KLSnRPA / omaha

Automatically exported from code.google.com/p/omaha
Apache License 2.0
0 stars 0 forks source link

Enable option to disable manual updates allow only scheduled #34

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Under Windows 7, logged in without local admin privileges, click
   the options icon, and "About Google Chrome".
2. After update is found by the browser, installation is executed as
   the current logged in user.
3. A system login window appears requiring credentials with elevated
   privileges to begin installation.

What is the expected result?
Opt.1
Browser executes, or leverages currently available local system service, or 
scheduled task created upon browser installation, to execute the update 
request. These currently leverage the local system account, and do not require 
additional elevated privileges.

Opt. 2
Additional Policy setting is added to the available supported policies found in 
policies to leverage this option.

Opt. 3
The manual update is only executed when user chooses too, and not without 
warning while viewing the about option.

What happens instead?
User must attempt logging in or cancelling, leading to multiple reports to IT 
Support staff for false break/fix requests.

What version of the product are you using? On what operating system?
Omaha version: 1.3.21.79
OS Version: 6.1 SP1 (Windows 7)
Chrome Version: 15.0.874.102

Please provide any additional information below.
I am unsure if this functionality would need to be supported by the Chrome 
Updater, or only possible through Chrome's GPO's. Please advise, or help shed 
some light on options if possible.

I am responsible for the Engineering of this product to 18,000+ corporate users 
before end of year, along with another 5,000-6,000 after the new year. So this 
functionality would certainly help make our technical supports lives allot 
easier.

Original issue reported on code.google.com by stlouist...@gmail.com on 28 Oct 2011 at 8:13

Attachments:

GoogleCodeExporter commented 8 years ago
We'd like to improve the Chrome self-update experience soon -- in the meantime, 
you can prevent Google Chrome from installing self-updates entirely, via group 
policies for Google Update.

http://www.google.com/support/installer/bin/answer.py?answer=146164 has a 
description of our GPOs, and an ADM template for download.  You can mark Chrome 
as not being allowed to update, and that should prevent the UAC prompt from 
ever appearing.

Let us know if this doesn't solve your issue :)

Original comment by ryanmyers@google.com on 28 Oct 2011 at 10:07

GoogleCodeExporter commented 8 years ago
Actually, I want to understand this a bit better.  The Google Update GPOs 
currently provide three options for allowing a process to update:

* Allow both scheduled task automated self-update and on-demand updates
* Only allow manually-requested on-demand updates
* Don't allow any updates

From the sound of the above report, you're looking for a fourth option, "Only 
do scheduled-task automatic updates, no on-demand."  Is that correct?

Original comment by ryanmyers@google.com on 28 Oct 2011 at 10:13

GoogleCodeExporter commented 8 years ago
The need for a fourth option is correct. During lab testing over the last 3 
weeks in our environment, we found that all available options to disable the 
manual on-demand update via browser, also disable the scheduled updates.

Original comment by stlouist...@gmail.com on 28 Oct 2011 at 10:23

GoogleCodeExporter commented 8 years ago
Makes sense.  We'll see if we can get this implemented soon.  :)

Original comment by ryanmyers@google.com on 28 Oct 2011 at 10:30

GoogleCodeExporter commented 8 years ago
Allot quicker response than I expected after filing a request, label me happy 
:-) 

Please let me know if I can assist with any testing in our labs, thanks!

Original comment by stlouist...@gmail.com on 28 Oct 2011 at 10:35

GoogleCodeExporter commented 8 years ago
Ryan -- we'd probably also need crbug.com/101868 for this to be smooth.  
Otherwise, the  user would still see an "update" button in the Chrome about 
dialog and it would just fail every time.

Original comment by gwil...@chromium.org on 3 Nov 2011 at 5:25

GoogleCodeExporter commented 8 years ago
We've implemented this in the internal builds of Omaha.  :)  I'll mark this bug 
as Fixed once it has received QA sign-off and starts being included in 
installers for Google products.

Original comment by ryanmyers@google.com on 10 Nov 2011 at 8:56

GoogleCodeExporter commented 8 years ago
That is great to hear Ryan. Thanks for the quick turn around on this one. I am 
highly impressed with the response time to get this update into the next build.

Original comment by stlouist...@gmail.com on 11 Nov 2011 at 11:36

GoogleCodeExporter commented 8 years ago
Ryan,
I've noticed that with the current version of Google Update GPOs that what was 
"Allow Updates" (manual and automatic) has been replaced by "Automatic Silent 
Updates" (presumably manual disabled)
Therefore we still only have 3 options, rather then 4. Was this intentional? 
Thanks.

Original comment by wyd...@gmail.com on 6 Mar 2012 at 4:41

GoogleCodeExporter commented 8 years ago
Ryan,
Additionally to the last comment; when we began to roll out Chrome/Google 
Update, we were not in a position to set GPOs via domain policy, so we added a 
few needed GPO registry keys via a transform script.  One of these was to allow 
automatic silent updates but not to permit manual updates (value of 3 at the 
time). It now seems that a value of 3 is not used. What now have is:

Automatic Silent Updates = 1
Manual Updates = 2
Updates Disabled = 0

However Wrench > About Google Chrome, with anything apart from a value of "3" 
allows me to perform a manual update!
If I set it to 3, I get the message we've always seen "Updates are disabled by 
the Administrator" which I think you advised was misleading and really 
means/should read "Manual Updates are disabled by the Administrator"

This begs a couple of questions:
1. Is Chrome still going to update automatically with the update value set to 3?
2. Are your new GPOs correct, given that manual updates seem to occur when 
update values of 0 and 1 are set?

Thanks,

Duncan

Original comment by wyd...@gmail.com on 6 Mar 2012 at 6:14

GoogleCodeExporter commented 8 years ago
We just updated the ADM templates; you should see four options now.

http://dl.google.com/dl/update2/enterprise/GoogleUpdate.adm

The options are:
0 = all updates disabled
1 = all updates allowed
2 = only manual (on-demand) updates allowed / automatic updates disabled
3 = only automatic (scheduled task) updates allowed / manual updates disabled

Double check that you don't have a policy for Chrome overriding a default 
policy for apps :)

Original comment by ryanmyers@google.com on 7 Mar 2012 at 1:53

GoogleCodeExporter commented 8 years ago
Ryan, fantastic quick response/fix. Many thanks! So was it a regression? ;)
You said: "Double check that you don't have a policy for Chrome overriding a 
default policy for apps"
We do, the Chrome overriding policy says Automatic Update (3), while the 
default policy says don't Update! That's ok isn't it? -  We're still auto 
updating as far as I can tell; nobody's complained that we're not (except for 
the false positives generated by the users who are misled by the message in the 
Chrome About Box!) ;)

...leading neatly on:
What can be done about that misleading Chrome About Box message "Updates are 
disabled by the Administrator"? Can we get this changed to read "Manual Updates 
are disabled by the Administrator" or something that accurately describes the 
current Update policy?  I'm guessing this is a Chrome issue though, huh? ;)

Thanks.

Original comment by wyd...@gmail.com on 7 Mar 2012 at 2:49

GoogleCodeExporter commented 8 years ago
I'm not actually sure what happened there -- nothing's changed on that download 
in months.

The messages in the "About Google Chrome" box are defined on the Chrome side; 
I'll see if we can do anything on the Update side to improve this, though.

Original comment by ryanmyers@google.com on 7 Mar 2012 at 7:18

GoogleCodeExporter commented 8 years ago
Ryan, thanks.
I hadn't looked closely at that particular ADM before. As mentioned we've not 
set GPOs yet via domain policy for Chrome/Omaha, all I've done is enforce the 
bare minimum via a transform script and the ADM I used as reference was an 
older version still, although it had the "automatic updates allowed / manual 
updates disabled" option.

Would it be worth my while to log a new issue for the wording of the update 
status in the Chrome about box or is there perhaps an open issue I can bump to 
get some visibility?  Thanks.  

Original comment by wyd...@gmail.com on 7 Mar 2012 at 7:55

GoogleCodeExporter commented 8 years ago
Google Update for Enterprise documentation only refers to the 3 update override 
options rather than 4:
http://support.google.com/installer/bin/answer.py?hl=en&answer=146164

Original comment by wyd...@gmail.com on 7 Mar 2012 at 9:23