Client Management Suite

So I have a similar issue - I need to push Google Chrome enterprise to over 300 computers.
Google supplies an MSI file for enterprise use.
But as soon as it's installed I need to replace a single file that has the master default preferences in it - these determine how it will first open, what the home page is and so on.
It is called master_prefrences and goes into the same folder as the Chrome exe file once Chrome is installed.
Of course installing Chrome can be done with the software management if I ever get this 747 if the software world figured out - the trick is I need to bundle a task with it that will copy that file intot he Chrome program folder AFTER Chrome is installed.
I can't figure that part out - I know it will need to be a task - I can do that and other things via command lines. (also set a service to disabled)
But my questions are - what do I tell the task to do - where is the file going to be copied from - I need to supply a path.
It is currently in the SAME folder on our Altiris server that the Chrome MSI is in.
How is that addresses? What's the source path in the task?
The destination should be easy.......

So I need this as a taks to run in the SAME policy that installs Chrome - the question marks are because I don't know where to tell these commands to get the file from. It's in the "software library" where the MSI is.
But this is so very confusing as this is a HUGE set of apps, and the going back and forth trying to figure out if this is a program, or a version or just what the heck it is! Then to get it installed I have to go to manage policies and work in there........ it's not all in the manage software area so going back and forth has me lost.

if exist "c:\Program Files\Google\Chrome\Application\master_preferences" copy /y "?????????\master_preferences" "C:\Program Files\Google\Chrome\Application\master_preferences"
if exist "c:\Program Files (x86)\Google\Chrome\Application\master_preferences" copy /y "???????\master_preferences" "C:\Program Files (x86)\Google\Chrome\Application\master_preferences"
reg add HKLM\Software\Policies\Google\Update /f /v AutoUpdateCheckPeriodMinutes /d 0
sc stop gupdate
sc config gupdate start= disabled

Where will the task get the file from if it's in the software library folder with the Chrome MSI?
What do I tell it the path or source is?
 

I create a Software Update called "[MyCo] Google Chrome Master Preferences update".

Package: just the master_preferences file

Command Line: 

CMD /C "copy /y *.* "C:\program files (x86)\google\chrome\application" > "C:\program files (x86)\google\chrome\application\%ERRORLEVEL%.txt""

So it is assumed that the commands or script run and copy the file from the same path the command is run from?
The source and command line are in the same place - so it is copy name.ext and not c:\path\name.ext  correct?

Rather confusing as I can't get the Chrome install itself to work - it's hanging either on the file download or on execution, the logs don't say specifically so I've not gotten even past that but the path for the command line for the MSI install are \chrome32\xxxxxxx.msi which is where it comes from in the software library - is it copying the folder structure TOO?
Odd, I assumed it took the file or files and worked right from that folder as far as copying the MSI file to the client and then running it.
But the execution path is Chrome32\xxxxxx.msi

I'll try a version of your suggestion and see how that goes - once I get it figured out why the basic Chrome install is failing.

Sorry, I got a bit lost with that one. I'll show exactly what is on the Altiris/Symantec server - which might help -
So I am trying to figure out the software library thing, which isn't too bad - fairly simple concept - it's where you keep the programs/install files. It's a share in this case, directly on the management server.

\\SERVERNAME\SoftwareLibrary\Chrome\Chrome-32

Since I have more than one Chrome install - not sure why but I see over and over use 32bit even on 64 bit systems, mostly JAVA, I suspect, but I have a 64 and a 32bit version of the Chrome install MSI. I'll be concentrating on the 32 bit as that's what people suggest using, sort of like IE - the 64bit version is not worth much as you normally use the 32 even on 64 bit systems.
You can see the softwarelibrary share is where I keep all of our stuff.
I have a folder called Chrome under that. The only things in the folder named Chrome are 2 other folders.
Those are the 64bit and 32 bit folders, as shown above it's the 32bit path.
So the library SHARE, the folder named Chrome which contains only two other folders, Chrome-32 and Chrome-64.
The MSI installer is in the Chrome-32 folder. The path to it from the SHARE or SOFTWARE LIBRARY would be
\Chrome\Chrome-32
The package COMMAND LINE is calling the msiexec /i
and then
Chrome-32\GoogleChromeStandaloneEnterprise.msi

So it would seem that everything is based on the SoftwareLibrary share as being the base or root.
But in this case it's including the one folder, and noth the other. Most I see are not including ANY folder at all, it's right at the ROOT
So any packages this system builds would include the full path AFTER or ABOVE the SoftwareLibrary share - so any command line would also include the full path, correct? Well, sort of because it leaves out the first level of folder above the library share.

This is what the system built for a command line - I added only the NOGOOGLEUPDATING to prevent the install from going out to find a later version.
(next is all on one line technically, it's done a word-wrap here, however)
msiexec.exe /i "Chrome-32\GoogleChromeStandaloneEnterprise.msi" NOGOOGLEUPDATEPING=1 /quiet /noresatart 

I have in the policy, after I spent an hour figuring out HOW, that you MUST do all this via the catelog, can't touch anything directly, a "Software Update" as you suggested.

I still need to run other commands to change the services status, etc.
These are other commands I need to run -
reg add HKLM\Software\Policies\Google\Update /f /v AutoUpdateCheckPeriodMinutes /d 0
sc stop gupdate
sc config gupdate start= disabled
but first things first....

Here is the command line for the master_preferences file -
copy /y Chrome-32\master_preferences.* "C:\program files (x86)\google\chrome\application" > "C:\program files (x86)\google\chrome\application\%ERRORLEVEL%.txt"

This part of the system, adding new apps to install (I think they assume that any app you wish to install is already running on one of your systems - but what if it's not - what if no other computer has it - that's more complex, adding a new app you cannot IMPORT)

So I have the softwarelibrary share, Chrome\Chrome-32 with the MSI and master_preferences file in it.
I have an update task created that copies the master_preferences file as you suggested, I have no Dependency tasks (not sure how I'd do that anyway, suspect I don't need it in this case)

This is the package command line as it shows:
msiexec.exe /i "Chrome-32\GoogleChromeStandaloneEnterprise.msi" NOGOOGLEUPDATEPING=1 /quiet /noresatart 
The advanced options are default as far as download, run, etc. No changes there.

Well just when I thought I was onto something - and I was in a way as I got it to work on 1 computer, I've run into another snag.
We have a mix of computers - 64 and 32bit.
Many recommend using the 32bit version due to some plugins or something not working well, and like IE, the 64bit version can cause issues. The 32bit version runs great on anything.
So I had it all figured out - but realized it installed on a 64bit server but not a 32bit Windows 7 OS.
I found the thing was somehow told that it was for 64bit server OS only, 2008 and 2012.
But also, the command that copies the master_preferences file works ONLY for 64bit systems as 32bit won't have "Program Files (x86) " folder while the 64bit does have that and that's where Chrome installs.
So I created a batch file - if this exists copy here, if that exists copy there.
Fine - but now the ."Software Update" - the Master Preferences copy package won't work properly as I can't find a way to have the "detection rule" do a "find this file AND that file (OR) find file 1 and file 2"
It's not hard to have it do AND at the top and then define two files and it has to find both - but when I have to include both files for 32bit AND both files for 64bit Symantec has made understanding the structure impossible. I can get either an AND or an OR at the top, but how can I get it to be more like a tree -

detect file 1 AND file 2
OR
Detect file A AND file B
 
The AND or OR always go at the very top - but that makes no sense - it should be between. You don't write a script as
AND
if exist file a
if exist file b
You write if exist file a and if exist file b

I need to detect
master_prefernces AND 0.txt in Program Files (x86)
OR
master_preferences AND 0.txt in Program Files

and can't get that diagrammed out in their system. It appears to be 2 dimensional only - not detection multipls pairs of files in multple places, if that makes sense.

Why is there ALWAYS an AND at the very top?

This one works -


But I need to detect either 1 of 2 file pairs for 32 and 64bit -
And this is screwy!  I can't get it to put the master preferences file back if I delete it as a test...........

the log files really don't tell me much at all. It only says that 0.txt wasn't found - and then nothing.
Not sure what you mean check the exact content of my rules as this is so horribly complex there's no clean way to keep track and you can't easily move from one part of a package or policy to another without saving what you have done and totally changing screens. You must complete and save one page before you can do anything else.
The days and hours I've spent trying to get this install to work on both 32 and 64bit with the file copy part I could have manually installed this on our computers.

Worse, if you need to change a single file, like I have had to change the batch file due to Google's complex system of scheduled tasks, services and install files, you must delete the update part from the policy and package, then go recreate the update, save it, and then connect it to the install package again. Each time you need to change a single letter in a single file, you have to start over again with part of it. There's no directly editing any files in the package once it's created.

I had it partially succeed on a couple of servers I tested with, but it won't work on any Windows 7 computers.
OF course to cover both 32 and 64 I did change to that horribly convoluted double-check setup above - which brings up another question directly related to your repsonse above- how can changing the base to Program Files (x86) help since that folder ONLY exists on 64 bit systems. It doesn't even exist on 32bit systems.

Chrome installs in c:\Program Files (x86)\Google\Chrome\Application on 64bit systems
Chrome installs in c:\Program Files\Google\Chrome\Application on 32bit systems so there is no common base, except the C drive.  If I chose \Program Files (x86)\ as the base, it could never find the files on any 32bit system.

Because I have to run the Google Chrome install MSI, and then immediately after, copy the master_preferences file in, and also disable a service and disable two scheduled tasks with a batch file, and must do this on both 32 and 64 bit computers, it's extremely complex and frustrating.

I have a SIMPLE app installed fine, in fact it hit almost 300 computers in an hour - it's a single MSI, installs on any Windows computer and doesn't require any added things, no updates, no further file copies, etc. So I know the agents can see the policy, download a file and run it.

Chrome, however,
1. I had to put Chrome in the software catelog manually, which isn't simple if you don't already have it installed on computers,
2. then I had to create the software product and found out that wasn't enough, you can't do anything with that because apparently, not explained in the documents that it's just more of a heading and nothing else,
3. I then had to create the software release which is the actual Chrome package. OK, that's the basic install out of the box, no settings, no preferences file, etc. - just the bare install.
4. Then I had to create the "Software Update" which is the master_preferences file and the batch file that copies the master preferences file into place, sets the update service to not start, and disables 2 scheduled tasks that Chrome installs.
I had to associate the sofware update with the software package to get them to work together.
Then I had to create the install policy and tell it to use the software update with the softwre install package.
Then it gets really hairy -
I need it to see if Chrome is already installed, and if not, install it.
Ah, but there's more - besides Chrome being installed, I need it to see if the master_preferences file is in place and if not, put it there and then disable the google update service and disable the two scheduled tasks.
AND it must do all of that on 32bit AND 64bit computers, all Windows OS.
So why it worked on SERVERS but not Windows 7 computers has me baffled! Well, it sort of worked, Chrome installed and I got the preferences file in place but at that time I was dealing ONLY with 64bit checks.
I added the 32bit file checks and it's fallen apart. Even worse yet - the master_preference file didn't work with Chrome, so I had to scrap the software update after disconnecting it from the install package and start all over, you can't edit a file once it is in the library. So I had to undo the association in the software package, remove the file from the software update package, pull it back in and do it all again.

The batch file that must run immediately after the Chrome install is:
if exist "c:\Program Files\Google\Chrome\Application\chrome.exe" copy /y master_preferences "C:\program files\google\chrome\application\master_preferences" > "C:\program files\google\chrome\application\%ERRORLEVEL%.txt"
if exist "c:\Program Files (x86)\Google\Chrome\Application\chrome.exe" copy /y master_preferences "C:\program files (x86)\google\chrome\application\master_preferences" > "C:\program files (x86)\google\chrome\application\%ERRORLEVEL%.txt"
reg add HKLM\Software\Policies\Google\Update /f /v AutoUpdateCheckPeriodMinutes /d 0
sc stop gupdate
sc config gupdate start= disabled
SCHTASKS /Change /TN "GoogleUpdateTaskMachineCore" /DISABLE
SCHTASKS /Change /TN "GoogleUpdateTaskMachineUA" /DISABLE
 
I need to figure out why the Windows 7 computers say they are downloading the package, but never do, you never see it at all anywhere. There is no sign of it or the folder it's supposed to be in for the install! It's like it says "Downloading file" and "in process" and then - not another entry at all. And the files never appear on the W7 computers, but did on 4 servers.

The software update which runs that batch file needs to look for the 0.txt file and the master_preferences file in Program Files OR in Program Files (x86) and it has to look for both files on either type of system.
That means it has to see if this logic works:
Find 0.txt AND master_preferences in Program Files\Google\Chrome\Application
OR
Find 0.txt AND master_preferences in Program Files (x86)\Google\Chrome\Application

because a 32 bit computer will never have the Program Files (x86) folder and a 64bit computer that's where Chrome installs to.
Symantec makes it nearly impossible to use that sort of logic.

Unless this is correct and would work..........But I question - why the "AND" at the very very top? What does THAT one do? Can't get rid of it.
I want A AND B  OR C  AND D  but can't seem to make it look like that.

Part of the issue is that the documentation assumes you already know how to use the product, or doesn't give "walk-throughs" of the processes.
This is one very bloody complex suite - I am beginning to believe SCCM was more simple.

One problem with this install is that the master_preferences MUST BE INSTALLED or copied into the application folder immediately following the install!
You have one shot at it as if the Chrome install works - and the user launches it, BOOM, you are done, the master preferences file will be worthless if it installs 2 minutes later. It must be done during the install.
Granted the services could be stopped and disabled, the updater changed later but to copy the master_preferences file, that must be done at the time of the install - as quick as the install is finished. It can't wait. It only works upon initial launch of Chrome.
And our users are quick to click on things they haven't seen before (this the extremely strict app control and web policies in place - "it exists, therefore I must click it" is their motto.
Chrome itself is horrible in that Google offers zero support. Their help is like "install, launch, enjoy".
So with no support on installing product, I went by what others here are doing - and the batch files were not only suggested by Symantec customers, but the files were available. The batch file I am using was customer suggested.
I plan on solving the 32 vs. 64 bit problem by telling the boss "I won't support 32bit any more". That means the remaining 2 or 3 dozen 32bit machines will need to be reimaged with the 64bit image by helpdesk if they want any further app support. It's getting stupid having to support such a mix and jump through hoops to detect what's what. Since the vast majority of our computers are now running 64bit Windows, I see little reason to continue to support the very few 32bit.

But the real kicker - I still have never received a good explanation from Symantec as to how the detection rule screen I showed above is supposed to work. The and/or parts, there is almost no documentation on it and the explanation in help are - well, gee, I can see the choices exist, but exactly how do they work?
The AND at the top - and what? What is the and referring to? Something before it - outside of this screen, or something in this screen to come later?
There's And at the top, then an Or, but what's the top And refer to?
There is no logic chart!
What AND this?

Since there are so many issues with this product that I can't get forum help on, I am going to have to start creating tickets for all of them and have someone remote in and tell us if it's even set up properly, if the application installs are even close. For one thing it says that nothing here is running Chrome - but we have a couple dozen with it. Why isn't it being shown as being on computers?
Why does software have to be version specific? Can't we just say we want to see computers with Chrome, or computers with SEP - ignore the darned version and show us all? It won't even tell me what computers have SEP when I click on the SEP package I created (and it won't install it on 2 of our new computers - keeps timing out at 30 minutes then tries the download again, failing after 30 minutes - where is the 30 minutes coming from? We have no timeout, and I spent an entire day looking for a place the 30 minutes was coming from)
Too many troubles with it. Unreliable, too hard to create something that simply checks does a computer have SEP, if not install it - no, I have to specify a version instead of generic SEP
Same for Chrome - I want to create a software package, not a software version, but it won't allow that.
Why? Because when you search for Chrome, it shows 50 different versions, not just "Chrome" so I can't create a managed install or whatever it's called and say "install".
The product treats each version of SEP, each version of Chrome (And I could go on listing many more) as separate or distinct products instead of a single product. Chrome 4x.xx is a different product from Chrome 4y.xx and different from 5x.xx So it lists several Chrome as if each is a different product from a different company. SEP is listed several times as distinct products in the software product list.
I could see if I was listing versions, but I want to list products, instead I get dozens and dozens of listings for software and the only diff is the minor version.
So to see what computers have a product, I have to click on each little version, maybe no computers have this version, 1 has this, 10 have that.

I hope future versions have better documents. I thought the docs were good until I had to do something with it and then find them written for those who created the software and already know it.
There is zero for beginners - who were tossed into using this when the SCCM person quit and we dumped SCCM.
Isn't there a 101 version, that shows step by step?

The simple answer to your first problem is to only install Google Chrome when no user is logged in. You can also use the Google Chrome Group policy add-in to create Group Policies for Chrome.

The initial "AND" is to logically AND all the conditions you put under it, I think this is explained in the Software Management User Guide.

You can create/edit a Software Product that show all version of Chrome and/or SEP.

You have problems getting forum help because you put too many problems in one post. 

LOL - if they were split out there would be 15 posts - but it's hard to do so when they all tie in and it's impossible to tell what is breaking down. 

Youre 'AND' explanation is far better than anything in any document I've seen to date.
But it still leaves me with what is before the 'AND' shown in that rule box.
I get the "and all of the conditions below" part. But what what is BEFORE the AND? Is it the Applicability rule - but that's shown below or AFTER the detection rule.

I'll compare it to this
"do if true - THIS AND all of the conditions below"

In the sentence above, what is the "THIS" that the 'AND' at the very top is referring to, the one that is already there by default.  
I can see 'do it if this is true - file a exists AND file b exists'
BUT - the AND is before - it almost looks like "AND file a exists file b exists"
Logic runs serially, one after the other, so the AND at the very top needs something BEFORE it, but the only things you control for detection are below it.

Referring to the image I posted above, way back, the 'AND' is at the top, not between.

To me it seems that if I want this to do something based on the criteria or conditions defined in a "detection rule" in that detection rule box or window, there should be no AND in there yet - I should be telling it to do something "if file a exists" and then insert an 'AND' and then type "if file b exists".
The result being do something if file a exists AND if file b exists, instead I read it as AND file a exists file be exists.
 
Maybe it's because they have it shown rather up-side-down?
Is the 'AND' really meaning it will apply the  "APPLICABILITY RULE" FIRST, then read the
AND
Then apply the stuff defined in the detection rule?

If that's the case, the applicability rule should visually be ABOVE the detection rule.
Look to see if it's if it's Windows 64 bit FIRST, then run the detection rule -
Does it apply to this computer.
AND
Check to see if these files exist.

Perhaps that's the confusion - they have detection above applicability, as you should see first if you even need to bother looking for a file, etc.
If that's what the AND refers to - something after, then they should flip those two on the rules tab!
Don't bother looking for files or registry key if it's not Windows 64 bit.
But to me it's an AND hanging up there at the top in space, doing nothing. The part before the AND is missing.

Problem installing Chrome when no one is around - you would have to work in an ideal world where all computers were alway on and everyone left or logged out at the same time so you could schedule it to run at 6pm, knowing all computers would be running and no one would be logged in.
Just for 1 example, there are "shared laptops" that sit until someone logs in - otherwise are either not on the network or are turned off. Yeah, I know - we DO have rules and policies, but we are dealing with people - people who hold Masters degrees, the worst sort. Those shared laptops are supposed to be turned on, connected to the network, past the bitlocker PIN screen and on the network so they can communicate and get SEP updates and Windows patches, etc. Yeah, key word "supposed to".

Since these software installs run on a schedule, you'd have to make it run every hour, every day, and find a time no one was logged in.
That would seem to mean another condition to look for - the registry to indicate there was no current user.
When people leave, they may log out, they may not log out, they may reboot, or not reboot, they may lock it and walk away, or walk away and wait for the policy to lock it 10 minutes later.
Too many variables.

I wonder if I'm setting up the detection rules and such all wrong anyway.
I need to detect for Chrome, run it and then as an update or "patch" immediately, through the associations, run the master_preferences copy, if it hasn't run already, but the text file the bat file creates would tell me that.
So now I'm trying to find a way to detect if Chrome is installed, if not, install it - the 64 bit version and then run that "update" piece which via association should work.
I find that Chrome appears as about 20 or 25 different things - the list of Chrome in the management server is huge - the number of versions, and it seems to treat each like a different app, not a different version of the same app. Thank you Google.

On this - >>You can create/edit a Software Product that show all version of Chrome and/or SEP.<<
I AM going to start a new topic - as so far, I have spent days trying to figure that out. This lists each Chrome version and build (what the heck is the difference with Google?!) as a distinct product. I tried to come up with a generic build or product, but it keeps changing versions on me! I use 52.0.xxxxx and it comes back no, this is version 66. Since that's so complex in itself, that will be a new topic-  but frankly, I think I must solve that before I can continue. I need it to treat ALL Chrome the same - but not really.

15 posts is fine. 

This is in the Software Management User Guide:

"Note: The And, Not, Or operators apply to the rules, which reside under the
corresponding operator in the expression tree in the left pane. The rule does
not work, if the operator and the rules, to which it must apply, are on the same
level in the expression tree."

So, where it says:

AND

• MSI Code 1234
• File version=

It means 

MSI Code 1234 AND File Version=

To get software to install when no user is logged in you don't need to do a check yourself, that's one of the things Symantec is for, to do things like that for you.

In the last environment I managed, Managed Software Delivery Policies were set to run at 20.00 Daily. If the software had already been installed then the detection rule would see it and the remediation (installing the software) would not run. If there's a newer version of the software the Applicability rule would prevent the older version installing. Provided a laptop has been on the network during the day to download the software and policy it will run provided it's on at 20:00.

Users get to understand that, if they want software they have to leave their computer powered on but logged off (not locked) at 20:00.

If you have lots of users who work late or shift systems you can change or add the Compliance Check schedule. I'd avoid doing it hourly as you then will catch PCs that are being turned on or shut down and the install may corrupt.

"So now I'm trying to find a way to detect if Chrome is installed, if not, install it "

The Detection Rule is to uniquely identify the piece of software in the Software Release, when the Compliance Check in a Managed Software Delivery Policy runs and detects it reports to the NS that the software is installed, it will appear in the list of Installed Software in the Computer Inventory.

To make sure that your Chrome Managed Software Delivery (MSD) gets applied to all PCs with Chrome you need to create a Filter of all computers with "chrome" in Add/Remove programs and apply the MSD to that.

Symantec will treat each version of Chrome as a separate Software Release because they are different releases. I've answered your other thread as to how to create one Software Product.

OK, thanks for trying to reign me in a bit. You are a very patient person. 
I am the only network person left (one retired, the other left on medical stuff) and the only one here who can deal with technical projects - assuming information is available.  I'm wearing more hats than I ever have before - and I normally wear a lot of them but this is not exactly intuitive. That's fine - but examples and "pictures" are helpful in those cases.

Sticking with the detection part. When you go to create a new detection rule, I think I worded that correctly, it opens a new "page" and the left pane already has "AND" present at the top. What if you want to look for EITHER of two things to exist - you are not allowed to change that top AND to OR.
So you end up with AND, and then below that OR, and then you look for file A OR file B - and the top AND does nothing?

I can see getting this wrong can cause undesired effects.

Deliverable software, (I wish it would allow me to create a product and not a release, but that's a different topic). I choose edit a software release, then go to the Rules tab, the top is Detection rule, below that Applicability rule.
Detection rule, if I choose new, I get a screen with AND already populated. That cannot be changed.
IF, for example, I wanted to find this file OR that file, the AND is in the way. I have to add OR below the existing default can't be deleted or changed AND.
So then I have AND OR. Why the AND if I want to see if either of two or more files exists?
Plus, the two icons differ - one is a FOLDER icon, the other a paper or page icon. (I tried to find an explanation of that but could not.)

But when I add an expression, say look for a static file, the icons change....... maybe it sort of makes sense....

Maybe if I knew what this example would do, I could eventually figure it out.
The AND I cannot change, if I could, it would be gone, as I'd ideally look only for File-A OR File-B but the AND is stuck there. So I have to add an OR. And I click on the OR to highlight it and I add an expression for file-A and another for file-B
I clicked on the AND and added another expression, file-C just so I could ask and refer to something I could SEE -
What would happen in THIS scenario, assume the top two expressions are for file-A and for file-B and the bottom one, which is more directly under the AND is for file-C.
What is the logic and the ORDER of logic? And can the AND ever be deleted if I only want it to look for A OR B.

And I will leave this one at that and not complicate it any further........



 

Now we are into more complexity as the applicability rule seems to be more for looking for the correct OS, 32 vs 64bit, etc.
But the biggest thing is - our users find ways to blame us even if it's their fault, and further, some of this is not what they WANT, but what they need or - what we want them to have - and if we imply that if the computer is off they won't get something, then more people will leave computers off. Yeah, that's social workers for you.
But with the shared computers, the shared laptops, those are not always on, and not always on the network, and seldom on after hours, etc. so we pretty much have to target computers during the day - we found with SCCM that because the prior person who ran that to push software and keep systems patched ran it over weekends. We hit a whopping 30-some percent success rate and our computers were found to be only about 25% in compliance with patches and updates.  We do not have management support in this because a very vocal middle-manager blames IT for all of their woes and all we do is prevent her slaves, uh, employees, from doing much more with much less and in less time. To suggest they spend 5 seconds connecting to a printer gets a huge pushback, we are supposed to do it for them.

Bottom line, if I don't do this so it actually installs during the "day", it's going to fail miserably. It's hard enough to get it to go then, but at least if something runs several times every single day, after a couple of weeks or so I can catch most, and in a month or two, I'll get close to 95%. (when someone decides to pay attention to us and turn the shared laptops back on and connect them to the network, taking them out of the desk drawer or off the closet shelf... and they wonder why the first connection in a month or two is SLOOOOOW for them and VPN struggles)

I have a solution for those cases where people keep computers locked and logged in - a scheduled reboot - it disables Bitlocker, counts to 5 and checks to ensure it's disabled, then uses the power control to reboot. A GPO enables Bitlocker again as soon as Windows launches.
But I find it doesn't matter if they stay logged in - almost everything I've tried to date doesn't care if they are logged in or not. We have people who ignore requests to reboot even once a week, some go over 25 or even 30 days - I find those people and schedule my reboot job to run every-other day at 6pm (when they are supposed to be out the door anyway) That way other patches and such will work - otherwise I was seeing large fail rates on some patches and updates, only to find the computer up time was over 2 weeks.

I'll have to check the appliplicability rules for newer vs. older versions. Normally an MSI install will fail if you try to install a version older than one present.........  I know I can compare versions in the detection rules. (although I have not tried it yet)

Actually, I want the managed software delivery to apply to computers that don't have, but need it, or to put the CORRECT type of Chrome on computers where people have downloaded the cheat version that installs to their profile.
But for now, I don't want it on ALL computers, just a list of computers that either do not have Chrome, or that have the wrong "personal" version and not the enterprise version. Correct the type of Chrome where they have it, install where they don't have it, but not all - not YET. A small group now, all later. I also need to find those with old versions and apply to those as well.

The problem with Chrome is that it exists in so many places, in so many ways.
People can install Chrome as a user with zero admin rights because Google snuck it through enterprise's locked doors by installing under the USER profile, so Chrome can be found installed under individual user names or profiles and not under any Program Files folder at all.
So one has to find where it's installed under the user profile, and go ahead and install the enterprise version which is SUPPOSED TO REMOVE the "private" version under a user profile first. Worse, confusing things further, the 64 bit version used to (maybe STILL DOES? Have not found the answer yet)
it used to install to the Program Files(x86) folder on 64 bit systems! So you could never tell - do they run the 32 bit or the 64 bit versions, both installed to the same Program Files(x86) folder!

I need to find Chrome installations in the user profiles, but not under Program Files so that it removes their snuck-in copy and install our enterprise version we can manage.
But I also need to find computers that do not have Chrome at all, and install it to those.

Then the problem of someone having a newer version than that I am pushing out, but the wrong bit or it's under their profile....... it will fail there.

* If it's 32 bit Chrome on a 64 bit system, I want to install the 64 bit version, removing the 32 bit version. Will the later 64bit version do this? Google doesn't have support on this, I tried Google, no response.

* If it is not installed at all, install it.

* If it is installed, but it is the snuck-in version under the user profile, install the correct enterprise 64 bit version.
Now Google does say the ENTERPRISE version is supposed to uninstall their personal version from under their profile and install my version (Google CLAIMS the enterprise version will do this!)

* Find 64bit versions installed under the Program Files(x86) folder........ and do what, leave them alone? undecided. Upodate it with the later 64 bit versions but Chrome is said to not move it, just update it.

If I create a software install policy that references a software build for the current Chrome, and in a month more computers need Chrome, it means I have to build a whole new package with the latest downloaded install MSI - because Google changes versions every few days. What I build today will install version 52.0.1234.5678 and that's fine for this week, but computers that get it next week will be getting an older version because Google will release version 52.0.3456.7890 by then.
That's the part I dislike - each time Google updates the Chrome browser, I cannot use the same install I used last week. And this will be in place forever - meaning as computers are imaged, changed, bought and placed into service, this is to run and install Chrome - but in 2 months the job I build today will be 2 months old and they will get an old version.

The fix? Let the PATCH MANAGER deal with that by creating patch policies because Chrome is listed along with the other MS stuff and the Flash and JAVA patches or updates.
The problem with that? Symantec says it applies to 0 computers!
A dozen computers have Chrome, some with versions from last spring, but the patch manager says the latest Chrome doesn't apply to any of our computers.
I'm about to open a case on that one because what's the point of the latest version showing up and being downloaded in patch manager, but it will never install to any computer, even WITH Chrome!
I need someone to remote in, and LOOK at our setup - and if necessary, tell me what _I_ did wrong, or figure out why it applies to no computers, even though we have had Chrome in here for years in IT - now we need it consistant, managed, and enterprise.
And I would like to find out how to install apps like Chrome and not have to build a NEW software install every time Chrome is updated, which is almost 2 times a month, sometimes more. I've rebuilt this install, importing new MSI install files 4 times already, I keep deleting and re-importing the latest files - can't simply copy them over because the things are version specific and build hashes. I want to install Chrome, not a specific version - always the latest, or, find a way to make this work.

So many things going on - can't get through the basic understanding when things like this keep popping up.

THIS is sort of holding me up - either I need to create a job that will install Chrome where I want it or need it installed and always do the latest version so I can stop recreating the packages and deleting and then recreating the Chrome in the software library, or get the "patch manager" to update with this - but even with Chrome installed on several computers, some for years, it says zero? What's up with that?

I will plan on controlling the updater and/or services via GPO now that I have the templates and they are in place, SORT OF configured, but I still must copy the master preferences into the folder because GPO can NOT do all that the master preferences file does, even Google support tells me this, as do many admins. You need both, master_preferences and group policy, so I must run the install, and then run a Chrome "update" job to copy the master preferences file in.

I have policies set up for these updates - but witht the zero, they never ever apply.

"Sticking with the detection part. When you go to create a new detection rule, I think I worded that correctly, it opens a new "page" and the left pane already has "AND" present at the top. What if you want to look for EITHER of two things to exist - you are not allowed to change that top AND to OR.
So you end up with AND, and then below that OR, and then you look for file A OR file B - and the top AND does nothing?"

Exactly right.

But in your example you've added file c so you've got

(File A OR File B) AND File C

Which is the same as File C AND (File A OR File B), the order isn't relevant.

You can't ever delete the top AND, there's no need to, if it's not used it's just "AND [nothing]", which has no effect on the outcome.

You could run a task that shuts Desktops down every night at midnight, power saving's important. Make sure the script checks for a time window, you can't rely on Symatec's script timing to be 100%.

Patches I am happy to install during the day. Then let the nightly shutdown or normal laptop usage take care of reboots.

Don't rely on MSI installs failing if there's a newer version, it's bad practice to lets installs run you know will fail, that's what Applicability rules are for. It's a good idea to let the Compliance Check run on a schedule, you don't want MSI installs failing over and over again.

I'm not sure what you mean by comparing versions in detection rules but don't forget, use Detection Rules only to detect for that specific version as, if it evaluates True, it reports back to Inventory that version of the software is installed.

OK. First off Patch Management won't help you with this because you want to install the latest Chrome to PCs that don't have it.

So you will have to create a Software Release for Chrome every time a new version is released. This is one reason using Group Policy to turn off the automating updating is a good idea, saves you having to add the Master Prefs Software Update in dependencies every time.

To get rid of user based installs you need to create an filter of PCs with Chrome in the user profile, you can do this using Inventory data. 

To get rid of user based installs you need to create a Software Release for each one with a different MSI GUID with a detection rule of MSI code AND chrome.exe in the user profile. Just needs a Command line with msiexec /x of Type Uninstall.

Then add all these uninstalls into the top of your Chrome Managed Software Delivery Policy with the advanced option of run in the user's context. So when the Policy runs to install Chrome it will first check if a user based install exists and uninstall that first.

In other words, "the AND is there. You either use it or not use it, stop worrying about it".  ;-)

OK, I think that part has finally sunk in. It appears you could look for the existance of, or version of, almost anything anywhere in any combination but I expect overly complex chains could slow things down or actually lead to errors and be less than helpful. I suspect I'd not really get much deeper than an example like that.
 

Our problem with actually shutting things down is that the computers then may remain that way, for days, weeks, or longer, then someone will decide to use them and have nothing but trouble, and suddenly we have a computer on the network that isn't secured against the latest threats, is days or weeks or longer behind on patches or updates, or even lacking in software.
The way our people do things, we must force the opposite - ensure all computers are on and on the network.
Due to the security risks of computers being offline for too long (and us not having a clue as to what happened to them - over half are in 30+ offices scattered all over the state of Iowa) and the fact that the state CIO says "thou shalt patch and keep current with all things lest you become unsecure and unpatched", we keep reminding people.......... and still some won't be turned on for days or weeks or longer then they call when something doesn't work or they have problems.
Worse, we run Bitlocker - with a PIN required. So a computer that is off, which then gets turned on, isn't really on because it stops at the Bitlocker login or PIN screen, never touching Windows. And if someone doesn't know the PIN to that computer, it's yet another helpdesk call (we are short-staffed there, too)

I do agree on the MSIs and changed one software install configuration I had - apparently the software, FireEye, supplied by central state IT, updates itself constantly. So my install was saying, gee, you don't have this exact file so we'll install this app - and it failed filling the logs with MSI entries "newer version already exists" or words to that effect. So I changed it - not sure why it did that as I never set up a VERSION check, but I changed it to look for a registry key value instead of a file and that solved the problem.
 

I missed this part earlier:
>> This is one reason using Group Policy to turn off the automating updating is a good idea, saves you having to add the Master Prefs Software Update in dependencies every time.<<
That's not why the master_preferences file exists - it is to configure parts of Chrome that the group policies will not, and to configure the "first launch" behavior, among other things.
The batch file that copies the master_preferences file also does set up the updating, or rather turns it pretty much off, but that's not the reason we use the master_preferences. We have to comply with some specific rules and policies and we need Chrome to launch for the first time for each user in specific ways - some of that isn't in group policies, found that out from Google as well as the state's Google person. They say we need both - master_preferences to make sure the very first time a person launches Chrome, or the first time a NEW person logs in and launches Chrome, they see or get, or not get, certain things.
Most of our computers are used by more than one person, so a computer that is used by Jane for 6 months may be used by 2 others now and then when Jane is away, or in some cases, the computers are actually shared computers. Each time a person launches Chrome for the first time on a given computer, it starts based on the master_preferences. From there either group policies or other settings take over.
Since Chrome may have been launched 3 times on a computer already by 3 different people, they will be set, but not Joe who logs into computer 104234 for the first time. Master_preferences does that.
I could make the batch file more simple - remove the parts that set other things up and have it copy the master_preferences file only, and do nothing else at all.

I could keep only the top two if exist lines and remove the rest.........

if exist "c:\Program Files\Google\Chrome\Application\chrome.exe" copy /y master_preferences "C:\program files\google\chrome\application\master_preferences" > "C:\program files\google\chrome\application\%ERRORLEVEL%.txt"
if exist "c:\Program Files (x86)\Google\Chrome\Application\chrome.exe" copy /y master_preferences "C:\program files (x86)\google\chrome\application\master_preferences" > "C:\program files (x86)\google\chrome\application\%ERRORLEVEL%.txt"

reg add HKLM\Software\Policies\Google\Update /f /v AutoUpdateCheckPeriodMinutes /d 0
sc stop gupdate
sc config gupdate start= disabled
sc config gupdatem start= disabled
SCHTASKS /Change /TN "GoogleUpdateTaskMachineCore" /DISABLE
SCHTASKS /Change /TN "GoogleUpdateTaskMachineUA" /DISABLE

>>

OK. First off Patch Management won't help you with this because you want to install the latest Chrome to PCs that don't have it.

So you will have to create a Software Release for Chrome every time a new version is released.<<

While the first is true - once all computers have it, I need to keep them current somehow. I thought that is what that part of patch management was for. If the software already exists - patch management sees the software exists and keeps it current based on the patch policies.
But you are saying that part doesn't work and I will forever, several times a month, at the very least, 1 or 2 times every month for all of my years here need to keep creating NEW Chrome installs?
I can see for new computers coming in, or those turned on after being offline for weeks, but if we go 2 months and all computers have Chrome - but they need to be UPDATED to the latest, I cannot use patch manager?
Apparently NOT! I say that because it refuses to update the dozen or so installs we have already, and it says applies to 0 computers. So why does Symantec even have Google in there if you can't update Chrome using patch manager? It will download the MSI file if I create a patch policy for it.

I know what you mean about the documentation being tough to get through. I tend to go back to these series of posts when I'm having trouble with a rule. This is the best guide available.

https://www.symantec.com/connect/articles/symantec-software-management-71-best-practices-part-2

The rules section is a nice quick reference when needed.