Summary of action
EPM is blocking access to the applications and services listed below on all devices enrolled in EPM, using Microsoft Defender for Endpoint (MDE).
This document details a planned approach to blocking restricted applications, domains, and services using Microsoft Defender and DNS network restrictions. UT Austin is currently out of compliance with Executive Order GA-48. The targeted applications to be blocked according to the Governor's Executive Order include:
Alipay
Estimated timelines
Windows and iOS:
Testing with TRECS and eligible academic ITSOs from 12/19/22 to 12/22/22. Success criteria: 100% of enrolled devices block access to TikTok across all browsers, and no other network activity is impacted.
In production globally on 1/02/23.
macOS:
Testing with TRECS and eligible academic ITSOs from 12/20/22 to 12/22/22. Success criteria: 100% of enrolled devices block access to TikTok across all browsers, and no other network activity is impacted.
In production globally as of 01/02/23.
Windows
Requirements:
ITSOs must be onboarded to MECM and MDE and must have removed any 3rd-party antivirus (e.g. Cisco AMP, Norton).
Steps:
Configuration Manager Introduction and Onboarding
Microsoft Defender for Endpoint (MDE) Introduction and Onboarding
Support notes:
Systems must be running a supported release version for Network Protection to be available; without it the block is not applied.
Windows 10 any supported release version
Windows 11 any supported release version
End-user experience:
Some users will see a SmartScreen notice; most will see the various TikTok-related domains returning an error that the site is not available.
Since the TikTok app relies on Edge, users will see the SmartScreen notification even if their default browser is set to something else.
The Windows Security message will appear for anyone who attempts to open TikTok, or while a TikTok cookie is active in the background. If the notification shows up persistently, browser cookies will need to be cleared back to before TikTok was accessed.
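The success criteria above (restricted domains blocked in every browser, nothing else affected) can be checked from an enrolled Windows host without a browser at all, because Network Protection drops the connection below the HTTP layer. The script below is an added example written for this page, not code from the original document or from Microsoft. The restricted domains are the ones named on this page; the control domain utexas.edu is an assumption chosen for illustration, and the ten-minute event-log window is arbitrary.

```powershell
# Added example (not from the original page). Run on a Windows host enrolled
# in MDE with Network Protection in block mode. Exit code = number of
# domains whose result did not match expectation.

$restricted = @('tiktok.com', 'www.tiktok.com')   # domains named on this page
$control    = @('utexas.edu')                      # ASSUMPTION: unaffected control traffic

function Test-Reachable {
    param([string]$Domain)
    try {
        $null = Invoke-WebRequest -Uri "https://$Domain/" -UseBasicParsing -TimeoutSec 15
        return 'reachable'
    } catch {
        # An HTTP error (4xx/5xx) still means the connection went through;
        # a missing Response object means the connection itself was refused
        # or timed out, which is how a Network Protection block looks here.
        if ($_.Exception.Response) { return 'reachable' }
        return 'blocked'
    }
}

$failures = 0
foreach ($d in $restricted) {
    $r = Test-Reachable $d
    if ($r -ne 'blocked') { $failures++ }
    Write-Output ("{0,-20} expected blocked   got {1}" -f $d, $r)
}
foreach ($d in $control) {
    $r = Test-Reachable $d
    if ($r -ne 'reachable') { $failures++ }
    Write-Output ("{0,-20} expected reachable got {1}" -f $d, $r)
}

# Network Protection logs event 1126 (block mode) or 1125 (audit mode) in the
# Defender operational log. A 'blocked' result above should be backed by an
# 1126 event; a block with only 1125 events means the policy is still in audit.
$since = (Get-Date).AddMinutes(-10)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1125, 1126
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

exit $failures
```

A connection timeout from an unrelated outage also reads as 'blocked', which is why the event-log step matters: only a 1126 event ties the failure to Network Protection rather than to the network.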
Apple
iOS:
Requirements:
iPadOS or iOS device, supervised* and enrolled in the central Jamf instance
Steps:
Configuration profile will be scoped globally. No additional steps are needed from ITSOs to take advantage of the TikTok block provided by EPM
Support notes:
*iOS devices are supervised when enrolled via Automated Device Enrollment. This can be accomplished using Apple School Manager or Apple Configurator 2. On the device you will see "This device is supervised and managed by University of Texas at Austin" in the topmost area of the Settings app.
End-user experience:
The TikTok app will be removed from the iOS device if installed. If an end user tries to navigate to a TikTok URL they will see "You cannot browse this page at "tiktok.com" because it is restricted".
MacOS:
Requirements:
macOS computer is enrolled into the central Jamf Instance
Steps:
After the Jamf policy has run, the web browser must be quit for the change to take effect. If a browser is left running during installation, the URL redirect is not enforced until the browser is next opened.
macOS Policy will be scoped globally. No additional steps are needed from ITSOs to take advantage of the TikTok block provided by EPM
Support notes:
The policy is set to run at the machine's next check-in (check-ins occur every 0-15 minutes).
End-user experience:
On macOS we route all TikTok URLs to a dead IP address, so end users see the failed-to-load page of whichever browser they are using (for example, Safari: "Safari can't open the page because the address isn't valid"). No TikTok app exists for macOS.
Objectives
Demonstrate compliance with Executive Order GA-48/Texas State law:
For Managed Endpoints - Use Microsoft Defender for Endpoint (MDE) on macOS and Windows for a modern, automated, and unified enterprise solution
For Unmanaged Endpoints - Rely on network controls (DNS)
To successfully provide the most coverage for blocking restricted technology, Cisco AMP will need to be removed from workstations in favor of MDE.
Schedule
Testing of added application block for the week of February 21st
ITSO testing of the Cisco AMP removal process during the week of February 21st
ITSOs verify MDE is not in passive mode by Feb 26th
Begin blocking all restricted applications for MDE and Networking DNS on COB Thursday February 27th
QA for Managed Endpoints using MDE
Already completed testing:
The proposed blocking solution leveraging MDE will be using the same mechanisms that have been in place for 2 years on Windows devices with the TikTok block. The primary change is moving from manual curation to an automated vendor supported solution so that we can more easily include an expanded list of restricted technologies.
The EPM team has blocked DeepSeek on all MDE enrolled devices using the new capability and curated list from Microsoft, as it was in use by a limited audience (86 out of 18,459) and the block was successful with no unintended consequences.
Testing and publication of the Cisco AMP removal process
Identify another low use application to enroll in blocking by COB February 19th
Next Steps:
Publish the results to the EPM committee by February 21st
What to Expect
Networking: Implement DNS filtering of restricted technologies and applications in alignment with MDE
EPM: Enact block of restricted technologies and applications via MDE Network Protection
EPM: Remove Cisco AMP from all workstations and install MDE
ITSOs: Responsible for ensuring MDE is on all devices and not in passive mode.
End User Experience: End users will experience limitations in accessing certain restricted applications on university-owned devices and via the UT network.
Applications will not be uninstalled from devices.
Personal devices are out of scope for EPM management and will not be controlled by MDE.
Examples of alerts for an end-user:
Risks and Challenges
UT Austin must attest to compliance with this state law, and it is likely that UT will be audited. If the proposal is not adopted, UT Austin will be in violation of Texas state law, leaving UT liable and exposed to legal action.
The MDE block solution is all or nothing: every device using MDE will receive the restricted-application blocks required by the EO. Exceptions will require unenrolling the device from management.
A risk of EPM removing AMP is that some ITSOs may have set Group Policy or Local Policy to disable Defender while AMP was the active product, so that after AMP is removed Defender does not re-enable. Those endpoints could be left without required Threat and Vulnerability Management software such as anti-virus, and without the Network Protection block.
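The schedule requires ITSOs to verify that MDE is not in passive mode, and the risk just described is that a leftover policy keeps Defender disabled or passive after AMP is gone. The readiness check below is an added example written for this page, not a script from the original document or from Microsoft; it reads only documented Defender cmdlet output and registry locations, and reports every condition that would leave a device outside the EO block. The list of policy values checked is an assumption about which settings are commonly used to suppress Defender, not a statement of what any ITSO has configured.

```powershell
# Added example (not from the original page): MDE readiness check for the EO
# block. Verifies (1) onboarding to MDE, (2) Defender is the active AV and not
# passive, (3) no Group/Local Policy value keeps Defender off or passive,
# (4) Network Protection is in block mode, (5) no other AV is still registered.
# Run elevated on the endpoint. Exit code 0 = ready, 1 = findings reported.

$findings = New-Object System.Collections.Generic.List[string]

# 1. The sensor records OnboardingState = 1 once the device is onboarded to MDE.
$status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
if (-not $status -or $status.OnboardingState -ne 1) {
    $findings.Add('Device is not onboarded to MDE (OnboardingState != 1).')
}

# 2. After a third-party AV is removed, AMRunningMode must return to 'Normal'.
#    'Passive Mode' or 'SxS Passive Mode' means another product is still
#    registered or passive mode has been forced by policy.
$mp = Get-MpComputerStatus
if ($mp.AMRunningMode -ne 'Normal') {
    $findings.Add("Defender AMRunningMode is '$($mp.AMRunningMode)', expected 'Normal'.")
}
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    $findings.Add('Defender antivirus or real-time protection is disabled.')
}

# 3. Policy values (ASSUMPTION: the common ones) that keep Defender disabled or
#    passive even after AMP is gone. Newer builds ignore DisableAntiSpyware, but
#    its presence still shows that someone configured Defender off.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection';    Name = 'ForceDefenderPassiveMode' }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($v -eq 1) {
        $findings.Add("Policy value $($c.Path)\$($c.Name) = 1 keeps Defender disabled/passive; remove it via GPO or Local Policy.")
    }
}

# 4. Network Protection: 0 = disabled, 1 = block, 2 = audit. Only block mode
#    enforces the restricted-domain list; audit mode only logs.
$np = (Get-MpPreference).EnableNetworkProtection
if ($np -ne 1) {
    $findings.Add("EnableNetworkProtection is $np; expected 1 (block mode).")
}

# 5. Any non-Defender AV still registered with Security Center keeps Defender
#    passive. The namespace exists on client SKUs only, hence SilentlyContinue.
$otherAv = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Where-Object { $_.displayName -notlike '*Defender*' }
foreach ($p in $otherAv) {
    $findings.Add("Third-party AV still registered: $($p.displayName)")
}

if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): MDE ready for EO block enforcement."
    exit 0
}
Write-Output "$($env:COMPUTERNAME): NOT ready"
$findings | ForEach-Object { Write-Output " - $_" }
exit 1
```

The exit code makes the script usable as a Configuration Manager compliance script or a scheduled check, so the "not in passive mode" verification can be collected centrally rather than reported by hand.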
Exceptions
Based on DIR’s guidance:
ITSOs will follow the current exception process to submit a request.
The ISO will review and when ready, the request will then go to Legal Affairs for review, as well as the President for internal awareness/approval.
After the President’s review, the request will then be submitted to the Board of Regents for awareness and also to DIR for review/approval.
Communication Plan
Clear and consistent communication will be maintained with all stakeholders to ensure awareness and understanding of the blocking measures.
| Communication | Channels of Communication | Audience |
|---|---|---|
| UT Legal to send out announcement of need to comply with new EO | University Wide Email | Campus Wide |
| ISO to announce legal requirement to block restricted technology and what to expect, as well as the implementation date (see above) | UT IT Community, ISO website | Campus Wide |
| EPM cross-posts ISO announcement on Teams | EPM ITSO Teams Channel | ITSO admins |
| EPM email to ITSOs | IT Updates UT List | Campus IT Community |
| Networking announcements: more communication and engagement will follow from the Networking team once a DNS filtering process is in place | IT Updates UT List | Campus IT Community |
Technical Implementation
Managed Endpoints:
Windows hosts in MDE: Select applicable services to block from the available list.
macOS hosts in MDE: Implement similar blocking measures as Windows hosts.
Unmanaged Endpoints:
Rely on network-based filters to block restricted applications.
General Approach
On managed endpoints, move toward name-based filtering at the endpoint of the domains associated with prohibited services
Maintenance of associated domains will be handled by Microsoft
Categories/names of services in MDE to be blocked to be decided by ISO and Legal
For unmanaged hosts DNS domain resolution filtering will be used
Networking will implement DNS firewalling on the campus DNS resolver
Domains will align with the Microsoft-curated domains in MDE
Scope
UT-owned, centrally managed devices 29,654
Policy prohibits installation and use of prohibited technologies
Enforcement via EPM/MDE controls
Controls applied on device and enforced on and off campus
UT-owned, non-centrally managed devices ~2,225*
Policy prohibits installation and use of prohibited technologies
Enforcement via network controls while device connected to UT network
Non-UT-owned devices ~300,000
Enforcement via network controls while device connected to UT network
Managed Endpoints
Windows hosts in MDE
Select applicable services to block from available list
macOS hosts in MDE
Select applicable services to block from available list
Unmanaged Endpoints
Rely on network controls (DNS)
Network
DNS filtering implemented on campus DNS resolvers
Align filter lists with domains associated with blocked services in MDE (updated daily)
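For unmanaged devices the only control is the campus resolver, so the check that matters is whether a restricted name resolves differently on campus than it does elsewhere. The script below is an added example written for this page, not a script from the original document or from the Networking team. The campus resolver address is a placeholder parameter, the reference resolver 1.1.1.1 and control domain utexas.edu are assumptions for illustration, and the page does not say whether the DNS firewall answers NXDOMAIN or a sinkhole address, so the script treats either a name error or a non-routable answer as "filtered" (also an assumption).

```powershell
# Added example (not from the original page): compare campus vs. reference
# resolver answers for restricted and control domains. Exit code = number of
# domains whose filtering state did not match expectation.
param(
    [string]$CampusResolver    = '10.0.0.53',   # ASSUMPTION: placeholder, replace with the UT resolver
    [string]$ReferenceResolver = '1.1.1.1'      # ASSUMPTION: any unfiltered public resolver
)

$restricted = @('tiktok.com', 'www.tiktok.com')   # domains named on this page
$control    = @('utexas.edu')                      # ASSUMPTION: must keep resolving normally

function Get-Answer {
    param([string]$Name, [string]$Server)
    try {
        $recs = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        $a = $recs | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
        if ($a) { return ($a -join ',') } else { return 'NOANSWER' }
    } catch {
        # NXDOMAIN (the usual RPZ answer) surfaces as a terminating error here.
        return 'NXDOMAIN/ERROR'
    }
}

function Test-Filtered {
    param([string]$Answer)
    if ($Answer -eq 'NXDOMAIN/ERROR' -or $Answer -eq 'NOANSWER') { return $true }
    foreach ($ip in $Answer.Split(',')) {
        # ASSUMPTION: a sinkhole answer is 0.0.0.0, loopback or RFC1918 space;
        # any routable public address means the name was not filtered.
        if ($ip -notmatch '^(0\.0\.0\.0$|127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)') { return $false }
    }
    return $true
}

$failures = 0
foreach ($d in ($restricted + $control)) {
    $campus   = Get-Answer $d $CampusResolver
    $ref      = Get-Answer $d $ReferenceResolver
    $expected = $restricted -contains $d
    $actual   = Test-Filtered $campus
    if ($actual -ne $expected) { $failures++ }
    Write-Output ("{0,-20} campus={1,-24} reference={2,-24} filtered={3} expected={4}" -f $d, $campus, $ref, $actual, $expected)
}
exit $failures
```

Comparing the campus answer against a reference resolver rather than against a fixed IP list avoids false alarms from geo-distributed CDN answers, which legitimately differ between resolvers; the page says the filter lists are refreshed daily, so this check belongs in the same cadence.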
Reference for Compliance and Security
Required according to Texas State law
https://dir.texas.gov/information-security/covered-applications-and-prohibited-technologies