Install the Backblaze Client Silently (Mac)

For Apple's line of macOS operating systems, pushing an application to hundreds of users generally involves a mountable DMG file that contains an installer package. The Backblaze Computer Backup Installer for macOS works similarly. There are a few unique steps to deploy the client silently.

Decentralized Deployment (User-Managed Account)

The email parameter that is passed by the script must be unique to each user who is related to the endpoint at runtime.

Decentralized deployments involve an account for each endpoint that is then part of the business group that manages payment and admin activity (if enabled). In this scenario, the end user has access to their own data through the Backblaze portal.

• Within the context of this guide, this requires that you set up a Jamf Pro environment. 
• If you do not have a Jamf Pro setup, you will need a relevant email for each deployment. Custom scripting to actively pass in these values at runtime can be done using the bash script that is mentioned later in this article . 

Centralized Deployment (IT Managed Account)

The primary email will be hardcoded because it stays static.

Centralized deployments mean that every endpoint is logged into a primary Backblaze account that is managed by IT. In this scenario, the end user does not have access to their data on Backblaze and they must contact the manager of that centralized account. These deployments are quite simple because the email that is passed to the installer does not change per endpoint.

• In scenarios in which Jamf is involved, hardcoding an email skips the step that is related to querying the Jamf Pro API.

Use the Installer through the Command-Line Interface

Before you begin: You must have the following prerequisites.

• Mac OS 10.9 or newer
• An active Backblaze Group
• Either a static, centralized IT email or a dynamic email that is related to the particular deployment
• The value region is optional and can be used for deployments that must specify the region to which an email account will be deployed. Values are either us-west, us-east, or eu-central.
• A groupID and a groupToken
  These two values are used as authentication to log in after the email parameter. The script fails to deploy if the email account is not a user within the Group. You can retrieve these from your Backblaze portal.

Retrieve your groupID and groupToken

Backblaze Installer

You can find the most current version of the macOS installer here: https://secure.backblaze.com/mac/install_backblaze.dmg.

The macOS package is controlled through the following parameters that you pass through Terminal.

Sign In Account Mode

Use the following command for deployments that involve a user who does not yet have a Backblaze account. You must enter values for <email>, <groupID>, and <groupToken>.

sudo /Volumes/Backblaze\ Installer/Backblaze\ Installer.app/Contents/MacOS/bzinstall_mate -nogui -createaccount_or_signinaccount <email> <groupid> <grouptoken>

Create Account Mode with Region

Use the following command for deployments that involve a user who already has a Backblaze account and is part of the group. You must enter values for <email>, <groupID>, and <groupToken>. The <region> parameter is optional.

sudo /Volumes/Backblaze\ Installer/Backblaze\ Installer.app/Contents/MacOS/bzinstall_mate -nogui -createaccount_or_signinaccount <email> <groupid> <grouptoken> <region>

Update Mode -upgrade

Use the following command for deployments that involve a user who already has Backblaze installed and only needs an update.

sudo /Volumes/Backblaze\ Installer/Backblaze\ Installer.app/Contents/MacOS/bzinstall_mate -upgrade bzdiy

Use a Shell Script

The shell script makes interfacing with the commands you saw in the previous section easier. If you use the script, you can dynamically complete the following workflows:

• Automatically handle both new account deployments (-createaccount) and existing account deployments (-signin) without the need to dictate ahead of time per deployment
• Upgrade deployments that already have the software installed and running
• Handle Jamf Pro environments that need to use a decentralized deployment

#!/bin/bash

# The following parameters are pulled directly from the "Parameter Values" section of your Backblaze deployment policy.
# Please make sure they are filled out respectively prior to your push
computername="$2"
username="$3"
groupid="$4"
grouptoken="$5"
email="$6" #If email is entered in parameters, script will skip over using JAMF API, make sure related password is entered as well
region="$7" #Specify if account is to be deployed in specific region [us-west or eu-central]
JAMF_domain="$8"

# The script needs access to the JAMF Pro API to gather related the related email for a given user 
# Account just needs to have Users - Read permissions
# You can configure a temp account for this in the "Jamf Pro User Accounts & Groups" section of your console
JAMF_username="$9"
JAMF_password="${10}"

# BZERROR MEANINGS 
# BZERROR:190 - The System Preferences process is running on the computer. Close System Preferences and retry the installation.
# BZERROR:1000 - This is a general error code. One possible reason is that the Backblaze installer doesn’t have root permissions and is failing. Please see the install log file for more details.
# BZERROR:1016/1003 - Login Error... Email account exists but is not a member of indicated Group, Group ID is incorrect, or Group token is incorrect,

var=0

################ FUNCTIONS #########################
function updateBackblaze {
	return=$(sudo /Volumes/Backblaze\ Installer/Backblaze\ Installer.app/Contents/MacOS/bzinstall_mate -upgrade bzdiy)
}

function signinBackblaze {
	return=$(sudo /Volumes/Backblaze\ Installer/Backblaze\ Installer.app/Contents/MacOS/bzinstall_mate -nogui -createaccount_or_signinaccount $email $groupid $grouptoken)
}

function createRegionAccount {
	return=$(sudo /Volumes/Backblaze\ Installer/Backblaze\ Installer.app/Contents/MacOS/bzinstall_mate -nogui -createaccount_or_signinaccount $email $groupid $grouptoken $region)
}

function emailValidation {
	[[ "$email" =~ ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$ ]]
	rc=$?
	if [ "$rc" != "0" ]
		then
			if [ "$var" = 1 ]
				then
					echo "Failed to retrieve valid email address from JAMF API. Parsed Email: [ $email ]"
					echo "Please make sure JAMF credentials have READ access on the user object and endpoints have emails properly set" 
					exit 1
				else
					echo "Failed to retrieve valid email address from JAMF API. Attempting to use computername"
					jamfAPIComputername
			fi
		else
			echo "The email retrieved from JAMF API [ $email ] seems to be a valid email address"
			echo "Continuing with install"
	fi
}

function jamfAPIUsername {
	echo "Making GET request to Classic JAMF API using Username"
	response=$(curl -s "https://$JAMF_domain.jamfcloud.com/JSSResource/users/name/$username" -u "$JAMF_username:$JAMF_password")

	email=$(echo $response | /usr/bin/awk -F'<email_address>|</email_address>' '{print $2}')
	emailValidation
}

function jamfAPIComputername {
	echo "Making GET request to Classic JAMF API using Computer Name"
	response=$(curl -s "https://$JAMF_domain.jamfcloud.com/JSSResource/computers/name/$computername" -u "$JAMF_username:$JAMF_password")

	email=$(echo $response | /usr/bin/awk -F'<email_address>|</email_address>' '{print $2}')
	var=1
	emailValidation
}

function successExit {
	echo "Unmounting Installer..."
	diskutil unmount /Volumes/Backblaze\ Installer
	echo "Cleaning up..."
	rm install_backblaze.dmg
	exit 0
}

function failureExit {
	echo "Unmounting Installer..."
	diskutil unmount /Volumes/Backblaze\ Installer
	echo "Cleaning up..."
	rm install_backblaze.dmg
	exit 1
}

function killSyspref {
	killall -KILL System\ Preferences > /dev/null 2>&1
}

function setDirectory {
	if [ -n "$3" ] 
	then 
		cd /Users/"$3" || { echo "Failed to cd to user directory"; exit 1; }
	fi
}

function downloadBackblaze {
	echo "Downloading latest backblaze client..."
	curl -s -O https://secure.backblaze.com/mac/install_backblaze.dmg
}

function mountBackblaze {
	echo "Mounting Installer..."
	hdiutil attach -quiet -nobrowse install_backblaze.dmg 
}
###################################################

setDirectory "$@"
downloadBackblaze
mountBackblaze

#Kill System Preferences process to prevent related BZERROR
killSyspref

#Check to see if Backblaze is installed already, if so update it. Else continue as planned. 
if open -Ra "Backblaze" ; 
	then
  		echo "Backblaze already installed, attempting to update"
		updateBackblaze
		if [ "$return" == "BZERROR:1001" ]
			then
		   		echo "Backblaze successfully updated"
				successExit
			else
				#Try upgrade again incase there was a file lock on the mounted dmg causing errors
				updateBackblaze
				if [ "$return" == "BZERROR:1001" ]
					then
		   				echo "Backblaze successfully updated"
						successExit
					else
						echo "Backblaze was already installed but failed to update"
						failureExit
				fi
		fi
	else
  		echo "Confirmed Backblaze isnt installed already, continuing with deployment..."
fi

#If email wasnt passed in from parameters, assume we need to access JAMF API to retrieve it
if [ "$email" == "" ]
 	then
		echo "Email not hardcoded, attempting to pull from JAMF Pro API"
		jamfAPIUsername
fi

echo "Trying to sign in account"

if [ "$region" == "" ]
 	then
		signinBackblaze
		if [ "$return" == "BZERROR:1001" ]
			then
				echo "Backblaze successfully installed, $email signed in..."
				successExit
			else
				signinBackblaze
				if [ "$return" == "BZERROR:1001" ]
					then
						echo "Backblaze successfully installed, $email signed in..."
						successExit
					else
						echo "Failed to install Backblaze, errorcode: $return"
                        failureExit
				fi
		fi
	else 
		createRegionAccount
		if [ "$return" == "BZERROR:1001" ]
			then
				echo "Backblaze account successfully created in $region, $email signed in..."
				successExit
			else
				echo "Failed to install Backblaze, errorcode: $return"
				failureExit
		fi	
fi

Use the Shell Script to Silently Deploy without Jamf

Before you run the script, you must hard code a few values depending on the type of deployment you need:

username="$3"
groupid="$4"
grouptoken="$5"
email="$6"
region="$7"

The $3-$7 variables are used for Jamf Pro deployments. If you are not using Jamf Pro, replace those variables with strings.

• (Required) username="username" sets the directory to the proper user to prevent RMM tools from having Backblaze stuck in its working directory.
• (Required) groupid="groupID" 
• (Required) groupToken="groupToken"
• (Required) email="email"
• (Optional) region="region"

You can ignore the rest of the variables since they are Jamf-related. The script automatically ignores any processes that are related to Jamf.

The script automatically runs an update on any endpoint if it finds that Backblaze is already installed. 

Use the Shell Script to Silently Deploy with Jamf

The script also supports deployments using Jamf because it is able to query directly from the Jamf Pro API to dynamically retrieve emails for each deployment. This is likely the easiest way to accomplish a decentralized deployment. There are a few additional prerequisites before you can begin this process.

Before you begin: You must complete the following tasks:

• Set up a Jamf Pro server (formerly JSS) that is hosted on a server or in the Jamf Cloud.
• Install Jamf Pro. This suite includes tools such as Jamf Admin/Imaging/Remote, Composer, and Recon (formerly known as Casper tools).
• Create a Jamf enrollment user. This allows the script read access to the user object through the Jamf API. Backblaze then gathers the email that is related to the particular endpoint.
• Ensure that you have a good understanding of how a Jamf policy is set up, how to set up a script for a Jamf policy, and how to set up environment variables in the policy that will be passed into the script when the script is run on the remote machine. Jamf provides detailed documentation regarding policy configuration.

Set up Jamf to deploy Backblaze

1. Create an Enrollment user account that the script can use to complete the API calls that are needed to retrieve emails. 
2. Upload the previous Shell script.
3. Backblaze recommends that you enter parameter labels for easier usage of the script after it is imported into a policy.
4. Create a Backblaze Deployment Policy with the script imported as a step.
   

Parameter descriptions are shown as set in the last step. Each parameter maps to the variables in the script communicated by $4-$10.

• Group ID and Group Token correspond to the values gathered earlier in this article. These should stay static across all deployments assuming they are all going to be related to the same group.
• Email can be left blank because Backblaze queries your Jamf Pro API to retrieve the related emails to each endpoint.
• Region possible values are us-west, us-east, or eu-central
• Jamf Domain is your environment domain <domain>.jamfcloud.com.
• Jamf Username is the username that is related to the enrollment user that you created earlier.
• Jamf Password is the password that is related to the enrollment user that you created earlier.

Your Backblaze Client Policy is now complete. After the policy runs, the Backblaze client is installed and you can immediately begin backing up the computer.

Post Installation

If you added members to a non-auto-accept group, the Group admin must accept these users from the Requesting Membership list on the Invite & Approve page of the Group admin account. 

After Backblaze is installed on the end user’s computer, they receive a "Welcome to Backblaze" email that explains that data is securely backed up to Backblaze. The email describes the service and offers them some tips and guidelines.

Troubleshooting

The (remote) computer's Backblaze install log is located in: /Library/Backblaze.bzpkg/install_log/install_logNN.log, in which NN represents the two-digit number that corresponds to the day of the month of the installation (for example, install_log08.log).

If you are unable to successfully install or you see a different error, contact the Support team. Provide Support with the install log from the computer for which you attempted a silent installation.