Learn how to use Microsoft Intune to block unauthorized apps on iOS devices that access company data. This guide shows how to protect your organization's sensitive information and keep devices compliant with company policy.
The Background On Blocking Unauthorized Apps
After reading a LinkedIn post and listening to a podcast from NSM covering the challenges of consuming company data on the same devices where sinister apps from the private sphere live, I was tempted to find ways to address this through Intune. The LinkedIn post from Simen Bakke addressed (but was not limited to) TikTok and the number of resources certain apps require access to on the phone (GPS location, contact list, calendar, storage media, clipboard, etc.). The podcast by Roar Thon and Jørgen Dyrhaug also addressed the challenges from TikTok and other apps installed on smartphones and all the information they have access to.
This has since been regularly mentioned in the news. Some examples:
- Expert: Broke security advice (dagbladet.no)
- Justice Minister Emilie Enger Mehl had TikTok on her work phone – VG
- Justice Minister Mehl had TikTok on her work phone – NRK
- Morgenbladet: article on cabinet ministers' and members of parliament's use of TikTok
- NRK Nyhetsmorgen, 02.02.2023, 07:11
I have earlier published a blog post covering how you can use Intune to drive mobile OS updates, which relates to this topic. This time I have to focus on the MDM (Mobile Device Management) part, since MAM (Mobile Application Management) does not have the necessary control surfaces to achieve the goal of blocking company data on devices holding restricted apps: an app protection policy only sees the managed app it wraps, not what else is installed on the device.
The Troublesome Apps
It is important to understand that TikTok is not the only challenging app available. Deciding which apps should be prohibited on devices handling classified information is therefore a huge task, especially if we are dealing with a blacklist, which has to be maintained as new apps appear. The task is more manageable on fully managed devices, where we can operate with a whitelist of approved apps instead.
Apps can be restricted for several reasons related to security and productivity. Some apps, like Dropbox, Google Drive, SkyDrive and SugarSync, are banned to prevent data leakage. Other apps are banned to protect against malware, while some are banned to increase worker productivity (Facebook, Pandora, Angry Birds and Netflix are examples of the latter). All of these apps are typically free of charge, meaning you are the actual product.
If you have specific needs for security, MDM protection of corporate data on private devices might not be enough. You might want to set conditions for a fully managed device where you have full control of all third-party apps installed on the device.
If you have Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps in your environment, you can get good insight into the applications installed on your onboarded devices. This can form a good basis for where to focus. I will cover this a bit in a later section.
The iOS Configuration
I will target this challenge for iOS devices with a Microsoft Intune device compliance policy combined with a Conditional Access policy (Microsoft Entra ID, formerly Azure AD). This requires the devices to be enrolled under MDM management to gain access to company data. I can't block users from installing apps this way, but I can block access to company data if any app on the blacklist is installed on the device. This gives some control over our data even when the user accesses it from a BYOD device. Note that the check depends on Intune being able to inventory the apps on the device: it requires device enrollment, and with Apple User Enrollment the MDM server can only see the apps it manages itself, so personally installed apps are invisible to it.
iOS App Bundle ID
To be able to block an application on iOS, I need to find the bundle ID for the app (the reverse-DNS identifier Apple uses for the app, not its App Store name). I have followed this routine to find the bundle ID for TikTok on iOS.
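As an added example (not code from the original post), the lookup can be scripted against Apple's public iTunes Lookup API, which returns the bundle ID for a given App Store ID. The function below takes either the App Store listing URL or the bare numeric ID; the URL in the usage line is a placeholder, not a real listing.

```powershell
# Added example: resolve an App Store listing to its bundle ID via Apple's public
# iTunes Lookup API (https://itunes.apple.com/lookup). Not part of the original post.
function Get-AppStoreBundleId {
    [CmdletBinding()]
    param(
        # Either a full App Store URL (https://apps.apple.com/<cc>/app/<name>/id<number>)
        # or the bare numeric App Store ID.
        [Parameter(Mandatory)][string]$App,
        # Storefront to query; an app missing from one storefront may exist in another.
        [string]$Country = 'us'
    )

    if ($App -match '/id(\d+)')    { $appId = $Matches[1] }
    elseif ($App -match '^\d+$')   { $appId = $App }
    else { throw "Could not find an App Store ID in '$App'" }

    $uri = "https://itunes.apple.com/lookup?id=$appId&country=$Country"
    $response = Invoke-RestMethod -Uri $uri -Method Get   # JSON is parsed automatically

    if ($response.resultCount -lt 1) {
        throw "No App Store result for id $appId in storefront '$Country'"
    }
    $hit = $response.results[0]

    [pscustomobject]@{
        Name     = $hit.trackName
        Seller   = $hit.sellerName
        AppId    = $hit.trackId
        BundleId = $hit.bundleId   # the value Intune expects in "App Bundle ID"
    }
}

# Usage (placeholder URL; paste the real listing URL from the App Store):
# Get-AppStoreBundleId -App 'https://apps.apple.com/us/app/some-app/id123456789'
```

Checking the seller name alongside the bundle ID is a cheap guard against picking a look-alike listing, since the bundle ID is what the compliance policy will match on.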
iOS Compliance Policy
I will create a separate iOS Compliance Policy in Intune covering the restricted applications.
The only thing this compliance policy handles is the bundle IDs of apps that should be restricted. All other general compliance settings are covered in a separate compliance policy. When multiple compliance policies apply to a device, the device must satisfy every one of them; failing any single policy marks the device as non-compliant. A device with at least one installed app found on the restricted apps list will therefore be marked as non-compliant.
Next, the actions for non-compliance are added. At this point the device should be marked as non-compliant immediately (a grace period of 0 hours); if a short grace period is wanted to give users time to remove the app before access is cut, set it here. I will also let the system send an e-mail to the end user informing them of the action taken. This is based on message templates created in the Intune admin center under Devices – Compliance policies – Notifications. This mail gives the recipient instructions on the actions needed to bring the device to a compliant state with access to company data.
The compliance policy should now be assigned to the relevant groups of users.
iOS Conditional Access rule
In order to block access to company data from non-compliant iOS devices, a Conditional Access policy is used. This policy grants access only from devices marked as compliant. Roll it out in report-only mode first and check the sign-in logs for unexpected blocks, and exclude the emergency (break-glass) accounts, since a policy that requires a compliant device will lock out every user who has not enrolled.
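The whole iOS configuration above (compliance policy with the restricted-app list, the non-compliance actions, the group assignment, and the Conditional Access policy) can also be created through Microsoft Graph. The script below is an added example and not code from the original post; it uses the Microsoft.Graph PowerShell module, and the group IDs, notification template ID and bundle ID are placeholders to be replaced with values from your own tenant.

```powershell
# Added example: create the restricted-apps iOS compliance policy, assign it, and add a
# report-only Conditional Access policy via Microsoft Graph. Not part of the original post.
# All GUIDs and the bundle ID below are placeholders.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$targetGroupId        = '00000000-0000-0000-0000-000000000001'  # placeholder: users in scope
$breakGlassGroupId    = '00000000-0000-0000-0000-000000000002'  # placeholder: emergency accounts
$notificationTemplate = '00000000-0000-0000-0000-000000000003'  # placeholder: Intune notification template
$restrictedApps = @(
    @{ name = 'Example restricted app'; appId = 'com.example.restricted' }  # placeholder bundle ID
)

# 1. Compliance policy whose only rule is the restricted-app list. The beta endpoint is
#    used because restrictedApps is not exposed on the v1.0 iosCompliancePolicy type.
$policyBody = @{
    '@odata.type'  = '#microsoft.graph.iosCompliancePolicy'
    displayName    = 'iOS - Restricted apps'
    description    = 'Non-compliant when any listed bundle ID is installed'
    restrictedApps = @($restrictedApps | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.appListItem'; name = $_.name; appId = $_.appId }
    })
    # Actions for non-compliance: mark non-compliant immediately (0 h grace) and e-mail the user.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'   # fixed name Intune uses for the default rule
            scheduledActionConfigurations = @(
                @{ actionType = 'block';        gracePeriodHours = 0; notificationTemplateId = '';                   notificationMessageCCList = @() },
                @{ actionType = 'notification'; gracePeriodHours = 0; notificationTemplateId = $notificationTemplate; notificationMessageCCList = @() }
            )
        }
    )
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies' `
    -Body ($policyBody | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# 2. Assign the policy to the user group.
$assignBody = @{ assignments = @(
    @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $targetGroupId } }
) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null

# 3. Conditional Access: iOS sign-ins to all cloud apps require a compliant device.
#    Created in report-only mode so sign-in logs show the impact before enforcement,
#    with the break-glass group excluded. Switch state to 'enabled' once verified.
$caBody = @{
    displayName   = 'iOS - Require compliant device'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeGroups = @($targetGroupId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('iOS'); excludePlatforms = @() }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($caBody | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```

Keeping the restricted-app list in a separate policy, as the post does, means the list can be updated by patching this one policy object without touching the general compliance baseline.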
This should conclude the iOS configuration.
What about Android?
The challenge of users installing unmanaged applications is present on the Android platform as well, where the public Play Store can be used to download personal apps. For fully managed devices this is not a problem, because the administrator decides which apps are offered through managed Google Play.
The older Android Device Administrator platform in Intune could use the same approach as described for iOS to configure restricted apps. We are, however, not using Android Device Administrator anymore (it is deprecated). Now we are using the more modern Android Enterprise, which gives a wealth of possibilities.
In the typical BYOD scenario, a personally owned device with a work profile, the device has both a personal profile and a work profile. The work profile is isolated and can have only approved apps installed. It has app protection policies and configuration policies that help us administer and secure the company's interests. The personal profile, on the other hand, is untouched by Intune. We can configure how data may be shared between the work profile and the personal profile, but nothing more. No management of, or inventory from, the personal profile is shared with Intune, so a restricted-apps check cannot see TikTok installed there.
One way of blocking defined applications like TikTok on Android is to look at fully managed devices where access to the public Play Store has been opened. To handle the application on this platform, we need to add the application to Intune from managed Google Play and then assign it to our devices with the Uninstall intent. This should effectively make the app unavailable on the targeted devices.
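As an added example (not code from the original post), the Uninstall assignment can be done through Microsoft Graph once the app has been added from managed Google Play. The script looks the app up by its package name among the managed Google Play apps Intune knows about and assigns it with the `uninstall` intent; the package name and group ID are placeholders for the reader's own values.

```powershell
# Added example: assign a managed Google Play app with the Uninstall intent to a device
# group of Android Enterprise fully managed devices. Not part of the original post.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$packageId = 'com.example.restricted'                   # placeholder Play package name
$groupId   = '00000000-0000-0000-0000-000000000004'     # placeholder device group

# Intune exposes managed Google Play apps as androidManagedStoreApp; packageId is the
# Play Store package name. Page through the list in case the tenant has many apps.
$uri = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps' +
       "?`$filter=isof('microsoft.graph.androidManagedStoreApp')"
$apps = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $apps += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

$app = $apps | Where-Object { $_.packageId -eq $packageId }
if (-not $app) {
    throw "App '$packageId' is not in Intune yet; add it from managed Google Play first."
}

# The uninstall intent removes the app from targeted devices and keeps it removed.
$assignBody = @{ mobileAppAssignments = @(
    @{
        '@odata.type' = '#microsoft.graph.mobileAppAssignment'
        intent        = 'uninstall'
        target        = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId }
    }
) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$($app.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```

This only reaches the profile Intune manages: on a fully managed device that is the whole device, while on a personally owned device with a work profile the personal profile stays outside its reach, as described above.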
Microsoft Defender Cloud Apps to the rescue?
Microsoft Defender for Cloud Apps and its integration with Microsoft Defender for Endpoint can give an overview of unwanted apps on managed devices. After signing in to https://security.microsoft.com, open Cloud Discovery under Cloud Apps. From the map on this page we can easily list all apps whose headquarters are in China.
This gives a list of all apps filtered on their headquarters location. The table shows how each app is distributed among the onboarded devices.
Clicking an app will give you more insight of the usage.
Microsoft Defender for Cloud Apps has the option to tag an app as Unsanctioned, which marks the cloud app as prohibited. Domains used by unsanctioned apps are then blocked by the network protection feature of Microsoft Defender for Endpoint on the onboarded devices.
The Microsoft documentation Govern discovered apps using Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps describes this configuration in detail. It is worth noting that one of the prerequisites is a supported Windows version with network protection enabled. I still hope that Microsoft Defender for Endpoint with network protection activated on mobile devices can also act on this within a short time.
Microsoft Defender for Cloud Apps also has the option to warn users when they access risky apps rather than blocking them.