Dynamics 365 – ISV Protection?


As an ISV, with solutions for both Dynamics 365 and Power Apps, I was encouraged about the attention that Business Applications ISVs are getting recently. Unfortunately, I.P. protection is not one of the items coming anytime soon.

Managed Solution Myth

Many ISVs believe that their managed solutions are safe. Having taken great pains to ensure that their managed solution never gets in the wrong hands, by requiring that their own teams install it for example. Thanks to some utilities in free open source solutions like XrmToolBox for example, managed solutions are not even close to safe. Using a tool in the XrmToolBox called “Manage Solution” for example, I can login to any instance I have access to, and view a list of both managed and unmanaged solutions. The good news is I can only download to disk a copy of unmanaged solutions. However I can copy a managed solution into an unmanaged one, and then of course download a copy. So getting an unmanaged copy, of your managed solution that is installed on an instance I have access to, would take me about 30 seconds. I can now install your unmanaged solution on another instance, and poof, I have absconded with your I.P.. I can even take Microsoft’s own Managed Solutions.

Plugins

Many ISVs feel that Plugins are safe. Well, using the “Assembly Recovery Tool” (also in XrmToolBox), I can download any dlls, managed or unmanaged. Pop open a freely available decompiler, and poof, I now have your Plugin I.P.

Power App Components

Forget about it, these run client side and I can scrape your I.P. right from my browser.

Reverse Engineering

Using a few freely available tools, an unscrupulous party can rip off and reverse engineer anything we have today. It happens. Sometimes it is a creepy, but savvy customer who just wants to get out of paying us for our solutions. Tinker here, tweak there and boom, they have it for free. Worse yet is unscrupulous parties that will take your I.P., re-brand it as their own, and resell it. At least I have been told by Microsoft that if we see that in AppSource, they will remove it.

What Helps?

Shifting necessary code off of your solution to your Azure is one scenario. At least on “your” Azure you can turn it off or on. If your solution has to reach outside, to get some bit of code or information to make it run, you at least have created a minor barrier. Code obfuscation is another technique that can help, but that is also not 100%.

What Works?

The only defense you have, in my opinion, is marketing. You have to build a brand and a reputation, that sane people will value over some low-cost knockoff. This is easier sad than done. It has taken us almost five years to establish a brand (RapidStartCRM) and a reputation, and still I hear people confusing us with knockoffs with similar names. There is of course, nothing illegal about liking someone’s idea, and creating your own variation of it. But it still sucks to the one who did it first.

What is not worth the effort?

Let’s face it. Most I.P could be reverse engineered even if I could not get your code. Just using it and understanding what it does is enough for a smart person to go create their own version. While their at it, they may as well go ahead and improve on your idea. In our solutions we have forgone the potentially very expensive, and not very effective anyway, I.P. protection efforts. We are able to track usage, and let customers know when they are out of compliance. This works with the 95% of customers who are honest. To me it was not worth the investment to attempt to thwart the %5. In retail, they call it “shrinkage”. Obviously if you have extremely valuable, or highly proprietary I.P. you may look at it differently.

Windows

I have used this analogy for many things about Microsoft, and ISV solutions are no different. When you think you have identified an idea, a window opens. Shortly after you go through it, others will follow. In a relatively short amount of time, that same window starts to close. Either too many people went through it and there are no margins left, or Microsoft patched the hole you found and your solution is no longer needed. Today, windows close as fast as they open. If you are going to be in the ISV game, you need to move very fast with ideas, and always been thinking about what you will do next.

Steve Mordue MVP

Steve Mordue, a Microsoft Business Applications MVP, is the CEO of Forceworks, a 2014 Microsoft Partner of the Year. Steve started his business applications consulting career in 2001, originally supporting Salesforce.com as a Certified Consultant. Steve transitioned his consulting practice to Dynamics CRM, (now Dynamics 365) in 2011. Steve has been engaged in hundreds of deployments over the course of his career. As one of the leading Microsoft Business Application Consultants, recognized by Microsoft as an expert, Steve has provided training, on behalf of Microsoft, to other Microsoft Partners globally on how to launch and build successful practices. Steve is a member of the Worldwide Dynamics Partner Advisory Council, and is a frequent presenter and panelist at global Microsoft events. The opinions shared in this blog are Steve's alone. If you are looking for Microsoft confidential information, you will not find any here.

1 Response

  1. Mauro Maniforti says:

    “The good news is I can only download to disk a copy of unmanaged solutions. However I can copy a managed solution into an unmanaged one, and then of course download a copy. So getting an unmanaged copy, of your managed solution that is installed on an instance I have access to, would take me about 30 seconds. I can now install your unmanaged solution on another instance, and poof, I have absconded with your I.P.. I can even take Microsoft’s own Managed Solutions.”

    Are you sure Steve?
    You can for sure create an unmanaged copy of a managed solution referencing the same artifacts, but if you export the unmanaged you don’t get exported the managed artifacts in it… or I’m missing something?

Add your 2 cents, but don't use my comments to pimp your stuff!

This site uses Akismet to reduce spam. Learn how your comment data is processed.