Restricting TeamViewer access in corporate network

An external company wants to offer remote support for an on-premise product to our employees via TeamViewer.

I currently block TeamViewer completely via DNS filtering (*.teamviewer.com) and restriction (remote DNS queries are not allowed from client network). Due to security policy, I cannot allow unrestricted TeamViewer acces just from any source.

Is there any possibility to allow selected support providers to connect via TeamViewer, eg. via:

• whitelisting selected IP networks of support providers on a network level,
• locally enforcing certain whitelisting policies on a workstation level (eg. via TeamViewer-accepted GPO-based registry changes),
• locally enforcing domain authentication for TeamViewer connections (same as above).

Currently, the only idea I came up with would be to redirect DNS servers to a local proxy that would perform Man-in-the-middle scanning of Client-to-TeamViewer-Servers connections. MitM should not be a problem provided TeamViewer client accepts client-configured enterprise CA. But I have no guarantee that revengineering communications would be simple, or that the data exchanged would be sufficient to filter which connections to allow and which to break. It would also take a lot of time etc.

Any simpler solution?