k2clientconfig (Mac)

Use of this configuration utility is deprecated

This utility is not recommended over other deployment options because it removes the code signature from the installer. Because this can make macOS and security software block the package, it is better to use defaults write commands on Mac. See Deployment for suggested methods and commands. Also note that you can use the Self Update feature of the server once the initial client deployment is performed.

ksp-client.pkg is a signed “flat package”. It can be customized to include the target KeyServer address and other settings, but this customization will remove the digital signature. There are also considerations for using JAMF for package deployment and working with the security changes in modern macOS versions, which are discussed in this blog post.

The k2clientconfig script is an OS X command line utility that lets you customize the OS X client package installer (ksp-client.pkg) with a pre-configured KeyServer DNS name (or IP address). You can also customize other client settings and the installer behavior itself to suit your particular deployment strategy. k2clientconfig can be found in the full Sassafras Software archive, in Installers/Macintosh Installers/Misc (or download k2clientconfig from the Sassafras Software web site, but then you must use chmod u+x in the terminal to enable execute permission).

Use the Mac OS X Terminal program to run k2clientconfig. Type in the path manually, or just drag the k2clientconfig file into the terminal window. Running k2clientconfig with no additional parameters will display the command line options. The table below gives a more complete explanation with defaults underlined and some additional comments. Running k2clientconfig with a particular set of command line options changes ONLY those options specified on the command line, leaving all other options set to their current values. Therefore, it is not necessary to specify every command line option, only those you would like to change. Because customization removes the signature, Gatekeeper might handle the modified installer differently from the original installer.

k2clientconfig

Usage:

k2clientconfig [options] ksp-client.pkg

Command Line Options:

-d
display current settings (other options are ignored)
-h <host>
set IP address or DNS name of KeyServer to <host> (default DNS name: keyserver)
-s {0|1|2|3} (see note 1)
interface level displayed when the pkg installer is run
     0: user can change settings
     1: user can see settings but cannot change them
     2: user cannot see any settings besides standard pkg interface
        use this option if you are distributing the pkg with Remote Desktop
        to prevent anything from appearing on the client computer
     3: same as 2
-g {yes|no}
override current ka address with address specified by -h option
     yes: address specified by pkg will be used
     no: current ka address will be used if present
-c {yes|no|maybe}
install KeyCheckout
     yes: KeyCheckout will be installed unless user chooses not to
     no: user cannot install KeyCheckout
-k {yes|no}
kill KeyAccess before install
     yes: KeyAccess will be killed (quit) before the install begins
     no: KeyAccess will not be killed (quit) before the install begins
-r {yes|no} (see note 2)
run KeyAccess after install
     yes: KeyAccess will be started after install completes
     no: KeyAccess will not be started after install completes
-b {yes|no}
reboot after install
     yes: prompt for a reboot after install
     no: do not prompt for a reboot after install
-v name[=value]
set a specific named plist preference to a custom initial value
     name is the preference name (e.g., 'trust' or 'security' or custom properties like site, assetOwner, assetLocation, etc.)
     value is the preference value ('1' if omitted)
-l {yes|no}
lock KeyAccess settings
     yes: after install, KeyAccess settings will be locked to users
     no: after install, KeyAccess settings will not be locked to users (admin unlock of Preferences still required by Apple)
-f {0|1|2|3|4}
value used for computer name
     0: computer name defined by user (in Sharing system preference panel)
     1: local computer host name as returned by gethostname
     2: canonical host name, as retrieved from DNS
     3: first component of canonical host name (i.e. 'myhost' instead of 'myhost.domain.org')
     4: local host name (gethostname) truncated to first part
-z {user|short|comp}
source of value used as login name
     user: KeyAccess will use user name as login name
     short: KeyAccess will use short user name as login name
     comp: KeyAccess will use computer name as login name
-x {yes|no}
by default, quarantine is removed from the pkg when any other change is made
     yes: remove quarantine attribute even if no other options are specified
     no: do not remove quarantine attribute

Note 1: By default, the installer will prompt for the KeyServer address during installation. If you are using Apple Remote Desktop for distribution of the pkg, this dialog will appear on the computer where the software is being installed - not on the computer where Remote Desktop is running. Therefore, you will probably want to configure the KeyServer address, and set the installer to silent mode. To do so, you would do something like:

./k2clientconfig -h 192.168.0.16 -s 2 -g yes ksp-client.pkg
(assuming you are in a directory containing copies of k2clientconfig and ksp-client.pkg)

Note 2: "-r yes" will start KeyAccess after installation. In order to do so, it must kill any currently running KeyAccess. If you do not use keyed software, this has no unexpected consequences - if the client has a connection to KeyServer, it will close the connection, and the newly installed KeyAccess will open a new connection. However, if a keyed program is running when this happens, the new session will not ask for the key again. Therefore, KeyAccess will ask the user to quit the keyed program about 15 minutes after the installation. For this reason, you should only use "-r yes" if your clients do not yet have KeyAccess software installed, or if you do not use any keyed programs. If you use "-r yes", you may want to also use "-b no", since a restart is no longer necessary. e.g.:

./k2clientconfig -r yes -b no ksp-client.pkg
(assuming you are in a directory containing copies of k2clientconfig and ksp-client.pkg)

Less Common Options:

-t {yes|no}
allow installation of KeyVerify (highly recommended for troubleshooting)
     yes: KeyVerify will be installed unless user chooses not to
     no: user cannot install KeyVerify
-p {yes|no}
allow installation of KeyAccess Preference Pane (highly recommended)
     yes: Pane will be installed unless user chooses not to
     no: user cannot install KeyAccess Preference Pane

Suppose you want users who run the pkg installer not to be able to choose the server address. After installation, you don't want them to be able to see the KeyAccess Preference Panel, and don't want them to be able to make changes (such as changing the KeyServer address). In this case, use something like:

./k2clientconfig -h 192.168.0.16 -s 2 -g yes -p no -l yes ksp-client.pkg
(assuming you are in a directory containing copies of k2clientconfig and ksp-client.pkg)

And for a final example, let's say you have several optional properties you want to include in the installer:

./k2clientconfig -h 192.168.1.250 -g yes -c yes -k yes -r yes -s 2 -b no -v site=Baltimore -v assetOwner=Joe_User -v assetLocation=Marketing ksp-client.pkg
which in order sets the host, overrides if there was a previous host in local config, installs KeyCheckout, kills KeyAccess before install, starts KeyAccess after install, performs a silent install, suppresses reboot, sets the client to ignore MAC as an ID type (presumably falling back to computer name), and sets some custom properties that will report back to the record on the server.

Technical Details

k2clientconfig extracts underlying files from ksp-client.pkg, modifies them, then reassembles the flat package installer. Most of the common command line options correspond to settings in a single file that is embedded in the installer, k2clientconfig.plist.

The k2clientconfig utility customizes the XML key values in the plist file as follows:

-h <host>
KSAddress key is set to <host>
-s {0|1|2|3}
for 0: AddressPromptUser key is set to 1 and AddressDisableChange key is set to 0
for 1: AddressPromptUser key is set to 1 and AddressDisableChange key is set to 1
for 2: AddressPromptUser key is set to 0 and AddressDisableChange key is set to 1
for 3: AddressPromptUser key is set to 0 and AddressDisableChange key is set to 1
-g {yes|no}
AddressDefaultCurrent key is set to 1 or 0
-l {yes|no}
KASettingsLocked key is set to 1 or 0
-z {user|short|comp}
UseComputerName key is set to 0, 3, or 1
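
Because the customized package no longer carries a signature, one check before deployment is to read the embedded k2clientconfig.plist back and compare it with the options you intended. The following is an added example, not Sassafras code: it assumes the plist has already been extracted from the package, uses a constructed sample plist, and assumes the 1/0 and 0/3/1 values pair with yes|no and user|short|comp in the order listed above.

```python
import plistlib

# (AddressPromptUser, AddressDisableChange) -> -s level, from the table above
S_LEVELS = {(1, 0): "0", (1, 1): "1", (0, 1): "2 or 3"}
# UseComputerName value -> -z source; assumes the page's 0, 3, 1 follow user|short|comp
Z_SOURCES = {0: "user", 3: "short", 1: "comp"}

# Constructed sample: k2clientconfig.plist as expected after
#   ./k2clientconfig -h 192.168.0.16 -s 2 -g yes -l yes ksp-client.pkg
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>KSAddress</key><string>192.168.0.16</string>
  <key>AddressPromptUser</key><integer>0</integer>
  <key>AddressDisableChange</key><integer>1</integer>
  <key>AddressDefaultCurrent</key><integer>1</integer>
  <key>KASettingsLocked</key><integer>1</integer>
  <key>UseComputerName</key><integer>0</integer>
</dict></plist>"""


def _num(settings, key):
    """Read a 0/1-style value stored as integer, boolean or string; None if absent."""
    return int(settings[key]) if key in settings else None


def _yes_no(settings, key):
    value = _num(settings, key)
    return "missing" if value is None else ("yes" if value else "no")  # assumes yes=1, no=0


def decode(plist_bytes):
    """Map the plist keys back to the command-line options they correspond to."""
    s = plistlib.loads(plist_bytes)
    pair = (_num(s, "AddressPromptUser"), _num(s, "AddressDisableChange"))
    return {
        "-h": s.get("KSAddress", "missing"),
        "-s": S_LEVELS.get(pair, "invalid"),  # e.g. (0, 0) matches no -s level
        "-g": _yes_no(s, "AddressDefaultCurrent"),
        "-l": _yes_no(s, "KASettingsLocked"),
        "-z": Z_SOURCES.get(_num(s, "UseComputerName"), "invalid"),
    }


def drift(plist_bytes, intended):
    """Return {option: (intended, actual)} for every option that differs."""
    actual = decode(plist_bytes)
    return {o: (want, actual.get(o)) for o, want in intended.items() if actual.get(o) != want}


if __name__ == "__main__":
    print(drift(SAMPLE_PLIST, {"-h": "192.168.0.16", "-s": "2 or 3", "-g": "yes", "-l": "yes"}))
```

An empty result means the plist matches the intended options; any entry shows the intended value next to the one actually found in the package.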

Note: Any installer that is tagged as "quarantined" (an extended file system attribute) may be prevented from running by Gatekeeper. Generally, this attribute can get set on downloaded files and will remain set for all copies. After running k2clientconfig to customize the ksp-client.pkg installer, its quarantine attribute will be deleted. Make sure that your deployment method does not set the quarantine attribute again when the installer is deployed.