TikTok, DeepSeek, and Salt Typhoon Incidents
Unless you’ve been living in a cave, you’ve probably heard of some major IT-related stories over the last couple of months that share a common theme. There’s the US ban on TikTok. Then there’s the release of DeepSeek’s low-cost AI models, the privacy risks of their mobile apps, and the resulting blast damage to AI-related stocks. Of course, we can’t forget the ongoing penetration of US telecommunications networks by the Salt Typhoon threat actor group.
The common theme here, of course, is that all these stories involve China and cybersecurity. There are other prominent examples, too, and no doubt others will arise over the remainder of 2025, but these three all have another commonality: you can do something about them by improving your device management posture. The Intune customer success team posted a detailed article with step-by-step instructions on how to block the DeepSeek AI app on Intune-managed devices, and it’s worth talking about what they recommend as a template for managing your own devices to keep the badness away.
What Intune Can Do
Intune offers a full suite of device management features for iOS, Android, Windows, and macOS devices. These features vary somewhat between operating systems, but in general, on a fully managed device you can install or uninstall applications, block and/or hide applications, report on which applications are installed, and control which app store(s) the device can use. When you combine these features, you get a toolset that lets you (for example) pre-configure your managed devices with the Microsoft 365 apps of your choice, block social media or game apps, and force users to an app store that only contains applications you want them to be able to install.
Beyond that, you can also prevent access to websites, including progressive web applications (PWAs), by using Defender for Endpoint or another access broker to block access to a set of websites. For example, Microsoft’s guidance shows how to block the DeepSeek website on Windows machines, which coincidentally blocks users from adding DeepSeek as a PWA. (Fun fact: you can do the same thing by blocking the copilot.microsoft.cloud endpoint but you’ll probably break some other pieces of the Microsoft 365 service if you do.)
All of this sounds awfully intrusive, but the fact of the matter is that on a corporate-managed device, the user doesn’t get to just do whatever he wants… something many of us have lost sight of during the slow encroachment of bring-your-own-device (BYOD) policies. Of course, there’s lots of other useful stuff you can do with Intune, much of which has been covered in previous Practical 365 articles.
Blocking DeepSeek, TikTok, or Other Unwanted Apps
Suppose you’ve decided that you don’t want your users running a particular app. This might be because a regulator says you have to (here’s an example, and here’s another), or because you think the app represents a network security threat, or just because you don’t want it on your managed devices. There are a few different ways to accomplish this goal.
First, you should probably start by using Intune’s “Discovered apps” report (Intune admin center > Apps > Monitor > Discovered apps) to inspect the scope of the problem. The report will show you which applications are installed on your managed devices, although there are some limitations on the displayed data depending on what kind of devices you’re talking about.
Device types are worth talking about because the type of device, and how it’s managed, will determine what you see in these reports, and what you can do thereafter:
- Personally-owned Windows 10/11, macOS, or iOS devices: you will only see managed apps (the ones controlled by Intune Mobile Application Management)
- Company-managed Windows 10/11, macOS, and iOS devices: you’ll see all apps installed on the device. On Windows machines, you may have to install the Intune management extension to see legacy Win32 apps.
- Android Enterprise devices: you’ll see apps installed in the user’s work profile.
After you use the reports to validate whether the app(s) you want to remove are even installed anywhere, you have some options in choosing what to do with the unwanted apps.
On iOS devices that have the unwanted apps installed, you can hide them and block them from being launched by listing them in a device configuration profile. Assign the profile to the correct set of target devices and the app will become unavailable; it’s still installed on the devices, though.
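The same inventory check can be scripted rather than read off the admin center page. The following is an added example, not code from the Practical 365 article or from Microsoft, that pulls the Discovered apps data through Microsoft Graph and lists every managed device carrying an app whose name matches a pattern you supply; it assumes the Microsoft.Graph PowerShell module is installed, that the signed-in account holds DeviceManagementManagedDevices.Read.All, and the app-name patterns are placeholders to adjust.

```powershell
# Added example (not from the article): audit Intune "Discovered apps" via Graph.
# Assumes the Microsoft.Graph module and DeviceManagementManagedDevices.Read.All.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

# Substrings matched (case-insensitively) against each reported app's display name.
$unwantedPatterns = @("TikTok", "DeepSeek")   # placeholders: adjust to your own list

# Follow @odata.nextLink so the whole report is read, not just the first page.
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

$detected = Get-GraphCollection -Uri "https://graph.microsoft.com/v1.0/deviceManagement/detectedApps"

$findings = foreach ($app in $detected) {
    $hit = $unwantedPatterns | Where-Object { $app.displayName -like "*$_*" }
    if (-not $hit) { continue }
    # Each detectedApp exposes the managed devices it was seen on.
    $devices = Get-GraphCollection -Uri "https://graph.microsoft.com/v1.0/deviceManagement/detectedApps/$($app.id)/managedDevices"
    foreach ($d in $devices) {
        [pscustomobject]@{
            App       = $app.displayName
            Version   = $app.version
            OS        = $d.operatingSystem
            Device    = $d.deviceName
            User      = $d.userPrincipalName
            Ownership = $d.managedDeviceOwnerType   # company vs. personal matters for what you can do next
            DeviceId  = $d.id
        }
    }
}

$findings | Sort-Object App, Device | Format-Table -AutoSize
# Keep a CSV so removal progress can be tracked over time.
$findings | Export-Csv -Path ".\unwanted-apps.csv" -NoTypeInformation
```

Remember the reporting limits described above: for personally-owned devices only MAM-managed apps appear, so an empty result there does not mean the app is absent.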
Another option: on iOS and Android devices, you can forcibly uninstall the app by creating an app restriction. You’ll target the restriction at the appropriate devices or user groups and then select the Uninstall assignment action.
Handling BYOD
The problem with BYOD is that essentially, from a management perspective, the devices are unmanaged. You can’t prevent users from installing apps of their choice on their own devices, but you still have a few options. You can:
- Block devices with the unwanted apps from connecting to your M365 apps and services. The most straightforward way to do this is to create a device compliance policy that marks devices with the app as “not compliant,” then use a conditional access policy with a deny action for all “not compliant” device statuses.
- Use the report showing which devices have the unwanted apps and block the devices or users individually. This is time-consuming and error-prone.
- Either replace the user’s BYOD device with a managed device or get their consent to put their device under management. As a veteran of many arguments about this very topic, I wish you the best of luck in convincing users to let your organization manage their personal devices!
- Ask users nicely to uninstall the app. This works more frequently than you might think; many users are horrified when they see the scope of privacy problems that TikTok and DeepSeek pose.
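The compliance-policy route from the first option above can be set up through Microsoft Graph. The following is an added example, not code from the article or from Microsoft, that creates an iOS compliance policy whose restricted-apps list marks a device “not compliant” when any listed app is installed and assigns it to a group; it assumes the Microsoft.Graph module, the DeviceManagementConfiguration.ReadWrite.All permission, and placeholder bundle IDs and group ID that you must replace. The conditional access policy that grants access only to compliant devices is configured separately and is not shown.

```powershell
# Added example (not from the article): iOS compliance policy that flags devices
# carrying listed apps, then group assignment. Placeholders must be replaced.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

$targetGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your iOS BYOD users group

$policy = @{
    "@odata.type"  = "#microsoft.graph.iosCompliancePolicy"
    displayName    = "iOS - unwanted apps installed"
    description    = "Device is marked not compliant while any listed app is installed"
    # restrictedApps: the device is non-compliant if any of these bundle IDs is present.
    restrictedApps = @(
        @{ "@odata.type" = "#microsoft.graph.appListItem"; name = "Unwanted app A"; appId = "com.example.unwanted-a" }  # placeholder
        @{ "@odata.type" = "#microsoft.graph.appListItem"; name = "Unwanted app B"; appId = "com.example.unwanted-b" }  # placeholder
    )
    # Graph requires at least one scheduled action; "block" with a 0-hour grace
    # period makes the non-compliant status take effect immediately.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign the new policy to the target group.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $targetGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

Write-Host "Created compliance policy $($created.id). Pair it with a Conditional Access policy requiring a compliant device."
```

Android compliance policies expose an equivalent restricted-apps list, so the same approach covers Android work-profile devices with the matching policy type.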
This is probably a good place to remind you that you can never really guarantee device management on personally-owned devices; you really should be moving away from BYOD as quickly as possible, but that’s a topic for another time.
What About Salt Typhoon?
This case is a little trickier. The problem with the Salt Typhoon penetrations is that the attackers have embedded themselves into telecom providers’ networks, and there’s nothing you can do about that directly. In fact, there seems to be little that the telecom providers can do about it either, given the difficulty they seem to be having in evicting the APT. One thing you can do is follow the joint recommendation from CISA and the FBI to use messaging apps that support end-to-end encryption instead of mobile carrier SMS or RCS messaging. For example, Apple’s iMessage, the Signal Messenger app, and WhatsApp all offer robust end-to-end encryption that is (so far) believed to be good protection against APT threats such as Salt Typhoon. If your devices are managed with Intune, in fact, you could even push those applications to your users’ devices as part of your managed app catalog.
Expect More to Come
China is not the only sponsor of serious privacy and security threats, of course. So far, they have been the most successful at bundling those threats into a shiny candy-coated package that consumers want to put on their devices, but the techniques described above are equally useful if you want to block more targeted threats, or want to broadly prevent users from running apps that you think pose a security or privacy risk. Intune is complex, and you can do some very sophisticated things with it once you understand how it works, but the steps above are easy enough that they make a good first step towards protecting your network by keeping threat apps away from it.