Block TikTok with Workspace ONE on Android

With different government bodies as well as companies moving to block TikTok, a lot of questions are being raised about how to achieve it. This article aims to list all the methods possible with the Workspace ONE platform.

Privacy

While we all aim to address the issue and sort everything out quickly, it is necessary to review the privacy policy.
In order for Workspace ONE UEM to take action, it needs to know that the application is installed on the device, which means capturing data on personal applications.

Depending on the IT policy as well as privacy law, this might be difficult; always align with the privacy policy of the country the user is attached to. Also, capturing personal applications can reveal personal details: for example, if a user has a pregnancy app or an app about cancer, the application name alone gives you some context about the user.

In Workspace ONE UEM, the privacy settings are set across 4 device types: Corporate Dedicated, Corporate Shared, Employee Owned and Unassigned. It is very important that the devices are categorized properly within the console. Workspace ONE UEM also separates corporate applications from personal applications.

The recommendation is to collect the information but not display it to the administrator, which allows Workspace ONE to act without the administrator knowing what other applications are on the device.

Work Profile

Nothing can be done on the personal side. This is an Android OS design. More information: What policies is my organization enforcing on my device? – Android Enterprise Help

The corporate side is managed by Workspace ONE, and only apps approved in the Google Play Store are installed and available. If TikTok was approved, then deleting the app will remove it from the devices.

Note: If USB debugging is not blocked, an application can be sideloaded into the work profile. To prevent it, “USB debugging” should be disabled, and a compliance policy with application control should also be deployed. Review Compliance and Application Control in the COPE section below.

Deleting the app from the console

In the Workspace ONE UEM console, go to the Application List. On the Public tab, search for TikTok, select the application and then click on Delete.

The console will warn that there is an assignment attached to the application; click OK.

The application is now inactive within UEM. To display the application, modify the filter to list Inactive applications.

Unapprove the app from the Play Store

To unapprove the app, the easiest way is to use the iFrame: go to the Public Application list view, click on Add Application, select Android and search for TikTok.

Once the iFrame of the Play Store is open, select TikTok and click on Unapprove.

Confirm the unapproval by clicking OK.

Work Managed

Applications are only deployed if approved in the Google Play Store.

If TikTok is already approved, then deleting the app will remove it from the devices. Follow the steps for deleting the app in the Work Profile section, followed by unapproving the app in the Play Store.

Note: A compliance policy with application control should be deployed as a precaution. Review Compliance and Application Control in the COPE section below.

Work Managed Personally Enabled a.k.a COPE a.k.a Enhanced Work Profile

While COPE allows the user to install any app from the Play Store, it is sometimes necessary to control what the user is able to install on the device.

The level of control depends on the version of Android on the device. Between Android 9, 10 and 11, COPE has evolved and changed the way an MDM server can access data on the personal side.

Android 10 and below:

The design in Android 10 and below allows the MDM agent to list personal applications and manage them.

Android 11

Android 11 has been built with privacy in mind, and to that end, Google decided to change the way MDM is handled. Under Android 11, COPE is named Enhanced Work Profile and does allow management of personal applications with a specific profile. However, a change in the Workspace ONE UEM console was necessary to support it, and this functionality only exists from 2302 onwards.

For customers on 2212 and below, the situation is the same as a regular work profile, meaning the inability to manage the personal side.

Application Deny List with Application Control for Android 10 and below

Applies to Android 10 and below with any supported UEM.

To configure a list of denied applications, the list needs to be created first, then an Application Control profile needs to be used to deploy it to the devices.

Application Deny List

Go to the App Group list view, then click on Add Group.

Select Denylist, select Android for the platform, and give it a name. In the application name, put TikTok; it does not have to be the exact name, because the Application ID is the attribute used for matching. Use the application ID:

com.zhiliaoapp.musically

Tip: You can click on the blue magnifier to search the store, and it will pull the corresponding application ID.

Assign it to the targeted user.

Application Control profile

Create an Android profile, select Application Control and click on Add.

Assign it to the targeted user.

Custom Profile

Applies to Android 10 and below with any supported UEM.

If the Application Control profile is not available in the console, the following custom profile can be used to target the personal side:

<characteristic uuid="db76d492-17b6-4db2-96a9-f735b17143e4"
                type="com.airwatch.android.androidwork.application"
                target="2">
	<parm name="PreventInstallBlacklistedApps"
	      value="True"/>
	<parm name="BlacklistApplicationName"
	      value="TikTok"
	      type="string"/>
	<parm name="BlacklistApplicationId"
	      value="com.zhiliaoapp.musically"
	      type="string"/>
</characteristic>
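
A pre-flight check for this custom profile before it is pasted into the console, as an added example that is not part of the original article or of Workspace ONE. The function name `lint_denylist_profile` is hypothetical, the checks are inferred only from the profile shown above (not from a published schema), and the package-ID pattern is Android's general application ID syntax.

```python
import re
import xml.etree.ElementTree as ET

# Android application ID syntax: two or more dot-separated segments,
# each starting with a letter, then letters, digits or underscores.
PACKAGE_ID = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")
EXPECTED_TYPE = "com.airwatch.android.androidwork.application"  # value from the article

def lint_denylist_profile(xml_text):
    """Return a list of problems in a deny-list custom profile (empty list = OK)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Typical causes: curly quotes from a blog copy/paste, or a truncated paste.
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "characteristic":
        problems.append(f"root element is <{root.tag}>, expected <characteristic>")
    if root.get("type") != EXPECTED_TYPE:
        problems.append("unexpected characteristic type")
    parms = {p.get("name"): p.get("value", "") for p in root.iter("parm")}
    # Assumption: casing of the boolean is not significant; the article uses "True".
    if parms.get("PreventInstallBlacklistedApps", "").lower() != "true":
        problems.append("PreventInstallBlacklistedApps is not True")
    if not parms.get("BlacklistApplicationName", "").strip():
        problems.append("BlacklistApplicationName is empty")
    app_id = parms.get("BlacklistApplicationId", "")
    if not PACKAGE_ID.fullmatch(app_id):
        problems.append(f"BlacklistApplicationId {app_id!r} is not a valid package ID")
    return problems

# Constructed samples: the article's profile, plus two copies with typical mistakes.
GOOD = """<characteristic uuid="db76d492-17b6-4db2-96a9-f735b17143e4"
    type="com.airwatch.android.androidwork.application" target="2">
  <parm name="PreventInstallBlacklistedApps" value="True"/>
  <parm name="BlacklistApplicationName" value="TikTok" type="string"/>
  <parm name="BlacklistApplicationId" value="com.zhiliaoapp.musically" type="string"/>
</characteristic>"""
BAD_ID = GOOD.replace("com.zhiliaoapp.musically", "TikTok ")  # display name used as ID
CURLY = GOOD.replace('value="True"', "value=\u201cTrue\u201d")  # smart quotes

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad id", BAD_ID), ("curly quotes", CURLY)):
        print(label, "->", lint_denylist_profile(text) or "OK")
```

Because matching is done on the application ID rather than the name, a profile that carries the display name in `BlacklistApplicationId` would deploy without blocking anything; the lint catches that case before assignment.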

Compliance

Applies to Android 11 with UEM 2302 and Android 10 and below with any supported UEM.

Compliance can be used to remediate a device automatically and is a good way of tracking users.

To create a compliance policy, go to the Compliance Policies list view and click on Add.

Select Application List, then Contains, and use the following Application Identifier, then click on Next:

com.zhiliaoapp.musically

Tip: If multiple applications need to be denied, you can use a Denied Application Group and then select Contains Denied App(s) in the compliance policy.

In the Actions section, select Application then Block/Remove Managed App with the same application identifier.

Assign to the targeted users.

Application Deny List with Application Control for Android 11

Applies to Android 11 with UEM 2302 only

To configure a list of denied applications, the list needs to be created first, then an Application Control profile needs to be used to deploy it to the devices.

Application Deny List

Go to the App Group list view, then click on Add Group.

Select Android COPE Denylist and give it a name. In the application name, put TikTok; it does not have to be the exact name, because the Application ID is the attribute used for matching. Use the application ID:

com.zhiliaoapp.musically

Tip: You can click on the blue magnifier to search the store, and it will pull the corresponding application ID.

Assign it to the targeted user.

Application Control profile

Create an Android profile, select Application Control and click on Add.

In the Personal Play Store Restrictions section, select Denylist.

Assign it to the targeted user.

Written by

vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch in 2015.

One thought on “Block TikTok with Workspace ONE on Android”

  • Tim Duke
    2023-06-15 at 11:07

    Great article, Camille! Thanks for the excellent write-up! 🙂
