Automated Client Deployment

At sites that have a large number of K2 client installs to perform, manually running the client installer on each computer may be impractical. This document references some techniques, tools, and documentation that facilitates large scale deployment.

Note: deployment of the K2 client on file servers (for the purpose of auditing only) is covered in the Server Audits document.

Large scale deployment methods

Creating a Customized Mac OS X Client installer

The customization utility, k2clientconfig, is in the full image archive, in Installers/Macintosh Installers/Misc. Consult the documentation, k2clientconfig (Mac), for instructions on how to access this utility and how to set up customized installer preferences. The package can then be installed through Apple Remote Desktop.

Creating Customized Windows Client installers

k2clientconfig.exe is a command line utility found in the Installers\Windows Installers\Misc\ folder of the K2 image archive — or download the latest version from the Sassafras web site.

The simplest way to customize and deploy is first to customize a copy of the installer using a command line like:

k2clientconfig -s 3 -h keyserver_host K2Client.exe
Then do the same thing for the 64-bit client:
k2clientconfig -s 3 -h keyserver_host K2Client-x64.exe

Automatically Deploy the K2 Client through Active Directory GPO

Then to use GPO to set up a shutdown script that calls the customized installers with the -gpo option, e.g.:

\\server\share\K2Client.exe -platform 32 -gpo
\\server\share\K2Client-x64.exe -platform 64 -gpo
For details about this process, and other possible variations, read on.

The k2clientconfig.exe utility program lets you customize the Windows client installers, K2Client.exe and K2Client-x64.exe, with pre-configured KeyServer DNS name (or IP address) and other settings. Using this customized installer, computers supporting Microsoft's "MSI" installer service can be silently updated with K2 client components when logging onto the network.

The example steps below illustrate the use of k2clientconfig to create a "silent" MSI install package that can be used as a Group Policy Object or with a logon script to transparently deploy the K2 client with default settings:

Now when you launch the customized K2Client.exe on a client computer with MSI support, it will automatically use the pre-configured KeyServer host address. Further customization options for the client installers (or for the extracted MSI package) are described in the built in command line help (type k2clientconfig.exe) and also in the documentation for k2clientconfig.

In addition to pre-configuring various options for computers supporting MSI, the k2clientconfig.exe utility can also extract the stand-alone MSI install package, KSClient.msi from the K2Client.exe installer:

Note that it is ok to change the name of a customized exe installer, but if you extract the MSI, you should NEVER change the name - it should ALWAYS be “KSClient.msi”.

This stand-alone MSI install package can be used as a "Group Policy Object" to automate client deployment. Microsoft's documentation at the following link may be helpful:

One potential problem with using the .msi instead of the .exe is that you will not be able to install a minor upgrade over an existing installation using the .msi (e.g. followed by Instead of simply double-clicking the msi, or running msiexec with just the /i option, you should use the command line:

msiexec /i KSClient.msi REINSTALL=ALL REINSTALLMODE=vamus

K2Client.exe command line options for use with GPO

Instead of using the MSI with GPOs, it might be better to create a script that simply calls K2Client.exe, and use GPO to execute the script. That way you will get the benefit of the logic that is built into the exe, with the ease of deployment which GPO provides.

K2Client.exe Command Line Options:

only install if there is no version of KeyAccess installed - do not change an existing install
install if there is no KeyAccess installed, or if an older version is installed
install only if this version is not already installed (install if KeyAccess is not already installed, or if a different version is installed)
-platform 32
only install if the client OS is 32-bit
-platform 64
only install if the client OS is 64-bit

You should only specify one of the first three options (-gpo, -new, -upg). The following table might help understand these options:

  -new -upg -gpo no option
no KeyAccess installed install install install install
older KeyAccess installed do not install install install install
same KeyAccess installed do not install do not install do not install install
newer KeyAccess installed do not install do not install install install

Our recommendation is to always install the same bitness as the OS. While the 32 bit client will run under a 64 bit OS, it will be limited in functionality for tracking certain obscure applications. The simplest method of deployment is to customize the K2Client.exe and K2Client-x64.exe installers and then have a script run periodically. Since the script will do an install, it must run as Administrator, so it should be a startup or shutdown script. It may be simplest to use a shutdown script. The script should look something like:

\\server\share\K2Client.exe -platform 32 -gpo
\\server\share\K2Client-x64.exe -platform 64 -gpo