January 29, 2025

The AI world shaken by DeepSeek: protecting managed mobile devices with Workspace ONE UEM

DeepSeek, a revolutionary AI app from China, has surged to the top of download charts, raising significant security alarms due to extensive user data collection. Organizations must act swiftly using Workspace ONE UEM to detect, restrict, and manage this threat, ensuring the protection of sensitive corporate information. Stay secure, stay informed!

This week, the AI landscape experienced a major shakeup with the launch of DeepSeek, a groundbreaking Chinese AI app that has taken the world by storm. Known for its advanced, ChatGPT-like AI capabilities, DeepSeek has not only dominated discussions around optimizing AI chip usage but has also skyrocketed to the top of the Apple Store charts, becoming the #1 downloaded app.

However, this meteoric rise has also sparked serious security concerns. DeepSeek’s privacy policy discloses the collection of extensive user data, including usernames, passwords, device models, operating systems, keystroke patterns, IP addresses, and more. The app has been blocked from the Google and Apple stores in Italy and Ireland. Unsurprisingly, corporate customers have been quick to respond, seeking ways to block access to the app and its website to safeguard sensitive information.

For Omnissa Workspace ONE Unified Endpoint Management (UEM) customers, several tools are available to mitigate these risks. These features empower IT administrators to identify devices with the app installed, prevent further installations, and restrict access to DeepSeek’s website entirely. This blog outlines actionable steps to protect your organization.

If the DeepSeek – AI Assistant app is already installed on devices, Workspace ONE UEM provides IT administrators with the ability to detect, restrict, and remediate affected devices while maintaining user privacy. To achieve this, UEM requires limited visibility into installed apps, strictly adhering to configured privacy policies. However, standard corporate privacy and BYOD policies often restrict the collection of personal app data. If your organization enforces such policies, mitigating risks from applications outside the corporate scope may not be possible unless UEM privacy settings are adjusted.

By configuring UEM privacy settings to allow the collection of minimal personal application data (limited to non-intrusive app metadata), UEM administrators can:

  • Identify affected devices using the UEM console and Omnissa Intelligence reports and dashboards.
  • Restrict app usage by configuring application control profiles.
  • Enforce compliance policies for unauthorized apps.
  • Automate responses with Freestyle workflows, such as sending user alerts, tagging devices, or restricting access.

For detailed guidance on configuring privacy settings, refer to the following resources:

Organizations can proactively prevent users from accessing the DeepSeek mobile app on their managed devices using Workspace ONE UEM profiles.

For Android devices, administrators can configure an Application Control profile to disable the DeepSeek app when users have installed the app in:

  • The personal profile of Android Corporate Owned Personally Enabled (COPE) devices. 
  • The Work Profile or on a fully managed device.

For Android BYOD (Work Profile only) and COPE devices, Workspace ONE UEM enhances security and visibility with the Mobile Threat Defense Dual Enrollment feature. This capability allows administrators to identify apps installed on the personal profile, ensuring protection through the Lookout for Work app while also detecting the presence of the DeepSeek app. When a flagged app such as DeepSeek is identified, Dual Enrollment provides administrators with the necessary visibility, enabling them to notify the user and guide them in removing the flagged app.

For iOS supervised devices, administrators can configure a restriction profile to hide apps. Hiding the DeepSeek – AI Assistant app on devices where it is already installed will prevent it from running on the device. For non-supervised iOS devices, it's recommended to use the compliance engine together with the app denylist outlined in the following section.

Unauthorized apps like DeepSeek can pose significant risks to corporate resources. The Workspace ONE UEM compliance engine allows administrators to enforce security policies and automatically respond to non-compliant devices.

Steps to Implement Compliance Policies:

  1. Create a Compliance Policy for unauthorized apps:
    1. Define a denylist that includes DeepSeek.
    2. Associate this denylist with a compliance policy to automatically detect non-compliant devices.
  2. Automate Responses for Non-Compliant Devices:
    1. Mark devices as non-compliant, which blocks devices from having profiles assigned to them and prevents managed applications from being installed.
    2. Take one or multiple device actions, such as:
      1. Notify the user of the device's non-compliant state and provide information about ways to remediate, e.g. remove the unauthorized app(s).
      2. Remove managed apps and profiles.
      3. Wipe sensitive corporate data or perform a full device wipe if necessary.

These steps ensure that non-compliant devices are blocked from accessing corporate resources through Workspace ONE Tunnel and Omnissa Access when using conditional access, minimizing potential security risks. For more information, check out these resources:

Omnissa’s Freestyle Orchestrator workflows can also be used to identify devices with the DeepSeek app and tag them to trigger the compliance engine. This approach allows the UEM administrator to evaluate additional attributes to determine the compliance of the device. For more information and a detailed example, see the following Tech Zone blog: “Streamlining Device Compliance and Tags with Workspace ONE UEM”.

In addition to managing devices, Workspace ONE UEM offers tools to block access to DeepSeek’s website. Configuring network and web-filtering policies can effectively restrict access to specified URLs and safeguard your organization from potential threats. DeepSeek’s website includes multiple subdomains. Blocking the entire domain is the most effective way to restrict access.

Methods to block access to DeepSeek’s website with Workspace ONE UEM:

  1. For devices with a proxy configured via UEM Profile:
    • Block the *.deepseek.com domain directly on the proxy. This approach is the most efficient as it requires no additional configuration on individual devices. iOS devices must be supervised.
  2. For devices without proxy configured:
    • Using Workspace ONE Tunnel: Create a block action rule as part of the device traffic rule, adding the *deepseek.com domain. Workspace ONE Tunnel can be configured to tunnel full device traffic or per-app traffic. When using per-app tunneling, this approach will limit the block action to the configured tunneling apps.
    • Using Workspace ONE Mobile Threat Defense: Add the *.deepseek.com domain to the Denylisted Content list. This method will block access to the domain from any app on the device.
  3. Restricting access through Safari on iOS supervised devices
    • Deploy a UEM Profile with a content filter payload that adds the *.deepseek.com domain to the list of denied websites; this restriction applies only to the Safari browser.
  4. Restricting access through Chrome on Android
    • Workspace ONE UEM can also configure Chrome settings on Android devices through profiles. Adding the *.deepseek.com domain to the "Block Access to a List of URLs" setting will prevent users from loading pages from the DeepSeek website; this restriction applies only to the Chrome browser.
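A pre-deployment check for the wildcard rules listed above, as an added example that is not Omnissa code. It assumes plain glob semantics for `*.deepseek.com` and `*deepseek.com`, which your proxy, Tunnel, or Mobile Threat Defense configuration may not share, and the hostnames are constructed test values.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# The two wildcard forms that appear in the methods above.
PATTERNS = ["*.deepseek.com", "*deepseek.com"]

# Constructed test inputs (URLs and bare hosts), not observed traffic.
SAMPLES = [
    "https://deepseek.com/",              # bare domain
    "https://SUB.DeepSeek.com:443/path",  # mixed case, explicit port
    "a.b.deepseek.com.",                  # nested subdomain, trailing-dot FQDN
    "https://notdeepseek.com/",           # unrelated domain, same string suffix
    "https://deepseek.com.example.net/",  # unrelated domain, same string prefix
]

def normalize_host(value):
    """Return the lower-case host of a URL or bare host, without port or trailing dot."""
    if "//" not in value:
        value = "//" + value
    host = urlsplit(value).hostname or ""
    return host.rstrip(".")

def domain_blocks(host, domain="deepseek.com"):
    """Reference behaviour: the domain itself or any subdomain, on a label boundary."""
    return host == domain or host.endswith("." + domain)

def glob_blocks(host, pattern):
    """Assumed rule behaviour: a plain glob match of the pattern against the host."""
    return fnmatchcase(host, pattern.lower())

def audit(patterns=PATTERNS, samples=SAMPLES):
    """Return {pattern: [(host, problem), ...]} where the glob differs from the reference."""
    findings = {}
    for pattern in patterns:
        issues = []
        for raw in samples:
            host = normalize_host(raw)
            wanted, blocked = domain_blocks(host), glob_blocks(host, pattern)
            if wanted and not blocked:
                issues.append((host, "missed"))
            elif blocked and not wanted:
                issues.append((host, "over-blocked"))
        findings[pattern] = issues
    return findings

if __name__ == "__main__":
    for pattern, issues in audit().items():
        print(pattern, issues or "matches the reference on all samples")
```

Under these assumed semantics the first pattern misses the bare domain and the second also matches unrelated domains that end in the same string, so confirm the actual behaviour of each rule on a test device before rollout.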

IT might want to add additional MDM restrictions on corporate devices during this time. Workspace ONE UEM provides full support for MDM profiles; below are some examples of profile restrictions that can be applied to iOS and Android devices:

  • iOS payloads
    • Allow App Store icon on Home Screen - Removes the Apple App Store icon from the device and deactivates the App Store so the end user cannot install public applications.
    • Allow installing public apps - Deactivates the Apple App Store so end-users cannot install or update their apps.
  • Android payloads
    • Allow Non-Market App Installation - Controls whether a user can install applications from sources other than the Google Play Store.
    • Allow Installing Applications – Removes the user's ability to install applications on the device.
    • Allowed Accounts in Google Play and Allow Google Accounts – Prevents users from adding personal Google accounts and using them to install apps from the Play Store that are not approved by the organization.

For more information on device profiles for iOS and Android, visit the following documentation links.

Conclusion

The rapid rise of DeepSeek underscores the need for organizations to remain vigilant about emerging technologies and their potential risks. While DeepSeek’s success highlights the power of AI innovation, its privacy implications cannot be ignored. Organizations must stay vigilant and proactively mitigate threats before they compromise sensitive data.

With Workspace ONE UEM, you can:

  • Detect unauthorized apps before they become a threat.
  • Restrict access to safeguard corporate data.
  • Automate compliance enforcement for stronger security.

Take action today! Explore our detailed documentation, learn more about Omnissa Security and Compliance solutions, engage with the Omnissa Community for expert insights, and contact your Omnissa Workspace ONE UEM representative for further assistance.
