k2clientconfig (Mac)

K2Client.pkg is a signed “flat package” which can be installed on OS 10.6 and later. It can be customized to include the target KeyServer address and other settings, but this customization will remove the signature, so you may need to right-click the installer when running it manually in order to tell Gatekeeper to allow it to run.

The k2clientconfig script is an OS X command line utility that lets you customize the OS X client package installer (K2Client.pkg) with a pre-configured KeyServer DNS name (or IP address). You can also customize other client settings and the installer behavior itself to suit your particular deployment strategy. k2clientconfig can be found in the full K2 archive, in Installers/Macintosh Installers/Misc (or download k2clientconfig from the Sassafras web site, but then you must use chmod u+x in the terminal to enable execute permission).

Use the Mac OS X Terminal program to run k2clientconfig. Type in the path manually, or just drag the k2clientconfig file into the terminal window. Running k2clientconfig with no additional parameters will display the command line options. The table below gives a more complete explanation with defaults underlined and some additional comments. Running k2clientconfig with a particular set of command line options changes ONLY those options specified on the command line, leaving all other options set to their current values. Therefore, it is not necessary to specify every command line option, only those you would like to change. Because customization removes the signature, Gatekeeper might handle the modified installer differently from the original installer.

k2clientconfig

Usage:

k2clientconfig [options] K2Client.pkg

Command Line Options:

-d
display current settings (other options are ignored)
-h <host>
set IP address or DNS name of KeyServer to <host> (default DNS name: keyserver)
-s {0|1|2|3} [1]
interface level displayed when the pkg installer is run
     0: user can change settings
     1: user can see settings but cannot change them
     2: user cannot see any settings besides standard pkg interface
        use this option if you are distributing the pkg with Remote Desktop
        to prevent anything from appearing on the client computer
     3: same as 2
-g {yes|no}
override current ka address with address specified by pkg
     yes: address specified by pkg will be used
     no: current ka address will be used if present
-c {yes|no|maybe}
install KeyCheckout
     yes: KeyCheckout will be installed unless user chooses not to
     no: user cannot install KeyCheckout
     maybe: KeyCheckout will not be installed unless user chooses to
-t {yes|no}
allow installation of KeyVerify
     yes: KeyVerify will be installed unless user chooses not to
     no: user cannot install KeyVerify
-p {yes|no}
allow installation of KeyAccess Preference Pane
     yes: Pane will be installed unless user chooses not to
     no: user cannot install KeyAccess Preference Pane
-k {yes|no}
kill KeyAccess before install
     yes: KeyAccess will be killed (quit) before the install begins
     no: KeyAccess will not be killed (quit) before the install begins
-r {yes|no} [2]
run KeyAccess after install
     yes: KeyAccess will be started after install completes
     no: KeyAccess will not be started after install completes
-b {yes|no}
reboot after install
     yes: prompt for a reboot after install
     no: do not prompt for a reboot after install
-v name[=value]
set a specific named plist preference to a custom initial value
     name is the preference name (e.g., 'trust')
     value is the preference value ('1' if omitted)
-l {yes|no}
lock KeyAccess settings
     yes: after install, KeyAccess settings will be locked to users
     no: after install, KeyAccess settings will not be locked to users
-f {0|1|2|3}
value used for computer name
     0: computer name defined by user (in Sharing system preference panel)
     1: local computer host name as returned by gethostname
     2: canonical host name, as retrieved from DNS
     3: first component of canonical host name (i.e. 'myhost' instead of 'myhost.domain.org')
-z {user|short|comp}
source of value used as login name
     user: KeyAccess will use user name as login name
     short: KeyAccess will use short user name as login name
     comp: KeyAccess will use computer name as login name
-x {yes|no}
by default, quarantine is removed from the pkg when any other change is made
     yes: remove quarantine attribute even if no other options are specified
     no: do not remove quarantine attribute

[1] Note that by default, the installer will prompt for the KeyServer address during installation. If you are using Apple Remote Desktop for distribution of the pkg, this dialog will appear on the computer where the software is being installed - not on the computer where Remote Desktop is running. Therefore, you will probably want to configure the KeyServer address, and set the installer to silent mode. To do so, you would do something like:

./k2clientconfig -h 192.168.0.16 -s 2 -g yes K2Client.pkg
(assuming you are in a directory containing copies of k2clientconfig and K2Client.pkg)

[2] "-r yes" will start KeyAccess after installation. In order to do so, it must kill any currently running KeyAccess. If you do not use keyed software, this has no unexpected consequences - if the client has a connection to KeyServer, it will close the connection, and the newly installed KeyAccess will open a new connection. However, if a keyed program is running when this happens, the new session will not ask for the key again. Therefore, KeyAccess will ask the user to quit the keyed program about 15 minutes after the installation. For this reason, you should only use "-r yes" if your clients do not yet have KeyAccess software installed, or if you do not use any keyed programs. If you use "-r yes", you may want to also use "-b no", since a restart is no longer necessary. e.g.:

./k2clientconfig -r yes -b no K2Client.pkg
(assuming you are in a directory containing copies of k2clientconfig and K2Client.pkg)

For one more example, suppose you want users who run the pkg installer not to be able to choose the server address. After installation, you don't want them to be able to see the KeyAccess Preference Panel, and don't want them to be able to make changes (such as changing the KeyServer address). In this case, use something like:

./k2clientconfig -h 192.168.0.16 -s 2 -g yes -p no -l yes K2Client.pkg
(assuming you are in a directory containing copies of k2clientconfig and K2Client.pkg)

Technical Details

k2clientconfig extracts underlying files from K2Client.pkg, modifies them, then reassembles the flat package installer. Most of the common command line options correspond to settings in a single file that is embedded in the installer, k2clientconfig.plist.

The k2clientconfig utility customizes the XML key values in the plist file as follows:

-h <host>
KSAddress key is set to <host>
-s {0|1|2|3}
for 0: AddressPromptUser key is set to 1 and AddressDisableChange key is set to 0
for 1: AddressPromptUser key is set to 1 and AddressDisableChange key is set to 1
for 2: AddressPromptUser key is set to 0 and AddressDisableChange key is set to 1
for 3: AddressPromptUser key is set to 0 and AddressDisableChange key is set to 1
-g {yes|no}
AddressDefaultCurrent key is set to 1 or 0
-l {yes|no}
KASettingsLocked key is set to 1 or 0
-z {user|short|comp}
UseComputerName key is set to 0, 3, or 1
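
The mapping above can serve as a pre-deployment check on a k2clientconfig.plist taken from a customized package. The following is an added example, not code from Sassafras: it computes the key values a set of options should produce and reports any key that differs. The function names, integer value types and the -z value order are assumptions, and the sample plist is constructed.

```python
import plistlib

# Option-to-key mapping from the table above. Integer value types and the
# order of the -z values (user=0, short=3, comp=1) are assumptions.
S_LEVELS = {0: (1, 0), 1: (1, 1), 2: (0, 1), 3: (0, 1)}  # (PromptUser, DisableChange)
Z_VALUES = {"user": 0, "short": 3, "comp": 1}
YES_NO = {"yes": 1, "no": 0}

def expected_keys(h=None, s=None, g=None, l=None, z=None):
    """Return the plist keys the given options should set; None means the
    option was not specified, so its key is left out of the check."""
    keys = {}
    if h is not None:
        keys["KSAddress"] = h
    if s is not None:
        keys["AddressPromptUser"], keys["AddressDisableChange"] = S_LEVELS[s]
    if g is not None:
        keys["AddressDefaultCurrent"] = YES_NO[g]
    if l is not None:
        keys["KASettingsLocked"] = YES_NO[l]
    if z is not None:
        keys["UseComputerName"] = Z_VALUES[z]
    return keys

def _norm(value):
    # Treat 1, True and "1" as equal, since the stored type is not documented.
    if isinstance(value, bool):
        return int(value)
    if isinstance(value, str) and value.isdigit():
        return int(value)
    return value

def audit(plist_bytes, expected):
    """Return {key: (expected, found)} for every key that does not match."""
    actual = plistlib.loads(plist_bytes)
    return {k: (want, actual.get(k)) for k, want in expected.items()
            if _norm(actual.get(k)) != _norm(want)}

# Constructed sample: the lock-down example (-h 192.168.0.16 -s 2 -g yes -l yes;
# -p has no key in the table) applied only in part, settings left unlocked.
SAMPLE = plistlib.dumps({"KSAddress": "192.168.0.16", "AddressPromptUser": 0,
                         "AddressDisableChange": 1, "AddressDefaultCurrent": 1,
                         "KASettingsLocked": 0})

if __name__ == "__main__":
    print(audit(SAMPLE, expected_keys(h="192.168.0.16", s=2, g="yes", l="yes")))
```

An empty result means every checked key matches; a missing key is reported with a found value of None.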

On 10.8 (Mountain Lion) and higher, any installer that is tagged as "quarantined" (an extended file system attribute) may be prevented from running by Gatekeeper. Generally, this attribute is set on downloaded files and will remain set for all copies. After running k2clientconfig to customize the K2Client.pkg installer, its quarantine attribute will be deleted; make sure that your deployment method does not set the quarantine attribute again when the installer is deployed to a computer running OS X 10.8 or higher.