Every now and then there is bad news about a (mobile) app, for all kinds of reasons: encryption isn't in place, the Chinese government might be using the app to spy on the whole world, or whatever other reason.
Whatever the reason is, it might be a reason for companies to block the app on end-user devices that have access to corporate data. With Microsoft Intune (Endpoint Manager) we have the possibility to block such apps on iOS and Android.
For each operating system we need a different approach. On iOS we don't have an option to block the installation of an app; we need to use a Compliance Policy to block access to corporate data as soon as a restricted app is installed.
On Android, we do have a way to block the installation of the app on a mobile device.
To write this post, I used the popular mobile app TikTok.
Block TikTok on Android devices
On Android, at the moment of writing, we have two management solutions, Fully Managed and Work Profile (Corporate Owned, Personally Enabled (COPE) is coming in Preview very soon). If you only allow corporate work apps on a Fully Managed device, there is no need for this configuration, as the public Play Store cannot be accessed to download personal apps. The same applies to the Work Profile section on a personal device.
This configuration is only applicable for Fully Managed devices where access to the public Play Store is allowed and probably will be applicable for Android COPE devices.
An app like TikTok can be blocked on an Android device by assigning the app as Uninstall. This makes sure the app isn't shown in the Play Store.
- Sign-in to the Endpoint Manager admin center
- Browse to Apps – Android app
- Click + Add
- Choose Managed Google Play app as App type
- Click Select
- Search for the app you want to block, in this case, TikTok
- Click on the app to open it
- Click Approve (Twice)
- Click Done
- Back in the Google Play Store search screen click Sync in the top left corner
- Back in the Endpoint Manager admin center app view, open the app as soon as the sync is finished
- Click Properties
- Click Edit next to Assignments
- Under Uninstall assign the app to a group or for example to All Devices
- Click Review + save – Click Save
That's all for blocking TikTok on our Intune managed Android devices.
End-user experience on Android
To show the end-user experience on an Android device I only need one screenshot. As you can see, I searched in the (public) Google Play Store for TikTok, but the app isn't available for installation.
Now let's also have a look at what we need to configure to block TikTok on iOS devices.
Block TikTok on iOS devices
Unfortunately, we don't have a solution to block the installation of apps on iOS. For iOS, we need to have a Compliance Policy in place, which blocks non-compliant devices from accessing corporate data. In a Compliance Policy we add the app Bundle ID of TikTok, so as soon as a user installs the app, the device is marked as not compliant and access to corporate data is blocked.
I assume you have such a Compliance Policy already in place; if that's not the case, you can get some information on that by reading this article.
To find the Bundle ID of TikTok, use a browser to search for the app in the Apple App Store. At the end of the URL you'll find the app ID. Note the number after id.
Still using a browser, enter https://itunes.apple.com/lookup?id=835599320
A small txt file is downloaded. Open the file in a text editor and search for bundleId to find the Bundle ID; for TikTok that's com.zhiliaoapp.musically
This is an example for TikTok; if you want to block another app, replace 835599320 with the number you found for that app.
Now that we have found the Bundle ID, let's configure the Compliance policy in Intune.
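The manual lookup above (take the numeric id from the App Store URL, query https://itunes.apple.com/lookup?id=..., read bundleId from the returned JSON) is easy to script when you have more than one app to restrict. The following is an added example and not code from the original post: it extracts the app id from an App Store URL, builds the lookup URL, and reads the bundleId out of the JSON. It also handles apps that only exist on a regional storefront (a URL with a country segment such as /cn/), which it passes to the lookup endpoint's country parameter; the sample JSON response embedded in the block is constructed and trimmed to the keys the code uses.

```python
import json
import re
from urllib.parse import urlencode
from urllib.request import urlopen

LOOKUP_ENDPOINT = "https://itunes.apple.com/lookup"

# Matches App Store URLs such as
#   https://apps.apple.com/us/app/tiktok/id835599320
#   https://apps.apple.com/cn/app/<name>/id547166701   (regional storefront)
# and captures the optional two-letter storefront code and the numeric app id.
_STORE_URL_RE = re.compile(
    r"https?://(?:apps|itunes)\.apple\.com/(?:(?P<country>[a-z]{2})/)?.*?/id(?P<app_id>\d+)(?:[/?#]|$)"
)


def app_id_from_url(url):
    """Return (app_id, country) from an App Store URL, or None if it is not one."""
    m = _STORE_URL_RE.match(url.strip())
    if not m:
        return None
    return m.group("app_id"), m.group("country")


def lookup_url(app_id, country=None):
    """Build the lookup URL; apps on a regional storefront need country= as well."""
    params = {"id": str(app_id)}
    if country:
        params["country"] = country
    return LOOKUP_ENDPOINT + "?" + urlencode(params)


def bundle_id_from_lookup(response_text, app_id):
    """Parse the lookup JSON and return the bundleId of the result whose trackId matches."""
    data = json.loads(response_text)
    for result in data.get("results", []):
        if str(result.get("trackId")) == str(app_id):
            return result.get("bundleId")
    # resultCount 0: wrong storefront for this app, or the id does not exist.
    return None


def fetch_bundle_id(url, timeout=10):
    """Network version: resolve an App Store URL to its bundle ID (not exercised offline)."""
    parsed = app_id_from_url(url)
    if parsed is None:
        raise ValueError("not an App Store URL: %s" % url)
    app_id, country = parsed
    with urlopen(lookup_url(app_id, country), timeout=timeout) as resp:
        return bundle_id_from_lookup(resp.read().decode("utf-8"), app_id)


# Constructed sample of the lookup response for TikTok, trimmed to the keys used above.
SAMPLE_LOOKUP_RESPONSE = json.dumps({
    "resultCount": 1,
    "results": [
        {"trackId": 835599320, "trackName": "TikTok", "bundleId": "com.zhiliaoapp.musically"}
    ],
})

if __name__ == "__main__":
    app_id, country = app_id_from_url("https://apps.apple.com/us/app/tiktok/id835599320")
    print(lookup_url(app_id, country))
    print(bundle_id_from_lookup(SAMPLE_LOOKUP_RESPONSE, app_id))
```

The value returned by bundle_id_from_lookup is what goes into the Bundle ID field under Restricted apps; a None result means the lookup found nothing for that id on that storefront, so check the country segment of the URL before assuming the app does not exist.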
- Switch back to the Endpoint Manager admin center
- Browse to Devices – iOS/ iPadOS
- Browse to Compliance policies
- Click + Create Policy
- Choose iOS/ iPadOS as Platform
- Click Create
- Give the policy a Name
- Enter a Description (Optional)
- Click Next
- Open System Security
- Under Restricted apps enter the app Name and Bundle ID
- Click Next
Assign the policy to a security group of choice or to All Users.
End-user experience on iOS
The user is still able to install the mobile app on iOS, but as soon as the restricted app is installed, the device is marked as not compliant.
If you click You need to update settings on this device, the reason why the device is marked as not compliant is shown, along with which app needs to be uninstalled to become compliant again.
Side note
For iOS, in the Device Restrictions profile, we also find a setting which mentions Restricted apps.
Where the description states Device enrollment and automated device enrollment, this setting is only applicable to Apple Business Manager (formerly known as DEP) enrolled devices. And it only provides reporting functionality; it does not block the installation of prohibited apps.
I'd like to thank Jeroen Burgerhout for inspiring me to write this article 🙂
Thank you for reading my post and happy testing!
3 Comments
For iOS you can also use the standard ABM/DEP MDM function to "Show or Hide" apps to block prohibited apps. Setting apps as "Hidden" in Intune will effectively remove them from the user's device. Yes, they can see the app in the App Store, but will not be able to run it.
I tried to do this, but when I block an app with a Chinese URL, for example https://apps.apple.com/cn/app/%E7%99%BE%E5%BA%A6%E7%BD%91%E7%9B%98-%E9%87%8A%E6%94%BE%E6%89%8B%E6%9C%BA%E7%A9%BA%E9%97%B4/id547166701, it displays an error in the Intune portal.
When I follow this, once I get to where I can select TikTok, the Select button never changes. There is no Approve button.