Understanding Defender Licensing (44179)

How is Defender licensed? What are the different license types? How are licenses imported?

Defender licenses are stored as objects in Active Directory. The License is valid for all Domains in the AD Forest. Each AD user will consume one user license, in addition to one token license for each token assigned. To import a license, open Active Directory Users & Computers (ADUC) on a system where the Defender Administration Console is installed. Select the Defender menu at the top and click "License".


Version 5.8 and above


1. User license.  A license key will be emailed to the customer, which can then be imported into AD. A User License is required for each AD user who will be assigned a Defender token. 

2. Hardware Token License. Requires a file to be imported. Older GO-7 tokens have an EXPORT.DPX file with a key. Newer GO-7 and YubiKey tokens are imported with a .CSV file. Each physical token will be represented by an object in AD, which can then be assigned to a user. The name of the object will match the serial number of the token it is associated with. If you need replacement files please contact your Account Manager or submit a Support Service Request.

3. Defender Soft Token License.  This license covers all types of One Identity Defender software tokens, including iOS, Android, Windows, Java, Email and SMS tokens. One license is required for each token that is programmed. Multiple soft tokens can be assigned to each user. Soft tokens are disposable and can only be activated once. When a soft token is unassigned from a user, the associated object should be deleted. Non-native soft tokens that are supported for use with Defender, such as Google Authenticator and Authy tokens do not consume a Soft Token License.

4. GrIDsure token licenses.  These tokens are excluded from the normal Soft Token license, and require their own specific license. One license is required for each GriDsure token assigned.


Version 5.7 and below


1. The User license (appears as DEFLIC0000000000 in Active Directory and "Type" is "Defender License".)  This license covers the number of users who will be assigned tokens, irrespective of token type.  User licenses are not cumulative - only one can be installed at a time and it is domain specific.

2. Hardware Token License.  This will be in the form of files that need to be imported (.DPX).  Hardware tokens include GO-3, GO-6 and GO-7.  In addition to the .DPX files provided to import hardware tokens, a data key is required (included with your physical shipment).

3. Defender Soft Token License.  This license covers the amount of Desktop/Soft Tokens that can be created - Blackberry, iTokens, Android etc.  Token licenses are cumulative, multiple can be installed. Unassigned soft tokens do consume a soft token license. In Defender 5.7 the "Universal Desktop Token" license was also introduced.

4. GrIDsure token licenses.   This license covers the amount of native GrIDSure soft tokens that can be created. GrIDsure token licenses are cumulative, multiple can be installed. 

The "Universal" license (appearing as "PGODTL_UNIVERSAL" in AD) and replaces individual Desktop Token licenses.  When upgrading to 5.7 the existing token licenses will be converted to ‘Universal’ Desktop Token licenses and will allow for any type of token to be generated.  Thus, the Universal license allows for any "soft" token to be created without relying on a specific license type for that token type, i.e. Blackberry or Android.

NOTE: In Defender 5.7 and below, when requesting a new user license from either your sales representative or Licensing, be sure to let them know the total number of users you need licensed.  User license files do not get appended when you import them, so any license being imported must be for your total needs and not a fraction of the total.