Overview
This article describes multiple strategies for deploying CrashPlan apps to user devices. You can integrate your apps with SSO, for example, without user intervention. The article is intended for administrators using device management tools like SCCM for Windows or Jamf Pro for Mac. This article provides:
- Introduction to CrashPlan app deployment and description of how it works in general.
- Links to help you with specific environments and specific deployment strategies.
Considerations
- Creating and using CrashPlan deployment policies requires familiarity with:
- Creation and configuration of organizations in your CrashPlan environment.
- The authentication methods that your organizations use to manage users.
- The process you use to distribute and install applications to user devices (typically a device management tool like SCCM for Windows or Jamf for Mac).
- Deployment features are not available for Managed Service Provider environments.
Need help?
For assistance, contact your Customer Success Manager (CSM) to engage the CrashPlan Professional Services team. If you don't know who your CSM is, contact our technical support team.
How deployment works
Before selecting a deployment option, it helps to understand how deployment works from end to end:
- You define a deployment policy in the CrashPlan console.
- From the policy view in the console, you copy the arguments for a CrashPlan app installer command.
- You paste or import those install arguments into your device management software and push them to devices, along with CrashPlan app executables.
- When install commands run on user devices, CrashPlan apps retrieve your policy from the CrashPlan cloud.
If the CrashPlan app fails to connect to the CrashPlan cloud and find the policy, it will retry every 5 minutes until it succeeds or a user explicitly stops the process.
- CrashPlan apps run your policy's detection script in order to determine usernames, home directories, and optionally, organizations.
- When a policy is configured to automatically register users, CrashPlan apps start monitoring and backing up data without user intervention. Otherwise, users manually authenticate and register.
If automatic registration fails for any reason, the CrashPlan app retries every hour. It retrieves the policy again and tries to register again, until it succeeds or a user explicitly stops the process.
Select a deployment option
The deployment options available vary with your CrashPlan environment's configuration:
- Whether you authenticate users with SSO or local authentication.
- Whether and how the deployment's username detection script matches usernames at devices with usernames in your authentication data.
Following are the most common deployment options:
Silent registration with SSO
New CrashPlan apps register automatically and start monitoring and backups without user intervention. Use this option with SSO authentication and local directory services set in the organization's Security tab.
- In the deployment's username detection script, SSO usernames are email addresses.
You must customize the installer's detection script to adjust for that.
The CrashPlan cloud requires a custom script
Because user names in the CrashPlan cloud must be email addresses, deployments for connection to the CrashPlan cloud always require a customized user detection script.
- The deployment's username detection script matches usernames at devices with usernames in SSO data.
Usernames on endpoint devices need to match usernames in SSO data, and usernames for the CrashPlan cloud must be email addresses. So you will need to modify the default user detection script to provide CrashPlan apps with usernames that match SSO usernames. See Step 2, below.
Mismatched usernames cause serious errors
If the detection script cannot provide a precise match with SSO data, CrashPlan creates a user that matches the device username. That user has no password, however, and cannot restore backup data or access the CrashPlan console. If you cannot create a reliable script, do not attempt silent deployment. See Manual registration instead.
Silent registration with local authentication
New CrashPlan apps register automatically and start backups without user intervention. Use this option with local authentication (authentication by the CrashPlan cloud) set in the organization's Security tab.
- CrashPlan passwords are hidden. The process described here generates CrashPlan passwords automatically. Those passwords are not available to users or administrators. To grant a user access to the CrashPlan app or the CrashPlan console, an administrator needs to sign in to the CrashPlan console and edit the user data to set a new password.
- You must customize your deployment's detection script to specify the user's email address.
Usernames must be email addresses. In your CrashPlan deployment policy, you need to modify the default user detection script. The script needs to take in device usernames and output email addresses. See Step 2, below.
The CrashPlan cloud requires a custom script
Because user names in the CrashPlan cloud must be email addresses, deployments for connection to the CrashPlan cloud always require a customized user detection script.
Manual registration
Require users to manually sign in to the CrashPlan app. Use this option with:
- Local authentication set in the organization's Security tab, and user-defined names and passwords.
- SSO.
Step 1: Identify the deployment organization
A deployment policy belongs to an organization. When you select or create that organization:
- The organization's authentication method is the policy's authentication method.
- When deployed CrashPlan apps install, users and devices become members of that organization.
- An organization has one deployment policy only. Child organizations do not inherit their parents' policies.
- Custom images and texts for CrashPlan apps also belong to organizations. You can define customization before or after deployment.
Changing the organization can break the policy
Once an organization has a deployment policy, changing the organization's authentication method can easily break the policy. See Deployment policies reference.
Check configuration of the organization:
- Sign in to the CrashPlan console.
- Select Administration > Environment > Organizations, and select an organization.
Note the organization name; you will need it later.
- Verify settings on the Security tab:
- Click the action menu and select Edit.
- Select the Security tab and verify that the settings are correct for your selected deployment option:
- Silent registration with SSO:
- The Authentication must be SSO.
- The Directory service must be Local.
- Silent registration with local authentication:
- The Authentication must be Local.
- The Directory service must be blank.
- Manual registration:
- The Authentication must be Local.
- The Directory service must be blank.
- Click Cancel (or Save, if you made changes).
- Verify the device backup defaults settings:
- Click the action menu and select Device Backup Defaults.
- Select the Backup tab and verify that DESTINATIONS lists at least one destination name and is set to Use.
The other possible value, DESTINATIONS ... Auto-start, is not acceptable. It means silent deployment is not possible. To configure destinations, go to the organization's action menu, select Device Backup Defaults > Backup > Destinations.
- Select the Network tab and note whether PROXY is enabled; you will need that information later.
- Click Cancel (or Save, if you made changes).
Step 2: Create the deployment policy
Define the deployment policy for the organization you identified in Step 1.
- In the CrashPlan console, select Administration > Client Management > Deployment.
- Select Create New Deployment Policy or Create deployment policy.
The prompt differs depending on whether you see the initial welcome screen or your list of existing policies.
- Enter a Deployment policy name to describe this policy.
- At Registration organization select the organization you identified at Step 1, above.
If your organization's name does not appear in the menu, that organization already has a policy.
You can edit or delete that existing policy.
- At Do you want to automatically register users?, verify that the settings are correct for your selected deployment option:
- Silent registration with SSO: Yes
- Silent registration with local authentication: Yes
- Manual registration: No
- At Select one or more operating systems, select the systems you will deploy CrashPlan apps to.
- For each operating system you select, select Add a custom batch/bash script.
Provide a script that identifies the username and home directory that the CrashPlan app will provide when it registers with your CrashPlan environment. For details, see the script reference.
The script must end by echoing the username and user home directory in accordance with your selected deployment option:
- Silent registration with SSO:
echo AGENT_USERNAME=<value>
echo AGENT_USER_HOME=<value>
- Silent registration with local authentication:
echo AGENT_USERNAME=<email@address.tld>
echo AGENT_USER_HOME=<value>
- At Do your clients need a proxy URL to connect to your CrashPlan authority?, select No or Yes, depending on what you determined at Step 1, above.
- At Launch desktop app after initial install?, select the correct value for your selected deployment option:
- Silent registration with SSO: No
- Silent registration with local authentication: No
- Manual registration: Yes
- Click Create.
You can view the policy and copy the installation properties at any time.
To disable a deployment policy, generate a new deployment token
You can disable a deployment policy at any time by generating a new deployment token. The policy definition remains intact, but CrashPlan apps actively making requests for this policy can no longer use the policy. You must uninstall and reinstall the CrashPlan app with the new deployment token to enable devices to register with this policy.
Example username detection scripts for the CrashPlan cloud
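The following is an added example, not a script supplied by CrashPlan: a detection script for the silent registration options that emits the two AGENT_ lines only when the device username maps cleanly to an email address, and emits nothing otherwise, so a guessed or mismatched username never reaches registration. The domain example.com, the shortname@domain mapping, the excluded-account list, and the who/getent lookup are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example: fail-closed username detection for silent registration.
# EMAIL_DOMAIN and the shortname@domain mapping are assumptions; adjust to your directory.
EMAIL_DOMAIN="example.com"

# Shared or system accounts that must never become backup users (constructed list).
is_excluded_account() {
  case "$1" in
    ""|root|admin|administrator|daemon|nobody|guest|_*) return 0 ;;
    *) return 1 ;;
  esac
}

# Map a device username to the email address the CrashPlan cloud expects.
# Prints the address; returns 1 when the input cannot yield a trustworthy match.
to_email() {
  te_user=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  if is_excluded_account "$te_user"; then return 1; fi
  case "$te_user" in
    *[!a-z0-9._-]*) return 1 ;;  # spaces, '@', quotes, newlines, metacharacters
  esac
  printf '%s@%s\n' "$te_user" "$EMAIL_DOMAIN"
}

# Print the two lines the policy expects, or nothing at all if any check fails.
emit_agent_vars() {
  ea_email=$(to_email "$1") || return 1
  [ -d "$2" ] || return 1        # home directory must exist on this device
  echo "AGENT_USERNAME=$ea_email"
  echo "AGENT_USER_HOME=$2"
}

# Detection itself is platform specific; this Linux-style lookup is an assumption.
device_user=$(who 2>/dev/null | awk 'NR==1 {print $1}')
device_home=$(getent passwd "$device_user" 2>/dev/null | cut -d: -f6)
emit_agent_vars "$device_user" "$device_home" ||
  echo "username detection failed; nothing emitted" >&2
```

How the CrashPlan app treats a script that emits no AGENT_USERNAME line is not covered on this page; confirm the behavior in a test organization before deploying to production.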
Step 3: Deploy CrashPlan apps to user devices
Before you deploy to production
Test your deployment plans
Before deploying CrashPlan apps to production devices, always test your entire process and all its scripts and files.
- At your CrashPlan console, create at least one test organization.
- Add several test users to that organization.
- Connect test devices for those users to the network that includes your CrashPlan environment.
- Deploy CrashPlan apps to the test devices and make sure they work as intended.
Verify that apps can connect by HTTPS
User devices must be able to reach your CrashPlan console by the HTTPS protocol. Check your protocol and port configuration:
- The URL must begin with https://
- Your firewalls must allow client requests to reach the CrashPlan console.
When you add a deployment policy to your CrashPlan cloud-based deployment, the URL auto-populates with the address. For example:
Deploy to devices
Step 4: Users sign in to the CrashPlan app
After setting deployment options, users are automatically signed in to the CrashPlan app.
Step 5: Verify success
For silent registration deployment options
Perform the following verification steps if you use the following silent deployment options:
- Silent registration with SSO
- Silent registration with local authentication