Explained

What Is an Application Catalog and How Does It Work?

An application catalog is a managed library of approved software IT uses to control what runs on devices, cut shadow IT, and support compliance audits.

Mountain landscape representing leadership perspective and vision
Written by
Trio Content Team
Published on
30 Sep 2025
Modified on
15 Apr 2026

Most IT managers don't go looking for an application catalog, they go looking for a way to stop finding unauthorized software on company devices. The problem shows up as a Slack message from legal, a surprise during an audit, or a help desk ticket about an app nobody approved. At some point, the question becomes structural: how do you control what's installed across a fleet of devices?

An application catalog is the structural answer. It's a centralized, IT-managed list of approved software that gets deployed to enrolled devices — not a browsable storefront, not a wish list, but an admin-controlled library where every entry has been reviewed before it's available.

The scale of the problem makes this non-negotiable. Shadow IT accounts for 52% of app portfolios at midsize and large companies, and 68% at smaller ones (Productiv, 2024). The average organization carries 142 unapproved apps. An application catalog doesn't restrict productivity — it makes the approved path easier than the unapproved one.

This guide covers the difference between an app catalog and an enterprise app store, how catalogs work across Windows, macOS, iOS, and Android, what actually belongs in one, how it supports compliance, and what tools IT teams use to manage this today.

TL;DR
  • An application catalog is a curated, IT-managed list of approved software deployed to devices — it's not a public app store, and users don't browse it freely.

  • Shadow IT accounts for 52–68% of app portfolios depending on company size; the average organization carries 142 unapproved apps and loses around $18M per year in wasted SaaS licenses.

  • Every major platform has its own catalog mechanism: Windows uses the Intune Enterprise App Catalog (Win32, requires Intune Suite); macOS uses ABM/VPP for App Store titles plus tools like Installomator for non-store apps; iOS uses ABM + VPP; Android uses Managed Google Play.

  • A catalog works best when paired with application whitelisting or blacklisting policies — without enforcement, determined users can still install software from the web.

  • What goes in the catalog matters as much as how you build it: separate mandatory apps (pushed on enrollment) from optional apps (available on request), and govern both tiers.

  • ABM/VPP tokens expire annually on Apple platforms — if the token lapses, catalog delivery to iOS and macOS devices stops with no warning to end users. Track the renewal date.

  • An application catalog creates audit evidence for SOC 2 access control requirements, GDPR software documentation obligations, and HIPAA application authorization controls.

What Is an Application Catalog?

If you're already running an MDM-enrolled device fleet and just need to know how to set up the catalog, skip ahead to How an Application Catalog Works Across Platforms.

An application catalog is a structured, admin-managed list of approved software that IT teams maintain, deploy, and update across enrolled devices. Every entry has been reviewed before it's made available — nothing reaches a device unless IT put it there.

The naming is inconsistent across the industry. "App catalog," "app catalogue" (the British spelling), "apps catalog," "enterprise app store," and "software catalog" appear interchangeably in vendor documentation and community discussions. For this article: an application catalog is the broader concept. An enterprise app store is one specific implementation — typically one that includes a self-service interface where employees can browse and request apps. Not all catalogs have a self-service layer.

Application Catalog vs. Public App Store

A public app store (Apple App Store, Google Play) lets any developer publish and any user install freely. An application catalog is the opposite: IT-curated only, with deployment controlled by admin push or optionally self-service within a pre-approved list.

One ITSM distinction worth knowing for larger teams: a service catalog (what IT supports and how users request it) is different from a software catalog (tracking license usage and deployments). They can coexist in the same platform, but they answer different questions.

Why Every Managed Fleet Eventually Needs One

Shadow IT makes up 52% of app portfolios at midsize and large companies (500+ employees). At companies under 500 employees, that number climbs to 68% (Productiv, 2024). The average organization carries 142 shadow IT apps. That's not a rounding error — it's most of the software stack.

Enterprises lose an average of $18 million annually in SaaS license waste, from a dataset of 30 million licenses and $34 billion in spend (Zylo 2024 SaaS Management Index). Without a structured approach to software usage tracking, IT has no baseline to work from — and no defensible record when a vendor audit arrives.

Shadow IT doesn't happen because employees are careless. 61% of employees aren't satisfied with the IT-provided tools available to them (Quandary, 2024), so they find their own. When the approved option is harder than the unapproved one, you've designed a system that creates shadow IT. The catalog inverts this by making the approved path the easiest one.

The risk goes beyond wasted spend. One-third of successful cyber attacks originate from shadow IT (Quandary, 2024). Unmanaged apps are an attack surface, not just an accounting problem.

One downstream consequence that often gets missed: when IT finally conducts a software audit after years without a catalog, the discovery process itself becomes a weeks-long project. There's no clean inventory to start from, and every finding triggers a new round of questions about who approved what and when. That's the situation a properly structured catalog — and an MDM platform that maintains software inventory automatically — is designed to prevent.

The most common reason shadow IT goes unaddressed isn't technical — it's that cleaning it up requires buy-in from managers whose teams are actively using the unapproved tools. That's an organizational bottleneck, not a platform one. The catalog helps because it changes what "easy" looks like for end users.

How an Application Catalog Works Across Platforms

An application catalog is not a single technology. It's a concept implemented differently on every major OS, with each platform providing its own distribution infrastructure and the MDM layer sitting on top to manage access and deployment. This is a core function of mobile application management — the MDM handles the delivery, the catalog defines what gets delivered.

Building the catalog is only half the work. For the application catalog to actually control what runs on devices, pair it with application whitelisting policies to define what's permitted. Use application blacklisting alongside it to block specific titles outright — without enforcement at the OS level, determined users can still sideload software from the web.

Windows — The Intune Enterprise App Catalog

The Microsoft Intune Enterprise App Catalog is a collection of prepackaged Win32 apps prepared by Microsoft for Intune deployment. When an admin adds an app from this catalog of apps, Intune auto-prefills all installation parameters: install commands, uninstall commands, return codes, and installation behavior. This eliminates manual packaging for covered titles.

Coverage is Windows-only. macOS apps in Intune require separate packaging workflows and are not part of this catalog. The Enterprise App Catalog was announced in October 2023 and became generally available in February 2024 as part of the Intune Suite. The June 2025 Intune update (2506) added new Enterprise App Catalog integration capabilities.

Troubleshooting: If Enterprise App Catalog apps aren't appearing in your Intune tenant, check whether your license includes the Intune Suite add-on or the standalone "Microsoft Intune Enterprise Application Management" SKU from admin.microsoft.com. Standard Intune does not include this feature — it requires an additional license, which is a consistent point of confusion in the admin community.

macOS — ABM, VPP, and the Installomator Layer

A macOS app catalog works in two layers. The first covers Mac App Store apps distributed via Apple Business Manager (ABM) and the Volume Purchase Program (VPP). The second covers non-App Store titles — which includes most professional tools: Adobe, Chrome, Slack, and similar apps that never went through App Store review.

For app catalog for macOS coverage beyond the App Store, Installomator is the widely used open-source solution. It has over 1,400 GitHub stars, 240 contributors, and reached V10.8 in March 2025. Some MDM vendors build Installomator directly into their catalog engine, handling the integration transparently. Experienced admins typically take a hybrid approach: MDM-native catalog for mainstream apps, Installomator for apps the catalog doesn't cover.

Operational gotcha: VPP tokens expire annually. When a token lapses, catalog delivery stops for all Apple devices with no warning to end users. The first sign is often a spike in help desk tickets from users who can't install apps they previously could. Track the renewal date and set a reminder 30 days out.

iOS — ABM + VPP App Distribution

iOS app distribution follows the same ABM + VPP model as macOS. When configured correctly, apps install silently — users never see App Store purchase prompts. VPP tracks license consumption automatically: when a device is unenrolled, the license is reclaimed and becomes available for the next user.

As of 2025, new VPP app assignments in Intune default to the "device" license type rather than "user." Existing assignments are unchanged, but admins setting up new VPP-linked catalogs in Intune should verify their intended license model before deployment.

Custom in-house apps distribute via Apple Business Manager using the organization's Enterprise distribution certificate — these never go through the public App Store review process.

Android — Managed Google Play

Android app catalog delivery runs through Managed Google Play, which functions as an enterprise application store scoped to the organization. Admins approve apps in the Managed Google Play console, and only those approved apps appear on enrolled devices. Users browse within that boundary — they can't install anything outside the approved list from the work profile.

Custom and private apps upload directly to Managed Google Play without public review. As of the June 2025 Android Enterprise Feature Drop, Managed Google Play now supports Android App Bundles (AAB) for private apps, which simplifies deployment and updates for custom or in-house applications.

Application Catalog Mechanisms by Platform

PlatformCatalog MechanismApp CoverageSelf-Service for Users?Key PrerequisitesGotcha to Know
WindowsIntune Enterprise App CatalogWin32 apps only; macOS apps need a separate workflowOptionally via Company PortalIntune Suite add-on or standalone Enterprise App Management SKUNot included in standard Intune — requires an additional license purchase
macOS (App Store apps)ABM + VPP via MDMAny paid or free Mac App Store titleAdmin push or optional user-initiated from MDMABM account + VPP token linked to MDMVPP token expires annually; a lapsed token stops all catalog delivery
macOS (non-App Store)Installomator or MDM vendor catalog engine400+ titles (varies by vendor)Admin push onlyMDM + Installomator integration (built in by some vendors)Apps not in any catalog require custom scripts
iOSABM + VPP via MDMApp Store + custom enterprise appsAdmin push (silent install)ABM account + VPP tokenSame token expiry risk as macOS; device vs. user license model matters in Intune
AndroidManaged Google PlayPublic Play Store + private/custom appsUser browses approved apps in Managed Google PlayMDM linked to Managed Google Play; Android Enterprise enrollmentAAB now supported for private apps (June 2025 Feature Drop)
LinuxVaries by distro and MDM; typically custom package deploymentDepends on MDM supportAdmin push onlyMDM with Linux support; .deb/.rpm packagingLeast standardized — coverage varies significantly by MDM vendor

What Actually Belongs in Your Application Catalog

Configuring the tool is the easy part. Deciding what goes in your application catalog is where most IT teams stall — because no vendor article tells you which apps to actually put in it, and no two organizations start from the same place.

The most useful framework is a two-tier structure. Deciding what goes in your app catalog gets simpler when you separate apps that everyone needs from apps that only some roles need.

Tier 1 — Mandatory apps (pushed automatically on enrollment):

  • Endpoint security and antivirus
  • VPN client
  • Corporate communication tools (email client, chat platform)
  • SSO client or identity provider agent
  • Department-specific line-of-business tools tied to the role

Tier 2 — Optional apps (available in the catalog, not auto-pushed):

  • Creative tools like Adobe or Figma — not every role needs them
  • Developer utilities — relevant for engineers, not for the whole company
  • Productivity add-ons users may request through IT

Three practical rules for deciding what belongs in either tier:

  • If IT supports it when it breaks, it belongs in the catalog.
  • If it touches company data, it belongs in the catalog — and may need a data classification review.
  • If employees are already installing it themselves, it belongs in the catalog so IT gains version control and visibility over it.

The bottleneck in building a catalog is rarely the tooling — it's getting department heads to agree on which apps are officially supported. That conversation needs to happen before you build the catalog structure, not after.

Should this app go in your catalog?

Does IT support it when it breaks? → Yes → Put it in the catalog (mandatory or optional depending on role coverage)

Does it touch company data? → Yes → Put it in the catalog and document the data classification

Are employees installing it themselves already? → Yes → Put it in the catalog to gain version control and visibility

Not sure? → Start with the apps IT is already receiving help desk tickets about — those are your first catalog entries.

When apps leave the catalog, treat it as a formal event. Follow software upgrade best practices when updating catalog entries. For deprecations, document the removal, notify affected users with a replacement option, and verify the app is removed from devices if it was auto-pushed.

As a minimum metadata standard for each catalog entry, admins who've built catalogs from scratch recommend tracking: app name, version, license type, owner or department, renewal date, and support contact. These are the fields you'll wish you tracked from day one when a vendor audit arrives.

Application Catalog and Compliance

An application catalog doesn't just keep software organized — it creates audit evidence. Three compliance frameworks connect directly to what a catalog produces.

SOC 2 (Type II): Access control and authorization controls are evaluated in SOC 2 Type II audits. An application catalog that enforces an approved software list creates documentation that only authorized applications are accessible to employees — directly supporting the availability and security criteria auditors examine.

GDPR: GDPR-regulated organizations must identify, protect, and document applications that handle EU personal data. A catalog with metadata tracking (app name, data classification, owner) makes GDPR-relevant software inventory possible and auditable. Without it, producing that documentation on demand is a manual, error-prone process.

HIPAA: HIPAA's access control standard (45 CFR § 164.312) requires organizations to restrict access to applications that handle healthcare data. A catalog that controls which health-data-touching apps are installed on enrolled devices supports this requirement with a verifiable deployment record.

License compliance: Software vendor audits from Microsoft, Adobe, and Oracle test whether deployed app counts match purchased licenses. A catalog with VPP/ABM license tracking on Apple devices, or software inventory on Windows and Android, creates a defensible record. Enterprises lose an average of $18 million annually in SaaS license waste (Zylo, 2024) — the catalog is also the cost control mechanism that prevents that loss from compounding year over year.

How Trio MDM Helps You Build and Manage an Application Catalog

For IT teams managing a mixed device fleet, getting the application catalog right requires a platform that handles deployment consistently across operating systems without requiring separate tooling for each one. Trio MDM's app management capability covers this through a combination of the Trio App Catalog and custom app deployment across all supported platforms.

The Trio App Catalog is a curated library of commonly used, regularly updated applications maintained by Trio MDM. It's available for macOS, Windows, and Linux devices. Admins push apps from this catalog directly to enrolled devices through Software Management — no repackaging required for covered titles. For iOS devices, Trio MDM supports App Store distribution and Enterprise App deployment.

For Android devices enrolled through Android Enterprise, Trio MDM supports app distribution via Managed Google Play. For devices enrolled via Basic RMM, custom APK deployment is available.

For apps outside the Trio App Catalog, admins upload custom files in the appropriate format for each platform:

  • macOS: .dmg and .app files
  • Windows: MSI (silent install) or EXE
  • iOS: Enterprise App distribution (via Apple's enterprise distribution certificate)
  • Android: APK files
  • Linux: .deb and .rpm files

For iOS and macOS, Trio MDM integrates with Apple's VPP (Volume Purchase Program) for app distribution. When connected, apps install silently on Apple devices and licenses are automatically allocated. On unenrollment, VPP licenses are reclaimed and made available for reassignment — no manual cleanup required.

Adding software to Trio MDM's software inventory is the required first step before deployment. This creates the foundational catalog structure and gives IT a baseline for software audits.

On the compliance side, Trio MDM supports the technical implementation layer of GDPR and HIPAA programs — covering cybersecurity controls within MDM scope. Trio MDM can sign a DPA for GDPR and a BAA for HIPAA, subject to a review of your organization's business type and scale. Non-technical framework requirements fall outside MDM scope and require separate program work.

Trio MDM starts at $5/device/month (Pro plan, iOS and Android). Ready to see how it works in your environment? Start your free trial or book a demo to walk through the setup with the Trio MDM team.

Ready-to-use Templates

Must-have Template Toolkit for IT Admins

Explore All
Template Toolkit

Start your free trial

No credit card required
Full access to all features

Get Ahead of the Curve

Every organization today needs a solution to automate time-consuming tasks and strengthen security. Without the right tools, manual processes drain resources and leave gaps in protection. Trio MDM is designed to solve this problem, automating key tasks, boosting security, and ensuring compliance with ease.

Don't let inefficiencies hold you back.

Every organization today needs a solution to automate time-consuming tasks and strengthen security. Without the right tools, manual processes drain resources and leave gaps in protection. Trio MDM is designed to solve this problem, automating key tasks, boosting security, and ensuring compliance with ease.

Smiling womanAbstract geometric patternAbstract geometric patternSmiling womanSmiling woman

Frequently Asked Questions (FAQ)

Have questions? We've got answers. This section covers some of the most commonly asked questions related to this topic.

A traditional software inventory lists all installed software but lacks user access controls or deployment capabilities. An Application Catalog centralizes approved apps with streamlined discovery, automated provisioning via UEM/MDM, and governance workflows, making it more user-friendly and secure.

Integration enables seamless, policy-driven app deployment, automatic updates, and real-time usage tracking. IT admins gain centralized control while end-users benefit from self-service app access without manual IT intervention, improving security and reducing operational overhead.

Yes. Modern Application Catalogs support role-based access controls and customized views, allowing IT to present relevant apps to specific departments, teams, or job functions, enhancing user experience and minimizing access risks.

Regular updates are crucial. Organizations should audit the catalog at least quarterly to remove obsolete apps, add new approved software, and adjust policies based on evolving security requirements and user feedback.

For MDM-enrolled devices, unenrolling the device removes MDM-managed apps. On Apple devices, VPP-licensed apps have their licenses automatically reclaimed on unenrollment, making them available for the next user. On Android, apps installed through the work profile are removed when the work profile is deleted. Personally owned apps outside the catalog are not affected by MDM unenrollment.

Custom and proprietary apps deploy via direct upload to the MDM. macOS uses .dmg or .app files, Windows uses MSI or EXE, iOS uses Enterprise App distribution, and Android uses APK sideloading. These apps require manual version management — no catalog auto-update mechanism covers them, so version drift becomes a maintenance responsibility.

Partially. Android Enterprise's work profile separates personal and corporate apps — only the work profile is MDM-managed, and the personal side is untouched. Apple's user enrollment for personal iOS devices allows MDM-managed work apps without accessing personal data or apps. Full catalog enforcement — mandatory app push and software inventory — typically applies only to supervised or fully enrolled corporate-owned devices.
What Is an Application Catalog and How Does It Work?