Home
%3CLINGO-SUB%20id%3D%22lingo-sub-1063632%22%20slang%3D%22en-US%22%3ENew%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1063632%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20many%20of%20you%20know%2C%20Outlook%20for%20iOS%20supports%20a%20one-way%20contact%20export%20process%20whereby%20contacts%20from%20within%20Outlook%20can%20be%20exported%20into%20the%20native%20iOS%20Contacts%20app.%20This%20functionality%20enables%20Caller-ID%2C%20iMessage%2C%20and%20FaceTime%20integration%20for%20users%E2%80%99%20Outlook%20contacts.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20recognize%20that%20there%20are%20limitations%20and%2For%20concerns%20with%20our%20contact%20export%20process%2C%20such%20as%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EThe%20lack%20of%20a%20two-way%20synchronization%20mechanism%20means%20that%20users%20must%20remember%20to%20manage%20(create%2C%20edit%2C%20or%20delete)%20contacts%20from%20within%20Outlook%20and%20not%20the%20native%20iOS%20Contacts%20app.%20Contact%20changes%20within%20the%20native%20iOS%20Contacts%20app%20don%E2%80%99t%20get%20synchronized%20back%20to%20the%20appropriate%20Outlook%20account%2C%20which%20may%20lead%20to%20data%20loss%20when%20Outlook%E2%80%99s%20contact%20export%20process%20is%20triggered%20as%20the%20exported%20contacts%20get%20overwritten.%3C%2FLI%3E%0A%3CLI%3EOn%20enrolled%20devices%2C%20in%20order%20to%20leverage%20Outlook%E2%80%99s%20contact%20export%20process%2C%20several%20changes%20to%20device%20restrictions%20are%20required%2C%20as%20documented%20in%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FIntune-Customer-Success%2FSupport-Tip-Enabling-Outlook-iOS-Contact-Sync-with-iOS12-MDM%2Fba-p%2F298453%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3ESupport%20Tip%3A%20Enabling%20Outlook%20iOS%20Contact%20Sync%20with%20iOS12%20MDM%20Controls%3C%2FA%3E.%3C%2FLI%3E%0A%3CLI%3EOn%20enrolled%20devices%2C%20the%20exported%20Outlook%20contacts%20are%20considered%20unmanaged%20and%20are%20accessible%20to%20unmanaged%2C%20personal%20apps.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EUnfortunately%2C%20these%20issues%20are%20not%20something%20that%20Outlook%20for%20iOS%20can%20solve%20as%20we%E2%80%99re%20completely%20dependent%20on%20the%20operating%20system%20to%20provide%20a%20supported%20mechanism%20for%20bi-directional%20synchronization%20and%20for%20delivering%20managed%20contacts.%20However%2C%20with%20the%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FIntune-Customer-Success%2FManaged-Exchange-ActiveSync-Profile-improvements-in-iOS-13%2Fba-p%2F1031891%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3EManaged%20Exchange%20ActiveSync%20Profile%20improvements%20introduced%20in%20iOS13%2FiPadOS%3C%2FA%3E%2C%20organizations%20now%20have%20an%20additional%20capability%20to%20configure%20how%20users%20can%20manage%20contacts%20on%20mobile%20devices.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOn%20enrolled%20devices%2C%20users%20can%20leverage%20an%20Exchange%20ActiveSync%20profile%20that%20only%20synchronizes%20contacts.%20With%20this%20contact%20synchronization%20model%20in%20place%2C%20users%20no%20longer%20need%20to%20leverage%20Outlook%20for%20iOS%E2%80%99s%20contact%20export%20synchronization%20process.%20This%20approach%20results%20in%20two%20synchronization%20paths%20%E2%80%93%20Outlook%20leverages%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Foutlook-for-ios-and-android%2Foutlook-for-ios-and-android%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Enative%20Microsoft%20sync%20technology%3C%2FA%3E%20for%20synchronizing%20data%20within%20Outlook%2C%20and%20ActiveSync%20is%20leveraged%20by%20iOS%20to%20synchronize%20the%20contacts.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20770px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F161536iC3BF479B47EA866B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Outlook%20EAS%20contact%20sync.png%22%20title%3D%22Outlook%20EAS%20contact%20sync.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EOrganizations%20can%20adopt%20this%20approach%20by%20deploying%20the%20following%20policies%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EDeploy%20a%20managed%20Exchange%20ActiveSync%20(EAS)%20profile%20for%20contact%20synchronization.%3C%2FLI%3E%0A%3CLI%3EDeploy%20an%20Outlook%20App%20Configuration%20Policy%20(ACP)%20that%20disables%20Save%20Contacts.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EHowever%2C%20this%20approach%20should%20not%20be%20performed%20until%20all%20user%20devices%20are%20upgraded%20to%20iOS%2013%2B%20or%20iPadOS.%20This%20is%20because%20the%20managed%20EAS%20profile%20recommendation%20utilizes%20functionality%20only%20available%20in%20iOS%2013%2B%20%2F%20iPadOS.%20For%20more%20information%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FIntune-Customer-Success%2FManaged-Exchange-ActiveSync-Profile-improvements-in-iOS-13%2Fba-p%2F1031891%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3EManaged%20Exchange%20ActiveSync%20Profile%20improvements%20introduced%20in%20iOS13%2FiPadOS%3C%2FA%3E%3CSPAN%3E.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENote%3C%2FSTRONG%3E%3A%20Due%20to%20app%20configuration%20delivery%20timing%2C%20some%20users%20may%20experience%20duplicate%20contacts%20in%20the%20native%20iOS%20Contacts%20app.%20Once%20Outlook%20for%20iOS%20contact%20synchronization%20is%20disabled%2C%20the%20duplicates%20are%20removed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EDeploy%20the%20managed%20EAS%20profile%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EUsing%20the%20general%20instructions%20in%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fintune%2Fconfiguration%2Femail-settings-ios%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAdd%20e-mail%20settings%20for%20iOS%20devices%20in%20Microsoft%20Intune%3C%2FA%3E%2C%20configure%20and%20deploy%20the%20below%20managed%20EAS%20profile%20to%20your%20enrolled%20user%20base%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F161537i8A89E653F37F375E%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22MEM-Contacts%20EAS.PNG%22%20title%3D%22MEM-Contacts%20EAS.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20managed%20EAS%20profile%20forces%20OAuth%20as%20the%20authentication%20method%2C%20only%20allows%20Contacts%20synchronization%2C%20and%20prevents%20the%20user%20from%20changing%20what%20data%20types%20are%20synchronized.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENote%3C%2FSTRONG%3E%3A%20Changing%20an%20existing%20EAS%20profile%20with%20these%20new%20settings%20results%20in%20a%20new%20profile%20being%20pushed%20to%20the%20device.%20Users%20will%20be%20forced%20to%20enter%20their%20credentials%20and%20the%20profile%20changes%20won%E2%80%99t%20take%20effect%20until%20authentication%20is%20complete.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EDeploy%20the%20Outlook%20ACP%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EUsing%20the%20general%20instructions%20in%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Foutlook-for-ios-and-android%2Foutlook-for-ios-and-android-configuration-with-microsoft-intune%23deploying-configuration-scenarios-with-intune-for-unenrolled-devices%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDeploying%20Outlook%20for%20iOS%20and%20Android%20app%20configuration%20settings%3C%2FA%3E%2C%20configure%20and%20deploy%20an%20Outlook%20managed%20apps%20App%20Configuration%20Policy%20to%20your%20enrolled%20user%20base%20that%20(at%20a%20minimum)%20disables%20Save%20Contacts%20and%20prevents%20the%20user%20from%20enabling%20the%20setting%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F161538iD18A53C9A05EF919%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22MEM-Disable%20Contacts.PNG%22%20title%3D%22MEM-Disable%20Contacts.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENote%3C%2FSTRONG%3E%3A%20A%20managed%20apps%20ACP%20requires%20the%20assigned%20users%20to%20have%20an%20App%20Protection%20Policy.%20For%20more%20information%20on%20recommended%20approaches%20to%20deploying%20Outlook%20general%20app%20configuration%2C%20see%20%3CA%20href%3D%22http%3A%2F%2Faka.ms%2Fomappconfig%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Faka.ms%2Fomappconfig%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20the%20above%20changes%2C%20Contacts%20for%20the%20user%E2%80%99s%20account%20synchronize%20into%20the%20native%20iOS%20Contacts%20app%20via%20the%20managed%20EAS%20profile.%20As%20these%20changes%20are%20driven%20by%20IT%2C%20end%20users%20do%20not%20need%20to%20take%20any%20action%20other%20than%20entering%20their%20credentials%20for%20the%20managed%20EAS%20profile.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWhat%20are%20the%20benefits%20of%20this%20approach%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EThe%20user%20can%20use%20the%20native%20iOS%20Contacts%20app%20for%20all%20contact%20management%2C%20if%20they%20desire.%20Contacts%20synchronize%20back%20into%20the%20user%E2%80%99s%20Exchange%20mailbox%20via%20the%20ActiveSync%20protocol%20and%20synchronize%20into%20Outlook%20for%20iOS%20over%20the%20Microsoft%20sync%20technology.%20Likewise%2C%20if%20the%20user%20performs%20any%20contact%20management%20within%20Outlook%20for%20iOS%2C%20those%20changes%20propagate%20to%20the%20native%20iOS%20Contacts%20app%20through%20ActiveSync%20synchronization.%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20native%20iOS%20Contacts%20app%2C%20users%20can%20manually%20search%20the%20global%20address%20list.%3C%2FLI%3E%0A%3CLI%3EScenarios%20that%20can%20result%20in%20contact%20duplication%20are%20minimized%20(if%20not%20removed%20completely).%3C%2FLI%3E%0A%3CLI%3EWhen%20coupled%20with%20other%20device%20enrollment%20restrictions%2C%20like%20%3CSTRONG%3EViewing%20corporate%20documents%20in%20unmanaged%20apps%20%3C%2FSTRONG%3E(allowOpenFromManagedToUnmanaged)%2C%20the%20managed%20EAS%20profile%E2%80%99s%20contacts%20are%20inaccessible%20to%20unmanaged%2C%20personal%20apps.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSTRONG%3EWhat%20are%20the%20limitations%20and%2For%20things%20to%20think%20through%20with%20this%20approach%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CEM%3EThis%20approach%20requires%20iOS%2013%2B%20%2F%20iPadOS%3C%2FEM%3E.%20Older%20iOS%20versions%20ignore%20the%20data%20type%20restriction%20and%20sync%20all%20data%20types.%3C%2FLI%3E%0A%3CLI%3E%3CEM%3EDevice%20enrollment%20is%20required%3C%2FEM%3E.%20Many%20organizations%20use%20App%20Protection%20Policies%20and%20not%20full%20device%20or%20user%20enrollment%20on%20personally-owned%20devices.%3C%2FLI%3E%0A%3CLI%3E%3CEM%3EConditional%20access%20policy%20changes%20are%20required%3C%2FEM%3E.%20The%20%E2%80%9CRequire%20approved%20client%20app%E2%80%9D%20or%20%E2%80%9CRequire%20app%20protection%20policy%E2%80%9D%20grant%20controls%20cannot%20be%20targeted%20against%20the%20iOS%20platform%20and%20Office%20365%20Exchange%20Online%20cloud%20app%20for%20modern%20authentication%20capable%20clients.%20Instead%2C%20the%20%E2%80%9CRequire%20device%20to%20be%20marked%20as%20compliant%E2%80%9D%20grant%20control%20must%20be%20used.%3C%2FLI%3E%0A%3CLI%3E%3CEM%3EIT%20organizations%20are%20not%20able%20to%20control%20which%20messaging%20apps%20are%20used%3C%2FEM%3E.%20As%20the%20%E2%80%9CRequire%20app%20protection%20policy%E2%80%9D%20or%20%E2%80%9CRequire%20app%20protection%20policy%E2%80%9D%20grant%20controls%20are%20not%20applied%20to%20Exchange%20Online%20for%20iOS%20devices%2C%20any%20modern%20authentication%20capable%20messaging%20client%20will%20be%20able%20to%20connect%20(e.g.%2C%20an%20Exchange%20Web%20Services%20or%20third-party%20ActiveSync%20client)%20and%20access%20messaging%20data%20on%20enrolled%20iOS%20devices.%3C%2FLI%3E%0A%3CLI%3E%3CEM%3EUsers%20may%20be%20able%20to%20access%20work%20or%20school%20content%20before%20an%20app%20protection%20policy%20is%20applied%3C%2FEM%3E.%20As%20the%20%E2%80%9CRequire%20app%20protection%20policy%E2%80%9D%20grant%20control%20cannot%20be%20used%20with%20Exchange%20Online%20and%20iOS%20devices%2C%20policy%20assurance%20for%20Outlook%20for%20iOS%20is%20not%20guaranteed.%20Also%2C%20messaging%20apps%20that%20do%20not%20support%20App%20Protection%20policies%20will%20be%20able%20to%20access%20messaging%20data%20on%20enrolled%20iOS%20devices.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EWe%20believe%20that%20for%20the%20vast%20majority%20of%20organizations%2C%20the%20recommendations%20we%E2%80%99ve%20outlined%20in%20the%20Ignite%202019%20session%2C%20%3CA%20href%3D%22https%3A%2F%2Fmyignite.techcommunity.microsoft.com%2Fsessions%2F81024%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EOutlook%20mobile%3A%20The%20gold%20standard%20for%20secure%20communications%20in%20the%20enterprise%3C%2FA%3E%20%2C%20and%20in%20our%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fexchange%2Foutlook%2Fmobile%2Fmedia%2Foutlook-mobile-security-for-enterprise.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EOutlook%20mobile%20security%20in%20the%20enterprise%3C%2FA%3E%20whitepaper%20provides%20IT%20and%20users%20a%20viable%20and%20secure%20contact%20management%20solution.%20This%20includes%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EUse%20of%20the%20%E2%80%9CRequire%20app%20protection%20policy%E2%80%9D%20Azure%20Active%20Directory%20Conditional%20Access%20grant%20control%20to%20block%20Exchange%20ActiveSync%20and%20other%20modern%20authentication%20capable%20messaging%20protocol%20apps%2C%20by%20only%20allowing%20Outlook%20for%20iOS%20and%20Android.%3C%2FLI%3E%0A%3CLI%3EUse%20of%20Intune%20App%20Protection%20Policies%20to%20protect%20school%20or%20work%20content%20within%20the%20apps%20and%20between%20accounts.%3C%2FLI%3E%0A%3CLI%3EUse%20of%20Intune%20App%20Configuration%20Policies%20to%20enable%20Save%20Contacts%20and%20limit%20the%20exported%20contact%20data%20fields%20that%20are%20exported%20to%20the%20native%20iOS%20Contacts%20app.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EWith%20any%20solution%20you%20need%20to%20balance%20your%20security%20requirements%20with%20end%20user%20productivity.%20We%20recognize%20the%20need%20for%20this%20flexibility%2C%20so%20we%20hope%20you%20find%20the%20above%20scenario%20useful.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23ff6600%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%20color%3D%22%23ff6600%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ERoss%20Smith%20IV%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%20%2F%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EPrincipal%20Program%20Manager%3C%2FSPAN%3E%3CBR%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%20%2F%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3ECustomer%20Experience%20Engineering%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1063632%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20this%20article%2C%20Ross%20shares%20how%20the%20new%26nbsp%3B%3CSPAN%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3Edata%20type%20synchronization%20options%20available%20in%20iOS%2013%20and%20iPadOS%20for%20managed%20Exchange%20ActiveSync%20profiles%20can%20be%20used%20in%20conjunction%20with%20Outlook%20for%20iOS%20to%20provide%20an%20alternative%20contact%20synchronization%20experience.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1063632%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EEMS%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EiOS%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOutlook%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070208%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070208%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Ross%2C%20thanks%20for%20this%20update.%20We%20have%20been%20looking%20at%20InTune%20as%20a%20viable%20option%20move%20from%20an%20existing%20EMM%20provider%20with%20predominately%20enrolled%20corporate%20iOS%20devices.%26nbsp%3B%20Given%20the%20limitations%20highlighted%20above%20with%20this%20approach%2C%20and%20the%20limitations%20of%20the%20alternative%20option%20(one-way%20export%20to%20un-managed%20contacts%20requiring%20an%20iCloud%20account)%2C%20we're%20left%20wondering%20why%20there%20are%20no%20plans%20to%20utilize%20the%20Apple%20Call%20Kit%20as%20per%20other%20EMM%20providers%20solution.%26nbsp%3B%20%26nbsp%3B%20It%20still%20doesn't%20seem%20like%20a%20happy%20balance%20can%20be%20struck%20-%20with%20the%20approach%20above%20we'd%20need%20to%20be%20looking%20at%20having%20to%20whitleist%2Fblacklist%20apps%20due%20to%20the%20issue%20of%20other%20app%20clients%20being%20able%20to%20communicate%20with%20EOL.%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070225%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070225%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%2C%20my%20biggest%20fear%20around%20ActiveSync%20in%20the%20past%20had%20been%20Basic%20Auth%2C%20but%20it%20looks%20as%20though%20this%20method%20allows%20us%20to%20leverage%20OAuth.%20It's%20still%20certainly%20not%20a%20solution%20to%20this%20problem%2C%20but%20it%20seems%20a%20viable%20workaround.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1071673%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1071673%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Ross%2C%20thanks%20for%20this%20guide%20on%20how%20to%20achieve%20caller-ID%2C%20iMessage%2C%20etc.%20while%20having%20a%20working%20two-way%20sync%20of%20contact%20details.%20But%20how%20about%20password%20changes%2C%20does%20the%20user%20needs%20to%20change%20the%20password%20in%20Outlook%20and%20in%20the%20native%20app%20%2F%20profile%3F%20Also%20why%20can%C2%B4t%20there%20be%20some%20kind%20of%20solution%20on%20Apple%C2%B4s%20end%2C%20to%20get%20caller-ID%20working%20with%20third%20party%20apps%20like%20Outlook%3F%20Our%20enterprise%20strictly%20separates%20company%20data%20and%20private%20data%20on%20iOS%20and%20Android%20devices%20(far%20better%20on%20Android%20because%20of%20work%20profiles)%2C%20thus%20syncing%20to%20the%20native%20app%20also%20enables%20other%20un-managed%20apps%20to%20access%20company%20data%20like%20phone%20numbers%20(e.g.%20WhatsApp%2C%20WeChat%2C%20you%20name%20it).%20It%C2%B4s%20kind%20of%20a%20struggle%20to%20handle%20company%20contacts%2C%20either%20you%20are%20following%20GDPR%20(we%20have%20several%20branches%20in%20Europe)%20and%20have%20it%20separated%20or%20you%20have%20the%20comfort%20of%20having%20caller-ID%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Funamused_40x40.gif%22%20alt%3D%22%3Aunamused%3A%22%20title%3D%22%3Aunamused%3A%22%20%2F%3E%20I%20hope%20there%20will%20be%20a%20real%20solution%20and%20Apple%20gets%20something%20like%20Android%20Work%20Profiles%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fsad_40x40_1.gif%22%20alt%3D%22%3Asad%3A%22%20title%3D%22%3Asad%3A%22%20%2F%3E%3C%2FP%3E%3CP%3EMike%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1071697%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1071697%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F444466%22%20target%3D%22_blank%22%3E%40mike688%3C%2FA%3E%26nbsp%3Bsimilar%20requirements%20here%2C%20ideally%20we%20would%20like%20to%20apply%20the%20'Account%20modification'%20restriction%20policy%20that%20blocks%20ability%20add%20all%20accounts%20including%20iCloud.%26nbsp%3B%20%26nbsp%3BThe%20issue%20with%20that%20is%20using%20the%20EAS%20Contact%20sync%20solution%20with%20username%2Fpassword%20auth%2C%20you%20cannot%20change%20the%20update%20the%20password%20when%20it%20expires.%26nbsp%3B%20The%20only%20alternative%20as%20far%20as%20I%20can%20see%20is%20SCEP%20authentication%2C%20which%20is%20more%20unwanted%20complexity%20for%20a%20small%20capability%2C%20albeit%20we%20do%20use%20it%20against%20an%20existing%20on-prem%20EMM.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074061%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074061%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F444466%22%20target%3D%22_blank%22%3E%40mike688%3C%2FA%3E%26nbsp%3B-%20Yes%2C%20when%20the%20user's%20password%20expires%2C%20the%20OAuth%20refresh%20token%20will%20be%20revoked%20and%20the%20user%20will%20be%20prompted%20to%20authenticate%20again%20once%20the%20active%20token%20expires.%20The%20user%20will%20have%20to%20authenticate%20separately%20in%20iOS%20and%20Outlook.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F491440%22%20target%3D%22_blank%22%3E%40Frazzled%3C%2FA%3E%26nbsp%3B-%20Not%20sure%20I%20follow%20-%20the%20user%20will%20get%20prompted%20to%20authenticate%20once%20the%20token%20expires.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074145%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074145%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70852%22%20target%3D%22_blank%22%3E%40Ross%20Smith%20IV%3C%2FA%3E%26nbsp%3BTo%20clarify%2C%20it%20is%20not%20viable%20for%20us%20to%20allow%20un-managed%20contacts%20via%20the%20Outlook%20App%20contact%20export%20(option%201).%26nbsp%3B%20To%20even%20get%20this%20to%20work%20you%20need%20to%20have%20an%20iCloud%20account%20enabled%2C%20so%20immediately%20you%20are%20in%20a%20data%20loss%20position%2C%20even%20if%20limiting%20the%20data%20fields%20that%20can%20be%20exported.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20fallback%20is%20then%20the%20EAS%20profile%20as%20described%20in%20your%20article%2C%20which%20has%20two%20issues.%26nbsp%3B%20Firstly%2C%20it%20would%20be%20preferable%20(for%20us)%20on%20Corporate%20Owned%20devices%20to%20apply%20the%20MDM%20'Account%20Restriction'%20with%20a%20block%20setting.%26nbsp%3B%20This%20has%20the%20effect%20of%20locking%20out%20the%20EAS%20account%20under%20iOS%20Settings%20-%20when%20the%20configuration%20is%20deployed%20the%20user%20cannot%20enter%20credentials.%26nbsp%3B%20The%20only%20way%20around%20this%20is%20using%20SCEP%20for%20authentication%20as%20far%20as%20I%20can%20see%20which%20is%20a%20lot%20of%20overhead%20unless%20there%20is%20a%20requirement%20elsewhere.%26nbsp%3B%20%26nbsp%3B%20The%202nd%20issue%20is%20one%20of%20usability%20-%20the%20user%20has%20to%20enter%20credentials%20twice%20upon%20password%20resets%20%2F%20token%20expiry%20etc.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20if%20Caller-ID%20were%20available%20using%20Apple%20CallKit%20capability%20through%20the%20Outlook%20App%2C%20it%20would%20require%20much%20less%20management%20and%20a%20deliver%20a%20better%20user%20experience%20as%20we%20would%20have%20less%20concerns%20about%20opening%20up%20the%20rest%20of%20the%20devices%20for%20personal%20usage.%26nbsp%3B%20In%20my%20opinion!%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fsmile_40x40.gif%22%20alt%3D%22%3Asmile%3A%22%20title%3D%22%3Asmile%3A%22%20%2F%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074196%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074196%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F491440%22%20target%3D%22_blank%22%3E%40Frazzled%3C%2FA%3E%26nbsp%3BOutlook%20for%20iOS%20does%20not%20require%20an%20iCloud%20account%20for%20contact%20export.%20The%20prompt%20is%20somewhat%20misleading%20(mentioned%20here%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FIntune-Customer-Success%2FSupport-Tip-Enabling-Outlook-iOS-Contact-Sync-with-iOS12-MDM%2Fba-p%2F298453%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FIntune-Customer-Success%2FSupport-Tip-Enabling-Outlook-iOS-Contact-Sync-with-iOS12-MDM%2Fba-p%2F298453%3C%2FA%3E).%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22xmsonormal%22%3EOutlook%20for%20iOS%20requires%20a%20contact%20container%20to%20exist%20in%20order%20to%20sync%20contacts%20into%20the%20native%20app.%20When%20you%20enable%20save%20contacts%20we%20attempt%20a%20read%20action%2C%20if%20that%20fails%20(either%20because%20Outlook%20has%20no%20capability%20to%20read%20due%20to%20MDM%20controls%2C%20or%20because%20there%20exists%20no%20container%20in%20which%20to%20read%20from)%2C%20Outlook%20will%20prompt%20the%20user%20to%20enable%20iCloud%20sync%20for%20Contacts%20%E2%80%93%20this%20is%20because%20Outlook%20has%20no%20capability%20to%20create%20a%20container%20and%20iCloud%20sync%20will%20create%20one%20(iOS%20only%20supports%20three%20types%20of%20%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdeveloper.apple.com%252Fdocumentation%252Fcontacts%252Fcncontainertype%26amp%3Bdata%3D02%257C01%257Crosssmi%2540exchange.microsoft.com%257C7d78ae3f81064f4da16608d6b9352759%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C636900035324145609%26amp%3Bsdata%3DvejkimOFj2ZOi2LH%252FvdonJLVBB5kEtHICizIZTdGlhY%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Econtainers%3C%2FA%3E%20%E2%80%93%20local%2C%20Exchange%2C%20cardDAV%20%E2%80%93%20from%20their%20names%20you%20probably%20understand%20how%20they%20get%20created%20%E2%80%93%20Exchange%20is%20an%20EAS%20profile).%3C%2FP%3E%0A%3CP%20class%3D%22xmsonormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22xmsonormal%22%3ESince%20you've%20deployed%20supervised%20devices%2C%20it%20makes%20sense%20that%20you're%20seeing%20this%20prompt.%3C%2FP%3E%0A%3CP%20class%3D%22xmsonormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22xmsonormal%22%3EAs%20for%20CallKit%2C%20it%20would%20provide%20caller-ID%20for%20phone%20numbers%20found%20within%20Outlook%2C%20that's%20it.%20If%20users%20want%20a%20complete%20end-to-end%20solution%20for%20all%20scenarios%20(e.g.%2C%20text%20messaging)%2C%20users%20will%20only%20get%20that%20by%20having%20the%20contact%20in%20the%20local%20contacts%20app%2C%20which%20means%20they%20are%20creating%20contacts%20to%20get%20that%20ease%20of%20use%20capability.%3C%2FP%3E%0A%3CP%20class%3D%22xmsonormal%22%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074220%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074220%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70852%22%20target%3D%22_blank%22%3E%40Ross%20Smith%20IV%3C%2FA%3E%26nbsp%3Bnoted%20thanks%20Ross%2C%20I%20appreciate%20you%20have%20to%20workaround%20the%20limitations%20of%20the%20OS.%26nbsp%3B%20%26nbsp%3BI%20think%20the%20full%20contacts%20sync%20option%20is%20neat%20and%20a%20better%20user%20experience%2C%20however%20as%20noted%20in%20your%20article%20there%20is%20a%20security%20trade-off%20it%20seems%20around%20the%20conditional%20access%20policies.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074364%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074364%22%20slang%3D%22en-US%22%3E%3CP%3EIt's%20not%20clear%20to%20me%20what%20is%20stopping%20the%20user%20from%20creating%20their%20own%20mail-enabled%20profile%20of%20their%20own%20volition.%26nbsp%3B%20If%20I%20deploy%20a%20locked-down%20%22Contacts-only%22%20profile%2C%20they%20can%20still%20create%20an%20%22Everything-but-contacts%22%20profile%20to%20circumvent%20my%20controls%2C%20correct%3F%26nbsp%3B%20There%20are%20no%20conditional%20access%20policies%20that%20block%20authentication%20attempts%20only%20when%20using%20an%20unmanaged%20profile%20that%20I%20know%20of.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074769%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074769%22%20slang%3D%22en-US%22%3E%3CP%3EOh%2C%20I%20think%20I%20see.%26nbsp%3B%20If%20you%20try%20to%20create%20a%20second%20Exchange%20profile%20on%20an%20iOS%20device%20with%20the%20same%20Email%20address%20as%20an%20existing%20profile%2C%20you%20are%20stopped%20with%20a%20message%20stating%20%22%3CSTRONG%3ECannot%20Create%20Account%3C%2FSTRONG%3E%20An%20identical%20Exchange%20account%20already%20exists.%22%26nbsp%3B%20So%20a%20compliance%20policy%20requiring%20a%20managed%20email%20profile%20coupled%2C%20conditional%20access%20policies%20requiring%20compliant%20devices%20and%20the%20locked-down%20Contacts-only%20configuration%20profile%20should%20indeed%20do%20the%20trick.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1147562%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1147562%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F131751%22%20target%3D%22_blank%22%3E%40Philip%20Kluss%3C%2FA%3E%2C%20good%20point%2C%20however%20as%20I%20understand%20it%20if%20a%20user%20has%20an%20alias%20email%20addresses%20they%20maybe%20able%20to%20create%20a%20second%20iOS%20EAS%20profile%20and%20get%20around%20the%20%22Cannot%20Create%20account%2C%20An%20identical%20Exchange%20account%20already%20exists.%22.%20Also%2C%20if%20a%20different%20host%20alias%20is%20used%20they%20would%20be%20able%20to%20create%20a%20second%20profile.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1169546%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1169546%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20you%20also%20have%20to%20enable%20EAS%20in%20the%20users%20Exchange%20profile%2C%20or%20are%20the%20policy%20and%20config%20enough%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1171739%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1171739%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20reference%20to%20my%20previous%20question.%26nbsp%3B%20The%20reason%20I%20was%20asking%20was%20because%20many%20of%20the%20user%20in%20our%20test%20group%20were%20being%20presented%20with%20a%20%22Need%20Admin%20Approval%22%20screen%20after%20receiving%20the%20EAS%20profile%2C%20and%20trying%20to%20authenticate.%26nbsp%3B%20It%20turned%20out%20we%20had%20to%20have%20Integrated%20Apps%20allowed%20for%20the%20tenant%20in%20order%20for%20them%20to%20authenticate.%26nbsp%3B%20A%20few%20of%20us%20did%20not%20experience%20this.%26nbsp%3B%20Can%20you%20explain%20what%20the%20need%20is%20for%20Integrated%20Apps%20and%20why%20it%20wasn't%20consistent%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1171960%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1171960%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F554951%22%20target%3D%22_blank%22%3E%40Rob_Pasell%3C%2FA%3E%26nbsp%3B-%20EAS%20has%20to%20be%20enabled%20for%20the%20user%20within%20Exchange.%20I%20cannot%20speak%20to%20what%20%22Need%20Admin%20Approval%22%20screen%20is%20as%20I've%20never%20seen%20that%20before%20nor%20do%20I%20know%20what%20%22Integrated%20Apps%22%20references.%20Probably%20best%20to%20open%20a%20support%20case.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1173947%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1173947%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70852%22%20target%3D%22_blank%22%3E%40Ross%20Smith%20IV%3C%2FA%3E%26nbsp%3BI%20think%20the%20fact%20that%20you%20need%20to%20turn%20on%20EAS%20for%20each%20user%20in%20the%20Exchange%20profile%20should%20be%20mentioned%20in%20the%20%22%3CSTRONG%3EWhat%20are%20the%20limitations%20and%2For%20things%20to%20think%20through%20with%20this%20approach%3F%22%26nbsp%3B%3C%2FSTRONG%3Esection.%26nbsp%3B%20In%20our%20initial%20reading%20we%20were%20generally%20okay%20with%20(though%20not%20thrilled%20about)%20the%20solution%20because%20we%20were%20under%20the%20impression%20the%20profile%20would%20bypass%20the%20Exchange%20profile%20setting%20for%20this%20one%20attribute.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1176918%22%20slang%3D%22en-US%22%3ERe%3A%20New%20contact%20sync%20scenario%20available%20with%20Outlook%20for%20iOS%20on%20enrolled%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1176918%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Ross%2C%3C%2FP%3E%3CP%3Ethank%20you%20for%20sharing%20this%20very%20helpful%20article.%20I%20see%20many%20improvements%20in%20the%20end-to-end%20scenario.%3CBR%20%2F%3EOur%20customers%20still%20have%20an%20issue%20with%20some%20best%20practice%20MDM%20Controls%20and%20the%20Outlook%20app%20like%20you%20described%20here.%3C%2FP%3E%3CP%3EIn%20the%20case%2C%20you%20block%20access%20from%20outlook%20to%20the%20native%20contact%20app%2C%20you%20will%20be%20not%20able%20to%20create%20contacts%20from%20within%20the%20Outlook%20app.%3CBR%20%2F%3EDid%20I%20miss%20anything%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

As many of you know, Outlook for iOS supports a one-way contact export process whereby contacts from within Outlook can be exported into the native iOS Contacts app. This functionality enables Caller-ID, iMessage, and FaceTime integration for users’ Outlook contacts.

 

We recognize that there are limitations and/or concerns with our contact export process, such as:

  • The lack of a two-way synchronization mechanism means that users must remember to manage (create, edit, or delete) contacts from within Outlook and not the native iOS Contacts app. Contact changes within the native iOS Contacts app don’t get synchronized back to the appropriate Outlook account, which may lead to data loss when Outlook’s contact export process is triggered as the exported contacts get overwritten.
  • On enrolled devices, in order to leverage Outlook’s contact export process, several changes to device restrictions are required, as documented in Support Tip: Enabling Outlook iOS Contact Sync with iOS12 MDM Controls.
  • On enrolled devices, the exported Outlook contacts are considered unmanaged and are accessible to unmanaged, personal apps.

Unfortunately, these issues are not something that Outlook for iOS can solve as we’re completely dependent on the operating system to provide a supported mechanism for bi-directional synchronization and for delivering managed contacts. However, with the Managed Exchange ActiveSync Profile improvements introduced in iOS13/iPadOS, organizations now have an additional capability to configure how users can manage contacts on mobile devices.

 

On enrolled devices, users can leverage an Exchange ActiveSync profile that only synchronizes contacts. With this contact synchronization model in place, users no longer need to leverage Outlook for iOS’s contact export synchronization process. This approach results in two synchronization paths – Outlook leverages the native Microsoft sync technology for synchronizing data within Outlook, and ActiveSync is leveraged by iOS to synchronize the contacts.

 

Outlook EAS contact sync.png

Organizations can adopt this approach by deploying the following policies:

  1. Deploy a managed Exchange ActiveSync (EAS) profile for contact synchronization.
  2. Deploy an Outlook App Configuration Policy (ACP) that disables Save Contacts.

However, this approach should not be performed until all user devices are upgraded to iOS 13+ or iPadOS. This is because the managed EAS profile recommendation utilizes functionality only available in iOS 13+ / iPadOS. For more information, see Managed Exchange ActiveSync Profile improvements introduced in iOS13/iPadOS.

 

Note: Due to app configuration delivery timing, some users may experience duplicate contacts in the native iOS Contacts app. Once Outlook for iOS contact synchronization is disabled, the duplicates are removed.

 

Deploy the managed EAS profile

Using the general instructions in Add e-mail settings for iOS devices in Microsoft Intune, configure and deploy the below managed EAS profile to your enrolled user base:

 

MEM-Contacts EAS.PNG

 

This managed EAS profile forces OAuth as the authentication method, only allows Contacts synchronization, and prevents the user from changing what data types are synchronized.

 

Note: Changing an existing EAS profile with these new settings results in a new profile being pushed to the device. Users will be forced to enter their credentials and the profile changes won’t take effect until authentication is complete.

 

Deploy the Outlook ACP

Using the general instructions in Deploying Outlook for iOS and Android app configuration settings, configure and deploy an Outlook managed apps App Configuration Policy to your enrolled user base that (at a minimum) disables Save Contacts and prevents the user from enabling the setting:

 

MEM-Disable Contacts.PNG

 

Note: A managed apps ACP requires the assigned users to have an App Protection Policy. For more information on recommended approaches to deploying Outlook general app configuration, see http://aka.ms/omappconfig.

 

With the above changes, Contacts for the user’s account synchronize into the native iOS Contacts app via the managed EAS profile. As these changes are driven by IT, end users do not need to take any action other than entering their credentials for the managed EAS profile.

 

What are the benefits of this approach?

  • The user can use the native iOS Contacts app for all contact management, if they desire. Contacts synchronize back into the user’s Exchange mailbox via the ActiveSync protocol and synchronize into Outlook for iOS over the Microsoft sync technology. Likewise, if the user performs any contact management within Outlook for iOS, those changes propagate to the native iOS Contacts app through ActiveSync synchronization.
  • From within the native iOS Contacts app, users can manually search the global address list.
  • Scenarios that can result in contact duplication are minimized (if not removed completely).
  • When coupled with other device enrollment restrictions, like Viewing corporate documents in unmanaged apps (allowOpenFromManagedToUnmanaged), the managed EAS profile’s contacts are inaccessible to unmanaged, personal apps.

What are the limitations and/or things to think through with this approach?

  • This approach requires iOS 13+ / iPadOS. Older iOS versions ignore the data type restriction and sync all data types.
  • Device enrollment is required. Many organizations use App Protection Policies and not full device or user enrollment on personally-owned devices.
  • Conditional access policy changes are required. The “Require approved client app” or “Require app protection policy” grant controls cannot be targeted against the iOS platform and Office 365 Exchange Online cloud app for modern authentication capable clients. Instead, the “Require device to be marked as compliant” grant control must be used.
  • IT organizations are not able to control which messaging apps are used. As the “Require app protection policy” or “Require app protection policy” grant controls are not applied to Exchange Online for iOS devices, any modern authentication capable messaging client will be able to connect (e.g., an Exchange Web Services or third-party ActiveSync client) and access messaging data on enrolled iOS devices.
  • Users may be able to access work or school content before an app protection policy is applied. As the “Require app protection policy” grant control cannot be used with Exchange Online and iOS devices, policy assurance for Outlook for iOS is not guaranteed. Also, messaging apps that do not support App Protection policies will be able to access messaging data on enrolled iOS devices.

We believe that for the vast majority of organizations, the recommendations we’ve outlined in the Ignite 2019 session, Outlook mobile: The gold standard for secure communications in the enterprise​, and in our Outlook mobile security in the enterprise whitepaper provides IT and users a viable and secure contact management solution. This includes:

  • Use of the “Require app protection policy” Azure Active Directory Conditional Access grant control to block Exchange ActiveSync and other modern authentication capable messaging protocol apps, by only allowing Outlook for iOS and Android.
  • Use of Intune App Protection Policies to protect school or work content within the apps and between accounts.
  • Use of Intune App Configuration Policies to enable Save Contacts and limit the exported contact data fields that are exported to the native iOS Contacts app.

With any solution you need to balance your security requirements with end user productivity. We recognize the need for this flexibility, so we hope you find the above scenario useful.

 

Ross Smith IV
Principal Program Manager
Customer Experience Engineering

16 Comments
Regular Visitor

Hi Ross, thanks for this update. We have been looking at InTune as a viable option move from an existing EMM provider with predominately enrolled corporate iOS devices.  Given the limitations highlighted above with this approach, and the limitations of the alternative option (one-way export to un-managed contacts requiring an iCloud account), we're left wondering why there are no plans to utilize the Apple Call Kit as per other EMM providers solution.    It still doesn't seem like a happy balance can be struck - with the approach above we'd need to be looking at having to whitleist/blacklist apps due to the issue of other app clients being able to communicate with EOL.   

Visitor

Thanks, my biggest fear around ActiveSync in the past had been Basic Auth, but it looks as though this method allows us to leverage OAuth. It's still certainly not a solution to this problem, but it seems a viable workaround.

New Contributor

Hello Ross, thanks for this guide on how to achieve caller-ID, iMessage, etc. while having a working two-way sync of contact details. But how about password changes, does the user needs to change the password in Outlook and in the native app / profile? Also why can´t there be some kind of solution on Apple´s end, to get caller-ID working with third party apps like Outlook? Our enterprise strictly separates company data and private data on iOS and Android devices (far better on Android because of work profiles), thus syncing to the native app also enables other un-managed apps to access company data like phone numbers (e.g. WhatsApp, WeChat, you name it). It´s kind of a struggle to handle company contacts, either you are following GDPR (we have several branches in Europe) and have it separated or you have the comfort of having caller-ID :unamused: I hope there will be a real solution and Apple gets something like Android Work Profiles :sad:

Mike

Regular Visitor

@mike688 similar requirements here, ideally we would like to apply the 'Account modification' restriction policy that blocks ability add all accounts including iCloud.   The issue with that is using the EAS Contact sync solution with username/password auth, you cannot change the update the password when it expires.  The only alternative as far as I can see is SCEP authentication, which is more unwanted complexity for a small capability, albeit we do use it against an existing on-prem EMM.  

Microsoft

@mike688 - Yes, when the user's password expires, the OAuth refresh token will be revoked and the user will be prompted to authenticate again once the active token expires. The user will have to authenticate separately in iOS and Outlook.

 

@Frazzled - Not sure I follow - the user will get prompted to authenticate once the token expires.

Regular Visitor

@Ross Smith IV To clarify, it is not viable for us to allow un-managed contacts via the Outlook App contact export (option 1).  To even get this to work you need to have an iCloud account enabled, so immediately you are in a data loss position, even if limiting the data fields that can be exported. 

 

The fallback is then the EAS profile as described in your article, which has two issues.  Firstly, it would be preferable (for us) on Corporate Owned devices to apply the MDM 'Account Restriction' with a block setting.  This has the effect of locking out the EAS account under iOS Settings - when the configuration is deployed the user cannot enter credentials.  The only way around this is using SCEP for authentication as far as I can see which is a lot of overhead unless there is a requirement elsewhere.    The 2nd issue is one of usability - the user has to enter credentials twice upon password resets / token expiry etc.

 

So, if Caller-ID were available using Apple CallKit capability through the Outlook App, it would require much less management and a deliver a better user experience as we would have less concerns about opening up the rest of the devices for personal usage.  In my opinion! :smile:

 

 

Microsoft

@Frazzled Outlook for iOS does not require an iCloud account for contact export. The prompt is somewhat misleading (mentioned here - https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Enabling-Outlook-iOS-Cont...). 

Outlook for iOS requires a contact container to exist in order to sync contacts into the native app. When you enable save contacts we attempt a read action, if that fails (either because Outlook has no capability to read due to MDM controls, or because there exists no container in which to read from), Outlook will prompt the user to enable iCloud sync for Contacts – this is because Outlook has no capability to create a container and iCloud sync will create one (iOS only supports three types of containers – local, Exchange, cardDAV – from their names you probably understand how they get created – Exchange is an EAS profile).

 

Since you've deployed supervised devices, it makes sense that you're seeing this prompt.

 

As for CallKit, it would provide caller-ID for phone numbers found within Outlook, that's it. If users want a complete end-to-end solution for all scenarios (e.g., text messaging), users will only get that by having the contact in the local contacts app, which means they are creating contacts to get that ease of use capability.

 

Regular Visitor

@Ross Smith IV noted thanks Ross, I appreciate you have to workaround the limitations of the OS.   I think the full contacts sync option is neat and a better user experience, however as noted in your article there is a security trade-off it seems around the conditional access policies. 

 

 

 

Contributor

It's not clear to me what is stopping the user from creating their own mail-enabled profile of their own volition.  If I deploy a locked-down "Contacts-only" profile, they can still create an "Everything-but-contacts" profile to circumvent my controls, correct?  There are no conditional access policies that block authentication attempts only when using an unmanaged profile that I know of.

Contributor

Oh, I think I see.  If you try to create a second Exchange profile on an iOS device with the same Email address as an existing profile, you are stopped with a message stating "Cannot Create Account An identical Exchange account already exists."  So a compliance policy requiring a managed email profile coupled, conditional access policies requiring compliant devices and the locked-down Contacts-only configuration profile should indeed do the trick.

 

Thanks.

Senior Member
@Philip Kluss, good point, however as I understand it if a user has an alias email addresses they maybe able to create a second iOS EAS profile and get around the "Cannot Create account, An identical Exchange account already exists.". Also, if a different host alias is used they would be able to create a second profile.
Visitor

Do you also have to enable EAS in the users Exchange profile, or are the policy and config enough?

Visitor

In reference to my previous question.  The reason I was asking was because many of the user in our test group were being presented with a "Need Admin Approval" screen after receiving the EAS profile, and trying to authenticate.  It turned out we had to have Integrated Apps allowed for the tenant in order for them to authenticate.  A few of us did not experience this.  Can you explain what the need is for Integrated Apps and why it wasn't consistent?

Microsoft

@Rob_Pasell - EAS has to be enabled for the user within Exchange. I cannot speak to what "Need Admin Approval" screen is as I've never seen that before nor do I know what "Integrated Apps" references. Probably best to open a support case.

Visitor

@Ross Smith IV I think the fact that you need to turn on EAS for each user in the Exchange profile should be mentioned in the "What are the limitations and/or things to think through with this approach?" section.  In our initial reading we were generally okay with (though not thrilled about) the solution because we were under the impression the profile would bypass the Exchange profile setting for this one attribute.

Senior Member

Hi Ross,

thank you for sharing this very helpful article. I see many improvements in the end-to-end scenario.
Our customers still have an issue with some best practice MDM Controls and the Outlook app like you described here.

In the case, you block access from outlook to the native contact app, you will be not able to create contacts from within the Outlook app.
Did I miss anything?