
Shadow IT on the Endpoint: Managing Unauthorized Software Like the 'Notepad++ for Mac' Fiasco

AlertMonitor Team
May 4, 2026

The recent news about the Notepad++ developer threatening legal action against a third-party macOS port highlights a pervasive issue in IT operations: users will do whatever it takes to use the tools they want, regardless of policy or platform.

While Don Ho is busy protecting his trademark, IT managers and MSP technicians are left dealing with the fallout. When a developer ports a Windows-only utility to macOS without official support, users inevitably install it. This introduces unsigned binaries, potential security vulnerabilities, and licensing liabilities into your environment. If your monitoring stack doesn't see it, and your RMM can't manage it, you are flying blind.

The Problem: The 'Wild West' of End-User Computing

For internal IT departments and MSPs, the "Notepad++ for Mac" scenario is a microcosm of a larger operational headache known as Shadow IT.

The Siloed Tool Trap

Most IT environments suffer from fragmentation. You might have a robust RMM for your Windows fleet, but what about the Macs? Or perhaps your network monitoring alerts you to bandwidth usage, but it doesn't tell you which unauthorized application is hogging it.

Common gaps include:

  • Incomplete Asset Visibility: Traditional RMMs often treat macOS as a second-class citizen or require a separate agent/portal. When a user installs a rogue app like an unofficial Notepad++ port, it doesn't show up in your standard software inventory reports.
  • Disconnected Remediation: You see an alert (or worse, a user submits a ticket) about a glitchy app. To fix it, you have to RDP into the machine, or worse, physically walk over to the user's desk because your remote control tool is separate from your monitoring console.
  • The "Who Installed This?" Loop: When software crashes, the helpdesk wastes time investigating whether it's a sanctioned update or a user-installed experiment. Without a unified timeline of software installations linked to monitoring events, this takes hours.

Real-World Impact

The cost isn't just theoretical. An unauthorized port often lacks the security scrutiny of the official release. If that specific piece of software becomes a vector for malware, your traditional siloed tools won't correlate the event. Your antivirus might flag the file, but your RMM won't automatically uninstall it across the affected group.

For an MSP managing 50 clients, this is a reputation killer. You promise security, but you can't control what software runs on the endpoints you manage.

How AlertMonitor Solves This

AlertMonitor’s architecture is built specifically to eliminate the gap between detecting an issue and remediating it. We don't just monitor; we manage.

Unified Visibility Across OS Types

Whether the endpoint is running Windows Server or macOS, AlertMonitor ingests data into a single NOC dashboard. When a user installs that unauthorized Notepad++ port, AlertMonitor's software inventory module detects the new application immediately. It doesn't matter if it's a standard .exe or a homebrewed .app wrapping a Windows binary—we see it.

Integrated RMM and Scripting

This is where the speed happens. In a traditional stack, you would:

  1. Receive a ticket about a weird app.
  2. Log into the RMM.
  3. Search for the machine.
  4. Remote control in.
  5. Manually uninstall.

With AlertMonitor, the workflow is:

  1. Alert: AlertMonitor flags "Unauthorized Software Detected: Notepad++ (Unofficial Port)" on a MacBook in the Finance department.
  2. One-Click Remediation: From the exact same alert timeline, you click "Run Script." You don't switch tabs. You don't open a VPN.
  3. Execution: AlertMonitor’s agent executes a removal script on the target macOS device immediately.
  4. Verification: The script output is fed back into the timeline. The alert auto-resolves.

Script Results in Context

Because AlertMonitor combines monitoring with RMM, the result of your uninstall script becomes part of the device's permanent history. You don't just have a "resolved" ticket; you have a log showing that on Tuesday at 2 PM, the rogue package was removed, and the system service was restarted.

Practical Steps: Automating Software Compliance

Don't wait for a trademark dispute to remind you to audit your endpoints. You can use AlertMonitor's integrated scripting engine to scan for and remove unauthorized software today.

Step 1: Audit for the Rogue App (macOS)

Use this Bash script in AlertMonitor to scan your macOS endpoints for common locations where users might drop unauthorized apps. It checks /Applications and each user's ~/Applications folder for a bundle named "Notepad++.app"; it matches on the name only and does not inspect code signatures.

Bash / Shell
#!/bin/bash
# AlertMonitor Script: Check for Unauthorized macOS Apps

TARGET_APP="Notepad++"
FOUND=0

# Check main Applications folder
if [ -d "/Applications/$TARGET_APP.app" ]; then
    echo "[ALERT] Found $TARGET_APP in /Applications"
    FOUND=1
fi

# Check user-specific Applications folders (common for non-admin installs)
for user_home in /Users/*; do
    if [ -d "$user_home/Applications/$TARGET_APP.app" ]; then
        echo "[ALERT] Found $TARGET_APP in $user_home/Applications"
        FOUND=1
    fi
done

# Exit 0 when clean, 1 when the app was found
if [ "$FOUND" -eq 0 ]; then
    echo "[OK] No unauthorized software detected."
    exit 0
else
    exit 1
fi
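
The Step 1 script matches on the bundle's folder name, which a user can change. As an added example (not AlertMonitor's or this article's own code), the audit below compares each bundle's CFBundleIdentifier against an allowlist instead; the bundle IDs, the allowlist file format and the function names are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not AlertMonitor's script: audit .app bundles by CFBundleIdentifier
# against an allowlist file (one approved ID per line). ROOT is "/" on a real Mac.
# Print a bundle's CFBundleIdentifier, or nothing if it cannot be read.
bundle_id() {
    local plist="$1/Contents/Info.plist" out
    [ -f "$plist" ] || return 0
    if [ -x /usr/libexec/PlistBuddy ]; then
        out=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleIdentifier' "$plist" 2>/dev/null) \
            && printf '%s\n' "$out"
    else
        # Fallback for XML plists with key and value on separate lines.
        awk '/<key>CFBundleIdentifier<\/key>/ { want = 1; next }
             want && /<string>/ { gsub(/.*<string>|<\/string>.*/, ""); print; exit }' "$plist"
    fi
    return 0
}

# audit_apps ROOT ALLOWLIST: prints "UNAUTHORIZED<TAB>id<TAB>path" per finding, returns 1 if any.
audit_apps() {
    local root="${1%/}" allow="$2" rc=0 app id
    for app in "$root"/Applications/*.app "$root"/Users/*/Applications/*.app; do
        [ -d "$app" ] || continue
        id=$(bundle_id "$app")
        [ -n "$id" ] || id="(unreadable)"
        if ! grep -Fxq -- "$id" "$allow"; then
            printf 'UNAUTHORIZED\t%s\t%s\n' "$id" "$app"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample tree: one approved app, one renamed unapproved app in a user folder.
make_sample() {
    local root="$1" spec dir
    for spec in "Applications/Editor.app|com.example.approved-editor" \
                "Users/alice/Applications/Notes.app|org.example.unofficial-port"; do
        dir="$root/${spec%%|*}/Contents"
        mkdir -p "$dir"
        printf '<plist><dict>\n<key>CFBundleIdentifier</key>\n<string>%s</string>\n</dict></plist>\n' \
            "${spec#*|}" > "$dir/Info.plist"
    done
    printf 'com.example.approved-editor\n' > "$root/allowlist.txt"
}

demo=$(mktemp -d) && make_sample "$demo"
audit_apps "$demo" "$demo/allowlist.txt" || echo "[ALERT] unapproved bundles present"
rm -rf "$demo"
```

The bundle ID is self-declared in Info.plist, so treat it as an inventory key and verify signatures separately with `codesign --verify`.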

Step 2: Enforce Removal (Windows)

If the Shadow IT issue is on your Windows side—for example, users installing portable versions of apps or unauthorized utilities—you can use PowerShell to find and remove them.

PowerShell
# AlertMonitor Script: Remove specific unauthorized software

$UnauthorizedProcesses = @("notepad++.port.exe", "unauthorized_tool.exe")

foreach ($Proc in $UnauthorizedProcesses) {
    # Get-Process and Stop-Process match the process name without the .exe extension
    $ProcName = [System.IO.Path]::GetFileNameWithoutExtension($Proc)

    # Check if process is running
    $Running = Get-Process -Name $ProcName -ErrorAction SilentlyContinue

    if ($Running) {
        Write-Host "Stopping unauthorized process: $Proc"
        $Running | Stop-Process -Force
    }

    # Check common install paths (User profile and Program Files)
    # Note: $env:LOCALAPPDATA resolves to the profile of the account running the script
    $Paths = @(
        "$env:LOCALAPPDATA\$Proc",
        "C:\Program Files\$Proc",
        "C:\Program Files (x86)\$Proc"
    )

    foreach ($Path in $Paths) {
        # -LiteralPath avoids wildcard interpretation of characters in the path
        if (Test-Path -LiteralPath $Path) {
            Write-Host "Removing unauthorized files at: $Path"
            Remove-Item -LiteralPath $Path -Recurse -Force
        }
    }
}

Write-Host "Remediation complete."

By deploying these scripts via AlertMonitor’s Group Policy management, you turn a reactive legal headache into a proactive, automated hygiene task. Your team stops playing "whack-a-mole" with user-installed apps and gets back to strategic initiatives.
