Let’s discuss Different Methods to Block or Remove the DeepSeek App and Website from Managed Devices using Intune. Microsoft Intune allows users to block and remove the DeepSeek AI Assistant app on their managed endpoints.
Last month, all government bodies, except corporate organisations like Australia Post and the ABC, were forced to immediately remove all DeepSeek products from their devices. An unacceptable risk occurred due to DeepSeek’s national security, which is the reason for banning.
Organizations want to Block and remove DeepSeek from their tenant immediately. We already covered an article related to blocking DeepSeek using the Defender portal. More than that, you should block and remove Intune Managed Devices.
In this blog post, I share the different methods to block or remove the DeepSeek AI Assistant and its associated websites . However, you can also use the provided guidance for other apps and websites. Here, I will share step-by-step guidance on how to block Deepseek in each managed device.
Table of Contents
Different Methods to Block or Remove the DeepSeek App and Website from Managed Devices using Intune
As mentioned above, there are Different Methods to Block or Remove the DeepSeek App and Website from Managed Devices using Intune. In this blog post, I am going to share different methods to block or remove the DeepSeek app and its associated website from Managed devices. The following table shows the table of managed devices and methods for blocking and removing DeepSeek.
| Managed Devices | Method |
|---|---|
| iOS/iPadOS devices | Corporte Device(Supervised) – Hide and prevent the launch of the DeepSeek AI Assistant app |
| Uninstall the DeepSeek – AI Assistant app | |
| Personal Devices – Bring your own device (BYOD) | |
| Identify personal devices that have DeepSeek – AI Assistant installed and prevent access to corporate resources | |
| Android devices | Android Enterprise corporate owned, fully managed devices |
| Uninstall DeepSeek | |
| Android Enterprise personally owned devices with work profile | |
| Windows devices | Using Microsoft Defender for Endpoint to block access to websites in Microsoft Edge |
| Using Defender for Endpoint to block websites in other browsers | |
| macOS | Enable Network Protection |
- How to Block Personal Windows Devices Enrollment Enrollment Restrictions Options
- Intune Integration with Microsoft Defender for Endpoint
- Easy way to Block Pause Updates Ability in Windows Update for Business via Intune
iOS/iPadOS Devices
You can use different methods to block and remove DeepSeek AI Assistant on your iOS/iPadOS Devices. Using Settings Catalog, you can hide and prevent the launch of the DeepSeek AI Assistant app for Corporate Devices. For Personal Devices, use the Bring Your Own Device (BYOD) method. This will completely stop the DeepSeek AI Assistant app’s functions.
Hide and Prevent the Launch of the DeepSeek
Apple iOS/iPadOS supervised mode gives administrators more options when managing Apple devices, making it useful for corporate-owned devices deployed at scale. Block the app from being shown or being launchable, is the most effective way for supervised iOS/iPadOS. The following list shows the steps to block.
- Login to Microsoft Intune Admin Center
- Devices > Configuration > +Create > New Policy
- From the Create a profile page, select iOS/iPadOS as Platform and Settings Catalog as Profile type
- Click on the Create button
- On the Basic Tab, you can give a name and description for the policy
- Name – Hide and Prevent the Launch of the DeepSeek
- Description – This policy is created to Hide and Prevent the Launch of the DeepSeek
- Click on the Next button
- On the Configuration Tab, click on the +Add settings
- On the Settings Picker, search for the Blocked App Bundle IDs.
- Select Restrictions category
- Select the checkbox next to the Blocked App Bundle IDs setting.
Then, you can close the settings picker window. The Blocked App Bundle IDs policy settings are shown on the Configuration settings tab. In the text box shown under the Blocked App Bundle IDs, you can enter the Bundle ID: “com. deepseek.chat“. Click on the Next button.
You can skip the scope tab section, and it is not mandatory. Click on the Next button on this tab. On the Assignment tab, you can Assign the policy to either a device or user group. Select the group and click on the Select and Next buttons. On the Review tab, recheck the details and click on the Create button.
Uninstall the DeepSeek – AI Assistant App
The previously described policy applies if the DeepSeek app is not installed from the Apple app store. If you install DeepSeek from the Apple App Store, you can uninstall it from the Apple App Store. Use the steps below to automatically uninstall the app on devices that have it installed. This policy will also uninstall the app if it somehow gets installed at any point in the future while the policy remains assigned.
- Apps > iOS/iPadOS > iOS/iPadOS app
- Click on the + Create button
- Choose the iOS Store app from the Select App type window
- Click on the Create button
- On the App Information window, click on the Search the App Store hyperlink.
- Search the DeepSeek AI Assistant app.
- Select the App and Click on the Select button
Then you can see the details of the DeepSeek app on the App Information tab. Click on the Next button. Next is the Scope tab section, you can simply skip this tab and click on the Next button. On the Assignment you can select groups from the uninstall section.
Click on the +Add groups then select group, next button. On the Review tab, you can verify all the details. After that you can click on the create button to uninstall the DeepSeek.
Personal Devices – Bring Your Own Device (BYOD)
To manage settings and apps on personal devices Admins have fever options. Apple provides no facility on unsupervised (including personal) iOS/iPadOS devices to hide or block access to specified apps. The following list shows the options available for admins.
- Use an Intune compliance policy to prevent access to corporate data via Microsoft Entra Conditional Access (simplest and quickest to implement).
- Use a report to identify personal devices with specific apps installed.
- Takeover the app with the user’s consent.
- Uninstall the app.
Identify Personal Devices that Have DeepSeek – AI Assistant
Identify Personal Devices that Have DeepSeek – AI Assistant installed and prevent access to corporate resources. To mark a device as either “compliant” or “not compliant” based on several properties, such as whether a specific app is installed, you can use compliance policies in Intune. By using Conditional Access you can now prevent the user from accessing protected company resources when using a non-compliant device.
- Open Microsoft Intune Admin Center
- Go to Devices > iOS/iPadOS > Compliances
- Click on the +Create Policy
- From the Create a policy page, platform and profile type are automatically added
- Click on the Create button
- On the Basic tab enter the name and Descriptions as your preference
- Click on the Next button
- On the Compliance Settings tab click on the drop down arrow near System Security
Under the System security you can see Device Security option. On the text box you can add the Restricted app name and App bundle ID.
- Name: DeepSeek – AI Assistant
- Bundle ID: com.deepseek.chat
Under Actions for noncompliance, leave the default action Mark device noncompliant configured to Immediately and then select Next. Assign any Scope tags as required and select Next. Assign the policy to a user or device group and select Next. Review the policy and select Create.
- Devices that have the DeepSeek – AI Assistant app installed are shown in the Monitor section of the compliance policy.
- Navigate to the compliance policy and select Device status, under Monitor > View report.
- Devices that have the restricted app installed are shown in the report and marked as “Not compliant”.
When combined with the Require device to be marked as compliant grant control, Conditional Access blocks access to protected corporate resources on devices that have the specified app installed.
Android Devices
For Android Devices, You can Uninstall Deepseek by using the Managed Google Play app. To block Deepseek in Android Enterprise personally owned devices with a work profile, use the same settings as described in the Android Enterprise corporate-owned, fully managed devices section. This method allows you to uninstall and prevent the installation of restricted apps in the work profile.
Android Enterprise Corporate Owned, Fully Managed Devices
By configuring Allow access to all apps in Google Play store in a device restrictions policy, admins can optionally choose to allow only designated apps to be installed on corporate owned fully managed devices. If Block or Not Configured(by default) setting has been configured, to additional configuration is required as users are only able to install apps allowed by the administrator.
Uninstall DeepSeek
Using Google Play Store, you can easily Uninstall DeepSeek and prevent it from being installed. Follow the below steps to uninstall DeepSeek.
- Apps > Android > Add, then select Managed Google Play app from the drop-down menu
- On the search bar search for DeepSeek – AI Assistant, select the app in the results and click Select and then Sync.
Navigate to Apps > Android and select DeepSeek – AI Assistant > Properties > Edit next to Assignments.
Under the Uninstall section, add a user or device group and select Review + save and then Save.
After the next sync, Google Play will uninstall the app, and the user will receive a notification on their managed device that the app was “deleted by your admin”. The Google Play Store will no longer display the app. If the user attempts to install or access the app directly via a link, the example error below is displayed on the user’s managed device.
Android Enterprise Personally Owned Devices with Work Profile
You can use the same settings as described in the Android Enterprise corporate owned, fully managed devices section to uninstall and prevent the installation of restricted apps in the work profile for Android Enterprise personally owned devices with a work profile.
Windows Device
Using the Microsoft Defender for Endpoint portal, you can block users from accessing the DeepSeek website on Windows devices that are enrolled. Look at the below details to know more about it.
Using Microsoft Defender for Endpoint to Block Access to Websites in Microsoft Edge
On the Defender portal you have to enable Custom Network Indicators firstly. After configuring this setting, it may take up to 48 hours after a policy is created for a URL or IP Address to be blocked on a device. Follow the below steps.
- Sign in to Microsoft Defender admin center
- Navigate to Settings > Endpoints > Advanced features and enable Custom Network Indicators by selecting the corresponding radio button.
- Select Save preferences.
To create a Custom Network Indicator, Navigate to Settings > Endpoints > Indicators and select URLs/Domains and click Add Item.
- Enter the following, and then click Next:
- URL/Domain: https://deepseek.com
- Title: DeepSeek
- Description: Block network access to DeepSeek
- Expires on (UTC): Never
- You can optionally generate an alert when a website is blocked by network protection by configuring the following and click Next:
- Generate alert: Ticked
- Severity: Informational
- Category: Unwanted software
- Change the above settings according to your organization’s requirements.
- Select Block execution as the Action and click Next, review the Organizational scope and click Next.
- Review the summary and click Submit.
After configuring the Custom Network Indicator, it can take up to 48 hours for the URL to be blocked on a device. Once the Custom Network Indicator becomes active, the user will experience the following when attempting to access the DeepSeek website via Microsoft Edge.
Using Defender for Endpoint to Block Websites in Other Browsers
To block access to DeepSeek in other browser admins can leverage Network Protection policy setting on Intune. Using the Settings Catalog you can do this method. Follow the below steps to enable Network protection.
- On the Intune Portal Navigate to Devices > Windows > Configuration
- Create > New Policy
- On the Create a profile page select Windows 10 and later as platform and Settings Catalog as Profile type. Click on the Create button
- On the Basic Tab enter the name and Description of the policy
- Click on the Next button
- On the Configuration tab click on the +Add Settings hyperlink
- On the Settings Picker select Defender Category
- Select Network Protection policy settings
After selecting the settings, it will shown on the Configuration Settings Window. Then select to Enabled (block mode) and click Next. Then Assign Scope Tags as required and click Next. Assign the policy to a user or device group and click Next. Review the policy and click Create.
macOS
macOS devices that are onboarded to Defender for Endpoint and have Network Protection enabled are also unable to access the DeepSeek website in any browser as the same Custom Network Indicator works across both Windows and macOS.
Enable Network Protection
You can easily Enable the Network Protection policy settings from the Settings Catalog. To do this Open the Intune Portal and Navigate to Devices > macOS > Configuration > + Create > New Policy > Settings Catalog and select Create.
- On the Basic tab you can enter the Name and Description as your preference. Then click on the Next button to continue.
- On the Configuration tab, click on the +Add settings hyperlink
- Search for Network protection and select Microsoft Defender Network Protection Category.
- Select Enforcement Level Policy
After selecting the Enforcement Level policy, it will shown on the Configuration settings tab. Here you can select the the Value Block to block DeepSeek AI Assistant. Click on the Next button.
Add Scope Tags as required and select Next. Assign the policy to a user or devices group and select Next. Review the policy and select Create. The user when attempting to access the website will experience site can’t be reached.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Resource
Blocking and removing apps on Intune managed devices (Windows, iOS/iPadOS, Android and macOS)
Author
Anoop C Nair has been Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.