Unauthorized software installations are a real risk. They slip into your network without approval. Sometimes by accident. Sometimes on purpose. Either way, they’re a problem.
To track unauthorized software installation effectively, a holistic approach is required. The software compliance policy should be there that combines reactive scanning and proactive measures. This includes using network monitoring, software inventory tools, and intrusion tracking systems.
In this guide, we’ll walk through practical steps on how to detect unauthorized software installation across major systems like Windows, macOS, and Linux.
What Is Unauthorized Software?
Unauthorized software is any program that’s installed without approval from your IT or security team. That includes apps employees download themselves, pirated tools, or even legitimate software that’s not properly licensed.
It doesn’t matter if the software works well. If it’s not on your approved list, it’s unauthorized.
Here are some common types:
- Shadow IT tools – apps installed by users to get around IT restrictions. Think file sharing tools, messaging apps, or unapproved remote access software.
- Cracked or pirated software – often used to avoid license fees, but risky and illegal.
- Outdated or abandoned tools – these may have once been authorized but no longer meet security or compliance standards.
- Duplicate licenses – even if the software is okay, using more copies than your license allows puts your company at risk.
Every unauthorized installation weakens your software compliance. It also increases your attack surface. The more unknown software you have, the harder it is to secure your systems.
That’s why finding and removing unauthorized software is not just good practice, IT’S NECESSARY!
Proactive and Reactive Measures to Strengthen Software Compliance
Unauthorized software installations are a constant risk. Detecting them once isn’t enough. You need a structured system that prevents, detects, and responds every time.
Here’s a quick breakdown of both proactive and reactive controls:
Proactive Measures
Software Inventory
Maintain a complete inventory of installed software across Windows, macOS, and Linux. Include software name, version, source, and install date.
Authorization Policy
Use a clear whitelist. Anything not on the list is unauthorized. Update quarterly and match by department or role.
Regular Audits
Run monthly audits to compare real installs against the approved list. Include remote and BYOD devices.
Endpoint Management
Use tools like Jamf, Intune, SCCM, or License Manager to manage devices, enforce install rules, and monitor compliance.
Network Monitoring
Monitor outbound traffic. Flag connections to unknown domains, high-risk IPs, or non-standard ports.
Vulnerability Scanning
Run scans using Nessus, OpenVAS, or Qualys to detect weaknesses in newly installed or unmanaged software.
Access Control
Use role-based access and system restrictions to prevent users from installing unapproved software.
Reactive Monitoring
Intrusion Detection Systems (IDS)
Deploy tools like Snort or Zeek to monitor unusual software behavior or suspicious network connections.
Event Log Analysis
Track Windows Event ID 11707, Linux audit logs, or macOS install logs to detect installation events.
Firewall Logs
Review logs to spot unauthorized applications attempting connections.
SIEM Integration
Use tools like Splunk or Sentinel to correlate software activity, user behavior, and network traffic in one place.
Additional Controls
Vendor Evaluation
Before approving new tools, review the vendor’s security practices and patch history.
User Education
Train employees on what’s allowed, how to request software, and the risks of going around policy.
Policy Reviews
Update your software compliance policy every 90 days. Remove unused tools. Add approved ones. Tighten controls where needed.
This combined approach, backed by reactive monitoring, is how you keep unauthorized software out and software compliance intact.
Why Detecting Unauthorized Software Matters
If you’re not actively detecting unauthorized software installations, you’re inviting trouble. That’s the truth.
These apps don’t belong in your environment. They weren’t tested, approved, or secured. And yet, they can quietly run on your devices, exposing you to legal issues, security breaches, and failed audits.
Here’s what happens when you ignore the problem:
- You break license agreements.
Running more copies than you paid for? That’s a violation. Vendors run audits. If you’re caught, you pay heavily. - You open the door to malware.
Most cracked or pirated software includes backdoors. It’s how attackers slip in. Once they’re in, they don’t ask for permission. - You lose control over your own systems.
When employees install whatever they want, your IT team loses visibility. You don’t know what’s running. You can’t protect what you can’t see. - You fail compliance checks.
Whether it’s ISO, GDPR, HIPAA, or internal policy, unauthorized software kills compliance. You either fix it or face the consequences.
This isn’t about being strict for the sake of it. It’s about protecting your business. If you don’t have full control over your software installations, you don’t have control over your infrastructure.
You either manage your software inventory, or it manages you.
Step-by-Step Guide to Detect Unauthorized Software Installations
Step 1: Build a Complete Software Inventory
If you can’t see it, you can’t control it.
The first step to stopping unauthorized software is knowing exactly what’s installed. Not just on a few machines. On every device in your network—Windows, macOS, and Linux.
This isn’t optional. Without full visibility, unauthorized software installations will keep slipping through.
Here’s what to do:
Windows
Use tools already built into the system:
- PowerShell – run scripts to list installed apps.
- WMI (Windows Management Instrumentation) – query software data.
- Event Viewer – check install logs.
- SCCM – if you have it, this helps track and manage large fleets.
These tools give you a clear list of everything that’s been added. Good or bad.
macOS
macOS has its own methods:
- Jamf – a strong choice for enterprise Apple management.
- Munki – open-source and effective for tracking app installs.
- Terminal commands – use system_profiler or find to list applications.
Most IT teams forget about Macs. Don’t. Unauthorized software runs just as easily on them.
Linux
Linux is flexible, but still needs structure:
- dpkg or rpm – shows installed packages depending on the distro.
- auditd – logs package changes and system events.
- OSQuery – a cross-platform tool that turns your OS into a queryable database.
Keep It Centralized
Don’t build three different inventories. Use a singular tool or platform that pulls from all OS types and shows everything in one place.
Software license management isn’t a task. It’s a requirement. Without it, you’re blind. And if you’re blind, you’re vulnerable.
Step 2: Monitor Software Installation Events in Real Time
It’s not enough to know what’s installed. You need to know when it happens.
Real-time monitoring catches unauthorized software installations the moment they occur. That gives you a chance to respond before damage is done.
Let’s break it down by operating system:
Windows
Windows logs installation events. You just have to listen.
- Event ID 11707 – triggered when a new app is installed via MSI.
- PowerShell scripts – can watch for changes and alert you.
- Group Policy + Task Scheduler – to automate checks and enforce restrictions.
This isn’t complex. It just needs to be done. If you ignore these logs, you’re giving users and attackers a free pass.
macOS
macOS doesn’t shout when something installs. But the signs are there.
- Watch /Applications folder – set up scripts to track new .app bundles.
- Check /var/log/install.log – lists system-level installations.
- Use Jamf or Munki – these tools can enforce install rules and monitor activity.
If you think your Mac fleet is safe by default, you’re wrong. They’re just as exposed if you’re not watching.
Linux
Linux gives you power. But with that comes responsibility.
- auditd – tracks package manager activity (like apt, yum, dnf).
- journald – logs system events that point to app installs.
- Use file integrity checks – tools like AIDE can detect changes to critical directories.
Set it up once. Let it run in the background. If someone installs something they shouldn’t, you’ll know.
Automate the Detection
Manual checks won’t scale. You need alerts.
Set up notifications for:
- New software installations
- Changes to install directories
- Unauthorized apps detected on any device
Send those alerts to email, Slack, or your ticketing system. Act fast when something’s wrong. Don’t wait for a quarterly review.
Real-time visibility turns guesswork into action. And when it comes to software compliance, action beats intention.
Step 3: Define What’s Authorized and What’s Not
If you don’t clearly define what counts as authorized software, you can’t expect people to follow the rules. Or enforce them.
Guesswork doesn’t work here. You need a software policy that spells it out, black and white.
Start with a Whitelist
Make a list of all the software that’s approved for use.
- It should include names, versions, and usage scope.
- Be specific. Don’t just write “PDF viewer.” Say “Adobe Acrobat Reader 2023.006.”
This becomes your baseline. Anything not on this list is unauthorized by default.
Keep a Blacklist Too
Some apps simply don’t exist in your network.
- Torrent clients
- Remote access tools
- Password dumpers
- Old, unpatched versions of known tools
- Anything pirated or cracked
If they’re a known risk, block them.
Match Software to Roles
Different teams need different tools. Developers may need Docker. Finance may not.
So, build your list around job roles. This keeps people productive while staying within the rules.
Example:
| Role | Allowed Software |
|---|---|
| Design | Figma, Adobe Illustrator, Sketch |
| Marketing | Canva, SEMrush, Microsoft Teams |
| Finance | QuickBooks, Excel, DocuSign |
Put the Policy in Writing
Don’t just store it in someone’s head. Write it down. Share it. Enforce it.
- Add it to onboarding.
- Review it with managers.
- Make sure users know how to request new tools.
And don’t ignore requests. People will install what they need if they feel unsupported.
No Room for Loopholes
Authorized means listed. Approved and audited.
Everything else is unauthorized software. That includes freeware, personal tools, or that “one-time use” installer someone grabbed from the internet. If you leave room for exceptions, you open the door to risk.
- Define your standards.
- Write them down.
- Stick to them.
That’s how you stay in control.
Step 4: Use Anomaly Detection to Catch What Slips Through
Even with rules and real-time network monitoring, things can get missed. Some users bypass controls. Some tools look harmless at first. That’s where anomaly detection comes in.
You need to catch what doesn’t look right.
Look for Unusual Behavior
Not every threat is loud. Sometimes the only sign is odd activity.
Here’s what to watch for:
- A user installs software outside business hours
- A new app sends traffic to strange IP addresses
- A program runs with admin rights it shouldn’t have
- An app installs and disappears quickly
These are signs of unauthorized software installations—or worse, malware.
Use the Tools You Already Have
Most systems already log useful data. You just need to connect the dots.
- SIEM tools like Splunk, Graylog, or Microsoft Sentinel
- EDR platforms that track process behavior and file access
- Log analyzers that flag suspicious install activity
You don’t need to build a full AI system. Just set alerts for things that look off.
Consider OSQuery and Fleet
These tools let you query devices like databases.
Ask questions like:
- What apps were installed in the last 24 hours?
- Which machines have Chrome extensions not on the approved list?
- Did anyone install software from outside the package manager?
This isn’t theory. It works. And it gives you real answers fast.
Take It Further with Machine Learning (If You’re Ready)
For large environments, ML can help detect subtle patterns humans miss.
- Use models trained on normal behavior
- Flag deviations in install patterns, access logs, or process trees
- Combine this with human review to avoid noise
But don’t start here. Start with logs and alerts. Then scale up.
Anomaly detection fills the gaps in your system. It finds the quiet problems, which are often the most dangerous.
Don’t wait for an alert. Start asking better questions. Let the data tell you when something’s wrong.
Step 5: Automate Alerts and Remediation
You can’t rely on people to manually check every alert. And by the time someone notices, it’s often too late.
Automation fixes that.
When an unauthorized software installation happens, your system should respond instantly, without waiting for human input.
Set Up Real-Time Alerts
Start simple. When new software is installed, trigger an alert.
- Send it to your IT team’s email.
- Post it in your security Slack channel.
- Create a ticket automatically in your helpdesk system.
Here’s what the alert should include:
- Device name
- Username
- Software name and version
- Time of installation
- Whether it’s authorized or not
Flag Unauthorized Installs Immediately
When the system spots unauthorized software, it should mark it clearly.
- Add it to a daily or weekly compliance report
- Update your software inventory
- Notify a manager if needed
Make sure the alert system connects back to your software inventory management platform. That’s how you keep everything in sync.
Automate the Fix If You Trust It
If your environment is locked down and your policies are solid, you can take the next step:
- Auto-uninstall blacklisted software
- Block the install path
- Disable the user account if the risk is high
- Quarantine the device from the network
These are serious actions. Don’t enable them unless you’ve tested them.
But when done right, they stop a small mistake from turning into a major incident.
Build a Simple Response Flow
Here’s a basic logic:
Software Detected → Check Against Whitelist →
Not Authorized? → Alert IT + Create Ticket →
Optional: Uninstall or Block Access
Keep it consistent. No guesswork.
Keep a Record
Every incident, whether it was resolved manually or automatically, should be logged.
- What happened
- When it happened
- How it was resolved
- Who was involved
This record proves you’re enforcing software compliance. And if you ever face an audit, it’ll save you.
If you’re still chasing down installs manually, you’re wasting time and taking risks. Automate what can be automated. Focus your people on the real problems.
Step 6: Keep Policy & Detection Sharp with Real Data
If you want to root out unauthorized software, you need real proof. Here are some hard facts that show why this matters and why hope isn’t a strategy.
Shadow SaaS & App Usage Are Out of Control
- 73% of security pros admit they used unapproved SaaS apps in the last year, despite knowing the risks.
- 64% of employees install apps without permission, causing blind spots and compliance risks
- 50% of organizations have had a security breach linked to shadow IT
That’s not a glitch, it’s the norm. When so much software runs without approval, software compliance efforts fail.
Shadow IT Raises the Stakes and the Costs
- Shadow IT makes breaches 16% more expensive on average
- Breaches involving unmanaged data, like untracked tools, cost $5.27 million on average
- Kenneth Verizon’s DBIR says 15% of breaches are related to software vulnerabilities and third-party installs
Ignoring unauthorized software installations isn’t saving money. It’s making your financial risk worse.
Why These Facts Related to Unauthorized Software Installations Matter
- Your company is likely not different.
- Employees are installing apps without telling IT.
- Those apps may store, share, or leak data.
- You’ll feel it in audit failings, license fines, or breach costs.
These stats show this isn’t a small IT hassle. It’s a business risk. If you want software compliance and safety, you need policies that use logs, automation, and real-time alerts.
And you need to act on them every single day.
Cross-Platform Tool Comparison Table
Tools help you detect unauthorized software. But no tool works unless it fits your setup. Here’s a side-by-side look at what’s available and how they stack up.
How to Choose the Right Tool
Here’s the simple rule: use the one that fits your environment.
- Managing mostly Apple devices? Go with Jamf or Munki.
- Want open-source flexibility? OSQuery and Fleet work across systems.
- Need enterprise-level software compliance with inventory controls? License Manager gives you that.
- Already using Microsoft tools? Netwrix fits right into Windows-heavy setups.
- Looking for broad visibility? Lansweeper offers detailed scans and reports.
But none of these replace the basics. You still need clear policies. You still need someone watching. The tools make it easier, but they don’t do the thinking for you.
Real-World Scenario: How One Finance Team Caught Unauthorized Remote Access Tools
A mid-sized finance company, with approximately 200 employees, noticed unusual login behavior. A user account was connecting outside regular hours, from an IP that wasn’t on their allowlist.
At first, IT thought it was just a VPN glitch. It wasn’t.
After checking the system logs, they found something worse: a copy of AnyDesk, a remote access tool, had been installed on three machines.
It wasn’t approved. It wasn’t even requested. And no one had reported it.
How They Caught It
Their detection system flagged the unauthorized software installation:
- The machines weren’t on the admin whitelist
- Event logs showed the app was installed using an employee’s credentials
- The tool wasn’t on the approved software list for the finance team
They didn’t get lucky. They had a working software inventory management system with alerts set up for unauthorized software installations. That’s what caught it.
What They Did Next
- Isolated the affected devices
- Disabled the user account pending investigation
- Triggered an audit on all other machines in the department
- Found that the same installer was downloaded from a free hosting site, clearly outside policy
- Used PowerShell to remotely uninstall the app across all machines where it was found
They also updated their software compliance policy to ban remote access tools unless requested in writing and reviewed by IT.
The Result
- No data was leaked
- No breach occurred
- But they stopped a hole that could have been used for credential theft, fraud, or worse
It took less than one hour from detection to remediation.
This is what a working system looks like. You don’t stop every threat by chance. You stop it because you’re watching and because you’ve built a process that catches what doesn’t belong.
Unauthorized software isn’t a theory. It’s already out there. The only question is whether you’re seeing it or not.
FAQs About Unauthorized Software Installations
What is unauthorized software?
Unauthorized software is any application installed without formal approval from your organization’s IT or security team. This includes cracked programs, unlicensed tools, and even legitimate apps that aren’t on the approved list. If it’s not part of your company’s official software inventory, it’s unauthorized.
How can I detect unauthorized software installations on Windows?
Start by monitoring Event ID 11707 using the Windows Event Viewer. This logs all MSI-based installations. Combine that with PowerShell scripts, WMI queries, or tools like SCCM or License Manager to detect new software and match it against your approved list.
How do I detect unauthorized software on macOS?
macOS doesn’t generate obvious install alerts, but you can:
- Track changes in the /Applications directory
- Review /var/log/install.log
- Use tools like Jamf or Munki to enforce policies and monitor activity
- Run scheduled scans using system_profiler or OSQuery
What’s the best way to monitor software on Linux systems?
Use auditd to watch for package installations via apt, yum, or dnf. Also monitor /var/log and journald entries. Pair this with OSQuery to run regular system queries and maintain a software inventory.
Why is software inventory management important?
Without a full and accurate inventory, you can’t detect what doesn’t belong. Inventory management helps you identify unauthorized software, ensure license compliance, and reduce the risk of breaches or audit failures.
What are Unauthorized Software Installation Detection Essentials [Final Checklist]
Use this checklist to make sure you’re covering the basics of detecting unauthorized software installations. If you can’t check off every item, you’re leaving gaps—and those gaps can cost you.
Software Inventory
- Do you maintain a complete software inventory across Windows, macOS, and Linux?
- Is your inventory updated automatically and regularly?
- Can you compare installed software against an approved list?
Policy Enforcement
- Do you have a written policy that defines authorized and unauthorized software?
- Is that policy shared with all employees?
- Do you enforce it through system tools or endpoint rules?
Real-Time Detection
- Are you monitoring installation logs and events (e.g., Event ID 11707 on Windows)?
- Do you use alerts to flag unauthorized software installations as they happen?
- Do your detection systems cover all platforms, not just Windows?
Automated Response
- Can your system automatically create tickets or send alerts when unauthorized software is found?
- Do you have scripts or tools to uninstall or quarantine apps quickly?
- Is there a process in place for escalations or repeated violations?
Regular Audits and Reviews
- Do you run monthly audits to detect changes in your software environment?
- Is there a quarterly review of the whitelist and blacklist?
- Are past violations tracked and reported?
Take Control with License Manager
If you’re serious about stopping unauthorized software installations, you need more than good intentions. You need visibility. You need automation. And you need enforcement that actually works.
That’s where License Manager helps.
