Notomia for software licenses

Notomia – that was Leonardo da Vinci’s synonym for anatomy. In 1515, when a Papal decree prohibited the dissection of humans, he ignored this decree and dissected 30 men and women who had been executed, in order to study the structure and functioning of the human body. Neither the decree nor the significant risk of infection through dead bodies kept him from doing what he wanted to do, and his success justified the risks he had taken: he discovered arteriosclerosis and was probably the first among mankind to create drawings of a child in the mother’s womb. Even today, his 200 or so anatomic drawings are precious works of arts, combined with scientific precision and detail. And what applied to Leonardo da Vinci, is well worth to be applied to software license management: the more precise and accurate knowledge is supplied to license managers on the company’s license landscape, the better they can manage, control and optimize enterprise licenses.

Perpetual versus subscription

Software product offerings are based on all kinds of licensing models and conditions. The typical licensing model for traditional on-premise applications is a one-time fee per device (computer-bound license), often combined with an annual maintenance fee for enterprise environments that entitles the company to receive updates, as defined by the software vendor. Very often, license utilization is based on specific multiple installation rules, such as the permission to install software on multiple devices, provided that these devices are not used concurrently.

The increasing use of software-as-a-service applications has changed software licensing models, since SaaS applications are operated in the cloud, i.e., they are updated by the software vendor, and no maintenance fee is charged. Also, users work with such SaaS applications on multiple devices via the browser or a mobile app; hence, licensing per device is insufficient and does not support the vendor’s business model, nor does it address the customers’ requirements. As a result, software leasing per active user per month has evolved into the most frequently used licensing model, replacing the perpetual license including maintenance by a monthly fee per user (user-bound license).


Bringing back order into the license chaos

Now, that’s the theory. In practice, each company is challenged to manage a mix of multiple licensing models, and Matrix42, as an experienced vendor of software asset management solutions, has developed respective best practices. The Matrix42 Software Asset Management and Compliance Suite divides license management into two areas:

  1. License requirements determination: The license requirements define how many licenses are needed in the company; in most cases, an inventory solution is used to capture the installation status on individual devices. Determining the license requirements, based on bookings in a service catalog, is another frequently used and valid option.
  2. License inventory management: The license inventory defines how many and which licenses the company is entitled to use, based on respective contracts, very often, enterprise agreements that are negotiated with respective vendors to cover longer terms of contracts.

The Software Asset Management Suite is used to avoid underlicensing or overlicensing situations, i.e., to maintain a balance between license requirements and license inventory.


Software asset management in the SaaS universe

SaaS applications come with new kinds of licensing models and also new challenges for software asset managers. Creating software accounts increases license requirements, while also expanding the license inventory, since additional licenses are simply booked and included within the monthly bill, which means that software asset managers must monitor and also optimize the use of licenses, scrutinizing and checking whether all entitled users really use their licenses or whether direct and fast cost savings could be achieved by disabling unused accounts. Also, they must determine whether certain users could use another, less costly subscription without functional limitations. MyWorkspace, in combination with the Matrix42 Software Asset Management Suite, can answer these and other relevant questions. MyWorkspace takes over the task of dynamically updating the license requirements and the license inventory to deliver real licensing requirements, based on continuous usage analysis to automatically show where subscriptions can be reduced or optimized accordingly. Thus, MyWorkspace is the ideal anatomy tool for examining and controlling license landscapes.


IT managers who do without license anatomy also do without related insights, knowledge and management options. For Leonardo da Vinci, this was not acceptable, and he took on considerable risks to gain such knowledge, as opposed to license managers, who will not risk anything, but can only benefit from related improvement opportunities, based on a detailed analysis of the license landscape; any risks that may arise are related to NOT leveraging these options. In this respect, Leonardo da Vinci can also serve as a role model for license managers, and the only bad news is: license reports will probably not make it into the museums; they are functional, rather than having the esthetic appeal of da Vinci’s anatomic drawings, but are certainly at least as precise and detailed.

Are you interested? Contact us to plan to initiated your first license audit for SaaS, Web and legacy applications based on MyWorkspace and Workspace Management 8.1! Follow this blog via e-mail or twitter to join or next Office365 live webinar.

Posted in Uncategorized | 1 Comment

Weekly Feature Update – CW21/2016

The MyWorkspace team is pleased to announce the launch of the following new features and platform changes:

  • Remote Desktop Gateway – revised version management
    During the last projects we learned a lot about deploying remote desktop gateways in complex infrastructures. Also for this we want to follow our philosophy that the enterprise administrator decides about the version and not we. Because of that we revised the management command line tool for the Matrix42 Remote Desktop Gateway. It’s now possible to switch between different versions manually. Check out our knowledge base for further information here. We will use this feature in the future to give customers access to early non stable versions as well.
  • Updated Windows 10 Agent  
    Our Windows 10 Agent can be used now with all important browsers, currently these are Microsoft Edge, Internet Explorer, Chrome, Safari on Mac and Firefox. Please visit the Clients & Extensions page to download the latest and greatest version.

It has been crafted to reflect what our users told us they need and it also builds upon new technology capable of addressing future needs.

Interested in the new capabilities?
Try the new features today by simply logging into your MyWorkspace instance. All features are active and usable instantly.

Any questions, wishes or ideas? Try our ideas portal, check out our knowledge base or drop a mail to

Posted in Features & Updates | Leave a comment

Sit down, that’s a fail!

Traditional software asset management is no longer good enough – and the cloud is to blame for it

If traditional software asset management solutions were to go to school and had to undergo a PISA test, they wouldn’t have a chance, because they are not able to master the new and increasingly important “cloud” subject.


More than 70 percent of businesses with 500 and more employees are already using cloud solutions. In the wake of significant cloud growth rates and according to Gartner, by 2017, employees in 75 percent of organizations will use SaaS applications without the company’s authorization and control. Obviously, companies are facing major cloud challenges and it would be highly dangerous to slacken the reins.

Managing the mixed log-in salad

While it is highly comfortable for users to work with software from the Internet, we should not ignore related disadvantages. Users’ browser access is not based on single sign-on, which means that users need to know the log-in credentials for each SaaS application and must manage a variety of Internet addresses, user names and passwords. The company’s IT support team is often not able to help in case of problems. Since access to the respective software is individualized and not controlled and authorized by the corporate IT department, such approach bears many hidden risks such as potential breaches of contract or privacy infringements.

Nearly as easy as buying pencils

IT, on the other hand, is facing challenges related to the fact that buying SaaS applications is nearly as easy as buying pencils. Users from the lines of business do not need any IT know-how to engage in contractual obligations with a provider and get access to an application. Once such access is available, they map their own processes and information, bypassing corporate standard software procurement processes. This might be an issue for the help desk, since the IT department is expected to provide support in any case when problems occur.

Compliance, privacy, cost risks

However, governance and compliance issues constitute the most serious problems by far. How can the company ensure compliance with privacy regulations for cloud-hosted applications? To be able to do so, it must know where the data are stored and located and must check whether the application is used in compliance with contractual terms and conditions.

The audit risk is underestimated

Many companies think that SaaS applications do not cause any underlicensing problems, but unfortunately, they are wrong. The software is operated by the vendor, who therefore has a clear overview of how the application is used, which enables him to detect any misuse immediately – for instance, a personalized access that is shared with colleagues. Market research company Gartner positions Google among the top-10 software vendors that conduct respective audits. Companies that work with a subscription-based SaaS solution must expect the software vendor to visit the company to engage in discussions about the compliant usage of their software, and respective audits bear significant financial risks for the company.

SaaS is changing software asset management

This situation has a serious impact on software asset management (SAM) and license management. The cloud shifts SAM requirements away from simply counting installed applications towards controlling and measuring the actual usage. Cloud computing requires a usage-based analysis to generate cost optimization potentials, prevent any misuse and avoid financial risks.

Traditional SAM tools will become useless

As a result, Gartner expects traditional SAM tools to become useless within the next three years, because they are not able to meet the majority of requirements related to the significantly increased degree of cloud adoption! A SAM tool that is able to master the SaaS universe consists of three elements:

  1. Integration of an identity & access management solution
    Effective control is only possible through “encapsulated” access to SaaS applications, which means that the user does not know, need not know and must not know his own password. Users benefit from such approach, because they need not remember all sorts of log-in credentials and can use applications in compliance with respective company policies. The company also enjoys certain benefits, because shadow structures are avoided and because the company is able to control and ensure cloud-based software usage in compliance with respective contracts, while being provided up-to-date information on how often which licenses are used and which licenses are not used at all, therefore generating unnecessary cost.
  2. Automated account provisioning
    Encapsulated integration with the benefits described above is only possible through automated access provisioning. Manual integration would be time- and cost-intense, completely inefficient and error-prone. Automation comprises the configuration of the SaaS user account, including password and browser access, and also the provision of the mobile app which is normally supplied by the SaaS provider for smartphones and tablets; these devices use the same access and must be preconfigured accordingly.
  3. Centralized application portal, reports and dashboards
    Users should be offered all SaaS applications from within a centralized application portal, their “start menu” for the cloud. This way, the users will always know where to find their applications. Cost owners, on the other hand, benefit from centralized analysis options with metrics and usage profiles that can be used to optimize respective contracts.

Cloud-based applications have caused a profound and alarming change of paradigms for all companies that have not implemented a SAM solution yet as well as for those companies that are actively managing their licenses already; after all, the cloud puts both processes and tools in use to test!

It is imperative that the IT department takes the reins, identifies SaaS solutions within the company, sets up processes, provides an overview of contracts and also supplies users easy access to applications in compliance with license and security regulations and policies, generating respective benefits for users, the IT organization and the whole company, thereby successfully passing the “Cloud PISA Test”.

Matrix42 offers with MyWorkspace in combination with the Compliance Suite a modern which passes the“Cloud PISA Test”, read more here…


Posted in Strategy | Leave a comment

Weekly Feature Update – CW20/2016

The MyWorkspace team is pleased to announce the launch of the following new features and platform changes:

  • MyWorkspace Mobile App – Influencer Program
    Also this week we added a couple new features in our M42Mobile app to improve the experience of our mobile end users. Become a part of our influencer program and register right now here for the early bird version of our mobile application.
  • Management of Office 365
    MyWorkspace is now able to get in deep information about your Office 365 tenant. This will help you in the future to automate permissions and optimize your license pool. At the moment we offer this feature for preview customers, feel free to contact us to get a first look.

It has been crafted to reflect what our users told us they need and it also builds upon new technology capable of addressing future needs.

Interested in the new capabilities?
Try the new features today by simply logging into your MyWorkspace instance. All features are active and usable instantly.

Any questions, wishes or ideas? Try our ideas portal, check out our knowledge base or drop a mail to

Posted in Features & Updates | Leave a comment

“Video Killed the Radio Star”


How legacy applications can be integrated with the cloud workspace

In 1979, “The Buggles” stormed the charts with their song “Video Killed the Radio Star”. However, the radio is still alive, coexisting peacefully with other media. While it has lost some of its significance, it has survived successfully by adapting to the new conditions. In the new world of SaaS and cloud applications, legacy applications are “threatened” by the crowding out that is occurring in the market. However, legacy applications, too, will survive.

Goal: Peaceful coexistence

The number of SaaS and cloud applications in business environments is continuously increasing; these are, however, no green-field environments, but are populated with existing and sometimes dearly cherished Windows applications such as SAP R3 or AS400-based host applications. After all, no company will simply replace its existing application landscape by new applications, but will migrate existing applications into the new cloud universe, while minimizing related work and cost as well as impacts on end-users, with the goal to allow for the peaceful coexistence of all kinds of applications within today’s device-independent workspace without any usage- and management-related problems and issues.

Move legacy applications to the workspace with the speed of light

Terminal server farms are playing a key role when it comes to integrating existing applications. They move them into the workspace with the speed of light by allowing companies to provision their legacy applications even on devices that are not able to execute Windows applications. In many cases, client software must be installed for this purpose, which is affecting the degree of flexibility.

Warp drive for integration: MyWorkspace

MyWorkspace allows companies to connect existing with new applications with even more speed and greater ease-of-use. MyWorkspace is seamlessly integrated with the Microsoft Remote Desktop Services, enabling the usage of legacy Windows applications on any device, without the need to install software on the respective device. The browser-based approach ensures that no business-critical information is stored on unmanaged devices.


MyWorkspace allows all companies to implement BYOD or COPE initiatives on all device platforms, including device classes that do not enjoy a high degree of adoption yet, such as smart TVs or displays in IoT devices.

MyWorkspace has been designed to help every company on its way into the cloud – without cost-intense migration or modification of existing processes and workflows. And, to speak with Gerhard Uhlenbruck, for some long-cherished legacy applications, MyWorkspace allows for “peaceful coexistence, which means that you continue to play the first fiddle, even in a piano concerto.”

Posted in Technical details | Leave a comment

Weekly Feature Update – CW19/2016

The MyWorkspace team is pleased to announce the launch of the following new features and platform changes:

  • Help us to improve our product
    We will ask you as an administrator of MyWorkspace from time to time now to give us feedback about our software.Please help us and use the chance to influence how MyWorkspace evolves:
  • MyWorkspace Mobile App – Influencer Program
    We are working a lot on our upcoming integration of MyWorkspace into the M42Mobile application. We accepting additional registrations for the influencer program which gives you early access to the latest version of our mobile app. Register right now here.
  • Remote Apps in your Mobile Enterprise Sandbox
    With MyWorkspace we are beaming your Remote Apps directly into your mobile enterprise sandbox. This makes it possible to serve Remote Apps, Terminal Sessions and full virtual desktops in a very convenient way to managed and un-managed devices. All form factors are supported. The M42Mobile application becomes your day by day companion to make your workspace mobile. Register to our influencer program right now.
  • Windows 10 Agent is available
    Beside the Mac OS X agent we also offer a Windows 10 agent which allows users to launch locally installed applications directly from your browser. End users can get a single aggregated view on their modern workspace. It doesn’t matter if the user wants to use SaaS, Web, Remote or Local apps. The Windows 10 agent is available here.

It has been crafted to reflect what our users told us they need and it also builds upon new technology capable of addressing future needs.

Interested in the new capabilities?
Try the new features today by simply logging into your MyWorkspace instance. All features are active and usable instantly.

Any questions, wishes or ideas? Try our ideas portal, check out our knowledge base or drop a mail to

Posted in Features & Updates | Leave a comment

The menhir has had its day…

… but of course, only when it comes to IT… We will certainly continue to pay due interest and respect to the archeologically noteworthy menhirs or monoliths from ancient times, not to forget Obelix whom we can hardly imagine without his menhir. For IT, on the other hand, the time has come to do without monolithic applications where user/rights management was included within the business application. In the wake of cloud computing and SaaS, this link between application servers and identity infrastructures has been cut, to be closed again with methodologies such as federated security.

Common monoliths – directory services

Certainly you still remember the 2000ies with their Y2K issues. Within this first decade of the 21st century, Microsoft, vendor of the de-facto standard Windows Domain System, launched Active Directory as a state-of-the-art and powerful LDAP directory. This technology was quickly adopted by many applications, creating an ecosystem where single sign-on became the standard for Windows applications.

Federated security for IT

The 2000ies are over, and our world has experienced profound and dramatic changes. As opposed to Asterix and Obelix, who fought successfully against the changes going on in their world, IT must be flexible and responsive to such changes. Software-as-a-service applications find their way into business environments. Applications are provisioned by managed service providers, and temporary business allies collaborate within one service. IT is challenged to grant application access to end users without allowing the application to query the user database, for instance, Active Directory, directly. Server-to-server communications are highly unsuitable for such scenario and also much too restrictive on applications. Therefore, federated security is used for software-as-a service, web and, increasingly, for on-premise or native applications. In simple terms, only the client (web browser) needs access to the authorization mechanism and the actual application when this method is used. Both must be trusted applications, which is defined in common protocols such as SAML2 or oAuth2.

Obelix the gold-seeker – about tokens & claims

Both the SAML2 and the oAuth2 protocol are essentially based on the exchange of security tokens between both systems; i.e., the browser as client requests an authorization token at the server that handles the log-in. This token normally has a digital signature by the private key of the authorization system; information within the token is not encrypted, but this is not really necessary. The primary goal is to ensure that authorization information about a user comes from a trusted source and is not changed on its way to the application. TLS/SSL-based encryption is evolving into a standard. The application can validate the signed token with the public key of the authorization system. For this purpose, Matrix42 MyWorkspace uses an end-to-end asymmetric encryption methodology, based on X509 certificates.

If a security token can be created and validated by an authorization system, information on a user’s rights to use an application can be stored within this token; these “claims” define which rights and roles a user is granted in the target application. The oAuth2 protocol uses the JWT token format, which is described in more detail in the this article.

Resisting changes, in a positive sense

Federated security is an approach that ensures security by protecting information against changes, rather than encrypting this information, which means that while authorizations are not encrypted, but can be viewed by all involved parties, their origin and consistency are protected by a digital signature – one of the next blog articles will examine the most popular protocols, SAML2p and oAuth2, from a technical perspective.

While IT monoliths can be replaced, Obelix, on the other hand, shall be allowed to keep his monolithic menhir as a powerful “supporting argument” to defend and protect his world.

Posted in Technical details | Leave a comment

Weekly Feature Update – CW18/2016

The MyWorkspace team is pleased to announce the launch of the following new features and platform changes:

  • New HowTo: Integrate Remote Desktop Services into MyWorkspace
    MyWorkspace offers a comprehensive integration of the Remote Desktop Services to offer client-less access to Virtual Desktops, Terminal Server Sessions or Remote Apps. Our new technical getting started guide describes step-by-step how to integrate an existing Remote Desktop Services farm into MyWorkspace. Read the full article in our knowledge base here.
  • MyWorkspace Mobile App
    We see more and more users who want to use MyWorkspace from their mobile device, smartphone or table. Because of that our M42Mobile app offers access to your modern cloud based workspace and integrates the identity federation platform.

    IMG_0745 IMG_0746

    If you are interested in participating our Mobile Apps Beta program please drop us a message with your preferred iTunes account here.

  • Platform improvements & performance enhancements
    Also this week we used the chance to enhance our identity and access management platform to offer you a secure, reliable and scalable service. Especially the performance during the log in process was increased dramatically.

It has been crafted to reflect what our users told us they need and it also builds upon new technology capable of addressing future needs.

Interested in the new capabilities?
Try the new features today by simply logging into your MyWorkspace instance. All features are active and usable instantly.

Any questions, wishes or ideas? Try our ideas portal, check out our knowledge base or drop a mail to

Posted in Features & Updates | Leave a comment

Tips on How to Set up the Cloud Workspace

Sir Winston Churchill once said: “We shape our buildings; thereafter they shape us.” This is also true or even especially true for the workspace; in the age of the mobile workforce the focus is more on the design of the personal cloud-based workspace, rather than on spatial concepts. After all, high workforce productivity and satisfaction are directly related to the functionality, efficiency and security of the work environment. Similar to the ancient Greek temple builders, MyWorkspace relies on the tested and proven pillar principle.


No company that moves into the cloud will just throw away their equipment to set up completely new cloud workspaces. Most companies take their existing “furniture”, i.e., existing applications along and add some cloud “furnishings” to set up hybrid clouds where multiple applications are connected and data are exchanged automatically. Independent from the details of the workspace set-up, it is the following three pillars that form the foundation of the cloud workspace:

1) Identity & Access Management

Employees want to access their applications and data anytime, from any device and anywhere without having to manage a plethora of web addresses and log-in data themselves. MyWorkspace requires one single password to be used as access portal to their personal workspace – a very easy and convenient approach for end users, ensuring highly satisfied employees. Therefore, it is mandatory for the IT staff to have a look at identity & access management when setting up the cloud-based workspace. MyWorkspace combines new federated security methodologies with existing infrastructures such as the local Active Directory, which makes it possible to put all applications, be it SaaS, web or legacy applications, under the same “cloud roof”; it is also a prerequisite for on- and especially off-boarding processes. The option to withdraw permissions in case of need immediately and completely is invaluable. Therefore, identity & access management is one of the supporting pillars of the (hybrid) cloud-based workspace. It looks as follows:


2) Remote and legacy apps

Employees want access to all of their applications and normally they do not distinguish between services and applications that are provisioned from the cloud or those that are provisioned locally for their work. Therefore, MyWorkspace integrates locally installed applications as well as the Microsoft Remote Desktop Services seamlessly into the modern workspace, no matter whether it is provisioned on-premise or from the cloud. Here is a video with more detailed information:

3) Software and license compliance

New subscription-based licensing models increase the flexibility of cloud services and provide all companies access to solutions that were previously reserved to large corporations only. However, usage-based billing models often lack transparency, which is requested and urgently needed by IT and finance departments. Therefore, MyWorkspace ensures a detailed overview of all cost and concrete utilization rates of cloud services, SaaS and web apps – in compliance with works council regulations and in anonymized form, if desired. Such overview looks as follows:


These three pillars provide every company a stable and sustainable basis, on which cloud-based workspaces can be set up according to company-specific requirements. Finally, let’s come back again to the ancient Greeks and say that MyWorkspace is an advocate of Pericles who said: “It’s the people that make a city, not the buildings.”

Posted in Technical details | Tagged , , , | 1 Comment

Weekly Feature Update – CW17/2016

The MyWorkspace team is pleased to announce the launch of the following new features and platform changes:

  • Proxy Support for AD Connector
    The MyWorkspace Active Directory Connector just needs a working outbound HTTPs connection to the internet to establish a trustworthy and secure tunnel to MyWorkspace. Sometimes enterprises need to follow a pre-authorized proxy policy which means the proxy server requires special credentials. The MyWorkspace AD Connector now support proxy servers, incl. pre-authorisation. More details can be found in our Knowledge-Base: read the article.
  • Visibility Conditions
    Sometimes it happens that Software as a Service or Web-Applications are not working in every browser. To not confuse your end users MyWorkspace offers now visibility conditions on the application level to dynamically show or hide applications based on the browser and the underlaying operating system.


    Define simple or complex visibility conditions for your applications based on the browsers user agent definition.

  • Frontend Performance
    We upgrade the underlaying frameworks of our frontends to the latest and greatest stable versions. This brings a better performance esp. in older browser for free. In addition the new version of our UI framework delivers better compatibility between the different browser vendors.

It has been crafted to reflect what our users told us they need and it also builds upon new technology capable of addressing future needs.

Interested in the new capabilities?
Try the new features today by simply logging into your MyWorkspace instance. All features are active and usable instantly.

Any questions, wishes or ideas? Try our ideas portal, check out our knowledge base or drop a mail to

Posted in Features & Updates | Leave a comment