Having a device enrolled in an MDM package does not make it a corporate device. Many corporations require personal devices be managed to support remote wiping. If I install a productivity or developer tool on my personal phone or laptop for personal non-corporate use I would get mistaken as a corporate user by this process.
If you want to collect this information you should be clear about it and know and understand your edge cases before you start attempting enforcement actions based on it if that is the intent.
In general in my experience, personal tools are a VERY hard market to sell into for corporate environments (I took a peek at what the software on OPs site requires a commercial license to use). I would bet most if not all of what you're catching here is unauthorized installs in a corporate environment and you're more likely to loose interested users than sell more commercial licenses.
>Many corporations require personal devices be managed to support remote wiping.
Corporations cannot require you to have your personal devices be managed by them. If you're surrendering your own gear to a company, it stops being your own device.
But they can require things of devices connected to their wifi or being brought to their premises. You are welcome to leave the device at home if you don't want to consent.
Depends on the local laws. Where I live, they can either deal with it, or provide a secured storage space for the duration of the visit.
Either way, if a corporation wants their employees to use a device, they are obliged to make one available. Surrendering your private equipment to their management makes it not yours anymore.
As with every similar heavy-handed approach to enforcement you are making life difficult for the 99% of regular, honest users while the remaining 1% can trivially bypass it.
The post doesn't say what you should do with this information. You could just remind the user that they're supposed to buy a license for commercial use.
additionally with the proposal "put together a list of known corporate MDM server URLs in a public repository" I think the idea could be to only block users with an MDM server from that list. of course that would have to be quite a large list and maintaining it fairly could be a challenge
I disagree, corporate systems will try to be transparent about being a corporate device. And they will not particularly be avoidant of software licensing, they may refuse to use the software, but they'd rather have that than use unlicensed software.
It seems like this makes things easier for everyone?
I heard folks here used MDM to give themselves more control over Apple security features that they otherwise don’t. This code example and scenario penalizes them by side effect
If it gets normalized for software to notice when there's MDM in play, do you really think it won't be treated as a strong signal and used to break things?
Curb your slippery slope buddy. I think it's more productive to speak about concrete news presented to us instead of the hypothetical consequences it might have, real or imagined.
This happens in a lot of software in the Windows world, too. As soon as you run it on a non-Home SKU you’re suddenly The Enterprise, even as a home-gamer.
I’ve used Pro (or Ultimate under Win 7) instead of Home for my personal devices since sometime in the XP era and literally never experienced this with anything.
Windows is gating a lot of basic configuration shit behind enterprise configs like Group Policies now, specifically so that the people slumming it on Home get all the ads, spyware, mandatory updates, stealthily enabled AI features, etc.
(Anecdotally) I don't think most big corps using commercial software without a license are doing it intentionally/maliciously at an organizational level. Most of the time it's just individual employees downloading supposedly "free" software without reading the license and not realizing it isn't free for commercial use.
> Most of the time it's just individual employees downloading supposedly "free" software without reading the license and realizing it's not free for commercial use.
And chances are, that company's IT department would love to know when that's happening so they can put a stop to it.
I work in ops, that's called "shadow IT" and it's a huge problem. It's really prevalent now because most SaaS is marketed toward individuals/small teams rather than marketing toward the business itself, so you get people within an org spinning up trials and free versions, putting company data into it with zero oversight, and often IT doesn't know about it until the quarterly budget review when they find out from accounting that it's been blown on software purchased outside of the IT org, now it's "critical" to operations and we're forced to onboard/support it.
Obviously these code snippets won't work for SaaS, but a notification pop-up along the lines of "We see you're on a company device. Please contact your IT administrator to proceed with your free trial" would be great, but would kill a big sales avenue.
People that run an AD domain for their home lab, people that use apple configurator to create profiles for their own devices (can enable some settings/features that are otherwise gated behind using an MDM profile - like shared iPads), etc.
On the flip side, you are also missing all of the solopreneurs using your software for commercial use but obviously aren't spinning up a whole endpoint IT infrastructure to manage their own single device. Or contractors doing BYOD without MDM enrollment. Or small businesses/startups that are mostly BYOD, or don't do any kind of endpoint/device management...
I mean, “many” people use SaaS apps which utilize MDM on end user devices, but many parents I know who are in tech roll their own to filter the net for their kids devices and (to a much lesser extent) monitor them proactively.
> People that run an AD domain for their home lab, people that use apple configurator to create profiles for their own devices (can enable some settings/features that are otherwise gated behind using an MDM profile - like shared iPads), etc.
That's a tiny minority of your user base. You'll live. They'll live.
> So who are you going to catch, really?
Enterprises that are big enough to manage their fleet, but small enough to not enforce rules. Which is a good chunk of money.
The code snippets are the easy part here. Too easy to blindly deploy, because it might work for 95% of the cases. You know how these things go: KPM increased, move on to the next thing.
Yea, this seems to be sort of analogous to companies who check whether you have a rooted device in order to take some kind of action (usually preventing the software from running). If that's a shitty thing to do, then this is, too.
Software should not be in the business of trying to (badly) guess whether the user is the right sort of user, based on inexact signals from the operating system. As others pointed out, the false positives will be annoyed, and the true positives will sidestep your efforts.
How so? You think big corps would pressure corporate device management providers into making their services stealthier in order to avoid paying appropriate license fees for software that does this detection?
I'd always assume the worst of corporations but I think it's a little far fetched, probably doesn't affect their bottom line to just pay for the software.
I don't think so - most organisations and employees don't actively try to violate licenses, but if the path of least resistance is "eh" then individual employees definitely aren't going to bother. I bet there are thousands of people using the free version of MSVC commercially for example.
Depending on what action you take with this, I'd say it has a pretty good chance of tipping people into emailing IT to get a license.
You can already easily pirate the software by running it on your personal device for free, and the software would never know you were also working for a corporation that was supposed to buy a license.
Having a device enrolled in an MDM package does not make it a corporate device. Many corporations require personal devices be managed to support remote wiping. If I install a productivity or developer tool on my personal phone or laptop for personal non-corporate use I would get mistaken as a corporate user by this process.
If you want to collect this information you should be clear about it and know and understand your edge cases before you start attempting enforcement actions based on it if that is the intent.
In general in my experience, personal tools are a VERY hard market to sell into for corporate environments (I took a peek at what the software on OPs site requires a commercial license to use). I would bet most if not all of what you're catching here is unauthorized installs in a corporate environment and you're more likely to loose interested users than sell more commercial licenses.
>Many corporations require personal devices be managed to support remote wiping.
Corporations cannot require you to have your personal devices be managed by them. If you're surrendering your own gear to a company, it stops being your own device.
But they can require things of devices connected to their wifi or being brought to their premises. You are welcome to leave the device at home if you don't want to consent.
>connected to their wifi
Absolutely, it's their own network.
>being brought to their premises
Depends on the local laws. Where I live, they can either deal with it, or provide a secured storage space for the duration of the visit.
Either way, if a corporation wants their employees to use a device, they are obliged to make one available. Surrendering your private equipment to their management makes it not yours anymore.
As with every similar heavy-handed approach to enforcement you are making life difficult for the 99% of regular, honest users while the remaining 1% can trivially bypass it.
The post doesn't say what you should do with this information. You could just remind the user that they're supposed to buy a license for commercial use.
additionally with the proposal "put together a list of known corporate MDM server URLs in a public repository" I think the idea could be to only block users with an MDM server from that list. of course that would have to be quite a large list and maintaining it fairly could be a challenge
Given that paying for WinRAR is still a popular meme, these percentages look inaccurate.
I disagree, corporate systems will try to be transparent about being a corporate device. And they will not particularly be avoidant of software licensing, they may refuse to use the software, but they'd rather have that than use unlicensed software.
It seems like this makes things easier for everyone?
I use MDM on my own systems because it gives me a bit more control. It's also a superior form of device oversight for kids.
I’m curious to know how you use this on your kids devices. Which mdm do you use?
I have the same question.
What MDM is priced to make this scale reasonable?
Never trust software that doesn't trust you.
(And yeah, I know. That's a whole lot of software to never trust.)
It always seemed weird to me when people call shell binaries from the middle of a desktop app. What's wrong with finding the actual OS API instead?
It's a lot harder, and for these sort of things maybe not even possible.
But yeah generally it is better if you can do it.
I heard folks here used MDM to give themselves more control over Apple security features that they otherwise don’t. This code example and scenario penalizes them by side effect
much like https://sso.tax/ , if you need enterprisey features... someone thinks you can pay for it.
That's fine, there's no enforcement suggested though, maybe they get a popup asking about licenses, not necessarily a brick.
If it gets normalized for software to notice when there's MDM in play, do you really think it won't be treated as a strong signal and used to break things?
Curb your slippery slope buddy. I think it's more productive to speak about concrete news presented to us instead of the hypothetical consequences it might have, real or imagined.
This happens in a lot of software in the Windows world, too. As soon as you run it on a non-Home SKU you’re suddenly The Enterprise, even as a home-gamer.
I’ve used Pro (or Ultimate under Win 7) instead of Home for my personal devices since sometime in the XP era and literally never experienced this with anything.
Windows is gating a lot of basic configuration shit behind enterprise configs like Group Policies now, specifically so that the people slumming it on Home get all the ads, spyware, mandatory updates, stealthily enabled AI features, etc.
Normalizing this would start a game of cat & mouse, no?
(Anecdotally) I don't think most big corps using commercial software without a license are doing it intentionally/maliciously at an organizational level. Most of the time it's just individual employees downloading supposedly "free" software without reading the license and not realizing it isn't free for commercial use.
> Most of the time it's just individual employees downloading supposedly "free" software without reading the license and realizing it's not free for commercial use.
And chances are, that company's IT department would love to know when that's happening so they can put a stop to it.
I work in ops, that's called "shadow IT" and it's a huge problem. It's really prevalent now because most SaaS is marketed toward individuals/small teams rather than marketing toward the business itself, so you get people within an org spinning up trials and free versions, putting company data into it with zero oversight, and often IT doesn't know about it until the quarterly budget review when they find out from accounting that it's been blown on software purchased outside of the IT org, now it's "critical" to operations and we're forced to onboard/support it.
Obviously these code snippets won't work for SaaS, but a notification pop-up along the lines of "We see you're on a company device. Please contact your IT administrator to proceed with your free trial" would be great, but would kill a big sales avenue.
It sounds great from a sales and marketing perspective.
Instead of convincing the guys with the wallets to shell something out. Just convince the devs to npm install solution, and then send an invoice.
Win/win
Ah, the Oracle and Broadcom model - Java, Virtualbox, VMware, etc.
Woe betide thee who doesn't notice the difference between Oracle Java and OpenJDK.
That, and a lot of false positives.
People that run an AD domain for their home lab, people that use apple configurator to create profiles for their own devices (can enable some settings/features that are otherwise gated behind using an MDM profile - like shared iPads), etc.
On the flip side, you are also missing all of the solopreneurs using your software for commercial use but obviously aren't spinning up a whole endpoint IT infrastructure to manage their own single device. Or contractors doing BYOD without MDM enrollment. Or small businesses/startups that are mostly BYOD, or don't do any kind of endpoint/device management...
So who are you going to catch, really?
A lot of people use MDM for managing their kids devices (pinning DNS for filtering etc.)
First time I've seen "a lot of people" used to mean "practically nobody."
Just joking, but seriously, I've never heard of anyone doing this, and I think maybe 1 in 100 people would even know that it's possible.
I mean, “many” people use SaaS apps which utilize MDM on end user devices, but many parents I know who are in tech roll their own to filter the net for their kids devices and (to a much lesser extent) monitor them proactively.
> People that run an AD domain for their home lab, people that use apple configurator to create profiles for their own devices (can enable some settings/features that are otherwise gated behind using an MDM profile - like shared iPads), etc.
That's a tiny minority of your user base. You'll live. They'll live.
> So who are you going to catch, really?
Enterprises that are big enough to manage their fleet, but small enough to not enforce rules. Which is a good chunk of money.
The minority are typically also enthusiasts who serve as a multiplier. Alienating them isn’t the best strategy.
Below the code snippets the post states this is not a silver bullet, but only a starting point.
The code snippets are the easy part here. Too easy to blindly deploy, because it might work for 95% of the cases. You know how these things go: KPM increased, move on to the next thing.
Yea, this seems to be sort of analogous to companies who check whether you have a rooted device in order to take some kind of action (usually preventing the software from running). If that's a shitty thing to do, then this is, too.
Software should not be in the business of trying to (badly) guess whether the user is the right sort of user, based on inexact signals from the operating system. As others pointed out, the false positives will be annoyed, and the true positives will sidestep your efforts.
How so? You think big corps would pressure corporate device management providers into making their services stealthier in order to avoid paying appropriate license fees for software that does this detection?
I'd always assume the worst of corporations but I think it's a little far fetched, probably doesn't affect their bottom line to just pay for the software.
I don't think so - most organisations and employees don't actively try to violate licenses, but if the path of least resistance is "eh" then individual employees definitely aren't going to bother. I bet there are thousands of people using the free version of MSVC commercially for example.
Depending on what action you take with this, I'd say it has a pretty good chance of tipping people into emailing IT to get a license.
You can already easily pirate the software by running it on your personal device for free, and the software would never know you were also working for a corporation that was supposed to buy a license.
Oh no they'll find out my company is i.manage.microsoft.com/DeviceGatewayProxy/ioshandler.ashx?Platform=MacMDM