Texas Block 2.0 Blocking Apps/Services in adherence to Executive Order GA-48
Summary of action
This document details a planned approach to blocking restricted applications, domains, and services using Microsoft Defender and DNS network restrictions. UT Austin is currently out of compliance with Executive Order GA-48. The targeted applications to be blocked according to the Governor's Executive Order include:
Objectives
Demonstrate compliance with Executive Order GA-48/Texas State law:
For Managed Endpoints - Use Microsoft Defender for Endpoints (MDE) on MacOS and Windows for a modern, automated, and unified enterprise solution
For Unmanaged Endpoints - Rely on network controls (DNS)
To successfully provide the most coverage for blocking restricted technology, Cisco AMP will need to be removed from workstations in favor of MDE.
Schedule
Testing of added application block for the week of February 21st
ITSO testing of the Cisco removal process during the week of February 21st
ITSOs verify MDE is not in passive mode by Feb 26th
Begin blocking all restricted applications for MDE and Networking DNS on COB Thursday February 27th
QA for Managed Endpoints using MDE
Already completed testing:
The proposed blocking solution leveraging MDE will be using the same mechanisms that have been in place for 2 years on Windows devices with the TikTok block. The primary change is moving from manual curation to an automated vendor supported solution so that we can more easily include an expanded list of restricted technologies.
The EPM team has blocked DeepSeek on all MDE enrolled devices using the new capability and curated list from Microsoft, as it was in use by a limited audience (86 out of 18,459) and the block was successful with no unintended consequences.
The testing and publication of the Cisco AMP removal process
Identify another low use application to enroll in blocking by COB February 19th
Next Steps:
Publish the results to the EPM committee by February 21st
What to Expect
Networking: Implement DNS filtering of restricted technologies and applications in alignment with MDE
EPM: Enact block of restricted technologies and applications via MDE Network Protection
EPM: Remove Cisco AMP from all workstations and install MDE
ITSOs: Responsible for ensuring MDE is on all devices and not in passive mode.
End User Experience: End users will experience limitations in accessing certain restricted applications on university-owned devices and via the UT network.
Applications will not be uninstalled from devices.
Personal devices are out of scope for EPM management and will not be controlled by MDE.
Examples of alerts for an end-user:
Risks and Challenges
UT Austin must attest to compliance with this state law, and it’s likely we’ll be audited. If the proposal isn’t adopted, UT Austin will be in violation of Texas State Law, which will make UT liable and vulnerable to legal action.
The MDE block solution will be all or nothing. All devices using MDE will receive the EO-compliant restricted application blocks. Exceptions will require unenrolling from management.
A risk of EPM removing AMP is that some administrators may have enabled a Group or Local Policy that disables Defender, so that once AMP is removed, Defender will not re-enable. Such endpoints could be left without required threat and vulnerability management software such as antivirus.
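The passive-mode verification ITSOs are asked to do and the disabled-by-policy risk above can be checked on a Windows host with a single readiness script. This is an added example, not part of the original plan; it uses standard Defender cmdlets and documented policy registry values, and the Cisco AMP service-name pattern it looks for is an assumption.

```powershell
# Added example (not from the original plan): readiness check for the MDE application block.
# Reports Defender not being the active AV (passive mode), Network Protection not enabled,
# policy values that keep Defender off after a third-party AV is removed, and a leftover
# Cisco AMP service. The 'CiscoAMP*' service name pattern is an assumption.
function Test-MdeBlockReadiness {
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = @()

    # 1. Defender must run in 'Normal' mode; in passive mode Network Protection does not block.
    if ($status.AMRunningMode -ne 'Normal') {
        $findings += "Defender running mode is '$($status.AMRunningMode)' (expected 'Normal')"
    }

    # 2. Network Protection enforces the Microsoft-curated domain indicators (1 = Enabled, 2 = Audit).
    if ($pref.EnableNetworkProtection -ne 1) {
        $findings += "Network Protection is not in block mode (EnableNetworkProtection = $($pref.EnableNetworkProtection))"
    }

    # 3. Group/Local Policy values that prevent Defender from re-enabling once AMP is gone.
    $policyChecks = @{
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'                   = 'DisableAntiSpyware'
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection' = 'ForceDefenderPassiveMode'
    }
    foreach ($path in $policyChecks.Keys) {
        $name  = $policyChecks[$path]
        $value = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($value -and $value.$name -eq 1) {
            $findings += "Policy value $path\$name = 1 will keep Defender inactive"
        }
    }

    # 4. A still-installed Cisco AMP connector keeps Defender passive (service name assumed).
    $amp = Get-Service -Name 'CiscoAMP*' -ErrorAction SilentlyContinue
    if ($amp) {
        $findings += "Cisco AMP service still present: $($amp.Name -join ', ')"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Ready        = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage: run elevated on the endpoint; Ready = $true means the host will enforce the block.
Test-MdeBlockReadiness | Format-List
```

Hosts that report Ready = $false should be fixed before the February 27th cutover, since the MDE block is all or nothing and a passive-mode host will silently not enforce it.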
Exceptions
Based on DIR’s guidance:
ITSOs will follow the current exception process to submit a request.
The ISO will review and when ready, the request will then go to Legal Affairs for review, as well as the President for internal awareness/approval.
After the President’s review, the request will then be submitted to the Board of Regents for awareness and also to DIR for review/approval.
Communication Plan
Clear and consistent communication will be maintained with all stakeholders to ensure awareness and understanding of the blocking measures.
| Communication | Channels of Communication | Audience |
| --- | --- | --- |
| UT Legal to send out announcement of need to comply with new EO | University Wide Email | Campus Wide |
| ISO to announce legal requirement to block restricted technology and what to expect as well as the implementation date (see above) | UT IT Community, ISO website | Campus Wide |
| EPM cross-post ISO announcement on Teams | EPM ITSO Teams Channel | ITSO admins |
| EPM email to ITSOs | IT Updates UT List | Campus IT Community |
| Networking announcements: more communication and engagement will follow from the Networking team once a DNS filtering process is in place | IT Updates UT List | Campus IT Community |
Technical Implementation
Managed Endpoints:
Windows hosts in MDE: Select applicable services to block from the available list.
macOS hosts in MDE: Implement similar blocking measures as Windows hosts.
Unmanaged Endpoints:
Rely on network-based filters to block restricted applications.
General Approach
On managed endpoints, move towards DNS name-based filtering at the endpoint, based on the domains associated with prohibited services
Maintenance of associated domains will be handled by Microsoft
Categories/names of services in MDE to be blocked to be decided by ISO and Legal
For unmanaged hosts DNS domain resolution filtering will be used
Networking will implement DNS firewalling on the campus DNS resolver
Domains will align with the Microsoft-curated domains in MDE
Scope
UT-owned, centrally managed devices 29,654
Policy prohibits installation and use of prohibited technologies
Enforcement via EPM/MDE controls
Controls applied on device and enforced on and off campus
UT-owned, non-centrally managed devices ~2,225
Policy prohibits installation and use of prohibited technologies
Enforcement via network controls while device connected to UT network
Non-UT-owned devices ~300,000
Enforcement via network controls while device connected to UT network
Managed Endpoints
Windows hosts in MDE
Select applicable services to block from available list
macOS hosts in MDE
Select applicable services to block from available list
Unmanaged Endpoints
Rely on network controls (DNS)
Network
DNS filtering implemented on campus DNS resolvers
Align filter lists with domains associated with blocked services in MDE (updated daily)
Reference for Compliance and Security
Required according to Texas State law
https://dir.texas.gov/information-security/covered-applications-and-prohibited-technologies