Achieving M-23-13 OMB requirements
Published Apr 07 2023 09:00 AM
Microsoft

 

On February 27, 2023, the Office of Management and Budget released memorandum M-23-13, requiring government agencies to remove TikTok from all GFE devices (unless there is an exception) and to block network connections to TikTok by a given date. This blog post explains how to comply with the policy on Windows devices or by using other Microsoft tools. For completeness, there is also information on iOS devices. M-23-13 requires agencies to perform the following three tasks, which are the focus of this blog post.

The OMB memo requires that, no later than 30 days after the issuance of the memorandum, agencies shall:

  1. Identify the use or presence of a covered application on information technology.
  2. Remove and disallow installations of a covered application on IT owned or operated by agencies, except in cases of approved exceptions.
  3. Prohibit internet traffic from IT owned by agencies to a covered application, except in cases of approved exceptions.

There are several ways to perform the tasks required by M-23-13. However, each operating system (Windows, iOS, Android) handles application management differently. Given their prevalence in federal environments, we have chosen to focus on Windows and iOS as the two primary operating systems for this blog post.

*Note: other Microsoft solutions, such as System Center Configuration Manager (ConfigMgr), can also be used. However, this article focuses on Microsoft Defender for Endpoint (MDE), Microsoft Defender for Cloud Apps (MDCA), and Intune.

 

Discover/Identify

Microsoft Intune provides a list of installed applications for iOS, Android, Windows, and Mac devices. Organizations can log on to the Intune portal and navigate to Apps > Monitor > Discovered apps to search for the TikTok application.

Below you can see two versions of TikTok, one installed on Windows and one installed on iOS.

Figure 1 Intune Application Inventory

If you are running MDE's Mobile Threat Defense (MTD), MDE's software inventory will discover the mobile versions of the application running on iOS or Android.

Figure 2 MDE Software Inventory

The Windows application is a Progressive Web App (PWA) and will not show up in the MDE software inventory. Discovering it on a Windows machine via MDE therefore requires Advanced Hunting.

 

When the PWA is launched, it calls two executables, pwahelper.exe and msedge.exe (or the default browser). During the launch of the app, a command runs that includes the URL for TikTok.

Below is a simple KQL query that can be used to find the command calling TikTok URLs:

```kql
// Process launches whose command line references TikTok, for example the PWA
// launch via pwahelper.exe / msedge.exe that includes the TikTok URL.
// `contains` is case-insensitive in KQL.
DeviceProcessEvents
| where ProcessCommandLine contains "TikTok"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
```

 

Figure 3 Timeline event from MDE

Organizations can use the same query to create a custom detection rule that generates alerts/incidents identifying the users and devices launching the PWA application.

Figure 4 MDE Custom Detection Rule incident

Since MDE is integrated with MDCA, we can use that integration to assist with discovering which devices and users have been accessing the application.

*Note: this integration works for Windows, Mac, and Linux. Mobile operating systems currently do not feed into MDCA but still consume the IOC rules created.

Figure 5 MDCA TikTok discovery

Figure 6 MDCA usage information
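The following Python is added here as an example and is not part of the original post or any Microsoft tool. It applies the same logic as the Advanced Hunting query above to a handful of constructed DeviceProcessEvents rows, then tightens the match from "the command line contains the word TikTok" to "the command line launches a URL whose host is a TikTok domain". The distinction matters for a custom detection rule: a bare `contains "TikTok"` also fires on a document path or an unrelated domain that merely includes the word. The rows, the domain list and the command-line shapes (such as the `--app=` argument) are assumptions constructed for the example.

```python
"""Detection logic for TikTok PWA launches, run over constructed sample rows.

Added example; not the blog's or Microsoft's code. The sample events, the
domain list and the command-line shapes are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed domain list. The post notes TikTok may use several domains/URLs,
# so a real rule should maintain its own vetted list.
TIKTOK_DOMAINS = ("tiktok.com", "tiktokv.com", "tiktokcdn.com")

# Pulls http(s) URLs out of a process command line.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def kql_contains_match(row):
    """Equivalent of the post's `ProcessCommandLine contains "TikTok"` (case-insensitive)."""
    return "tiktok" in row["ProcessCommandLine"].lower()


def host_is_tiktok(host, domains=TIKTOK_DOMAINS):
    """True if host equals a listed domain or is a subdomain of one.

    Suffix matching on '.' + domain avoids matching lookalikes such as
    'tiktok.example.net' or 'nottiktok.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def tiktok_hosts_in_command(cmdline, domains=TIKTOK_DOMAINS):
    """Return the TikTok hosts referenced by URLs in a command line."""
    hosts = []
    for url in URL_RE.findall(cmdline):
        host = urlsplit(url).hostname
        if host and host_is_tiktok(host, domains):
            hosts.append(host.lower())
    return hosts


def detect_pwa_launches(rows, domains=TIKTOK_DOMAINS):
    """Return (Timestamp, DeviceName, AccountName, FileName, host) tuples for
    rows whose command line launches a TikTok URL."""
    hits = []
    for row in rows:
        for host in tiktok_hosts_in_command(row["ProcessCommandLine"], domains):
            hits.append((row["Timestamp"], row["DeviceName"],
                         row["AccountName"], row["FileName"], host))
    return hits


# Constructed DeviceProcessEvents-style rows (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2023-03-01T14:02:11Z", "DeviceName": "WKS-0001", "AccountName": "jdoe",
     "FileName": "msedge.exe",
     "ProcessCommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                           r'--profile-directory=Default --app=https://www.tiktok.com/'},
    {"Timestamp": "2023-03-01T14:05:40Z", "DeviceName": "WKS-0002", "AccountName": "asmith",
     "FileName": "notepad.exe",
     # Mentions the word but is not a launch of the site: a false positive for `contains`.
     "ProcessCommandLine": r'notepad.exe C:\Users\asmith\Documents\tiktok-policy-memo.txt'},
    {"Timestamp": "2023-03-01T14:07:03Z", "DeviceName": "WKS-0003", "AccountName": "bkim",
     "FileName": "msedge.exe",
     # Lookalike host: contains the word, but is not a TikTok domain.
     "ProcessCommandLine": r'msedge.exe --app=https://tiktok.example.net/'},
    {"Timestamp": "2023-03-01T14:09:27Z", "DeviceName": "WKS-0004", "AccountName": "clee",
     "FileName": "chrome.exe",
     "ProcessCommandLine": r'chrome.exe https://m.tiktok.com/@example'},
]


if __name__ == "__main__":
    print("contains-match rows:", sum(kql_contains_match(r) for r in SAMPLE_EVENTS))
    for hit in detect_pwa_launches(SAMPLE_EVENTS):
        print("TikTok launch:", hit)
```

On the sample rows the `contains` logic flags all four events, while the host-based check reports only the two real launches (www.tiktok.com and m.tiktok.com). The same narrowing can be expressed in the KQL rule itself with `extract` and `has_any` over a domain list, but the Python form makes the false-positive cases easy to test.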

 

 

Network Blocks

Given that many devices are mobile and move between networks and organizations, blocking or preventing network access typically requires implementing multiple controls. The good news is that MDE can create IOCs that block access to URLs, IPs, certificates, and file hashes. These blocks work across device types (iOS, Android, Windows, Mac, and Linux) regardless of location.

There are two places where an organization can create these blocks. In both cases, MDE is the underlying service that performs the block.

The first is the MDCA portal, where staff can categorize an application as "unsanctioned", which pushes the appropriate URL(s) into IOC blocks in MDE.

Figure 7 MDCA Unsanctioned

Figure 8 MDE IOC rules

The second is directly in MDE, where staff can create a rule to block, warn, or audit the TikTok domain(s)/URL(s) on mobile (iOS and Android), Windows, Mac, and Linux devices.

Figure 9 MDE URL/Domain IOC creation

*Note: There could be several domains/URLs used by TikTok.

Once these blocks are in place and configured to generate alerts, the alert shows the user, device, and URL being blocked.

Figure 10 MDE alert information from a Windows host (details vary by OS)

When the PWA is launched from a Windows device, or the site is opened directly in the browser on other devices, the following block occurs.

Figure 11 MDE IOC website block

*Note: other browsers and operating systems require the network protection service to be configured and Defender AV to be in active mode.

 

Removal/Disallow

The challenging part of this task is that each operating system provides different methods to control applications.

An efficient way to block certain apps would be to restrict access to the application stores associated with each platform (e.g., the Windows and Apple stores). Short of blocking the application store, the following section outlines a method to identify the application and mark devices as non-compliant.

For instance, if the TikTok app is not managed by Intune and the organization allows access to the application store, users will be able to install any application. Intune can uninstall only apps that are deployed through the mobile device management (MDM) channel.

Organizations can establish prohibited app lists to identify devices with applications that are prohibited.

Prohibited apps are lists of apps that users aren't allowed to install and run. Users aren't prevented from installing a prohibited app. However, if a user installs an app from this list, the device is reported in the Devices with restricted apps report and can be set to non-compliant.

To configure a prohibited list, perform the following steps:

In the Intune admin portal, navigate to Devices > Configuration Profile > Create Profile

  1. Select iOS/iPadOS
  2. Under Profile Type, select Templates
  3. Select Device Restrictions

Figure 12 Intune Configuration Policy creation

In the Device restriction policy, under Restricted Apps, input the following:

  Type of restricted app list = Prohibited
  App Store URL = https://apps.apple.com/us/app/tiktok/id835599320
  App Bundle ID = com.zhiliaoapp.musically
  App Name = TikTok
  Publisher = TikTok Ltd.

Figure 13 Prohibited App UI

After the policy has been created, organizations can review the restricted app report in the Intune admin portal under Devices > Monitor > Devices with restricted apps.

Figure 14 Intune Prohibited App report

Organizations can create a compliance policy that checks for the restricted application and marks the device as non-compliant.

Figure 15 Intune iOS Compliance Policy

Figure 16 Devices marked as non-compliant from policy

Additionally, organizations can create conditional access policies that check device compliance and deny access to an organization's services. Organizations can even prompt the user with terms of service related to prohibited applications.

Figure 17 Azure AD Conditional Access Policy

 

APIs

M365 Defender and Intune both provide a rich set of APIs that can be used to pull information into other systems the organization may be using (e.g., SIEM, Power BI, etc.).

Below is an example of using the MDE API to look up TikTok in the software inventory.

Figure 18 Example MDE API return
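As an added example (not the post's or Microsoft's own code), the Python below does programmatically what Figure 18 shows in the portal and what the Network Blocks section describes for IOC creation: it queries the MDE software inventory (GET /api/Software, then GET /api/Software/{id}/machineReferences for the exposed devices) and builds the request body for the MDE Indicators API (POST /api/indicators) to block, warn on, or audit a TikTok domain or URL. The endpoint paths, token flow and indicator field names are taken from the public MDE API documentation; the tenant and app-registration values are placeholders, and the inventory response used offline is constructed for the example (the real API's software ids differ).

```python
"""MDE API helpers: find TikTok in the software inventory and build a
URL/domain indicator payload. Added example; not the blog's or Microsoft's code.
Tenant/app values are placeholders; SAMPLE_INVENTORY is constructed."""
import json
import urllib.parse
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com/api"
TENANT_ID = "<tenant-id>"        # placeholder
CLIENT_ID = "<app-client-id>"    # placeholder
CLIENT_SECRET = "<app-secret>"   # placeholder (use a vault in practice)

# Actions the post describes for a URL/domain IOC. The API accepts others
# (e.g. Alert); the three below are the ones this example permits.
INDICATOR_ACTIONS = ("Block", "Warn", "Audit")


def get_token(tenant=TENANT_ID, client_id=CLIENT_ID, secret=CLIENT_SECRET):
    """Client-credentials token for the MDE API. The app registration needs the
    Software.Read.All permission for the inventory calls and Ti.ReadWrite for
    submitting indicators."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": secret,
        "scope": "https://api.securitycenter.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def api_call(token, path, payload=None):
    """GET (or POST when a payload is given) against the MDE API; returns JSON."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        API_BASE + path, data=data, method="POST" if data else "GET",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def find_software(inventory, needle="tiktok"):
    """Filter a software-inventory response (its 'value' array) client-side by
    name or vendor, case-insensitively."""
    needle = needle.lower()
    return [s for s in inventory.get("value", [])
            if needle in (s.get("name") or "").lower()
            or needle in (s.get("vendor") or "").lower()]


def exposed_machines(token, software_id):
    """Devices on which a given software id is installed."""
    return api_call(token, f"/Software/{software_id}/machineReferences")["value"]


def build_indicator(value, action="Block", indicator_type="DomainName",
                    title="TikTok (OMB M-23-13)"):
    """Request body for POST /indicators. indicator_type is 'DomainName' for a
    bare domain or 'Url' for a full URL, matching the portal's URL/Domain IOC."""
    if action not in INDICATOR_ACTIONS:
        raise ValueError(f"action must be one of {INDICATOR_ACTIONS}")
    if indicator_type not in ("DomainName", "Url"):
        raise ValueError("indicator_type must be 'DomainName' or 'Url'")
    return {
        "indicatorValue": value,
        "indicatorType": indicator_type,
        "action": action,
        "title": title,
        "description": "Covered application under OMB M-23-13",
        "severity": "Informational",
        "generateAlert": True,   # surfaces the user/device/URL alert shown in Figure 10
    }


def submit_indicator(token, value, **kwargs):
    return api_call(token, "/indicators", build_indicator(value, **kwargs))


# Constructed inventory response for offline use; ids/counts are illustrative.
SAMPLE_INVENTORY = {"value": [
    {"id": "tiktok-_-tiktok", "name": "tiktok", "vendor": "tiktok", "exposedMachines": 3},
    {"id": "microsoft-_-edge", "name": "edge", "vendor": "microsoft", "exposedMachines": 120},
]}


if __name__ == "__main__":
    # Offline demonstration only; swap in get_token() + api_call(token, "/Software")
    # for the live inventory.
    for sw in find_software(SAMPLE_INVENTORY):
        print(f"{sw['id']}: {sw['exposedMachines']} exposed device(s)")
    print(json.dumps(build_indicator("tiktok.com"), indent=2))
```

The inventory call only covers the mobile app found through MTD; as the Discover/Identify section explains, the Windows PWA is not in the inventory and has to be found with Advanced Hunting. Each additional TikTok domain from the organization's vetted list is submitted as its own indicator.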

 

 

Additional information

Here are some additional links to information related to the topics in the blog.

Access the Microsoft Defender for Endpoint APIs | Microsoft Learn
Intune Graph API - Reports and properties | Microsoft Learn
Terms of use in Azure Active Directory - Microsoft Entra | Microsoft Learn
iOS/iPadOS device settings in Microsoft Intune | Microsoft Learn
Use network protection to help prevent connections to bad sites | Microsoft Learn
Microsoft Defender Vulnerability Management | Microsoft Learn

 

 

 

 

Last update: Apr 07 2023 06:20 PM