Effortless Browser Management: Enabling Auto Updates for Google Chrome on macOS with Intune


In today’s dynamic digital landscape, staying ahead with up-to-date software is vital for security and optimal performance.

For organizations relying on Google Chrome, an efficient and automated update process is a must.

This guide takes you through forcing auto-updates for Google Chrome on macOS using Microsoft Intune, your favorite MDM solution. Elevate your security measures effortlessly by automating Chrome updates.

Build your .mobileconfig file

A .mobileconfig file is typically distributed and installed to enforce settings and policies, such as Wi-Fi configurations, email accounts, security settings, VPN configurations, and more.

We’ll use one to configure the Chrome app. To build one, I suggest you have a look at Google’s support page on configuring Google applications.

Here I share the payload to auto-update every installed Google application. Note that, according to the documentation, you can target a specific app in the payload and take a different approach for each app.

Here is my payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadUUID</key>
			<string>32B84802-AE6D-4E2E-9939-6976933C687D</string>
			<key>PayloadType</key>
			<string>com.google.Keystone</string>
			<key>PayloadOrganization</key>
			<string>PoemToMDM</string>
			<key>PayloadIdentifier</key>
			<string>77C4D3F1-1B43-43BA-ABF7-379A940161CD</string>
			<key>PayloadDisplayName</key>
			<string>Google services auto updates</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>PayloadDescription</key>
			<string>Payload to enable auto update for Google services</string>
			<key>updatePolicies</key>
			<dict>
				<key>global</key>
				<dict>
					<key>UpdateDefault</key>
					<integer>0</integer>
				</dict>
			</dict>
		</dict>
	</array>
</dict>
</plist>

Tip: Generate a UUID by running "uuidgen" from Terminal.

The most important setting is the UpdateDefault value.

You can set the value from 0 to 3:
0 is automatic update
1 is for installing updates ONLY with scheduled check
2 is for installing manually by the user
3 is for never installing updates.

Save the payload in a .mobileconfig file.

Create the Intune Configuration Profile

Using Intune, create a custom configuration profile: Configuration Profiles > Create > Custom > Import your .mobileconfig file

The "Custom configuration profile name" value will appear locally in the device's profiles.

Assign the profile to users or devices. You’ll see the results in the reporting of your devices.

End-User Experience

Let’s have a look at the profiles locally:

What about the Chrome application? An update has been automatically downloaded and is ready to be installed when the app is relaunched.

What happens when I change the value from 0 to 3? No updates!

An error occurs. According to Google’s article, this is indeed because my administrator prevented me from updating my application.

Bonus: Having specific update policies for specific Google applications

Everything happens in the payload. Configure it to add a specific application, such as Google Drive or Google Chrome, for example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadUUID</key>
			<string>32B84802-AE6D-4E2E-9939-6976933C687D</string>
			<key>PayloadType</key>
			<string>com.google.Keystone</string>
			<key>PayloadOrganization</key>
			<string>PoemToMDM</string>
			<key>PayloadIdentifier</key>
			<string>77C4D3F1-1B43-43BA-ABF7-379A940161CD</string>
			<key>PayloadDisplayName</key>
			<string>Google services auto updates</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>PayloadDescription</key>
			<string>Payload to enable auto update for Google services</string>
			<key>updatePolicies</key>
			<dict>
				<key>com.google.Chrome</key>
				<dict>
					<key>UpdateDefault</key>
					<integer>3</integer>
				</dict>
				<key>com.google.GoogleDrive</key>
				<dict>
					<key>UpdateDefault</key>
					<integer>0</integer>
				</dict>
				<key>global</key>
				<dict>
					<key>UpdateDefault</key>
					<integer>0</integer>
				</dict>
			</dict>
		</dict>
	</array>
</dict>
</plist>

Even though global is configured to auto-update, I have specifically said that Chrome must not be updated.
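A pre-upload check for the payloads above, as an added example that is not part of the original post: it parses a .mobileconfig, resolves the UpdateDefault that applies to each application (app-specific entry first, then global), and lists the applications that will not update on their own. The sample profile is constructed from the bonus payload, and `com.google.ExampleApp` is a hypothetical bundle ID used to show the fallback to global.

```python
import plistlib

# UpdateDefault meanings as listed in this article.
MEANING = {0: "automatic update", 1: "updates only with scheduled check",
           2: "manual install by the user", 3: "never update"}

def effective_policies(profile_bytes, bundle_ids):
    """Map each bundle ID to the UpdateDefault that applies to it."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.google.Keystone"]
    if len(payloads) != 1:
        raise ValueError("expected exactly one com.google.Keystone payload")
    policies = payloads[0].get("updatePolicies", {})
    fallback = policies.get("global", {}).get("UpdateDefault")
    result = {}
    for bundle_id in bundle_ids:
        # An app-specific entry wins over "global", as the Chrome example shows.
        # Assumption: an app entry without UpdateDefault inherits the global one.
        value = policies.get(bundle_id, {}).get("UpdateDefault", fallback)
        # bool is a subclass of int, so reject <true/> and <false/> explicitly.
        if value is not None and (isinstance(value, bool)
                                  or not isinstance(value, int)
                                  or value not in MEANING):
            raise ValueError(f"{bundle_id}: invalid UpdateDefault {value!r}")
        result[bundle_id] = value
    return result

def not_self_updating(effective):
    """Bundle IDs whose policy is 2 (manual) or 3 (never)."""
    return sorted(b for b, v in effective.items() if v in (2, 3))

# Constructed sample: the updatePolicies of the bonus payload, serialized as XML.
SAMPLE = plistlib.dumps({"PayloadContent": [{
    "PayloadType": "com.google.Keystone",
    "updatePolicies": {
        "com.google.Chrome": {"UpdateDefault": 3},
        "com.google.GoogleDrive": {"UpdateDefault": 0},
        "global": {"UpdateDefault": 0},
    }}]})

if __name__ == "__main__":
    apps = ["com.google.Chrome", "com.google.GoogleDrive", "com.google.ExampleApp"]
    effective = effective_policies(SAMPLE, apps)
    for bundle_id, value in effective.items():
        print(bundle_id, value, MEANING.get(value, "no managed policy"))
    print("Will not update on their own:", not_self_updating(effective))
```

To check a real profile, pass the bytes of your saved .mobileconfig file instead of `SAMPLE`.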

Conclusion

Enabling auto-updates for Google Chrome on macOS using Microsoft Intune is a strategic move toward maintaining a secure and efficient computing environment. By centralizing the control of Chrome update policies, organizations can ensure that their devices are consistently running the latest and most secure browser version.

Also, I recommend exploring Google’s documentation for insightful guidance on optimizing network bandwidth or perfecting rollback operations. Your Mac, your rules! And with Intune, your rules are your own 🙂
