Client Self-Updates

KeyAccess has the ability to auto update itself via your server without user interaction

Details of the update — when it happens, what version is installed, and other settings — are configured centrally on the server. Client versions 7.4.1.0 and newer for Windows and 7.4.1.2 and newer for Mac are required for this function. Clients will fetch the upgrade instructions from the server and install the new version even if no users are logged into the computer. Installs are silent so there is no interruption to logged in users.

Note: Because the clients check for update information at various client triggered events (e.g. boot time), and they perform updates at a random 48 hour spaced time, it is possible a client could take several days before it updates. These mechanisms ensure a gradual roll out that does not tax the infrastructure. This means you should wait 3 days from the time you enable a new update until you question if there is an issue with any given client system getting it.

The client-side settings that are already in place, such as the KeyServer address, are retained. It is possible to change certain settings during the update, but typically this will not be necessary. It is important that you use the installers as they are, without modification (by k2clientconfig or otherwise). This because the installers are digitally signed by Sassafras, and the self-update process will verify the signature before using the installer file. Any modification will invalidate the signature.

The update instructions are stored on and distributed by the KeyServer, along with the actual installers. Clients download all items from your server, but the server host needs to be able to reach www.sassafras.com to check for and import the new client installers. See Firewall Rules for full details. Also note if you don't have an SSL Certificate on the server some clients may not update as they can not get a trusted connection to the server to download the file.

Configuring The Update

Web UI

Simply log in to the Web UI as an administrator (account with sufficient rights) and go to Settings -> Updates. If there is a newer client version available from Sassafras, there will be a notice of this. You can simply click the Accept button for each platform to have the new clients downloaded to the server and update the settings for you. Be sure to click Save to apply the settings and activate the updates. Also be sure the URL that is auto populated is valid. Some times a short name will be used due to local DNS and you'll want to change this to the FQDN.

New Client Updates

KeyConfigure

Configure the update settings in KeyConfigure under Config -> KeyAccess Version Control. Configuration for each client platform is on indvidual tabs. Unlike the Web UI, KeyConfigure offers an option for the older 32 bit client, though this is rarely used. There are also options for how to handle Old Versions if desired (block, warn, etc).

To pull in the latest version installer and enable the update, simply click the Accept button at the top of each tab. You'll get a green checkmark by the Version indicating everything is in order. Be sure the URL that is auto populated is valid for possible cross network downloads. Some times a short name will be used due to local DNS and you'll want to change this to the FQDN. Clients download all items from your server, but the server host needs to be able to reach www.sassafras.com to check for and import the new client installers. See Firewall Rules for full details. If there is no Accept button, there is either no new client, or the server can not reach Sassafras.

For more information on the scheduled tasks and considerations for state management like Deep Freeze, see TN3704.

In most cases, the client will be running when the upgrade happens. The upgrade process will stop the running client before installing the new software, and then silently start the new client once the upgrade is complete. The upgrade process does not initiate a computer restart, but in some cases some of the new components will not be in place until after the client computer restarts.

Properties

Similar to standard client Deployment there are properties you can specify for the client installations. Generally you don't need to change things for simple upgrades, but you can use this to deploy new default settings if needed. These properties are set per client version (per tab). Much like tags, type a property and hit enter to add it to the window. Again, you generally do not need to use these as upgrades keep all prior version client settings, and this process inherently does things like close the running process, silently install, and then start the new process with no reboot.
The following properties are valid for self updates. Some properties on the deployment page should NOT be used here as they are implicit (like silent install and don't reboot)

PROP_LOCKED=1 do not allow changes to the KeyServer host inside the KeyAccess Control Panel
PROP_USERNAME=# value used for user name (Mac ONLY):
  • 0 - default value that the standard OS routine provides
  • 1 - computer name
  • 2 - long user name
  • 3 - short user name
  • PROP_COMPNAME=# value used for computer name:
  • 0 - Sharing name on Mac, Host name on Windows (same as 3)
  • 1 - locally configured host name
  • 2 - canonical host name
  • 3 - canonical host name, truncated to first component
  • 4 - locally configured host name, truncated to first name component
  • PROP_SITE=value populate a value on the client which will appear in the Department field of the computer record
    PROP_TRUST={0|1|2|10} set the Trust level
    PROP_SECURITY={0|1|2} set the Security level
    PROP_NOURL=1 disable URL tracking (privacy or security reasons)

    Generally not needed for upgrades, but could be used to help migrations:

    PROP_FORCEHOST=1 if the client already has a KeyServer address, overwrite with the value passed with PROP_HOSTNAME
    PROP_HOSTNAME specify the KeyServer host name or IP address
    PROP_NUKEAUDIT=1 clear the previous local audit so it is rebuilt

    Download URL

    Client installers are downloaded over HTTP(S) from any web server you choose. This can be any web server if you like, but by default the update will be hosted locally in the Sassafras Web Service.

    Coverage Target

    Updates can be applied to a portion of all clients. This gradual update is randomized — you set a percentage of clients that should be updated, and then statistically that number of clients will be updated. As needed, this percentage can be increased up to 100%, at which point all clients will have been updated. This is useful for spreading out network load so all clients aren't trying to download the updater at the same time. Note that the random seed on the scheduled time does provide some spread already, so for most settings this option is not necessary.

    Security Measures

    The main protection against malicious parties utilizing the self-update feature is the digital signature of the installers. The update program that is already present on the client computer will check the signature of the downloaded installer before using it. The signature must be valid, and must also have been created using Sassafras Software's private signing key.

    The upgrade instructions are stored in a file that is read-only for non-administrator accounts. On Windows this file is stored at \ProgramData\KeyAccess\kami.xml. On Mac OS X the file is at /Library/Preferences/KeyAccess/kami.xml. Keep this file accessible only to admin accounts so it cannot be modified by normal users. But even if this file is changed, the digital signature check protects against installation of unsanctioned software. Modification of this file could disable updates, or could cause an older version of the client to be installed.

    While it is not necessary, using an HTTPS URL for the installers will add one more security obstacle.

    Note that the client can always be updated using external distribution mechanisms, such as Group Policy Objects. The self-update feature of the client can be disabled completely if there are security concerns about its operation.

    Old Versions

    While older versions of KeyAccess cannot self-update, they can be configured to receive bulletin messages asking them to update. This is done in the Old Version tab. Users of older versions can either receive a warning, or a message that they must upgrade in order to use managed programs (in which case they will not be able to use managed programs until they get a new version).

    There are various client versions in which new functionality was introduced, which may make these versions a natural choice for a cutoff.

    • Prior to 6.2.1.4, KeyAccess cannot respond to an Observe Policy. Usage which should be logged on these older clients is instead ignored (usage of programs with Manage Policies is recorded as usual).
    • Prior to 6.1.2.0, KeyAccess cannot observe or manage unkeyed usage. Only keyed programs can be managed on these older clients.
    • Prior to 6.0, KeyAccess does not do an audit of installed programs.
    • Prior to 5.2, KeyAccess does not choose a unique computer node ID, so will not appear in the Computers window.

    The version control setting will cause a dialog to appear on client computers, but whether your users contact you or not is up to them. You may wish to sort the Computers window by Version, in order to proactively identify computers with old versions of KeyAccess.

    Note that if you are able to deploy software, updating KeyAccess is very easy. The KeyAccess installer can be customized in such a way that a silent install can be done remotely, e.g. via GPO - for more details read the Deployment documentation.