Jamf Nation Community

cainehorr · ‎08-17-2016

Hey everyone...

I wanted to make Google Chrome a part of my automated deployment process and also be available within Self-Service.

Why? Users can just download from Google on their own. True dat. But hey, one-stop shopping in Self-Service, right?

As we all know, Google deploys Chrome via a DMG file. The Google Chrome.app file must be dragged to the /Applications folder.

You could effectively re-package everything using Composer, but then things get REAL STALE, REAL FAST - Google updates Chrome frequently. So stale software is bad software.

So how can we deploy Google Chrome with the freshest of the fresh so we don't get that not-so-fresh feeling?

Well, lemme share my story, morning glory.

.

THE SCRIPT
I wrote a simple script that does the heavy lifting...

I tossed this script into System Settings > Computer Management > Scripts within the JSS...

NOTE: Yes, I am aware that I don't have any error checking taking place. This is v1.1 - quick and dirty. Feel free to add some if you feel the need.

#!/bin/sh

####################################################################################################
#
# Google Chrome Installation Script
#
####################################################################################################
#
# DESCRIPTION
#
# Automatically download and install Google Chrome
#
####################################################################################################
# 
# HISTORY
#
# Created by Caine Hörr on 2016-07-25
#
# v1.1 - 2016-10-11 - Caine Hörr
# Added -nobrowse flag to hdiutil attach /tmp/$VendorDMG command line arguments
# Shout out to Chad Brewer (cbrewer) on JAMFNation for this fix/update
# https://jamfnation.jamfsoftware.com/viewProfile.html?userID=1685
#
# v1.0 - 2016-07-25 - Caine Hörr
# Google Chrome Installation script

# Vendor supplied DMG file
VendorDMG="googlechrome.dmg"

# Download vendor supplied DMG file into /tmp/
curl https://dl.google.com/chrome/mac/stable/GGRO/$VendorDMG -o /tmp/$VendorDMG

# Mount vendor supplied DMG File
hdiutil attach /tmp/$VendorDMG -nobrowse

# Copy contents of vendor supplied DMG file to /Applications/
# Preserve all file attributes and ACLs
cp -pPR /Volumes/Google Chrome/Google Chrome.app /Applications/

# Identify the correct mount point for the vendor supplied DMG file 
GoogleChromeDMG="$(hdiutil info | grep "/Volumes/Google Chrome" | awk '{ print $1 }')"

# Unmount the vendor supplied DMG file
hdiutil detach $GoogleChromeDMG

# Remove the downloaded vendor supplied DMG file
rm -f /tmp/$VendorDMG

.

SMART COMPUTER GROUP
We need a Smart Computer Group so Policy #1 has something to work from...

Computer Group
Display Name = "Google Chrome - Not Installed"
Criteria
[Application Title] [is not] [Google Chrome.app]

.

POLICY #1
This policy makes things happen auto-magically based on the aforementioned Smart Computer Group.

Policy: Options
General
Display Name: "Download & Install Google Chrome"
Enabled = Checked
Triggers = Login, Recurring Check-In, Make Available Offline
Execution Frequency = Ongoing
Make Available Offline = Checked
Scripts
Points to the script in System Settings > Computer Management > Scripts
Priority: After
Maintenance
Update Inventory = Checked

Policy: Scope
Target Computers = Specific Computers
Target Users = Specific Users
Target/Type = "Google Chrome - Not Installed" Smart Computer Group

.

POLICY #2
I wanted a second policy for the sole purpose of Self-Service. I did not want the user's ability to download/install Google Chrome to be hindered within Self-Service by them being out of scope.

Why?

Perhaps the user's version of Chrome isn't updating properly... they can go to Self-Service and download/install at their leisure. There may be other reasons.

Policy: Options
General
Display Name: "Google Chrome (Latest Version)"
Enabled = Checked
Execution Frequency = Ongoing
Make Available Offline = Checked
Scripts
Points to the script in System Settings > Computer Management > Scripts
Priority: After
Maintenance
Update Inventory = Checked

Policy: Scope
Target Computers = All Computers
Target Users = All Users

Policy: Self Service
Make the policy available in Self Service = Checked
Description: Download and install the latest version of Google Chrome
Icon: I ripped the Google Chrome 128x128 icon from the icon file found within the Google Chrome.app
Feature the policy on the main page = Checked

Anyway - That's about it. It's a simple workflow.

Chrome will auto-install on machines without Chrome
Chrome can be manually installed via Self-Service
Chrome will always be fresh when installed

.

Feel free to salt-to-taste - even better if you share your changes.

Cheers!

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

cbrewer · ‎08-17-2016

If you use

hdiutil attach /tmp/$VendorDMG -nobrowse

it will keep the volume from popping up in Finder.

View solution in original post

stevenjklein · ‎12-07-2022

Thanks, @scottlnrd ! I was using an older version of the script (posted by gldc back on 2/7/2019).

I'll give your updated version a try!

Edited (6 hours after I originally posted):

Thanks again, @scottlnrd ! I've just tested this using your updated script, and it worked perfectly!

Here's what I used for Parameter 4:

curl --location https://zoom.us/client/latest/Zoom.pkg?archType=arm64 --output Zoom.pkg

burdett · ‎12-06-2022

Has any one been using Jamf App Catalog, for deploying supported apps like Google Chrome rather then packaging and deploying?
How do you advertise / deploy the apps from the Jamf App Catalog? (Deploy to smart group, some how add to Self Service)
How do you troubleshoot a deployed Jamf App Catalog app like Google Chrome when they fail or are pending?

scottlnrd · ‎12-06-2022

This method does not yet have a Self Service method. So anything you deploy that way will either apply itself to everything in you inventory, or whatever group you apply it to. I use a smart group that looks to see if it exists on the machine and then uses the app catalog to keep it up to date. There are logs you can see when something fails. Not a lot of info, but maybe some clues. It's only given me trouble once deploying Zoom. That seems to have cleared up though.

Until it has a self service option, I use the script in this thread to advertise my self service options via direct download and install.

stevenjklein · ‎12-07-2022

@burdett wrote:
Has any one been using Jamf App Catalog, for deploying supported apps like Google Chrome rather then packaging and deploying?
How do you advertise / deploy the apps from the Jamf App Catalog? (Deploy to smart group, some how add to Self Service)
How do you troubleshoot a deployed Jamf App Catalog app like Google Chrome when they fail or are pending?

I tested the App Catalog for deployment. It works fine to get the first version of any app out to your users, but if it's an app that they keep open all day, then it never gets updated. (Chrome will at least notify users that an update is available, but most apps don't do that.
You shouldn't be packaging Chrome, because your package will become out of date every few weeks when Google released an update. You should be using the universal installer script above, with this URL for Chrome: https://dl.google.com/chrome/mac/universal/stable/GGRO/googlechrome.dmg

That link I posted above always gets the current version of Chrome.

Many app publishers offer similar links that remain static, but always point to the latest version.

(Which makes me think I should start a thread for people to share these static links, which aren't always easy to find.)

sdagley · ‎12-07-2022

@stevenjklein When did you test the Jamf App Catalog? I believe that JSS 10.41 changed/improved the update process for App Catalog apps so that open apps will eventually be forced to update (but I cannot find that in the release notes)

For orgs ok running a script on your Mac endpoints to install software you _really_ should look at the Installomator script (https://github.com/Installomator/Installomator) which supports an incredible number of apps, including Google Chrome.

For orgs that cannot/do not want to use a script based install on an Mac endpoint (e.g. they need a human to verify the package that will be deployed via Jamf Pro) the AutpPkg/AutoPkgr combination offers an automated mechanism to download newly released installers with recipes for an equally large number of apps. And if your org doesn't require human verification of the packages before being added to your JSS that's also an option.

AutoPkg: https://github.com/autopkg/autopkg

AutoPkgr: https://github.com/lindegroup/autopkgr

(Yes, I am a firm believer in the adage don't re-invent the wheel)

scottlnrd · ‎12-08-2022

Honestly, the script I posted has been working a ton better than autopkg. Autopkg had created some issues for me and actually became more of a headache. It's good, but only if all the pieces are reliable. Unfortunately, some are not.

Asnyder · ‎12-08-2022

I think the thousands of people using it would disagree.

scottlnrd · ‎12-08-2022

I use it on a college campus where it sent out bad configurations for the entire campus using Zoom. People can disagree, but when it screws up an entire campus distribution, it doesn't mean squat. Autopkg is tied to recipes. There are some flawed recipes, which means then you need to recreate your own, which is a ton more work than just using the script.

Asnyder · ‎12-08-2022

Autopkg did not send out the "bad" configurations. It did what you told it to do. You can't blame it for that.

scottlnrd · ‎12-08-2022

Correct. Autopkg is fine. But if I have to go through every single recipe just to make sure it's not going to bite me later, and then also hope someone hasn't changed the recipe when I wasn't paying attention, then it causes me a big headache. If Autopkg did all the work, then yes, it would be fine. The problem is the recipes. You can't guarantee anything with those without writing your own. But that's a lot of time dedication when my script does everything I need it to in conjunction with Mac Apps/ Catalog. It's simpler and I know what I can trust without rewriting a bunch of unnecessary code. So yes, Autopkg is fine in itself. But that's as far as I would go with that statement.

Asnyder · ‎12-08-2022

There seems to be some misinformation here. If your way works best for you, that's completely ok. I just want to clear up the misinformation. Recipes use overrides to customize them to your needs. When an override is created there is trust created between the override and the recipe at that very point in time. Any time a recipe is modified, it breaks that trust and requires you to review the change and trust the modified recipe before it will run again. Recipes can't just change and start running in your environment without you approving them first. That would leave room for extremely malicious activity.

https://github.com/autopkg/autopkg/wiki/AutoPkg-and-recipe-parent-trust-info

scottlnrd · ‎12-08-2022

Well I hate to break it to ya, but that is not my experience. No misinformation. You can be a fan boy all you want, to each their own, but don’t tell me what my experience is. Thanks.

stevenjklein · ‎12-08-2022

With App Catalog, updates fail silently if the app is open. Apps like Chrome are always open, and so never get updated. So it didn't work for us.

But we also don't rely much on packaging. There is a better way.

Our solution is to use the universal installer script (posted above). Google provides a static (unchanging) link that always downloads the most recent release

https://dl.google.com/chrome/mac/stable/googlechrome.dmg

Google isn't the only company to do that. Lots of companies provide static links to the current release of their software. Here's one for Zoom:

https://zoom.us/client/latest/Zoom.pkg

And Coconut Battery:

https://coconut-flavour.com/downloads/coconutBattery_latest.zip

I should probably start a separate thread just for people to share static download links.

scottlnrd · ‎12-08-2022

What's great about the App Catalog, is they include those installer links for everything that has a universal installer, etc. So that's what I copy and paste right into my script variable.

bsuggett · ‎01-14-2024

While an old thread, I thought I would provide some rather undocumented things I've found....

The Chrome for enterprise download doesn't always install the googlesoftwareupdate component...

https://support.google.com/chrome/answer/111996?hl=en#zippy=%2Cmac
Note: Download Chrome Again, Step 3, on Mac... Download and install Google Software Update again.

URL: https://dl.google.com/mac/install/googlesoftwareupdate.dmg

This kinda works like Microsoft MAU .app in which its an app that runs on schedule from a launchdaemon... It reads and applies settings from com.google.keystone...

It installs mainly in /Library/Application Support/Google/GoogleUpdater/*

Jamf Nation Community

Install latest version of Google Chrome without re-packaging