TikTok Block

Background and Purpose

EPM is a new service launching for campus and is currently onboarding customers. The purpose of this document is to provide guidance on change management processes.

In all cases, EPM will be following ITIL change management processes in Service Now. 

EPM Enhancement Requests Form

ITSO's can suggest changes to MECM, PatchMyPC, Jamf or Jamf application management by completing the EPM Change Request Form. Every change request will be vetted and validated by the EPM team. If your change is approved, it will follow the ITS change management process. Some requested changes will be reviewed with the EPM Committee before implementation. 

EPM Change Request Form

Change Scope

IN SCOPE 

The scope of the ITS Change Management Process is to manage all changes to IT service assets that may impact production Service Offerings. Listed below are example changes that are in scope for the ITS Change Management Process:  

• Software – Installation, patching, upgrade, or removal of software products, including operating systems, access methods, commercial off-the-shelf (COTS) packages, internally developed packages, and utilities. 
• Configuration Changes – Any additions, deletions, or modifications to the centralized environments, including permissions and configuration settings, Extension Attribute (EA) changes in Jamf.

OUT OF SCOPE 

Examples of activities that are outside the scope of the ITS Change Management Process include:  

• Changes to development, test, or pre-production environments, including environments for  
• Contingency, continuity, or disaster recovery 

Many other types of reports are available https://aus-sccm.austin.utexas.edu/reports/browse/ConfigMgr_AUS

In support of the Texas Governor's order, the Endpoint Management team (EPM) has developed to the following solutions for globally blocking access to TikTok on devices enrolled in EPM platforms. 

Summary of action

EPM is blocking access to TikTok on all devices enrolled in EPM. We'll be blocking and removing the application on iOS devices. If already installed on Windows devices, the app will need to be removed by the user or ITSO technical staff. This block will prohibit the application from communicating but doesn't remove the application. There is no application for macOS. 

Estimated timelines

Windows and iOS:

Testing with TRECS and eligible academic ITSOs from 12/19/22 to 12/22/22. Successful testing criteria: 100% of devices enrolled block access to TikTok across all browsers. No other network activity is impacted. 

In production globally on 1/02/23.

macOS:

Testing with TRECS and eligible academic ITSOs from 12/20/22 to 12/22/22. Successful testing criteria: 100% of devices enrolled block access to TikTok across all browsers. No other network activity is impacted.  

In production globally as of 01/02/23. 

Windows

Requirements:

ITSOs must be onboarded to MECM and MDE and have removed any 3rd party antivirus (ex: Amp, Norton, etc) 

Steps:

Configuration Manager Introduction and Onboarding

Microsoft Defender for Endpoint (MDE) Introduction and Onboarding

Support notes:

Systems should be running a supported release version to be compatible with Network Protection in order for the block to be successfully applied.
Windows 10 any supported release version
Windows 11 any supported release version

End-user experience:

Some may see a SmartScreen notice such as the one below, many will see the various TikTok related domains returning an error that it's not available. 

The Microsoft store download itself is not blocked, so a user would be able to install the app however they will not be able to launch it.
Since the apps requires Edge, they will see the SmartScreen notification even if their default browser is set to something else:

The Windows Security message will appear for anyone attempts to open TikTok or a TikTok cookie is active in the background. If the notification is showing up persistently, cookies will need to be cleared from the browser going back to before TikTok was accessed. 

Apple

iOS:

Requirements:

iPad, or iOS device Supervised* and enrolled in central Jamf instance

Steps:

Configuration profile will be scoped globally. No additional steps are needed from ITSOs to take advantage of the TikTok block provided by EPM

Support notes:

*iOS devices are supervised when enrolled via Automated device enrollment. This can be accomplished using Apple School Manager or Apple Configurator 2. On device you will see "This device is supervised and managed by University of Texas as Austin" in the top most area of the settings app. 

End-user experience:

TikTok app will be removed from the iOS device if installed. If an end user tries to navigate to a TikTok URL they will see "You cannot browse this page at "tiktok.com" because it is restricted"

MacOS:

Requirements:

macOS computer is enrolled into the central Jamf Instance

Steps:

After the Jamf policy has been installed, the web browser will need to be quit for changes to take effect. If the browser is left running during installation, the URL redirect will not be enforced until it is next opened

macOS Policy will be scoped globally. No additional steps are needed from ITSOs to take advantage of the TikTok block provided by EPM

Support notes:

Policy is set to run at next check in of machine. (0-15 minute check in) 

End-user experience:

On macOS we are routing all TikTok URLs to a dead IP address. End users will see a failed to load webpage unique to the browser they are using. (ex: Safari can't open the page because the address isn't valid) No app exists for TikTok on macOS.