One of the biggest challenges any enterprise faces is how to manage software license compliance. We all know the story: The purchasing department (working with IT) approves a certain number of licenses for each software suite needed throughout the enterprise. IT then uses its software distribution system of choice to distribute the software. Then it’s up to IT to ensure it doesn’t exceed the number of purchased, licensed apps within the environment to ensure the organization is “legal” and doesn’t accidentally become software pirates and the object of a license audit from one of the major software distributors (nobody wants that!)
While most organizations have the practice of software deployment ironed out, tracking license compliance is a different story. At Lockstep, we’ve seem multiple attempts to implement effective license management solutions with varying rates of success. Most methods of management involve passive software inventory tracking applications (ManageEngine, Altiris, SCCM,etc.). Basic agents are installed on PCs and report back to the central console the applications installed on each system. IT must then reconcile against the number of owned licenses.
While this all sounds good in theory, the practical application is different story for many different reasons. Applications wind up getting installed through approved and unapproved channels. PCs are rebuilt or re-imaged, skewing the software tracking database. The process of reconciliation becomes time consuming and resource intensive and once it’s done, IT needs to remove unlicensed apps (or buy more licenses). By then it’s time to do the process all over again – it becomes an un-winnable battle.
Be Proactive – Control Application Execution
At Lockstep, we believe that in the case of application licensing management, simplicity is a better approach. Instead of taking the passive route of reporting and reconciliation, and easier route is to control application execution itself based on a roles-based approach for both users and devices. That is, let’s allow application execution for approved company apps and measure license entitlement based on group membership, i.e Active Directory, and stop the arduous, labor intensive approach used in the past.
OK, sounds good, right? So how do we do it? We’ll show you.
These are the key components for the solution:
- Enforcement Mechanism: we need a tool to control which applications are allowed to run on a PC
- Application Entitlement Mechanism: we need the ability to group users or PCs into logical groups based on the number of licenses owned by the corporation and then allow or deny execution based on membership.
- Reporting on Licensing Thresholds: once we’ve got enforcement and entitlement down, we need the ability to easily report on the number of users and devices that have been provisioned for application entitlement so we can easily demonstrate compliance.
Enforcement Mechanism: AppSense Application Manager
Our favorite tool for application execution enforcement is AppSense Application Manager, which is part of the Appsense DesktopNow Suite. AppSense AM allows us to control application execution, manage granular user rights (privilege escalation and de-escalation), among other really cool things. If you haven’t checked this product out, you need to.
Application Manager has a simple mechanism for controlling execution of non-approved apps, called “Trusted Ownership”. With Trusted Ownership, non-IT approved applications simply won’t execute. We’ll set that up first.
Once we’ve enabled this option, only software that was installed with one of the accounts defined in the list of Trusted Ownership is allowed to run.
In the screenshot below, see what happens when a user tries to download and execute software from the Internet.
Cool, huh. So users are now blocked from running non-IT approved apps, out-of-the-box, with one simple setting.
Now that we can prevent unapproved applications from running, let’s deal with managing licensed applications.
Within AppSense we’ll do this via a couple of rules. First we need to create a signature for our approved, licensed applications. For the purpose of this article, I’m going to profile Microsoft Office.
Also for simplicity, I’m going to use a per-user licensing model for management instead of device, but we can handle device level as well. See below: AppSense can control application execution based on groups, users, devices, or via custom scripts or processes.
OK, next, before we create our rules, we need to create a digital signature for Microsoft Office. This is not a requirement – you can just list the executable names themselves, but this allows you to ensure that your current software library is 100% accurate and this will ensure proper enforcement.
Below, we scan the Microsoft Office directories and files, and then a signature (hash) is generated that we can use in our rulesets.
OK, so now that we’ve got our application signatures, let’s create some enforcement rules.
We’ll create 2 rules for this:
1. Rule 1: Deny “Everyone” from executing the Office suite.
2. Rule 2: Allow a specific Active Directory to execute the Office suite.
The net effect of this rule is that nobody will be able to run Microsoft Office unless they’re in the Active Directory group will enables execution, even if the software is installed in their desktops. This is what the ruleset will look like:
Allow Execution for AD Group
OK, now let’s see it in action. So we have Office 2010 installed on a virtual desktop with which we’ll be testing. First we’ll ensure that users who have not been approved for Office access are denied access.
Let’s check our AD Group, APPS-AllowMicrosoftOffice, to ensure we have no members in it.
With our current AppSense Application Manager configuration, Office should only execute if the user is in the AD group. Since no members are in this group, we should not be allowed to execute. Let’s test this.
OK, great, that works, Application Manager stops execution of the app. Now let’s make sure the user is granted access to Office once we’ve placed them in the proper AD group.
Now let’s try to execute Office.
Success! Using a combination of AppSense Application Manager and a roles-based Active Directory infrastructure, we can easily manage application entitlement and compliance (as well as really increase our security by preventing rouge apps and malware from executing).
Reporting – How to Track License Thresholds
So now that we’ve got a nice enforcement and entitlement mechanism, how about a simple reporting mechanism.
Since we’re now leveraging Active Directory groups for our software entitlement, AD can be the basis of our reporting. We just need to know how many licenses we’ve bought per group and how many users (or devices) are in the group. We can accomplish this via inserting the number of licenses in a field within the group and then tracking the number of users within the group.
Take a look at the Notes field in this group:
We’ll use the number of licenses noted here to compare against the total number of users in the group. Using PowerShell and the Quest Active Roles Commandlets, we can read the value from the notes field (using the colon as a delimiter) and then query the number of users in the group.
We’ll run our script we wrote for reporting:
The script will return a simple report that looks like this:
Cool, huh? If you’d like to demo the AppSense suite or a get copy of the the PowerShell script we used for license reporting, let us know.