How to handle Google Chrome?

mikelbeck 2023-10-03 20:48:45 UTC #1

We group our patches to be deployed into a baseline, created a few days after Patch Tuesday and then scheduled to be deployed during our defined patch weekends.

Most of the time by the time that patch weekend rolls around, Google Chrome has been updated and the fixlet will hang as it tries to download a file that no longer exists. We have the Action set to retry 3 times in the event of a failure, as you can imagine this causes problems.

The majority of the clients update themselves but there are some that don’t have Internet access, those we update with BigFix.

Any suggestions about how to handle this? I could download the latest version each month and create a custom fixlet to be included in the baseline but there’s got to be a better way?

itsmpro92 2023-10-03 22:09:50 UTC #2

If you download and pre-cache the Google Chrome executable when the Fixlet is released, the OOB Fixlet action will work in your Baseline when it runs later in the month. The key is having the file in the cache that matches the SHA-1 and SHA-256 values present in the OOB Fixlet.

SLB 2023-10-03 23:04:49 UTC #3

Maybe you could use a daily script to leverage the REST API to check for new Chrome fixlets released in the past x number of days and if a fixlet is detected, create an action to a group of test machines, may even just an empty group (not sure if that would be enough to cache the file on the BES server) so the file that matches the fixlet in your baselines is already cached on your server.

I use a similar concept to automate deploying new fixlets for some 3rd party apps so we release as pilot / prod deployments within 24-48 hrs of the fixlets being gathered. Fixlet age sometimes needs to be tweaked to cater from times where fixlets may, in some cases, take a bit longer due to overlapping with patch Tuesday. Pulling the fixlet ID to then issue via REST could be something like

(ids of it) of bes fixlets whose (name of it as lowercase contains "chrome" and name of it as lowercase does not contain "superseded" and name of site of it = "Updates for Windows Applications" and (source release date of it > (current date - 3 * day)))

orbiton 2023-10-04 01:06:34 UTC #4

What is your Patching Strategy for Browsers?

If you want to be on the latest Browser I would recommend using Patch Policy - restrict it to Browser content only and then schedule it to be deployed daily.

With that option you will also cache the content.

If you don’t wanna do that but you still want to cache the binary, you can still use the same method but just schedule it to some test machine with Google Chrome, and don’t allow it to auto update.

Of course, you can use other methods with REST API and such… but the simpler method is the best

JasonWalker 2023-10-04 01:55:22 UTC #5

You might also consider using the BESDownloadCacher and a scheduled task to perform the downloads daily (or several times a day).

Usually the BESDownloadCacher is used by Airgapped customers, but it might be a good use-case for frequently downloading Chrome.

I’ll look into it a bit in the next few days, but you can get started with https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_airgap_tool_transf_downloaded.html

mikelbeck 2023-10-04 11:28:51 UTC #6

If you download and pre-cache the Google Chrome executable when the Fixlet is released, the OOB Fixlet action will work in your Baseline when it runs later in the month. The key is having the file in the cache that matches the SHA-1 and SHA-256 values present in the OOB Fixlet.

I could use the File Pre-Cache Wizard to take care of that, right?

orbiton 2023-10-04 11:40:16 UTC #7

@mikelbeck You can , but this is a manual way and you will need to select the specific Fixlet.

mikelbeck 2023-10-04 15:27:06 UTC #8

You might also consider using the BESDownloadCacher and a scheduled task to perform the downloads daily (or several times a day).

Some examples about how to go about doing this would be great, if you have any.

JasonWalker 2023-10-04 16:58:08 UTC #9

I was just working on a batch file for that, here’s the process I’ve come up with so far

:: SETUP:
:: Assumes performing this all on the Root Server
::  Download BESDownloadCacher.exe from https://software.bigfix.com/download/bes/util/BESDownloadCacher.exe
:: Create directory "C:\BES\DownloadCacher and copy BESDownloadCacher.exe there
:: create directory "C:\BES\DownloadCacher\mastheads"
::
::
:: locate 'Updates for Windows Applications' masthead and copy to .\mastheads.  Any copy of the .efxm is ok.
:: C:\BES>dir /s /b "C:\BES\Server\wwwrootbes\bfsites\*Updates for Windows Applications.efxm"
::     C:\BES\Server\wwwrootbes\bfsites\actionsite_0_470\Updates for Windows Applications.efxm
::     C:\BES\Server\wwwrootbes\bfsites\actionsite_0_471\Updates for Windows Applications.efxm
::     C:\BES\Server\wwwrootbes\bfsites\actionsite_0_472\Updates for Windows Applications.efxm

:: copy /y "C:\BES\Server\wwwrootbes\bfsites\actionsite_0_470\Updates for Windows Applications.efxm" "C:\BES\DownloadCacher\mastheads"

:: Normal Usage
:: 1. Generate a list of *all* downloads from the "Updates for Windows Applications" site, to 'all-site-downloads.txt'
:: 2. Filter the downloads to only the Chrome downloads, without the MANUAL_BES_CACHING_REQUIRED string, output to a new file 'chrome-downloads.txt'
:: 3. Perform downloads of the files listed in chrome-downloads.txt (many may fail due to hash mismatches, this method seems to include superseded Chrome fixlets)

echo Generating list of all downloads from "Updates for Windows Applications" site
BESDownloadCacher.exe -m "mastheads\Updates for Windows Applications.efxm" -w all-site-downloads.txt

echo Filtering to Chrome downloads
type all-site-downloads.txt |find "googlechromestandaloneenterprise" |find /v "MANUAL_BES_CACHING_REQUIRED" > chrome-downloads.txt

echo Performing chrome downloads
BESDownloadCacher.exe -o chrome-downloads.txt -l

JasonWalker 2023-10-04 17:07:10 UTC #10

Oops, I needed to step back from the problem a bit.

The issue is that Google always replaces the same URL with the latest copy of their download, so…this batch script was a bit of overkill. We can have BESDownloadCacher just try that URL directly.

64-bit version:

BESDownloadCacher.exe -u https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B03FE9563-80F9-119F-DA3D-72FBBB94BC26%7D%26lang%3Den%26browser%3D4%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable%26brand=GCEA/dl/chrome/install/googlechromestandaloneenterprise64.msi

32-bit version:

When run on the root server, BESDownloadCacher automatically renames the file to match its sha1, and puts in the download cache at wwwrootbes/bfmirror/downloads/sha1

orbiton 2023-10-04 17:41:41 UTC #11

@JasonWalker Gonna try it later, Thanks!

itsmpro92 2023-10-04 18:32:04 UTC #12

BigFix just released the latest Fixlet for Google Chrome: Content Modification: Updates for Windows Applications published 2023-10-04

Rickm19 2023-10-06 01:34:48 UTC #13

There is already a lot of good advice in this thread. Just wanted to mention the same thing in another way.
Simply deploy Google Chrome to a test machine. Then when you are ready to deploy a few days later, right click on the action and “custom-copy” the action or baseline, and deploy as you wish. You will be deploying the original Google Chrome version from a few days ago since it was cached with the action.

eavesrb 2023-10-30 15:05:52 UTC #14

Jason, Can you help me out a bit more? You are caching locally, does that mean the fixlet will pickup from that location from then on without returning to the web? Will it also pickup from that location if the fixlet is added to a baseline?

JasonWalker 2023-10-31 03:09:24 UTC #15

Yes on both counts. The idea behind using the Download Cacher is to get the browser downloaded and cached on the root server before Google replaces it, so we have a version that matches whatever Fixlet we’re using. It’s an alternative to “hurry up & send a action so the download gets cached”.

You could run the Download Cacher as a scheduled task. Run it a few times a day if necessary.

An alternative to that is a Fixlet I posted to BigFix.me that just deploys “whatever version of Chrome is available now” (at the time you click Take Action). It does not verify the hashes though so you never acknowledge what version of Chrome you end up with until you take the action.