Automated Client Deployment

At sites that have a large number of K2 client installs to perform, manually running the client installer on each computer may be impractical. This document references some techniques, tools, and documentation that facilitate large scale deployment.

Note: deployment of the K2 client on file servers (for the purpose of auditing only) is covered in the Server Audits document.

Large scale deployment methods

Automatically Deploy the K2 Client through Active Directory GPO

Use GPO to set up a startup or shutdown script that calls installers with necessary command line options, e.g.:

\\server\share\K2Client.exe -platform 32 -gpo -q -v
\\server\share\K2Client-x64.exe -platform 64 -gpo -q -v

The command line options above will be the most common. Since the script will do an install, it must run as Administrator, so it should be a startup or shutdown script. Both the 32 and 64 bit installers are run with similar parameters; only one will have an effect on any particular client computer. The installer will install KeyAccess any time the installed version is different than the version being installed. It will be a "quiet" install, meaning the user won't see any Installer UI pop up during the install. A reboot will be suppressed. Finally, the KeyServer host is specified. These command line options are further documented below.

K2Client-x64.exe / K2Client.exe Installer command line options

The following command line options are available. There may be others that can be added - if you need something in particular don't hesitate to contact Sassafras Support.

Options to make a quiet install and specify a server address:

do a "quiet" install that won't display any UI, and suppresses restart.
specify the KeyServer host name or IP address

Two options that determine what architecture to run on (vs aborting the install):

-platform 32
only install if the client OS is 32-bit
-platform 64
only install if the client OS is 64-bit

Our recommendation is to always install the same bitness as the OS. While the 32 bit client will run under a 64 bit OS, it will be limited in functionality for tracking certain obscure applications.

Three options that determine when to install KeyAccess or skip the install, based on versions:

-new
only install if there is no version of KeyAccess installed - do not change an existing install
-upg
install if there is no KeyAccess installed, or if an older version is installed
-gpo
install only if this version is not already installed (install if KeyAccess is not already installed, or if a different version is installed)

You should specify only one of the three options above (-gpo, -new, -upg). The following table may help in understanding these options:

                             -new            -upg            -gpo            no option
no KeyAccess installed       install         install         install         install
older KeyAccess installed    do not install  install         install         install
same KeyAccess installed     do not install  do not install  do not install  install
newer KeyAccess installed    do not install  do not install  install         install

Misc additional options

force an audit to complete immediately after install, even if no user is logged in
do not install the KeyAccess Control Panel (only works on initial install)
if the client already has a KeyServer address, overwrite with the value passed as PROP_HOSTNAME
install the KeyCheckout utility
do not allow changes to the KeyServer host inside the KeyAccess Control Panel (only works on initial install)
-v PROP_SITE=value
populate a value on the client which will appear in the Department field of the computer record
use the computer name as the user name
-v key=value
pass an additional value to the installer

Embedding installer options in exe name

Note that on Windows, all of the above options can be embedded in the file name of the installer, so that you end up with an exe that doesn't require any additional parameters (e.g. could be double-clicked). To do this, add an @ symbol just before .exe. Then in between the @ and the . add any parameters you would otherwise pass to the exe, replacing spaces with + signs. For example, you might name a 64-bit installer:
Note that for this example we have not included the "-q" parameter. If we imagine a user double-clicking this installer, we don’t want it to silently run without any feedback.

Customized Windows msi and exe Client installers

If you require an MSI based installer, or you want to embed install options in the installer instead of using command line options or file naming as described above, you will use a utility named k2clientconfig.exe. k2clientconfig is a command line utility found in the Installers\Windows Installers\Misc\ folder of the K2 image archive — or download the latest version from the Sassafras web site. Note however that using k2clientconfig.exe will remove the digital signature from the installer. For this reason, it is preferable to use command line options to the exe, as described further up on this page.
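
Because the unmodified exe keeps its digital signature, a GPO startup script can check that signature before running the installer with the command line options described further up. The script below is an added example, not Sassafras code; the KeyServer host name, the `-v PROP_HOSTNAME=` form (inferred from the `-v key=value` and PROP_HOSTNAME entries above) and the signer pattern are assumptions to adjust for your site.

```powershell
# Added example, not vendor code. Share path and -platform/-gpo/-q come from the page;
# the host name, the PROP_HOSTNAME form and the signer pattern are assumptions.
$Share      = '\\server\share'
$KeyServer  = 'keyserver.example.com'   # placeholder KeyServer host
$SignerLike = '*Sassafras*'             # assumed publisher subject; match it to your download

function Get-InstallerPlan {
    param([bool]$Is64Bit, [string]$Share, [string]$KeyServer)
    # Pick the installer whose bitness matches the OS, as the page recommends.
    if ($Is64Bit) { $exe = 'K2Client-x64.exe'; $bits = '64' }
    else          { $exe = 'K2Client.exe';     $bits = '32' }
    [pscustomobject]@{
        Source    = Join-Path $Share $exe
        Arguments = @('-platform', $bits, '-gpo', '-q', '-v', "PROP_HOSTNAME=$KeyServer")
    }
}

function Test-InstallerSignature {
    param([string]$Path, [string]$SignerLike)
    # An installer whose signature was removed or altered does not report 'Valid'.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like $SignerLike)
}

$plan = Get-InstallerPlan ([Environment]::Is64BitOperatingSystem) $Share $KeyServer

# Copy to a fresh local folder first, so the file that is checked is the file that runs.
$work = Join-Path $env:SystemRoot ("Temp\k2-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
try {
    $local = Join-Path $work (Split-Path $plan.Source -Leaf)
    Copy-Item -LiteralPath $plan.Source -Destination $local -ErrorAction Stop
    if (-not (Test-InstallerSignature $local $SignerLike)) {
        Write-Error "Signature check failed for $($plan.Source); not installing."
        exit 1
    }
    $p = Start-Process -FilePath $local -ArgumentList $plan.Arguments -Wait -PassThru
    exit $p.ExitCode
}
finally {
    Remove-Item -LiteralPath $work -Recurse -Force -ErrorAction SilentlyContinue
}
```

An installer customized with k2clientconfig.exe would fail this check by design, so the script only fits the command line option approach.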

The example steps below illustrate the use of k2clientconfig to create a "silent" MSI install package that can be used as a Group Policy Object or with a logon script to transparently deploy the K2 client with default settings:

Now when you launch the customized K2Client.exe on a client computer, it will automatically use the pre-configured KeyServer host address. Unlike using command line options or exe naming, these options are embedded deeply in the installer file itself. Further customization options for the client installers (or for the extracted MSI package) are described in the built in command line help (type k2clientconfig.exe) and also in the documentation for k2clientconfig.

In addition to pre-configuring various options, the k2clientconfig.exe utility can also extract the stand-alone MSI install package, KSClient.msi from the K2Client.exe installer:

k2clientconfig -e K2Client.exe

Note that it is ok to change the name of a customized exe installer, but if you extract the MSI, you should NEVER change the name - it should ALWAYS be “KSClient.msi”.

This stand-alone MSI install package can be used as a "Group Policy Object" to automate client deployment. Microsoft's documentation at the following link may be helpful:

One potential problem with using the .msi instead of the .exe is that you will not be able to install a minor upgrade over an existing installation using the .msi (e.g. followed by Instead of simply double-clicking the msi, or running msiexec with just the /i option, you should use the command line:

msiexec /i KSClient.msi REINSTALL=ALL REINSTALLMODE=vamus

Deploying on Mac OS X without modifying the installer

On Mac you might want to do a silent (remote) install without modifying the installer, so that the signature is not removed. This can be done in a terminal or with a script using the following two commands:

defaults write /Library/Preferences/com.sassafras.KeyAccess host
installer -tgt / -pkg K2Client.pkg

Note that if you use Endpoint Management for preferences, you should set the host value that way instead of using defaults as above.

Creating a Customized Mac OS X Client installer

On Mac there is currently no way to pass command line options during the install, so to specify options like the server address, you will need to use the customization utility, k2clientconfig. You can find k2clientconfig in the full image archive, in Installers/Macintosh Installers/Misc. Consult the documentation, k2clientconfig (Mac), for instructions on how to access this utility and how to set up customized installer preferences. The package can then be installed through Apple Remote Desktop.

Deploying on Linux on a command line

On Linux the KeyServer address can be specified during install using the env command. The installation syntax varies between operating systems; two examples are shown below:

sudo env dpkg -i KeyAccess_version-build_platform.deb
sudo env rpm -U KeyAccess-version-build.platform.rpm

For details about other syntax and additional command line options, refer to the Linux Client Deployment documentation.