Updates to Google Chrome deployment for macOS

jamf_sam
Contributor

We are excited about recent updates that make Chrome on macOS easier to deploy and manage. Our work with the Google Chrome for Enterprise Team is ongoing, and this first release benefits not only Jamf Pro admins, but everyone who manages Mac at scale. Look for more information in the form of a blog, but here are the highlights:

Updates to the installer - Chrome is now available as a PKG in addition to the standard DMG. This is the preferred installer format for mass distribution, and is available from the Chrome Browser Enterprise Installers website.

Initial Support for Application & Custom Settings - Chrome Browser Cloud Management (CBCM) is a single location to set Chrome policies on multiple platforms. Google simplified the process of deploying the enrollment token by leveraging Jamf's new Application & Custom Settings payload.

This work comes from user feedback and @alexbauer from the Chrome for Enterprise Team is joining this thread to hear your thoughts!

Chrome Enterprise Browser Support can be reached here.

Update 6/11/2020 - The Chrome for Enterprise Team has published a new kBase on Managing Chrome Browser Updates with Jamf Pro (macOS)

77 Replies

spalmer
Contributor III

@jamf_sam @alexbauer This is great news! I really appreciate having Chrome available as an officially signed and notarized PKG installer. This will save me quite a few steps in my packaging and testing workflow for Chrome.

@jamf_sam I am not sure if Jamf plans on reaching out to other companies like this but if you can convince Adobe to create standard flat PKGs, for all of their Creative Cloud products, that are properly signed and notarized for easier use with Enterprise/Education deployment you will be considered a miracle worker. Mac IT admins around the world will sing your praise!

Surajit
New Contributor III

Thanks @jamf_sam @alexbauer. I noticed this a few days ago & already deployed the pkg installer on a few Macs for testing, wasn't aware Jamf was behind this. This is really great & saves a lot of time for us.

tomt
Valued Contributor

This sounds like a great start! Are you still adding the updater application to the user libraries? That is my biggest issue as Security has instructed us not to allow any application launches from within User Space.

ooshnoo
Valued Contributor

Awesome!!! Here's a script to automatically download and install it.

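#!/bin/sh
# Download the Chrome enterprise PKG, install it, then remove the installer.
pkgfile="GoogleChrome.pkg"
logfile="/Library/Logs/GoogleChromeInstallScript.log"
url='https://dl.google.com/chrome/mac/stable/gcem/GoogleChrome.pkg'

/bin/echo "--" >> "${logfile}"
/bin/echo "$(date): Downloading latest version." >> "${logfile}"
# -f makes curl fail on an HTTP error instead of saving the error page as the PKG
if ! /usr/bin/curl -f -s -o "/tmp/${pkgfile}" "${url}"; then
    /bin/echo "$(date): Download failed." >> "${logfile}"
    exit 1
fi
/bin/echo "$(date): Installing..." >> "${logfile}"
cd /tmp
/usr/sbin/installer -pkg GoogleChrome.pkg -target /
result=$?
/bin/sleep 5
/bin/echo "$(date): Deleting package installer." >> "${logfile}"
/bin/rm /tmp/"${pkgfile}"

# Return the installer's exit status so a failed install is not reported as success
exit "${result}"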

AtillaTheC
New Contributor III

This script seems to only install the Intel version of Chrome on M1 Macs for me. Is there any setting change that needs to be added for me to get this to install the ARM version?

alexbauer
New Contributor III

nwebster
New Contributor II

I've been using this reliably for about a year, but after seeing @alexbauer's reply, I'll likely update it soon to use the PKG instead. Until then:

#!/bin/sh
# Install Chrome from the DMG unless it is already in /Applications.
if [ -d "/Applications/Google Chrome.app" ]; then
    echo "Chrome already present. Moving on."
    exit 0
else
    # First word of the CPU brand string: "Intel(R)" on Intel Macs
    CPUTYPE=$(sysctl -n machdep.cpu.brand_string | awk '{print $1}')

    cd /Users/Shared || exit 1

    # -f makes curl fail on an HTTP error instead of saving the error page
    if [ "$CPUTYPE" = "Intel(R)" ]; then
        echo "Installing Google Chrome for Intel"
        curl -f -O https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg || exit 1
    else
        echo "Installing Google Chrome for Apple Silicon"
        curl -f -O https://dl.google.com/chrome/mac/universal/stable/GGRO/googlechrome.dmg || exit 1
    fi
    # curl -O saves the download under its remote file name
    CHROMEATTACH="googlechrome.dmg"
    echo "$CHROMEATTACH"
    hdiutil attach "$CHROMEATTACH" -nobrowse -quiet

    # Copy the app bundle out of the mounted image, then unmount it
    cp -R "/Volumes/Google Chrome/Google Chrome.app" /Applications/
    hdiutil detach "/Volumes/Google Chrome"

    rm -f "$CHROMEATTACH"
    exit 0
fi

alexbauer
New Contributor III

Yea, we really do not recommend the DMG to anyone to use. It causes a lot of problems with the updater component of Chrome and so the PKG is our preferred deployment method.

Hi Alex, what if you need to install the Chrome Enterprise package on top of an existing regular Chrome installation (.dmg)? I noticed I have a lot of issues updating Chrome in this scenario. Any ideas? I already reinstalled Google Software Updater but I constantly run into the Error 11 problem (Updates are disabled or 

KSTempDirectoryAdditions failed to create temp directory. [com.google.UpdateEngine.CommonErrorDomain:54 - '/tmp/KSOutOfProcessFetcher.XXXXXXXXXX' - 'NSFileManager+TempDirectory.m:126'] (The operation couldn’t be completed. Permission denied [NSPOSIXErrorDomain:13])
KSTempDirectoryAdditions failed to create temp directory. [com.google.UpdateEngine.CommonErrorDomain:54 - '/tmp/KSOutOfProcessFetcher.XXXXXXXXXX' - 'NSFileManager+TempDirectory.m:126'] (The operation couldn’t be completed. Permission denied [NSPOSIXErrorDomain:13])
KSServerUpdateRequest fetch failed. KSOutOfProcessFetcher could not create download temp location.

Thanks

alexbauer
New Contributor III

Just use the PKG to deploy over and you are good to go.

Error 11 means that you have set a policy to disable keystone updates for Chrome.

I am not sure where I could've set that.. I use one Configuration Profile in Jamf

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>updatePolicies</key>
    <dict>
      <key>global</key>
      <dict>
        <key>UpdateDefault</key>
        <integer>0</integer>
      </dict>
      <key>com.google.Chrome</key>
      <dict>
        <key>UpdateDefault</key>
        <integer>0</integer>
        <key>TargetVersionPrefix</key>
        <string/>
        <key>RollbackToTargetVersion</key>
        <string/>
        <key>TargetChannel</key>
        <string>stable</string>
      </dict>
    </dict>
  </dict>
</plist>

And in the Google Admin Console > Devices > Chrome > Settings > Users & Browsers -- I have set Chrome Browser Updates - Automatic Updates Only & Component Updates - Enable Updates for all components.

I tried to reinstall Chrome Ent. package but I still hit the same problem.. 😞 

Update failed (error: 11)

Error details:

KSTempDirectoryAdditions failed to create temp directory. [com.google.UpdateEngine.CommonErrorDomain:54 - '/tmp/KSOutOfProcessFetcher.XXXXXXXXXX' - 'NSFileManager+TempDirectory.m:126'] (The operation couldn’t be completed. Permission denied [NSPOSIXErrorDomain:13])
KSTempDirectoryAdditions failed to create temp directory. [com.google.UpdateEngine.CommonErrorDomain:54 - '/tmp/KSOutOfProcessFetcher.XXXXXXXXXX' - 'NSFileManager+TempDirectory.m:126'] (The operation couldn’t be completed. Permission denied [NSPOSIXErrorDomain:13])
KSServerUpdateRequest fetch failed. KSOutOfProcessFetcher could not create download temp location.
Updates are disabled.

Under /Volumes I have these 2 folders (probably after reinstalling Google Software Update right?)
drwxr-xr-x 7 myuser staff 306B Jul 2 2016 GoogleSoftwareUpdate-1.2.5.1203
drwxr-xr-x 6 myuser staff 272B Jul 10 04:09 GoogleSoftwareUpdate-1.3.16.180
lrwxr-xr-x 1 root wheel 1B Oct 29 17:21 Macintosh -> /

I was able to solve this by using chown 

sudo chown myuser:mygroup /private/tmp/com.google.Keystone

But I am still getting

Update failed (error: 11)

Error details:

Updates are disabled.

I was able to solve this by removing folder

~/Library/Google/GoogleSoftwareUpdate

/Library/Google/GoogleSoftwareUpdate

Reinstalling the Chrome Enterprise package and reinstalling Google Software Update from here https://support.google.com/chrome/answer/111996?hl=en

AtillaTheC
New Contributor III

Found this and it has been working for me, thanks tho! 

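#!/bin/sh
# Download the universal Chrome enterprise PKG, install it, then remove the installer.
pkgfile="GoogleChrome.pkg"
logfile="/Library/Logs/GoogleChromeInstallScript.log"
url='https://dl.google.com/chrome/mac/universal/stable/gcem/GoogleChrome.pkg'

/bin/echo "--" >> "${logfile}"
/bin/echo "$(date): Downloading latest version." >> "${logfile}"
# -f makes curl fail on an HTTP error instead of saving the error page as the PKG
if ! /usr/bin/curl -f -s -o "/tmp/${pkgfile}" "${url}"; then
    /bin/echo "$(date): Download failed." >> "${logfile}"
    exit 1
fi
/bin/echo "$(date): Installing..." >> "${logfile}"
cd /tmp
/usr/sbin/installer -pkg GoogleChrome.pkg -target /
result=$?
/bin/sleep 5
/bin/echo "$(date): Deleting package installer." >> "${logfile}"
/bin/rm /tmp/"${pkgfile}"

# Return the installer's exit status so a failed install is not reported as success
exit "${result}"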
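
The install scripts posted in this thread run as root, save the download to a fixed path in /tmp and hand it to installer without checking who signed it. The following is an added example, not code from any poster, Google or Jamf: it downloads into a private mktemp directory and installs only when pkgutil --check-signature reports the expected Developer ID Team ID. EXPECTED_TEAM_ID, RUN_INSTALL, the function names and the sample report are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: install the Chrome PKG only if its signature names the expected signer.
# EXPECTED_TEAM_ID and RUN_INSTALL are hypothetical variables chosen for this sketch.
url='https://dl.google.com/chrome/mac/universal/stable/gcem/GoogleChrome.pkg'

# Constructed sample of `pkgutil --check-signature` output (not captured from a real PKG).
SAMPLE_REPORT='Package "GoogleChrome.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
    2. Developer ID Certification Authority'

# Read a signature report on stdin; print the Team ID of the leaf ("1.") certificate.
extract_team_id() {
    sed -n 's/^ *1\. Developer ID Installer: .*(\([A-Z0-9]\{10\}\)) *$/\1/p' | head -n 1
}

# Succeed only if the report on stdin carries exactly the expected, non-empty Team ID.
signature_matches() {
    want="$1"
    got=$(extract_team_id)
    [ -n "$want" ] && [ "$got" = "$want" ]
}

install_verified_pkg() {
    team_id="$1"
    # Private directory with an unpredictable name, not a fixed /tmp/GoogleChrome.pkg.
    workdir=$(mktemp -d /tmp/chrome-install.XXXXXX) || return 1
    pkg="$workdir/GoogleChrome.pkg"
    status=1
    # -f: fail on HTTP errors; --proto: refuse anything other than HTTPS.
    # An unsigned package yields no Team ID, so the match fails and nothing is installed.
    if /usr/bin/curl -fsS --proto '=https' -o "$pkg" "$url" &&
       report=$(/usr/sbin/pkgutil --check-signature "$pkg") &&
       printf '%s\n' "$report" | signature_matches "$team_id"; then
        /usr/sbin/installer -pkg "$pkg" -target /
        status=$?
    fi
    rm -rf "$workdir"
    return "$status"
}

# Nothing is downloaded or installed unless explicitly requested:
#   RUN_INSTALL=1 EXPECTED_TEAM_ID=<Team ID you verified> sh this_script.sh
if [ "${RUN_INSTALL:-0}" = "1" ]; then
    install_verified_pkg "${EXPECTED_TEAM_ID:-}"
fi
```

Record the Team ID once from a copy of the package you trust and supply it through your management tool; an empty EXPECTED_TEAM_ID never matches.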

nwebster
New Contributor II

Assuming chrome/mac/universal/stable/gcem/GoogleChrome.pkg link will install the correct version for Intel, as well as M1?

AtillaTheC
New Contributor III

@nwebster wrote:

Assuming chrome/mac/universal/stable/gcem/GoogleChrome.pkg link will install the correct version for Intel, as well as M1?


yes, this will install a universal binary version of chrome and it will auto select ARM vs x86 after multiple tests.

Hi, did you ever run into problems updating Chrome? Like Error 11 or some other errors like the one below? Thanks

Error details:

KSTempDirectoryAdditions failed to create temp directory. [com.google.UpdateEngine.CommonErrorDomain:54 - '/tmp/KSOutOfProcessFetcher.XXXXXXXXXX' - 'NSFileManager+TempDirectory.m:126'] (The operation couldn’t be completed. Permission denied [NSPOSIXErrorDomain:13])
KSTempDirectoryAdditions failed to create temp directory. [com.google.UpdateEngine.CommonErrorDomain:54 - '/tmp/KSOutOfProcessFetcher.XXXXXXXXXX' - 'NSFileManager+TempDirectory.m:126'] (The operation couldn’t be completed. Permission denied [NSPOSIXErrorDomain:13])
KSServerUpdateRequest fetch failed. KSOutOfProcessFetcher could not create download temp location.

I was able to solve this by using chown

sudo chown myuser:mygroup /private/tmp/com.google.Keystone

But I am still getting

Update failed (error: 11)

Error details:

Updates are disabled.

alexbauer
New Contributor III

Sorry for the late reply. @tomt, I ran a test and the PKG installs the updater files here (see screenshot below). It will put some update stuff in the user library as well, but I believe that is used to stage updates etc. The updater itself should not be in the user library I believe.


tcandela
Valued Contributor II

@ooshnoo hey can you explain what the 4th line below does? specifically the /${pkgfile} ${url} what's it doing with these 2 variables on that line? is it just renaming the downloaded .pkg to GoogleChrome.pkg? (i see that in the installer -pkg line)

pkgfile="GoogleChrome.pkg"
logfile="/Library/Logs/GoogleChromeInstallScript.log"
url='https://dl.google.com/chrome/mac/stable/gcem/GoogleChrome.pkg'

/usr/bin/curl -s -o /tmp/${pkgfile} ${url}

tomt
Valued Contributor

No .apps in ~/Library/Google/GoogleSoftwareUpdate? If so, that's great! I'll give this .pkg a test as soon as I have some time.

I've had to resort to using a locked file that Chrome could not replace since every time Chrome was launched it would recreate the updater app inside the user's library.

Thanks

alexbauer
New Contributor III

@tomt, one of the reasons why we did the PKG was that with the DMG, updates were not applying consistently on Mac deployments. We've heard from customers that the way Jamf Composer and other tools were picking up the "delta" to build the PKG was sometimes missing some of the updater files, which in turn would break auto update for some users.

alexbauer
New Contributor III

By the way, if anyone would like a more thorough demo related to CBCM, let me know. We can have a quick 30 minute call to go over what it is, capabilities, etc.

jhuls
Contributor III

Can someone throw out a clue as to why when I install Google Chrome with the pkg at the link below and then throw it in the trash to test installing again that the pkg then errors out and doesn't install thereafter?

https://cloud.google.com/chrome-enterprise/browser/download/

It literally worked the first time I ran it. Threw Google Chrome in the trash and tried both testing through Self Service and double-clicking the package and got same results where it errored out.

tomt
Valued Contributor

@alexbauer wrote:

one of the reasons why we did the PKG was that with the DMG, updates were not applying consistently on Mac deployments. We've heard from customers that the way Jamf Composer and other tools were picking up the "delta" to build the PKG was sometimes missing some of the updater files, which in turn would break auto update for some users.

@alexbauer In our case, we want to completely disable auto updates and any helpers, reminders or pop-ups about them. Unfortunately we have quite a few legacy portals and have to vet each update before releasing them.

alexbauer
New Contributor III

@tomt you can do that through policy. disable auto update and pin to certain versions. only updates when you change the pinned version.
@jhuls, go to https://bugs.chromium.org/p/chromium/issues/list and open a new bug there and let me know the bug number and I will send it to our engineering team. make sure to add as much detail as you can

jhuls
Contributor III

@alexbauer Thanks. It's 1065730.

alexbauer
New Contributor III

@jhuls thanks! i forwarded the CRbug to our engineering team

jhuls
Contributor III

An update on the issue I mentioned earlier...it turns out that the Google Chrome package provided by Google does not like it when there is a Google Chrome.app anywhere else in addition to or in place of /Applications on my system. The installer simply fails. I was unable to test on other systems since I'm doing the work from home thing now. Oddly enough it obviously worked the first time but after that is when it failed continuously during the time that another Google Chrome.app was on my machine.

I don't see this as a big issue in my environment and I only learned of this because I have autopkg installed on my system creating packages to deploy...one of them is Google Chrome where it has Google Chrome.app located in their cache directory. The logs of the Chrome installer think that Google Chrome.app was relocated there. The same occurs if someone were to deploy Google's package to a system that has the Google Chrome.app in ~/Applications or if a user were to have copied the app to ~/Desktop or ~/Downloads from the dmg still available to the general public.

At least on my machine it behaves this way. In another thread here I saw someone mentioning what sounds like a similar issue that they're experiencing.

Like I said this isn't a big deal for my environment and the solution is to remove the other Google Chrome.app applications on the system. In a looser setting where users have copied this to anywhere other than /Applications this looks to be a problem though.

I should add also that when running the installer package manually that it would on occasion show the "Destination Select" page rather than skip over it. Google's intention is for that to not be presented but it would show up on occasion while testing this. I don't have the technical kung-fu to know why the installer fails like it does or why it presents the "Destination Select" page at times. The page being shown seems harmless to me but it was strange seeing that show up every now and then.

Basically the person I chatted with seems to be marking this as a no-fix and seemed perplexed by what was going on. If it's an issue for others, they should probably speak up.

https://bugs.chromium.org/p/chromium/issues/detail?id=1065730

jhuls
Contributor III

Now it looks like things are getting figured out with a fix on the way.

alexbauer
New Contributor III

The issue is fixed in CRbug: https://bugs.chromium.org/p/chromium/issues/detail?id=1067275
Should roll out in the next PKG

alexbauer
New Contributor III

Officially tagged for Chrome v83 for now, so it should come out May 19th.

jhuls
Contributor III

@alexbauer Thanks for the fix and responsiveness.

alexbauer
New Contributor III

My pleasure! Let me know if you guys run into any other issues and I will try to help from my side.

dswitmer
New Contributor III

@alexbauer Hi, if you want to do a call, I'd join.

alexbauer
New Contributor III

@dswitmer - send me an email alexbauer@google.com and we can set something up

GabeShack
Valued Contributor III

This is good news indeed. Up until now, we have been scripting the download of the stable release .DMG and we keep seeing issues where the Chrome app only shows as partially installed. I've noticed it doesn't always seem to copy the full app from the tmp mount point and leaves a broken chrome.

@jamf_sam @alexbauer Are there any future thoughts of having Patch Management just carry the whole burden (perhaps with partnership with the various companies that make the apps followed in patch management) of downloading and installing said updates if the feature is turned on? The whole idea of packaging and adding updates constantly has always been a load of work, but it seems like JAMF is trying to take some of this off our plates.

The final push would be for Jamf to have an automatic solution (for these specific apps of course) to keep the community from having to script or package their own solutions and just have Patch Management get updates directly from those companies that we can turn on or not.

Gabe Shackney
Princeton Public Schools


bcbackes
Contributor II

@alexbauer @jamf_sam I have a request from my Security team to block certain Chrome extensions. I've used the "ExtensionInstallBlacklist" setting to block the extensions from installing. However, in my testing that setting doesn't disable and/or remove the extension if it's already installed. Do either of you know how to do this? I'm currently deploying all my Chrome settings via Configuration Profile through Jamf Pro. For the life of me I'm not able to find a way to disable and/or remove extensions that might already be installed.

My example: I was testing with trying to block the Adblock Plus extension (cfhdojbkjhnklbpkdaibdccddilifddb). I found that when I add (cfhdojbkjhnklbpkdaibdccddilifddb) to the "ExtensionInstallBlacklist" setting, I was unable to install it. However, if I remove it from "ExtensionInstallBlacklist", install the Adblock Plus extension, then re-add the "ExtensionInstallBlacklist", Adblock Plus functions without any issues. I'm trying to find the setting to disable/remove already installed Chrome extensions. Any help is greatly appreciated!

JarvisUno
Contributor II

So does this package now take care of the heavy lifting and update Chrome as well, or is this still a manual or scripted process? I currently have a script that checks for the latest version of the .DMG and then updates it if available.