Changelog

What Changed

Navigation reduced from 3 clicks to 0–1 — The browser extension now opens directly to the app page instead of requiring users to click through multiple menus.

New Behavior

• Recognized domain — When you're on a website that maps to a known Shadow IT app, the extension opens directly to that app's Overview page with zero extra clicks.

• Unrecognized domain — The extension opens to an All Applications view where selecting an app takes just 1 click.

• Top-level tab navigation — The old "Back to menu" flow has been removed and replaced with persistent top-level tabs: "Shadow IT Apps" and "Employee".

  

• Search from main view — Users can search and switch between apps directly from the landing view without navigating through the old multi-step menu flow.

UI Updates

• Overview as default landing page — The Shadow IT Apps Overview page is now the default view when admins open the extension.

• Compacted navigation — The main page navigation has been streamlined for a cleaner, more focused experience.

• Employee tab — Employee list is now accessible via a top-level tab alongside Shadow IT Apps.

We've completely redesigned the main dashboard with a modern, consistent UI built on ShadCN components.

What's New

• KPI Widgets — Employees, Devices, and MDM Coverage are now displayed as clean KPI cards with absolute weekly increments (e.g., +5 this week) instead of percentage trends, making changes easier to understand at a glance.

• Device Platform Distribution — Replaced the old pie chart with a mixed bar chart for clearer platform comparisons.

• Risk Score by App — Now shows a multi-app item-based list with risk scores and descriptions, replacing the single-app gauge chart.

• Recent Account Signups — Switched from a table layout to a feed-style component for easier scanning.

• Application Categories — Renamed from "All Applications," now includes a description and weekly growth indicators per category.

• Chart & Info Tooltips — All charts and info icons now use standardized ShadCN tooltips for a consistent hover experience.

• Dropdowns — Enrollment Guides and the Device Added vs. Compliant Status time range selector now use ShadCN Select components.

Removed

• Compliance Controls Achieved widget — removed as it was always zero when fully compliant.

• Shadow IT Needs Review widget — now covered in the dedicated Shadow IT Insights dashboard.

Improvements

• Loading states — Skeleton loaders per widget instead of blank screens while data loads.

• Empty states — Friendly messaging for first-time users or when no data is available.

• Responsive design — Optimized layouts for desktop, tablet, and mobile with no breakage.

• Accessibility — Full keyboard navigation, visible focus states, WCAG AA contrast compliance, and non-color status indicators.

We've added the ability to automatically provision a default device account on macOS devices enrolled through Apple's Automated Device Enrollment (ADE).

What's New

• Account Setup in Device Enrollment Settings — A new "Account Setup for macOS" section is available under Settings > General > Device Enrollment Configuration. Admins can enable or disable automatic account provisioning with a simple toggle.

• Default Account Configuration — When enabled, admins can set a default username and password that will be automatically applied to ADE-enrolled devices. The permission level is fixed to Admin (read-only).

• Password Policy Detection — If an Apple password policy exists for the team, an informational alert is displayed below the password fields so admins are aware of the active requirements before saving.

• Validation & Error Handling — The form validates for empty usernames, empty passwords, and password mismatches, with clear error messages and toast notifications.

• Unsaved Changes Indicator — An "Unsaved changes" badge appears when inputs are modified, along with a Save Changes button to confirm updates.

How to Use

Navigate to Settings > General > Device Enrollment Configuration, enable the Account Provisioning toggle, fill in the desired username and password, and click Save Changes. Your team must have Apple Business Manager (ABM) linked for this feature to be available.

For more details, see the help article.

Admins can now add custom company resources — such as support portals, employee handbooks, internal wikis, and more — directly into the Swif desktop app.

What's new:

• A new Learn / Resources section in the desktop app displays company-specific resource links configured by your admin under Workspace Settings.

• When custom resources are configured, they replace the default Swif content (Newsletter, Blogs, Podcasts), giving employees a fully branded experience.

• If no custom resources are configured, the default Swif resources continue to appear.

Availability: macOS, Windows, and Linux.

Learn more: Managing Swif's Desktop App UI and Company Resources

Platforms: macOS, Windows, Linux (when allowed in policy)
Docs: Temporary Admin Elevation | Help Center | Swif.ai
We’ve added a new end‑user flow in the Swif DeskApp that lets eligible users temporarily elevate themselves to local admin on their own device, based on the Temporary Admin Access policy configured in the Swif web app.

What’s new for end users

When Temporary Admin Access is enabled and the device/user is in scope:

• New “Request temporary admin access” entry point in DeskApp

  • Appears on supported devices and OSes (macOS / Windows / Linux as allowed in policy).

  • Explains that admin access will be temporary and controlled by IT.

• Request Admin Access modal

  • Users can:

    • See how long the admin session can last (per your policy).

    • Enter a reason for elevation (e.g., “Install Xcode”, “Update Docker CLI”).

  • The app validates required fields and shows clear inline errors if anything is missing.

  • On confirmation, the device enters elevated mode for the configured session duration.

• Active elevated session view

  • When elevation is active, DeskApp clearly shows:

    • That the user is currently an elevated admin on that device.

    • A countdown timer for remaining admin time (auto‑updates during the session).

    • A primary action: End admin access now to drop back to a standard user at any time.

  • When the session ends (time‑out or ended early), local admin rights are automatically revoked and the UI returns to the non‑elevated state.

• Guardrails & messaging

  • If elevation isn’t available (feature disabled, device out of scope, OS not supported, limits hit, cooldown active, etc.), DeskApp shows a clear explanation rather than offering the request option.

  • The backend enforces your configured rules (session duration, per‑day limits, cooldowns, etc.), and DeskApp surfaces friendly error messages when a limit is reached.

What’s new for admins

These changes work together with the existing Temporary Admin Elevation configuration and logs in the Swif web app:

• Configuration lives in the web app

  • Configure under Settings → Local Account Controls → Temporary Admin Access:

    • Enable/disable Temporary Admin Access.

    • Scope to all devices or selected device groups.

    • Choose supported OSes (macOS / Windows / Linux).

    • Set max session duration, session frequency limits, and cooldowns.

• Device‑level elevation history

  • Each elevation session from DeskApp is recorded and visible under:

    • Devices → [Device] → Device Details → Accounts → Temporary Admin Access log

  • For each session you can see:

    • Status (Active / Ended / Canceled / Failed).

    • Local account that was elevated.

    • Reason, start time, end time, and total duration.

    • Time remaining and an End admin access now control for active sessions.

For a full overview of configuration, user flows, guardrails, and logs, see:
Temporary Admin Elevation | Help Center | Swif.ai

We’ve released three related capabilities in Swif’s browser extension and admin console to help security and IT teams monitor sensitive activity and control risky file uploads—without disrupting employees’ normal workflows.

This update introduces:

1. PII Tracking in Swif’s Browser Extension
   PII Tracking in Swif’s Browser Extension | Help Center | Swif.ai

2. Sensitive App Prolonged Activity Tracking
   Sensitive App Prolonged Activity Tracking in Swif’s Browser Extension | Help Center | Swif.ai

3. File Upload Restriction in Swif’s Browser Extension
   File Upload Restriction in Swif’s Browser Extension | Help Center | Swif.ai

1. PII Tracking in Swif’s Browser Extension

Swif can now detect and track Personally Identifiable Information (PII) activity in AI tools and web apps, using admin-defined rules.

What’s new

• Team‑level PII tracking rules in the Swif admin console:

  • Configure under Settings → Teams → Shadow IT → PII Tracking.

  • Target specific user groups (e.g., Engineering, Finance, All employees).

  • Scope which apps/domains are monitored (e.g., ChatGPT, Gemini, internal AI tools).

  • Choose whether to monitor prompts, file uploads, or both.

• Silent PII detection in the browser extension on MDM‑managed devices:

  • Monitors prompt submissions and file uploads on in‑scope apps.

  • Reports PII events to Swif for analysis and storage.

  • No pop‑ups or banners shown to end users for PII detection itself.

• PII reporting dashboards:

  • Org‑level and team‑level counts of PII events.

  • Employee PII event detail reports with:

    • Counts of prompt vs upload events.

    • App / rule context.

    • Redacted snippets by default (e.g. <EMAIL_ADDRESS>, <PERSON>).

    • Optional “revealed” view for privileged admins.

Why it matters

• Gives security and compliance teams visibility into where and how PII is flowing into AI tools and SaaS apps.

• Uses a privacy‑first model (local‑first detection, redaction, and strict role‑based access) so admins get context without broadly exposing raw PII.

Full details:
PII Tracking in Swif’s Browser Extension | Help Center | Swif.ai

2. Sensitive App Prolonged Activity Tracking

A new Sensitive App Prolonged Activity capability tracks when users spend extended time on high‑risk apps or domains you define as sensitive.

What’s new

• Sensitive App Monitoring rules at the team level:

  • Configure under Settings → Teams → Sensitive App Monitoring.

  • Define:

    • User groups the rule applies to.

    • Sensitive domains (manual entry or uploaded domain lists).

  • Rules can be created, edited, disabled, or deleted by admins.

• Prolonged activity detection in the extension:

  • Runs on Swif MDM‑enrolled devices.

  • Detects sessions per device + domain + browser tab.

  • Marks a session as “prolonged” once it passes a defined time threshold.

  • Reports:

    • Device and team identifiers.

    • Rule ID and domain (subject to privacy settings).

    • Session start/end timestamps and derived duration.

  • Ignores domains not covered by active rules and fails safe if rules can’t be loaded.

• Shadow IT / Sensitive App Monitoring insights:

  • “Sensitive App Prolonged Activity” summary widget:

    • Total prolonged activity detections in the selected timeframe.

  • “Top Devices with Sensitive App Prolonged Activity” widget:

    • Devices with the highest prolonged time on sensitive apps, including:

      • Device and assigned user.

      • Total prolonged time, session count, and last activity.

  • Per‑device detail views:

    • Breakdown by rule and domain.

    • Session counts and durations per domain.

Why it matters

• Highlights unusual or sustained access to sensitive systems (e.g., CRM exports, payment processors, HR systems, data rooms).

• Helps teams prioritize investigations based on time spent on high‑risk apps, not just login events.

Full details:
Sensitive App Prolonged Activity Tracking in Swif’s Browser Extension | Help Center | Swif.ai

3. File Upload Restriction in Swif’s Browser Extension

Swif now lets you control where employees can upload files on the web, with in‑browser enforcement and analytics in the Shadow IT dashboard.

What’s new

• File Upload Restriction rules at the team level:

  • Configure under Settings → Teams → File Upload Restriction.

  • Each rule includes:

    • Rule name and status (active/disabled).

    • Target user groups.

    • Domain coverage (destinations covered by the policy).

  • Empty state plus “Create rule” CTA when no rules exist.

• Flexible domain configuration:

  • Manual Domain mode:

    • Enter domains like example.com or subdomain.example.com.

    • Handles whitespace, duplicates, and preserves supported wildcard patterns (e.g. *.example.com) or surfaces validation errors when unsupported.

  • Domain List mode (upload):

    • Upload a CSV (and other supported formats where available).

    • Backend parses domains, normalizes entries, and rejects invalid content with clear errors.

• Enforcement in the browser extension:

  • Detects file uploads and evaluates:

    • Organization and device context.

    • Active user/user group (including non‑login token scenarios).

    • Destination domain.

  • Blocks or restricts uploads based on your rules.

  • Shows an inline Blocked Upload Notice:

    • Clear explanation that the upload was blocked by policy.

    • Accessible design (keyboard and screen‑reader friendly).

    • Graceful handling of long filenames and messages.

    • Optional CTAs such as “Learn more” or “Contact IT”.

• Shadow IT Insight Dashboard widgets:

  • “File Upload Blocks” KPI widget:

    • Total number of blocked upload events over the selected time window.

  • “Blocked File Uploads” activity widget:

    • Per‑user view of blocked upload attempts on restricted domains.

    • Detail panel for deeper context.

  • Both widgets handle loading, empty, and error states gracefully.

Why it matters

• Gives you policy‑based control over file exfiltration from managed browsers.

• Pairs with PII tracking and Sensitive App Monitoring to build a cohesive data protection posture across prompts, uploads, and app usage.

Full details:
File Upload Restriction in Swif’s Browser Extension | Help Center | Swif.ai

When importing employees via CSV or HRIS, you’ll now see a Review import modal whenever any email address already exists in another team.

• For CSV imports, after you upload your file and click Import, the flow will show a review step instead of silently finishing if duplicates are detected.

• For HRIS imports (full or partial syncs), the same review experience appears when duplicates are found, with your HRIS provider logo (e.g., Google Workspace, Okta, Azure, Deel) displayed in the header.

In the Review import modal:

• Employees are split into Excluded employees (duplicates that won’t be imported) and Included employees (new records that will be imported).

• Excluded employees is expanded by default so you can immediately see what was blocked.

• Included employees is collapsed by default, but you can expand it to confirm everything that will be imported.

• Copy clearly explains that excluded rows were not imported because they already exist in another team.

If no duplicates are found, imports continue with the existing success flow—no modal, just the standard completion behavior.

We’ve added a dedicated GlobalProtect application template to streamline VPN app setup while keeping package management fully under the customer’s control.

What’s new

• New GlobalProtect app template is now available in the WebApp catalog.

• Template metadata is pre‑configured: app name (“GlobalProtect”), domain, catalog/category (e.g., VPN/Security), and the installed app name based on research.

• The template is intentionally script‑free (no pre‑install or post‑install scripts) and acts as a clean naming/template profile only.

• App creation from this template requires admins to upload their own installer; no default GlobalProtect.zip is bundled, reinforcing manual package management.

• Flow is verified end‑to‑end: uploading a valid GlobalProtect.zip succeeds, displays correct file details, and allows admins to proceed with app creation without errors.