Blocking DeepSeek is Harder Than You Think

Many IT teams think blocking DeepSeek is simple. They assume that restricting the app through a Unified Endpoint Management (UEM) or Mobile Device Management (MDM) system is enough. But that’s a mistake.

Consider these holes:

• DeepSeek is more than just an app. It can also be (and often is!) accessed through a web browser. Without proper browser and network controls, users can bypass app restrictions easily. 
• Many organisations have devices that are not enrolled in the UEM at all. Generally they don’t know this, because it has evolved over time.
• UEM/MDM settings are complex  and involve more than just app blacklists, such as MAM alignment, containerisation, BYOD awareness, and more. All of these need to be set properly and actively tuned to block unauthorised workarounds.

 The Browser Problem

Blocking the DeepSeek app via UEM or MDM only stops the app from running. But what about browsers? DeepSeek works through a web interface, meaning anyone can access it from Chrome, Edge, Safari, or other browsers. If an organisation doesn’t control browser access, employees can still use DeepSeek even if the app is blocked.

Even worse, users can install alternative browsers. If one browser is restricted, they can simply download another and continue using DeepSeek. This makes browser control a critical part of any security policy.

 The Device Dilemma

Not all devices are enrolled in UEM or MDM. This creates gaps in enforcement. Here’s where the biggest risks come in:

– Personal Devices (BYOD) – Employees may use their own phones or laptops, which often fall outside of UEM or MDM control.

– Unenrolled Corporate Devices – Some corporate-owned devices might not be properly enrolled, leaving loopholes in access controls.

– Dual-Use Devices – Some employees use one device for both work and personal tasks. Without containerisation, they can access DeepSeek on the personal side of their device, bypassing controls.

 The Only Real Solution: A Layered Approach

To truly block DeepSeek, organisations need more than just UEM or MDM. They need a Secure Access Service Edge (SASE) or zero-trust system, like Zscaler and others. This ensures that all traffic—whether from apps or browsers—is monitored and controlled.

A telecoms management provider is also essential. They help ensure every device is correctly enrolled, settings stay up-to-date, and new security gaps are quickly addressed. Without this, enforcement weakens over time.

 Conclusion

Blocking DeepSeek is harder than it looks. Simply restricting the app won’t stop users from accessing it via a browser. Without full browser control, URL filtering, and enforcement on all devices—including BYOD and dual-use devices—DeepSeek will still be accessible.

DeepSeek usage is real and is happening now. We have uncovered plenty of it already. Telestar manages over 900,000 devices and services for enterprises and governments across Australia, and already controls access to DeepSeek and other restricted services for many organisations.

The only way to fully block it is a combination of UEM/MDM, SASE/zero-trust security, and ongoing telecoms management. Anything less leaves gaps that users can exploit.