The rapid adoption of powerful desktop AI applications like Claude and ChatGPT presents a new challenge for enterprise IT and security teams. This article explores the risks of ungoverned AI apps and provides a technical overview of methods for restricting them on managed corporate devices.
The use of AI tools in the workplace has expanded beyond the browser. Standalone desktop applications from providers like Anthropic and OpenAI offer powerful, integrated experiences for employees. However, their installation on managed devices creates a significant governance gap. This "shadow AI" usage, where employees use AI tools without IT approval, introduces risks of data leaks, compliance violations, and a lack of oversight. An effective strategy to manage these applications requires a multi-layered approach, from network controls to endpoint-native solutions.
The Rise of Shadow AI on the Desktop
Shadow IT, the use of technology without explicit IT department approval, is not a new problem. Shadow AI is its latest and most potent variant. Driven by the desire for productivity, employees now frequently download and use AI desktop clients to summarize documents, write code, and analyze data.
This behavior creates significant blind spots. When an employee pastes proprietary source code, customer data, or sensitive internal documents into a desktop AI tool, that information leaves the protected corporate environment. Unlike web-based traffic that might be routed through a company proxy, desktop application traffic can be harder to inspect and control, bypassing traditional security measures.
Methods for Restricting AI Desktop Applications
Organizations can use several technical methods to control the use of unauthorized AI applications on managed devices. These range from broad network-level blocks to more granular, policy-driven controls.
Network-Level Blocking
One of the most straightforward methods is to block access to the domains these applications rely on. This can be accomplished at the network perimeter using firewalls, DNS filtering, or secure web gateways.
- DNS Filtering: By configuring network DNS resolvers to block domains associated with specific AI services, any request from an application to its backend servers will fail. For example, to block ChatGPT's desktop and mobile applications, an administrator could block desktop.chatgpt.com, android.chat.openai.com, and ios.chat.openai.com.
- Firewall Rules: Network firewalls can be configured with rules to deny outbound traffic to the known IP addresses or domains of AI service providers. This prevents the application from communicating with its servers, rendering it non-functional.
While effective for outright blocking, this approach lacks granularity. It typically blocks all access to a service, including potentially sanctioned web-based versions, and can be circumvented by users on non-corporate networks.
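The DNS filtering approach above, as an added example that is not part of the original article: it takes the three hostnames the article lists, matches query names against them on label boundaries, and reports which clients are looking them up. The log format, client addresses and the choice of Unbound `local-zone` lines as the output format are assumptions made for illustration.

```python
from collections import defaultdict

# Hostnames the article lists for ChatGPT's desktop and mobile apps.
BLOCKED = ("desktop.chatgpt.com", "android.chat.openai.com", "ios.chat.openai.com")


def normalize(name):
    """Lower-case a query name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def matched_rule(qname, blocked=BLOCKED):
    """Return the blocked name that covers qname, or None.

    Matching is on label boundaries: a rule covers itself and its
    subdomains, but not a sibling that merely ends with the same text.
    """
    q = normalize(qname)
    for rule in blocked:
        if q == rule or q.endswith("." + rule):
            return rule
    return None


def unbound_rules(blocked=BLOCKED):
    """Render the list as Unbound local-zone lines answering NXDOMAIN."""
    return ['local-zone: "%s." always_nxdomain' % d for d in blocked]


def hits_by_client(log_lines):
    """Group blocked lookups by client IP from key=value resolver log lines."""
    hits = defaultdict(list)
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        rule = matched_rule(fields.get("query", ""))
        if rule and "client" in fields:
            hits[fields["client"]].append(rule)
    return dict(hits)


# Constructed sample log lines (format and addresses are made up).
SAMPLE_LOG = [
    "2025-01-10T09:14:02Z client=10.0.4.17 query=desktop.chatgpt.com. type=A",
    "2025-01-10T09:14:05Z client=10.0.4.17 query=API.Desktop.ChatGPT.com type=AAAA",
    "2025-01-10T09:15:11Z client=10.0.4.23 query=chatgpt.com. type=A",
    "2025-01-10T09:15:40Z client=10.0.4.23 query=notdesktop.chatgpt.com type=A",
    "2025-01-10T09:16:02Z client=10.0.9.8 query=ios.chat.openai.com type=A",
]

if __name__ == "__main__":
    print("\n".join(unbound_rules()))
    for client, rules in hits_by_client(SAMPLE_LOG).items():
        print(client, rules)
```

Running the same matcher over resolver logs before enforcing the block shows which managed devices would be affected by it.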
Endpoint-Based Application Control
A more direct approach involves using endpoint management tools to prevent the applications from running in the first place.
- Application Whitelisting/Blacklisting: Using a Mobile Device Management (MDM) or Unified Endpoint Management (UEM) platform, administrators can create policies that explicitly block certain application executables. Tools like Microsoft Intune or Jamf can enforce application control policies that prevent users from launching or installing unapproved software like the Claude or ChatGPT desktop apps.
- OS-Level Policies: Both Windows and macOS provide native tools for application control. On Windows, AppLocker or Windows Defender Application Control can be used to create rules that block specific applications based on their signature or path.
This method is highly effective for managed devices but requires maintaining up-to-date lists of applications and may not cover unmanaged or BYOD devices.
Tenant Control and Identity-Based Restrictions
For organizations that have adopted enterprise versions of AI tools, the goal is often not to block the tool entirely, but to prevent the use of personal accounts.
- Cloud Application Security Brokers (CASB): Some security solutions can enforce tenant restrictions at the network or endpoint level. These tools inspect authentication flows and can inject headers to enforce login to a specific corporate workspace ID, effectively blocking personal account usage. OpenAI's ChatGPT Enterprise offers a "Workspace Blocking" feature that relies on this mechanism.
- Restricting OAuth Consent: Administrators can configure their identity provider, like Microsoft Entra ID, to prevent users from granting consent for third-party applications to access their corporate account data. This can stop a key channel through which AI tools might gain unauthorized access to company information.
These controls allow for sanctioned use while mitigating the risks of data commingling and exfiltration through personal accounts.
Centralized Governance with an AI Gateway and Endpoint Agent
The most comprehensive solution goes beyond simple blocking and focuses on centralized visibility and governance. This approach combines a central control plane with an endpoint agent to bring all AI traffic, including from desktop apps, under a unified policy.
An AI gateway like Bifrost, an open-source AI gateway from Maxim AI, serves as a central point for routing, authentication, and policy enforcement for all configured AI traffic. However, a gateway alone cannot see the traffic from desktop apps that have not been manually configured to use it.
This is the gap that an endpoint agent like Bifrost Edge is designed to close. By deploying an agent to managed devices via MDM, all AI traffic from supported desktop apps, coding agents, and even browser sessions is automatically and transparently routed through the central Bifrost gateway.
This architecture enables:
- Universal Visibility: All AI usage, regardless of the application, becomes visible in a central audit log.
- Consistent Policy Enforcement: The same governance controls, such as budget limits, rate limits, and access rules configured in the gateway, are applied to desktop app traffic.
- Endpoint Security: Sensitive data can be redacted by gateway-level guardrails before it ever leaves the corporate network, even when sent from a desktop app. The Bifrost Edge agent can also enforce app governance policies, blocking unapproved applications directly on the device.
By combining a gateway with an endpoint agent, organizations can move from a reactive blocking posture to proactive, granular AI governance that enables safe and productive use of powerful AI tools.
Conclusion
Restricting unmanaged AI desktop applications is a critical step in mitigating the risks of shadow AI. While network-level blocking and endpoint application control offer effective ways to prevent unauthorized use, they can be blunt instruments. A more mature strategy involves leveraging identity controls and, for the most complete coverage, deploying a centralized AI gateway with an endpoint agent. This approach allows organizations to gain full visibility and enforce consistent security and compliance policies across all AI usage, turning a potential liability into a governed, productive asset.
Teams looking to establish comprehensive AI governance can explore solutions like the Bifrost AI gateway and request a demo to see how endpoint-aware control works.
Sources
- Anthropic, "Enterprise configuration for Claude Desktop"
- Anthropic, "Deploy Claude Desktop for Windows"
- Maxim AI, "From AI Gateway to the Endpoint: Closing the Last Mile of AI Governance"
- Microsoft, "Application Control for Windows"
- OpenAI, "Corporate Network Controls in ChatGPT Enterprise"
- Palo Alto Networks, "What Is Shadow AI? How It Happens and What to Do About It"


