How we can achieve this for every newly logged in user. need a script help.

Thanks
Vijju

Disabling the auto update is almost imperative. Today I manually updated to Chrome 58 on my Mac and then discovered that I couldn't establish a secure connection to many of our internal servers. These servers aren't using self-signed certs, but they are issued from our internal CA. It also affects Chrome 58 on Windows machines too. This page kinda explains the problem but I dont know where the solution lies.

Meanwhile I made sure to not push the Chrome 58 update to the Macs until this is resolved. If I had autoupdate enabled, things could get really nasty.

@AVmcclint pretty sure you found this already but just in case...

https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors

oh yeah. The workaround that was offered up back then really was a temporary band-aid because Google said that it would only work through version 65 (I think) after that, all certs would need to be properly built. We had to scramble to get all our server certs updated.

@AVmcclint yep, the real solution is to red internal PKI certs to include SAN.

I had trouble with Google Backup and Sync overriding even with above script in place, so I modified it to not allow write permissions on the whole software update folder. So far so good. I also disabled the launchagent runatload.

#!/bin/sh

rm -rf /Users/$3/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
mkdir -p /Users/$3/Library/Google/GoogleSoftwareUpdate/
touch /Users/$3/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
chown -R root /Users/$3/Library/Google/GoogleSoftwareUpdate
chmod -R 644 /Users/$3/Library/Google/GoogleSoftwareUpdate

Edit: I removed the LaunchAgent part of the script since it was causing issues in our environment.

I use the Jamf Pro Restricted software option to nuke Chrome from updating and it seems to work across the board till Google renames a process. So under Restricted Software create like this;

Display Name: Google Software Update Agent
Process Name: GoogleSoftwareUpdateAgent.app
Restrict exact process name: checked
Delete Application: Not checked
Send email notification on violation: Not checked

Kill process: checked

Scope: All managed clients

End users will get an error when they try to update, they can still manually download a Chrome installer but never update it as long as they are managed by the JSS.

All, looks like as of Chrome 62, keystone.plist can be managed via a profile (this had been deprecated, I think, but is now back it appears). I'm working on testing this now. Great news if it works, I'd love to get away from these scripts to stop the tool from running!

Relevant post

Google reference

Edit: in my testing, the profile stops the ksadmin prompts but not the GoogleSoftwareUpdate prompts :(

Please let me know if anyone has a different experience? Thanks!

Edit: I posted this in the wrong thread. These prompts apply if you restrict where apps can launch from. We don't allow apps to launch out of /Users and hence the prompts. It's possible the profile works fine if you're wiling to let GoogleSoftwareUpdateAgent bundle launch.

More info (star if you'd like to see Chrome stop launching app out of /Users): https://bugs.chromium.org/p/chromium/issues/detail?id=889150