TN 4398: Adobe CS 5 and CS 6, policy management — unkeyed or keyed

This tech note reviews the choice between unkeyed vs keyed policy management and includes documentation specifically related to Adobe Creative Suite 5 and 6 installers and updaters.

2012.08.07 (reviewed)

First, a reminder of the keyed versus unkeyed issues that apply not just to CS 5-6, but to the management of any program.

Management of programs in the unkeyed state is often easiest, but you must ensure that:

  1. KeyAccess remains installed on all computers you wish to manage.
  2. Personally owned copies of managed programs are exempted from the policies managing institutional copies (TN 4399).

When managing programs in the keyed state, you must ensure that:

  3. Updaters applied to a keyed installation will preserve the keyed state.

With the keyed option, you don't have to worry about issue 1 (even for broadly deployed software) — a keyed application won't run without KeyAccess. Issue 2 is also eliminated but at the expense of managing installation of keyed variants separately from any unkeyed distribution. On Windows, the "deputize" feature is available to simplify installation of keyed variants. On Macintosh, the CS 5-6 installers can be manually deputized (TN 4398.1).

Adobe has dealt with issue 3 by working with Sassafras to make their CS 5-6 updaters "keyed-state-aware", so they will either refuse to update a keyed installation or, when customized with the "mode=sass" option (TN 4521), preserve the keyed state of the installation. Note: it is probably best to either disable the "auto update" feature for keyed installations or configure these installations to use a local update server (such as Adobe Application Manager Enterprise Edition) which you take care to provision with updaters that have the "mode=sass" option enabled.

Distinguishing CS 5 applications from earlier versions

We will use Photoshop 12.x as an example program from CS 5. In order to configure a Manage Policy for Photoshop 12.x, first we need to make sure KeyServer has had a chance to discover the new program variant so we can find it in the Programs window. With CS 5 installed on the KeyConfigure computer itself, just drag the Photoshop 12.x application into KeyConfigure's Programs window (or, from the Computers window, select a computer where Photoshop 12.x is installed, right-click, choose "Request Audit", then wait for the audit to upload). Click "refresh" at the bottom of the Programs window and then use the Find command to search for "Photoshop". This will find several records. Do you see, in the Identifier column, the value "PHOTOSHO" (Win) or "8BIMAPPL" (Mac)? Double-click on one of these records to show Program details for the entire Photoshop family. If you have both Win and Mac programs, open a separate detail window for each family.

Typically you will need to apply a different Manage Policy to the new Photoshop 12.x, so it must be distinguished from the older variants (10.x, 11.x, etc.). For example, your Photoshop 12.x copies might be licensed as a CS 5 point-product (single application install), while Photoshop 11.x might be licensed as part of the CS 4 Design Premium Suite bundle. By default, the Programs details window treats all (unkeyed) versions of Photoshop (major and minor versions) as members of the single, undistinguished family (usually appearing as something like "Photoshop all"). Thus in preparation for distinct management policies for the new CS 5 applications, it is often (but not always) necessary to slide the variant mask at the top of the Program details window over to the right by one decimal point. This will split the family into variants distinguished by major version so you can now select the Photoshop 12.x variant. Save the changes to the Program Details window, but leave the window open with the Photoshop 12.x variant selected — you may notice new records appear in the Programs window.*

Note: when a 'parent' is split into multiple 'children' variants, any pre-existing Manage Policy in force for the 'parent' will propagate to the 'children'. This effectively preserves any existing policy management behavior from before the split, but it may or may not be consistent with your license entitlements! If your intention is to manage the new Photoshop 12.x separately from your old policies, you will have to remove the newly created variant, Photoshop 12.x, from each of the existing products that previously contained the Photoshop all variant before the split. You should double-click each relevant Product so you can view its Programs pane to check on how the new versions have propagated.

CS 5-6, Manage — unkeyed

Again, we will use Photoshop 12.x as an example program from CS 5 and we assume, following the instructions above, that the record for this variant is currently selected — either it is the selected item from the left column of the Program details window for the Photoshop family, or it is selected directly in the Programs window.

Drag the Photoshop 12.x program record into KeyConfigure's Products Window:

  - To create a product: drag into whitespace, then use the New Product wizard to enter any desired values.
  - To add to a product: drag onto the existing product (e.g., CS5 Master Collection).

Drag the appropriate product record into whitespace in KeyConfigure's Policies Window. In the New Policy wizard, enter an appropriate name, and accept the default Policy Action, Manage.

In the new Policy Details window, double check the action, metric, limits, and scope. Check the Products pane to make sure the appropriate product is listed, then double-click the product and check the Program pane to make sure the program variants are listed for a suite product versus a standalone product as appropriate. Double click on each program listed in this pane to bring up its Program details window. In each of these Program detail windows, take a look at all the Products that are associated with this program (i.e. check the Products pane for each program). Also check the Policies associated with each Product.

Caution: If KeyAccess is installed on computers that might have personal copies of Photoshop 12.x installed, make sure that the Policy you have created for Photoshop 12.x has an appropriate Scope, so that non-institutional copies will not be in Scope, and will run without interference (TN 4399).

CS 5-6, Manage — keyed

Before transforming any application into a keyed version, it is important to back up so that you do the transformation on a duplicate, not the original: create a folder named something like "CS 5 backup - unkeyed" and move all the CS 5 applications from their original locations into it. Then duplicate (using control-drag or option-drag) each of these moved applications back to its original location. Note: the act of duplicating will clear up any file permission issues that might interfere with the keying step that follows.

Again, we will use Photoshop 12.x as an example program from CS 5. Select “Key a Program” from the “File” menu in KeyConfigure. In the dialog that comes up, click “Browse”, and locate the Photoshop 12.x application copy in its usual location in the file system. Click OK.**

After keying has completed you will see the program details for the new keyed variant. If the unkeyed variant containing this version of the program was in a product already, the keyed variant has been added to the same product. If this is not what you want, you can right-click the product listed in the Products pane and select Delete. If the program is not in a product, you will need to add it to one. As above in the unkeyed steps, associate the keyed program with a product, then make a Manage Policy for the product.

Now, having keyed an instance of each CS 5 application, you can use various methods to install or deploy the keyed variant out to user workstations. One method involves using a deputized version of the original installer. Even though there is no built-in ability to deputize Mac installers for the Adobe CS 5 applications, they are easy to deputize manually so that they will install keyed versions (TN 4398.1).

*If you use KeyConfigure to transform an application into a keyed instance, it will add a new item to the Programs window. This new keyed variant is completely distinct from any other variants in the program family — in the Program details window, keyed variants are added below the horizontal dividing line in the left column (while unkeyed variants appear above). For this reason, if you are only going to manage and track an application (e.g. Photoshop 12.x) using the keyed option, the preparation step of sliding the variant mask over in order to distinguish unkeyed major versions may be unnecessary. Also, with the keyed option, there is no concern with the "owns-their-own" issue since the keyed copy (owned by the institution) is completely distinguished.

** An alert may be posted to inform you that keying will remove the application's digital signature. Click past the message — removal will not interfere with program functionality.