07 Sep MDM Piracy by Default
From Computer Labs to BYOD
It’s an undeniable trend: more and more students are relying on their own personal devices for their computing needs. Students are still using computer labs, however, and one of the major reasons is that computer labs can deliver software like Logic Pro X, Final Cut Pro X, and other high-end specialized software that is not easily afforded on a student’s budget. Historically, there hasn’t been much of a choice on the matter, but what if we could find a way to give students a choice?
About 10 months ago, I started trying to implement a Bring Your Own Device (BYOD) program here at the Marriott Library. The concept was simple: allow students to use software licenses we had purchased on their own personal devices. They would be able to use the software for as long as they were affiliated with the University of Utah, and as soon as they weren’t, we would be able to reclaim the licenses for use by other students.
On paper, the concept sounds amazing! We could reduce the overhead of buying hardware and reallocate that money into more software licenses for students. We had all the tools in place: between Apple’s Volume Purchase Program (VPP) and JAMF Pro as our Mobile Device Management (MDM) server, we could finally get this longtime goal up and running.
Alas, as many of you know, getting something of this scale up and off the ground is never that easy. Barring the typical procedural and technical hurdles like establishing our departmental VPP account, maintaining 3rd-Party Installer Certificates, designing custom workflows to allow for proper scoping and distribution of software licenses, and a very limited budget, we came across one hurdle that completely stopped the entire project in its tracks… Almost 6 months later, and we’re still waiting for Apple to fix it. So I wanted to start by putting this out there:
MDM, VPP, and Managed Applications
Without going into too much technical detail, here’s the general idea: Apple’s VPP allows an institution or business to purchase licenses of any software available on the App Store. Using any MDM solution, those licenses can then be distributed out to any client system enrolled.
Here at the Marriott Library, we use JAMF Pro as our MDM server, which includes some very nifty features that allow us to make VPP apps available via Self Service. This allows us to automatically assign the VPP license to the client and then start the download of the application. From the user’s perspective, it’s seamless and intuitive. Once there are no longer any VPP licenses available, the application cannot be downloaded by any other users until one of the licenses is no longer in use; no muss, no fuss.
JAMF Pro gives administrators the ability to finely tune the scoping of these licenses, which keeps everything nice, neat and very modular. With a few API calls, extension attributes, and a little imagination, the entire process, including queuing and license revocation, can be automated, effectively giving your institution its own “App Store” of software with available licenses.
If you would like to know more about MDM, JAMF has some great resources here: Mobile Device Management 101
VPP License Assignment
When I originally started the pilot project for our BYOD, I planned on having a group of about 50 students and asked them about the software they would be most interested in. Unsurprisingly, the overwhelming majority of requests on macOS were for professional editing software like Final Cut Pro and Logic Pro. The problem was that these programs are very expensive and I did not have enough funding to get 5 licenses each, let alone 50 licenses.
So, using over half of my budget, I purchased 3 licenses for Final Cut Pro and 2 licenses for Logic Pro. Now I had a new problem: The original idea was to let students “own” this software for as long as they were associated with the university. When they graduated, I could reclaim the license and pass it along to another student. However, I only had a total of 5 licenses, meaning this program would be awesome for the first 5 students, and useless for everyone else.
I was afraid that the program would be dead in the water without a great pool of software to choose from, so I had to come up with a way to spread this software out. I figured, “We’re a library. We check books out, why not software?” Perfect!
I set up a policy to grant the licenses out to students on a 1-2 week time limit, reclaim the licenses automatically and then let another student check out the software. It took a while to build some custom policies and scripts in JAMF Pro, but I eventually figured it out and it seemed to be working!
As I had my test boxes checking out the software, I noticed something odd… I had Final Cut Pro running on 4 different machines, but I only had 3 licenses… I reclaimed the licenses, and Final Cut Pro kept running on all 4 machines. I even distributed the licenses to 3 additional machines, thinking that the previous machines would stop working if all the licenses were in use elsewhere. Nope, now I had 7 machines running fully operational copies of Final Cut Pro with only 3 licenses.
This is where I stopped my testing, but I imagine I could have pulled those 3 licenses again and handed them out ad infinitum.
Up to this point, the general workflow was:
1. User Enrolls in Program
2. Selects Software in Self Service
3. VPP License is Assigned and Software is Installed
4. Expiration Condition (Checkout Expires, No Longer Affiliated with University)
5. VPP License is Revoked
6. Software is Uninstalled or Rendered Unusable
Except that step 6 didn’t work… And I had to find out why.
Apple MDM Protocol
I originally thought this was a bug with JAMF, so I reached out to their technical team. They thought it was strange as well, and after some back-and-forth emails and an escalation or two, I was finally sent a link to the Apple Developer Mobile Device Management (MDM) Protocol Reference. More specifically the section on Managed Applications, which reads:
While Apple’s MDM Protocol is fully supported on iOS, it is only partially implemented on macOS, which leads to a very interesting problem. While apps can be installed on macOS, there’s currently no way to remove that software from the clients at a later date using the MDM protocol. The licenses can be reclaimed, but the installed software remains completely functional and intact.
Now, Apple has claimed that once the license has been removed, the app can no longer be updated by the user, but what wasn’t made clear was whether updating an unlicensed app would render the software unusable, or whether updates would simply no longer be available on the App Store. Apple also originally claimed that the software would simply stop running after a month or two without a license.
Now, there is a section in Apple’s Volume Purchase Program for Education under Managed Distribution, step 4, that discusses a 30-day grace period. However, I had an unlicensed copy of Final Cut Pro running on a system for well over what Apple claimed would work, and though I would like to perform some more tests as I am writing this, the system seems to have been re-imaged at some point ¯\_(ツ)_/¯
However, for the sake of testing, I was able to assign a license for Final Cut Pro to one of my clients, install the app, revoke the license, and was STILL able to install “Pro Video Formats” as well as “Final Cut Pro X Supplemental Content” from the App Store a day later. So Apple’s claim doesn’t appear to be valid here either.
Why Hasn’t This Been Brought To Apple’s Attention?
Well, it has… We brought it up to them about 6 months ago, but we have not heard anything concrete from them as of yet, and so far nothing seems to have changed. My only guess is that it doesn’t break in a way that is inconvenient for anyone, so nobody has noticed.
Users keep getting to use the software, and system administrators keep getting to hand out licenses. No one gets left out in the rain… Well… Except for developers that is.
Now, I don’t imagine that there are 1,000,000+ unlicensed apps out in the wild as a result of lax VPP licensing, but then, I don’t think anyone is turning around licenses quite at the pace that I am planning.
If I am cycling through all 5 of my licenses per week, and not getting repeat checkouts (and why would I? the software never stopped working) then the math goes as follows:
(Logic Pro: $199.99 x 2) + (Final Cut Pro: $299.99 x 3) = $1,299.95/week (or $47,198.42/year)
Take those same numbers at a daily rate of distribution and the total amount of lost revenue comes to $474,481.75/year after distributing 1,825 (5*365) licenses. This is a very probable figure, seeing as 2016 enrollment at the University of Utah was 31,860 and each student could potentially have a working copy of both of these programs.
This isn’t some special method developers aren’t calling, it isn’t a specific value they forgot to set. This is default MDM functionality, and there isn’t much that can be done until Apple decides to fully implement Managed Applications on macOS.
There is absolutely nothing stopping me from buying a single license of Final Cut Pro X, allowing any student to download a copy, and then automatically reclaiming the license once the download is done. Also, I may have forgotten to mention: this is Apple’s software I’m talking about. If it isn’t working for them, it’s definitely not working for you.
To make it perfectly clear though, this is NOT what we are doing…
We are working very hard to make sure this doesn’t happen. However, seeing as this is default behavior with macOS, I believe that it could be happening elsewhere, accidentally or otherwise.
What Can Be Done?
I’m not sure much can be done until Apple fully supports Managed Applications on macOS. There are ways around this, like installing a backdoor that goes through, removes the application and then removes itself, but my experience is that users tend to be pretty averse to this option. We’ve also been toying with the idea of an auto-removal package (though that would create some overhead for us).
It has also been mentioned that developers can have their applications validate the App Store receipt, which provides a workaround for this missing functionality in the MDM specification on macOS. System administrators may be able to create and distribute payload-free installers that can uninstall the app when it is no longer licensed. All of these are workarounds, though; the best option is to pressure Apple into fixing the MDM client on macOS.
We currently have an Open Radar ticket open here.
We have submitted bug reports using Apple Bug Reporter that have been closed due to duplicate issue notices, but if you feel like opening a bug with them, feel free. The important part is that both developers and system administrators are aware that this is going on.
I’m currently still figuring out the intricacies of MDM for myself and am looking into other ways of querying systems for expired licenses. I’ll be sure to keep you posted as I discover more.
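One way to surface the gap from the administrator's side, as an added example that is not the author's code and does not call any JAMF Pro or Apple API: replay the license assign/revoke log against an installed-app inventory and flag machines that still carry the app after its VPP license was reclaimed. The event and inventory schemas, the device names and the bundle identifier used as a key are assumptions, constructed to mirror the 3-license, 7-machine test described earlier.

```python
from collections import defaultdict

# Constructed data mirroring the test described in the post: 3 purchased
# seats, cycled across 7 machines. The bundle ID key, device names and both
# schemas are assumptions, not JAMF Pro or Apple API output.
APP = "com.apple.FinalCut"
PURCHASED = {APP: 3}
EVENTS = (
    [("assign", APP, f"MAC-0{n}") for n in (1, 2, 3)]
    + [("revoke", APP, "MAC-01"), ("assign", APP, "MAC-04")]
    + [("revoke", APP, f"MAC-0{n}") for n in (2, 3, 4)]
    + [("assign", APP, f"MAC-0{n}") for n in (5, 6, 7)]
)
INVENTORY = {f"MAC-0{n}": {APP} for n in range(1, 8)}  # app never removed
INVENTORY["MAC-08"] = set()                            # enrolled, never installed


def active_assignments(events):
    """Replay the assign/revoke log; return {bundle_id: devices holding a license}."""
    active = defaultdict(set)
    for action, bundle_id, device in events:
        if action == "assign":
            active[bundle_id].add(device)
        elif action == "revoke":
            active[bundle_id].discard(device)  # tolerate revokes with no prior assign
        else:
            raise ValueError(f"unknown license action: {action!r}")
    return active


def reconcile(purchased, events, inventory):
    """Per app: purchased seats, live licenses, installs, and unlicensed installs."""
    active = active_assignments(events)
    report = {}
    for bundle_id, seats in purchased.items():
        installed = {dev for dev, apps in inventory.items() if bundle_id in apps}
        licensed = active[bundle_id]
        report[bundle_id] = {
            "seats": seats,
            "licensed": len(licensed),
            "installed": len(installed),
            # Revocation succeeded on the server but the app is still on disk.
            "unlicensed_installs": sorted(installed - licensed),
            "over_deployed": len(installed) > seats,
        }
    return report


if __name__ == "__main__":
    for app, row in reconcile(PURCHASED, EVENTS, INVENTORY).items():
        print(app, row)
```

The server-side license count stays at 3 throughout, so only the comparison against on-disk inventory reveals the four machines whose licenses were reclaimed.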
Scott Morabito Posted at 18:56h, 30 November
If you’re using JAMF, how about just `rm -rf /Applications/FinalCutPro.app`??
Sam Forester Posted at 15:39h, 01 December
Thanks for the feedback!
We’ve actually played around with this very idea, but because these are personally owned devices, the notion of installing an administrative back-door in order to simply delete an application is not entirely ideal. From our students’ perspective, we are simply giving them access to these applications, and we shouldn’t need the “keys to the kingdom” to do so.
However, if we did decide to go with this approach, it could create a major scaling problem as each individual application will require very specialized smart groups, scripts, policies, and/or extension attributes. Not to mention, each student, having administrative access to their own machine, can simply run `sudo jamf uninstall` or just move the application into another folder and now we can’t do anything.
There are a few other ways I’ve thought of making a “best effort” removal process that could address SOME of these issues, but ideally, Apple needs to fix this. The point of this blog is that many MDM administrators distributing applications in a BYOD scenario aren’t aware of this issue and are basically giving out free software to users using the BYOD.
addihetja Posted at 08:13h, 19 August
This seems to be fixed in macOS 11: https://developer.apple.com/documentation/devicemanagement/remove_an_app