Full Walkthrough

First Steps

Adding the License

Once you purchase the Sassafras KeyServer Platform you will be sent a server.lic file by our Sales team. This license will set the number of active seats on your server, as well as the product level (KeySight, LabSight, or AllSight). Adding this to your server is easy, and indeed can be done at any point after your initial setup and configuration. One note is that when the server license changes from the default demo to the full purchased entitlement, the server ID changes. Any client that is connected when the server restarts with a new ID will be forced to disconnect and reconnect, which might trigger a required close and relaunch of any tracked software. If you were given an expanded evaluation license by Sassafras, this is not a concern as the full license will have the same ID as the eval.

To add the license, simply put it in your KeyServer Data Folder on the server and restart the KeyServer service:

  • Windows: C:\Program Files\Sassafras K2\Server\KeyServer Data Folder by default. Then use Windows Services to restart the KeyServer service. There is a shortcut in the Server folder.
  • Macintosh: Macintosh HD > Library > KeyServer > KeyServer Data Folder. There is an AppleScript in the root KeyServer folder called ks-StartStop. Run this to stop the service, then again to start the service.
  • Linux: /usr/local/k2/KeyServer Data Folder. After adding the lic file restart the service via sudo service keyserver restart or sudo systemctl restart keyserver or the like depending on your distro.

    Additional Settings

    Once you log on using the password you set during the setup wizard, navigate to Settings and look at the following sections for a few baseline items.

    Computer IDs

    While you chose the primary ID during the prior setup steps, it's advisable to review all the options and consider your environment in detail. It's also much harder to change these down the road once data is in place as a database conversion is needed. Some items of note:

  • Thin Client Name is the top default for any TS/RDS style technology connections. You can choose to put Thin Client User above this if you like. This will use the authenticated user name instead of the connecting computer name in the "name" column of the Computers page for these connections. This is simply a readability choice in many cases. However, depending on your environment it may be fewer records as well. That is, if one user connects from 5 computers to the RDS farm, that's 5 computer records in AllSight. If however you use Name then it's one record. But, if there is limited access to the farm from thin stations, maybe there are only 20 computer names possible but hundreds of user names possible. Consider the infrastructure when making this choice.
  • QND is used in our Japan market; it is meaningless anywhere else and will be skipped. You can remove this for clarity.
  • Most sites will use Serial as the primary after the Thin choice. Combined Serial is a good backup for this to put in 3rd place.
  • Virtual systems with no serial will fall back to something else, in which case Computer Name or Virtual Computer Name may be a good fallback before Hardware Digest is hit as the last resort.
  • Click here for comments on other ID Types.

    In more complex settings the exact order of IDs for fallbacks can be very important. Consult with Sassafras Support as needed to ensure the best outcome.

    MAC

    This was a popular choice 20 years ago. However, in modern times there tend to be a couple of problems using this as an ID outside of special cases:

  • If you image 10 laptops on the same dock, they are 1 computer because they have the same primary MAC at creation. This can be retained in deployment making it appear only one shows up at a time in the server because they are constantly updating the shared record with their details.
  • If a laptop has no onboard NIC and uses multiple docks and dongles, it can have an "identity crisis". This leads to multiple duplicate records being made as the primary interface previously used is missing entirely and a new one has been found.

    Combined Serial

    This can be a good secondary to Serial. If the OEM serial can't be found due to not existing (custom built system) or a WMI fault or similar issue, then if any serial between the BIOS or Mainboard can be found, all available serials will be used in a string. This gives a unique ID like serial, but it's not as clean so not usually the primary choice.

    Name vs Virtual Name

    If you like the idea of Name being a fallback for serial, that applies to both physical and virtual computers. However, maybe you don't want to use it as a fallback for physical computers, but you do have a thick VDI pool. Serial won't work for those, and Name usually will if it's a pool of fixed names. This is where using Virtual Computer Name comes into play. Physical machines will skip it as it does not apply, just as a virtual will skip serial (in almost all cases; there is a rare case where the hypervisor passes the host serial to the guest). This means the two IDs can be in either order with each other.
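
    The fallback order discussed in this section can be modelled in a few lines. This is an added example, not Sassafras code: the ID type names come from the walkthrough, while the field names, the "+" separator, the digest calculation and the sample fleet are assumptions made for illustration.

```python
# Illustrative model of ordered computer-ID fallback. Not Sassafras code:
# ID type names follow the walkthrough, the resolution logic is an assumption.
import hashlib

# ID types that map straight onto one reported field (field names are hypothetical).
SIMPLE = {"Thin Client Name": "thin_client_name", "Thin Client User": "thin_client_user",
          "Computer Name": "name", "MAC": "primary_mac"}

def candidate(id_type, c):
    """Value the client could report for id_type, or None when it does not apply."""
    virtual = c.get("virtual", False)
    if id_type in SIMPLE:
        return c.get(SIMPLE[id_type])
    if id_type == "Serial":                      # virtual guests skip Serial
        return None if virtual else c.get("oem_serial")
    if id_type == "Combined Serial":             # every BIOS/mainboard serial found
        parts = [c[k] for k in ("bios_serial", "board_serial") if c.get(k)]
        return "+".join(parts) or None
    if id_type == "Virtual Computer Name":       # physical machines skip this
        return c.get("name") if virtual else None
    if id_type == "Hardware Digest":             # last resort: hash of all details
        return hashlib.sha256(repr(sorted(c.items())).encode()).hexdigest()[:16]

def resolve(order, c):
    """Walk the configured order; the first ID type that yields a value wins."""
    for id_type in order:
        value = candidate(id_type, c)
        if value:
            return id_type, value
    raise ValueError("no ID type in the order applies to this computer")

def record_count(order, fleet):
    """Distinct computer records the fleet produces under a given ID order."""
    return len({resolve(order, c) for c in fleet})

RECOMMENDED = ["Thin Client Name", "Serial", "Combined Serial",
               "Virtual Computer Name", "Hardware Digest"]
# Constructed sample data: two laptops imaged on one dock (same primary MAC),
# a custom build with no OEM serial, and a VDI guest with a fixed name.
FLEET = [
    {"name": "LAP-01", "oem_serial": "SN1001", "primary_mac": "00:11:22:33:44:55"},
    {"name": "LAP-02", "oem_serial": "SN1002", "primary_mac": "00:11:22:33:44:55"},
    {"name": "BUILD-7", "bios_serial": "B77", "board_serial": "M42",
     "primary_mac": "00:11:22:33:44:66"},
    {"name": "VDI-POOL-03", "virtual": True},
]
# Constructed RDS sessions: one user connecting from five thin stations.
SESSIONS = [{"thin_client_name": f"TC-{i}", "thin_client_user": "alice"} for i in range(5)]

if __name__ == "__main__":
    for c in FLEET:
        print(c["name"], "->", resolve(RECOMMENDED, c))
    print("MAC first:", record_count(["MAC"] + RECOMMENDED, FLEET), "records for 4 computers")
    print("user first:", record_count(["Thin Client User"] + RECOMMENDED, SESSIONS), "record")
```

    Run against the sample fleet, the recommended order yields one record per computer, while putting MAC first merges the two docked laptops into a single record.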

    Mail

    Generally you will want to set up the SMTP settings so the server can send emails, and then enable the daily status emails. Only one address can be set to receive these daily emails and the critical alerts, so use of a list is often prudent. If you don't allow the server to send email, you won't have alerts, expiration notices, or be able to use scheduled reports.

    Account Setup

    If you want to use external authentication like AD or Azure, this is where that is set up. Support is happy to assist as the topic of Permissions quickly follows and is a deep topic due to granularity.

    Clients

    If you enabled the AD mapping in the prior setup steps, it will be enabled here. You likely want to make the default Use all OUs for Division Mapping so you get the whole "folder" structure you see normally in AD, rather than just using the first level OU. You may also want to disable the option for Mapping takes precedence over Rules. This allows flexibility for local rule override of AD mapping should you ever need it.

    PRS

    On a nightly basis your local server checks with our Product Recognition Service to see if there are new product definitions to import based on local computer audits. It's prudent to make sure your Firewalls are set up to allow this communication. Clicking the Now button performs a check, which should only take seconds on a fresh server. Reload the page to ensure it was a successful check.

    Audits

    As a very rough statement, any site with fewer than 5000 endpoints should consider making the default audit cycle daily. By default this is 14 days on a fresh install for safety, but most people don't want to wait 2 weeks to see if computers are up to date after a deployment action. If you make this daily, the option to Send Program management settings to client during audits can be enabled as it will be an effective proactive option.

    Network

    Once you have a CNAME set for your server, you'll want to set that in the hostname field on this page. This is of course also the name you want to get on your SSL certificate.

    Updates

    The server can tell clients to silently update to the latest client version when they check in. This version does have to be Accepted on each release. The green dot in the UI flags attention that a new update is available to accept and serve out. Ensure the download URLs are using the FQDN of the server (the CNAME for which you have an SSL cert is best).

    Adding a Certificate

    Because we are working in an authenticated web UI, it is advisable to install an SSL certificate on the server and force all traffic to HTTPS. We have extensive documentation on this process. This is often quick, easy and familiar on a Windows Server using the Certificates MMC, with no additional configuration needed once the cert is imported.

    In the event you are on another OS, or your DNS is complex, or you need to have multiple certs on the server that share a DNS name thereby causing KeyReporter to pick up the wrong file, consult the full documentation. If you have questions do not hesitate to contact Sassafras Software Support.


    Initial Tasks

    The rest of this page directly applies to LabSight only as the prompts talked about here do not show if you have an AllSight license in place. In that case you can skip to the next section of the walkthrough: Using the Web UI. However, reading over this page will give useful insight into the operation of the platform and recommended next steps, even if you don't see these prompts in the UI.

    Upon logging in to the Web UI the first time (using the password you entered during setup; pro tip: if you do not enter a name when logging in, it will assume Administrator), you will be presented with a helper modal titled "Not seeing much data?" to help you through further initial steps. Clicking the items will take you to the portions of the UI related to that task. As mentioned, please use a supported browser (i.e. not IE). This will occasionally pop up until all items have been completed. If at any point you wish to trigger the popup on demand, click on the Help navigation item at the bottom of the left-hand navigation list. The popup will reflect a step as complete once it has been seen as done by the system.

    Not Seeing Much Data?

    As the outline to the right indicates, these steps go through getting clients connected to the server and organizing them into Divisions so they can be used on Maps. We then move on to choosing some Software to track detailed usage for. These steps are important because if computers are not in Divisions they cannot easily be put on Maps, and are not organized for Reports. If you don't track Software usage, you have inventory information of where programs are installed, but no idea who used them for how long.


    Install the Client on your Computers

    Without client installations pointed at the server, there is no data, and really no further features. We have extensive documentation on methods of mass deploying the client via GPO, SCCM, JAMF, and other mechanisms. For the purposes of an initial setup, you can simply run the platform appropriate ksp-client installer on a workstation or three via the install package you downloaded previously. While many customizations can be done in a full deployment, those are a more granular side topic. Once a client is installed and has an active session (see client installation above) it will show up in the Computers window of the Web UI and KeyConfigure. It will automatically perform an initial audit on first contact. This audit will contain a full hardware and software inventory which then forms the basis of software tracking and reporting.

    Troubleshooting tips

  • Ensure the KeyAccess client is installed and running. On Windows, open Control Panels -> KeyAccess. On Mac open System Preferences -> KeyAccess.
  • Ensure KeyAccess is pointed to the correct server name (or IP) and shows a connected status. If it's not connected, click the Logon button in the control panel/preference pane to see what happens.
  • Make sure any network firewalls are allowing KeyAccess to talk to the KeyServer on UDP 19283. You may also need to make a rule for this in the local firewall on the server OS (especially in the case of Linux).


    Create some Divisions

    Computers provide your data, but there are some features you will only be able to leverage once you have organized them into Divisions. Divisions are like OUs in Active Directory (and can be based on the latter automatically) or Folders of objects in other UIs. Click on the Computers navigation item and you will see a sub navigation pane for Divisions. By default there is only Uncategorized, which is not actually a division, it's a holding area for computers not assigned to one. Click the + next to DIVISIONS to make a new division. Note that if you are using Active Directory mapping for clients, this should not be necessary. In that case, divisions should be automatically created and computers allocated when they connect to the server.

    You can right click on a Division to Edit the name or Delete it, or make a New Division nested underneath it.

    Computer Divisions

    We will cover more advanced topics of organizing divisions using Sections and "sub divisions" in the later parts of this walkthrough in KeyConfigure.



    Add Computers to Divisions

    Once you have divisions made, you can drag computers into them to organize your environment. Again this is not needed if you're using AD mapping, only if you're organizing manually. There are advanced options for organizing computers that will be covered when talking about the computers window in KeyConfigure later.

    Divisions are important as logical containers for targeting things like Maps, Policies, and Reports. You may choose to use things like department, room number, or some hierarchy thereof to organize your computers. Then when running reports the results can be grouped by division. When managing software you can easily scope an enforcement policy to a division. And of course divisions are the primary structure for creating Maps.



    Create Maps for your Divisions

    We have extensive documentation talking about Maps. At the most basic level, a Map is a set of divisions graphically shown on a page as a list of locations or geographically pinned to a street map. Each Division item when clicked can show a list of computers or a graphic Floorplan. This Floorplan is by default a simple list view, which you can then add a graphic layout to. There is also an Info page to detail anything about the location and show things like Schedules. In these views you can see how many computers are in use or available for use, along with those that are offline or in maintenance. Printers can also be added to maps to show their status and information.

    While this feature is mainly used in education for lab settings, it also sees use in corporate settings for use by IT staff. Visualizing your computer assets on a building floorplan and seeing their status can be quite useful. Maps can be public or private depending on a rich number of permission settings if needed.

    Map page

    For the simple purpose of this walkthrough and wizard, simply click on the Maps navigation item. You will see the default map set which lists all your Divisions (not Uncategorized as again that's not a division just a holding area). Each line will simply have a + on the far right. Clicking anywhere on one of these lines will prompt you to set details to make the initial Floorplan. The basics for making a public list of computers are:

  • Information Tab: Enter a common Name if the default division name isn't clear for the public.
  • Options Tab: Turn on Visible to Public Viewers
  • Click the Add button

    And that's it. You have made a publicly visible list view of the computers in this division. Now clicking the line item in Maps will show you the computers and their status. You can click individual computers to expand the list of Products they have installed.

    You can refer to further documentation on specific features of maps, such as Remote links capability, the Info page, and the Floorplan editor to draw rooms.



    Track Usage of relevant Software

    Accessible under the Software -> Manage navigation item, this screen allows for simple one click tracking of discovered Products and control over list visibility in the Web UI. By default if there are new products you have not made a decision about, you will be taken to the Attention section of the Filters. Regardless of filters, the same options are available - the Attention filter is simply a convenience to help ensure you do not miss new items having been found and choosing an action. A green dot will also appear by the main Manage item when there are new discoveries.

    Software Management

    Each line item shows a Product. Products are defined by Sassafras Software and pulled down automatically from our Product Recognition Service (PRS) based on the Programs that the KeyAccess client finds on your computers. You can add your own Products if needed which we will cover in KeyConfigure. Most will have an icon that is 4 squares. This is a Family product that contains all sub versions of the product. The box icon is a stand alone Edition product that has no Family. The relation from Program to Product to Family is best illustrated with something like Microsoft or Adobe. Word is a Program that is in one or more Products like Office Home 2019 and Office Business 2020. Microsoft Office Home versions 2018, 2019, 2020, etc will all be a part of the Office Home family product. In this way, acting on the family allows for tracking of all versions of all apps in the suite backward and forward as versions are released and added to PRS. Other columns show Platform and Publisher details for reference.

    Manage Product Options

    The options are quite simple and summarized in the alert header:

  • Observe usage of the software by clicking the Green dot. This will cause the system to create an Observe policy, which causes all clients to record launches and quits of the Product in question. See Policies in KeyConfigure later on for Management options for AllSight users.
  • Ignore usage by clicking the Red dot. You will still have all the Audit (inventory) data available, this just says you're not interested in the granular usage details of who ran it when on what machine for how long. Audit data still gives you where everything is installed, when it was first seen, and when it was last used.
  • Show the product on lists. By removing the Checkmark in the last column you hide this Product from appearing on the Software page and software lists when clicking Computers on Maps. This is useful for things like security software that are useful to be able to report on when needed, but which don't need to clutter the Guest view of "useful" applications that are available for use.