Approved Applications

Overview

Approved Applications is a per-organization allowlist of software. Each entry is keyed by application Name and matched case-insensitively, so Slack and slack are the same entry. The list is what ET Ducky compares your fleet's installed software against when it surfaces installs that nobody has signed off on.

Two cards work together on one tab. The Approved Applications card is where admins maintain the list. The Unapproved Applications card lists software detected across the fleet that is not on the list, with a count of how many agents have each app and one-click bulk approval. Any member of the organization can view both cards; adding, editing, and removing entries is restricted to workspace admins.

Where it lives: Systems → Approved Applications. This card previously lived under Integrations; it now sits under Systems because it describes fleet posture rather than a third-party integration. If you have an old bookmark to the Integrations tab, update it.

The Approved Applications card

This card holds the list itself. Each row shows the application Name, optional Notes (for example, "Approved per IT 2026-04"), and when it was added.

  • Add — type an application name and optional notes in the inline row at the bottom of the card, then click Add (or press Enter). The name is required; notes are optional.
  • Edit — change an entry's name or notes.
  • Remove — delete an entry from the list. You are asked to confirm first.

Adding a name that is already present (case-insensitively) returns a duplicate error and leaves your typed input intact, so you don't lose what you entered. Mutations are admin-only: members who are not workspace admins see the list as read-only with a note explaining that only admins can edit it.

The Unapproved Applications card

This card is the inverse of the list. It shows software found in the latest inventory snapshot from each agent whose name is not on the approved list. It is the practical way to build out the allowlist: instead of typing names from memory, you approve what's actually installed.

What each row shows

  • Name — the application's installed name, exactly as inventory reported it.
  • Publisher — the vendor, taken from inventory. Publisher may be blank for some apps; rows with no publisher simply show no vendor.
  • Agent count — how many agents have the app installed. Rows are sorted by this count (most-installed first), so the software with the widest reach is at the top.
  • Managed By: what can patch the app, derived from inventory: winget (winget can upgrade it), Other PM (a Linux package manager: apt, dnf, snap, flatpak, and so on), or No PM (no package manager owns it, so updating it needs a vendor script from the Software Catalog). No PM rows show a Set up patching button that opens that flow, where you can register the installer and optionally distribute it through the Distribution Hub. In that dialog, Suggest with AI can pre-fill the latest version, official download URL, and silent-install arguments for you to verify before saving (it never invents a SHA-256, and the URL is a suggestion to confirm against the vendor). This is the same signal on the Approved Applications card, where an app not present in any agent's latest inventory shows "Unknown". The Set up patching dialog's Suggest with AI is grounded — it prefers the real winget manifest (or web search) over model memory where available.
  • Available Managers — the package managers that could take over an app that isn't managed today. If an app was installed as a raw exe/MSI but winget actually recognizes it (or a Linux PM could), that's surfaced right here, so you don't have to open the Software Catalog to discover it. For admins, an unmanaged app with an available manager shows an inline Migrate to winget button: it queues a job to adopt the app into the package manager on every agent that has it installed. Migrating asks whether to uninstall the existing copy first (a clean reinstall through the package manager) or adopt it in place (the default, non-destructive). Once migrated, the app patches through its package manager like anything else — no vendor script needed.

Selection and bulk approval

  • Filter — narrow the list by name or publisher.
  • Managed by: a dropdown on both the Approved and Unapproved tabs to show only winget-managed, other-package-manager, or unmanaged apps. Use it to find, for example, everything that would need a vendor script (No PM) versus what winget can already patch.
  • Select all (filtered) — check every row currently matching the filter.
  • Select trusted publishers — one click checks every row whose publisher matches either your organization's saved trusted-publisher list or a built-in set of well-known vendors (Microsoft, Google, Mozilla, Adobe, Apple, 7-Zip, and more). The match is against the publisher inventory reported, so rows with no publisher are never selected — review those by hand.
  • Approve selected — add every checked application to the approved list in one request. Names already present are skipped rather than erroring, and the card reports how many were added and how many were already approved.

Trusted publishers

Beyond the one-click shortcut, you can maintain a persistent, per-organization trusted publishers list right on the Unapproved Applications card — type a publisher into the box and click Trust publisher, or remove one with the × on its chip. Trusting a publisher does two things:

  • Approves its current apps immediately. Adding a publisher bulk-approves the apps from that publisher already detected in your fleet.
  • Auto-selects its future apps for review. When a new app from a trusted publisher is detected, it's pre-checked in the Unapproved list for one-click approval — surfaced for you to confirm, never approved silently. The "Select trusted publishers" shortcut also matches your saved list, not just the built-in vendors.

After a bulk approval, both cards refresh: the newly-approved apps move into the Approved Applications card and leave the Unapproved list. Bulk approval and managing trusted publishers are admin-only.

Tip: Trust the vendors you always allow (Microsoft, your RMM/AV vendors, your standard toolset) once, and their software is cleared on sight from then on — you only hand-review what's left: in-house tools, niche utilities, and apps with a blank publisher.

How approved applications are consumed

The allowlist isn't enforcement — it doesn't block or uninstall anything. It's a reference set that other parts of ET Ducky read to surface installs you haven't approved.

  • Smart Reports — the not_in_approved query path and the "unapproved application" report angle anti-join the fleet's installed software against the approved list. A query like "show me apps installed in the fleet that aren't approved" returns exactly the set you see in the Unapproved Applications card.
  • Clearing a finding — approving an app removes it from the unapproved set, so it stops appearing in those reports. There's no separate "acknowledge" step; approval is the action that clears it.

Names must match the installed name

Matching is by name (case-insensitive), so an approved entry only takes effect when its name matches the name the agent actually reported for the installed app. If you type a name that differs from the installed name — even slightly — the install stays flagged as unapproved. This is why approving from the Unapproved Applications card is the reliable path: those names are copied directly from inventory, so they're guaranteed to match.

How to clear unapproved installs

  1. Open the tab. Go to Systems → Approved Applications. The Unapproved Applications card loads the apps detected across your fleet that aren't yet approved.
  2. Review. Scan the list, most-installed first. Use the filter to focus on a particular name or vendor.
  3. Select. Check the apps you want to approve. Use Select trusted publishers to grab known-vendor and your-trusted-publisher software in one click, or Select all (filtered) after filtering, then uncheck anything you don't want. Apps from a trusted publisher are already pre-checked. To stop hand-approving a vendor's software, add it under Trust publisher instead.
  4. Approve. Click Approve selected. The selected names are added to the approved list in one pass.
  5. Confirm. The approved apps leave the Unapproved list and appear in the Approved Applications card. They no longer surface in Smart Reports unapproved-install findings.

Repeat as new software shows up. As agents report fresh inventory, anything newly installed and not yet approved appears in the Unapproved Applications card on the next refresh.

Related

See Smart Reports for the queries that surface unapproved installs, and Patch Management for the Software Catalog and the workflow for updating the apps you've approved.