Support Tip: Enabling Outlook iOS Contact Sync with iOS12 MDM Controls
Published Dec 10 2018 01:03 PM

By Ross Smith, IV | Principal Program Manager on the Enterprise Mobility and Customer Experience Engineering Team

 

Summary: 

As documented in Support Tip: iOS 11.3 and Native Contacts App, with iOS 11.3, Apple changed the behavior of two device restriction controls to limit access to the native iOS Contacts app. Customers noted that Outlook for iOS was prevented from syncing Outlook's contacts to the native iOS Contacts app. With iOS 12.1 (the change was announced for iOS 12, but Apple shipped the fix in 12.1), Apple provided additional device restriction controls to influence the behavior of the native iOS Contacts app. You can now use Intune to configure the contact device restriction settings in the UI to allow or block Outlook for iOS's ability to save contacts to the native iOS Contacts app.

 

This support tip outlines the configuration options that control managed contacts transfer between Outlook mobile and the native iOS Contacts app. In particular, the "Enabling Save Contacts" topic describes how to restore the pre-iOS 11.3 behavior for sharing contacts on enrolled devices.

 

Details:

As documented in Support Tip: iOS 11.3 and Native Contacts App, with iOS 11.3, Apple changed the behavior of the following device restriction controls to limit access to the native iOS Contacts app:

 

| iOS user friendly control name | Control name | Control value | Description | Intune control name | Impacts Outlook for iOS |
|---|---|---|---|---|---|
| Opening documents from managed to unmanaged apps | allowOpenFromManagedToUnmanaged | True (default); False | When set to false, this setting prevents writing to the iOS Contacts app | Viewing corporate documents in unmanaged apps | Yes |
| Opening documents from unmanaged to managed apps | allowOpenFromUnmanagedToManaged | True (default); False | When set to false, this setting prevents reading from the iOS Contacts app | Viewing non-corporate documents in corporate apps | Yes |

 

When either of these settings is set to false on enrolled devices, Outlook for iOS is prevented from syncing Outlook's contacts to the native iOS Contacts app. The first setting prevents Outlook for iOS from writing (e.g., saving a new contact). The second setting prevents Outlook for iOS from reading (e.g., executing the reconciliation routine, which removes duplicates).

 

With iOS 12.1, Apple provided additional device restriction controls to influence the behavior of the native iOS Contacts app:

| iOS user friendly control name | Control name | Control value | Description | Intune control name | Impacts Outlook for iOS |
|---|---|---|---|---|---|
| Managed apps write to unmanaged contacts | allowManagedToWriteUnmanagedContacts | True; False (default) | When set to true, this setting allows writing to the iOS Contacts app (if allowOpenFromManagedToUnmanaged = false) | Allow managed apps to write contacts to unmanaged contact accounts | Yes |
| Unmanaged apps read managed contacts | allowUnmanagedToReadManagedContacts | True; False (default) | When set to true, this setting allows unmanaged apps to access managed contacts (if allowOpenFromManagedToUnmanaged = false) | Allow unmanaged apps to read from managed contacts accounts | No |

 

Specific combinations of these three device restriction controls can either allow or block Outlook for iOS’s ability to save contacts to the native iOS Contacts app.  

 

Enabling Save Contacts 

For enrolled devices, either of the following device restriction configurations will enable Outlook for iOS to save contacts into the native iOS Contacts app: 

 

| iOS user friendly control name | Control name | Control value |
|---|---|---|
| Opening documents from managed to unmanaged apps not allowed | allowOpenFromManagedToUnmanaged | false |
| Opening documents from unmanaged to managed apps allowed | allowOpenFromUnmanagedToManaged | true |
| Managed apps write to unmanaged contacts allowed | allowManagedToWriteUnmanagedContacts | true |

 

| iOS user friendly control name | Control name | Control value |
|---|---|---|
| Opening documents from managed to unmanaged apps allowed | allowOpenFromManagedToUnmanaged | true |
| Opening documents from unmanaged to managed apps allowed | allowOpenFromUnmanagedToManaged | true |

NOTE - carefully consider the implications of allowOpenFromManagedToUnmanaged = true prior to changing your configuration, as it allows managed data to be opened in unmanaged apps (the contact-specific controls above are the narrower alternative).

 

 

Preventing Save Contacts 

For enrolled devices, the following device restriction configuration will prevent Outlook for iOS from saving contacts into the native iOS Contacts app (however, Outlook for iOS will not report any errors): 

| iOS user friendly control name | Control name | Control value |
|---|---|---|
| Opening documents from managed to unmanaged apps not allowed | allowOpenFromManagedToUnmanaged | false |
| Managed apps write to unmanaged contacts not allowed | allowManagedToWriteUnmanagedContacts | false |

 

With any of the below device restriction configurations deployed to enrolled devices, users will see the following prompt when attempting to enable Save Contacts in Outlook for iOS:

[Screenshot: Outlook for iOS prompt asking the user to enable iCloud contact sync]

 

This prompt occurs because Outlook for iOS is unable to access and read from the native iOS contacts container. Note that allowManagedToWriteUnmanagedContacts only restores write access; nothing other than allowOpenFromUnmanagedToManaged = true restores read access, which is why the third configuration below still prompts.

 

| iOS user friendly control name | Control name | Control value |
|---|---|---|
| Opening documents from managed to unmanaged apps not allowed | allowOpenFromManagedToUnmanaged | false |
| Opening documents from unmanaged to managed apps not allowed | allowOpenFromUnmanagedToManaged | false |
| Managed apps write to unmanaged contacts not allowed | allowManagedToWriteUnmanagedContacts | false |

 

| iOS user friendly control name | Control name | Control value |
|---|---|---|
| Opening documents from managed to unmanaged apps allowed | allowOpenFromManagedToUnmanaged | true |
| Opening documents from unmanaged to managed apps not allowed | allowOpenFromUnmanagedToManaged | false |

 

| iOS user friendly control name | Control name | Control value |
|---|---|---|
| Opening documents from managed to unmanaged apps not allowed | allowOpenFromManagedToUnmanaged | false |
| Opening documents from unmanaged to managed apps not allowed | allowOpenFromUnmanagedToManaged | false |
| Managed apps write to unmanaged contacts allowed | allowManagedToWriteUnmanagedContacts | true |

 

How do I deploy the new settings? 

Starting January 10, 2019 with the 1812 release, you can configure the contact device restriction settings in the Intune UI. Here are screenshots of where you can configure them:

[Screenshot: Intune iOS device restrictions blade showing the contacts settings]

 

And the default settings are here:

[Screenshot: default values of the Intune contacts device restriction settings]

You can read more about how to deploy the new settings through the documentation here:

 

NOTE: There is a UI bug that indicates that "Allow managed apps to write contacts to unmanaged contacts accounts" and "Allow unmanaged apps to read from managed contacts accounts" are both supervised-only. That is not the case: you do not need supervised devices to use this feature, and there is no service-side supervision check for these settings. The UI bug will be fixed in a future release.

 

When a user can save contacts, they will see an experience similar to the following:

[Screenshot: Save Contacts enabled in Outlook for iOS settings]

 

We are leaving the custom profile instructions in place in case you'd like to use that approach in the future, but we recommend using the settings in the UI. If you do want to, you can deploy a custom profile to enrolled iOS devices to enable the allowManagedToWriteUnmanagedContacts control. For information on how to deploy a custom configuration, see https://docs.microsoft.com/intune/custom-settings-ios.

 

A sample custom profile (.mobileconfig) is provided below. This sample assumes that another profile already exists that has configured allowOpenFromManagedToUnmanaged=false and allowOpenFromUnmanagedToManaged=true; it only adds the write control. As with any profile, be sure to test before deploying broadly!

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Configures restrictions</string>
            <key>PayloadDisplayName</key>
            <string>Restrictions</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.applicationaccess.5301A395-9C13-41BD-A0E8-D35F4EE21805</string>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess</string>
            <key>PayloadUUID</key>
            <string>5301A395-9C13-41BD-A0E8-D35F4EE21805</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>allowManagedToWriteUnmanagedContacts</key>
            <true/>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Untitled 2</string>
    <key>PayloadIdentifier</key>
    <string>Contoso-iMac.1988A13E-0734-4215-A83B-19F21007FA52</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>F6B505A3-29D8-40A8-BF12-BF072E912E77</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
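The combination tables above and the custom profile are easy to get wrong when several restriction profiles are stacked on a device. The following is an added example, not code from the original post or from Microsoft: a small Python audit that parses com.apple.applicationaccess payloads out of .mobileconfig files, merges them, and predicts which of the three outcomes the post describes (allowed, blocked silently, or the iCloud prompt) a user of Outlook for iOS will see. It assumes that when multiple restriction payloads set the same allow* key the most restrictive value wins (Apple's documented merge rule for restrictions, treated here as an assumption), and the two sample profiles it builds are constructed, not real tenant data.

```python
"""Predict the Outlook for iOS "Save Contacts" outcome from iOS restriction profiles.

Added example, not part of the original post. Assumption: when several
restriction payloads set the same allow* key, the most restrictive value wins.
"""
import plistlib
import uuid
from typing import Dict, Iterable

RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"

# Apple defaults for the keys discussed in the post (True means permissive).
DEFAULTS = {
    "allowOpenFromManagedToUnmanaged": True,
    "allowOpenFromUnmanagedToManaged": True,
    "allowManagedToWriteUnmanagedContacts": False,
    "allowUnmanagedToReadManagedContacts": False,
}


def make_profile(name: str, **restrictions: bool) -> bytes:
    """Build a minimal .mobileconfig with one restrictions payload (constructed sample)."""
    payload_uuid = str(uuid.uuid4()).upper()
    payload = {
        "PayloadType": RESTRICTIONS_PAYLOAD,
        "PayloadIdentifier": f"{RESTRICTIONS_PAYLOAD}.{payload_uuid}",
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": "Restrictions",
        **restrictions,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"com.contoso.{name}",  # hypothetical org prefix
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        "PayloadRemovalDisallowed": False,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)  # XML plist, same shape as the post's sample


def restriction_payloads(profile_xml: bytes) -> Iterable[dict]:
    """Yield every com.apple.applicationaccess payload found in one profile."""
    profile = plistlib.loads(profile_xml)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_PAYLOAD:
            yield payload


def effective_restrictions(profiles: Iterable[bytes]) -> Dict[str, bool]:
    """Merge all profiles: the first explicit value replaces the default,
    any later explicit False beats an earlier True (most restrictive wins)."""
    effective = dict(DEFAULTS)
    seen = set()
    for xml in profiles:
        for payload in restriction_payloads(xml):
            for key in DEFAULTS:
                if key in payload:
                    value = bool(payload[key])
                    effective[key] = value if key not in seen else (effective[key] and value)
                    seen.add(key)
    return effective


def save_contacts_outcome(r: Dict[str, bool]) -> str:
    """Classify the user-visible result of enabling Save Contacts in Outlook.

    Per the post: Outlook must WRITE to the native contacts container and READ
    from it (reconciliation). allowManagedToWriteUnmanagedContacts restores only
    the write side; only allowOpenFromUnmanagedToManaged governs the read side.
    """
    can_write = r["allowOpenFromManagedToUnmanaged"] or r["allowManagedToWriteUnmanagedContacts"]
    can_read = r["allowOpenFromUnmanagedToManaged"]
    if not can_read:
        return "blocked: user is prompted to enable iCloud contact sync"
    if not can_write:
        return "blocked: silently, Outlook reports no error"
    return "allowed"


def audit(*profiles: bytes) -> str:
    """Convenience wrapper: merge the given profiles and classify the outcome."""
    return save_contacts_outcome(effective_restrictions(profiles))


# Constructed samples mirroring the scenario the post's custom profile assumes.
BASELINE = make_profile("baseline-restrictions",
                        allowOpenFromManagedToUnmanaged=False,
                        allowOpenFromUnmanagedToManaged=True)
CONTACTS_WRITE = make_profile("outlook-contacts",
                              allowManagedToWriteUnmanagedContacts=True)

if __name__ == "__main__":
    print("baseline only:             ", audit(BASELINE))
    print("baseline + contacts write: ", audit(BASELINE, CONTACTS_WRITE))
```

Point the loader at exported profiles from your MDM (or at Intune's custom profile bodies) and the audit tells you, before users do, whether a stacked deployment will silently break contact sync or surface the iCloud prompt.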
 

 

Blog post updated:

  • 12/11/18 with enable iCloud contacts sync prompt screen shot
  • 12/12/18 added summary to the post 
  •  1/11/19 updated with new settings shipped in January; also updated iOS 12 to iOS 12.1 due to an Apple bug fix
  • 8/29/19 - With revised screenshots for the Intune device restriction settings.
49 Comments
Copper Contributor

Hi,

thanks for sharing these new capabilities with iOS 12.

Is there any chance to sync contacts from Outlook to the native App AND protect them from being accessed by third-party apps? Or did I miss anything?

BR

Simon

Microsoft
@Simon - We have no way to create "managed contacts" within the iOS Contacts app. If you want to minimize data leakage, we recommend using our Contact Field Sync controls (http://aka.ms/omappconfig) that are available with our App Protection Policies and limit what data is exported to the native contacts app.
Copper Contributor

Just as a sanity check...

We don't currently use device restrictions (as we have a mix of enrolled and MAMWE), so we use App Protection Policies to restrict data transfer to "policy managed apps" but have not disabled Contact Sync

 

Would we need to apply any of these changes, or are they only applying to those restricting via the device configurations rather than app protection policies?

thanks

Microsoft
@John - If you aren't using device configuration policies to control device and app behavior, this won't affect your deployment.
Copper Contributor

how does one in a hybrid Intune deployment go about deploying this new configuration setting?

@Myles Taylor just checked with our hybrid lead. These settings are not in hybrid. Per the announcement here - https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Move-from-Hybrid-Mobile-Device-Manage... - do be aware that hybrid MDM is nearing end of support. FastTrack is a resource that may be available to you to help move from hybrid to stand alone.

Copper Contributor

Is it also possible to configure the button "save contacts"? I want to auto enable it for all users and this configuration is only for setting up restrictions.

Copper Contributor

@Intune_Support_Team thanks for the clarification, all too familiar with the upcoming support change regarding hybrid deployments, slowly but surely we're migrating over.

Microsoft
@JoeriJ - Soon! :)
Copper Contributor

@Ross Smith IV Is this available only for supervised devices? We're implementing Outlook with Intune MDM but the contacts are not syncing with local Contacts on iOS. The weird part is that on my iPhone it did not sync but on my iPad it did.

Microsoft
@Charlies_Silva - No, this does not require supervised devices (that's a bug in the Intune UI that will be removed later this month). If you are using the same account on both devices, Outlook recognizes that you have contact sync enabled on one iOS device and prevents you from enabling it on a second iOS device. If you have contacts enabled in iCloud, then your exported contacts will be available on all of your iOS devices.
Copper Contributor

Thank you @Ross Smith IV . We were finally able to allow the contact export to iOS and keep corporate data protected.

Copper Contributor

Hi, I am testing the "Retire device" function in Intune. The behavior is not as expected. The managed apps are deleted from the device after syncing, but company contacts on the device are still present. Is there a setting that needs to be activated to also remove company contacts that were synced with Outlook? I would have thought this would be done by default. iOS version 12.2 with contacts toggle set to enable in the Outlook app before wipe. Thank you.

Microsoft
@skoropi - That is currently by design. When you issue a retire command, that instructs the OS to uninstall any pinned apps to the management profile. An OS uninstall does not trigger any function within the app to do cleanup (does not trigger profile removal), and that results in the exported contacts being orphaned. This is standard OS behavior (same as user intentionally uninstalling an app). The only way the exported contacts can be removed is through a profile removal within Outlook. Our recommendation is to issue an App Protection Policy selective wipe prior to issuing a device retire. Selective Wipe triggers Outlook's profile removal process.
Bronze Contributor
@Charles_Silva: how did you accomplish this? I want to allow Outlook to Save Contacts, but block any other app from reading them.
Copper Contributor

Hi @Ivan Unger ,

 

I allowed Outlook app contacts to be synced with the local Contacts app. From there I don't have management on the contact data that had been exported (other apps have access to contact information as it normally would). I don't know if you can allow the export and then limit which apps can have access to exported data.

In the previous comment Ross explained how you can force remove the data if you want to retire the device but if I understood correctly, that's not what you're trying to accomplish.

Bronze Contributor

Okay, I've  misunderstood your comment then.

Bronze Contributor

Hi @Ross Smith IV ,

 

I'm having trouble understanding something here: When utilizing the Outlook MAM Policy to force-write contacts to the local iOS Contacts app, are the contacts considered managed or unmanaged?

 

If they are managed, how do I use this setting to block 3rd party from accessing these contacts?

I see this setting here in your post allowUnmanagedToReadManagedContacts  but I don't know which Intune UI control this is, since the wording is different. Could you possibly update your wording in this blog post to reflect the current Intune implementation.

Microsoft
@Ivan Unger - The contacts are considered unmanaged. Only managed EAS MDM profiles are able to create "managed contacts". The setting "allowUnmanagedToReadManagedContacts" - is the device restrictions - app store, doc viewing, gaming "Allow unmanaged apps to read from managed contacts accounts". This is documented at https://docs.microsoft.com/en-us/intune/device-restrictions-ios.
Copper Contributor

Hi, 

 

is it possible to somehow differentiate between company account and personal (hotmail) account? I would like to disable the Save Contacts option in the Outlook Settings for company accounts only but I want to give users the option to save their personal contacts from their private hotmail account.

 

Best regards,

Labinot

Copper Contributor

Hi @Labinot Jashanica ,

 

you can use MAM Policies to block contact sync for your business Profile.

https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-ios#functionality

BR

Simon

Copper Contributor

Hi @Simon Scharschinger 

 

thank you for your reply. Could you further elaborate on the MAM policies? I looked into the article you provided. However, I was not able to find the needed options and settings which would fit my requirements.

 

Best regards,

Labinot

Copper Contributor

Hi @Labinot Jashanica ,

in the documentation, you'll find a setting 'Sync app with native contacts app'. This is the setting you want to configure.

BR

Simon

Copper Contributor

hi @Simon Scharschinger,

sadly this is not a feasible solution because of the following reasons:

 

First of all, when the option to save contacts in Outlook is enabled, the company contacts are not saved to the native contact app as a type of "company document" but are instead synced into the contact app as normal contacts, which allows non-managed apps (such as WhatsApp) to sync these company contacts. I haven't found a solution yet that allows me to sync company contacts from the Outlook app settings into the native contact app without non-managed apps being able to access and sync them. In my device configuration profile I already blocked unmanaged apps from viewing corporate documents. Additionally I set the setting "Send Org data to other apps" in my app protection policy to "Policy managed apps".

 

The only way for me to prevent this from happening was as follows:

Disable the option to sync contacts in the Outlook app and allow users only to save contacts from within the native iOS Settings app under "Accounts & Passwords". This way the contacts are treated as "company documents" and therefore not visible for apps like WhatsApp and Co. 

 

Now my problem is, that some users would like to use their private hotmail account in the Outlook App and sync their private contacts which they cannot do because the option to save contacts is disabled for the whole Outlook app. I would need to make this restriction only for the company account. 

 

I hope that everything is understandable. 

Microsoft

@Labinot Jashanica - only EAS profiles pushed down via an MDM solution can have "managed contacts". Apple does not provide a way for third-party solutions to create "managed contacts".

 

An alternative solution is to minimize the data that is exported via our contact field sync controls using App Protection Policies. See http://aka.ms/omappconfig and Courtenay’s blog (https://blogs.technet.microsoft.com/cbernier/2018/11/01/outlook-app-configuration-contact-field-expo...).

 

 

Copper Contributor

Hello, is there any way of getting contacts in Outlook for iOS (from Exchange) to sync to the native contact list without iCloud? With the use of VPP we have eliminated the use of Apple IDs on our devices, however we still have the need to get the user's contacts into the native app for call and text identification.

 

thank you

Bronze Contributor

Are you sure you meant "iCloud" ? There was never a need for iCloud to get exchange contacts into the native iOS Contacts app.

 

If One Way Sync (Exchange Mailbox to iOS Device) for contacts is enough, then just create an outlook application management (MAM) policy, and enable the toggle for contacts sync

 

If you require Two Way Sync (contacts created on the device shall be synced back to the mailbox) then you need to deploy a configuration policy and configure an exchange profile.

Microsoft

@techcommunityuser @Ivan Unger - Outlook for iOS requires a contact container to exist in order to sync contacts into the native app. When you enable save contacts, Outlook attempts a read action, if that fails (either because Outlook has no capability to read due to MDM controls, or because there exists no container in which to read from), Outlook will prompt the user to enable iCloud sync for Contacts – this is because Outlook has no capability to create a container and iCloud sync will create one (iOS only supports three types of containers – local, Exchange, cardDAV – from their names you probably understand how they get created, e.g., Exchange is an EAS profile).

Copper Contributor

Hello Ross Smith, thank you for that explanation, that makes sense. Is there any way to create this contacts container without EAS or iCloud? The only way that I've found to restrict the user's access to login to iCloud is to block "Account Modification", which also removes the user's ability to create or manage EAS profiles. I thought this would be fine and I could just have the users use Outlook for iOS instead, however the users do still need their contacts to be available so I was hoping that I would be able to get those contacts down to the contacts app by just using Outlook for iOS. Thoughts?

Copper Contributor

@Ross Smith IV @Ivan Unger Thank you both for your feedback, after more testing it appears that if you have ANY (even a generic shared mailbox) Exchange account configured in iOS under Settings-Passwords & Accounts (EAS), then you will be unable to choose "Save Contacts" in Outlook for iOS, and you will then get an iCloud error about not having an iCloud account configured (assuming you actually don't).  However, if you first configure "Save Contacts" in Outlook for iOS without having an EAS profile configured, then that will be successful.  However, the big downside to this that I see is that, although I am aware and ok with this being a one-way sync to the phone, I don't see anyway to create or modify any of the user's contacts from within the Outlook for iOS app, which would be quite a burden on the user to require that they do all their contact management in Outlook/OWA.  Not only is there no option to create a new field in an existing contact, but there also is no add contact button in the app.  Is there something I'm missing here?  I thought since there is a one-way sync that the suggested contact mgmt process would be to use the Outlook for iOS instead of the native contacts app, but these features seem to not be available now.

Microsoft

@techcommunityuser - Two things could cause that:

  1. You are using an account that does not support contact management within Outlook (e.g., an on-premises account authenticated using basic auth).
  2. Outlook hasn't been granted permissions to access the native Contacts app. Outlook mobile leverages the native OS controls for creating/editing contacts. If permissions haven't been granted, then you can't use contact management. I'm going off memory, but I believe Outlook only asks for permissions to access Contacts after successfully enabling Save Contacts. You can check in iOS settings - Outlook and if Contacts is listed in "Allow Outlook to access" section.
Copper Contributor

@Ross Smith IV ok yes that makes sense, these are on prem/basic auth Exchange mailboxes.  So can I assume that if these mailboxes were in Exchange Online and were authenticated using advanced auth that this behavior would change?  Do you know how?  As in, still one way sync?  two way sync?  Options to add/modify contacts would now be there?   Also, what about on prem Exchange mailboxes with advanced auth, would that give contact mgmt options to the user?  Or would this be an Exchange Online only feature?  thanks!

Microsoft

Outlook for iOS does not support bi-directional contact synchronization between the native Contacts app and Outlook; this is irrespective of the account used.

 

To manage contacts within Outlook (e.g., create/edit), you need to be using an account that supports modern authentication - this is either an Exchange Online account or an on-premises Exchange account that leverages hybrid modern authentication (http://aka.ms/hmaom). 

Copper Contributor

Copy that, makes sense, thank you for the clarification on all this @Ross Smith IV 

Iron Contributor

Hello 

Is there any way to sync iCloud contacts to Outlook for iOS please ? 

We would like to apply this for all users of our company. 

Save Contacts option in Outlook for iOS sync contacts from Outlook to iOS device. But how we could sync iContacts to Outlook please ? 

 

Thank you 

Sofiane

Hi @Sofianeda1st, there are a couple of ways where we can sync Outlook contacts to the Native Contacts app for iOS. More information about both scenarios can be found below:

Hope this helps your deployment!

Microsoft

Odd my reply never got posted.

 

@Sofianeda1st - due to architectural OS platform limitations we are unable to sync native contacts into Outlook for iOS.

Iron Contributor

Hello @Intune_Support_Team 

Thank you for the answer. 

Iron Contributor

Hello @Ross Smith IV 

Thank you for the answer.

Copper Contributor
Hello @Ross Smith IV, will that feature become available of being able to sync new contacts from the iOS native app to Outlook so that they can get stored? Thanks
Microsoft

@Amphibious - As mentioned in a prior response, we cannot enable that functionality due to Apple platform limitations.

Copper Contributor
@Ross Smith IV - Thank you very much for that. Do by any chance have a Whitepaper/Datasheet for the Apple platform limitations? The company we are rolling Intune out to, heavily use their exchange contacts for their personal and work requirements. From an Apple aspect what other options do we have besides making it sync to iCloud? Thanks
Copper Contributor

@Ross Smith IV Hi, due to GDPR we are obliged to separate professional data from private data. Therefore unmanaged apps cannot access data from managed apps and vice versa. With Outlook for iOS this means that there is no caller identification. Other PIM applications are using Apple CallKit for this use case. The contact is still secured inside the app, but iOS can access it and shows phone number and contact (with a hint where the contact comes from).

Will you ever implement this into Outlook for iOS?

Microsoft

@DaNiggo Thanks for the feedback. We have no current plans to support CallKit.

Copper Contributor

Hello,

We currently have supervised ios devices.

Is there any way to be able to maintain the contact sync, and also block 'Viewing Non Corporate documents in corporate apps'? For example we would like to be able to block the mail attachments in the iOS native email app from being copied to our protected Word application. Right now it seems we can copy to Word, and save under a different name.

 

Thanks

 

Copper Contributor

Hi @sammentions 

 

have a look at these new changes: https://techcommunity.microsoft.com/t5/intune-customer-success/new-contact-sync-scenario-available-w...

 

You can enable the contact sync via the e-mail device configuration profile. That way, contacts are treated as "company documents". Hence, they cannot be accessed by any non-managed App (e.g. WhatsApp, Twitter, etc.).

Additionally, you need to create an App Configuration Profile (as described in the link above) to block the contact sync that can be done via the Outlook app. All contacts synced via the Outlook app are not treated as company documents.

 

If you do not want to create an App Configuration Profile, you can use the normal App Protection Policy and disable the Contact Sync there: iOS App Protection Policy (the setting you want is: Sync app with native contacts app set to Block). However, this applies to all targeted apps. To only block contact sync for Outlook you need an App Configuration Profile.

 

I hope this helps you. Please provide us with feedback, whether this solution meets your requirement.

 

Best regards,

Labinot

 

I hope this helps.

Copper Contributor

Hi @Labinot Jashanica 

 

"Thank you for directing me to the article : “New contact sync scenario available with Outlook for iOS on enrolled devices”. This does look like something that would meet my requirements.

I’m going to have to test this out, and if all goes well, then I can check this item off my list :smiling_face_with_smiling_eyes:"

 

Copper Contributor

hey, the thread is old but the info is super cool.

 

I am looking for some help where my users are moving from AW to Intune. In AW they are using the native mail client and saving contacts in the "Contacts" app on the iOS device. When I move the user to Intune, the saved contacts stay on the phone, as we are not resetting the device. But when we enroll to Intune and install the MS Outlook app for corporate emails, I am not able to sync these existing contacts to MS Outlook.

I have tried to sync these from iPhone settings - Outlook App - the "Contacts" and "Background app refresh" buttons are enabled. But still when I look in the MS Outlook app, I do not find the contacts saved in the Contacts app. Any help would be much appreciated.

Copper Contributor

@Ross Smith IV  @Intune_Support_Team 

 

Hi,

 

Would this also impact other MDM solutions (Third party MDMs) since the controls are implemented by Apple ?

Version history
Last update:
‎Dec 19 2023 01:30 PM