Client Self-Updates

Starting with version 7.4.1, on Windows and 7.4.1.2 on Mac OS X, KeyAccess has the ability to update itself automatically without user interaction

Details of the update — when it happens, what version is installed, and other settings — are configured centrally on the server. Client versions 7.4.1.0 and newer for Windows and 7.4.1.2 and newer for Mac will fetch the upgrade instructions from the server and install the new version even if no users are logged into the computer. Computers that are not powered on will update when they next start up.

While the update instructions are stored on and distributed by the KeyServer, the actual client installers must be stored on and served by an HTTP(S) server. This can be any server you choose, as long as it is accessible to your client computers. Although it is possible to link directly to the client installers on Sassafras's web server, we recommend that you use a local web server instead. This will give you more control over which version you distribute, and avoids any network accessibility or performance issues.

The client-side settings that are already in place, such as the KeyServer address, are retained. It is possible to change certain settings during the update, but typically this will not be necessary. It is important that you use the installers as they are, without modification (by k2clientconfig or otherwise). This because the installers are digitally signed by Sassafras, and the self-update process will verify the signature before using the installer file. Any modification will invalidate the signature.

Configuring The Update

Configure the update settings in the Client Updates dialog in KeyConfigure. The most important setting is the location of the client installer. Configuration for each client platform is kept separate, since each platform has a different installer. Put the installer(s) on the web server first, then enter the URL. You can test that the file is accessible by clicking the refresh icon. This will also determine the version of the client contained in the installer. It is important that the version displayed in this dialog is updated any time you change the installer in the web server.

To open the Client Updates dialog, select “KeyAccess Version Control” from the Config menu in KeyConfigure.

Client Updates dialog

The steps below are sufficient to instruct clients how to update.

  1. Place the client installers (one for each platform you have) on a central web server that is accessible to all clients
  2. In the Client Update dialog, for each platform, set the installer URL and click the refresh icon to update the version displayed.
  3. Check the “Enable Auto-updates until” checkbox and do not enter a deadline

When all needed platforms have been configured in this way, click OK. Each client checks in regularly to get the latest update instructions. Once each day (macOS) or two (Windows), the client update process will run. First, the process will determine whether the update applies to that particular computer. For example if the latest client is already installed, no update is needed. If it is determined that the update applies, the installer file is then downloaded from the web server. Assuming its the digital signature is valid, the installer is run to perform the update.

In most cases, the client will be running when the upgrade happens. The upgrade process will stop the running client before installing the new software, and then silently start the new client once the upgrade is complete. The upgrade process does not initiate a computer restart, but in some cases some of the new components will not be in place until after the client computer restarts.

Gradual Updates

When update instructions apply to a 7.4.1.0 client, the client will always run the update. With version 7.4.1.1 installed on clients (so, when self-updating to 7.4.1.2 or higher), updates can be applied to a portion of all clients. This gradual update is randomized — you set a percentage of clients that should be updated, and then statistically that number of clients will be updated. As needed, this percentage can be increased up to 100%, at which point all clients will have been updated. Note the Mac client must be 7.4.1.2 or newer for self-update to work.

Security Measures

The main protection against malicious parties utilizing the self-update feature is the digital signature of the installers. The update program that is already present on the client computer will check the signature of the downloaded installer before using it. The signature must be valid, and must also have been created using Sassafras Software's private signing key.

The upgrade instructions are stored in a file that is read-only for non-administrator accounts. On Windows this file is stored at \ProgramData\KeyAccess\kami.xml. On Mac OS X the file is at /Library/Preferences/KeyAccess/kami.xml. Keep this file accessible only to admin accounts so it cannot be modified by normal users. But even if this file is changed, the digital signature check protects against installation of unsanctioned software. Modification of this file could disable updates, or could cause an older version of the client to be installed.

While it is not necessary, using an HTTPS URL for the installers will add one more security obstacle.

Note that the client can always be updated using external distribution mechanisms, such as Group Policy Objects. The self-update feature of the client can be disabled completely if there are security concerns about its operation.

Client Installer Location

Client installers are downloaded over HTTP(S) from any web server you choose. This can be a central web server for your organization, or an internal web server accessible to the client computers. Optionally, neither of those options are available, KeyServer's built-in web server can be used. As a last resort, you could refer to the client installers hosted at www.sassafras.com.