After companies apply Mobile Application Management (MAM) / App Protection Policies to their employees’ mobile devices and force them to use the Managed Outlook app instead of the native mail application, two of the most frequently asked questions are “how can I see who’s calling me?” and “where are my contacts? I don’t see them in my native contacts app”. This has everything to do with the fact that contacts are now in an “isolated/secured app container” and are not accessible by other non-managed / unsecured applications.
Within an App Protection policy you can Allow contact sync with the native contacts application so users can see who’s calling again, but it’s still a manual step the end user has to do. Most of the time, the end user will call the support desk for it, which causes quite a load on that department after such an implementation.
Sometimes companies are also worried about syncing contacts from the Managed Outlook application to the native unsecured Contacts application, partly because they are afraid of data leaks and partly because other non-managed applications can access the contacts that are synced to the native unsecured Contacts application.
Fortunately, with a separate App Config policy, you can force Contact Sync for the end user, so users don’t have to call the support desk anymore, and you can limit the Contact fields that may be synchronized to the native Contacts application, for example allowing only name and phone number and blocking all other information from syncing. This limits the possible damage in case of a data leak while keeping it workable for the end user.
The good news is that you can apply this policy even to devices that you are not managing with an MDM profile. This works on a BYOD device with only an MAM profile as well.
I will show you step-by-step in this blog post how to configure this App Config policy, and I will also show you the end user experience.
Before we start I will tell you something about my environment and how I will test the results. For this blog/demo I have created a new test user that will configure Microsoft Outlook on his iPad for the first time. This iPad is NOT under management of Microsoft Endpoint Manager. In the Microsoft Endpoint Manager environment, an App protection policy is created as shown in the below screenshot.
In this App Protection policy Sync app with native contacts app is set to Allow. This policy is assigned to the new test user.
I have logged in to the Outlook web interface with this test user and created a new Contact. Note that I have also filled in the Company name, Business address and Notes fields.
Create the App Configuration Policy
For the next steps, log in to the Microsoft Endpoint Manager admin center.
Navigate to Apps > App configuration policies
Click the + Add button and choose Managed apps (for applying this policy on unmanaged / BYOD devices)
Give the App configuration policy a Name and click on + Select public apps. Search for Outlook. In this case I will add Outlook for both iOS/iPadOS and Android devices. Click Select
Click on Outlook configuration settings so all the Outlook configuration options become visible.
If you set Save Contacts to Yes, contact syncing will automatically be enabled on the end user’s device. You can also set Allow user to change setting if you want to give the end user the possibility to turn it off again.
If you scroll down to the Sync contact fields to native contact app configuration, you can specify which fields may be synced to the native contacts application. For this blog/demo I set everything to No, except the related Name fields.
I also allow all related Phone Number fields. Click Next
Assign this policy to a group of users and click Next
As the final step, click Create
Test the result
Let’s test the results on an iPad device with these policies applied.
As you can see, there are no contacts in the native Contacts application at this moment
When the user starts the Microsoft Outlook app for the first time and configures his/her Office 365 mail account, the App Protection policies are applied. Tap OK
Set or enter the App PIN
Now you see that the App Configuration policy is applied and that Contacts Sync will be enabled. Therefore Microsoft Outlook needs permission to access the Contacts. Tap OK
Tap Turn On (if you want to)
After that you see in the Native Contacts application that the Contacts are synced, but only with the Contacts Fields that were allowed by the policy. All Company information, Email address and Notes are not available.
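Besides checking on a device, the field restrictions can be verified from an export of the policy. The script below is an added example, not part of the original post: it audits a policy's settings and reports any contact field other than name and phone that can still sync. It assumes the export lists settings as name/value pairs under customSettings and uses the key names from Microsoft's Outlook mobile app configuration documentation; verify both against your own tenant's export.

```python
import json

# Key names as given in Microsoft's Outlook mobile app configuration docs
# (an assumption here, they do not appear in this post).
SYNC_KEY = "com.microsoft.outlook.Contacts.LocalSyncEnabled"
FIELD_KEY = "com.microsoft.outlook.ContactSync.{}Allowed"
# Fields this post blocks; name and phone fields are left free to sync.
MUST_BLOCK = ["Address", "Birthday", "Company", "Department", "Email",
              "InstantMessage", "JobTitle", "Notes"]

# Constructed sample policy export: Company left on, Notes never configured.
SAMPLE = json.loads("""
{"displayName": "Outlook contact sync (constructed sample)",
 "customSettings": [
  {"name": "com.microsoft.outlook.Contacts.LocalSyncEnabled", "value": "true"},
  {"name": "com.microsoft.outlook.ContactSync.PhoneMobileAllowed", "value": "true"},
  {"name": "com.microsoft.outlook.ContactSync.AddressAllowed", "value": "false"},
  {"name": "com.microsoft.outlook.ContactSync.BirthdayAllowed", "value": "false"},
  {"name": "com.microsoft.outlook.ContactSync.CompanyAllowed", "value": "true"},
  {"name": "com.microsoft.outlook.ContactSync.DepartmentAllowed", "value": "false"},
  {"name": "com.microsoft.outlook.ContactSync.EmailAllowed", "value": "false"},
  {"name": "com.microsoft.outlook.ContactSync.InstantMessageAllowed", "value": "false"},
  {"name": "com.microsoft.outlook.ContactSync.JobTitleAllowed", "value": "false"}
 ]}
""")

def audit(policy):
    """Return findings for settings that let more than name/phone sync."""
    settings = {s["name"]: str(s["value"]).strip().lower()
                for s in policy.get("customSettings", [])}
    findings = []
    if settings.get(SYNC_KEY) != "true":
        findings.append("Contact sync is not forced on")
    for field in MUST_BLOCK:
        value = settings.get(FIELD_KEY.format(field))
        if value is None:
            # A missing key is reported: the field then follows the app default.
            findings.append(f"{field}: not set, app default applies")
        elif value != "false":
            findings.append(f"{field}: allowed to sync")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result means contact sync is forced on and every field in MUST_BLOCK is explicitly blocked.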