7

I am deploying Chrome through group policy. This is working fine.

Obviously Chrome has a pretty regular update cycle. I am not allowing Domain Users to install Chrome updates.

Having subscribed to the release blog, and downloaded/tested a new release MSI, what is the "correct" way to deploy a Chrome MSI?

For example: do I use the built in Group Policy MSI update feature? Do I overwrite the MSI file with a new one? Do I delete the policy and make a new one, linked to the newer MSI? Or do I allow Domain Users to perform Chrome updates automatically?

P.S. As a humorous aside, if this question gets down-voted, closed or voted to be closed as non-constructive, I will probably kill myself. You will have blood on your hands.

George
  • 383
  • 1
  • 5
  • 17
  • 1
    +1 for the postscript – Ryan Ries Mar 21 '13 at 14:07
  • 3
    Haha, thanks. I get very frustrated at the amount of legitimate questions (some of my own), across the Stack Exchange community get over-moderated. Since I first started using SO a few years ago, things have really gone downhill, imo of course. – George Mar 21 '13 at 14:09
  • 1
    `pretty regular update cycle` hmm. quite. The reason we don't use it here. – tombull89 Mar 21 '13 at 14:18
  • 1
    @tombull89 Unlike, say, Flash, Reader, Java or Windows? :) – jscott Mar 21 '13 at 14:32
  • @tombull89 Haha, true, however the reason we are seeking to automate deployment of Chrome in the first place, is because Adobe seem to churn out a new Flash update every day, and in doing so, Chrome blocks running of Flash enabled websites completely. As much as I hate Flash powered sites, we have to use them. Yay for user experience, Google/Adobe.. -.- – George Mar 21 '13 at 14:34
  • 1
    @George The Google Update Service will update Chrome and its bundled version Flash Player. It will not affect the ActiveX/Plugin(Mozilla) versions of Flash Player. – jscott Mar 21 '13 at 14:48
  • @jscott right, thanks for pointing that out. That seems to contradict with the original question here: http://serverfault.com/questions/485198/chrome-flash-updates-in-a-domain-environment?lq=1 Now I'm not sure the best way to tackle this! I guess, to manage MSI deployment of both Chrome and the ActiveX Flash plugin? – George Mar 21 '13 at 14:51
  • 1
    @George No, the other answer (well, comment) states: `Chrome bundles its own version of Flash Player (on Windows) and so you're stuck with it` That's correct. The Chrome-bundled Flash is not tied to [and does not update] the IE/Firefox Flash plugins – jscott Mar 21 '13 at 14:58
  • OK thank you. I perhaps misinterpreted your original comment. So I need one or the other version (and not both)? – George Mar 21 '13 at 15:33
  • 1
    In terms of Chrome updates, Google bundle an _ADM_ file with their enterprise version of Chrome. This allows you to control Chrome's behaviour by policy, including the disabling of *all* updates in terms of extensions, chrome, flash etc. – Snellgrove Apr 03 '13 at 16:58
  • @Snellgrove - yeah I know, this is all set up and configured. thanks for pointing this out though. – George Apr 03 '13 at 17:00
  • Just so you know Chrome for Business auto updates using a system account on the computer, ie even for locked down computers. https://support.google.com/chrome/a/answer/188447?hl=en – Molotch Feb 15 '14 at 19:04

2 Answers2

3

You ultimately need to check whether Chrome can be updated or not - suggest making a policy in a test OU with a machine in it.

If it can be updated, you could add a new MSI to the same GPO each time, and let it roll it out.

By unticking the 'Uninstall this application when it falls out of the scope of management' option, you can remove old MSIs from the GPO without it trying to perform an uninstall at the clients, when they next update their policies.

I know I've not been completely specific with this program, but I hope this helps anyway. With feedback, the answer can probably be made more specific to Chrome, but their enterprise MSI is not special as such, it is just an MSI!

EDIT / ANSWER / SOLUTION:

Just to sum up the answer to this question (based on the further discussion in the comments below).

  • Create a GPO for handling Chrome (solely is a good idea for organisation)
  • Each time a Chrome update is released, add the MSI as a new assigned entry in the Software Installation section of the GPO.
  • Be sure to disable the "Uninstall software when it goes out of scope" option
  • Since a GPO is applied in an old->new order, you can safely delete the software assignments for old Chrome versions, just keeping the latest version and one or two prior to this.

Credit to Snellgrove.

George
  • 383
  • 1
  • 5
  • 17
Snellgrove
  • 712
  • 4
  • 14
  • Thank you for posting, this is helpful. I have noticed that by adding a new MSI, Chrome does seem to update itself. My concern is however that within a few months, I would end up with a load of redundant old MSIs. Your 3rd paragraph is particularly helpful - knowing this I know I can now just overwrite the MSI with a new version, provided that tick box is unchecked. Thank you. – George Apr 03 '13 at 12:48
  • 3
    Well, to clarify further, it's not that you overwrite it, you just add the next MSI to the same GPO. So when a new PC joins the domain and is affected by this policy, it'll go through the policy, installing the MSI files, in order. There's a priority to the MSI's (oldest first, basically). The thing you'll probably want to do, is just remove the old MSI files so only the previous (in case of rollback being required) and latest, is left within the GPO. HTH! – Snellgrove Apr 03 '13 at 12:53
  • Ooh right, well this is what I've been doing. So can I just clarify: One GPO; multiple MSI assignments (each version); delete the oldest MSI files, leaving only the latest two? – George Apr 03 '13 at 15:26
  • That's it, procedure wise. It's of course up to you if you leave a previous version or not, or maybe more! it's just for making things easier if you need to roll back a version. Alternatively, keep all your MSI's in a folder somewhere (_I'm assuming you've got a binaries & downloads dump like most people!_) ready to attach to a GPO. – Snellgrove Apr 03 '13 at 16:54
  • Thanks, that's great. I have accepted and edited your answer to include a summary of the discussion here. It's pending peer review but I'm sure it will be a good move in the interest of completion. Thanks for all of your time. – George Apr 03 '13 at 17:05
0

I know that if you use a third-party GP management suite (like PolicyPak) you can push out MSI's as updates/upgrades to existing installs easily. It runs the MSI as an update, rather than as a full install. It's how the place I worked at last spring/summer managed updates and such.

acolyte
  • 417
  • 2
  • 13