Quest Software Licensing

Quest are one of the software vendors currently being quite aggressive on the Auditing front.

They have previous too with a high profile case against sportswear giants Nike.

With the different licensing models, definitions of users v non-humans and inactive accounts, you can quickly get yourself into a bit of a nasty place with Quest licensing and subsequently find yourself on the wrong end of an audit.

So how do you manage Quest licensing?
What technologies do you use?
Any governance and control processes you use to keep on top of consumption and compliance?

And finally, how would you manage a Quest audit?

1 Like

We do a monthly comparisons report from our SAM tool looking for any changes to deployments for our high risk vendors including Quest.

1 Like

What’s your experience with false-positives for Quest products mainly TOAD? I’ve found that when folk uninstall it it always leaves traces in the registry, XML pieces in the AppData and ProgramData folders. Wondering if you’ve stumbled across any “cleanup”script that would be useful for Quest.

Keep track of the versions - don’t allow more higher versions than we are entitled to.
Capture license key screenshots from all users and maintain this process for additional users.
Ensure all dodgy license keys or keys not registered to your company, are replaced with valid keys.
Identify and remove all trial licenses
Identify and uninstall unintended SQL Optimiser deployments where your license only entitles for Toad Base since Optimiser requires an Expert license.
Establish regular re-harvesting of non-used Quest software.

Audit:
Raise NDA to limit scope to specific product/families and geographies.
Only supply information on machines which are in scope - i.e. those machines which appear as part of the keyword search.
Refuse any script deployment and only provide license key screenshots as part of submission.
Quest loves to uncover usage on Servers and point to the maximum number of users who can access the server as a starting point for usage. Note that users who connect to a server copy of the software might not actually have a desktop installation. Meaning that they own a license key but your inventory does not pick up the user through desktop reports. A good way to identify actual users of a server copy is to inventory user profiles on a server - an application folder will exist on their server user profile that belies their use of the software and their license key will be stored there.

1 Like

Indeed. Haven’t found a way to clean yet. My inventory tool picks up said registry entries when performing the key word search and some false positives. Would also be interested.

A lot of stuff has been covered, but Quest can be a nightmare:

  • Changing metrics; The Fairview court case highlighted this. An “Enabled user” metric doesn’t mean enabled user. It means all users. This changed sometime about 8-10 years ago in the metric definitions, but Quest kept selling it on a enabled user basis up until recently. It was what the product reported as in use, its what their sales pricing manual said until at least 2015.
  • License keys; for the Toad products you need to know what license keys are deployed to each machine to understand the enabled features. You also need to understand the bundling.
  • License keys part 2: Quest is licensed based on copies of “Object Code”. The presence of any license key without it being applied to an installation is not licensable.
  • Toad Data Point - this used to be included with all toad products as Toad for data analysts. when it was unbundled, certain versions/ editions of Toad products came with a free entitlement to Data point. I’ve seen Quest “forget” about this in audits.

Theres a lot more to this vendor, if anyone wants to chat let me know.

Hi David, Quest seems to be topping our audit defence charts at the moment so we have published an article about this earlier in the month. One particularly contentious point is on the matter of “Enable Users” licence metric - where Quest claims disable users as part of “enable users” count! More details here:

Enable or Not Enabled?