Combatting enterprise app sprawl on desktop systems

Application sprawl on enterprise desktops creates security, compliance and cost risks. Learn how to inventory, rationalize and control endpoint apps with effective governance.

Desktop systems can quickly become cluttered with unmanaged applications. These often come from user downloads, vendor-installed programs and OS add-ons, as well as tools IT installs to meet nonstandard requirements. Over time, this sprawl can affect security, performance and IT efficiency.

Application sprawl at the desktop level introduces measurable security risk and control challenges that differ from SaaS sprawl. This article explores how endpoint-level sprawl emerges and the steps organizations can take to control it.

What is app sprawl?

App sprawl is the proliferation of locally installed programs, unmanaged executables, redundant utilities, scripts, browser extensions and other applications with no governance and, in all likelihood, no patching mechanism. It is a symptom of decentralized application installation, local administrative accounts and privileges, shadow IT behaviors and poor inventory management. It is also a serious concern for enterprise desktops.

It can be common in smaller or hybrid work environments, BYOD scenarios and settings with third-party or contractor support systems. However, large enterprises are not immune to the problem. Recognizing and addressing app sprawl is critical to streamlining processes and improving a company's overall security stance.

How does desktop sprawl hurt enterprise operations?

The effect of app sprawl on enterprise operations absolutely justifies attention. Today's IT leaders worry about security, compliance, return on investment (ROI) and performance. App sprawl is more than just an inconvenience. It has a wide-ranging effect that can potentially expose the organization to significant damage.

Major downsides include the following:

  • System performance and reliability. Applications, especially those that launch at system startup, affect system performance and consume resources that are better dedicated to valid business workflows.
  • Security exposure. Unpatched apps, insecure browser extensions and unknown applications can lead to vulnerabilities and exploitation.
  • Compliance. Unknown apps installed on local endpoints could violate compliance requirements without the IT team even knowing that they are present.
  • Administrative overhead. Unknown apps impose a larger support effort and make troubleshooting more complex.
  • Costs. Application licensing could be more expensive, support costs might rise and the ROI for the hardware could be reduced. Some users might request employee training on apps the organization does not normally support.

One of the most serious concerns is that unmanaged applications might not be properly patched or updated, leaving critical security flaws unaddressed and creating gaping security holes that weaken an organization's defenses. This lack of management could also leave the organization non-compliant with industry or government requirements.

App sprawl is a barrier to standardization, modernization and automation that IT leaders cannot ignore.

Establish an application governance loop

Addressing app sprawl is relatively straightforward. Organizations can begin by establishing a governance loop that aligns applications with the organization's standards, security stance and compliance requirements.

The loop consists of: Inventory > Rationalize > Enforce > Monitor.

Step 1: Inventory

The goal here is to establish a complete view of endpoint apps.

  • Use automated discovery and inventory tools for efficiency.
  • Include scripts and browser extensions.
  • Use a tagging system to identify business-critical, allowed and disallowed apps.

Step 2: Rationalize allowed and disallowed applications

Understand why the apps found in the inventory exist. Interview employees to see what apps they really use and how. Look for redundancies or applications that users no longer need.

  • Standardize the app catalog and remove redundancies.
  • Assess the risks of each app and establish its update requirements.
  • Map apps to business needs and licensing options.

Step 3: Create and enforce policies

Establish desktop control policies and enforcement mechanisms. These can include the following Microsoft tools and administrative actions:

  • Active Directory Group Policy, AppLocker and Windows Defender Application Control to restrict unauthorized applications.
  • Intune App Protection Policies to enforce data and app-level controls.
  • A distribution portal for approved software installs.
  • Removal of local administrator rights from standard users to eliminate unauthorized changes.

Step 4: Continuous monitoring

Monitoring is crucial, or the organization will slowly slide back into old habits. It is important to watch out for the following activities:

  • Configuration drift.
  • Unauthorized installations, both failed and successful.
  • Browser extension installations.
  • Gaps in app updates.

Strive for continuous improvement by evaluating incidents and modifying rationalization and enforcement policies.
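The following PowerShell script is an added example, not code from the original article, showing how the inventory and monitoring steps of the loop can be automated on a single Windows endpoint: it reads installed applications from the Windows uninstall registry keys, lists Chromium-based browser extensions for the current user, tags each item against an allowlist (the allowlist entries, the baseline path and the export path are constructed placeholders) and reports drift against a saved baseline so that unauthorized installations and update gaps surface between runs. Enforcement (AppLocker, WDAC, Intune) is configured separately and is not part of this script.

```powershell
# Added example (not from the original article): inventory apps and browser
# extensions on a Windows endpoint, tag them against an allowlist and report
# drift against a saved baseline. Allowlist and paths are constructed placeholders.

# Registry locations where installers register entries for Add/Remove Programs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'   # per-user installs
)

# Chromium-based browser extension folders for the current user profile.
$ExtensionRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
)

# Constructed allowlist: names here are tagged 'Allowed'; everything else is 'Review'.
$Allowed = @('Microsoft Edge', 'Microsoft 365 Apps for enterprise', 'Example VPN Client')

function Get-InstalledApps {
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName) {
                [pscustomobject]@{
                    Type    = 'App'
                    Name    = $p.DisplayName
                    Version = $p.DisplayVersion
                    Scope   = if ($key -like 'HKCU:*') { 'User' } else { 'Machine' }
                    Source  = $_.PSPath
                }
            }
        }
    }
}

function Get-BrowserExtensions {
    foreach ($root in $ExtensionRoots) {
        if (-not (Test-Path $root)) { continue }
        # Each extension ID folder holds one or more version folders with a manifest.json.
        Get-ChildItem $root -Directory | ForEach-Object {
            $name = $_.Name   # fall back to the extension ID if the manifest is unreadable
            $version = $null
            $manifest = Get-ChildItem $_.FullName -Recurse -Filter manifest.json | Select-Object -First 1
            if ($manifest) {
                $json = Get-Content $manifest.FullName -Raw | ConvertFrom-Json
                $version = $json.version
                # Localized names appear as __MSG_* keys; keep the ID in that case.
                if ($json.name -and $json.name -notlike '__MSG_*') { $name = $json.name }
            }
            [pscustomobject]@{ Type = 'Extension'; Name = $name; Version = $version; Scope = 'User'; Source = $_.FullName }
        }
    }
}

function Add-GovernanceTag {
    param([Parameter(ValueFromPipeline)] $Item)
    process {
        $tag = if ($Allowed -contains $Item.Name) { 'Allowed' } else { 'Review' }
        $Item | Add-Member -NotePropertyName Tag -NotePropertyValue $tag -PassThru
    }
}

function Compare-ToBaseline {
    param([string]$BaselinePath, [object[]]$Current)
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    if (-not (Test-Path $BaselinePath)) {
        # First run: record the baseline and report no drift.
        $Current | ConvertTo-Json -Depth 3 | Set-Content $BaselinePath
        return @()
    }
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    # Any Name/Version pair present on one side only is drift: a new or updated
    # item ('=>') or something removed or downgraded ('<=').
    Compare-Object -ReferenceObject $baseline -DifferenceObject $Current -Property Name, Version |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'Added/Updated' } else { 'Removed/Downgraded' }
            [pscustomobject]@{ Name = $_.Name; Version = $_.Version; Change = $change }
        }
}

$inventory = @(Get-InstalledApps) + @(Get-BrowserExtensions) | Add-GovernanceTag
$inventory | Export-Csv "$env:TEMP\endpoint-inventory.csv" -NoTypeInformation   # constructed export path

# Items that need a rationalization decision.
$inventory | Where-Object Tag -eq 'Review' | Format-Table Type, Name, Version, Scope

# Drift since the last run (empty on the first run, when the baseline is written).
Compare-ToBaseline -BaselinePath "$env:ProgramData\AppGovernance\baseline.json" -Current $inventory | Format-Table
```

Run it under a standard user account first to see the per-user (HKCU and browser profile) entries that machine-wide inventory tools often miss; the 'Review' list feeds the rationalization step, and scheduling the script to run periodically turns the baseline comparison into the drift and unauthorized-installation monitoring described in Step 4.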

Best practices to address application sprawl

Successfully eliminating app sprawl relies on executive leadership and a cohesive vision. It also requires organizational discipline. Use the following best practices to address app sprawl successfully:

  • Treat desktop application governance as a core security and operational directive.
  • Connect desktop app management to other security and operational workflows, like zero-trust, the principle of least privilege (POLP) and baseline security configurations.
  • Ensure IT has the necessary mandate, tools and cross-functional backing to control the desktop environment. Provide employee training on application governance to help users better understand the situation.

One common area of pushback relates to laptop users and local administrator accounts. Modern OSes typically do not require local administrative privileges for traveling business users. Adhere carefully to the POLP. Only permit users to install software or exercise other admin privileges when absolutely necessary.

Combatting app sprawl on desktop systems is critical to security and operational efficiency. Start by inventorying existing applications -- most organizations are surprised by the number of unmanaged apps.

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.
