Temporary access to blocked sites / DNS on remote system woes
Posted by DraynedOG@reddit | sysadmin | 5 comments
Need a brainstorming session.
My manager has this obsession with blocking popular social media/cloud storage sites for our users. We currently have a Connectwise Automate plugin called ThirdWall, which handles access to these sites via modifying the hosts file on endpoints. This also has the functionality of our team being able to temporarily allow access to certain websites via ThirdWall (it has an automated way of editing the hosts file; it isn't fancy).
We are now moving away from CWA to the CW RMM tool and my manager wants me to find replacements for most of the functionality that ThirdWall was doing. I've been able to accomplish most things with group policy or other systems we use, but the blocking sites and allowing temporary access one is causing me issues.
I could just deploy a hosts file to endpoints with all the sites she wants blocked and then use RMM scripts to automate edits to the hosts file on endpoints, but it feels like there should be a better way to do it. We do have a VPN set up, but it's not always on for remote endpoints (our cyber insurance wants the VPN locked behind 2FA, which we use DUO for), so I can't just block these sites at a network DNS level, and that still wouldn't solve the temporary access issue.
Does anyone have experience with a situation like this - blocking sites but allowing temporary access to them upon request - and how do you solve it in a modern way without just modifying hosts files?
Thanks!
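For reference, here is an added example (not from the post, ThirdWall or CW RMM) of the "deploy a hosts file and let scheduled RMM scripts edit it" approach: the script tags every line it owns with a marker, records a temporary allow as a dated comment, and re-blocks the host on the next scheduled run once the window has expired. The marker strings, the sinkhole address and the constructed hosts content are all assumptions of this example; it edits hosts-file text in memory so the same logic can be wrapped in whatever the RMM runs.

```python
from datetime import datetime, timedelta, timezone

# Constructed conventions for this example (not ThirdWall's format): lines this script
# owns end in MARKER; a temporary allow is kept as a dated comment until it expires.
MARKER = "# managed-block"
ALLOW_PREFIX = "# managed-allow "
SINKHOLE = "0.0.0.0"  # non-routable; hosts files have no wildcards, so list each FQDN
TS = "%Y-%m-%dT%H:%M:%SZ"

def at(iso): return datetime.strptime(iso, TS).replace(tzinfo=timezone.utc)  # UTC stamp

def parse(text):
    """Split hosts text into (unmanaged lines, managed hosts, {host: allow expiry})."""
    others, blocked, allows = [], set(), {}
    for line in text.splitlines():
        if line.startswith(ALLOW_PREFIX):
            host, _, until = line[len(ALLOW_PREFIX):].partition(" until=")
            allows[host] = at(until)
            blocked.add(host)  # an allow record only exists for a managed host
        elif line.endswith(MARKER):
            blocked.add(line.split()[1])
        else:
            others.append(line)  # the admin's own entries are never touched
    return others, blocked, allows

def render(others, blocked, allows, now):
    """Rebuild the file: sinkhole every managed host unless its allow is still live."""
    out = list(others)
    for host in sorted(blocked):
        until = allows.get(host)
        if until and until > now:
            out.append(f"{ALLOW_PREFIX}{host} until={until.strftime(TS)}")
        else:
            out.append(f"{SINKHOLE} {host} {MARKER}")
    return "\n".join(out) + "\n"

def block(text, hosts, now):  # deploy step: add hosts to the managed block list
    others, blocked, allows = parse(text)
    return render(others, blocked | set(hosts), allows, now)

def allow_temporarily(text, host, minutes, now):  # lift one managed block for a window
    others, blocked, allows = parse(text)
    allows[host] = now + timedelta(minutes=minutes)  # ignored unless host is managed
    return render(others, blocked, allows, now)

def refresh(text, now):  # scheduled run: expired allows turn back into block lines
    return render(*parse(text), now)
def sinkholed(text):  # hosts blocked at this moment
    return {l.split()[1] for l in text.splitlines() if l.endswith(MARKER)}
```

The per-device granularity pdp10 mentions still applies: a hosts entry affects every user of that machine, and only for clients that resolve names through the OS resolver.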
FederalPea3818@reddit
You need a product that does internet filtering properly. Umbrella is good, you can target individual users and create bypass codes to allow temporary access, etc. Others exist.
krattalak@reddit
Umbrella.
pdp10@reddit
Blocking DNS works well for a lot of things, but it's still "keeping honest people honest", not bulletproof blocking. Secondly, DNS-based blocking is exceptionally poor for per-user granular access to banned sites.
Hosts-file edits are just as easy to bypass technically, but don't suffer from the per-user granularity problem, assuming one user per client device.
The least-bad method might be an authenticated web proxy. If your client machines are distributed or roaming, this is still possible but harder to optimize.
Hoosier_Farmer_@reddit
NetNanny.
dedjedi@reddit
Have I sent you my consulting rate? Let me send you my consulting rate.