FAQ

A lot. But to put it VERY simply, at the top tier (AllSight) it's an ITAM tool. A discreet agent is deployed to your computers which reports back a full hardware and software inventory. You can then use that to track system and application usage, input purchase information to determine license compliance and return on cost, perform lifecycle management, build interactive lab maps, and much more! It is designed to be flexible so you can use as many features as you want any way you want when tracking and visualizing your fleet. Lower tiers are targeted to just monitoring (LabSight) or license control (KeySight).

No, but it is pretty easy to have it do so. By design, the Server with the help of the KeyAccess Client gathers an inventory of your Computer hardware and installed software. Using this information, you can create Policies that will Observe, Manage, or Deny use of Programs. As of 7.6 and later the Automatic Family Policy Wizard greatly assists in making sure you did not overlook something. As of 7.7 the Web UI adds a simple Manage overview for Products.

Yes. We have a very small low profile client that you will deploy to your computers (Win, Mac, and Linux). It can be fully customized for automated deployment and silent install on Windows, Mac or even Linux. Unlike some agents in the industry, ours is extremely small in resource footprint. Note you CAN have records of offline equipment for inventory management purposes, but in order to have automatic updates of hardware and software inventory, and any Usage reporting, the active agent is required on the workstations of interest.

You don't! We include a database engine of our design that is automatically installed in the background. It is very lightweight so there is no need to worry about a cumbersome SQL server. Our Tables structure is fully documented and you can Export the data if you need.

None! The web service is built into the server software. It will detect if you have a webserver already running on that server system and allow you to choose alternate ports if needed. We recommend standard ports if possible for simplicity of course. You can also add an SSL Certificate for secure browsing.

Well 30 years ago when the product was developed the entire concept was to insert a "key" in an application to control its use. Technology has changed a lot since then, and our product has grown radically in feature set from simply keying software (which few people need anymore) to a full ITAM suite. The name KeyServer is what our long term customers know, and it is the name of the core server component in the back end. We have rebranded the Sassafras KeyServer Platform into 3 tiered products (KeySight, LabSight, and AllSight) at this point in time. Other renames include the Web Service which was formerly called and still is named under the hood KeyReporter, and we'll refer to the Client and Admin component which are still referenced as KeyAccess and KeyConfigure.

Nothing (extra)! Support is included with your paid subscription or maintenance plan. Also included are configuration reviews, which means we'll do a remote session with you to talk about new features, perform training with your team, and review your KeyServer configuration to ensure it is doing what you need it to.

That depends, but we generally see a major release every 12-18 months with Image Releases in between as appropriate (no promises, but maybe every 2 months?). If you find a bug, please report it to us so we can fix it! We pride ourselves on rapid response to issues, so some times patch releases can be close together. As with any software, check our Component History to see if an update is critical to you or not.

Licenses are on a per active client cost which are cross platform (Win/Mac/Linux) for LabSight and AllSight. KeySight is licensed by active Policy use. There is no fee for the server. There is no fee for tracking Devices. There is no fee for keeping an offline computer inventory. There is no additional cost for different components or features, the tiers are locked in to their feature set. If you paid for a perpetual or site license, it will work forever even if you discontinue your maintenance to get new versions and support (though you lose access to our PRS catalogue). A subscription license ceases operation on the day it expires annually. Contact Sassafras Software Sales for more information.

That depends. Many companies like AutoDesk use FlexLM license managers with license files they provide. We can't replace that as that license system is built into and required by their software. Note however we can report advanced use data and chart that use which FlexLM can not do. We can also supplement those license controls in some cases which is easier than configuring an options file. Other products (such as Finale from MakeMusic, Inc.) are coded to use a Sassafras KeyServer Policy in lieu of other licensing schemas. There are also vendors (such as Albleton, DNASTAR, and others) who can provide you with a .lic file to incorprate into your Sassafras Server, which then creates a Policy/Product combination that reflects your organization's purchased total of the software in question. The entitlement total of such a policy is locked, but the enabled count can be scoped and pooled, allowing you to parcel allocations among groups of Users or Computers in the same manner as you scope and schedule your other policies. Talk to the software vendor about available options, and invite them to contact us if they are interested in using Sassafras KeyServer as a license manager.

KeyConfigure is the traditional desktop management tool. It is "old school" in design but long standing and powerful in features. The Web UI is modern and beautiful and had many tools not available in KeyConfigure like the Dashboard, Maps, and Extras. However it lacks some of the deep under the hood management capabilities. A full administrator and certain power users should be familiar with both interfaces to manage all aspects of the platform. Where there is overlap, you can use either or choose which UI you prefer. Everyday users at more of a help desk level generally never need know about KeyConfigure as they can do everything in the friendly Web UI.

There are a couple methods of making sure you have Policies for all Products of interest. The easiest is by using the Products Window to Filter down to just Discovered products. If you look at the Status column and see the little blue dot policy Icon then you have a policy for that product and will be logging usage. If there is no such icon, you should consider if you want to make a policy. Another handy tip for deciding the significance of a Product is to view the Installs column in the Products Window. Right click the column header to customize your columns and turn this one one. This shows how many Computers the product has been found on. All this of course is only needed if you didn't make full use of the Automatic Family Policy Wizard. As of 7.7 the Web UI adds a basic Manage overview for Products that simplifies what the automatic policy wizard does in KeyConfigure.

We have detailed guides on upgrading for Minor and Major situations. At the most basic, you put in your new server.lic file to the KeyServer Data Folder, run the server installer for the new release, let dbconsist run, and then make sure the server started. Upgrade your KeyConfigure installs to match so you can manage the server, then consider your strategy for Client Deployment. Since old clients will still report in (with the exception of new features) the latter is not a rush situation, and you can even upgrade clients ahead of the server.

This can be a complicated answer, and yet at the most basic level it's very simple. All configuration and data for your site is in the KeyServer Data Folder in the installation directory for the Server. If you simply install the Sassafras Server on a new machine, do not start it, copy the KSDF from the old machine, and start the service, you've moved your server. Of course you have to consider if you moved to a new DNS name and IP you'll need to re-deploy your KeyAccess clients, likely need a new SSL certificate in the Web Service, and may need to change network Firewall rules. For more details see Migrating KeyServer and Deployment Outline.

Unless you are specifically affected by a bug fixed noted in the release notes, no. The client is forward and backward compatible with the server, so if you upgrade the server you get all the benefits of that new version, and can roll out a new client as it's convenient. If there was a very specific client feature that was added, that wouldn't be available until a given client was updated, but everything else would function as it always had. When pushing out an update, remember you can use automated deployment and silent install on Windows, Mac or even Linux, and for Win and Mac you can simply use the Self Update feature which is now 2 easy clicks in the Web UI.

Entirely possible! A side effect of our ever expanding catalogue and the rapid release cycle of many vendors is that we can miss a new release. Just send an email to support@sassafrass.com with the details of what is missing and we'll get it in the pipeline!

This is a complex topic, and Sassafras Software Support is happy to assist navigating the nuances. The most popular method for authentication is Active Directory, but newer methods like Azure are growing in popularity. Step one is setting up your authentication module. That tells us where to look for accounts and passwords. Step two is telling KeyServer how to correlate users to permissions. This is done in Admin Access by creating a Role that points to the external group in AD the user is a member of. The Role assigns Privileges. That same role can then be added to the Server ACLs to grant Access rights. The combination of Access and Privilege results in Permission. If they don't line up, you get the lowest level of the two. Very granular capabilities exist to assign ACLs to Folders in various Windows, and use Groups that are linked to external groups to grant Access so you can layer Roles and Groups to reach the end goal.

In general, keep it simple unless you need to get complicated! You can duplicate any of our example built-in roles as a starting point to make your own custom roles for delegated rights needs. The Notes of each role help indicate general intent.

Not a problem! Just go to Window -> Standard View to reset to the default layout.

Ah yes, that old confusion. If you resize the left pane of a window in KeyConfigure and make it too small it vanishes entirely. The way to get it back is to double click on that far left edge of the window. It can be tricky to do that without moving which just resizes the window. This has been addressed in newer versions of KeyConfigure.

It's possible you're having a caching issue. First click the Refresh text/button at the bottom of the window in question. If that doesn't help hold Control (Windows) or Command (Mac) to force a flush of the local cache and reload from server.

Keep in mind if you're using ad hoc Targets in KeyConfigure, there is a simple rule. If you target an item that is of the report primary or secondary type, it should always work. If you target anything else, it may or may not work. For example, Usage (COMP x user) will take computer or user as valid targets. If you use a Division, that is not one of the report object types. In this case it will work, but that's not guaranteed in all similar cases. This includes things like using Tags or Filters as some times those will resolve, some times not. Always sanity check your results when doing this.

Most likely you're looking at an Audit report which is not time sensitive. Audits are an inventory of what is current. Certain reports are audits but don't have that word in the name, like the Hardware report. To illustrate, if you run Audit (PROD x comp) you get a list of Products installed on your computers. We don't keep track of points in time for an inventory, it's simply a report of what currently exists that we know about. If you run Usage (PROD x comp), that will show you software use which is time based, so you can set a time range on that report to see a smaller snapshot. By comparing these two report results, you could see a couple possible things:

• Computer in both reports because it has software installed and it's been used.
• Computer is in Audit but not Usage, because the software was never run. This could inform deployment and Purchase decisions.
• Computer is in Usage but not Audit, because it used the software in the past but it's since been uninstalled.

The most common confusion with Policy hierarchy is that traditionally Manage/Observe policies allow and override any Deny. This means if you have a Universal Observe for Chrome and want to Deny Chrome on a select Group of systems, you can't just make a scoped Deny Policy and have it work. The Group also has to be excluded from the Observe Policy because otherwise the implicit allow takes precedence. In this case you can simply drag the Group into the Scope of the Observe as well and put a ! in front of it so it applies to everything NOT that Group. This logic is what leads to the typical practice of making a Universal Deny Policy to block the use of a Product, then making a Scoped Manage Policy to allow use on a specific Group of systems.

All that said, that's the old way. Mid 7.6 we added an option to change the order of Deny and Allow and changed the default in new installs to be more "friendly". Check in KeyConfigure -> Config -> General Settings -> Misc -> Policy Precedence. Be careful of changing this on a long standing server without checking your policy structure.

That is possible, but here's why. This is usually a claim we hear based on Suites like Adobe, and the difference between Programs and Products. You install Photoshop, we see Photoshop. You say "but we own Creative Cloud", we say yeah but we only see Photoshop, so install the rest of the software you bought and we'll see Creative Cloud. Ok not always what is desired in the deployment right? Conversely, you say "we bought Acrobat but you're showing Technical Suite". Yeah... it's complicated. Suffice to say the combination of things that are or are not installed isn't going to always represent what you actually have purchased (see also the two questions right under this one!).

The good news is, this is an easy thing to address in most cases. Simply drag the Product you don't own to the Ignored category in the Products window. On the next Audit, we'll figure out where else we can attribute those installs. Repeat as needed to drive software up or down the suite chain to the thing you really own.

The other reason we hear this is because the Audit cycle is set to weeks and not daily. As such, if you run an Audit report on computers and expect to see an update/install applied two days ago, but the next audit isn't for another week, it appears something is not working. Depending on your site size, the best option to have up to date inventory may be to set your Audits (KeyConfigure -> Config -> General Settings -> Audit) to daily. On a related note, check the Last Audit time of the Computer(s) you are reporting on to see if you have stale data.

The last thing we have seen confuse this issue are duplicate computer records. If you're looking at the old record before a new image was applied, well that would be an issue. Check the details of the record, and try the various Duplicate reports (Miscellaneous category in KeyConfigure's menu) to see what might be going on.

Otherwise, it's likely there is in fact software on the computer you don't realize is there, which is a good reason for our product. Looking at the Show Installs for a given Computer will show you the path of the application so you can track it down on the endpoint.

We promise you it does not. The client does certain things that some security software will flag as malicious or even call a known exploit. These statements are not true. You should also make sure you are using a current version of the installer as older versions may have a now expired signing certificate which can throw a flag. In some cases, Windows Smart Screen will say it's not trusted. Keep in mind Smart Screen is basically crowd sourced trust by popularity of "how many people installed it anyway" which is not very trustworthy. And of course if you customized the installer with the ksp-client config, this does break the signing as it modifies the installer. We have a variety of other Deployment Methods that may be preferable in your environment.

Here is a full statement from our lead programmer on the subject if you want more details:

"This is a false positive. The anti-malware software is reporting a generic activity pattern that some malware exhibits, although it is not an indication that there is definitely malware. My guess is that the anti-malware software sees our client/installer modify the AppInit_DLLs registry entry, which is a perfectly legal activity, and flags the client/installer as possible malware. If it is not this exact behavior, it is something like that.
The computer on which we build Windows components and installers is scanned daily, and is and has always been clear of viruses and Trojans. On that computer, the only internet access/use is for updating Windows and the development tools. IE and Edge are never used on that computer. Once our software is built and packaged it is uploaded to a non-Windows web server for public distribution. This environment and process make it extremely unlikely that we are distributing malware in our installers or software components.
Since we digitally sign every executable, archive, and installer package we distribute, it is easy to check whether one of these files has been compromised after having been downloaded. If the digital signature for a file is invalid, the file has been modified. Digital signatures can be verified in the Properties for a file."

Check to make sure the things stated are in fact not open (Services, folder, etc). If not, it may be Windows Quick Access causing the issue because Windows has itself open, odd as that sounds. In which case, try these steps to turn that off:

• Open File Explorer and click on the View tab at the top.
• Then, click on Options and select Change folder and search options.
• Here, uncheck both boxes under the Privacy section.

These conditions are both likely due to bad Firewall configurations. Remember that for us to fetch the street map tiles from OpenStreetMap, the server needs to be able to get out by https to that service. In order for us to pull down Product definitions automatically, the server needs to be able to reach https://prs.sassafras.com. That also affects the icons on the Software page of the Web UI. On a related note, if you're trying to use our client self update, the server has to be able to get to sassafras.com to look for and download those updates.

There are a few common reasons for this. First is that customers will install IIS or Apache on the server hosting their KeyServer thinking that we need it. However, we have a built in web service and other web servers just get in the way, so best to remove those. Second most common is thinking you need to install KeyReporter which is the stand alone web service. You do not as it's part of KeyServer, and the second copy again just causes trouble. Another possibility is due to using SCCM and System Manager you have the Branch Cache service running. For some reason Microsoft decided to use the standard web ports for that so invariably it conflicts with IIS or other web servers. Lastly of course you may simply have installed some other piece of software on the server that uses standard web ports. We of course don't recommend that unless the other service can run on a different port. Using our web service with non standard ports is possible, but makes for a less convenient user experience in many cases.

Not unless it's from an old Sassafras Server, or you are just looking at hardware inventory. We can't see into the past before our client was installed on a machine for usage, we can only gather current information and track use moving forward. The OS and applications themselves don't have that data in any way at all in most cases, or a way we can use in the rare instance they log something of that nature. Likewise, data from another source like SCCM is not in a format or structure we can leverage as it lacks details we provide. You can however drop in a CSV of Computers or Devices to add your offline inventory into KeyServer.

This is a case of just because you can, doesn't mean you should. Consult the software license terms. If it allows for use as both node locked and concurrent for example, or user locked instead of node locked, and if there is no vendor specific license management in the way, then sure. We provide a very flexible tool that can do what you tell it, but it's up to you to ensure you're using it within your software terms. Even if you can't use the license in a different way, we can enforce and track that use as needed, which may allow you to see where you should consider a different kind of vendor license.

The process of normalizing Programs into Products is a very important aspect of software asset management and allows things like Purchases to really work as intended. However, it can cause some confusion, especially because deductive computer reasoning is not flawless. If we see Photoshop on a machine, great that's the Photoshop product. But if we see Photoshop, InDesign, and Acrobat Pro, now what is it? Based on the installed Programs we figure out the "least common denominator" Product that contains all of them, which may not be correct compared to what you licensed. You may own nothing but Creative Cloud suite, but various people install various combinations of Programs that we identify as different bundles. This is very common with Adobe, Microsoft, and AutoDesk suites. So, here are the two key things to keep in mind to manage this.

First of all, if we identify something "wrong", you can drag that Product to the Ignored category in the Products Window. This will force the next audit cycle to find a different matching Product for those Programs to assign the installs to. This allows you to force things up the chain of suites so to speak to the Product you actually purchased.

Second, Audits will show you what is installed, and what Products those installed Programs have been normalized into. Usage will show you clear usage information at the Program level, but can become confusing at Product level due to the function of Policies. Remember you have no Usage without a Policy to track it, and each Policy targets a Product. The detail that is confusing is that when a Program launches, we look for any Policy that contains any Product that the Program is a member of. If there is a match, then Usage is recorded against that Policy and the Product it contains, NOT necessarily the Product that we show as Installed due to the normalization. So, if you have an install of AutoCAD that shows installed in the design suite but you only have the master suite in a policy (and possibly we show no installs for that), your Audit will show an install of design suite while your Usage x PROD will show the master suite.

This seeming disconnect is what can be confusing, but once you understand the process you can see why it occurs. Ultimately this means it is best to review your Product installs and Policy configuration (all easily done in the Products Window using the Status and Installs columns) to make sure things line up as needed for clear reporting later. Explaining to the boss why there is usage or installs for things you don't own or vice versa tends to not be fun.

This is a two part answer. First, maybe you don't want things like MacOS and Symantec to show up. Easy enough, edit those Products (Web or KeyConfigure) and in the Contact section uncheck the show on availability lists option. This will hide it from the Software list and Computer popups on the web, while still showing all the Audit information at the admin level.

Second, you may want to have Photoshop show up instead of Creative Cloud for example. While not technically what you want for license purposes historically, current use can sometimes be the opposite. That is, you say ok we bought Creative Cloud, that's fine it's everywhere we don't need to track it as a suite. What we do want is to show the apps we have, not the suite. So you use the Product Statuses to ignore Creative Cloud, and all other suites down the line, until you force the system to attribute the installs only to the stand alone Products of Photoshop, Illustrator, etc. Keep in mind, that's a long list of possible software on the main page, and on any machine that has the whole suite. However, on a computer that has only 3 apps installed you'll see those 3 Products instead of Creative Cloud, which didn't give an indication the other dozen apps in the suite were not installed. Also, remember if you are using AllSight and want Purchases to Reconcile, forcing things in the opposite direction of your licensed Product will be detrimental. You much balance between technically correct, and user friendly in some cases.

In the full sense of the question we have not yet implemented a feature for this. However as of 7.7 there is some capability for this, and there are some possible automation ideas if you're dealing with a large number of dynamic users via AD groups. In the latter case, this shell script may be of use:

@echo off
echo This script pulls a list of users from Active Directory and clones a KeyReporter Dashboard to each of them.
for /f "tokens=2 delims==" %%D in ('set user ^| find "USERDOMAIN="') do set domain=%%D
echo Domain is "%domain%"
set /p "adgroup=Which AD group has the users?:"
echo Pulling user list from "%adgroup%"
set userlist="C:\Program Files\Sassafras K2\Server\KeyServer Data Folder\Helper Data\KeyReporter Data Folder\preferences\userlist.txt"
dsquery group -name "%adgroup%" | dsget group -members | DSGET user -samid -c | Find /V "dsget"|Find /V "samid" > %userlist%
set /P "dash=Which Dashboard should I clone?:"
for /F "usebackq tokens=1 delims= " %%A in (%userlist%) do echo copying %dash% to %%A
set dashpath="C:\Program Files\Sassafras K2\Server\KeyServer Data Folder\Helper Data\KeyReporter Data Folder\preferences\"
for /F "usebackq tokens=1 delims= " %%A in (%userlist%) do copy %dashpath%%dash%-dashboard.json %dashpath%%domain%~%%A-dashboard.json
		

You could modify this to point to static groups and dashboards, make multiple copies, and schedule them in Task Scheduler to create a sort of automated system for catching up users to a default dashboard. Just be careful that you're sure you want to overwrite any customizations they may make if you do that!

Going back to the features added in 7.7, there are now 3 fields in the Admin Authentication to directly map external groups to a default account. This can be our built in defaults like Manager, Staff, Community, or ones you build yourself. Each of those accounts can have a default dashboard. However, note that this is a shared dashboard on that account, and each person sharing the account through this mapping shares that dashboard.

We can certainly try! If you make a manual Product, select and right click the product and choose Export Product Definitions. In the save dialog, check the box in the lower corner for Export Selections Only. Email that xml file to Sassafras Software Support with your request and we'll see what we can do.

There are basically two strategies:
   1) Create a new manual Product that includes all programs for both Mac and Window that belong to the cross-platform license (including all Programs in a suite). Create a Purchase record and a Policy to manage this Product.
   2) Create a new manual Product but don't include any programs in the definition! Create a Purchase record and a Policy for this "placeholder product". Modify the Policy by adding the two platform specific Products to its products list (be mindful if this Purchase/license ony applies to a single Edition/version or the entire Family). The result is a Policy that is set up to manage first the "placeholder" and then also the Mac and Windows Products that are the basis of the cross-platform licensing rights.

Strategy 2 is preferable since it takes direct advantage of the standard Product definitions for each platform which have been pre-defined by Sassafras.

Absolutely. In most cases we will already have Product definitions for the stand alone as well as suite products, and you can always make your own if needed. Once you define the Polices you can set their priority in the Program details to ensure they are accessed in the proper order. You can also scope the policies to specific computers if needed. This allows robust management of the license use in the exact hierarchy and/or allocated systems needed.

As implied by being on this page, this is frequently requested and an area of development interest, but at this time the software does none of these things directly. It can display reservation and open hour information which can include AD permissions on the remote connection links, but it will not stop someone from logging in physically. For that we'd recommend clever use of access schedules and login rights in GPO or other related mechanisms. You can add links to the Info page of labs to an existing scheduling/ booking system, but there is no direct integration at this time to replicate schedules from another source.

To be clear, we have not implemented any manner of new remote connection technology. The links that are displayed on availability maps use existing technologies like RDP and VNC direct from the user's workstation to the target computer. No portion of this connection goes through or is controlled by the Sassafras Server in any way. See Remote Links for details.

We currently have a integrations with TeamDynamix and Servicenow for help desk integration, and PaperCut for printer integration. In 7.7 we added support for using a Guacamole broker for web based remote desktop connections. In 7.8 we added the ability to pull in "computer" records from Jamf and Intune, including iOS and Android devices using Admin Scripts. There are more subtle options like exporting data to MSSQL to leverage PowerBi.

Absolutely, in that modern OIDC (SSO) methods support 2FA within those services (Azure, Okta, ADFS, Google, DUO, etc). You can also use DUO with traditional on prem Active Directory.