II. Quick Install & Tour
Rather than allow the Concurrent Use policy created in the previous step to float among all computers, we will now change the scope of the policy to a specified group. The ability to restrict the scope of a policy to a specific group is one of KeyServer’s more powerful (and hence dangerous) features:
24. Add a Scope to a Policy
In the “Policy Details for Calculator Policy”, type a new group name, “TryThis”, into the Scope field. Save the change and then launch Calculator. The launch will succeed, but unlike before, you will not see an In Use count for the policy.
When you add a Scope to a Manage Policy, the Policy only has any effect on computers in that group. In the absence of any other Policy, computers outside the group are able to run the programs in the product without any license granted. The product is managed for some computers, but not for others. Since there is no definition of what it means to be a member of the “TryThis” group, all computers fall outside the group, and the policy does not apply. However, with our current configuration, if you run an Event Dump, you will see a logged launch — remember the Observe Policy we added. Now the Observe Policy once again has an effect. Clients outside the scope of the Manage Policy might still be in the scope of some other policy. If there are no policies with a scope that includes the client, the launch is simply ignored. But because in our configuration there is a Observe Policy with Universal scope, the program launch is recorded. Note that Observe or Deny policies are only consulted when no Manage policy is found with a scope that includes the client. Whenever a relevant Manage policy exists, the launch will always either succeed with a license from the Manage policy, or be denied if none of the Manage policies can grant a license.
It is usually safer to define a group first and then drag it onto the group icon in a policy details window, rather than type the name of a group directly into a policy details window:
25. Define a Group
Use the Window menu to open the Groups window. Create a new group using a right click to bring up the context menu (or use “Create New” in the Edit menu). Let’s name this new group “Graphics Group”, and hit OK. Now select a computer from the Computers window – drag & drop it onto the newly created group item, “Graphics Group”, in the Groups window. To check that this computer node was successfully added to the group definition, double click to open “Group Details for Graphics Group” and look in the Nodes pane.
26. Drag & Drop onto the Group icon in Policy Details
Close up the group details window for “Graphics Group”, but keep its name selected in the Groups window. Open the window, “Policy Details for Calculator Policy”, then drag & drop the newly created group item onto the group icon in this window – don’t drop it onto the text field area, you must drop it on the icon.
You will see the old group restriction, “TryThis”, replaced by “Graphics Group”. Save the changes. Now you can experiment with Calculator launches on the various clients to demonstrate how the policy is granted only to the computers listed within the Graphics Group, while computers outside the group merely log usage.
Be careful when creating a policy that might limit the use of a program that is owned personally on a personal computer. If KeyAccess is installed and connected to your KeyServer, you must take care to ensure that your license policies do not have consequences beyond their intended scope. For example, if you have KeyAccess installed on both lab and personal computers, creating a Photoshop policy with universal scope will result in personal copies of Photoshop outside of labs consuming licenses. You probably should define a group which contains computers in the labs, and apply this group to the policy.
Rather than add individual computers to a Group, you may want to include a pre-defined set of computers, e.g., the set of all computers owned by the Art department. The Computers window lets you divide the list of computers into named subsets for just this purpose.
27. Create a Computer Division, then include it in a Group definition
Right click in the Divisions pane of the Computer window to create a new Division (e.g., “Art Department”) and then drag computers in from the computers list. Once you have made a division, drag it onto a Group name for inclusion – open the Group Detail window to check that the dragged in division name has been added to Divisions pane.
In addition to specifying computers for Group inclusion (referenced under its Nodes or Divisions panes), membership can also be granted based on location (e.g., network address ranges configured in the Locations window). If the KeyServer is configured to consult an external authentication service (e.g. Active Directory) then group membership can be further augmented by reference to an external group name. In this case, the complete list of externally defined groups may not appear in the Groups window and it is for this reason that a Policy Details window accepts a typed in group name as well as supporting drag & drop.
Finally, in addition to membership based on divisions, nodes, etc. you can add members based on filter conditions. This may be even easier than using a Division. For example you could have a group for all computers whose names begin with a certain prefix (e.g. “Rm4_graphics_lab”).
After deploying the Sassafras client throughout your site, it will be safest to test custom license rules and scopes using the KeyVerify Policy or a policy managing some unimportant game. Since Calculator is a standard OS utility, managing or disabling it by mistake (or on purpose) might be an unwelcome surprise on any client computer.