The ITAM Review forum now has a new home within the Virtual User Group. Below are some edited highlights of some of the discussions from the old forum. Thank you to everyone that contributed and sorry for the upheaval in moving things around.
I am looking for software that is client-less, that I can use for our customers (AUTODESK Software ONLY, i.e., Autocad, Inventor, Showcase, Vault, etc) to scan and audit to return serial numbers that can be exported out to an Excel file or similar to help them with their SAM programs. Nothing more. Autodesk’s own Asset Locator won’t do the job as you can’t customize it per domains or IP addresses. I’ve tried a bunch already with not much luck. I’m also not looking to pay thousands of dollars for software either. Thanks
From what I remember about Autodesk products, the serial number can be accessed several ways, one being the registry e.g. HKLM\SOFTWARE\Autodesk\\R17.2\-7001:409
If this is still the case then you need a tool which can search the registry and report back the matching value. Does this have to be a SAM tool if this is all you are after? How about a registry reporting application?
Can a script be written to get this value and then run via Group Policy on all devices?
Just had a quick scan on the interweb looking for a network enabled registry scanning tool and found this
No idea if it will help you but if the license key is in the registry and you can get it with this type of tool, then it will help keep your budget down.
I have never used this software so have no idea how good it is, but there are obviously other tools out there like it. You’d be able to use this as a quick test for free. Hope this helps.
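The registry-scan approach suggested above, as an added example that is not from the forum or from any of the tools mentioned: a PowerShell function that walks the Autodesk registry hive, collects every value named like a serial number, and emits rows that can be written to CSV for Excel. The root keys and the value name 'SerialNumber' are assumptions, not taken from the thread; confirm them against one machine with a known installation before trusting the output across an estate.

```powershell
# Added example (not the forum's or Autodesk's code): collect Autodesk serial
# numbers from the registry, one row per matching value.
# Assumptions (labelled): the two root keys and the value name 'SerialNumber'
# are assumed here; a product that stores its serial elsewhere is simply missed,
# so validate against a machine whose installation you already know.
function Get-AutodeskSerial {
    [CmdletBinding()]
    param(
        [string[]]$RootKey = @('HKLM:\SOFTWARE\Autodesk',
                               'HKLM:\SOFTWARE\WOW6432Node\Autodesk'),
        [string]$ValueName = 'SerialNumber'   # assumed value name
    )
    foreach ($root in $RootKey) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Recurse every subkey; Get-ItemProperty exposes a key's values as properties.
        Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $props -and $props.PSObject.Properties[$ValueName]) {
                [pscustomobject]@{
                    ComputerName = $env:COMPUTERNAME
                    Key          = $_.Name
                    SerialNumber = $props.$ValueName
                    Collected    = (Get-Date).ToString('s')
                }
            }
        }
    }
}

# Option A: run as a Group Policy startup script; one file per machine avoids
# write collisions on the share.
# Get-AutodeskSerial | Export-Csv -Path "\\fileserver\sam\autodesk-$env:COMPUTERNAME.csv" -NoTypeInformation
#
# Option B: agentless over WinRM from an admin workstation, no client install needed.
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-AutodeskSerial} |
#     Export-Csv -Path .\autodesk-serials.csv -NoTypeInformation
```

Serial numbers are licence secrets, so the share or output folder should be readable only by the SAM team; the per-machine file name also makes it obvious which hosts never reported, which is the gap an extrapolated audit would otherwise hide.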
A customer has received this statement from a publisher.
“If during an audit or visit made by a regulator, it is found that a machine belonging to a contractor or an employee has unlicensed software, the corresponding sanctions or liabilities are the customer´s responsibility since the machine and software is in use in its premises. The customer can have a clause where the employee or contractor is responsible for licensing their own machine, but this does not exempt the customer from having unlicensed software running within their premises.”
Do you agree with this? Does it make a difference if the machine belongs to a contractor or to an employee? Any thoughts or best practices?
The logic is sound.
If an employee wants to load an application on a company PC; ITAM policy absolutely should require prior approval through a standards process as well as POSSESSION of the original media, licensing documentation, or whatever else represents full ownership of the application prior to deployment to ensure the application is allowed to run on a corporate enterprise and that it will not duplicate or “misbehave” with other applications already in use.
From the perspective of a software firm, contractor PCs can be no different.
More to the point; personal property accessing a corporate network is far more problematic than simply licensing. ITAM and Information Security should work in concert to establish and enforce a policy wherein corporate-approved assets must be used by any temporary worker requiring intranet access, that the associated costs are factored into any project requiring such provisioning and that there exist transparency and consistency in the end-to-end process.
Agree and sounds logical to me.
All contractors should use a corporate asset to do company business. If staff, contractors etc want to take work home with them and work on their hardware, then this should be done in line with company data sharing polices.
As we are talking about personally owned hardware then as an employer we don’t have the right or ability to load or maintain what software is on the device, what AV is on there etc. Therefore the hardware should not be connected to the corporate network even before considering software compliance.
I would suggest a policy / system be put in place to restrict what hardware can be connected.
Hello. Let me clarify the scenario depicted in the question. The company has the policy that employees may either opt for a company supplied PC or acquire one from a specified list of suppliers / models and the company finances and partially subsidises it. In this latter case, it is a PC that belongs to the employee but is used on-premises for work related purposes.
Sounds like a taxable HR benefit has got mixed up with the company hardware procurement policies. This sounds like a world of hurt and I would recommend scrapping the policy. There will be ways to subsidise computer purchasing for staff through HR so they can use at home.
You will have little or no control over the computer as the employee will see it as their personal device. The company is being put at risk from a compliance point and also a security / data breach / PCI point.
Yep, having seen that qualification to the original scenario, agree with Bugner here.
That’s just a mess & sounds similar to an opt-out company car scheme, but for computing equipment and programs that should be core to the operations of the company.
If the company is allowing employee-owned kit to be used and plugged into its corporate networks, then the SAM software should also be included on those employee-owned PCs, and a re-charge back to the employee included in the deal for the compliance aspects.
This is a whole grey area being debated in many circles at present, in the guise of employee-owned mobile devices being connected to company networks, or not, depending on which side of the debate one is on. Talking about consumer iphones, ipads, android devices etc vs corporate devices.
I do have the situation where we’ve contracted out specialist services to an outsource supplier, and they bring their own computers and software onto our premises, however they are contractually responsible for their software licenses and compliance.
If we were found in breach (as we would be – it’s our business they’re working on) because of their lack of governance, the contract defers all penalties and charges incurred onto them, under a fair risk management arrangement.
We are also moving to the same setup. However, to do our company work we are providing a VM to every user who has opted for the option of bringing their own machine, and this will help us in an audit as we are only responsible for maintaining the compliance for software published within the VM.
Another great idea that is maybe not so great 🙂
Even though these may be personal machines, the company is fully liable for the software residing on the machines and should be discovering the software and managing regularly. Policies need to be in place not only for the licensing risk, but for security and if they are not up to a certain level, then they should be blocked.
I can’t really see the benefit to the employee in this scenario – fine if it was a laptop and could be used from home and for personal use, but really – is it a benefit to either party?
Run software discovery on all PCs using the company premises.
Create a policy for Software Asset Management that dictates that software can only be installed when authorised by IT management.
Ensure updates and patches are regularly applied to all PCs.
I could not see where this is beneficial at all. It sounds as if there is very little structure in place and would also be a nightmare to support and manage. Strict guidelines have to be in place to avoid risk.
A key element that we’re not addressing is that, for the most part, enforcement audits rely on the “letter of the law” for all audit applications – including the audit process. The letter of the law in this case will be the license for each product being accessed by personally owned systems.
Recognize that, regardless of your internal policies and procedures, the copyright holder is going to audit ANY system on the premises. Depending on the audit claim, they have the right to consider any device currently accessing the system. Their assumption, whether we like it or not, is that any system on site or linked with the enterprise systems is fair game for compliance with license Ts and Cs.
To resolve any related audit issues your option will be required to argue (successfully, we hope) that specific systems do not belong to the enterprise. If you prevail (that’s a big if), then there is a chance the copyright holder will permit an exclusion. Unfortunately, since most of these issues are settled out of court, it’s probably going to work like this:
You’ll take the audit hit and pay the fines and penalties. Then you have the option to file a civil claim (or the equivalent in your country) to recover costs from each individual computer owner of non corporate systems.
Any way you want to play it, read the license for your specific permissions. Then follow it to the letter. No amount of internal policies will supersede the license terms. You will be held responsible for whatever systems access your environment.
If you want more mutually beneficial terms in the license, negotiate them in – up front. In addition, I’m relatively certain that a majority of your license agreements do not detail the compliance audit process – they should & it’s (technically) the asset manager’s responsibility to ensure they do. Keep in mind that, if you don’t negotiate these types of details into agreements, the copyright holder (or their friends) can pretty much audit for any content and use any process they wish to prove you are non compliant with whatever clause they wish to cite (but those are entirely different issues).
There was a SAM engagement at our firm where Microsoft brought external auditors for an audit. We were over licensed for some software and under licensed on some. All of that is Microsoft software. My job is to find a way to cut the Indian Rupees 3 Million bill that we have been given. Any suggestions are welcome and deeply appreciated. The firm is in India. Many thanks.
I’m afraid that the only way to challenge Microsoft is with facts.
Microsoft’s records will be for volume purchases, so assuming the external auditors didn’t look very hard for full retail product (FRP), you should try to find as much FRP as you can. Any FRP found usually will reduce your liability.
Has your company taken over another company? If so, ask Microsoft if that company’s purchases have been taken into consideration. In doing this it is very important to list all forms of the company’s names, as these will be used by Microsoft to search their database.
Lessons learnt. Ensure that you don’t find yourself in a similar position in a year or two’s time. If you don’t already have a discovery tool, then consider using Microsoft’s MAP tool – it’s free! Also, good record keeping is essential – you should keep precise details of all software licences purchased. Whatever you do, don’t forget when you purchase upgrades to keep evidence of the original purchase, again vitally important for FRP. Maintain your records – by reconciling discovered software against your proof-of-entitlement on a monthly basis, any anomalies can be addressed by your organisation before they become an embarrassing issue!
An answer I received anonymously:
The first thing to do is for the client to validate the findings. The client needs to ask the auditors, who would have prepared a deployment summary, for a copy. Once the client has the summary they need to:
1. Check for server and desktop duplication – often there may be 3 versions of OfficePro installed on one device. You do not need to count that Office licence 3 times.
2. Servers – check that test servers (in non-prod environment) that have a MSDN user assigned to the server have not been counted.
3. If they have a developer tools shortfall they need to check that each developer who has a MSDN license assigned lists every potential device they access in a non-prod environment to avoid duplicate purchasing.
4. Portable use rights – ensure that laptops of a user whose primary device is a desktop aren’t being counted.
There are a number of ways to reduce this bill.
1) Query and validate the auditors results – I have been involved with audit findings from everyone from KPMG/PWC through to specialist SAM consultancies paid for by Microsoft, and I have yet to agree with the findings. Did the auditors use manual audit data or did you have Inventory/LMS information to give?
2) Know Microsoft’s drivers – Microsoft would have instructed an audit to generate revenue – nothing else. The 3 million rupees cost is probably priced under Select or Open licensing – it would be good business sense to engage with a Large Account reseller and work out what other options such as an Enterprise Agreement, BPOS or Subscription Agreements could help save money, or at least spread this out. In my experience, if you go to a MS Business Manager with the promise of an EA (especially in the run up to June (MS Year end), MS are more willing to negotiate and give dispensation to cut a compliance or Enterprise deal. Don’t sign anything just yet…
Kevin T: The Auditors did the manual audit at some locations and the results were linearly extrapolated for the rest of the organisation.
We agreed to their logic and got started with issuing the Purchase Order for bridging the shortfall. Can we now roll back to disagreeing with the auditors’ results? Will that result in a Complete Audit of the entire organisation?
We have license excesses as well, can they somehow figure in the deal?
A sample cut of data will not give you a complete picture. Have you got any SAM tools, even SMS/SCCM? If not, either try and download MSIA (although anything over about 500 devices will be a struggle). Or you can get a 30/60 day project licence from a SAM tool provider. This will give you an idea of what has been deployed, and you can make the decision as to whether it’s worth conducting a full audit or not.
In terms of the licensing question, you wouldn’t be able to trade licences in. However if say you are under compliant on all of your Client Access Licences, it may make sense to take out a Core CAL component EA, or possibly a desktop Pro EA, or subscription agreements. That way you can combine the compliance order with future licence planning, and spread the costs.
Kevin T:
The auditors have given us a shortfall list. There is no strategy that we can use apart from purchasing the licenses? We’ll try to comply in the future but what about this bill? Any tip?
Unless you have signed an agreement to purchase those licenses, don’t do it yet! I agree with every answer prior – the auditors are there to generate income, and they are NOT on your side. We went through this three times last year, with Adobe, Microsoft and IBM. The auditors had little to no knowledge of the specific software, didn’t understand the multiple contracts we had, nor did they understand the differences between reader and a full blown version of the software. In addition, they were unable to differentiate between SQL server, and any product that runs using a portion of the product (and does not require the full license.) Much of our environment is virtualized, and that seemed to really confuse the auditors. Are you an IT person? If not, I suggest you immediately schedule a meeting with your head of IT and have them go through the audit findings with you. You may well be able to eliminate a good portion of the reported “overage” simply by understanding how your company deploys products.
And good luck!
Unless the shortfall report categorically shows a full under-compliance picture, you have every right to challenge it. Invest in a project tool and perform a self audit, or commission a partner to do it on your behalf. In my experience, it will without doubt save money on the compliance bill.
Thanks a lot, I’ll definitely follow the approach you suggested. Asking the question really helped me.
You say that a manual audit has been conducted on just part of your estate. As previously mentioned, the free inventory tool will enable you to remotely audit the whole estate: Microsoft Assessment and Planning Toolkit (MAP). Free to download from the Microsoft website.
Accurate base data is essential, then you can follow the suggestions that others have made.
First of all, a formal SAM process should be implemented. This will help you better manage your software assets moving forward.
Regarding the current situation: your company is liable for under licensing. Removing those excess copies does not exempt your company of past infringement of copyright and IP laws.
My advice would be as follows:
1. Engage with the publisher (Microsoft) in this case in a friendly manner
2. Hire an outside consultant (not a reseller) to help you really understand all your options
3. Use the end of Microsoft’s FY as a leverage point
4. Check all current promotions in your geography
Agree with Jaskeen’s advice, and try to sign off an Enterprise Agreement and include all the licenses in that agreement; this will help you to pay the cost of 3 million rupees in installments as per the agreement rules.
You did not specify the products that were out of compliance, but I will suggest a few ways to reduce costs without creating compliance issues.
1) Review products to see if you are using the actual product you are planning to buy – for example: did the sample show several Visio Pro licenses or Project Pro licenses? If so, is the user actually using those products to their full capability or are they using the functionality of the standard product or viewer?
2) Have virtualized servers been accounted for? Is there a way to solve the license problem with datacenter or enterprise licensing (example: Windows datacenter is licensed per processor and includes an unlimited number of virtualized instances for each physical processor licensed)?
3) Are you licensing SQL servers in the most cost effective manner? Should you be using the per processor licenses or the server/CAL model? Do the math on both to see which is the most cost effective for your organization.
4) Have you compared the licensing of CALs as per device or per user? If you have multiple users sharing a device, license by device. If you have multiple devices for each user, license by user.
These are just a few samples of where you can save money without creating more challenges on the licensing side.
You mentioned on the forum that you originally agreed with the findings, so your purchase requirements may depend on whether you signed an intent to purchase or just agreed that the numbers might be right. If you have a lawyer, you may want to check with him/her. In these cases, it is often advantageous to have the lawyer review the findings before making a decision to move ahead.
If you have time, find an inexpensive and quick asset management product that will be able to inventory the machines that were not part of the sample to see what is actually installed. Sometimes there are significant differences between departments or geographical locations as to what software is installed.
Good luck in sorting this out, and please update us as to whether or not you were able to get this sorted out!
Thanks for all the answers.
The whole episode went quite well.
My organization had to pay up just a third of the Original costs.
Many Thanks to All.
You Guys Rock !!
Are you able to share which techniques worked to reduce your final invoice?
We did a lot of Software downgrades to utilize the excess software.
My Manager had good relations with the audit guys.
A lot of corrections were then made and we were able to help our client.
One thing I learnt was to delay the process as much as possible.
You know stretching the limits of small delays.
The little delays are ok and can provide you with some additional time to work with, but be sure to keep communications open while that is happening. I’ve found a few customers who ended up with some real perception issues from the vendors when they didn’t return calls right away and that translated into less cooperation and less flexibility on the part of the auditors. This is a place to practice perfect balance!
I’m glad to hear it went well.
If you had the leverage, what T&Cs would you like to include in the framework agreements you negotiate with your software publishers?
My mobile phone operator contacts me periodically and says “we’ve looked at your plan and adjusted it accordingly based on your usage, you are now on the optimal plan for your usage.” Something similar for software would be good. I want to structure a plan which a) makes it easy for us to calculate and reflects my business and b) can be changed in the future as our business changes without penalty.
Secondly. The ability to cleanse the past and not get tripped up by decisions we made 3 agreements ago.
No ELA, yet my firm can employ and/or share the publisher’s software any manner we choose without threat of audit.
But since we live in the real world…
The condition of the question suggests a strongly adversarial relationship exists with the vendor. While this is always present in a negotiation, I’d do what I could to improve the tenor of the relationship on BOTH sides of the table.
1. Level-setting that would dispense with any and all dependencies on prior agreements, upgrades, offers, etc.
2. Mutually-agreed definitions.
3. All contract boilerplate on the negotiating table.
4. Included professional assistance that does not necessarily originate from the vendor’s staff.
5. True-up that excludes third party involvement.
6. Included technical support through the life of the contract.
I would like to see clearly stated Ts & Cs within each agreement.
Downgrade rights given for all previous versions at the same level (Pro vs Std).
Global agreement with the ability to transfer licenses internationally
A 1 month grace period that will allow cleansing of unused/dead installs prior to any audit request 🙂
1) Unlimited number of licenses, based on our expected number of users (don’t laugh, had this with Telelogic before IBM bought them). Some would call this usage based licensing – we weren’t that accurate.
2) An easy to use (controversial), speedy website showing license entitlement, with clear opportunities to correct holdings from disparate users (e.g. have adobe web-contacts and PTC web-contacts with licenses spread all over them and some are missing)…
3) If I lease licenses, at the end of the agreement some form of recognition of the money invested by retaining a perpetual holding
4) Free maintenance, since bugs should be made the responsibility of the software provider (we don’t get recalls in the software industry, instead the users get to pay for the vendor errors – this should stop).
5) Support on Time & Materials rather than fixed contract since I only want support when something breaks, not an insurance policy I’m not going to use for 3 years out of 5
6) Your software works and makes my user’s lives simpler and more productive, not just more bangs and whistles to distract them from the job in hand.
Of course, these are in my ideal world, yet other industries manage to live by these rules, why can’t a maturing software industry?
This is where IMHO the open source industry scores highly over traditional vendors:
1 is a given,
2 is normally there,
3 is not needed,
4 is a given, and
there are third party companies for 5.
Hence the need for 6, where OSS falls down
(OSS normally can’t compete for productivity features with paid vendor products, e.g.
Subversion vs Serena Dimensions CMDB for management reporting,
Wireshark/EtherReal vs Network Instruments Observer)
The ability for us to audit the vendor’s entitlement records and if they are not accurate then they are banned from auditing that customer ever again.
Having had 3 on site / self audits recently from major vendors all who had little / no / bad records of what our entitlement was but had the nerve to come asking questions. Needless to say 2 of the 3 were sent packing and the other looks like going the same way.
Floating (concurrent) licenses …
After three major audits last year one clause I will absolutely insist upon is NO THIRD PARTY AUDITING. Third parties (often) haven’t a clue what they are looking at. The time it takes to explain it all to them is time I need to spend elsewhere. Additionally, I might limit when they can audit, and I agree with the previous poster, downgrade rights are essential.
Clear definitions are a must, and given a choice, I never want to have to name the country in which I am deploying. Several years ago we had a contract that was country specific, and ultimately it was cheaper to purchase new licenses than to pay them the fees they wanted to “relocate” the licenses.
Hi, you have said Quest people conducted the audit. How did they conduct this audit? What was the methodology? Did they use some tool or script?
Many of my other customers have furnished us with reports from Microsoft SMS, which is fine providing the below information is included. Obtaining the individual license keys will be necessary to confirm both version and configurations in the certification process. Although this is a simple process, it generally requires a brief 30 minute conference call with one of Quest Software’s technical experts to limit any technical interruptions. I have several open time slots to set up this technical call available for next week so please let me know which works best for you.
We are requesting receipt of a verification report from # by December 7th, xxxx. Please do not hesitate to contact me if you have any questions.
Sample Summary Report
Machine Name or ID
We have had an audit request from Quest and they did provide us with a complex report that they wanted us to run on SMS. I have not run this report as I will be running my own report on the executables I use for monitoring. Once I have them, then I will be comparing both sets of results. If I feel that the Quest script does not accurately reflect our install base, then I will go back to them informing them that we already have this data from SMS and provide them with a rough summary of what we have. I will also ask them to provide me with all the license information that they have for us as there may be licenses my org have purchased but I am not aware of.
The installs vs licenses should be fairly close, but the key is to be as honest as you can be. No vendor is out to totally screw you (maybe) and all they are trying to do is get revenue, but manage the process correctly – you are in control of the process.
Q. TOAD for Oracle discovery via SMS (SCCM)?
Our organization currently uses SCCM for discovery. SMS, or Configuration Manager as it’s now called, cannot interpret what constitutes a license nor can it determine if an application is truly installed. It simply gathers and relays information from each workstation’s registry according to how each app decides to register itself. If that information is incorrect because an app didn’t properly register on install or un-register on removal then Config Manager is oblivious. Garbage in, garbage out. Having said that, nearly all applications follow Microsoft’s standards for recording and removing that registry information. A small number do not. Most notable are Oracle applications, many of which choose not to register themselves, period. These Oracle applications (such as TOAD for Oracle) are difficult to reconcile because we cannot make sense of the data populated by our SCCM report. Anyone have insight regarding this matter?
I know nothing about TOAD for Oracle, so can’t be specific for that (although did check out the TOAD World blogs at the link below).
In general, I’d move away from using SCCM/SMS for audit tracking and discovery. Anecdotal evidence suggests it’s not the best out there (can’t think of any sources right now, though)
Free discovery tools available include the OpenSource OCS (https://www.ocsinventory-ng.org/)
and SpiceWorks (https://www.ocsinventory-ng.org/)
However, I think they both use the Windows metadata included in the registry, so will probably give a similar result to what you already (don’t) have…
We purchased Layton Technology Audit Wizard as a relatively cheap software discovery tool, before I came on board. It works well at sniffing software, but we don’t use Oracle so I don’t know if it can handle that.
This document was given to us when we completed an audit with them:
Toad® for Oracle Asset Management
This is a quick guide to assist customers who are in the process of examining their environments for Toad for Oracle installations. The information provided in this document serves as a high level overview on what artifacts to look for when performing scans against the filesystem.
Toad’s Versions and Editions
Quest Software generally releases two versions of Toad for Oracle a year. The current version of Toad for Oracle is version (see release info). Each version of Toad is available in several different bundles or editions. The base product is referred to as ‘Toad Base’ (formerly known as ‘Standard’). We also have ‘Toad Professional’, ‘Toad Xpert’, ‘Toad DBA Suite’, and ‘Toad Development Suite’. Additionally, we have ‘Options’ which can be added to any edition of Toad, e.g. ‘DB Admin Module’ (formerly known as ‘DBA Module’). If you want to determine WHICH edition of Toad is present on a desktop, you will need to parse the license key information for that install.
Toad’s Licensing and Architecture
Each installation of Toad requires an authorized license key to function. This information is stored in a file named ‘QSAuth11.key’. We recommend you search for licensed copies of Toad in your organization by scanning for both the ‘toad.exe’ and ‘QSAuth11.key’ files. ‘QSAuth’ simply stands for ‘Quest Software Authorization.’ ‘11’ is the internal product identifier for Toad. The license key file itself is stored as clear text and contains several pieces of information (depending on the version). The file can be examined to determine the current license key and authorization string. If the second (2nd) line of the file reads ‘Trial Version’, then the copy of Toad in the current folder is licensed as a Trial.
Here are examples of the information found in the QSAuth11.key file:
Example Contents of QSAuth11.key (up to Version 220.127.116.11):
The QSAuth11.key license file will be stored in the toad.exe folder for Toad standalone and network installations (Toad for Oracle 9.6 and earlier).
NB: For Toad 9.7 and higher, the QSAuth11.key license file will be stored in the User Settings folder for a particular installation of Toad (e.g. Toad can have a license key for each installation) on the user’s desktop (C:\Documents and Settings\username\Application Data\Quest Software\Toad for Oracle).
Example Contents of QSAuth11.key (from Version 18.104.22.168):
Toad® for Oracle Xpert Add-Ons: DB Admin module, e-Business Module, SQL Optimizer
For Citrix installations, the file will be located in the User Settings folder on the Citrix server.
Steps to complete:
Here are the basic steps required to identify existing licensed users in your environment:
1. Determine which computers/domains may have Toad installed. Also identify whether Citrix exists in your organization.
2. Scan the computer’s filesystem for both the ‘QSAuth11.key’ and ‘Toad.exe’ in order to obtain the most accurate information about a Toad installation.
3. Read and record the contents of ‘QSAuth11.key.’ This will tell you which options have been enabled.
4. Please email your Quest Software Sales Representative the Excel spreadsheet containing raw data resulting from the desktop scan steps above. (Columns required: Machine name, Network Name, License Key, Site Message, Version, Filename, File Size, File Path)
Above: Sample Raw Data from Customer
For questions and technical assistance, please contact your Quest Software sales representative
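The file-based discovery the Quest document describes (steps 2 and 3, feeding the spreadsheet in step 4), as an added example that is not part of the document or of Quest’s own tooling. It searches for ‘toad.exe’ and ‘QSAuth11.key’, reads the first two lines of each key file, and flags a copy whose second line reads ‘Trial Version’, which is the only fact about the file’s layout the document states. The search roots are assumptions; the ‘License Key’ and ‘Site Message’ columns are left empty because the document’s example file contents are not reproduced here, so the raw lines are kept instead for the SAM team to map once that format is known. The same routine covers the SCCM question above: an application that never registers in the registry still leaves its executable and key file on disk.

```powershell
# Added example (not the Quest document's or the forum's code): find Toad for
# Oracle artifacts on disk and emit rows shaped like the step 4 spreadsheet.
# Assumptions (labelled): the search roots below are assumed; only two facts
# from the document are relied on, that QSAuth11.key is clear text and that a
# second line of 'Trial Version' marks a trial copy. The raw first two lines are
# recorded instead of parsed, because the key-file format is not given here.
function Find-ToadInstall {
    [CmdletBinding()]
    param(
        [string[]]$SearchRoot = @(
            $env:ProgramFiles,
            ${env:ProgramFiles(x86)},
            'C:\Documents and Settings',   # profile root the document names for Toad 9.7+
            'C:\Users'                     # assumed: profile root on newer Windows
        )
    )
    $targets = @('toad.exe', 'QSAuth11.key')
    foreach ($root in $SearchRoot) {
        if ([string]::IsNullOrEmpty($root) -or -not (Test-Path -LiteralPath $root)) { continue }
        # -Force is required: per-user 'Application Data' / AppData folders are hidden.
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -Include $targets -ErrorAction SilentlyContinue |
        ForEach-Object {
            $row = [ordered]@{
                'Machine name' = $env:COMPUTERNAME
                'Network Name' = $env:USERDNSDOMAIN
                'License Key'  = $null      # needs the key-file layout from Quest's examples
                'Site Message' = $null      # likewise
                'Version'      = $null
                'Filename'     = $_.Name
                'File Size'    = $_.Length
                'File Path'    = $_.FullName
                'KeyLine1'     = $null
                'KeyLine2'     = $null
                'IsTrial'      = $null
            }
            if ($_.Name -ieq 'toad.exe') {
                $row['Version'] = $_.VersionInfo.FileVersion
            } else {
                # Only the first two lines matter here; line 2 == 'Trial Version' marks a trial.
                $lines = @(Get-Content -LiteralPath $_.FullName -TotalCount 2 -ErrorAction SilentlyContinue)
                if ($lines.Count -ge 1) { $row['KeyLine1'] = $lines[0] }
                if ($lines.Count -ge 2) {
                    $row['KeyLine2'] = $lines[1]
                    $row['IsTrial']  = ($lines[1].Trim() -eq 'Trial Version')
                }
            }
            [pscustomobject]$row
        }
    }
}

# Run on each machine chosen in step 1 (a Citrix server included, since the key
# file lives in the user settings folder there too) and collect one CSV per host:
# Find-ToadInstall | Export-Csv -Path "\\fileserver\sam\toad-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Because Toad 9.7 and later keep one key file per user profile, the output is one row per file rather than per machine; counting distinct key files that are not trials gives the licensed-install figure, while a ‘toad.exe’ with no accompanying key file is worth a manual look before it is reported.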
You must identify how to determine deployment for each application separately, as they are all different. Your reseller may be able to help you, but if all else fails you may have no choice but to approach the publisher.
Although generally I do not recommend approaching publishers for information on how to identify deployments as it can trigger an audit, you can lessen the risk by stressing that this is a routine exercise you are undertaking for all applications as part of your SAM improvement programme, and that you wish to identify an appropriate methodology that is applicable to your specific discovery tool.
I can confirm that Quest are very helpful in helping determine deployment, and when we approached them it did not trigger an audit (although that was pre-recession, and of course, ‘the times they are a-changing’!).
This is an edited summary of the old forum notes – the new forum can be found here.