Manage Chrome updates (Mac)

Applies to Mac users who sign in to a managed account on Chrome Browser.

As a Mac® administrator, you can use Google Software Update to manage Chrome Browser and Chrome apps updates on your users' Mac computers. There are 2 types of Google Software Update policies:

  • Global policies apply to all Google apps installed on a device.
  • App specific policies apply only to a specific app and override global policies.

You can set values for both types of policies in the Google Software Update configuration file (com.google.Keystone.plist), and then create a configuration profile that you deploy to all devices in your organization.

Step 1: Create a policy settings file

Create a new property list file
  1. Create a new property list (.plist) file in your preferred editor.
    To create and edit .plist files, Google recommends you use an editor such as Xcode that formats the XML code for you.
  2. Add global policy keys to your file, as follows:
    <key>updatePolicies</key>
    <dict>
     <key>global</key>
     <dict>
  3. Save your file as com.google.Keystone.plist.

Step 2: Configure auto-updates

Turn on auto-updates (recommended)

Applies for Chrome Browser and all applications managed by Google Software Update.

We recommend that you keep auto-updates turned on so your users receive critical security fixes and new features as they become available.

  1. Open the com.google.Keystone.plist file in your preferred XML editor.
  2. Under the updatePolicies key, add the Chrome Browser UpdateDefault key entry, and set the key value to 0. The following example shows settings for Chrome Browser (com.google.Chrome) that turns on auto-updates:
    <key>updatePolicies</key>
    <dict>
      <key>global</key>
      <dict>
        <key>UpdateDefault</key>
        <integer>0</integer>
      </dict>
    </dict>
  3. Save your changes.

The table below shows all valid settings for the UpdateDefault key.

Turn off auto-updates (for testing)

Applies for Chrome Browser and all applications managed by Google Software Update.

Chrome Browser automatically updates with feature and security updates to ensure that your users don't fall behind on critical security updates or miss out on new features.

If a Chrome Browser release causes an issue in your organization, you can turn off auto-updates until the issue is resolved. You can also turn off auto-updates if your organization wants instead to push Chrome Browser updates manually.

  1. Open the com.google.Keystone.plist file in your preferred XML editor.
  2. Under the updatePolicies key, add the Chrome Browser UpdateDefault key entry, and set the key value to 2. The following example shows settings for Chrome Browser (com.google.Chrome) that turns off auto-updates:
    <key>updatePolicies</key>
    <dict>
      <key>global</key>
      <dict>
        <key>UpdateDefault</key>
        <integer>2</integer>
      </dict>
    </dict>
  3. Save your changes.

The table below shows all valid settings for the UpdateDefault key.

Turn off Chrome Browser component updates (optional)

Applies only to Chrome Browser components.

Even if you turn off automatic updates for Chrome Browser, browser components won’t automatically stop updating, including Adobe® Flash®, Widevine DRM (for encrypted media), and the Chrome updater recovery component.

To stop Chrome Browser components from updating:

  1. In a custom property list (.plist) file, disable the ComponentUpdatesEnabled Chrome policy. The following example shows how to turn off component updates:
    <key>global</key>
    <dict>
         <key>ComponentUpdatesEnabled</key>

            <boolean>false</boolean>
      <dict>
  2. Using your preferred deployment tool, deploy the policy to your Mac computers.

Note:

  • This policy does not apply to all components. For a full list of exempted components, see ComponentUpdatesEnabled.
  • For more information on how to configure Chrome policies on Mac computers, see Policy Templates.

Step 3: Customize auto-updates

Schedule auto-updates outside work hours

Applies for Chrome Browser and all applications managed by Google Software Update.

To prevent auto-updates from occurring during certain time periods, such as peak work hours, you can set a time period for each day when auto-updates are performed.

Note: The times you specify are local machine times.

  1. Open the com.google.Keystone.plist in your preferred XML editor.
  2. Add the following nested keys to the updatePolicies global key:
    Setting  Description
    UpdatesSuppressedStartHour The time, in 24-hour clock format, that auto-updates start. Use a value between 0 (midnight) and 23.
    UpdatesSuppressedStartMin The minute, within the starting hour, that auto-updates start. Use a value between 0 and 59.
    UpdatesSuppressedDurationMin The length of time, in minutes, that auto-updates can be made. If you set this value to 0, the system behaves as if no update window is specified.
  3. Save your changes.

Example

The following example sets the auto-update period to start at 4:30 pm and end at 8:00 am the following morning:

<key>updatePolicies</key>
<dict>
 <key>global</key>
 <dict>
   <key>UpdateDefault</key>
   <integer>0</integer>
    <key>UpdatesSuppressedStartHour</key>
    <integer>16</integer>
    <key>UpdatesSuppressedStartMin</key>
    <integer>30</integer>
    <key>UpdatesSuppressedDurationMin</key>
    <integer>960</integer>
  </dict>
Set app-specific policies

Applies for all applications managed by Google Software Update.

Every Google app has a unique identifier (app id), that you use to define app specific policy settings. These settings will override any global update settings. To configure update policies for an app, you must know the app id.

  1. Find the app id for the application you want to manage:
    1. Open the applications folder on your computer.
    2. Right click on the Google application you want to configure.
    3. Select Show package contents.
    4. Open the contents folder.
    5. Open the info.plist file, and search for your app id. It will be in the form com.google.productname. For example, the app id for Drive File Stream is com.google.drivefs.
  2. Open the com.google.Keystone.plist file in your preferred XML editor.
  3. Under the updatePolicies key, add an app specific UpdateDefault key entry for each app you want to update. The following example shows settings for Drive File Stream (com.google.drivefs).
        
        <key>com.google.drivefs</key>
        <dict>
           <key>UpdateDefault</key>
               <integer>2</integer>
        </dict>
    
  4. Set the UpdateDefault key to the update policy setting you want.
  5. (Optional) To pin an application to a single version, specify the targeted version using the TargetVersionPrefix key. This stops your devices from updating to versions of the app beyond the number you specify.
  6. Save your changes.
Pin Chrome Browser updates to a specific version

Applies for Chrome Browser updates only.

You can prevent Mac computers from updating beyond a specific version of Chrome Browser.

Caution: Pinning updates to a specific version of Chrome Browser should be done only temporarily, such as while testing a new version of Chrome Browser. Don't forget to unpin users' computers or they can fall behind on critical security updates and miss new features.

  1. Open the com.google.Keystone.plist file you created in your preferred editor.
  2. Under the updatePolicies key, add the Chrome Browser UpdateDefault and TargetVersionPrefix key entries. The following example shows settings for Chrome Browser (com.google.Chrome) that turns off auto-updates and pins the version to 62:
        
        <key>com.google.Chrome</key>
        <dict>
           <key>UpdateDefault</key>
               <integer>2</integer>
           <key>TargetVersionPrefix</key>
               <string>62.</string>
        </dict>
    
  3. Save your file

Step 4: Deploy your auto-update settings

Push auto-update policies to users' computers

After you’ve made your changes to the com.google.Keystone.plist file, use your preferred deployment tool to deploy the auto-update policies to your Mac computers.

There are many mobile device management (MDM) tools that you can use to deploy your configuration profiles (for example, Profile Manager, Jamf Pro, or AirWatch). The following approach is a guideline only; the exact steps depend on which MDM tool you use.

  1. Open your preferred MDM tool.
  2. Upload the com.google.Chrome.mobileconfig file you created to your MDM tool to create a new configuration profile to manage Chrome Browser policies. This profile contains all the preferences you want to manage.
  3. Deploy your auto-update profile to ensure that all your Mac devices have the same settings.

The com.google.keystone.mobileconfig sample file has settings to disable auto-updates and pin the Chrome Browser to version 62.

Key values and examples

Update policy settings
Setting Description
<integer>0</integer> Turns on auto-updates. Updates are always applied when detected by Google Software Update. This is the default value.
<integer>1</integer> Updates are installed only from the scheduled update checks. Manual update checks will not install updates.
<integer>2</integer> Turns off auto-updates. This stops Google Software Update automatically updating all users to the latest stable version of Chrome. Updates are only applied when the user manually checks for updates. For example, on the chrome://help page or by running the CheckForUpdatesNow.command utility.
<integer>3</integer> Updates are never applied.
Sample property list
  
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>updatePolicies</key>
        <dict>
          <key>global</key>
          <dict>
            <key>UpdateDefault</key>
            <integer>3</integer>
            <key>DownloadPreference</key>
            <string>cacheable</string>
          </dict>
          <key>com.google.Chrome</key>
          <dict>
            <key>UpdateDefault</key>
            <integer>2</integer>
            <key>TargetVersionPrefix</key>
            <string>62.</string>
          </dict>
	    <key>com.google.drivefs</key>
          <dict>
            <key>UpdateDefault</key>
            <integer>2</integer>
           </dict>
        </dict>
</dict>
</plist>
  
Was this article helpful?
How can we improve it?