fighting for truth, justice, and a kick-butt lotus notes experience.

iOS 11.3 Contact Containerization - It simply works

 März 5 2018 04:54:11 PM
Last month I published a blog post regarding the new iOS 11.3 Enterprise features. I received a few questions regarding the Contact Containerization:

Second new feature: Contact Containerization

Prevent contacts in managed accounts, like your IBM Traveler mail account, from being used in unmanaged apps like WhatsApp or other accounts.
Contacts now obey existing managed data restrictions.

That will be a huge improvement. Contacts will then finally be part of the managed / unmanaged definition and handling on the device.
You can use the native Apple Mail, Calendar and Contacts app and the unmanaged WhatsApp App for example will not be able to get access to your synced contacts via your managed ActiveSync (Traveler or Exchange) account.


There is no new iOS 11.3 restriction for Contacts in the Configuration Documentation from Apple mentioned. But starting with iOS 11.3 the Contacts will be part of the already existing Managed-Open-In restriction.
As a result you should already be able to test it by your own by using your existing MDM solution and a device already upgraded to iOS 11.3 Beta.

Image:iOS 11.3 Contact Containerization - It simply works

I made same tests this week with the current iOS 11.3 BETA and it works great. I did the tests with our own MDM solution mobile.profiler v7.0, which we released in October 2017.

I installed a managed ActiveSync mail account via MDM. The mail account had only 2 contact entries.

I used the myContacts Backup third party app for testing. When starting the app for the first time, it asks for permissions to access the contacts stored in the Apple native Contacts app.

During the test I installed the app first manually and opened the app. Without any restrictions enforced by the MDM the third party app can access my two contact entries from my ActiveSync account:

Image:iOS 11.3 Contact Containerization - It simply works


Then I pushed a set of restrictions via MDM to the device and enabled the Managed-Open-In control of iOS:

Image:iOS 11.3 Contact Containerization - It simply works

As a result the third party app no longer could access the contacts of my managed ActiveSync account.

After that I deleted the app on the device and pushed & installed the app via MDM as managed.

Image:iOS 11.3 Contact Containerization - It simply works
As a result the now managed third party app can access the contacts of my ActiveSync account.

To sum it up briefly:

With iOS 11.3, Apple finally offers the possibility to control access to contacts of company mail accounts using the native Apple Mail App via Managed Open-In restrictions.

In this way, the native iOS MDM interface can be used, for example, to prevent WhatsApp from accessing the company contacts of the managed ActiveSync account.
Kommentare

1Dominic  07/10/2019 5:13:23 PM  iOS 11.3 Contact Containerization - It simply works

We are struggling to get the IBM Verse Contacts out of the IBM Verse App into the apple contacts managed space. It only works for Exchange Active Sync yet, but we wonder if we could make that happen only using IBM Verse.

Because we have a policy active, that prevents unmanaged apps (like whatsapp) to access contacts of managed apps (like IBM Verse) the sync will also not happen from IBM Verse to apple contacts. Only If we would allow this kind of sync, the IBM Verse contacts will be synced into the apple contacts app (but also mixed up with the private area somehow...)

Any guesses?

  •  
  • Hinweis zum Datenschutz und Datennutzung:
    Bitte lesen Sie unseren Hinweis zum Datenschutz bevor Sie hier einen Kommentar erstellen.
    Zur Erstellung eines Kommentar werden folgende Daten benötigt:
    - Name
    - Mailadresse
    Der Name kann auch ein Nickname/Pseudonym sein und wird hier auf diesem Blog zu Ihrem Kommentar angezeigt. Die Email-Adresse dient im Fall einer inhaltlichen Unklarheit Ihres Kommentars für persönliche Rückfragen durch mich, Detlev Pöttgen.
    Sowohl Ihr Name als auch Ihre Mailadresse werden nicht für andere Zwecke (Stichwort: Werbung) verwendet und auch nicht an Dritte übermittelt.
    Ihr Kommentar inkl. Ihrer übermittelten Kontaktdaten kann jederzeit auf Ihren Wunsch hin wieder gelöscht werden. Senden Sie in diesem Fall bitte eine Mail an blog(a)poettgen(punkt)eu

  • Note on data protection and data usage:
    Please read our Notes on Data Protection before posting a comment here.
    The following data is required to create a comment:
    - Name
    - Mail address
    The name can also be a nickname/pseudonym and will be displayed here on this blog with your comment. The email address will be used for personal questions by me, Detlev Pöttgen, in the event that the content of your comment is unclear.
    Neither your name nor your e-mail address will be used for any other purposes (like advertising) and will not be passed on to third parties.
    Your comment including your transmitted contact data can be deleted at any time on your request. In this case please send an email to blog(a)poettgen(dot)eu

Archive