SAMP - Reconciliation process for shared devices

Lionel Falk · ‎03-12-2025

Hi SAM Community!

I'm still looking for tips and best practices for reconciling user subscriptions (per user) for software products on non-personal / shared devices. Such a device, like a workstation deployed in retail stores, showrooms, which does not have an assigned user (Assign to = empty), as it can be used by multiple users.

SAMP flags this case as non-compliant, because SAMP cannot reconciliate software installations found on the device with the user of the device (empty) even though that Microsoft and/or Adobe, for examples, allow their users to install fat-client applications on their devices because they still need a valid user subscription to use these applications. Which means that the case described above is compliant, for a contract stand point, for these 2 example publishers, and for many others.

Applying a "per-device" license in this case doesn't solve the problem, as this type of license limits the core functionality expected by users. For example, for Microsoft, Teams and OneDrive will be unavailable to the user.

Any advice how to move forward and get the compliance flag in SAMP reflecting a reality?

Thank you.

Best regards,

Lionel
#samp, #reconciliation, #compliance

dreinhardt · ‎03-12-2025

Hello Lionel,

As you have already explained very well, the multiple user changes cannot be mapped in the CMDB for a variety of reasons.

If your policies allow it, I would create one generic or multiple kiosk/store user accounts in AD. These are assigned to the respective devices as “Assigned To” and at the same time are assigned a corresponding (low-priced) license in the publisher portals. By assigning a license in the portal for the store-user, we avoid the respective devices being displayed as In-compliant due to missing subscriptions. Most portals do not rely on (need) the classic software metering usage information, but obtain their usage information from the respective portal logins. This means that we are also covered this part and receive information via the portal about the respective user software usage for possible optimizations.

Looking forward to your answer! Best, Dennis

Should my response prove helpful, please consider marking it as the Accepted Solution/Helpful to assist closing this thread.

Lionel Falk · ‎03-13-2025

Dear Dennis,

Thank you very much for the proposal.
In your point of view, what would be the results of an official audit required by a publisher, such as Microsoft?
How to prove that physical (real) users are actually using this laptop and that they have a license?

Furthermore, this solution would have to be adapted for each publisher. In Microsoft's case, the generic user could cover a maximum of 5 non-personal devices, given the license agreements. And perhaps for another publisher, only 1 device could be covered. Therefore will limit the number of devices covered for Microsoft to 1 as well, which will result in a significant increase in licensing costs.

What I can't understand is that the Microsoft Publisher Pack for ServiceNow, in this case, doesn't take the publisher's agreements into account. Namely, a fat-client is authorized on a device even if its user doesn't have a license since this app cannot be used.

dreinhardt · ‎03-22-2025

Hi @Lionel Falk,

thanks for the further details and justified comments regarding MSFT licensing and the 5-device limit per user/license or other publishers with a 1-device policy – this would actually lead to unwanted over consumption.

In your point of view, what would be the results of an official audit required by a publisher, such as Microsoft? How to prove that physical (real) users are actually using this laptop and that they have a license?

In my opinion, you have already answered this question yourself to some extent. If it is a subscription license, the user can only use the software with a valid subscription and thus at least this case would be compliant.

The other ideas that come to mind spontaneously are workarounds that would generate unnecessary effort:
1) Assign kiosk computers via an additional software model (Install Conditions) and set the “License Under Management” flag to false. This ensures that these installations are no longer counted on the device.
2) Alternatively, use a script to set the corresponding products in the SW Install table to “Active = False” before each Reconcile.

What I can't understand is that the Microsoft Publisher Pack for ServiceNow, in this case, doesn't take the publisher's agreements into account. Namely, a fat-client is authorized on a device even if its user doesn't have a license since this app cannot be used.

I got your point, SAMP continues to focus on software installations in order to provide information about active subscriptions without installation, etc., and due to the product type "licensesable" + SaaS, it requires an Assigned User + Saas Subscription to be compliant ...

@SrinivasRamanu1 any suggestions from ITAM PM?

Best, Dennis

Should my response prove helpful, please consider marking it as the Accepted Solution/Helpful to assist closing this thread.