Skip to main content

IT deployment guide

This guide is written for corporate IT teams deploying VirtuCath™ onto managed Windows machines. It documents what VirtuCath does on the network, how to install it across a fleet, and how to lock down or loosen specific behaviours via Group Policy / Intune.

If you are an end user and your laptop is not corporate-managed, you can ignore this page — the defaults in the standard installer are designed for individual engineers.


Network footprint

VirtuCath is largely an offline desktop application. It contacts the internet only for the calls below, all over HTTPS / TLS 1.2 or higher. There is no telemetry, no background data upload, and no analytics.

EndpointWhen calledPurposeOptional?
https://*.cryptlex.com (license server — Cryptlex is the third-party licensing service VirtuCath uses for paid tiers)Online activation and periodic license refresh inside the grace period, for commercial licenses only (Academic, Innovator, Team Starter, Enterprise)License validation against Cryptlex. Subject to the Cryptlex IP / domain list.No (unless using offline activation)
https://virtucath.com/api/activateOnline activation and periodic re-check, for legacy beta licenses only (key prefix VC-BET-…)License validation against the legacy D1-backed activation endpoint. Commercial licenses do not use this endpoint.No (for beta users)
https://virtucath.com/api/versionManual or automatic update check (typically on app start)Returns the latest available version + download URL.Yes (auto-update can be suppressed — see Enterprise mode)
https://virtucath.com/api/report-bugOnly when the user clicks Help → Report a Problem → Send to VirtuCath SupportUploads a diagnostic bundle. Catheter configuration is opt-in.Yes (user action only)
Update installer download URL (e.g. https://virtucath.com/...)Only when the user (or, in standard mode, the auto-updater) elects to install an updateDownloads a signed .exe installer for the new version.Yes — in enterprise mode the installer is never downloaded automatically.

Activation flow at a glance. The desktop application detects which activation path to use from the license key itself. Keys minted before our migration to Cryptlex (prefix VC-BET-…) use the legacy /api/activate endpoint; keys issued by Cryptlex for paid plans (an opaque GUID-shaped string) use Cryptlex's own activation API. From an IT firewall-allowlist perspective, both endpoints should be reachable if you have a mix of beta-bundled and commercial installations.

Domains to allowlist if your firewall uses an explicit allowlist:

  • virtucath.com and *.virtucath.com
  • *.cryptlex.com (or the specific Cryptlex region endpoints — see Cryptlex docs)
  • virtucath.customer.cryptlex.com (the VirtuCath customer self-service portal — only needed on machines where users will manage licenses or perform offline activation in a browser; not needed for runtime)
  • *.onfastspring.com (only on machines where users will purchase or upgrade licences via the web; not needed for runtime)

TLS interception note. If your network performs TLS interception (a common pattern for next-gen firewalls), VirtuCath's HTTPS calls will fail certificate verification and the auto-updater's Authenticode check will also fail. Either allowlist virtucath.com and *.cryptlex.com to bypass interception, or install your corporate root CA into the machine's Windows trust store before deploying VirtuCath.

MDM / DNS-filtering note. If your MDM (Jamf for Windows, Intune, Workspace ONE, etc.) or a corporate DNS resolver filters or rewrites DNS responses for unfamiliar domains, license activation and update checks can fail before TLS ever gets involved — usually with a confusing "could not reach license server" error rather than a clear DNS error. Apply the same allowlist (virtucath.com, *.virtucath.com, *.cryptlex.com) at the DNS layer in addition to the firewall layer. If your MDM forces a custom DNS resolver via policy, verify that resolver returns the same answers an unmanaged resolver does for the allowlisted domains.

Customer portal note. The VirtuCath self-service customer portal lives at https://virtucath.customer.cryptlex.com. End users only need browser reachability to that subdomain — there is no desktop-side connection to it. If you allowlist *.cryptlex.com you already cover it; if you use an explicit per-host allowlist, add virtucath.customer.cryptlex.com.


Install modes

VirtuCath ships as an Inno Setup .exe installer. The installer supports both per-user and per-machine installation; the choice is made either interactively or via a command-line flag.

Interactive install

When run with no flags, the installer is per-user by default (installed under %LOCALAPPDATA%\Programs\VirtuCath, no UAC prompt). The wizard shows an "Install for all users" option at the top that elevates to per-machine (C:\Program Files\VirtuCath, requires admin).

Scripted install (SCCM / Intune / PowerShell)

# Per-machine, silent, no UAC prompts, no reboot
.\VirtuCath-Setup.exe /ALLUSERS /SILENT /SUPPRESSMSGBOXES /NORESTART

# Per-user, silent
.\VirtuCath-Setup.exe /CURRENTUSER /SILENT /SUPPRESSMSGBOXES /NORESTART

# Uninstall (silent)
"C:\Program Files\VirtuCath\unins000.exe" /SILENT /NORESTART

The installer also accepts:

  • /DIR="<path>" — override the install directory
  • /NOICONS — skip start-menu shortcuts
  • /LOG="<path>" — write a setup log to the given path (useful for SCCM error diagnostics)
  • /TASKS="desktopicon" — opt the user into a desktop shortcut

A /CURRENTUSER or /ALLUSERS install will be remembered on subsequent upgrades (via Inno's UsePreviousPrivileges flag), so an Intune-deployed machine won't accidentally switch to a per-user install when a user double-clicks an updated installer.

Installer exit codes

The installer is built with Inno Setup and returns the standard Inno Setup exit codes. SCCM/Intune deployment scripts should branch on these:

CodeMeaningTreat as
0Setup completed successfully.Success
1Setup failed to initialize.Failure
2User clicked Cancel in the wizard before the install started.User-cancelled
3Fatal error preparing to move to the next phase (e.g. cannot create install dir, permission denied).Failure
4Fatal error during the install itself (file copy / registry / unpack error).Failure
5User cancelled during the install, or the install was aborted by code.User-cancelled
6Setup process was forcefully terminated by the debugger or system.Failure
7PrepareToInstall returned non-empty — preparation failed before install started.Failure
8Setup succeeded but a system restart is required to complete the install.Success-with-reboot

In silent mode, /SUPPRESSMSGBOXES is required to make codes 1-7 exit without ever showing an error dialog. Without that flag, the installer blocks waiting for user acknowledgement and Intune/SCCM will time out.


Enterprise mode

VirtuCath has an enterprise mode that shifts user-facing defaults toward what corporate IT expects:

  • The auto-updater is suppressed. Update notifications still appear, but the installer is never downloaded or executed automatically. IT is expected to push updates via SCCM / Intune.
  • The bug-report dialog defaults to local-save only and excludes the catheter configuration from the bundle unless the user explicitly ticks the include checkbox (engineering-IP exfiltration risk).
  • The current mode is displayed in Help → About so users and auditors can confirm what mode the install is running in.

Enterprise mode is detected at startup from three sources, in this precedence (highest first):

a. Environment variable (dev / opt-in)

VIRTUCATH_ENTERPRISE_MODE = 1

Accepted truthy values: 1, true, yes, on (case-insensitive). Set machine-wide via System Properties → Environment Variables, or per-user via PowerShell:

[Environment]::SetEnvironmentVariable("VIRTUCATH_ENTERPRISE_MODE", "1", "Machine")
[HKEY_LOCAL_MACHINE\SOFTWARE\VirtuCathLLC\VirtuCath]
"EnterpriseMode"=dword:00000001

Push via Group Policy Preferences (Registry), Intune (Custom OMA-URI), or reg add in a deployment script:

reg add "HKLM\SOFTWARE\VirtuCathLLC\VirtuCath" /v EnterpriseMode /t REG_DWORD /d 1 /f

Reverse with /d 0 or reg delete.

c. License metadata (automatic for enterprise tiers)

When a license is activated against a Cryptlex policy that has enterprise_mode = true in its metadata, the app reads that on startup and enables enterprise mode automatically — no IT action required. This is the default for the Enterprise and Academic license tiers VirtuCath sells to large customers.

Verifying

Open Help → About. The dialog now includes a "Deployment" line that reads either:

  • Standard mode
  • Enterprise mode (via environment variable)
  • Enterprise mode (via machine-wide registry policy)
  • Enterprise mode (via license tier)

Code signing

The VirtuCath.exe binary and pyarmor_runtime.pyd are signed with an Authenticode certificate issued to VirtuCath, LLC. The auto-updater verifies this signature before launching any downloaded installer; you can verify it yourself in PowerShell:

Get-AuthenticodeSignature "C:\Program Files\VirtuCath\VirtuCath.exe"

A status of Valid and a SignerCertificate.Subject containing VirtuCath indicates an unmodified binary.


Logs and bug reports

  • Session logs are written to <install-dir>\logs\session_<timestamp>.log, the last 10 sessions are retained, older ones are auto-pruned.
  • The Help → Report a Problem feature builds a zip bundle from those logs, optional catheter configuration, and basic system metadata.
  • The bundle is always saved locally to %LOCALAPPDATA%\VirtuCathLLC\VirtuCath\bug-reports\ so the user has a copy even if upload fails.
  • License keys, hardware IDs, and email addresses other than the submitter's are redacted from the bundle automatically.

Offline grace period

Activated VirtuCath installations can run up to 30 days offline before the app requires a successful re-check against the license server. The grace period resets on every successful online validation. This applies to all license tiers and is set on the licensing-platform side, not in the client — there is no Group Policy / registry switch to extend it.

For IT teams operating fleets behind strict egress controls, this means a workstation that goes longer than 30 days without reaching *.cryptlex.com will degrade to Unlicensed Mode on the next launch. Practical mitigations:

  • Allow at least one routine egress to *.cryptlex.com per month (the call is small, just a license validation ping).
  • For genuinely air-gapped workstations, use the offline-activation flow (see Licensing and activation) — once activated offline, no further network call is made and the grace period does not apply.

Offline activation

For air-gapped environments, VirtuCath supports offline activation via a two-file exchange with the VirtuCath customer portal at https://virtucath.customer.cryptlex.com. The portal exchange runs from any internet-connected browser; the offline workstation itself never needs network access.

See Licensing and activation for the end-user step by step. Once activated offline, all subsequent license validation happens locally — no network call to the license server is made from the workstation.

For IT-managed fleets, the customer-portal account is provisioned per purchase email. In most enterprise procurement flows the purchase is run by finance or procurement, while the people who actually need to manage licenses (free seats, run offline activations, transfer to new hardware) sit in IT or engineering — different inboxes entirely.

To use a separate license-management email, email [email protected] from the purchasing email with: (1) your order ID from the original license-key email, (2) the additional addresses you want attached to your licenses (a shared [email protected] mailbox is fine, as are individual engineers), and (3) whether each address should have organization-admin rights (can manage everything on the account) or plain user rights (read-only view). VirtuCath attaches the additional portal users on the Cryptlex side; they then go to virtucath.customer.cryptlex.com and click Forgot password? with their newly-attached address to set their own password. The purchase-email account remains active, so finance keeps its audit trail and IT gets day-to-day control. This pattern also covers off-boarding — if the engineer holding the license-management credentials leaves the company, email support to swap them out without having to involve procurement or open a new order.

Alternatively, if you anticipate this need at purchase time, you can just purchase under a long-lived shared service email ([email protected], [email protected], etc.) so the portal account is owned by the team from day one.


Single Sign-On (Enterprise only)

VirtuCath supports SAML 2.0 single sign-on into the customer portal for Enterprise customers on request. SSO is not enabled by default — the stock Cryptlex login page renders a "Continue with SSO" button for every tenant, but it only functions once SAML has been configured per-customer against your corporate IdP.

Why it's gated to Enterprise: SSO is a per-organization integration (metadata exchange, attribute mapping, connection testing) that carries both upstream platform costs and per-connection engineering time. Bundling it into the Enterprise tier keeps it sustainable; it's not available on Innovator or Team Starter. Raise SSO needs early in procurement by emailing [email protected] so the integration can be scoped and the timeline confirmed before the contract is signed.

What you get: users in your organization log into virtucath.customer.cryptlex.com by clicking Continue with SSO and authenticating against your IdP (Okta, Microsoft Entra ID / Azure AD, Google Workspace, OneLogin, Ping, ADFS, JumpCloud — anything that speaks SAML 2.0). No portal password to manage, automatic deprovisioning when an employee leaves your IdP, and your IdP's MFA policy applies.

What to send us to scope the integration:

  1. The IdP you want to federate against.
  2. Your IdP's SAML metadata URL (or XML file).
  3. The email domain(s) you want recognized as your organization (e.g. yourco.com, yourco.eu). Users authenticating from those domains will be auto-routed to your SSO connection.
  4. Whether you want Just-In-Time provisioning (new users are auto-created on first SSO login) or strict membership (only pre-provisioned emails can authenticate; everyone else is rejected).
  5. The role new SSO users should get by default: organization-admin (can manage all licenses on the account) or user (read-only view plus offline activation for their own seat).

Email [email protected] with the subject line beginning [SSO] and those five items. The first reply will confirm the timeline.

Caveat for IT-managed fleets without SSO: if you've decided not to use SSO (or haven't set it up yet), instruct your users to ignore the "Continue with SSO" button on the portal login page and log in with email + password instead. The button exists in Cryptlex's stock UI but will fail to find an IdP connection for your domain.


Support

For IT-specific questions (deployment errors, fleet rollout planning, custom installer requirements), email [email protected] with the subject line beginning [IT].