[HN Gopher] Normalize Identifying Corporate Devices in Your Soft...
___________________________________________________________________
Normalize Identifying Corporate Devices in Your Software
Author : Bogdanp
Score : 61 points
Date : 2025-10-29 15:16 UTC (6 days ago)
(HTM) web link (lgug2z.com)
(TXT) w3m dump (lgug2z.com)
| acuozzo wrote:
| Normalizing this would start a game of cat & mouse, no?
| thewebguyd wrote:
| That, and a lot of false positives.
|
| People that run an AD domain for their home lab, people that
| use apple configurator to create profiles for their own devices
| (can enable some settings/features that are otherwise gated
| behind using an MDM profile - like shared iPads), etc.
|
| On the flip side, you are also missing all of the solopreneurs
| using your software for commercial use but obviously aren't
| spinning up a whole endpoint IT infrastructure to manage their
| own single device. Or contractors doing BYOD without MDM
| enrollment. Or small businesses/startups that are mostly BYOD,
| or don't do any kind of endpoint/device management...
|
| So who are you going to catch, really?
| radicaldreamer wrote:
| A lot of people use MDM for managing their kids' devices
| (pinning DNS for filtering etc.)
| SoftTalker wrote:
| First time I've seen "a lot of people" used to mean
| "practically nobody."
|
| Just joking, but seriously, I've never heard of anyone
| doing this, and I think maybe 1 in 100 people would even
| know that it's possible.
| radicaldreamer wrote:
| I mean, "many" people use SaaS apps which utilize MDM on
| end user devices, but many parents I know who are in tech
| roll their own to filter the net for their kids' devices
| and (to a much lesser extent) monitor them proactively.
| jeroenhd wrote:
| I can't say much about the macOS market, but I do know
| that MDM-style APIs are practically the only way to write
| a third party control app for mobile devices. With the
| way Apple is moving macOS more and more towards their
| control, this may happen on the desktop in the future as
| well.
|
| Schools also tend to use MDMs, but often in combination
| with Chromebooks which don't typically run third party
| software anyway.
| thewebguyd wrote:
| > I can't say much about the macOS market,
|
| For certain types of apps from the mac app store vs
| installed directly (mostly VPNs), they also have to use
| the MDM APIs and install profiles on the device to
| function.
|
| So if a home user, for example, uses Tailscale and
| installed it via the mac app store, they'd flag as being
| MDM managed if the software used the code in the article.
|
| Fonts on iPad work the same way, the font apps install an
| MDM profile to install the fonts on the device because
| Apple gates this behind that for some stupid reason.
|
| Like you said, I suspect doing things through
| configuration/MDM profiles is going to become more and
| more common on desktop like it has on mobile.
| groby_b wrote:
| > People that run an AD domain for their home lab, people
| that use apple configurator to create profiles for their own
| devices (can enable some settings/features that are otherwise
| gated behind using an MDM profile - like shared iPads), etc.
|
| That's a tiny minority of your user base. You'll live.
| They'll live.
|
| > So who are you going to catch, really?
|
| Enterprises that are big enough to manage their fleet, but
| small enough to not enforce rules. Which is a good chunk of
| money.
| layer8 wrote:
| The minority are typically also enthusiasts who serve as a
| multiplier. Alienating them isn't the best strategy.
| bootlooped wrote:
| Below the code snippets the post states this is not a
| silver bullet, but only a starting point.
| layer8 wrote:
| The code snippets are the easy part here. Too easy to
| blindly deploy, because it might work for 95% of the
| cases. You know how these things go: KPM increased, move
| on to the next thing.
| __jonas wrote:
| How so? You think big corps would pressure corporate device
| management providers into making their services stealthier in
| order to avoid paying appropriate license fees for software
| that does this detection?
|
| I'd always assume the worst of corporations but I think it's a
| little far fetched, probably doesn't affect their bottom line
| to just pay for the software.
| ryandrake wrote:
| Yea, this seems to be sort of analogous to companies who check
| whether you have a rooted device in order to take some kind of
| action (usually preventing the software from running). If
| _that's_ a shitty thing to do, then _this_ is, too.
|
| Software should not be in the business of trying to (badly)
| guess whether the user is _the right sort of user_, based on
| inexact signals from the operating system. As others pointed
| out, the false positives will be annoyed, and the true
| positives will sidestep your efforts.
| p1necone wrote:
| (Anecdotally) I don't think most big corps using commercial
| software without a license are doing it
| intentionally/maliciously at an organizational level. Most of
| the time it's just individual employees downloading supposedly
| "free" software without reading the license and not realizing
| it isn't free for commercial use.
| thewebguyd wrote:
| > Most of the time it's just individual employees downloading
| supposedly "free" software without reading the license and
| realizing it's not free for commercial use.
|
| And chances are, that company's IT department would love to
| know when that's happening so they can put a stop to it.
|
| I work in ops, that's called "shadow IT" and it's a huge
| problem. It's really prevalent now because most SaaS is
| marketed toward individuals/small teams rather than marketing
| toward the business itself, so you get people within an org
| spinning up trials and free versions, putting company data
| into it with zero oversight, and often IT doesn't know about
| it until the quarterly budget review when they find out from
| accounting that it's been blown on software purchased outside
| of the IT org, now it's "critical" to operations and we're
| forced to onboard/support it.
|
| Obviously these code snippets won't work for SaaS, but a
| notification pop-up along the lines of "We see you're on a
| company device. Please contact your IT administrator to
| proceed with your free trial" would be great, but would kill
| a big sales avenue.
| TZubiri wrote:
| It sounds great from a sales and marketing perspective.
|
| Instead of convincing the guys with the wallets to shell
| something out. Just convince the devs to npm install
| solution, and then send an invoice.
|
| Win/win
| immibis wrote:
| Ah, the Oracle and Broadcom model - Java, VirtualBox,
| VMware, etc.
|
| Woe betide thee who doesn't notice the difference between
| Oracle Java and OpenJDK.
| immibis wrote:
| You can already easily pirate the software by running it on
| your personal device for free, and the software would never
| know you were also working for a corporation that was supposed
| to buy a license.
| IshKebab wrote:
| I don't think so - most organisations and employees don't
| _actively_ try to violate licenses, but if the path of least
| resistance is "eh" then individual employees definitely aren't
| going to bother. I bet there are thousands of people using the
| free version of MSVC commercially for example.
|
| Depending on what action you take with this, I'd say it has a
| pretty good chance of tipping people into emailing IT to get a
| license.
| whalesalad wrote:
| I don't think you will ever see this normalized, because it's a
| really dumb idea.
|
| You certainly can observe a correlation between a "corporate
| customer" and MDM/GPO and use that as a heuristic. But it's
| like relying on the color of the sky to determine temperature:
| "Is it grey? Well then it's obviously cold." It's a leaky
| abstraction.
| Spivak wrote:
| Oh no they'll find out my company is
| i.manage.microsoft.com/DeviceGatewayProxy/ioshandler.ashx?Platform=MacMDM
| stogot wrote:
| I heard folks here used MDM to give themselves more control over
| Apple security features that they otherwise don't. This code
| example and scenario penalizes them by side effect
| kotaKat wrote:
| This happens in a lot of software in the Windows world, too. As
| soon as you run it on a non-Home SKU you're suddenly The
| Enterprise, even as a home-gamer.
| bitwize wrote:
| Windows is gating a lot of basic configuration shit behind
| enterprise configs like Group Policies now, specifically so
| that the people slumming it on Home get all the ads, spyware,
| mandatory updates, stealthily enabled AI features, etc.
| dragonwriter wrote:
| I've used Pro (or Ultimate under Win 7) instead of Home for
| my personal devices since sometime in the XP era and
| literally never experienced this with anything.
| TZubiri wrote:
| That's fine, there's no enforcement suggested though, maybe
| they get a popup asking about licenses, not necessarily a
| brick.
| yjftsjthsd-h wrote:
| If it gets normalized for software to notice when there's MDM
| in play, do you really think it won't be treated as a strong
| signal and used to break things?
| TZubiri wrote:
| Curb your slippery slope buddy. I think it's more
| productive to speak about concrete news presented to us
| instead of the hypothetical consequences it might have,
| real or imagined.
| arccy wrote:
| much like https://sso.tax/ , if you need enterprisey
| features... someone thinks you can pay for it.
| paxys wrote:
| As with every similar heavy-handed approach to enforcement you
| are making life difficult for the 99% of regular, honest users
| while the remaining 1% can trivially bypass it.
| wmf wrote:
| The post doesn't say what you should do with this information.
| You could just remind the user that they're supposed to buy a
| license for commercial use.
| knute wrote:
| additionally with the proposal "put together a list of known
| corporate MDM server URLs in a public repository" I think the
| idea could be to only block users with an MDM server from
| that list. of course that would have to be quite a large list
| and maintaining it fairly could be a challenge
| TZubiri wrote:
| I disagree, corporate systems will try to be transparent about
| being a corporate device. And they will not particularly be
| avoidant of software licensing, they may refuse to use the
| software, but they'd rather have that than use unlicensed
| software.
|
| It seems like this makes things easier for everyone?
| thih9 wrote:
| Given that paying for WinRAR is still a popular meme, these
| percentages look inaccurate.
| jchw wrote:
| Never trust software that doesn't trust _you_.
|
| (And yeah, I know. That's a whole lot of software to never
| trust.)
| varenc wrote:
| I use MDM on my own systems because it gives me a bit more
| control. It's also a superior form of device oversight for kids.
| bikelang wrote:
| I'm curious to know how you use this on your kids' devices.
| Which MDM do you use?
| paulddraper wrote:
| I have the same question.
|
| What MDM is priced to make this scale reasonable?
| breppp wrote:
| It always seemed weird to me when people call shell binaries from
| the middle of a desktop app. What's wrong with finding the actual
| OS API instead?
| IshKebab wrote:
| It's a lot harder, and for these sort of things maybe not even
| possible.
|
| But yeah generally it is better if you can do it.
| jeroenhd wrote:
| I tried to find the correct API for getting the current MDM
| enrollment status on macOS but I can't find anything other than
| people suggesting command line tools. Unless you're an MDM
| application yourself, I don't think there is an official API.
| TrueDuality wrote:
| Having a device enrolled in an MDM package does not make it a
| corporate device. Many corporations require personal devices be
| managed to support remote wiping. If I install a productivity or
| developer tool on my personal phone or laptop for personal non-
| corporate use I would get mistaken as a corporate user by this
| process.
|
| If you want to collect this information you should be clear about
| it and know and understand your edge cases before you start
| attempting enforcement actions based on it if that is the intent.
|
| In general in my experience, personal tools are a VERY hard
| market to sell into for corporate environments (I took a peek at
| what the software on OPs site requires a commercial license to
| use). I would bet most if not all of what you're catching here is
| unauthorized installs in a corporate environment and you're more
| likely to lose interested users than sell more commercial
| licenses.
| stoltzmann wrote:
| >Many corporations require personal devices be managed to
| support remote wiping.
|
| Corporations cannot require you to have your personal devices
| be managed by them. If you're surrendering your own gear to a
| company, it stops being your own device.
| teiferer wrote:
| But they can require things of devices connected to their
| wifi or being brought to their premises. You are welcome to
| leave the device at home if you don't want to consent.
| stoltzmann wrote:
| >connected to their wifi
|
| Absolutely, it's their own network.
|
| >being brought to their premises
|
| Depends on the local laws. Where I live, they can either
| deal with it, or provide a secured storage space for the
| duration of the visit.
|
| Either way, if a corporation wants their employees to use a
| device, they are obliged to make one available.
| Surrendering your private equipment to their management
| makes it not yours anymore.
| TrueDuality wrote:
| Yeah you're 100% right that it's optional. It's usually only
| required to allow company data such as email, slack, file
| sharing etc on your personal device. If you're on-call it is
| VERY rare for an employee to win a fight on making the
| company provide a dedicated device for that purpose (which
| can inherently make it a condition of your job but that's an
| exception).
|
| Most employees tend to not care about the why and are happy
| to just do it making "you" (the one bucking the trend) the
| oddball. The one not being the team player. It's not legally
| required, and you won't be fired for it, but it's strongly
| socially encouraged and that makes it mandatory for anyone
| not willing to put up that fight.
| branon wrote:
| There appear to be ulterior sociopolitical motives held by the
| author, which involve using the blanket term "genocide-friendly
| software" [1] to refer to anything OSI-licensed (implicitly
| suggesting all contributors to anything not using his homebrewed
| license are supporters of genocide?)
|
| This does not look like a technical or business decision, but
| rather a malicious function used to identify users (and/or their
| employers) for arbitrary reasons, under the guise of "licensing
| compliance."
|
| [1] https://github.com/LGUG2Z/komorebi-license?tab=readme-ov-
| fil...
| jeroenhd wrote:
| While the whole genocide thing is a bit of an odd angle (though
| hardly a new one, the author themselves links to the FSF
| statement on free software used for evil), I get the idea of
| checking for corporate installs.
|
| The next step wouldn't be anything crazy like "MDM detected,
| send invoice to corporate"; there are too many false positives.
| It's better to use the MDM profile information to filter out
| the larger corporate MDM providers (Intune etc.) and filter out
| school MDMs before taking any action.
|
| Most software isn't important enough to pirate if the company
| in question needs to comply with certain standards (ISO etc.)
| where an auditor might catch such a popup and make it a
| problem. Plus, IT probably wants you to stop downloading
| freeware onto corporate devices anyway. Risking being slightly
| annoying to people with corporate devices may very well help
| more people than it hurts.
|
| Most software license violations I've spotted were purely
| accidental, at least at the start. An (occasional?) popup
| saying "hey, you need a corporate license to use this product
| for business use" may be enough to scare people away from your
| software (ending the violation). Convincing someone with
| financial power to buy your software is harder than making
| people seek out an alternative, but at least your software is
| less likely to be used by freebooters.
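
Added example, not part of the thread or of the linked article: a sketch of the "known MDM server list" filtering discussed above, where only a listed corporate MDM host triggers a reminder and home-lab, school or unlisted servers trigger nothing. The function names and both host lists are assumptions made for illustration; the only real host is the one quoted in the thread.

```python
from urllib.parse import urlsplit

# Constructed sample lists (assumptions, not a real registry).
CORPORATE_MDM_HOSTS = {"i.manage.microsoft.com"}  # host quoted in the thread
SCHOOL_MDM_HOSTS = {"mdm.school.example"}         # placeholder


def mdm_host(server_url):
    """Return the lower-cased host of an MDM server URL, or None."""
    if not server_url or not server_url.strip():
        return None
    url = server_url.strip()
    if "://" not in url:
        # A bare "host/path" would otherwise be parsed as a path only.
        url = "//" + url
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def _listed(host, hosts):
    # Match the host itself or a subdomain on a dot boundary, so
    # "i.manage.microsoft.com.lookalike.example" does not match.
    return any(host == h or host.endswith("." + h) for h in hosts)


def classify(server_url):
    """Classify as 'no_mdm', 'school', 'corporate' or 'unlisted'."""
    host = mdm_host(server_url)
    if host is None:
        return "no_mdm"
    if _listed(host, SCHOOL_MDM_HOSTS):
        return "school"
    if _listed(host, CORPORATE_MDM_HOSTS):
        return "corporate"
    # Home labs, self-hosted MDM for family devices, VPN or font
    # profiles: enrolled or profiled, but no evidence of corporate use.
    return "unlisted"


def action(server_url):
    """Soft action only: a reminder for listed corporate hosts."""
    if classify(server_url) == "corporate":
        return "show_license_reminder"
    return "none"
```
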
___________________________________________________________________
(page generated 2025-11-04 23:01 UTC)