Support Tip: Enabling Outlook iOS Contact Sync with iOS12 MDM Controls
Published Dec 10 2018 01:03 PM 93.7K Views

By Ross Smith, IV | Principal Program Manager on the Enterprise Mobility and Customer Experience Engineering Team

 

Summary: 

As documented in Support Tip: iOS 11.3 and Native Contacts App, with iOS 11.3, Apple changed the behavior of two device restriction controls to limit access to the native iOS Contacts app. Customers noted that, as a result, Outlook for iOS was prevented from syncing Outlook’s contacts to the native iOS Contacts app. With iOS 12.1 (it was iOS 12, but Apple put a fix into 12.1), Apple provided additional device restriction controls to influence the behavior of the native iOS Contacts app. You can now use Intune to configure the contact device restriction settings in the UI to allow or block Outlook for iOS’s ability to save contacts to the native iOS Contacts app.

 

This support tip outlines the configuration options to control managed contacts transfer between Outlook mobile and the native iOS Contacts app. In particular, the “Enabling Save Contacts” topic describes how to restore the pre-iOS 11.3 behavior for sharing contacts on enrolled devices.

 

Details:

As documented in Support Tip: iOS 11.3 and Native Contacts App, with iOS 11.3, Apple changed the behavior of the following device restriction controls to limit access to the native iOS Contacts app:

 

| iOS user friendly control name | Control name | Control value | Description | Intune control name | Impacts Outlook for iOS |
|---|---|---|---|---|---|
| Opening documents from managed to unmanaged apps | allowOpenFromManagedToUnmanaged | True (default); False | When set to false, this setting prevents writing to iOS Contacts app | Viewing corporate documents in unmanaged apps | Yes |
| Opening documents from unmanaged to managed apps | allowOpenFromUnmanagedToManaged | True (default); False | When set to false, this setting prevents reading from iOS Contacts app | Viewing non-corporate documents in corporate apps | Yes |

 

When either of these settings is set to false on enrolled devices, Outlook for iOS is prevented from syncing Outlook’s contacts to the native iOS Contacts app. The first setting prevents Outlook for iOS from writing (e.g., saving a new contact). The second setting prevents Outlook for iOS from reading (e.g., executing the reconciliation subroutine, which removes duplicates).

 

With iOS 12.1, Apple provided additional device restriction controls to influence the behavior of the native iOS Contacts app:

| iOS user friendly control name | Control name | Control value | Description | Intune control name | Impacts Outlook for iOS |
|---|---|---|---|---|---|
| Managed apps write to unmanaged contacts | allowManagedToWriteUnmanagedContacts | True; False (default) | When set to true, this setting allows writing to iOS Contacts app (if allowOpenFromManagedToUnmanaged = false) | Allow managed apps to write contact to unmanaged contact accounts | Yes |
| Unmanaged apps read managed contacts | allowUnmanagedToReadManagedContacts | True; False (default) | When set to true, this setting allows unmanaged apps to access managed contacts (if allowOpenFromManagedToUnmanaged = false) | Allow unmanaged apps to read from managed contacts accounts | No |

 

Specific combinations of these three device restriction controls can either allow or block Outlook for iOS’s ability to save contacts to the native iOS Contacts app.  

 

Enabling Save Contacts 

For enrolled devices, either of the following device restriction configurations will enable Outlook for iOS to save contacts into the native iOS Contacts app: 

 

| iOS user friendly control name | Control name | Control value |
|---|---|---|
| Opening documents from managed to unmanaged apps not allowed | allowOpenFromManagedToUnmanaged | false |
| Opening documents from unmanaged to managed apps allowed | allowOpenFromUnmanagedToManaged | true |
| Managed apps write to unmanaged contacts allowed | allowManagedToWriteUnmanagedContacts | true |

 

| Control | Control name | Control value |
|---|---|---|
| Opening documents from managed to unmanaged apps allowed | allowOpenFromManagedToUnmanaged | true |
| Opening documents from unmanaged to managed apps allowed | allowOpenFromUnmanagedToManaged | true |

NOTE - carefully consider allowOpenFromManagedToUnmanaged implications prior to changing your configuration as it will allow managed data to be opened in unmanaged apps.   

 

 

Preventing Save Contacts 

For enrolled devices, the following device restriction configuration will prevent Outlook for iOS from saving contacts into the native iOS Contacts app (however, Outlook for iOS will not report any errors): 

| iOS user friendly control name | Control name | Control value |
|---|---|---|
| Opening documents from managed to unmanaged apps not allowed | allowOpenFromManagedToUnmanaged | false |
| Managed apps write to unmanaged contacts allowed | allowManagedToWriteUnmanagedContacts | false |

 

With any of the below device restriction configurations deployed to enrolled devices, users will see the following prompt when attempting to enable Save Contacts in Outlook for iOS:

[Screenshot: RossPost_enableiCLoud.PNG]

 

This prompt occurs because Outlook for iOS is unable to access and read from the native iOS contacts container. 

 

| iOS user friendly control name | Control name | Control value |
|---|---|---|
| Opening documents from managed to unmanaged apps not allowed | allowOpenFromManagedToUnmanaged | false |
| Opening documents from unmanaged to managed apps not allowed | allowOpenFromUnmanagedToManaged | false |
| Managed apps write to unmanaged contacts allowed | allowManagedToWriteUnmanagedContacts | false |

 

| iOS user friendly control name | Control name | Control value |
|---|---|---|
| Opening documents from managed to unmanaged apps allowed | allowOpenFromManagedToUnmanaged | true |
| Opening documents from unmanaged to managed apps not allowed | allowOpenFromUnmanagedToManaged | false |

 

| iOS user friendly control name | Control name | Control value |
|---|---|---|
| Opening documents from managed to unmanaged apps not allowed | allowOpenFromManagedToUnmanaged | false |
| Opening documents from unmanaged to managed apps not allowed | allowOpenFromUnmanagedToManaged | false |
| Managed apps write to unmanaged contacts allowed | allowManagedToWriteUnmanagedContacts | true |

 

How do I deploy the new settings? 

Starting January 10, 2019 with the 1812 release, you can now configure the contact device restriction settings in the UI. Here are screenshots of where you can configure them:

[Screenshot: Contacts-1.PNG]

 

And the default settings are here:

[Screenshot: Contacts-2.PNG]

You can read more about how to deploy the new settings through the documentation here:

 

NOTE: There is a UI bug that indicates that "Allow managed apps to write contacts to unmanaged contacts accounts" and "Allow unmanaged apps to read from managed contacts accounts" are both supervised only. That is not the case: you do not need supervised mode to use this feature. This is a UI bug that will be fixed in a future release. There's no service-side check for supervised for these features.

 

When a user can save contacts, they will see an experience similar to the following:

[Screenshot: RossPost12_10_18_IMG_0700.PNG]

 

We are leaving the instructions for deploying a custom profile in this post in case that's something you'd like to do in the future, though we recommend that you use the settings in the UI. You can deploy a custom profile to enrolled iOS devices to enable the allowManagedToWriteUnmanagedContacts control. For information on how to deploy a custom configuration, see https://docs.microsoft.com/intune/custom-settings-ios.

 

A sample script is provided below (this sample assumes that another profile already exists that has configured allowOpenFromManagedToUnmanaged=false and allowOpenFromUnmanagedToManaged=true). As with all scripts, be sure to test!

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Configures restrictions</string>
            <key>PayloadDisplayName</key>
            <string>Restrictions</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.applicationaccess.5301A395-9C13-41BD-A0E8-D35F4EE21805</string>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess</string>
            <key>PayloadUUID</key>
            <string>5301A395-9C13-41BD-A0E8-D35F4EE21805</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>allowManagedToWriteUnmanagedContacts</key>
            <true/>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Untitled 2</string>
    <key>PayloadIdentifier</key>
    <string>Contoso-iMac.1988A13E-0734-4215-A83B-19F21007FA52</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>F6B505A3-29D8-40A8-BF12-BF072E912E77</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
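
The combinations in the "Enabling Save Contacts" and "Preventing Save Contacts" sections can be checked against a set of profiles before deployment. The following is an added example, not part of the original post or of Intune: the function names and outcome labels are hypothetical, the profiles are constructed in code, and the rule that the most restrictive value wins when profiles disagree is an assumption.

```python
import plistlib

# Defaults as stated in the tables on this page.
DEFAULTS = {
    "allowOpenFromManagedToUnmanaged": True,
    "allowOpenFromUnmanagedToManaged": True,
    "allowManagedToWriteUnmanagedContacts": False,
}

def effective_restrictions(profiles):
    """Merge the contact-related keys from every com.apple.applicationaccess
    payload found in the given .mobileconfig byte strings."""
    seen = {key: [] for key in DEFAULTS}
    for raw in profiles:
        for payload in plistlib.loads(raw).get("PayloadContent", []):
            if payload.get("PayloadType") != "com.apple.applicationaccess":
                continue
            for key in DEFAULTS:
                if key in payload:
                    seen[key].append(bool(payload[key]))
    # Assumption: when profiles disagree, the most restrictive value (False) wins.
    return {k: (all(v) if v else DEFAULTS[k]) for k, v in seen.items()}

def outlook_save_contacts(r):
    """Classify the Outlook for iOS outcome using the combinations on this page."""
    if not r["allowOpenFromUnmanagedToManaged"]:
        return "prompt"            # Outlook cannot read the native contacts container
    if r["allowOpenFromManagedToUnmanaged"]:
        return "enabled-open"      # works, but managed data can open in unmanaged apps
    if r["allowManagedToWriteUnmanagedContacts"]:
        return "enabled"
    return "blocked-silently"      # Outlook reports no error

def make_profile(**restrictions):
    """Build a minimal constructed profile for the demo (not a deployable one)."""
    payload = {"PayloadType": "com.apple.applicationaccess", **restrictions}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

# Constructed samples: the baseline profile that the page's sample assumes already
# exists, and a profile carrying only the iOS 12.1 key, like the sample above.
BASELINE = make_profile(allowOpenFromManagedToUnmanaged=False,
                        allowOpenFromUnmanagedToManaged=True)
CONTACTS = make_profile(allowManagedToWriteUnmanagedContacts=True)

if __name__ == "__main__":
    for name, profiles in [("baseline only", [BASELINE]),
                           ("baseline + contacts", [BASELINE, CONTACTS])]:
        print(name, "->", outlook_save_contacts(effective_restrictions(profiles)))
```

A result of "enabled-open" corresponds to the configuration the NOTE above warns about, where managed data can be opened in unmanaged apps.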
 

 

Blog post updated:

  • 12/11/18 with enable iCloud contacts sync prompt screen shot
  • 12/12/18 added summary to the post 
  •  1/11/19 updated with new settings shipped in January; also updated iOS 12 to iOS 12.1 due to an Apple bug fix
  • 8/29/19 - With revised screenshots for the Intune device restriction settings.
Last update: Dec 19 2023 01:30 PM