Since iOS 11.3 we have had an issue when using Intune MDM together with Outlook managed via App Protection Policies (MAM). In this scenario the Outlook app was not allowed to write contacts to the native iOS Contacts app, because the data was considered corporate data when the "Viewing corporate documents in unmanaged apps" setting was set to block.
The reason for this is the stricter separation of corporate and private data in iOS 11.3 due to GDPR: contacts are considered corporate data. Lots of customers were suffering from this issue.
Great news! With the release of iOS 12.1 Apple created two settings: one that allows you to control whether managed apps can write contacts to the Contacts app, and one that allows you to control whether unmanaged apps can read the managed contacts accounts.
So from now on, if you have the "Viewing corporate documents in unmanaged apps" setting configured to block, you can also allow managed apps to write contacts to the unmanaged part of the Contacts app.
According to the Intune Support Team on Twitter (good one to follow!), the "supervised only" requirement is a UI bug.
When you deploy this to your MDM-managed iOS devices, you will see the contacts exported again. You might want to disable and re-enable the sync in Outlook to trigger it.
If you look in the management profile you will see the policy listed.
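One way to verify what the installed profile actually enforces, as an added example that is not part of the original post: the script below parses a restrictions payload and reports the effective contact behaviour. The key names are Apple's restrictions payload keys (`com.apple.applicationaccess`) that correspond to the three Intune settings; the sample profile is constructed, and a single restrictions payload per profile is assumed.

```python
import plistlib

# Constructed sample: a restrictions payload as it could appear in an
# exported configuration profile (not taken from the original post).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>allowOpenFromManagedToUnmanaged</key><false/>
    <key>allowManagedToWriteUnmanagedContacts</key><true/>
  </dict></array>
</dict></plist>"""

# Apple's documented defaults when a key is absent from the payload.
DEFAULTS = {
    "allowOpenFromManagedToUnmanaged": True,
    "allowManagedToWriteUnmanagedContacts": False,
    "allowUnmanagedToReadManagedContacts": False,
}

def contact_posture(profile_bytes):
    """Return the effective contact-related behaviour of a profile."""
    profile = plistlib.loads(profile_bytes)
    effective = dict(DEFAULTS)
    # Assumption: the profile carries one restrictions payload.
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key in DEFAULTS:
            if key in payload:
                effective[key] = bool(payload[key])
    open_in_blocked = not effective["allowOpenFromManagedToUnmanaged"]
    return {
        "open_in_blocked": open_in_blocked,
        # Both contact keys have no effect unless managed open-in is blocked.
        "managed_apps_can_export_contacts": (not open_in_blocked)
            or effective["allowManagedToWriteUnmanagedContacts"],
        "unmanaged_apps_read_managed_contacts": (not open_in_blocked)
            or effective["allowUnmanagedToReadManagedContacts"],
    }

if __name__ == "__main__":
    for name, value in contact_posture(SAMPLE_PROFILE).items():
        print(f"{name}: {value}")
```

A profile where `managed_apps_can_export_contacts` is false while `open_in_blocked` is true reproduces the iOS 11.3 behaviour described above.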
Till next time.
Read also my blog on Search Mobile Computing about Outlook and App Protection here.
I heard about the managed or unmanaged apps, but I really don’t know what an unmanaged contact account is.
Can you please clear my doubt?
Dear Peter,
as I am having issues with the described features (iPhone w. iOS 12.4) and INTUNE I searched the Internet and found your post. My demand is to split private from corporate contacts in order to grant users installing private communication apps (e.g. WhatsApp). The private apps must not be allowed to access corporate contacts stored in the iPhone built-in contact app. Anyway corporate contacts have to be stored in the built-in contact app in order to show clear names at incoming calls.
I was not able to get this running, the settings I tried are:
Viewing corporate documents in unmanaged apps –> BLOCK
Allow managed apps to write contacts to unmanaged contacts accounts –> ALLOW
Allow unmanaged apps to read from managed contacts accounts –> NOT Configured
I would be grateful if you might give me a hint on this. In the Microsoft blog from Ross Smith I found an article which I understood to the direction that the scenario I am looking for is not available. If this would be true I fear that I did get something wrong on the above options.
Anyway thanks for giving some explanation in your blog.
A hint would be highly appreciated.
Best regards
Sven
Hello Peter,
are the contacts then also protected from unmanaged apps like WhatsApp, Facebook etc.?
If yes, is there a specific setting or are the contacts protected by default when enabling “Allow managed apps to write contacts to unmanaged contacts accounts”?