Update: This post has been modified to announce that the feature is returning to Intune with both iPad and iPadOS support.
The Intune App Protection (APP) policy for the iOS setting for “Third party keyboards” is designed to allow only built-in keyboards when accessing company data. When this setting is set to "Disable", the Intune APP SDK instructs the OS to not load keyboard extensions/ third party keyboards while company data is actively being used in the app.
Currently, if an application is launched with a company account or it has protected data being used actively, then the Intune APP SDK signals the OS to block keyboard extensions. Thus third party keyboards are correctly managed.
However, we’ve noticed an issue where keyboard extensions are not blocked in situations where:
- the application is launched with a personal account or personal data is active
- the user switches to a personal account.
If a user switches to the company account or views company data subsequently in the application, the signal from the Intune App SDK to the OS to block the keyboard extensions is ignored. In such a situation, the application must be closed and relaunched from the company account.
We worked with Apple and they have acknowledged our feedback on the OS change but are not committing to an OS fix. Therefore, we are removing support for this feature due to the potential data protection concerns. for data are working with Apple to resolve this issue and we’ll keep you updated. In the meantime, if you have this setting enabled, we want you to be aware of the limitations listed above.
Update:
We’ve been working with Apple, and are delighted to announce that the feature is returning to Intune with both iPad and iPadOS support. This behavior of this policy setting differs slightly from the previous implementation. In multi-identity apps using SDK version 12.0.16 and later, targeted by app protection policies with this setting configured to Block, end-users will be unable to opt for third party keyboards in both their org and personal accounts. It will take a few weeks for the setting to deploy in production and for apps to adopt the new SDK with the control, but in the interim, you can update the previous configurations you had for this policy setting.
The ability to configure this setting will return with the November service release, but we’ve given you a UI to toggle this setting on or off in our preview environment which will save to production so you can check or change how you had it set before the feature fully rolls out.
Check your existing setting and make any changes you’d like to the updated setting by following the steps below.
- Head to: https://aka.ms/mamprivatepreview.
- Navigate to Intune > Client apps – App protection policies and select the iOS/iPadOS policies you wish to change. From the selected policy, select Properties, find the Data protection section and select Edit. Configure the Third party keyboards setting as you see fit and then select Review and Save.
- Keep in mind these settings won’t be applied until the apps adopt the SDK version 12.0.16 and later. Apps using earlier SDK versions, to 8.0.14, will demonstrate the behavior documented above as a known issue.
- Repeat these steps for any additional app protection policies you wish to change.
- When the November service releases and this change is announced in What's New, discontinue use of the aka listed above and just make any changes to the setting directly in the production UI.
11/6/19: Updated support statement on this feature
3/11/19: Updated support statement on this feature
2/15/19: Screenshot updated