Hi @farhan.

Basically, sanctioned/unsanctioned relates to SaaS apps that would have allowed access, according to corporate security policies. The point here is to "tag" apps as Unsanctioned, and that later could be blocked using Netskope, for instance.

Managed apps is a term we use to refer to apps that are not only allowed access, but also the organization has administrative responsibilities. MS 365 (OneDrive...) and Google Workspace (Drive, Docs, ...) are clear examples of those. Also, they can be monitored by Netskope using API (CASB API), for data-at-rest visibility/control use cases.

Please let me know if it's clear now.

Hi @msouza Thanks for your reply.  So please correct me if i m wrong now As per your definition of sanctioned and unsanctioned and Managed Unmanaged.

I understand that the sanctioned application are those which is used by there organization.

For example : My organization used O365 suite so One drive Teams Sharepoint outlook all the apps of O365 is under sanctioned application while Gsuite will be tagged as unsanctioned application in my org as we are using o365 suite already.

Managed app are like O365 GSUITE SALESFORCE SLACK etc

Unmanaged app are like Zippy anydesk teamviewer Wetransfer etc

Using you example:

• The corporate instances of MS O365 apps (Sharepoint, Onedrive, ...) would have to be identified, and those would be your "sanctioned" MS O365 apps. Why is that? Because personal instances of Onedrive, for example, would probably not be allowed (these would be "unsanctioned"). But for the purpose of creating Netskope NGSWG policies (real-time policies), you would then focus on the instance identification itself (again, allowing corporate instances and probably blocking or alerting the user when "non-identified" / personal instances of MS O365 apps are used).


• GSuite would be "unsanctioned" and you would probably create policies to alert/block, since the organization already has O365 as the "official/sanctioned" productivity suite.


• O365, Gsuite, Salesforce, Slack would be examples of "managed" apps. Let's say this term only matters when we are talking about CASB API. Basically, since they are "managed" (in other words, you have a coporate instance of those apps and you can manage them), and since they are supported by Netskope CASB through API, you could leverage our CASB API-enabled Protection over them.


• Apps like Zippy, Anydesk, Teamviewer, Wetransfer, if not allowed by corporate policies (probably not), would be considered unsanctioned. They could be categorized as unmanaged, yes, but let's say that such term only matters for CASB API purposes, to make things simpler.

Okay i understand i will block the personal instance of O365 by real time policies but as per my understanding I gave you the example of this like 0365 and Gsuite of sanctioned and Unsanctioned coz people are misunderstanding as they believe sanctioned apps are managed apps which kind of right but also sanctioned are those who are trusted by organisation so i came.up with this example of 0365 and Gsuite to understand the sanctioned and Unsanctioned thankyou for you precious time .