Is SUMo FREE not permitted on Windows Enterprise?

MartinPC
Posts: 5
Joined: Sat Oct 20, 2018 9:13 pm

Is SUMo FREE not permitted on Windows Enterprise?

Post by MartinPC »

In some countries, it's legal for individuals to purchase personal Windows Enterprise "seats" from a "bucket shop" (~wholesaler) that has negotiated an Enterprise license. Also, some companies with Enterprise licenses in countries where this is not legal provide seats to their employees for their personal computers as a perk.

My dad falls into the latter category, but when I tried to install the latest version of sumo-lite on his personal Windows 10 Enterprise computer, I got a message that it couldn't be installed. Does sumo-lite assume that all Windows Enterprise computers are used commercially and refuse to install on that basis? (I've run into this with at least one other free-for-personal-use program.) Was this just a fluke? Or could something else be preventing installation?

My dad's computer is already running a version of sumo-lite that's two or three months old, and I haven't had any trouble updating sumo-lite until now. (I'm the de facto sysadmin for his personal computers and I fell behind because he had to relocate to a different state to stay safe during the COVID-19 epidemic. We recently started using TeamViewer so I can administer his computers remotely, and now I'm all caught up except for SUMo.)

Any tips would be appreciated!

Kyle_Katarn
Site Admin
Posts: 1419
Joined: Sun Jul 03, 2011 8:13 pm

Re: Is SUMo FREE not permitted on Windows Enterprise?

Post by Kyle_Katarn »

Nothing prevents installing SUMo on Windows Enterprise editions; however, SUMo Free is for personal use only.
For use in a company context, you have to use SUMo PRO (with, of course, volume discounts).

Regarding the error you get, please contact our tech support with more details (screenshots, error codes, ...).

MartinPC
Posts: 5
Joined: Sat Oct 20, 2018 9:13 pm

Re: Is SUMo FREE not permitted on Windows Enterprise?

Post by MartinPC »

Thanks, Kyle. I'll give it another shot during my next TeamViewer updating session with my dad and note the details of sumo-lite's refusal-to-install message (if it happens again).

To the extent my dad uses his personal home computers for "commercial" work -- research at a public university -- it's done by using Remote Desktop to access his university computer. The software on his office computer is used for professional work and is administered by university department sysadmins. The software on his personal computers (which is what I want SUMo to check) is used for personal work and is administered by me on his behalf.

Additionally, because my dad's work is subject to strict privacy requirements (HIPAA), department techs do the initial encryption and security setup on all of his personal devices (computers, phone, tablet), if only to protect the integrity of Remote Desktop connections, email, and the odd work-related document. (This is not a perfect solution, since it's my dad and I who are responsible for keeping personal devices updated, and at least a couple Remote Desktop Protocol vulnerabilities have been revealed and patched in the past year or so. If we don't keep on top of them, newly discovered vulnerabilities persist.)

Finally, once in a blue moon, if Internet service, my dad's office computer, or his department's servers are down, he might temporarily do a limited amount of professional work locally on his personal laptop. This is a rare occurrence. He even does his work email via Remote Desktop whenever possible. It's just plain easier for him.

If any of the above is enough to disqualify use of the free sumo-lite installer on my dad's personal laptop, please let me know.

By the way, I really appreciated your prompt reply to my post!

PS: In case it's relevant, my dad's department installs a Sophos antimalware product (Sophos Endpoint Security?) on employees' personal Windows computers as part of the initial security setup. If you think Sophos might be the issue -- although I didn't get a blocked-install notification -- I can probably get the password to Sophos's "super-administrator" user account.

Kyle_Katarn
Site Admin
Posts: 1419
Joined: Sun Jul 03, 2011 8:13 pm

Re: Is SUMo FREE not permitted on Windows Enterprise?

Post by Kyle_Katarn »

Should something prevent SUMo installation, this does not come from our installer. Please check with your IT department (they may have rules that prevent the use of software update monitors).

MartinPC
Posts: 5
Joined: Sat Oct 20, 2018 9:13 pm

Re: Is SUMo FREE not permitted on Windows Enterprise?

Post by MartinPC »

I downloaded sumo-lite for the third time during this week's remote-updating session, today, and it installed fine. I'm relatively new to Windows 10 on my own computer, and I've noticed weird, irreproducible glitches from time to time. I'm going to write off the trouble I had installing SUMo on my dad's Windows 10 computer to a similar glitch. (I didn't bother searching my dad's Events logs for a more specific explanation, since there was no need to.)

At any rate, thanks very much for your patience and responsiveness. For now, problem solved!

scheff
Posts: 110
Joined: Tue Apr 16, 2019 3:00 pm
Location: DE

Re: Is SUMo FREE not permitted on Windows Enterprise?

Post by scheff »

Kyle_Katarn wrote:
Tue Jun 02, 2020 6:25 am
Nothing prevents installing SUMo on Windows Enterprise editions; however, SUMo Free is for personal use only.
For use in a company context, you have to use SUMo PRO (with, of course, volume discounts).
  • When did the licensing terms for SUMo Lite change so?
  • And where may I find this difference between Lite and Pro edition reported on web product page and where in licensing terms?
  • So do you mean there is a bug in the licensing terms and product web page as I couldn't find these terms documented there?
  • How are non-profit organisations and how are education organisations considered on respect of different editions of SUMo?
While it's perfectly fine to have such terms to distinguish between editions, I can't find these documented on product web page nor in licensing terms.

Have a look at TreeSize in its various editions. It comes with more specific and similar restrictions and more editions per version. TreeSizeFree installs and works well in commercial business workgroup network configuration of Windows as well as on Windows Pro edition. But you would need a TreeSize (Personal) edition for running in a Windows active directory configuration or on a Windows server.

Windows workgroup network configurations are intended for families, households and small organisations, commercial ones as well as for non-profits. And then there exist non-profit organisations beyond the limits of small organisations like Amnesty International or Greenpeace. Windows Pro editions are for private use as well as for business use and hence don't allow a distinction for intended purpose by looking just on the edition.
MartinPC wrote:
Thu Jun 04, 2020 12:42 am
I who are responsible for keeping personal devices updated, and at least a couple Remote Desktop Protocol vulnerabilities have been revealed and patched in the past year or so. If we don't keep on top of them, newly discovered vulnerabilities persist.
There are various specifics to the Windows Enterprise edition which sound strange to the quoted requirement to keep it up to date. One such aspect is that this edition is exempted by Microsoft from mandatory Windows updates as such obligations may violate such mentioned HIPAA regulations and certainly doesn't allow the staff members to update their devices without prior approval by the organisation as far as I know. And Microsoft provides and allows updates for this edition much longer than for most other editions as these are long term support (LTS) editions.
  • So how happens this approval process on your dad's laptop?
  • And is your dad's personal laptop also on a Windows domain while connected to his office computer?
MartinPC wrote:
Sun Jun 07, 2020 2:36 am
I didn't bother searching my dad's Events logs for a more specific explanation, since there was no need to.
I would have expected traces in Windows events logs and also in the result of appropriate gpresult command to reveal a corresponding GPO to enforce such approval processes for installing and updating software on HIPAA regulated devices.

Kyle_Katarn
Site Admin
Posts: 1419
Joined: Sun Jul 03, 2011 8:13 pm

Re: Is SUMo FREE not permitted on Windows Enterprise?

Post by Kyle_Katarn »

Indicated here: https://www.kcsoftwares.com/?buy but I'll make licence T&C more explicit if required.
At this stage, there are no "technical" blockers on our side for the use of SUMo Free in a Windows Enterprise environment.

MartinPC
Posts: 5
Joined: Sat Oct 20, 2018 9:13 pm

Re: Is SUMo FREE not permitted on Windows Enterprise?

Post by MartinPC »

@scheff:

While there is an entire for-profit industry centered around "making Windows 10 HIPAA-compliant," Microsoft itself is still entirely silent on the question of whether that's possible. To my knowledge, only one older build of Windows 10 Enterprise has been thoroughly tested and found -- preliminarily found -- to be generally "secure" ... at that point in time, without taking subsequently discovered vulnerabilities into account. If DHHS hasn't banned the use of Windows 10 by people handling patient information, I'm pretty sure it's because of Microsoft's near-monopoly in the desktop-OS market and its huge political and economic clout, not because of any technical study proving that it can be adequately secured. I believe the Defense Department gets its own custom build of Windows 10, which suggests to me that even competently administered off-the-shelf Enterprise LTSC may not be "good enough" from a security and privacy standpoint.

My dad's department runs Enterprise Semi-Annual Channel. Based on what I've read and experienced first-hand, security updates for Enterprise SAC builds stop being delivered after 18 months, same as with Windows 10 Pro. You can defer build/feature upgrades (and I do), but you can't put them off indefinitely without exposing yourself to known security vulnerabilities. If I'm wrong, please correct me. (Why don't they run Enterprise LTSC? Maybe because it was too expensive or maybe it requires too much in-house administration. I don't know.)

This is a cash-strapped state university we're talking about, not the Pentagon or a Fortune 500 company. Staff are even responsible for cleaning their own offices! My dad's lab is 100% NIH-funded, and, like state funding, NIH funding is not without limit. Spending significantly more on computer support would mean firing a critical member of an already barebones research team. The real-world trade-off is between more perfect protection of patient privacy and faster progress toward cures for devastating diseases. Ideally we should have both, but when money is tight, compromises have to be made.

Again, leaving staff responsible for post-setup administration of any device used to access patient information, even just via Remote Desktop, is a very imperfect solution, but those are the financial realities. I just do the best I can to keep my dad's personal laptop secure, private (with respect to data, at least), and up to date on security patches and apps. Thankfully, he rarely works directly with personally identifiable patient information, which minimizes the consequences of a breach.

EXECUTIVE SUMMARY: Not remotely ideal, but probably the best that can be done under less-than-ideal circumstances.

Kyle_Katarn
Site Admin
Posts: 1419
Joined: Sun Jul 03, 2011 8:13 pm

Re: Is SUMo FREE not permitted on Windows Enterprise?

Post by Kyle_Katarn »

ok, topic closed.

scheff
Posts: 110
Joined: Tue Apr 16, 2019 3:00 pm
Location: DE

Re: Is SUMo FREE not permitted on Windows Enterprise?

Post by scheff »

MartinPC wrote:
Fri Jun 12, 2020 1:13 am
Based on what I've read and experienced first-hand, security updates for Enterprise SAC builds stop being delivered after 18 months, same as with Windows 10 Pro. You can defer build/feature upgrades (and I do), but you can't put them off indefinitely without exposing yourself to known security vulnerabilities. If I'm wrong, please correct me.
With Windows 10 1903 the update period should have been prolonged to 30 months for a few editions including the enterprise edition. The enterprise edition should allow to disable updates altogether. And the delaying of updates should be the same as with the Pro edition of up to 12 months. As Windows 10 2004 is not yet ready for my devices with Microsoft warning me not to install that updated version until further notice, I don't know for sure what I've read second hand that this delay option has been shortened again with version 2004 and I don't know if this includes the enterprise edition.
MartinPC wrote:
Fri Jun 12, 2020 1:13 am
While there is an entire for-profit industry centered around "making Windows 10 HIPAA-compliant," Microsoft itself is still entirely silent on the question of whether that's possible. To my knowledge, only one older build of Windows 10 Enterprise has been thoroughly tested and found -- preliminarily found -- to be generally "secure" ... at that point in time, without taking subsequently discovered vulnerabilities into account. If DHHS hasn't banned the use of Windows 10 by people handling patient information, I'm pretty sure it's because of Microsoft's near-monopoly in the desktop-OS market and its huge political and economic clout, not because of any technical study proving that it can be adequately secured. I believe the Defense Department gets its own custom build of Windows 10, which suggests to me that even competently administered off-the-shelf Enterprise LTSC may not be "good enough" from a security and privacy standpoint.
I've never been to the US. So I may not know all details for the situation in the US. But HIPAA compliance isn't limited to the US. My country's federal security agency (BSI) has audited Windows 10 and continues to do so, with agreed access to source code as far as I know. This auditing is if Windows 10 is fit for deployment on government computers. If I remember right, they published an intermediate report. Accordingly, Windows 10 may be deployed but needs some customization and an external security box. There exist commercial solutions of a cooperation of that agency with a device manufacturer and a few others. As far as I understood, the PiHole project is a non-commercial solution for such an external box. Without an external security box, Windows 10 has been found not to be possible to make compliant with federal regulation for deployment on government computers. (This doesn't imply that no agency has installed Windows 10 nevertheless and not awaited findings of federal security audits.)

As far as I know there doesn't exist a custom build for the DoD. But I wouldn't wonder if they have their own security boxes to separate their installations from Internet resp. to provide special Internet gateway security boxes for those in need (a kind of proxy appliance). But I agree that off the shelves, Windows 10 is not good enough.

I'm not aware of an entire for-profit industry for making Windows 10 HIPAA compliant. What I know is the existence of regional commercial service providers managing the IT of medical labs in the US. I don't remember having read of PiHole in that context in the US while I've read so in the context of my country.
MartinPC wrote:
Fri Jun 12, 2020 1:13 am
My dad's lab is 100% NIH-funded, and, like state funding, NIH funding is not without limit.
Do I guess correctly that co-funding by private sponsors would be allowed but is difficult for smaller universities and hence didn't materialize for the department of your dad?
MartinPC wrote:
Fri Jun 12, 2020 1:13 am
Again, leaving staff responsible for post-setup administration of any device used to access patient information, even just via Remote Desktop, is a very imperfect solution, but those are the financial realities.
Didn't understand what is included in a HIPAA compliant setup. I would expect more than just the deployment of computing devices with operating systems but also appropriate configuration, customization, user training, management handbooks and compliance audit. If less is covered by setup service, how may this be compliant?
MartinPC wrote:
Fri Jun 12, 2020 1:13 am
he rarely works directly with personally identifiable patient information, which minimizes the consequences of a breach.
As far as I understand, the requirements for securing personal patient health information cannot be met without databases and encryption of such information. Due to database storage, unauthorized people should have difficulties in accessing these data. And due to encryption of this kind of data, consequences of a breach should be limited.

But you're correct that we don't live in an ideal world. I don't remember how many months ago press news made the round even to the US of some medical labs in my country storing unencrypted patient health records in a backup on a server accessible via Internet without password access protection. These security breaks have been fixed within days in cooperation with supervising authorities.

Locked