General Settings Dialog

This dialog contains general KeyServer settings that will apply to all users. It is accessed from the Config Menu.

PRS Settings

This section of the Dialog lets you enable, disable, and configure the Product Recognition Service (PRS). Usually, PRS should be turned on and configured to run at some time during the middle of the night. Note that when the “Submit Manually defined Products” option is enabled, your server will send to PRS data on Products that you created. This is useful to Sassafras because it helps us to understand what Products are missing from our definitions, and to prioritize them for inclusion in a future update.

PRS Location: Typically you will leave this set to the default, “”. KeyServer will use the HTTPS protocol to contact PRS at that address. In cases where network configurations do not permit HTTPS communication with PRS, try changing this setting to “”. KeyServer will then use the non-encrypted HTTP protocol to contact PRS.

Proxy Server: If the host on which KeyServer or KeyConfigure run requires all Internet-bound communication to happen through a proxy server, enter that server's address (and port). For example, you would use “” if your proxy service runs on a host with that name, and accepts HTTP and HTTPS traffic on the default ports. You can also specify an IP address, or if the proxy service is on a non-default port, you can specify that by adding a colon “:” followed by the port number (e.g., “”). Do not include the protocol prefix (http:..., etc.) in this field.

Contact PRS daily at: Leave this option checked in order to have your server check with PRS for new Product definitions. The very first time it starts, your server will pick a random time of day at which it will contact PRS. You can change this time to suit your needs, for example if you have scheduled downtimes that would interfere with the time that was selected by your server.

Submit Manually defined products: Checking this option allows your server to upload data on the Products that you have created. This data is stripped of identifying information, and is used only in aggregate form in order to aid Sassafras in the definitions of products. If sending this data is not allowed due to organizational or other policies, leave this option off.

Last Update from PRS: Your server updates this field each time it attempts to contact PRS. Success or failure is indicated by a green check or red ×. If you want to have PRS check immediately for new Products, click the Contact Now button. Note that it may take several minutes for the transaction to complete and the new time to be reflected in Last Update from PRS.

PRS ID: Your server generates a random, anonymous ID that it uses in all communication with PRS. This allows PRS to avoid duplicate data and make associations to related data in a manner that preserves the anonymity of the submitter. We remind you that Sassafras Software does not collect any identifiable user or system data; PRS is used only to keep us alerted to new Products in use by customers (but not which customer) so we can keep it updated.


The Audits tab has settings for controlling how often clients are asked to perform a software audit, and for scheduling processing that applies to the collected audit data.

Reschedule Audit every: Configure the time interval used to perform audits on computers which are set to audit automatically. Repeated audits allow you to keep audit information accurate as new software is installed and old software is uninstalled. The default audit interval is 2 weeks. Note that you can make a particular computer stop performing repeated audits by configuring this option in the Computer Details. By doing so, you will keep the existing audit information, but stop automatic re-audits. You will still be able to see the existing audit information by right-clicking the computer and selecting Show Installs, but the standard audit reports will only report on computers set to audit. See Sassafras Software Licensing for information on how the audit interval affects licensing of Sassafras Software products.

Throttle Network Traffic: Optionally set a threshold for network traffic associated with client audits. If the KeyServer begins to get more traffic than this upper bound, it will tell clients to slow the rate at which they are sending audit data. By default, there is no throttle. Under normal circumstances, you should not need to set a throttle, since generally clients will perform audits at various different times, and the audits will never account for very much network traffic. If however you have a situation where many clients are sending audits simultaneously, and you notice that KeyConfigure is slow to respond, you may want to set a throttle.

Generate Product Audit Daily At: is used to configure a daily process that examines the programs discovered on each computer, and generates a table that tracks which products are installed on each computer. You can use the Now button to perform this action on demand at any time.

Generate Product Audit After Optimizing causes the Audit Product database to be generated essentially when Products have been changed or created - in addition to the scheduled daily computation. This can make new data available sooner, without waiting for the daily schedule.

Use Audit Product database in Product Reports will cause your local KeyConfigure to use this precomputed data for certain Product related reports, instead of recomputing the same information as part of the report. This will make reports such as the Audit Products reports complete more quickly, but they will also show data that is valid as of the last time this data was generated - not up to the minute based on new program audits.

Note that with the default settings, every client computer will perform an audit when it first connects to the KeyServer, as well as incremental audits every 2 weeks. If you do not want clients to perform audits automatically after they first connect, you will need to change the discovery rule for new computers. If you want audits to occur only once, but not be rescheduled automatically, you will need to remove the "Reschedule Audit every ..." option in this dialog.

Generating Product Audits can help run reports quickly. In addition, if you are Exporting data, you may find that by generating Product Audits, you can avoid exporting the entire Program Audit table.

Consult Audit Product database when prioritizing Policies is a feature that is relevant when a single program is in multiple managed products. It tells KeyServer to use the Audit Product database to determine the appropriate policy - so that the policy used is for the product that is installed instead of for a different Product. When this information is used it can override the standard priority of products that has been specified for a program.

Send Program management settings to clients during audits will allow clients to learn what policies apply to installed software when the list of installed software is sent to KeyServer. With this option turned off, a client would need to run software while connected to KeyServer in order to learn what to do with that software. By enabling this option, clients can learn how to treat software even before it has ever run - which can make a difference if the first launch occurs when KeyServer cannot be contacted.

Gather information about connected devices for members of [group] allows you to limit when clients will report Devices as part of their audit data. By default this is enabled and set to all groups, which means any computer will report the data. Unchecking this option will globally disable device audits. If you make a Group, you can select it from the drop down and limit audits to that group of computers. Because Groups can be made of Locations, this means you can limit device audits to when laptops are on site as opposed to at home or on the road.

Include imported Products on availability pages by default allows you to globally disable new Products being visible. This may be desired if you have a well curated Software page in the Web UI and you don't want surprise items discovered mid-year showing up automatically. When this option is disabled, all new Products discovered will have their visibility flag disabled so you can manually confirm what you want published.

Privacy Settings

This section of the Dialog lets you configure how user and computer names are recorded. By default, the real values are recorded. However, you may choose to scramble the names, which will map each name to a “nonsense” string, which will always be the same for that name. Or, you can tell KeyServer not to record names. The one thing that will always be recorded with each event is the computer ID. This cannot be changed. However, one related feature is that you can delete usage older than some configured date when you run the KSdbConsist tool. Note that if you are trying to hide computer names, you may want to disable the Computer Name as an acceptable Computer ID type (in the Computer ID Types dialog in the Config Menu), since the computer ID will not be changed even when the privacy settings are enabled. These settings have a significant impact on your reports when it comes to identifying exactly who or what used a piece of software, so use them with caution. As a reminder, Sassafras Software does not collect any personally identifiable data from customer KeyServers, so this is not relevant to such concerns, only to your internal reports.

Idle Settings

This pane of the General Settings Dialog lets you configure idle settings. First, you can specify what actions will occur by default when a managed program is idle. Note that these options only apply to programs when they are being managed by a Policy. Also, in the Policy Details Window, you can configure whether programs using the Policy will have these idle settings, or whether to do something else for that Policy.

Track client computer startup and shutdown, when turned on, will give KeyServer awareness of a computer which is on but sitting at a login screen, as opposed to a computer which has been shut down or lost its network connection to KeyServer. This option primarily is used in the Availability Maps presented in the Web UI.

Write events to log when user sessions are idle - when checked, KeyServer will write events in the usage database when a session transitions from idle to active and vice versa.

User sessions are idle after: 15 minutes can be used to configure how many minutes pass before KeyAccess considers a session to be idle.


The Default Currency setting affects what currency is assumed for purchases where a currency is not explicitly set. It also determines what currency will be used in Purchase related reports.
Configure the Separator to conform to your preferred numeric representation.

System User Names can be used to list all admin users of your systems, which will be ignored when running reports. This is useful to ignore logins by the local and network admins so service logins are not part of your use reports. Much like Tags, type the user name and hit Enter to create the name. Repeat as needed for each name. You can also use a tag that you create in the Users Window by using #tag syntax. This lets you put in more names than would otherwise be supported in this config pane, but this should be very uncommon and there may be a better approach to your need. Please contact support with any questions this may lead to.


This screen is for configuration of an external Print Server as a source for Printers. Currently PaperCut is supported. Users of that system should be familiar with these settings to allow for query of the devices. Note only a single PaperCut server is supported at this time. However, you may use IPP in your Printer Details to query them independently of a server.

Note most of these settings are also available in the Web UI -> Settings which offers more information in the UI as to their use and purpose.

Compatibility Notice: PaperCut version 18.3 and higher are fully supported with the settings documented here. Prior to 18.3 we are unable to automatically update the printer status as a key identifier is missing from the printer export. If you manually populate this value in each printer record, then status can be updated. We do not support any version prior to 17 as the needed API does not exist.

Manually setting IDs to fetch status updates

In order for KeyServer to update the Status of a Printer we need the Service ID of that device. Prior to PaperCut 18.3 it is not possible to retrieve that programmatically, so it would need to be set individually per device. For each printer imported from PaperCut, you will need to do the following:

  • Open PaperCut and go to Printers and view the Printers List

  • Hover your mouse over the link for a given printer, and look at the address shown in the bottom of your browser window

  • Note the number at the end of that URL. That is the Service ID which must be entered in the Service Pane of the Printer Details window for that device in KeyConfigure. Ensure the Service Type is set to PaperCut.

  • Service URL is typically something like or (note the port and protocol pairings). If you change PaperCut to use default ports they still need to be specified here, e.g. https://papercut:443.
  • URL Pattern determines how to link to the admin Printer pages in PaperCut. The default is usually appropriate.
  • Admin Name is for the privileged account in PaperCut you want to use for queries.
  • Admin Password is for the above account.
  • Required PaperCut permissions:

    The account used for pulling printers from PaperCut needs to have certain permissions, but does not need to be a full admin. Configure the account you wish to use in PaperCut under Options -> Admin Rights -> Edit the account in question.

    Ensure the account has these permissions:
    Access Dashboard
    Access printers section
    Access devices and site sections
    Access reports section
    Access Central Reports

  • Web Auth Token can be found in the Config editor of PaperCut's Options page.
  • How to find the token:

    Log in to your PaperCut server and click on Options

    Click in the upper right on the Actions button and choose Config Editor (advanced) from the drop down menu

    In the search field enter auth.webservices.auth-token and click the green arrow.

    If there is no Value for the auth-token, type one in (make sure it's secure) and click Update. Copy the Value for the token into the configuration field in KeyServer and Save the settings.

    The Update every frequency only affects the Status of the printer on Maps; the rest of the fields are imported once per day to keep records in sync. It is important to note that the daily full update will replace information in the mapped fields (see Tables for more details). Clicking Now will force an import, including a query via IPP. Note that the minimum timeframe for updates is 3 minutes for network and load sanity.

    Notes on PaperCut Security

    There are a couple of security items worth noting so they are not overlooked. These are the Allowed admin IP addresses and the auth.webservices.allowed-addresses options.

    1. Under an admin login, go to Options -> Advanced and scroll down to the Security section. In the field for Allowed admin IP addresses ensure you have the IP address of the KeyServer in addition to whatever other IPs may be needed in your environment normally.

    2. Under Options -> Actions -> Config Editor search for webservices.

      In the auth.webservices.allowed-addresses field ensure the IP of the KeyServer is added if it's not set to the default unrestricted (*) value.

      You can also see this under Options -> Advanced -> Security in the Allowed XML Web Services field.
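
A check for the token and allowed-addresses settings described above, as an added example that is not part of the Sassafras or PaperCut documentation: it generates a random value for auth.webservices.auth-token and audits an auth.webservices.allowed-addresses value against the KeyServer's IP. The entry format (comma-separated IPs, address/mask networks, or *), the function names, and the sample addresses are assumptions.

```python
import ipaddress
import secrets


def new_auth_token(nbytes: int = 32) -> str:
    """Return a random, URL-safe string to use as the web services auth token."""
    return secrets.token_urlsafe(nbytes)


def check_allowed_addresses(value: str, keyserver_ip: str) -> dict:
    """Audit an allowed-addresses value against the KeyServer's IP address.

    Assumed format: comma-separated entries, each '*', a single IP address,
    or a network written as address/prefix or address/netmask.
    """
    host = ipaddress.ip_address(keyserver_ip)
    report = {"unrestricted": False, "keyserver_allowed": False,
              "matched": None, "invalid": []}
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        if entry == "*":
            net = None
        else:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                report["invalid"].append(entry)  # typo or hostname: review by hand
                continue
        # '*' and zero-length prefixes (0.0.0.0/0, ::/0) admit every caller.
        if net is None or net.prefixlen == 0:
            report["unrestricted"] = True
        if net is None or host in net:
            report["keyserver_allowed"] = True
            report["matched"] = report["matched"] or entry
    return report


if __name__ == "__main__":
    # Constructed sample values, not taken from any real server.
    sample = "127.0.0.1, 10.20.0.0/255.255.255.0, printsrv"
    print(check_allowed_addresses(sample, "10.20.0.15"))
    print("new token:", new_auth_token())
```

A result with unrestricted set to True means any host that learns the token can call the web services, so the token's strength is then the only control.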