We’ve received a few customer calls about iOS 11.3 and contact data. With iOS 11.3, Apple introduced a new security feature that changed the way mobile device management (MDM) works with the native contacts app. Apple now prevents contacts in managed accounts from being used in unmanaged apps/accounts. This new security feature changes how MDM providers (not just Intune, EAS, or MDM for Office 365, but all MDM providers) integrate with the native contacts app in iOS 11.3.
If accessing contacts between apps such as WhatsApp and Outlook are important to you, you may want to ask end users to not upgrade to 11.3, or if you use Intune, we’re sharing a workaround you can use below. Our engineering teams are actively investigating this new feature and we’ll keep this post updated as we learn more.
Note that Intune customers will only see this if you’ve set an iOS device restriction policy “Viewing corporate documents in unmanaged apps.” When this policy is enabled, contacts will not be accessible by unmanaged apps.
Here’s what we’ve had reported and found in our own testing on MDM-managed devices updated to iOS 11.3:
- End users cannot create or edit contacts from within Outlook on an MDM managed device as Outlook leverages the OS native controls for creating and editing contacts.
- Outlook's Save Contacts feature (exports contacts from Outlook to the native OS contacts app to facilitate caller-id, text messaging, etc.) no longer functions and existing contacts that had been previously exported prior to upgrade of 11.3 are no longer accessible via unmanaged apps.
Here’s an Intune workaround you can enable today while we investigate:
- Login with your Intune service credentials at https://portal.azure.com and head to the Intune blade.
- Select Device Configuration, then Managed Profiles.
- Find your iOS Device Restriction Profile.
4. Select the policy and more information will open. Under Manage Properties check what settings are configured in the Device restrictions for iOS App Store, Doc Viewing, Gaming category.
5. If you have Blocked viewing corporate documents in unmanaged apps, you’ll want to flip that to not configured.
Alternatively, if you still want to block unmanaged apps data transfer, you can still do so through an applicable Intune App Protection policy setting.
- To do this, head to Manage Mobile Apps.
- Select App Protection Policies and create a policy setting. Going this route would ensure that only corporate identities in the approved apps can access corporate data. You can add in apps that support Intune App protection policies or those you choose to exempt.
Additional Information
- This new feature has been discussed on Apple’s forum here: https://discussions.apple.com/thread/8338871.
- The specific release notes for this new feature are posted here: https://developer.apple.com/library/content/releasenotes/General/RN-iOS-11.3/index.html and also cut and paste below from Apple’s site for your awareness.
Mobile Device Management
- Added new configuration settings for device management. For details of the new settings, see the Configuration Profile Reference and the MDM Protocol Reference.
- Prevent unmanaged apps from accessing contacts in managed accounts.
- For more information on configuring Intune App protection head to the documentation here: https://docs.microsoft.com/en-us/intune/app-protection-policy
Again, we’ll update this post after investigation is completed into this new feature.