Mac Silent Deployment

Introduction

Pushing out an application to hundreds or thousands of users is a task faced by many IT professionals, and there is no shortage of tools (like JAMF) attempting to simplify it. All of them are similar in that they assume an installer of some kind. For Apple's line of macOS operating systems, this generally involves a mountable dmg with an installer package contained within. Our Computer Backup Installer for macOS is no different. The key difference, however, is that deploying the client silently takes a few unique steps to make the process work as smoothly as possible. In this article, we will go over the various types of silent deployment and the steps needed in preparation.

In this article, we will go over the following scenarios:

  • Using the installer through the command line
  • Using our shell script to silently deploy without JAMF
  • Using our shell script to silently deploy with JAMF

 

Let's go over the two main types of deployments we see.

Decentralized Deployment "User-Managed Account"

The email parameter that is passed by the script will need to be unique to each user related to the endpoint at runtime.

Decentralized deployments involve an account for each endpoint that is then part of your business group which manages payment and admin activity (if enabled). In this scenario, the end-user will have access to their own data through the Backblaze portal.

  • Within the context of this guide, this requires a JAMF Pro environment to be set up. 
  • If you don't have a JAMF Pro setup, you will need to fill in a relevant email for each deployment. Custom scripting around the bash script below can pass these values in at runtime.

 

Centralized Deployment "IT Managed Account" 

Hardcode the primary email as it will stay static.

In a centralized deployment, every endpoint is logged into a primary Backblaze account that is managed by IT. In this scenario the end-user will not have access to their data on Backblaze; they will need to contact whoever manages that centralized account. These deployments are quite simple, as the email passed to the installer doesn't change per endpoint.

  • In scenarios where JAMF is involved, hardcoding an email will skip the step related to querying the JAMF Pro API

 

Due to Apple's increasing security measures for macOS (Mojave and onward), there is an additional step: distributing a configuration that allows the Backblaze client full access to the disk. This process is documented here.

 

Prerequisites

  • Mac OS 10.9 and above
  • Active Backblaze Group
  • <email> and <password> are required for all deployments.
    • <email> is either a static centralized IT email or a dynamic email related to the particular deployment.
    • <password> is specific to the account being logged in.
      • This value can be anything for new account deployments (-createaccount). However, we recommend setting it to something static across all deployments, as you will need to recall it if the user endpoint needs to be deployed to again using -signin.
      • In SSO environments, the password set here is considered your silent installer password. You will still need it for any future deployments using -signin.
  • <groupID> and <groupToken> are required for create (new) account deployments. These can be retrieved from your Backblaze portal through the following steps:
    1. Log into your portal and navigate to “Group Management”, then to the group we are deploying for. Select “Send Invites”.
    2. Select “Advanced Instructions” on the following screen. The two parameters you see at the end of the command are your groupID and groupToken values respectively. You will need these two values for the rest of this documentation.

Backblaze Installer

The most up-to-date version of our macOS installer can be found here:

https://secure.backblaze.com/mac/install_backblaze.dmg

The macOS package is controlled through the following parameters passed through Terminal.

Create Account Mode: -createaccount

For deployments involving a user who doesn't have a Backblaze account yet.

sudo /Volumes/Backblaze\ Installer/Backblaze\ Installer.app/Contents/MacOS/bzinstall_mate -nogui -createaccount <email> <password> <groupid> <grouptoken>
  • (Required) <email> = email
  • (Required) <password> = password
  • (Required) <groupid> = groupID
  • (Required) <grouptoken> = groupToken

 

Sign In Account Mode: -signin

For deployments involving a user who already has a Backblaze account and is part of the group.

sudo /Volumes/Backblaze\ Installer/Backblaze\ Installer.app/Contents/MacOS/bzinstall_mate -nogui -signin <email> <password>
  • (Required) <email> = email
  • (Required) <password> = password

 

Update Mode: -upgrade

For deployments involving a user who already has Backblaze installed and just needs an update.

sudo /Volumes/Backblaze\ Installer/Backblaze\ Installer.app/Contents/MacOS/bzinstall_mate -upgrade bzdiy

 

 

Shell Script

The shell script was written to make interfacing with the different commands you saw in the earlier section easier. With it, we can handle the following workflows dynamically.

  • Handle both new account deployments (-createaccount) and existing account deployments (-signin) automatically without having to dictate ahead of time per deployment
  • Upgrade deployments that already have the software installed/running
  • Handle JAMF Pro environments that are looking to use a decentralized deployment (Details in next section)

 

Gist of our latest macOS script

 

 

Non-JAMF Deployment

Before running the script you will need to hardcode in a few values depending on the type of deployment you are looking to do.

 

username="$3"
groupid="$4"
grouptoken="$5"
email="$6"
password="$7"

 

The $3-7 variables are used for JAMF Pro deployments. If you are not using JAMF Pro, replace those variables with strings as follows.

  • (Required) username="username" lets the script set the directory to the proper user, so that an RMM tool does not leave us stuck in its own working directory.
  • (Required) groupid="groupID"
  • (Required) grouptoken="groupToken"
  • (Required) email="email"
  • (Required) password="password"

The rest of the variables we can ignore since they are JAMF related. The script will automatically ignore any processes related to JAMF.

The script will automatically run an update on any endpoint if it finds Backblaze is already installed. 

 

JAMF Pro Deployment

Our script also supports deployments using JAMF as it is able to query directly from the JAMF Pro API to retrieve emails dynamically for each deployment. This is perhaps the easiest way to accomplish a decentralized deployment. This does mean that there are a few additional prerequisites before we can start with this section. 

Prerequisites

Jamf Setup

  • Jamf Pro server (formerly JSS) is either hosted on a server or in the Jamf Cloud
  • Jamf Pro - this suite includes tools such as Jamf Admin/Imaging/Remote, Composer and Recon (these tools were formerly known as Casper tools).
  • A Jamf enrollment user. This gives the script read access to the user object through the JAMF API, which we use to gather the email related to the particular endpoint.
  • Before you start, please make sure that you have a good understanding of how a Jamf policy is set up, how to set up a script for a Jamf policy, and how to set up environment variables in the policy that will be passed into the script when the script is executed on the remote machine. Jamf provides detailed documentation regarding policy configuration.

Setting up Jamf to deploy Backblaze on Mac:

  • Create an "Enrollment" user account for the script to complete the API calls needed to retrieve emails.
  • Upload the deployment script you saw earlier in this article as a JAMF Script.
  • We recommend filling out parameter labels as follows for easier usage of the script once imported into a policy.
  • Create a Backblaze Deployment Policy with the script imported as a step.
    • You will see the parameter descriptions as we set them in the last step. Each of these parameters maps to a variable in the script, communicated by $4-10.
      • Group ID and Group Token correspond to the values we gathered earlier in this article. These should stay static across all deployments, assuming they are all going to be related to the same group.
      • Email can be left blank, as we are querying your JAMF Pro API to retrieve the email related to each endpoint.
      • Password, as discussed earlier in this article, can be kept static so that all your endpoints have a related silent installer password. Changing it between deployments will cause errors with future deployments that involve signing in to an existing account.
      • JAMF Domain will be your environment domain: <domain>.jamfcloud.com
      • JAMF Username will be the username related to the enrollment user we created earlier.
      • JAMF Password will be the password related to the enrollment user we created earlier.

 

Your Backblaze Client Policy is now complete. Once the policy runs, the Backblaze client will be installed and start backing up the computer immediately.
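
How the email for an endpoint can be resolved and checked before it reaches the installer, as an added example that is not Backblaze's script: a hardcoded email wins (centralized deployment), otherwise the address is read from the Jamf record (decentralized deployment). The record shape (an XML location record with an <email_address> element), the function names and the conservative character allowlist are assumptions, and the sample XML is constructed.

```sh
#!/bin/sh
# Added example, not Backblaze's script. SAMPLE_JAMF_XML is constructed and
# assumes a location record carrying an <email_address> element.
SAMPLE_JAMF_XML='<?xml version="1.0" encoding="UTF-8"?>
<computer><location>
  <username>jdoe</username>
  <email_address>jdoe@example.com</email_address>
</location></computer>'

# Read a Jamf record on stdin and print the text of <email_address>, if any.
jamf_email_from_xml() {
  tr -d '\r\n' | sed -n 's:.*<email_address>\([^<]*\)</email_address>.*:\1:p'
}

# Conservative check before the value is handed to the installer:
# only [A-Za-z0-9@._+-], exactly one "@", a dot in the domain, and no
# leading "-" (so it can never be read as an installer option).
is_plausible_email() {
  case "$1" in
    *[!A-Za-z0-9@._+-]*|*@*@*|-*) return 1 ;;
    ?*@?*.?*) return 0 ;;
    *) return 1 ;;
  esac
}

# resolve_email HARDCODED_EMAIL < jamf_record.xml
# Non-empty HARDCODED_EMAIL: centralized deployment, the record is not read.
# Empty: decentralized deployment, the email must come from the record.
resolve_email() {
  if [ -n "$1" ]; then
    candidate="$1"
  else
    candidate="$(jamf_email_from_xml)"
  fi
  is_plausible_email "$candidate" || return 1
  printf '%s\n' "$candidate"
}
```

A non-zero return from resolve_email means the deployment should stop rather than call the installer with an empty or malformed email.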


Post Installation:

If you added members to a non-auto accept group, the group admin will need to accept these users from the Requesting Membership list on the Invite & Approve page of the group admin account. 

Please ask your group members to follow the Forgot Password directions from this help article to set an initial password if you used “none” for the password in the script.

Once Backblaze is installed on the end user’s computer, they will receive a Welcome to Backblaze email that will let them know that their data will be securely backed up to Backblaze. The email will describe the service and offer them some tips and guidelines.

 

Troubleshooting:

Please note, a successful installation will result in a BZERROR:1001.

If you see other output error codes, here are potential issues:

  • BZERROR:190 - The System Preferences process is running on the computer. Close System Preferences and retry the installation. (This shouldn't appear as the script should be closing
  • BZERROR:1000 - This is a general error code. One possible reason is that the Backblaze installer doesn't have root permissions and is failing. Please see the install log file for more details.
  • BZERROR:1016 - The intended email address already has a Backblaze account, the group ID is incorrect, or the group token is incorrect.

The (remote) computer's Backblaze install log is located in: /Library/Backblaze.bzpkg/install_log/install_logNN.log, where NN represents the two-digit number that corresponds to the day of month of the installation (e.g. install_log08.log).

If you are unable to successfully install or see a different error, please contact our Support team. Please provide Support with the install log from the computer you are unable to silently install on.
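
The three installer modes and the error codes above, tied together in one wrapper, as an added example that is not Backblaze's script: it builds the bzinstall_mate arguments for the chosen mode, treats only BZERROR:1001 as success, and points to the day's install log otherwise. It assumes the script already runs as root and that the installer prints its BZERROR line to standard output or error; the function names and the BZ_INSTALLER override are hypothetical.

```sh
#!/bin/sh
# Added example, not Backblaze's script. Assumes it runs as root and that
# bzinstall_mate prints its BZERROR:<n> line to stdout or stderr.
# BZ_INSTALLER may be overridden to point at a stub when testing off-device.
BZ_INSTALLER="${BZ_INSTALLER:-/Volumes/Backblaze Installer/Backblaze Installer.app/Contents/MacOS/bzinstall_mate}"

# Print the last BZERROR code found in the given installer output.
bz_error_code() {
  printf '%s\n' "$1" | sed -n 's/.*BZERROR:\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Install log path for a day of month (default: today), e.g. install_log08.log.
bz_install_log() {
  day="${1:-$(date +%d)}"
  day="${day#0}"    # "08" -> "8", so printf does not parse it as octal
  printf '/Library/Backblaze.bzpkg/install_log/install_log%02d.log\n' "$day"
}

# bz_install MODE [EMAIL PASSWORD [GROUPID GROUPTOKEN]]
# Returns 0 only on BZERROR:1001, 2 on bad arguments, 1 on anything else.
bz_install() {
  [ "$#" -ge 1 ] || return 2
  mode="$1"; shift
  case "$mode" in
    createaccount) [ "$#" -eq 4 ] || return 2; set -- -nogui -createaccount "$@" ;;
    signin)        [ "$#" -eq 2 ] || return 2; set -- -nogui -signin "$@" ;;
    upgrade)       set -- -upgrade bzdiy ;;
    *)             return 2 ;;
  esac
  for arg in "$@"; do [ -n "$arg" ] || return 2; done   # reject empty values
  # Each value stays one quoted argument, so spaces or shell metacharacters
  # in a password cannot split or alter the command line.
  out="$("$BZ_INSTALLER" "$@" 2>&1)" || true
  code="$(bz_error_code "$out")"
  case "$code" in
    1001) return 0 ;;
    190)  echo "BZERROR:190: System Preferences is running; close it and retry" >&2 ;;
    1016) echo "BZERROR:1016: email already has an account, or group ID/token is wrong" >&2 ;;
    1000) echo "BZERROR:1000: general error; check that the installer ran as root" >&2 ;;
    *)    echo "unrecognised installer result: ${code:-no BZERROR line}" >&2 ;;
  esac
  echo "install log: $(bz_install_log)" >&2
  return 1
}
```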
