First published on TechNet on Apr 17, 2018
Updated on 1/15/19 - the blog post has also been updated and the new settings have gone into the portal as described here: https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Use-Intune-custom-profile.... Please refer to this post for the latest information.
Updated on 12/10/18 - Resolved! See the new post: https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Use-Intune-custom-profile....
Updated 8/15/18: Added an additional scenario in Step 5 after a recent case.
We’ve received a few customer calls about iOS 11.3 and contact data. With iOS 11.3, Apple introduced a new security feature that changed the way mobile device management (MDM) works with the native contacts app. Apple now prevents contacts in managed accounts from being used in unmanaged apps/accounts. This new security feature changes how MDM providers (not just Intune, EAS, or MDM for Office 365, but all MDM providers) integrate with the native contacts app in iOS 11.3.
If accessing contacts between apps such as WhatsApp and Outlook are important to you, you may want to ask end users to not upgrade to 11.3, or if you use Intune, we’re sharing a workaround you can use below. Our engineering teams are actively investigating this new feature and we’ll keep this post updated as we learn more.
Note that Intune customers will only see this if you’ve set an iOS device restriction policy “Viewing corporate documents in unmanaged apps.” When this policy is enabled, contacts will not be accessible by unmanaged apps.
Here’s what we’ve had reported and found in our own testing on MDM-managed devices updated to iOS 11.3:
The following steps can be followed to configure policies in Intune to make this scenario work:
4. Select the policy and more information will open. Under Manage Properties check what settings are configured in the Device restrictions for iOS App Store, Doc Viewing, Gaming category.
5. "Viewing corporate documents in unmanaged apps” or "Viewing non-corporate documents in corporate apps" set to Block will prevent Contact Sync from working.
Alternatively, if you still want to block unmanaged apps data transfer, you can still do so through an applicable Intune App Protection policy setting.
Known Issue with App Protection Policies and Mobile Device Management
We do have one known issue that we’re currently working on a fix for, but the scenario is quite specific. For devices that received App Protection Policies settings that were configured in Intune Classic console (the Silverlight console) and deployed through Mobile Device Management, the existing workaround steps will leave Org data in an unprotected state. This will affect users that enrolled prior to migration to Intune in the Azure console.
There are two options, for customers in this situation and please know we are actively working on other options:
Mobile Device Management
- Added new configuration settings for device management. For details of the new settings, see the Configuration Profile Reference and the MDM Protocol Reference.
- Prevent unmanaged apps from accessing contacts in managed accounts.
Again, we’ll update this post after investigation is completed into this new feature.
4/27 - Blog post temporarily removed pending investigation into a customer's case.
4/30 - Updated with a known issue after investigation.
5/29 - Minor re-wording to clarify the solution steps.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.