As a Chrome administrator, you can manage Chrome operating system (OS) updates for devices in your organization. Chrome releases a full OS update about every 4 weeks. Minor updates, such as security fixes and software updates, happen every 2–3 weeks. ChromeOS updates are differential, meaning they include the changes between the current and updated version. So, the download size depends on how big these changes are. If changes are small, the download is only a few hundred MB. But if the changes are big, the download is bigger and can go up to 2-3 GB in rare cases.
If you choose the Long-term support candidate (LTC) or Long-term support (LTS) release channel, devices receive cumulative feature updates every 6 releases, approximately every 6 months. Devices on the LTC or LTS channels continue to receive security fixes every 2 weeks.
To keep ChromeOS devices secure and up to date, we recommend using automatic updates. If your organization deploys thousands of devices or if you have bandwidth restrictions, you might need to customize how updates are deployed.
Configure auto-updates
Turn on auto-updates (recommended)By default, ChromeOS devices update to the latest version of Chrome when it’s available. We recommend that you keep the default auto-update settings. That way, your users' devices will automatically update to new versions of ChromeOS as they’re released on the Stable channel. Your users will get critical security fixes and new features as they become available.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettingsDevice settings.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Device update settings.
- Click Auto-update settings.
- Select Allow updates.
- Click Save.
If a ChromeOS release causes an issue in your organization, you can turn off auto-updates until the issue is resolved. Your users can no longer manually check for updates themselves.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettingsDevice settings.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Device update settings.
- Click Auto-update settings.
- Select Block updates.
- Click Save.
For P2P automatic updating to work:
- Your organization’s network needs to allow P2P connectivity.
- Multicast DNS (mDNS) shouldn’t be filtered or blocked on the local area network (LAN).
Customize updates
Pin ChromeOS updates to a specific versionNot recommended. Only the latest version of ChromeOS is supported.
By default, ChromeOS devices auto-update to the latest version of the channel that devices are using, except if they are pinned to a specific version. We recommend that users be on the latest version of Chrome, but sometimes you might need to specify which version your devices run. For example, a later version of ChromeOS might cause compatibility issues with tools in your organization. Or, you might find a critical issue while testing devices on the Beta channel.
ChromeOS devices can update from any version to the latest Stable version or the version that you pin using the Admin console, as long as devices are receiving automatic updates (including extended updates), and the update wasn’t skipped for that specific model. If the target version that is pinned is not available for a device, it will not receive any further updates. For more details, see Auto Update policy.
Note: If you pin devices to a version that’s older than n-3, auto-update might not work as expected. Currently we only support auto-update to version n-3 or later, where n is the current stable release.
You should avoid pinning to a certain version as much as possible. If you forget to unpin versions, devices can fall behind on critical security updates and miss out on new features.
Instead, consider switching devices to the LTC (Long-term support candidate) or Long-term support (LTS) channel. That way, devices continue to receive security fixes every 2 weeks, but they only get feature updates every 6 months. For details, see Long-term support on ChromeOS.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettingsDevice settings.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Device update settings.
- Click Auto-update settings.
- Select Allow updates.
- From Target version , select a ChromeOS version. Devices are prevented from updating to versions of ChromeOS beyond the version number you choose.
- (Optional) From Roll back to target version, select Roll back OS.
This specifies whether devices should roll back to the version that you specify in Target version, if they're already running a later version. - Click Save.
Troubleshooting
You can configure one or more of your devices to use the development (Dev) or Beta channel to help identify compatibility issues in upcoming versions of Chrome. For more information, see Chrome release best practices.
ChromeOS is currently available on 5 channels: Stable, Long-term support (LTS), LTS candidate (LTC), Beta, and Dev. By default, ChromeOS follows updates on the Stable channel. For information to help you decide which channel to have your users on, go to ChromeOS release best practices.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettingsDevice settings.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Device update settings.
- Click Auto-update settings.
- Select Allow updates.
- From Release channel , select a channel.
- Click Save.
Not recommended. Only the latest version of ChromeOS is supported.
You can release ChromeOS updates to devices using a staged rollout schedule. With a staged rollout, only a percentage of devices initially get the update. You can increase the percentage over time to gradually roll out updates to all devices in your organization. You can also set up gradual updates for specific groups or departments. The devices that you specify are chosen at random for each new rollout. The date that some devices update might be after a new release. You should choose the fewest days possible, such as 2 or 3. If you roll out updates over a longer period, some users might fall behind by more than one version. Download and view this example staged rollout policy exception scenario.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettingsDevice settings.
-
To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Device update settings.
- Click Auto-update settings.
- From Rollout plan, select Roll out updates over a specific schedule.
- From Staging Schedule, enter the number of days to wait after the update and the percentage of devices to update.
- (Optional) To gradually increase the percentage over time, click Add and enter the number of days to wait and the percentage of devices.
- Enter the number of days since the update when all devices should be updated.
- Click Save.
You can specify the days and times when Chrome temporarily stops automatic checks for updates. If the device is in the middle of an update, Chrome will temporarily pause the update. You can set as many blackout windows as you need. Manual update checks that users or admins initiate during a blackout window are not blocked.
Note: Setting this policy might affect the staging schedule, as devices cannot download auto-updates during blackout windows.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettingsDevice settings.
-
To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Device update settings.
- Click Auto-update settings.
- Select Allow updates.
- From Additional blackout windows, enter the set of hours during which to block updates. For example, you can choose to block mid-week automatic updates, during the hours of Monday at 6am to Friday at 8.30pm.
- (Optional) To block updates during additional time periods, click ADD A NEW SET OF HOURS and enter the start and end time of the blackout window. For example, you can choose to block midday automatic updates, by adding a separate set of hours for each day of the week.
- Click Save.
If your organization is deploying thousands of ChromeOS devices or you have network bandwidth restrictions, consider scattering automatic updates. You can scatter updates over a period of days, but you should choose the fewest days possible, such as 2 or 3. If you scatter updates over a longer period, some users might fall behind by more than one version.
The downloads occur at various times during this period to avoid causing traffic spikes that can impact old or low-bandwidth networks. Devices that are offline during this period download the update when they go back online.
You should set this policy to its default (none) or a low number unless you know your network cannot handle traffic spikes. A low number lets users benefit from new Chrome enhancements and features quicker. It also minimizes the number of concurrent versions in your organization and simplifies change management during the update period.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettingsDevice settings.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Device update settings.
- Click Auto-update settings.
- From Rollout plan, select Scatter updates.
- From Randomly scatter auto-updates over, select the period of time to scatter the updates, for example, 2 or 3 days.
- Click Save.
You can set the notification period to tell users that they need to restart their ChromeOS devices to apply pending updates. You can force devices to automatically restart after the specified time has passed.
For details, see Notify users to restart to apply pending updates.
After an update gets applied to a ChromeOS device, users restart their devices for it to take effect. They get a notification prompting them to restart, but they might not restart the device for some time.
If you want devices to restart sooner, you can sign users out when the device lid is closed. That way, if a user doesn’t restart a device after an update and then closes the lid, the device restarts and completes the update.
Be sure to let users know that they should save their work before they close the lid so they don't lose it.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettings. The User & browser settings page opens by default.
If you signed up for Chrome Enterprise Core, go to Menu Chrome browserSettings.
-
To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Power and shutdown.
- Click Idle Settings.
- From Action on lid close, select Logout.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit.
If your organization has an intermediate proxy cache set up on its network, you can use it to cache ChromeOS updates. Because these updates are downloaded from Google over HTTP, they can be cached on most web-caching proxy servers. Proxy caches reduce bandwidth and improve response times by caching and reusing frequently requested webpages.
However, many proxy cache default settings aren’t optimal for ChromeOS updates. To make sure that your proxy cache software can cache ChromeOS updates, experienced IT administrators can configure the following settings:
- Maximum file object size—The maximum individual file size that the proxy will cache. For most web-caching proxy servers, the default maximum is smaller than the average ChromeOS update. Updates are downloaded as one file, so make sure that the maximum file object size is at least 1 GB.
- Cache directory size—By default, some web-caching proxy servers cache objects in memory. Most of these servers can also be configured to cache to disk. Ensure that the cache has adequate storage space, either in memory or on disk. Browsers retrieve objects cached in memory faster than on the hard disk.
- URL settings—If the server allows you to add settings for particular domains, give preference to dl.google.com, which is where devices get ChromeOS updates.
- Maximum object size in memory—Servers don't keep objects larger than the specified value in memory. This value needs to be set high enough to keep ChromeOS updates in memory, but low enough to keep larger objects from hoarding the cache memory. Set the maximum object size in memory at a reasonable limit, such as 2,000 KB.
- Cache space on disk—The total amount of hard disk space that the server can use to cache objects. If you have a large hard drive (more than 30 GB), you can increase the value to cache more objects.