Create a Universal Browser Patch Policy

JumpCloud provides a universal policy to keep Google Chrome up to date for macOS, Windows, and Linux. A universal policy saves you time by automatically scheduling and enforcing Chrome security patches on a large number of managed devices.

JumpCloud provides four universal default Chrome browser patch policies that are preconfigured. These default policies help you deploy browser updates with different levels of urgency. You can also configure a custom universal policy to modify the settings of existing policies to tailor the update experience to your organization’s needs. See Configuring a Chrome Browser Patch Policy below. 

Browser patching is included in the Patch Management add-on package. Contact your Account Manager if you’re interested in adding patch management to your package or to learn more about the solution. Learn more on our Pricing page. 

Prerequisite:

• Mobile Device Management (MDM) is configured for your organization and macOS devices are enrolled in JumpCloud’s MDM.

Creating Default Chrome Browser Patch Policies

If your organization has not yet configured a universal Google Chrome browser patch policy for macOS, Windows, and Linux, you can save time by loading the default browser patch policies. These policies control how and when you deploy a universal policy to your fleet.

After you create a Chrome browser patch policy, you can assign it to any devices, policy groups, or device groups. A policy group helps you quickly and efficiently roll out existing policies to large numbers of similar devices. 

These four default Chrome browser patch management policies control how and when a Chrome update is applied. These are recommended deployment strategies:

• Day Zero – Deploy automated upgrades inside your IT Department on the first day the update is available.
• Early Adoption – Deploy automated upgrades to early adopters outside of IT.
• General Adoption – Deploy automated upgrades to general users in your company.
• Late Adoption – Deploy automated upgrades to remaining users in your company.
  

To create default universal browser patch policies:

1. Log in to the JumpCloud Admin Portal.
2. Go to DEVICE MANAGEMENT > Policy Management.
3. Select Patch Management, then select the Browser tab.
4. If you haven’t yet configured a Google Chrome browser patch policy, click Load Default Policies to create the four preconfigured universal default Chrome policies.
   
   If you’ve already created a browser patch policy, you won’t see this window and will instead see the four new Chrome browser patch policies:
   

5. Select one of the default Chrome browser patch policies.
6. (Optional) Enter a new name for the policy or keep the default. Policy names must be unique. 
7. Review the fields under Automatic Update Settings and the default settings for each browser patch policy.
   
   
   1. Enforce Automatic Updates – Automatically update Chrome with security patches and new features as those items become available. You must select this field for this policy to work
   2. Enable Component Updates – Automatically update Chrome components that work in the background and control features like media playback, policies, and malicious content filters. Some components, such as executable code that is critical for browser security, are not controlled by this setting.
   3. Relaunch Action – Choose the behavior for Chrome relaunches:
      • Require Relaunch – Users can close the notification but will see a recurring message to relaunch Chrome within the time period you set in the Relaunch Notification Period field. At the end of the Relaunch Notification Period, Chrome will automatically relaunch to apply the update.
      • Recommend Relaunch – Users can close the notification and keep using the old version of Chrome until they relaunch the Chrome browser.
   4. Relaunch Grace Period (Milliseconds) – Specify how long before users are notified to relaunch Google Chrome to get the latest update. You cannot enter less than 3,600,000 ms (1 hour).
   5. Review these preconfigured default settings for the Automatic Update Settings section of each deployment ring and adjust them as needed.

8. Configure the fields under Sign-in Settings:
   1. Browser sign-in settings – Choose the user’s sign-in behavior for Google Chrome:
      • Enable browser sign-in – Allow users to sign into Chrome and sync browser information to their Google Accounts. This is the default.
      • Disable browser sign-in – Prevent users from signing into Chrome so they cannot use account-based services. Browser-level features like Google Chrome Sync cannot be used and will be unavailable. 
      • Force browser sign-in – Require users to choose an account and sign into Chrome. This ensures that for managed accounts, the policies associated with the account are applied and enforced. This choice is not supported on Linux, and if you choose it the Enable browser sign-in option is used.
   2. Restrict sign-in to regular expression pattern – Enter a regular expression that determines which Google accounts can be set as browser primary accounts in Chrome. These primary accounts are chosen during the Sync opt-in flow. For example, enter .*@abcdefg\.com to restrict sign-in to accounts in the abcdefg,com domain.
9. Configure the fields under Chrome Browser Cloud Management Settings:
   If you are new to Google and need a Google Admin Console login to configure Chrome Browser Cloud Management Settings, you can sign up for Chrome Browser Cloud Management at no additional cost. See the Chrome Browser Cloud Management documentation.
   1. Enable Chrome Browser Cloud Management – Enroll your devices in Google Chrome Browser Cloud Management to enforce additional browser policies, view and enforce managed browser extensions, and view detailed reports on managed browsers.
   2. Chrome Browser Cloud Management Enrollment Token – Paste the enrollment token here. Go to the Managed Browsers page in the Google Admin Console to generate the token. The enrollment token ties the browser to a specific organization at the time of registration. Chrome Browser Cloud Management currently has a limit on the number of browsers that can be enrolled simultaneously. Google recommends that you enroll no more than 150 browsers per minute, and is working to increase the limit in a future release. See Set Up Chrome Browser Management.
   3. Enable Chrome Browser Cloud Management Reporting – Upload information about the browser operation to the Google Admin Console.
      
10. Click save. 
11. (Optional) Select the policy you just created and select Device Groups. Select one or more device groups where you’ll apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
12. (Optional) Select Devices, then select one or more devices where you’ll apply this policy.
13. (Optional) Select Policy Groups, then select one or more policy groups for this policy.
14. Click save. The configured policy appears in the Browser tab under the Patch Management tab.
15. After applying the policy, the user must relaunch Chrome on the device for the changes to take effect.
16. After the policy runs, you can view detailed results for a specific device:
    1. Go to DEVICE MANAGEMENT > Devices.
    2. Select the Devices tab, then select the device.
    3. Select Policy Results, then click view to see more details. An Exit Code of 0 means the policy ran successfully. 
    4. Click Close.
       
17. To delete a browser patch policy, see Removing a Browser Patch Policy.

Configuring a Chrome Browser Patch Policy

You must have Manager role permissions or higher to create and enforce a universal browser patch management policy. If you don’t want to use the preconfigured default browser patch policies with defaults described above, you can create and configure your own Google Chrome browser patch policy.

1. Log in to the JumpCloud Admin Portal.
2. Go to DEVICE MANAGEMENT > Policy Management.
3. Select Patch Management, then select the Browser tab.
4. If this is the first time you’ve accessed the Browser tab, click Load Default Policies to create four universal default Chrome policies. See the section above.
5. To configure a new universal Chrome browser patch policy, click ( + ), then choose Google Chrome.
   

6. (Optional) Enter a new name for the policy or keep the default. Policy names must be unique. 
7. Configure the fields under Automatic Update Settings:
   1. Enforce Automatic Updates – ​Automatically update Chrome with security patches and new features as those items become available. You must select this field for this policy to work.
   2. Enable Component Updates – Automatically update Chrome components that work in the background and control features like media playback, policies, and malicious content filters. Some components, such as executable code that is critical for browser security, are not controlled by this setting.
   3. Relaunch Action – Choose the behavior for Chrome relaunches:
      • Recommend Relaunch – Let users can close the notification and keep using the old version of Chrome until they relaunch the Chrome browser.
      • Require Relaunch – Allow users to close the notification but they will see a recurring message to relaunch Chrome within the time period you set in the Relaunch Notification Period field. At the end of the Relaunch Notification Period, Chrome will automatically relaunch to apply the update.
   4. Relaunch Grace Period (Milliseconds) – Enter a value or use the default value of 259,200,000 ms or 3 days to specify how long before users are notified to relaunch Google Chrome to get the latest update. You cannot enter less than 3,600,000 ms (1 hour).
      

8. Configure the fields under Sign-in Settings:
   1. Browser sign-in settings – Choose the user’s sign-in behavior for Google Chrome:
      • Enable browser sign-in – Allow users to sign into Chrome and sync browser information to their Google Accounts. This is the default.
      • Disable browser sign-in – Prevent users from signing into Chrome so they cannot use account-based services. Browser-level features like Google Chrome Sync cannot be used and will be unavailable.
      • Force browser sign-in – Choose an account and sign into Chrome. This ensures that for managed accounts, the policies associated with the account are applied and enforced. This choice is not supported on Linux, and if you choose it, the Enable browser sign-in option is used.
   2. Restrict sign-in to regular expression pattern – Enter a regular expression that determines which Google accounts can be set as browser primary accounts in Chrome. These primary accounts are chosen during the Sync opt-in flow. For example, enter .*@abcdefg\.com to restrict sign-in to accounts in the abcdefg.com domain.
      
9. Configure the fields under Chrome Browser Cloud Management Settings:
   1. Enable Chrome Browser Cloud Management – View all of your company’s enrolled browsers and apply universal policies to manage them.
   2. Chrome Browser Cloud Management Enrollment Token – Paste the enrollment token here. Go to the Managed Browsers page in the Google Admin Console to generate the token. The enrollment token ties the browser to a specific organization at the time of registration. Chrome Browser Cloud Management currently has a limit on the number of browsers that can be enrolled simultaneously. Google recommends that you enroll no more than 150 browsers per minute, and is is working to increase the limit in a future release. See Set Up Chrome Browser Management.
   3. Enable Chrome Browser Cloud Management Reporting – Upload information about the browser operation to the Google Admin Console.

10. Click save.
11. (Optional) Select the policy you just created and select Device Groups. Select one or more device groups where you’ll apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
12. (Optional) Select Devices. Select one or more devices where you’ll apply this policy.
13. (Optional) Select Policy Groups, then select one or more policy groups for this policy.
14. Click save. The configured policy appears in the Browser Patch Management tab.
15. After applying the policy, the user must relaunch Chrome on the device for the changes to take effect.
16. After the policy runs, you can view detailed results for a specific device:
    1. Go to DEVICE MANAGEMENT > Devices.
    2. Select the Devices tab, then select the device.
    3. Select the Policy Results tab, then click view to see more details. An Exit Code of 0 means the policy ran successfully. 
    4. Click ok.

17. To delete a browser patch policy, see below.

Removing a Browser Patch Policy

To remove an existing browser patch policy:

1. Log in to the JumpCloud Admin Portal.
2. Go to DEVICE MANAGEMENT > Policy Management.
3. Select Patch Management, then select the Browser tab.
4. Select the policy that you wish to remove. You can select more than one policy.
5. Click Delete.
6. Click continue.