Block TikTok using Intune device compliance policy and Conditional Access

This blog post will show you how to Block TikTok Microsoft Intune on iOS and Android. This strategy can be used for any app.

TikTok was recently caught accessing user clipboard data when running in the background, potentially exposing passwords or other sensitive data. The behaviour was revealed because of a new feature in iOS 14, and it’s unclear how long it had been present in the app. TikTok has since removed the feature, but the privacy scare underscored long-standing privacy concerns over the app, which is owned by China-based ByteDance.

The NY Times also reported that TikTok has been under scrutiny as a potential national security threat. Amazon has also asked its employee to remove TikTok from their corporate phone to keep email access.

So, with all this information, it’s possible that your company asks you to block TikTok from your corporate devices. This post will show you how to bloc TikTok using Microsoft Intune device compliance policy and Conditional Access.

Can we block the TikTok app in an enterprise environment? You can’t block users from installing it and using it, but you can block their company access if they are.

If you’re starting with Intune, you may be tempted to use a device configuration profile and use an Application Restriction policy. This look like exactly done for that… but after trying it ourselves for hours, we never got it to work. The documentation is poorly made and the troubleshooting tools and reports are just bad. Impossible to know what’s wrong with our policy.

So we didn’t stop there and we decide to go with a good old Device Compliance policy. In short, the policy checks for our app (TikTok) and mark the device as “Non-Compliant”. After, we’ll set up a Conditional Access policy to block all devices that is not compliant to company resources.

Block TikTok Microsoft Intune – Device compliance policy and Conditional Access

iOS

We will start by show how to block Tiktok on iOS.

Bundle IDs for native iOS and iPadOS apps are all well documented but third party app is more tricky to find. The easiest way is to use the method documented in this blog post. In our case, we found the Tik Tok App BundleID: com.zhiliaoapp.musically

At the end of this post, we gather some popular BundleID for you to use if you want to block more app than just Tiktok.

Now that we have the BundleID, we’ll create our Device Compliance Policy.

• To block TikTok app with Intune, navigate to https://portal.azure.com and click on Intune
• Click on Device compliance / Policies and Create Policy
• Platform: iOS/iPadOS
• Click Create at the bottom

• In the Basic tab, enter a Name and Description, click Next

• On the  iOs Compliance Policy tab, select System Security
• In Restricted Apps , enter a friendly name and the App BundleID
  • Name : TikTok
  • Bundle ID : com.zhiliaoapp.musically
• Click Next

• In the Action for Compliance tab
• Keep the Mark device noncompliant at 0
• I like to add a Send Email to end User option to notify the user. Once selected, you need to select the message template. If you haven’t created a template yet, skip this step, you could come back and add it later.
• Click Next

• In the Scope tab, select a scope. We leave it to the Default scope, click Next

• iOS Compliance Policy must be assigned to groups of users.
• On the Assignment tabs, Select the group you want to deploy your restriction to. We select our Test groups, click Next

• On the Review + Create tab, select Create at the bottom

Android

The Android version is pretty similar to a single change at the start. Follow all iOS steps except when creating your policy, select Android

• Click on Device compliance / Policies and Create Policy
• Platform: Android Device Administrator
• Click Create at the bottom

Conditional Access Policy

Now that we have a Device Compliance Policy, we must create a Conditional Access Policy to decide what to do with our non-compliance devices.

If you’re not familiar with Conditional Access Policy, read the Microsoft documentation as you can lock the user out your company resources.

• In the Intune Portal click Conditional Access

• Click Policy / New Policy

• Enter a Policy Name
• Click User and Groups, select the group you want to target with your policy. We select our Test group

• In Cloud Apps or actions, select All Cloud App. Full list of cloud app is available on the Microsoft documentation

• In Conditions, select Device Platforms and select iOS (and Android – if applicable)

• Still in Conditions, select Client App and select Browser and Mobile Apps and desktop clients – More information

• In Access Controls, select Grant Access and Require Device to be marked as compliant. This is where we are saying to grant access only to compliant device (based on if there’s TikTok on the device)

• At the bottom, enable your policy and click Save

Block TikTok Microsoft Intune – End UserResults

We will now test our configuration. Wait a couple of minutes for the Policy to synchronise.

• Go to Device Compliance/ Policies
• Select the TikTok policy and select Device Status under Monitor
• Ensure that your test devices are Compliant. My device is compliant because I don’t have the TikTok app installed.

• In the Company Portal, I check my device compliance status. Since my phone is compliant, I can access comany ressource.

• I’ll now add TikTok and see how it goes
• My Company Portal is now reporting that I must update my setting and that I may not be able to access company resources.
• Let’s press on Check Status

• I got the notification to uninstall the App to meet company policy

• I also received an email since I enable the notification in my device policy

• If I try to access a cloud app, I’m not able to access it.

• The only way to regain access it to remove the restricted app which is exactly what we want to do.

We hope this blog post helped achieve your security policy. Let us know what are you blocking

Popular App BundleID

Here are some of the most common asked app to be blocked in a corporate environment

• RSA SecureID: com.rsa.securid.iphone.SecurID
• Zoom Meeting : us.zoom.videomeetings
• Google Meet : com.google.meetings
• Webex Meeting : com.webex.meeting
• Goto Webinar : com.logmein.gotowebinar
• Goto Meeting : com.logmein.gotomeeting
• Slack : com.tinyspeck.chatlyio
• Messenger : com.facebook.Messenger
• Whatsapp Business : net.whatsapp.WhatsAppSMB
• Adobe Scan : com.adobe.scan.ios