DeployLX Software Protection System

Hardware Locking and the Activation Process

DeployLX provides hardware locking and activation similar to that found in Windows®, Office® and other high-end software. Hardware locking provides an extremely powerful way of managing the use of your protected software. This topic discusses how to use hardware locking with your software.

The Activation Process

The DeployLX Licensing activation process involves building a profile of the client machine and associating a serial number with that profile. When the serial number has been associated with a profile it cannot be used on another machine without additional authorization.

When a license has not been activated, or the hardware on the machine has changed, DeployLX will ask the user to activate their license. Depending on the options chosen on the Activation limit, the user will be given options to activate online, activate manually by entering a code, or activate later.

During license activation the machine hardware is profiled and a hash is created that can be used to compare the relative differences between two profiles. The machine profile that was active at the time of activation must match the current machine profile during license validation for the license to be considered valid. If the profiles differ by an amount greater than the configured tolerance then the software must be re-activated.

When the user selects to activate online, DeployLX contacts the license server configured in the license and asks for a new license that has been activated. The server will determine if the serial number associated with the license has been used to activate the software on a different machine. If the serial number has already been activated then the user will not be permitted to activate the license and will be prevented from using the software. If the serial number has not been activated or the user has been granted an additional activation then the license is updated with the client machine's hash and returned to the client machine.

The behavior of the server can be modified to suit your organization's specific needs. See Supporting Online Activation later in this topic for details.

If the user does not have Internet access, or you have elected not to use a license server, they can select to activate their software manually by entering an unlock code. Activation codes are generated based on the license keys used to sign the license and the hardware profile of the client machine. The activation unlock code can only be used to unlock the license with the serial number and machine profile provided when the code was generated. After the user enters the unlock code, the license is updated to associate the serial number, machine profile and unlock code for later validation.

See Generating Activation Unlock Codes later in this topic for more information.

During the activation grace period the user may choose to skip activation until they are ready, for instance if they do not currently have Internet access while traveling but will have access later. Once the grace period has expired the user is required to activate to continue using the software. If they do not activate then the license is not valid and will throw an exception if no other licenses are available.

See the Activation Limit topic for details on configuring the grace period.

Machine Profiles

DeployLX uses an advanced machine profiling system for monitoring the use of protected software. At the core of the activation process is the hardware profile which is tracked and compared to determine if the user has moved the license to a new machine, upgraded their machine or is activating for the first time.

Creating the Machine Profile Hash

The MachineProfile class is used to generate a hash code representing the installed hardware on the client machine. The generated hash contains information about components of each of the 8 hardware classes.

You can use the Profile.Hash property of the MachineProfile class to retrieve the hash of the current machine's hardware profile. This hash may differ slightly from the hash used during activation if the default weights or settings have been customized in the associated Activation limit.

The hash values created by the MachineProfile class contain only enough information to determine if two hardware components are different and cannot be used to obtain any personally identifiable information.

The DeployLX licensing system tracks 8 relatively stable hardware classes that, when taken together, can easily be used to distinguish between two different machines.

Hardware Class Description
MAC Address

The MAC Address is a globally unique value that is guaranteed to be unique for every machine.

While the MAC Address is certain to be unique, it is also easy for users to move network cards between two different machines, so it should not be the only component relied on for machine comparisons.

DeployLX detects attempts to spoof the MAC address and invalidates the license when detected.

CPU

Many activation systems claim that you can use the serial number of the CPU to uniquely identify a system. This is incorrect as the Pentium III was the only CPU to support a unique serial number and came disabled by default in later editions.

DeployLX instead will track the actual CPU model, speed and features. With so many different models available this is an effective distinguishing feature when comparing machines.

System Drive

DeployLX will attempt to obtain the physical serial number of the operating system drive. Using the physical serial number is extremely effective in distinguishing machines.

When the physical serial number cannot be obtained, either because the drivers do not support it or because the hard drive configuration does not present a unique number (such as a RAID array), DeployLX will use the model of the hard drive, volume label and disk size to create a pseudo number.

Memory

The machine profile will track information about the amount of RAM installed on the machine. No other information about the brand or model of RAM is considered.

CD-ROM

The machine profile will track the model and vendor information of all CD/DVD-ROM drives installed on the machine.

Video Card

The machine profile will track the model and vendor information of all video cards installed on the machine.

IDE Controller

The machine profile will track the model and vendor information of the IDE controller installed on the machine. In almost all cases the IDE controller is integrated directly into the motherboard and can usually be considered an effective identifier of the motherboard itself.

SCSI Controller

The machine profile will track the model and vendor information of all SCSI controllers installed on the machine. SCSI controllers include legacy true SCSI systems as well as modern RAID controllers that support IDE or SATA drives.

Profile Comparisons and Activation Tolerance

When two machine profiles are compared, each hardware class is evaluated separately. Each class is given a weight which is used to determine the relative importance of that class of hardware when determining how different two machines are. When the components are compared, if a difference is found then the weight is tallied to create a difference rating. If the rating is greater than the configured tolerance of the license then the two profiles are considered different.

When comparing hardware profiles DeployLX considers 3 different weights for each class and will tally the weight of all mismatched components to generate a difference rating. If the rating is greater than the configured tolerance then the machine profiles are considered different.

Weight Description
No Match

When no components of a class in one hash match any components of the same class in the other hash.

Partial Match

When some components of a class in one hash are found in the same class in the other hash.

File Moved

When the host .LIC file has been moved outside the licensing API. This can happen if the user copies the license from another machine, or backs up the license file and restores it, in an attempt to circumvent the licensing.

You can also select the Invalidate On File Moved option on the Activation limit in the Advanced License Editor to automatically force a mismatch of all machine comparisons if the file has been moved.

Cumulative Changes Over Time

DeployLX also supports cumulative changes to allow for minor upgrades on a machine over time. For example, if the user adds additional memory to their machine the license will not need to be reactivated. If they later change their network card, the combination of differences will require the license to be reactivated. When cumulative changes are allowed and the difference between the memory change and network change is less than the cumulative tolerance, the user will not be required to reactivate.

When Cumulative Changes is selected you should also select the Invalidate On File Moved option to prevent copying between similar machines.

If the user upgrades their motherboard the MAC Address and IDE Controller are likely to change. Using the default weight options the difference rating between the two hardware profiles would be 4 (MAC Address +3, IDE controller +1). Since that is greater than the default tolerance of 3 the user would be required to reactivate.

If the user upgrades their memory, CPU and video card but keeps all other components the same, the difference rating would be 3 (CPU +1, memory +1, video card +1). Since that is less than or equal to the default tolerance of 3, the user would not be required to reactivate. If the same user later modified any other component they would be required to reactivate.
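The difference rating described above can be modeled in a few lines. This is an added illustration, not DeployLX code: HwClass, Weights, Components, Rating and Report are hypothetical names, the component identifiers are constructed, and every weight not quoted in the text (all partial-match weights and the no-match weights for the system drive, CD-ROM and SCSI classes) is an assumed placeholder. The File Moved weight and cumulative changes are not modeled.

```csharp
using System;
using System.Collections.Generic;

enum HwClass { Mac, Cpu, SystemDrive, Memory, CdRom, Video, Ide, Scsi }
static class DifferenceRatingDemo
{
    const int Tolerance = 3; // default tolerance quoted in the text

    // { no-match, partial-match } weight per class. Quoted in the text: no-match 3 for MAC and
    // 1 for CPU, memory, video card, IDE controller. Every other number is an assumed placeholder.
    static readonly Dictionary<HwClass, int[]> Weights = new Dictionary<HwClass, int[]> {
        { HwClass.Mac, new[] { 3, 1 } },         { HwClass.Cpu, new[] { 1, 1 } },
        { HwClass.SystemDrive, new[] { 2, 1 } }, { HwClass.Memory, new[] { 1, 1 } },
        { HwClass.CdRom, new[] { 1, 1 } },       { HwClass.Video, new[] { 1, 1 } },
        { HwClass.Ide, new[] { 1, 1 } },         { HwClass.Scsi, new[] { 1, 1 } } };

    // Each class holds a comma-separated list of constructed component identifiers.
    static HashSet<string> Components(Dictionary<HwClass, string> profile, HwClass c) =>
        new HashSet<string>((profile.TryGetValue(c, out var v) ? v : "")
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries));

    static int Rating(Dictionary<HwClass, string> activated, Dictionary<HwClass, string> current)
    {
        int rating = 0;
        foreach (var entry in Weights)
        {
            var a = Components(activated, entry.Key);
            var b = Components(current, entry.Key);
            if (a.SetEquals(b)) continue; // unchanged, or absent from both profiles
            rating += a.Overlaps(b) ? entry.Value[1] : entry.Value[0]; // partial : no match
        }
        return rating;
    }

    static void Report(string label, Dictionary<HwClass, string> activated,
                       params (HwClass Kind, string Value)[] changes)
    {
        var current = new Dictionary<HwClass, string>(activated);
        foreach (var change in changes) current[change.Kind] = change.Value;
        int rating = Rating(activated, current);
        Console.WriteLine($"{label}: rating {rating}, " +
            (rating > Tolerance ? "reactivation required" : "license still valid"));
    }

    static void Main()
    {
        var activated = new Dictionary<HwClass, string> { // profile stored at activation
            { HwClass.Mac, "nic-a" }, { HwClass.Cpu, "cpu-a" }, { HwClass.SystemDrive, "disk-a" },
            { HwClass.Memory, "8GB" }, { HwClass.Video, "gpu-a" }, { HwClass.Ide, "ide-a" } };
        Report("Motherboard swap", activated, (HwClass.Mac, "nic-b"), (HwClass.Ide, "ide-b"));
        Report("CPU, memory, video", activated,
            (HwClass.Cpu, "cpu-b"), (HwClass.Memory, "16GB"), (HwClass.Video, "gpu-b"));
        Report("Second NIC added", activated, (HwClass.Mac, "nic-a,nic-usb"));
    }
}
```

The first two cases reproduce the ratings of 4 and 3 worked through above; the third shows a partial match, where the original network card is still present alongside a new one.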

Activation Profiles

The Activation limit can track multiple hardware profiles simultaneously for a single license. This can be used to allow the user to install the license on multiple machines, or to track multiple states for a single machine such as docked or undocked.

License Transfers and the Deactivation Wizard

Users will invariably need to move software activated on one machine to another. To support this DeployLX includes a de-activation system to allow the user to completely remove the software from the current machine before they are allowed to install it on another machine.

Once the software has been de-activated the user will need to re-enter their serial number and re-activate to use the software on the same machine. The license server will check to see if they installed it on another machine and prevent them from reusing the license on the original machine.

You can start the deactivation wizard directly from the protected software or as part of the installation package's uninstall routines. Refer to the installer's documentation on how to call an external library.

To enable software deactivation

  1. Open an existing license in the Easy License Editor.
  2. If not checked, select Lock the software to the user's hardware.
  3. Switch to the Hardware Locking Tab.
  4. Select Enable the license transfer wizard.
  5. Save the license for use by your protected software.

When using the Easy License Editor all editions of the product will use the same set of limits. To configure different rules for each edition you must edit the license in the Advanced License Editor.

  1. Open an existing license in the Advanced License Editor.
  2. Select the license containing an Activation limit to enable deactivation.
  3. Switch to the Limits tab.
  4. Select the Activation limit from the limits tree.
  5. Select Can deactivate from the Activation Options group.
  6. Save the license for use by your protected software.

This sample demonstrates how to initiate the deactivation wizard.

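Visual Basic

' _license is a field of the form, as in the C# sample below.
_license = SecureLicenseManager.Validate(Me, Nothing, Nothing)
' Deactivate returns True once the wizard has removed the activation.
If SecureLicenseManager.Deactivate(_license, Me, Nothing, Nothing) Then
    MessageBox.Show("The software has been deactivated.")
    Application.Exit()
End If

C#

// _license is a field of the form.
_license = SecureLicenseManager.Validate( this, null, null );
// Deactivate returns true once the wizard has removed the activation.
if( SecureLicenseManager.Deactivate( _license, this, null, null ) )
{
    MessageBox.Show( "The software has been deactivated." );
    Application.Exit();
}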

Supporting Online Activation

To support online activation you must create a license server and modify the CanActivate and RecordActivation methods of the generated ASMX file and modify the license to point to the generated server.

See the License Servers in DeployLX topic for details on creating and deploying the license server.

To configure a license for online activation

  1. Open an existing license in the Easy License Editor.
  2. If not checked, select Lock the software to the user's hardware.
  3. Enter the address of the license server in the License Servers field.
  4. Save the license for use by your protected software.

When using the Easy License Editor all editions of the product will use the same set of limits. To configure different rules for each edition you must edit the license in the Advanced License Editor.

  1. Select New License | Advanced License Editor from the Home tab of the Ribbon in the DeployLX Manager.
  2. Select the license to be activated online from the list.
  3. Switch to the Limits tab.
  4. Add the Activation limit from the limits gallery on the License tab of the Ribbon.
  5. Enter the address of the license server in the Servers field.
  6. Save the license for use by your protected software.

Customizing the License Server

The default behavior of the license server generated by the Server Wizard allows the user to install the license on a single machine for each profile in the Activation limit. The default implementation will also support deactivation if selected in the license.

To customize the behavior of the activation process on the license server you can modify the CanActivate and RecordActivation methods.

Method Description
CanActivate

The CanActivate method is called during online activation to determine if the software may be installed on the machine. The method created by the wizard will check the database to see if a license with the same serial number has already been activated.

If there were no previous attempts to activate then CanActivate returns true.

If there is an existing activation record then one of two actions is taken. If the AllowNewMachine field in the database is set then the new activation is permitted. This field will be set by the deactivation wizard when the software is removed from the user's machine. If not set then CheckProfile is called to determine if the new request is a close match to the previous activation or permitted to override the existing record.

RecordActivation

RecordActivation is called if the activation request is determined to be valid and records the license and hardware information into the database.

To customize the behavior of the deactivation process on the license server you can modify the CanDeactivate and RecordDeactivation methods.

Method Description
CanDeactivate

The CanDeactivate method is called when the user requests that the license be deactivated from the user's machine and is used to determine if the user is allowed to remove software and install on another machine.

The method created by the wizard checks to see if the software has already been deactivated and will return false if there is already a pending request to deactivate the software.

This method will be called twice during the deactivation process, once for each phase.

RecordDeactivation

RecordDeactivation is called if the deactivation request is determined to be valid and sets the AllowNewMachine field of the database.

This method will only be called after the software has been deactivated and removed from the user's machine during the Commit phase.

Generating Activation Unlock Codes

You can provide backup activation options to your users by phone and email when they do not have access to the Internet for online activation.

You must be licensed by XHEO to use DeployLX Licensing for each machine that will generate activation codes. If you create your own activation code generating tools you must still obtain a license for the machines that use your tool.

If your resellers or partners generate activation codes on your behalf you must obtain a separate license from XHEO for each reseller. You may not create a web service or other automated tool that exposes the activation code generation features to an unlicensed 3rd party. Contact XHEO for information about reseller discounts.

Using the DeployLX Manager to generate activation codes

  1. Open a copy of the license file to generate an activation code for. Any exact copy of the license will work - normally the runtime.lic license included in your project.
  2. Select the license/edition you want to generate an activation code for from the list of licenses.
  3. Select Generate Code | Generate Activation Code from the Home tab of the Ribbon. The Generate Activation Unlock Code Form is displayed.
  4. Enter the Serial Number of the license being unlocked.
  5. Enter the Machine Hash Code.
  6. If the license supports multiple profiles, select the Machine ID of the hardware profile that the user is activating.
  7. Select the Code Expires date to limit how long the activation code can be used. The default is 3 days from the current date UTC.
  8. Select Generate to generate the activation unlock code.

The serial number, machine hash code and machine id are displayed on the activation form and should be included in any email from the user or read over the phone.

Generating From Code Sample

This sample demonstrates how to generate an activation unlock code in code. See the MakeActivationCode method for details.

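Visual Basic

Dim key As New LicenseKey("Path to LSK keys file")
key.DeployLxSerialNumbers = New String() { _
    "Your DeployLX Serial Number." }

' Despite its name, serialNumber receives the generated activation unlock code.
' See the MakeActivationCode method for the meaning of each argument.
Dim serialNumber As String = key.MakeActivationCode( _
    "PRO-", _
    "PRO-XXXXX-XXXXX-XXXX-XXXX", _
    "PRO-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX", _
    1, _
    DateTime.MinValue, _
    Nothing, _
    CodeAlgorithm.NotSet)

C#

LicenseKey key = new LicenseKey( "Path to LSK keys file" );
key.DeployLxSerialNumbers = new string[] { 
    "Your DeployLX Serial Number." };

// Despite its name, serialNumber receives the generated activation unlock code.
// See the MakeActivationCode method for the meaning of each argument.
string serialNumber = key.MakeActivationCode(
    "PRO-",
    "PRO-XXXXX-XXXXX-XXXX-XXXX",
    "PRO-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX",
    1,
    DateTime.MinValue,
    null,
    CodeAlgorithm.NotSet );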
