Download and Install Google Chrome

What the Chrome deployment Worklet does

This Automox Worklet™ deploys Google Chrome to macOS endpoints by pulling the universal DMG installer straight from Google's distribution servers. The Worklet uses curl to fetch https://dl.google.com/chrome/mac/universal/stable/GGRO/googlechrome.dmg into /tmp/googlechrome.dmg, attaches the disk image silently with hdiutil, copies Google Chrome.app into /Applications, and then detaches the volume and removes the temporary DMG.

The remediation phase is idempotent. Before downloading anything, the script tests for /Applications/Google Chrome.app and exits early if the bundle is already present. That makes the policy safe to schedule on a recurring cadence: endpoints that already have Chrome skip the network transfer, and endpoints that have lost the bundle are restored on the next evaluation.

Because Google ships a single universal binary, the same DMG covers Intel-based Macs and Apple Silicon (M1, M2, M3, M4) endpoints. Chrome runs natively on each architecture without Rosetta 2 translation. The evaluation script returns exit code 1 unconditionally, which forwards every policy run into remediation. That design supports both initial fleet deployment and self-healing re-installs when an end user drags Chrome to the Trash.

Why deploy Chrome from dl.google.com at fleet scale

Google Chrome is the workhorse browser for most enterprise Mac fleets, and it ships a new stable channel build roughly every four weeks with security fixes for actively exploited zero-day issues. Endpoints that arrive on the fleet without Chrome, or that lose Chrome after a user-initiated uninstall, fall behind that release cadence the moment the gap opens. Sourcing the installer directly from dl.google.com avoids stale internal mirrors and removes the maintenance overhead of repackaging a DMG every time Google ships a new build.

Manual installs against a Mac fleet rarely keep pace with Chrome's stable-channel cadence, and stale installer mirrors leave endpoints multiple zero-day patches behind. Targeting this Worklet at your macOS device group converts Chrome from a per-laptop install task into a fleet-wide baseline: every targeted Mac that lacks Google Chrome.app in /Applications receives the current DMG from dl.google.com on the next agent check-in, whether the user is in office or remote.

How the Chrome deployment runs

1. Evaluation phase: evaluation.sh exits with code 1 every time it runs. The Worklet treats every policy execution as a candidate for remediation, which lets a single scheduled policy serve two jobs at once: deploying Chrome to new endpoints on their first check-in, and re-deploying Chrome on endpoints where the application bundle has been removed. If you only need a one-shot rollout, schedule the policy once and disable it after the fleet shows compliant.

2. Remediation phase: remediation.sh sets five path variables (chromeURL, chromeDL at /tmp/googlechrome.dmg, chromeLoc at /Applications/Google Chrome.app, chromeVol at /Volumes/Google Chrome, and chromeDMG at /Volumes/Google Chrome/Google Chrome.app) and tests whether chromeLoc already exists. If Chrome is missing, the script runs curl against the universal DMG URL, attaches the image with yes | hdiutil attach -noverify -nobrowse, copies Google Chrome.app from the mounted volume to /Applications with cp -Rf, detaches the volume with hdiutil detach, and deletes the DMG with rm -rf. A final directory check logs either Google Chrome installed or Google Chrome failed to install in the Automox activity output.

Chrome deployment requirements

• macOS Big Sur (11), Monterey (12), Ventura (13), Sonoma (14), or Sequoia (15) on an Intel or Apple Silicon endpoint

• Outbound HTTPS from the endpoint to dl.google.com (the Automox agent runs as root, so no proxy credential prompt should appear)

• Write access to /Applications and /tmp on the local volume (default macOS permissions for the root user)

• Roughly 500 MB of free space for the DMG download and the expanded Google Chrome.app bundle

• No code-signing or notarization overrides required; Google ships the DMG signed under its Developer ID, and Gatekeeper accepts it without additional policy

Expected state after Chrome deployment

After a successful remediation, /Applications/Google Chrome.app exists on the endpoint with the standard Google Chrome bundle structure, the /tmp/googlechrome.dmg download has been removed, and the /Volumes/Google Chrome image is no longer attached. The Automox activity log records the curl download, the hdiutil attach and detach calls, and a final Google Chrome installed message. End users see Chrome in Launchpad and in Spotlight on their next login.

Validate the rollout on a pilot endpoint by running ls /Applications/Google Chrome.app and confirming the bundle exists, then read the embedded version with /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --version or with defaults read /Applications/Google\ Chrome.app/Contents/Info CFBundleShortVersionString. A subsequent Automox policy run should report the endpoint as compliant and skip the download, because the evaluation phase still forces remediation, but the remediation phase short-circuits on the existing bundle and logs Google Chrome is already installed. Skipping installation.