- Jamf Nation Community
- Products
- Jamf Pro
- You don't have permission to use the application '...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-03-2015 07:00 PM
Hi JAMF Nation,
Hoping someone can help me out with this.
We are using a Configuration Profile to blacklist and whitelist various applications for students, and for the most part it seems to be working without a problem. However I am running into this issue with Google Chrome and it's Automatic Updater. Whenever I launch Google Chrome, one of the two following messages appears.
"You don't have permission to use the application 'GoogleSoftwareUpdateAgent'."
"You don't have permission to use the application 'ksadmin'."
I have been searching JAMF Nation for the past couple of days to try and resolve this and have tried various fixes. I have now added these two directories to the 'Allow Folders' white list, as from what I can gather they are the directories that these to files are attempting to run from.
~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/Google Software Update.app/Contents/MacOS/GoogleSoftwareUpdateAgent~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksadminEven after white-listing these two, I am still seeing these messages saying that the user does not have permission to run these applications.
Does anyone have a fix for this? Or have any ideas how this could be fixed. I have so far tried the following:
- Completely removing the updater for each user, but I am unable to do this as there is no ~/Library/Google folder until Chrome is run for the first time
- Using the defaults write command to change the update interval to 0 (for each user) to disable automatic update checking. I am of the understanding that this will create the plist it is writing if it doesn't exist, but this didn't work either
- Disabling Chrome Auto Updates using a Config Profile with com.google.chrome.plist
It is fair to say that I am at a loss with where to go next. It may be something really simple that I have missed. I would greatly appreciate anyone that could provide some advice.
JSS version is 9.72
OS X version is 10.10.4 (although saw this issue on 10.9.5 this morning)
Thanks,
Nic Gahan
Trinity Catholic College Lismore
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-03-2015 09:04 PM
This is a common problem that many people run into when trying to use whitelist and blacklist directories.
Google's products apparently try extremely hard to keep themselves up to date, and stopping them from doing this is almost impossible.
Ae your students administrators on their Macs? If not, the following may work, but it will mean Google Chrome will not be able to update itself, so you'll need to provide the latest version yourself to them via Self Service or some other method.
I think the trick to stopping the GoogleSoftwareUpdate process from injecting itself into the system is to do the following.
Instead of trying to remove it after it installs itself, which is futile since it will just re-install itself again next time, try pre-creating the directory in a way that it can't possibly add anything to it.
## Create the GoogleSoftwareUpdate directory
sudo mkdir -p /Library/Google/GoogleSoftwareUpdate
## Make the owner and group root:wheel
sudo chown root:wheel /Library/Google/GoogleSoftwareUpdate
## Change the permissions to root read only
sudo chmod 400 /Library/Google/GoogleSoftwareUpdate
## Set the system immutable flag (even root can't modify it unless it gets unlocked)
sudo chflags noschg /Library/Google/GoogleSoftwareUpdateYou can also do this same procedure for each user account, but place the directory in /Users/username/Library/Google/GoogleSoftwareUpdate instead, and make the same changes to it. If you do this prior to getting Chrome installed on the Mac, once it runs it will not be able to add the Software Update components into either of those directories. If you open the About window in Chrome you will see something like:
Update failed (error: 10)Hope that helps get you on the right track.
Reply
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-03-2015 09:04 PM
This is a common problem that many people run into when trying to use whitelist and blacklist directories.
Google's products apparently try extremely hard to keep themselves up to date, and stopping them from doing this is almost impossible.
Ae your students administrators on their Macs? If not, the following may work, but it will mean Google Chrome will not be able to update itself, so you'll need to provide the latest version yourself to them via Self Service or some other method.
I think the trick to stopping the GoogleSoftwareUpdate process from injecting itself into the system is to do the following.
Instead of trying to remove it after it installs itself, which is futile since it will just re-install itself again next time, try pre-creating the directory in a way that it can't possibly add anything to it.
## Create the GoogleSoftwareUpdate directory
sudo mkdir -p /Library/Google/GoogleSoftwareUpdate
## Make the owner and group root:wheel
sudo chown root:wheel /Library/Google/GoogleSoftwareUpdate
## Change the permissions to root read only
sudo chmod 400 /Library/Google/GoogleSoftwareUpdate
## Set the system immutable flag (even root can't modify it unless it gets unlocked)
sudo chflags noschg /Library/Google/GoogleSoftwareUpdateYou can also do this same procedure for each user account, but place the directory in /Users/username/Library/Google/GoogleSoftwareUpdate instead, and make the same changes to it. If you do this prior to getting Chrome installed on the Mac, once it runs it will not be able to add the Software Update components into either of those directories. If you open the About window in Chrome you will see something like:
Update failed (error: 10)Hope that helps get you on the right track.
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-03-2015 10:14 PM
Thank you for that.
I did try something similar to that earlier in the week, but I think I must have left out part of it.
It works now though. No more annoying messages.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-26-2018 07:26 AM
Google did update their site with a way to supposedly stop updates. In my testing (chrome 66 and chrome 69), it stops the ksadmin prompts but not the GoogleSoftwareUpdateAgent prompts.
Please consider starring if you'd like to see Chrome stop launching app out of /Users: https://bugs.chromium.org/p/chromium/issues/detail?id=889150
paging @mm2270 & @nic.tccl in case they'd be interested in the info. Also adding this to other JN threads that mention the issue.
