Summary of action
EPM is blocking access to the below listed applications and services on all devices enrolled in EPM using In order to facilitate adhering to the EO easily and in an enterprise way, Microsoft Defender for Endpoints .
|
|
|
|
|
|
|
|
|
|
| |
|
|
|
|
|
|
Estimated timelines
Windows and iOS:
Testing with TRECS and eligible academic ITSOs from 12/19/22 to 12/22/22. Successful testing criteria: 100% of devices enrolled block access to TikTok across all browsers. No other network activity is impacted.
In production globally on 1/02/23.
macOS:
Testing with TRECS and eligible academic ITSOs from 12/20/22 to 12/22/22. Successful testing criteria: 100% of devices enrolled block access to TikTok across all browsers. No other network activity is impacted.
In production globally as of 01/02/23.
Windows
Requirements:
ITSOs must be onboarded to MECM and MDE and have removed any 3rd party antivirus (ex: Amp, Norton, etc)
Steps:
Configuration Manager Introduction and Onboarding
Microsoft Defender for Endpoint (MDE) Introduction and Onboarding
Support notes:
Systems should be running a supported release version to be compatible with Network Protection in order for the block to be successfully applied.
Windows 10 any supported release version
Windows 11 any supported release version
End-user experience:
Some may see a SmartScreen notice such as the one below, many will see the various TikTok related domains returning an error that it's not available. 
Since the apps requires Edge, they will see the SmartScreen notification even if their default browser is set to something else:
The Windows Security message will appear for anyone attempts to open TikTok or a TikTok cookie is active in the background. If the notification is showing up persistently, cookies will need to be cleared from the browser going back to before TikTok was accessed.
Apple
iOS:
Requirements:
iPad, or iOS device Supervised* and enrolled in central Jamf instance
Steps:
Configuration profile will be scoped globally. No additional steps are needed from ITSOs to take advantage of the TikTok block provided by EPM
Support notes:
*iOS devices are supervised when enrolled via Automated device enrollment. This can be accomplished using Apple School Manager or Apple Configurator 2. On device you will see "This device is supervised and managed by University of Texas as Austin" in the top most area of the settings app.
End-user experience:
TikTok app will be removed from the iOS device if installed. If an end user tries to navigate to a TikTok URL they will see "You cannot browse this page at "tiktok.com" because it is restricted"
MacOS:
Requirements:
macOS computer is enrolled into the central Jamf Instance
Steps:
After the Jamf policy has been installed, the web browser will need to be quit for changes to take effect. If the browser is left running during installation, the URL redirect will not be enforced until it is next opened
macOS Policy will be scoped globally. No additional steps are needed from ITSOs to take advantage of the TikTok block provided by EPM
Support notes:
Policy is set to run at next check in of machine. (0-15 minute check in)
End-user experience:
On macOS we are routing all TikTok URLs to a dead IP address. End users will see a failed to load webpage unique to the browser they are using. (ex: Safari can't open the page because the address isn't valid) No app exists for TikTok on macOS.
| borderColor | black |
|---|---|
| titleColor | white |
| titleBGColor | #005f86 |
| borderStyle | solid |
| title | Section Content |
has been selected to achieve this. In order for MDE to reliably apply all of the protections required, Cisco AMP must be removed. Having Cisco AMP installed side-by-side with MDE places MDE in passive mode which cannot effectuate the protections required by the EO. To that end EPM has identified 543 Windows endpoints and 1,480 MacOS endpoints with some named version of AMP installed, that will have to be removed to meet the requirements.
| Table of Contents | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Configuration Manager has a Software Package already available to begin this. It is available for ITSOs to apply today to get ahead. Given the breadth and depth of the AMP installs, this package may not get everything installed on an endpoint. It uses the vendor prescribed method, but there may be conditions that exist on your endpoints that prevent the vendor method from succeeding, so please be vigilant if you deploy the package ahead of EPM.
Jamf has made the Cisco AMP removal script created by LAITS globally available.
In Scope:
All EPM enrolled endpoints are required to remove AMP
Out of scope:
Servers
Impact:
The removal of AMP will require a reboot
Timeline:
AMP will removed by EPM on February 25th - however, we ask ITSOs to be vigilante and act to remove AMP in advance of this timeline to ensure successful compliance.
How:
Windows
A Linkedin learning course on deploying packages and programs in Configuration Manager.
If a password was set on the installer follow this process provided by Cisco https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215440-procedure-to-uninstall-the-amp-connector.html
Jamf
A is a link to the global script to remove AMP that ITSOs can use to deploy to their site.
https://mdm.utexas.edu/view/settings/computer-management/scripts/1010?tab=script
Note: this script requires a user to be logged in for successful deployment.
Search UT EPM Documentation |
|---|
Service Links |
|---|
Get Help |
|---|
EPM is available to IT Support Organizations (ITSOs) with any endpoint management questions. If you have a question about a specific endpoint client, please reach out to your local endpoint client support organization. |
SERVICE STATUS |
|---|
|
Section Content