Notes on using file state management software with KeyAccess
The idea of a file state management technology like Faronics Deep Freeze or Windows Unified Write Filter (UWF) is to ensure a clean, consistent system state between users. All changes are temporary and discarded on logout or reboot, which poses challenges for software like KeyAccess that needs to store audit data and Policy information persistently for efficient and consistent operation. This document describes how to use these technologies alongside Sassafras KeyAccess. As a general concept, the files documented in the Complete Files List must be excluded from being reverted to an earlier state.
Note that the minimum required files listed here allow operation, whereas an expanded set of files needs to be excluded if you want automated updates to function. This is because an update must replace the executables and libraries, while normal operation only needs to write to preferences and settings. Again, consult the Complete Files List if you want to exclude all client data locations to allow for updates.
There are several concepts in using Deep Freeze that are important here. One is Thawed Space which is a location that is not frozen and therefore not reverted. However, Thaw Space specifically refers to a virtual disk mounted by the Deep Freeze software drivers, which can occur too late in the boot process in some cases relative to KeyAccess starting, and can therefore cause issues. As such, we do not recommend using Thaw Space, but rather using an unfrozen volume, be it a partition or physical drive.
The second part of this configuration relies on the Faronics Data Igloo application. This allows you to choose the files, folders, and registry values for which you want to create junctions into the unfrozen volume. You will also want to ensure that users in general cannot alter the target location of these junctions, or the configuration could be corrupted, so be mindful of the permissions on the redirect location. Unfortunately this utility only exists for Windows, so other steps are needed on macOS.
To ensure proper setup of the drive, follow these general steps, redirecting the following locations to the unfrozen volume with Data Igloo:

Folder:
- C:\ProgramData\KeyAccess\ (if using a modern OS version), or
- C:\Documents and Settings\All Users\Application Data\KeyAccess\ (if using a pre-Win7 OS)

Registry keys:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KeyAccess\Settings\pref
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KeyAccess\Settings\settings
Note that if Data Igloo complains about permissions you can change the file permissions as needed. We follow a best practice of least permission, but Data Igloo may want higher-level access.
The following customer example uses PowerShell to work around the Data Igloo permissions requirement. It saves the ACL of the Audit folder, temporarily gives it the more permissive ACL of the Offline folder so Data Igloo can redirect it, then restores the original ACL on the redirected copy:

# Stop the client so its files are not in use during the redirect
Get-Service "KeyAccess" | Stop-Service
# Create the target folder on the unfrozen volume (T: in this example)
New-Item -Path T:\Data\KeyAccess -ItemType Directory -Force
# Remember the original (restrictive) ACL of the Audit folder
$orig_acl = Get-Acl "C:\ProgramData\KeyAccess\KeyAccess Audit"
# Temporarily apply the Offline folder's ACL so Data Igloo can move the Audit folder
Get-Acl "C:\ProgramData\KeyAccess\KeyAccess Offline" | Set-Acl "C:\ProgramData\KeyAccess\KeyAccess Audit"
# Redirect the data folder and the two registry keys with the Data Igloo command line client
Start-Process "C:\Windows\System32\igc.exe" -ArgumentList "/RedirectFolder C:\ProgramData\KeyAccess /loc:T:\Data" -Wait
Start-Process "C:\Windows\System32\igc.exe" -ArgumentList "/RedirectRegKeyLocation /loc:T:\" -Wait
Start-Process "C:\Windows\System32\igc.exe" -ArgumentList "/RedirectRegKey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KeyAccess\Settings\pref" -Wait
Start-Process "C:\Windows\System32\igc.exe" -ArgumentList "/RedirectRegKey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KeyAccess\Settings\settings" -Wait
# Restore the original restrictive ACL on the redirected Audit folder
Set-Acl "T:\Data\KeyAccess\KeyAccess Audit" -AclObject $orig_acl
Get-Service "KeyAccess" | Start-Service
You can also customize the directory KeyAccess stores its data in. If you already have a thaw space, you can use this method rather than the above for the data folder location. When installing the client, specify the directory per this example:
K2Client-x64.exe -v DIR_STATE=X:\Folder
This can be used together with other install options as needed. X is the drive letter of your thaw drive; the service will create a KeyAccess folder inside the specified Folder path. The path itself will not be created: it MUST exist at service start or the client will fall back to the hard-coded default. Note that this does not remove the need for the registry redirection specified above.
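The two requirements above (the DIR_STATE folder must already exist on the unfrozen volume, and ordinary users must not be able to alter the redirect target) are easy to get wrong at image build time. The following PowerShell script is an added example, not Sassafras' own code: it checks that the unfrozen volume is present, creates the state folder with a least-privilege ACL, verifies that no user-level principal can write to it, and only then runs the installer with DIR_STATE. The drive letter T:, the folder T:\Data, and the assumption that the KeyAccess service runs as LocalSystem are this example's assumptions, not values from the page. Registry redirection still has to be done with Data Igloo as described above.

```powershell
# Added example (not Sassafras' code): prepare and verify a persistent KeyAccess
# state folder on an unfrozen volume before installing with DIR_STATE.
# Assumptions: T: is the unfrozen volume, T:\Data is the chosen DIR_STATE folder
# (the service creates T:\Data\KeyAccess itself), and the service runs as SYSTEM.
param(
    [string]$StateRoot = 'T:\Data',
    [string]$Installer = 'K2Client-x64.exe'
)

function Test-UnfrozenVolume {
    param([string]$Path)
    $drive = [System.IO.Path]::GetPathRoot($Path)
    # If the volume is missing at service start, KeyAccess silently falls back
    # to its default location, so fail loudly here instead.
    if (-not (Test-Path -LiteralPath $drive)) {
        throw "Volume $drive is not present; DIR_STATE=$Path would fall back to the default."
    }
    return $true
}

function Initialize-StateFolder {
    param([string]$Path)
    New-Item -Path $Path -ItemType Directory -Force | Out-Null
    # Least privilege: only SYSTEM and Administrators get access. Audit data and
    # Policy information live here, so users must not be able to tamper with it.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting, drop inherited ACEs
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $full, $inherit, $prop, 'Allow')
        $acl.AddAccessRule($ace)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-StateFolderAcl {
    # Returns $true only if no Allow ACE grants a user-level principal any write right.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $writeRights = 'Write|Modify|FullControl|CreateFiles|AppendData|Delete|ChangePermissions|TakeOwnership'
    $bad = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$' -and
        $_.FileSystemRights.ToString() -match $writeRights
    }
    return ($null -eq $bad)
}

Test-UnfrozenVolume -Path $StateRoot | Out-Null
Initialize-StateFolder -Path $StateRoot
if (-not (Test-StateFolderAcl -Path $StateRoot)) {
    throw "User-level principals can still write to $StateRoot; fix the ACL before installing."
}

# Pass the parent folder: KeyAccess creates its own KeyAccess subfolder under DIR_STATE.
Start-Process -FilePath $Installer -ArgumentList "-v DIR_STATE=$StateRoot" -Wait
```

Run the script from an elevated PowerShell session on the unfrozen (Thawed) machine before freezing it. Because it checks the ACL after writing it, a Group Policy or a later inherited ACE that re-opens the folder to users will surface as a hard failure rather than as silently tamperable audit data.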
On macOS, where Data Igloo is not available, stop the KeyAccess daemon and its processes first:

sudo killall kass
killall KeyAccess
sudo launchctl unload /Library/LaunchDaemons/com.sassafras.KeyAccess.plist
sudo killall kass
killall KeyAccess

Create a data folder on the thawed volume, for example:

/Volumes/Thawed/Data

Then move the KeyAccess preferences folder onto the thawed volume and link it back into its original location:

sudo mv /Library/Preferences/KeyAccess /Volumes/Thawed/Data/KeyAccess
sudo ln -s /Volumes/Thawed/Data/KeyAccess /Library/Preferences/KeyAccess
On a somewhat related issue, when cloning a computer image, either to a physical disk or as a virtual computer image file, similar considerations apply: the private data preference files listed above should be excluded from the cloned image. For details regarding other settings that should also be excluded, read the cloning documentation.
Also related is the Client Deployment documentation. It may be of interest that with GPO deployment on Windows you can specify -v DIR_STATE=E:\KeyAccess -v PROP_HOSTNAME=yourhost.domain.com to set the persistent directory to an unfrozen location on a second drive. This avoids setting a folder redirection in Data Igloo for this folder. On a related note, you could script the symbolic link on a Mac deployment, depending on your deployment method.
While adding exceptions in Data Igloo for the other KeyAccess files can allow for updates, that option isn't available on Mac. It may also be a better approach to use Thaw periods to deploy updates. To this end, you may want to modify the auto-update cycle of the client to coincide with a Thaw, or disable the updates and trigger them manually. On Windows, the Task Scheduler has an item named KeyAccess Auto-update Task. You can disable this, then trigger it from a Thaw script as needed, or modify it to run at a different time. On Mac, the schedule is handled by /Library/LaunchDaemons/com.sassafras.KeyAccess.kami.plist, which again can be modified or disabled as needed. Note that modifications to these scheduled items are overwritten by an update, so you'll need to re-apply your modifications after each update.
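The Windows side of the "disable the task, trigger it from a Thaw script" approach, as an added PowerShell example that is not Sassafras' own code. It assumes the task is registered in the root task folder under the exact name "KeyAccess Auto-update Task", and that Faronics DFC.exe is on the PATH with "DFC get /ISFROZEN" exiting 0 when Frozen and 1 when Thawed (check this against your Deep Freeze version's documentation). Because an update re-registers the task, the Thaw-time function disables it again after the update has run, which covers the re-apply caveat in the paragraph above.

```powershell
# Added example (not Sassafras' code): keep the KeyAccess auto-update task
# disabled during normal operation and run it only from a Thaw maintenance script.
# Assumptions: task name and folder as below; DFC.exe on PATH; "DFC get /ISFROZEN"
# exit code 0 = Frozen, 1 = Thawed (verify for your Deep Freeze version).
$TaskName = 'KeyAccess Auto-update Task'

function Disable-KeyAccessUpdateTask {
    # One-time step at image build (and again after every update): keep the
    # task registered, but stop it firing on its own schedule.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
    if ($task.State -ne 'Disabled') { $task | Disable-ScheduledTask | Out-Null }
    return (Get-ScheduledTask -TaskName $TaskName).State
}

function Test-DeepFreezeThawed {
    # Refuse to update while Frozen: the replaced binaries would be discarded at reboot.
    $p = Start-Process -FilePath 'DFC.exe' -ArgumentList 'get /ISFROZEN' -Wait -PassThru -NoNewWindow
    return ($p.ExitCode -eq 1)
}

function Invoke-KeyAccessUpdateNow {
    # Called from the Thaw-period maintenance script. A disabled task cannot be
    # started on demand, so enable it, run it, wait, then disable it again.
    param([int]$TimeoutSeconds = 600)
    if (-not (Test-DeepFreezeThawed)) { throw 'Workstation is Frozen; not running the update task.' }
    Enable-ScheduledTask -TaskName $TaskName | Out-Null
    Start-ScheduledTask -TaskName $TaskName
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $state = (Get-ScheduledTask -TaskName $TaskName).State
    } while ($state -eq 'Running' -and (Get-Date) -lt $deadline)
    # The update may have re-registered the task as enabled; put it back to Disabled.
    Disable-KeyAccessUpdateTask | Out-Null
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
    # LastTaskResult 0 means the task's action exited successfully.
    return [pscustomobject]@{
        Finished = ($state -ne 'Running')
        LastRun  = $info.LastRunTime
        Result   = $info.LastTaskResult
    }
}

# At image build time:
Disable-KeyAccessUpdateTask
# From the Thaw maintenance script (for example, as a step before re-freezing):
# Invoke-KeyAccessUpdateNow
```

If the returned Finished field is $false the task hit the timeout while still running; treat that as a failed maintenance window rather than re-freezing the machine with a half-applied update.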
While our automatic client update feature is convenient in most settings, it obviously will not get along well with Deep Freeze. However, if you want to leverage this feature for some divisions but not others, you can. If, for example, you have some labs frozen but other labs and employee machines do not use Deep Freeze, you can disable updates for just the selected divisions. Right-click and edit any division to disable the auto updates as needed.
UWF is an optional feature in Windows 10 that saves all drive writes in a virtual overlay that is cleared at logoff or reboot. It has a command line interface (Uwfmgr.exe) that can be used to enter exclusions for files, folders, and registry entries. We assume you are familiar with this and have turned it on. The required exclusions for KeyAccess are:

Uwfmgr.exe servicing enable
Uwfmgr.exe file add-exclusion C:\ProgramData\KeyAccess\
Uwfmgr.exe registry add-exclusion "HKLM\SYSTEM\CurrentControlSet\Services\KeyAccess\Settings\pref"
Uwfmgr.exe registry add-exclusion "HKLM\SYSTEM\CurrentControlSet\Services\KeyAccess\Settings\settings"

Newly added exclusions take effect only after the next restart.
Note that with UWF you can either add exclusions for the other file locations of KeyAccess to allow updates, or you could script deployment through another system that enters servicing mode, installs the update, and reboots.
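Applying the exclusions above by hand on every image is error prone, and an exclusion that was silently never added shows up only later as lost audit data. The following PowerShell script is an added example, not Sassafras' or Microsoft's code: it adds each KeyAccess exclusion only if uwfmgr does not already list it, fails hard if uwfmgr returns an error, and reports whether a reboot is needed. It assumes uwfmgr.exe is on the PATH and that the get-exclusions output lists each excluded path on its own line in the same form it was entered; that text format is not a stable interface, so the parsing is a best-effort assumption to re-check on a new Windows build.

```powershell
# Added example (not Sassafras' code): apply the KeyAccess UWF exclusions
# idempotently and verify them against uwfmgr's own listing.
# Assumptions: uwfmgr.exe on PATH; "uwfmgr <kind> get-exclusions" prints each
# excluded path on its own line (text format, may vary by Windows build).
$FileExclusions = @('C:\ProgramData\KeyAccess\')
$RegistryExclusions = @(
    'HKLM\SYSTEM\CurrentControlSet\Services\KeyAccess\Settings\pref',
    'HKLM\SYSTEM\CurrentControlSet\Services\KeyAccess\Settings\settings'
)

function Get-UwfExclusions {
    param([ValidateSet('file', 'registry')][string]$Kind)
    # Keep only lines that look like a drive path or a registry key.
    $out = & uwfmgr.exe $Kind get-exclusions 2>&1
    return @($out | ForEach-Object { $_.ToString().Trim() } |
        Where-Object { $_ -match '^(?:[A-Za-z]:\\|HK[A-Z_]*\\)' })
}

function Add-UwfExclusionIfMissing {
    param([ValidateSet('file', 'registry')][string]$Kind, [string]$Path)
    # Compare without a trailing backslash; -contains is case-insensitive in PowerShell.
    $want = $Path.TrimEnd('\')
    $have = Get-UwfExclusions -Kind $Kind | ForEach-Object { $_.TrimEnd('\') }
    if ($have -contains $want) { return 'present' }
    & uwfmgr.exe $Kind add-exclusion $Path | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "uwfmgr $Kind add-exclusion $Path failed with exit code $LASTEXITCODE"
    }
    return 'added'
}

function Set-KeyAccessUwfExclusions {
    # Returns $true when at least one exclusion was added (a reboot is then required).
    $changed = $false
    foreach ($f in $FileExclusions) {
        if ((Add-UwfExclusionIfMissing -Kind file -Path $f) -eq 'added') { $changed = $true }
    }
    foreach ($r in $RegistryExclusions) {
        if ((Add-UwfExclusionIfMissing -Kind registry -Path $r) -eq 'added') { $changed = $true }
    }
    return $changed
}

if (Set-KeyAccessUwfExclusions) {
    # New exclusions sit in the "next session" configuration until the device restarts.
    Write-Output 'UWF exclusions changed; restart the device for them to take effect.'
} else {
    Write-Output 'All KeyAccess UWF exclusions already present.'
}
```

Run it elevated, and run it again after any OS servicing that rebuilds the UWF configuration: because it is idempotent, a second run is a cheap audit that the persistent locations are still excluded.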