Reports

Report Options Dialog
Filters
Exporting
Data Tables

KeyConfigure Internal Reports

Overview

KeyConfigure's internal reports allow administrators to seamlessly summarize usage and audit information, and view internal data in hundreds of ways. The reports are supported by KeyServer's various databases, which are also accessible externally through the KeyServer ODBC driver, ksODBC, using any reporting tool. The internal reports have the advantage of being integrated into the User Interface.

Report Categories

Audit - Reports that list programs deployed on each computer or products that contain these programs.
Chart - Histograms of concurrent usage or logins.
Configuration - Reports that show basic configuration - association between objects, e.g. Programs in a Product.
Denial - Reports summarizing program Denial events.
Login - Summaries of who logged in where, and for how long.
Miscellaneous - Reports that may be useful for very specific situations.
Node Locked - Reports that compare deployment and usage data to policy configuration data.
Purchase - Reports that deal with Purchase data.
Summarize - General Summaries of configuration and usage.
Usage - Two-level usage summaries of program or policy usage.

Programs displayed in reports

Generally speaking, all reports will ignore data from programs which are not part of any product. So, even if a program used to be in a Product in the past, and a Policy caused usage information to be recorded for the program, usage reports will not select launch and quit events if the program now has no product. Presumably if a program has been removed from a product, an administrator has decided that the program is not interesting, so reports should not show information on usage of the program. In addition, while Audit related reports will show data for programs which are merely Utility components of products, Usage related reports will only show programs which are Application components, since that is the only configuration which can generate new usage data. One exception to this rule is the Event Dump report, which is designed solely to show an exhaustive list of all events in KeyServer's usage database. Another exception is the Audit Verbose (COMP x prog) and Audit Verbose (PROG x comp) reports, which show audit data even for programs with no product.

Computer Login types displayed in reports

Most reports will show data from all computers. However, Audit related reports will only show data for computers which are currently Dedicated or Leased.

Parameters and Interaction

In addition to using the Reports menu, specific reports can be invoked using the context menu attached to any appropriate selection in the user interface - this has the effect of passing the selected item as a parameter to refine the report's scope. The context menu for any selected item will list only those reports which can accept that item as a parameter.

You can also select multiple items. e.g. if you select five computers, then right-click and select a report, it will only contain data from those 5 computers. In this case, the Report Builder Window that comes up will show the 5 Computers in the Target Pane. There is a checkbox labeled "Aggregated", which will be enabled for most reports. Checking this box will combine usage from all five computers into a single line item (named "*"). Leaving it unchecked will show five distinct entries for the five computers, as always.

Once a report has finished building its display, any item in the report can be manipulated in all the same ways that are familiar in other windows: double-clicking will open the details for the object, items can be dragged into appropriate targets, etc. You can even select a line in a report window and use the context menu to run a "sub-report" on just the selected item.

Most columns in the reports will sort when you click in the column header. This is extremely useful for quickly finding the most extreme cases of any particular attribute (e.g. program which is used most often, or for the most hours, etc.). Also, many reports have columns which are not shown by default. For example, all grouped reports have an optional column named "Count Details". This column allows you to see how many details lines are contained under each group line. If you right-click in any of the column headers, you will be able to Customize Columns, and show columns which are hidden by default, or hide default columns which you are not interested in.

Reports can also have multiple views. What this means is that you can run a report once, then view the data in more than one way (beyond simply sorting by different columns). In most reports this is used to allow you to "flip" the report. That is, you might run a Usage (COMP x plcy) report and then decide you really want to see all the computers that have used a policy. Instead of running a second report, you can simply switch this report so that it shows policy groups instead of computer groups. The data is essentially the same, it is just organized differently. If a completed report has multiple views, you will see two little arrows next to the report name in the upper left of the report window. Clicking on the report name will bring up a pop-up menu that allows you to change views.

As each report is selected from the Reports menu you will see a Report Builder Window where you can typically specify a date range on which to run the report. This date range will then be used for any reports which are invoked from a context menu within the original report. For example, after running Logins (DIV x comp) from the Reports menu on a time period of "This Week", if you right-click a computer Division within that report and then invoke the Usage (DIV x prog) report you will see just the program usage from this week for computers belonging to the selected division.

With proper ODBC support, all internal reports can be pointed to a high performance database server as data source instead of to the KeyServer. This option is available from the Data Source pane of the Report Builder Window. For more information on ODBC as well as further report options, refer to the Report Builder Window documentation.

Reports can be saved using the "Save" or "Save As..." menu items from the File menu. Various formats including HTML and TEXT are available in a pull down menu from the save dialog. There is also a special format, "KS Report Document" or KSR, that offers a compact, single file format for text and graphics that is readable by KeyConfigure. When a KSR is opened by KeyConfigure, the window that is presented will look almost identical to the original report window. Columns will still be sortable, and items such as Computers can still be double-clicked, if you are connected to the KeyServer. Reports can also be printed from the file menu.

The following user interface items can be selected for use as parameters / restrictions on reports (via the context menu):

Computer (from the Computers Window - or other windows listing the computer name)
Computer Login type (from the Computers Window)
Computer Division (from the Computers Window)
Computer Filter (from the Computers Window)
Policy (from the Policies Window - or other windows listing the policy name)
Policy Folder (from the Policies Window
Policy Filter (from the Policies Window
Program (from the Programs Window - or other windows listing the program name)
Program Status (from the Programs Window)
Program Folder (from the Programs Window)
Program Filter (from the Programs Window)
Product (from the Products Window - or other windows listing the product name)
Product Status (from the Products Window)
Product Folder (from the Products Window)
Product Filter (from the Products Window)
Purchase (from the Purchases Window - or other windows listing the purchase name)
Purchase Folder (from the Purchases Window
Purchase Filter (from the Purchases Window
Time Set (from the Time Sets Window)
User (from the Connected Clients Window)

Naming Conventions

The report names are meant to be short, yet understandable and meaningful. We use the following standard abbreviations:

comp - Computer
div - Division
fix - Hotfix
fldr - Program Folder
plcy - Policy
prch - Purchase
prod - Product
prog - Program
user - User
pool - Policy Pool (e.g. the name of the Group used as an access restriction for a policy pool - configured in the details of a custom policy)
path - Path
sn - Serial Number

These abbreviations are used within parenthesis following the name of various reports. If there is only one term, the report will usually generate a flat list. For example, "Histogram (PROG)" indicates a list of programs. If there are two terms in parenthesis, the first term (CAPS font) indicates the summary (header) records. Below the expansion icon for each summary record, the detail records (lower case font) are listed. For example, "Usage (COMP x plcy)" indicates a usage summary, where summary lines are computers, and detail lines are policies - "under each computer, list in detail the policies that were used". In some cases, there may be a third level of detail, but this will not be referenced in the report name.

Audit reports

installed programs
RUN Audit (COMP x prog)
RUN Audit (COMP x sn)
RUN Audit (PATH x prog)
RUN Audit (PROG x comp)
RUN Audit (PROG x path)
RUN Audit (PROG x sn)
RUN Audit (SN x comp)
RUN Audit (SN x prog)
RUN Audit Verbose (COMP x prog)
RUN Audit Verbose (PROG x comp)

These reports show which programs are installed on various computers. When they are first completed, they are collapsed by default. This is because they may contain huge amounts of information. You can expand any particular group you want to look at by clicking on the expansion icon next to it, or you can right-click in the report window and Expand All. The most basic of these reports are Audit (COMP x prog) and Audit (PROG x comp), and they simply show which computers have which programs installed. These two reports are typical in that they only include programs which are in products. The two Audit Verbose reports are identical except that they include all programs, even those which are not in any products. Other reports include only programs in products, and group audit entries by path or serial number.

The "Name" column tells the name of the computer or program variant (as named in the computer or programs window).
The "Variant" column shows the masked version number for a program or the complete KeyAccess version number for a computer.
The "Status" column shows the Status icon for a program, just as it would appear in the main Programs Window.
The "First Seen" column is used in detail lines to show when a program was first discovered on each computer. In summary (header) lines of Audit (COMP x prog), it shows the most recent audit date (using italic font).
The "Last Used" column shows the date when the program was last used on a computer. In a summary line, it is the most recent of all the times listed in the detail lines below (note that this information is recorded as part of an audit, so if a computer has recently used the program but has not since performed an audit, the recent usage will not be reflected).
The "Copies" column shows the number of copies of a particular program which are installed on a particular computer (for detail lines), and for group lines, shows the sum of the values in the detail lines for that group.
The "Identifier" column shows the Program identifier (for the program family), or for a computer line, the last user of the computer (in italic font).

The Audit (COMP x prog) report lists- under each computer- all the programs that are currently installed on that computer. This is similar to the information displayed when you select an individual computer and use its context menu item, "Show Installs". However, the report only shows program variants while the "Show Installs" context menu shows variants which can be expanded to reveal individual distinct versions. This report has the advantage of consolidating the audit for all computers (or a selected Division) into a single window while supressing unnecessary distinct version details.

The Audit (PROG x comp) report lists- under each program- all the computers where that program is currently installed. This is similar to the information displayed for a single selected program using "Show Installs" from its context menu. Note: in both cases the "programs" we are talking about here are actually "program variants" - the same items that appear in the Programs window. To list instead the computers where a fully specified version is installed, use the "Version Installs" button in the program details window rather than the "Variant Installs" button (which does the same thing as "Show Installs").

baseline / delta programs
RUN Audit Baseline (COMP x prog)
RUN Audit Delta (COMP x prog)

The Audit Baseline (COMP x prog) report shows where programs were deployed as of the "baseline" date. By default, the baseline date for each computer is the time of first audit. This can be reset in the Computer Details window. All of the other audit reports show current program deployment based on all the most recent audit data available. You control how "current" to maintain the audit data in the "General Settings..." dialog from the Admin menu.

The Audit Delta (COMP x prog) report is conceptually the difference between Audit (COMP x prog) and Audit Baseline (COMP x prog) - it shows what programs have been installed, updated, or removed between the baseline audit date and the current audit date.

Both of these reports have the same columns as the Audit (COMP x prog) and Audit (PROG x comp) reports, but they also have additional columns.

The "Date Stamp" column shows the date which is most relevant to that row of the report. For a computer, this shows the date of the Baseline Audit on the computer. For a program in the Baseline report, it shows the date when the program was discovered on the computer. For the Delta report, it shows the date when a change was observed. If the program was newly installed, this is the date when it was first seen. If the program was uninstalled, this is the date when it was last seen.
The "Change" column in the Delta report shows what has changed.
- "Installed" means that no version of the program was in the Baseline Audit, but it has since been installed.
- "New Vers" means that there was some version of the program in the Baseline Audit, but since then, another version of the program has been installed as well.
- "Changed Vers" means that there was one version of the program in the Baseline Audit, but since then, it was deleted, and replaced by a different version of the program.
- "Deleted Vers" means that there were two or more versions of the program in the Baseline Audit, and since then, at least one has been deleted, but at least one is still installed.
- "Deleted" means that one or more versions of the program were in the Baseline Audit, but all copies of the program have since been deleted.
The "Version" column identifies a particular version within the program variant. In the Baseline report, the highest numbered version discovered on each computer is shown. In the Delta report, when a program is added, deleted, or upgraded, the specific program version is shown.

programs which are members of a product
RUN Audit Products (COMP x prod)
RUN Audit Products (PROD x comp)

These reports show audit information, organized by product. Instead of simply showing where every program file is installed, they show where any program within a certain product is installed. This allows you to quickly see which computers might have certain products installed, and which products might be installed on a certain computer. Note that when a program is part of multiple products, these reports will attempt to determine which products are most likely installed, and will only display these products. For example, if all of the Applications within a Suite product are installed on a computer, that suite will be listed, while the individual point products will not be listed.

The "Name" column tells the name of the computer or product.
The "Variant" column specifies which variant of the program is installed on the computer. For a Product it shows the version of the Product.
The "Last Used" column tells when the program was last used on the computer (note that this information is recorded as part of an audit, so if a computer has recently used the program but has not since performed an audit, the recent usage will not be reflected).
The "Copies" column tells how many copies of the program variant are installed on the computer.

All programs, even those that are not installed
RUN Audit Summary (PROG)

This report summarizes Audit information for all programs (even those not in products). It is similar to a fully collapsed Audit Verbose (PROG x comp) report, but there is one important difference. Audit Verbose (PROG x comp) only shows programs which are currently part of an audit of some computer. Audit Summary (PROG) shows ALL programs, regardless of whether they are currently part of an audit. One additional difference is that Audit Summary (PROG) includes data from Dormant computers. Other audit reports exclude Dormant computers since they are less interesting and the audit data is older, but here for a summary they are included. This lets you identify programs which are no longer installed on any of your clients.

The "Name" column tells the name of the program variant (as named in the programs window).
The "Variant" column shows the masked version number of the program.
The "Status" column shows the same Status as in the main Programs window.
The "Last Used" column shows the date when the program was last used on any computer (note that this information is recorded as part of an audit, so if a computer has recently used the program but has not since performed an audit, the recent usage will not be reflected).
The "Copies" column shows the number of copies of the program which are installed.
The "Identifier" column shows the Program identifier.
The "Active" column shows a checkmark if the program is installed on any computers. This column is the default sort.

installed hotfixes
RUN Audit (COMP x fix)
RUN Audit (FIX x comp)

These reports show which hotfixes are installed on various computers. The format is very similar to Audit (COMP x prog) and Audit (PROG x comp).

Chart reports - Daily reports

RUN Daily (PLCY)
RUN Daily (PROD)
RUN Daily (PROG)
RUN Daily Logins (DIV)

These reports let you see visually a usage pattern throughout the course of an "average" day. When the report is run on usage data spanning several days, all of the 1 PM data is averaged together for the 1 PM display, all the 2 PM data is averaged together for the 2 PM display, etc. Each "bar" of the histogram represents 10 minute of the day. The right side of the window lists each object (policy, product, program, division), and when you click on one, a graph is drawn on the left side of the window. The Daily Logins (DIV) report shows graphs of users logged into computers within the various divisions.

The black part represents the average (over the various days) of the maximum usage values during that hour of the day.
The red part represents the average (over the various days) of the maximum queued values during that hour of the day.
The first line of Daily (PLCY) says "KeyServer" and will show you a graph of "KeyServer usage" - that is, users logging on to the KeyServer, and logging off again.
The horizontal axis labels the hours of the day from Midnight to Midnight.
The name of the selected item on the right is displayed below the graph. If it is a program, it is followed by the version, and either M or W (Macintosh or Windows), and possibly K (Keyed).
Peak usage and other summary statistics are calculated. For a policy, these statistics include the license limit and maximum length of the waiting queue (for the entire data set selected by the report).

Clicking on the graph (left) portion of "Daily (PLCY)" will toggle between choosing the vertical axis to show the license total (if not infinite), and showing only up to the peak usage. This is useful if the license total is significantly higher than the peak usage, because it magnifies the vertical differences.

Chart reports - Histograms

RUN Histogram (PLCY)
RUN Histogram (PROD)
RUN Histogram (PROG)
RUN Histogram Logins (COMP)
RUN Histogram Logins (DIV)
RUN Histogram Logins (USER)

These reports let you see visually a usage pattern over the specified time range. The right side of the window lists each object (policy, product, program, division), and when you click on one, a graph is drawn on the left side of the window. The Histogram Logins (DIV) report shows graphs of users logged into computers within the various divisions. Histogram Logins (COMP) and Histogram Logins (USER) are similar but group by Computer or User. Usually these are less interesting since they may simply show alternation between 0 and 1 logins.

The black bars represent the maximum concurrent use during each time slice.
If there is red drawn, that shows that there was a waiting queue for a policy.
The first line of Histogram (PLCY) says "KeyServer" and will show you a histogram of "KeyServer usage" - that is, users logging on to the KeyServer, and logging off again.
Below the histogram, the beginning and end time of the x-axis are printed.
Next, the name of the selected item on the right is displayed. If it is a program, it is followed by the version, and either M or W (Macintosh or Windows), and possibly K (Keyed).
Next, there is a series of lines describing highlights of usage, such as peak usage. For the policy histogram, there are more lines, since policies can have a limit, and waiting queues.

Clicking on the histogram (left) portion of "Histogram (PLCY)" will toggle between choosing the vertical axis to show the license total (if not infinite), and showing only up to the peak usage. This is useful if the license total is significantly higher than the peak usage, because it magnifies the vertical differences.

The Histogram reports have many columns which are hidden by default. These are the same columns which are shown in the Summarize reports.

Chart reports - Histogram Lease

RUN Histogram Lease (PLCY)

This report is much like Histogram (PLCY), but instead of charting policy usage over time, it charts allocations of the policy over time. So for a Lease or Node policy, this report gives the graph of the value that is restricted by the license limit. So while Histogram (PLCY) will give you a better sense of actual usage patterns, Histogram Lease (PLCY) will show you how close to the license limit you actually got over time.

Chart reports - Weekly reports

RUN Weekly (PLCY)
RUN Weekly (PROD)
RUN Weekly (PROG)
RUN Weekly Logins (DIV)

These reports let you see visually a usage pattern throughout the course of an "average" week. When the report is run on usage data spanning several weeks, all of the Monday data is averaged together for the Monday display, all the Tuesday data is averaged together for the Tuesday display, etc. Each "bar" of the histogram represents 1 hour of a day. The right side of the window lists each object (policy, product, program, division), and when you click on one, a graph is drawn on the left side of the window. The Weekly Logins (DIV) report shows graphs of users logged into computers within the various divisions.

The black part represents the average (over the various weeks) of the maximum usage values during that part of the week.
The red part represents the average (over the various weeks) of the maximum queued values during that part of the week.
The first line of Weekly (PLCY) says "KeyServer" and will show you a graph of "KeyServer usage" - that is, users logging on to the KeyServer, and logging off again.
The horizontal axis labels the days of the week starting with Sunday.
The name of the selected item on the right is displayed below. If it is a program, it is followed by the version, and either M or W (Macintosh or Windows), and possibly K (Keyed).
Peak usage and other summary statistics are calculated. For a policy, these statistics include the license limit and maximum length of the waiting queue (for the entire data set selected by the report).

Clicking on the graph (left) portion of "Weekly (PLCY)" will toggle between choosing the vertical axis to show the license total (if not infinite), and showing only up to the peak usage. This is useful if the license total is significantly higher than the peak usage, because it magnifies the vertical differences.

Configuration reports

RUN Config (PLCY x pool)
RUN Config (PLCY x prod)
RUN Config (PROD x plcy)
RUN Config (PROD x prch)
RUN Config (PROD x prog)
RUN Config (PROG x prod)

The Configuration reports are very simple. Each one shows the relationship between two different objects in KeyConfigure. Config (PLCY x pool) shows the pools within each policy (most policy types only have a single pool). Config (PLCY x prod) shows what products are managed by each policy. Config (PROD x plcy) shows what policies apply to each product. Config (PROD x prch) shows all the purchases for each product. Config (PROD x prog) shows the programs which make up each product. Config (PROG x prod) shows the products which each program is part of. The columns should be self explanatory.

Denial reports

RUN Denials (COMP x prog)
RUN Denials (DIV x prog)
RUN Denials (PROG x comp)
RUN Denials (PROG x div)
RUN Denials (PROG x user)
RUN Denials (USER x prog)

These reports simply show which programs were denied (a user tried to run the program, but was denied because they need a license and could not get one), and how many times they were denied. These reports always involve programs, since that is what gets denied.

The "Name" column tells the name of the program / computer / division / user.
The "Variant" column only applies to program lines. It shows the significant digits of the program variant, and also indicates whether the program is keyed.
The "Type" column indicates the platform for a computer. It is empty for program, division and user lines.
The "Count" column tells how many times the program was denied.
The "Last Denied" column tells when the most recent denial occurred.

Login reports

RUN Logins (COMP x user)
RUN Logins (DIV x comp)
RUN Logins (DIV x user)
RUN Logins (USER x comp)
RUN Logins (USER x div)

These reports summarize Login information. They show who logged in from where, and for how long.

The "Name" column shows the name of the computer, division, or user.
The "Type" column shows the client platform: Windows or Macintosh.
The "Total Time" column shows the total login time (hours:minutes). For a summary line, it is the total login time for all the detail lines listed below the expansion icon. For a detail line, it is the total login time for that particular detail record.
The "Total Count" column shows the number of sessions (logout events) which are summarized on the line.
The "Avg Time" column shows the average login time per week (hours:minutes). If the report is on less than half a week, this field shows "N/A", since an average would be misleading.
The "Avg Count" column shows the average number of sessions per week. If the report is on less than half a week, this field shows "N/A", since an average would be misleading.
The "Last Session" column shows the time of the last logout. This does not give you any information on a currently active session, if any.

Logins OS Percent reports

RUN Logins OS Percent (COMP x user)
RUN Logins OS Percent (DIV x comp)
RUN Logins OS Percent (DIV x user)
RUN Logins OS Percent (USER x comp)
RUN Logins OS Percent (USER x div)

These reports are identical to the standard Logins reports except that they have additional columns describing what percent of logins occurred as different platforms. This is useful for understanding how “Dual Boot” computers are being used. Note that Virtual Computers have their own computer records in KeyConfigure, and there is no easy way to correlate which Virtual Computers are being run on which Physical computers. The standard columns show percents by duration. For example if “Total Time” is 4:00 and “% Mac” is 25%, then the logins totalled 4 hours, and 1 hour of this was on Mac. There are optional columns which will show percents of counts. For example, if “Total Count” is 10 and “# % Mac” is 60%, then there were 10 total logins and 6 logins on Mac.

Miscellaneous reports

Duplicate reports

RUN Duplicate MACs (COMP)
RUN Duplicate Names (COMP)

These reports are similar to the Hardware report, but only show computer records which may be Duplicates. Duplicate computer entries occur when a single client computer is unreliable in recognizing hardware properties such as MAC address. KeyAccess on that computer may start out using one computer ID, but then be forced to switch IDs when the hardware properties appear to have changed.

Duplicate MACs (COMP) looks for multiple computers where the MAC address is identical. Duplicate Names (COMP) looks for multiple computers where the Name is identical. At sites where computer names are guaranteed to be unique (based on central deployment or domains), the name based report should be good at identifying duplicate records. But for a site where computer names are not unique, the results are not so meaningful. If the reports give the message "No data to report on", it means that your data does not contain any duplicate computer entries.

If the data in a column is displayed in bold, then the computer ID for the computer is based on that piece of data. For example, if the MAC column for a particular computer is in bold, then the computer ID is the letter "N" plus the MAC address. If the value is also dimmed (medium grey instead of black), then the computer record doesn't actually have a value recorded for this property, but it is displayed in the report since it can be inferred from the computer ID.

The "Dup?" column lets you sort apart the computers according to what type of entry this report has guessed that they are. If this column is empty for a particular computer, it means that this computer record is almost certainly still in use, and should not be deleted. In Duplicate Names (COMP), if the column contains a question mark (?), then this row shares the computer name with another entry, but has a distinct MAC address. This means that the computer could be a duplicate entry which should be deleted, or it could be a unique entry which simply has the same computer name. For these rows, you should sort by name, and compare this row to other rows with the same name, to see if other hardware properties match or are distinct. If the column contains a red "x", then this row is almost certainly a duplicate and should be deleted. Not only does it share the computer name with another entry, it also has the same MAC address (or the other entry has a MAC address and this entry has no known MAC address).

These reports are intended to be used in order to identify and delete duplicate computer entries. After running the report, it is recommended that you create a new computer division, to temporarily move duplicates into. Then sort the report by the "Dup?" column. Scroll to the bottom and select all the computers with an "x" in that column, then drag them to the new division. Now you can filter the main computers window to show only those computers in the new division, select them all, and cut them (delete them). Alternatively you can set them to either Dormant or Excluded, so they will no longer take up a KeyServer seat.

Event Dump

RUN Event Dump

Event Dump is the most detailed report on usage information. As such, it is probably not generally that useful, but is extremely valuable in certain situations. It shows, in chronological order, one line for every single event which KeyServer records. All events relate to Server startup/shutdown, Computer audit, client activity, Program launch/quit, and Policy usage.

Caution: on a KeyServer supporting thousands of clients with heavy usage data going back several months, the Event dump might require several gigabytes of memory space to hold perhaps many millions of event records. In order to avoid virtual memory thrashing, you should always run the Event Dump report on a limited data set. Restrict to a specific time period of interest, and/or select a specific Computer, Program, or Policy. Use its context menu to run the report - this will download events concerning only the selected item.

The "Name" column shows a name which is associated with the event. For server events, it is simply "KeyServer" (the name as configured in KeyConfigure appears in the "User" column). For logon/logoff events, it is the computer name. For programs, it is the program variant name. For policies, it is the policy name. This name, and the icon next to it, shows what details window will be opened when you double-click that line in the report.
The "Vers" column shows the version of the KeyServer process, the version of KeyAccess which was used to log on/off, the version of a program, or the license total and type of a policy.
The "Event" column shows a short name for the event type. For program events, the icon for the program action is also shown. Note that the icon may not agree with the event type. The event type was recorded when the event occurred, while the icon simply tells the current action for the program. For example, you may see a gray diamond for a logged launch event. This simply means that at the time of the event, the program was Logged, but now it is Ignored.
The "Why" column shows a short description of why the event occurred.
The "Product" column shows the name of the relevant product. This field has a value for launch and quit events.
The "Policy" column shows the name of the relevant policy, in the case of program launch events, and shows time at which the event began, for all "end" type events (shutdown/logoff/quit/return).
The "When" column shows when the event occurred. This is the column on which the entire report is sorted by default.
The "User" column shows the name of the user who triggered the event.
The "Address" column shows the address of the computer on which the event occurred, at the time at which it occurred.
The "Computer" column shows the name of the computer on which the event occurred.
The "Extra" column shows the name of the group which enabled the usage event, if there was one.

This report can be given any of the five types of parameters (computer/product/program/policy/user). Regardless of parameter type, server events are always shown.

If a computer is the parameter, all events on that computer are shown (user events, policy events, program events, audit events).
If a program is the parameter, all events of that program are shown (only launch/quit events).
If a product is the parameter, all events of that product are shown (only launch/quit events).
If a policy is the parameter, all events pertaining to that policy are shown (policy events, and program events which were recorded because of the policy).
If a user is the parameter, all events for that user are shown (logon events, policy events, program events, audit events).

Under a few conditions, lines will be highlighted in red. These are events where something is wrong. These are the specific conditions:

The policy no longer exists. In this case, "Policy Not Found" will appear in either the "Name" column (for a policy event), or the "Policy" column (for a program event).
The program is no longer known to the KeyServer (it has been manually deleted, or the programs table was deleted entirely). "Program Not Found" will appear in the "Name" column.
This is a server startup event, and there is no server shutdown event in between the last startup event and this one. Thus, the server must have crashed at some point in between.

Hardware

RUN Hardware

This report is similar to the Computers Window, but shows many more attributes of each computer. All of the information displayed can be seen in each individual Computer Details Window, but this report allows all of the information to be seen at once, and will sort the computers by any of the attributes which are displayed. The Computers Window can in fact be customized to show additional values as well, but still, the Hardware report may be a convenient way to quickly see a long list of values for each computer.

If the data in a column is displayed in bold, then the computer ID for the computer is based on that piece of data. For example, if the MAC column for a particular computer is in bold, then the computer ID is the letter "N" plus the MAC address. Most likely, almost all of the computers will be using the same attribute for the computer ID. If the value is also dimmed (medium grey instead of black), then the computer record doesn't actually have a value recorded for this property, but it is displayed in the report since it can be inferred from the computer ID.

Lease Simulator (PLCY)

RUN Lease Simulator (PLCY)

This report helps you determine how many copies of a license you would need if you changed the policy to a lease policy. When it runs, it looks at historical policy usage, and simulates what would have happened if the policy had already been a lease policy, and there were allocations of a lease, using different lease durations. You can run this report on any date range, but the longer the range you use, the more meaningful it will be. The format of the report is very simple - there are columns for various lease durations, so for each policy, you can see what the maximum allocation would have been assuming those different durations.

Path Browser

RUN Path Browser

The Path Browser report shows Programs organized in a path hierarchy based on the Sample Path where each Program was first discovered. While this sample path may not in fact be the common path that results from a standard install, it is often the standard path, and so the report mimics what you would see “on disk” if a single computer had all known programs installed on it.

Session Dump

RUN Session Dump

Session Dump lists a single line for every KeyAccess session with KeyServer. Columns display the Computer, User, time of Logon, time of Logoff, Duration, and Address.

Shadow

RUN Shadow

This report shows a list of shadows that served at some point in the specified time period.

The "Address" column shows the address of the shadow.
The "Total Count" column shows how many times the shadow served.
The "Total Time" column shows how long the shadow served for (hours:minutes).
The "Avg Time" column shows how long the shadow served, as an average per service interval (Total hours:mins / Total count).

Suite reports

RUN Suite (PLCY x prog)

This report shows you a summary of policy usage, including program usage. The group headers are policies, and show usage summaries for each policy over the time period. The details are programs, and show usage summaries for the program, in the cases where it was enabled by the particular policy.

The "Name" column shows the name of the policy, product, or program
The "Variant" column shows the version of the program (with the keyed symbol, if appropriate)
The "Computers" column shows a distinct count of the number of computers on which the policy or program was used.
The "Total Time" column shows the total usage time for the policy or program (hours:minutes).
The "Total Count" column shows the number of times the policy or program was used.
The "Avg Time" column shows the average usage time per week (hours:minutes). If the report is on less than half a week, this field show "N/A", since an average would be misleading.
The "Avg Count" column shows the average number of uses per week. If the report is on less than half a week, this field shows "N/A", since an average would be misleading.

If the same program is controlled by multiple policies, it may appear on multiple lines in the report, under different policies.

It is important to note that the header lines do not necessarily show a sum of the detail lines. They show a usage summary for the policy. So if it is a suite policy (one which controls multiple products), the policy usage total may be less than the sum of the program usage totals, since computers may have used multiple programs at the same time. Likewise if a policy controls a single product but the product is a suite product with multiple programs, the Suite (PLCY x prog) report may show multiple detail lines which don't add up to the group line. This is different from most reports, where instead each group line is a summary of the details below it.

Node Locked reports

RUN Node Locked (COMP x plcy)
RUN Node Locked (PLCY x comp)

These reports show information related to Node policies only. They show where node-locks have been allocated, where programs which are controlled by node-lock policies are installed, and where these two conditions do not exactly correspond.

There are three basic cases which are represented in these reports.

A computer has a node-lock allocated to it for a policy. It also has at least one program which is controlled by the policy installed, and furthermore, that program has been used recently. This is the "normal" case, where node-locks have been allocated correctly.
A computer has a node-lock allocated to it for a policy, but does not have any programs installed which are in a product controlled by the policy. This may happen if an administrator allocated node-locks manually, before installing software on the computer, or if a computer used a program once, but has since uninstalled the program. In this case, the node-lock is not necessary. In the same category are cases where the program is installed but has not been used in over 90 days. These are likewise candidates for removing the lock.
A computer has a program installed which is in a product controlled by a node-lock policy, but the policy has not been allocated to the computer. This may happen if the program has been installed, but not yet used (or if a standard image installs the same program on all computers, regardless of whether it is needed on each computer). In these cases either the policy should be locked or the program should be uninstalled.

Both reports show exactly the same information, but organize it in different ways. Since a single policy can control multiple products containing multiple programs, there is a third level of detail showing the program or programs that are actually installed that correspond to each particular policy/computer pair. The mid-level line (computer or policy) shows the status for that computer/policy pair. The top-level line shows an overall status for that computer or policy, which summarizes and generalizes the status of the mid-level lines below that top-level line. Note that these reports get "Last Used" information from audit and Node Locked records - they do not directly access usage data. The only time Usage events would differ significantly from the data used here is if a policy has been recently created.

The "Name" column tells the name of the computer, policy, or program.
The "Variant" column specifies which variant of a program is installed on a computer.
The "Issued" column shows how many policies are issued (locked to computers).
The "Limit" column shows the policy limit.
The "Status" column shows the status for the line. For a top-level line, it is a summary which essentially indicates whether the configuration of that policy or computer needs any attention or whether it is correct as it is. For a mid-level line, it shows two pieces of information. First, it may or may not have a checkmark icon in it. If it does, the policy is locked to the computer. Second, it has a short string describing the status of the policy allocation for the computer, and perhaps suggesting what you may want to change about the policy allocation. For a complete description of each status code, see the next section. If this field is highlighted in red, it is one of the "non-standard" cases, and you may want to change how policies are allocated.
The "Last Used" column tells when the program variant was last used on the computer - this can help you decide which policies to reallocate.
The "Copies" column tells how many copies of the program variant are installed on the computer.

Top-level Status strings:

"OK" - this is the general category for top-level lines where everything seems to be configured properly.
"Unclear" - this is the general category for top-level lines where a node-lock policy controls software which is also controlled by a non-node-lock policy. In such cases, it is hard to tell whether any given computer needs to have the Node policy locked, since it might be possible for it to also use the non-Node policy.
"Optimize" - this is the general category for top-level lines where policies are allocated to computers that don't seem to be using them.
"Reconcile" - this is the general category for top-level lines where policies are not allocated to computers even though software controlled by the policy is installed on those computer. Note that "Optimize" takes precedence over "Reconcile". That is, if some policy can be unlocked from some computers, and at the same time, other computers have the software installed, so it should be uninstalled, the Status for the policy will be "Optimize" - since this is the more interesting action to take. If the policy is Optimized, and then the report is run again, it will then show Reconcile.
"Over-limit" - this is the general category for top-level lines where policies are set to Over-limit, and in fact have more copies Allocated than the configured Limit. This takes precedence over both "Optimize" and "Reconcile", since it is a state which should be corrected.

Mid-level Status strings:

"locked" - this is the "normal" case for a mid-level line - the policy is locked to the computer, and a program controlled by it is installed. This falls under the general category "OK".
"locked other" - a program controlled by this policy is installed, and this policy is not locked, but at least one other node-lock policy which controls the same program IS locked on this computer. This falls under the general category "OK".
"used non-node" - a program controlled by this policy is installed, and this policy is not locked, but the computer has used a different, non-Node policy to control use of the program - so presumably the computer does not require the Node policy to be locked. This falls under the general category "OK".
"licensed other" - a program controlled by this policy is installed, and this policy is not locked to the computer. There is a non-Node policy which controls the same program, but it is unclear whether the computer has or could use the other policy. This case is complex enough that the admin should look at the policy configurations and decide which one is relevant to this computer. This falls under the general category "Unclear".
"redundant lock" - a program controlled by this policy is installed, this policy is locked to the computer, and in addition, another Node policy controlling the same program is also locked to the computer. One or the other policy should be unlocked since it is redundant. This falls under the general category "Optimize".
"unlock" - the policy is locked to the computer, but no programs controlled by the policy are installed. Or, the policy is locked but has not been used in over 90 days, and the computer is set to not audit, so it is not known whether or not the program is installed. If you are not going to install the programs in the near future (and you know the program is not being run off a network volume), you could unlock the policy from this computer. This falls under the general category "Optimize".
"unlock / uninstall" - the policy is locked to the computer, programs controlled by the policy are installed, but have not been used in over 90 days. Therefore, if you know the policy is no longer needed on this computer, you should unlock the computer, and uninstall the software from the computer. This falls under the general category "Optimize".
"uninstall" - a program controlled by the policy is installed, but the policy is not locked. The audit shows that the program has not been used in the last 90 days, so the software should probably be uninstalled. This falls under the general category "Reconcile".
"lock" - a program controlled by the policy is installed, but the policy is not locked. The audit shows that the program has been used recently, so the policy should probably be locked. You will generally only see this status if the program was recently changed to controlled, or if an admin has removed this computer manually from the node list for the policy. This falls under the general category "Reconcile".
"lock somewhere" - this is exactly like "lock", except that there are two or more Node policies that control the program - so you may want to lock a different policy than the one you are looking at. This falls under the general category "Reconcile".

Purchase reports

RUN Purchases (PROD x prch)

Purchases (PROD x prch) is very similar to Config (PROD x prch). However, the Config report is merely listing purchases for a product, while the Purchases report is more suited for reporting on purchasing. It has some additional optional columns, and it can accept a time range will will limit the report to just the purchases made during that time range.

Summarize reports

RUN Summarize (PLCY)
RUN Summarize (PROD)
RUN Summarize (PROG)
RUN Summarize Logins (DIV)
RUN Summarize Logins (USER)

These reports give an overall summary of configuration and usage statistics. Unlike the Usage reports, they do not show information about where policies and programs were used, but they do give overall summaries like maximum Concurrent Usage.

The first line of Summarize (PLCY) says "KeyServer" and will show you a summary of "KeyServer usage" - that is, users logging on to the KeyServer, and logging off again.
The "Name" column shows the name of the product, program, policy, division, or user.
The "Variant" column is only shown in Summarize (PROG) and shows the version of the program variant
The "Version" column is only shown in Summarize (PROD) and shows the version of the product
The "Type" column shows the type of the program or policy.
Summarize (PLCY) has a "Limit" column which shows the policy limit.
The "In Use" column shows how many copies are in use as of the end of the time range used for the report. If you selected a time range ending "now", this value in Summarize (PLCY) should match what you can see in the Policies window.
Summarize (PROG) has a "Deny" column which shows how many times a program launch was denied.
The "Max" column shows the Maximum number of copies that were in use at any particular time (Maximum Concurrent usage)
The "Total" column shows the Total number of launch / policy checkout events for the product / program / policy
The "Total Time" column shows the total amount of time (hours:minutes) of use. If copies are still in use, this reflects usage up until the end of the time range for the report.
Summarize (PLCY) has four additional columns which show the current length of the waiting queue for the policy, the maximum length of the queue, the total time spent on the queue, and the average time spent on the queue.

Usage reports

RUN
(PLCY x comp)

<–>

RUN
(COMP x plcy)

RUN
(PROD x comp)

<–>

RUN
(COMP x prod)

RUN
(PROG x comp)

<–>

RUN
(COMP x prog)

RUN
(FLDR x comp)

<–>

RUN
(COMP x fldr)

RUN
(PLCY x div)

<–>

RUN
(DIV x plcy)

RUN
(PROD x div)

<–>

RUN
(DIV x prod)

RUN
(PROG x div)

<–>

RUN
(DIV x prog)

RUN
(FLDR x div)

<–>

RUN
(DIV x fldr)

RUN
(PLCY x pool)

<–>

RUN
(POOL x plcy)

RUN
(PROD x pool)

<–>

RUN
(POOL x prod)

RUN
(PROG x pool)

<–>

RUN
(POOL x prog)

RUN
(PLCY x user)

<–>

RUN
(USER x plcy)

RUN
(PROD x user)

<–>

RUN
(USER x prod)

RUN
(PROG x user)

<–>

RUN
(USER x prog)

RUN
(FLDR x user)

<–>

RUN
(USER x fldr)

These reports all summarize usage information for policies, products, or programs (actually "program variants"). Each report pair presents the same information but with the summary and detail fields interchanged.

The division reports (DIV or div) aggregate together information from all the computers within each division.

The pool reports allude to the "pools" which can be set up in a custom policy in order to enforce group membership requirements that restrict access to each pool. Pool reports show which group requirement allowed the usage of a policy, product, or program, either through a pool in a custom policy, or through a group scope for a policy. Any usage which did not require group membership shows up as "universal". If you have not set up groups, group scopes on policies, or custom policies with multiple pools, these "pool" reports will not be very interesting since ALL usage would be detailed with a single line: "universal".

The "Name" column shows the name of the computer, division, folder, policy, pool, product, program, or user.
The "Variant" column only appears in reports that show program usage, and contains the significant digits of the program variant (with the keyed symbol, if appropriate).
The "Version" column only appears in reports that show product usage, and contains the version of the product.
The "Type" column shows the type of a computer, program, or policy. It is blank for divisions, folders, pools, products, and users.
The "% Usage" column is only available in Usage reports where the primary group is a policy, product, or program. It shows what percent of the total usage time was contributed by each detail line. This could be useful for bill back.
The "Total Time" column shows the total usage time (hours:minutes). For a summary line, it is the total usage over all its detail lines. For a detail line, it is the total usage for that particular line.
The "Total Count" column shows the number of usage events for each line. For a summary line, it is the sum of the counts for all the detail lines that appear below its expansion icon.
The "Avg Time" column shows the average usage time per week (hours:minutes). If the report is on less than half a week, this field shows "N/A", since an average would be misleading.
The "Avg Count" column shows the average number of uses per week. If the report is on less than half a week, this field shows "N/A", since an average would be misleading.
The "Last Used" column shows the last quit time for a product or program, or the policy return time for a policy within the time range of the report. This field will not reflect currently active usage of a program (or product or policy) that has been launched but has not yet quit.

Help Index

2012.04.12