I'm wondering how this sort of thing can work with software, and how does one enforce the policy to make sure the company is not cheating.
There are 2 ways to enforce how your customers use your software: contractually and technologically. You should use both methods in tandem. Gary E covered the legal and written-contract side of things, so I'll just cover the technological way of enforcing how your customers use your software.
(Technologically) Enforcing how your customers use your software
The way you limit how many times your customers install your software is by using "hardware-locked" licensing. I'm founder of the company that makes LimeLM (hardware-locked licensing for Windows/Mac/Linux/etc.), so obviously I'm going to recommend you go with our solution. But I'm also going to describe how to build this yourself. And I can go into further detail if you want.
The most commonly used method of hardware-locked licensing is online activation. This is what greater than 99% of end-users of companies using LimeLM use. There are other variants of hardware-locked licensing ("offline" activation, dongles, floating licensing, etc.). However, for most companies, online activation is the best bet.
Most people have encountered the "online activation" type of licensing when they purchase a copy of Microsoft Windows or Microsoft Office.
When a customer uses well designed online activation it looks nearly identical to “serial-only” licensing. That is, the customer buys a copy of your software and gets a 20 to 30 character serial number like “ABCD-EFGH-IJKL-MNOP-…”. The customer enters this serial number into your program or your program’s installer. Then, when the user clicks an “Activate” button, some “magic” happens behind the scenes. Your app will either let the customer use your app on that machine or your app will tell the customer to buy another license.
What’s the “magic” behind online activation? (a.k.a. how to build it yourself)
If you don't want to buy a 3rd party licensing solution like LimeLM, you can always build it yourself. But what you build has to be technologically sound.
The broad overview of how any well-designed online activation licensing system works is like this:
- Your customer enters a serial (e.g. “ABCD-EFGH-IJKL-MNOP-…”).
- Your software generates a “fingerprint” to uniquely and anonymously identify the customer’s computer.
- This serial and the computer's unique "fingerprint" are sent to an activation server.
- If the server allows the activation then the serial & fingerprint are cryptographically signed and sent back to the user.
- Based on this cryptographically signed block your app or installer will know whether the user is allowed to use your application or not.
The whole activation process is a huge topic that can get exceedingly technical. This is the condensed version. The hardware "fingerprinting" in itself is a gigantic topic. There are a thousand wrong ways to do it (using an IP address, MAC address, etc., etc.).
The best way to get a fingerprint for a computer is to use every piece of hardware in the computer (RAM, CPU, motherboard, BIOS, primary hard disk, networking card internal details, etc., etc.).
If you want me to go into further detail, just ask.
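The five-step flow in the answer above, worked through end to end as an added example (this is not LimeLM's code and not code from the answer's author). It assumes an Ed25519 signing key held only by the activation server, a seat count per serial, and hardware details passed in as a constructed map instead of being read from the OS; the serial and machine values are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Fingerprint derives an anonymous machine identifier from stable hardware
// identifiers. A real product reads CPU, motherboard, BIOS, disk and NIC details
// from the OS; here they are passed in (constructed) so the example runs offline.
func Fingerprint(components map[string]string) string {
	keys := make([]string, 0, len(components))
	for k := range components {
		keys = append(keys, k)
	}
	sort.Strings(keys) // canonical order: the same hardware must always hash the same
	h := sha256.New()
	for _, k := range keys {
		h.Write([]byte(k + "=" + components[k] + "\n"))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// ActivationRequest is what the client sends: serial plus machine fingerprint.
type ActivationRequest struct {
	Serial, Fingerprint string
}

// Certificate is the server's reply: the approved pair and an Ed25519 signature
// over it made with the vendor's private key.
type Certificate struct {
	Serial, Fingerprint string
	Signature           []byte
}

// certMessage is the exact byte string that is signed and later verified.
func certMessage(serial, fingerprint string) []byte {
	return []byte("activation-v1\n" + serial + "\n" + fingerprint + "\n")
}

type license struct {
	maxSeats    int
	activations map[string]bool // fingerprints already activated under this serial
}

// ActivationServer owns the private key and the license database. Clients ship
// with the public key only, so a client can verify but never forge a certificate.
type ActivationServer struct {
	priv     ed25519.PrivateKey
	licenses map[string]*license
}

func NewActivationServer() (*ActivationServer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &ActivationServer{priv: priv, licenses: map[string]*license{}}, pub, nil
}

// IssueSerial registers a sold serial together with the number of machines it covers.
func (s *ActivationServer) IssueSerial(serial string, seats int) {
	s.licenses[serial] = &license{maxSeats: seats, activations: map[string]bool{}}
}

// Activate enforces the seat limit and signs approved requests. A machine that is
// already on the list may re-activate (a reinstall does not consume a new seat).
func (s *ActivationServer) Activate(req ActivationRequest) (*Certificate, error) {
	lic, ok := s.licenses[req.Serial]
	if !ok {
		return nil, errors.New("unknown serial")
	}
	if !lic.activations[req.Fingerprint] {
		if len(lic.activations) >= lic.maxSeats {
			return nil, fmt.Errorf("seat limit of %d reached; buy another license", lic.maxSeats)
		}
		lic.activations[req.Fingerprint] = true
	}
	sig := ed25519.Sign(s.priv, certMessage(req.Serial, req.Fingerprint))
	return &Certificate{Serial: req.Serial, Fingerprint: req.Fingerprint, Signature: sig}, nil
}

// VerifyCertificate is the client-side check at start-up: the signature must be the
// vendor's and the fingerprint must match this machine, so a certificate copied
// from another computer (or edited to name this one) is rejected.
func VerifyCertificate(pub ed25519.PublicKey, cert *Certificate, localFingerprint string) bool {
	if cert == nil || cert.Fingerprint != localFingerprint {
		return false
	}
	return ed25519.Verify(pub, certMessage(cert.Serial, cert.Fingerprint), cert.Signature)
}

func main() {
	server, pub, err := NewActivationServer()
	if err != nil {
		panic(err)
	}
	const serial = "ABCD-EFGH-IJKL-MNOP" // constructed serial covering two machines
	server.IssueSerial(serial, 2)
	machineA := Fingerprint(map[string]string{"cpu": "cpu-A", "board": "board-A", "disk": "disk-A"})
	machineC := Fingerprint(map[string]string{"cpu": "cpu-C", "board": "board-C", "disk": "disk-C"})
	certA, err := server.Activate(ActivationRequest{Serial: serial, Fingerprint: machineA})
	fmt.Println("machine A activated:", err == nil, "verifies locally:", VerifyCertificate(pub, certA, machineA))
	fmt.Println("certificate copied to machine C verifies:", VerifyCertificate(pub, certA, machineC))
}
```

The seat limit lives only on the server, and the client never holds anything that lets it mint a certificate; what the client does hold is the public key, so the local check is "does the vendor's signature cover exactly this serial on exactly this machine". Swapping the real hardware readers in for the constructed map is the part that the answer calls a gigantic topic in its own right.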