Zehadi Alam
The following procedure outlines the steps for deploying CrashPlan using Microsoft Intune.
1. Create a deployment policy for your department in the CrashPlan console.

2. Name the policy according to the name of your department and select your department from the Registration organization. If a deployment policy was created for you, this step can be skipped.

3. Copy/paste the following user detection script for Windows in your deployment policy:

<# : batch script
@echo off
setlocal
cd %~dp0
powershell -executionpolicy bypass -Command "Invoke-Expression (Get-Content -Path '%~f0' -Raw)"
endlocal
goto:eof
#>
# List of excluded usernames that CrashPlan should ignore
$ExcludedUsers = @(
    'defaultuser0',
    'z-*',
    'oithelp',
    'Administrator'
)
function Find-User {
    Write-Log "Starting user detection..."
    if (Check-Excluded-Users $username $AGENT_USERNAME) {
        Write-Log "Trying to grab the username from hybrid Azure reg key..."
        $username = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI).LastLoggedOnDisplayName
        Write-Log "Display name found: ($username)"
        $AGENT_USERNAME = (Get-ItemProperty HKLM:SOFTWARE\Microsoft\IdentityStore\LogonCache\*\Name2Sid\* | Where-Object {$_.DisplayName -eq $username} | Select-Object -First 1 -ExpandProperty identityName)
        Write-Log "Username found via hybrid Azure reg key: ($AGENT_USERNAME)"
    }
    if (Check-Excluded-Users $username $AGENT_USERNAME) {
        Write-Log "Trying to find username from Azure Identity..."
        $username = ((Get-Process -IncludeUserName -Name explorer).UserName -split '\\')[1]
        Write-Log "Username found: ($username)"
        $AGENT_USERNAME = (Get-ItemProperty HKLM:SOFTWARE\Microsoft\IdentityStore\Cache\*\IdentityCache\* | Where-Object {$_.SAMName -eq $username} | Select-Object -First 1 -ExpandProperty UserName)
        Write-Log "Email found in registry via Azure identity: ($AGENT_USERNAME)"
    }
    if (Check-Excluded-Users $username $AGENT_USERNAME) {
        Write-Log "Trying to grab the username from ADSI domain lookup key..."
        $username = ((Get-Process -IncludeUserName -Name explorer).UserName -split '\\')[1]
        Write-Log "Local username found ($username)"
        $searcher = [adsisearcher]"(samaccountname=$username)"
        $AGENT_USERNAME = ($searcher.FindOne().Properties.mail -join "")
        Write-Log "Username found via ADSI domain lookup: ($AGENT_USERNAME)"
    }
    if (Check-Excluded-Users $username $AGENT_USERNAME) {
        Write-Log "Excluded or null email address detected ($username). Will retry user detection in 60 minutes, or when reboot occurs."
        Write-Output "Excluded or null email address detected ($username). Will retry user detection in 60 minutes, or when reboot occurs."
        exit
    }
    $ExplorerUser = ((Get-Process -IncludeUserName -Name explorer).UserName -split '\\')[1]
    $wmiuser = Get-CimInstance Win32_UserAccount -Filter "Name = '$ExplorerUser'"
    $AGENT_USER_HOME = (Get-CimInstance Win32_UserProfile -Filter "SID = '$($wmiuser.SID)'").LocalPath
    if (-not $AGENT_USER_HOME) {
        Write-Log "User home query from WMI failed. Using fallback home detection method"
        $AGENT_USER_HOME = "$env:HOMEDRIVE\Users\$ExplorerUser"
        Write-Log "User home set by appending $ExplorerUser to home path ($AGENT_USER_HOME)"
    } else {
        Write-Log "User home queried from WMI successfully ($AGENT_USER_HOME)"
    }
    Write-Log "Returning AGENT_USERNAME: $AGENT_USERNAME"
    Write-Log "Returning AGENT_USER_HOME: $AGENT_USER_HOME"
    Write-Host "AGENT_USERNAME=$AGENT_USERNAME"
    Write-Host "AGENT_USER_HOME=$AGENT_USER_HOME"
}
<# Helper functions below this point #>
$PROC_LOG = "$env:HOMEDRIVE\ProgramData\CrashPlan\log\userDetect_Result.log"
function Check-Excluded-Users {
    Param (
        [string]$username,
        [string]$AGENT_USERNAME
    )
    foreach ($excluded in $ExcludedUsers) {
        if (-not $AGENT_USERNAME -or $username -like $excluded -or -not $username -or $AGENT_USERNAME -like $excluded) {
            return $true
        }
    }
    return $false
}
function Write-Log {
    Param (
        [string]$LogMessage
    )
    $message = "{0} - {1}" -f (Get-Date), $LogMessage
    Write-Output $message
    Add-Content -Path $PROC_LOG -Value $message
}
Find-User
4. Copy/paste the following user detection script for Mac in your deployment policy:
function main () {
    writeLog "Starting user detection..."
    local user=$(last | egrep 'console.*still' | egrep -v 'root|admin|reboot|shutdown|local|_mbsetupuser' | awk '{print $1}' | sort -u | head -n1)
    writeLog "User name found ($user)"
    if [[ "$user" =~ ^(admin1|admin2|admin3)$ ]] || [[ -z "$user" ]]; then
        writeLog "Excluded or null username detected ($user). Will retry user detection in 60 minutes, or when reboot occurs."
        exit
    else
        local AGENT_USERNAME="${user}@uga.edu"
        writeLog "Username assembled by appending domain ($AGENT_USERNAME)"
        local AGENT_USER_HOME=$(dscl . -read "/users/${user}" NFSHomeDirectory | cut -d ' ' -f 2)
        writeLog "Home directory read from dscl ($AGENT_USER_HOME)"
        writeLog "Returning AGENT_USERNAME=$AGENT_USERNAME"
        writeLog "Returning AGENT_USER_HOME=$AGENT_USER_HOME"
        echo "AGENT_USERNAME=$AGENT_USERNAME"
        echo "AGENT_USER_HOME=$AGENT_USER_HOME"
    fi
}
function writeLog () {
    echo "$(date) - $@" >> /Library/Logs/CrashPlan/userDetect_Result.log
}
main "$@"
5. Copy your deployment policy token. This can be found in the install commands under Installation Properties.

6. Save the following PowerShell script as Install-CrashPlan.ps1. Replace <INSERT_DEPLOYMENT_POLICY_TOKEN> with your deployment policy token. The script downloads the latest version of CrashPlan and installs it with the parameters that enforce your deployment policy.
Note: ARPNOREMOVE= prevents the user from uninstalling CrashPlan from their device using the Control Panel. This is a recommended parameter.
For more information on CrashPlan installation command parameters, see the following: https://support.crashplan.com/hc/en-us/articles/8653225861901-Deployment-script-and-command-reference
# Download the latest Windows installer into the TEMP directory of the account running the script
Start-BitsTransfer -Source "https://download.crashplan.com/installs/agent/latest-win64.msi" -Destination "$env:TEMP" -TransferType Download -RetryTimeout 60 -RetryInterval 60
Start-Sleep -Seconds 5
$crashPlanPath = "$env:TEMP\latest-win64.msi"
# Install only if the download produced a file, then remove the installer
if (Test-Path -Path $crashPlanPath -PathType Leaf) {
    # The MSI path is quoted so that a TEMP path containing spaces is passed to msiexec as one argument
    Start-Process -FilePath msiexec.exe -ArgumentList "/i ""$crashPlanPath"" CP_ARGS=""DEPLOYMENT_URL=https://console.us2.crashplan.com&DEPLOYMENT_POLICY_TOKEN=<INSERT_DEPLOYMENT_POLICY_TOKEN>"" CP_SILENT=true DEVICE_CLOAKED=false ARPNOREMOVE= /norestart /qn" -Wait -NoNewWindow
    Remove-Item -Path $crashPlanPath -Force -Confirm:$false
}
7. Package this PowerShell script using the Win32 Content Prep Tool. For more information, see Windows Software Deployment with Intune.
8. In the Intune app deployment wizard, use the following for the install and uninstall commands:
Install command
%systemroot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -File Install-CrashPlan.ps1
Uninstall command
%systemroot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "(Get-WmiObject -Query 'SELECT * FROM Win32_Product WHERE Name=''CrashPlan''').Uninstall()"
9. Set the Install behavior to System.
10. In the detection rules section, ensure that Manually configure detection rules is selected and click on Add. Create a detection rule that uses File as the rule type.

11. Use the following values and options for the detection rule.

12. The dependencies and supersedence sections can be left unconfigured. Assign the application to the appropriate device groups. Review and create the app.
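
The install script in step 6 runs a freshly downloaded MSI as System without checking it first. The variant below is an added example, not part of the original procedure or of CrashPlan's documentation: it checks the installer's Authenticode signature and signer before calling msiexec and passes msiexec's exit code back to Intune. The function name Test-InstallerSignature and the $ExpectedPublisher placeholder are assumptions; set the placeholder to the signer subject text you observe on a known-good CrashPlan installer.

```powershell
# Added example: signature-checked variant of Install-CrashPlan.ps1.
# ASSUMPTION: $ExpectedPublisher is a placeholder, not CrashPlan's real signer name.
$ExpectedPublisher = '<EXPECTED_PUBLISHER_NAME>'
$PolicyToken       = '<INSERT_DEPLOYMENT_POLICY_TOKEN>'
$Source            = 'https://download.crashplan.com/installs/agent/latest-win64.msi'
$MsiPath           = Join-Path $env:TEMP 'latest-win64.msi'

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Publisher
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file is signed, unmodified, and chains to a trusted root.
    if ($sig.Status -ne 'Valid') { return $false }
    # Pin the signer too, so a valid signature from another publisher is rejected.
    return ($sig.SignerCertificate.Subject -like "*$Publisher*")
}

$exitCode = 1   # fail closed: any path that does not reach msiexec reports failure
try {
    Start-BitsTransfer -Source $Source -Destination $MsiPath -TransferType Download -ErrorAction Stop

    if (Test-InstallerSignature -Path $MsiPath -Publisher $ExpectedPublisher) {
        $msiArgs = "/i `"$MsiPath`" CP_ARGS=`"DEPLOYMENT_URL=https://console.us2.crashplan.com&DEPLOYMENT_POLICY_TOKEN=$PolicyToken`" CP_SILENT=true DEVICE_CLOAKED=false ARPNOREMOVE= /norestart /qn"
        $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
        # Pass msiexec's exit code through so Intune can evaluate it (0 = success, 3010 = reboot required).
        $exitCode = $proc.ExitCode
    }
    else {
        Write-Warning "Signature check failed for $MsiPath; installer was not executed."
    }
}
catch {
    Write-Warning "Download or install failed: $_"
}
finally {
    # Remove the installer whether or not it was run.
    Remove-Item -Path $MsiPath -Force -ErrorAction SilentlyContinue
}
exit $exitCode
```

With the placeholder left unchanged, the signer comparison never matches, so the script exits with code 1 without installing anything.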
