ChrisProTech

The AppStack Was Pirated.

New Project 3

Written by

Chris

in

, , ,

In a previous role, I worked for a large healthcare company running a VMware Horizon non-persistent VDI environment.

If you’ve ever managed Horizon in a healthcare setting, you already know how “fun” that combination can be – duplicate sessions, pool unavailability, network issues, and the constant battle of keeping clinical staff happy without breaking anything.

image 1
VMware Horizon in Prod – Credit

Our setup was pretty complex: Windows 10 virtual desktops, a stack of AppVolumes packages, and a plethora of departmental customizations sprinkled across different user groups.

Most users lived their entire day inside a session that was completely wiped the moment they logged off. Everything they needed had to come from Network storage, logon scripts, or an attached AppStack.

One of those AppStacks was Adobe Acrobat.
In fact, we had four different versions of Adobe Acrobat:

How did we handle licensing?

We had a poorly documented process for each:

  • Adobe Reader free – the standard version of Adobe that all users got by default. No purchase/approval needed.
  • Adobe Acrobat Standard DC – subscription-based, assigned only to admin or power users who actually needed editing capabilities. We’d raise a ticket to procurement who would buy a license in the Adobe portal, and we’d make the user an Adobe Account and assign the license + appstack.
image 2 edited 1
  • Adobe Acrobat Pro – subscription-based, used by executives and operational teams. We would pass these straight to our procurement team, they’d then purchase a license and assign it through an internal system (or so we thought), then pass the ticket back so we can update the user’s assigned appstack.
image 8
  • Adobe Acrobat 2017 – perpetually licensed version that some operational teams used, because they had old licenses for it. We’d keep the licenses attached to tickets within our ITSM system, which made them easy to find – yeah…
image

What went wrong?

Well, it all started on a Monday morning when I came into the office and saw an influx of tickets regarding Adobe being “broken”.

It turns out, our VDI guys had pushed new appstacks for Adobe Reader/Standard, updating them to the latest version – which had quite a different user interface from what users were used to.

Not much was actually broken, users just saw the app looking a bit different and got scared, the only real issue was that one of the PDF editing tools wouldn’t load correctly because it relied on a DLL or something that was omitted from the appstack.

So we got that sorted and thought all was well, but then we started to see some more tickets come in, from all over the business, about a licensing error.

image 9 edited 1
Pretend this says Pro, I can’t find a better screenshot than this.

Huh, nothing changed with licensing, what’s going on here?

Where did our licenses go?

So it turns out that alongside Adobe Reader and Standard, Adobe Pro was updated as well.

Normally, this would be fine, however it revealed something rather scary, nobody knows where the Adobe Pro licenses for all of these users are, we only have the tickets with approvals from our procurement team, so we asked them about it.

Oh, we have no action needed on our end for these, we just review the request and assign back to you guys for the technical work.

Well, that tells us exactly what I was afraid of, we had dozens of users without valid licenses for Adobe Pro, and they need it now.

And so began a procurement spree, getting a list of users that need Adobe Pro and actually buying licenses this time.

Our packaging guy had a well-kept secret

The guy that actually packaged all our apps, for both VDI and non-VDI, was an older gentleman, who very much wanted to retire, but he was just “too good” at what he did.

image 11
Arthur, our (illustrative purposes only) app packaging engineer.

I had a chat with him after we figured out what the issue was, and he told me that the Adobe Pro appstack was basically built for 2 specific VIP’s in the company.

I let him know that there were about 50 users in it right now, and he proceeded to get very pissed off at us/SD.

In the end, someone from management got through to him, and found out that Adobe’s DRM had been bypassed when appstacking Adobe Pro – meaning we were effectively running a pirated Appstack for months.

Well, that was fun.

Yep, the business sort of turned this into a bit of a cost-saving opportunity as well.

None of the managers wanted to use their IT budgets on this issue so we were advised to only procure a license if someone explicitly raised a ticket about it.

In the end, everyone already hated VDI, and we had a bad reputation because of it – so it didn’t really impact us all that badly.

Adobe, if you are reading this, know 3 things:

  • Our company paid for licenses immediately after identifying the issue.
  • I no longer work for this company, this issue was years ago, and I was just in a standard L2 role, not at all in a position where I could be accountable for this.
  • The method of activation used was later found to be approved by an Adobe rep, which eliminated any concerns about accidental misuse.

Hope you enjoyed!

🙉 Wanna know when I post?

I don’t spam! – Just one email, every couple of days, when there’s a new post.

Sharing is caring!

Comments

Note: any comments identifying companies or individuals discussed above will not be approved.

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts