FAQ

Frequently Asked Questions, Common Issues, and other Stuff

Show All

Hide All


New Users

What exactly does your software do?

A lot. But to put it VERY simply, at the top tier (AllSight) it's an ITAM tool. A discreet agent is deployed to your computers which reports back a full hardware and software inventory. You can then use that to track system and application usage, input purchase information to determine license compliance and return on cost, perform lifecycle management, build interactive lab maps, and much more! It is designed to be flexible so you can use as many features as you want any way you want when tracking and visualizing your fleet. Lower tiers are targeted to just monitoring (LabSight) or license control (KeySight).

Do I need an agent?

Broadly, yes. We have a very small low profile client that you will deploy to your computers (Window, Mac, Linux (deb and rpm), ChromeOS). It can be fully customized for automated deployment and silent install on Windows, Mac or even Linux. Unlike some agents in the industry, ours is extremely small in resource footprint. Note you CAN have records of offline equipment for inventory management purposes, but in order to have automatic updates of hardware and software inventory, and any Usage reporting, the active agent is required on the workstations of interest. For iOS and Android devices we have no agent but can import records from Jamf and Intune where you manage those assets. This allows AllSight to be the central hub of asset management from all data sources.

Does the Platform automatically track software use?

No, but it is pretty easy to have it do so. Because the agent captures every executable on all systems, auto tracking every usage event of everything would be overload, and largely useless data. The Audit data gathered by the agent does however include the last used date for every executable. This means even without active tracking you know if and when something was last used, and can compare this to the first time it was seen in audit. Using this information, you can create Policies that will Observe, Manage, or Deny use of Programs. Doing this in the Web UI is very easy on the Manage page where you simply click a green dot for anything you want to track. There are also various ways to be alerted when something new has been discovered in the environment so you don't miss anything.

Can you track SaaS products?

Yes. But let's be clear about what SaaS is and what this means. It's a URL in a browser that is the thing that has to be tracked. There is no local execution, there is no magic tie in to some 3rd party service via hidden API, it's just knowing if someone is on a web page. The difficulty then is how the SaaS provider designs their site. As long as there is a unique URL pattern that you can only hit once you are authenticated, then we can track that pattern in supported browsers to know when it is actively "in use". If the URL is not unique, then we would be counting consumption even if there isn't license use because the URL is the same for guest as well as user. Also, things like Office Online do not use unique URLs for each "app" in the suite, so there is no way to know if Word or Excel is being used, but you can at least know Office is being used. Finally, we are limited by how browsers work. In most cases modern browsers put inactive tabs to "sleep" which means they don't consider the page open. This means that while the user is authenticated to the SaaS service and consuming a seat, the browser says it's not active and we therefore can not see the usage. On the up side this is consistent with our Active vs Total time tracked in desktop applications as far as real active use of software. On the other hand you can't know the idle consumption as you can with desktop software. Be careful of any solution that says it can track usage of SaaS product in any terms other than these. We don't try to mislead our customers with marketing statements.

What kind of Database Server do I need for this?

You don't! We include a database engine of our design that is automatically installed in the background. It is very lightweight so there is no need to worry about a cumbersome SQL server. Our Tables structure is fully documented and you can Export the data if you need.

So you have a web component, what kind of web server do I need?

None! The web service is built into the server software. It will detect if you have a webserver already running on that server system and allow you to choose alternate ports if needed. We recommend standard ports if possible for simplicity of user access. You should also add an SSL Certificate for secure browsing of course.

So you have these LabSight and AllSight products, what's this KeyServer name about?

Well 30 years ago when the product was developed the entire concept was to insert a "key" in an application to control its use. Technology has changed a lot since then, and our product has grown radically in feature set from simply keying software (which few people need anymore) to a full ITAM suite. The name KeyServer is what our long term customers know, and it is the name of the core server component in the back end. We have rebranded the Sassafras KeyServer Platform into 3 tiered products (KeySight, LabSight, and AllSight) at this point in time. Other renames include the Web Service which was formerly called and still is named under the hood KeyReporter, and we'll refer to the Client and Admin component which are still referenced as KeyAccess and KeyConfigure.

How much does support cost?

Nothing (extra)! Support is included with your paid subscription or maintenance plan. Also included are configuration reviews, which means we'll do a remote session with you to talk about new features, perform training with your team, and review your KeyServer configuration to ensure it is doing what you need it to.

How often do you put out new versions?

That depends, but we generally see a major release every 12-18 months with Image Releases in between as appropriate (no promises, but maybe every 2 months?). If you find a bug, please report it to us so we can fix it! We pride ourselves on rapid response to issues, so some times patch releases can be close together. As with any software, check our Component History to see if an update is critical to you or not.

How does your licensing work?

Licenses are on a per active client cost which are cross platform (Win/Mac/Linux) for LabSight and AllSight, or for education we also have site licenses based on full time enrollment. KeySight is licensed by active Policy use. There is no fee for the server (but we do offer hosted service for an upcharge). There is no fee for tracking Devices. There is no fee for keeping an offline computer inventory. There is no additional cost for different components or features, the tiers are locked in to their feature set. If you paid for a perpetual entitlement, it will work forever even if you discontinue your maintenance to get new versions and support (though you lose access to our PRS catalogue). A subscription license ceases operation on the day it expires annually. Contact Sassafras Software Sales for more information.

Can we replace other license servers with Sassafras?

That depends. Many companies like AutoDesk use FlexLM license managers with license files they provide. We can't replace that as that license system is built into and required by their software. Note however we can report advanced use data and chart that use which FlexLM can not do. We can also supplement those license managers with things like custom messages, idle time enforcement, and queue and notify options. Other products (such as Finale from MakeMusic, Inc.) are coded to use a Sassafras KeyServer Policy in lieu of other licensing schemas. There are also vendors (such as Albleton, DNASTAR, and others) who can provide you with a .lic file to incorprate into your Sassafras Server, which then creates a Policy/Product combination that reflects your organization's purchased total of the software in question. The entitlement total of such a policy is locked, but the enabled count can be scoped and pooled, allowing you to parcel allocations among groups of Users or Computers in the same manner as you scope and schedule your other policies. Talk to the software vendor about available options, and invite them to contact us if they are interested in using Sassafras KeyServer as a license manager.

What's the difference between the Web UI and KeyConfigure?

KeyConfigure is the traditional desktop management tool. It is "old school" in design but long standing and powerful in features. It allows for more "under the hood" admin features than the Web. The Web UI is modern and beautiful and had many tools not available in KeyConfigure like the Dashboard, Maps, and Extras. However it lacks some of the deep under the hood management capabilities. A full administrator and certain power users should be familiar with both interfaces to manage all aspects of the platform. Where there is overlap, you can use either or choose which UI you prefer. Everyday users at more of a help desk level generally never need know about KeyConfigure as they can do everything in the friendly Web UI.

Existing Users

How can I ensure I am tracking everything I should be?

There are a couple methods of making sure you have Policies for all Products of interest. The easy modern way is using the Manage page in the Web UI. Unfiltered, you can see which Products have the green dot checked vs the red dot x or both circles empty. This tells you if you are observing, ignoring, or undecided (and therefore not tracking) for each item. The more advanced method is by using the Products Window to Filter down to just Discovered products. If you look at the Status column and see the little blue dot policy Icon then you have a policy for that product and will be logging usage. If there is no such icon, you should consider if you want to make a policy. Another handy tip for deciding the significance of a Product is to view the Installs column in the Products Window. Right click the column header to customize your columns and turn this one one. This shows how many Computers the product has been found on. There are other deeper methods using the Programs window in KeyConfigure and support is happy to help with those (it's a lot of data to sift!).

How do I upgrade?

We have detailed guides on upgrading for Minor and Major situations. At the most basic, you put in your new server.lic file to the KeyServer Data Folder, run the server installer for the new release, let dbconsist run, and then make sure the server started. Yes it's really that easy because we have no 3rd party dependencies. Upgrade your KeyConfigure installs to match so you can manage the server, then consider your strategy for Client Deployment. Since old clients will still report in (with the exception of new features) the latter is not a rush situation, and you can even upgrade clients ahead of the server. If you are a hosted customer you just worry about your KeyConfigure installs and hopefully use the client self update on the server, we handle the server end updates.

How do I migrate my server?

This can be a complicated answer, and yet at the most basic level it's very simple. All configuration and data for your site is in the KeyServer Data Folder in the installation directory for the Server. If you simply install the Sassafras Server on a new machine, do not start it, copy the KSDF from the old machine, and start the service, you've moved your server. Of course you have to consider if you moved to a new DNS name and IP you'll need to re-deploy your KeyAccess clients, likely need a new SSL certificate in the Web Service, and may need to change network Firewall rules. Perhaps you use a CNAME in DNS so you don't have to repoint clients, you just assing that old name as an alias on the new server. For more details see Migrating KeyServer and Deployment Outline and as always support is available to advise.

There's a new version, do I have to push it out to all my clients?

Unless you are specifically affected by a bug fixed or feature noted in the release notes, no. The client is forward and backward compatible with the server, so if you upgrade the server you get all the benefits of that new version, and can roll out a new client as it's convenient. If there was a very specific client feature that was added, that wouldn't be available until a given client was updated, but everything else would function as it always had. When pushing out an update, remember you can use automated deployment and silent install on Windows, Mac or even Linux, and for Win and Mac you can simply use the Self Update feature which is 2 easy clicks in the Web UI.

You're missing a new version of xxx in your Products!

Entirely possible! A side effect of our ever expanding catalogue and the rapid release cycle of many vendors is that we can miss a new release. Just send an email to support@sassafrass.com with the details of what is missing and we'll get it in the pipeline!

How does Authentication/Permissions work?

This is a complex topic, and Sassafras Software Support is happy to assist navigating the nuances. The most popular method for authentication is Active Directory, but newer methods like Azure are growing in popularity. Step one is setting up your authentication module. That tells us where to look for accounts and passwords. Step two is telling KeyServer how to correlate users to permissions. This is done in Admin Access by creating a Role that points to the external group in AD the user is a member of. The Role assigns Privileges. That same role can then be added to the Server ACLs to grant Access rights. The combination of Access and Privilege results in Permission. If they don't line up, you get the lowest level of the two. Very granular capabilities exist to assign ACLs to Folders in various Windows, and use Groups that are linked to external groups to grant Access so you can layer Roles and Groups to reach the end goal.

In general, keep it simple unless you need to get complicated! You can duplicate any of our example built-in roles as a starting point to make your own custom roles for delegated rights needs. The Notes of each role help indicate general intent.

Troubleshooting

I've made a mess of my windows in KeyConfigure!

Not a problem! Just go to Window -> Standard View to reset to the default layout.

The data I'm seeing in KeyConfigure's main windows seems wrong...

It's possible you're having a caching issue. First click the Refresh text/button at the bottom of the window in question. If that doesn't help hold Control (Windows) or Command (Mac) and click Refresh again to force a flush of the local cache and reload from server.

This report result isn't right/ isn't what I asked for.

Keep in mind if you're using ad hoc Targets in KeyConfigure, there is a simple rule. If you target an item that is of the report primary or secondary type, it should always work. If you target anything else, it may or may not work. For example, Usage (COMP x user) will take computer or user as valid targets. If you use a Division, that is not one of the report object types. In this case it will work, but that's not guaranteed in all similar cases. This includes things like using Tags or Filters as some times those will resolve, some times not. Always sanity check your results when doing this. If you're in the Web, make sure you didn't have a Scope set in the top navigation when you ran the report. Scope applies on the fly to any report to filter the result, which is very powerful and convenient but not if you had it on by mistake. Beyond those common mistakes, contact support for assistance looking at your report settings if you can't identify the issue.

Why can't I set the date range on this report??

Most likely you're looking at an Audit report which is not time sensitive. Audits are an inventory of what is current. Certain reports are audits but don't have that word in the name, like the Hardware report. To illustrate, if you run Audit (PROD x comp) you get a list of Products installed on your computers. We don't keep track of points in time for an inventory, it's simply a report of what currently exists that we know about. If you run Usage (PROD x comp), that will show you software use which is time based, so you can set a time range on that report to see a smaller snapshot. By comparing these two report results, you could see a couple possible things:

  • Computer in both reports because it has software installed and it's been used.
  • Computer is in Audit but not Usage, because the software was never run. This could inform deployment and Purchase decisions.
  • Computer is in Usage but not Audit, because it used the software in the past but it's since been uninstalled.

Why is my deny policy not working?

The most common confusion with Policy hierarchy is that traditionally Manage/Observe policies allow and override any Deny. This means if you have a Universal Observe for Chrome and want to Deny Chrome on a select Group of systems, you can't just make a scoped Deny Policy and have it work. The Group also has to be excluded from the Observe Policy because otherwise the implicit allow takes precedence. In this case you can simply drag the Group into the Scope of the Observe as well and put a ! in front of it so it applies to everything NOT that Group. This logic is what leads to the typical practice of making a Universal Deny Policy to block the use of a Product, then making a Scoped Manage Policy to allow use on a specific Group of systems.

All that said, that's the old way. There is an option to change the order of Deny and Allow and changed the default in new installs to be more "friendly". Check in KeyConfigure -> Config -> General Settings -> Misc -> Policy Precedence. Be careful of changing this on a long standing server without checking your policy structure.

Sassafras KeyServer is showing the wrong software on my computers!

That is possible, but here's why. This is usually a claim we hear based on Suites like Adobe, and the difference between Programs and Products. You install Photoshop, we see Photoshop. You say "but we own Creative Cloud", we say yeah but we only see Photoshop, so install the rest of the software you bought and we'll see Creative Cloud. Ok not always what is desired in the deployment right? Conversely, you say "we bought Acrobat but you're showing Technical Suite". Yeah... it's complicated. Suffice to say the combination of things that are or are not installed isn't going to always represent what you actually have purchased.

The good news is, this is an easy thing to address in most cases. Simply drag the Product you don't own to the Ignored category in the Products window of KeyConfigure. On the next Audit, we'll figure out where else we can attribute those installs. Repeat as needed to drive software up or down the suite chain to the thing you really own. Note if you DO own both suite and stand alone app licenses for something like Adobe, this gets more complicated. Support is here to assist with those configurations.

The other reason we hear this is because the Audit cycle is set to weeks and not daily. As such, if you run an Audit report on computers and expect to see an update/install applied two days ago, but the next audit isn't for another week, it appears something is not working. Depending on your site size, the best option to have up to date inventory may be to set your Audits (KeyConfigure -> Config -> General Settings -> Audit) to daily. On a related note, check the Last Audit time of the Computer(s) you are reporting on to see if you have stale data.

The last thing we have seen confuse this issue are duplicate computer records. If you're looking at the old record before a new image was applied, well that would be an issue. Check the details of the record, and try the various Duplicate reports (Miscellaneous category in KeyConfigure's menu) to see what might be going on.

Otherwise, it's likely there is in fact software on the computer you don't realize is there, which is a good reason for our product. Looking at the Show Installs for a given Computer will show you the path of the application so you can track it down on the endpoint.

Your client installer has a virus/malware/security issue!

We promise you it does not. The client does certain things that some security software will flag as malicious or even call a known exploit. These statements are not true. You should also make sure you are using a current version of the installer as older versions may have a now expired signing certificate which can throw a flag. In some cases, Windows Smart Screen will say it's not trusted. Keep in mind Smart Screen is basically crowd sourced trust by popularity of "how many people installed it anyway" which is not very trustworthy. And of course if you customized the installer with the ksp-client config, this does break the signing as it modifies the installer. We have a variety of other Deployment Methods that may be preferable in your environment.

Here is a full statement from our lead programmer on the subject if you want more details:

"This is a false positive. The anti-malware software is reporting a generic activity pattern that some malware exhibits, although it is not an indication that there is definitely malware. My guess is that the anti-malware software sees our client/installer modify the AppInit_DLLs registry entry, which is a perfectly legal activity, and flags the client/installer as possible malware. If it is not this exact behavior, it is something like that.
The computer on which we build Windows components and installers is scanned daily, and is and has always been clear of viruses and Trojans. On that computer, the only internet access/use is for updating Windows and the development tools. IE and Edge are never used on that computer. Once our software is built and packaged it is uploaded to a non-Windows web server for public distribution. This environment and process make it extremely unlikely that we are distributing malware in our installers or software components.
Since we digitally sign every executable, archive, and installer package we distribute, it is easy to check whether one of these files has been compromised after having been downloaded. If the digital signature for a file is invalid, the file has been modified. Digital signatures can be verified in the Properties for a file."

The server installer says I have something open and it can't upgrade!

Check to make sure the things stated are in fact not open (Services, folder, etc). If not, it may be Windows Quick Access causing the issue because Windows has itself open, odd as that sounds. In which case, try these steps to turn that off:

  • Open File Explorer and click on the View tab at the top.
  • Then, click on Options and select Change folder and search options.
  • Here, uncheck both boxes under the Privacy section.

Street maps in the Web UI are blank! / I'm not getting Products!

These conditions are both likely due to bad Firewall configurations. Remember that for us to fetch the street map tiles from OpenStreetMap, the server needs to be able to get out by https to that service. In order for us to pull down Product definitions automatically, the server needs to be able to reach https://prs.sassafras.com. That also affects the icons on the Software page of the Web UI. On a related note, if you're trying to use our client self update, the server has to be able to get to sassafras.com to look for and download those updates.

I can't start the Web Service, it says something is using 80/443!

There are a few common reasons for this. First is that customers will install IIS or Apache on the server hosting their KeyServer thinking that we need it. However, we have a built in web service and other web servers just get in the way, so best to remove those. Second most common is thinking you need to install KeyReporter which is the stand alone web service. You do not as it's part of KeyServer, and the second copy again just causes trouble. Another possibility is due to using SCCM and System Manager you have the Branch Cache service running. For some reason Microsoft decided to use the standard web ports for that so invariably it conflicts with IIS or other web servers. Lastly of course you may simply have installed some other piece of software on the server that uses standard web ports. We of course don't recommend that unless the other service can run on a different port. Using our web service with non standard ports is possible, but makes for a less convenient user experience in many cases.

Granular Topics

Can I get old data into my Sassafras Server?

Not unless it's from an old Sassafras Server, or you are just looking at hardware inventory. We can't see into the past before our client was installed on a machine for usage, we can only gather current information and track use moving forward. The OS and applications themselves don't have that data in any way at all in most cases, or a way we can use in the rare instance they log something of that nature. Likewise, data from another source like SCCM is not in a format or structure we can leverage as it lacks details we provide. You can however drop in a CSV of Computers or Devices to add your offline inventory into KeyServer.

Can I change a software license behavior with Sassafras?

This is a case of just because you can, doesn't mean you should. Consult the software license terms. If it allows for use as both node locked and concurrent for example, or user locked instead of node locked, and if there is no vendor specific license management in the way, then sure. We provide a very flexible tool that can do what you tell it, but it's up to you to ensure you're using it within your software terms. Even if you can't use the license in a different way, we can enforce and track that use as needed, which may allow you to see where you should consider a different kind of vendor license.

These Product suites are confusing my Audit and Usage information!

The process of normalizing Programs into Products is a very important aspect of software asset management and allows things like Purchases to really work as intended. However, it can cause some confusion, especially because deductive computer reasoning is not flawless. If we see Photoshop on a machine, great that's the Photoshop product. But if we see Photoshop, InDesign, and Acrobat Pro, now what is it? Based on the installed Programs we figure out the "least common denominator" Product that contains all of them, which may not be correct compared to what you licensed. You may own nothing but Creative Cloud suite, but various people install various combinations of Programs that we identify as different bundles. This is very common with Adobe, Microsoft, and AutoDesk suites. So, here are the two key things to keep in mind to manage this.

First of all, if we identify something "wrong", you can drag that Product to the Ignored category in the Products Window. This will force the next audit cycle to find a different matching Product for those Programs to assign the installs to. This allows you to force things up the chain of suites so to speak to the Product you actually purchased.

Second, Audits will show you what is installed, and what Products those installed Programs have been normalized into. Usage will show you clear usage information at the Program level, but can become confusing at Product level due to the function of Policies. Remember you have no Usage without a Policy to track it, and each Policy targets a Product. The detail that is confusing is that when a Program launches, we look for any Policy that contains any Product that the Program is a member of. If there is a match, then Usage is recorded against that Policy and the Product it contains, NOT necessarily the Product that we show as Installed due to the normalization. So, if you have an install of AutoCAD that shows installed in the design suite but you only have the master suite in a policy (and possibly we show no installs for that), your Audit will show an install of design suite while your Usage x PROD will show the master suite.

This seeming disconnect is what can be confusing, but once you understand the process you can see why it occurs. Ultimately this means it is best to review your Product installs and Policy configuration (all easily done in the Products Window using the Status and Installs columns) to make sure things line up as needed for clear reporting later. Explaining to the boss why there is usage or installs for things you don't own or vice versa tends to not be fun.

How do I change what Software shows up in the Web UI?

This is a two part answer. First, maybe you don't want things like MacOS and Symantec to show up. Easy enough, edit those Products (Web or KeyConfigure) and in the Contact section uncheck the show on availability lists option. This will hide it from the Software list and Computer popups on the web, while still showing all the Audit information at the admin level.

Second, you may want to have Photoshop show up instead of Creative Cloud for example. While not technically what you want for license purposes historically, current use can sometimes be the opposite. That is, you say ok we bought Creative Cloud, that's fine it's everywhere we don't need to track it as a suite. What we do want is to show the apps we have, not the suite. So you use the Product Statuses to ignore Creative Cloud, and all other suites down the line, until you force the system to attribute the installs only to the stand alone Products of Photoshop, Illustrator, etc. Keep in mind, that's a long list of possible software on the main page, and on any machine that has the whole suite. However, on a computer that has only 3 apps installed you'll see those 3 Products instead of Creative Cloud, which didn't give an indication the other dozen apps in the suite were not installed. Also, remember if you are using AllSight and want Purchases to Reconcile, forcing things in the opposite direction of your licensed Product will be detrimental. You much balance between technically correct, and user friendly in some cases.

How can I have a different Default Web Dashboard for each Administrator Role?

In the full sense of the question there isn't a feature for this. However there are some possible automation ideas if you're dealing with a large number of dynamic users via AD groups. In the latter case, this shell script may be of use:

@echo off
echo This script pulls a list of users from Active Directory and clones a KeyReporter Dashboard to each of them.
for /f "tokens=2 delims==" %%D in ('set user ^| find "USERDOMAIN="') do set domain=%%D
echo Domain is "%domain%"
set /p "adgroup=Which AD group has the users?:"
echo Pulling user list from "%adgroup%"
set userlist="C:\Program Files\Sassafras K2\Server\KeyServer Data Folder\Helper Data\KeyReporter Data Folder\preferences\userlist.txt"
dsquery group -name "%adgroup%" | dsget group -members | DSGET user -samid -c | Find /V "dsget"|Find /V "samid" > %userlist%
set /P "dash=Which Dashboard should I clone?:"
for /F "usebackq tokens=1 delims= " %%A in (%userlist%) do echo copying %dash% to %%A
set dashpath="C:\Program Files\Sassafras K2\Server\KeyServer Data Folder\Helper Data\KeyReporter Data Folder\preferences\"
for /F "usebackq tokens=1 delims= " %%A in (%userlist%) do copy %dashpath%%dash%-dashboard.json %dashpath%%domain%~%%A-dashboard.json
		

You could modify this to point to static groups and dashboards, make multiple copies, and schedule them in Task Scheduler to create a sort of automated system for catching up users to a default dashboard. Just be careful that you're sure you want to overwrite any customizations they may make if you do that!

Note also there are 3 fields in the Admin Authentication to directly map external groups to a default account. This can be our built in defaults like Manager, Staff, Community, or ones you build yourself. Each of those accounts can have a default dashboard. However, note that this is a shared dashboard on that account, and each person sharing the account through this mapping shares that dashboard. Also if they can make changes you don't know who made the change, only that it was done under that shared account. Use as appropriate.

Can you add something to PRS that's missing so I don't have to make manual Products?

We can certainly try! If you make a manual Product, select and right click the product and choose Export Product Definitions. In the save dialog, check the box in the lower corner for Export Selections Only. Email that xml file to Sassafras Software Support with your request and we'll see what we can do.

I have a license that is valid cross platform. How can I map this Purchase to Products and the Policies?

There are basically two strategies:
   1) Create a new manual Product that includes all programs for both Mac and Window that belong to the cross-platform license (including all Programs in a suite). Create a Purchase record and a Policy to manage this Product.
   2) Create a new manual Product but don't include any programs in the definition! Create a Purchase record and a Policy for this "placeholder product". Modify the Policy by adding the two platform specific Products to its products list (be mindful if this Purchase/license ony applies to a single Edition/version or the entire Family). The result is a Policy that is set up to manage first the "placeholder" and then also the Mac and Windows Products that are the basis of the cross-platform licensing rights.

Strategy 2 is preferable since it takes direct advantage of the standard Product definitions for each platform which have been pre-defined by Sassafras.

We have x number of licenses for a suite, but then y number of additional licenses for one of the Programs in the suite. Can we manage this?

Absolutely. In most cases we will already have Product definitions for the stand alone as well as suite products, and you can always make your own if needed. Once you define the Polices you can set their priority in the Program details to ensure they are accessed in the proper order. You can also scope the policies to specific computers if needed. This allows robust management of the license use in the exact hierarchy and/or allocated systems needed.

Can Sassafras KeyServer prevent users from logging in/ enforce schedules/ integrate with scheduling software?

As implied by being on this page, this is frequently requested and an area of development interest, but at this time the software does none of these things directly. It can display reservation and open hour information which can include AD permissions on the remote connection links, but it will not stop someone from logging in physically. For that we'd recommend clever use of access schedules and login rights in GPO or other related mechanisms. You can add links to the Info page of labs to an existing scheduling/ booking system, but there is no direct integration at this time to replicate schedules from another source.

How does your remote connection for workstations work?

To be clear, we have not implemented any manner of new remote connection technology. The links that are displayed on availability maps use existing technologies like RDP and VNC direct from the user's workstation to the target computer. No portion of this connection goes through or is controlled by the Sassafras Server in any way. See Remote Links for details.

What kind of integrations do you have?

We currently have a integrations with TeamDynamix and Servicenow for help desk integration, and PaperCut for printer integration. In 7.7 we added support for using a Guacamole broker for web based remote desktop connections. In 7.8 we added the ability to pull in "computer" records from Jamf and Intune, including iOS and Android devices using Admin Scripts. There are more subtle options like exporting data to MSSQL to leverage PowerBi.

Do you support Multi Factor Authentication?

Absolutely, in that modern OIDC (SSO) methods support 2FA within those services (Azure, Okta, ADFS, Google, DUO, etc). You can also use DUO with traditional on prem Active Directory. We have no MFA for internal accounts.