How to install the Backblaze Client Silently with Jamf (Decentralized)

    Backblaze Backup Client v10 supports automated deployment through Jamf Pro using a decentralized deployment model. In this model, Jamf Pro handles installation and deployment orchestration, while each endpoint is associated with its own Backblaze account during onboarding.

    This deployment method allows administrators to deploy Backblaze across many managed macOS devices without creating separate Jamf policies for individual users or hardcoding account information into deployment scripts.

    Use this deployment model when:

    • each device should sign in using its assigned user’s Backblaze account,
    • Jamf Pro is used as the primary macOS management platform,
    • deployment identity should be resolved dynamically at install time,
    • centralized administrative enrollment is not required.

    For more information about this deployment model, see How to install the Backblaze Client Silently with Jamf (Centralized).

    How the Decentralized Deployment Model Works

    The Jamf Pro deployment workflow consists of the following steps:

    1. A Jamf policy runs the Backblaze installation script on the endpoint.
    2. The script installs or upgrades the Backblaze client.
    3. The script uses the Jamf Pro API to identify the email address that is associated with the target device.
    4. The script uses the resolved email address during the Backblaze onboarding process.
    5. The endpoint completes installation using its assigned Backblaze account.

    This allows a single Jamf policy to be reused across many managed devices without requiring separate user-specific deployment configurations.

    Prerequisites

    Before you deploy Backblaze client v10 with Jamf Pro, ensure that the following requirements are met.

    Jamf Pro API Access

    This deployment model requires Jamf Pro API access.

    The installation script uses the Jamf API to retrieve device assignment information and determine which Backblaze account should be associated with the endpoint.

    Create or configure a Jamf API account with permission to:

    • read computer inventory,
    • read assigned user information,
    • authenticate through the Jamf Pro API.

    Jamf Pro API Role and Client Permissions

    This deployment model requires a dedicated Jamf Pro API Client with read-only access to the device and user records that are used during onboarding.

    The API Client must be assigned an API Role with the following Jamf Pro privileges:

    • Read Computers
    • Read Computer Inventory Collection
    • Read Computer Inventory Collection Settings
    • Read Computer Extension Attributes
    • Read User
    • Read User Extension Attributes

    These privileges allow the deployment script to authenticate to Jamf Pro, retrieve the target Mac record, read inventory and assignment fields, and resolve the email address for the assigned user.

    Backblaze recommends that you use a dedicated read-only API Client for this workflow and assign only the permissions that are required for deployment.

    Jamf Inventory and User Assignment Data

    The deployment workflow depends on accurate Jamf inventory data.

    Devices should already have:

    • assigned users,
    • valid email addresses,
    • correctly populated inventory records.

    If user assignment data is incomplete or missing, onboarding may fail.

    Backblaze Group Configuration

    Before deployment, confirm the following values:

    • Group ID
    • Group Token
    • Backblaze region
    • onboarding approval behavior

    Depending on your Backblaze group configuration, administrator approval may still be required after endpoints submit onboarding requests.

    For assistance, see Locate a Group ID and Authentication Token.

    License Availability

    Ensure that sufficient Backblaze licenses are available before large-scale deployment.

    macOS Privacy and Configuration Profile Requirements

    Backblaze client v10 requires several macOS privacy and background service permissions in managed environments.

    Deploy the required configuration profiles through Jamf Pro before installation.

    Recommended Configuration Profiles

    Full Disk Access

    Backblaze requires Full Disk Access to protect and back up user data.

    Recommended profile:

    • PPPC-Backblaze-FDA.mobileconfig

    Bundle ID:

    • com.backblaze.backblaze

    Background Service and Menu Component Access

    Recommended profile:

    • PPPC-Backblaze-bzbmenu-FDA.mobileconfig

    Managed Login Items for macOS 13+

    Recommended profile:

    • Backblaze-Managed-Login-Items.mobileconfig

    Optional Profiles

    Depending on organizational policy, you may also deploy location-related permissions:

    • PPPC-Backblaze-LocationServices.mobileconfig
    • PPPC-Location-Backblaze.mobileconfig

    Reference configuration profiles are maintained in the Backblaze RMM repository:

    Required Deployment Parameters

    The decentralized deployment workflow requires both Backblaze enrollment values and Jamf Pro API configuration.

    | Category | Parameter | Purpose |
    |---|---|---|
    | Backblaze Enrollment | Group ID | Identifies the target Backblaze group. |
    | Backblaze Enrollment | Group Token | Authorizes device enrollment into the group. |
    | Backblaze Enrollment | Region | Defines the Backblaze environment that is used during onboarding. |
    | Jamf Pro API | Jamf Pro URL | Specifies the Jamf tenant that is used for device lookup. |
    | Jamf Pro API | API Client ID | Authenticates the deployment script to Jamf. |
    | Jamf Pro API | API Client Secret | Authenticates the deployment script to Jamf. |
    | Identity Resolution | Assigned user email | Determines which Backblaze account is associated with the endpoint. The assigned user email address must already exist in the Jamf inventory and user assignment data before deployment. |
    | Identity Validation | Allowed email domain (optional) | Restricts onboarding to approved domains. |
    | Installer Source | Backblaze DMG URL | Specifies the Backblaze installer source. |

    Warning
    Never publish or hardcode real Group IDs, Group Tokens, API client secrets, or customer-specific deployment values in public repositories, screenshots, or documentation.

    Store sensitive deployment values securely using Jamf policy parameters or approved secret-management workflows.

    Deployment Script and Repository References

    Backblaze maintains Jamf deployment scripts and supporting resources in the Backblaze RMM repository.

    Installation Script

    Canonical installation script:

    Operational Scripts

    Operational and remediation scripts:

    Extension Attribute Scripts

    Extension Attribute examples:

    Repository Documentation

    Additional deployment documentation:

    Example Deployment Workflow

    Upload the Installation Script to Jamf Pro

    1. Sign in to Jamf Pro.
    2. Click Settings > Computer Management > Scripts.
    3. Upload the installation script from the Backblaze repository.
    4. Configure the required Jamf and Backblaze parameters securely.

    Validate the Jamf Pro API Client

    Before you deploy the policy broadly, validate that the Jamf Pro API Client can retrieve the required device and user information.

    Confirm that:

    • the API Client can authenticate successfully,
    • the API Client can retrieve the target Mac record,
    • the Mac record includes the assigned user information,
    • the assigned user record includes a valid email address,
    • the resolved email address matches the allowed domain, if domain validation is enabled,
    • the API Client works when the script runs from a scoped Jamf policy.

    Create Required Configuration Profiles

    Deploy the following configuration profiles through Jamf Pro before installation:

    • PPPC profiles,
    • Full Disk Access permissions,
    • Managed Login Items profiles.

    Create Deployment Smart Groups

    Example Smart Groups may include:

    • Backblaze – Not Installed
    • Backblaze – Backup Paused
    • Backblaze – Backup Not Running

    Create the Installation Policy

    Configure a Jamf policy using the following recommended values.

    | Setting | Recommended Value |
    |---|---|
    | Trigger | Enrollment Complete and Recurring Check-in |
    | Execution Frequency | Once per computer |
    | Scope | Devices that require Backblaze installation |

    Scope the Policy

    Assign the policy to the appropriate Smart Computer Groups.

    Operational Considerations

    Jamf Data Quality

    The deployment workflow depends on accurate device-to-user mappings in Jamf Pro.

    If assigned user data is incorrect or missing, onboarding may fail or associate the device with the wrong account.

    Approval Behavior

    Depending on group configuration, administrator approval may still be required after device onboarding requests are submitted.

    Reusable Deployment Design

    This deployment model is designed to support reusable Jamf policies across many endpoints without requiring unique user-specific policy configurations.

    Monitoring and Compliance

    Jamf Extension Attributes and Smart Computer Groups can be used to monitor:

    • installation state,
    • backup status,
    • client version,
    • encryption configuration,
    • backup health.

    Example operational automation workflows include:

    • automatically resuming paused backups,
    • triggering backup jobs,
    • validating encryption settings,
    • identifying devices that require remediation.

    Reference operational scripts are available in the Backblaze RMM repository.

    Troubleshooting

    Verify Configuration Profiles

    Before installation, confirm that:

    • Full Disk Access permissions are approved,
    • required PPPC profiles are installed,
    • Managed Login Items are approved.

    Review Jamf Policy Logs

    If installation fails:

    1. Review Jamf policy history.
    2. Confirm that API authentication succeeds.
    3. Validate assigned user email data in Jamf inventory.
    4. Verify Group ID and Group Token values.

    Validate Service Status

    After installation, verify that the Backblaze service is running correctly.

    Troubleshoot Email Lookup Failures

    Successful Jamf Pro API authentication does not guarantee that the API Client has enough permissions to resolve the assigned user email address.

    If authentication succeeds but the script cannot resolve an email address, verify that:

    • the API Role includes the required read privileges,
    • the Mac has an assigned user in Jamf Pro,
    • the assigned user record includes an email address,
    • the API Client can read computer inventory and user assignment fields,
    • the Jamf Pro URL, API Client ID, and API Client Secret are correct,
    • the allowed domain parameter matches the assigned user’s email domain, if domain validation is enabled.
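
A preflight for the checks listed under Validate the Jamf Pro API Client and in the list above, as an added example that is not Backblaze's installation script. The environment variable names and the exact-match domain rule are assumptions; the sample data used to exercise it is constructed.

```bash
# Added example, not Backblaze's installer. Assumed env vars: JAMF_URL,
# JAMF_CLIENT_ID, JAMF_CLIENT_SECRET, ALLOWED_DOMAIN (optional).
# Last string value stored under key $1 in JSON text $2 ("" if absent or null).
json_field() {
  printf '%s' "$2" | tr -d '\n' |
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Returns 0 = usable, 1 = no email on record, 2 = malformed, 3 = domain not allowed.
# Assumption: the domain must match exactly, so look-alikes and subdomains fail.
check_email() {
  email=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  allowed=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ -n "$email" ] || return 1
  [ "$email" = "$(printf '%s' "$email" | tr -d '[:space:]')" ] || return 2
  case "$email" in *@*@*|@*|*@) return 2 ;; *@*) ;; *) return 2 ;; esac
  [ -z "$allowed" ] && return 0   # domain validation disabled
  [ "${email##*@}" = "$allowed" ] || return 3
}

# Client-credentials grant; the secret is fed on stdin, not the command line.
jamf_token() {
  json_field access_token "$(printf '%s' "$JAMF_CLIENT_SECRET" |
    curl -fsS "$JAMF_URL/api/oauth/token" \
      --data-urlencode "grant_type=client_credentials" \
      --data-urlencode "client_id=$JAMF_CLIENT_ID" \
      --data-urlencode "client_secret@-")"
}

# Assigned-user email for serial $2, using bearer token $1.
jamf_email() {
  json_field email "$(curl -fsS -G "$JAMF_URL/api/v1/computers-inventory" \
    -H "Authorization: Bearer $1" -H "Accept: application/json" \
    --data-urlencode "section=USER_AND_LOCATION" \
    --data-urlencode "filter=hardware.serialNumber==\"$2\"")"
}

if [ -n "${JAMF_URL:-}" ]; then   # live checks run only when configured
  serial=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/ {print $4}')
  token=$(jamf_token)
  [ -n "$token" ] || { echo "FAIL: API authentication"; exit 10; }
  rc=0; check_email "$(jamf_email "$token" "$serial")" "${ALLOWED_DOMAIN:-}" || rc=$?
  case $rc in
    0) echo "OK: assigned user email resolved" ;;
    1) echo "FAIL: no email resolved (check API Role privileges and user assignment)" ;;
    2) echo "FAIL: assigned email is malformed" ;;
    3) echo "FAIL: email domain is not the allowed domain" ;;
  esac
  exit "$rc"
fi
```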

    Security Considerations

    Follow enterprise security best practices when you deploy Backblaze through Jamf Pro.

    Recommended practices include:

    • using least-privilege API accounts,
    • storing secrets securely,
    • rotating credentials regularly,
    • restricting access to deployment parameters,
    • auditing deployment workflows.

    Additional Resources

