This is most likely the vendor DMG verification feature. If Gatekeeper detects certain apps (Chrome for example) were installed from a DMG that didn't match the vendor DMG exactly it will consider them suspect, what it then does is create a new copy for each user when they run it, which of course plays complete havoc with any doc icons for them.
You can resolve it by packaging up the vendor DMG itself inside a PKG with a postinstall script that mounts it and copies the app across to Applications.
I did something like this for Chrome, it's rather simplistic and I didn't worry about paths very much as I intended it to be post image (if you use it in imagingit has to be set to run on reboot as a result). Packaged up with the /private/tmp/googlechrome.dmg it deletes Chrome from Applications, then mounts the DMG and copies across a new copy.

If JAMF ever get around to supporting vendor drag and drop dmg's directly this problem will just disappear on it's own (hint, hint).

#!/bin/sh

## postinstall



The_DMG="/private/tmp/googlechrome.dmg"



echo

The_Volume=$(hdiutil mount -nobrowse  "$The_DMG" | awk '/Volumes/' | sed -e 's/.*/Volumes//Volumes/g')

if [[ "$The_Volume" ]]; then

echo "The volume is $The_Volume"

The_App=$(ls -1 "$The_Volume" | awk /.app/ | head -n 1)

fi

if [[ "$The_App" ]]; then

echo "The app is $The_App"

echo "Removing previous version from /Applications/$The_App"

rm -rf "/Applications/$The_App"

sleep 2

echo "Copying new version to /Applications/$The_App"

ditto "$The_Volume/$The_App" "/Applications/$The_App"

sleep 2

echo "Fixing permissions on /Applications/$The_App"

chown -R root:admin "/Applications/$The_App"

echo "Ejecting the volume $The_Volume"

hdiutil eject "$The_Volume"

echo "Done"

echo

exit 0      ## Success

else

echo "Failed"

echo

exit 1      ## Failure

fi