Organisations with ITAM fully integrated into the procurement process should be confident that they have details of all OEM-installed components and their licensing. The Superfish incident indicates that this is not always the case.
Talking to asset managers who have rigorous processes around their hardware and OEM purchasing over the last few days, I haven’t yet found one whose organisation has been impacted by Superfish, but this may be coincidence, as the sample is small and the asset managers concerned have a great deal of experience. For many organisations this is the first time the issue of OEM software has grabbed their attention (to be fair, there’s generally a lot going on, what with audits and stuff). And some are now wondering what else might be installed that they don’t know about.
During a recent research discussion on the topic of OEM software, my colleague Stewart Buchanan observed that:
Perhaps all digital technology should be labeled with the warning “May contain licensed software” in much the same way as food is labeled “may contain nuts”? “Read the list of ingredients carefully” is great advice if they’re declared, but there’s no IT equivalent of food labeling standards to help ensure transparency about the ingredients.
Our top tips for safe hardware procurement:
- Have a clear specification detailing exactly what you want included as OEM including all drivers and applications, not just the OS.
- Insist that vendor documentation includes details of all software components, including EULAs for OEM software and documentation from the licensor confirming the vendor’s right to install the software.
- Ensure that contracts make clear that the vendor will be liable for any licence compliance issues arising from software provided without the appropriate documentation.
- Ensure that contracts make clear that the vendor will be liable for any loss or damage resulting from the inclusion of software not specifically set out in the contract.
- Carry out thorough inspection and testing of a sample of the hardware either before confirming the order or on delivery as part of acceptance criteria. Any additional components not included in the specification or contract should be queried and resolved before payment is made.
- Software provided as OEM is not suitable for re-imaging, as the licence is tied to the device, and editions and versions may vary based on the OEM and the date the hardware was procured.
- If creating a standard build, do not re-image based on a copy of an OEM-supplied build. Your re-imaging rights for the Microsoft OS come from volume licensing, so use the volume licensing media for the image. Then ensure that any other components required for the build are also correctly sourced and licensed.
- Always ensure that the device being re-imaged is clean and free of all previous software installations before applying the new image.
- If you are not re-imaging the device but are using the pre-installed image, then careful testing of the device is even more important to ensure that no ‘extras’ have been delivered along with your build.
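The inspection step above (checking a sample device, or a device kept on its pre-installed image, for components that are not in the specification) can be made repeatable. The script below is an added example written for this post, not code from the original article or from any vendor; it assumes an approved list of application display names in a CSV file named approved-oem-software.csv (a hypothetical file name) and an elevated PowerShell session on the sample device. It reads the Windows uninstall registry hives for installed applications, lists signed drivers by provider, and writes anything not on the specification to a report for the vendor query.

```powershell
# Added example (not part of the original post): compare what is installed on a
# sample OEM device against the procurement specification.
# Assumptions: approved-oem-software.csv (hypothetical file name) has a
# DisplayName column listing every application the specification allows;
# the script runs in an elevated PowerShell session on the device under test.

$approved = Import-Csv -Path '.\approved-oem-software.csv' |
    Select-Object -ExpandProperty DisplayName

# Installed applications are registered under both the native and the
# 32-bit-on-64-bit (WOW6432Node) uninstall hives, so read both.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, DisplayVersion, InstallDate

# Anything whose display name is not in the specification is an 'extra'
# to be queried with the vendor before acceptance and payment.
$unexpected = @($installed | Where-Object { $approved -notcontains $_.DisplayName })

$unexpected | Sort-Object Publisher, DisplayName |
    Export-Csv -Path '.\unexpected-oem-software.csv' -NoTypeInformation

# Drivers are part of the OEM build too: summarise third-party driver
# providers so they can be checked against the driver list in the spec.
$drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DriverProviderName -and $_.DriverProviderName -ne 'Microsoft' } |
    Select-Object DeviceName, DriverProviderName, DriverVersion

$drivers | Sort-Object DriverProviderName, DeviceName |
    Export-Csv -Path '.\oem-drivers.csv' -NoTypeInformation

"{0} installed applications, {1} not in the specification; {2} non-Microsoft drivers listed" -f `
    @($installed).Count, $unexpected.Count, @($drivers).Count
```

Run it on each sampled device and attach the two CSV files to the acceptance record; a non-empty unexpected-oem-software.csv is the trigger for the contractual query described in the tips above, and the driver list gives the asset manager something concrete to reconcile against the vendor’s component documentation.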
Remember, when you are buying hardware, you’re generally not just buying hardware. So make sure that the software that comes with it is what you ordered, is correctly licensed and is safe for your organisation to use. Not all extras are like Superfish, but the potential for licensing issues to arise from unmanaged OEM software should not be underestimated.