IT deployment guide
This guide is written for corporate IT teams deploying VirtuCath™ onto managed Windows machines. It documents what VirtuCath does on the network, how to install it across a fleet, and how to lock down or loosen specific behaviours via Group Policy / Intune.
If you are an end user and your laptop is not corporate-managed, you can ignore this page — the defaults in the standard installer are designed for individual engineers.
Network footprint
VirtuCath is largely an offline desktop application. It contacts the internet only for the calls below, all over HTTPS / TLS 1.2 or higher. There is no telemetry, no background data upload, and no analytics.
| Endpoint | When called | Purpose | Optional? |
|---|---|---|---|
https://*.cryptlex.com (license server — Cryptlex is the third-party licensing service VirtuCath uses for paid tiers) | Online activation and periodic license refresh inside the grace period, for commercial licenses only (Academic, Innovator, Team Starter, Enterprise) | License validation against Cryptlex. Subject to the Cryptlex IP / domain list. | No (unless using offline activation) |
https://virtucath.com/api/activate | Online activation and periodic re-check, for legacy beta licenses only (key prefix VC-BET-…) | License validation against the legacy D1-backed activation endpoint. Commercial licenses do not use this endpoint. | No (for beta users) |
https://virtucath.com/api/version | Manual or automatic update check (typically on app start) | Returns the latest available version + download URL. | Yes (auto-update can be suppressed — see Enterprise mode) |
https://virtucath.com/api/report-bug | Only when the user clicks Help → Report a Problem → Send to VirtuCath Support | Uploads a diagnostic bundle. Catheter configuration is opt-in. | Yes (user action only) |
Update installer download URL (e.g. https://virtucath.com/...) | Only when the user (or, in standard mode, the auto-updater) elects to install an update | Downloads a signed .exe installer for the new version. | Yes — in enterprise mode the installer is never downloaded automatically. |
Activation flow at a glance. The desktop application detects which activation path to use from the license key itself. Keys minted before our migration to Cryptlex (prefix
VC-BET-…) use the legacy/api/activateendpoint; keys issued by Cryptlex for paid plans (an opaque GUID-shaped string) use Cryptlex's own activation API. From an IT firewall-allowlist perspective, both endpoints should be reachable if you have a mix of beta-bundled and commercial installations.
Domains to allowlist if your firewall uses an explicit allowlist:
virtucath.comand*.virtucath.com*.cryptlex.com(or the specific Cryptlex region endpoints — see Cryptlex docs)virtucath.customer.cryptlex.com(the VirtuCath customer self-service portal — only needed on machines where users will manage licenses or perform offline activation in a browser; not needed for runtime)*.onfastspring.com(only on machines where users will purchase or upgrade licences via the web; not needed for runtime)
TLS interception note. If your network performs TLS interception (a
common pattern for next-gen firewalls), VirtuCath's HTTPS calls will fail
certificate verification and the auto-updater's Authenticode check will
also fail. Either allowlist virtucath.com and *.cryptlex.com to bypass
interception, or install your corporate root CA into the machine's
Windows trust store before deploying VirtuCath.
MDM / DNS-filtering note. If your MDM (Jamf for Windows, Intune,
Workspace ONE, etc.) or a corporate DNS resolver filters or rewrites DNS
responses for unfamiliar domains, license activation and update checks can
fail before TLS ever gets involved — usually with a confusing "could not
reach license server" error rather than a clear DNS error. Apply the same
allowlist (virtucath.com, *.virtucath.com, *.cryptlex.com) at the DNS
layer in addition to the firewall layer. If your MDM forces a custom DNS
resolver via policy, verify that resolver returns the same answers an
unmanaged resolver does for the allowlisted domains.
Customer portal note. The VirtuCath self-service customer portal lives at
https://virtucath.customer.cryptlex.com.
End users only need browser reachability to that subdomain — there is no
desktop-side connection to it. If you allowlist *.cryptlex.com you already
cover it; if you use an explicit per-host allowlist, add
virtucath.customer.cryptlex.com.
Install modes
VirtuCath ships as an Inno Setup .exe installer. The installer
supports both per-user and per-machine installation; the choice is made
either interactively or via a command-line flag.
Interactive install
When run with no flags, the installer is per-user by default
(installed under %LOCALAPPDATA%\Programs\VirtuCath, no UAC prompt).
The wizard shows an "Install for all users" option at the top that
elevates to per-machine (C:\Program Files\VirtuCath, requires admin).
Scripted install (SCCM / Intune / PowerShell)
# Per-machine, silent, no UAC prompts, no reboot
.\VirtuCath-Setup.exe /ALLUSERS /SILENT /SUPPRESSMSGBOXES /NORESTART
# Per-user, silent
.\VirtuCath-Setup.exe /CURRENTUSER /SILENT /SUPPRESSMSGBOXES /NORESTART
# Uninstall (silent)
"C:\Program Files\VirtuCath\unins000.exe" /SILENT /NORESTART
The installer also accepts:
/DIR="<path>"— override the install directory/NOICONS— skip start-menu shortcuts/LOG="<path>"— write a setup log to the given path (useful for SCCM error diagnostics)/TASKS="desktopicon"— opt the user into a desktop shortcut
A /CURRENTUSER or /ALLUSERS install will be remembered on subsequent
upgrades (via Inno's UsePreviousPrivileges flag), so an Intune-deployed
machine won't accidentally switch to a per-user install when a user
double-clicks an updated installer.
Installer exit codes
The installer is built with Inno Setup and returns the standard Inno Setup exit codes. SCCM/Intune deployment scripts should branch on these:
| Code | Meaning | Treat as |
|---|---|---|
0 | Setup completed successfully. | Success |
1 | Setup failed to initialize. | Failure |
2 | User clicked Cancel in the wizard before the install started. | User-cancelled |
3 | Fatal error preparing to move to the next phase (e.g. cannot create install dir, permission denied). | Failure |
4 | Fatal error during the install itself (file copy / registry / unpack error). | Failure |
5 | User cancelled during the install, or the install was aborted by code. | User-cancelled |
6 | Setup process was forcefully terminated by the debugger or system. | Failure |
7 | PrepareToInstall returned non-empty — preparation failed before install started. | Failure |
8 | Setup succeeded but a system restart is required to complete the install. | Success-with-reboot |
In silent mode, /SUPPRESSMSGBOXES is required to make codes 1-7 exit
without ever showing an error dialog. Without that flag, the installer
blocks waiting for user acknowledgement and Intune/SCCM will time out.
Enterprise mode
VirtuCath has an enterprise mode that shifts user-facing defaults toward what corporate IT expects:
- The auto-updater is suppressed. Update notifications still appear, but the installer is never downloaded or executed automatically. IT is expected to push updates via SCCM / Intune.
- The bug-report dialog defaults to local-save only and excludes the catheter configuration from the bundle unless the user explicitly ticks the include checkbox (engineering-IP exfiltration risk).
- The current mode is displayed in Help → About so users and auditors can confirm what mode the install is running in.
Enterprise mode is detected at startup from three sources, in this precedence (highest first):
a. Environment variable (dev / opt-in)
VIRTUCATH_ENTERPRISE_MODE = 1
Accepted truthy values: 1, true, yes, on (case-insensitive).
Set machine-wide via System Properties → Environment Variables, or
per-user via PowerShell:
[Environment]::SetEnvironmentVariable("VIRTUCATH_ENTERPRISE_MODE", "1", "Machine")
b. HKLM registry key (recommended for IT-managed fleets)
[HKEY_LOCAL_MACHINE\SOFTWARE\VirtuCathLLC\VirtuCath]
"EnterpriseMode"=dword:00000001
Push via Group Policy Preferences (Registry), Intune (Custom OMA-URI),
or reg add in a deployment script:
reg add "HKLM\SOFTWARE\VirtuCathLLC\VirtuCath" /v EnterpriseMode /t REG_DWORD /d 1 /f
Reverse with /d 0 or reg delete.
c. License metadata (automatic for enterprise tiers)
When a license is activated against a Cryptlex policy that has
enterprise_mode = true in its metadata, the app reads that on
startup and enables enterprise mode automatically — no IT action
required. This is the default for the Enterprise and Academic license
tiers VirtuCath sells to large customers.
Verifying
Open Help → About. The dialog now includes a "Deployment" line that reads either:
Standard modeEnterprise mode (via environment variable)Enterprise mode (via machine-wide registry policy)Enterprise mode (via license tier)
Code signing
The VirtuCath.exe binary and pyarmor_runtime.pyd are signed with an
Authenticode certificate issued to VirtuCath, LLC. The auto-updater
verifies this signature before launching any downloaded installer; you
can verify it yourself in PowerShell:
Get-AuthenticodeSignature "C:\Program Files\VirtuCath\VirtuCath.exe"
A status of Valid and a SignerCertificate.Subject containing
VirtuCath indicates an unmodified binary.
Logs and bug reports
- Session logs are written to
<install-dir>\logs\session_<timestamp>.log, the last 10 sessions are retained, older ones are auto-pruned. - The Help → Report a Problem feature builds a zip bundle from those logs, optional catheter configuration, and basic system metadata.
- The bundle is always saved locally to
%LOCALAPPDATA%\VirtuCathLLC\VirtuCath\bug-reports\so the user has a copy even if upload fails. - License keys, hardware IDs, and email addresses other than the submitter's are redacted from the bundle automatically.
Offline grace period
Activated VirtuCath installations can run up to 30 days offline before the app requires a successful re-check against the license server. The grace period resets on every successful online validation. This applies to all license tiers and is set on the licensing-platform side, not in the client — there is no Group Policy / registry switch to extend it.
For IT teams operating fleets behind strict egress controls, this means
a workstation that goes longer than 30 days without reaching
*.cryptlex.com will degrade to Unlicensed Mode on the next launch.
Practical mitigations:
- Allow at least one routine egress to
*.cryptlex.comper month (the call is small, just a license validation ping). - For genuinely air-gapped workstations, use the offline-activation flow (see Licensing and activation) — once activated offline, no further network call is made and the grace period does not apply.
Offline activation
For air-gapped environments, VirtuCath supports offline activation via a two-file exchange with the VirtuCath customer portal at https://virtucath.customer.cryptlex.com. The portal exchange runs from any internet-connected browser; the offline workstation itself never needs network access.
See Licensing and activation for the end-user step by step. Once activated offline, all subsequent license validation happens locally — no network call to the license server is made from the workstation.
For IT-managed fleets, the customer-portal account is provisioned per purchase email. In most enterprise procurement flows the purchase is run by finance or procurement, while the people who actually need to manage licenses (free seats, run offline activations, transfer to new hardware) sit in IT or engineering — different inboxes entirely.
To use a separate license-management email, email
[email protected] from the purchasing email with: (1) your order
ID from the original license-key email, (2) the additional addresses you
want attached to your licenses (a shared [email protected] mailbox is
fine, as are individual engineers), and (3) whether each address should
have organization-admin rights (can manage everything on the account) or
plain user rights (read-only view). VirtuCath attaches the additional
portal users on the Cryptlex side; they then go to
virtucath.customer.cryptlex.com
and click Forgot password? with their newly-attached address to set
their own password. The purchase-email account remains active, so finance
keeps its audit trail and IT gets day-to-day control. This pattern also
covers off-boarding — if the engineer holding the license-management
credentials leaves the company, email support to swap them out without
having to involve procurement or open a new order.
Alternatively, if you anticipate this need at purchase time, you can just
purchase under a long-lived shared service email
([email protected], [email protected], etc.) so the portal
account is owned by the team from day one.
Single Sign-On (Enterprise only)
VirtuCath supports SAML 2.0 single sign-on into the customer portal for Enterprise customers on request. SSO is not enabled by default — the stock Cryptlex login page renders a "Continue with SSO" button for every tenant, but it only functions once SAML has been configured per-customer against your corporate IdP.
Why it's gated to Enterprise: SSO is a per-organization integration
(metadata exchange, attribute mapping, connection testing) that carries
both upstream platform costs and per-connection engineering time.
Bundling it into the Enterprise tier keeps it sustainable; it's not
available on Innovator or Team Starter. Raise SSO needs early in
procurement by emailing [email protected] so the integration can be
scoped and the timeline confirmed before the contract is signed.
What you get: users in your organization log into virtucath.customer.cryptlex.com by clicking Continue with SSO and authenticating against your IdP (Okta, Microsoft Entra ID / Azure AD, Google Workspace, OneLogin, Ping, ADFS, JumpCloud — anything that speaks SAML 2.0). No portal password to manage, automatic deprovisioning when an employee leaves your IdP, and your IdP's MFA policy applies.
What to send us to scope the integration:
- The IdP you want to federate against.
- Your IdP's SAML metadata URL (or XML file).
- The email domain(s) you want recognized as your organization (e.g.
yourco.com,yourco.eu). Users authenticating from those domains will be auto-routed to your SSO connection. - Whether you want Just-In-Time provisioning (new users are auto-created on first SSO login) or strict membership (only pre-provisioned emails can authenticate; everyone else is rejected).
- The role new SSO users should get by default:
organization-admin(can manage all licenses on the account) oruser(read-only view plus offline activation for their own seat).
Email [email protected] with the subject line beginning [SSO] and
those five items. The first reply will confirm the timeline.
Caveat for IT-managed fleets without SSO: if you've decided not to use SSO (or haven't set it up yet), instruct your users to ignore the "Continue with SSO" button on the portal login page and log in with email + password instead. The button exists in Cryptlex's stock UI but will fail to find an IdP connection for your domain.
Support
For IT-specific questions (deployment errors, fleet rollout planning,
custom installer requirements), email [email protected] with
the subject line beginning [IT].