fighting for truth, justice, and a kick-butt lotus notes experience.

iOS 11.3 Contact Containerization - It simply works

 März 5 2018 04:54:11 PM
Last month I published a blog post regarding the new iOS 11.3 Enterprise features. I received a few questions regarding the Contact Containerization:

Second new feature: Contact Containerization

Prevent contacts in managed accounts, like your IBM Traveler mail account, from being used in unmanaged apps like WhatsApp or other accounts.
Contacts now obey existing managed data restrictions.

That will be a huge improvement. Contacts will then finally be part of the managed / unmanaged definition and handling on the device.
You can use the native Apple Mail, Calendar and Contacts app and the unmanaged WhatsApp App for example will not be able to get access to your synced contacts via your managed ActiveSync (Traveler or Exchange) account.

There is no new iOS 11.3 restriction for Contacts in the Configuration Documentation from Apple mentioned. But starting with iOS 11.3 the Contacts will be part of the already existing Managed-Open-In restriction.
As a result you should already be able to test it by your own by using your existing MDM solution and a device already upgraded to iOS 11.3 Beta.

Image:iOS 11.3 Contact Containerization - It simply works

I made same tests this week with the current iOS 11.3 BETA and it works great. I did the tests with our own MDM solution mobile.profiler v7.0, which we released in October 2017.

I installed a managed ActiveSync mail account via MDM. The mail account had only 2 contact entries.

I used the myContacts Backup third party app for testing. When starting the app for the first time, it asks for permissions to access the contacts stored in the Apple native Contacts app.

During the test I installed the app first manually and opened the app. Without any restrictions enforced by the MDM the third party app can access my two contact entries from my ActiveSync account:

Image:iOS 11.3 Contact Containerization - It simply works

Then I pushed a set of restrictions via MDM to the device and enabled the Managed-Open-In control of iOS:

Image:iOS 11.3 Contact Containerization - It simply works

As a result the third party app no longer could access the contacts of my managed ActiveSync account.

After that I deleted the app on the device and pushed & installed the app via MDM as managed.

Image:iOS 11.3 Contact Containerization - It simply works
As a result the now managed third party app can access the contacts of my ActiveSync account.

To sum it up briefly:

With iOS 11.3, Apple finally offers the possibility to control access to contacts of company mail accounts using the native Apple Mail App via Managed Open-In restrictions.

In this way, the native iOS MDM interface can be used, for example, to prevent WhatsApp from accessing the company contacts of the managed ActiveSync account.