Updated 8/15/18: Added an additional scenario in Step 5 after a recent case.
We’ve received a few customer calls about iOS 11.3 and contact data. With iOS 11.3, Apple introduced a new security feature that changed the way mobile device management (MDM) works with the native contacts app. Apple now prevents contacts in managed accounts from being used in unmanaged apps/accounts. This new security feature changes how MDM providers (not just Intune, EAS, or MDM for Office 365, but all MDM providers) integrate with the native contacts app in iOS 11.3.
If accessing contacts between apps such as WhatsApp and Outlook is important to you, you may want to ask end users not to upgrade to 11.3, or, if you use Intune, use the workaround we share below. Our engineering teams are actively investigating this new feature and we’ll keep this post updated as we learn more.
Note that Intune customers will only see this if they have set the iOS device restriction setting “Viewing corporate documents in unmanaged apps.” When this setting is set to Block, contacts will not be accessible by unmanaged apps.
Here’s what we’ve had reported and found in our own testing on MDM-managed devices updated to iOS 11.3:
- End users cannot create or edit contacts from within Outlook on an MDM-managed device, because Outlook uses the native OS controls for creating and editing contacts.
- Outlook's Save Contacts feature (which exports contacts from Outlook to the native OS contacts app to enable caller ID, text messaging, etc.) no longer functions, and contacts that were exported prior to the upgrade to 11.3 are no longer accessible by unmanaged apps.
The following steps can be followed to configure policies in Intune to make this scenario work:
1. Sign in with your Intune service credentials at https://portal.azure.com and open the Intune blade.
2. Select Device Configuration, then Managed Profiles.
3. Find your iOS Device Restriction Profile.
4. Select the policy to open its details. Under Manage Properties, check which settings are configured in the Device restrictions for iOS under the App Store, Doc Viewing, Gaming category.
5. "Viewing corporate documents in unmanaged apps” or "Viewing non-corporate documents in corporate apps" set to Block will prevent contact sync from working; leave both settings Not configured if you need contact sync to work.
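Clicking through every profile in the portal does not scale when a tenant has many iOS restriction profiles. The following added example (not code from the original post or from Microsoft) shows the check as a script: it parses the JSON shape that Microsoft Graph returns for GET /deviceManagement/deviceConfigurations and flags every iOS device restriction profile (@odata.type #microsoft.graph.iosGeneralDeviceConfiguration) where either of the two settings above is set to Block. The Graph property names documentsInManagedAppsFromUnmanagedAppsBlocked and documentsInUnmanagedAppsFromManagedAppsBlocked correspond to the two portal settings; the response body in the script is constructed sample data, not a real tenant export, and fetching the live response (with an Intune administrator token) is left to the caller.

```python
"""Audit Intune iOS device restriction profiles for the two settings that
break native contact sync on iOS 11.3 when set to Block.

Added example, not from the original post. Parses the JSON shape returned by
Microsoft Graph for GET /deviceManagement/deviceConfigurations. The sample
response below is constructed for illustration, not real tenant data.
"""
import json

# Graph property name -> portal label. True in Graph == "Block" in the portal.
# Either one set to Block stops contacts flowing between the managed Outlook
# account and the native contacts app on iOS 11.3.
CONTACT_BLOCKING_SETTINGS = {
    "documentsInManagedAppsFromUnmanagedAppsBlocked":
        "Viewing corporate documents in unmanaged apps",
    "documentsInUnmanagedAppsFromManagedAppsBlocked":
        "Viewing non-corporate documents in corporate apps",
}

IOS_RESTRICTION_TYPE = "#microsoft.graph.iosGeneralDeviceConfiguration"

# Constructed sample of a Graph response body, trimmed to the fields this
# check needs. Profile names and ids are made up.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "@odata.type": IOS_RESTRICTION_TYPE,
            "id": "00000000-0000-0000-0000-000000000001",
            "displayName": "iOS - Corporate restrictions",
            "documentsInManagedAppsFromUnmanagedAppsBlocked": True,
            "documentsInUnmanagedAppsFromManagedAppsBlocked": False,
        },
        {
            "@odata.type": IOS_RESTRICTION_TYPE,
            "id": "00000000-0000-0000-0000-000000000002",
            "displayName": "iOS - Kiosk tablets",
            "documentsInManagedAppsFromUnmanagedAppsBlocked": False,
            "documentsInUnmanagedAppsFromManagedAppsBlocked": False,
        },
        {
            # Android profiles carry different settings and are skipped.
            "@odata.type": "#microsoft.graph.androidGeneralDeviceConfiguration",
            "id": "00000000-0000-0000-0000-000000000003",
            "displayName": "Android - Corporate restrictions",
        },
    ]
})


def find_contact_blocking_profiles(response_json):
    """Return [(displayName, [portal labels set to Block])] for each iOS
    device restriction profile that will break contact sync on iOS 11.3.

    Non-iOS profiles are ignored. An iOS profile whose both settings are
    False or absent (Not configured / Allow in the portal) is not reported.
    """
    findings = []
    for profile in json.loads(response_json).get("value", []):
        if profile.get("@odata.type") != IOS_RESTRICTION_TYPE:
            continue
        blocked = [label for key, label in CONTACT_BLOCKING_SETTINGS.items()
                   if profile.get(key) is True]
        if blocked:
            findings.append((profile["displayName"], blocked))
    return findings


if __name__ == "__main__":
    for name, settings in find_contact_blocking_profiles(SAMPLE_RESPONSE):
        print(f"{name}: contact sync blocked by {', '.join(settings)}")
```

To run it against a real tenant, replace SAMPLE_RESPONSE with the body of the Graph call (the endpoint pages its results, so follow @odata.nextLink until it is absent) and review each reported profile before deciding whether to relax the setting or move the control into an App Protection policy instead.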
Alternatively, if you still want to block data transfer to unmanaged apps, you can do so through an applicable Intune App Protection policy:
- To do this, head to Manage Mobile Apps.
- Select App Protection Policies and create a policy. Going this route ensures that only corporate identities in the approved apps can access corporate data. You can add apps that support Intune App Protection policies, or exempt the ones you choose.
Known Issue with App Protection Policies and Mobile Device Management
We do have one known issue that we’re currently working on a fix for, but the scenario is quite specific. For devices that received App Protection Policy settings configured in the Intune Classic console (the Silverlight console) and deployed through Mobile Device Management, the workaround steps above leave Org data in an unprotected state. This affects users who enrolled prior to the migration to Intune in the Azure portal.
There are two options for customers in this situation; please know we are actively working on other options:
- End users unenroll and re-enroll with Microsoft Intune. This resets the APP state pushed through MDM and lets the workaround steps above continue to protect Org data.
- Wait for a product update from Microsoft. This will take the form of an Intune APP SDK for iOS update and application updates released with the updated SDK. The Intune APP SDK update is planned for release in Q2 2018. We will update this post when the SDK is released; note that it will take longer for the apps to adopt the new SDK.
- This new feature has been discussed on Apple’s forum here: https://discussions.apple.com/thread/8338871.
- The release notes for this new feature are posted here: https://developer.apple.com/library/content/releasenotes/General/RN-iOS-11.3/index.html and are pasted below from Apple’s site for your awareness.
Mobile Device Management
- Added new configuration settings for device management. For details of the new settings, see the Configuration Profile Reference and the MDM Protocol Reference.
- Prevent unmanaged apps from accessing contacts in managed accounts.
- For more information on configuring Intune App protection head to the documentation here: https://docs.microsoft.com/en-us/intune/app-protection-policy
Again, we’ll update this post after investigation is completed into this new feature.
4/27 - Blog post temporarily removed pending investigation into a customer's case.
4/30 - Updated with a known issue after investigation.
5/29 - Minor re-wording to clarify the solution steps.