As with every similar heavy-handed approach to enforcement you are making life difficult for the 99% of regular, honest users while the remaining 1% can trivially bypass it.
The post doesn't say what you should do with this information. You could just remind the user that they're supposed to buy a license for commercial use.
additionally with the proposal "put together a list of known corporate MDM server URLs in a public repository" I think the idea could be to only block users with an MDM server from that list. of course that would have to be quite a large list and maintaining it fairly could be a challenge
I disagree, corporate systems will try to be transparent about being a corporate device. And they will not particularly be avoidant of software licensing, they may refuse to use the software, but they'd rather have that than use unlicensed software.
It seems like this makes things easier for everyone?
Having a device enrolled in an MDM package does not make it a corporate device. Many corporations require personal devices be managed to support remote wiping. If I install a productivity or developer tool on my personal phone or laptop for personal non-corporate use I would get mistaken as a corporate user by this process.
If you want to collect this information you should be clear about it and know and understand your edge cases before you start attempting enforcement actions based on it if that is the intent.
In general in my experience, personal tools are a VERY hard market to sell into for corporate environments (I took a peek at what the software on OPs site requires a commercial license to use). I would bet most if not all of what you're catching here is unauthorized installs in a corporate environment and you're more likely to loose interested users than sell more commercial licenses.
>Many corporations require personal devices be managed to support remote wiping.
Corporations cannot require you to have your personal devices be managed by them. If you're surrendering your own gear to a company, it stops being your own device.
But they can require things of devices connected to their wifi or being brought to their premises. You are welcome to leave the device at home if you don't want to consent.
Depends on the local laws. Where I live, they can either deal with it, or provide a secured storage space for the duration of the visit.
Either way, if a corporation wants their employees to use a device, they are obliged to make one available. Surrendering your private equipment to their management makes it not yours anymore.
Yeah you're 100% right that it's optional. It's usually only required to allow company data such as email, slack, file sharing etc on your personal device. If you're on-call it is VERY rare for an employee to win a fight on making the company provide a dedicated device for that purpose (which can inherently make it a condition of your job but that's an exception).
Most employees tend to not care about the why and are happy to just do it making "you" (the one bucking the trend) the oddball. The one not being the team player. It's not legally required, and you won't be fired for it, but its strongly socially encouraged and that makes it mandatory for anyone not willing to put up that fight.
On iOS there is the concept of "Managed Apps" that is appropriate for a BYOD scenario. They are info sandboxed and can't share information (either direction) with unmanaged apps. That would count as an MDM enrollment, if you are looking for it.
There appear to be ulterior sociopolitical motives held by the author, which involve using the blanket term "genocide-friendly software" [1] to refer to anything OSI-licensed (implicitly suggesting all contributors to anything not using his homebrewed license are supporters of genocide?)
This does not look like a technical or business decision, but rather a malicious function used to identify users (and/or their employers) for arbitrary reasons, under the guise of "licensing compliance."
While the whole genocide thing is a bit of an odd angle (though hardly a new one, the author themselves links to the FSF statement on free software used for evil), I get the idea of checking for corporate installs.
The next step wouldn't be anything crazy like "MDM detected, send invoice to corporate"; there are too many false positives. It's better to use the MDM profile information to filter out the larger corporate MDM providers (InTune etc.) and filter out school MDMs before taking any action.
Most software isn't important enough to pirate if the company in question needs to comply with certain standards (ISO etc.) where an auditor might catch such a popup and make it a problem. Plus, IT probably wants you to stop downloading freeware onto corporate devices anyway. Risking being slightly annoying to people with corporate devices may very well help more people than it hurts.
Most software license violations I've spotted were purely accidental, at least at the start. An (occasional?) popup saying "hey, you need a corporate license to use this product for business use" may be enough to scare people away from your software (ending the violation). Convincing someone with financial power to buy your software is harder than making people seek out an alternative, but at least your software is less likely to be used by freebooters.
He describes OSI licenses as “genocide-friendly”, and links to the OSI page about how their licenses don’t prohibit the software being used for “evil”.
Yet his own license also has no such prohibition.
You are free to commit genocide using his tiling window manager, provided that your genocide is strictly non-commercial.
I tried to find the correct API for getting the current MDM enrollment status on macOS but I can't find anything other than people suggesting command line tools. Unless you're an MDM application yourself, I don't think there is an official API.
I heard folks here used MDM to give themselves more control over Apple security features that they otherwise don’t. This code example and scenario penalizes them by side effect
If it gets normalized for software to notice when there's MDM in play, do you really think it won't be treated as a strong signal and used to break things?
Curb your slippery slope buddy. I think it's more productive to speak about concrete news presented to us instead of the hypothetical consequences it might have, real or imagined.
This happens in a lot of software in the Windows world, too. As soon as you run it on a non-Home SKU you’re suddenly The Enterprise, even as a home-gamer.
I’ve used Pro (or Ultimate under Win 7) instead of Home for my personal devices since sometime in the XP era and literally never experienced this with anything.
Windows is gating a lot of basic configuration shit behind enterprise configs like Group Policies now, specifically so that the people slumming it on Home get all the ads, spyware, mandatory updates, stealthily enabled AI features, etc.
(Anecdotally) I don't think most big corps using commercial software without a license are doing it intentionally/maliciously at an organizational level. Most of the time it's just individual employees downloading supposedly "free" software without reading the license and not realizing it isn't free for commercial use.
> Most of the time it's just individual employees downloading supposedly "free" software without reading the license and realizing it's not free for commercial use.
And chances are, that company's IT department would love to know when that's happening so they can put a stop to it.
I work in ops, that's called "shadow IT" and it's a huge problem. It's really prevalent now because most SaaS is marketed toward individuals/small teams rather than marketing toward the business itself, so you get people within an org spinning up trials and free versions, putting company data into it with zero oversight, and often IT doesn't know about it until the quarterly budget review when they find out from accounting that it's been blown on software purchased outside of the IT org, now it's "critical" to operations and we're forced to onboard/support it.
Obviously these code snippets won't work for SaaS, but a notification pop-up along the lines of "We see you're on a company device. Please contact your IT administrator to proceed with your free trial" would be great, but would kill a big sales avenue.
No joke. Oracle will (happily) sink your company in license fees and litigation if they so much as git a whiff of Oracle Java being used commercially, accidentally or not.
You have violated my license by replying to my comment. Pay me $10,000 or my lawyer will be in touch.
Obviously this is sarcasm. But what if it wasn't - would you think it was sensible? Comment writers need to get paid, so it's reasonable, yeah?
Part of Oracle's business model is tricking you into thinking you don't need to pay to use stuff, then extracting a much bigger payment in the resulting lawsuit.
I don't find this to be always the case, there's many relationships were the nature of work cannot be established beforehand and we have open accounts, if you ever received an invoice you were part of such an account.
The proposal is simple, if you ever need a service and you request it of me, I will send you an invoice. It is implied in the request of my service that I would get paid, absent any negotiation for payment, I will send my best estimation.
Similarly if you download my software, absent any license, I have the right to send you an invoice. The fact that there's a license that explicitly mentions this is a nail on the coffin on the part of Oracle, but even without it there's quantum meruit.
People that run an AD domain for their home lab, people that use apple configurator to create profiles for their own devices (can enable some settings/features that are otherwise gated behind using an MDM profile - like shared iPads), etc.
On the flip side, you are also missing all of the solopreneurs using your software for commercial use but obviously aren't spinning up a whole endpoint IT infrastructure to manage their own single device. Or contractors doing BYOD without MDM enrollment. Or small businesses/startups that are mostly BYOD, or don't do any kind of endpoint/device management...
I can't say much about the macOS market, but I do know that MDM-style APIs are practically the only way to write a third party control app for mobile devices. With the way Apple is moving macOS more and more towards their control, this may happen on the desktop in the future as well.
Schools also tend to use MDMs, but often in combination with Chromebooks which don't typically run third party software anyway.
For certain types of apps from the mac app store vs installed directly (mostly VPNs), they also have to use the MDM APIs and install profiles on the device to function.
So if a home user, for example, uses Tailscale and installed it via the mac app store, they'd flag as being MDM managed if the software used the code in the article.
Fonts on iPad work the same way, the font apps install an MDM profile to install the fonts on the device because Apple gates this behind that for some stupid reason.
Like you said, I suspect doing things through configuration/MDM profiles is going to become more and more common on desktop like it has on mobile.
I mean, “many” people use SaaS apps which utilize MDM on end user devices, but many parents I know who are in tech roll their own to filter the net for their kids devices and (to a much lesser extent) monitor them proactively.
> People that run an AD domain for their home lab, people that use apple configurator to create profiles for their own devices (can enable some settings/features that are otherwise gated behind using an MDM profile - like shared iPads), etc.
That's a tiny minority of your user base. You'll live. They'll live.
> So who are you going to catch, really?
Enterprises that are big enough to manage their fleet, but small enough to not enforce rules. Which is a good chunk of money.
The code snippets are the easy part here. Too easy to blindly deploy, because it might work for 95% of the cases. You know how these things go: KPM increased, move on to the next thing.
If you aim for large-scale Enterprise sales (which you should if you take this step), no, the folks running home labs are not usually the ones making decisions.
Yea, this seems to be sort of analogous to companies who check whether you have a rooted device in order to take some kind of action (usually preventing the software from running). If that's a shitty thing to do, then this is, too.
Software should not be in the business of trying to (badly) guess whether the user is the right sort of user, based on inexact signals from the operating system. As others pointed out, the false positives will be annoyed, and the true positives will sidestep your efforts.
How so? You think big corps would pressure corporate device management providers into making their services stealthier in order to avoid paying appropriate license fees for software that does this detection?
I'd always assume the worst of corporations but I think it's a little far fetched, probably doesn't affect their bottom line to just pay for the software.
I don't think you will ever see this normalized, because it's a really dumb idea.
You certainly can observe a correlation between a "corporate customer" and MDM/GPO and use that as a heuristic. But it's like relying on the color of the sky to determine temperature: "Is it grey? Well then it's obviously cold." It's a leaky abstraction.
I don't think so - most organisations and employees don't actively try to violate licenses, but if the path of least resistance is "eh" then individual employees definitely aren't going to bother. I bet there are thousands of people using the free version of MSVC commercially for example.
Depending on what action you take with this, I'd say it has a pretty good chance of tipping people into emailing IT to get a license.
You can already easily pirate the software by running it on your personal device for free, and the software would never know you were also working for a corporation that was supposed to buy a license.
As with every similar heavy-handed approach to enforcement you are making life difficult for the 99% of regular, honest users while the remaining 1% can trivially bypass it.
The post doesn't say what you should do with this information. You could just remind the user that they're supposed to buy a license for commercial use.
additionally with the proposal "put together a list of known corporate MDM server URLs in a public repository" I think the idea could be to only block users with an MDM server from that list. of course that would have to be quite a large list and maintaining it fairly could be a challenge
I disagree, corporate systems will try to be transparent about being a corporate device. And they will not particularly be avoidant of software licensing, they may refuse to use the software, but they'd rather have that than use unlicensed software.
It seems like this makes things easier for everyone?
Given that paying for WinRAR is still a popular meme, these percentages look inaccurate.
I use MDM on my own systems because it gives me a bit more control. It's also a superior form of device oversight for kids.
I’m curious to know how you use this on your kids devices. Which mdm do you use?
I have the same question.
What MDM is priced to make this scale reasonable?
Having a device enrolled in an MDM package does not make it a corporate device. Many corporations require personal devices be managed to support remote wiping. If I install a productivity or developer tool on my personal phone or laptop for personal non-corporate use I would get mistaken as a corporate user by this process.
If you want to collect this information you should be clear about it and know and understand your edge cases before you start attempting enforcement actions based on it if that is the intent.
In general in my experience, personal tools are a VERY hard market to sell into for corporate environments (I took a peek at what the software on OPs site requires a commercial license to use). I would bet most if not all of what you're catching here is unauthorized installs in a corporate environment and you're more likely to loose interested users than sell more commercial licenses.
>Many corporations require personal devices be managed to support remote wiping.
Corporations cannot require you to have your personal devices be managed by them. If you're surrendering your own gear to a company, it stops being your own device.
But they can require things of devices connected to their wifi or being brought to their premises. You are welcome to leave the device at home if you don't want to consent.
>connected to their wifi
Absolutely, it's their own network.
>being brought to their premises
Depends on the local laws. Where I live, they can either deal with it, or provide a secured storage space for the duration of the visit.
Either way, if a corporation wants their employees to use a device, they are obliged to make one available. Surrendering your private equipment to their management makes it not yours anymore.
Yeah you're 100% right that it's optional. It's usually only required to allow company data such as email, slack, file sharing etc on your personal device. If you're on-call it is VERY rare for an employee to win a fight on making the company provide a dedicated device for that purpose (which can inherently make it a condition of your job but that's an exception).
Most employees tend to not care about the why and are happy to just do it making "you" (the one bucking the trend) the oddball. The one not being the team player. It's not legally required, and you won't be fired for it, but its strongly socially encouraged and that makes it mandatory for anyone not willing to put up that fight.
On iOS there is the concept of "Managed Apps" that is appropriate for a BYOD scenario. They are info sandboxed and can't share information (either direction) with unmanaged apps. That would count as an MDM enrollment, if you are looking for it.
Never trust software that doesn't trust you.
(And yeah, I know. That's a whole lot of software to never trust.)
There appear to be ulterior sociopolitical motives held by the author, which involve using the blanket term "genocide-friendly software" [1] to refer to anything OSI-licensed (implicitly suggesting all contributors to anything not using his homebrewed license are supporters of genocide?)
This does not look like a technical or business decision, but rather a malicious function used to identify users (and/or their employers) for arbitrary reasons, under the guise of "licensing compliance."
[1] https://github.com/LGUG2Z/komorebi-license?tab=readme-ov-fil...
While the whole genocide thing is a bit of an odd angle (though hardly a new one, the author themselves links to the FSF statement on free software used for evil), I get the idea of checking for corporate installs.
The next step wouldn't be anything crazy like "MDM detected, send invoice to corporate"; there are too many false positives. It's better to use the MDM profile information to filter out the larger corporate MDM providers (InTune etc.) and filter out school MDMs before taking any action.
Most software isn't important enough to pirate if the company in question needs to comply with certain standards (ISO etc.) where an auditor might catch such a popup and make it a problem. Plus, IT probably wants you to stop downloading freeware onto corporate devices anyway. Risking being slightly annoying to people with corporate devices may very well help more people than it hurts.
Most software license violations I've spotted were purely accidental, at least at the start. An (occasional?) popup saying "hey, you need a corporate license to use this product for business use" may be enough to scare people away from your software (ending the violation). Convincing someone with financial power to buy your software is harder than making people seek out an alternative, but at least your software is less likely to be used by freebooters.
He describes OSI licenses as “genocide-friendly”, and links to the OSI page about how their licenses don’t prohibit the software being used for “evil”.
Yet his own license also has no such prohibition. You are free to commit genocide using his tiling window manager, provided that your genocide is strictly non-commercial.
It always seemed weird to me when people call shell binaries from the middle of a desktop app. What's wrong with finding the actual OS API instead?
I tried to find the correct API for getting the current MDM enrollment status on macOS but I can't find anything other than people suggesting command line tools. Unless you're an MDM application yourself, I don't think there is an official API.
It's a lot harder, and for these sort of things maybe not even possible.
But yeah generally it is better if you can do it.
I heard folks here used MDM to give themselves more control over Apple security features that they otherwise don’t. This code example and scenario penalizes them by side effect
much like https://sso.tax/ , if you need enterprisey features... someone thinks you can pay for it.
That's fine, there's no enforcement suggested though, maybe they get a popup asking about licenses, not necessarily a brick.
If it gets normalized for software to notice when there's MDM in play, do you really think it won't be treated as a strong signal and used to break things?
Curb your slippery slope buddy. I think it's more productive to speak about concrete news presented to us instead of the hypothetical consequences it might have, real or imagined.
And that's how we get an industry full of entirely predictable consequences.
This happens in a lot of software in the Windows world, too. As soon as you run it on a non-Home SKU you’re suddenly The Enterprise, even as a home-gamer.
I’ve used Pro (or Ultimate under Win 7) instead of Home for my personal devices since sometime in the XP era and literally never experienced this with anything.
I've never had a problem with Pro either.
I ran actual server windows for a while, and one single program refused that (Backblaze).
Windows is gating a lot of basic configuration shit behind enterprise configs like Group Policies now, specifically so that the people slumming it on Home get all the ads, spyware, mandatory updates, stealthily enabled AI features, etc.
Normalizing this would start a game of cat & mouse, no?
(Anecdotally) I don't think most big corps using commercial software without a license are doing it intentionally/maliciously at an organizational level. Most of the time it's just individual employees downloading supposedly "free" software without reading the license and not realizing it isn't free for commercial use.
> Most of the time it's just individual employees downloading supposedly "free" software without reading the license and realizing it's not free for commercial use.
And chances are, that company's IT department would love to know when that's happening so they can put a stop to it.
I work in ops, that's called "shadow IT" and it's a huge problem. It's really prevalent now because most SaaS is marketed toward individuals/small teams rather than marketing toward the business itself, so you get people within an org spinning up trials and free versions, putting company data into it with zero oversight, and often IT doesn't know about it until the quarterly budget review when they find out from accounting that it's been blown on software purchased outside of the IT org, now it's "critical" to operations and we're forced to onboard/support it.
Obviously these code snippets won't work for SaaS, but a notification pop-up along the lines of "We see you're on a company device. Please contact your IT administrator to proceed with your free trial" would be great, but would kill a big sales avenue.
It sounds great from a sales and marketing perspective.
Instead of convincing the guys with the wallets to shell something out. Just convince the devs to npm install solution, and then send an invoice.
Win/win
Ah, the Oracle and Broadcom model - Java, Virtualbox, VMware, etc.
Woe betide thee who doesn't notice the difference between Oracle Java and OpenJDK.
No joke. Oracle will (happily) sink your company in license fees and litigation if they so much as git a whiff of Oracle Java being used commercially, accidentally or not.
As a software dev, that looks good to me. Software devs need to get paid.
You have violated my license by replying to my comment. Pay me $10,000 or my lawyer will be in touch.
Obviously this is sarcasm. But what if it wasn't - would you think it was sensible? Comment writers need to get paid, so it's reasonable, yeah?
Part of Oracle's business model is tricking you into thinking you don't need to pay to use stuff, then extracting a much bigger payment in the resulting lawsuit.
Purchases should be consensual. Including the ones that pay for software devs.
I don't find this to be always the case, there's many relationships were the nature of work cannot be established beforehand and we have open accounts, if you ever received an invoice you were part of such an account.
The proposal is simple, if you ever need a service and you request it of me, I will send you an invoice. It is implied in the request of my service that I would get paid, absent any negotiation for payment, I will send my best estimation.
Similarly if you download my software, absent any license, I have the right to send you an invoice. The fact that there's a license that explicitly mentions this is a nail on the coffin on the part of Oracle, but even without it there's quantum meruit.
Oracle makes it very easy to hit by accident and charges way too much when it happens. It's bad behavior.
They are not charging based on benefit or use, or triple that.
That, and a lot of false positives.
People that run an AD domain for their home lab, people that use apple configurator to create profiles for their own devices (can enable some settings/features that are otherwise gated behind using an MDM profile - like shared iPads), etc.
On the flip side, you are also missing all of the solopreneurs using your software for commercial use but obviously aren't spinning up a whole endpoint IT infrastructure to manage their own single device. Or contractors doing BYOD without MDM enrollment. Or small businesses/startups that are mostly BYOD, or don't do any kind of endpoint/device management...
So who are you going to catch, really?
A lot of people use MDM for managing their kids devices (pinning DNS for filtering etc.)
First time I've seen "a lot of people" used to mean "practically nobody."
Just joking, but seriously, I've never heard of anyone doing this, and I think maybe 1 in 100 people would even know that it's possible.
I can't say much about the macOS market, but I do know that MDM-style APIs are practically the only way to write a third party control app for mobile devices. With the way Apple is moving macOS more and more towards their control, this may happen on the desktop in the future as well.
Schools also tend to use MDMs, but often in combination with Chromebooks which don't typically run third party software anyway.
> I can't say much about the macOS market,
For certain types of apps from the mac app store vs installed directly (mostly VPNs), they also have to use the MDM APIs and install profiles on the device to function.
So if a home user, for example, uses Tailscale and installed it via the mac app store, they'd flag as being MDM managed if the software used the code in the article.
Fonts on iPad work the same way, the font apps install an MDM profile to install the fonts on the device because Apple gates this behind that for some stupid reason.
Like you said, I suspect doing things through configuration/MDM profiles is going to become more and more common on desktop like it has on mobile.
I mean, “many” people use SaaS apps which utilize MDM on end user devices, but many parents I know who are in tech roll their own to filter the net for their kids devices and (to a much lesser extent) monitor them proactively.
> People that run an AD domain for their home lab, people that use apple configurator to create profiles for their own devices (can enable some settings/features that are otherwise gated behind using an MDM profile - like shared iPads), etc.
That's a tiny minority of your user base. You'll live. They'll live.
> So who are you going to catch, really?
Enterprises that are big enough to manage their fleet, but small enough to not enforce rules. Which is a good chunk of money.
The minority are typically also enthusiasts who serve as a multiplier. Alienating them isn’t the best strategy.
Below the code snippets the post states this is not a silver bullet, but only a starting point.
The code snippets are the easy part here. Too easy to blindly deploy, because it might work for 95% of the cases. You know how these things go: KPM increased, move on to the next thing.
If you aim for large-scale Enterprise sales (which you should if you take this step), no, the folks running home labs are not usually the ones making decisions.
Yea, this seems to be sort of analogous to companies who check whether you have a rooted device in order to take some kind of action (usually preventing the software from running). If that's a shitty thing to do, then this is, too.
Software should not be in the business of trying to (badly) guess whether the user is the right sort of user, based on inexact signals from the operating system. As others pointed out, the false positives will be annoyed, and the true positives will sidestep your efforts.
How so? You think big corps would pressure corporate device management providers into making their services stealthier in order to avoid paying appropriate license fees for software that does this detection?
I'd always assume the worst of corporations but I think it's a little far fetched, probably doesn't affect their bottom line to just pay for the software.
I don't think you will ever see this normalized, because it's a really dumb idea.
You certainly can observe a correlation between a "corporate customer" and MDM/GPO and use that as a heuristic. But it's like relying on the color of the sky to determine temperature: "Is it grey? Well then it's obviously cold." It's a leaky abstraction.
I don't think so - most organisations and employees don't actively try to violate licenses, but if the path of least resistance is "eh" then individual employees definitely aren't going to bother. I bet there are thousands of people using the free version of MSVC commercially for example.
Depending on what action you take with this, I'd say it has a pretty good chance of tipping people into emailing IT to get a license.
You can already easily pirate the software by running it on your personal device for free, and the software would never know you were also working for a corporation that was supposed to buy a license.
Oh no they'll find out my company is i.manage.microsoft.com/DeviceGatewayProxy/ioshandler.ashx?Platform=MacMDM