Updates to Google Chrome deployment for macOS

jamf_sam
Moderator
Moderator

We are excited about recent updates that make Chrome on macOS easier to deploy and manage. Our work with the Google Chrome for Enterprise Team is ongoing, and this first release benefits not only Jamf Pro admins, but everyone who manages Mac at scale. Look for more information in the form of a blog, but here are the highlights:

Updates to the installer - Chrome is now available as a PKG in addition to the standard DMG. This is the preferred installer format for mass distribution, and is available from the Chrome Browser Enterprise Installers website.

Initial Support for Application & Custom Settings - Chrome Browser Cloud Management (CBCM) is a a single location to set Chrome policies on multiple platforms. Google simplified the process of deploying the enrollment token by leveraging Jamf's new Application & Custom Settings payload.

This work comes from user feedback and @alexbauer from the Chrome for Enterprise Team is joining this thread to hear your thoughts!

Chrome Enterprise Browser Support can be reached here.

Update 6/11/2020 - The Chrome for Enterprise Team has published a new kBase on Managing Chrome Browser Updates with Jamf Pro (macOS)

78 REPLIES 78

alexbauer
New Contributor III

@bcbackes sorry for the late reply. please go ahead and open a CRbug (https://bugs.chromium.org/p/chromium/issues/list) and link it here and I will make sure someone from our enterprise team looks into it. In the second step, please make sure to tag enterprise as the issue. Add as much detail as you can, screenshots etc.

@JarvisUno the PKG includes the latest version of Chrome at download time. It does not pull the latest version during installation. Chrome should auto update to the latest version as soon as it starts anyway. I will put in a request to have an online version of the installer with a PKG format. We usually offer offline installers for enterprises.

Has anyone had any luck in disabling QUIC protocol in Google Chrome through the config profile? Setting QuicAllowed boolean to false in the config profile still shows as default in chrome://flags#enable-quic in the browser.

alexbauer
New Contributor III

Also, for any other issues y'all encounter, feel free to email me and I will do my best to help you out. My email address was posted a few comments above.

bcbackes
Contributor III

@alexbauer I'm sorry for not updating my previous post. I must have done something wrong. Further testing I found that if I install Adblock Plus, then, add that extension to the block list and apply config profile it DOES disable the extension. Not sure what I was doing wrong during my initial testing, but, it is working as expected.

Thanks for getting back to me!

alexbauer
New Contributor III

@bcbackes awesome! Thanks for the update!
@JarvisUno I was told by the engineering team that at the moment an online PKG installer is not something we plan on offering. Sorry. Wish I had better news.

jhuls
Contributor III

@alexbauer It's minor but something I noticed on the Downloads page is that it still references "Chrome DMG for Mac OS X" and "Chrome PKG for Mac OS X". Unless I'm mistaken that should be "Chrome DMG for macOS" and "Chrome PKG for macOS".

jamf_sam
Moderator
Moderator

Update 6/11/2020 - The Chrome for Enterprise Team has published a new kBase on Managing Chrome Browser Updates with Jamf Pro (macOS). This takes advantage of Jamf's Application and Custom Settings Payload.

cbrewer
Valued Contributor II

Thanks @jamf_sam but could you add some clarification around the preference domain?

https://support.google.com/chrome/a/answer/7591084?hl=en states to use com.google.Keystone

https://support.google.com/chrome/a/answer/9923111?hl=en states to use com.google.keystone

Which is it? Does the keystone process look for both?

bfrench
Contributor III

I tried setting this up on a Mojave machine but Chrome still starts with "Google Chrome may not be able to keep itself updated"

sdagley
Esteemed Contributor II

@bfrench Are you installing the "regular" Chrome or the Enterprise targeted .pkg installer that Google now makes available? The latter is available at https://chromeenterprise.google/browser/download/

Better yet, set up AutoPkg and AutoPkgr to automate downloading it.

bfrench
Contributor III

I am using a script to pull the current version for first install. But Chrome launches the first time without auto update flipped on. I did not realize that the script @jamf_sam posted was only for "managed Chrome" which we currently do not utilize.

bfrench
Contributor III

I found a script to pull the new pkg installer and that worked. Thanks

neilrooney
New Contributor II

@jamf_sam regarding Manage Chrome Browser updates with Jamf Pro (macOS), I have followed the instructions to the point but the policy does not show in chrome://policy whereas a separate config profile for Chrome Enterprise is working fine. Am I missing something?

hdsreid
Contributor III

if I have machines that have non-enterprise pkg, can I just deploy a newer enterprise pkg on top of it to convert and update?

alexbauer
New Contributor III

You should be able to do that, yes

alexbauer
New Contributor III

@neilrooney can you try this? https://support.google.com/chrome/a/answer/9923111?hl=en

neilrooney
New Contributor II

@alexbauer thanks Alex, I did. No dice. Auto updates are not enabled on the device. :/

privo
New Contributor

Do the CBCM settings for 'Auto-update check period' (0) and 'Chrome browser updates' (Updates disabled) have an affect on Macs? Currently testing w/ the enterprise installation v86.0.4240.80 and it doesn't seem to honor those two settings.

B_Johnston
New Contributor II

@alexbauer How does this work for education customers who do not have a current GSuite license? I tried to sign up here and received a message that I was not able to signup.

https://devicemanagement.google.com/signup/form?product=Chrome-Management

darthmaverick
New Contributor III

Is there a different build of Chrome for the M1 chips and if so how would that effect the URL listed for the PKG?

spalmer
Contributor III

@alexbauer I would prefer to see a PKG for the universal binary version of Chrome, as I do not want to have to test, download and deploy two versions of every application we have to support for our organization, as native M1 Apple Silicon versions are released.

I understand that every organization will likely have different needs, so in that regard it would be best to make multiple enterprise PKGs available (Intel only, Apple Silicon only, Universal). Plus, since a universal version is available on your download page for consumers, a universal PKG version should be available to enterprise/education IT admins.

I would also like to point out that there was no discussion on pros and cons of a universal build with regards to enterprise/education IT admins at https://bugs.chromium.org/p/chromium/issues/detail?id=1142017.

vmalapati_mu
New Contributor III

Hey guys,
Is there a change in URL to download Chrome Enterprise using curl? Here is the old one that I have been using so far. url='https://dl.google.com/chrome/mac/stable/gcem/GoogleChrome.pkg'
/usr/bin/curl -s -o /tmp/${pkgfile} ${url}

Also is there a way to differciate Chrome Enterprise and legacy browser?

Thanks & Regards
VM

alexbauer
New Contributor III

@spalmer  we do offer a universal pkg for all platforms.

This script here allows you to get the latest universal package: https://support.google.com/chrome/a/answer/9915669?hl=en

Our download page now only offers a universal PKG: https://chromeenterprise.google/browser/download/#

 

tomt
Valued Contributor

@alexbauer Thanks for the link to the Universal package! The regular Chrome download site still has the choices. Now if you could just add the version number to the package file name it would be perfect.

 

Soo many "googlechrome.dmg" files laying around.  😉

alexbauer
New Contributor III

HAHA! I think this was done on purpose to allow automation etc. Our stance is that you should only have to do this once and then control updates and version via policy.

beareye321
New Contributor II

Hello, I would like to create a Smart Group in Jamf to filter between machines having Chrome Enterprise and regular Chrome installed? Is there a way to distinguish between the 2?

thomH
New Contributor III

@beareye321You may be able to scope your Smart Group to the config profile that you use to enroll your Enterprise target machines with.

kwoodard
Contributor III

Is there an update to this process? I ask because the last few new deployments that I have done (essentially using the update script to install Chrome)...all the browsers display an error stating that the software needs to update. When you click on update, it states that the file is corrupted and you need to reinstall. These are on Monterey machines.

nwebster
New Contributor II

I'm still using the following script to 100% success on any macOS device I've tried so far. 

#!/bin/sh

logfile="/Library/Logs/JamfScripts.log"
ISCHROME=`ls /Applications | grep -i Google\ Chrome`

if [ "$ISCHROME" = "Google Chrome.app" ]; then
	echo `date "+%y/%m/%d %H:%M:%S: "`"Chrome already present. Moving on.\n" | tee -a ${logfile}
	exit 0
else

	pkgfile="GoogleChrome.pkg"
	url='https://dl.google.com/chrome/mac/universal/stable/gcem/GoogleChrome.pkg'
	
	echo `date "+%y/%m/%d %H:%M:%S: "`"Downloading latest version of Google Chrome." | tee -a ${logfile}
	curl -s -o /tmp/${pkgfile} ${url}
	
	echo `date "+%y/%m/%d %H:%M:%S: "`"Installing Google Chrome." | tee -a ${logfile}
	cd /tmp
	installer -pkg GoogleChrome.pkg -target /
	sleep 5

	echo `date "+%y/%m/%d %H:%M:%S: "`"Cleaning up.\n" | tee -a ${logfile}
	rm /tmp/"${pkgfile}"
	exit 0  
fi

That is the essentially the same script I am using. I have about 150 computers that have issues with Chrome.

nwebster
New Contributor II

Are you getting any errors in jamf.log during the install process, or is it acting as if it completed? Whats your install policy look like other than the script?

It installs fine. It has been working for years... I am thinking that maybe Google has a broken package hosted at the moment.

nwebster
New Contributor II

It's possible. You can always download the PKG from https://dl.google.com/chrome/mac/universal/stable/gcem/GoogleChrome.pkg and try running it on a fresh install to see if the issue persists. If so, may want to take it to Google Support. I personally haven't had an issue yet, but I also haven't deployed any new machines since Chrome v101+

This worked. Seems something is failing when Jamf runs the script vs. me manually running the script. The Jamf log makes it look like things finished properly, when in fact, they didn't.

tomt
Valued Contributor

Maybe a difference with Jamf running it as Root?

kwoodard
Contributor III

I wish I knew. Moving to the cloud based instance of Jamf has been a nightmare. The shear number of issues I have had is truly staggering. I would go back in an instant if I could.

beareye321
New Contributor II

Not sure if this helps but you need to accept the terms when installing Chrome Enterprise so the URL should look like this:

url='https://dl.google.com/chrome/mac/stable/accept_tos%3Dhttps%253A%252F%252Fwww.google.com%252Fintl%252...'

https://support.google.com/chrome/a/answer/9915669?hl=en&ref_topic=9026943

bcbackes
Contributor III

I'm currently migrating devices from OnPrem to the Cloud. My process for updating the Chrome base install (via Self Service policy) is to go out to Google's site to download the universal pkg. I then upload this into Jamf directly - I don't repackage or make any changes. We've been deploying Chrome out this way for quite some time.

I will note that with Jamf Cloud I'm using App Installers process to update existing Chrome installs - no need to download a package from Google to upgrade. I'm also looking at using App Installers as a potential means to do my base install since it not only will upgrade existing installs but will install it on a device that never had Chrome to begin with. Initially testing is looking great - does what I'm expecting.

bsuggett
Contributor II

While an old thread, I thought I would provide some rather undocumented things I've found....


The Chrome for enterprise download doesn't always install the googlesoftwareupdate component...

https://support.google.com/chrome/answer/111996?hl=en#zippy=%2Cmac
Note: Download Chrome Again, Step 3, on Mac... Download and install Google Software Update again.

URL: https://dl.google.com/mac/install/googlesoftwareupdate.dmg

This kinda works like Microsoft MAU .app in which its an app that runs on schedule from a launchdaemon... It reads and applies settings from com.google.keystone... 

It installs mainly in /Library/Application Support/Google/GoogleUpdater/*