At sites that have a large number of K2 client installs to perform, manually running the client installer on each computer may be impractical. This document references some techniques, tools, and documentation that facilitates large scale deployment.
Note: deployment of the K2 client on file servers (for the purpose of auditing only) is covered in the Server Audits document.
Use GPO to set up a startup or shutdown script that calls installers with necessary command line options, e.g.:
\\server\share\K2Client.exe -platform 32 -gpo -q -v PROP_HOSTNAME=keyserver.mysite.org \\server\share\K2Client-x64.exe -platform 64 -gpo -q -v PROP_HOSTNAME=keyserver.mysite.orgThe command line options above will be the most common. Since the script will do an install, it must run as Administrator, so it should be a startup or shutdown script. Both the 32 and 64 bit installers are run with similar parameters - only one will have an effect on any particular client compouter. The installer will install KeyAccess any time the installed version is different than the version being installed. It will be a "quiet" install, meaning the user won't see any Installer UI pop up during the install. A reboot will be suppressed. Finally, the KeyServer host is specified. These command line options are further documented below.
The following command line options are available. There may be others that can be added - if you need something in particular don't hesitate to contact Sassafras Support.
Options to make a quiet install and specify a server address:
Two options that determine what architecture to run on (vs aborting the install):
Our recommendation is to always install the same bitness as the OS. While the 32 bit client will run under a 64 bit OS, it will be limited in functionality for tracking certain obscure applications.
Three options that determine when to install KeyAccess or skip the install, based on versions:
You should only specify one of prior first three options (-gpo, -new, -upg). The following table might help understand these options:
|no KeyAccess installed||install||install||install||install|
|older KeyAccess installed||do not install||install||install||install|
|same KeyAccess installed||do not install||do not install||do not install||install|
|newer KeyAccess installed||do not install||do not install||install||install|
Misc additional options
Note that on Windows, all of the above options can be embedded in the file name of the installer, so that you end up with an exe that doesn't require any additional parameters (e.g. could be double-clicked). To do this, add an @ symbol just before .exe. Then in between the @ and the . add any parameters you would otherwise pass to the exe, replacing spaces with + signs. For example, you might name a 64-bit installer:
K2Client-x64@+-platform+64+-gpo+-v+PROP_HOSTNAME=keyserver.mysite.org.exeNote that for this example we have not included the "-q" parameter. If we imagine a user double-clicking this installer, we don’t want it to silently run without any feedback.
If you require an MSI based installer, or you want to embed install options in the installer instead of using command line options or file naming as described above, you will use a utility named k2clientconfig.exe. k2clientconfig is a command line utility found in the Installers\Windows Installers\Misc\ folder of the K2 image archive — or download the latest version from the Sassafras web site. Note however that using k2clientconfig.exe will remove the digital signature from the installer. For this reason, it is preferable to use command line options to the exe, as described further up on this page.
The example steps below illustrate the use of k2clientconfig to create a "silent" MSI install package that can be used as a Group Policy Object or with a logon script to transparently deploy the K2 client with default settings:
k2clientconfig -s 3 -h keyserver_host K2Client.exe
Now when you launch the customized K2Client.exe on a client computer, it will automatically use the pre-configured KeyServer host address. Unlike using command line options or exe naming, these options are embedded deeply in the installer file itself. Further customization options for the client installers (or for the extracted MSI package) are described in the built in command line help (type k2clientconfig.exe) and also in the documentation for k2clientconfig.
In addition to pre-configuring various options, the k2clientconfig.exe utility can also extract the stand-alone MSI install package, KSClient.msi from the K2Client.exe installer:
k2clientconfig -e K2Client.exe
Note that it is ok to change the name of a customized exe installer, but if you extract the MSI, you should NEVER change the name - it should ALWAYS be “KSClient.msi”.
This stand-alone MSI install package can be used as a "Group Policy Object" to automate client deployment. Microsoft's documentation at the following link may be helpful:
One potential problem with using the .msi instead of the .exe is that you will not be able to install a minor upgrade over an existing installation using the .msi (e.g. 184.108.40.206 followed by 220.127.116.11). Instead of simply double-clicking the msi, or running msiexec with just the /i option, you should use the command line:
msiexec /i KSClient.msi REINSTALL=ALL REINSTALLMODE=vamus
On Mac you might want to do a silent (remote) install without modifying the installer, so that the signature is not removed. This can be done in a terminal or with a script using the following two commands:
defaults write /Library/Preferences/com.sassafras.KeyAccess host keyserver.mysite.org installer -tgt / -pkg K2Client.pkg
Note that if you use Endpoint Management for preferences, you should set the host value that way instead of using defaults as above.
On Mac there is currently no way to pass command line options during the install - so to specifying options like the server address, you will need to use The customization utility, k2clientconfig. You can find k2clientconfig in the full image archive, in Installers/Macintosh Installers/Misc. Consult the documentation, k2clientconfig (Mac), for instructions on how to access this utility and how to set up customized installer preferences. The package can then be installed through Apple Remote Desktop.
On Linux the KeyServer address can be specified during install using the env command. The installation syntax varies for different specific OS's - two examples are shown below:
sudo env KA_SERVERHOST=keyserver.mysite.org dpkg -i KeyAccess_version-build_platform.deb
sudo env KA_SERVERHOST=keyserver.mysite.org rpm -U KeyAccess-version-build.platform.rpm
For details about other syntax and additional command line options, refer to the Linux Client Deployment documentation.