TeamViewer normally uses 5938 outbound and needs no open inbound ports, i.e., no SNAT to internal systems. It will try 443, too, if 5938 is not open. TV can be set to force UDP which can help with blocking. I don't allow UDP 443 outbound.
Assuming you do egress filtering, an outbound packet filter on a schedule may work, going from Any-Trusted (or a specific computer IP or range) on TCP & UDP ports 5938, set to Allow, and going To Any-External. You also could add an HTTPS proxy To the TeamViewer domains and allow on a schedule.
Maybe put policies above these that are Deny to the same things, on a schedule of time when you want to block.