🇵🇱 Przejdź do polskiej wersji tego wpisu / Go to polish version of this post

Generative artificial intelligence entered mobile devices so quickly that many IT administrators didn’t even have time to finish their morning coffee, and their users were already dictating emails through Gemini, generating meeting summaries in Galaxy AI, and pasting sensitive customer data into ChatGPT „to format the table nicely.” Sound familiar?

The problem is that all these assistants — regardless of how convenient they are — are data vacuum cleaners. Sometimes they process data locally (not so bad), and sometimes they send it straight to the manufacturer’s cloud (quite a big problem). If you manage a fleet in finance, medicine, administration, or simply in a company that doesn’t want its sales strategy training a competitor’s language model — you need to take control.

Today I’ll show you step by step how to block or restrict AI features in the systems of two MDM market giants: Microsoft Intune and Samsung Knox Manage. Along the way, we’ll „deal with” Apple Intelligence, because iPhones in companies are now standard, not an exotic perk for management.

What are we actually blocking?

Before we start, we need to realize one thing: „AI on the phone” is not one magic switch. It’s a hydra with many heads. Microsoft in its documentation divided this into five categories. And this division makes sense:

1. Standalone AI applications — ChatGPT, Copilot, Claude, Gemini. Users download them from the store. Easiest to cut out, but that’s just the tip of the iceberg.
2. AI websites — blocked the app? A clever employee will go through the browser to chatgpt.com. We often forget about this.
3. Screen assistants — Circle to Search on Android or visual search. They analyze what’s displayed on the screen. If you have a confidential PDF open and launch the assistant — the content may go out into the world.
4. On-device AI services — Android’s Gemini Nano (AICore service). Powers the keyboard, SMS suggestions. Works locally, but auditors frown upon it.
5. Manufacturer AI (system-level) — Galaxy AI on Samsungs, Apple Intelligence on iOS. Deeply embedded in the system, with access to emails, photos, and calendar.

Good news: each of these heads can be cut off (or at least gagged). Bad news: you have to do it in layers.

Part 1: Microsoft Intune — Android Fortress

Microsoft has done its homework and gives us powerful weapons, especially for devices in Android Enterprise mode (Fully Managed or Work Profile).

Step 1: Blocking applications (Play Store)

This is the first line of defense. If you don’t want employees installing ChatGPT or Copilot.

Scenario A: you have a „closed” store (Allowlist – recommended) – if your users only see in Managed Google Play what you’ve made available to them — congratulations, you’re safe. Simply don’t add AI applications there.

Scenario B: you have an „open” store (all apps available) – you must explicitly block specific titles.

1. Go to: Apps -> Android -> Add -> Managed Google Play app
2. Search for and approve „suspects”: ChatGPT, Microsoft Copilot, Google Gemini, Perplexity, Claude, DeepSeek
3. After synchronization, go into each one, select Properties -> Assignments
4. Add a user group in the Uninstall section or if you have a restriction profile — simply block them by Bundle ID (e.g., com.openai.chatgpt) in the device configuration profile (Device Restrictions -> Restricted apps)

Step 2: Browser blocking in Edge and Chrome

Blocking the app isn’t enough. We need to seal the browser. Intune allows this to be done elegantly through App Configuration Policies.

For Microsoft Edge (and Chrome analogously):

1. Go to: Apps -> App configuration policies -> Add -> Managed devices
2. Select Android Enterprise and point to Microsoft Edge
3. In configuration settings, select Use configuration designer or paste JSON. We’re looking for the key: URLBlocklist.
4. In the value, enter addresses: ["https://chatgpt.com", "https://copilot.microsoft.com", "https://gemini.google.com", "https://claude.ai"]

Bonus: removing Copilot from the Edge bar – Copilot „lives” in the Edge browser as a button. To remove it, add in the same policy the key:

• Key: com.microsoft.intune.mam.managedbrowser.Chat
• Value type: Boolean
• Value: False

Step 3: Circle to Search and screen analysis

The „Circle to Search” feature is super convenient, but in a company it’s a DLP (Data Loss Prevention) nightmare. We block this in the Settings Catalog.

1. Devices -> Android -> Configuration -> New policy
2. Select Android Enterprise -> Settings Catalog
3. Type „Assist” in the search and find the General category
4. Check Block assist content sharing with privileged apps
5. Set to True (or Block)

This will prevent Google Assistant from being able to „read” what’s on the screen in the work profile.

Part 2: Microsoft Intune — Apple Intelligence (iOS)

Here the matter is simple: Supervised Devices or nothing. If you have BYOD without supervision, your options end with blocking applications. If you have Apple Business Manager — read on.

Apple Intelligence came with iOS 18.1. In Intune you’ll find this in restriction profiles.

1. Devices -> iOS/iPadOS -> Configuration -> New policy
2. Select Settings catalog (most frequently updated) or Templates -> Device restrictions
3. Search for „Intelligence” or „Math Notes”
4. Key options to block:
   • Genmoji (seriously, we don’t need emoji generation in reports)
   • Image Playground (image generation)
   • Writing Tools — this is the most important! Blocks AI rewriting and correcting emails
   • Image Wand

Part 3: Samsung Knox Manage — Korean Order (Galaxy AI)

Samsung in the Knox ecosystem gives us tools that others can only dream of. We’re talking about Knox Service Plugin (KSP). It’s an OEMConfig application that allows you to control features deeply embedded in Samsung’s system.

Requirements:

• Samsung device with One UI 6.1+
• KSP profile in Knox Manage

Three levels of Galaxy AI control in Knox Manage

We enter the Android profile edit, Applications section -> Knox Service Plugin -> OEM Configuration (Managed Configurations). We’re looking for the section Advanced Restriction policies (Premium) (names may differ depending on plugin version, look for „Artificial Intelligence”).

Option 1: „Paranoid” (Kill Switch) – we set Block all Galaxy AI to True. Effect: all AI features disappear from phone settings. Clean, safe, brutal.

Option 2: „Compromise” (Local Processing Only) – my favorite option. We look for the setting Allow process data only on device and set it to True. Effect: Galaxy AI works (live translation, notes), but not a single byte of data leaves the phone. Samsung doesn’t send it to the cloud for analysis. This is the perfect balance between modernity and security.

Option 3: „Surgeon” (Granular control) – you can select Block individual Galaxy AI operations and click to block e.g., only „Translator” or only „Notes Assistant”, leaving the rest

Let’s summarize

My advice at the end

Don’t fight windmills. If you block everything „hard”, people will start bringing private laptops and phones to „get the job done faster”. The best strategy is Local Processing on Samsungs and Managed App Protection on others, combined with a clear company policy: „Listen, we have corporate Copilot with an Enterprise license — use that because data is protected there. Don’t upload files to free ChatGPT”. Technology is one thing, education is another. But it’s worth having a kill-switch in Knox handy 😎

You read to the end – I’m extremely pleased – there will be a reward 😉

Below you’ll find a ready-made „blocking” batch. I dug through the Play Store, forums, and security reports. The topic is tricky because some of the „applications” are still Web-first solutions (working in the browser), not native mobile apps. Administrators often forget about this – they look for a package to block, don’t find it, and think „phew, all clear”. Meanwhile, the user just goes through Chrome.

That’s why I divided this list into two sections: .apk packages to block (Android) and domains to cut out (Web) – for those services that don’t yet have an official app but are „dangerous”.

📦 Section 1: mobile applications (Android Package Names) – this is a ready list to put into an Application Blacklist (Knox) / Restricted Apps (Intune) profile.

🚨 Category: Large models & official players

This is the foundation. If you don’t block this, it’s like leaving the server room door open.

🦠 Category: „Wrappers”

This is a plague. Thousands of apps named „AI Chat” that use the OpenAI API. Users install them en masse when the official app is blocked. I selected the most popular ones (millions of downloads).

🎙️ Category: Meeting recording and notes (audio leak risk)

These applications „listen” and do transcription in the cloud.

🎨 Category: Graphics and video (copyright / deepfake)

💔 Category: „Companions” and NSFW (image risk)

📥 Ready to copy (CSV)

App Name,Package Name,Category
ChatGPT,com.openai.chatgpt,Global AI
Microsoft Copilot,com.microsoft.copilot,Global AI
Google Gemini,com.google.android.apps.bard,Global AI
Claude,com.anthropic.claude,Global AI
Perplexity,ai.perplexity.app.android,Search AI
DeepSeek,com.deepseek.chat,Global AI
Poe,com.quora.poe,Aggregator
Microsoft Bing,com.microsoft.bing,Search AI
ChatOn,com.fitech.chat,Wrapper
Ask AI,com.codeway.chataskai,Wrapper
Nova,com.scaleup.chataihub,Wrapper
Genie,com.appnation.genie,Wrapper
Monica,com.monica.im,Productivity
Sider,com.sider.ai,Productivity
Otter.ai,com.aisense.otter,Meeting Recorder
Fireflies,com.fireflies.app,Meeting Recorder
Notta,com.langogo.transcribe,Meeting Recorder
Leonardo.ai,ai.leonardo.app,Image Gen
Lensa,com.lensa.app,Image Gen
Character.AI,ai.character.app,Entertainment
Replika,ai.replika.app,Entertainment
Chai,com.beauchamp.chai,Entertainment
DuckDuckGo,com.duckduckgo.mobile.android,Search AI
Pi,ai.inflection.pi,Personal AI
HuggingChat,co.huggingface.chat,Dev AI

🌐 Section 2: „Ghosts” (web-first services)

Applications that don’t have official, native applications in the Play Store (or are in beta/not publicly available). Users access them through the browser. To block them, you must use Web Content Filter (Intune/Knox). Blocking the package won’t help because the package doesn’t exist.

Until next time!

Puść ten artykuł w świat

XLinkedInMastodonFacebookWhatsAppFollow.itMessengerUdostępnij

×

Otrzymuj nowe artykuły na swój e-mail

Podając swój adres e-mail wyrażasz zgodę na przetwarzanie Twoich danych przez serwis follow.it. Zapoznaj się z Regulaminem oraz Polityką Prywatności serwisu.