As many of you know, Outlook for iOS supports a one-way contact export process whereby contacts from within Outlook can be exported into the native iOS Contacts app. This functionality enables Caller-ID, iMessage, and FaceTime integration for users’ Outlook contacts.
We recognize that there are limitations and/or concerns with our contact export process, such as:
Unfortunately, these issues are not something that Outlook for iOS can solve as we’re completely dependent on the operating system to provide a supported mechanism for bi-directional synchronization and for delivering managed contacts. However, with the Managed Exchange ActiveSync Profile improvements introduced in iOS13/iPadOS, organizations now have an additional capability to configure how users can manage contacts on mobile devices.
On enrolled devices, users can leverage an Exchange ActiveSync profile that only synchronizes contacts. With this contact synchronization model in place, users no longer need to leverage Outlook for iOS’s contact export synchronization process. This approach results in two synchronization paths – Outlook leverages the native Microsoft sync technology for synchronizing data within Outlook, and ActiveSync is leveraged by iOS to synchronize the contacts.
Organizations can adopt this approach by deploying the following policies:
However, this approach should not be performed until all user devices are upgraded to iOS 13+ or iPadOS. This is because the managed EAS profile recommendation utilizes functionality only available in iOS 13+ / iPadOS. For more information, see Managed Exchange ActiveSync Profile improvements introduced in iOS13/iPadOS.
Note: Due to app configuration delivery timing, some users may experience duplicate contacts in the native iOS Contacts app. Once Outlook for iOS contact synchronization is disabled, the duplicates are removed.
Deploy the managed EAS profile
Using the general instructions in Add e-mail settings for iOS devices in Microsoft Intune, configure and deploy the below managed EAS profile to your enrolled user base:
This managed EAS profile forces OAuth as the authentication method, only allows Contacts synchronization, and prevents the user from changing what data types are synchronized.
Note: Changing an existing EAS profile with these new settings results in a new profile being pushed to the device. Users will be forced to enter their credentials and the profile changes won’t take effect until authentication is complete.
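A way to check an exported profile for the three properties described above (OAuth forced, only Contacts synchronized, no user override), as an added example that is not part of the original post or Microsoft's tooling. The key names are those of Apple's `com.apple.eas.account` payload; the sample profiles and host name are constructed.

```python
import plistlib

EAS_TYPE = "com.apple.eas.account"  # Apple's Exchange ActiveSync payload type
DATA_TYPES = ("Mail", "Contacts", "Calendars", "Reminders", "Notes")

def audit_eas_profile(profile_bytes):
    """Return findings for a .mobileconfig; an empty list means it matches."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == EAS_TYPE]
    if not payloads:
        return ["no Exchange ActiveSync payload in profile"]
    findings = []
    for p in payloads:
        if p.get("OAuth") is not True:
            findings.append("OAuth is not forced")
        for dt in DATA_TYPES:
            want = dt == "Contacts"  # only Contacts may synchronize
            # Require explicit values so the result never depends on defaults.
            if p.get(f"Enable{dt}") is not want:
                findings.append(f"Enable{dt} is not explicitly {want}")
            if p.get(f"Enable{dt}UserOverridable") is not False:
                findings.append(f"user can change {dt} sync")
    return findings

def build_profile(**overrides):
    """Build a constructed sample profile; overrides weaken chosen keys."""
    eas = {"PayloadType": EAS_TYPE, "Host": "mail.example.com", "OAuth": True}
    for dt in DATA_TYPES:
        eas[f"Enable{dt}"] = dt == "Contacts"
        eas[f"Enable{dt}UserOverridable"] = False
    eas.update(overrides)
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [eas]})

if __name__ == "__main__":
    weak = build_profile(OAuth=False, EnableMail=True,
                         EnableContactsUserOverridable=True)
    for label, data in (("contacts-only", build_profile()), ("weak", weak)):
        print(label, audit_eas_profile(data) or "OK")
```

A key that is missing from the payload is reported as a finding rather than trusted to its default.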
Deploy the Outlook ACP
Using the general instructions in Deploying Outlook for iOS and Android app configuration settings, configure and deploy an Outlook managed apps App Configuration Policy to your enrolled user base that (at a minimum) disables Save Contacts and prevents the user from enabling the setting:
Note: A managed apps ACP requires the assigned users to have an App Protection Policy. For more information on recommended approaches to deploying Outlook general app configuration, see http://aka.ms/omappconfig.
With the above changes, Contacts for the user’s account synchronize into the native iOS Contacts app via the managed EAS profile. As these changes are driven by IT, end users do not need to take any action other than entering their credentials for the managed EAS profile.
What are the benefits of this approach?
What are the limitations and/or things to think through with this approach?
We believe that for the vast majority of organizations, the recommendations we’ve outlined in the Ignite 2019 session, Outlook mobile: The gold standard for secure communications in the enterprise, and in our Outlook mobile security in the enterprise whitepaper provide IT and users with a viable and secure contact management solution. This includes:
With any solution you need to balance your security requirements with end user productivity. We recognize the need for this flexibility, so we hope you find the above scenario useful.
Ross Smith IV
Principal Program Manager
Customer Experience Engineering