K2 – Getting Started Installation Guide & Technology Overview

     • Server, Admin, Client Install – on a single host computer
     • Explore KeyConfigure – basic functionality
     • Program Actions – Logged or Controlled
     • License Types – Floating versus Node Locked
     • Group Definitions – node list, divisions, network location, authentication
     • Key an Application –file modification for Secure Control
     • Software Audits –scheduled, centralized, data collection
     • Computer Divisions, Program Folders – discover / acknowledge / filter / hide
     • Clean-up –removing the K2 demo files

Quick Setup & Demo Tour

To demonstrate how the Server, Admin, and Client components interact, the steps below outline a first-time installation of all three functions on a single host computer. If you have a previous version of the server component (KeyServer) already installed, you should read the Upgrades chapter before proceeding.

The tour is most effective if you install the client software on a second computer as well, but this is not absolutely necessary. It is important, however, to follow the tour sequence exactly since each step depends on the context set up by the previous steps.

Our tour will generally describe Windows file naming conventions and file locations. The file names for Windows installers end with .exe. The corresponding Macintosh installer file names end with “.sea” . Differences between Windows versus Macintosh install locations and component file names will be explained by the installer dialogs. Consult the “Installation” chapter and the “OS Details” appendix for more complete OS specific comments, including system requirements, network requirements, installer customizations, and cautions.

We will assume TCP/IP is your protocol choice for client connections. For this tour, client and admin functions can be installed on the same host and/or on some other computer(s) where convenient. It will be fine to use your desktop or laptop computer for this demo, but make sure the server process is hosted on a computer that is not configured to “sleep” during your testing! You can run the installer for any K2 function (Server, Admin, and Client) directly from the distribution CD or from any mounted volume (local or remote).

Server, Admin, Client Install – on a single host computer

1. Install the KeyServer process.

Logon to the host computer with full administrative privileges. Inside the K2 image folder, there is a folder containing installers for all components on all platforms. Open the “Server Installers” sub-folder and run the appropriate installer for the KeyServer process. On Windows, the installer file is called “K2Server.exe” . It will create a folder named “Sassafras K2” in the Program Files directory with a shortcut installed in the Start menu. KeyServer (ks.exe) and its “KeyServer Data Folder” will be installed in the sub-folder named “Server” .

If you have a custom License Certificate (server.lic), don’t start the KeyServer process yet! – wait until completing step 2 below.

Without a custom license, you can skip over step 2 – KeyServer will use the default evaluation license file named eval.lic, which is created by the installer. If the evaluation license has already expired and you don’t have a custom license (to use in its place), you will have to download a more recent server installer.

2. Install your custom License Certificate and start KeyServer.

If you have received by e-mail a custom “server.lic” license file, place it into the KeyServer Data Folder (inside the Server folder). On Windows, use the services control panel to start the KeyServer process (stop and restart the process if it is already running). Note that you will get an error message if you start the KeyServer process using both the services control panel and by double clicking the ks.exe file.

Steps 1, and 2 above are nearly the same for a Macintosh host but must be modified somewhat for other operating systems. Specific issues when hosting KeyServer on Linux or NetWare are dealt with in the Appendix: OS Details. But remember, you only install the server process on one computer. This one install will provide license management services throughout your network and across the Internet to all your client computers (Windows, Macintosh, and Thin Client).

The next steps will assume that KeyServer has been successfully installed and the process has been started, either with a custom license or with an unexpired evaluation license. Before proceeding with the Admin and Client installs, you will need to know the IP address of your KeyServer host. To find the IP address on Windows, type “ipconfig” at the command prompt. On Macintosh you can consult the Apple System Profiler.

3. Install KeyConfigure, the Administrative interface for K2.

From the Admin Installers folder in the K2 image, run the appropriate admin installer. For Windows, the installer file is called “K2Admin.exe” . You can accept all of the installer defaults.

Note that it is not actually necessary to install KeyConfigure on the same computer that is hosting the KeyServer process, but it is convenient to run it here for this demo tour. In a typical installation, KeyConfigure might be installed on several computers for the convenient administration of the KeyServer process by one or more people.

4. Test an Admin connection to KeyServer.

Launch KeyConfigure. Use the KeyConfigure shortcut in the “Sassafras K2” group from the Start menu or just double click on the executable in the Admin folder. A Login dialog will be displayed.

In the top most field, enter the IP address (or DNS name) of the computer hosting the KeyServer process. You just looked up this “Server” address in your preparation for step 3. Login using the account name, “Administrator” , with the default password, “Sassafras” (first letter capitalized).

KeyConfigure will bring up three windows named Computers, Programs, and Licenses in their “standard” position. If you move windows around you can always return to this standard view by selecting “Standard” from the Window menu.

These three windows display the basic building blocks for the configuration of software auditing, license management, and report generation. As soon as you install and connect a client computer with the K2 client software (below), it will automatically show up in the Computers window. All programs discovered on each client computer will automatically show up in the Programs window. The Licenses window will never acquire new items automatically.

Initially you will see a KeyCheckout License, a KeySentry License, and a KeyVerify License. These are created by default to give KeyServer control over its own utility programs. Double click on the KeyVerify License and you will see that it controls two programs, KeyVerify for Windows and KeyVerify for Macintosh. In its initial state, the Programs window lists six items: a Windows and Macintosh program item for each of these three utilities.

You will use the Licenses window to explicitly create new licenses for controlling the use of programs on computers. A single license can be configured to control one or more programs. Usage for the license can be enabled for all client computers (usually subject to a maximum limit), or restrictions can be imposed based on network location, time, specific computer node id, etc.

Before you start experimenting with KeyConfigure to explore K2 features, you should be aware that not all of KeyConfigure’s actions can be easily undone. In particular, the optional feature that lets you secure a program against piracy by transforming it to a “keyed” copy is not reversible – only a backup or reinstall will restore the original. Rather than experiment blindly, it is best to carefully follow the steps in this tour and then read subsequent chapters and help documents for more detailed and specific information.

In the next steps, the client component, KeyAccess, will be installed and verified. For the purposes of this demo tour, you can install the client on the same computer where you have installed KeyServer (and/or KeyConfigure) even though in many installations the KeyServer host might not need to be audited or controlled as a regular client workstation.

5. Install KeyAccess client software.

From the Client Installers folder in the K2 image, run the appropriate client installer. For Windows, the installer file is called “K2Client.exe” . Select the TCP/IP protocol and enter the IP address (or a DNS name) for the computer hosting the KeyServer process. Note: normally the KeyServer must be hosted on a computer with a static IP address, but as long as the address doesn’t change during the demo tour, a dynamically allocated address (dhcp) will be fine.

6. Test Client connection to KeyServer.

After you set up the client software, launch the diagnostic utility, KeyVerify. You can find it in the Client folder inside the folder “Sassafras K2” , or use the KeyVerify shortcut in the Start menu. Assuming the KeyServer process is running and the KeyAccess client software is configured correctly, KeyVerify’s window will indicate a valid KeyServer connection.

If you don’t get confirmation of a valid connection, double check the KeyServer address that was entered during the client install. On a Windows client, enter “keyacc32” into the Run... item from the Start menu. On a Macintosh client, double click on KeyAccess Setup located in the “Client” folder inside the folder “Sassafras K2”. Assuming the KeyServer address is entered correctly in KeyAccess Setup, the next thing to check is that the KeyServer process is started (check the Services control panel or process viewer) and that the KeyServer Data Folders contains an unexpired license certificate. You can open the “eval.lic” or “server.lic” file as a text document and read the expiration date.

This same client install sequence must eventually be run on all computers that will access K2’s software auditing and license management services. Both the Windows and Macintosh client installers can be preconfigured with your target KeyServer address and other options to help automate a large scale deployment.

Explore KeyConfigure – basic functionality

7. License Details.

With KeyVerify still running from step 6, the Licenses window will show one in use for the KeyVerify license (launch KeyVerify again if it’s not running). Double click on this license to see details. Notice that the license is set up for a maximum of 2 Concurrent users. One out of two (1/2) of these licenses are in use.

8. Send a Bulletin to a Current User.

In the License Details for KeyVerify, click on the button labeled “Current User List (1/2)” . Double click on a user in the list to bring up the detail window, “User Details for...” , and click on the “Bulletin...” button. Type a message and Click OK to send. Your message will pop up on the client computer.

It should be pointed out that bulletin service is not always available for every client listed in the Computers window. Only clients that are currently connected to KeyServer can receive bulletins.

Before proceeding, let’s close up all of the various detail windows. Then select “Standard” in the Window menu to get back to the standard view.

9. Computer Details.

Click on the word “Refresh” at the bottom of the Computers window. The computer that you verified in step 6 will show up in the computer list. Double click on the computer name to bring up the Computer Details window which gives some basic information about this client. Audit details will probably not be available yet so close the details window for now – we will open it up again later after the audit has had time to complete.

Now we will illustrate how KeyServer can manage any application according to rules that you specify. We will use Notepad as an example application for testing (on Macintosh, use TextEdit).

10. Discover Notepad.

Launch Notepad – from the start menu, type “Notepad” into the Run... item, or use the shortcut in Accessories. Even if no client has had enough time to complete an audit, the launch will immediately add this new “Discovered” program to KeyServer’s database. In order to make Notepad show up in KeyConfigure’s “Programs” window, you will have to click on the word “Refresh” at the bottom of the window.

Because KeyAccess has been busy auditing, the Refresh may also bring in hundreds of other discovered program items, all displayed in a pink font. If Notepad is hard to spot in the program list, use the Find command from the Edit menu to locate it. You can also use “type ahead” – with the Programs list in foreground, just start typing the first few letters of the program name. Unfortunately, on many systems the official name for Notepad is “Windows Notepad” so typing “N” won’t even come close – this time you are better off using Find.

Every K2 client uploads program records to KeyServer when regaining a network connection, when transferring audit data, and when an unknown program is first launched. KeyConfigure maintains a cached copy of these records, so you must click Refresh whenever you want to synchronize the KeyConfigure display to show KeyServer’s new discoveries.

Program Actions – Logged or Controlled

The pink font indicates that KeyServer has applied the default action to a newly discovered program, and no administrator has ever acknowledged the default action, nor explicitly changed to some other action. In the next step you will explicitly configure an action for Notepad.

11. Set Action to Logged.

Select the Notepad item in the Programs window. Then drag & drop onto the word “Logged” in Actions pane (on the left side of the window). You can accomplish the same thing by selecting “Logged” in the context menu (right-click). Notepad’s icon in the Action column will change from the default green dot (Ignored) to the a yellow dot (Logged) and the font color will change to black, indicating that you have explicitly assigned this action.

If too many pink items are cluttering your view, click on the word Uncategorized in the Folders pane (left column) in order to toggle the check mark. Pink items will become hidden from the displayed list leaving only the Uncategorized items visible. A check mark in front of Discovered will bring the pink items back into view. To return to the default view with pink items sorted to the top, click the double-check icon in the column separator between the Display and Name columns.

So far, the only program usage reported to KeyServer has been the launch of KeyVerify in step 6. Now that Notepad is being logged, let’s launch it, let it run for 5 seconds, and then quit. Do this three times and then run a report:

12. Report on Program Usage.

From the Reports menu, select the “Usage (PROG x comp)” report and click OK to run it. Under the Notepad heading will be listed all the computers on which Notepad has run with total usage time and launch count.

Did you ever quit from KeyVerify (launched in step 6)” If not, quit KeyVerify now and click the Refresh button at the bottom of the report window. Program usage for KeyVerify will be added to the report. Leave this report window open.

Whenever a program’s action is set to “Logged” or “Controlled”, clients will send launch and quit records to KeyServer. As you perform experiments to see how program usage is reflected in various reports, don’t expect to see any changes until a program is quit and the report is refreshed (and don’t expect to see anything for “Ignored” programs!). Most reports summarize usage based on the quit records only, so the “Total Count” field is actually the count of program quits and the “Total Hours:mins” does not include programs that are still running.

13. Report on License Usage.

Select the “Usage (LIC x comp)” report from the Reports menu, and click OK. Under each license heading will be listed all computers that have used the license.

Place the License usage report from step 13 next to the Program usage report from step 12 so you can compare them. It is important to understand the difference between Programs and Licenses. The License usage report shows just one group heading for usage of the KeyVerify License. No information concerning usage of Notepad is included in the License report because the Notepad program is not controlled by any License – usage for Notepad is only Logged.

The Program usage report shows group headings for both the Notepad program (Logged) and the Windows KeyVerify program (Controlled). Program usage events are reported in essentially the same way for both Logged and Controlled programs. But for Controlled programs, in addition to the usage events for the program, there are corresponding events reporting usage for the controlling license (which are summarized in the License report).

In this simple tour, usage for Windows KeyVerify (in the PROG report) and for KeyVerify License (in the LIC report) look essentially the same, but recall from step 5, that the KeyVerify License actually controls two distinct programs, not just one. If you were to launch this second program (on a Mac client) and refresh, the distinction between these reports would become more apparent.

The KeyVerify License is an example of a cross-platform “suite” license. In general, a license can be configured to control an entire suite of programs under a single license limit. Usage reports for the license will be an aggregate of usage for all the individual controlled programs in the suite.

When the Notepad action is changed from Ignored to Logged, KeyServer immediately begins collecting the usage data that forms the basis for usage reports. Now, to add control over the Notepad program in addition to logging, let’s change the Action to Controlled. First, close up any open detail windows and return to the Standard view (Window menu). Click on the Action column in the Programs window so Notepad (Logged) will sort near the top where it will be easy to find.

14. Set Action to Controlled.

Select Notepad in the Programs window and then drag & drop it into white space inside the License window (below the existing items). The “Create License” dialog will pop up with a proposed name for the new license. Click OK to accept the name, “Notepad License” . A License Details window will be displayed showing the default configuration for the Notepad license.

Quit and relaunch the Notepad program and leave it running. As with KeyVerify in step 7, you will see in the Licenses window that the “In Use” count for the newly created Notepad License has changed to 1. In the “License Details for the Notepad License” , click on the Computer List button. You may have to click “Refresh” at the bottom of the window to see that your client computer has been added to the “Computer Node List for Notepad License” .

The default behavior of a new license (unlimited) is almost the same as KeyServer’s simpler “Logged” Action. If all you want to do is log usage and run reports, then stick with Logged. To make our new license actually control its program(s) in a useful way, we need to change some settings in the license details.

First, it is important to emphasize that as soon as you set a program’s action to “Controlled” , it cannot be run unless there is a license configured to allow the launch.

When you make any change to the default Unlimited (Site License) by adding a group restriction, node limit, or user limit, you are in general prohibiting usage wherever the restricting conditions can’t be met. Be careful to avoid blocking use of a program unintentionally.

You should always configure program actions and license control in the simplest way possible in order to promote efficient allocation of assets without risk of disabling legitimate use. It is probably also worth mentioning here that there is a good reason why the default action for discovered programs is set to ignored – if you were to log or control all programs (including system startup utilities etc.), the usage database would grow very quickly. Extracting important information would then be slowed by the sheer volume of the task.

License Types – Floating versus Node Locked

The next few steps require a second computer in order to effectively demonstrate Node Locked and Floating license behavior. Even without actually doing a second client install, reading through these steps will clarify the very different control policies enforced by these two license types.

15. Install and test the KeyAccess client on a second computer.

On a second computer, run the client installer and then launch KeyVerify (e.g. repeat step 5 and 6). In order to see the new client in KeyConfigure, click on the word “Refresh” at the bottom of the Computers window.

16. Change to Computer Limit (Node Locked License).

In the “License Details for Notepad License” , use the radio buttons to change from “Unlimited (Site License)” to “Computer Limit (Node Locked License)” . Set the “Computer Limit” to 1, save changes, and close the window. Launch Notepad, let it run for 5 seconds, and quit. Now on a second computer with KeyAccess installed, try to launch Notepad.

You will be told that there is no license available. It does not matter whether Notepad is currently running on the first computer or not. The one available license for Notepad has been locked onto the first computer and it cannot float elsewhere.

17. Remove a node from Notepad’s list of licensed computers.

Right-click on the Notepad License (in the Licenses window), and choose “Show Computers” from the drop down menu. You will see the licensed computer listed in the window, “Computer Node List for Notepad License” . With a computer limit of 1, the second computer cannot be added to this list.

Select the one computer in the Node List and delete it. Now go back to the second computer, launch Notepad, let it run for 5 seconds, and then quit. Use the refresh button at the bottom of the Node List and you will notice that the license has locked onto the second computer. Notepad usage will be denied on other computers, again, regardless of whether it is running on the licensed computer.

For any controlled program, KeyServer accumulates a node list of all the distinct computers where the program has been launched. When a controlling license is set to “Computer Limit (Node Locked)” , new computers will “Auto-add” to the list until the specified limit has been reached. Launch attempts on unlisted computers will then be denied as you just saw in step sixteen.

As an alternative to letting “Auto-add” build the node list you can explicitly drag items into a Node List from the Computers Window. A named list of computer nodes can also be built in the Groups window and then referenced in several License configurations as a common group restriction.

Lets pause to look at the actual usage events that are being recorded by the KeyServer. The dump of all events is not itself very interesting but it is useful as a diagnostic which can clarify our understanding of KeyServer’s actions.

18. Run the Event Dump Report

From the Reports menu, select the Event Dump report and run it on the entire data set. You should be able to trace the history of this demo tour. Now select a computer logon item in the event dump window and right-click to run a sub-report just for the selected computer. You can select other event items and run a separate Event Dump sub-report for each computer, each program, and each license.

In general, a right-click in any window (computer, programs, groups, licenses, etc.), will give a context menu listing all sub-reports that make sense when restricted to the selected item. Notice also that whenever you right click, there is a context sensitive Help item available.

Before returning to our tour of different license types, let’s clean up. Quit all running copies of Notepad on all client computers. Close up all KeyConfigure report windows except the big three (click on “Standard View” from the Window menu).

19. Change to Concurrent Use Limit (Floating License).

Open the “License Details for Notepad License” window again, and use the radio buttons to change the to a “Concurrent Use (Floating License)” . Set the User Limit to 1 and save the changes. Launch Notepad and leave it running.

Now on a second computer (with KeyAccess installed), if you try to launch Notepad, a dialog will come up offering to put you in a waiting queue. Notepad is controlled by one floating license and this one license is in use by the first user. When the first user quits, the waiting user will be notified. Try it.

You can examine the list of current users of a license by clicking on the “Current User List” button in the License Details window. For a Concurrent Use (Floating License), the button label will also show the fraction currently in use, e.g. 3/7. When the license type is Computer Limit (Node Locked License) the “Computer List” button shows the fraction of the license total that has been allocated (locked to a node). In either case, a fraction equalling 1 (e.g. 7/7) means there are no more licenses available.

Group Definitions – node list, divisions, network location, authentication

Rather than allow the Concurrent Use license created in the previous step to float among all computers, we will now restrict it to float only among a specified group. The ability to restrict license access to a specific group is one of KeyServer’s more powerful (and hence dangerous) features:

20. Add a Group restriction to a License.

In the “License Details for Notepad License” , type in a new group name, “TryThis” , into the Group field. Now try to launch Notepad. The launch will be denied on all computers that have KeyAccess installed!

Increasing the User Limit or changing the license type won’t help. The problem is that there is no definition of what it means to be a member of the “TryThis” group. The group has no membership criteria and therefore the license is not available anywhere.

It is obvious that a program will be completely disabled when controlled by a license that has the limit set to zero. Achieving the same result by restricting a license with an empty or non-existent group is perhaps surprising!

It is usually safer to define a group first and then drag it onto the group icon in a license details window, rather than type the name of a group directly into a license details window:

21. Define a Group.

Use the Window menu to open the Groups window. Create a new group using a right click to bring up the context menu (or use “Create New” in the Edit menu). Let’s name this new group “Graphics Group”, and hit OK. Now select a computer from the Computers window – drag & drop it onto the newly created group item, “Graphics Group”, in the Groups window. To check that this computer node was successfully added to the group definition, double click to open “Group Details for Graphics Group” and look in the Nodes panel.

22. Drag & Drop onto the Group icon in License Details.

You will see the old group restriction, “TryThis”, replaced by “Graphics Group”. Save the changes. Now you can experiment with Notepad launches on the various clients to demonstrate how the license is enabled only for the computers listed within the Graphics Group.

Rather than add individual computers to a Group, you may want to include a pre-defined set of computers – e.g. the set of all computers owned by the Art department. The Computers window lets you divide the list of computers into named a subsets for just this purpose.

23. Create a Computer Division for inclusion in a Group definition.

In addition to specifying computers for Group inclusion (referenced under its Nodes or Divisions panes), membership can also be granted based on location (e.g. network address ranges configured in the Locations window). If the KeyServer is configured to consult some external authentication server (such as an NT domain server) then group membership can be further augmented by reference to an external group name. In this case, the complete list of externally defined groups may not appear in the Groups window and it is for this reason that a License Details window accepts a typed in group name as well as supporting drag & drop.

After deploying K2 throughout your site, it will be safer to test custom license rules and group restrictions using the KeyVerify license or a license controlling some unimportant game. Since Notepad is a standard OS utility, disabling it by mistake (or on purpose) would be an un-welcome surprise on any client computer.

Key an Application –file modification for Secure Control

In addition to K2's standard method of managing programs and their respective software licenses, K2 also provides an optional method to secure programs against intentional software piracy. The extra work of preparing and distributing a secured or “keyed” program version is optional and completely unnecessary except when intentional piracy is a concern. The license management interface and usage tracking options available for a standard program and for a secured copy are the same.

KeyVerify is an example of a specially modified, “keyed”, program. Unlike a standard program (e.g. Notepad), it will not run if the KeyAccess client software is absent or not properly setup. To enable a launch, KeyAccess must convey a “key” from the KeyServer to the keyed program. In this sense, the keyed program is controlled “securely” against software piracy by the KeyServer and its KeyAccess client. If you have other programs where this kind of security is required, you can transform a copy of the standard executable file into a “keyed version” which you can then distribute freely without risk of piracy.

For this part of the demo, we will transform a duplicate copy of Notepad to a keyed version and then compare to the unkeyed Notepad behavior illustrated above. We need to create the duplicate outside of the winnt directory because files inside are protected from modification.

A keyed program file cannot be unkeyed! Before transforming a program file into a keyed version always be sure the program installer is available so you can reconstruct the original or else be sure that you are transforming a duplicate copy and that the original is safely archived.

If you were to drag the notepad.exe file into the Licenses window, a “Create License” dialog would pop up giving you the “Control as Keyed Program” option which would transform the notepad.exe file. This would transform the notepad.exe file into a keyed program while putting it under the control of a newly created license.

Instead of making a new license, we will show how the notepad.exe file can be transformed to a keyed version and placed under the control of an existing license:

24. Transform a duplicate copy of notepad.exe into a “keyed version”

Navigate to the folder C:\WINNT\system32, then select the file notepad.exe. Drag the file to the desktop and hold down the ctrl key before releasing so that a copy is made – we need a full duplicate file copy, not a shortcut!

Open the License details window for the existing Notepad License and expose the Programs pane (blue icon). Now drag the duplicated notepad.exe file from the desktop and drop it into the Programs pane below the program item already listed.

A dialog titled “Control Program under Notepad License” will pop open. Instead of the default, “Control as Unkeyed...” , click on “Control as Keyed...” . When you click OK, the notepad.exe file dragged from the desktop will be transformed into a keyed version.

From the Programs window, double click on the word “Controlled” in the left column (click on the word, not the blue icon). This will open a window listing just the controlled programs so Notepad will be easy to spot. If necessary, click on the word “Refresh” at the bottom of the window in order to see two separate Notepad variants listed. Both of these are now under the control of the one Notepad License which treats them as a suite since they are listed together in its Programs pane.

In order to keep the two Notepad variants (keyed and unkeyed) sorted out, we will attach a distinct “On Launch” message to each:

25. Create a Custom Message

Double click on the Notepad variant that has the § symbol in the Versions column to open its “Program Details... ” window. The § symbol indicates this is a keyed variant so let’s change the name to “Keyed Notepad” . Then mouse over the icons to the right of the name until you find the “Custom Message” icon. Click to open the Custom Message pane where you can enter the phrase “This keyed program file won’t run without KeyServer.” Save the changes and close the window.

Open up the program details for the other Notepad variant and enter the phrase: ” KeyAccess will display this message whenever any unkeyed Notepad version is launched” . Save the changes and close the window.

26. Launch both the keyed and unmodified versions of Notepad

Double click on the desktop copy of Notepad (keyed) and also launch the unmodified version by typing “notepad.exe” into the Run... item under the Start menu.

With both the keyed and unmodified programs running, the License window will show just one Notepad license in use because it’s a “suite license” and both controlled programs are running on the same computer. Click Refresh at the bottom of the Programs (Controlled) window and you will see that program usage (as opposed to license usage) is being tracked separately for each program. Run some reports like Usage (COMP x lic) and Usage (COMP x prog) to test your understanding.

As soon as a new client computer is set up properly with a KeyAccess connection to KeyServer, all of KeyServer’s license control actions will take effect immediately. It doesn’t matter whether a controlled program is launched from storage on a local hard disk or from a remote file server and it doesn’t matter whether the executable file is unmodified or it is keyed.

Controlled applications can be moved from remote to local storage, re-named, re-installed, duplicated, compressed, FTP’ed etc. with no effect on KeyServer control. Whenever a controlled application is launched on a client connected to KeyServer it will be subject to the rules imposed by the KeyServer regardless of where the application is located, what it is called, or how it got there.

The essential difference between an unmodified and a keyed version of a program is revealed when KeyAccess is absent. The unmodified version will simply run while the keyed version will not.

If KeyAccess is present but the connection to KeyServer is broken, then by default any unmodified program will be allowed to run “off-line”. Usage information will be recorded for upload when the client next connects to KeyServer. Any keyed program version, however, cannot run unless there is a “checked out” key available on the local computer, or a network connection to a “shadow” KeyServer can be established in lieu of the lost connection to KeyServer.

When a notebook computer is disconnected from the network, keyed applications won’t run (unless a portable key has been checked out). Unkeyed applications won’t be strictly controlled (unless “Allow launch when KeyServer not available” has been turned off). KeyServer gives you the options to customize a balance between strict enforcement and transparent software access for computers that are used both online and off-line.

Unlike our Notepad example, you will typically be interested in controlling applications that are not pre-installed with the operating system. Having decided to Control an application (as opposed to ignoring or logging usage) you must decide whether to install and control it as a keyed program, or as an unkeyed program, or both (perhaps using a “suite license” as in our Notepad demo above).

For both keyed and unkeyed program control, KeyConfigure is used only once to create the controlling license in KeyServer’s Licenses window. Thereafter, it’s just a matter of deploying the application program (keyed or unkeyed) onto other client computers. The extra step required for keyed control – replacing the unkeyed application version with a keyed version – can be automated in several ways. KeyConfigure’s “Deputize” feature will modify the application installer so that it automatically creates a keyed application version at install time. You can also use a software distribution tool to replace unkeyed executable files with their keyed variants. See the complete documentation for Deputy details and for comments on other deployment strategies for keyed software, but remember, in most circumstances management of just the unmodified executables is sufficient.

Software Audits –scheduled, centralized, data collection

By default, each new computer is audited when first connected to the KeyServer.

At some sites, the automatic initial audit for new KeyServer clients may be the wrong default, perhaps for privacy reasons. Go to the “General Settings” in the Admin menu to change this behavior. An individual computer or computers satisfying some filter criteria can later be selected from the Computers window for one time or periodic audits as required.

By this point in the tour, audit data has probably had enough time to trickle up. Look in the Computers window – if there is a time stamp in the “Last Audit” column then an audit has completed and we can have a look.

27. Show the Audit data for a selected computer

Select a computer that has completed an audit and double click to open the Computer Details window. Note in the Audit pane that basic hardware characteristics have been filled in (disk space, cpu speed, etc). If the audit pane is not in view, click on the little audit icon at the top right of the Computer Details window to toggle the display. Click on the “Show” button to bring up the Audit window for this computer.

The bottom of the audit window shows the total number of distinct program variants/versions/files that have been found on the selected computer. The line items (marked with a triangle) in the Audit window are program “variants” which aggregate distinct versions together based on the program family and zero or more digits of version information. Note: it is actually these same program variant items that appear in the Programs window, but without the expansion triangle.

If an expansion triangle is darkened, it means that the audit of this computer has found more than one version within the program variant – click to see the versions. The column labeled “Copies” gives the total number of file copies that were found by the audit for each specific version and each variant.

28. Show the Audit data for a selected program

With one of the program items selected in an audit window, use the right-click “Show Audit” menu item to bring up a list of all computers where this program has been found. A click on the “Last Used” column header will sort the time stamps so you can quickly get a sense of which programs are actually used. Note: the context menu item “Show Audit” is also available directly from a selected item in the Programs window and from the Computers window.

In order to keep audit information current, you may want to set a “Reschedule” time. Use the General Settings item in the Admin menu, or you may have noticed the “set global interval” button at the bottom of the Audit pane (in Computer Details). If you set this interval to 4 weeks, then when any computer whose last audit is older than 4 weeks is connected to KeyServer, it will be told to do an audit asap and to upload any changes.

While “Show Audit” lets you examine detailed audit data directly, for a summarization of software installation and usage patterns you should use the various audit and usage reports from the Reports menu. An appropriate subset of these same reports is available from the context menu (right-click) when a line is selected in any window (including report windows themselves). Remember, of course, that KeyServer has no information about usage prior to the installation of its client software.

By default, each single line in the Programs window represents an entire program family that is aggregated together into a single variant. You make decisions on how to control, log, ignore, and report on a variant as a whole, while treating all versions included in the variant in the same way. Occasionally it may be important to split a program family into multiple distinct variants, based on the first few digits of version information. For example, your license for version “3.x” of a program may be different from version “4.x” so you will need to manage these separately. Consult context help (right-click) from any Program details window for instructions on how to split a program family based on one or more digits of version information.

Computer Divisions, Program Folders – discover / acknowledge / filter / hide

A large site might have tens of thousands of items listed in the Computers window and it is easy for the list of discovered programs to grow this large even at a small site. When either the Computers list or Programs list becomes large, custom defined Filters will become crucial in letting you find and select just the items of interest.

29. Make a platform filter.

With the cursor in the Programs window, right-click in white space within the Filters pane to bring up the context menu. Select “New Filter...” and check the “Platform is Windows” box. Save the filter with the name “Windows” (include an initial space so this filter will sort near the top). Repeat these steps to make another filter called “Macintosh”. You may want to make similar filters for the Computers window.

Now in the Programs window you can easily display or hide Mac or Windows programs just by clicking in front of the filter name in the Filters pane. To open a separate window containing just the matching items, double click on the name of a filter (click on the text, not on the filter icon). A right-click on the name will let you edit an existing filter. Some of these actions may be familiar from your use of the Find command earlier in the tour.

One way to reduce clutter in the Programs window is to hide executable System files inside a custom folder. We may also want to set a default action to exclude these files from audits:

30. Select Win XP system files .

Make a “New Filter...” in the Programs window as in the previous step. Check the box, “Platform is Windows”, and also check “Path contains” with the search string: “:\WINDOWS\” (not including the quotes). Save the filter with the name “XP Sys Files”.

31. Create a Program Folder for System files.

Right-click in the Folders pane to make a new folder called “Ignore/No Audit”. Right-click on our new folder and use the context menu item to set the “Exclude from Audit” drop action for this folder. Do it again to set the “Ignored” drop action.

Now double click on the “XP Sys Files” filter to bring up a window with just the items matching the filter. Select all and drag and drop into the “Ignore/No Audit” folder. All of the selected items will now be tagged with the “Ignore/No Audit” folder name, and because of the drop actions, they will be Excluded from future audits with action set to ignored.

You may want to make another filter, “NT Sys Files”, to select NT programs (path contains “:\WINNT\”), and add these to the “Ignore/No Audit” folder. Of course you can also drag individual program items in and out of folders and set the attributes using right-click. To hide a folder’s items from view, hold down the alt (or option) key and click in front of the folder name – this selects everything except the chosen item.

The Computers window, like the Programs window, supports the same discover, acknowledge, display, filter, and customize behaviors. Again, right click is used to create your own custom categories (beyond discovered and uncategorized) but for computers these are called computer “Divisions” to distinguish them from program “Folders”.

You have already seen how a custom Division was created and used to restrict a License (step 23). But even when all licenses are global (unrestricted by Group conditions), a partition of the computer list into meaningful Divisions can be very useful for organizational and reporting purposes. With one of your custom defined Divisions selected in the Computers Window, right click to see the context menu of all computer reports. Selecting a report from this context menu instead of from the main reports window will restrict the scope of the report to just the selected division. Note: any time range restriction that you have previously configured while running reports from the Reports menu will remain in effect..

Clean-up –removing the K2 demo files

Having completed the demonstration of basic K2 features, you will probably want to install your production KeyServer on a different host computer. Whenever you are ready, you can use the steps below to clean-up.

32. Remove keyed Notepad.

You probably won’t actually want to manage a keyed copy of Notepad (created in step 23), so you can move the keyed notepad.exe file from the desktop into the Recycle Bin.

If you have transformed any programs into “keyed” versions, these will become useless when you trash the KeyServer Data Folder (inside the Sassafras K2 Server folder). This is the reason that the cleanup begins by removing keyed Notepad.

The KeyServer executable file and all its database files are contained in the folder named “Server” inside the folder “Sassafras K2” .

33. Uninstall the KeyServer.

On Windows, quit the KeyServer service using the Services Control Panel. From the DOS command prompt, cd into the directory “Sassafras K2\Server” and run the command “ks.exe -remove”. This will remove the KeyServer entry from the list of services. Now you can move the “Sassafras K2\Server” folder to the Recycle Bin.

On Mac OS X, the “Sassafras K2/Server” folder is actually an alias to the folder “/Library/KeyServer” . Use the Process viewer to quit the process named ks and then remove /Library/KeyServer. On OS 9, quit the KeyServer program and remove the “Sassafras K2/Server” folder.

You may want to keep the admin program, KeyConfigure, in place on your demo computer for use in managing your production KeyServer. It is also easy enough to remove:

34. Remove KeyConfigure.

The KeyConfigure admin program and all its support files are contained in the folder named “Admin” inside the folder “Sassafras K2” . Just drag this to the Recycle Bin. On Windows, you can also clean up the registry entry for the ksODBC driver by using the Add/Remove programs Control Panel.

You may want to keep the client program, KeyAccess, in place on your demo computer – but be sure to use KeyAccess Setup (see step 6) to re-configure the server address when your production KeyServer is in place. To remove the client software:

35. Remove the K2 client software, KeyAccess.

On Windows, use the Add/Remove Control panel to remove the ” Sassafras K2 Client” . On Mac OS X, move the folder “/Library/KeyAccess/” to the trash. On Mac OS 9, remove the KeyAccess chooser extension from the System Folder.

Installation

K2 - Getting Started