Administrator's Online Documentation
|
|
|
KeyServer ® Administrator's Online Documentation |
| |||
| Home | Support | Legal | Contact Us |
|
KeyConfigure |
|
KeyConfigure is the administrator's interface to the KeyServer, and as such it allows you to monitor all KeyServer activity as you key applications, create Controls for unkeyed programs, regulate user access, set program usage restrictions, view current usage of the KeyServer and KeyServer-controlled programs, and perform other housekeeping tasks.
Launch KeyConfigure from any computer running KeyAccess and connected to the KeyServer and enter the administrator's password (the default is "Sassafras"). The Controls, Users, log file, and other necessary information is retrieved and KeyConfigure is ready to use. KeyServer 5.0 supports multiple administrative sessions so a user with the correct password will never be blocked from administrative access. KeyConfigure also supports an Assistant level sign-on with the same initial password. The Administrator has full control over what the Assistant can, and cannot, do.
The information and functionality provided by KeyConfigure is virtually identical whether KeyConfigure is launched on a Macintosh or Windows client, and regardless of the platform on which the KeyServer is running. In other words the ability to manipulate user and license information is not platform-dependent. You're only required to run KeyConfigure from a particular platform when keying an application, as a Windows application must be keyed by the Windows version of KeyConfigure and Macintosh applications are keyed by a copy of KeyConfigure running on a Mac.
 |  |
The File menu provides commands for opening, saving and printing Controls files, log files, and reports. It also lets you disconnect from the KeyServer and reconnect (to the same or another KeyServer) without exiting KeyConfigure.
Use this command when you want to create a new Controls file. While there is only one Active Controls file, which stores all information about the programs your KeyServer is controlling, you may on occasion need to create a secondary Controls file, for example if you want to move Controls between KeyServers, or in and out of Active Controls.
Select a local or remote log file from this hierarchical menu to create a new report. When the new report window appears, select the desired report by clicking on its name. If you have set a default report (see below), that report starts automatically on the selected log file. Note that you may have any number of Controls and Report windows open, limited only by available memory.
When KeyConfigure is running but not connected to an active KeyServer, only local log files are accessible.
Use this command to open a Controls file other than Active Controls. You can copy Controls back and forth between a Control files (including Active Controls) and you may have any number of Controls windows open, limited only by available memory. To open the Active Controls file, select "Show Active Controls" from the Controls menu.
This command has the same effect as clicking in the Close box of the front-most window. The name of the item changes, depending on the front-most window: inactive Controls file windows and Report windows are closed, while the Users, Active Controls, Unkeyed Actions, and Shadows windows are temporarily hidden. These windows are made visible by selecting "Show Current Users", "Show Active Controls", "Show Unkeyed Actions", or "Show Shadows" commands.
Once you have used the Save As command to indicate a destination for a log report, you can use this command to save any changes made to the report since the last save. This command is dimmed if the report cannot be saved, or if there are no changes to be saved.
Use this command to save the selected Controls in a new and separate Controls file. The name of the command changes, depending on which window is front-most. If a Controls window is front-most, all Controls are saved. You can also use this command to save a running Report. This command is dimmed if a Controls window or a Report window is not front-most.
Use this item to establish a connection to a KeyServer. You must type either the administrator or assistant password, just as you did when you double-clicked on KeyConfigure to start it running.
Use this command to temporarily disconnect from your KeyServer in order to relieve the network of the associated traffic, or to switch to a different KeyServer. To monitor a different KeyServer, select Disconnect then use KeyAccess to select the new KeyServer, then use the Connect command to connect to the new KeyServer.
When KeyConfigure is not connected to a KeyServer, you can still configure Controls in local files, install KeyServer-control into programs, and run reports on local log files. Any program that is keyed off-line is not usable until its Control is placed into the Active Controls file of a running KeyServer.
KeyConfigure defaults to this disconnected state when a password is not recognized by the selected KeyServer.
Use this command to set page layout options for printing, such as the size of the paper you are printing on, and the orientation of the document on the page.
Select this command to print a Controls window or report. The familiar Print dialog box is displayed so that you can specify the number of copies to be printed and other information. When you click OK, printing begins. During the printing process, a dialog box is displayed, which contains buttons to Pause and Cancel your print job.
Because of its dynamic nature, the Users window cannot be printed. Generate a User Report to get a snapshot of current user data, or, if you need to capture the Users window at a particular instant, take a screen shot and print that.
 |  |
Use this menu to manipulate Controls window data. You can Cut, Copy, and Paste in all dialog boxes by typing the proper command key equivalent.
This command reverses the last edit operation performed on any single Control. The name of the command changes to reflect the nature of the Undo, and it is dimmed if the last operation cannot be undone, or the front-most window is not a Controls window.
This edit command removes all selected Controls from the front-most Controls window and places them temporarily in the Clipboard. The previous contents of the Clipboard are removed. You can then use the Paste command to place the Controls into any Controls window, including the Active Controls window. This command is dimmed if no Controls are selected, or if the front-most window is not a Controls window.
Deleting the Control for a keyed program disables all keyed versions of that program. Users subsequently attempting to launch keyed copies of that program are told that the application is not supported and that they should try a different KeyServer (even if there is no other KeyServer on the network). If you cut a Control for an unkeyed program, the Control disappears and the corresponding item in the Unkeyed Actions window reverts to "logged" or "ignored". All subsequent launches of the program are permitted. A controlled program (keyed or unkeyed) can be disabled without cutting by setting the number enabled to zero for all license pools. You can choose to attach a custom message that might explain why the program cannot be used, and where a working upgrade can be found, if one is available.
The Copy command places all selected Controls temporarily in the Clipboard. You can then use the Paste command to place the Controls into any Controls window, including the Active Controls window. The previous contents of the Clipboard are removed. This command is dimmed if no Controls are selected, or if the front-most window is not a Controls window.
Use Paste to place the contents of the Clipboard into any Controls window, including Active Controls. The Controls remain in the Clipboard so you can Paste them into other Controls windows. If the Clipboard and the destination window contain any matching Controls, the Controls in the Clipboard replace those in the destination window. This command is dimmed if there is nothing in the Clipboard, or if the front-most window is not a Controls window.
The Clear command removes the selected Controls from the front-most Controls window, and does not effect the Clipboard in any way. Because you can lose Controls permanently with this command, you are asked to verify your action. Also, remember that you can Undo this action, if only one Control was cleared and you have not performed any other edit operation since the Clear. See Cut for a better way to disable Controls. This command is dimmed if no Controls are selected, or if the front-most window is not a Controls window.
This command selects all items in the front-most window. It is dimmed if the front-most window is not a Controls window or the Unkeyed Actions window.
You can change the details of a Control -- the number enabled, the custom message, user pool information, etc. -- by selecting a single Control and choosing this command (equivalently, you may double-click on a Control, or select a single Control and hit the return or enter key). The Control Details dialog appears, and you may select the appropriate tab to change the information you want. See Details of Controls below. This command is dimmed unless the front-most window is a Controls window with a single Control selected.
The Template Control allows you to preset the details for any Controls you create. You can set them manually with the Edit Template Control command or, if you've created an actual Control that has the details you want to use, select this option after highlighting that Control in the Active Controls window. KeyConfigure sets the template with the options of the selected Control, and supplies those details to any Controls you subsequently create. You can modify any of the details "on the fly" as you create your Controls, without effecting the template.
Use this option to pre-set the details for any Controls you will subsequently create. Using a template can save time if many of your Controls are going to have similar details, or even if only some of your Controls are going to share details. You can use the template to supply these "generic" details and manually change the rest, because any of the details set with the template can be modified on a by-Control basis as the Control is created, without effecting the template.
 |  |
The Admin menu includes various administrative functions. This menu is only enabled when KeyConfigure is connected to a KeyServer.
Both the Users window and the Active Controls window are refreshed from the KeyServer on a schedule determined by your choice in this menu. A short refresh interval keeps KeyConfigure's windows synchronized with the KeyServer. A long refresh interval reduces KeyServer and network overhead. Select "Refresh Now" to initiate an immediate update. Reports running on a KeyServer log will run faster if the Active Controls and Users windows are refreshed infrequently, or closed. The Refresh Interval has no effect on KeyServer's interaction with KeyAccess clients.
 |
If this option is checked, each program that has at least one active user is
listed in the Users window, with the users of a program appearing below it.
Users who are logged into the KeyServer but are not using any controlled
programs are not listed. Users running more than one controlled program are
listed under each program.
Next to each controlled program list in this view is the number of licenses in use and the number of users (if any) waiting in line to get a license. Next to each user is the amount of time they have been using the licene, or the word "Waiting", indicating that the user is in line for the license. See the KeyConfigure Windows section for further explanation of the Users window. |
The KeyServer's active log file is written to a memory buffer on the KeyServer machine. When 1 Kbyte of information has accumulated, this buffer is automatically saved to the disk. "Flush Log to Disk" writes the buffer on command without waiting for the 1 Kbyte accumulation. This command is useful when running reports on the active log file (see Report Menu below).
To create a new log file in the KeyServer Data Folder and begin using it as the active log, choose this command and enter the new name in the dialog box that appears (see below). When you click OK, the newly created file becomes the active log file, and the definition of previous log file is updated accordingly.
The KeyServer remembers the names of two log files, the active log file and the previous log file (see Log File Management or The Active Log File). It assumes that both log files are in the KeyServer Data Folder.
Under certain circumstances it is difficult to access the KeyServer Data Folder and its contents in order to manipulate them. For this reason, the Delete Remote Log command is supplied. This hierarchical menu lists all of the log files that are located on the KeyServer machine. To delete one of these remote logs, choose it by name in the menu, and confirm your selection in the subsequent alert box. Note that the first item in the menu is dimmed. The first item is always the active log file, which you cannot delete until you make another log file active (see Log File Management).
There are several options available for organizing your log files. KeyServer's default is to let a single log file grow until there is no more disk space. It is generally more useful to maintain separate logs for each day, week, or month depending on your KeyServer's usage load and your reporting needs. The auto-swap options start a new log file at midnight after a specified number of days have passed, or alternately, after a log file has grown to a certain size.
KeyServer's log files will eventually use up all space on the KeyServer machine. Before this happens, you must make room for a new log file either by using the "Delete Remote Log" command, or by telling KeyServer to automatically delete old log files (you may also manually delete old log files). You may wish to keep a compression utility on the KeyServer machine, and periodically compress old log files. However, compressed log files will not show up in the Report menu, nor will you be able to delete them from within KeyConfigure.
The Auto-Swap at nnn Kbytes option keeps the size of your log files reasonable. When used with the Delete on Auto-Swap option, the KeyServer limits the amount of space used for its log files. This may be especially important when the KeyServer is running on the same computer as a file server.
You may also instruct the KeyServer to auto-swap the log file on a certain day. For example, you might want the swap to take place every Sunday night. The swap will always take place immediately after midnight on the date specified. To maintain a complete record of KeyServer log transactions, either un-check the Delete on Auto-Swap option, or remove the previous week's log file from the KeyServer Data Folder before it is deleted the following Sunday.
Whenever the log files are auto-swapped, the KeyServer performs the following steps:
The figure below illustrates what happens at midnight February 2nd and 3rd when the KeyServer is set to auto-swap every day and delete old log files. This scheme guarantees that at least one day's worth of log information is available at any time.
The Log File Content section contains a menu of settings, each of which enables a certain amount of information to enter the log file. You should select a setting that best suits your needs and desired use of the log file. The more information saved in the log file, the faster it will fill up your disk.
The following list details the information that is placed in the log file:
A large KeyServer installation logging both controlled and uncontrolled application launches will find that their log files can quickly grow large. If you are logging uncontrolled as well as controlled usage we recommend that you periodically look at your Unkeyed Actions window and scan for any logged applications that you might be able to set to Ignore. You can change a given program's setting from Ignore to Control or Log at any time.
Each KeyServer comes configured with KeyServer as its network name. If you would like to rename your KeyServer, select this item and enter the new name in the dialog box that appears. As soon as you click on the OK button, the name of the KeyServer changes.
Since users may be synchronizing their computers with the KeyServer, you should insure that the KeyServer's clock is correct. Use this command to examine and update the KeyServer's clock.
If you have Daylight Savings Time Awareness set in the Global Settings dialog (see below), you can also check the Daylight Savings Time checkbox, here, to move the KeyServer clock onto Daylight Savings time.
You may also change the KeyServer's clock by clicking on the Date/time display in the Users window.
KeyConfigure has two levels of passwords: the administrator password, which gives full access to all of KeyConfigure's functionality, and the assistant password, which gives limited access to KeyConfigure. Access privileges for the assistant password are set using the "Change Assistant Privileges..." command.
Both passwords are initially set to Sassafras. You should use this command to change this as soon as possible to ensure that your KeyServer cannot be accessed by anyone other than those whom you have granted permission. Type the administrator password, specify which password you wish to change, and type a new password twice. When you click on the OK button, KeyConfigure checks that the two new passwords you typed are identical, and then makes the change permanent. The new password is recorded on the KeyServer machine itself, and is not recorded as part of KeyConfigure. Changing the password in one place means changing it for everyone.
You should make sure that you change both the Administrator's and the Assistant's password, to avoid any confusion that might result from you, or someone else who needs an administrator's session, signing on later as Sassafras and not being able to figure out why they are only getting certain (i.e., the assistant's) privileges.
Note that since the KeyServer tolerates multiple sessions at both the administrative and assistant level, anyone who knows the default password can use it at any time to get full administrative privileges to your KeyServer if you have left the default in place.
Warning: If you lose your administrator password, access to the KeyServer can only be regained by shutting down the server and laboriously reconstructing its data. Be careful to change your password to something that you will remember and record it in a secure place.
The administrator password provides full access to all of KeyConfigure's features. There may be cases where someone needs access to KeyConfigure, but should not be given full access privileges. For example, the KeyServer administrator may have assistants who run reports on KeyServer's log file, but who should not be able to change the settings of Controls.
With this command, the administrator can change the access privilege's given to anyone who types the assistant password. Only the administrator has the capability to change these privileges, and for extra security, the administrator password must be re-entered when the privileges are being changed.
The assistant privileges are listed below, along with a description of what each privilege allows the assistant to do. Privileges are either read-write or read-only.
Assistant privileges are determined upon connection, and cannot change during a given session. This means that, if you change the assistant privileges, anyone logged on as an assistant retains the older privileges until they disconnect. Upon re-connection, the assistant will be granted the newer privileges.
If someone is connected to KeyServer with read-write privileges, any new connections are granted read-only access. This means that the new connection is granted only those privileges that 1) are granted by the password used, and 2) are read-only. It is wise to give assistants read-only privileges, so that the administrator can connect at any time.
The Global Settings allow you to set some KeyServer-wide options that define how your users' copies of KeyAccess interact with the KeyServer. These settings control how KeyAccess handles applications that have been running in the background for longer than a specified time, whether your KeyServer logs will contain information about un-controlled, as well as controlled, launches, and whether or not copies of KeyAccess and the KeyServer are aware Daylight Savings Time.
The Background Warning asks users to quit any program they have left unused for longer than the length of time specified here.
You also use this option to set the interval between the first and all subsequent warnings, which continue along the guidelines you set via the Default/Idle Warning Options dialog.
To further modify how the KeyAccess handles applications that have been running in the background, click the Default Idle/Warning Options button. The following dialog appears:
If program is left idle for more than time allowed allows you to set the action taken for idle-time-based reclamation. Upon reaching the specified time, which defaults from the value set in the Global Settings dialog, the user is either left alone, warned and allowed to continue, (with warnings recurring at short intervals), warned 3 times before being presented with a dialog that quits the application after cancel or Save is selected by the user, or simply quit from the program after choosing to save or cancel.
If Idle and more than n% of licenses are in use gives you the same options as the first selection, but allows you to base the reclamation on how closely the application's usage count is to the maximum. Set the percentage here; the chosen action occurs after the amount of time specified in the Global Settings dialog has passed.
If idle and more than n users are waiting in line gives you the same options as the other selections, but lets you base reclamation on the presence of more than n users queued for the application in question. Set the number of users here; the chosen action occurs after the amount of time specified in the Global Settings dialog has passed.
The Time Zone & DST Aware setting allows you to specify whether KeyConfigure checks its Time Zone and Daylight Savings Time setting against any clients who claim a seat on the KeyServer. Click an X in this box if you want the KeyServer to check against the client's Daylight Savings Time setting. Leave this box empty to disable this checking.
KeyServer allows you to automatically back up your most critical KeyServer-related data, i.e., the data you've entered into the system after setting the KeyServer up. In the event of a crash the generic files can of course be easily replaced off your original KeyServer Package diskettes, but this is not the case with information about the programs your KeyServer is controlling, the portable keys that are currently signed out, the unkeyed program data you've collected, and so on.
Select "Change Backup Schedule..." from the Admin menu to set a daily, multi-day, or weekly backup schedule. The following dialog appears.
Enter the time you want the backup to occur, and enter the day(s) of the week you want the backups to be done. You don't have to choose an "off hours" time, since the backup process will occur without interrupting normal KeyServer service. The important thing to consider is working the time around any other scheduled backup routines that might affect the KeyServer machine. There is also aBackup Now button that performs an immediate (unscheduled) backup.
The backup files are placed in a subfolder on the KeyServer machine itself, in the KeyServer Data Folder. You can place a shortcut or alias in the backup folder if you'd like the files to be backed up onto a remote volume, to protect against utter disk failure. Unscheduled backups are placed in a separate folder labeled Unscheduled.
The files that are backed up are:
 | We strongly recommend that you set a backup schedule soon after setting up your KeyServer, since the data in these files is otherwise irreplacable and if lost must be regenerated from scratch. |
The Authentication command lets you specify the method by which users become authenticated either to the KeyServer or to a particular application. The restrictions for each individual Control are set in the Control Details dialog box, explained under Details of Controls below.
KeyServer's authentication method is initially set to All Authent. To change the authentication method, choose the method you desire from the Method pop-up menu. All authentication modules installed in the KeyServer Data Folder are listed. The Authentication dialog box is modified so that you can configure the method, and the method goes into effect as soon as you click OK. Remember that only one authentication method can be active at one time.
The authentication setup dialog is different for every authentication module. For details on the standard authentication methods - how they operate, how they determine which users are authenticated, and how they are configured - read Appendix A: Standard Authentication Methods.
Because some networks are likely to be accessible from around the world, you may wish to limit the locations from which users can access your KeyServer. When you select this option, the Network Access Limitations dialog box appears. This dialog has three tabs. One for AppleTalk access, one for TCP/IP, and one for IPX. All three work in the same manner. You chose which zones, subnets, networks, etc. will be allowed access to the KeyServer, assign group names to each location/range, then click OK.
This example shows one possible set of configurations for TCP/IP access, in which a number of groups have been created beyond the All IP Addresses setting (which exists by default and cannot be removed, though it can be turned off). Note that the Permit Access box is set to off for All IP Addresses (and is also unchecked for Building 114). Only those address/range combinations expressed by the remaining entries in this list will be allowed access via TCP/IP. If All IP Addresses was set to on, users in Building 114 would be permitted entry (even if the Building 114 group was left off), since users in that building still fall under the umbrella of All IP Addresses.
| You might consider turning All IP Addresses off and adding a group or groups that limit access to the smallest range of addresses that encompasses your potential clients. Even though permitting All IP Addresses does not mean that anyone with a connection to the Internet and the correct IP address or DNS value for your KeyServer has access to your KeyServer-controlled applications, it does mean that a user attempting an otherwise valid KeyAccess logon is not discriminated against based on the IP address of their computer. |
Groups you define here can be associated with the various "license pools", described under Active Controls Window, below, to allow you to limit subsets of licenses to a particular range, or ranges, of IP addresses. This lets you control access down to a single copy of a program being reserved for a particular user, if you wish.
| Do not name a group Global as that term is reserved for the generic group. If you name a group "Global" here it will not be usable. |
To add a group to the list, click the New... button. A window appears, allowing you to enter an AppleTalk zone, IP address range, or IPX network range (depending on which tab is selected). Once you add a location click OK to add it to the Locations list. Then select it and enter the names of groups you want to associate with this new range. For instance, if Building 114 is an IP subnet unto itself, you would add that range then hilight it and enter Building 114 in the Groups entry box. Then, in the Active Controls file, you could open a Control, create a pool with n licenses available, and designate only Building 114 as an associated group. Once you've done that, if there are no other pools associated with that application, access to that particular program is limited to users in Building 114.
KeyServer 5.0 also lets you specify which port it uses for IP packets. The default is 19283, but if you need to specify a different port (for firewall clearance or to run a second KeyServer on a given computer) you can do so here.
Note that you can completely block TCP/IP or IPX access by unchecking Allow users to log in over TCP/IP or Allow users to log in over NetWare (IPX).
The Allow users to log in over... value is dimmed for the protocol you are currently using to talk to the KeyServer. That is, you cannot turn IP access to the KeyServer completely off when you are talking to the KeyServer via TCP/IP.
While it is possible to upgrade to a new version of the KeyServer without forcing your users to upgrade to a new version of KeyAccess, each new KeyAccess version introduces new features and contains all KeyAccess bug fixes to date. You may want your users to have recent versions of KeyAccess so that they can benefit from these features and fixes. KeyAccess versions are controlled in the dialog pictured below.
By selecting a value from the pop-up menus pictured below you can which versions of KeyAccess are up-to-date, out of date, or obsolete. Users who have obsolete versions of KeyAccess in their System Folder are told that they must upgrade in order to use controlled programs. They are not able to use controlled programs until they get a new version.
Users of older but still valid versions of KeyAccess are told that they should upgrade to the newer version. Most controlled programs are still usable, but if a program requires the services of a newer version of KeyAccess, users are told that the program can't be run.
When you upgrade from old versions of KeyServer, you may wish to allow a grace period for users to upgrade their KeyAccess, and then disable these versions.
At certain times, you may wish to inform users of new programs supported by the KeyServer or other important information. To do this, you should send a bulletin message. Bulletins can be sent to all users, to the current users of a specific program, or to a single user.
To send to all users, select the Send command and type in the message. When you click on the OK button, a "*" appears next to each user in the Users window, and remains until the message has been received by that user. It may take a few minutes for KeyServer to cycle through all of the logged-on users.
Double click on a user's name in the Users window to send a message to the individual user or select the user and choose the Send command. When viewing the Users window by Programs, you can send a bulletin message to all users of a program by selecting the program name and choosing the Send command.
Even at moderate-sized KeyServer sites the number of items in the Users window can sometimes extend for screen after screen. You can therefore often find the information you want most quickly by using this command, which allows you to sort the information in the Users window by User Name, Client Address, KeyAccess Version number, Hardware Platform, or Application Usage.
User names for all users currently logged onto the KeyServer appear in the Users window, along with each user's KeyAccess version number, and the name and usage times (hours:minutes.tenths of minutes) of any active programs. You can view any user's network address information by double-clicking on the name.
 |  |
This menu contains commands that let you manipulate the Controls in the Active Controls file. There are two types of Controls (keyed and unkeyed) but in both cases the term describes a program for which KeyServer is controlling access based on your specifications.
Change the order in which KeyConfigure displays the Controls in a Controls window by selecting one of the "By..." commands. The current view option for the front-most Controls window is marked with a check (D).
Each of the options available on this Menu are discussed below. For in-depth information on a particular options, see the Unkeyed Actions Window and Active Controls Window sections, below.
When you need to control an application with security, choose this command and use the Open File dialog box to select the application (only applications that are not already under KeyServer control appear in the list).
|
A Zero Footprint install is available to take care of a few Macintosh
programs that check themselves for modifications before running. Always test a
program after you key it. If it complains about being modified and will not
run, drag the useless keyed program in the trash, and delete its Control (see
the Clear command above). Re-install with the Use "Zero Footprint"
Patch option checked. Since Zero Footprint directly affects a program's
key, as opposed to the type of service enabled by KeyServer, it is fixed at
install time and cannot be changed (except by re-installing into a fresh copy
of the original program).
Note that Zero Footprint is only required for 68K Macintosh programs and the 68K portion of "fat" Macintosh programs. It has no effect when keying native Power Macintosh or Windows programs. A Macintosh program that is keyed with the zero footprint patch and has no custom post-launch message is totally transparent to the Mac Operating System. A knowledgeable software pirate may also find the zero footprint patch more transparent. For a more pirate-proof control, do not check the Use "Zero Footprint" Patch option. Note also that two copies of the same program keyed with a zero footprint patch and a non-zero footprint patch are treated as two distinct programs by the KeyServer. The two distinct keyed programs will request their own distinct keys. |
After you click the Install button, the tabbed Control Details dialog box appears. With this dialog box, you can tailor the Control to your requirements. If you are using a Template Control, many, or even all, of the Control Details may already be set as you wish. Change any details that require modification and click OK.
To modify the options and other settings of a Control at any time, double-click on its entry in the Active Controls window.
Choose this command to create a new suite, into which you can place Controls that share a license. The new suite will be created, and you can change the settings via the Control Details dialog, as you would with any other Control. To place a program Control into a suite, drag the Control (or selection of Controls) on top of the suite, and drop the selection into the suite.
If you have selected Controls in the (frontmost) Controls window when you choose this command, those Controls will automatically be placed into the newly created suite. For a full discussion of suites and their uses, see the KeyServer section of this manual.
Choose this command to place an application installer under KeyServer control. Deputized installers can then be used to automatically create keyed versions of any Macintosh or Power Mac applications that the undeputized version was capable of installing. Your users don't need to know that an installer they're using has been deputized because the only difference between an application created by a deputized installer is the keyed version of the executable that appears after the installer has been run.
Choose this command to deputize a text file script that will run with a deputized installer for a Macintosh or Power Macintosh program. By deputizing an installer's scripts you can ensure that the users run exactly the copy of the installer that you specify.
To hide from view all Controls for which the license count is zero, choose this menu item. When the item has a check next to it, all such Controls will be hidden. As an indication that some Controls are not listed, the Total count at the bottom of the Controls window will display the actual number of Controls in the file, and the actual number shown. To reveal the hidden Controls, choose this menu item once more (the item will lose its check).
The Controls within a Controls window can be displayed as a straight list of Controls, or they can be grouped by suite in a two-level hierarchy. When grouped by suite, all Controls that belong to a suite are listed below the suite.
When Controls are grouped by suite (the "Group Keys By Suite" item described above is marked with a check), the members of suites can be hidden from view. This way, the important summary information is displayed in the Controls window (such as how many users are using a particular software package, and how many licenses are available for the various packages) without the additional details (like which versions of a program are being used).
Suites will still appear in boldface, indicating that they might be hiding details of the member Controls. Program Controls that are not associated with any suite are not hidden from view, and appear in the list along with the suites.
To change the order in which you view the Controls in a Controls window, select one of these options. The Controls in the front-most window are sorted and displayed in the order you selected. The last option, "By Current Usage", is only enabled for the Active Controls window. Because the sorting criterion is dynamic for this option, the Controls may suddenly change position. Therefore, we recommend that you use another sorting option if you are editing your active Controls window.
You know which keyed applications are in use because you've made those particular applications available to your users in the keyed state. The KeyServer is also aware, through KeyAccess, of which unkeyed applications are being launched by your KeyServer clients. If you choose to enable the collection of unkeyed launches, this information can be written to your KeyServer log for reporting. KeyServer also auto-collects and maintains a list of all unkeyed applications that have been launched, and makes them available to you in the Unkeyed Actions Window. To see this window select "Show Unkeyed Actions" from the Controls menu. The Unkeyed Actions window looks like this:
KeyServer stores all the Controls and program license information in a Controls file., and the Controls file named Active Controls in the KeyServer Data Folder (on the KeyServer itself) is the file that actually controls software usage. When KeyConfigure is monitoring a KeyServer, the Active Controls window shows you all the license information from this file. The number of users who are currently running the program (and the number who are waiting) is also shown and updated dynamically. Use the "Show Active Controls" command from the Keys menu to bring the Active Controls window to the front. Backup or archival Controls files are opened using the Open command from the File menu. These do not show any active usage counts. Any Controls window can be printed via the Print command in the File menu.
 |  |
You run reports against the data in you KeyServer's log files. The logs accumulate usage statistics on all KeyServer activity and the reports do analysis or other housekeeping tasks by reading through the file one record at a time from the beginning of the log file. Note that reports running on remote log files will run faster if the Users and Active Keys windows are closed or only refreshed infrequently during processing of the log.
Select a local or remote log file from this hierarchical menu to create a new report. When the new report window appears, select the desired report by clicking on its icon. If you have set a default report (see below), that report automatically starts on the selected log file. You may have any number of Controls and Report windows open.
When KeyConfigure is not connected to an active KeyServer, only local log files are accessible.
Normally, when you start a new report on a log file, the available reports are displayed in the report window, and you click on one to start it running. If you run the same report all the time, and wish to skip this step, you may set up KeyConfigure to always run the same report. Select a report from this hierarchical menu to make it the default, which runs immediately whenever you create a new report window. You may change or cancel the default at any time by selecting a different item from this menu.
Select this command to pause the reports in every open report window. This command can be useful if you want to relieve the network of traffic (if you are running reports on remote log files), or if you wish to save a report in a certain state. You can resume all reports by selecting the Resume All Reports command in this menu, or you can resume an individual report by clicking the pause button in the report's window (see Report Window below).
Select this command to resume all paused reports. This command is useful if you have paused a number of reports, and you do not wish to restart each one individually. Remember to check each report, to see if it is about to chain to the next log file. You can read about chaining in the Report Window section below.
This option allows you to globally set the time display and chaining behavior for your reports. When you choose this option the following dialog box appears.
The first set of radio buttons control the format in which the reports display lengths of time. Chose Standard time format to display in hours, minutes, and seconds. Choose Displayed time format to display in hours, minutes, and tenths of minutes. Number of seconds displays time spans in seconds only.
The lower pair of radio buttons allows you to specify whether you want the log files to chain by default or pause before chaining.
 |  |
The Shadows menu contains commands for installing KeyShadows and for monitoring and controlling remote KeyShadows. KeyShadows provide automatic backup service in case the main KeyServer is not available. KeyShadows can be installed on any number computers on the network, and will silently poll the KeyServer for changes in its information and/or configuration. Note that while a shadow can provide service to either a Macintosh- or Windows-based KeyServer, the shadows themselves must be resident on a Macintosh or Power Macintosh computer. KeyServer 5.0 does not support Windows-based shadows.
Use this command to install a KeyShadow directly on the computer that is running KeyConfigure. The new shadow server will be placed in the Extensions Folder, and can be made invisible. All of the KeyServer's currently supported Controls and their settings will be installed in the new KeyShadow file. In order for the KeyShadow to start shadowing the KeyServer, you must restart the computer. Since shadows can only be installed on Macintosh computers, this selection is not available when KeyConfigure is run on a Windows computer.
Even on a Macintosh, this menu command is only available when KeyConfigure is connected to the KeyServer from a remote (non-KeyServer) computer. If you wish to install KeyShadows while disconnected from the KeyServer, use the "Make KeyShadow Installer" command described below.
When you install a KeyShadow, the KeyShadow configuration dialog box appears. In this dialog box you can tell KeyConfigure to make the KeyShadow file invisible and set the number of users who will be able to access the shadow. This information can only be set at installation time, and cannot be changed later.
The invisible attribute may be useful when you install a KeyShadow on a computer that is more or less publicly accessible. Even though there are several security features that make a KeyShadow difficult to steal, making the shadow invisible may help someone avoid any temptation.
Whether you use the Minimum, Half, or Full size KeyShadow in a particular location depends on how you are setting up shadows on your network. In general, if you are using only a few shadows, you should use full size KeyShadows. If you are installing a KeyShadow in every zone of your network, minimum or half size shadows will probably suffice to support all the computers in the zone. If at a later date you determine that a KeyShadow is oversized or not large enough, you can always re-install another KeyShadow over the older one.
For more information on setting up your KeyShadows, see the KeyShadow chapter later in this manual.
In some cases, you may have to install a KeyShadow when the KeyServer is unreachable due to network failure. In these situations, run KeyConfigure from a Macintosh that can reach the KeyServer (perhaps this is the KeyServer machine itself), and choose this command. Since shadows can only be installed on Macintosh computers, this selection is not available when KeyConfigure is run on a Windows computer.
After you type an installation password of your choosing (and perhaps specify the main KeyServer's AppleTalk Zone), KeyConfigure creates a KeyShadow Installer application. This application can be brought to any other Macintosh computers on your network, and will install a KeyShadow file without first getting a network connection to the KeyServer. You can use one KeyShadow Installer to install multiple shadows, but for security each KeyShadow Installer lasts up to two hours. After its installation time period has passed, a KeyShadow Installer will no longer install shadows.
For more information on setting up your KeyShadows, read the KeyShadow chapter.
When either the Macintosh or Windows KeyConfigure first starts up it initiates a network scan for all of the KeyServers and KeyShadows present. This scan will be completed anywhere from one to thirty or more minutes after it is started, depending on the size of your network. You can still do other work and view the partially collected list of shadows while the scan is in progress.
If you wish to initiate another full scan of your network (for example, if previous scans were conducted while the network was down), choose this command. KeyConfigure will then scan you network once again, and refresh the list with any newly found shadows.
Once the network has been scanned for shadows, KeyConfigure periodically polls each known shadow for updated information, such as the state of the shadow and the time the shadow last contacted the KeyServer. Read the KeyShadow States section for descriptions of the various shadow states.
When a network search is in progress, use this command to stop the search. A new search may be initialed by choosing the "Start Searching" command. Use this command when you have found all shadows that are of interest, and you wish to relieve the network of the traffic generated in order to perform the search.
On large networks, waiting for KeyConfigure to search in all zones for installed shadows can take a long time. The Shadow Search Filter provides a way for you to tell KeyConfigure which zones to search, thus decreasing the time it takes to find all of your shadows. Optionally, KeyConfigure will search through the entire network after it has looked for shadows in the Shadow Search Filter. Since shadows can only be installed on Macintosh computers, this selection is not available when KeyConfigure is run on a Windows computer.
The window that appears when you choose this command will contain all of the zones on your network that are visible (if you are having network difficulty, some or all of the zones might not be listed). Zones marked with a check will be searched (in alphabetical order) before unchecked zones. Place a check mark next to a zone by clicking once on the zone name.
If you know that there are no shadows in the zones that are not checked in the Shadow Search Filter, then KeyConfigure does not need to search in these zones. To instruct KeyConfigure to search only in the checked zones, hilight the Search checked zones only button.
Note that the Shadow Search Filter looks at AppleTalk zones only; IP shadows will only be found if they are listed in the Shadow Hint List. All properly installed, active, and reachable IPX shadows will be located during the search.
The Shadow Hint List allows you to specify which zones Macintoshes check when looking for AppleTalk shadow support, and which IP addresses Macintoshes or Windows computers use when looking for TCP/IP shadow support. For a discussion of the Shadow Hint List, see the KeyShadow chapter later in this manual.
About once every five minutes, KeyConfigure polls each shadow displayed in the Shadows window. If you wish to know the absolute latest information about a particular KeyShadow, select it in the Shadows window and select this command. KeyConfigure will then immediately update its information about the shadow. You can also double-click on a shadow to see more detailed information. In this case, KeyConfigure also updates its information immediately.
KeyShadows can become inactive for one of several reasons. For instance, if the network has been down for over two days, or a shadow has not been able to contact the main KeyServer for a long time due to other circumstances, the KeyShadow(s) will automatically become inactive for security reasons. Also, you can manually inactivate a KeyShadow at any time using the "Put Shadow to Sleep" command. If a KeyShadow indicates that it is inactive, you can re-activate it at any time by selecting it in the Shadows window and choosing the "Wake Shadow Up" command. See the "Put Shadow to Sleep" command for more information on inactive shadows.
At times it may be necessary to temporarily turn off a KeyShadow. For example, when you are trying to isolate a network problem, you may want to eliminate the traffic that is generated by KeyShadow without having to go around to each shadow and restart the computer on which it is running.
When you choose the "Put Shadow to Sleep" command, the selected shadow is deactivated (it goes into the "Inactive" state). Shadows in the Inactive state do not poll the main KeyServer, nor do they take over service when the network fails.
There are a few reasons that a KeyShadow can become inactive. You can manually deactivate a shadow as just described, or if a shadow has been serving Controls for a long time without seeing the main KeyServer, it will automatically inactivate itself for security reasons. Also, when a serving KeyShadow reaches its configured user limit, it inactivates itself for a while until users' requests subside.
To activate an inactive shadow, select it in the Shadows window and choose the "Wake Shadow Up" command. Alternatively, you can restart the computer on which the KeyShadow runs.
Each KeyShadow updates its license information about once every thirty minutes. This way, when you make a change on the KeyServer, all of the KeyShadows on your network will learn about the change within one half hour. If for some reason you want a KeyShadow to update its license data immediately, you can select the shadow in the Shadows window and choose this command. Note, however, that you should not make a practice of resynchronizing all of your KeyShadows every time you make a change. This is because the synchronization process generates a burst of network activity (while the shadow is updating its licenses). The periodic synchronization that automatically occurs minimizes the network traffic by updating only that information that has changed since the last synchronization took place.
Use this command to disable (permanently turn off) a KeyShadow. Before the shadow disables itself, it posts a message on the shadow machine's screen suggesting that the user drag the KeyShadow system extension into the trash. The administrator disabling the shadow is given one confirmation message before the shadow is disabled, and the shadow is disabled as soon as this confirmation is accepted (even if there is no one at the shadow machine to accept the message suggesting removal of the shadow extension). Disabled shadows no longer appear in the Shadows window, and no longer load when their host computer starts up. You will have to install a new KeyShadow if you want to re-instate shadow service from this location.
Note that you can only disable shadows listed beneath the KeyServer to which your KeyConfigure session is connected. You cannot disable shadows belonging to other KeyServers.
Each KeyServer can have multiple shadow servers, or KeyShadows, providing redundant emergency service in case your network has problems. A shadow can be placed on a Macintosh or Power Macintosh and provide service from there to all users of either a Macintosh- or Windows-based KeyServer. When you open KeyConfigure, your entire network is scanned for KeyShadows, and those found are displayed in the Shadows window. For a full discussion of Shadows see the Shadows Window section later in this chapter, or the KeyShadows section of this manual.
Most of the work in KeyConfigure gets done from five main windows: Users, Unkeyed Actions, Active Controls, Report, and Shadows. This section discusses each of these windows in depth and includes information on the dialogs available from each window.
The Users Window allows you to see who is currently logged on to the KeyServer and includes information on any KeyServer-controlled programs they are currently using. You can also use this window to reclaim keys, and to send a message to one user, a subset of users, or to all users. You can display the User information by program name or by user. Use the former if you want to see who is currently using a particular program; use the latter if you want to see all programs currently being used by a particular user.
You display the Users window by selecting "Show Current Users" from the Admin menu.
The window above is sorted By Program, meaning that each KeyServer-controlled program is listed in boldface and with a current in-use total on the same line. Programs are listed in order of launch, and the names of all current users are indented and listed below each program name. This is the way you'd sort the window if you wanted to know who was using a particular application. If you wanted to see all programs in use by a given user (or any user) you would turn off the "View Users by Program" selection in the Admin menu.
When you're viewing by user (i.e., when "View Users by Program" is off) the Admin menu's "Sort Users Now" selection allows you to sort the users by:
The Users window's header lines display information about the KeyServer itself. This includes the KeyServer's Network Name, name of the current log, date and time, amount of freespace on the KeyServer machine, the current user total, number of licenses currently in use, and the current authentication method.
The Users window receives updated information from the KeyServer on a schedule you determine by means of the Admin menu's "Refresh Intervals" option. The user and program counts at the top of the window are updated more frequently, so these numbers may on occasion be out of sync with what you see in the Users window for as much as a minute.
A program name followed by "(W)" indicates that the user is waiting to be notified when a license for the program becomes available. A program name followed by "(Rn)" indicates that the license is on reserve (the number n indicates how many minutes until the reservation expires). A bullet "*" in front of a user's name indicates pending delivery of a bulletin message. See Bulletin Messages for details on sending bulletins.
The name of any KeyServer-controlled program currently in use is listed along with the names of users using the Control. If a user is running more than one copy of the same KeyServer-controlled program, the times for the two licenses are displayed next to each other.
Bulletin messages may be sent to specific active users or to all users currently logged on to KeyServer. To send a message to a specific individual, double click on the individual's name in the Users window. To send a message to all currently active users choose the Send Bulletin command from the Admin menu.
If a user is selected in the Users window, the Bulletin message dialog box that appears contains some detailed information about the user, including the location of the user's computer, and the programs the user has open or is waiting for.
When the Users window has "View Users By Program" enabled, you can double-click on a program name to direct a bulletin to all users of that program.
If no users are selected in the users window, and you choose Send Bulletin, the KeyServer attempts to deliver the bulletin message to all users currently logged on. When you click on the Send button, a "*" appears next to each user name in the Users window, and remains until the message has been received by that user. It may take a few minutes for KeyServer to cycle through all of the logged-on users.
The following macros may be placed in any bulletin message, and KeyAccess will replace them with the appropriate values:
For example, the message:
^u - important meeting in 15 minutes. It is now ^T.
is expanded by KeyAccess to something like:
John Public - important meeting in 15 minutes. It is now 11:20 AM.
You can also tag your message with a message identifier (the number that appears in the lower left hand corner of the alert posted by KeyAccess). To add a message tag, type [.message number.] anywhere in the message text. The message tag can be anything you want; it is provided for quick reference.
Although the KeyServer guarantees delivery to all users who have a good network connection to the KeyServer, they may be away from their computer when the message arrives. Users who have configured their KeyAccess to "Remove Messages" will miss the message if they are away from their computer for more than five minutes.
The bulletin window can also be used to force a reclaim of one or more licenses. Reclaimed licenses are immediately available for other users, even if the user or users who have had their licenses reclaimed are ignoring the nuisance messages telling them to quit.
You can reclaim all the licenses for a given user by double-clicking on the user's name and then clicking in the Reclaim Licenses box in the Bulletin Message dialog. When you send the message, the licenses are reclaimed.
| If you want to reclaim all the licenses currently in use for a particular application, sort the Users window by program and double-click on the name of the application for which you want to reclaim all licenses. Sending the message to the users in question immediately reclaims the licenses for that application. Other applications currently in use by those users continue to work normally. |
The Users window running on a Macintosh version of KeyConfigure lets you reclaim any portable keys checked out to either Windows or Macintosh clients. Because the users of these portable keys do not necessarily have a current connection to KeyServer, you cannot send bulletin messages to these users (unless they are listed elsewhere in the Users window).
When you double-click on one of the listed portable keys, KeyConfigure displays the Portable Keys Options dialog box, allowing you to make a duplicate copy of an existing portable key. This feature is useful when a user has lost a portable key or the disk on which a portable key is stored becomes corrupted, since a re-issued key can be returned, via KeyCheckout, as if it were the original.
Through the Portable Keys Options dialog you can specify the disk on which to place the re-issued portable key. Once the portable key is (re)created, you can use KeyCheckout to further manipulate it. You can also limit the number of times a portable key may be moved, and set other security options.
A copy of KeyAccess running on a client computer reports the launch of any unkeyed programs to the KeyServer. The KeyServer checks its Unkeyed Programs Database and if it has not seen this unkeyed program before it adds a new item for that program and creates a line item in this, the Unkeyed Actions window. If KeyServer already knows about this application (that is, the program has previously been launched unkeyed by a KeyServer client) KeyServer will, depending on what you've told it to do, either:
You can view the Unkeyed Actions Window by selecting "Show Unkeyed Actions" from the Controls menu.
The option you select for Unkeyed Actions governs whether your KeyServer is currently collecting data in this window at all. If you are not interested in collecting unkeyed application data, click on Disabled and KeyServer will stop collecting this information. You can switch between Enabled and Disabled status at any time without losing previously collected data.
If you're collecting unkeyed application launch data you should periodically scan this list to see which unkeyed programs have been launched since the last time you checked.
The Default Action controls whether an item gets added to this list as Ignored or Logged. Ignored means that subsequent unkeyed launches of a program will not be noted in the KeyServer log. Logged means that subsequent unkeyed launches are permitted, but an entry is made in the KeyServer log and information on all launches is available to you for reporting.
The three dots associated with the Show setting allow you to specify whether you want to view Logged, Ignored and/or Controlled applications in this window. Note that this setting controls display only, and has no effect on other actions you specify here. That is, you can turn the Show settings on or off at any time without affecting the data that KeyConfigure is collecting.
Set Action allows you to tell KeyServer, on a by-program basis, how you want unkeyed launches to be handled; if you don't care to track launches of a particular application, highlight its entry in the window and click the green dot associated with Set Action (that is, if it's not already set to green). The highlighted line changes from red to black, signifying that it is no longer an unprocessed item, and Ignored appears next to it. Subsequent unkeyed launches of all versions of this program will be completely ignored by KeyServer, and no log entries will be made for that program. If you highlight a program name and click on the yellow dot, the line item changes the status to Logged, meaning that subsequent unkeyed launches are permitted, but an entry is made in the KeyServer log and information on all launches is available to you for reporting. If you highlight a program name and click the blue dot, signifying that you want to make an unkeyed Control for this application, the following dialog appears:
Enter the name you want to give this Control (KeyConfigure offers the name of the program itself, followed by the word "Control") and click OK. The name you specify appears in the Action column and, more importantly, a new item is added to the Active Controls file, with a fully configurable set of options that will allow the KeyServer to handle subsequent launches of this program just as if it were a keyed program.
After you create an Unkeyed Control for a program you should go to the Active Controls Window and set the limits and options for that Control. For details on the these limits and options, see the Active Controls Window section, below.
You can set the state of an unkeyed Control back to Logged or Ignored at any time.
The Active Controls window allows you to view and manipulate the information for all the programs, both keyed and unkeyed, that your KeyServer is controlling. This window gives you a visual overview of all the suites and stand-alone programs your KeyServer is controlling, including the counts for copies In Use, Enabled, and Waiting for each Control. You view the Active Controls window by selecting "Show Active Controls" from the Controls menu.
Each line item in the Keys window is accompanied by an icon that gives you a quick reference to the type of Control you're looking at. You can also identify a program type by double-clicking on it and looking at the icon in the lower left or the identifying text in the lower right of the Control Details dialog.
| Stand-alone Controls should always be modifiable to a user signed on with the Administrator's password. Although you can view the details for a suite member, and change the custom message, all other details are disabled, and must be changed via the details dialog of the controlling suite. |
You can edit any Control's information by double-clicking on its entry in the Active Controls window, or by selecting the Control and choosing "Edit Control" from the Edit menu. In either case a tabbed dialog will appear. Click on the appropriate tab to change the desired detail for this Control. The information at the bottom of the screen is always displayed regardless of which tab is selected. This information includes the type and platform of the applications, the date the Control was created and last modified.
To change the number of enabled copies for a particular pool of users of this application, click on the Licenses tab, select the appropriate pool, and change the License count to the desired value. You can always get back to the previous settings by clicking on the Cancel button.
If you set a Control's usage limit to Infinite, users will never be denied access to the controlled program. This is also the case if you set a license limit here but then click the Options tab and check the Over-limit option. This is an easy way to track a program's usage for later license negotiations without inconveniencing your users.
This tab controls the name by which it appears in the Active Controls file, KeyCheckout, and in the KeyServer logs and reports. It also contains the Custom Message field and associated selection boxes, and the Notes field.
The value you enter in the Program: field is for the use of yourself and other KeyConfigure users. The value entered here has no effect on the application's name as displayed on local computer, servers, or other non-KeyConfigure locations. This allows you to customize this value to make similar applications more easily recognizable. If for instance you have two versions of Microsoft Word, you could change the names of the Controls to "MS Word 16" and "MS Word 32" or "MS Word 68k" and "MS Word PPC". Or a cross-platform suite could contain "MS Word Mac" and "MS Word Win".
Although the notes field is useful for similar reasons, changing the Program: value can still be worthwhile since that name will display in the Active Controls window and not just here at the details level.
The use of the Custom Message field varies depending on which of the associated checkboxes you have checked. The standard usage is to put an informational message in this box and check On Launch, so that the message appears whenever a user launches this program. If you want user access to KeyServer-controlled applications to be transparent you can blank out the Custom Message field or simply uncheckOn Launch". Note that if the users of a particular application are getting a message box that seems to contain no text, it's likely that the message field contains a space or other invisible character. Remove the characters (make sure the cursor is in the full upper-left corner of the text box) and the (apparently) empty message box will stop appearing.
If you check onlyOn Deny or On Queue , users will only see the text in this field at those times. If you leave all three checkboxes unchecked, user access will be transparent on successful launch, and on denial or queue the appropriate standard KeyServer message displays on the User's computer.
The following macros may be placed in any bulletin or custom message, and KeyAccess will replace them with the appropriate values:
The Notes field is for whatever data you care to enter. It is not reflected or displayed anywhere else in KeyServer and never appears on a user's computer.
The Licenses tab allows you to control how many copies of a KeyServer-controlled application are available to your users, which users those copies are available to, and when copies are, or are not, available to some (or all) users. The limits and options grouped under this tab can be considered the heart of the administrator's interaction with the KeyServer.
The Licenses tab looks like this:
| While all licenses for many of the programs your KeyServer controls may be made available to all your clients, it is extremely important when looking at licenses data to keep in mind that different numbers of licenses can be made available to different groups of users at different times, by means of Schedules. |
While any Control can have multiple schedules, the schedules themselves can only be displayed one at a time in this window; view a Control's various schedules by means of the popup menu that reads "Unscheduled Times" in the picture above. The other data in this window (such as the groups listed under the Group: heading) are very likely to change based on which schedule is displayed for a given Control.
Let's say a site has 30 licenses of 1-2-3 for Windows, as in the picture above, which indicates that during unscheduled times those 30 licenses are divided between the groups Global, Building C, Norris Lab and Portable.
The pools in the example above have 0, 7, 14, and 9 copies available to them respectively. This means among other things that no users outside Building C, Norris Lab, and the Portable group have access to 1-2-3, because the Global pool has been set to zero copies enabled (it's possible, and perhaps preferable, to limit universal access by simply deleting a Control's Global pool, but for this example it's been left as a mental placeholder). The 30 licenses are therefore divided between Building C, Norris Lab, and the Portable pool. Users in Building C (the selected line) share 7 licenses, which can be used on the network or signed out via KeyCheckout (yes/yes in the Network/Portable checkboxes). Users in Norris Lab share 14 licenses but can only use them on the network. The users that make up the Portable group have a pool of 9 licenses for 1-2-3, which are reserved for offsite use.
But let's say that the Control for 1-2-3 for Windows has multiple schedules, in part because the administrator wants all 30 copies of the program to be available to all networked KeyServer clients on Saturdays and Sundays, and has accordingly set up a Weekend Schedule for this Control, where all 30 licenses are available to the global pool as network: yes / portable: no.
To verify that this has been done correctly, the admin would click on the Schedule menu and switch from Unscheduled Times to Weekends:
The Weekends Schedule data displays, showing that on Saturday and Sunday the 30 licenses for 1-2-3 for Windows are distributed differently than they are during unscheduled times:
Which Schedule happens to be displayed in this dialog has nothing to do with precedence of one Schedule over another. KeyServer permits (or denies) a given launch of an application based on the current Schedule of record, of which there is only one at any given time. Note however that KeyConfigure is aware of the current date/time and will attempt, when you call up this dialog, to display the current schedule.
| Schedules are not cumulative so (a) there is only one schedule current for a given Control at a given time and (b) you cannot set them to overlap (that is, you can't have one Schedule for a Control go from Mon - Thu, then define another for the same Control for Tue - Fri). You can however nest schedules, in which case the shorter-duration schedule takes precedence. For example you can have a Tue - Wed Schedule within a Mon - Fri Schedule for the same Control. In that case the Mon - Fri schedule starts on Monday, gives way to the Tue - Wed schedule for Tuesday and Wednesday, then the Mon - Fri schedule again takes over for the last two days of the work week. |
Adding a new schedule is simple. Click the New button at the top of the Licenses dialog and fill in the appropriate details:
Click the checkboxes and the dates field fills in automatically. Set the From/To times and check Recurringif you want the schedule to apply each week (or, leave it unchecked if you want this schedule to apply only the next time it can take precedence). Note that a schedule cannot be edited, once entered (you can however view any schedule by selecting it in the popup and clicking Show).
Again, you may find it sufficient to make the entire license count for many of your Controls available en masse to a single global pool of all your clients, and for those Controls you will not need to bother with schedules at all.
You will however have to configure at least one pool, associate a license count, and decide whether you want to limit the amount of time that program can be held by a user. You will also have to decide whether the program should be available on the network, as a portable (off-network) key, or both.
A "Global" pool appears by default when you first view a Control's license details (and is the default name given to a pool created when you click the New button), any other groups listed under the Group heading have been manually added and should correspond with groups you've previously defined by means of the Network Access dialog or the current authentication method. Also note that you can change the Global to another value, but the italic type will not be carried over to the new name. If you want a new pool to be called Global, leave the group value blank when you are creating it. You can also delete an existing group's name here, and thereby turn the group name to Global.
When you create a new pool, enter the number of licenses available to this pool, then enter the name of the group you want associated with this license pool.
If you want to attach a time limit for this pool, type the amount of time a license may be used in the Timeout field, and select a time unit. When the time limit is up, a user is asked twice to quit the program and the license is then immediately available for others to use. KeyServer presents the user with a dialog asking whether they want to save or cancel any changes in the open documents. Once all changes are saved (or cancelled), the application quits. Time limit information can be communicated to your users in a custom message. You may set the time limit at any time, and subsequently launched programs will abide by this limit. If you want users of a timed program to be allowed to continue using the program if no one else is waiting for it when the expiry time comes, see "auto-extend" under the discussion of the Options tab, below.
Note that the message announcing that the license has expired (KA-400 or KA-410) is a special case and will remain on a user's screen until manually dismissed, even if that user's copy of KeyAccess is set to remove message after five minutes. This ensures that unsaved work is never lost.
This tab contains the settings for use if this key is made available for portable use via KeyCheckout. The settings include how long the portable key can be signed out for, how and how many times it can be moved from volume to volume, and other usage restrictions and settings.
If the display for any of these settings appears to be disabled, click the lock icon to the left of the setting itself. The lock will open and you should be able to make changes to the settings.
The Time Limit can be set to any value from hours to years, depending on how long your users might need to have this application available off the network.
The radio buttons control how often the portable key can be moved (if at all) after it has been signed out with KeyCheckout. If a limit is set (that is, if the second or third radio button is selected) the portable key will only allow the specified number of moves. Note also that these moves must be performed by dragging the portable key between listed volumes in KeyCheckout, as attempting to move a portable key via the Windows Explorer or Macintosh Finder will disable the key.
Use strong calculation of current time ensures that the copy of KeyAccess running on the portable computer does not take the system clock's word alone for date and time of record. If you want to protect against users turning back the system clock in an effort to keep portable keys longer than they were originally signed out for, check this option. If you are not concerned about your users changing the clock, you can leave this option unchecked.
If your users are going to be crossing multiple time zones you may want to leave the Strong Calculation turned off, as well. Otherwise your users may be needlessly pestered and, at worst, might inadvertently invalidate their portable keys.
When a user doubleclicks on a portable key in KeyCheckout, they see the options as shown below. If the padlock icons shown in the previous picture are locked when this key was signed out, the user sees these options as disabled. If you had any of the padlock icons open, the user will be able to modify that detail when he or she views the settings for the portable key.
See the KeyCheckout chapter for a full discussion of these portable key options.
When the background/idle warning is enabled for a given KeyServer-controlled program, KeyAccess starts a time when that program is left unused. When the idle time limit has been reached (as set via the Admin menu), KeyAccess responds according to the options you choose here. The various levels of do nothing, warn, warn-and-quit, and quit let you control on a by-program basis how severely your KeyServer keeps an eye on unused programs. When you click on this tab, the following dialog appears:
The radio buttons allow you to select whether background/idle time checking is used for this Control, and if so, whether the default or custom idle time options are used. If you select the first option (Do nothing...), background and idle time warning is disabled: users running this program can leave it idle or in the background indefinitely. The second radio button (Use Global...) turns on background/idle checking and uses the global limits and options as set via the Admin menu. The third radio button (Use these...) lets you customize on a by-program basis what action(s) KeyAccess takes when the global time limit has been exceeded.
If program is left idle for more than time allowed sets the action taken for idle-time-based reclamation. Upon reaching the specified time, which defaults from the value set in the Global Settings dialog, the user is either left alone, warned and allowed to continue, (with warnings recurring at short intervals), warned 3 times before being presented with a dialog that quits the application after cancel or Save is selected by the user, or simply quit from the program after choosing to save or cancel.
If Idle and more than n% of licenses are in use gives you the same options as the first selection, but allows you to base the reclamation on how closely the application's usage count is to the maximum. Set the percentage here; the chosen action occurs after the amount of time specified in the Global Settings dialog has passed.
If idle and more than n users are waiting in line gives you the same options as the other selections, but lets you base reclamation on the presence of more than n users queued for the application in question. Set the number of users here; the chosen action occurs after the amount of time specified in the Global Settings dialog has passed.
The fifth and final tab contains a number of options related to your users getting, keeping, and relinquishing Controls. When you click on the Option tab the following dialog appears:
Auto-extend is only applicable when you have set timed usage limits for one or more Control. If this option is left unchecked a user is forced to quit when the specified time limit for a program is reached. If you enable this option, however, KeyAccess checks the state of the queue ten minutes before the time limit is reached. If there is someone waiting for that program, the timed use session is closed as usual. If there is no queue, however, the user whose license is about to expire is granted another session with the application, of the same length as the original.
Detachable controls the actions KeyAccess takes when its network connection to the KeyServer is broken. Normally, the KeyServer keeps tight control of each license, and instructs KeyAccess to alert users when the connection to the KeyServer is lost and no KeyShadow is available. With this option checked, KeyAccess allows a keyed program to be detached from the KeyServer for the remainder of a current session. That is, if the network connection breaks after the keyed program is launched, the user is not asked to quit from the program. This option is useful for infinite licenses, as well as in emergency situations when your network is having temporary problems. You may check or un-check this attribute at any time, but KeyServer-controlled programs that are already running are not effected by a given change. Note that this applies only to programs running at the time of an outage. Users requesting a license for a keyed programduring an outage are denied, regardless of the state of this checkbox.
Exact Match Only controls access a specific keyed Control. Programs that are controlled by one KeyServer can be used interchangeably with any KeyServer. However, a program's key, and the keyed program itself, are tagged with an identifying number to couple the two original parts. If you check this attribute, the tags for the keyed program must match the keyed Control supplied by the KeyServer; a keyed program from a foreign KeyServer will not be supported. You may check or un-check this attribute at any time.
Force Password lets you force users to enter their password every time the program is launched. Normally, once a user has been authenticated, the KeyServer remembers this. Under some circumstances (in a computer lab environment, for instance) you may want every launch of a program to be authenticated. You may check or un-check this attribute at any time. This option is only enabled when you've selected an authentication method that requires a password.
| Local Zone Only specifies where the controlled program can be used. If you check this attribute, only users within the same AppleTalk network zone as the KeyServer are allowed to use this program. You may check or un-check this attribute at any time. |
Multi-launch allows users to launch multiple applications from a single suite without using up more licenses. For example, if you have three applications in the suite and this option is disabled, launching all three applications will result in three of that suite's licenses being in use. If this box is checked however, launching those three applications only results in one license for that suite being considered in use.
Over-limit turns on "Soft Metering" for a given Control, meaning that KeyServer will permit any authenticated user to launch this program, regardless of the total number of enabled launches set under the Licenses tab. This will be transparent to your users but unlicensed launches will be recorded in the log file. The Histogram report, for example, will show a horizontal line at the true (enabled) license count but will show the usage lines rising above that line for any unlicensed launches. If you choose to use Soft Metering for a program, the Active Controls window reflects this by showing an infinity symbol in parentheses next to the count in the Enabled column for this program's Control. While Soft Metering allows you to monitor your usage count without penalizing your users, it does permit the use of more copies of a program than are licensed by your site.
| Remote Access controls whether users may use a license over a Remote Access connection. If the option is not checked, users who have dialed onto your network via Apple's Remote Access software can not run the controlled program. This feature does not restrict use of the controlled program over a modem connection established with other communication software (e.g., Shiva NetModem, Farallon Liaison). |
The four radio buttons allow you to control the file server warning messages for this application or to force launch from either a local disk or from a file server. If the first button is selected, users will not receive a message when they launch this application from a file server. If the second button is selected, users launching this application from a server will receive an informational message stating that downloading the application to their local disk might be advantageous in terms of performance.
Note that you can also control file server messages on a by-user basis by checking or unchecking the Give Hints for Efficient Use box in KeyAccess. Both items must be set on for a user to get this message. That is, the Control must have the Post Warning... option selected, and the user's KeyAccess must be set to give hints for efficient use.
Each time you open a log file, a new Report window is opened. You can then run reports on this log file; the report's information is displayed in a format that varies from one report to another. When running a report on the currently active log file, it may finish (as indicated by the progress bar) and then you may notice an update in a few minutes: the active log file on disk in the KeyServer Mac has just been appended with some new records. Force an update by selectingFlush Log to Disk from the Admin menu.
When a report window is first opened, a list of reports is displayed if you do not have a report type selected. Before choosing a report, type in the range of dates on which the report should be run. To run the report on the entire log file, click the Entire Log Series button. To run the report on a specific range of times, type the start date and time, and the stop date and time. The report will be run on log entries made between these two times. When the stop time is reached, the report will automatically pause. Toggle the Pause button (see below) to resume the report and continue running it on entries made after the previously specified stop date. Note that the start time must fall within the range of times that are in the selected log file, but the stop time can be any time after the start time. Once the time range is correct (or if Entire Log Series is marked), click on any one of the reports listed in order to start it running.
Use the pause button at the bottom of a report window to pause the report while you view the partially accumulated statistics. The word "Paused" appears as the report generation halts, and the pause button is highlighted. To resume the individual report, click again on the pause button. You can also resume all reports (including any you paused with the Pause button) by selecting the Resume All Reports command in the Report menu.
Sometimes, you only wish to see the results of a report as applied to a certain portion of a log file. Normally a report scans the selected log file from beginning to end, reading each record sequentially. You can skip to a new position in the log file by sliding the triangular marker to a new location. Use this feature with caution: when the data sent to a report is incomplete or out of sequence it affects the validity or meaning of any summary information.
Whenever a log is swapped (whether automatically or manually), the KeyServer writes one last transaction in the log to indicate the name of the log that comes next. KeyConfigure then uses this information to allow you to chain a series of log files together into one report window. When KeyConfigure reaches the end of a log file that contains such a transaction, it searches the same folder for the next file, and continues running the report on this file. Remember that a series of log files must be in the same folder in order for each successive file to be found.
If the current log file's successor is found, KeyConfigure either automatically chains to this next log, or pauses before doing so. You control which of these two actions KeyConfigure takes by clicking in the Chaining button (see picture above). If a report contains information for a series of chained logs, you can view the names of all of these logs by clicking on the current log file name in the top right corner of the report window.
A report can be printed at any time using the Print command in the File menu. You can also Save a report in a text file, and view it with your favorite text editing program.
This section gives an overview of the basic KeyServer Reports. The modular nature of reports makes it possible to include additional reports at a later date. These reports may be supplied by Sassafras Software, by third party software companies, or by you. To obtain information on writing your own report modules, contact Sassafras Technical Support.
The Digest report scans through the log file and extracts only the important information about when programs were used, or a launch denied, and when users were waiting in line for a Control to be available. This digested form of the log file is then easy to manipulate with a database or spreadsheet program, because there is exactly one line that describes each event (usage from start to finish, waiting period from start to finish, and denial).
The digested log does not contain information such as user log-on and log-off, details about Controls, or Control information. If you need to access this information, use the raw log file (whose contents are described in the KeyServer chapter), or the output of the Interpret report.
Only the fifty most recent lines of the log are displayed in the scrolling report window, but the entire report can be saved with the Save or Save As command.
Copy the selected log file to any volume mounted on the computer running KeyConfigure using this command. If the active log file is selected, you may want to use the "Flush Log To Disk" command in the Admin menu at the end of the downloading process in order to receive the last few records from the log file. You can permanently save the downloaded file by selecting Save or Save As from the File menu.
Only the fifty most recent lines of the log are displayed in the scrolling report window, but the entire report can be saved with the Save or Save As command.
The Histogram presents a graph of the use of each KeyServer-controlled program, as recorded in any log file. All such programs found in the log file are shown in a scrollable list. You can view the histogram of a program's usage by selecting it from this list. Also included in the histogram report are peak usage and queue lengths, as well as the time at which the program reached its peak during the log file(s) scanned. Check marks next to program names indicate which histograms will be included when the histogram report is printed. You can also export the individual histogram pictures from this report into any program using Cut and Paste.
For more detailed information about the maximum usage of KeyServer-controlled programs, use the Summarize report.
The Installs report gives you a list of any Macintosh applications that have been created by means of a deputized installer. The report includes the name of the application, the name of the user on whose computer the installation was performed, the number of times that user has installed that application, and the date of last install.
The Interpret report is useful for presenting a readable interpretation of log files. It may also be convenient to save an Interpret report for use as input to a database or statistics program. The interpreted format simplifies the analysis and generation of detailed software usage statistics based on user name, zone, network address, etc. Interpret produces output similar to the Digest report but even more detail is included.
The raw data in a KeyServer transaction log appears with character codes for various KeyServer events, some of which are described by more than one record in the log file, making interpretation non-trivial. The Interpret report expands this information into a readable description of a KeyServer action (e.g., LAUNCH_OBTAIN means a program was launched and a Control obtained). The Interpret report often merges the information contained in two log entries into a single line, e.g., two entries, one with code 'o' (LAUNCH) and another with code 'O' (OBTAIN), are merged into one LAUNCH_OBTAIN line in the Report window. For more information on the raw log file, see Log File Contents and Log File Codes in the KeyServer chapter.
Only the fifty most recent lines of the parsed log information are displayed in the scrolling report window, but the entire report is saved with the Save or Save As command.
The Shadow report allows you to see any shadow activity recorded in the selected log. This includes the name of any shadows that were serving, the number of times those shadows were in a serving state, and the total time that each shadow was serving.
This report compiles a summary of program usage. The total number of times a program has been launched and the total number of usage hours (hours:minutes.tenths) for each program are accumulated in the report window. The number of launch attempts that have been denied when all licenses have been checked out is also tallied.
Additional statistics concerning any users who were queued for notification are also available in the Summarize report.
If you are running Summarize on the active log file, you may not see the tail end of the log because it has not yet been flushed out of memory onto the disk. Use the "Flush Log To Disk" command to make the report as current as possible.
This report provides an overview of KeyServer-related occurrences that might help you understand KeyServer or network anomalies. The report can tell you for instance when a shadow came online, or when a connection to a user was lost. Events that have a timespan display from/to dates and times.
The Unkeyed report reads through your log files and accumulates usage statistics such as the number of times each application was launched, the maximum number of concurrent users, and the number of current users.
The User report tallies usage of each program based on individual users, and displays a list of programs along with the names of who has used each program. The report details how many times each user launched a particular program, as well as how many Controls are currently in use by the user, and the cumulative time that the user has used the program.
This report provides usage information for each Macintosh program and network location from which the program has been used. You might use this report to determine what departments or groups are using particular software, or to find out who has tried evaluation software.
The Shadows Window appears when you select "Show Shadows" from the Shadows menu. The data in this window shows the name, and state, of any KeyShadows installed against your KeyServer. KeyShadows provide failsafe service to your KeyServer clients in case of network outages or problems with the KeyServer machine.
 | KeyConfigure scans the network and displays a heading line for the KeyServer to which this computer is connected. |
| KeyConfigure scans the network and displays a heading line for each KeyServer it finds. This window also displays information on any KeyShadows it finds. |
The first column lists the location of each KeyShadow, including the user's name and location. This value reflects the name entered in the Sharing Setup control panel (for AppleTalk); the TCP/IP address of the shadow machine (for IP); or the presence of the shadow on the IPX network (for IPX). Note that a single shadow can have multiple entries in this window, depending on which protocols it has been set to serve. If you click on a line item in this window, tiny arrows may appear to the left of one or two other shadows listed under the same KeyServer. This indicates that the shadow you've selected was installed to serve one of both of the other possible protocols.
For example, if you click on a shadow's IP address and an arrow appears next to that entry as well as both an AppleTalk and IPX entry, the shadow you've selected was installed to provide support to all three protocols.
The second column indicates the current states of each KeyShadow (states are detailed in the next section). The final column gives the time at which the KeyShadow last synchronized its license data with the KeyServer.
If you are having difficulties with your network, this window might not list all of the KeyShadows that you have installed. This indicates either that a portion of your network is not reachable from the computer on which you are running KeyConfigure, that the computer on which the KeyShadow is installed is currently turned off, or that one (or more) of the protocols has experienced a breakdown between the shadow itself and the computer where you are running KeyConfigure.
You can re-scan the network for KeyShadows at any time by using the "Start Searching" command in the Shadows menu.
| Note that if you are at the shadow machine you can view this window even when the KeyServer machine is down by launching KeyConfigure and canceling where you would normally type your password. This will keep you from connecting to KeyConfigure but will supply you with the basic KeyConfigure menu. Press Command/Shift/Option/Return and the Shadows menu will appear. |
For more information on KeyShadows, including the Shadow Search Filter, Shadow Hint List, and the KeyShadow states, see the KeyShadow chapter, later in this manual.
Many dialog box items can be activated with the keyboard in addition to the mouse by using the command (Macintosh) or alt (Windows) key and the first letter of the item name. For instance, hold down the alt key and type the letter "O" instead of clicking in the OK button. If a dialog box contains editable text, you may Cut, Copy, and Paste the text by using the key equivalents X, C, and V, respectively.
In Controls windows, you may use the shift and command keys to select consecutive or disjoint groups of Controls. Use Cut, Copy, and Paste to move the selected Controls from one Controls window to another. Mac administrators can also copy Controls from one window to another by holding down the option key and dragging the selected Controls to the destination window.
| |||
| Home | Support | Legal | Contact Us |
|