Today, most desktops are virtualized; the same has been true for servers for years. This means that Licensing has to deal with the issues related to impermanent storage and copying of deployed application instances.
Abuse of VMs leads to lost revenues and improper use of the customer's IP.
The API is using a nonce concept. Every request must contain a unique nonce value in the N-Nonce header. First, the Nonce is returned by the Create Activation endpoint. This nonce needs to be stored by the application and used in subsequent requests. Subsequent requests will return a new nonce, which needs to be used in the next request. Nonce values are returned in the N-Nonce header.
To learn more about the origins of a "nonce," go here.
In the Licensing API, a nonce will ensure only one application instance uses a single activation. This should solve issues managing applications running on Virtual Machines in a connected environment.
Requesting the Activate endpoint will create and return a new nonce value. Other requests will require this exact value to be set on request headers. The API will verify the provided nonce and create/return a new one.
These are requests that require nonce to be present:
get activation state
The Deactivate endpoint will not check this value - this ensures activation is not left in a limbo state if the nonce was lost. Deactivate uses data from access-token to determine the correct seat to deactivate.
Q: What happens when a user clones a virtual machine, and the cloned machine does not have access to the internet?
A: This depends on whether the machine was activated online or offline.
For offline activations, there is no real secure way to prevent cloning technically. ISVs should only allow offline activation for customers they generally trust. Or take into account that nothing offline without internet access is truly secure against cloning due to the lack of any real secure way to identify and lock to a virtual device without a way to check the number of running instances. Virtual machines, unlike physical devices, have no unique identifier that cannot be easily manipulated nor any secure API or secure storage provided by the developers of the VMs.
If the app in the VM was activated online, the clone can be used until the lease period expires. When this happens, all the clones must refresh the activation using the nonce mechanism. So, only the first clone will succeed. Others won't be able to refresh, and the activation will go into an expired state in any of the clones.