Patch Google Chrome on macOS endpoints with user notifications, deferral, and optional forced shutdown
This Automox Worklet™ updates Google Chrome on macOS endpoints to the latest stable release. The Worklet reads CFBundleShortVersionString from /Applications/Google Chrome.app/Contents/Info.plist and compares it against the version returned by the Automox cache API at api.automox.com/api/cache, queried with the getLatestVersion command for the google_chrome_dmg package on the Mac universal architecture. If the versions differ, the endpoint is flagged for remediation.
The remediation script downloads googlechrome.dmg from dl.google.com/chrome/mac/universal/stable/GGRO/, mounts it with hdiutil, copies the new Chrome.app to /Applications/Google Chrome.new, and stages the swap. The active /Applications/Google Chrome.app is copied to /Applications/Google Chrome.bck before replacement, and the backup is restored automatically if the swap fails.
When Chrome is running, the Worklet calls the Automox Notifier helper at /Library/Application Support/Automox/Automox Notifier.app to display a native dialog asking the signed-in user to close Chrome. Each dialog times out after 180 seconds, and the Worklet reissues it at the configured notificationInterval (default one minute) until forcePatchOrTimeoutIn (default 20 minutes) elapses. If forcePatch is true, the Worklet then issues pkill against the Google Chrome process and applies the update. If forcePatch is false, the Worklet exits cleanly and tries again on the next policy run.
An optional disableAutoUpdateApp parameter neutralizes Google Software Update (Keystone), the updater bundled with Chrome, by removing the /Library/Google/GoogleSoftwareUpdate directory and replacing it with a root-owned empty file at mode 444. With a plain, unwritable file occupying that path the updater has no bundle to launch, so Chrome's built-in update channel stops working and Automox becomes the single source of truth for the Chrome version on the endpoint. The trade-off is that an endpoint which misses its Automox policy runs then receives no Chrome updates from any channel, so keep the policy schedule tight when this option is enabled.
Google ships a Chrome stable-channel security update roughly every two weeks, and several releases each year fix vulnerabilities in the renderer or V8 engine that are already being exploited in the wild. The update Chrome downloads in the background only takes effect after a full browser restart, and on a Mac that restart is rare: developers and knowledge workers leave Chrome running with dozens of tabs and a restored session for days at a time, so the version reported by chrome://version often lags the current stable release by weeks.
Run this Worklet across the macOS fleet to compare the on-disk Chrome version against the latest universal Chrome DMG published by Google, prompt the user through Automox Notifier when an open Chrome process is detected, and run the install once the user agrees or the configured deadline elapses. The forcePatch flag gives the security team an escape hatch when a release cannot wait, so a critical CVE moves from disclosure to fleet-wide remediation inside the same maintenance window.
Evaluation phase: The Worklet reads the installed version from /Applications/Google Chrome.app/Contents/Info.plist using defaults read CFBundleShortVersionString. It then calls the Automox cache API to get the latest stable Mac universal Chrome version. If the two strings do not match, the endpoint is flagged for remediation with exit 1. The script also compares the per-user Last Version file at ~/Library/Application Support/Google/Chrome/Last Version to detect a running session that is still on an older binary and needs a restart. If disableAutoUpdateApp is true, the evaluation also checks that /Library/Google/GoogleSoftwareUpdate is a root-owned 444 file and flags the endpoint if it is not.
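As an added example (not the Worklet's own code, which this page does not reproduce), the following Bash implements the evaluation-phase decisions described above: read CFBundleShortVersionString from the Info.plist, compare it against the latest version, and check the neutralized updater file the same way the validation step at the end of this page does. It assumes the caller supplies the latest version, because the request format for api.automox.com/api/cache is not shown here and no call to it is made; the version strings in the comments are constructed samples. It deliberately flags an endpoint only when the installed version is lower than the published one, since a plain string inequality would also flag an endpoint that is ahead of the cache and push a downgrade.

```bash
#!/bin/bash
# Added example, not the Automox Worklet's own code. Evaluation-phase logic for
# the Chrome version check on macOS. Assumption: the latest version is passed in
# by the caller (the Automox cache API request is not documented on this page).

# version_cmp A B: compare dotted numeric versions field by field, so that the
# constructed sample 123.0.6312.86 sorts below 123.0.6312.105 (a string compare
# gets this wrong). Prints -1, 0 or 1; missing trailing fields count as 0.
version_cmp() {
  local v1=$1 v2=$2 f1 f2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    f1=${v1%%.*}; f2=${v2%%.*}
    case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
    case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    if [ "${f1:-0}" -lt "${f2:-0}" ]; then printf '%s\n' -1; return; fi
    if [ "${f1:-0}" -gt "${f2:-0}" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# installed_chrome_version: the same plist read the Worklet performs.
installed_chrome_version() {
  /usr/bin/defaults read "/Applications/Google Chrome.app/Contents/Info.plist" \
    CFBundleShortVersionString 2>/dev/null
}

# evaluate_chrome INSTALLED LATEST: returns 0 = compliant, 1 = needs remediation
# (the Worklet's exit-1 convention), 2 = could not evaluate. Flags only when
# installed < latest, so a cache entry that lags the endpoint never triggers a
# downgrade.
evaluate_chrome() {
  local installed=$1 latest=$2
  if [ -z "$installed" ] || [ -z "$latest" ]; then return 2; fi
  if [ "$(version_cmp "$installed" "$latest")" -lt 0 ]; then return 1; fi
  return 0
}

# file_mode_owner PATH: prints "<octal mode> <uid> <gid>" using the BSD stat
# format the page's validation step uses on macOS, with a GNU stat fallback so
# the function can be exercised on other hosts.
file_mode_owner() {
  if [ "$(uname)" = Darwin ]; then stat -f '%A %u %g' "$1"; else stat -c '%a %u %g' "$1"; fi
}

# updater_neutralized PATH: true only when PATH is a regular file (not the
# original Keystone directory, not a symlink) owned by root:wheel, mode 444.
updater_neutralized() {
  [ -f "$1" ] && [ ! -L "$1" ] && [ "$(file_mode_owner "$1")" = "444 0 0" ]
}

# Stand-alone run on a Mac: LATEST_CHROME_VERSION must be supplied by the caller.
if [ "$(uname)" = Darwin ] && [ -n "$LATEST_CHROME_VERSION" ]; then
  evaluate_chrome "$(installed_chrome_version)" "$LATEST_CHROME_VERSION"
  case $? in
    0) echo "Compliant" ;;
    1) echo "Non-compliant: remediation required"; exit 1 ;;
    *) echo "Evaluation failed: missing version string"; exit 2 ;;
  esac
fi
```

Run it on a Mac as `LATEST_CHROME_VERSION=<version from the cache API> bash evaluate.sh`; an exit status of 1 means the endpoint should be remediated, matching the Worklet's convention, and `updater_neutralized /Library/Google/GoogleSoftwareUpdate` gives the disableAutoUpdateApp compliance check as a single true/false.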
Remediation phase: The script downloads googlechrome.dmg via curl to /var/tmp/googlechrome.dmg, mounts it at $(pwd)/mnt with hdiutil attach, and copies Google Chrome.app from the mounted volume into /Applications/Google Chrome.new. If pgrep reports a running Google Chrome process, the Worklet calls launchctl asuser to launch Automox Notifier with the notificationMessage prompt and the Patch and Cancel actions. The user can defer up to forcePatchOrTimeoutIn minutes. On accept, on timeout with forcePatch=true, or when Chrome is not running, the Worklet copies the live app to /Applications/Google Chrome.bck and swaps the new build into /Applications/Google Chrome.app. The Worklet then relaunches Chrome under the console user with su -l "${consoleUser}" -c "open". An EXIT trap runs the workletCleanup function, which detaches the DMG and removes the .new and .bck folders on success, or restores the .bck folder if the swap failed.
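The following Bash is an added example of the remediation control flow, not the Worklet's own script: the deferral loop driven by forcePatch, forcePatchOrTimeoutIn and notificationInterval, the swap with a backup, and an EXIT trap that either clears the staging folders or rolls back. Paths, the download URL, the pkill target and the su -l relaunch follow the description above; notify_user is a hook that must be replaced with the Automox Notifier invocation, whose command line is not documented on this page, and the console-user lookup with stat -f %Su /dev/console is a standard macOS idiom assumed here. One deliberate deviation is noted in the comments: the backup is made with a rename rather than a copy.

```bash
#!/bin/bash
# Added example, not the Automox Worklet's own code. Remediation flow for the
# Chrome swap on macOS: wait for the user or the deadline, swap the staged
# bundle in with a backup, and clean up or roll back from an EXIT trap.
# Parameters are read from the environment using the Worklet's names and defaults.
LIVE="/Applications/Google Chrome.app"
NEW="/Applications/Google Chrome.new"
BCK="/Applications/Google Chrome.bck"
DMG_URL="https://dl.google.com/chrome/mac/universal/stable/GGRO/googlechrome.dmg"
DMG_PATH="/var/tmp/googlechrome.dmg"
MOUNT_POINT="$(pwd)/mnt"
SWAP_OK=0   # becomes 1 only once the new bundle is in place

chrome_is_running() { pgrep -x "Google Chrome" >/dev/null; }
terminate_chrome()  { pkill -x "Google Chrome"; sleep 3; }
# Hook (assumption): show the Automox Notifier dialog via launchctl asuser and
# return 0 if the user chose Patch, non-zero on Cancel or dialog timeout. The
# Notifier command line is not documented on the page, so this default defers.
notify_user() { return 1; }

# wait_or_force INTERVAL_S DEADLINE_S FORCE: re-prompt every INTERVAL_S seconds
# while Chrome runs. Returns 0 when the swap may proceed (Chrome closed, user
# accepted, or deadline reached with FORCE=true); returns 1 when the deadline
# passed with FORCE=false, the "exit cleanly, retry next policy run" path.
wait_or_force() {
  local interval=$1 deadline=$2 force=$3 start elapsed
  start=$(date +%s)
  while chrome_is_running; do
    if notify_user; then return 0; fi
    elapsed=$(( $(date +%s) - start ))
    if [ "$elapsed" -ge "$deadline" ]; then
      [ "$force" = true ] || return 1
      terminate_chrome
      return 0
    fi
    sleep "$interval"
  done
  return 0
}

# swap_app LIVE NEW BCK: rename the live bundle to the backup, then rename the
# staged bundle into place. The page describes the backup as a copy; two renames
# on the same volume give the same rollback point in milliseconds and without a
# second full copy of Chrome.app on disk.
swap_app() {
  local live=$1 new=$2 bck=$3
  rm -rf "$bck"
  mv "$live" "$bck" || return 1
  mv "$new" "$live" || return 1
  SWAP_OK=1
}

# finalize_swap OK LIVE NEW BCK: on success remove both staging folders; on
# failure put the backup back if the live bundle is gone, then drop the stage.
finalize_swap() {
  local ok=$1 live=$2 new=$3 bck=$4
  if [ "$ok" = 1 ]; then
    rm -rf "$new" "$bck"
  else
    if [ -d "$bck" ] && [ ! -d "$live" ]; then mv "$bck" "$live"; fi
    rm -rf "$new"
  fi
}

# EXIT trap: detach the DMG, remove the download, then finalize or roll back.
worklet_cleanup() {
  if [ -d "$MOUNT_POINT" ]; then hdiutil detach "$MOUNT_POINT" -quiet 2>/dev/null; fi
  rm -f "$DMG_PATH"
  finalize_swap "$SWAP_OK" "$LIVE" "$NEW" "$BCK"
}

main() {
  local force=${forcePatch:-false} user
  local deadline=$(( ${forcePatchOrTimeoutIn:-20} * 60 ))
  local interval=$(( ${notificationInterval:-1} * 60 ))
  trap worklet_cleanup EXIT
  curl -fsSL -o "$DMG_PATH" "$DMG_URL" || exit 1
  mkdir -p "$MOUNT_POINT"
  hdiutil attach "$DMG_PATH" -mountpoint "$MOUNT_POINT" -nobrowse -quiet || exit 1
  rm -rf "$NEW"
  cp -R "$MOUNT_POINT/Google Chrome.app" "$NEW" || exit 1
  wait_or_force "$interval" "$deadline" "$force" || exit 0   # deferred past deadline; retry next run
  swap_app "$LIVE" "$NEW" "$BCK" || exit 1
  user=$(stat -f '%Su' /dev/console)   # console user; assumed macOS idiom, not from the page
  su -l "$user" -c "open -a 'Google Chrome'"
}

# The real flow only runs on macOS; the functions above can be exercised anywhere.
if [ "$(uname)" = Darwin ]; then main; fi
```

Because the trap is installed before the download starts, every exit path (curl failure, a deferral that runs past forcePatchOrTimeoutIn with forcePatch=false, a failed rename) passes through worklet_cleanup, and the only state that survives a failed run is the original Google Chrome.app restored from the .bck rename.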
macOS 10.13 (High Sierra) or later, on either Intel or Apple Silicon (the Worklet downloads the universal Chrome DMG)
Google Chrome already installed at /Applications/Google Chrome.app; the Worklet does not perform first-time installs
Root context for the Automox agent (the default) so the script can write to /Applications and /Library/Google
Automox Notifier.app at /Library/Application Support/Automox/Automox Notifier.app, which ships with the Automox agent and renders the native dialog
Outbound HTTPS to dl.google.com (DMG download) and api.automox.com (version lookup); approximately 300 MB of free space for the DMG plus the staged Chrome.new and Chrome.bck folders
forcePatch (default false): set to true to terminate Chrome via pkill once the deferral window expires
forcePatchOrTimeoutIn (default 20): minutes the user has to accept the patch before timeout or force-patch logic runs
notificationInterval (default 1): minutes between repeated dialogs when the user defers
disableAutoUpdateApp (default false): set to true to disable Google’s in-OS updater so Automox owns Chrome version management
After a successful remediation, /Applications/Google Chrome.app contains the version reported by the Automox cache API, and the .new and .bck staging folders have been removed. The DMG at /var/tmp/googlechrome.dmg and the local mount at $(pwd)/mnt are detached and deleted by the EXIT trap. The Automox agent reports exit code 0 in the activity log, and the next evaluation run finds the endpoint compliant without scheduling another remediation.
If Chrome was running at the start of the run and the user accepted the patch, the Worklet relaunches Chrome under the console user with their existing profile. Bookmarks, extensions, signed-in identities, and saved sessions are preserved across the swap. If the user deferred past the timeout and forcePatch was false, the Worklet exits without applying the update. The endpoint stays flagged as non-compliant, and the next scheduled policy run tries again.
Validate by running defaults read /Applications/Google\ Chrome.app/Contents/Info.plist CFBundleShortVersionString from Terminal, or by opening Chrome and visiting chrome://settings/help. The string should match the latest stable release on the Chrome Releases blog. If disableAutoUpdateApp was set to true, verify that /Library/Google/GoogleSoftwareUpdate is a regular file rather than a directory, then confirm that stat -f "%A %u %g" /Library/Google/GoogleSoftwareUpdate returns 444 0 0 (mode 444, owned by uid 0 and gid 0, that is root:wheel). That output confirms the built-in updater is neutralized and Automox is now the single update channel for Chrome.
Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.