Impossible to stop Chrome Browser auto update on Mac OS
Issue description

Chrome version: 69.0.3497.100
OS version: Mac OS High Sierra (version 10.13.6)
Case#: 17013106

Description:
On Windows it was quite simple to use GPO to stop Chrome auto updates by following the article -> https://support.google.com/chrome/a/answer/6350036?hl=en and you can easily check the changes via: chrome://settings/help of Chrome browser
Messages: “Updates are disabled by the administrator”

On Mac OS: By following the information provided at https://support.google.com/chrome/a/answer/7591084?hl=en , Chrome auto updates are not stopping… (as you can see with the screenshots https://drive.google.com/drive/folders/1PVL2aCuNxNzVGGF9oe8km-bkDbUDXkm1?usp=sharing)

Steps to reproduce:
1) Use the sample file provided at https://support.google.com/chrome/a/answer/7591084?hl=en

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>updatePolicies</key>
      <dict>
        <key>global</key>
        <dict>
          <key>UpdateDefault</key>
          <integer>3</integer>
          <key>DownloadPreference</key>
          <string>cacheable</string>
        </dict>
        <key>com.google.Chrome</key>
        <dict>
          <key>UpdateDefault</key>
          <integer>2</integer>
          <key>TargetVersionPrefix</key>
          <string>69.</string>
        </dict>
        <key>com.google.drivefs</key>
        <dict>
          <key>UpdateDefault</key>
          <integer>2</integer>
        </dict>
      </dict>
    </dict>
    </plist>

2) Follow the steps of the help https://support.google.com/chrome/a/answer/7591084?hl=en
3) via chrome://settings/help of Chrome browser
Messages: “Automatic Updates are turned on”

Current Behavior / Reproduction: Chrome browser auto updates are not turned off on Mac OS
Expected Behavior: Chrome browser auto updates should be turned off on Mac OS
Drive link to logs: https://drive.google.com/drive/folders/1PVL2aCuNxNzVGGF9oe8km-bkDbUDXkm1?usp=sharing
Oct 16
I have tried with or without
<key>TargetVersionPrefix</key>
<string>69.</string>
I have also replaced
<key>UpdateDefault</key>
<integer>2</integer>
by
<key>UpdateDefault</key>
<integer>3</integer>
in different places and it does not work...
Oct 19
Mac triage: +cc avi@ and marking assigned to kotah@
Oct 19
I don't have other comments to add now:) Assigning a few components
Nov 19
Hi all, is there an update on this? This issue is also being worked on in b/117237754 but I believe that issue is more from a documentation perspective. It appears the customer in go/sfstory/17013106 is still affected and is hoping there can be a fix by M71 if possible.
Nov 19
+mevissen +borisv since this touches updates on Mac
Dec 10
Hi Avi, any progress on this issue? Were you able to stop the auto update of Chrome by following the documentation provided? Thank you
Dec 10
My customer has the same issue. I want to know what "deploy" means in the following context of the help article. Do we have to use MDM (Mobile device management) to deploy the plist?
Manage Chrome updates (Mac) https://support.google.com/chrome/a/answer/7591084?hl=en
================
Manage Chrome updates (Mac)
You can set values for both types of policies in the Google Software Update configuration file (com.google.Keystone.plist), and then create a configuration profile that you deploy to all devices in your organization.
================
Dec 15
Has there been any progress on this issue? Is an "MDM" service such as "Airwatch" or "Jamf" not mandatory to deploy the "plist" to the Macbook?
Dec 17
In the following help article information, "MDM" seems to be essential to deploy the Chrome browser policy to Mac OS devices.
Chrome Browser quick start (Mac) https://support.google.com/chrome/a/answer/7550274?hl=en
----
To set up Chrome Browser on Mac, you create a configuration profile and deploy it using your preferred mobile device management (MDM) tool. The Chrome Browser for the enterprise bundle file contains a sample file that you can copy and customize for your own use.
----
Is there any detailed information about this article? But it's a bit odd, in my understanding. "MDM" just allows administrators to overwrite the local plist file and lock it. Technically, there is no difference between editing the local plist file directly and deploying it with MDM. Anyway, I think there is a lack of information in the help articles about how to deploy Chrome policy to a Mac OS device. I want to clarify if "MDM" is mandatory or not at this point.
Dec 18
1. Keystone will only act on the enterprise policies if it detects that the machine is under enterprise management. For that purpose it uses OpenDirectory and looks at the open directory entries on the machine. LDAP or AD typically add additional entries. So first let us see if the machines are detected correctly as enterprise machines. Please open Console application and search for 'request' to find any of the Keystone requests. Below is the header from my machine. Observe the domainjoined="1" attribute. If that attribute is not present in the requests from the machine, that means that Keystone assumes that the machine is not under MDM management.
<request protocol="3.0" version="KeystoneDaemon-1.2.11.124" ismachine="1" requestid="{304AA3D1-7F75-4162-8B17-BF7506A4C1C6}" dedup="cr" sessionid="{B21D2D30-DA25-44F2-85E0-B7D622C329B7}" dlpref="cacheable" domainjoined="1">
2. I am afraid that MDM is the way to deploy profiles on the machine. Keystone verifies explicitly that the policy is enforced on the current user. This happens when a management profile is imported (e.g. importing the attached file).
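The check described in the comment above, written out as an added example (it is not part of the original thread or of any Google tooling): it pulls every Keystone `<request ...>` header out of exported log text and reports whether `domainjoined="1"` is present. The function names, the `[constructed]` log prefixes, the truncated line and the second request are assumptions made for illustration; only the first header is the one quoted on this page.

```python
import re
import xml.etree.ElementTree as ET

# Opening <request ...> tag of a Keystone update request. Excluding '<' keeps a
# truncated log line from swallowing the request that follows it.
REQUEST_TAG = re.compile(r"<request\b[^<>]*>")

# Line 1 carries the header quoted in the comment above; the prefixes, the
# truncated line 2 and the request on line 3 are constructed sample input.
SAMPLE_LOG = '''\
[constructed] <request protocol="3.0" version="KeystoneDaemon-1.2.11.124" ismachine="1" requestid="{304AA3D1-7F75-4162-8B17-BF7506A4C1C6}" dedup="cr" sessionid="{B21D2D30-DA25-44F2-85E0-B7D622C329B7}" dlpref="cacheable" domainjoined="1">
[constructed] <request protocol="3.0" version="KeystoneDae
[constructed] <request protocol="3.0" version="KeystoneDaemon-1.2.11.124" ismachine="1" requestid="{00000000-0000-0000-0000-000000000002}" dedup="cr" dlpref="cacheable">
'''

def parse_request_headers(log_text):
    """Return the attribute dict of every complete <request ...> opening tag."""
    headers = []
    for match in REQUEST_TAG.finditer(log_text):
        tag = match.group(0)
        # Self-close the tag so the XML parser handles quoting and entities.
        if not tag.endswith("/>"):
            tag = tag[:-1] + "/>"
        try:
            headers.append(dict(ET.fromstring(tag).attrib))
        except ET.ParseError:
            continue  # mangled header; skip it rather than guess
    return headers

def management_report(log_text):
    """Per request: did Keystone report the machine as enterprise-managed?"""
    return [
        {
            "requestid": attrs.get("requestid"),
            "version": attrs.get("version"),
            # Per the comment above: a missing attribute means Keystone
            # assumes the machine is not under MDM management.
            "managed": attrs.get("domainjoined") == "1",
        }
        for attrs in parse_request_headers(log_text)
    ]

if __name__ == "__main__":
    for row in management_report(SAMPLE_LOG):
        state = "managed" if row["managed"] else "NOT managed (policies ignored)"
        print(row["requestid"], row["version"], state)
```

A request reported as not managed means the update policies in the plist will not be acted on, whatever values they contain.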
Dec 18
That is the point I have wanted to know. According to your explanation, I understand "MDM" allows users to manage their Macbook with Chrome policy. Strictly speaking, MDM is just a way to deploy the policy file to the devices, as borisv said. But typical MDM services such as AirWatch (VMware) and Jamf have Directory Service in their basic function. Do I understand correctly?
Dec 27
Have you made any progress on this matter? In conclusion, in order to manage Mac OS devices (Macbooks) with Chrome policy, just editing the plist file with the default command is not enough. Additionally, it is necessary to manage Mac OS devices with Enterprise Mobility Management. In other words, Enterprise mobility management such as "Jamf" and "airwatch" is required to manage a Mac OS device with Chrome policy. Did I get that right?
Jan 2
Please, accept my apologies for the delay around the holidays. "In other words, Enterprise mobility management such as "Jamf" and "airwatch" is required to manage mac OS device with chrome policy. Did I get that right ?" Yes, this is correct. The intent for these policies is to be enterprise only, with the assumption that the enterprises have dedicated IT department responsible for managing updates.
Jan 10
We have received an additional question from the customer. They will try to use Jamf MDM on Mac OS devices in order to restrict Chrome browser update. However, there is no available information found regarding how to check the status of restriction from Mac OS device wise. They previously mentioned they tested and found the following message of Chrome browser on Windows Devices: Original Message in Japanese: 更新は管理者によって無効になっています。 Translation of the above : Updates are disabled by the administrator. Therefore, please kindly provide the information how to check the restricted configuration from Chrome browser on their Mac OS devices after the policy is deployed from Jamf MDM under customer environment. Thank you for assistance on this issue.
Jan 11
Here is a scenario:
1. Apply the update disabling profile on the machine.
2. Install a version before the latest on the test machine.
3. Navigate to chrome://chrome
4. Update check should start.
5. If updates are disabled, eventually an error should be displayed: 'Updates are disabled.'.
I believe that this particular string will not be localized, but the rest of the UI should be in the local language. I am attaching a screenshot from the English version of the browser, as I don't have a Japanese one handy.
Comment 1 by kotah@google.com, Oct 15
Owner: allanrobert@chromium.org