Many apps, such as social media and email apps, want access to your iOS contacts. If the device is used for business and also has the company's contacts synced into the contact list, this easily becomes a data security issue. From a data security point of view, for instance because of the EU's GDPR (General Data Protection Regulation), companies should not reveal any business data to external parties, such as these apps.
The visibility of the iOS contact list to both managed and unmanaged apps has been a dilemma for some time, but luckily since the release of iOS 11.3 there has been a way to manage this. In iOS 11.3, Apple released a new feature that allows mobile device management (MDM) products such as Miradore Online to block unmanaged apps from accessing the contacts in managed accounts:
See iOS 11.3 release notes: https://developer.apple.com/library/archive/releasenotes/General/RN-iOS-11.3/index.html
How to restrict unmanaged apps' access to a managed account's contacts
Example setup before restrictions:
- iOS 11.4.1 device managed with Miradore Online
- Email account deployed using "Mail for Exchange" configuration profile
- The local Contacts app has 4 contacts: two from the managed email account (Microsoft Exchange), one from a Gmail account and one stored locally.
The Contacts app lists the following contacts:
To test an unmanaged app's access to contacts, I simply installed an app that requires access to contacts. In this case I used a free app called "My Contacts Backup".
Before any restrictions are in place, the app reports that it can see all four contacts:
- I created a new Restrictions configuration profile in my Miradore Online site:
- The only two settings I configured inside this configuration profile, under the Security and privacy section, were:
Deny documents from managed sources in unmanaged destination
Deny documents from unmanaged sources in managed destination
You can see them marked in this screenshot:
- I deployed the configuration profile to my test device and opened the test app again. Now it can see only two of the contacts, so access to the contacts under the managed Mail for Exchange email account has been blocked.
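To confirm that a deployed Restrictions profile really enforces both settings, the check below parses a configuration profile and reports each one. It is an added example, not Miradore's own code. It assumes the two settings above correspond to Apple's restriction keys `allowOpenFromManagedToUnmanaged` and `allowOpenFromUnmanagedToManaged` in a `com.apple.applicationaccess` payload, and that the profile is an unsigned plist; the sample profile and its identifiers are constructed.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"
# Assumed mapping of the two Miradore settings to Apple's restriction keys.
# Both keys default to true (allowed) when absent, so a missing key means
# the restriction is NOT enforced.
REQUIRED_FALSE = (
    "allowOpenFromManagedToUnmanaged",
    "allowOpenFromUnmanagedToManaged",
)


def audit_profile(data: bytes) -> dict:
    """Return {key: enforced?} over all Restrictions payloads in a profile."""
    profile = plistlib.loads(data)
    enforced = {key: False for key in REQUIRED_FALSE}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue  # e.g. the Exchange account payload
        for key in REQUIRED_FALSE:
            # Only an explicit boolean false turns the restriction on.
            if payload.get(key, True) is False:
                enforced[key] = True
    return enforced


def build_sample(settings: dict) -> bytes:
    """Build a constructed sample profile; all identifiers are placeholders."""
    payload = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.restrictions",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        **settings,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    sample = build_sample({"allowOpenFromManagedToUnmanaged": False})
    for key, ok in audit_profile(sample).items():
        print(f"{key}: {'enforced' if ok else 'NOT enforced'}")
```

A key reported as not enforced means the corresponding setting was left unset or allowed in that profile.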