Volume Number: 25
Issue Number: 09
Column Tag: System administration

Using Sassafras' KeyServer to Manage Licenses

by Criss Myers

One of the many challenges that face an Apple Mac Network System Manager is the control and management of Application software. One of the issues involved in this is licensing. Anyone who installs a piece of software has a legal duty to comply with the license agreement shipped with the software. On a network, this challenge becomes much harder when we take into account that we may have many more client machines than available software licenses. There is naturally no reason to purchase a single license for every Mac on the network when each application is not used concurrently on all the clients [Ed. Note: This depends on the End User License Agreement itself.]. With this in mind there is a legal need to comply with the installed license agreements. Some software developers have their own means of controlling their license agreements. Apple offers a "network aware volume license," Quark has their own license server and many others use an iLok or USB dongle control feature. However, the majority of software available does not offer a network license; it is shipped with a single use license. Even those that do come with a network license come with no means of enforcing this, or of preventing unauthorized launching of the software when all licenses are used.

Further licensing issues occur when a client imaging system is used. One of the easiest ways to manage a large number of networked Macs is to image them centrally. This means that each Mac has the same software installed onto it. Which also means that the same license code is installed on to every client during imaging. Some software licenses are network aware, but in general, the same license code will allow you to launch the software on every client at once. This, of course, would breach the license agreement.

One approach to this problem is to use KeyServer by Sassafras Software. Sassafras has been around for nearly 20 years (since 1990). With KeyServer, you can control and monitor the usage of each license on your network. The KeyServer manages your list of available licenses and grants access based on your license preferences; each client requires a KeyServer license.

The server software can be installed on a OS X-based server (can be OS X, or OS X Sever), a Windows server, a Novell server or a Linux server. The client software can be run on a Mac, Linux or Windows client, which means that the same solution can help you to control both your Mac and Windows licenses from a single setup. A single KeyServer license will work on both platforms, as the license is per client machine registered with the server, irrelevant of the platform from which it runs.

In addition to controlling the software licenses, Keyserver has the ability to monitor software usage, because it can be set up to log all activity and display it as a graph over a given period of time. This can help you to comply with auditor's requirements as well as facilitating the planning of future software purchases.

A license entry can be created for any piece of software.

A license entry can be keyed, preventing the software from being launched, when there is no access to the server.

A queuing feature places those that request an unavailable license in a queue, informing them when a license becomes available.

Releasing idle licenses for those who are queued

A report of software usage can help to plan future software purchase and save money on unnecessary purchases.

Can be used for tracking computer usage and logons as well as license usage.

Compare usage stats for various Applications such as Safari vs Firefox giving you an idea of clients preferences.

The KeyServer is easy to install and setup. A full version of the software can be downloaded and installed from Sassafras for a limit period of time, for a limited number of clients for evaluation. Once you have downloaded the "K2" software to the server you need to install the K2Server.app on the server. When you purchase a license from Sassafras you will receive a single license file, (".lic") extension, for the number of clients that you purchased. Place this in the KeyServer folder located at "/Library/KeyServer/KeyServer Data Folder". If you purchase an increase to your number of clients you simply replace this file.

Figure 1 shows the server's library folder containing the ks-StartStop application,, the ks, KeyServer Data Folder containing the .lic license file and the KSddConsist Application, which checks the consistency of the KeyServer files.

Fig 1. Library Folder.

Once installed, the server can be started and stopped via the "ks-StartStop" or via the command line executing the "ks" executable. The server requires very little processor power, memory or disk space. The K2Server will launch at startup after its first run.

Figure 2 shows the ks-StartStop window confirming that the KeyServer is running.

Fig 2. ks-StartStop

The KeyServer supports what are called "shadows", which are replicas of the main server, so that if the main server is offline, the shadows can be used to authorize license requests and log usage.

To create a shadow, you need to create a shadow license file via the K2 Admin tool, KeyConfigure. Then, on a second server, replace the .lic file with the Shadow.lic file. The first time you start the Shadow KeyServer you will need to start it via the command line, as you will need to enter the password you created when creating the Shadow license file.

Figure 3. The KeyConfigure menu for creating a Shadow license.

You will need to add the KeyServer to your firewall on both the main and shadow servers, the K2 port is UPD ports 19283 and 19315 and TCP port 19283.

The client software is installed via the K2Client.mkpg or the K2Mobile.mkpg. The difference between these two is that the mobile version allows you to sign out licenses on mobile clients for use offline. The client installer installs KeyAccess, KeyVerify and a PreferencePane. When you install the client, it asks for the address of the server, either via FQDNS or IP address.

Figure 4. The K2 Client installer, the KeyServer Address is required before the installation starts.

The PreferencePane allows you to logon to the Keyserver, and lists the available shadows. Once connected, the client will reconnect at each logon. Every time you login to the computer it will connect to the KeyServer and log the activity along with the logging of each license that is granted, denied or queued.

Figure 5. The PreferencePane shows you the status of the connection between the client and the server as well as known Shadow servers as well as the version number, i.e. 6.1.4.4 The first time you logon you get the above message.

The K2 Server is administered from a client computer. Installing the K2Admin.mpkg will install the KeyConfigure application in the Applications folder. When you launch the KeyConfigure Application it asks for the Server address and authentication. The default password is "Sassafras".

Figure 6 and 7 show the logon and password change windows.

Figure 6. The KeyConfigure login window.

Figure 7. KeyConfigure's request to change the default password.

KeyConfigure is the Administration program for the entire configuration and monitoring of the KeyServer. The "Window" menu gives you access to the various different windowpanes for monitoring and setting up the KeyServer.

Figure 8 shows the Window menu in KeyConfigure, this is where you open the various windowpanes.

Fig 8. KeyConfigure's Window menu.

The first task after you have created a Shadow license is to setup the license entries for the programs you wish to manage. Open the "Licenses" windowpane. This lists all the license entries you create.

Figure 9 shows the license entries that have been setup.

Fig 9. License window pane

To create a license entry, just drag the application icon onto this license window. A new window then opens where you can select the appropriate options. Choose from a "Keyed Program" or an "Unkeyed Program". The difference between Key and Unkeyed is that the applications.app folder is modified by the KeyServer so that the program cannot be launched without a valid connection to the Keyserver. This prevents the program from being copied to another computer via CD or external drive. Some applications are self-contained within their .app bundle folder, which makes it easy to copy them to another machine. By keying the application, it can never be opened anywhere else. Some programs do like being keyed and once you key an application, you cannot unkey it without reinstalling, so make sure you test the applications you key. Click "Ok": the entry is created and the advance window is opened.

Figure 10 and Figure 11 show the configuration windows for setting up a license.

Fig 10. The new license entry creation window. Select between Keyed or Unkeyed and whether to allow the application to launch when the KeyServer is offline.

Fig 11. This window opens automatically after you create the license entry but can be accessed later by double clicking the entry in the license window.

Some of the main features that can be set are:

Limits: Choose the type of license you possess, and the number of concurrent licenses. Under Custom limits you can limit a license to certain groups, or create priority schedules for certain times. You can connect the KeyServer to a directory, such as active Directory, or LDAP to access existing groups.

Idle: Here you can set what happens when the user stops using the program for a certain length of time. Each program can have its own settings or you can set global settings, which allows you to set the queuing preferences. This can be very useful if you have a limited number of licenses but you expect that users may use the program for a short while and then leave it open. This would normally prevent other uses from using the program, but there is an option to queue new requests for the program and either warn users who are idle, or quit the program from them. Once a license is released due to idle settings the queued user will be notified that a license is now available for them.

Custom Message: Here you can create a message that gets displayed on screen when the application is launched. You can create a 'custom deny' or a queued message informing the user of the reason why they cannot launch the program. You can also create a one-time or on going general launch message, for example, "This program may crash if you remove the camera before quitting the application".

Once you have create the licenses you then need to add the computers, Every computer running keyAccess that logs on to the KeyServer gets audited by the KeyServer and added to the "Computers" window's discovery list.

Figure 12 shows the "Computers" windowpane.

Fig 12. Computers window.

Each new computer has a pink discovery icon next to it, to acknowledge the computer, right click on the name and select acknowledge. You can customize the categories to display such as MAC address and IP address. Under the divisions menu you can create separate divisions or computer groups. This can help you when you create reports so that you can view usage or activity based on computer groups.

Now you have the KeyServer installed and setup the final thing to do is monitor usage and create reports.

Figure 13 shows the currently logged in computers and users. This windowpane shows the maximum clients available for the purchased license as well as the name of the KeyServer.

Fig 13 The Users of the KeyServer

Double click on a user and you can view the licenses they have signed out as well as the times that they logged in. You can also send a bulletin message to the user.

When you have used the KeyServer for a few months and built up a database of usage, you can build reports. These will allow you to gather useful information that can help you to plan for the future. There are many reports you can create, to include data such as: computer usages, license usages, weekly and daily reports, logins, list of denials etc. The data can be displayed as histograms. To create a report you select the appropriate report from the "Reports" menu. You then get a popup box to edit the criteria. You can select other reports to run and then choose the time period in which to run the reports. The resulting report can then be saved as either an html file or an xml file.

Fig 14. The KeyConfigure's reports popup window.

One of the many issues Mac system administrators have to address is software licensing and tracking. A KeyServer solution offers a great way of solving this issue as well as offering other services. The software is easy to setup, requires limited resources and can have multiple backup servers. It can manage any program as well as monitoring logins and logouts. You can add the KeyServer to a directory service and then use existing groups to assign licenses. If you divide your computers into divisions you can track software and computer use by division, if you wish to assign a division to a particular building then you can compare usage between different physical locations. Then once setup you can use the reporting feature to analyse different usage patterns to enable you to plan for the future. There are many other features that have not been discussed here, that a KeyServer can offer. Not only can the KeyServer monitor usage of license it can also control who has access and when, which means much greater flexibility in license management. For more information and to obtain a trial copy, go to www.sassafras.com.

Criss Myers is a Business Support Analyst (Mac Services), for Learning and Information Services, at the University of Central Lancashire, Preston, United Kingdom. He has been a Systems Server Administrator from the very first version of OS X Server. He Works with Macs as well as Linux, Unix and Windows and specializes in image deployment and maintenance as well as client management.