Google Chrome has a few ways in which you can manage its update mechanism which I wanted to post about.
Google Chrome Enterprise Installer
If you’re not already doing so, I recommend you start using the enterprise Google Chrome installer package. This package installs Google Chrome but also configures the Google Software Update Agent, which many admins were doing with a separate script. Once Chrome is registered with the Google Software Update Agent, there are a few options for managing it to ensure that Google Chrome stays up to date.
Managing Google Software Update/Keystone
Here is an article that talks about how to manage Google Chrome updates: https://support.google.com/chrome/a/answer/7591084
By generating a configuration profile that manages the domain com.google.Keystone.plist, you can ensure that Google’s auto update mechanism is configured according to your needs. Keep in mind that the Google Software Update Agent can manage the updates for various Google apps on macOS. Unfortunately, the Google Software Update Agent won’t necessarily force users to do anything, as it’s pretty transparent in the background and its job when unmanaged is just to check for updates and stage them for installation on a relaunch of a Google application. Once a registered Google application is relaunched, it will ensure the app is running the latest version.
Managing Update Notifications
Fortunately, Google has provided a way for admins to notify users that a Chrome update is pending and force them to relaunch. This article talks about how to manage relaunch notifications: https://support.google.com/chrome/a/answer/7679871?hl=en&ref_topic=9023245
Tells users to relaunch Chrome Browser or restart their device running Chrome OS to get the latest update. Choose one of the options:
- Relaunch recommended: Users can close the notification and keep using the old version of Chrome Browser or Chrome OS until they choose to relaunch Chrome Browser or restart their Chrome device.
- Relaunch required: Users can close the notification but will see a recurring message that Chrome Browser will automatically relaunch or their Chrome device will restart after a certain time. Use the RelaunchNotificationPeriod policy to set the relaunch time (details below).
- Unset: On the toolbar, the More icon changes to indicate that an update is available, but users aren’t forced to relaunch.
The RelaunchNotificationPeriod policy sets the time period, in milliseconds (ms), that a user is repeatedly notified to relaunch Chrome Browser or restart their Chrome device to apply an update.
- Unset: The default time period is 604,800,000 ms (7 days).
In our environment, we’ve got it set to 86400000 ms (or 24 hours). It has worked out pretty well for us. As an aside, I have no idea why Google chose to work with milliseconds.
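As an added example (my own script, not from the post or from Google’s documentation), the POSIX shell functions below convert a period written as seconds, minutes, hours or days into the millisecond value RelaunchNotificationPeriod expects, so a figure like the 24 hours above cannot be mistyped, and emit a plist for the com.google.Chrome preference domain that sets it alongside RelaunchNotification, the companion policy whose integer values are 1 for "Relaunch recommended" and 2 for "Relaunch required". Deploying that plist through a configuration profile is assumed and not shown here.

```shell
#!/bin/sh
# Added example: build the com.google.Chrome relaunch policy values.
# Not part of the original post; the plist layout for a managed-preference
# payload is an assumption, the policy names and integer codes are Chrome's.
set -eu

# Convert "3600s", "30m", "24h", "4d" or a bare millisecond count into ms.
# Returns 1 for anything that is not a positive integer with a known suffix.
relaunch_period_ms() {
  value="$1"
  case "$value" in
    *s) n="${value%s}"; mult=1000 ;;
    *m) n="${value%m}"; mult=60000 ;;
    *h) n="${value%h}"; mult=3600000 ;;
    *d) n="${value%d}"; mult=86400000 ;;
    *)  n="$value";      mult=1 ;;
  esac
  case "$n" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$n" -gt 0 ] || return 1
  echo $((n * mult))
}

# Print a plist with RelaunchNotification (1 = recommended, 2 = required) and
# RelaunchNotificationPeriod in ms. Defaults follow the post: required, 24h.
# Chrome's own default period, when the policy is unset, is 7 days.
chrome_relaunch_plist() {
  mode="${1:-required}"
  period="${2:-24h}"
  case "$mode" in
    recommended) code=1 ;;
    required)    code=2 ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
  ms=$(relaunch_period_ms "$period") || { echo "bad period: $period" >&2; return 1; }
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>RelaunchNotification</key>
    <integer>${code}</integer>
    <key>RelaunchNotificationPeriod</key>
    <integer>${ms}</integer>
</dict>
</plist>
EOF
}
```

Running `chrome_relaunch_plist required 24h` prints the policy pair the post uses (86400000 ms); `relaunch_period_ms 7d` gives Chrome’s 604800000 ms default, and a value of zero or an unknown suffix is rejected rather than silently producing a bogus period.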
Here is an example screenshot of what the notification looks like in Google Chrome if you set it to require a relaunch in 4 days:
When does Google Software Update run?
The last part of the equation to account for is controlling when the Google Software Update Agent runs. At the moment, there is no way to do so. The Google Software Update Agent runs based on a launch daemon in /Library/LaunchDaemons/com.google.keystone.daemon.plist and two launch agents in
Here are my observations:
- The agent will automatically check for updates when the user logs into macOS.
- The agent will automatically check for updates when Google Chrome is launched. However, it will only install any updates after a relaunch of Chrome.
- The agent is supposed to automatically check for updates every 3623 seconds (this may be randomized on each device). As someone who does not use Chrome, I found that the app remained unpatched for days even when updates were definitely available, which leads me to believe that this is not checking aggressively enough or there are some strings attached. I purposely did not launch Chrome to see how long it would take for it to auto update.
This becomes a bit of a problem because most people rarely restart their web browser, let alone log out and log back into their computer. I wanted a more guaranteed way to ensure that Chrome was at least regularly checking for updates in the background. The idea here is that if someone is not using Chrome, I want it to be updated as soon as they do decide to launch it the next time. I don’t want to rely on update checks that only happen when the browser is launched.
I did a bit of searching and found the following discussion on Jamf Nation which shows you can run the following command as the user (it will not work if you run this as root or a user other than the one in the current session):
"/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent" -runMode oneshot -userInitiated YES "$@"
That eventually led me to create a launch agent that I could then deploy myself to devices:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.company.google.softwareupdatecheck</string>
    <!-- Only load in a GUI login session; the agent must run as the logged-in user. -->
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
        <string>-runMode</string>
        <string>oneshot</string>
        <string>-userInitiated</string>
        <string>YES</string>
        <!-- The shell command's trailing "$@" is omitted here: launchd does not
             expand shell syntax and would pass it to the agent as a literal argument. -->
    </array>
    <!-- Run once when the agent is loaded at login, then every StartInterval seconds. -->
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>21600</integer>
</dict>
</plist>
The launch agent is deployed to /Library/LaunchAgents/ with permissions set to 644 and owner/group set to root:wheel. The idea here is that the launch agent will run every 21600 seconds (or 6 hours). I chose 6 hours because it would at least ensure that the Google Software Update Agent checks for an update at least once a day during the work day. Feel free to change those values for yourself.
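As an added example (my own script, not from the post, Jamf Nation or Google), here is a POSIX shell script that generates the launch agent above from a label and an interval, refuses intervals that would not keep the check at least daily, and installs the file with the 644 and root:wheel settings just described, then runs `plutil -lint` on it where that tool exists. The agent binary path is the one from the post; the label com.example.keystonecheck, the 60-second floor and the use of `install` for ownership and mode are my assumptions. The trailing "$@" from the shell one-liner is deliberately left out because launchd would hand it to the agent as a literal argument.

```shell
#!/bin/sh
# Added example: generate and install a launch agent that runs the Google
# Software Update agent periodically as the logged-in user. Not from the post.
set -eu

# Agent binary path as given in the post.
KS_AGENT="/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent"

# Print the launch agent plist for a label and a StartInterval in seconds.
keystone_agent_plist() {
  label="$1"
  interval="$2"
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${label}</string>
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
    <key>ProgramArguments</key>
    <array>
        <string>${KS_AGENT}</string>
        <string>-runMode</string>
        <string>oneshot</string>
        <string>-userInitiated</string>
        <string>YES</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>${interval}</integer>
</dict>
</plist>
EOF
}

# Accept only a positive integer between 60 s (assumed floor) and 86400 s, so the
# agent is never starved or run less than once a day. Returns 1 otherwise.
valid_interval() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 60 ] && [ "$1" -le 86400 ]
}

# Write the plist into DIR with mode 644; apply root:wheel when running as root
# on macOS. Prints the installed path. Usage: install_keystone_agent DIR LABEL SECS
install_keystone_agent() {
  dir="$1"; label="$2"; interval="$3"
  valid_interval "$interval" || { echo "bad interval: $interval" >&2; return 1; }
  target="${dir}/${label}.plist"
  tmp=$(mktemp)
  keystone_agent_plist "$label" "$interval" > "$tmp"
  if [ "$(id -u)" -eq 0 ] && [ "$(uname)" = Darwin ]; then
    install -m 644 -o root -g wheel "$tmp" "$target"
  else
    install -m 644 "$tmp" "$target"
  fi
  rm -f "$tmp"
  # Syntax-check the plist before it is ever loaded (macOS only).
  if command -v plutil >/dev/null 2>&1; then
    plutil -lint "$target" >/dev/null
  fi
  echo "$target"
}
```

For a real deployment you would call `install_keystone_agent /Library/LaunchAgents com.company.google.softwareupdatecheck 21600` as root; the agent then loads at the next GUI login, or immediately with `launchctl bootstrap gui/$(id -u) <path>` run in the user's session, which the script leaves to you.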