I guess that they could. They could also install some software on all stations to monitor internet usage or install their certificate to perform MITM.
Firms that care do all that already. I meant to block stuff that can't be MitMed. Such as secure VPNs, or even SSH.