Keeping Kids from Stealing Apps
Novell Cool Solutions: Trench
Digg This -
Posted: 9 May 2003
We recently posted this Q&A with an OPEN CALL for more suggestions.
Question: Armand L. wrote: An idea that's been bouncing around at the high school where I work is to provide a wireless access point in our library for students to connect to the school network from their own notebook computers. While we do have this technology and I do believe that this is a good step towards the future, I am concerned with our ZfD 3.2 applications being installed and taken home - which is stealing, whether the students know it or not. Is there an easy way to prevent "foreign" notebooks from accessing our applications, or will we have to create and maintain a manual list or workstation group of our 300 workstations to limit access to those workstations only?
Answer: OPEN CALL: Here's one thought. Create a registry key, file or similar on each 'school' machine; make each application dependent on that feature being present. Also, lock down your workstations and servers. Anyone else got a slicker idea? Fire when ready...
To expand on your proposed solution:
We currently use identical images for computers located in several labs at our high school. We place a simple text file (LAB-room#.txt) on each computer in a lab and only launch an application if a specific LAB-file exists.
This allows us to turn software on/off at will to entire lab groups, so when a lab goes "down" we can immediately transfer classes to another lab using pre-established customized environment, drive-mappings, etc. developed just for that class, while still staying within our licensed-seat count. We can also change custom-configurations during different times of the day using the Application Schedule function. Works great!
We use a product from Sassafras called KeyServer. It runs under NetWare, Windows, Linux, Mac OS and Mac OS X. http://www.sassafras.com/
It works by modifying the executable slightly (zero-byte change). The user has to have the KeyClient software installed on their workstation in order to get permission from the KeyServer to run the app. The app can be installed on the workstation or a server.
It also allows you to manage concurrent licenses, provides reporting and auditing, and has a mechanism to allow users to check out a key for times when they are disconnected from the network.
You can restrict access to an app by IP address, so if you have a lot of "foreign" laptops, you may want to take that additional measure, and make sure you give them IP addresses in the restricted range on the off-chance they have the KeyClient installed (seems unlikely). There are some other ways to restrict access, but Sassafras's docs can describe them better than me.
I use DHCP and manually assign ip's to valid mac addresses.
Your suggestion of using a registry key is probably the easiest, but instead of having to push it down every time, use the feature in MS Sysprep. There is a key that can be pushed during the sysprep run called "OEMDuplicatorString". When Sysprep runs, it writes a user-defined value to HKLM\System\Setup\OemDuplicatorString. We use this as verison control to keep track of what version of our baseline image is on a desktop. It's in a location a restricted user can't get to, and even an admin would have to know what they are looking for (and what your default key is) to be able to change it.
This is simple, doesn't require reinventing the wheel, and can be used for lots of different things.
Just my .02
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com