diff --git a/src/content/docs/cloudflare-one/applications/app-library.mdx b/src/content/docs/cloudflare-one/applications/app-library.mdx
index 25efbb2eff4c359..00bfc74f01611f2 100644
--- a/src/content/docs/cloudflare-one/applications/app-library.mdx
+++ b/src/content/docs/cloudflare-one/applications/app-library.mdx
@@ -11,6 +11,8 @@ The Application Library allows users to manage their SaaS applications in Cloudf
To access the App Library in [Zero Trust](https://one.dash.cloudflare.com/), go to **My team** > **App Library**. Each application card will list the number of hostnames associated with the application, the supported Zero Trust product usage, and the [app type](/cloudflare-one/policies/gateway/application-app-types/#app-types).
+The App Library groups [Do Not Inspect applications](/cloudflare-one/policies/gateway/application-app-types/#do-not-inspect-applications) within the corresponding application. For example, the App Library will group _Google Drive (Do Not Inspect)_ under **Google Drive**. Traffic that does not match a known application will not be included in the App Library.
+
## View application details
Select an application card to view details about the application.
@@ -20,7 +22,7 @@ Select an application card to view details about the application.
The **Overview** tab shows details about an application, including:
- Name
-- Shadow IT [review status](/cloudflare-one/insights/analytics/shadow-it-discovery/#approval-status)
+- Shadow IT [review status](#review-applications)
- Number of hostnames
- [App type](/cloudflare-one/policies/gateway/application-app-types/#app-types)
- Supported Zero Trust applications
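Review bot: The new `#review-applications` anchor lands on a section that, in this diff, keeps only the one-sentence sync note (the status definitions and the "To set the status" steps are moved into the new `app-library-review-apps` partial), and no `<Render>` of that partial is visible in the app-library.mdx hunks. Verify the partial is actually rendered under "## Review applications", otherwise the Overview tab's "review status" link points at a section that no longer explains what the statuses are.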
@@ -42,14 +44,6 @@ The Shadow IT Discovery dashboard will provide more details for discovered appli
## Review applications
-To organize applications into their approval status for your organization, you can mark them as **Unreviewed** (default), **In review**, **Approved**, and **Unapproved**. The App Library synchronizes application review statuses with [approval statuses](/cloudflare-one/insights/analytics/shadow-it-discovery/#approval-status) from Shadow IT Discovery.
-
-
-
-To set the status of an application:
-
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **My team** > **App Library**.
-2. Locate the card for the application.
-3. In the three-dot menu, select the option to mark your desired status.
+The App Library synchronizes application review statuses with approval statuses from the [Shadow IT Discovery SaaS analytics](/cloudflare-one/insights/analytics/shadow-it-discovery/) dashboard.
-Once you mark the status of an application, its badge will change. You can filter applications by their status to review each application in the list for your organization.
+
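Review bot: The surviving sentence calls the dashboard the "Shadow IT Discovery SaaS analytics" dashboard, while the renamed page is titled "Shadow IT SaaS analytics" and the UI label given elsewhere in this PR is "Shadow IT: SaaS analytics"; pick one name and use it here. The hunk also ends by adding an empty line after the removed closing paragraph, which leaves a trailing blank line at the end of the file.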
diff --git a/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx b/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx
index be8402640e3c6a2..2a4f4740cd3e267 100644
--- a/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx
+++ b/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx
@@ -1,100 +1,61 @@
---
pcx_content_type: reference
-title: Shadow IT Discovery
+title: Shadow IT SaaS analytics
sidebar:
order: 5
---
import { Render } from "~/components";
-Shadow IT Discovery provides visibility into the SaaS applications and private network origins your users are visiting. This information allows you to create identity and device-driven Zero Trust policies to secure your users and data.
+Shadow IT SaaS analytics provides visibility into the SaaS applications your users are visiting. This information allows you to create identity and device-driven Zero Trust policies to secure your users and data.
-To view Shadow IT Discovery in [Zero Trust](https://one.dash.cloudflare.com), go to **Analytics**, then select **Shadow IT Discovery**.
+To access Shadow IT SaaS analytics, in [Zero Trust](https://one.dash.cloudflare.com), go to **Analytics** > **Dashboards**, then select **Shadow IT: SaaS analytics**.
-## Turn on Shadow IT Discovery
+## Prerequisites
-To allow Zero Trust to discover shadow IT in your traffic:
+To allow Cloudflare to discover shadow IT in your traffic, you must set up [HTTP filtering](/cloudflare-one/policies/gateway/initial-setup/http/).
-- Turn on the [Gateway proxy](/cloudflare-one/policies/gateway/proxy/) for HTTP and network traffic.
-- Turn on [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) to inspect HTTPS traffic.
-- Ensure any network traffic you want to inspect is not routed around Gateway by a [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/).
+## Use Shadow IT SaaS analytics
-## SaaS applications
+### 1. Review applications
-For an overview of SaaS applications your users have visited, go to **Analytics** > **Access** > **SaaS**. This tab displays the following information:
+The first step in using the Shadow IT SaaS analytics dashboard is to review applications in the [Application Library](/cloudflare-one/applications/app-library/). The App Library synchronizes application review statuses with approval statuses from the Shadow IT Discovery SaaS analytics dashboard.
-- **Unique application users**: Chart showing the number of different users who accessed SaaS applications over time.
-- **Top approved applications**: SaaS applications marked as [**Approved**](#approval-status) which had the greatest number of unique visitors.
-- **Top unapproved applications**: SaaS applications marked as [**Unapproved**](#approval-status) which had the greatest number of unique visitors.
-- **Zero Trust**: Metrics for your Access applications including the total number of accessed applications, failed logins, and connected users over the selected time period.
-- **Logins**: Chart showing the number of logins for an individual Access application over time.
-- **Top applications accessed**: Access applications with the greatest number of logins.
-- **Top connected users**: Users who logged in to the greatest number of Access applications.
+
-### Review discovered applications
+### 2. Monitor usage
-You can view a list of all discovered SaaS applications and mark them as approved or unapproved. To review an application:
+Review the Shadow IT SaaS analytics dashboard for application usage. Filter the view based on:
-1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Analytics**, then select **Shadow IT Discovery**
-2. Go to **SaaS**.
-3. In the **Unique application users** chart, select **Review all**. The table displays the following fields:
+ | Field | Description |
+ | ---------------- | ---------------------------------------------------------------------------------------------------------------------------- |
+ | Application | SaaS application's name and logo. |
+ | Application type | [Application type](/cloudflare-one/policies/gateway/application-app-types/#app-types) assigned by Cloudflare Zero Trust. |
+ | Status | Application's approval status. |
+ | Secured | Whether the application is currently secured behind Cloudflare Access. |
+ | Users | Number of users who connected to the application over the period of time specified on the Shadow IT Discovery overview page. |
-| Field | Description |
-| ---------------- | ---------------------------------------------------------------------------------------------------------------------------- |
-| Application | SaaS application's name and logo. |
-| Application type | [Application type](/cloudflare-one/policies/gateway/application-app-types/#app-types) assigned by Cloudflare Zero Trust. |
-| Status | Application's [approval status](#approval-status). |
-| Secured | Whether the application is currently secured behind Cloudflare Access. |
-| Users | Number of users who connected to the application over the period of time specified on the Shadow IT Discovery overview page. |
+To manage application statuses in bulk, select **Set Application Statuses** to review applications your users commonly visit and update their approval statuses.
-3. Select a specific application to view details.
-4. Assign a new [approval status](#approval-status) according to your organization's preferences.
+### 3. Create policies
-The application's status will now be updated across charts and visualizations on the **SaaS** tab. You can block unapproved applications by creating a [Gateway policy](/cloudflare-one/policies/gateway/).
+After marking applications, you can create [HTTP policies](/cloudflare-one/policies/gateway/http-policies/) based on application review status. For example, you can create policies that:
-## Private network origins
+- Launch all **Unreviewed** and **In review** applications in an [isolated browser](/cloudflare-one/policies/gateway/http-policies/common-policies/#1-isolate-unreviewed-or-in-review-applications).
+- [Block access](/cloudflare-one/policies/gateway/http-policies/common-policies/#2-block-unapproved-applications) to all **Unapproved** applications.
+- Limit file upload capabilities for specific application statuses.
-To see an overview of the private network origins your users have visited, go to **Analytics** > **Access** > **Private Network**. This tab displays the following information:
+To create an HTTP status policy directly from Shadow IT Discovery:
-- **Unique origin users**: Chart showing the number of different users accessing your private network over time.
-- **Top approved origins**: Origins marked as [**Approved**](#approval-status) which had the greatest number of unique visitors.
-- **Top unapproved origins**: Origins marked as [**Unapproved**](#approval-status) which had the greatest number of unique visitors.
-- **Zero Trust**: Metrics for your Access applications including the total number of accessed applications, failed logins, and connected users over the selected time period.
-- **Logins**: Chart showing the number of logins for an individual Access application over time.
-- **Top applications accessed**: Access applications with the greatest number of logins.
-- **Top connected users**: Users who logged in to the greatest number of Access applications.
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Analytics** > **Dashboards**, then select **Shadow IT: SaaS analytics**.
+2. Select **Set application statuses**.
+3. Select **Manage HTTP status policies**, then choose an application status and select **Create policy**.
-### Review discovered origins
+## Available insights
-You can view a list of all discovered origins and mark them as approved or unapproved. To review a private network origin:
+The Shadow IT SaaS analytics dashboard includes several insights to help you monitor and manage SaaS application usage.
-1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Analytics**, then select **Shadow IT Discovery**
-2. Go to **Private Network**.
-3. In the **Unique origin users** chart, select **Review all**. The discovered origins that appear on this page are defined by unique combinations of IP address, port, and protocol.
-
-| Field | Description |
-| ---------- | ----------------------------------------------------------------------------------------------------------------------- |
-| IP address | Origin's internal IP address in your private network. |
-| Port | Port used to connect to the origin. |
-| Protocol | Protocol used to connect to the origin. |
-| Hostname | Hostname used to access the origin. |
-| Status | Origin's [approval status](#approval-status) |
-| Users | Number of users who connected to the origin over the period of time specified on the Shadow IT Discovery overview page. |
-
-3. Select a specific origin to view details.
-4. Assign a new [approval status](#approval-status) according to your organization's preferences.
-
-The origin's status will now be updated across charts and visualizations on the **Private Network** tab. You can block unapproved origins by creating a [Gateway policy](/cloudflare-one/policies/gateway/).
-
-## Approval status
-
-Within Shadow IT Discovery, applications are labeled according to their status. The default status for a discovered application is **Unreviewed**. Your organization can determine the status of each application and change their status at any time.
-
-
-
-| Status | Description |
-| ---------- | ------------------------------------------------------------------------------------------------------ |
-| Approved | Applications that have been marked as sanctioned by your organization. |
-| Unapproved | Applications that have been marked as unsanctioned by your organization. |
-| In review | Applications in the process of being reviewed by your organization. |
-| Unreviewed | Unknown applications that are neither sanctioned nor being reviewed by your organization at this time. |
+- **Number of applications by status**: A breakdown of how many applications have been categorized into each [approval status](#1-review-applications). The list of applications is available in the [App Library](/cloudflare-one/applications/app-library/).
+- **Data transferred per application status**: A time-series graph showing the amount of data (in gigabytes) transferred to an application in the given status.
+- **User count per application status**: A time-series graph showing the number of users who have interacted with at least one application in a given status. For example, a user can use an **Approved** application shortly followed by an **In review** application, contributing to counts for both of those statuses.
+- **Top-N metrics**: A collection of metrics providing insights into top applications, users, devices, and countries.
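Review bot: The rewritten "Prerequisites" drops the three explicit requirements (Gateway proxy for HTTP traffic, TLS decryption, and traffic not bypassing Gateway via Split Tunnels) in favour of a single link to HTTP filtering setup; keep at least a sentence saying that undecrypted or split-tunneled traffic is invisible to discovery, since that is the most common reason an application never shows up and the linked setup page may not state it. Smaller points: "Shadow IT Discovery SaaS analytics dashboard" (step 1) and "directly from Shadow IT Discovery" (step 3) should use the page's new name, and the "Users" row still refers to "the Shadow IT Discovery overview page", which no longer exists under that name; the added field table carries a stray leading space before each `|`; the button is written as "Set Application Statuses" under step 2 and "Set application statuses" under step 3, so match the UI label exactly once; and the third policy bullet ("Limit file upload capabilities") is the only one without a link to a worked policy.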
diff --git a/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx b/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx
index 10be6ed5fa661d3..c49f326ac5d0762 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx
@@ -13,6 +13,8 @@ Gateway allows you to create DNS, Network, and HTTP policies based on applicatio
When you choose the _Application_ selector in a Gateway policy builder, the **Value** field will include all supported applications and their respective app types. Alternatively, you can use the [Gateway API](/api/resources/zero_trust/subresources/gateway/subresources/app_types/methods/list/) to fetch a list of applications, app types, and ID numbers.
+To manage a consolidated list of applications across Zero Trust, you can use the [Application Library](/cloudflare-one/applications/app-library/).
+
## App types
Gateway sorts applications into the following app type groups:
@@ -57,8 +59,9 @@ To ensure Gateway evaluates traffic with your desired precedence, order your mos
Gateway automatically groups applications incompatible with TLS decryption into the _Do Not Inspect_ app type. As Cloudflare identifies incompatible applications, Gateway will periodically update this app type to add new applications. To ensure Gateway does not intercept any current or future incompatible traffic, you can [create a Do Not Inspect HTTP policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) with the entire _Do Not Inspect_ app type selected.
-:::note[Install Cloudflare certificate manually to allow TLS decryption]
+When managing applications with the [Application Library](/cloudflare-one/applications/app-library/), Do Not Inspect applications will appear under the corresponding application. For example, the App Library will group _Google Drive (Do Not Inspect)_ under **Google Drive**.
+:::note[Install Cloudflare certificate manually to allow TLS decryption]
Instead of creating a Do Not Inspect policy for an application, you may be able to configure the application to [trust a Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications). Doing so will allow the application to function without losing visibility into your traffic.
:::
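Review bot: The new paragraph is inserted immediately before `:::note[...]` with no blank line between them, so the directive fence can be parsed as a continuation of the paragraph; add an empty line before `:::note`. The paragraph is also a near-verbatim copy of the sentence added to app-library.mdx in this PR ("the App Library will group _Google Drive (Do Not Inspect)_ under **Google Drive**"); consider a partial so the two cannot drift.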
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx
index 9383f397fecf3e6..e341d48bf772113 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx
@@ -291,6 +291,78 @@ When accessing origin servers with certificates not signed by a public certifica
For more information on supported file types, refer to [Download and Upload File Types](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-file-types).
+## Isolate or block shadow IT applications
+
+Isolate shadow IT applications discovered by the [Application Library](/cloudflare-one/applications/app-library/) that have not been reviewed yet or are currently under review, and block applications that are not approved by your organization.
+
+For more information on reviewing shadow IT applications, refer to [Review applications](/cloudflare-one/applications/app-library/#review-applications).
+
+### 1. Isolate unreviewed or in review applications
+
+Isolate applications if their approval status is _Unreviewed_ or _In review_.
+
+
+
+| Selector | Operator | Value | Logic | Action |
+| ------------------ | -------- | ------------ | ----- | ------- |
+| Application Status | is | _Unreviewed_ | Or | Isolate |
+| Application Status | is | _In review_ | | |
+
+
+
+
+
+
+
+
+
+### 2. Block unapproved applications
+
+Block applications if their approval status is _Unapproved_.
+
+
+
+| Selector | Operator | Value | Action |
+| ------------------ | -------- | ------------ | ------ |
+| Application Status | is | _Unapproved_ | Block |
+
+
+
+
+
+
+
+
+
## Block Google services
To enable Gateway inspection for Google Drive traffic, you must [add a Cloudflare certificate to Google Drive](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#google-drive).
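Review bot: The two policies cover only _Unreviewed_, _In review_ and _Unapproved_; say explicitly that _Approved_ applications and traffic that matches no known application (per the app-library.mdx change, such traffic is not in the App Library at all) fall through to the policies below, so readers do not assume this pair is a complete allowlist, and cross-reference the one-hour propagation of status changes stated in the new partial, since a freshly marked _Unapproved_ app will keep passing this Block policy until the sync lands. Also, "discovered by the Application Library" in the intro is inaccurate on this PR's own terms: applications are discovered by Shadow IT SaaS analytics and reviewed in the App Library.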
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx
index 44cf247c884a64e..895a9124766b0e9 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx
@@ -8,7 +8,7 @@ sidebar:
import { Details, InlineBadge, Render } from "~/components";
:::note
-To use HTTP policies, install the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/).
+To use HTTP policies, install a [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/) or a [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/).
:::
HTTP policies allow you to intercept all HTTP and HTTPS requests and either block, allow, or override specific elements such as websites, IP addresses, and file types. HTTP policies operate on Layer 7 for all TCP (and [optionally UDP](/cloudflare-one/policies/gateway/initial-setup/http/#1-connect-to-gateway)) traffic sent over ports 80 and 443.
@@ -399,6 +399,14 @@ Gateway matches HTTP traffic against the following selectors, or criteria:
product="cloudflare-one"
/>
+### Application Approval Status
+
+The review approval status of an application from [Shadow IT Discovery](/cloudflare-one/insights/analytics/shadow-it-discovery/) or the [Application Library](/cloudflare-one/applications/app-library/). For more information, refer to [Review applications](/cloudflare-one/applications/app-library/#review-applications).
+
+| UI name | API example |
+| ------------------ | ------------------------------------ |
+| Application Status | `any(app.statuses[*] == "approved")` |
+
### Application
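Review bot: The heading says "Application Approval Status" while the UI name in the table, and every policy table in this PR, says "Application Status"; align the heading with the selector name so in-page anchors and searches match. The API example `any(app.statuses[*] == "approved")` uses a plural array with `any()`, which implies a single request can carry more than one status; add a sentence explaining when that happens (for example, a request matching several applications or an application and its Do Not Inspect variant), because it changes how a Block on `unapproved` interacts with an `approved` match. If the selector list on this page is alphabetical, this section belongs after "### Application" rather than before it.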
diff --git a/src/content/partials/cloudflare-one/app-library-review-apps.mdx b/src/content/partials/cloudflare-one/app-library-review-apps.mdx
new file mode 100644
index 000000000000000..e2f59fc93e08611
--- /dev/null
+++ b/src/content/partials/cloudflare-one/app-library-review-apps.mdx
@@ -0,0 +1,28 @@
+---
+{}
+---
+
+import { Render } from "~/components";
+
+To organize applications into their approval status for your organization, you can mark them as **Unreviewed** (default), **In review**, **Approved**, and **Unapproved**.
+
+| Status | API value | Description |
+| ---------- | ------------ | ------------------------------------------------------------------------------------------------------ |
+| Approved | `approved` | Applications that have been marked as sanctioned by your organization. |
+| Unapproved | `unapproved` | Applications that have been marked as unsanctioned by your organization. |
+| In review | `in review` | Applications in the process of being reviewed by your organization. |
+| Unreviewed | `unreviewed` | Unknown applications that are neither sanctioned nor being reviewed by your organization at this time. |
+
+To set the status of an application:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **My team** > **App Library**.
+2. Locate the card for the application.
+3. In the three-dot menu, select the option to mark your desired status.
+
+Once you mark the status of an application, its badge will change. You can filter applications by their status to review each application in the list for your organization. The review status for an application in the App Library and Shadow IT Discovery will update within one hour.
+
+:::note
+Approval status does not impact a user's ability to access an application. Users are allowed or blocked according to your [Access](/cloudflare-one/policies/access/) and [Gateway policies](/cloudflare-one/policies/gateway/).
+:::
+
+{/* TODO update this note to call out the Gateway app status selector */}
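Review bot: The `{/* TODO update this note to call out the Gateway app status selector */}` comment ships with the new partial, yet this same PR adds the Application Status selector to http-policies/index.mdx, so the note above it can be updated now to say that approval status only affects access when used in a Gateway HTTP policy via that selector. Two more points: `Render` is imported at the top of the partial but no `<Render>` component appears in its 28 lines, so drop the unused import; and the `in review` API value contains a space, so it is worth confirming the exact string the API accepts and quoting it in an example alongside the `"approved"` one, since a reader copying the table into a policy will otherwise guess at `in_review`.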
diff --git a/src/content/partials/cloudflare-one/approval-status-block.mdx b/src/content/partials/cloudflare-one/approval-status-block.mdx
deleted file mode 100644
index ad16344af95452c..000000000000000
--- a/src/content/partials/cloudflare-one/approval-status-block.mdx
+++ /dev/null
@@ -1,7 +0,0 @@
----
-{}
----
-
-:::note
-Approval status does not impact a user's ability to access the application. Users are allowed or blocked according to your Access and Gateway policies.
-:::
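Review bot: The note text is carried over into `app-library-review-apps.mdx` with links added, which is fine, but confirm no other page still renders `approval-status-block`; only app-library.mdx is updated in this diff.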
diff --git a/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx
index 44ca8d1db1a76db..7916586a4246967 100644
--- a/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx
+++ b/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx
@@ -5,7 +5,7 @@
import { GlossaryTooltip } from "~/components";
:::note
-After seven days, view your [shadow IT analytics](/cloudflare-one/insights/analytics/shadow-it-discovery/) and block additional applications based on what your users are accessing.
+After seven days, view your [Shadow IT SaaS Analytics](/cloudflare-one/insights/analytics/shadow-it-discovery/) and block additional applications based on what your users are accessing.
:::
To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools:
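Review bot: The link text "Shadow IT SaaS Analytics" capitalises "Analytics" while the page it points to is titled "Shadow IT SaaS analytics" and the dashboard entry is "Shadow IT: SaaS analytics"; match one of those.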