Having a device enrolled in an MDM package does not make it a corporate device. Many corporations require personal devices be managed to support remote wiping. If I install a productivity or developer tool on my personal phone or laptop for personal non-corporate use I would get mistaken as a corporate user by this process.
If you want to collect this information you should be clear about it and know and understand your edge cases before you start attempting enforcement actions based on it if that is the intent.
In general in my experience, personal tools are a VERY hard market to sell into for corporate environments (I took a peek at what the software on OPs site requires a commercial license to use). I would bet most if not all of what you're catching here is unauthorized installs in a corporate environment and you're more likely to loose interested users than sell more commercial licenses.
>Many corporations require personal devices be managed to support remote wiping.
Corporations cannot require you to have your personal devices be managed by them. If you're surrendering your own gear to a company, it stops being your own device.
Yeah you're 100% right that it's optional. It's usually only required to allow company data such as email, slack, file sharing etc on your personal device. If you're on-call it is VERY rare for an employee to win a fight on making the company provide a dedicated device for that purpose (which can inherently make it a condition of your job but that's an exception).
Most employees tend to not care about the why and are happy to just do it making "you" (the one bucking the trend) the oddball. The one not being the team player. It's not legally required, and you won't be fired for it, but its strongly socially encouraged and that makes it mandatory for anyone not willing to put up that fight.
But they can require things of devices connected to their wifi or being brought to their premises. You are welcome to leave the device at home if you don't want to consent.
Depends on the local laws. Where I live, they can either deal with it, or provide a secured storage space for the duration of the visit.
Either way, if a corporation wants their employees to use a device, they are obliged to make one available. Surrendering your private equipment to their management makes it not yours anymore.
As with every similar heavy-handed approach to enforcement you are making life difficult for the 99% of regular, honest users while the remaining 1% can trivially bypass it.
The post doesn't say what you should do with this information. You could just remind the user that they're supposed to buy a license for commercial use.
additionally with the proposal "put together a list of known corporate MDM server URLs in a public repository" I think the idea could be to only block users with an MDM server from that list. of course that would have to be quite a large list and maintaining it fairly could be a challenge
I disagree, corporate systems will try to be transparent about being a corporate device. And they will not particularly be avoidant of software licensing, they may refuse to use the software, but they'd rather have that than use unlicensed software.
It seems like this makes things easier for everyone?
There appear to be ulterior sociopolitical motives held by the author, which involve using the blanket term "genocide-friendly software" [1] to refer to anything OSI-licensed (implicitly suggesting all contributors to anything not using his homebrewed license are supporters of genocide?)
This does not look like a technical or business decision, but rather a malicious function used to identify users (and/or their employers) for arbitrary reasons, under the guise of "licensing compliance."
While the whole genocide thing is a bit of an odd angle (though hardly a new one, the author themselves links to the FSF statement on free software used for evil), I get the idea of checking for corporate installs.
The next step wouldn't be anything crazy like "MDM detected, send invoice to corporate"; there are too many false positives. It's better to use the MDM profile information to filter out the larger corporate MDM providers (InTune etc.) and filter out school MDMs before taking any action.
Most software isn't important enough to pirate if the company in question needs to comply with certain standards (ISO etc.) where an auditor might catch such a popup and make it a problem. Plus, IT probably wants you to stop downloading freeware onto corporate devices anyway. Risking being slightly annoying to people with corporate devices may very well help more people than it hurts.
Most software license violations I've spotted were purely accidental, at least at the start. An (occasional?) popup saying "hey, you need a corporate license to use this product for business use" may be enough to scare people away from your software (ending the violation). Convincing someone with financial power to buy your software is harder than making people seek out an alternative, but at least your software is less likely to be used by freebooters.
I tried to find the correct API for getting the current MDM enrollment status on macOS but I can't find anything other than people suggesting command line tools. Unless you're an MDM application yourself, I don't think there is an official API.
I heard folks here used MDM to give themselves more control over Apple security features that they otherwise don’t. This code example and scenario penalizes them by side effect
If it gets normalized for software to notice when there's MDM in play, do you really think it won't be treated as a strong signal and used to break things?
Curb your slippery slope buddy. I think it's more productive to speak about concrete news presented to us instead of the hypothetical consequences it might have, real or imagined.
This happens in a lot of software in the Windows world, too. As soon as you run it on a non-Home SKU you’re suddenly The Enterprise, even as a home-gamer.
I’ve used Pro (or Ultimate under Win 7) instead of Home for my personal devices since sometime in the XP era and literally never experienced this with anything.
Windows is gating a lot of basic configuration shit behind enterprise configs like Group Policies now, specifically so that the people slumming it on Home get all the ads, spyware, mandatory updates, stealthily enabled AI features, etc.
(Anecdotally) I don't think most big corps using commercial software without a license are doing it intentionally/maliciously at an organizational level. Most of the time it's just individual employees downloading supposedly "free" software without reading the license and not realizing it isn't free for commercial use.
> Most of the time it's just individual employees downloading supposedly "free" software without reading the license and realizing it's not free for commercial use.
And chances are, that company's IT department would love to know when that's happening so they can put a stop to it.
I work in ops, that's called "shadow IT" and it's a huge problem. It's really prevalent now because most SaaS is marketed toward individuals/small teams rather than marketing toward the business itself, so you get people within an org spinning up trials and free versions, putting company data into it with zero oversight, and often IT doesn't know about it until the quarterly budget review when they find out from accounting that it's been blown on software purchased outside of the IT org, now it's "critical" to operations and we're forced to onboard/support it.
Obviously these code snippets won't work for SaaS, but a notification pop-up along the lines of "We see you're on a company device. Please contact your IT administrator to proceed with your free trial" would be great, but would kill a big sales avenue.
People that run an AD domain for their home lab, people that use apple configurator to create profiles for their own devices (can enable some settings/features that are otherwise gated behind using an MDM profile - like shared iPads), etc.
On the flip side, you are also missing all of the solopreneurs using your software for commercial use but obviously aren't spinning up a whole endpoint IT infrastructure to manage their own single device. Or contractors doing BYOD without MDM enrollment. Or small businesses/startups that are mostly BYOD, or don't do any kind of endpoint/device management...
I can't say much about the macOS market, but I do know that MDM-style APIs are practically the only way to write a third party control app for mobile devices. With the way Apple is moving macOS more and more towards their control, this may happen on the desktop in the future as well.
Schools also tend to use MDMs, but often in combination with Chromebooks which don't typically run third party software anyway.
I mean, “many” people use SaaS apps which utilize MDM on end user devices, but many parents I know who are in tech roll their own to filter the net for their kids devices and (to a much lesser extent) monitor them proactively.
> People that run an AD domain for their home lab, people that use apple configurator to create profiles for their own devices (can enable some settings/features that are otherwise gated behind using an MDM profile - like shared iPads), etc.
That's a tiny minority of your user base. You'll live. They'll live.
> So who are you going to catch, really?
Enterprises that are big enough to manage their fleet, but small enough to not enforce rules. Which is a good chunk of money.
The code snippets are the easy part here. Too easy to blindly deploy, because it might work for 95% of the cases. You know how these things go: KPM increased, move on to the next thing.
Yea, this seems to be sort of analogous to companies who check whether you have a rooted device in order to take some kind of action (usually preventing the software from running). If that's a shitty thing to do, then this is, too.
Software should not be in the business of trying to (badly) guess whether the user is the right sort of user, based on inexact signals from the operating system. As others pointed out, the false positives will be annoyed, and the true positives will sidestep your efforts.
How so? You think big corps would pressure corporate device management providers into making their services stealthier in order to avoid paying appropriate license fees for software that does this detection?
I'd always assume the worst of corporations but I think it's a little far fetched, probably doesn't affect their bottom line to just pay for the software.
I don't think you will ever see this normalized, because it's a really dumb idea.
You certainly can observe a correlation between a "corporate customer" and MDM/GPO and use that as a heuristic. But it's like relying on the color of the sky to determine temperature: "Is it grey? Well then it's obviously cold." It's a leaky abstraction.
I don't think so - most organisations and employees don't actively try to violate licenses, but if the path of least resistance is "eh" then individual employees definitely aren't going to bother. I bet there are thousands of people using the free version of MSVC commercially for example.
Depending on what action you take with this, I'd say it has a pretty good chance of tipping people into emailing IT to get a license.
You can already easily pirate the software by running it on your personal device for free, and the software would never know you were also working for a corporation that was supposed to buy a license.
Having a device enrolled in an MDM package does not make it a corporate device. Many corporations require personal devices be managed to support remote wiping. If I install a productivity or developer tool on my personal phone or laptop for personal non-corporate use I would get mistaken as a corporate user by this process.
If you want to collect this information you should be clear about it and know and understand your edge cases before you start attempting enforcement actions based on it if that is the intent.
In general in my experience, personal tools are a VERY hard market to sell into for corporate environments (I took a peek at what the software on OPs site requires a commercial license to use). I would bet most if not all of what you're catching here is unauthorized installs in a corporate environment and you're more likely to loose interested users than sell more commercial licenses.
>Many corporations require personal devices be managed to support remote wiping.
Corporations cannot require you to have your personal devices be managed by them. If you're surrendering your own gear to a company, it stops being your own device.
Yeah you're 100% right that it's optional. It's usually only required to allow company data such as email, slack, file sharing etc on your personal device. If you're on-call it is VERY rare for an employee to win a fight on making the company provide a dedicated device for that purpose (which can inherently make it a condition of your job but that's an exception).
Most employees tend to not care about the why and are happy to just do it making "you" (the one bucking the trend) the oddball. The one not being the team player. It's not legally required, and you won't be fired for it, but its strongly socially encouraged and that makes it mandatory for anyone not willing to put up that fight.
But they can require things of devices connected to their wifi or being brought to their premises. You are welcome to leave the device at home if you don't want to consent.
>connected to their wifi
Absolutely, it's their own network.
>being brought to their premises
Depends on the local laws. Where I live, they can either deal with it, or provide a secured storage space for the duration of the visit.
Either way, if a corporation wants their employees to use a device, they are obliged to make one available. Surrendering your private equipment to their management makes it not yours anymore.
As with every similar heavy-handed approach to enforcement you are making life difficult for the 99% of regular, honest users while the remaining 1% can trivially bypass it.
The post doesn't say what you should do with this information. You could just remind the user that they're supposed to buy a license for commercial use.
additionally with the proposal "put together a list of known corporate MDM server URLs in a public repository" I think the idea could be to only block users with an MDM server from that list. of course that would have to be quite a large list and maintaining it fairly could be a challenge
Given that paying for WinRAR is still a popular meme, these percentages look inaccurate.
I disagree, corporate systems will try to be transparent about being a corporate device. And they will not particularly be avoidant of software licensing, they may refuse to use the software, but they'd rather have that than use unlicensed software.
It seems like this makes things easier for everyone?
I use MDM on my own systems because it gives me a bit more control. It's also a superior form of device oversight for kids.
I’m curious to know how you use this on your kids devices. Which mdm do you use?
I have the same question.
What MDM is priced to make this scale reasonable?
Never trust software that doesn't trust you.
(And yeah, I know. That's a whole lot of software to never trust.)
There appear to be ulterior sociopolitical motives held by the author, which involve using the blanket term "genocide-friendly software" [1] to refer to anything OSI-licensed (implicitly suggesting all contributors to anything not using his homebrewed license are supporters of genocide?)
This does not look like a technical or business decision, but rather a malicious function used to identify users (and/or their employers) for arbitrary reasons, under the guise of "licensing compliance."
[1] https://github.com/LGUG2Z/komorebi-license?tab=readme-ov-fil...
While the whole genocide thing is a bit of an odd angle (though hardly a new one, the author themselves links to the FSF statement on free software used for evil), I get the idea of checking for corporate installs.
The next step wouldn't be anything crazy like "MDM detected, send invoice to corporate"; there are too many false positives. It's better to use the MDM profile information to filter out the larger corporate MDM providers (InTune etc.) and filter out school MDMs before taking any action.
Most software isn't important enough to pirate if the company in question needs to comply with certain standards (ISO etc.) where an auditor might catch such a popup and make it a problem. Plus, IT probably wants you to stop downloading freeware onto corporate devices anyway. Risking being slightly annoying to people with corporate devices may very well help more people than it hurts.
Most software license violations I've spotted were purely accidental, at least at the start. An (occasional?) popup saying "hey, you need a corporate license to use this product for business use" may be enough to scare people away from your software (ending the violation). Convincing someone with financial power to buy your software is harder than making people seek out an alternative, but at least your software is less likely to be used by freebooters.
It always seemed weird to me when people call shell binaries from the middle of a desktop app. What's wrong with finding the actual OS API instead?
I tried to find the correct API for getting the current MDM enrollment status on macOS but I can't find anything other than people suggesting command line tools. Unless you're an MDM application yourself, I don't think there is an official API.
It's a lot harder, and for these sort of things maybe not even possible.
But yeah generally it is better if you can do it.
I heard folks here used MDM to give themselves more control over Apple security features that they otherwise don’t. This code example and scenario penalizes them by side effect
much like https://sso.tax/ , if you need enterprisey features... someone thinks you can pay for it.
That's fine, there's no enforcement suggested though, maybe they get a popup asking about licenses, not necessarily a brick.
If it gets normalized for software to notice when there's MDM in play, do you really think it won't be treated as a strong signal and used to break things?
Curb your slippery slope buddy. I think it's more productive to speak about concrete news presented to us instead of the hypothetical consequences it might have, real or imagined.
This happens in a lot of software in the Windows world, too. As soon as you run it on a non-Home SKU you’re suddenly The Enterprise, even as a home-gamer.
I’ve used Pro (or Ultimate under Win 7) instead of Home for my personal devices since sometime in the XP era and literally never experienced this with anything.
Windows is gating a lot of basic configuration shit behind enterprise configs like Group Policies now, specifically so that the people slumming it on Home get all the ads, spyware, mandatory updates, stealthily enabled AI features, etc.
Normalizing this would start a game of cat & mouse, no?
(Anecdotally) I don't think most big corps using commercial software without a license are doing it intentionally/maliciously at an organizational level. Most of the time it's just individual employees downloading supposedly "free" software without reading the license and not realizing it isn't free for commercial use.
> Most of the time it's just individual employees downloading supposedly "free" software without reading the license and realizing it's not free for commercial use.
And chances are, that company's IT department would love to know when that's happening so they can put a stop to it.
I work in ops, that's called "shadow IT" and it's a huge problem. It's really prevalent now because most SaaS is marketed toward individuals/small teams rather than marketing toward the business itself, so you get people within an org spinning up trials and free versions, putting company data into it with zero oversight, and often IT doesn't know about it until the quarterly budget review when they find out from accounting that it's been blown on software purchased outside of the IT org, now it's "critical" to operations and we're forced to onboard/support it.
Obviously these code snippets won't work for SaaS, but a notification pop-up along the lines of "We see you're on a company device. Please contact your IT administrator to proceed with your free trial" would be great, but would kill a big sales avenue.
It sounds great from a sales and marketing perspective.
Instead of convincing the guys with the wallets to shell something out. Just convince the devs to npm install solution, and then send an invoice.
Win/win
Ah, the Oracle and Broadcom model - Java, Virtualbox, VMware, etc.
Woe betide thee who doesn't notice the difference between Oracle Java and OpenJDK.
That, and a lot of false positives.
People that run an AD domain for their home lab, people that use apple configurator to create profiles for their own devices (can enable some settings/features that are otherwise gated behind using an MDM profile - like shared iPads), etc.
On the flip side, you are also missing all of the solopreneurs using your software for commercial use but obviously aren't spinning up a whole endpoint IT infrastructure to manage their own single device. Or contractors doing BYOD without MDM enrollment. Or small businesses/startups that are mostly BYOD, or don't do any kind of endpoint/device management...
So who are you going to catch, really?
A lot of people use MDM for managing their kids devices (pinning DNS for filtering etc.)
First time I've seen "a lot of people" used to mean "practically nobody."
Just joking, but seriously, I've never heard of anyone doing this, and I think maybe 1 in 100 people would even know that it's possible.
I can't say much about the macOS market, but I do know that MDM-style APIs are practically the only way to write a third party control app for mobile devices. With the way Apple is moving macOS more and more towards their control, this may happen on the desktop in the future as well.
Schools also tend to use MDMs, but often in combination with Chromebooks which don't typically run third party software anyway.
I mean, “many” people use SaaS apps which utilize MDM on end user devices, but many parents I know who are in tech roll their own to filter the net for their kids devices and (to a much lesser extent) monitor them proactively.
> People that run an AD domain for their home lab, people that use apple configurator to create profiles for their own devices (can enable some settings/features that are otherwise gated behind using an MDM profile - like shared iPads), etc.
That's a tiny minority of your user base. You'll live. They'll live.
> So who are you going to catch, really?
Enterprises that are big enough to manage their fleet, but small enough to not enforce rules. Which is a good chunk of money.
The minority are typically also enthusiasts who serve as a multiplier. Alienating them isn’t the best strategy.
Below the code snippets the post states this is not a silver bullet, but only a starting point.
The code snippets are the easy part here. Too easy to blindly deploy, because it might work for 95% of the cases. You know how these things go: KPM increased, move on to the next thing.
Yea, this seems to be sort of analogous to companies who check whether you have a rooted device in order to take some kind of action (usually preventing the software from running). If that's a shitty thing to do, then this is, too.
Software should not be in the business of trying to (badly) guess whether the user is the right sort of user, based on inexact signals from the operating system. As others pointed out, the false positives will be annoyed, and the true positives will sidestep your efforts.
How so? You think big corps would pressure corporate device management providers into making their services stealthier in order to avoid paying appropriate license fees for software that does this detection?
I'd always assume the worst of corporations but I think it's a little far fetched, probably doesn't affect their bottom line to just pay for the software.
I don't think you will ever see this normalized, because it's a really dumb idea.
You certainly can observe a correlation between a "corporate customer" and MDM/GPO and use that as a heuristic. But it's like relying on the color of the sky to determine temperature: "Is it grey? Well then it's obviously cold." It's a leaky abstraction.
I don't think so - most organisations and employees don't actively try to violate licenses, but if the path of least resistance is "eh" then individual employees definitely aren't going to bother. I bet there are thousands of people using the free version of MSVC commercially for example.
Depending on what action you take with this, I'd say it has a pretty good chance of tipping people into emailing IT to get a license.
You can already easily pirate the software by running it on your personal device for free, and the software would never know you were also working for a corporation that was supposed to buy a license.
Oh no they'll find out my company is i.manage.microsoft.com/DeviceGatewayProxy/ioshandler.ashx?Platform=MacMDM