to 9999 seconds. Leaving the policy unset means $2Google ChromeOS uses the default value of 7 seconds.
+
+ This policy will not have any effect when the ScreensaverLockScreenEnabled policy is set to false.
+
+default: 7
+example_value: 7
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- mpetrisor@google.com
+- imprivata-eng@google.com
+schema:
+ minimum: 1
+ maximum: 9999
+ type: integer
+supported_on:
+- chrome_os:116-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenImageDisplayIntervalSeconds.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenImageDisplayIntervalSeconds.yaml
new file mode 100755
index 000000000..3e6d41b0a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenImageDisplayIntervalSeconds.yaml
@@ -0,0 +1,25 @@
+caption: User screensaver lock screen image display interval.
+desc: |-
+ Configures the interval in seconds to display an image when the screensaver for the lock screen has multiple images to display.
+
+ Valid values range from 1 second to 9999 seconds. Leaving the policy unset means $2Google ChromeOS uses the default value of 60 seconds.
+
+ This policy will not have any effect when the ScreensaverLockScreenEnabled policy is set to false.
+
+default: 60
+example_value: 60
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- mpetrisor@google.com
+- imprivata-eng@google.com
+schema:
+ minimum: 1
+ maximum: 9999
+ type: integer
+supported_on:
+- chrome_os:116-
+tags: []
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenImages.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenImages.yaml
new file mode 100755
index 000000000..e31dddae6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Screensaver/ScreensaverLockScreenImages.yaml
@@ -0,0 +1,32 @@
+caption: User screensaver lock screen image source.
+desc: |-
+ Configures the list of images to display in the screensaver for the lock screen.
+
+ Each item must be a URL referencing an image file. The image format must be JPEG, and the file size must not exceed 8MB. Invalid URLs and unsupported images will be ignored. The $2Google ChromeOS device will download these images, and keep them in a local cache.
+
+ The number of images to display in the screensaver is limited to 25. Only the first 25 URL entries from the list will be used.
+
+ This policy will not have any effect if the ScreensaverLockScreenEnabled policy is set to false.
+
+ If this policy is unset, or the list does not contain any valid image references, the screensaver for the lock screen will not be displayed, regardless of the value set in the ScreensaverLockScreenEnabled policy.
+
+default: []
+example_value:
+- https://www.example.com/img_1.jpg
+- https://www.example.com/img_2.jpg
+- https://www.example.com/img_3.jpg
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- mpetrisor@google.com
+- imprivata-eng@google.com
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:116-
+tags: []
+type: list
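Review bot: The `desc` says each item must be a URL but never states which schemes are accepted, and the item `schema` is a bare `type: string`, so nothing here tells an administrator whether a plain `http://` entry is fetched. These images are downloaded by the device and shown on the lock screen, so a fetch without transport authentication would let anyone on the network path choose what is displayed there. If the implementation requires HTTPS (not visible in this hunk), say so in the description, e.g. `Each item must be an HTTPS URL referencing an image file.`; if it does not, that is worth raising with the policy owners. The 25-entry and 8MB limits are likewise stated only in prose, so the description is the only place they can be checked.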
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/.group.details.yaml
new file mode 100755
index 000000000..de7a22aab
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/.group.details.yaml
@@ -0,0 +1,5 @@
+caption: Sign-in settings
+desc: Controls the behavior of the sign-in screen, where users log into their accounts.
+ Settings include who can log in, what type of accounts are allowed, what authentication
+ methods should be used, as well as general accessibility, input method and locale
+ settings.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/BoundSessionCredentialsEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/BoundSessionCredentialsEnabled.yaml
new file mode 100755
index 000000000..604d80b31
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/BoundSessionCredentialsEnabled.yaml
@@ -0,0 +1,42 @@
+owners:
+- alexilin@chromium.org
+- file://chrome/browser/signin/bound_session_credentials/OWNERS
+
+caption: Bind Google credentials to a device
+
+desc: |-
+ Controls the state of the Device Bound Session Credentials feature.
+
+ Device Bound Session Credentials protects Google authentication cookies against cookie theft by regularly providing a cryptographic proof of device possession to Google servers.
+
+ If this policy is set to false, Device Bound Session Credentials feature will be disabled.
+
+ If this policy is set to true, Device Bound Session Credentials feature will be enabled.
+
+ If this policy is unset, $1Google Chrome will follow the default rollout process for the Device Bound Session Credentials feature, which means that the feature will be gradually rolled out to an increasing number of users.
+
+supported_on:
+- chrome.win:124-
+
+features:
+ can_be_mandatory: true
+ can_be_recommended: false
+ dynamic_refresh: false
+ per_profile: true
+
+type: main
+
+schema:
+ type: boolean
+
+items:
+- caption: Enable Device Bound Session Credentials.
+ value: true
+- caption: Disable Device Bound Session Credentials.
+ value: false
+- caption: Device Bound Session Credentials may be used depending on feature launch process.
+ value: null
+
+default: null
+example_value: true
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceAllowNewUsers.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceAllowNewUsers.yaml
new file mode 100755
index 000000000..3b8da6325
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceAllowNewUsers.yaml
@@ -0,0 +1,30 @@
+arc_support: This policy controls whether new users can be added to $2ChromiumOS.
+ It does not prevent users from signing in to additional Google accounts within Android.
+ If you want to prevent this, configure the Android-specific accountTypesWithManagementDisabled
+ policy as part of ArcPolicy.
+caption: Allow creation of new user accounts
+desc: |-
+ Controls whether $2Google ChromeOS allows new user accounts to be created.
+
+ If this policy is set to false, only users present in DeviceUserAllowlist will be able to login.
+
+ If this policy is set to true or not configured, all users will be able to login.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Allow any user to sign in
+ value: true
+- caption: Restrict sign-in to a list of users
+ value: false
+owners:
+- file://components/policy/OWNERS
+- pastarmovj@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:12-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceAuthenticationFlowAutoReloadInterval.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceAuthenticationFlowAutoReloadInterval.yaml
new file mode 100755
index 000000000..70fb9cb75
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceAuthenticationFlowAutoReloadInterval.yaml
@@ -0,0 +1,38 @@
+caption: Automatically reload authentication flow on ChromeOS
+
+default: null
+
+desc: |-
+ Sets the time interval (in minutes) used to automatically reload the user's authentication flow on their $2Google ChromeOS device. This policy is introduced to handle the expiry of some services used in authentication flows when the device is left idle for some time.
+
+ When the policy is unset or has a value of zero, the authentication flow will never be reloaded.
+
+ When the policy is set to a positive value, the authentication flow will automatically be reloaded by the set interval.
+
+ The maximum possible reload interval is one week (10080 minutes).
+
+ This policy affects both login and lockscreen authentication flows.
+
+device_only: true
+
+example_value: 15
+
+features:
+ dynamic_refresh: true
+ per_profile: false
+
+supported_on:
+- chrome_os:129-
+
+owners:
+- ayag@chromium.org
+- chromeos-commercial-identity@google.com
+
+schema:
+ maximum: 10080
+ minimum: 0
+ type: integer
+
+tags: []
+
+type: int
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceAutofillSAMLUsername.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceAutofillSAMLUsername.yaml
new file mode 100755
index 000000000..853856180
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceAutofillSAMLUsername.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on Android apps.
+caption: Autofill username on SAML IdP page
+desc: |-
+ Specifies a url parameter name which will be used on the SAML IdP login page to autofill the username field.
+
+ User's email assosiated with their $2Google ChromeOS profile will be used as a value for the url parameter. So this setting should be disabled if users are expected to use different emails with SAML IdP.
+
+ If this setting is unset, users will need to manually enter their username on the SAML IdP login page.
+
+ This policy affects online authentication on sign-in and lock screens.
+device_only: true
+example_value: login_hint
+features:
+ dynamic_refresh: true
+ per_profile: false
+owners:
+- andreydav@google.com
+- chromeos-commercial-identity@google.com
+schema:
+ type: string
+supported_on:
+- chrome_os:107-
+tags:
+- website-sharing
+- local-data-access
+type: string
+generate_device_proto: False
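Review bot: The `schema` accepts any string as the URL parameter name, and the `desc` does not say which characters are allowed or whether the name is encoded before it is added to the SAML IdP URL. The name is sent to the IdP page together with the user's email, so the description should state the expected form; whether the consuming code validates it is not visible in this hunk. If the policy schema format supports it, a constraint such as `pattern: '^[A-Za-z0-9_.-]+$'` (a constructed sample, to be checked against the IdPs in use) would make the expectation explicit. The description also has a typo, `assosiated` → `associated`.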
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceEphemeralUsersEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceEphemeralUsersEnabled.yaml
new file mode 100755
index 000000000..acb1e1876
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceEphemeralUsersEnabled.yaml
@@ -0,0 +1,25 @@
+caption: Wipe user data on sign-out
+desc: |2-
+
+ Determines whether $2Google ChromeOS keeps local account data after logout. If set to true, no persistent account data are kept by $2Google ChromeOS and all data from the user session will be discarded after logout. If this policy is set to false or not configured, the device will keep (encrypted) local user data.
+
+ Note: Since M114, specific kiosk apps are allowed to override the behavior of this policy for their app for special use cases, such as student assessments.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Erase all local user data
+ value: true
+- caption: Do not erase local user data
+ value: false
+owners:
+- file://components/policy/OWNERS
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:19-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceFamilyLinkAccountsAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceFamilyLinkAccountsAllowed.yaml
new file mode 100755
index 000000000..db127c450
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceFamilyLinkAccountsAllowed.yaml
@@ -0,0 +1,30 @@
+caption: Allow addition of Family Link accounts to the device
+default: false
+desc: |-
+ Controls whether $2Google ChromeOS allows new Family Link user accounts to be added on the device.
+ This policy is only useful in combination with DeviceUserAllowlist. It allows Family Link accounts additionally to the accounts defined in the allowlist.
+ This policy does not affect the behavior of other sign-in policies. Particularly it will not have any effect when:
+ - Adding new users to the device is disabled with DeviceAllowNewUsers policy.
+ - Adding all users is allowed with DeviceUserAllowlist policy.
+
+ If this policy is set to false (or not configured), no additional rules will be applied to Family Link accounts.
+ If this policy is set to true, new Family Link user accounts will be allowed additionally to those defined in DeviceUserAllowlist.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Allow parents to add supervised accounts
+ value: true
+- caption: Do not allow parents to add supervised accounts
+ value: false
+owners:
+- agawronska@chromium.org
+- cros-families-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:87-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceGuestModeEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceGuestModeEnabled.yaml
new file mode 100755
index 000000000..28f9621e0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceGuestModeEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Enable guest mode
+desc: |-
+ If this policy is set to true or not configured, $2Google ChromeOS will enable guest logins. Guest logins are anonymous user sessions and do not require a password.
+
+ If this policy is set to false, $2Google ChromeOS will not allow guest sessions to be started.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable guest mode
+ value: true
+- caption: Disable guest mode
+ value: false
+owners:
+- file://components/policy/OWNERS
+- anqing@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:12-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenAutoSelectCertificateForUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenAutoSelectCertificateForUrls.yaml
new file mode 100755
index 000000000..704f3c218
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenAutoSelectCertificateForUrls.yaml
@@ -0,0 +1,58 @@
+caption: Automatically select client certificates for these sites on the sign-in screen
+desc: |-
+ Allows you to specify a list of url patterns that specify sites for which a client certificate is automatically selected on the sign-in screen in the frame hosting the SAML flow, if the site requests a certificate. An example usage is to configure a device-wide certificate to be presented to the SAML IdP.
+
+ The value is an array of stringified JSON dictionaries, each with the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a content setting pattern. $FILTER restricts the client certificates the browser automatically selects from. Independent of the filter, only certificates that match the server's certificate request are selected.
+
+ Examples for the usage of the $FILTER section:
+
+ * When $FILTER is set to { "ISSUER": { "CN": "$ISSUER_CN" } }, only client certificates issued by a certificate with the CommonName $ISSUER_CN are selected.
+
+ * When $FILTER contains both the "ISSUER" and the "SUBJECT" sections, only client certificates that satisfy both conditions are selected.
+
+ * When $FILTER contains a "SUBJECT" section with the "O" value, a certificate needs at least one organization matching the specified value to be selected.
+
+ * When $FILTER contains a "SUBJECT" section with a "OU" value, a certificate needs at least one organizational unit matching the specified value to be selected.
+
+ * When $FILTER is set to {}, the selection of client certificates is not additionally restricted. Note that filters provided by the web server still apply.
+
+
+
+ If this policy is left not set, no auto-selection will be done for any site.
+
+ For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
+device_only: true
+example_value:
+- '{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer
+ name", "L": "certificate issuer location", "O": "certificate issuer org", "OU":
+ "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L":
+ "certificate subject location", "O": "certificate subject org", "OU": "certificate
+ subject org unit"}}}'
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:65-
+tags:
+- website-sharing
+type: list
+validation_schema:
+ items:
+ properties:
+ filter:
+ properties:
+ ISSUER:
+ $ref: CertPrincipalFields
+ SUBJECT:
+ $ref: CertPrincipalFields
+ type: object
+ pattern:
+ type: string
+ type: object
+ type: array
+generate_device_proto: False
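Review bot: `validation_schema` gives types for `pattern` and `filter` but marks neither as required, so an entry with no `pattern` key would pass schema validation; how such an entry is treated is decided outside this hunk. Because a match causes a client certificate to be presented on the sign-in screen without a prompt, malformed entries are better rejected at validation time, for example with `required: [pattern, filter]` on the item object, assuming the schema format supports `required`. The description would also benefit from one sentence noting that a `{}` filter combined with a broad URL pattern offers any certificate matching the server's request to every matching site, so patterns should be as narrow as the SAML IdP allows.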
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenDomainAutoComplete.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenDomainAutoComplete.yaml
new file mode 100755
index 000000000..95c0ae611
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenDomainAutoComplete.yaml
@@ -0,0 +1,19 @@
+caption: Enable domain name autocomplete during user sign in
+desc: |-
+ If this policy is set to a blank string or not configured, $2Google ChromeOS will not show an autocomplete option during user sign-in flow.
+ If this policy is set to a string representing a domain name, $2Google ChromeOS will show an autocomplete option during user sign-in allowing the user to type in only their user name without the domain name extension. The user will be able to overwrite this domain name extension.
+ If the value of the policy is not a valid domain, the policy will not be applied.
+device_only: true
+example_value: students.school.edu
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ type: string
+supported_on:
+- chrome_os:44-
+tags: []
+type: string
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenExtensions.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenExtensions.yaml
new file mode 100755
index 000000000..eaa9e47ca
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenExtensions.yaml
@@ -0,0 +1,32 @@
+caption: Configure the list of installed apps and extensions on the login screen
+desc: |2-
+
+ Specifies a list of apps and extensions that are installed silently on the login screen, without user interaction, and which cannot be uninstalled or disabled by the user.
+
+ Permissions requested by the apps/extensions are granted implicitly, without user interaction, including any additional permissions requested by future versions of the app/extension. $1Google Chrome restricts the set of permissions that the extensions can request.
+
+ Note that, for security and privacy reasons, only apps and extensions that belong to the allow list bundled into $1Google Chrome can be installed. All other items will be ignored.
+
+ If an app or extension that previously had been force-installed is removed from this list, it is automatically uninstalled by $1Google Chrome.
+
+ Each list item of the policy is a string that contains an extension ID and, optionally, an "update" URL separated by a semicolon (;). The extension ID is the 32-letter string found e.g. on chrome://extensions when in developer mode. The "update" URL, if specified, should point to an update manifest XML document as described at https://developer.chrome.com/extensions/autoupdate. By default, the Chrome Web Store's update URL is used (which currently is "https://clients2.google.com/service/update2/crx"). Note that the "update" URL set in this policy is only used for the initial installation; subsequent updates of the extension employ the update URL indicated in the extension's manifest.
+
+ For example, khpfeaanjngmcnplbdlpegiifgpfgdco;https://clients2.google.com/service/update2/crx installs the Smart Card Connector app from the standard Chrome Web Store "update" URL. For more information about hosting extensions, see: https://developer.chrome.com/extensions/hosting.
+device_only: true
+example_value:
+- khpfeaanjngmcnplbdlpegiifgpfgdco;https://clients2.google.com/service/update2/crx
+features:
+ dynamic_refresh: true
+owners:
+- emaxx@chromium.org
+- hendrich@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:60-
+tags:
+- full-admin-access
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenInputMethods.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenInputMethods.yaml
new file mode 100755
index 000000000..2e4d3639f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenInputMethods.yaml
@@ -0,0 +1,22 @@
+caption: Device sign-in screen keyboard layouts
+desc: |-
+ Configures which keyboard layouts are allowed on the $2Google ChromeOS sign-in screen.
+
+ If this policy is set to a list of input method identifiers, the given input methods will be available on the sign-in screen. The first given input method will be preselected. While a user pod is focused on the sign-in screen, the user's last used input method will be available in addition to the input methods given by this policy. If this policy is not set, the input methods on the sign-in screen will be derived from the locale in which the sign-in screen is displayed. Values which are not valid input method identifiers will be ignored.
+device_only: true
+example_value:
+- xkb:us::en
+- xkb:ch::ger
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:58-
+tags: []
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenIsolateOrigins.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenIsolateOrigins.yaml
new file mode 100755
index 000000000..d82b6f2fd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenIsolateOrigins.yaml
@@ -0,0 +1,25 @@
+caption: Enable Site Isolation for specified origins
+deprecated: true
+desc: "\n This policy was removed in M77.\n This policy applies to the sign-in\
+ \ screen. Please see also the IsolateOrigins\
+ \ policy which applies to the user session.\n If the policy is enabled, each\
+ \ of the named origins in a comma-separated list will run in its own process. This\
+ \ will also isolate origins named by subdomains; e.g. specifying https://example.com/\
+ \ will also cause https://foo.example.com/ to be isolated as part of the https://example.com/\
+ \ site.\n If the policy is not configured or disabled, the platform default\
+ \ site isolation settings will be used for the sign-in screen.\n "
+device_only: true
+example_value: https://a.example.com/,https://othersite.org/,https://[*.]corp.example.com
+features:
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+schema:
+ type: string
+supported_on:
+- chrome_os:66-76
+tags:
+- system-security
+type: string
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenLocales.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenLocales.yaml
new file mode 100755
index 000000000..94e3e950a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenLocales.yaml
@@ -0,0 +1,21 @@
+caption: Device sign-in screen locale
+desc: |-
+ Configures the locale which is enforced on the $2Google ChromeOS sign-in screen.
+
+ If this policy is set, the sign-in screen will always be displayed in the locale which is given by the first value of this policy (the policy is defined as a list for forward compatibility). If this policy is not set or is set to an empty list, the sign-in screen will be displayed in the locale of the last user session. If this policy is set to a value which is not a valid locale, the sign-in screen will be displayed in a fallback locale (currently, en-US).
+device_only: true
+example_value:
+- en-US
+features:
+ dynamic_refresh: false
+owners:
+- file://components/policy/OWNERS
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:58-
+tags: []
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenPromptOnMultipleMatchingCertificates.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenPromptOnMultipleMatchingCertificates.yaml
new file mode 100755
index 000000000..4243a00f5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenPromptOnMultipleMatchingCertificates.yaml
@@ -0,0 +1,28 @@
+caption: Prompt when multiple certificates match on the sign-in screen
+default: false
+desc: |-
+ This policy controls whether the user is prompted to select a client certificate on the sign-in screen in the frame hosting the SAML flow when more than one certificate matches DeviceLoginScreenAutoSelectCertificateForUrls.
+ If this policy is set to Enabled, the user is asked to select the client certificate whenever the auto-selection policy matches multiple certificates.
+ If this policy is set to Disabled or not set, the user is never prompted to select a client certificate on the sign-in screen.
+ Note: This policy is in general not recommended, since it imposes potential privacy risks (in case device-wide TPM-backed certificates are used) and presents poor user experience.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Prompt the user to select the client certificate whenever the auto-selection
+ policy matches multiple certificates on the sign-in screen
+ value: true
+- caption: Do not prompt the user to select a client certificate on the sign-in screen
+ value: false
+owners:
+- emaxx@chromium.org
+- miersh@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:96-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenSitePerProcess.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenSitePerProcess.yaml
new file mode 100755
index 000000000..1d8d066a4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenSitePerProcess.yaml
@@ -0,0 +1,23 @@
+caption: Enable Site Isolation for every site
+deprecated: true
+desc: "\n This policy was removed in M77.\n This policy applies to the sign-in\
+ \ screen. Please see also the SitePerProcess\
+ \ policy which applies to the user session. It is recommended to set both policies\
+ \ to the same value. If the values don't match, a delay may be incurred when entering\
+ \ a user session while the value specified by user policy is being applied.\n \
+ \ "
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+owners:
+- file://components/policy/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:66-76
+tags:
+- system-security
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenSystemInfoEnforced.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenSystemInfoEnforced.yaml
new file mode 100755
index 000000000..a4a7b9ba7
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceLoginScreenSystemInfoEnforced.yaml
@@ -0,0 +1,31 @@
+caption: Force the sign-in screen to show or hide system information.
+default: null
+desc: |-
+ Specify whether the system information (e.g. ChromeOS version, device serial
+ number) is always shown (or hidden) on the login screen.
+
+ If the policy is set to true, the system information will be shown forcedly.
+ If the policy is set to false, the system information will be hidden forcedly.
+ If the policy is unset, default hehavior (being shown for Canary / Dev channel)
+ is effective. Users can toggle the visibility by specific operations (e.g., Alt-V).
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Always display system information on the sign-in screen
+ value: true
+- caption: Do not display system information on the sign-in screen
+ value: false
+- caption: Allow users to toggle the display of system information on the sign-in
+ screen
+ value: null
+owners:
+- anqing@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:79-
+tags: []
+type: main
+generate_device_proto: False
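Review bot: The description does not mention that the information it controls is visible before authentication. With the policy set to true, the ChromeOS version and device serial number named in the `desc` are displayed to anyone who can see the login screen, which helps asset identification but also discloses the build version to an unauthenticated observer. A sentence such as `When shown, this information is visible to anyone with physical access to the device.` would let administrators make that choice deliberately, and `tags: []` could be reviewed on the same grounds. The unset case also has a typo, `hehavior` → `behavior`.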
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceRunAutomaticCleanupOnLogin.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceRunAutomaticCleanupOnLogin.yaml
new file mode 100755
index 000000000..edb2cba80
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceRunAutomaticCleanupOnLogin.yaml
@@ -0,0 +1,25 @@
+caption: Control automatic cleanup during login
+default: false
+desc: |-
+ When this policy is set to true, automatic cleanup is executed during login to ensure enough free disk space is available.
+ Cleanup will only run when strictly necessary, but will still impact the login time.
+ Setting the policy to false (the default) ensures the login time is not affected.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: false
+ per_profile: false
+items:
+- caption: Run automatic disk cleanup during login
+ value: true
+- caption: Do not run automatic disk cleanup during login
+ value: false
+owners:
+- vsavu@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:99-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceSecondFactorAuthentication.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceSecondFactorAuthentication.yaml
new file mode 100755
index 000000000..17d30f2da
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceSecondFactorAuthentication.yaml
@@ -0,0 +1,38 @@
+caption: Integrated second factor authentication mode
+desc: |-
+ Specifies how the on-board secure element hardware can be used to provide a second-factor authentication if it is compatible with this feature. The machine power button is used to detect the user physical presence.
+
+ If 'Disabled' is selected, no second factor is provided.
+
+ If 'U2F' is selected, the integrated second factor will behave according the FIDO U2F specification.
+
+ If 'U2F_EXTENDED' is selected, the integrated second factor will provide the U2F functions plus some extensions for individual attestation.
+device_only: true
+example_value: 2
+features:
+ dynamic_refresh: false
+items:
+- caption: Second factor disabled
+ name: Disabled
+ value: 1
+- caption: U2F (Universal Second Factor)
+ name: U2F
+ value: 2
+- caption: U2F plus extensions for individual attestation
+ name: U2F_EXTENDED
+ value: 3
+owners:
+- vpalatin@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ type: integer
+supported_on:
+- chrome_os:61-
+tags:
+- system-security
+type: int-enum
+generate_device_proto: False
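Review bot: The `schema.enum` in this file accepts `0`, but `items` names only 1 (Disabled), 2 (U2F) and 3 (U2F_EXTENDED), and `desc` never says what 0 or an unset policy does to the integrated second factor. For a policy tagged `system-security`, an administrator should be able to tell from the definition whether 0 leaves the second factor off or falls back to a device default. Either add an `items` entry with a caption for 0 or state its effect in `desc`. LoginAuthenticationBehavior.yaml later in this patch has the same gap: its enum admits `2` while `items` documents only GAIA (0) and SAML_INTERSTITIAL (1).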
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceShowNumericKeyboardForPassword.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceShowNumericKeyboardForPassword.yaml
new file mode 100755
index 000000000..43ed74de0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceShowNumericKeyboardForPassword.yaml
@@ -0,0 +1,23 @@
+caption: Show numeric keyboard for password
+desc: |-
+ Setting the policy to true displays numeric keyboard by default for entering password on the login screen. Users still could switch to the normal keyboard.
+
+ If you set the policy, users can't change it. If not set or set to false, it has no effect.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Default to a numeric keyboard for password input
+ value: true
+- caption: Default to a standard keyboard for password input
+ value: false
+owners:
+- file://chrome/browser/ash/login/OWNERS
+schema:
+ type: boolean
+supported_on:
+- chrome_os:80-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceShowUserNamesOnSignin.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceShowUserNamesOnSignin.yaml
new file mode 100755
index 000000000..0a73043bd
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceShowUserNamesOnSignin.yaml
@@ -0,0 +1,28 @@
+caption: Show usernames on login screen
+desc: |-
+ If this policy is set to true or not configured, $2Google ChromeOS will show existing users on the login screen and allow to pick one.
+
+ If this policy is set to false, $2Google ChromeOS will not show existing users on the login screen. The normal sign-in screen (prompting for the user email and password or phone) or the SAML interstitial screen (if enabled via the LoginAuthenticationBehavior policy) will be shown, unless a Managed Session is configured. When a Managed Session is configured, only the Managed Session accounts will be shown, allowing to pick one of them.
+
+ Note that this policy does not affect whether the device keeps or discards the local user data.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Always show user names and photos
+ value: true
+- caption: Never show user names and photos
+ value: false
+owners:
+- dkuzmin@google.com
+- antrim@chromium.org
+- cros-oobe@google.com
+- cros-lurs@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:12-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceStartUpFlags.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceStartUpFlags.yaml
new file mode 100755
index 000000000..2c50bbac6
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceStartUpFlags.yaml
@@ -0,0 +1,25 @@
+caption: System wide flags to be applied on $1Google Chrome
+ start-up
+deprecated: true
+desc: |-
+ This policy is deprecated and removed in M66, because it was used only for internal testing and it is a security liability.
+
+ Specifies the flags that should be applied to $1Google Chrome when it starts. The specified flags are applied on the login screen only. Flags set via this policy do not propagate into user sessions.
+device_only: true
+example_value:
+- enable-managed-mode
+- my-cool-flag
+features:
+ dynamic_refresh: false
+owners:
+- file://components/policy/OWNERS
+- emaxx@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:27-65
+tags: []
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceTransferSAMLCookies.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceTransferSAMLCookies.yaml
new file mode 100755
index 000000000..def8970d0
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceTransferSAMLCookies.yaml
@@ -0,0 +1,32 @@
+arc_support: Cookies transferred to the user's profile are not accessible to Android
+ apps.
+caption: Transfer SAML IdP cookies during login
+desc: |-
+ Specifies whether authentication cookies set by a SAML IdP during login should be transferred to the user's profile.
+
+ When a user authenticates via a SAML IdP during login, cookies set by the IdP are written to a temporary profile at first. These cookies can be transferred to the user's profile to carry forward the authentication state.
+
+ When this policy is set to true, cookies set by the IdP are transferred to the user's profile every time they authenticate against the SAML IdP during login.
+
+ When this policy is set to false or unset, cookies set by the IdP are transferred to the user's profile during their first login on a device only.
+
+ This policy affects users whose domain matches the device's enrollment domain only. For all other users, cookies set by the IdP are transferred to the user's profile during their first login on the device only.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable transfer of SAML SSO Cookies into user session during sign-in
+ value: true
+- caption: Disable transfer of SAML SSO Cookies into user session during sign-in
+ value: false
+owners:
+- file://components/policy/OWNERS
+- bartfab@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:38-
+tags: []
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceUserAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceUserAllowlist.yaml
new file mode 100755
index 000000000..39b6ee28f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceUserAllowlist.yaml
@@ -0,0 +1,29 @@
+arc_support: This policy controls who may start a $2ChromiumOS
+ session. It does not prevent users from signing in to additional Google accounts
+ within Android. If you want to prevent this, configure the Android-specific accountTypesWithManagementDisabled
+ policy as part of ArcPolicy.
+caption: Login user allow list
+desc: |-
+ Defines the list of users that are allowed to login to the device. Entries are of the form user@domain, such as madmax@managedchrome.com. To allow arbitrary users on a domain, use entries of the form *@domain.
+
+ If this policy is not configured, there are no restrictions on which users are allowed to sign in. Note that creating new users still requires the DeviceAllowNewUsers policy to be configured appropriately.
+ If DeviceFamilyLinkAccountsAllowed is enabled, Family Link users will be allowed additionally to the accounts defined in this policy.
+device_only: true
+example_value:
+- madmax@managedchrome.com
+features:
+ dynamic_refresh: true
+owners:
+- file://components/policy/OWNERS
+- emaamari@google.com
+schema:
+ items:
+ type: string
+ sensitiveValue: true
+ type: array
+supported_on:
+- chrome_os:87-
+tags: []
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceWallpaperImage.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceWallpaperImage.yaml
new file mode 100755
index 000000000..2ba90070f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/DeviceWallpaperImage.yaml
@@ -0,0 +1,31 @@
+caption: Device wallpaper image
+desc: |-
+ Configure device-level wallpaper image that is shown on the login screen if no user has yet signed in to the device. The policy is set by specifying the URL from which the ChromeOS device can download the wallpaper image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its file size must not exceed 16MB. The URL must be accessible without any authentication. The wallpaper image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.
+
+ If the device wallpaper policy is set, the ChromeOS device will download and use the wallpaper image on the login screen if no user has yet signed in to the device. Once the user logs in, the user's wallpaper policy kicks in.
+
+ If the device wallpaper policy is left not set, it's the user's wallpaper policy to decide what to show if the user's wallpaper policy is set.
+device_only: true
+example_value:
+ hash: 1337c0ded00d84b1dbadf00dd15ea5eb000deaddeaddeaddeaddeaddeaddead0
+ url: https://example.com/device_wallpaper.jpg
+features:
+ dynamic_refresh: true
+max_size: 16777216
+owners:
+- xdai@chromium.org
+- maybelle@chromium.org
+schema:
+ properties:
+ hash:
+ description: The SHA-256 hash of the wallpaper image.
+ type: string
+ url:
+ description: The URL from which the wallpaper image can be downloaded.
+ type: string
+ type: object
+supported_on:
+- chrome_os:61-
+tags: []
+type: external
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ExtensibleEnterpriseSSOEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ExtensibleEnterpriseSSOEnabled.yaml
new file mode 100755
index 000000000..9b7e926fb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ExtensibleEnterpriseSSOEnabled.yaml
@@ -0,0 +1,37 @@
+owners:
+- ydago@chromium.org
+- file://components/policy/OWNERS
+caption: Enable extensible Enterprise SSO support
+desc: |-
+ Configures automatic user sign-in for accounts with authentication providers by an Enterprise SSO Extension.
+
+ By setting this policy to 1 (Enabled) or leaving it unset, authentication providers with an SSO extension on the device will use that extension to authenticate users trying to sign in.
+
+ By setting this policy to 0 (Disabled), automatic sign-in as described above is disabled.
+
+ This feature is available starting in MacOS Catalina.
+
+ Note: This policy doesn't apply to Incognito or Guest modes.
+future_on:
+- chrome.mac
+
+features:
+ dynamic_refresh: true
+ per_profile: false
+type: int-enum
+schema:
+ enum:
+ - 0
+ - 1
+ type: integer
+items:
+- caption: Disable extensible Enterprise SSO support
+ name: Disabled
+ value: 0
+- caption: Enable extensible Enterprise SSO support
+ name: Enabled
+ value: 1
+
+default: 1
+example_value: 0
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/LoginAuthenticationBehavior.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/LoginAuthenticationBehavior.yaml
new file mode 100755
index 000000000..85004e9f5
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/LoginAuthenticationBehavior.yaml
@@ -0,0 +1,35 @@
+caption: Configure the login authentication behavior
+desc: |-
+ When this policy is set, the login authentication flow will be in one of the following ways depending on the value of the setting:
+
+ If set to GAIA, login will be done via the normal GAIA authentication flow.
+
+ If set to SAML_INTERSTITIAL, login will automatically redirect to SAML IdP by default. The user is still allowed to go back to the normal GAIA login flow.
+
+ Note: the additional user confirmation screen, which was shown on $1Google Chrome until version 99, isn't displayed anymore. If SAML IdP isn't configured and this policy is set to SAML_INTERSTITIAL, redirect will fail with the 400 error.
+device_only: true
+example_value: 0
+features:
+ dynamic_refresh: true
+items:
+- caption: Authentication via the default GAIA flow
+ name: GAIA
+ value: 0
+- caption: Redirect to SAML IdP by default (prior to $1Google
+ Chrome 99 user confirmation is needed)
+ name: SAML_INTERSTITIAL
+ value: 1
+owners:
+- afakhry@chromium.org
+- tbarzic@chromium.org
+schema:
+ enum:
+ - 0
+ - 1
+ - 2
+ type: integer
+supported_on:
+- chrome_os:51-
+tags: []
+type: int-enum
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/LoginVideoCaptureAllowedUrls.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/LoginVideoCaptureAllowedUrls.yaml
new file mode 100755
index 000000000..db16a1fde
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/LoginVideoCaptureAllowedUrls.yaml
@@ -0,0 +1,24 @@
+caption: URLs that will be granted access to video capture devices on SAML login pages
+desc: |-
+ Patterns in this list will be matched against the security
+ origin of the requesting URL. If a match is found, access to video
+ capture devices will be granted on SAML login pages. If no match is
+ found, access will be automatically denied. Wildcard patterns are not
+ allowed.
+device_only: true
+example_value:
+- https://example.com
+features:
+ dynamic_refresh: true
+owners:
+- cernekee@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome_os:52-
+tags:
+- website-sharing
+type: list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ProfileSeparationDataMigrationSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ProfileSeparationDataMigrationSettings.yaml
new file mode 100755
index 000000000..b86bd49ff
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ProfileSeparationDataMigrationSettings.yaml
@@ -0,0 +1,50 @@
+owners:
+- ydago@chromium.org
+- file://components/policy/OWNERS
+
+caption: Profile separation data migration settings
+
+desc: |-
+ This policy controls whether users are allowed to bring existing browsing data into a managed profile created after a managed account signs into the content area.
+
+ If this policy is unset or set to UserOptInData (value 1), the user can choose whether to bring existing browsing data into the managed profile. The checkbox in the profile creation dialog will be visible and unchecked by default.
+
+ If this policy is set to UserOptOutData (value 2), the user can choose whether to bring existing browsing data into the managed profile. The checkbox in the profile creation dialog will be visible and checked by default. This option is only allowed on managed devices.
+
+ If this policy is set to AlwaysSeparateData (value 3), the user cannot bring any existing browsing data into the managed profile. The checkbox in the profile creation dialog will not be visible.
+
+ Bringing existing browsing data into the managed profile means that the current profile will become managed. No new profile will be created.
+
+ Not bringing existing browsing data into the managed profile means that a new clean profile will be created. The existing browsing data will stay in an unmanaged profile which will still be accessible to the user via the profile picker.
+
+supported_on:
+- chrome.*:119-
+
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+
+type: int-enum
+
+schema:
+ type: integer
+ enum:
+ - 1
+ - 2
+ - 3
+
+items:
+- caption: Let users decide to bring existing browsing data into their managed profile
+ name: UserOptInData
+ value: 1
+- caption: Suggest to users to bring their existing data in the managed profile and give them a choice not to
+ name: UserOptOutData
+ value: 2
+- caption: Users cannot bring existing browsing data in their managed profile
+ name: AlwaysSeparateData
+ value: 3
+
+default: null
+example_value: 1
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ProfileSeparationDomainExceptionList.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ProfileSeparationDomainExceptionList.yaml
new file mode 100755
index 000000000..f12dc537d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ProfileSeparationDomainExceptionList.yaml
@@ -0,0 +1,30 @@
+owners:
+- ydago@chromium.org
+- file://components/policy/OWNERS
+
+caption: Enterprise profile separation secondary domain allowlist
+
+desc: |-
+ If this policy is unset, account logins will not be required to create a new separate profile.
+
+ If this policy is set, account logins from the listed domains will not be required to create a new separate profile.
+
+ This policy can be set to an empty string so that all account logins are required to create a new separate profile.
+
+supported_on:
+- chrome.*:119-
+
+features:
+ dynamic_refresh: true
+ per_profile: true
+
+type: list
+
+schema:
+ items:
+ type: string
+ type: array
+
+default: null
+example_value: ["domain.com", "otherdomain.com"]
+tags: []
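Review bot: The `desc` says the policy "can be set to an empty string" to require a separate profile for all account logins, but `schema` declares an array of strings, so it is unclear whether the enforcing value is an empty list or a list holding one empty string. Since unset means no login is required to create a separate profile, an administrator who picks the wrong form may believe separation is enforced when it is not; the definition does not show how either form is treated. Suggest `This policy can be set to an empty list so that all account logins are required to create a new separate profile.`, if that matches the implementation. The caption also says "allowlist" while the policy name says exception list; one term throughout would be easier to audit.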
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ProfileSeparationSettings.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ProfileSeparationSettings.yaml
new file mode 100755
index 000000000..1bd3e90a1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/ProfileSeparationSettings.yaml
@@ -0,0 +1,50 @@
+owners:
+- ydago@chromium.org
+- file://components/policy/OWNERS
+
+caption: Enterprise profile separation settings
+
+desc: |-
+ This policy controls the behavior of the browser after a managed account signs into the content area.
+
+ This policy overrides ManagedAccountsSigninRestriction.
+
+ If this policy is set to Suggested, after a managed account sign in, the user will be be asked to continue using a managed profile as if it was enforced. If they refuse, the user may continue their browsing in an unmanaged environment.
+
+ If this policy is set to Enforced, after a managed account sign in, the user will be required to continue using a managed profile. If they refuse, they will be signed out of their account. This enforcement is not affected by the SigninInterceptionEnabled policy.
+
+ If this policy is set to Disabled or unset, after a managed account sign in, the user may see a bubble asking them to create a new profile. The bubble can be dismissed and the user may continue their browsing in an unmanaged environment. The bubble is controlled by the SigninInterceptionEnabled policy.
+
+ This policy has no effect when set on a machine level.
+
+supported_on:
+- chrome.*:119-
+
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+
+type: int-enum
+
+schema:
+ type: integer
+ enum:
+ - 0
+ - 1
+ - 2
+
+items:
+- caption: Suggests profile separation
+ name: Suggested
+ value: 0
+- caption: Enforce profile separation
+ name: Enforced
+ value: 1
+- caption: Disables profile separation
+ name: Disabled
+ value: 2
+
+default: null
+example_value: 1
+tags: []
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/RecoveryFactorBehavior.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/RecoveryFactorBehavior.yaml
new file mode 100755
index 000000000..62b8ae00a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/RecoveryFactorBehavior.yaml
@@ -0,0 +1,34 @@
+caption: Account recovery
+default: true
+default_for_enterprise_users: false
+desc: "Specifies whether the account recovery service is activated for your users\
+ \ on $2Google ChromeOS devices.\n\n \
+ \ When the policy is enabled, the user data recovery is activated. When the\
+ \ policy is disabled or not set, the user data recovery is not activated.\n \
+ \ Setting the policy level to recommended lets users change the account recovery\
+ \ activation through the settings page. Setting the policy level to mandatory means\
+ \ users can't change the account recovery activation.\n\n On the policy value\
+ \ change the update process is completed on the next login to $2Google ChromeOS device, after the new policy value was fetched.\n\
+ \n Note: This setting only applies to new accounts that get added on $2Google ChromeOS devices.\n "
+example_value: true
+features:
+ can_be_mandatory: true
+ can_be_recommended: true
+ dynamic_refresh: false
+ per_profile: true
+supported_on:
+- chrome_os:112-
+items:
+- caption: Activate account recovery
+ value: true
+- caption: Deactivate account recovery
+ value: false
+owners:
+- antrim@chromium.org
+- cros-lurs@google.com
+schema:
+ type: boolean
+tags: []
+type: main
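Review bot: `default: true` disagrees with the `desc` sentence "When the policy is disabled or not set, the user data recovery is not activated", and `default_for_enterprise_users: false` suggests the unset behaviour differs by account type. Whether recovery is active on an unconfigured device is the security-relevant fact here, so the description should state both cases explicitly. For example: `When the policy is not set, account recovery is not activated for enterprise users and is activated for other users.`, assuming the two default fields mean what their names suggest.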
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/policy_atomic_groups.yaml
new file mode 100755
index 000000000..f5d926b36
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Signin/policy_atomic_groups.yaml
@@ -0,0 +1,15 @@
+LoginScreenOrigins:
+ caption: Login and screen origins
+ policies:
+ - DeviceLoginScreenIsolateOrigins
+ - DeviceLoginScreenSitePerProcess
+SAML:
+ caption: SAML
+ policies:
+ - DeviceTransferSAMLCookies
+ProfileSeparation:
+ caption: Profile Separation
+ policies:
+ - ProfileSeparationSettings
+ - ProfileSeparationDataMigrationSettings
+ - ProfileSeparationDomainExceptionList
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/.group.details.yaml
new file mode 100755
index 000000000..5f0152f58
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/.group.details.yaml
@@ -0,0 +1,3 @@
+caption: Turn SkyVault on or off
+desc: |-
+ Configure policies to control whether user data is allowed on the device, and whether existing data should be uploaded to the cloud.
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/LocalUserFilesAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/LocalUserFilesAllowed.yaml
new file mode 100755
index 000000000..36f046825
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/LocalUserFilesAllowed.yaml
@@ -0,0 +1,26 @@
+caption: Enable local user files
+default: true
+desc: |-
+ This policy controls whether $2Google ChromeOS users can store data locally or not.
+ Setting this policy to False blocks local storage on $2Google ChromeOS - users cannot store any data locally, and cannot access any local directories.
+ Setting this policy to True or leaving it unset allows local storage on $2Google ChromeOS - there are no restrictions on where users can store data, or which directories they can access.
+example_value: true
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable storing user files locally
+ value: true
+- caption: Disable storing user files locally
+ value: false
+owners:
+- aidazolic@google.com
+- ayaelattar@google.com
+- poromov@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:126-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/LocalUserFilesMigrationDestination.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/LocalUserFilesMigrationDestination.yaml
new file mode 100755
index 000000000..e40252a5f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/LocalUserFilesMigrationDestination.yaml
@@ -0,0 +1,36 @@
+caption: Local user files migration destination
+default: "read_only"
+desc: |-
+ Controls the local files migration to the cloud.
+ Applies only for SkyVault users, i.e. when LocalUserFilesAllowed is false and is ignored otherwise.
+
+ If set to "google_drive", local files are moved to Google Drive and local folders are hidden.
+ If set to "microsoft_onedrive", local files are moved to OneDrive and local folders are hidden.
+ If set to "read-only" or left unset: local files remain in read-only mode.
+example_value: "read_only"
+features:
+ can_be_recommended: false
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Migrate local files to Google Drive and hide local folders
+ name: "google_drive"
+ value: "google_drive"
+- caption: Migrate local files to Microsoft OneDrive and hide local folders
+ name: "microsoft_onedrive"
+ value: "microsoft_onedrive"
+- caption: Keep local files in read-only mode
+ name: "read_only"
+ value: "read_only"
+owners:
+- file://chrome/browser/ash/policy/skyvault/OWNERS
+schema:
+ type: string
+ enum:
+ - "google_drive"
+ - "microsoft_onedrive"
+ - "read_only"
+future_on:
+- chrome_os
+tags: []
+type: string-enum
\ No newline at end of file
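Review bot: The last line of `desc` spells the value "read-only" with a hyphen, while `default`, `example_value`, `items` and `schema.enum` all spell it `read_only`. An administrator copying the hyphenated form from the description would supply a string outside the enum, and the definition does not say how an invalid value is handled. Change the sentence to `If set to "read_only" or left unset: local files remain in read-only mode.`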
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/policy_atomic_groups.yaml
new file mode 100755
index 000000000..e15a3b581
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/SkyVault/policy_atomic_groups.yaml
@@ -0,0 +1,5 @@
+SkyVaultSettings:
+ caption: SkyVault (all data in cloud) settings
+ policies:
+ - LocalUserFilesAllowed
+ - LocalUserFilesMigrationDestination
\ No newline at end of file
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/.group.details.yaml
new file mode 100755
index 000000000..66ca5b169
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/.group.details.yaml
@@ -0,0 +1,7 @@
+caption: Startup, Home page and New Tab page
+desc: |-
+ Configure the pages to load on startup, the default home page and the default new tab page in $1Google Chrome and prevents users from changing them.
+
+ The user's home page settings are only completely locked down if you either select the home page to be the new tab page, or set it to be a URL and specify a home page URL. If you don't specify the home page URL, then the user is still able to set the home page to the new tab page by specifying 'chrome://newtab'.
+
+ The policy 'URLs to open on startup' is ignored unless you select 'Open a list of URLs' in 'Action on startup'.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/HomepageIsNewTabPage.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/HomepageIsNewTabPage.yaml
new file mode 100755
index 000000000..648ba2f93
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/HomepageIsNewTabPage.yaml
@@ -0,0 +1,33 @@
+caption: Use New Tab Page as homepage
+default: null
+desc: |-
+ Setting the policy to Enabled makes the New Tab page the user's homepage, ignoring any homepage URL location. Setting the policy to Disabled means that their homepage is never the New Tab page, unless the user's homepage URL is set to chrome://newtab.
+
+ If you set the policy, users can't change their homepage type in $1Google Chrome. If not set, the user decides whether or not the New Tab page is their homepage.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Use New Tab Page as homepage
+ value: true
+- caption: Do not use New Tab Page as homepage
+ value: false
+- caption: Allow users to choose
+ value: null
+owners:
+- chrome-desktop-ntp@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/HomepageLocation.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/HomepageLocation.yaml
new file mode 100755
index 000000000..6c2508b67
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/HomepageLocation.yaml
@@ -0,0 +1,31 @@
+caption: Configure the home page URL
+desc: |-
+ Setting the policy sets the default homepage URL in $1Google Chrome. You open the homepage using the Home button. On desktop, the RestoreOnStartup policies control the pages that open on startup.
+
+ If the homepage is set to the New Tab Page, by the user or HomepageIsNewTabPage, this policy has no effect.
+
+ The URL needs a standard scheme, such as http://example.com or https://example.com. When this policy is set, users can't change their homepage URL in $1Google Chrome.
+
+ Leaving both HomepageLocation and HomepageIsNewTabPage unset lets users choose their homepage.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+example_value: https://www.chromium.org
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+label: Home page URL
+owners:
+- chrome-desktop-ntp@google.com
+schema:
+ type: string
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+- android:81-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/NewTabPageLocation.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/NewTabPageLocation.yaml
new file mode 100755
index 000000000..54ed82411
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/NewTabPageLocation.yaml
@@ -0,0 +1,32 @@
+caption: Configure the New Tab page URL
+desc: |-
+ Setting the policy configures the default New Tab page URL and prevents users from changing it.
+
+ The New Tab page opens with new tabs and windows.
+
+ This policy doesn't decide which pages open on start up. Those are controlled by the RestoreOnStartup policies. This policy does affect the homepage, if that's set to open the New Tab page, as well as the startup page if it's set to open the New Tab page.
+
+ It is a best practice to provide fully canonicalized URL, if the URL is not fully canonicalized $1Google Chrome will default to https://.
+
+ Leaving the policy unset or empty puts the default New Tab page in use.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+example_value: https://www.chromium.org
+features:
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+label: New Tab page URL
+owners:
+- chrome-desktop-ntp@google.com
+schema:
+ type: string
+supported_on:
+- chrome.*:58-
+- chrome_os:58-
+- ios:99-
+tags: []
+type: string
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/RestoreOnStartup.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/RestoreOnStartup.yaml
new file mode 100755
index 000000000..6f806bba1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/RestoreOnStartup.yaml
@@ -0,0 +1,52 @@
+caption: Action on startup
+desc: |-
+ Setting the policy lets you specify system behavior on startup. Turning this setting off amounts to leaving it unset as $1Google Chrome must have specified start up behavior.
+
+ If you set the policy, users can't change it in $1Google Chrome. If not set, users can change it.
+
+ Setting this policy to RestoreOnStartupIsLastSession or RestoreOnStartupIsLastSessionAndURLs turns off some settings that rely on sessions or that perform actions on exit, such as clearing browsing data on exit or session-only cookies.
+
+ If this policy is set to RestoreOnStartupIsLastSessionAndURLs, browser will restore previous session and open a separate window to show URLs that are set from RestoreOnStartupURLs. Note that users can choose to keep those URLs open and they will also be restored in the future session.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+
+ On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Browser Cloud Management.
+example_value: 4
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Open New Tab Page
+ name: RestoreOnStartupIsNewTabPage
+ value: 5
+- caption: Restore the last session
+ name: RestoreOnStartupIsLastSession
+ value: 1
+- caption: Open a list of URLs
+ name: RestoreOnStartupIsURLs
+ value: 4
+- caption: Open a list of URLs and restore the last session
+ future_on:
+ - fuchsia
+ name: RestoreOnStartupIsLastSessionAndURLs
+ supported_on:
+ - chrome.*:98-
+ - chrome_os:98-
+ value: 6
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ enum:
+ - 1
+ - 4
+ - 5
+ type: integer
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+tags: []
+type: int-enum
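Review bot: The `schema.enum` list near the end of this hunk allows only `1`, `4` and `5`, while the `items` list above it defines `RestoreOnStartupIsLastSessionAndURLs` with `value: 6`. If policy values are validated against this schema, the documented option 6 would presumably be rejected or ignored, leaving an administrator with a different startup behaviour than the one they configured. Adding `- 6` to `schema.enum` would bring the two lists into agreement; the file looks like a mirror of an upstream template, so the fix may have to land there first. The RestoreOnStartupURLs hunk that follows also names only RestoreOnStartupIsURLs as the mode that reads the URL list, which is worth aligning at the same time.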
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/RestoreOnStartupURLs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/RestoreOnStartupURLs.yaml
new file mode 100755
index 000000000..d4904219d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/RestoreOnStartupURLs.yaml
@@ -0,0 +1,28 @@
+caption: URLs to open on startup
+desc: |-
+ If RestoreOnStartup is set to RestoreOnStartupIsURLs, then setting RestoreOnStartupURLs to a list of URLs specify which URLs open.
+
+ If not set, the New Tab page opens on start up.
+
+ On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Browser Cloud Management.
+example_value:
+- https://example.com
+- https://www.chromium.org
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+owners:
+- file://components/policy/OWNERS
+- rsorokin@chromium.org
+schema:
+ items:
+ type: string
+ type: array
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+tags: []
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/ShowHomeButton.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/ShowHomeButton.yaml
new file mode 100755
index 000000000..e0b7aef59
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/ShowHomeButton.yaml
@@ -0,0 +1,27 @@
+caption: Show Home button on toolbar
+desc: |-
+ Setting the policy to Enabled shows the Home button on $1Google Chrome's toolbar. Setting the policy to Disabled keeps the Home button from appearing.
+
+ If you set the policy, users can't change it in $1Google Chrome. If not set, users chooses whether to show the Home button.
+example_value: true
+features:
+ can_be_recommended: true
+ dynamic_refresh: true
+ per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Show the Home button on the toolbar
+ value: true
+- caption: Hide the Home button from the toolbar
+ value: false
+owners:
+- file://components/policy/OWNERS
+- poromov@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome.*:8-
+- chrome_os:11-
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/policy_atomic_groups.yaml
new file mode 100755
index 000000000..58b01f431
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/Startup/policy_atomic_groups.yaml
@@ -0,0 +1,15 @@
+Homepage:
+ caption: Homepage
+ policies:
+ - HomepageLocation
+ - HomepageIsNewTabPage
+ - NewTabPageLocation
+ - ShowHomeButton
+RestoreOnStartup:
+ caption: Action on startup
+ owners:
+ - file://components/policy/OWNERS
+ - rsorokin@chromium.org
+ policies:
+ - RestoreOnStartup
+ - RestoreOnStartupURLs
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/.group.details.yaml
new file mode 100755
index 000000000..36e11a50a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: User and device reporting
+desc: Controls what kind of user and device information is reported.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceActivityHeartbeatCollectionRateMs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceActivityHeartbeatCollectionRateMs.yaml
new file mode 100755
index 000000000..208408276
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceActivityHeartbeatCollectionRateMs.yaml
@@ -0,0 +1,25 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Device activity heartbeat collection rate in milliseconds.
+default: 900000
+desc: |-
+ Rate at which the device activity state is collected on enrolled devices for affiliated users. The minimum allowed is 1 minute.
+
+ If not set, the default rate of 15 minutes applies.
+device_only: true
+example_value: 900000
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ unlisted: true
+owners:
+- vshenvi@google.com
+- cros-reporting-eng@google.com
+schema:
+ minimum: 60000
+ type: integer
+supported_on:
+- chrome_os:113-
+tags:
+- admin-sharing
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceActivityHeartbeatEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceActivityHeartbeatEnabled.yaml
new file mode 100755
index 000000000..6799a902a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceActivityHeartbeatEnabled.yaml
@@ -0,0 +1,28 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Enable device activity heartbeat reporting
+default: false
+desc: |-
+ Reports device activity state on enrolled devices for affiliated users.
+
+ If the policy is Disabled or left unset, device activity state will not be reported.
+ If Enabled, the device activity state is reported to the server allowing it to detect if the device is offline, as long as the user is affiliated.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device activity heartbeat
+ value: true
+- caption: Disable device activity heartbeat
+ value: false
+owners:
+- vshenvi@google.com
+- cros-reporting-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:113-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceExtensionsSystemLogEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceExtensionsSystemLogEnabled.yaml
new file mode 100755
index 000000000..6c4adb064
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceExtensionsSystemLogEnabled.yaml
@@ -0,0 +1,26 @@
+caption: Enable extensions system logging
+desc: |-
+ Enterprise extensions can add logs via the chrome.systemLog API to a system log file.
+
+ Setting the policy to Enabled will allow the logs to be persisted in the system log file for a limited amount of time.
+ Setting the policy to Disabled or leaving it unset does not allow the logs to be added to the system log file which means that logs will not be persisted between sessions.
+default: false
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+supported_on:
+- chrome_os:125-
+items:
+- caption: Enable enterprise extensions system logging
+ value: true
+- caption: Disable enterprise extensions system logging
+ value: false
+owners:
+- mpetrisor@chromium.org
+- imprivata-eng@google.com
+schema:
+ type: boolean
+tags: []
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceFlexHwDataForProductImprovementEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceFlexHwDataForProductImprovementEnabled.yaml
new file mode 100755
index 000000000..a523ac461
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceFlexHwDataForProductImprovementEnabled.yaml
@@ -0,0 +1,33 @@
+owners:
+- tbrandston@google.com
+- chromeos-flex-eng@google.com
+caption: Send hardware data to Google to support improvements to ChromeOS Flex
+desc: |-
+ Allows some services on Google ChromeOS Flex to send additional hardware data.
+
+ This hardware data is used for overall improvements to Google ChromeOS Flex.
+ For example, we might analyze the impact of a crash based on CPU,
+ or prioritize a bugfix based on how many devices share a component.
+
+ If the policy is Enabled or left unset, additional hardware details
+ will be sent from Google ChromeOS Flex
+ devices.
+ If Disabled, only standard hardware data will be sent.
+supported_on:
+- chrome_os:120-
+device_only: true
+features:
+ dynamic_refresh: true
+ per_profile: false
+type: main
+schema:
+ type: boolean
+items:
+- caption: Send additional hardware data on ChromeOS Flex
+ value: true
+- caption: Do not send additional hardware data on ChromeOS Flex
+ value: false
+default: true
+example_value: true
+tags: ['google-sharing']
+generate_device_proto: False
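Review bot: The `desc` text never says which fields make up the "additional hardware data" or how they differ from "standard hardware data", yet `default: true` and the "Enabled or left unset" wording make this an opt-out setting tagged `google-sharing`. An administrator reviewing data flows cannot tell from this text what leaves the device when the policy is simply not configured. I would add a sentence to `desc` naming the data categories or pointing to where they are documented. It should also state that the policy has to be set to Disabled to stop the additional reporting.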
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceMetricsReportingEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceMetricsReportingEnabled.yaml
new file mode 100755
index 000000000..01e0450c2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceMetricsReportingEnabled.yaml
@@ -0,0 +1,30 @@
+arc_support: This policy also controls Android usage and diagnostic data collection.
+caption: Enable metrics reporting
+desc: |-
+ Setting the policy to Enabled has $2Google ChromeOS report usage metrics and diagnostic data, including crash reports, back to Google. Setting the policy to Disabled turns off metrics and diagnostic data reporting.
+
+ For managed devices, this policy is enabled by default and sends metrics to Google.
+
+ For unmanaged devices, the user can make the decision to send the metrics.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Always send metrics to Google
+ value: true
+- caption: Never send metrics to Google
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+- zmin@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:14-
+tags:
+- admin-sharing
+- google-sharing
+type: main
+generate_device_proto: False
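Review bot: This policy has no `default:` key, although the description says it is enabled by default on managed devices and the tags include `google-sharing`. ReportDeviceActivityTimes.yaml later in the patch has the same gap while stating that leaving it unset turns reporting on. Other files in this commit record the unset behaviour in a field, for example `default: true` in DeviceFlexHwDataForProductImprovementEnabled.yaml, so tooling that audits defaults from these templates would not see that these two report when unconfigured. For ReportDeviceActivityTimes I would add `default: true`. Here the unset behaviour depends on whether the device is managed, so a YAML comment such as `# unset: enabled on managed devices, user choice otherwise` would record it.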
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportNetworkEvents.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportNetworkEvents.yaml
new file mode 100755
index 000000000..8d7aa3269
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportNetworkEvents.yaml
@@ -0,0 +1,28 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report network events
+default: false
+desc: |-
+ Report network connection and signal strength events on enrolled devices.
+
+ If the policy is set to false or left unset, the information will not be reported.
+ If set to true, the device's network events will be reported.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Report network events
+ value: true
+- caption: Do not report network events
+ value: false
+owners:
+- anasr@google.com
+- cros-reporting-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:114-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportRuntimeCounters.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportRuntimeCounters.yaml
new file mode 100755
index 000000000..c299e898e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportRuntimeCounters.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report device runtime counters
+default: false
+desc: |-
+ Setting the policy to enabled has enrolled devices report device runtime counters (Intel vPro Gen 14+ only).
+
+ Setting the policy to disabled or leaving it unset would make enrolled devices not record or report device runtime counters.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Report device runtime counters
+ value: true
+- caption: Do not report device runtime counters
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- xuhong@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:121-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportRuntimeCountersCheckingRateMs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportRuntimeCountersCheckingRateMs.yaml
new file mode 100755
index 000000000..4d6afd53b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportRuntimeCountersCheckingRateMs.yaml
@@ -0,0 +1,25 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: CPU runtime counters telemetry collection rate in milliseconds.
+default: 86400000
+desc: |-
+ Rate at which runtime counters are sampled and collected. The minimum allowed is 1 day.
+
+ If not set, the default rate of 1 day applies.
+device_only: true
+example_value: 90000000
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ unlisted: true
+owners:
+- cros-reporting-eng@google.com
+- xuhong@chromium.org
+schema:
+ minimum: 86400000
+ type: integer
+supported_on:
+- chrome_os:121-
+tags:
+- admin-sharing
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportXDREvents.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportXDREvents.yaml
new file mode 100755
index 000000000..802e702c1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/DeviceReportXDREvents.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report extended detection and response (XDR) events
+default: false
+desc: |-
+ Setting the policy to True has enrolled devices report information related to extended detection and response (XDR) events.
+
+ Setting the policy to False or leaving it unset means enrolled devices don't report extended detection and response (XDR) events.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Report information about extended detection and response (XDR) events
+ value: true
+- caption: Do not report information about extended detection and response (XDR) events
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- jrhilke@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:110-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/EnableDeviceGranularReporting.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/EnableDeviceGranularReporting.yaml
new file mode 100755
index 000000000..f52378ac4
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/EnableDeviceGranularReporting.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Enable granular reporting controls
+default: true
+deprecated: true
+desc: |-
+ This policy is deprecated. Setting the policy to enabled or leaving it unset allows for the device to recieve granular reporting controls.
+ Setting the policy to Disabled means enrolled devices won't receive granular reporting controls.
+device_only: true
+example_value: true
+features:
+ dynamic_refresh: true
+items:
+- caption: Allow granular reporting controls
+ value: true
+- caption: Do not allow granular reporting controls
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:96-105
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/HeartbeatEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/HeartbeatEnabled.yaml
new file mode 100755
index 000000000..b6f75b23d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/HeartbeatEnabled.yaml
@@ -0,0 +1,26 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Send network packets to the management server to monitor online status
+desc: |-
+ Setting the policy to Enabled sends monitoring network packets (heartbeats) to the management server to monitor online status, to allow the server to detect if the device is offline.
+
+ Setting the policy to Disabled or leaving it unset sends no packets.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device health monitoring
+ value: true
+- caption: Disable device health monitoring
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:43-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/HeartbeatFrequency.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/HeartbeatFrequency.yaml
new file mode 100755
index 000000000..505c9512b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/HeartbeatFrequency.yaml
@@ -0,0 +1,21 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Frequency of monitoring network packets
+desc: |-
+ Setting the policy determines how frequently to send monitoring network packets, in milliseconds. Intervals range from 30 seconds to 24 hours. Values outside this range are clamped to this range.
+
+ If not set, the default interval of 3 minutes applies.
+device_only: true
+example_value: 180000
+features:
+ dynamic_refresh: true
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ minimum: 30000
+ type: integer
+supported_on:
+- chrome_os:43-
+tags: []
+type: int
+generate_device_proto: False
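Review bot: The description promises that out-of-range values are clamped to 30 seconds–24 hours, but `schema` declares only `minimum: 30000` and no upper bound. Assuming the schema is enforced before the value is used, a value below 30000 would be rejected rather than clamped, and the 24-hour ceiling exists only in code not visible here. Either reword the clamping sentence so it matches what the schema does for the lower bound, or add `maximum: 86400000` and describe rejection instead. A short comment naming the layer that enforces the ceiling would help anyone auditing heartbeat intervals.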
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/LogUploadEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/LogUploadEnabled.yaml
new file mode 100755
index 000000000..1b8f32c22
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/LogUploadEnabled.yaml
@@ -0,0 +1,26 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Send system logs to the management server
+desc: |-
+ Setting the policy to Enabled sends system logs to the management server, to allow admins to monitor system logs.
+
+ Setting the policy to Disabled or leaving it unset reports no system logs.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device system log upload
+ value: true
+- caption: Disable device system log upload
+ value: false
+owners:
+- cros-reporting-team@google.com
+- lbaraz@chromium.org
+- pbond@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:46-
+tags: []
+type: main
+generate_device_proto: False
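Review bot: `tags: []` leaves this policy without the `admin-sharing` tag, although its description says it sends system logs to the management server. Sibling reporting policies in this commit, such as HeartbeatEnabled and ReportDeviceAppInfo, carry that tag for less sensitive data. Anything that filters policies by tag to list what leaves the device would miss system log upload. I would replace the line with `tags:` followed by `- admin-sharing`. The owners entry `cros-reporting-team@google.com` also differs from the `cros-reporting-eng@google.com` alias used in the neighbouring files and is worth confirming.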
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportAppInventory.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportAppInventory.yaml
new file mode 100755
index 000000000..f7c91f92b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportAppInventory.yaml
@@ -0,0 +1,55 @@
+caption: App inventory reporting
+default: []
+desc: |-
+ Reports app inventory data for affiliated users.
+
+ Setting the policy controls app install, launch and uninstall event reporting for specified app types.
+ If unset, no app events will be reported.
+example_value:
+- chrome_apps_and_extensions
+- progressive_web_apps
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Chrome apps and extensions
+ value: chrome_apps_and_extensions
+ name: chrome_apps_and_extensions
+- caption: Progressive Web Apps
+ value: progressive_web_apps
+ name: progressive_web_apps
+- caption: Android applications
+ value: android_apps
+ name: android_apps
+- caption: Linux applications
+ value: linux_apps
+ name: linux_apps
+- caption: System applications
+ value: system_apps
+ name: system_apps
+- caption: Games
+ value: games
+ name: games
+- caption: Browser
+ value: browser
+ name: browser
+owners:
+- vshenvi@google.com
+- cros-reporting-eng@google.com
+schema:
+ type: array
+ items:
+ type: string
+ enum:
+ - chrome_apps_and_extensions
+ - progressive_web_apps
+ - android_apps
+ - linux_apps
+ - system_apps
+ - games
+ - browser
+supported_on:
+- chrome_os:117-
+tags:
+- admin-sharing
+type: string-enum-list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportAppUsage.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportAppUsage.yaml
new file mode 100755
index 000000000..959231850
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportAppUsage.yaml
@@ -0,0 +1,55 @@
+caption: App usage reporting
+default: []
+desc: |-
+ Reports app usage telemetry data for affiliated users.
+
+ Setting the policy controls app usage telemetry reporting for specified app types.
+ If unset, no app usage telemetry will be reported.
+example_value:
+- chrome_apps_and_extensions
+- progressive_web_apps
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Chrome apps and extensions
+ value: chrome_apps_and_extensions
+ name: chrome_apps_and_extensions
+- caption: Progressive Web Apps
+ value: progressive_web_apps
+ name: progressive_web_apps
+- caption: Android applications
+ value: android_apps
+ name: android_apps
+- caption: Linux applications
+ value: linux_apps
+ name: linux_apps
+- caption: System applications
+ value: system_apps
+ name: system_apps
+- caption: Games
+ value: games
+ name: games
+- caption: Browser
+ value: browser
+ name: browser
+owners:
+- vshenvi@google.com
+- cros-reporting-eng@google.com
+schema:
+ type: array
+ items:
+ type: string
+ enum:
+ - chrome_apps_and_extensions
+ - progressive_web_apps
+ - android_apps
+ - linux_apps
+ - system_apps
+ - games
+ - browser
+supported_on:
+- chrome_os:117-
+tags:
+- admin-sharing
+type: string-enum-list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportAppUsageCollectionRateMs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportAppUsageCollectionRateMs.yaml
new file mode 100755
index 000000000..d8b10cdec
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportAppUsageCollectionRateMs.yaml
@@ -0,0 +1,23 @@
+caption: App usage telemetry collection rate in milliseconds.
+default: 900000
+desc: |-
+ Rate at which app usage telemetry is collected on enrolled devices for affiliated users. The minimum allowed is 5 minutes.
+
+ If not set, the default rate of 15 minutes applies.
+example_value: 900000
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+ unlisted: true
+owners:
+- vshenvi@google.com
+- cros-reporting-eng@google.com
+schema:
+ minimum: 300000
+ type: integer
+supported_on:
+- chrome_os:117-
+tags:
+- admin-sharing
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportArcStatusEnabled.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportArcStatusEnabled.yaml
new file mode 100755
index 000000000..e7dbd2906
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportArcStatusEnabled.yaml
@@ -0,0 +1,24 @@
+caption: Report information about status of Android
+desc: |-
+ If Android apps are on, then setting the policy to True has enrolled devices report Android status information.
+
+ Setting the policy to Disabled or leaving it unset means enrolled devices don't report Android status information
+example_value: true
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Enable Android reporting
+ value: true
+- caption: Disable Android reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:55-
+tags:
+- admin-sharing
+type: main
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportCRDSessions.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportCRDSessions.yaml
new file mode 100755
index 000000000..44507b8cc
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportCRDSessions.yaml
@@ -0,0 +1,29 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report CRD sessions
+default: false
+desc: |-
+ Report CRD sessions events on enrolled devices for affiliated users.
+
+ If the policy is Disabled or left unset, the information will not be reported.
+ If Enabled, the CRD events will be reported, if the user is affiliated
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Report Chrome Remote Desktop
+ events
+ value: true
+- caption: Do not report CRD sessions events
+ value: false
+owners:
+- lbaraz@google.com
+- cros-reporting-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:99-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceActivityTimes.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceActivityTimes.yaml
new file mode 100755
index 000000000..17d75622f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceActivityTimes.yaml
@@ -0,0 +1,26 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report device activity times
+desc: |-
+ Setting the policy to Enabled or leaving it unset has enrolled devices report time periods when a user is active on the device.
+
+ Setting the policy to Disabled means enrolled devices don't record or report activity times.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device activity time reporting
+ value: true
+- caption: Disable device activity time reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:18-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
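Review bot: The description says activity times are reported when the policy is Enabled or left unset, but the entry has no `default:` key, so the on-by-default behaviour is recorded only in prose. ReportDeviceAudioStatus, ReportDeviceNetworkConfiguration and ReportDeviceNetworkStatus in this same patch state it explicitly with `default: true`. Adding `default: true` here would let anyone auditing which telemetry is collected on an unconfigured enrolled device read it from the metadata, assuming the template tooling accepts the key for this policy. The same gap appears in the ReportDeviceBootMode, ReportDeviceCpuInfo, ReportDeviceMemoryInfo, ReportDeviceHardwareStatus and ReportDeviceNetworkInterfaces hunks.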
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceAppInfo.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceAppInfo.yaml
new file mode 100755
index 000000000..aa6b34f25
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceAppInfo.yaml
@@ -0,0 +1,28 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report applications information
+desc: |-
+ Report information for a device's application inventory and usage.
+
+ If the policy is set to false or left unset, the information will not be reported.
+ If set to true, the device's applications and usage will be reported.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device app info reporting
+ value: true
+- caption: Disable device app info reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+- mattme@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:85-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceAudioStatus.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceAudioStatus.yaml
new file mode 100755
index 000000000..beba82eeb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceAudioStatus.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report device audio status
+default: true
+desc: |-
+ Setting the policy to enabled or leaving it unset has enrolled devices report device audio volume.
+
+ Setting the policy to Disabled means enrolled devices don't record or report audio status.
+ Exception: System volume level information is controlled by ReportDeviceHardwareStatus for M95 and below.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Report audio status
+ value: true
+- caption: Do not report audio status
+ value: false
+owners:
+- cros-reporting-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:96-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceAudioStatusCheckingRateMs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceAudioStatusCheckingRateMs.yaml
new file mode 100755
index 000000000..43ae09363
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceAudioStatusCheckingRateMs.yaml
@@ -0,0 +1,25 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Audio telemetry collection rate in milliseconds.
+default: 900000
+desc: |-
+ Rate at which audio data is sampled and collected. The minimum allowed is 1 minute.
+
+ If not set, the default rate of 15 minutes applies.
+device_only: true
+example_value: 900000
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ unlisted: true
+owners:
+- cros-reporting-eng@google.com
+- albertojuarez@google.com
+schema:
+ minimum: 60000
+ type: integer
+supported_on:
+- chrome_os:103-
+tags:
+- admin-sharing
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBacklightInfo.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBacklightInfo.yaml
new file mode 100755
index 000000000..32c530a5b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBacklightInfo.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report backlight info
+desc: |-
+ Report information about a device's backlights.
+
+ If the policy is set to false or left unset, the information will not be reported.
+ If set to true, the device's backlight information will be reported.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device backlight info reporting
+ value: true
+- caption: Disable device backlight info reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:83-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBluetoothInfo.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBluetoothInfo.yaml
new file mode 100755
index 000000000..2fb3ba9cc
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBluetoothInfo.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report Bluetooth info
+desc: |-
+ Report a device's Bluetooth information.
+
+ If the policy is set to false or left unset, the information will not be reported.
+ If set to true, the device's Bluetooth information will be reported.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device Bluetooth info reporting
+ value: true
+- caption: Disable device Bluetooth info reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:85-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBoardStatus.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBoardStatus.yaml
new file mode 100755
index 000000000..a51b1b004
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBoardStatus.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report board status
+desc: |-
+ Setting the policy to Enabled has enrolled devices report hardware statistics for SoC components.
+
+ Setting the policy to Disabled or leaving it unset means enrolled devices don't report the statistics.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device board status reporting
+ value: true
+- caption: Disable device board status reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+- antrim@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:73-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBootMode.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBootMode.yaml
new file mode 100755
index 000000000..b86b96fc2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceBootMode.yaml
@@ -0,0 +1,26 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report device boot mode
+desc: |-
+ Setting the policy to Enabled or leaving it unset has enrolled devices report the state of the device's dev switch when the machine booted.
+
+ Setting the policy to Disabled means enrolled devices don't report the state of the dev switch.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device boot mode reporting
+ value: true
+- caption: Disable device boot mode reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:18-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceCpuInfo.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceCpuInfo.yaml
new file mode 100755
index 000000000..877395cec
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceCpuInfo.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report CPU info
+desc: |-
+ This policy is set to Enabled by default. It controls the enrolled devices to report the CPU model name, architecture, and maximum clock speed (and CPU utilization and temperature for M96 and above).
+
+ Setting the policy to Disabled means enrolled devices don’t report any CPU information.
+ Exception CPU utilization and temperature reporting is controlled by ReportDeviceHardwareStatus for M95 and below.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device CPU info reporting
+ value: true
+- caption: Disable device CPU info reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:81-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceCrashReportInfo.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceCrashReportInfo.yaml
new file mode 100755
index 000000000..bbb486d07
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceCrashReportInfo.yaml
@@ -0,0 +1,29 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report information about crash reports.
+desc: |-
+ Report information related to crash reports, such as remote id,
+ capture timestamp and cause.
+
+ If the policy is set to false or left unset, the crash report information
+ will not be reported. If set to true, crash report information will be
+ reported.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device crash report information reporting
+ value: true
+- caption: Disable device crash report information reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:83-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceFanInfo.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceFanInfo.yaml
new file mode 100755
index 000000000..0d26d4903
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceFanInfo.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report fan info
+desc: |-
+ Report a device's fan information.
+
+ If the policy is set to false or left unset, the information will not be reported.
+ If set to true, the device's fan information will be reported.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device fan info reporting
+ value: true
+- caption: Disable device fan info reporting
+ value: false
+owners:
+- cros-reporting-team@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:85-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceGraphicsStatus.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceGraphicsStatus.yaml
new file mode 100755
index 000000000..33bab2232
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceGraphicsStatus.yaml
@@ -0,0 +1,29 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report display and graphics statuses
+desc: |-
+ Report information related to display, such as refresh rate, and
+ information related to graphics, such as driver version.
+
+ If the policy is set to false or left unset, the display and graphics
+ statuses will not be reported. If set to true, display and graphics
+ statuses will be reported.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device graphics status reporting
+ value: true
+- caption: Disable device graphics status reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:81-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceHardwareStatus.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceHardwareStatus.yaml
new file mode 100755
index 000000000..d745b3c67
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceHardwareStatus.yaml
@@ -0,0 +1,30 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report hardware status
+deprecated: true
+desc: |-
+ This policy is deprecated as of M96. Please use ReportDeviceCpuInfo, ReportDeviceMemoryInfo, ReportDeviceStorageStatus, ReportDeviceSecurityStatus, and ReportDeviceAudioStatus instead.
+
+ Setting the policy to Enabled or leaving it unset has enrolled devices report hardware statistics such as CPU/RAM usage.
+
+ Setting the policy to Disabled means enrolled devices don't report the hardware statistics.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device hardware status reporting
+ value: true
+- caption: Disable device hardware status reporting
+ value: false
+owners:
+- cros-reporting-team@google.com
+- lbaraz@chromium.org
+- antrim@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:42-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceLocation.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceLocation.yaml
new file mode 100755
index 000000000..5a48f526c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceLocation.yaml
@@ -0,0 +1,29 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report device location
+deprecated: true
+desc: |-
+ This policy is deprecated.
+
+ Setting the policy to Enabled has enrolled devices periodically report their location.
+
+ Setting the policy to Disabled or leaving it unset means enrolled devices don't report their location.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+future_on:
+- chrome_os
+items:
+- caption: Enable device location reporting
+ value: true
+- caption: Disable device location reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
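Review bot: The deprecation note `This policy is deprecated.` gives neither a milestone nor a replacement, unlike ReportDeviceHardwareStatus and ReportDeviceNetworkInterfaces, which name both. The entry also has `future_on: chrome_os` and no `supported_on`, which suggests the policy is not active on any released version, but the description does not say so. For a setting that controls location reporting, that should be explicit. If it is indeed the case, the first line of `desc` could read `This policy is deprecated and is not supported on any released version.`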
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceLoginLogout.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceLoginLogout.yaml
new file mode 100755
index 000000000..ca1f1e99c
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceLoginLogout.yaml
@@ -0,0 +1,28 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report login/logout
+default: false
+desc: |-
+ Report users login/logout events on enrolled devices including failed logins.
+
+ If the policy is set to false or left unset, the information will not be reported.
+ If set to true, the device's login/logout events will be reported.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Report login/logout events
+ value: true
+- caption: Do not report login/logout events
+ value: false
+owners:
+- anasr@google.com
+- cros-reporting-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:96-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceMemoryInfo.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceMemoryInfo.yaml
new file mode 100755
index 000000000..ddd2ff2d8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceMemoryInfo.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report memory info
+desc: |-
+ This policy is set to Enabled by default. It controls the enrolled devices to report the memory information.
+
+ Setting the policy to Disabled means enrolled devices don’t report any memory information.
+ Exception: free memory information is controlled by ReportDeviceHardwareStatus for M95 or below.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device memory info reporting
+ value: true
+- caption: Disable device memory info reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:83-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkConfiguration.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkConfiguration.yaml
new file mode 100755
index 000000000..4054e883a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkConfiguration.yaml
@@ -0,0 +1,28 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report network configuration
+default: true
+desc: |-
+ Report users network configuration on enrolled devices.
+
+ If the policy is set to false, the information will not be reported.
+ If set to true or unset, the device's network configuration will be reported.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Report network configuration
+ value: true
+- caption: Do not report network configuration
+ value: false
+owners:
+- tylergarrett@google.com
+- cros-reporting-team@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:96-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkInterfaces.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkInterfaces.yaml
new file mode 100755
index 000000000..a4c554dcf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkInterfaces.yaml
@@ -0,0 +1,29 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report device network interfaces
+deprecated: true
+desc: |-
+ This policy is deprecated in M96. Please use ReportDeviceNetworkConfiguration and ReportDeviceNetworkStatus instead.
+
+ Setting the policy to Enabled or leaving it unset has enrolled devices report the list of network interfaces with their types and hardware addresses.
+
+ Setting the policy to Disabled means enrolled devices don't report the network interface.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device network interface reporting
+ value: true
+- caption: Disable device network interface reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:29-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkStatus.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkStatus.yaml
new file mode 100755
index 000000000..c33f88d56
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkStatus.yaml
@@ -0,0 +1,28 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report network status
+default: true
+desc: |-
+ Report users network status on enrolled devices.
+
+ If the policy is set to false, the information will not be reported.
+ If set to true or unset, the device's network status will be reported.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Report network status
+ value: true
+- caption: Do not report network status
+ value: false
+owners:
+- tylergarrett@google.com
+- cros-reporting-eng@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:96-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkTelemetryCollectionRateMs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkTelemetryCollectionRateMs.yaml
new file mode 100755
index 000000000..55761a99d
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkTelemetryCollectionRateMs.yaml
@@ -0,0 +1,25 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Network telemetry collection rate in milliseconds.
+default: 3600000
+desc: |-
+ Rate at which network data is sampled and collected. The minimum allowed is 1 minute.
+
+ If not set, the default rate of 10 minutes applies.
+device_only: true
+example_value: 600000
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ unlisted: true
+owners:
+- anasr@google.com
+- cros-reporting-eng@google.com
+schema:
+ minimum: 60000
+ type: integer
+supported_on:
+- chrome_os:103-
+tags:
+- admin-sharing
+type: int
+generate_device_proto: False
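Review bot: `default: 3600000` is 60 minutes, but the description says "the default rate of 10 minutes applies" and `example_value` is 600000, so the metadata and the documentation disagree about how often network telemetry is collected on an unconfigured device. Either change the sentence to `If not set, the default rate of 60 minutes applies.` or set `default: 600000`, whichever matches the implementation (not visible in this patch). The ReportDeviceNetworkTelemetryEventCheckingRateMs hunk that follows has the same mismatch: `default: 600000` (10 minutes) against "the default rate of 1 minute".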
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkTelemetryEventCheckingRateMs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkTelemetryEventCheckingRateMs.yaml
new file mode 100755
index 000000000..56ac63378
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceNetworkTelemetryEventCheckingRateMs.yaml
@@ -0,0 +1,25 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Network events checking rate in milliseconds.
+default: 600000
+desc: |-
+ Rate at which network data is polled and checked for events. The minimum allowed is 1 minute.
+
+ If not set, the default rate of 1 minute applies.
+device_only: true
+example_value: 60000
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ unlisted: true
+owners:
+- anasr@google.com
+- cros-reporting-eng@google.com
+schema:
+ minimum: 60000
+ type: integer
+supported_on:
+- chrome_os:103-
+tags:
+- admin-sharing
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceOsUpdateStatus.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceOsUpdateStatus.yaml
new file mode 100755
index 000000000..5f01bef02
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceOsUpdateStatus.yaml
@@ -0,0 +1,29 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report OS update status
+desc: |-
+ Report OS update information such as update status, platform version,
+ last update check and last reboot.
+
+ If the policy is set to false or left unset, the OS update information will not be
+ reported. If set to true, OS update information will be reported.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device OS update status reporting
+ value: true
+- caption: Disable device OS update status reporting
+ value: false
+owners:
+- cros-reporting-team@google.com
+- lbaraz@chromium.org
+- anqing@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:79-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDevicePeripherals.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDevicePeripherals.yaml
new file mode 100755
index 000000000..f03b694ed
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDevicePeripherals.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report peripheral details
+default: false
+desc: |-
+ Setting the policy to True has enrolled devices report information related to peripherals that are plugged into the device.
+
+ Setting the policy to False or leaving it unset means enrolled devices don't report peripherals information.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Report information about peripherals that are plugged into the device
+ value: true
+- caption: Do not report information about peripherals that are plugged into the device
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:101-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDevicePowerStatus.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDevicePowerStatus.yaml
new file mode 100755
index 000000000..3135efa45
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDevicePowerStatus.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report power status
+desc: |-
+ Setting the policy to Enabled has enrolled devices report hardware statistics and identifiers related to power.
+
+ Setting the policy to Disabled or leaving it unset means enrolled devices don't report power statistics.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device power status reporting
+ value: true
+- caption: Disable device power status reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+- antrim@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:73-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDevicePrintJobs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDevicePrintJobs.yaml
new file mode 100755
index 000000000..d1e77e836
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDevicePrintJobs.yaml
@@ -0,0 +1,29 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report print jobs
+default: false
+desc: |-
+ Report a device's print jobs.
+
+ If the policy is set to false or left unset, the information will not be reported.
+ If set to true, the device's print jobs will be reported.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Report print jobs
+ value: true
+- caption: Do not report print jobs
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+- mattme@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:91-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSecurityStatus.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSecurityStatus.yaml
new file mode 100755
index 000000000..550043cdf
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSecurityStatus.yaml
@@ -0,0 +1,28 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report device security status
+default: false
+desc: |-
+ Setting the policy to enabled reports device TPM security status.
+
+ Setting the policy to Disabled or leaving it unset means enrolled devices don't record or report TPM security status.
+ Exception: TPM information is controlled by ReportDeviceHardwareStatus for M95 and below.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Report security status
+ value: true
+- caption: Do not report security status
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- tylergarrett@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:96-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSessionStatus.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSessionStatus.yaml
new file mode 100755
index 000000000..ebaab5ba2
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSessionStatus.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report information about active kiosk sessions
+desc: |-
+ Setting the policy to Enabled or leaving it unset has enrolled devices report the active kiosk session information such as application ID and version.
+
+ Setting the policy to Disabled means enrolled devices don't report kiosk session information.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device kiosk session reporting
+ value: true
+- caption: Disable device kiosk session reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+- antrim@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:42-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
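Review bot: The `desc` says that leaving this policy unset has enrolled devices report kiosk session information, but the file declares no `default` key and shows `example_value: false`, so the on-by-default reporting is stated only in prose. ReportDevicePrintJobs.yaml and ReportDeviceSecurityStatus.yaml in the same directory spell out `default: false`; adding `default: true` here would make the unset behaviour visible to anyone auditing the templates for data that is collected without an explicit opt-in. The same gap appears in ReportDeviceStorageStatus.yaml, ReportDeviceUsers.yaml and ReportDeviceVersionInfo.yaml. Whether the policy generator reads `default` for device policies is not visible in this patch, so confirm that before adding it; if these files only mirror an upstream tree, the fix belongs there.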
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSignalStrengthEventDrivenTelemetry.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSignalStrengthEventDrivenTelemetry.yaml
new file mode 100755
index 000000000..990fa26f3
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSignalStrengthEventDrivenTelemetry.yaml
@@ -0,0 +1,39 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Telemetry data to report on signal strength event.
+desc: |-
+ List of telemetry data to be reported on signal strength change events.
+
+ Each telemetry data specified will only be reported if it was not disabled by its controlling policy.
+ Controlling policy for https_latency and network_telemetry is ReportDeviceNetworkStatus.
+
+ If not set, no additional telemetry data will be reported on signal strength change events.
+device_only: true
+example_value:
+- https_latency
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ unlisted: true
+future_on:
+- chrome_os
+items:
+- caption: Network Telemetry
+ name: network_telemetry
+ value: network_telemetry
+- caption: Https Latency
+ name: https_latency
+ value: https_latency
+owners:
+- anasr@google.com
+- cros-reporting-eng@google.com
+schema:
+ items:
+ enum:
+ - network_telemetry
+ - https_latency
+ type: string
+ type: array
+tags:
+- admin-sharing
+type: string-enum-list
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceStorageStatus.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceStorageStatus.yaml
new file mode 100755
index 000000000..ce5326f16
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceStorageStatus.yaml
@@ -0,0 +1,28 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report storage status
+desc: |-
+ This policy is set to Enabled by default. It controls the enrolled devices to report hardware statistics and identifiers for storage devices.
+
+ Setting the policy to Disabled means enrolled devices don't report storage statistics.
+ Eexception: Disk size and disk free space is controlled by ReportDeviceHardwareStatus for M95 and below.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device storage status reporting
+ value: true
+- caption: Disable device storage status reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+- antrim@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:73-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
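Review bot: `Eexception:` in the last line of `desc` is a typo; ReportDeviceSecurityStatus.yaml opens the equivalent sentence with `Exception:`. The line should read `Exception: Disk size and disk free space is controlled by ReportDeviceHardwareStatus for M95 and below.` This text presumably ends up in administrator-facing policy documentation, and it is the only place that tells an administrator which policy governs disk-size reporting on older releases.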
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSystemInfo.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSystemInfo.yaml
new file mode 100755
index 000000000..73216788b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceSystemInfo.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report system info
+desc: |-
+ Report a device's system information.
+
+ If the policy is set to false or left unset, the information will not be reported.
+ If set to true, the device's system information will be reported.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device system info reporting
+ value: true
+- caption: Disable device system info reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:86-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceTimezoneInfo.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceTimezoneInfo.yaml
new file mode 100755
index 000000000..7266d6721
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceTimezoneInfo.yaml
@@ -0,0 +1,27 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report Timezone info
+desc: |-
+ Report information for a device's timezone.
+
+ If the policy is set to false or left unset, the information will not be reported.
+ If set to true, the device's currently set timezone will be reported.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device timezone info reporting
+ value: true
+- caption: Disable device timezone info reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:83-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceUsers.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceUsers.yaml
new file mode 100755
index 000000000..81b2a6109
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceUsers.yaml
@@ -0,0 +1,29 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report device users
+desc: |-
+ Setting the policy to Enabled or leaving it unset has enrolled devices report the list of device users that signed in recently.
+
+ Setting the policy to Disabled means enrolled devices don't report the list of users.
+
+ When DeviceEphemeralUsersEnabled is enabled, ReportDeviceUsers is ignored and will always be disabled.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device users reporting
+ value: true
+- caption: Disable device users reporting
+ value: false
+owners:
+- stepco@chromium.org
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:32-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceVersionInfo.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceVersionInfo.yaml
new file mode 100755
index 000000000..464b4f74f
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceVersionInfo.yaml
@@ -0,0 +1,26 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report OS and firmware version
+desc: |-
+ Setting the policy to Enabled or leaving it unset has enrolled devices periodically report their OS and firmware version.
+
+ Setting the policy to Disabled means enrolled devices don't report version info.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device version info reporting
+ value: true
+- caption: Disable device version info reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:18-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceVpdInfo.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceVpdInfo.yaml
new file mode 100755
index 000000000..480438d11
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportDeviceVpdInfo.yaml
@@ -0,0 +1,28 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Report VPD info
+desc: |-
+ Report a device's VPD information.
+
+ If the policy is set to false or left unset, the information will not be reported.
+ If set to true, the device's VPD information will be reported.
+ Vital Product Data (VPD) is a collection of configuration and informational data (such as part and serial numbers) associated with the device.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+items:
+- caption: Enable device VPD info reporting
+ value: true
+- caption: Disable device VPD info reporting
+ value: false
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ type: boolean
+supported_on:
+- chrome_os:85-
+tags:
+- admin-sharing
+type: main
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportUploadFrequency.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportUploadFrequency.yaml
new file mode 100755
index 000000000..55b1d4b5b
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportUploadFrequency.yaml
@@ -0,0 +1,22 @@
+arc_support: This policy has no effect on the logging done by Android.
+caption: Frequency of device status report uploads
+desc: |-
+ Setting the policy determines how frequently to send device status uploads, in milliseconds. The minimum allowed is 60 seconds.
+
+ If not set, the default interval of 3 hours applies.
+device_only: true
+example_value: 10800000
+features:
+ dynamic_refresh: true
+owners:
+- cros-reporting-eng@google.com
+- lbaraz@chromium.org
+schema:
+ minimum: 60000
+ type: integer
+supported_on:
+- chrome_os:42-
+tags:
+- admin-sharing
+type: int
+generate_device_proto: False
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteActivityAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteActivityAllowlist.yaml
new file mode 100755
index 000000000..25950ea61
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteActivityAllowlist.yaml
@@ -0,0 +1,28 @@
+caption: Website activity reporting allowlist
+default: []
+desc: |-
+ Allowlist that controls website activity reporting for affiliated users.
+
+ Setting the policy controls website URL opened and closed event reporting for allowlisted URLs.
+ If unset, no website events will be reported.
+ For detailed information on valid URL patterns, see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Only HTTP and HTTPS URL schemes are allowed for this policy.
+example_value:
+- 'example.com'
+- 'https://ssl.server.com'
+- '[*.]google.com'
+- 'https://server:8080/path'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- vshenvi@google.com
+- cros-reporting-eng@google.com
+schema:
+ type: array
+ items:
+ type: string
+supported_on:
+- chrome_os:123-
+tags:
+- admin-sharing
+type: list
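Review bot: The restriction stated in `desc`, `Only HTTP and HTTPS URL schemes are allowed for this policy`, is not expressed in the schema, which accepts any string, and the first example entry `example.com` carries no scheme at all. From the template alone an administrator cannot tell whether an entry with another scheme is dropped or invalidates the whole list, which matters because every matching URL turns on open/close event reporting for the user. I would add one sentence to `desc` stating the handling, for example `Entries with any other scheme are ignored.`, once the actual behaviour is confirmed in the policy handler, which is not part of this patch. ReportWebsiteTelemetryAllowlist.yaml has the same wording and schema.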
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteTelemetry.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteTelemetry.yaml
new file mode 100755
index 000000000..786593bc1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteTelemetry.yaml
@@ -0,0 +1,30 @@
+caption: Website telemetry reporting
+default: []
+desc: |-
+ Reports website telemetry data for allowed URLs specified by the ReportWebsiteTelemetryAllowlist policy for affiliated users.
+
+ Setting the policy controls website telemetry reporting for specified telemetry data types.
+ If unset, no website telemetry data will be reported.
+example_value:
+- usage
+features:
+ dynamic_refresh: true
+ per_profile: true
+items:
+- caption: Usage
+ value: usage
+ name: usage
+owners:
+- vshenvi@google.com
+- cros-reporting-eng@google.com
+schema:
+ type: array
+ items:
+ type: string
+ enum:
+ - usage
+supported_on:
+- chrome_os:123-
+tags:
+- admin-sharing
+type: string-enum-list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteTelemetryAllowlist.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteTelemetryAllowlist.yaml
new file mode 100755
index 000000000..ca4522c1e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteTelemetryAllowlist.yaml
@@ -0,0 +1,28 @@
+caption: Website telemetry reporting allowlist
+default: []
+desc: |-
+ Allowlist that controls website telemetry reporting for affiliated users. Telemetry data types being reported are controlled by the ReportWebsiteTelemetry policy.
+
+ Setting the policy controls website telemetry reporting for allowlisted URLs.
+ If unset, no website telemetry will be reported.
+ For detailed information on valid URL patterns, see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Only HTTP and HTTPS URL schemes are allowed for this policy.
+example_value:
+- 'example.com'
+- 'https://ssl.server.com'
+- '[*.]google.com'
+- 'https://server:8080/path'
+features:
+ dynamic_refresh: true
+ per_profile: true
+owners:
+- vshenvi@google.com
+- cros-reporting-eng@google.com
+schema:
+ type: array
+ items:
+ type: string
+supported_on:
+- chrome_os:123-
+tags:
+- admin-sharing
+type: list
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteTelemetryCollectionRateMs.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteTelemetryCollectionRateMs.yaml
new file mode 100755
index 000000000..dd082f431
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/ReportWebsiteTelemetryCollectionRateMs.yaml
@@ -0,0 +1,23 @@
+caption: Website telemetry collection rate in milliseconds.
+default: 900000
+desc: |-
+ Rate at which website telemetry data is collected on enrolled devices for affiliated users. The minimum allowed is 5 minutes.
+
+ If not set, the default rate of 15 minutes applies.
+example_value: 900000
+features:
+ cloud_only: true
+ dynamic_refresh: true
+ per_profile: true
+ unlisted: true
+owners:
+- vshenvi@google.com
+- cros-reporting-team@google.com
+schema:
+ minimum: 300000
+ type: integer
+supported_on:
+- chrome_os:123-
+tags:
+- admin-sharing
+type: int
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/policy_atomic_groups.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/policy_atomic_groups.yaml
new file mode 100755
index 000000000..e53f8272e
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/UserAndDeviceReporting/policy_atomic_groups.yaml
@@ -0,0 +1,43 @@
+UserAndDeviceReporting:
+ caption: User and device reporting
+ policies:
+ - EnableDeviceGranularReporting
+ - ReportDeviceVersionInfo
+ - ReportDeviceBootMode
+ - ReportDeviceUsers
+ - ReportDeviceActivityTimes
+ - ReportDeviceAudioStatus
+ - ReportDeviceLocation
+ - ReportDeviceNetworkConfiguration
+ - ReportDeviceNetworkInterfaces
+ - ReportDeviceNetworkStatus
+ - ReportDeviceHardwareStatus
+ - ReportDeviceSessionStatus
+ - ReportDeviceGraphicsStatus
+ - ReportDeviceCrashReportInfo
+ - ReportDeviceOsUpdateStatus
+ - ReportDeviceBoardStatus
+ - ReportDeviceCpuInfo
+ - ReportDeviceTimezoneInfo
+ - ReportDeviceMemoryInfo
+ - ReportDeviceBacklightInfo
+ - ReportDevicePeripherals
+ - ReportDevicePowerStatus
+ - ReportDeviceSecurityStatus
+ - ReportDeviceStorageStatus
+ - ReportDeviceAppInfo
+ - ReportDeviceBluetoothInfo
+ - ReportDeviceFanInfo
+ - ReportDeviceVpdInfo
+ - ReportDeviceSystemInfo
+ - ReportDevicePrintJobs
+ - ReportDeviceLoginLogout
+ - DeviceReportRuntimeCounters
+ - ReportUploadFrequency
+ - ReportArcStatusEnabled
+ - HeartbeatEnabled
+ - HeartbeatFrequency
+ - LogUploadEnabled
+ - DeviceMetricsReportingEnabled
+ - DeviceReportXDREvents
+ - DeviceExtensionsSystemLogEnabled
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/WilcoDtc/.group.details.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/WilcoDtc/.group.details.yaml
new file mode 100755
index 000000000..8b4c453c8
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/WilcoDtc/.group.details.yaml
@@ -0,0 +1,2 @@
+caption: Wilco DTC
+desc: Controls wilco diagnostics and telemetry controller settings.
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/WilcoDtc/DeviceWilcoDtcAllowed.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/WilcoDtc/DeviceWilcoDtcAllowed.yaml
new file mode 100755
index 000000000..7dee25b0a
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/WilcoDtc/DeviceWilcoDtcAllowed.yaml
@@ -0,0 +1,29 @@
+caption: Allows wilco diagnostics and telemetry controller
+deprecated: true
+desc: |-
+ Setting the policy to Enabled when wilco diagnostics and telemetry controller (DTC) is available on the device turns collecting, processing, and reporting of telemetry and diagnostics data on.
+
+ Setting the policy to Disabled or leaving it unset turns DTC off. It can't collect, process, or report telemetry and diagnostics data from the device.
+device_only: true
+example_value: false
+features:
+ dynamic_refresh: true
+ per_profile: false
+items:
+- caption: Enable the wilco diagnostics and telemetry controller
+ value: true
+- caption: Disable the wilco diagnostics and telemetry controller
+ value: false
+owners:
+- bkersting@google.com
+- kerker@chromium.org
+- chungsheng@google.com
+- byronlee@chromium.org
+- chromeos-oem-services@google.com
+schema:
+ type: boolean
+supported_on:
+- chrome_os:74-122
+tags: []
+type: main
+generate_device_proto: False
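Review bot: `tags: []` leaves this policy without a risk tag even though its `desc` says that enabling it `turns collecting, processing, and reporting of telemetry and diagnostics data on`. The `admin-sharing` tag defined in risk_tag_definitions.yaml later in this patch covers policies that let an administrator gather information about the device, and the reporting policies visible in this part of the patch all carry it; `tags:` followed by `- admin-sharing` would keep the user-facing risk disclosure consistent. DeviceWilcoDtcConfiguration.yaml also has `tags: []`. Both policies are marked `deprecated: true` with `supported_on` ending at 122, so this matters mainly for builds that still honour them.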
diff --git a/tools/under-control/src/components/policy/resources/templates/policy_definitions/WilcoDtc/DeviceWilcoDtcConfiguration.yaml b/tools/under-control/src/components/policy/resources/templates/policy_definitions/WilcoDtc/DeviceWilcoDtcConfiguration.yaml
new file mode 100755
index 000000000..6d2f05acb
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/policy_definitions/WilcoDtc/DeviceWilcoDtcConfiguration.yaml
@@ -0,0 +1,32 @@
+caption: Wilco DTC configuration
+deprecated: true
+desc: |-
+ Setting the policy configures the wilco diagnostics and telemetry controller (DTC), if available on the device. The setup size can't exceed 1MB (1,000,000 bytes) and must be in JSON format. The wilco DTC is responsible for handling it. The cryptographic hash verifies the integrity of the download. The configuration is downloaded and cached. It's redownloaded whenever the URL or the hash changes.
+
+ If you set this policy, users can't change it.
+device_only: true
+example_value:
+ hash: deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+ url: https://example.com/wilcodtcconfig
+features:
+ dynamic_refresh: true
+ per_profile: false
+max_size: 1000000
+owners:
+- bkersting@google.com
+- kerker@chromium.org
+- chungsheng@google.com
+- byronlee@chromium.org
+- chromeos-oem-services@google.com
+schema:
+ properties:
+ hash:
+ type: string
+ url:
+ type: string
+ type: object
+supported_on:
+- chrome_os:75-122
+tags: []
+type: external
+generate_device_proto: False
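Review bot: The schema declares `hash` and `url` as unconstrained strings with no `required` list, so nothing in the template enforces that a value carries a hash at all, although `desc` relies on it: `The cryptographic hash verifies the integrity of the download`. If the template schema dialect supports it, adding `required:` with `- hash` and `- url` under `schema` would make a value without a hash fail validation. The `desc` should also name the hash algorithm; the 64-hex-digit example suggests SHA-256, but that is not stated. The `url` is likewise not limited to `https`, so the hash check would be the only protection for the downloaded configuration. Validation may also happen in the external-data fetcher, which is outside this patch.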
diff --git a/tools/under-control/src/components/policy/resources/templates/risk_tag_definitions.yaml b/tools/under-control/src/components/policy/resources/templates/risk_tag_definitions.yaml
new file mode 100755
index 000000000..b536c52c1
--- /dev/null
+++ b/tools/under-control/src/components/policy/resources/templates/risk_tag_definitions.yaml
@@ -0,0 +1,54 @@
+admin-sharing:
+ description: |-
+ Policies with this tag enable an administrator to log
+ the user's activity or traffic.
+ user-description: Policy configured by your administrator might allow them to gather
+ general information about your device and your activity.
+filtering:
+ description: |-
+ Policies with this tag can restrict the information a
+ user can query from the world-wide web. This includes blocked websites,
+ enforced search settings and partly data synchronization.
+ user-description: Your administrator has set up policy that may restrict your access
+ to websites, services or search results.
+full-admin-access:
+ description: |-
+ Policies with this tag enable an administrator to
+ execute arbitrary code or configure a machine in a way that a
+ man-in-the-middle situation can occur.
+ user-description: |-
+ Your administrator has set up certificates or applications that could potentially access all of your data.
+ This could possibly allow inspecting and modifying all data sent and received by Chrome.
+google-sharing:
+ description: |-
+ Set policies might enforce sharing data with google,
+ like crash reports or history.
+ user-description: |-
+ There are policies set by your administrator which can affect the communication with Google services.
+ Therefore, some services could either be unreachable or you might not be able to restrict sent data.
+local-data-access:
+ description: |-
+ Policies with this tag can cause storing data to or
+ reading data from a local file system without the user's knowledge. This
+ includes import of existing settings to the cloud or avoiding clean-up of
+ local history data.
+ user-description: Your administrator has set up policy that could cause private
+ data to be imported from your system or could cause private data to be written
+ to an admin-specified place.
+system-security:
+ description: |-
+ Policies with this tag can make the user vulnerable
+ against attacks which are not possible when the policies are unset.
+ This includes execution of deprecated code or unsafe configuration of
+ network settings and proxies.
+ user-description: Policy set by your administrator could enable functionality that
+ is outdated or that could reduce the security of the system in other ways.
+website-sharing:
+ description: |-
+ Setting Policies with this tag will allow sharing
+ information with a server that would normally not be allowed.
+ Those information can include geolocation, audio/video device inputs or
+ data that can be used to identify the user.
+ user-description: |-
+ Policy set by your administrator could enable sharing of data with websites.
+ Some of these data might suffice to identify you or could be used to record private information.
--
GitLab