As a Mac administrator, you can use Google Software Update to manage Chrome browser and Chrome apps updates on your users' Mac computers. There are two types of Google Software Update policies:
- Global policies apply to all Google apps installed on a device.
- App specific policies apply only to a specific app and override global policies.
You can set values for both types of policies in the Google Software Update configuration file (com.google.Keystone.plist), and then create a configuration profile that you deploy to all devices in your organization.
Step 1: Create a policy settings file
- Create a new property list (.plist) file in your preferred editor.
To create and edit .plist files, Google recommends you use an editor such as Xcode that formats the XML code for you. - Add global policy keys to your file, as follows:
<key>updatePolicies</key>
<dict>
<key>global</key>
<dict>
</dict>
</dict> - Save your file as
com.google.Keystone.plist. - If you use a Mobile Device Management (MDM) system, such as Jamf or AirWatch, upload the .plist file into your MDM system. If you do not use a MDM, save the file in /Library/Managed Preferences/.
Step 2: Configure updates
Applies for Chrome browser and all applications managed by Google Software Update.
We recommend that you keep auto-updates turned on so your users receive critical security fixes and new features as they become available.
- Open the
com.google.Keystone.plistfile in your preferred XML editor. - Under the
updatePolicieskey, add the Chrome browserUpdateDefaultkey entry, and set the key value to 0. The following example shows settings for Chrome browser (com.google.Chrome) that turns on auto-updates:
<key>updatePolicies</key>
<dict>
<key>global</key>
<dict>
<key>UpdateDefault</key>
<integer>0</integer>
</dict>
</dict> - Save your changes.
The table below shows all valid settings for the UpdateDefault key.
Applies for Chrome browser and all applications managed by Google Software Update.
Chrome browser automatically updates with feature and security updates to ensure that your users don't fall behind on critical security updates or miss out on new features.
If you need to stop Chrome browser updates, you can turn off automatic updates and prevent users from manually updating the browser themselves.
Important: We do not recommend turning off browser updates. Doing so prevents software fixes and security patches from being applied to Chrome browser. You are also at risk of crashes and security vulnerabilities. If you must turn off updates, make sure you have a process to ensure timely updates throughout your network. Better yet, include a plan to re-enable updates as soon as possible.
- Open the
com.google.Keystone.plistfile in your preferred XML editor. - Under the
updatePolicieskey, add the Chrome browserUpdateDefaultkey entry, and set the key value to 2. The following example shows settings for Chrome browser (com.google.Chrome) that turns off scheduled auto-updates and prevents users from manually installing updates using chrome://settings/help:
<key>updatePolicies</key>
<dict>
<key>global</key>
<dict>
<key>UpdateDefault</key>
<integer>3</integer>
</dict>
</dict> - Save your changes.
The table below shows all valid settings for the UpdateDefault key.
Applies only to Chrome browser components.
Even if you turn off updates for Chrome browser, browser components won’t automatically stop updating, including Widevine DRM and the Chrome updater recovery component.
To stop Chrome browser components from updating:
- In a custom property list (.plist) file, disable the ComponentUpdatesEnabled Chrome policy. The following example shows how to turn off component updates:
<key>global</key>
<dict>
<key>ComponentUpdatesEnabled</key>
<boolean>false</boolean>
<dict> - Using your preferred deployment tool, deploy the policy to your Mac computers.
Note:
- This policy does not apply to all components. For a full list of exempted components, see ComponentUpdatesEnabled.
- For more information on how to configure Chrome policies on Mac computers, see Policy Templates.
Step 3: Customize updates
Applies for Chrome browser and all applications managed by Google Software Update.
To prevent auto-updates from occurring during certain time periods, such as peak work hours, you can set a time period for each day when auto-updates are performed.
Note: The times you specify are local machine times.
- Open the
com.google.Keystone.plistin your preferred XML editor. - Add the following nested keys to the updatePolicies global key:
Setting Description UpdatesSuppressedStartHourThe time, in 24-hour clock format, that auto-updates start. Use a value between 0 (midnight) and 23. UpdatesSuppressedStartMinThe minute, within the starting hour, that auto-updates start. Use a value between 0 and 59. UpdatesSuppressedDurationMinThe length of time, in minutes, that auto-updates can be made. If you set this value to 0, the system behaves as if no update window is specified. - Save your changes.
Example
The following example sets the auto-update period to start at 4:30 pm and end at 8:00 am the following morning:
<key>updatePolicies</key>
<dict>
<key>global</key>
<dict>
<key>UpdatesSuppressedStartHour</key>
<integer>16</integer>
<key>UpdatesSuppressedStartMin</key>
<integer>30</integer>
<key>UpdatesSuppressedDurationMin</key>
<integer>960</integer>
</dict>
</dict>
Applies for all applications managed by Google Software Update.
Every Google app has a unique identifier (app id), that you use to define app specific policy settings. These settings will override any global update settings. To configure update policies for an app, you must know the app id.
- Find the app id for the application you want to manage:
- Open the applications folder on your computer.
- Right click on the Google application you want to configure.
- Select Show package contents.
- Open the contents folder.
- Open the info.plist file, and search for your app id. It will be in the form
com.google.productname. For example, the app id for Drive File Stream iscom.google.drivefs.
- Open the
com.google.Keystone.plistfile in your preferred XML editor. - Under the
updatePolicieskey, add an app specificUpdateDefaultkey entry for each app you want to update. The following example shows settings for Drive File Stream (com.google.drivefs).<key>com.google.drivefs</key> <dict> <key>UpdateDefault</key> <integer>2</integer> </dict> - Set the
UpdateDefaultkey to the update policy setting you want. - (Optional) To pin an application to a single version, specify the targeted version using the
TargetVersionPrefixkey. This stops your devices from updating to versions of the app beyond the number you specify. - Save your changes.
Applies for Chrome browser updates only.
You can specify the Chrome browser version (major milestone or specific full version) that you want Mac computers to update to. Google gradually updates computers on the Stable channel to new versions of Chrome browser over a few weeks. Sometimes, updates might take longer.
- Specify the major milestone using the xx. syntax—Computers continue to receive security updates for as long as the milestone that you specified is the major version on the Stable channel. Chrome browser updates to the latest minor release after rollout reaches 100%. This can take a few weeks.
- Specify the full version using the xx.xx.xx.xx syntax—Computers update to the exact version that you specify as soon as it's available.
In general, we recommend that you use the major milestone syntax, xx., to make sure that devices remain on the latest version for that milestone. However, sometimes you might need to specify a certain version using the full version syntax, xx.xx.xx.xx. For example, you might need to deploy a critical security fix and the Google Software Update ramp rate does not meet business needs. Or, a specific version has been certified based on your organization's internal testing.
Sometimes, minor versions don't reach 100% rollout due to a bug or security fix that requires a new minor version. If you use full version syntax, xx.xx.xx.xx, you're at risk of deploying a version that is not the most recent or has known bugs.
Caution: Pinning updates to a specific version of Chrome browser should be done only temporarily, such as while testing a new version of Chrome browser. Don't forget to unpin users' computers or they can fall behind on critical security updates and miss new features.
- Open the
com.google.Keystone.plistfile you created in your preferred editor. - Under the
updatePolicieskey, add the Chrome browserUpdateDefaultandTargetVersionPrefixkey entries. The following example shows settings for Chrome browser (com.google.Chrome) that pins the version to 89:<key>com.google.Chrome</key> <dict> <key>TargetVersionPrefix</key> <string>89.</string> </dict> - Save your file
Applies only to Chrome browser updates. Use this policy at your own risk.
To make sure that users are protected by the latest security updates, we recommend that they use the latest version of Chrome browser. Use the RollbackToTargetVersion key with TargetVersionPrefix to temporarily roll back to a specific version of Chrome browser on Mac computers. By running earlier versions of Chrome browser, you will expose your users to known security issues.
Chrome browser stores a snapshot of user information locally on devices after each major version update. By default, the three most recent snapshots are retained. You can specify how many snapshots you want to keep on users’ devices. For details, read Keep data during version rollback.
Note: You can only use this policy to roll back to the three latest major releases of Chrome browser.
- Open the
com.google.Keystone.plistfile you created in your preferred editor. - Under the
updatePolicieskey, add the Chrome browserUpdateDefault,TargetVersionPrefix, andRollbackToTargetVersionkey entries. - Save your file.
Example
The following example shows settings for Chrome browser (com.google.Chrome) that rolls back the version to 89:
<key>com.google.Chrome</key>
<dict>
<key>TargetVersionPrefix</key>
<string>89.</string>
<key>RollbackToTargetVersion</key>
<true/>
</dict>
Applies only to Chrome browser updates.
Starting in Chrome version 90, Google Software Update lets you choose the Stable, Extended stable, Beta, or Dev Chrome browser channel. By default, Chrome follows updates on the Stable channel.
For information to help you decide which channel to have your users on, go to Chrome browser release channels.
Things to consider
For example:
<key>com.google.Chrome</key>
<dict>
<key>TargetChannel</key>
<string>stable</string>
<key>RollbackToTargetVersion</key>
<true/>
</dict
- Moving to a more stable channel— When you move a browser to a more stable channel, such as from Beta to Stable, the more stable channel is likely to have a lower version number.
For example, Stable is on version 90 when Beta is on version 91. By default, Google Software Update will not downgrade Chrome to a lower version when switching channels. Chrome stays on the old channel until the new channel is upgraded to a higher version. - Moving to an extended stable channel— When you move to an extended stable channel, we recommend you use the
RollbackToTargetVersionkey to let Chrome browser roll back to a previous version. Otherwise, Chrome browser might not get the latest security fixes.
For example, if you’re on Chrome version 95 and you switch from Stable channel to Extended stable channel, the browser no longer gets security fixes for Chrome version 95. Chrome only gets security fixes when you roll back to Chrome version 94—the previous extended stable version. - To switch Chrome to a channel with a lower version, set TargetChannel to your desired channel and instruct Chrome to rollback to your desired version. For details, see Roll back Chrome browser to a previous version above.
- Clearing the TargetChannel policy—Chrome continues to follow the last channel on which it received an update if the TargetChannel policy is cleared. For example, if TargetChannel is set to beta to move a collection of machines to the Beta channel, those machines continue to update on the Beta channel even if the TargetChannel policy is cleared. To move them back to the Stable channel, set the TargetChannel policy to stable. You can optionally clear the TargetChannel policy after all machines have received an update on the Stable channel.
How to
- Open the
com.google.Keystone.plistfile you created in your preferred editor. - Under the
updatePolicieskey andcom.google.Chromekey, add the Chrome browserTargetChannelkey entry. - Set the policy to
stable,extended,beta, ordev. Note: The default isstable. - Save your file.
The following example shows settings for Chrome browser (com.google.Chrome) that sets the release channel to Beta:
<key>com.google.Chrome</key>
<dict>
<key>TargetChannel</key>
<string>beta</string>
</dict>
If your organization has an intermediate proxy cache set up on its network, you can use it to cache Chrome Browser updates. The updates downloaded from Google can be cached on most web-caching proxy servers. Proxy caches reduce bandwidth and improve response times by caching and reusing frequently requested webpages.
However, many proxy cache default settings aren’t optimal for Chrome Browser updates. To make sure that your proxy cache software can cache Chrome Browser updates, experienced IT administrators can configure the following settings:
- Maximum file object size— Updates are downloaded as one file, so make sure that the maximum file object size is 100mb.
To cache updates, set the global DownloadPreference key to the cacheable. See the sample property list. - URL settings—If the server allows you to add settings for particular domains, give preference to dl.google.com/* and www.google.com/dl/*. This is where devices get Chrome Browser updates.
- Cache space—The total amount of space that the server can use to cache objects. If you have more than 30 GB of cache storage, you can increase the value to cache more objects.
Step 4: Deploy your auto-update settings
After you’ve made your changes to the com.google.Keystone.plist file, use your preferred deployment tool to deploy the auto-update policies to your Mac computers.
There are many mobile device management (MDM) tools that you can use to deploy your configuration profiles (for example, Profile Manager, Jamf Pro, or AirWatch). The following approach is a guideline only; the exact steps depend on which MDM tool you use.
- Open your preferred MDM tool.
- Upload the com.google.Chrome.mobileconfig file you created to your MDM tool to create a new configuration profile to manage Chrome browser policies. This profile contains all the preferences you want to manage.
- Deploy your auto-update profile to ensure that all your Mac devices have the same settings.
The com.google.keystone.mobileconfig sample file has settings to disable auto-updates and pin the Chrome browser to version 62.
Key values and examples
| Setting | Description |
|---|---|
<integer>0</integer> |
Turns on auto-updates. Updates are always applied when detected by Google Software Update. This is the default value. |
<integer>1</integer> |
Updates are installed only from the scheduled update checks. Manual update checks will not install updates. |
<integer>2</integer> |
Turns off auto-updates. This stops Google Software Update automatically updating all users to the latest stable version of Chrome. Updates are only applied when the user manually checks for updates. For example, on the chrome://help page or by running the CheckForUpdatesNow.command utility. |
<integer>3</integer> |
Updates are never applied. |
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>updatePolicies</key>
<dict>
<key>global</key>
<dict>
<key>UpdateDefault</key>
<integer>3</integer>
<key>DownloadPreference</key>
<string>cacheable</string>
</dict>
<key>com.google.Chrome</key>
<dict>
<key>UpdateDefault</key>
<integer>2</integer>
<key>TargetVersionPrefix</key>
<string>62.</string>
</dict>
<key>com.google.drivefs</key>
<dict>
<key>UpdateDefault</key>
<integer>2</integer>
</dict>
</dict>
</dict>
</plist>
Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.