This article provides information necessary for understanding the licensing scheme, types, and enforcement specifics of the Acronis DeviceLock DLP 9.0 solution, as well as ordering limitations.
Licensing
Solution structure and licensing scheme
Solution structure
Acronis DeviceLock DLP is an endpoint data loss prevention (DLP) solution designed as a modular architecture of products and their functional components whose capabilities are complementary to each other while their management is unified. To ensure maximal flexibility for customers, Acronis uses a licensing scheme with optional components.
These products and components can be used in various combinations, allowing Acronis customers to choose cost-optimized options with only those functions necessary to satisfy their current security needs. At the same time, this modular architecture enables customers to incrementally upgrade the functionality of the deployed DLP solution as their data protection requirements grow from basic device/port control up to all-inclusive content-aware DLP.
Fig. 1. Structure of Acronis DeviceLock DLP products and components
The solution, whose structure is depicted in Fig. 1, includes two products which can be used independently or together: Acronis DeviceLock Endpoint DLP and Acronis DeviceLock Discovery.
Acronis DeviceLock Endpoint DLP (hereinafter referred to as “Endpoint DLP”) consists of several functional components including Acronis DeviceLock Core, Acronis DeviceLock NetworkLock, Acronis DeviceLock ContentLock, Acronis DeviceLock User Activity Monitor, and Acronis DeviceLock Search Server (hereinafter referred to as “DeviceLock Core,” “NetworkLock,” “ContentLock,” “UAM,” and “Search Server,” respectively).
Licensable items
All five components are included and shipped in a single distribution package, but licenses for each one can be purchased separately. As a result, the aggregate set of features available in a particular Endpoint DLP installation depends on the set of licensed functional components.
DeviceLock Core is the fundamental component of Endpoint DLP and can be licensed and used independently as an entry-level DLP solution. As it includes all management servers and consoles of the solution, DeviceLock Core is a mandatory component for any deployment of Endpoint DLP.
In addition to DeviceLock Core, any Endpoint DLP deployment could include ContentLock, NetworkLock, UAM, Search Server, or any combination thereof. These four functional components are optional add-ons to DeviceLock Core — they can be licensed together with DeviceLock Core, but none of them can be licensed as an independent product.
For customers who need a full-function endpoint DLP solution for both local and network channels, a special discounted bundle is offered that includes DeviceLock Core, NetworkLock, and ContentLock.
Another product in the DLP solution, Acronis DeviceLock Discovery (hereinafter referred to as “DeviceLock Discovery”) can be licensed and used independently. It does not contain any functional components.
In some cases, customers want their analytical tools to be able to access data stored in the central DLP log database directly at the record level, in order to generate custom analytical reports of their choice. These customers can obtain such access by licensing a special optional add-on feature to DeviceLock Core called Acronis DeviceLock Enterprise Server DB Access.
The full set of SKUs available for licensing in Acronis DeviceLock DLP is presented in Fig. 2.
Fig. 2. Licensable items in Acronis DeviceLock DLP
Product to SKU mappings
To clarify the licensing logic and to help with quotations, the diagram in Fig. 3 outlines how Acronis DeviceLock DLP’s products and functional components (depicted on the left) are mapped to SKUs available in the pricelist (depicted on the right).
Fig. 3. Products and components to SKUs mapping
In addition to six direct product/component-to-SKU mappings, the SKU rectangle with three inbound arrows represents the pricelist bundle of three functional components: DeviceLock Core with NetworkLock and ContentLock.
Another special SKU for Acronis DeviceLock Enterprise Server DB Access is added in the pricelist because it is a separately licensed add-on feature of DeviceLock Core. In Fig. 3, this mapping is indicated by a curved arrow from DeviceLock Core to the SKU with Enterprise Server DB Access.
SKUs for use on Windows and Mac computers
Only one SKU family is available for computers running macOS: Acronis DeviceLock Core for Mac.
SKUs that don’t specify an operating system in their name are for use on computers running Windows.
License types
The subscriptions can be renewed by purchasing one-year subscription license renewals. To acquire a product subscription for more than one year, customers must buy a one-year subscription license for the product and complement it with the number of additional one-year subscription license renewals (for the same product) necessary to cover any subsequent years of the aggregate subscription term.
Renewals for maintenance and support can be purchased for one, two, and three-year terms.
Renewals for maintenance and support of products with perpetual licenses purchased before the change to the subscription-based licensing (July 1, 2021) can be purchased for one or two-year terms.
It is no longer possible to buy upgrade licenses for product maintenance and support when the maintenance and support term of perpetual product licenses has expired. Instead, customers may purchase one-year subscription licenses for product components with expired maintenance and support terms.
DeviceLock Core, NetworkLock, ContentLock, User Activity Monitor (UAM), and DeviceLock Discovery are licensed per number of endpoints protected by DLP agents. The endpoint might be a laptop, desktop, server, virtual desktop, or virtual application or desktop session.
Search Server is licensed per number of log entries in the central DLP log database where content is indexed for full-text searching, including the following log entry types: shadow copies; UAM keyboard input records; and records of various event logs (Audit Log, Deleted Shadow Log, Server Log, Monitoring Log, and Policy Log).
The Enterprise Server DB Access add-on is licensed per number of endpoints whose collected logs can be directly accessed in the DLP log database.
Ordering
License enforcement specifics
The following license enforcement specifics must be taken into account when ordering DeviceLock DLP products:
- There is a separate license type for each functional product component, including DeviceLock Core, NetworkLock, ContentLock, UAM, Search Server, and Discovery. A separate license type is also used for Enterprise Server DB Access.
- For license provisioning, a special “license file” is used. Each license file is used for provisioning one or more licenses of only one particular license type. For example, if 30 DeviceLock Core licenses, 30 NetworkLock licenses, and 30 ContentLock licenses are ordered in a deal, at least three license files should be generated when provisioning these licenses — one with 30 DeviceLock Core licenses, a second with 30 NetworkLock licenses, and a third with 30 ContentLock licenses.
- For license activation, a license file must be registered in DeviceLock Management Console, which enforces endpoint licenses for DeviceLock Core, NetworkLock, ContentLock, and UAM.
- One or more license files of different types can be activated in a single Management Console.
- One or more license files of the same type can be activated in a single Management Console. In this case, the total quantity of functional components of this license type managed from this Management Console is equal to the sum of quantities of licenses provisioned by these license files.
- There are also two other specific conditions of license enforcement:
  - As all management components of the solution are included in DeviceLock Core, its license must be used in any Endpoint DLP deployment.
  - For any Management Console, the total number of licenses of each add-on type must be equal to the total number of DeviceLock Core licenses — this rule applies to NetworkLock, ContentLock, and UAM.
As a result of the above conditions, in any DLP project where different endpoints should be protected by different sets of functional components, more than one Management Console must be used in order to ensure that equal numbers of various license types are activated in each of these Management Consoles.
Consequently, for some types of licenses used in such a project, their total quantity must be split between more than one license file and each of these files should be activated in a particular Management Console used in the deployment.
Fig. 4. Example of a purchase order with component license split between several license files.
Prices are given as an example and are subject to change without notice.
The example in Fig. 4 shows how the total quantity of ordered licenses of each type should be split between the three Management Consoles, as is necessary to fully utilize all functional licenses ordered for this particular DLP solution.
It is important to note that in similar scenarios, customers (advised by Acronis Solutions Engineers) have to determine how many Management Consoles are needed for their DLP solution and then split the total quantity of ordered licenses of each type between the appropriate number of license files to be used in these Management Consoles. This split must be indicated for each ordered endpoint DLP component in the purchase order.
Required information and instructions for purchase orders