macOS Chrome Patching with Notifications

What the Chrome Notification Patcher does

This Automox Worklet™ updates Google Chrome on macOS endpoints by comparing the installed version to the latest stable release and deploying updates when needed. The Worklet downloads the latest Chrome DMG file from Google's stable release channel, mounts the disk image, and replaces the current Chrome application with the updated version.

The Worklet integrates native macOS notification dialogs to inform users about available updates and provide deferral options. Users can defer the patch multiple times before the Worklet either times out or forces the update, depending on the forcePatch setting. This balance between automation and user control reduces disruption while maintaining Chrome currency.

dmg".

The Worklet can also manage Google's built-in GoogleChromeSoftwareUpdate app, optionally disabling it to let Automox handle all Chrome updates centrally. This prevents conflicting update mechanisms and maintains consistent patch deployment across your fleet.

Why deploy Chrome updates through Automox

Chrome updates contain critical security patches for zero-day vulnerabilities that attackers actively exploit in the wild. When Chrome endpoints fall behind on updates, they remain vulnerable to known exploits that attackers can deliver through malicious websites, phishing emails, or compromised advertising networks. These vulnerabilities give attackers code execution capabilities, credential theft, and data exfiltration opportunities.

Users frequently ignore Chrome's built-in update prompts or postpone updates indefinitely because they do not want to close browser tabs or interrupt their workflows. This user behavior creates security gaps where known vulnerabilities persist for weeks or months after patches become available. IT teams need the ability to force Chrome updates on specific timelines regardless of user preferences.

Enterprise environments require visibility and control over software updates to maintain security baselines, satisfy compliance requirements, and coordinate patching schedules. Chrome's automatic update mechanism provides no central reporting, no audit trail, and limited control over timing. Organizations need patch management integration that Chrome's native updater does not provide.

Zero-day vulnerabilities in Chrome appear regularly and receive immediate attention from attackers because of Chrome's ubiquity and role in accessing sensitive web applications. When Google releases emergency patches for actively exploited vulnerabilities, you need the ability to deploy those patches immediately across your fleet rather than waiting for users to notice and accept update prompts.

How Chrome update deployment works

1. Evaluation phase: The Worklet queries the Automox cache API to fetch the latest Chrome version number for macOS, compares it against the installed version in /Applications/Google Chrome.app, and checks whether Chrome is currently running on the endpoint. If the versions match, no patch is needed. If versions differ or Chrome is running an old version, the Worklet flags the endpoint for remediation.

2. Remediation phase: The Worklet downloads the latest Chrome DMG from Google's stable release server, mounts the disk image, and copies the new Chrome.app to a temporary location. If Chrome is running, the Worklet displays a native macOS notification dialog asking the user to shut down Chrome and allow the patch. The user can defer this notification repeatedly based on the deferral interval setting (default one minute). After the timeout period (default 20 minutes), if forcePatch is enabled, the Worklet forcibly stops Chrome and applies the update. The Worklet backs up the existing Chrome.app before replacement and restores the backup if the update fails. After successful patching, the Worklet relaunches Chrome automatically if it was running before the patch.

Chrome update requirements

• macOS 10.13 (High Sierra) or later

• Google Chrome installed in /Applications/Google Chrome.app

• Root or sudo privileges to modify /Applications and /Library directories

• Internet connectivity to download the Chrome DMG from dl.google.com

• Automox Notifier.app installed for macOS notification display (included in Automox agent)

• Sufficient disk space for DMG download and temporary Chrome.app storage (approximately 300 MB)

• Optional: Set disableAutoUpdateApp to true if you want Automox to completely replace Google's built-in update mechanism

Expected Chrome patching state

Chrome downloads and installs the latest available version from Google's update servers. The application updates to the current stable release, which includes all security patches, bug fixes, and feature updates released since the previous version. The update completes without requiring a system reboot.

Users see a macOS notification informing them that Chrome has been updated and requesting that they restart the browser to complete the update. The notification includes your organization's name and explains that the update addresses security vulnerabilities. Users can continue working but should restart Chrome at their next convenient break.

When users restart Chrome, the new version activates and displays the 'What's New' page or silently continues their previous session depending on Chrome's settings. All extensions, bookmarks, saved passwords, and browsing history remain intact. The update process preserves user data and preferences.

You can verify the Chrome version by checking Chrome > About Google Chrome or running '/Applications/Google Chrome.app/Contents/macOS/Google Chrome --version' from the terminal. The version number matches the latest stable release listed on Google's Chrome release blog, confirming successful patching.

How to validate macos chrome patching with notifications changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for macos chrome patching with notifications.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as function, rm, return.

4. Validate remediation effects from script operations such as exec, trap, function, then rerun evaluation for compliance.