Chrome Browser Cloud Management vs Jamf Manifesto or Config Plists

New Contributor II


I need your help to understand and eventually decide how to best manage Chrome Browser settings (specifically setting a home page, updates, restricting installation of plug-ins while installing specific ones).

My overall plan for Chrome Browser is this:

  • I am going to use a pre-stage configuration profile to install Chrome on new computers. (but I want to install it with the following settings: homepage, plug in, autoupdate on)

  • I need a way to schedule and force push updates for when users do not upgrade Chrome.

  • Make available a Chrome script that uninstalls and re-installs latest version of Chrome in cases when Chrome is causing "issues" and needs to be re-installed on a user's computer. I would like to have this script available in Self-Service at all times.

  • I do not want to use the packaging method.. :(... the more I can automized this with scripts the better!

  • A way to change, control, and deploy Chrome Settings (Jamf Manifesto vs config profiles plist vs Google Cloud Management "CBCM")

So for the plan above... which tools would you recommend? If you have any other tools (not AutoPg) or processes to tackle the above, please share it!!

Thank you in advance for your help!!

  • Chrome Browser Cloud Management
  • Through Jamf pushing a plist configuration profile
  • Adding a JAMF Manifesto


We are a google shop, so much of our Chrome preference is managed through that avenue. I have a script that downloads from web and installs the most recent version for enrollment (from talkingmoose)
There is a pushed by JAMF that allows all updates (but only when user restarts Chrome, but chrome lets them know there's an update)
Uninstall/reinstall: script the removal. But generally it isn't the app that is the problem. I have folks use AppCleaner to get all the guts.
Chrome settings through Gsuite.

New Contributor III

Hi all,

A few things that have changed in the last few months and some things coming down the pipeline that might help you with your management.
We released a universal PKG that we recommend you push down. You can use this support article to get the latest PKG as part of your download:
We worked with Jamf and both the CBCM enrollment token and the Keystone policies can be deployed from the console via the custom settings -> external -> repository section. We are now part of that drop down. Just populate the settings and deploy.
As far as Chrome settings go, we highly recommend the Cloud Console approach as it is the simplest and most user friendly.
Additionally, the Cloud Console can control update behavior on Chrome on Windows, BUT we should have macOS officially join the pack in the next few weeks - waiting on a new Keystone version to launch and then officially all Cloud Console policies for update controls will work on macOS as well.


The download URLs from the support article both come back 404 (stable and beta)
The URL i have in my script is

Is the CBCM the same as the Enterprise Enrollment Token?

Can you elaborate on the Repository section? For Keystone I see there are 3 versions. What is the difference between the 3?

New Contributor II

Hi @robertliebsch

Thank you for your reply and advise!
I am a bit confused about something... why I cannot use the "Chrome update" section from the CBCM to update Chrome? Why the need of the " pushed by JAMF that allows all updates"?

BTW, I also want to set two default homepages when Chrome starts, but I do not want to limit the user from adding more. I noticed that through CBCM once I setup the homepages, the user cannot make any changes :(... I am guessing this is where "" comes handy?

Thank you in advance for you help!!


New Contributor II

Hi @alexbauer !

Thank for your advise... I have a question.... If I use the .pkg then I would need to create a package for every new chrome version and upload it to Jamf... correct? If this is wrong I would appreciate if you can help me understand. What I ended up doing was to use the script that @robertliebsch mentioned, and then I enrolled the device to CBCM (token and everything). I can see the device in GSuite and I can also set the settings.. but with users working from home and using different devices to work (might be their work laptop, or their personal computer at home), what is it recommended, to enroll Chrome Browser at the user level or the device level? I am inclining towards user level because that way no matter what devices the user uses, the Chrome Browser policies will apply... is this correct? Thoughts?

I am asking Robert about why do I cannot use the "CBCM Chrome Updates settings" from the GSuite Admin Console and why to use the "" ... Also, the more I research... the more I see negative issues/problems cause by Keystone in regards with consuming a lot of MACs resources and slowing them down, which I am afraid I have had issues with users complaining about their laptops being slow, and now I am wondering if the cause is Keystone- ""Google Chrome installs something called Keystone on your computer," says the site, "which nefariously hides itself from Activity Monitor and makes your whole computer slow even when Chrome isn't running.".... Wonder if it for updating Chrome would be best to use a script to update Chrome, 1.- Remove Keystone from all computers, 2- make the update script available on Self Service so that users can have the option to manually update it, 2 - push the update on a scheduled weekly basis for users that failed to update manually.

If you can provide any guidance I would really appreciate..

Thank you in advance for your help!