Obviously it's not perfect for everyone and technical staff will often need to run esoteric and constantly-changing applications, so whitelisting isn't always possible. In that case, using a checksum and having the central server is a better way of handling it. Better yet is something like FireEye, which can intercept your file downloads and scan them before they hit your machine. I can't speak for which next-gen endpoint solution works best since that's not my area of expertise, but I can say it's better than traditional AV (which is basically useless). In that case, blacklisting is the better choice, for software no one should have installed.
"Spying on employees" is an interesting take on what I consider to be basic security. I'm heavily involved in technology that, if the end user saw what we could see, they'd be horrified. Basically, if you're in the US and using your employer's laptop on your employer's network, you have zero privacy and everything you do and every site you visit is being logged into a central log repository and can be made available to the security and audit teams at a moment's notice. Most of the time no one is watching it, no one except an AI looking for anomalies and reporting on outliers, but it's possible. If you're doing DNS lookups to your company's DNS server, they know every site you've visited. If you're using telnet or ftp or POP3, they know your passwords too, because they're likely sniffing internal network traffic as well and storing packet captures. And they may even be breaking SSL at the proxy or gateway level, so that doesn't help you.
Basically, if you're worried that Carbon Black sending a list of your installed applications is your employer "spying" on you, they're already collecting far more data than you think. Installed applications are the least of your concern. But again... that's not your laptop and it's not your network. It's all owned by your company, and governed by their acceptable use policy in the employee handbook.
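To make the comment's point about DNS logs and cleartext protocols concrete, here is an added example that is not the commenter's code: a small Python script that reconstructs browsing history from resolver query logs and pulls USER/PASS credentials out of a reassembled POP3 or FTP client stream, exactly the kind of thing a central log repository or packet-capture store makes trivial. The BIND-style log lines, the client IPs, the domains, and the POP3/FTP session bytes are all constructed for the example; the function names are my own. It goes slightly beyond the comment in that one credential parser covers both POP3 and FTP, since both protocols send USER and PASS as plain commands.

```python
import re
from collections import Counter

# Constructed sample: BIND-style query log lines from an internal resolver.
# Every host on the LAN that resolves a name through this server leaves a line like these.
DNS_QUERY_LOG = """\
12-Mar-2024 09:14:02.113 queries: info: client 10.20.4.57#53211 (mail.example.com): query: mail.example.com IN A + (10.20.0.2)
12-Mar-2024 09:14:05.441 queries: info: client 10.20.4.57#53212 (news.example.org): query: news.example.org IN A + (10.20.0.2)
12-Mar-2024 09:15:10.009 queries: info: client 10.20.4.57#53213 (mail.example.com): query: mail.example.com IN AAAA + (10.20.0.2)
12-Mar-2024 09:16:33.720 queries: info: client 10.20.4.88#41002 (intranet.example.com): query: intranet.example.com IN A + (10.20.0.2)
this line is not a query record and is skipped
"""

# Pulls the client IP, the queried name and the record type out of one log line.
QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def sites_by_client(log_text):
    """Map each client IP to a Counter of the names it resolved.

    This is the 'they know every site you've visited' view: no proxy or
    TLS interception needed, just the resolver's own query log.
    """
    result = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # non-query lines (startup messages, garbage) are ignored
        result.setdefault(m["ip"], Counter())[m["qname"]] += 1
    return result


# Constructed samples: the client-to-server half of a reassembled TCP stream,
# as a packet-capture store would hand it back. POP3 and FTP both authenticate
# with cleartext USER and PASS commands, so one parser serves both.
POP3_CLIENT_STREAM = b"USER jdoe\r\nPASS hunter2\r\nSTAT\r\nQUIT\r\n"
FTP_CLIENT_STREAM = b"USER anonymous\r\nPASS guest@example.com\r\nSYST\r\nQUIT\r\n"
# Edge case: a PASS with no preceding USER (client re-sent only the password).
ORPHAN_PASS_STREAM = b"PASS lonely\r\nQUIT\r\n"


def extract_plaintext_credentials(stream):
    """Return a list of (user, password) pairs found in a cleartext client stream.

    A PASS without a preceding USER is reported with user=None rather than
    being silently dropped, since the secret is still on the wire.
    """
    creds = []
    pending_user = None
    for raw in stream.split(b"\r\n"):
        line = raw.decode("ascii", errors="replace").strip()
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            pending_user = arg
        elif verb == "PASS":
            creds.append((pending_user, arg))
            pending_user = None
    return creds


if __name__ == "__main__":
    for ip, names in sites_by_client(DNS_QUERY_LOG).items():
        print(ip, dict(names))
    for label, stream in (("POP3", POP3_CLIENT_STREAM), ("FTP", FTP_CLIENT_STREAM)):
        print(label, extract_plaintext_credentials(stream))
```

Run it and the DNS half prints, per workstation, every name it asked the corporate resolver for; the credential half prints the username and password straight out of the stream. The same two steps are what a network security team's tooling automates at scale, which is why the comment's advice about telnet, FTP and POP3 on a corporate network is not hypothetical.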