Using Patch Management to push out Chrome updates

blerud15
New Contributor

I am wondering what the best solution to manage Chrome browser updates through Jamf is? I would like to be able to use a patch policy to push out the update, but when the update is tied to our Google Chrome .pkg and pushed to my device, I perform the update through Self Service, and when reopening Chrome, it is still on the old version.

Thanks!

15 REPLIES

mainelysteve
Valued Contributor II

Where are you sourcing your Chrome pkg from? AutoPkg or manual download? If you've not repackaged anything then both should be moving the same app bundle to the same location (/Applications). Are you seeing the same behavior when you install that same pkg file manually on your machine?

Manual download. It is the same package initially pushed out to the devices to install the Chrome browser, but when tying the update to it through patch management, it continues to just install the same version initially pushed out.

Thanks!

mainelysteve
Valued Contributor II

So then just to verify:

1. You have the most recent version of Chrome (97.0.4692.99) in Definitions with the same version package added to that definition?

2. Under patch policies you have 97.0.4692.99 set as your target version and patch unknown versions is checked?

It almost sounds like it's #1 and you added an older package to the 97.0.4692.99 definition, but that's just speculation.

1.) 97.0.4692.99 is tied to the Chrome .pkg we originally pushed out (95.0.4638.69)

So I need to download the 97.0.4692.99 Chrome package, and for each update I will also need to tie the new version to a new package? I was assuming we could tie the new version to the Chrome package we originally used and it would update to the current version when tied to it in patch policies.

Thanks!

jbisgett
Contributor II

Yes, you have to download the new package from Google, upload it to Jamf, then attach that to the latest definition in patch management. Change the patch policy to the target version and save.

Jamf doesn't automatically download versions of apps outside of the App Store and deploy them (yet, looking at you App Installers).

This would make sense. Is there a way to make Chrome updates through Jamf more automated? To avoid having to upload a new package every two weeks and change the patch policy each time?

Thanks!

Take a look at Installomator, there is a guide for doing exactly this with Chrome. At least until Jamf finally unveils App Installers, which is supposed to do something similar.

JRM5513
New Contributor III

I would advise to not use the patch management for Chrome and instead use a configuration profile with the RelaunchNotification and RelaunchNotificationPeriod keys.

https://babodee.wordpress.com/2020/06/16/managing-google-chrome-auto-updates/

https://www.alansiu.net/2019/11/24/forcing-updates-to-google-chrome-using-chrome-preferences-a-chrom...

JeffBugbee
New Contributor III

I assume you have to have a Google Enterprise account for these Relaunch Notifications to work?

As far as I know, you just have to use the Google enterprise pkg

Google Enterprise download url 

Flaurian
Contributor

Hey @JRM5513,
just to clarify your recommendation for me: does that mean I have to push both plists, "com.company.google.softwareupdatecheck" from babodee and the two commands for com.google.Chrome, to managed devices, or would the second one, "RelaunchNotification", be enough for patch management?
In case I need both plists, I'm not sure how to double-check if com.company.google.softwareupdatecheck is working, because I can of course check the process / launchctl etc., but I don't have a trigger, do I? Or should I get the notification from com.google.Chrome if the agent is running successfully?

mainelysteve
Valued Contributor II

You only need one plist for both keys. You don't need the second key (RelaunchNotificationPeriod) unless you want to set the notification period; otherwise the default is seven days according to the two pages linked above.

You're looking for Google's Keystone process, not the preference domain you have above. You won't get a notification that it's running. When a new version is released and the updater checks, it will install the new version based on your settings, then notify the user to restart Chrome at seven days or your manually set period.

FWIW You can still have Chrome in your patch management list, but not set a patch policy. That way you can still get version inventory from each machine.

Flaurian
Contributor

Thanks for your answer @mainelysteve, but it's actually not 100% clear to me what you meant - sorry.

mainelysteve
Valued Contributor II

Your use of the word agent versus launch agent threw me for a bit.

On your first point: yes, if you really want to, you can shorten the time interval (the trigger) from six hours down to, say, 30 minutes and monitor using launchctl list. I'm on the K.I.S.S. bandwagon and think it's more worth your time to get the configuration profile created and scoped to a client. Deploy the launch agent to that client and then simply monitor a Google Chrome entry in patch management or look at that client's Application inventory.

Lastly on the second point. Correct, the first key tells Chrome how to notify and then the second key tells it when. The 7 days default setting seems a bit much for me especially with zero days affecting browsers so much these days.
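
As an added example (not code from any poster in this thread), a Python check for the com.google.Chrome preference plist discussed above: it reports the effective relaunch mode and period and flags a period longer than a chosen limit. The function name, the 24-hour limit and both sample plists are assumptions constructed here; the 1/2 mode values are taken from Chrome's RelaunchNotification policy documentation.

```python
import plistlib

# Seven-day default quoted in the thread, in milliseconds.
DEFAULT_PERIOD_MS = 7 * 24 * 60 * 60 * 1000
# Assumed local policy (not from the thread): relaunch within 24 hours.
MAX_PERIOD_MS = 24 * 60 * 60 * 1000
# RelaunchNotification values: 1 = relaunch recommended, 2 = relaunch required.
MODES = {1: "recommended", 2: "required"}


def audit_relaunch_policy(plist_bytes, max_period_ms=MAX_PERIOD_MS):
    """Return the effective relaunch settings and a list of findings."""
    prefs = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    findings = []

    mode = prefs.get("RelaunchNotification")
    valid_mode = (isinstance(mode, int) and not isinstance(mode, bool)
                  and mode in MODES)
    if mode is None:
        findings.append("RelaunchNotification is not set")
    elif not valid_mode:
        findings.append(f"RelaunchNotification has unknown value {mode!r}")

    # When the second key is absent, the seven-day default applies.
    period = prefs.get("RelaunchNotificationPeriod", DEFAULT_PERIOD_MS)
    if isinstance(period, bool) or not isinstance(period, int) or period <= 0:
        findings.append(
            f"RelaunchNotificationPeriod is not a positive integer: {period!r}")
        period = DEFAULT_PERIOD_MS
    if period > max_period_ms:
        findings.append(
            f"relaunch period is {period / 3_600_000:g} h, above the "
            f"{max_period_ms / 3_600_000:g} h limit")

    return {"mode": MODES[mode] if valid_mode else None,
            "period_ms": period, "findings": findings}


# Constructed sample: only the first key is set, so the default period applies.
SAMPLE_DEFAULT_PERIOD = plistlib.dumps({"RelaunchNotification": 1})
# Constructed sample: both keys set, with a 24-hour period.
SAMPLE_24H = plistlib.dumps(
    {"RelaunchNotification": 2, "RelaunchNotificationPeriod": 86_400_000})

if __name__ == "__main__":
    for name, data in (("default", SAMPLE_DEFAULT_PERIOD), ("24 h", SAMPLE_24H)):
        print(name, audit_relaunch_policy(data))
```

On a managed Mac the same function can be pointed at the bytes of /Library/Managed Preferences/com.google.Chrome.plist to confirm what the configuration profile actually delivered.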

SMR1
Contributor III

I would give Installomator a try.