Overview
User-installed apps are applications that employees install directly on their devices outside of your organization's managed software catalog. Unlike managed-installed apps (deployed through your MDM policy), user-installed apps are detected from enrolled devices and reported in the Shadow IT section of your admin console.
Monitoring user-installed apps helps IT administrators maintain visibility into software running across the organization, identify potential security risks, and enforce compliance policies — for example, identifying at a glance which users have a specific app like Granola installed.
How User-Installed Apps Are Detected
When a device is enrolled in Swif, the agent collects application inventory data from the device. Each application is classified as one of three types:
System apps — Pre-installed operating system applications (e.g., Safari, Calculator)
Managed-installed apps — Applications deployed through your organization's MDM manifest
User-installed apps — Applications installed by the user outside of the managed manifest
An app is classified as user-installed when it meets all three conditions:
Condition | Meaning |
| The app is present on the device |
| The app is not part of the managed deployment manifest |
| The app is not a pre-installed system application |
If any condition is not met — for example, if the app is flagged as a system app or is already in the managed manifest — it will not appear under user-installed.
Shadow IT Report — Main Applications Table
Navigate to Shadow IT > Applications in your admin console to view all detected applications, including user-installed apps.
Usage Column
The main table includes a Usage column with two clickable metrics for each application:
Metric | Description | Click Action |
User Count | Number of user accounts using the app (from browser-based access) | Redirects to the Users tab (Active Accounts) |
Device Count | Number of devices with the app user-installed | Redirects to the Devices tab (User Installed) |
Usage Filter
Use the Usage filter to narrow your view:
Has Desktop app (user-installed apps) Usage — Shows only apps with user-installed desktop usage, excluding browser-only apps and apps with no usage data.
Apps with No Usage Data
Apps with "No Usage Data" occur when a custom app was created but no user is currently using it, or previous users have been removed. These apps:
Display "No Usage Data" in the Usage column
Are automatically sorted to the end of the main Shadow IT table
Shadow IT Report — Per-Device Display
Each application in the Shadow IT report shows the individual devices where it was user-installed. For each device entry, the following information is displayed:
Field | Description |
Device Name | The enrolled device's hostname or friendly name |
Serial Number | The hardware serial number of the device |
Device Type | The device category (e.g., laptop, desktop, mobile) |
Manufacturer | The device manufacturer (e.g., Apple, Dell, Lenovo) |
OS Name | The operating system running on the device (macOS, Windows, Linux, iOS/iPadOS, Android) |
This device-level visibility allows administrators to see every user-installed instance of an app across the organization and identify exactly which endpoints have unapproved software installed.
Application Details — Users Tab (Active Accounts)
Click the User Count in the Usage column to open the application's Users tab. This tab shows browser-based usage:
Column | Description |
Employee | The user account |
Last Active | Last time the app was accessed via browser |
Account Source | Where the account originates |
Permission Level | The user's permission level for the app |
Location is derived from browser app detection.
A notice clarifies that this tab shows browser apps usage data only.
If no users are currently using the app via browser, the tab displays a "No Usage Data" state.
Application Details — Devices Tab (User Installed)
Click the Device Count in the Usage column to open the application's Devices tab.
This tab shows all devices where the app is user-installed:
Column | Description |
Device | The device identifier |
Device Name | Friendly name of the device |
Last Active | Last time the app was accessed via user-installed desktop app |
Status | Device enrollment status |
Location is derived from user-installed app activity (device location), not browser data.
A notice clarifies that this tab shows user-installed apps usage data only.
OS Filters
Filter devices by operating system:
macOS
Windows
Linux
iOS/iPadOS
Android
Application Details — Device Groups Tab
The Device Groups tab aggregates user-installed app data by device group:
Column | Description |
Group Name | The device group name |
Description | Group description |
Devices | Number of devices in the group with the app user-installed |
Last Active | Most recent user-installed app activity across the group's devices |
A notice clarifies that this tab shows user-installed apps usage data only.
Click a device group record to view the Device Group Details page, which lists individual devices within that group and their Last Active activity.
Group Type Filter
Filter device groups by:
Manual — Manually created device groups
Smart — Dynamically populated smart groups
User View — Active Accounts Tab
From the User View, select a user account to see their application activity in the Active Accounts tab:
Column | Description |
Usage > User Count | Number of user accounts in Shadow IT for that app |
Usage > Device Count | Number of user-installed app instances on this user's devices |
Last Active | Most recent activity (from browser or desktop usage) |
Location | Derived from browser app or user-installed app location |
Combined Usage Display Rules
When a user has both desktop and browser access:
The row shows the source and permission level (browser-based) even if the most recent activity was via desktop.
When a user has only desktop access:
The source/permission information shows N/A.
Software Page — OS Breakdown View
On the Software Page (Application Management), user-installed apps include an OS-specific breakdown.
OS Scope Labels
The User Installed count displays an OS scope indicator:
Label | Meaning |
(All OSs) | The app is detected across all supported platforms (macOS, Windows, Linux) |
(Across X OSs) | The app is detected on a subset of platforms (e.g., "Across 2 OSs") |
(macOS), (Windows), (Linux) | The app is detected on a single platform only |
Clicking the User Installed count on the Software Page redirects to the Devices tab (User Installed) in the Shadow IT application details.
Tooltip — Per-OS Device Breakdown
Hover over the User Installed count to see a tooltip with the per-OS device count breakdown (e.g., macOS: 5, Windows: 3, Linux: 1).
For apps present on only one OS, the tooltip displays the device count for that single OS.
Switching Views
The Software Page supports two views:
Per-OS view — Apps grouped and displayed by operating system
All OSes combined view — An aggregated view across all operating systems
Totals in the combined view always match the sum of counts across individual OS views.
Device Details — Installed Apps Tab
From Device Management, select a device and navigate to the Apps > Installed Apps tab. This view shows all applications installed on the device, including user-installed apps. From here, you can:
View the full list of installed applications
Select user-installed app rows and add them to a blocklist
Trigger consolidated blocking actions for selected apps
Taking Action on User-Installed Apps
Add to Blocklist
Block user-installed apps directly from the device's installed apps page:
Navigate to Device Details > Apps > Installed Apps
Select one or more user-installed app rows
Click Add to Blocklist
The selected apps are pre-filled in the consolidated blocking modal
Confirm to add the apps to your App Blocker Policy
Types of Blocking
Swif supports three blocking methods for applications:
Method | Description | Implementation |
Uninstall | Removes the application from devices | Managed via manifest |
Kill -9 | Forcefully terminates the app process without uninstalling | App Blocker Policy |
Domain Filtering | Blocks access to the app's web domains | Web Filtering Policy |
Important Notes
Classification is strict. Only apps meeting all three conditions (
isInstalled,!isInManifest,!systemApp) appear under user-installed. Apps flagged as system apps by the OS or already in your managed manifest are excluded — even if they were originally user-installed.OS filters in the App Catalog do not affect user-installed app data. User-installed information is sourced directly from enrolled devices, independent of App Catalog OS filters. All enrolled devices are displayed and grouped regardless of catalog-level OS filtering.
Count discrepancies between views are expected. The Software Page (Applications) and Shadow IT may show different device counts for the same app because they use different backend data sources and filtering logic. Shadow IT applies stricter criteria (active device, enrolled status, app inventory match) compared to the broader MDM installed-app view.
Data consistency — Counts remain consistent when switching between per-OS and combined views on the Software Page.
Google Workspace integration — When connected, Swif reads login logs from services like Google Workspace, which can surface additional apps that employees access via OAuth or browser.
Frequently Asked Questions
Q: Why does Shadow IT show fewer devices than the Applications page for the same app?
Shadow IT filters devices using the classification rule (isInstalled && !isInManifest && !systemApp) applied against the device's application inventory. The Applications page may use a broader MDM query that includes devices without a matching app inventory record. This is expected behavior.
Q: What's the difference between the Users tab and the Devices tab?
The Users tab shows browser-based usage (accessed via browser apps) with account-level details. The Devices tab shows user-installed desktop app usage with device-level details. Each tab has its own data source and location tracking.
Q: Why do I see apps in Shadow IT that I didn't expect?
When integrations like Google Workspace are connected, Swif reads login logs from those services. This can surface apps that employees access via OAuth or browser, in addition to locally installed software.
Q: Can I filter user-installed apps by device group?
Yes. Navigate to the application details and use the Device Group tab to see user-installed app data grouped by device group, with filters for group type (Manual or Smart).
Q: What happens if an app is both managed-installed and user-installed on different devices?
The app will appear in both the Managed-Installed and User Installed views. Each view shows only the devices relevant to that installation type.
Q: Are BYOD devices included?
User-installed app detection works on enrolled devices. The level of visibility depends on the enrollment type and device supervision status.