Controlling updates for Google Chrome enterprise deployment

google-chrome group-policy deployment

We have been using Chrome's MSI and chrome's group policy templates to deploy it to all our users.

Lately we have been bitten by a few bugs that made it into release updates. The latest being scroll bars in select dropdowns not being draggable.

We want more control over when people get updated - so we can have a few of the more tech savvy staff try the newest version with our internal applications before everyone gets it.

I found the documentation on disabling automatic updates and pushing out new MSIs to upgrade, but:

  • I couldn't find out if google puts out a new MSI for every update or only major version updates?
  • If it is only major updates is there a way for everyone to still get security updates until the next major version is releases? (and hope the minor updates don't break anything)

Solution 1:

I have Chrome deployed fairly widely in a few different Customers and I've had to contend with this.

Here's where Google relates the policy:

We release a new "major" version to the stable channel about every six weeks. We also update the stable channel between major updates if we have important crash or security fixes.

If you're looking to repair an existing MSI installation, and you left auto-updates on, you can repair with the latest stable MSI.

That's not as crystal-clear as I'd like it to be, and I suspect you'll feel the same way.

We have disabled automated updates, test new versions in limited deployments and, when they test "good", deploy the new MSIs to "upgrade" the old versions. Sounds like something very similar to what you're looking to do.

Solution 2:

From watching the last few updates, it looks like a new MSI file is released with each release channel update, both major and minor.

So automatic updates can be completely disabled, and rely on the IT staff pushing out each update after appropriate testing.

Instead of watching the release blog, I came up with a relatively simple script to identify when a new version is released. With a few tweaks this could be fed into a monitoring system to alert you that there is a new version to test:

wget http://dl.google.com/chrome/install/GoogleChromeStandaloneEnterprise.msi && md5sum GoogleChromeStandaloneEnterprise.msi && file  GoogleChromeStandaloneEnterprise.msi | grep -o 'Comments:[ 0-9.]*'

This downloads the latest MSI file (hopefully google doesn't change that link...it was rather difficult to find a direct link to it), calculates the MD5sum to see if it has changed, and extracts the version number from the comments field of the MSI.

Related

linux cache usage
Looking for alternative to Symantec Backup Exec 12.5 [closed]
fsc option is ignored when trying to use cachefilesd on ubuntu 18.04
zfs for Hadoop cloud instead of ext4 [closed]
Apache gives empty reply
SQL Server backup and restore process
Django 2.1 deployment on centos 7 with apache, mod_wsgi, python3 venv
How to configure Apache to act as an SSL proxy to an application server?
Reboot VMware View Connection Server
Nginx + php5-fpm + Symfony2 = "File not found."
What is the best way to get PRECISE domain name from ip address logged in iptables log
HAProxy basic auth except from specific IP