Skip to main content

Hey All,



Trying to build 3 policies for our JSS regarding the google chrome browser but I'm having 0 luck!



1: I need to force chrome installs with the automatic updater installed to run



2: I need to be able to install the automatic updater on machines that do not have it installed or configured but DO have chrome



3: I need to install chrome and have its automatic updater configured on for new enrollments.



I've got the policies figured out and the extension attributes in place to identify the presence of the automatic updater, I just can't get the programs to install correctly! I've tried composer and while I can get chrome to install, its automatic updater breaks and fails everytime it tries to go download a new version.
I'm pretty new to Jamf and for that matter, the mac platform as a whole and we're just feeling a little stuck.
Any help would be appreciated,



Thanks!

article on google here explains it. not tried it yet but I am going to now I found it.


We can't get it to work either. Either the documentation is outdated, or something with the latest version(s) of Google Chrome changed.


Download the following script:
https://github.com/hjuutilainen/adminscripts/blob/master/chrome-enable-autoupdates.py



After a Chrome.app installation in a policy run the above script.



Done.


@marklamont has the right link. The tricky part is some of the files and the permissions on them.


Would it be as simple as this?



chown -R $currentUser "/Applications/Google Chrome.app"

I use a combination of the chrome-enable-autoupdates.py script above to first make sure the Chrome updater is working, then I force the Chrome updater to run using this script:



#!/bin/sh
## Script name: run_chrome_updater.sh
## Author: Andy McPherson
## Last modified: 1/31/18

## Logged in user
loggedInUser=$( ls -l /dev/console | awk '{print $3}' )

echo "$loggedInUser"

sudo -u "$loggedInUser" /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent -runMode oneshot -userInitiated YES 2> /dev/null

exit 0


I then added a "sleep 30" before running a recon which seems to give it enough time to actually run the updater and install the new version.



The best part is, this runs silently in the background! Technically the user probably needs to quit and relaunch Chrome to begin using the new version, but until then, it will show up as the latest version in Patch Reporting.


My Jamf on-board person was awesome and I got him to send me an updated build that will turn auto update on for all users automatically. Just install or make sure Chrome is updated and auto-updates are turned on for your Mac and then this:



Using Composer, package;



/Applications/Google Chrome.app
/Library/Google
/Library/LaunchDaemons/com.google.keystone.daemon.plist
/Library/LaunchAgents/com.google.keystone.agent.plist
/Library/LaunchAgents/com.google.keystone.xpcservice.plist



That should do it.
I had no issues using this method last year, I'm just re-issuing the new version of Chrome for this school year.


Is there an EA to detect if chrome auto update is enabled or not?


You try Chrome browser cloud management



https://cloud.google.com/files/chrome-enterprise/Chrome_Enterprise_Browser_CBCM_Mktg_WP_3.22_final.pdf



https://support.google.com/chrome/a/answer/9116814


There is another similar thread on this here: How to update Chrome automatically



Uses the same script that @ryan.ball created located here: chrome-enable-autoupdates


Thank you @andymcp! That looks like a simple elegant solution.



If I were to run just that one line, how might I verify that it has actually run? I checked ~/Library/Logs/GoogleSoftwareUpdateAgent.log thinking there might be something there, however nothing gets logged there apparently. Should I see a GoogleSoftwareUpdate process show up in Activity Monitor? Is a log kept somewhere else that I'm not thinking of?


@andymcp Does your method still work? I ran into some issues with @ryan.ball method, something about a keystone error. I am considering just re-packaging Chrome and running at login to get us to the latest version.



Thanks for the help,
Jared


@jared_f The script that @andymcp links to does work, but you need to make sure you have downloaded the latest version of the script at https://github.com/hjuutilainen/adminscripts/blob/master/chrome-enable-autoupdates.py as that was updated on 8/5/19 for changes to the keystone registration framework path introduced in newer versions of Chrome.


I've found that this script: https://github.com/ryangball/chrome-enable-autoupdates/blob/master/chrome-enable-autoupdates.sh
is working for me with fresh install of Mojave 10.14.6.
Chrome is currently at version 78
When I select About Chrome, I see Google Chrome is up to date Automatic updates are turned on



along with this scritp to download Chrome:



**#####################################################################################################



# ABOUT THIS PROGRAM



NAME



GoogleChromeInstall.sh -- Installs the latest Google Chrome version



SYNOPSIS



sudo GoogleChromeInstall.sh



########################################################################################


# HISTORY



Version: 1.0



###################################################################################################



Script to download and install Google Chrome.



Only works on Intel systems.



dmgfile="googlechrome.dmg"
volname="Google Chrome"
logfile="/Library/Logs/GoogleChromeInstallScript.log"
url='https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg'



Are we running on Intel?



if [ '/usr/bin/uname -p'="i386" -o '/usr/bin/uname -p'="x86_64" ]; then
/bin/echo "--" >> ${logfile}
/bin/echo "date: Downloading latest version." >> ${logfile}
/usr/bin/curl -s -o /tmp/${dmgfile} ${url}
/bin/echo "date: Mounting installer disk image." >> ${logfile}
/usr/bin/hdiutil attach /tmp/${dmgfile} -nobrowse -quiet
/bin/echo "date: Installing..." >> ${logfile}
ditto -rsrc "/Volumes/${volname}/Google Chrome.app" "/Applications/Google Chrome.app"
/bin/sleep 10
/bin/echo "date: Unmounting installer disk image." >> ${logfile}
/usr/bin/hdiutil detach $(/bin/df | /usr/bin/grep "${volname}" | awk '{print $1}') -quiet
/bin/sleep 10
/bin/echo "date: Deleting disk image." >> ${logfile}
/bin/rm /tmp/"${dmgfile}"
else
/bin/echo "date: ERROR: This script is for Intel Macs only." >> ${logfile}
fi
exit 0**


@atomczynski I've been using that same script for quite awhile now, works great. I wish it had a check for the current version installed vs the current version available - and if the versions match then skip the installation.



Iv'e been looking at the script to try to insert this version check, but kinda don't want to bother with it.


This script works well, but how do you whitelist allowing the "GoogleSoftwareUpdate.bundle" app to open without user interaction?:



GoogleSoftwareUpdate.bundle Prompt Screenshot



Would that be a PPPC profile?


I'me having trouble getting this to work. I pushed the script and a configuration profile that allows the Chrome updater in Accessibility but Chrome still would not auto update. On some computers, I get Update Failed (error: 12) KSInstallAction install script failure. Exit Code: 12.



Edit: Nevermind. I got it working. It just took longer for the policies to take than I thought.


I've allowed the team ID for GoogleSoftwareUpdate.bundle but it still prompts me to setup automatic updates and asks for admin credentials. Am I missing something? How can I automatically enable this?


The Chrome for Enterprise Team has published a new kBase on Managing Chrome Browser Updates with Jamf Pro (macOS). This takes advantage of Jamf's Application and Custom Settings Payload and does not rely on a script.


I've moved to using the Chrome policy schema. It works well with Chrome Enterprise. My only issue now is switching everyone over to Chrome Enterprise because it doesn't show autoupdate being enabled on the standard version.


I got so excited about this and then realised it's only for chrome enterprise.....Does Chrome Enterprise have costs associated with it and do I really have to enroll the machines into chrome enterpise to enable auto updates?


@McGinn



I didn't see any cost and I set up a test account and configured it and got the management part working...However auto updated still required the user to sign in the 1st time. I figured it didn't really address the auto update issue.



That said I only tied once and moved on!



C


we use the Chrome Enteprise pkg and config profile and that seems to keep chrome up to date without any other configuration on our end.


@walt Can you explain in detail that Configuration Profile you have for Google Chrome?



What it looks like and whats the difference between Regular Chrome and Enterprise Chrome?


@JarvisUno , I think this is the explanation you are looking for.
https://support.google.com/chrome/a/answer/9923111?hl=en


Reply