Controlling updates for Google Chrome enterprise deployment

We have been using Chrome's MSI and Chrome's group policy templates to deploy it to all our users.

Lately we have been bitten by a few bugs that made it into release updates, the latest being scroll bars in select dropdowns not being draggable.

We want more control over when people get updated - so we can have a few of the more tech-savvy staff try the newest version with our internal applications before everyone gets it.

I found the documentation on disabling automatic updates and pushing out new MSIs to upgrade, but:

  • I couldn't find out if Google puts out a new MSI for every update or only major version updates?
  • If it is only major updates is there a way for everyone to still get security updates until the next major version is released? (and hope the minor updates don't break anything)

Solution 1:

I have Chrome deployed fairly widely in a few different Customers and I've had to contend with this.

Here's where Google relates the policy:

We release a new "major" version to the stable channel about every six weeks. We also update the stable channel between major updates if we have important crash or security fixes.

If you're looking to repair an existing MSI installation, and you left auto-updates on, you can repair with the latest stable MSI.

That's not as crystal-clear as I'd like it to be, and I suspect you'll feel the same way.

We have disabled automated updates, test new versions in limited deployments and, when they test "good", deploy the new MSIs to "upgrade" the old versions. Sounds like something very similar to what you're looking to do.

Solution 2:

From watching the last few updates, it looks like a new MSI file is released with each release channel update, both major and minor.

So automatic updates can be completely disabled, and you can rely on the IT staff pushing out each update after appropriate testing.

Instead of watching the release blog, I came up with a relatively simple script to identify when a new version is released. With a few tweaks this could be fed into a monitoring system to alert you that there is a new version to test:

wget http://dl.google.com/chrome/install/GoogleChromeStandaloneEnterprise.msi && md5sum GoogleChromeStandaloneEnterprise.msi && file GoogleChromeStandaloneEnterprise.msi | grep -o 'Comments:[ 0-9.]*'

This downloads the latest MSI file (hopefully Google doesn't change that link... it was rather difficult to find a direct link to it), calculates the MD5 sum to see if it has changed, and extracts the version number from the comments field of the MSI.
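
The monitoring tweak mentioned in Solution 2 could look like the following. This is an added example, not part of the original answer: it keeps the last seen hash in a state file and returns a warning status when the MSI changes. The state file path, the function names and the `--run` switch are assumptions, SHA-256 is used in place of MD5, and the version string in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original answer): alert when the Chrome enterprise MSI changes.
# Assumptions: STATE_FILE location and all function names are hypothetical; SHA-256
# replaces the answer's MD5; exit codes follow the Nagios plugin convention
# (0 = OK, 1 = WARNING, 3 = UNKNOWN).

MSI_URL="http://dl.google.com/chrome/install/GoogleChromeStandaloneEnterprise.msi"  # URL from the answer
STATE_FILE="${STATE_FILE:-/var/tmp/chrome_msi.state}"

# Pull the version out of `file` output, where the MSI Comments field starts with it,
# e.g. "... Comments: 120.0.6099.130 Copyright ..." (constructed sample).
extract_version() {
    printf '%s\n' "$1" | grep -o 'Comments:[ 0-9.]*' | sed 's/^Comments: *//; s/ *$//'
}

# Compare a fresh hash with the stored one; record it and return 1 if it changed.
compare_and_record() {
    new_hash=$1; new_ver=$2
    if [ ! -f "$STATE_FILE" ]; then
        printf '%s %s\n' "$new_hash" "$new_ver" > "$STATE_FILE"
        echo "OK: baseline recorded, version $new_ver"; return 0
    fi
    read -r old_hash old_ver < "$STATE_FILE"
    if [ "$new_hash" = "$old_hash" ]; then
        echo "OK: Chrome MSI unchanged, version $old_ver"; return 0
    fi
    printf '%s %s\n' "$new_hash" "$new_ver" > "$STATE_FILE"
    echo "WARNING: new Chrome MSI, $old_ver -> $new_ver"; return 1
}

# Download to a temp file (no .1/.2 copies piling up), hash, parse, compare.
# The file is only inspected for change detection and then deleted.
check_chrome_msi() {
    tmp=$(mktemp) || return 3
    if ! wget -q -O "$tmp" "$MSI_URL"; then
        rm -f "$tmp"; echo "UNKNOWN: download failed"; return 3
    fi
    hash=$(sha256sum "$tmp" | cut -d' ' -f1)
    ver=$(extract_version "$(file "$tmp")")
    rm -f "$tmp"
    compare_and_record "$hash" "${ver:-unknown}"
}

# Only touch the network when asked to, e.g. from cron: ./check_chrome_msi.sh --run
if [ "${1:-}" = "--run" ]; then
    check_chrome_msi
    exit $?
fi
```

A failed download leaves the stored state untouched, so a network outage is reported as UNKNOWN rather than as a new release.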