Deploy CrashPlan apps

This article applies to CrashPlan Enterprise and MSPs.png

Overview

This article describes multiple strategies for deploying CrashPlan apps to user devices. You can integrate your apps with SSO, for example, without user intervention. The article is intended for administrators using device management tools like SCCM for Windows or Jamf Pro for Mac. This article provides:

  • Introduction to CrashPlan app deployment and description of how it works in general.
  • Links to help you with specific environments and specific deployment strategies.

Considerations

To use these deployment tools, you need to sign in to your CrashPlan console as a user with the Security Administrator role. 

  • Creating and using CrashPlan deployment policies requires familiarity with:
    • Creation and configuration of organizations in your CrashPlan environment.
    • The authentication methods that your organizations use to manage users.
    • The process you use to distribute and install applications to user devices (typically a device management tool like SCCM for Windows or Jamf for Mac).
  • Deployment features are not available for Managed Service Provider environments.

 Need help?

For assistance, contact your Customer Success Manager (CSM) to engage the CrashPlan Professional Services team. If you don't know who your CSM is, contact our technical support team.

How deployment works

Before selecting a deployment option, it helps to understand how deployment works from end-to-end:

  1. You define a deployment policy in the CrashPlan console.
  2. From the policy view in the console, you copy the arguments for a CrashPlan app installer command.
  3. You paste or import those install arguments into your device management software and push them to devices, along with CrashPlan app executables.
  4. When install commands run on user devices, CrashPlan apps retrieve your policy from the CrashPlan cloud.
    If the CrashPlan app fails to connect to the CrashPlan cloud and find the policy, it will retry every 5 minutes until it succeeds or a user explicitly stops the process.
  5. CrashPlan apps run your policy's detection script in order to determine usernames, home directories, and optionally, organizations.
  6. When a policy is configured to automatically register users, CrashPlan apps start monitoring and backing up data without user intervention. Otherwise, users manually authenticate and register.
    If automatic registration fails for any reason, the CrashPlan app retries every hour. It retrieves the policy again and tries to register again, until it succeeds or a user explicitly stops the process. 

Select a deployment option

The deployment options available vary with your CrashPlan environment's configuration:

  • Whether you authenticate users with SSO or local authentication.
  • Whether and how the deployment's username detection script matches usernames at devices with usernames in your authentication data.

Following are the most common deployment options:

Silent registration with SSO

New CrashPlan apps register automatically and start monitoring and backups without user intervention. Use this option with SSO authentication and local directory services set in the organization's Security tab.

  • In the deployment's username detection script, SSO usernames are email addresses.
    You must customize the installer's detection script to adjust for that.

     The CrashPlan cloud requires a custom script

    Because user names in the CrashPlan cloud must be email addresses, deployments for connection to the CrashPlan cloud always require a customized user detection script. 

  • The deployment's username detection script matches usernames at devices with usernames in SSO data.
    Usernames on endpoint devices need to match usernames in SSO data, and usernames for the CrashPlan cloud must be email addresses. So you will need to modify the default user detection script to provide CrashPlan apps with usernames that match SSO usernames. See Step 2, below.

     Mismatched usernames cause serious errors

    If the detection script cannot provide a precise match with SSO data, CrashPlan creates a user that matches the device username. That user has no password, however, and cannot restore backup data or access the CrashPlan console. If you cannot create a reliable script, do not attempt silent deployment. See Manual registration instead.

Silent registration with local authentication

New CrashPlan apps register automatically and start backups without user intervention. Use this option with local authentication (authentication by the CrashPlan cloud) set in the organization's Security tab.

  • CrashPlan passwords are hidden. The process described here generates CrashPlan passwords automatically. Those passwords are not available to users or administrators. To grant a user access to the CrashPlan app or the CrashPlan console, an administrator needs to sign in to the CrashPlan console and edit the user data to set a new password.
  • You must customize your deployment's detection script to specify the user's email address.
    Usernames must be email addresses. In your CrashPlan deployment policy, you need to modify the default user detection script. The script needs to take in device usernames and output email addresses. See Step 2, below.

     The CrashPlan cloud requires a custom script

    Because user names in the CrashPlan cloud must be email addresses, deployments for connection to the CrashPlan cloud always require a customized user detection script. 

Manual registration

Require users to manually sign in to the CrashPlan app. Use this option with:

  • Local authentication set in the organization's Security tab, and user-defined names and passwords.
  • SSO.

Step 1: Identify the deployment organization

A deployment policy belongs to an organization. When you select or create that organization:

  • The organization's authentication method is the policy's authentication method.
  • When deployed CrashPlan apps install, users and devices become members of that organization. 
  • An organization has one deployment policy only. Child organizations do not inherit their parents' policies.
  • Custom images and texts for CrashPlan apps also belong to organizations. You can define customization before or after deployment.

 Changing the organization can break the policy

Once an organization has a deployment policy, changing the organization's authentication method can easily break the policy. See Deployment policies reference.

Check configuration of the organization: 

  1. Sign in to the CrashPlan console.
  2. Select Administration > Environment > Organizations, and select an organization.
    Note the organization name; you will need it later.
  3. Verify settings on the Security tab:
    1. Click the action menu and select Edit.
    2. Select the Security tab and verify that the settings are correct for your selected deployment option:
      • Silent registration with SSO: 
        • The Authentication must be SSO.
        • The Directory service must be Local.
      • Silent registration with local authentication:
        • The Authentication must be Local.
        • The Directory service must be blank.
      • Manual registration: 
        • The Authentication must be Local.
        • The Directory service must be blank.
    3. Click Cancel (or Save, if you made changes).
  4. Verify the device backup defaults settings:
    1. Click the action menu and select Device Backup Defaults.
    2. Select the Backup tab and verify that DESTINATIONS lists at least one destination name and is set to Use.
      The other possible value, DESTINATIONS ... Auto-start, is not acceptable. It means silent deployment is not possible. To configure destinations, go to the organization's action menu, select Device Backup Defaults > Backup > Destinations.
    3. Select the Network tab and note whether PROXY is enabled; you will need that information later.
    4. Click Cancel (or Save, if you made changes).

Step 2: Create the deployment policy

Define the deployment policy for the organization you identified in Step 1.

  1. In the CrashPlan console, select Administration > Client Management > Deployment.
  2. Select Create New Deployment Policy or Create deployment policy.
    The prompt differs depending on whether you see the initial welcome screen or your list of existing policies.
  3. Enter a Deployment policy name to describe this policy.
  4. At Registration organization select the organization you identified at Step 1, above.
    If your organization's name does not appear in the menu, that organization already has a policy.
    You can edit or delete that existing policy.
  5. At Do you want to automatically register users?, verify that the settings are correct for your selected deployment option:
    1. Silent registration with SSO: Yes
    2. Silent registration with local authentication: Yes
    3. Manual registration: No
  6. At Select one or more operating systems, select the systems you will deploy CrashPlan apps to.
  7. For each operating system you select, select Add a custom batch/bash script
    Provide a script that identifies the username and home directory that the CrashPlan app will provide when it registers with your CrashPlan environment. For details, see the script reference.
    The script must end by echoing the username and user home directory in accordance with your selected deployment option:
    • Silent registration with SSO: 
      echo AGENT_USERNAME=<value>
      echo AGENT_USER_HOME=<value>
    • Silent registration with local authentication:
      echo AGENT_USERNAME=<email@address.tld>
      echo AGENT_USER_HOME=<value>
  8. At Do your clients need a proxy URL to connect to your CrashPlan authority?, select No or Yes, depending on what you determined at Step 1, above.
  9. At Launch desktop app after initial install?, select the correct value for your selected deployment option:
    • Silent registration with SSO: No
    • Silent registration with local authentication: No
    • Manual registration: Yes
  10. Click Create.
    You can view the policy and copy the installation properties at any time.

 To disable a deployment policy, generate a new deployment token

You can disable a deployment policy at any time by generating a new deployment token. The policy definition remains intact, but CrashPlan apps actively making requests for this policy can no longer use the policy. You must uninstall and reinstall the CrashPlan app with the new deployment token to enable devices to register with this policy.

Example username detection scripts for the CrashPlan cloud

For example username detection scripts, see Deployment script and command reference.

Step 3: Deploy CrashPlan apps to user devices

Before you deploy to production

Test your deployment plans

Before deploying CrashPlan apps to production devices, always test your entire process and all its scripts and files.

  1. At your CrashPlan console, create at least one test organization.
  2. Add several test users to that organization.
  3. Connect test devices for those users to the network that includes your CrashPlan environment.
  4. Deploy CrashPlan apps to the test devices and make sure they work as intended. 

Verify that apps can connect by HTTPS

User devices must be able to reach your CrashPlan console by the HTTPS protocol. Check your protocol and port configuration:

  • The URL must begin with https://
  • Your firewalls must allow client requests to reach the CrashPlan console. 

When you add a deployment policy to your CrashPlan cloud-based deployment, the URL auto-populates with the address. For example:

Deploy to devices

Retrieve installation properties from your deployment policy as follows:

  1. Sign in to the CrashPlan console.
  2. Select Administration > Client Management > Deployment.
  3. In the list of policies, click on the name of the policy you want to use.
  4. Copy deployment properties from the policy:
    • Windows or Linux: Copy the properties and paste them into your deployment software.
    • Mac: Download the deploy.properties file and provide it to your deployment process.

Distribute installation properties and CrashPlan app installers to your target devices. Then run the installers.
Details for those two tasks depend on your device management tool and endpoint operating systems:

Step 4: Users sign in to the CrashPlan app

After setting deployment options, users are automatically signed in to the CrashPlan app.

Step 5: Verify success

For silent registration deployment options

Perform the following verification steps if you use the following silent deployment options:

  • Silent registration with SSO
  • Silent registration with local authentication

Review device data in CrashPlan console 

Check that deployments succeed by reviewing the number of devices signed in to your organization and backing up data.

  1. Sign in to the CrashPlan console.
  2. Select Administration > Environment > Organizations.
  3. Select the organization you deployed to.
  4. At the top of the window, click the value under Devices.
    The number of devices listed for your org should match the number of devices you deployed CrashPlan apps to. The quantity of data stored for each device should be greater than zero.

Review client logs 

At your test devices, or a selection of your production devices, check the CrashPlan app service.log.0

  1. Find service.log.0 in one of these locations:
    • Windows: C:\ProgramData\CrashPlan\log
      To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy.
    • Mac: /Library/Logs/CrashPlan
      If you installed per user, see the file and folder hierarchy.
    • Linux: /usr/local/crashplan/log
  2. Open service.log.0 with a text editor.
  3. Search for CP_ARGS=DEPLOYMENT
    Find a line like the following and verify that the installer arguments are correct.
    CP_ARGS=DEPLOYMENT_URL=https://authority.example.com:4285&DEPLOYMENT_POLICY_TOKEN=e675f3e1-ebb3-496e-9cef-c669db6ffac6
    
  4. Search for Results of running user script.
    Find lines like the following that verify the CrashPlan app retrieved the deployment policy and ran the detection script without error.
    Deploy:: Successfully retrieved deployment package
    Results of running user script: UserScriptExecutionResults [username=exampleUser, userHomeDirectory=/home/exampleUser]
    
  5. Search for LoginRequest
    Find lines like the following that verify that the CrashPlan app logged in and is authorized to backup data.
    UserActionRequest: LoginRequestMessage[809641607873065038] LOGIN: username=exampleUser, password=****, serverAddress=authority.example.com:4287
    AUTH:: CPC session is LOGGED_IN
    

Troubleshooting

If a user opens the desktop UI for a newly deployed CrashPlan app, but the UI never progresses beyond the message Connecting... , then the deployment has probably failed.

client.connecting.circle.png

Confirm the error as follows:

  1. Find service.log.0 in one of these locations:
    • Windows: C:\ProgramData\CrashPlan\log
      To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy.
    • Mac: /Library/Logs/CrashPlan
      If you installed per user, see the file and folder hierarchy.
    • Linux: /usr/local/crashplan/log
  2. Open service.log.0 with a text editor.
  3. Find deployment errors by searching for Deploy::, for example:
    deploy:: Unable to make request
    
    Deploy:: Unable to process deployment package, USERNAME_NOT_IN_OUTPUT
    
Was this article helpful?
0 out of 0 found this helpful

Articles in this section