Most of the time, if you want to patch Chrome using Munki, you just add Chrome as a managed update or managed install to the relevant manifests in your Munki repo, and then have the AutoPkg Chrome.munki recipe import the new version of Chrome into your Munki repo from time to time (daily, weekly, etc.).
And, most of the time, that isn’t an issue. Munki checks whether the installed Chrome is the latest version, and prompts to update if it isn’t. That said, if Chrome is your users’ primary browser, it is likely open all the time, and you probably have it listed as a blocking application, which is better than force-updating while a user is in Chrome, since that could result in corruption and/or a bad user experience.
The trick, though, is that if Chrome’s built-in updater is present (some Munki admins remove the built-in updater so Munki is the sole manager of Chrome updates), the built-in updater may update the version in /Applications/Google Chrome.app/Contents/Info.plist, so Munki may think the new version is installed even if the new version isn’t the one actually running.
So how do you know what version of Chrome is running?
Kudos to Justin Holt for pointing me to a script Graham Gilbert (kudos to Graham, too) wrote for chrome_update_notifier that detects the actual running version.
I’ve adapted that code to a Munki installcheck_script (sample pkginfo here), so Munki will prompt for an update even if the “installed” version is up to date but the running version is still the old version—especially handy if you’re trying to use the force_install_after_date flag in your pkginfo file for particularly urgent Chrome vulnerabilities.
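To show the shape of such an installcheck_script, here is an added example written for this post; it is not the script linked above, nor Graham Gilbert’s code, and it makes two assumptions: that a running Chrome keeps files open under its framework’s Versions/<version>/ directory (so `lsof` on the process reveals the loaded version, even after the bundle on disk has been replaced), and that the target version is substituted into `TARGET_VERSION` by whatever builds the pkginfo. The version numbers and the `lsof` line in `SAMPLE_LSOF` are constructed sample data. Munki’s exit-code contract for installcheck_script is used as-is: exit 0 means “needs install”, non-zero means “already installed”.

```python
#!/usr/bin/env python3
"""Example Munki installcheck_script for Google Chrome (added example, not the
post's own script).

Exit 0 -> Munki treats the item as NOT installed (offer/force the update).
Exit 1 -> Munki treats the item as installed (nothing to do).
"""
import plistlib
import re
import subprocess
import sys

# Placeholder: the pkginfo build (e.g. an AutoPkg recipe) is assumed to
# substitute the real version here.
TARGET_VERSION = "0.0.0.0"
INFO_PLIST = "/Applications/Google Chrome.app/Contents/Info.plist"

# Path fragment that a running Chrome keeps open (assumption, see lead-in).
VERSION_PATH_RE = re.compile(
    r"Google Chrome Framework\.framework/Versions/(\d+(?:\.\d+)*)/"
)

# Constructed sample lsof output line for a Chrome process still running an
# older build than the one on disk.
SAMPLE_LSOF = (
    "Google\\x20Chrome 4242 alice txt REG 1,4 11111 22222 "
    "/Applications/Google Chrome.app/Contents/Frameworks/"
    "Google Chrome Framework.framework/Versions/118.0.5993.117/"
    "Google Chrome Framework\n"
)


def version_tuple(version):
    """Turn '119.0.6045.105' into (119, 0, 6045, 105) for numeric comparison."""
    return tuple(int(part) for part in version.split("."))


def installed_version(plist_path=INFO_PLIST):
    """Version the bundle on disk claims; None if Chrome is not installed."""
    try:
        with open(plist_path, "rb") as fh:
            return plistlib.load(fh).get("CFBundleShortVersionString")
    except (FileNotFoundError, plistlib.InvalidFileException):
        return None


def running_version_from_lsof(lsof_output):
    """Extract the framework version a running Chrome has mapped, or None."""
    for line in lsof_output.splitlines():
        match = VERSION_PATH_RE.search(line)
        if match:
            return match.group(1)
    return None


def running_version():
    """Version of the running Chrome, or None if no Chrome process exists."""
    pids = subprocess.run(["pgrep", "-x", "Google Chrome"],
                          capture_output=True, text=True).stdout.split()
    if not pids:
        return None
    lsof = subprocess.run(["lsof", "-p", pids[0]],
                          capture_output=True, text=True)
    return running_version_from_lsof(lsof.stdout)


def needs_update(target, on_disk, running):
    """Return True if Munki should treat the Chrome item as not installed."""
    if on_disk is None or version_tuple(on_disk) < version_tuple(target):
        return True   # missing or outdated bundle: the ordinary case
    if running is not None and version_tuple(running) < version_tuple(target):
        return True   # disk is current, but the live process is the old build
    return False


def main():
    update = needs_update(TARGET_VERSION, installed_version(), running_version())
    sys.exit(0 if update else 1)


if __name__ == "__main__":
    main()
```

With Chrome listed as a blocking application in the same pkginfo, the “needs install” result makes Munki ask the user to quit Chrome rather than reinstalling underneath a running process; once Chrome is relaunched on the current build, `running_version()` matches `TARGET_VERSION` and the script exits 1.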