
Support Tip: Use Intune custom profile settings with the iOS Native Contacts App

By Ross Smith, IV | Principal Program Manager on the Enterprise Mobility and Customer Experience Engineering Team

 

Summary: 

As documented in Support Tip: iOS 11.3 and Native Contacts App, with iOS 11.3, Apple changed the behavior of two device restriction controls to limit access to the native iOS Contacts app. Customers noted that Outlook for iOS was prevented from syncing Outlook’s contacts to the native iOS Contacts app. With iOS 12.1 (it was iOS 12, but Apple put a fix into 12.1), Apple provided additional device restriction controls to influence the behavior of the native iOS Contacts app. You can now use Intune to configure the contact device restriction settings in the UI to allow or block Outlook for iOS’s ability to save contacts to the native iOS Contacts app.

 

This support tip outlines the configuration options to control managed contacts transfer between Outlook mobile and the native iOS Contacts app. In particular, the “Enabling Save Contacts” topic describes how to restore the pre-iOS 11.3 behavior for sharing contacts on enrolled devices.

 

Details:

As documented in Support Tip: iOS 11.3 and Native Contacts App, with iOS 11.3, Apple changed the behavior of the following device restriction controls to limit access to the native iOS Contacts app:

 

| Control | Control name | Control value | Description | Impacts Outlook for iOS |
| --- | --- | --- | --- | --- |
| Opening documents from managed to unmanaged apps | allowOpenFromManagedToUnmanaged | True (default); False | When set to false, this setting prevents writing to iOS Contacts app | Yes |
| Opening documents from unmanaged to managed apps | allowOpenFromUnmanagedToManaged | True (default); False | When set to false, this setting prevents reading from iOS Contacts app | Yes |

 

When either of these settings is configured on enrolled devices, Outlook for iOS is prevented from syncing Outlook’s contacts to the native iOS Contacts app. The first setting prevents Outlook for iOS from writing (e.g., saving a new contact). The second setting prevents Outlook for iOS from reading (e.g., executing the reconciliation subroutine, which removes duplicates).

 

With iOS 12.1, Apple provided additional device restriction controls to influence the behavior of the native iOS Contacts app:

 

| Control | Control name | Control value | Description | Impacts Outlook for iOS |
| --- | --- | --- | --- | --- |
| Managed apps write to unmanaged contacts | allowManagedToWriteUnmanagedContacts | True; False (default) | When set to true, this setting allows writing to iOS Contacts app (if allowOpenFromManagedToUnmanaged = false) | Yes |
| Unmanaged apps read managed contacts | allowUnmanagedToReadManagedContacts | True; False (default) | When set to true, this setting allows unmanaged apps to access managed contacts (if allowOpenFromManagedToUnmanaged = false) | No |

 

Specific combinations of these three device restriction controls can either allow or block Outlook for iOS’s ability to save contacts to the native iOS Contacts app.  

 

Enabling Save Contacts 

For enrolled devices, either of the following device restriction configurations will enable Outlook for iOS to save contacts into the native iOS Contacts app: 

 

| Control | Control name | Control value |
| --- | --- | --- |
| Opening documents from managed to unmanaged apps not allowed | allowOpenFromManagedToUnmanaged | false |
| Opening documents from unmanaged to managed apps allowed | allowOpenFromUnmanagedToManaged | true |
| Managed apps write to unmanaged contacts allowed | allowManagedToWriteUnmanagedContacts | true |

| Control | Control name | Control value |
| --- | --- | --- |
| Opening documents from managed to unmanaged apps allowed | allowOpenFromManagedToUnmanaged | true |
| Opening documents from unmanaged to managed apps allowed | allowOpenFromUnmanagedToManaged | true |

NOTE - carefully consider allowOpenFromManagedToUnmanaged implications prior to changing your configuration as it will allow managed data to be opened in unmanaged apps.   

 

 

Preventing Save Contacts 

For enrolled devices, the following device restriction configuration will prevent Outlook for iOS from saving contacts into the native iOS Contacts app (however, Outlook for iOS will not report any errors): 

| Control | Control name | Control value |
| --- | --- | --- |
| Opening documents from managed to unmanaged apps not allowed | allowOpenFromManagedToUnmanaged | false |
| Managed apps write to unmanaged contacts allowed | allowManagedToWriteUnmanagedContacts | false |

 

With any of the below device restriction configurations deployed to enrolled devices, users will see the following prompt when attempting to enable Save Contacts in Outlook for iOS:

[Screenshot: RossPost_enableiCLoud.PNG]

 

This prompt occurs because Outlook for iOS is unable to access and read from the native iOS contacts container. 

 

| Control | Control name | Control value |
| --- | --- | --- |
| Opening documents from managed to unmanaged apps not allowed | allowOpenFromManagedToUnmanaged | false |
| Opening documents from unmanaged to managed apps not allowed | allowOpenFromUnmanagedToManaged | false |
| Managed apps write to unmanaged contacts allowed | allowManagedToWriteUnmanagedContacts | false |

| Control | Control name | Control value |
| --- | --- | --- |
| Opening documents from managed to unmanaged apps allowed | allowOpenFromManagedToUnmanaged | true |
| Opening documents from unmanaged to managed apps not allowed | allowOpenFromUnmanagedToManaged | false |

| Control | Control name | Control value |
| --- | --- | --- |
| Opening documents from managed to unmanaged apps not allowed | allowOpenFromManagedToUnmanaged | false |
| Opening documents from unmanaged to managed apps not allowed | allowOpenFromUnmanagedToManaged | false |
| Managed apps write to unmanaged contacts allowed | allowManagedToWriteUnmanagedContacts | true |

 

How do I deploy the new settings? 

Starting January 10, 2019 with the 1812 release, you can now configure the contact device restriction settings in the UI. Here are screenshots of where you can configure them:

[Screenshot: Allow Contacts.PNG]

 

And the default settings are here:

[Screenshot: default settings.PNG]

You can read more about how to deploy the new settings through the documentation here:

 

NOTE: There is a UI bug that indicates that the "Allow managed apps to write contacts to unmanaged contacts accounts" and "Allow unmanaged apps to read from managed contacts accounts" both are supervised only. That is not the case - you do not need supervised to work with this feature. This is a UI bug that will be fixed in a future release. There's no service-side check for supervised for these features. 

[Screenshot: supervised.png]

 

 

Updated 1/11/19 with strikethrough since we added the contact controls: Currently, the iOS 12 contact controls are not available in Intune’s device restrictions profile configuration. We are leaving how to deploy a custom profile in case that's something you'd like to do in the future. We'd recommend, though, that you use the settings in the UI. However, you can deploy a custom profile to enrolled iOS devices to enable the allowManagedToWriteUnmanagedContacts control. For information on how to deploy a custom configuration, see https://docs.microsoft.com/intune/custom-settings-ios. When a user can save contacts, they will see an experience similar to the following:

[Screenshot: RossPost12_10_18_IMG_0700.PNG]

 

A sample script is provided below (this sample assumes that another profile already exists that has configured allowOpenFromManagedToUnmanaged=false and allowOpenFromUnmanagedToManaged=true). As with all scripts, be sure to test!

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Configures restrictions</string>
            <key>PayloadDisplayName</key>
            <string>Restrictions</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.applicationaccess.5301A395-9C13-41BD-A0E8-D35F4EE21805</string>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess</string>
            <key>PayloadUUID</key>
            <string>5301A395-9C13-41BD-A0E8-D35F4EE21805</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>allowManagedToWriteUnmanagedContacts</key>
            <true/>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Untitled 2</string>
    <key>PayloadIdentifier</key>
    <string>Contoso-iMac.1988A13E-0734-4215-A83B-19F21007FA52</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>F6B505A3-29D8-40A8-BF12-BF072E912E77</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
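
Added example, not part of the original post or any Microsoft tooling: a Python check that merges the restriction payloads from several exported .mobileconfig files and reports which Save Contacts outcome from the tables above they produce. The function names, outcome labels, and the rule that conflicting values resolve to false are assumptions of this example.

```python
import plistlib

# Defaults as listed in the two control tables of the article.
DEFAULTS = {
    "allowOpenFromManagedToUnmanaged": True,
    "allowOpenFromUnmanagedToManaged": True,
    "allowManagedToWriteUnmanagedContacts": False,
}

def effective_restrictions(profiles):
    """Merge com.apple.applicationaccess payloads from .mobileconfig blobs."""
    seen = {}
    for blob in profiles:
        for payload in plistlib.loads(blob).get("PayloadContent", []):
            if payload.get("PayloadType") != "com.apple.applicationaccess":
                continue
            for key in DEFAULTS:
                if key in payload:
                    # Assumption: on conflict the restrictive value (False) wins.
                    seen[key] = seen.get(key, True) and bool(payload[key])
    return {**DEFAULTS, **seen}

def save_contacts_outcome(r):
    """Map effective restrictions to the outcomes described in the article."""
    if not r["allowOpenFromUnmanagedToManaged"]:
        return "prompt"             # Outlook cannot read the contacts container
    if r["allowOpenFromManagedToUnmanaged"]:
        return "enabled-open-in"    # works, but managed data opens in unmanaged apps
    if r["allowManagedToWriteUnmanagedContacts"]:
        return "enabled"            # the iOS 12.1 control restores Save Contacts
    return "blocked-silently"       # Outlook reports no error

def make_profile(**settings):
    """Build a constructed sample profile (not taken from the article)."""
    payload = {"PayloadType": "com.apple.applicationaccess",
               "PayloadVersion": 1, **settings}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})

if __name__ == "__main__":
    # Constructed inputs mirroring the article's sample: a base profile plus
    # a second profile that only sets allowManagedToWriteUnmanagedContacts.
    base = make_profile(allowOpenFromManagedToUnmanaged=False,
                        allowOpenFromUnmanagedToManaged=True)
    contacts = make_profile(allowManagedToWriteUnmanagedContacts=True)
    for name, blobs in [("base only", [base]), ("base + contacts", [base, contacts])]:
        print(name, "->", save_contacts_outcome(effective_restrictions(blobs)))
```

The "enabled-open-in" result is the configuration the NOTE above warns about, so treat it as a finding to review rather than a pass.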
 

 

Blog post updated:

  • 12/11/18 with enable iCloud contacts sync prompt screen shot
  • 12/12/18 added summary to the post 
  •  1/11/19 updated with new settings shipped in January; also updated iOS 12 to iOS 12.1 due to an Apple bug fix
12 Comments
Senior Member

Hi,

thanks for sharing these new capabilities with iOS 12.

Is there any chance to sync contacts from Outlook to the native App AND protect them from being accessed by third-party apps? Or did I miss anything?

BR

Simon

Microsoft
@Simon - We have no way to create "managed contacts" within the iOS Contacts app. If you want to minimize data leakage, we recommend using our Contact Field Sync controls (http://aka.ms/omappconfig) that are available with our App Protection Policies and limit what data is exported to the native contacts app.
Regular Visitor

Just as a sanity check...

We don't currently use device restrictions (as we have a mix of enrolled and MAMWE), so we use App Protection Policies to restrict data transfer to "policy managed apps" but have not disabled Contact Sync

 

Would we need to apply any of these changes, or are they only applying to those restricting via the device configurations rather than app protection policies?

thanks

Microsoft
@John - If you aren't using device configuration policies to control device and app behavior, this won't affect your deployment.
Occasional Contributor

How does one in a hybrid Intune deployment go about deploying this new configuration setting?

@Myles Taylor just checked with our hybrid lead. These settings are not in hybrid. Per the announcement here - https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Move-from-Hybrid-Mobile-Device-Manage... - do be aware that hybrid MDM is nearing end of support. FastTrack is a resource that may be available to you to help move from hybrid to stand alone.

Occasional Visitor

Is it also possible to configure the button "save contacts"? I want to auto enable it for all users and this configuration is only for setting up restrictions.

Occasional Contributor

@Intune Support Team thanks for the clarification, all too familiar with the upcoming support change regarding hybrid deployments, slowly but surely we're migrating over.

Microsoft
@JoeriJ - Soon! :)
Occasional Visitor

@Ross Smith IV Is this available only for supervised devices? We're implementing Outlook with Intune MDM but the contacts are not syncing with local Contacts on iOS. The weird part is that on my iPhone it did not sync but on my iPad it did.

Microsoft
@Charlies_Silva - No, this does not require supervised devices (that's a bug in the Intune UI that will be removed later this month). If you are using the same account on both devices, Outlook recognizes that you have contact sync enabled on one iOS device and prevents you from enabling it on a second iOS device. If you have contacts enabled in iCloud, then your exported contacts will be available on all of your iOS devices.
Occasional Visitor

Thank you @Ross Smith IV . We were finally able to allow the contact export to iOS and keep corporate data protected.