Feb 21 2021 04:47 PM
Hello,
Is it possible to protect synced contacts on an iOS device?
Let's say I have a BYOD iPhone or a company-owned one.
And all my apps like Outlook etc. are managed and have app protection policies assigned.
Is it possible to use the native iOS contacts + calling app without giving other apps like WhatsApp or Facebook access to the contacts which were synced by the company Outlook?
What's the most convenient way to use an iOS device while also protecting company data as well as possible?
Thanks in advance to anyone helping.
Feb 22 2021 03:46 AM
Hello @nirispa
Hmm, I feel like there is no easy way to do this without disabling the whole contact sync with native apps.
With an App Protection policy you can Block the "Sync policy managed app data with native apps" setting, which will keep the company contacts within the Outlook app. That might be pretty inconvenient for most users but will definitely guarantee the contact security.
Referred Docs: iOS/iPadOS app protection policy settings
Another option would be to make a compliance policy for unwanted apps, mark the device as noncompliant, and block access to cloud resources with a Conditional Access policy until the user removes the violating app.
Feb 22 2021 02:02 PM
@Alo Press Hello,
I have found this link which seems to make it work:
How to enable iOS unmanaged apps to read managed contacts & write unmanaged contacts without comprom...
I will try this tomorrow to see if this works and reply back later.
Also this Link is interesting:
iOS 12.1 allows managed contacts to be written from managed apps to native contacts app | Enterprise...
"Great news! With the release of iOS 12.1 Apple created two settings that allow you to control if contacts can be written to the contacts app by managed apps and a setting that allows you to control if unmanaged apps can read the managed contacts accounts."
Do you have any idea if this is true?
Feb 22 2021 10:56 PM - edited Feb 22 2021 10:59 PM
Hi @nirispa
Good find! Not sure, and the wording has changed a little, but I suggest you try a limited-scope profile on your own user to find out. It does sound like it could be what you were looking for.
Check out the MS Docs: iOS/iPadOS device settings in Microsoft Intune - Azure | Microsoft Docs
Block viewing non-corporate documents in corporate apps: Yes prevents viewing non-corporate documents in corporate apps. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow any document to be viewed in corporate managed apps. Yes also prevents contact export synchronization in Outlook for iOS/iPadOS.
For more information on the specific values that can be configured I suggest you take a closer look at this Support Tip: Support Tip: Enabling Outlook iOS/iPadOS Contact Sync with iOS12 MDM Controls.
Feb 24 2021 12:30 AM
@nirispa Hi nirispa, maybe you can take a look at the discussion here: New contact sync scenario available with Outlook for iOS on enrolled devices - Microsoft Tech Commun... It's basically the same requirement, from what I understood in your post.
Regarding your link to iOS 12.1:
The main issue here is that even though you can sync from managed (MEM) Outlook to the contacts app, once the contacts are synced to the contacts app of iOS they are in an unmanaged app, meaning that you can't control any further whether e.g. WhatsApp gets access to them or not.
The second setting just controls whether unmanaged apps can directly access contacts within a managed app like Outlook, which is not very useful for our case IMHO.
Mike
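Added example, not part of any post in this thread: a Python check that reads an exported configuration profile and reports which of the two iOS 12.1 contact settings discussed above leave a path from managed contacts to unmanaged apps. The key names are Apple's restrictions payload keys (the thread does not spell them out), the sample profile is constructed, and the defaults and the "most restrictive wins" merge are assumptions based on Apple's payload reference.

```python
import plistlib

# Constructed sample: one restrictions payload (com.apple.applicationaccess).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>allowOpenFromManagedToUnmanaged</key><false/>
    <key>allowManagedToWriteUnmanagedContacts</key><true/>
    <key>allowUnmanagedToReadManagedContacts</key><false/>
  </dict></array>
</dict></plist>"""

# Assumed values when a key is absent from every payload.
DEFAULTS = {
    "allowOpenFromManagedToUnmanaged": True,
    "allowManagedToWriteUnmanagedContacts": False,
    "allowUnmanagedToReadManagedContacts": False,
}

def contact_exposure(profile_bytes):
    """List the ways managed contacts can reach unmanaged apps."""
    profile = plistlib.loads(profile_bytes)
    seen = {key: [] for key in DEFAULTS}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key in DEFAULTS:
            if key in payload:
                seen[key].append(bool(payload[key]))
    # Assumption: if several payloads set a key, the most restrictive wins.
    eff = {k: all(v) if v else DEFAULTS[k] for k, v in seen.items()}

    if eff["allowOpenFromManagedToUnmanaged"]:
        # The two contact keys have no effect while managed open-in is allowed.
        return ["no managed/unmanaged boundary: managed open-in is allowed"]
    findings = []
    if eff["allowManagedToWriteUnmanagedContacts"]:
        # The case Mike describes: once exported, contacts sit in an
        # unmanaged account that any app with contacts permission can read.
        findings.append("managed apps can write contacts to unmanaged accounts")
    if eff["allowUnmanagedToReadManagedContacts"]:
        findings.append("unmanaged apps can read managed contacts accounts")
    return findings

if __name__ == "__main__":
    for finding in contact_exposure(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

An empty result means the profile blocks managed-to-unmanaged open-in and enables neither contact path.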
Feb 25 2021 04:43 PM