Druva Documentation

How to implement automatic token-based deployment of inSync clients for inSync Cloud and On-premise

Summary

inSync allows an IT Administrator to automate the Account Creation, Deployment and Authentication of inSync clients on all enterprise devices.

This article explains the concept and describes the steps an IT administrator needs to follow when automating inSync deployment.

Before You Begin

Ensure that you have installed the latest inSync server and configured the user profile and storage appropriately.

Note: Currently, the auto-installation feature supports only the Windows and Macintosh versions of inSync clients.

Note: The mass deployment of inSync clients supports new client installations only and does not support upgrading existing inSync clients.


Overview

The client auto-deployment feature helps you:
•    Install the inSync client package on the client computer.
•    Load the authentication key without the user’s intervention.

After the successful installation and authentication on clients, users are created on the inSync server without manual intervention of the Administrator.

The mass deployment process relies on the creation of an “ini” file on the target, which contains the information needed to create the account and assign it to the correct inSync Server, Storage and Profile, and also the target user's credentials.

An enterprise can create its own scripting methods to create and save this information or use the Automatic Deployment package provided by Druva to assist in this process. The Druva package can integrate with Active Directory (AD) or a CSV file to create the required ini files. 


inSync Automatic Deployment Package

The inSync Automatic Deployment package provides some batch files and configuration files that you can use along with an Active Directory Group Policy Object (GPO) to silently install the inSync msi on clients and authenticate them on the server. The GPO is used to automatically distribute and deploy the inSync Client installable (msi) across domain computers or users and to authenticate them automatically as well. 

At user logon, a batch process (MASSDS.bat) creates an '.ini' file per AD logon name and stores it on the client machine. Another batch process (SI.bat) silently installs the inSync client and authenticates the users using the details present in the .ini file (such as the username and the user’s email ID) and a Mass Deployment Token.
The ini file can also be created from user details present in a .csv file.

A configuration file, server.conf, holds information like the inSync server IP, the storage name, the user’s profile etc.

The method used for Active Directory Group Policy can also be used with other third-party tools such as SCCM, LANDesk, etc.


Auto deployment process

To automate the entire client deployment process:
1.    Download the Auto-Depv2.0.zip package and place the contents on a GPO share.
2.    Edit the batch and configuration files as per your environment. 
3.    Generate a Mass Deployment Token.
4.    Execute two steps using GPO:

•    Create an %username%.INI file (at logon) and store it on the client machine.
•    Deploy inSync.msi using Mass deployment token and the .ini file (at start up).
 
You can download the Auto-Deployment-2.0.zip package from here: Auto-Deployment-2.0.zip. This package has some libraries and binaries which help in creating the inSync INI file and in installing and authenticating the client.

Binaries location

The zipped files for automatic deployment need to be hosted on a commonly accessible share, so that they are available to all users for execution. The path to the share needs to be updated in MASSDS.bat.


Customizing the package

Edit the following files for customizing the package to your environment:

Server.conf

Set the inSync Server address, default storage, and profile, and select INI creation mode (AD or CSV).

MASSDS.bat

This batch script invokes the inSync INI creator exe, so it is executed as a user logon script via GPO. It uses the parameters in the server.conf file and creates a set of .ini files, one per user.

SI.bat

This batch script is executed as a machine startup script. It runs with parameters like TOKEN (the mass deployment token) and INIFILE (the file holding the user’s details). It installs the client and authenticates it with the inSync server, using the .ini file created by MASSDS.bat.

Block diagram of inSync Client Auto-installation Process



Editing Server.conf

The inSync INI creator package allows using two different modes to create an INI file: 
 - Using LDAP
 - Using CSV 

This option can be set in the server.conf file.

Using LDAP

In 'server.conf', set the variable “CSV = No”. The mass deployment exe will query the LDAP server to find the logged-in user's email ID. The server.conf will look as follows:

Sample Server.conf

[DETAILS]
SERVER_IP = 192.168.51.77:6061,192.168.51.78:80
STORAGE = inSyncStore
PROFILE = DEFAULT
CSV = No
USERDOMAIN = scorpius.druva.com
GROUPMAPPING = Yes
[PROFILEMAPPINGS]
Administrators = IT
PROFILE1 = SALES

Note: The following parameters are not required in inSync 5.2 or above

Using CSV

In the server.conf, set the variable “CSV = Yes”. The mass deployment exe will parse the users.csv file provided by the administrator. The users.csv format looks something like this:

Sample Users.csv

UserName,emailID,Storage,Profile
test1,test1@gmail.com,inSyncStore,IT,
test2,test2@gmail.com,inSyncStore,IT,
test3,test3@gmail.com,inSyncStore,IT,
test4,test4@gmail.com,inSyncStore,IT,
test5,test5@gmail.com,inSyncStore,IT,
test6,test6@gmail.com,inSyncStore,IT,
test7,test7@gmail.com,inSyncStore,IT,
test8,test8@gmail.com,inSyncStore,IT,

Group/Profile Mapping

The server.conf also has another section, [PROFILEMAPPINGS]. This allows IT administrators to map their existing AD groups to inSync server user profiles. For example, the AD group Administrators can be mapped to the inSync user profile IT.

The parameters are shown here:

[PROFILEMAPPINGS]
Administrators = IT

Note: The INI creator uses the group memberships of the logged-in user account to apply the mappings. If the user does not belong to any mapped group, the default profile is used.
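The mapping rule described above, written out as an added Python example (not Druva's code or part of the package). It reads the page's sample server.conf and resolves a profile from a user's memberOf values; treating GROUPMAPPING as the on/off switch, matching group names exactly, and letting the first mapped group win are assumptions, and the function names are hypothetical.

```python
import configparser
import re

# server.conf text copied from the page's sample.
SAMPLE_CONF = """\
[DETAILS]
SERVER_IP = 192.168.51.77:6061,192.168.51.78:80
STORAGE = inSyncStore
PROFILE = DEFAULT
CSV = No
USERDOMAIN = scorpius.druva.com
GROUPMAPPING = Yes
[PROFILEMAPPINGS]
Administrators = IT
PROFILE1 = SALES
"""

def load_conf(text):
    # Split on "=" only, so "host:port" values are not cut at the colon.
    conf = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    conf.optionxform = str  # assumption: group names match exactly as written
    conf.read_string(text)
    return conf

def group_names(member_of):
    """Return the leading CN of each memberOf DN, honouring escaped commas."""
    names = []
    for dn in member_of:
        m = re.match(r"CN=((?:\\.|[^,\\])+)", dn.strip(), re.IGNORECASE)
        if m:
            names.append(re.sub(r"\\(.)", r"\1", m.group(1)))
    return names

def resolve_profile(conf, member_of):
    """Return the mapped profile, or [DETAILS] PROFILE when nothing maps."""
    details = conf["DETAILS"]
    default = details["PROFILE"]
    if details.get("GROUPMAPPING", "No").strip().lower() != "yes":
        return default  # assumption: GROUPMAPPING switches the lookup on
    if not conf.has_section("PROFILEMAPPINGS"):
        return default
    mappings = conf["PROFILEMAPPINGS"]
    for name in group_names(member_of):  # assumption: first mapped group wins
        if name in mappings:
            return mappings[name]
    return default
```

With the memberOf values from the sample AD.log, only Administrators has a mapping, so the user lands in the IT profile; a user in no mapped group gets DEFAULT.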

Editing MASSDS.bat

Once you have the file share and server.conf configured, you can edit MASSDS.bat to reflect their paths. A sample MASSDS.bat file is shown below:

Sample MASSDS.bat

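@echo on
REM First run: create the local working folder and copy the package from the share.
IF EXIST C:\inSyncAD goto CHECKINI
mkdir C:\inSyncAD
cd /d C:\inSyncAD
copy "\\192.168.51.77\iMD\*.*" "C:\inSyncAD" > filecopy.log
goto CHECKINI
:CHECKINI
cd /d C:\inSyncAD
REM Skip INI creation if this user's INI file already exists.
if EXIST "c:\inSyncAD\%username%.INI" goto END
Mass_Dep.exe
:END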

The result of running this batch file is the creation of ini files, a sample of which is in the next section.

inSyncConfig.ini File Composition

The INI file contains some information for the inSync MSI installer to read after installation. This information allows the user's account to be configured on the inSync server and for it to be authenticated. 

Here is a sample inSyncConfig.ini file.

Sample inSyncConfig.ini

ADDRESS = 'IP Address of inSync Server:6061'
STORAGE = 'Name of Target Storage'
PROFILE = 'Name of Target Profile'
ADUSERNAME = 'AD UserName of user'
USERNAME = 'Name of User for inSync Account'
MAIL = 'email address of user'
WINUSERNAME = 'Windows UserName of user'
WINUSERDOMAIN = 'Windows UserDomain of user'

The ini file should be created in the following location on the target device:
•    C:\Windows\temp
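A pre-flight check for a generated INI file, as an added Python example (not Druva's code or part of the package). It verifies that the eight keys from the sample above are present and non-empty and that ADDRESS, MAIL and the file name are well formed; the function names, the optional-quote handling and the rule that ADUSERNAME equals the file name are assumptions, and the embedded sample is constructed.

```python
import re

# Keys shown in the page's sample inSyncConfig.ini.
REQUIRED_KEYS = ("ADDRESS", "STORAGE", "PROFILE", "ADUSERNAME",
                 "USERNAME", "MAIL", "WINUSERNAME", "WINUSERDOMAIN")

# Constructed sample: PROFILE is empty and ADDRESS has no port.
SAMPLE_BAD_INI = """\
ADDRESS = 192.168.51.77
STORAGE = inSyncStore
PROFILE =
ADUSERNAME = test
USERNAME = test
MAIL = test@druva.com
WINUSERNAME = test
WINUSERDOMAIN = SCORPIUS
"""

def parse_ini(text):
    """Parse 'KEY = value' lines; surrounding single quotes are optional."""
    values = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip().upper()] = value.strip().strip("'")
    return values

def check_ini(filename, text):
    """Return a list of problems; an empty list means the file passed."""
    problems = []
    stem, _, ext = filename.rpartition(".")
    if ext.upper() != "INI" or not stem or re.search(r'[\\/:*?"<>|]', stem):
        problems.append("file name is not <logon name>.INI")
    values = parse_ini(text)
    problems += [f"{k} is missing or empty" for k in REQUIRED_KEYS if not values.get(k)]
    for endpoint in filter(None, values.get("ADDRESS", "").split(",")):
        if not re.fullmatch(r"[A-Za-z0-9.-]+:\d{1,5}", endpoint.strip()):
            problems.append(f"ADDRESS entry {endpoint.strip()!r} is not host:port")
    mail = values.get("MAIL", "")
    if mail and not re.fullmatch(r"[^@\s']+@[^@\s']+\.[^@\s']+", mail):
        problems.append("MAIL is not an e-mail address")
    ad_user = values.get("ADUSERNAME", "")
    if ad_user and stem and ad_user.lower() != stem.lower():
        problems.append("ADUSERNAME does not match the file name")  # assumption
    return problems
```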

Editing SI.bat

Similarly, you can now edit SI.bat to reflect the msi name and the new paths, along with the new token value from the inSync server web console.

To get the token, on the inSync server web control panel, click Management > Users > Import > Mass Deployment token.

Paste the token in the SI.bat file. This token is used for security purposes when installing the msi.

Sample SI.bat

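@echo on
REM Copy the installer from the deployment share to the local working folder.
copy "\\192.168.51.77\iMD\*.msi" "C:\inSyncAD"
cd C:\
REM Silent install: TOKEN, INIFILE and the logging switch all belong on the one msiexec command line.
msiexec /qn /i C:\inSyncAD\<path to inSync.msi> TOKEN="4-9eff6f87a64bb5a7614ce3f173c24e81" INIFILE="C:\inSyncAD\%USERNAME%.INI" /Lime C:\inSyncAD\MSIlog.txt
REM Start the agent from whichever Program Files folder exists.
if exist "c:\program files (x86)" goto WIN7
goto XP
:WIN7
cd "C:\Program Files (x86)\Druva\inSync"
inSyncAgent.exe
goto END
:XP
cd "C:\Program Files\Druva\inSync"
inSyncAgent.exe
goto END
:END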

Refer to the inSync KB article for related information: How to Silently Deploy inSync User Authentication Keys.


GPO Setup

Now you can start the automatic deployment. In GPO, create two policies:

•    User logon script to execute MASSDS.bat

•    Windows startup script to execute SI.bat

See the inSync KB article for related information: How to Silently Deploy inSync Client using Active Directory Group Policy.

Note: For details on how to set up GPO policies, please follow the Microsoft KB article here: http://support.microsoft.com/kb/816102.


Sample log from inSync AD folder

AD.log

2012-07-13 15:36:15,489 INFO Using LDAP Method ...
2012-07-13 15:36:15,505 INFO The logged in user is:test@SCORPIUS.DRUVA.COM
2012-07-13 15:36:15,505 INFO Connected to the LDAP Server
2012-07-13 15:36:15,505 INFO ldap searching..
2012-07-13 15:36:15,505 INFO [('CN=test,CN=Users,DC=Scorpius,DC=druva,DC=com',
{'primaryGroupID': ['513'], 'cn': ['test'], 'objectClass':
['top', 'person', 'organizationalPerson', 'user'], 'userPrincipalName':
['test@Scorpius.druva.com'], 'lastLogonTimestamp':
['129858174761464843'], 'instanceType': ['4'], 'distinguishedName':
['CN=test,CN=Users,DC=Scorpius,DC=druva,DC=com'],
'dSCorePropagationData': ['20120703202239.0Z', '16010101000000.0Z'],
'objectSid':
['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xd3f\x01\x1aS\r\xe1\xc1\xefr_\x03n\x04\x00\x00'],
'whenCreated': ['20120703174520.0Z'], 'uSNCreated': ['21918'], 'mail':
['test@druva.com'], 'sAMAccountName': ['test'],
'objectCategory':
['CN=Person,CN=Schema,CN=Configuration,DC=Scorpius,DC=druva,DC=com'],
'objectGUID': ['\xed\x99\x06\x03\x8f\x1e0L\x9f\xf5]\x13%\xd3\xfa\xd0'],
'whenChanged': ['20120709125243.0Z'], 'displayName': ['test'], 'name': ['test'], 'memberOf':
['CN=Galaxy,OU=LEO,DC=Scorpius,DC=druva,DC=com',
'CN=PF,OU=Pre-Sales,DC=Scorpius,DC=druva,DC=com',
'CN=Administrators,CN=Builtin,DC=Scorpius,DC=druva,DC=com'],
'userAccountControl': ['66048'], 'sAMAccountType': ['805306368'],
'uSNChanged': ['24971'], 'sn': ['test'], 'givenName': ['test']})]
2012-07-13 15:36:15,519 INFO Groupnames are ['Galaxy', 'PF', 'Administrators']
2012-07-13 15:36:15,519 INFO Could not find group mapping for groupname=Galaxy
2012-07-13 15:36:15,519 INFO Could not find group mapping for groupname=PF
2012-07-13 15:36:15,519 INFO Found group mapping for groupname=Administrators
2012-07-13 15:36:15,519 INFO Connection established with inSync server
2012-07-13 15:36:15,519 INFO Creating test.ini file
2012-07-13 15:36:15,519 INFO test.ini file created at:C:\inSyncAD\test.INI

MSI Installation log:
=== Logging started: 7/13/2012  15:39:34 ==
Action start 15:39:34: INSTALL.
Action start 15:39:34: SystemFolder.30729.01.Microsoft_VC90_CRT_x86.SP.D8D85FD0_537C_3A3A_9BEC_7A1B426637EC.
Action ended 15:39:48: INSTALL. Return value 1.
MSI (s) (10:50) [15:39:48:649]: Product: Druva inSync 5.0 -- Installation completed successfully.
=== Logging stopped: 7/13/2012  15:39:48 ===

Note: The logs are created in C:\inSyncAD and the user's temp directory.
