iOS Device Restriction Settings - Enable Outlook to save managed contacts to device

%3CLINGO-SUB%20id%3D%22lingo-sub-334126%22%20slang%3D%22en-US%22%3EiOS%20Device%20Restriction%20Settings%20-%20Enable%20Outlook%20to%20save%20managed%20contacts%20to%20device%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-334126%22%20slang%3D%22en-US%22%3E%3CP%20class%3D%22s90z9tc-10%20fHRkcP%22%3EHello%20guys%2C%3C%2FP%3E%3CP%20class%3D%22s90z9tc-10%20fHRkcP%22%3EI%20am%20struggling%20with%20a%20specific%20use-case%3A%20I%20would%20like%20to%20allow%20users%20to%20save%20Outlook%20contacts%20(company%20email%20%3D%3D%20company%20contacts)%20to%20the%20native%20iOS%20contacts%20app.%20Outlook%20is%20a%20managed%20app%20and%20is%20available%20to%20all%20users.%3C%2FP%3E%3CP%20class%3D%22s90z9tc-10%20fHRkcP%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22s90z9tc-10%20fHRkcP%22%3ENow%20I%20am%20not%20quite%20sure%20based%20on%20the%3CSPAN%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FIntune-Customer-Success%2FSupport-Tip-Use-Intune-custom-profile-settings-with-the-iOS%2Fba-p%2F298453%22%20target%3D%22_self%22%3Erecent%20blog%3C%2FA%3E%26nbsp%3B%3C%2FSPAN%3Eand%20the%3CSPAN%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fdevice-restrictions-ios%23app-store-doc-viewing-gaming%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Eofficial%20documentation%3C%2FA%3E%26nbsp%3B%3C%2FSPAN%3Ehow%20to%20configure%20it%20properly%20without%20allowing%20un-managed%20apps%20(like%20WhatsApp)%20so%20see%20or%20sync%20the%20managed%20contacts%20that%20were%20synced%20from%20Outlook%20to%20the%20native%20contacts%20app.%3C%2FP%3E%3CP%20class%3D%22s90z9tc-10%20fHRkcP%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22s90z9tc-10%20fHRkcP%22%3EEspecially%20the%20official%20documentation%20is%20a%20bit%20confusing.%20On%20the%20setting%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EViewing%20non-corporate%20documents%20in%20corporate%20apps%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eit%20states%20that%20it%20blocks%20%22%3CEM%3Eviewing%20non-corporate%20documents%20in%20unmanaged%20apps%3C%2FEM%3E%22.%20Which%20does%20not%20make%20sense%20from%20my%20point%20of%20view.%20Instead%20it%20should%20be%20%22prevents%20viewing%20corporate%20documents%20in%20unmanaged%20apps%22%20or%20am%20I%20missing%20something%3F%3C%2FP%3E%3CP%20class%3D%22s90z9tc-10%20fHRkcP%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22s90z9tc-10%20fHRkcP%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22s90z9tc-10%20fHRkcP%22%3EJust%20to%20rephrase%20my%20use-case%20and%20what%20I%20want%20to%20achieve%2C%20for%20better%20understanding%3A%3C%2FP%3E%3CP%20class%3D%22s90z9tc-10%20fHRkcP%22%3EI%20want%20to%20log-in%20in%20Outlook%20with%20my%20work%20account%20and%20sync%20my%20business%20contacts%20to%20the%20native%20iOS%20contacts%20app.%20However%2C%20I%20want%20to%20prevent%20unmanaged%20apps%20to%20be%20able%20to%20see%20or%20sync%20the%20business%20contacts.%3C%2FP%3E%3CP%20class%3D%22s90z9tc-10%20fHRkcP%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22s90z9tc-10%20fHRkcP%22%3ECurrently%20I%20have%20the%20device%20restriction%20profile%20configured%20as%20follows%3A%3C%2FP%3E%3CP%20class%3D%22s90z9tc-10%20fHRkcP%22%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22_3Oa0THmZ3f5iZXAQ0hBJ0k%20s4fxb12-0%20hhQITl%22%3E%3CA%20href%3D%22https%3A%2F%2Fi.redd.it%2F9hrib77ikwf21.png%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fi.redd.it%2F9hrib77ikwf21.png%22%20border%3D%220%22%20%2F%3E%3C%2FA%3E%3C%2FDIV%3E%3CP%20class%3D%22s90z9tc-10%20fHRkcP%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22s90z9tc-10%20fHRkcP%22%3EThank%20you%20for%20your%20help!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-334126%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EContact%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Econtacts%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EiOS%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Enative%20app%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2187502%22%20slang%3D%22de-DE%22%3ESubject%3A%20iOS%20Device%20Restriction%20Settings%20-%20Enable%20Outlook%20to%20save%20managed%20contacts%20to%20device%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2187502%22%20slang%3D%22de-DE%22%3E%3CP%3EI%20do%20have%20the%20same%20issue.%20Any%20hints%20on%20that%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2187633%22%20slang%3D%22en-US%22%3ERe%3A%20iOS%20Device%20Restriction%20Settings%20-%20Enable%20Outlook%20to%20save%20managed%20contacts%20to%20device%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2187633%22%20slang%3D%22en-US%22%3E%3CP%3EHello%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F146090%22%20target%3D%22_blank%22%3E%40Labinot%20Jashanica%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20recommend%20take%20a%20closer%20look%20at%20App%20Configuration%20policy%20instead%2C%20there%20is%20a%20long%20section%20about%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Foutlook-for-ios-and-android%2Foutlook-for-ios-and-android-configuration-with-microsoft-intune%23save-contacts%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ESave%20Contacts%3C%2FA%3E%20in%20Microsoft%20docs.%20What%20you%20need%20to%20do%20is%20first%20go%20over%20the%20flowchart%20to%20determine%20which%20type%20of%20policy%20you%20should%20create%20and%20once%20that%20is%20on%20lock%2C%20you%20can%20start%20playing%20around%20with%20the%20App%20configuration%20policy%20(chart%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Foutlook-for-ios-and-android%2Foutlook-for-ios-and-android-configuration-with-microsoft-intune%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Esource%3C%2FA%3E)%20to%20see%20if%20the%20results%20fit%20your%20expectations%20and%20there%20is%20no%20accidental%20leaks.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22acp_flowchart%22%20style%3D%22width%3A%20200px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261164i71E48D134391B089%2Fimage-size%2Fsmall%3Fv%3D1.0%26amp%3Bpx%3D200%22%20role%3D%22button%22%20title%3D%22acp_flowchart%22%20alt%3D%22acp_flowchart%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EThere%20was%20a%20similar%20question%20asked%20just%20recently%20in%20this%20forum%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-intune%2Fios-outook-sync-to-contact-app-protection-from-non-managed-apps%2Fm-p%2F2154337%22%20target%3D%22_self%22%3EiOS%20Outook%20sync%20to%20Contact%20app%2C%20protection%20from%20non%20managed%20apps%3C%2FA%3E%2C%20probably%20a%20good%20idea%20to%20go%20through%20that%20as%20well%2C%20as%20there%20is%20a%20lot%20of%20nuance%20to%20this%20topic.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2187764%22%20slang%3D%22en-US%22%3ERe%3A%20iOS%20Device%20Restriction%20Settings%20-%20Enable%20Outlook%20to%20save%20managed%20contacts%20to%20device%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2187764%22%20slang%3D%22en-US%22%3EHello%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI%20have%20managed%20to%20%22solve%22%20this%20issue.%20At%20the%20end%20of%20the%20day%2C%20I%20decided%20to%20not%20use%20the%20contacts%20that%20are%20being%20synced%20out%20of%20Outlook.%20Instead%20I%20am%20pushing%20an%20E-Mail%20profile%20and%20sync%20contacts%20as%20well%20as%20calendar%20from%20there%20(more%20details%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fconfiguration%2Femail-settings-ios%23exchange-activesync-profile-configuration%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fconfiguration%2Femail-settings-ios%23exchange-activesync-profile-configuration%3C%2FA%3E).%20Please%20note%20that%20OAuth%20must%20be%20enabled%20if%20the%20user%20accounts%20are%20secured%20with%20MFA.%3CBR%20%2F%3E%3CBR%20%2F%3EThen%20I%20used%20the%20app%20protection%20policy%20to%20block%20the%20possibility%20for%20users%20to%20sync%20the%20contacts%20out%20of%20outlook%20by%20setting%20%22Sync%20policy%20managed%20app%20data%20with%20native%20apps%22%20to%20Block.%20(more%20info%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fapps%2Fapp-protection-policy-settings-ios%23functionality%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fapps%2Fapp-protection-policy-settings-ios%23functionality%3C%2FA%3E).%20When%20this%20is%20set%20to%20block%2C%20the%20option%20%22Save%20contacts%22%20within%20the%20Outlook%20settings%20of%20your%20work%20account%20will%20disappear%20all%20together.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20hope%20this%20helps%20anyone%20in%20the%20future.%3CBR%20%2F%3E%3CBR%20%2F%3EBest%20regards%2C%3CBR%20%2F%3ELabinot%3C%2FLINGO-BODY%3E
Occasional Contributor

Hello guys,

I am struggling with a specific use-case: I would like to allow users to save Outlook contacts (company email == company contacts) to the native iOS contacts app. Outlook is a managed app and is available to all users.

 

Now I am not quite sure based on the recent blog and the official documentation how to configure it properly without allowing un-managed apps (like WhatsApp) so see or sync the managed contacts that were synced from Outlook to the native contacts app.

 

Especially the official documentation is a bit confusing. On the setting Viewing non-corporate documents in corporate apps it states that it blocks "viewing non-corporate documents in unmanaged apps". Which does not make sense from my point of view. Instead it should be "prevents viewing corporate documents in unmanaged apps" or am I missing something?

 

 

Just to rephrase my use-case and what I want to achieve, for better understanding:

I want to log-in in Outlook with my work account and sync my business contacts to the native iOS contacts app. However, I want to prevent unmanaged apps to be able to see or sync the business contacts.

 

Currently I have the device restriction profile configured as follows:

 

 

Thank you for your help!

5 Replies

I do have the same issue. Any hints on that?

Hello @Labinot Jashanica 

 

I recommend to take a closer look at App Configuration policy instead, there is a long section about Save Contacts in Microsoft docs. What you need to do is first go over the flowchart to determine which type of policy you should create and once that is on lock, you can start playing around with the App configuration policy (chart source) to see if the results fit your expectations and there is no accidental leaks. 

acp_flowchart

There was a similar question asked just recently in this forum iOS Outook sync to Contact app, protection from non managed apps, probably a good idea to go through that as well, as there is a lot of nuance to this topic.

 

Hello,

I have managed to "solve" this issue. At the end of the day, I decided to not use the contacts that are being synced out of Outlook. Instead I am pushing an E-Mail profile and sync contacts as well as calendar from there (more details here: https://docs.microsoft.com/en-us/mem/intune/configuration/email-settings-ios#exchange-activesync-pro...). Please note that OAuth must be enabled if the user accounts are secured with MFA.

Then I used the app protection policy to block the possibility for users to sync the contacts out of outlook by setting "Sync policy managed app data with native apps" to Block. (more info here: https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios#functionality). When this is set to block, the option "Save contacts" within the Outlook settings of your work account will disappear all together.

I hope this helps anyone in the future.

Best regards,
Labinot

@Labinot Jashanica Thanks for the fast reply.

 

But let me ask another question. If you sync the contacts with an E-Mail profile on the device, isnt whatspp (for example) having also access to these?

 

My aim is to have something similar like a "work profile". When the user is called they should see who is calling but whatsapp/threema or other apps should not be possible to see that information.

 

Do you know what i want to achieve? Is that even possible with InTune?

 

Best regards,

Michael

Hi Michael,

no because the contacts that are being synced from the E-Mail device configuration profile are treated as "company/managed data" whereas the data that is synced from Outlook is not. Hence, the managed data cannot be seen by WhatsApp or other "private" apps if you set "Block viewing corporate documents in unmanaged apps" to Yes in the device configuration profile (https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-ios#app-store-doc-view...).

I would suggest you to just test my mentioned setup. Note that if you push the E-Mail profile, you have to re-enter your work account password once the enrollment of the device is done. Once that is done and you open the iOS Settings a pop-up will come stating that you need to enter the password of your work account. Only then, the mails, calendar and contacts can be synced via iOS Settings > Mail > Accounts.

Best regards,
Labinot