Jamf Nation Community

You can white list it via mcx.

Thats what i do using Work Group Manager.

Also i successfully snapshot using Composer, then set the autoupdater with the local admin details.

Now i never ever have to package and redeploy Chrome ever again. Mozilla could learn a lot form Google rather than spending time on pointless GUI rubbish.

@mm2270

That didn't work for me, even if I white listed that or removed it it was still coming up. I found that "ksadmin" comes up from inside google chrome, the keystone or self updater framework...

/Applications/Google Chrome.app/Contents/Versions/18.0.1025.168/Google Chrome Framework.framework/Frameworks/KeystoneRegistration.framework/

this was my problem with ksadmin coming up asking for privileges

Thanks for the replies. With that command is the $3 supposed to be some sort of wild card to make it delete this file from every user's folder? Because thats the kind of thing I need. I did try running this command but it said no such file existed after trying to run the command. I could do a "rm path/to/file" way, and it works for one computer, but with 150+ computers and all different usernames it would take forever to get this done without a wildcard or variable of some sort.

I could allow this to run, but thats not ideal. My job is to make sure all software updates and such work before the users get their hands on them. I know its unlikely Chrome would mess something up, but that one in a thousand chance can be a major headache if it happens.

And I know there are no negative side effects, its what many people do. I just somehow missed it in my Chrome and Sketchup packages when I built my image and created more work for myself

Yeah, I originally missed deleting this file:
/Applications/Google Chrome.app/Contents/Versions/18.0.1025.168/Google Chrome Framework.framework/Frameworks/KeystoneRegistration.framework/

which is what puts ksadmin in place. I have created policies to get rid of that framework file that does the placement of ksadmin, but now I need to remove ksadmin from the computers that have already launched a Google application

Yes, the $3 variable is a placeholder for the username, but it only works from a Login or Self Service policy, and I think one other method I can't remember now.
When you got the 'no such file' error, were you attempting to run it from Casper Remote? If so, that won't work. As I said, set it up as a Login policy and try it on one of the Macs that you know has the file.

Another way to get the logged in user is to capture it to a variable with something like-

/usr/bin/who | ak '/console/{print $1}'

or

ls -l /dev/console | awk '{print $3}'

Capturing it that way will allow you to run it from anything including Casper Remote and it should work.
If you'd like to try it from Remote without uploading a script, do this-

rm /Users/$(/usr/bin/who | awk '/console/{print $1}')/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksadmin

Any of the above will only work when someone is logged in though. It could be scripted to run against all user folders on the system, but it might be better to have it run when someone logs in.

That last script worked like a charm thank you very much for the help!

I am copying and pasting that bottom script into Apple Script Editor and trying to save it. I get an error when I save it and it says "Syntax error, expected expression but found unknown token" and it highlights the $ sign at the beginning. This is what I'm putting in the editor...
rm /Users/$(/usr/bin/who | awk '/console/{print $1}')/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksadmin

What am I doing wrong?

I remember working on this long and hard. I also control where apps launch. They key is NOT to delete files but work on getting the correct white list raw path. It depends how you are implementing mcx to be able to work it out.

I used WGM on a 10.6.8 vanilla build just with WGM and Google chrome. Setting up autoupdates in Chrome and looking at the local node in WGM.

Set App control through wgm white lists. You need to white list the entire path for ksadmin for it to work!

/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/

Reboot

Launched old version of Goolgle chrome and looked at about and it automatically updated.

You can then take the plist for the mcx and upload it to Casper or use mcxtoprofile to create a config profile for 10.8

Be warned for 10.8 app control config profiles there is a bug where the user will not get the unauthorised app message at all. So for troubleshooting just have a dev box not using config profiles :(

I never ever ever have to repackage chrome ever again. Last time I did was about a year ago and now mines on the latest version even after rebuilding my machine a stupid amount of times :)

Do not give up you can get it working just like I have.

So what exactly is the fix here? I am having the same issue as jkruse, I can't seem to figure it out (I am new at this whole thing...). Is there a way to put the steps down for us less intelligent? (OK, maybe just me). Just need ksadmin to go away...could care less about keeping Chrome up to date for now.

After some tests, keeping Chrome updated is the best solution. I found a killer script here

https://github.com/hjuutilainen/adminscripts/blob/master/chrome-enable-autoupdates.py

#!/usr/bin/env python # encoding: utf-8 """ chrome-enable-autoupdates.py This script enables system wide automatic updates for Google Chrome. It should work for Chrome versions 18 and later. No configuration needed as this is originally intended as a munki postinstall script. Created by Hannes Juutilainen, hjuutilainen@mac.com History: -------- 2012-08-31, Hannes Juutilainen - Added --force flag to keystoneInstall as suggested by Riley Shott 2012-05-29, Hannes Juutilainen - Added more error checking 2012-05-25, Hannes Juutilainen - Added some error checking in main 2012-05-24, Hannes Juutilainen - First version """ import sys import os import getopt import subprocess import plistlib chromePath = "/Applications/Google Chrome.app" infoPlistPath = os.path.realpath(os.path.join(chromePath, 'Contents/Info.plist')) brandPath = "/Library/Google/Google Chrome Brand.plist" brandKey = "KSBrandID" tagPath = infoPlistPath tagKey = "KSChannelID" versionPath = infoPlistPath versionKey = "KSVersion" class Usage(Exception): def init(self, msg): self.msg = msg def chromeIsInstalled(): """Check if Chrome is installed""" if os.path.exists(chromePath): return True else: return False def chromeVersion(): """Returns Chrome version""" infoPlist = plistlib.readPlist(infoPlistPath) bundleShortVersion = infoPlist["CFBundleShortVersionString"] return bundleShortVersion def chromeKSUpdateURL(): """Returns KSUpdateURL from Chrome Info.plist""" infoPlist = plistlib.readPlist(infoPlistPath) KSUpdateURL = infoPlist["KSUpdateURL"] return KSUpdateURL def chromeKSProductID(): """Returns KSProductID from Chrome Info.plist""" infoPlist = plistlib.readPlist(infoPlistPath) KSProductID = infoPlist["KSProductID"] return KSProductID def keystoneRegistrationFrameworkPath(): """Returns KeystoneRegistration.framework path""" keystoneRegistration = os.path.join(chromePath, 'Contents/Versions') keystoneRegistration = os.path.join(keystoneRegistration, chromeVersion()) keystoneRegistration = os.path.join(keystoneRegistration, 'Google Chrome Framework.framework') keystoneRegistration = os.path.join(keystoneRegistration, 'Frameworks/KeystoneRegistration.framework') return keystoneRegistration def keystoneInstall(): """Install the current Keystone""" installScript = os.path.join(keystoneRegistrationFrameworkPath(), 'Resources/install.py') keystonePayload = os.path.join(keystoneRegistrationFrameworkPath(), 'Resources/Keystone.tbz') if os.path.exists(installScript) and os.path.exists(keystonePayload): retcode = subprocess.call([installScript, '--install', keystonePayload, '--root', '/', '--force']) if retcode == 0: return True else: return False else: print >> sys.stderr, "Error: KeystoneRegistration.framework not found" return False def removeChromeFromKeystone(): """Removes Chrome from Keystone""" ksadmin = "/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksadmin" ksadminProcess = [ ksadmin, '--delete', '--productid', chromeKSProductID()] retcode = subprocess.call(ksadminProcess) if retcode == 0: return True else: return False def registerChromeWithKeystone(): """Registers Chrome with Keystone""" ksadmin = "/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksadmin" if os.path.exists(ksadmin): ksadminProcess = [ksadmin, '--register', '--preserve-tttoken', '--productid', chromeKSProductID(), '--version', chromeVersion(), '--xcpath', chromePath, '--url', chromeKSUpdateURL(), '--tag-path', tagPath, '--tag-key', tagKey, '--brand-path', brandPath, '--brand-key', brandKey, '--version-path', versionPath, '--version-key', versionKey] retcode = subprocess.call(ksadminProcess) if retcode == 0: return True else: return False else: print >> sys.stderr, "Error: %s doesn't exist" % ksadmin return False def main(argv=None): if argv is None: argv = sys.argv try: # Check for root if os.geteuid() != 0: print >> sys.stderr, "This script must be run as root" return 1 if not chromeIsInstalled(): print >> sys.stderr, "Error: Chrome is not installed on this computer" return 1 if keystoneInstall(): print "Keystone installed" else: print >> sys.stderr, "Error: Keystone install failed" return 1 if registerChromeWithKeystone(): print "Registered Chrome with Keystone" return 0 else: print >> sys.stderr, "Error: Failed to register Chrome with Keystone" return 1 except Usage, err: print >>sys.stderr, err.msg print >>sys.stderr, "for help use --help" return 2 if name == "main": sys.exit(main())

I just run this on every machine and now every machine keeps chrome updated and no more errors. It is working perfect!!

If you want to get rid or disable the updater run this one
https://github.com/hjuutilainen/adminscripts/blob/master/chrome-disable-autoupdates.py

That is a killer script, worked perfectly! Thanks rpotvin!

I think the script is running fine during the login (once per user) to the machine.

If I run it in terminal I can se the result:

Keystone installed
Registered Chrome with Keystone

But I still get the error message that ksadmin can not be executed when I launch Chrome...

Any help/idea

Thanks

Does the script found on this site https://github.com/hjuutilainen/adminscripts/blob/master/chrome-enable-autoupdates.py work on non-admin accounts? If so, what needs to be whitelisted?

@khatem I use the script on non-admin accounts as-is and it seems to work fine. That's a fantastic script.

Thanks for the quick response. I ran the script successfully on a student laptop. But when logged in as a local user, I'm getting the message: You don't have permission to use the application "ksfetch." I obviously have something blacklisting the path. Any help would be appreciated. I did whitelist the following: /Library/Google/GoogleSoftwareUpdate, ~/Library/Application Support/Google/Chrome/, ~/Library/Application Support/Google/Chrome/tmp, and ~/Library/Google/

Ah, right, I apologize. You just jogged my memory.

I have the same folders whitelisted, but I think ksfetch runs from random locations within the /private/tmp folder. Try whitelisting that, or just /private.

Thanks so much for your help rcastorani. /private folder worked for me.

All of those things worked, but we are now left with the following

You don't have the permission to run the application "ksinstall"

Any ideas?

Thanks

I'd be very wary of whitelisting folders users have write access to. You're giving them permission to run whatever they want from those folders.

We had google update blocked but for some reason it started trying to update again. Google is now putting back Chrome update mechanism if you delete it on Chrome launch. This is how I'm getting around it now, but I'd love recommendations if there is better way to manage.

Delete the software update bundle, put a blank file in it's place with root permission so Google can't write over it. We will continue to patch Chrome on our schedule.

#!/bin/sh

rm -rf /Users/$3/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
touch /Users/$3/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
chown root /Users/$3/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
chmod 644 /Users/$3/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle

/url">@CasperSally][/url
We have auto updates enabled by using :
[https://github.com/hjuutilainen/adminscripts/blob/master/chrome-enable-autoupdates.py
Works really well.

Did you try disabling it using this script:
https://github.com/hjuutilainen/adminscripts/blob/master/chrome-disable-autoupdates.py

Thanks

@Kumarasinghe][/url

That script doesn't work as is anymore. There is no more install.py. There is a ksinstall that some say --uninstall or --nuke should uninstall it, but in my experience google puts back the software update mechanism. So far putting the root only access file in its place seems to fix.

Old thread but in case someone else finds it - Google did update their site with a way to supposedly stop updates. In my testing (chrome 66 and chrome 69), it stops the ksadmin prompts but not the GoogleSoftwareUpdateAgent prompts.

Please consider starring if you'd like to see Chrome stop launching app out of /Users: https://bugs.chromium.org/p/chromium/issues/detail?id=889150