UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Steps to reproduce the problem:
We have an application allowed to run whitelist for security so that items cannot run out of /Users/ folder (we whitelist folders that apps can run from like /Applications and some other locations that are not write accessible by a user).  

This stops adware, malicious software, etc from running.  In our environment, no apps should be allowed to run where users have read/write permissions.

1. Follow Google KB to create com.google.Keystone.plist to block updates https://support.google.com/chrome/a/answer/7591084 - we push this via a config profile as instructed.
2. Update (I'm going from Chrome 66 to latest for test)
3. Open Chrome, get prompt about GoogleSoftwareUpdate being blocked.  

Note: Before putting this config profile in place, I was getting prompt about ksadmin as well but that at least no longer happens.

What is the expected behavior?
If we choose to disable updates (setting plist to option 3), GoogleSoftwareUpdate shouldn't attempt to run, or if it needs to run it should not run out of /Users/username/Google folder.  If we were to allow this bundle to run, anything could be ran from that location.

What went wrong?
See screenshots.  On the PC side, we similarly use group policy to block updates and users never see any prompts.

Did this work before? N/A 

Chrome version: 69.0.3497.100  Channel: n/a
OS Version: OS X 10.13.5
Flash Version: 

Please find a way to fix this.  It has been an ongoing issue for schools and other enterprise environments that need to lock down apps that attempt to run in the users folder for years.
 

Deleted: 1.png 25.9 KB

	1.png 25.9 KB View Download

Deleted: 2.png 46.0 KB

	2.png 46.0 KB View Download