Guest Brian Tirch
Posted April 7, 2023

On February 27, 2023, memorandum M-23-13 was released from the Office of Management and Budget requiring government agencies to remove TikTok from all GFE devices (unless there is an exception) and block network connections to TikTok by a given date. This blog post explains how to comply with the policy on Windows devices or using other Microsoft tools. For completeness, there is also information on iOS devices.

M-23-13 requires agencies to perform the following three tasks, which will be the focus of this blog post. The OMB memo requires that no later than 30 days after the issuance of this memorandum, agencies shall:

1. Identify the use or presence of a covered application on information technology.
2. Remove and disallow installations of a covered application on IT owned or operated by agencies, except in cases of approved exceptions.
3. Prohibit internet traffic from IT owned by agencies to a covered application, except in cases of approved exceptions.

There are several ways to perform the required tasks outlined in M-23-13. However, each operating system (Windows, iOS, Android) functions differently when it comes to application management. Given their prevalence in federal environments, we have chosen to focus on Windows and iOS as the two primary operating systems for this blog post.

*Note: there are other Microsoft solutions, like System Center Configuration Manager (ConfigMan), that can be used. However, this article will focus on Microsoft Defender for Endpoint (MDE), Microsoft Defender for Cloud Apps (MDCA), and Intune.

Discover/Identify

Microsoft Intune provides a list of installed applications for iOS, Android, Windows, and Mac devices. Organizations can log on to the Intune portal and navigate to Apps > Monitor > Discovered apps to search for the TikTok application. Below you can see two versions of TikTok, one installed on Windows and one installed on iOS.
Figure 1 Intune Application Inventory

If you are running MDE’s Mobile Threat Defense (MTD), MDE’s software inventory will discover the mobile versions of the application running on iOS or Android.

Figure 2 MDE Software Inventory

The Windows application is a Progressive Web App (PWA) and will not show up in the MDE software inventory. This requires the use of Advanced Hunting to discover the application on a Windows machine via MDE. When the PWA is launched it calls two executables, Pwahelper.exe and Msedge.exe (or the default browser). During the launch of the app, a command runs that includes the URL for TikTok. Below is a simple KQL query that can be used to find the command calling TikTok URLs:

    DeviceProcessEvents
    | where ProcessCommandLine contains "TikTok"

Figure 3 Timeline event from MDE

Organizations can use the same query to create a custom detection rule that generates alerts/incidents identifying the users and devices launching the PWA application.

Figure 4 MDE Custom Detection Rule incident

Since MDE is integrated with MDCA, we can use that integration to assist with discovering which devices and users have been accessing the application.

*Note: this integration works for Windows, Mac, and Linux. Mobile operating systems currently do not feed into MDCA but still consume the IOC rules created.

Figure 5 MDCA TikTok discovery
Figure 6 MDCA usage information

Network Blocks

Given that many devices are mobile and move between networks and organizations, blocking or preventing network access typically requires implementing multiple controls. The good news is that MDE can create IOCs that block access to URLs, IPs, certificates, and file hashes. These blocks work across device types (iOS, Android, Windows, Mac, and Linux) regardless of location. There are two places an organization can create these blocks; however, MDE is the underlying service that performs the block.
The first is the MDCA portal, where staff can categorize an application as “unsanctioned”, which will push the appropriate URL(s) into IOC blocks in MDE.

Figure 7 MDCA Unsanctioned
Figure 8 MDE IOC rules

The second is directly in MDE, where staff can create a rule to block, warn, or audit the TikTok domain(s)/URL(s) on mobile (iOS and Android), Windows, Mac, and Linux devices.

Figure 9 MDE URL/Domain IOC creation

*Note: there could be several domains/URLs used by TikTok.

Once these blocks are put into place and configured to generate alerts, the alert produces the following information showing the user, devices, and URLs being blocked.

Figure 10 MDE alert information from a Windows host (can vary by OS)

When launching the PWA from a Windows device, or directly in the browser from other devices, the following block will occur.

Figure 11 MDE IOC website block

*Note: other browsers and operating systems require the network protection service to be configured and Defender AV in active mode.

Removal/Disallow

The challenging part of this task is that each operating system provides different methods to control applications. An efficient way to block certain apps would be to restrict access to the application stores associated with each platform (e.g., the Windows and Apple stores). If the application store is not blocked, the following section outlines a method to identify the application and mark devices as non-compliant. For instance, if the TikTok app is not managed by Intune and the organization allows access to the application store, users will be able to install any application. Intune can uninstall only apps that are deployed through the mobile device management (MDM) channel. Organizations can establish prohibited apps lists to identify devices with applications that are prohibited. Prohibited apps are lists of apps that users aren't allowed to install and run. Users aren't prevented from installing a prohibited app.
However, if a user installs an app from this list, the device is reported in the Devices with restricted apps report and can be set to non-compliant. To configure a prohibited list, perform the following steps:

1. In the Intune admin portal, navigate to Devices > Configuration Profile > Create Profile.
2. Select iOS/iPadOS.
3. Under Profile Type, select Templates.
4. Select Device Restrictions.

Figure 12 Intune Configuration Policy creation

In the Device restriction policy, under Restricted Apps, input the following:

Configure the Types of Restricted app list = Prohibited
App Store URL = TikTok
App Bundle ID = com.zhiliaoapp.musically
App Name = TikTok
Publisher = TikTok Ltd.

Figure 13 Prohibited App UI

After the policy has been created, organizations can review the restricted app report from the Intune admin portal: Devices > Monitor > Devices with restricted apps.

Figure 14 Intune Prohibited App report

Organizations can create a compliance policy checking for the restricted application that will mark the device as non-compliant.

Figure 15 Intune iOS Compliance Policy
Figure 16 Devices marked as non-compliant from policy

Additionally, organizations can create conditional access policies that check for device compliance and deny access to an organization’s services. Organizations can even prompt the user with terms of service related to prohibited applications.

Figure 17 Azure AD Conditional Access Policy

APIs

M365 Defender and Intune both provide a rich set of APIs that can be used to pull information into other systems the organization may be using (e.g., SIEM, Power BI, etc.). Below is an example of using the MDE API call for TikTok in the software inventory.

Figure 18 Example MDE API return

Additional information

Here are some additional links to information related to the topics in the blog.
Access the Microsoft Defender for Endpoint APIs | Microsoft Learn
Intune Graph API - Reports and properties | Microsoft Learn
Terms of use in Azure Active Directory - Microsoft Entra | Microsoft Learn
iOS/iPadOS device settings in Microsoft Intune | Microsoft Learn
Use network protection to help prevent connections to bad sites | Microsoft Learn
Microsoft Defender Vulnerability Management | Microsoft Learn
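As an added example (not code from the original post or from Microsoft), the following Python runs the Advanced Hunting query from the Discover/Identify section through the MDE Advanced Hunting API, as the APIs section describes, and reduces the returned rows to the users, devices and URLs a SIEM feed or an IOC block list needs. The endpoint is the documented one; the token source (an environment variable), the device and account names, and the sample rows are assumptions.

```python
"""Pull TikTok PWA launch events from the MDE Advanced Hunting API (added example)."""
import json
import os
import re
import urllib.request

# Documented MDE Advanced Hunting endpoint; token assumed from an Azure AD app registration with AdvancedQuery.Read.All.
HUNTING_URL = "https://api.securitycenter.microsoft.com/api/advancedqueries/run"

# The post's query, with a lookback window and the columns a report needs.
PWA_QUERY = """DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine contains "tiktok"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine"""

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def run_hunting_query(query, token):
    """POST the KQL to Advanced Hunting and return the parsed JSON response."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json",
               "Accept": "application/json"}
    req = urllib.request.Request(HUNTING_URL, data=json.dumps({"Query": query}).encode(),
                                 method="POST", headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def summarize_launches(result):
    """Reduce the API's Results rows to a per-device view: which accounts launched
    the PWA and which URLs appeared on the command line (candidate IOC entries)."""
    summary = {}
    for row in result.get("Results", []):
        entry = summary.setdefault(row["DeviceName"], {"accounts": set(), "urls": set()})
        entry["accounts"].add(row.get("AccountName", ""))
        urls = URL_RE.findall(row.get("ProcessCommandLine", ""))
        entry["urls"].update(u.rstrip("/") for u in urls)
    return {d: {"accounts": sorted(v["accounts"]), "urls": sorted(v["urls"])}
            for d, v in summary.items()}

# Constructed sample in the shape Advanced Hunting returns; not real telemetry.
SAMPLE_RESULT = {"Results": [
    {"Timestamp": "2023-03-01T14:02:11Z", "DeviceName": "gfe-laptop-01", "AccountName": "jdoe",
     "FileName": "msedge.exe", "ProcessCommandLine": '"msedge.exe" --app=https://www.tiktok.com/'},
    {"Timestamp": "2023-03-02T09:15:40Z", "DeviceName": "gfe-laptop-07", "AccountName": "asmith",
     "FileName": "msedge.exe", "ProcessCommandLine": '"msedge.exe" --app=https://www.tiktok.com/foryou'},
]}

if __name__ == "__main__":
    # Live run: MDE_TOKEN is an assumed environment variable holding the bearer token.
    print(json.dumps(summarize_launches(run_hunting_query(PWA_QUERY, os.environ["MDE_TOKEN"])), indent=2))
```

The per-device summary can be pushed to a SIEM as-is, and the collected URLs are the candidates to review before adding them as URL/domain IOCs in MDE.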