Introduction
Pushing out an application to hundreds or thousands of users is a task faced by many IT professionals, and there is no shortage of tools (like JAMF) attempting to simplify this. All of them have some similarities in that they assume an installer of some kind. For Apple's line of macOS operating systems, this generally involves a mountable dmg with an installer package contained within. This is no different for our Computer Backup Installer for macOS. The key difference, however, is that deploying the client silently requires a few unique steps to make the process work as smoothly as possible. In this article, we will go over the various types of silent deployment and the steps needed in preparation.
We will cover the following scenarios:
- Using the installer through the command line
- Using our shell script to silently deploy w/o JAMF
- Using our shell script to silently deploy with JAMF
Let's go over the two main types of deployments we see.
Decentralized Deployment "User-Managed Account"
The email parameter that is passed by the script will need to be unique to each user related to the endpoint at runtime.
Decentralized deployments involve an account for each endpoint that is then part of your business group which manages payment and admin activity (if enabled). In this scenario, the end-user will have access to their own data through the Backblaze portal.
- Within the context of this guide, this requires a JAMF Pro environment to be set up.
- If you don't have a JAMF Pro setup you will need to fill in a relevant email for each deployment. Custom scripting can be involved with the bash script below to actively pass these values in at runtime.
Centralized Deployment "IT Managed Account"
Hardcode the primary email as it will stay static.
In a centralized deployment, every endpoint is logged into a primary Backblaze account that is managed by IT. In this scenario the end-user will not have access to their data on Backblaze; they will need to contact whoever manages that centralized account. These deployments are quite simple, as the email passed to the installer doesn't change per endpoint.
- In scenarios where JAMF is involved, hardcoding an email will skip the step related to querying the JAMF Pro API
Due to Apple's increasing security measures for macOS (Mojave and onward), there is an additional step of distributing a configuration to allow the Backblaze client full access to the disk. This process is documented here.
Prerequisites
- macOS 10.9 and above
- Active Backblaze Group
- (Required) <email>
  - Either a static centralized IT email or a dynamic email related to the particular deployment.
- (Required) <groupID> and <groupToken>
  - These two values are used as authentication to log in the passed email parameter.
  - The script will fail to deploy if the email account is not a user within the group.
  - These can be retrieved from your Backblaze portal through the following steps:
    - Log into your portal, navigate to “Group Management”, and then to the group we are deploying for. Select “Send Invites”.
    - Select “Advanced Instructions” on the following screen. The two parameters you see at the end of the command are your groupID and groupToken values respectively. You will need these two values for the rest of this documentation.
- (Optional) <region>
  - This is an optional parameter used for deployments that would like to specify what region an email account will be deployed to. Values are either us-west or eu-central.
Backblaze Installer
Our current most up-to-date version of our macOS installer can be found here
The macOS package is controlled through the following parameters passed through Terminal.
Sign In Account Mode:
For deployments involving a user who doesn't have a Backblaze account yet.
sudo /Volumes/Backblaze\ Installer/Backblaze\ Installer.app/Contents/MacOS/bzinstall_mate -nogui -createaccount_or_signinaccount <email> <groupid> <grouptoken>
- (Required) <email> = email
- (Required) <groupid> = groupID
- (Required) <grouptoken> = groupToken
Create Account Mode with Region:
For deployments involving a user who already has a Backblaze account and is part of the group.
sudo /Volumes/Backblaze\ Installer/Backblaze\ Installer.app/Contents/MacOS/bzinstall_mate -nogui -createaccount_or_signinaccount <email> <groupid> <grouptoken> <region>
- (Required) <email> = email
- (Required) <groupid> = groupID
- (Required) <grouptoken> = groupToken
- (Optional, for deployments that need accounts in specific regions) <region> = region
Update Mode: -upgrade
For deployments involving a user who already has Backblaze installed and just needs an update.
sudo /Volumes/Backblaze\ Installer/Backblaze\ Installer.app/Contents/MacOS/bzinstall_mate -upgrade bzdiy
Shell Script
The shell script was written to make interfacing with the different commands you saw in the earlier section easier. Using it, we can handle the following workflows dynamically.
- Handle both new account deployments (-createaccount) and existing account deployments (-signin) automatically without having to dictate ahead of time per deployment
- Upgrade deployments that already have the software installed/running
- Handle JAMF Pro environments that are looking to use a decentralized deployment (Details in next section)
Gist of our latest macOS script
Non-JAMF Deployment
Before running the script you will need to hardcode in a few values depending on the type of deployment you are looking to do.
username="$3"
groupid="$4"
grouptoken="$5"
email="$6"
region="$7"
The $3-7 variables are used for JAMF Pro deployments. If you are not using JAMF Pro, replace those variables with strings as follows.
- (Required) username="username" allows us to set the directory to the proper user, which prevents any RMM tool from leaving us stuck in its working directory.
- (Required) groupid="groupID"
- (Required) grouptoken="groupToken"
- (Required) email="email"
- (Optional) region="region"
The rest of the variables we can ignore since they are JAMF-related. The script will automatically ignore any processes related to JAMF.
The script will automatically run an update on any endpoint if it finds Backblaze is already installed.
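For a decentralized deployment without JAMF Pro, the per-endpoint email has to come from somewhere at runtime, and every value ends up on a command line that runs as root. The following is an added example, not part of Backblaze's script: it looks up the email for a hostname and validates all values before calling the installer. The "hostname,email" CSV file and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Backblaze's script): resolve and validate deployment
# values before they are handed to bzinstall_mate, which runs as root.

BZ_INSTALLER="/Volumes/Backblaze Installer/Backblaze Installer.app/Contents/MacOS/bzinstall_mate"

# Print the email mapped to hostname $1 in CSV file $2 ("hostname,email" per
# line; this file format is an assumption). Fails if the host has no entry.
bz_lookup_email() {
    awk -F, -v host="$1" '$1 == host { print $2; hit = 1; exit } END { exit !hit }' "$2"
}

# Return 0 only if every value is acceptable; $4 (region) may be empty.
bz_validate() {
    case "$1" in
        *[!A-Za-z0-9._%+@-]*|*@*@*) echo "bad email: $1" >&2; return 1 ;;
        ?*@?*.?*) ;;
        *) echo "bad email: $1" >&2; return 1 ;;
    esac
    for v in "$2" "$3"; do
        case "$v" in
            ""|*[[:space:]]*)
                echo "groupID/groupToken is empty or contains whitespace" >&2
                return 1 ;;
        esac
    done
    case "$4" in
        ""|us-west|eu-central) ;;
        *) echo "region must be us-west or eu-central" >&2; return 1 ;;
    esac
}

# Run the installer with every value quoted; region is appended only when set.
bz_install() {
    bz_validate "$1" "$2" "$3" "${4:-}" || return 1
    sudo "$BZ_INSTALLER" -nogui -createaccount_or_signinaccount \
        "$1" "$2" "$3" ${4:+"$4"}
}
```

A caller would run `bz_install "$(bz_lookup_email "$(hostname)" /path/to/map.csv)" "$groupid" "$grouptoken" "$region"` once the installer dmg is mounted.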
JAMF Pro Deployment
Our script also supports deployments using JAMF as it is able to query directly from the JAMF Pro API to retrieve emails dynamically for each deployment. This is perhaps the easiest way to accomplish a decentralized deployment. This does mean that there are a few additional prerequisites before we can start with this section.
Prerequisites
Jamf Setup
- Jamf Pro server (formerly JSS) is either hosted on a server or in the Jamf Cloud
- Jamf Pro - this suite includes tools such as Jamf Admin/Imaging/Remote, Composer and Recon (these tools were formerly known as Casper tools).
- A created Jamf enrollment user. This allows the script read access to the user object through the JAMF API, which we use to gather the email related to the particular endpoint.
- Before you start, please make sure that you have a good understanding of how a Jamf policy is set up, how to set up a script for a Jamf policy, and how to set up environment variables in the policy that will be passed into the script when the script is executed on the remote machine. Jamf provides detailed documentation regarding policy configuration.
Setting up Jamf to deploy Backblaze on Mac:
- Create an "Enrollment" user account for the script to complete API calls needed to retrieve emails.
- Upload the deployment script you saw earlier in this article as a JAMF Script.
- We recommend filling out parameter labels as follows for easier usage of the script once imported into a policy.
- Create a Backblaze Deployment Policy with the script imported as a step.
- You will see the parameter descriptions as we set them in the last step. Each of these parameters maps to the variables in the script communicated by $4-10.
  - Group ID and Group Token correspond to the values we gathered earlier in this article. These should stay static across all deployments, assuming they are all going to be related to the same group.
  - Email we can leave blank, as we are querying your JAMF Pro API to retrieve the email related to each endpoint.
  - Region should be set only to us-west or eu-central.
  - JAMF Domain will be your environment domain: <domain>.jamfcloud.com
  - JAMF Username will be the username related to the enrollment user we created earlier.
  - JAMF Password will be the password related to the enrollment user we created earlier.
Your Backblaze Client Policy is now complete. Once the policy runs, the Backblaze client will be installed and start backing up the computer immediately.
Post Installation:
If you added members to a non-auto accept group, the group admin will need to accept these users from the Requesting Membership list on the Invite & Approve page of the group admin account.
Once Backblaze is installed on the end user’s computer, they will receive a Welcome to Backblaze email that will let them know that their data will be securely backed up to Backblaze. The email will describe the service and offer them some tips and guidelines.
Troubleshooting:
Please note, a successful installation will result in a BZERROR:1001.
If you see other output error codes, here are potential issues:
- BZERROR:190 - The System Preferences process is running on the computer. Close System Preferences and retry the installation. (This shouldn't appear as the script should be closing
- BZERROR:1000 - This is a general error code. One possible reason is that the Backblaze installer doesn't have root permissions and is failing. Please see the install log file for more details.
- BZERROR:1016 - The intended email address already has a Backblaze account, the group ID is incorrect, or the group token is incorrect.
The (remote) computer's Backblaze install log is located in: /Library/Backblaze.bzpkg/install_log/install_logNN.log, where NN represents the two-digit number that corresponds to the day of month of the installation (e.g. install_log08.log).
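Because a successful install reports BZERROR:1001, a management tool that matches on the word "ERROR" would flag every good deployment as failed. The following added example (not part of Backblaze's script) extracts the code from captured installer output, maps it using only the codes listed above, and builds the install log path for a given day. The sample output text is constructed; only the BZERROR:<code> token is taken from this article.

```shell
#!/bin/sh
# Added example (not Backblaze's script): interpret bzinstall_mate output.

# Print the last BZERROR code found in the captured output ($1), or nothing.
bz_error_code() {
    printf '%s\n' "$1" | sed -n 's/.*BZERROR:\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Map the code to a one-line result, using only the codes listed in this article.
bz_classify() {
    code=$(bz_error_code "$1")
    case "$code" in
        1001) echo "success" ;;
        190)  echo "retry: System Preferences is running" ;;
        1000) echo "failed: general error (check root permissions and install log)" ;;
        1016) echo "failed: account already exists, or groupID/groupToken is incorrect" ;;
        "")   echo "unknown: no BZERROR code in output" ;;
        *)    echo "failed: unlisted code $code (send the install log to Support)" ;;
    esac
}

# Exit status for the management tool: 0 only when the installer reported 1001.
bz_succeeded() {
    [ "$(bz_error_code "$1")" = "1001" ]
}

# Path of the install log for day-of-month $1 (defaults to today).
# The leading zero is stripped first so that 08 and 09 are not read as octal.
bz_log_path() {
    day=${1:-$(date +%d)}
    printf '/Library/Backblaze.bzpkg/install_log/install_log%02d.log\n' "${day#0}"
}

# Constructed sample output; only the BZERROR:<code> token comes from the article.
sample='Installing Backblaze...
BZERROR:1001'
echo "$(bz_classify "$sample"); log: $(bz_log_path 08)"
```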
If you are unable to successfully install or see a different error, please contact our Support team. Please provide Support with the install log from the computer you are unable to silently install for.