View and manage software installed on office terminals - Secure Access Service Edge

Software Management in SASE gives IT administrators centralized control over what runs on company office terminals. Use it to audit installed software across all endpoints, block unauthorized applications, distribute approved software from a curated library, and review employee requests for temporary access to restricted software.

Software statistics

The Software Statistics page shows all software installed across your company's office terminals in one view.

Log on to the Secure Access Service Edge (SASE) console.
In the left navigation pane, choose Terminal Management > Software Management.
On the Software Statistics tab, review the installed software across all terminals.
To see which terminals have a specific software installed, click the number in the Terminals Installed with Software column. The Installed Terminal Details panel opens with the full list.
To add software directly to the unauthorized software list, click Quick Import in the Actions column.

You can also view installed software per terminal by clicking Terminal Name on the device list page. For more information, see View the device list.

Disable software

Blocking unauthorized software prevents employees from running applications that don't meet your company's security or compliance requirements. SASE records every blocked attempt as a violation event, giving you an audit trail of policy enforcement.

The workflow is: add a software type → create the software entry → configure a blacklist policy.

SASE includes built-in application categories—instant messaging, cloud storage, cloud notes, and P2P download tools—that you can apply blacklist policies to directly.

Add a software type

Log on to the Secure Access Service Edge (SASE) console.
In the left navigation pane, choose Terminal Management > Software Management.
On the Software Blacklist tab, go to the Software Type section and click Add.
In the Add Software Type dialog box, enter a name and click OK. The name must be 1–128 characters and can include Chinese characters, letters, digits, hyphens (-), underscores (_), and periods (.). It must start with a Chinese character, letter, or digit. Example: Instant Messaging

Create software to be disabled

Click Create Software, then choose one of the following tabs:

Software List for Synchronization

Search for or select software from the list of software already detected on your terminals, then click OK to sync it into the blacklist.

Custom Software

Configure the following parameters and click OK.

Parameter	Description
Software name	1–128 characters; Chinese characters, letters, digits, hyphens (-), underscores (_), and periods (.). Must start with a Chinese character, letter, or digit.
Software type	Select from the drop-down list. Up to 10 types per software entry.
Terminal system	Select Windows or macOS, then specify the process name and installation directory. Each process name maps to one installation directory. Up to 20 entries.

Configure blacklist policies

If an employee needs to use unauthorized software temporarily, they can submit an application. See Review employee applications for how to handle these requests.

Click Blacklist Policy Settings, then on the Blacklist Policy Settings page click Create Policy. In the Create Policy panel, configure the following parameters and click OK.

Parameter	Description
Policy name	1–128 characters; Chinese characters, letters, digits, hyphens (-), underscores (_), and periods (.). Must start with a Chinese character, letter, or digit.
Action	Block Startup: prevents the software from launching. Prompt Only: allows it to run but shows a warning.
Applicable user	All Users or Certain Users (specify user groups).
Exception user	Users exempt from this policy. Separate multiple users with commas (,).
Blacklist software	Select software by By Name (up to 100 names) or By Type (up to 100 types).
Policy status	Enable or disable the policy.
Priority	0–99. A lower number means higher priority.
Approval process configuration	Specify whether employees can submit approval requests to use the software. If enabled, select an approval process. See Configure an approval process.
Prompt display configuration	The message shown when unauthorized software is blocked. Supports Chinese and English.

View violation events

The Software Blacklist tab shows:

A trend chart of Violation Events
The top 5 Unauthorized Software entries by number of violations
The top 5 Users in Violation by number of violations

To see the full list of unauthorized software and violating users, click Details.

More operations

View details of unauthorized software

On the Unauthorized Software page, find the software and click Details in the Actions column.

Edit unauthorized software

On the Unauthorized Software page, find the software and click Edit in the Actions column.

Delete unauthorized software

On the Unauthorized Software page, find the software and click Delete in the Actions column. After deletion, use of that software is no longer recorded as a violation.

Important

If unauthorized software is not being blocked, check that the Process Name in the Details panel is correct.
Before deleting unauthorized software, make sure no active policies reference it. Otherwise, the deletion fails.

Software library

The software library is a centralized repository for your company's approved software. Upload installation packages, configure visibility and installation verification settings, and then either let employees install software themselves from the SASE client, or push software to terminals automatically using Software Distribution.

Manage software

Go to the Software Library page.

Add software

Click Add Software. In the Add Software panel, configure the following parameters and click OK.

Parameter	Description
Software name	A custom display name for the software.
Software description	A description of the software.
Software category	Select an existing category or click Add Category to create one.
Upload logo	An icon for the software. Supported formats: PNG, JPG, JPEG, WEBP. Maximum size: 20 MB.
Visibility scope	Controls who can see this software in the SASE client: Specific User Group, Specific Device Tag, Specific Device, All Users, All Devices, or Not Configured (not visible in the client).
Installation check	Verifies whether software is successfully installed during distribution. If enabled, select at least one OS and provide the identifiers below. Windows: Software Full Name and English Name (see Obtain the full name of a Windows software and Obtain the full English name of a Windows software). Mac: Bundle ID (see Obtain the Bundle ID of a macOS application).

Edit software

Find the software and click View in the Actions column. In the panel, click Edit at the top.

Delete software

Find the software and click Delete in the Actions column, then follow the on-screen instructions.

Software with a Running Software Distribution task cannot be deleted. Stop the distribution task first.

Manage software versions

Go to the Software Library page, find the software, and click View in the Actions column.

Add a version

In the Version Information section, click Add Version.
In the Add Software Version dialog box, configure the following parameters and click OK.

Parameter	Description
Operating system	Windows, macOS(Apple), or macOS(Intel).
Software publisher	Local Upload: click Upload Local File to upload an installation package. Windows supports `.exe` and `.msi`. macOS supports `.dmg` and `.pkg`. Third-party Links: enter an external download URL.
MD5	The MD5 hash of the installation package, used to verify integrity. Generated automatically for local uploads.
Software version number	The specific version number.

Publish a version

Turn on the switch in the Status column for the target version. After publishing, employees with SASE client version 5.0 or later can view and install it by going to Settings > Tools > Software Library.

Distribute a version

Find the version and click Deploy in the Actions column. Fill in the distribution parameters (see Create a software distribution task) and click OK. The system automatically sends an installation command to SASE clients version 5.0 or later.

To monitor the task, go to the Software Distribution page.

Edit a version

Find the version and click Edit in the Actions column.

Delete a version

Find the version and click Delete in the Actions column.

Versions with a Running Software Distribution task cannot be deleted. Stop the distribution task first.

Software distribution

Software Distribution pushes installation packages from the software library to specified terminals running SASE client version 5.0 or later, which then install the software automatically. Configure the distribution time, scope, validity period, download speed limit, and retry policy to control how the rollout proceeds.

Important

Stopped distribution tasks cannot be restarted. To distribute software again after stopping a task, create a new distribution task.

Create a software distribution task

Go to the Software Distribution page and click Software Distribution.
In the Software Distribution dialog box, configure the following parameters and click OK.

Parameter	Description
Task name	A name for the distribution task.
Distribute software	The software to distribute, selected from the software library.
Distribution time	Deploy Now: starts immediately after the task is created. Specify Time: set one or more time windows. The task runs once and stops after the first successful completion—it does not repeat across subsequent windows.
Installation parameters	Any parameters required by the software installer.
Effective scope	The target terminals: Specific User Group, Specific Device Tag, Specific Device, All Users, or All Devices.
Validity period	Valid Days: 1–100 days. Indefinite: the task never expires.
Rate limit	Enable: set a maximum download speed for SASE clients (KB/s). Disable: no speed limit.
Distribution retry count	Number of automatic retries after a failed distribution. Range: 0–5.
Timeout	The timeout for task execution, in seconds. Range: 0–86400.

Stop a software distribution task

Go to the Software Distribution page, find the task, and stop it using one of these methods:

In the Actions column, click Stop and follow the on-screen instructions.
In the Actions column, click View. In the panel, click Stop Distribution / Installation and follow the on-screen instructions.

View the status of a software distribution task

Go to the Software Distribution page, find the task, and use the following options:

View distribution status

Check the Status column. Possible values: Pending, Running, Stopped.

View execution results

Hover over the Task Result column to see a breakdown by status: All, Pending, Running, Execution Successful, Execution Failed.

View complete task details

In the Actions column, click View. The panel shows the total number of target devices, status distribution, software installation status, and per-device details.

View terminal execution logs

In the Actions column, click View. Find the device record and click View Logs in the Actions column.

Download distribution records

In the Actions column, click View. In the panel, click Policy Export Tasks to download the detailed records.

Review employee applications

If an employee needs to use unauthorized software for a legitimate reason, they can submit an application. Review these applications on the User Application tab.

Log on to the Secure Access Service Edge (SASE) console.
In the left navigation pane, choose Terminal Management > Software Management.
On the User Application tab, find the application and select one of the following actions:

Action	Outcome
Allow	The employee can use the software for the specified period. Usage during this period is not recorded as a violation.
Reject	The employee cannot use the software. Any usage is recorded as a violation.

Appendix: Obtain unique software identifiers

Software identifiers are required when configuring Installation Check for software in the library. Use these identifiers so SASE can verify that software is actually installed on a terminal.

Obtain the full name of a Windows software

The full name uniquely identifies a Windows application and is a built-in system property. Use one of the following methods:

From Software Management in the SASE console (recommended)

Use this method if the software has already been detected on a terminal.

Go to the Software Statistics page, set Terminal Type to Windows, find the target software, and copy the name from the Software Name column.

From "Uninstall or change a program" in Windows

Use this method if the software has not yet been detected by SASE.

Open Uninstall or change a program in Windows.
Find the software name in the list.

Obtain the full English name of a Windows software

If your Windows display language is already English, the name obtained in the previous section is the English name. No additional steps are needed.

If Windows is not set to English, the name shown in Uninstall or change a program will be localized. To get the English name:

In Windows Settings, go to Time & Language.
In the Preferred languages section, add English (United Kingdom).
Install the language pack and set English (United Kingdom) as your Windows display language.
Open Uninstall or change a program in Windows.
Find the software name in the list—it now appears in English.

Obtain the Bundle ID of a macOS application

The Bundle ID uniquely identifies a macOS application and is a built-in system property. Use one of the following methods:

From Software Management in the SASE console (recommended)

Use this method if the software has already been detected on a terminal.

Go to the Software Statistics page, set Terminal Type to macOS, and find the target software.
Click the number in the Terminals Installed with Software column. In the Installed Terminal Details panel, find the bundleId value in the list.

The Bundle ID may differ depending on the installation channel (for example, App Store vs. direct download). If you're unsure which channel was used, you can add multiple Bundle IDs when configuring the software.

To find the Bundle ID for a specific terminal and user, query by that terminal in the panel.

From the macOS terminal

Use this method if the software has not yet been detected by SASE.

Open the Terminal application on macOS.
Run the following command, replacing the path with your application's path:
```
codesign -dvvv /Applications/DingTalk.app
```
In the output, the value of the Identifier field is the Bundle ID.