I had a week of customer meetings, each (literally!) asking the same question: “How can I prevent WhatsApp from grabbing the corporate contacts on my device?” This happens more often than you think – the infamous GetContact collected over 3.5B contacts in just a few months, all of which were officially available for sale! With GDPR in effect, how much could this cost?
Of course, both iOS and Android offer means to securely lock down enterprise data on BYOD devices. But this comes at a price in usability, the most cited problem being caller ID. We know that in the modern day an unhappy and discomforted user is essentially a backdoor waiting to happen. How can we keep the balance between security and productivity?
In this series of posts we will explore the options of deploying corporate email/contacts/calendars with the goal of maximal work/personal contact separation, while trying to minimally impair the user experience (such as the Caller ID).
We will explore several approaches and their limitations and shortcomings for iOS and Android. This post lays the foundations and provides a TL;DR-style summary/comparison of my current findings.
Table of contents:
- [This post] Introduction, common principles, comparison/summary
- Android Work Profile
- Bonus: In-depth on Allow work contacts in personal contacts app
- Fully containerized iOS with Boxer
- Bonus: iOS managed contacts with EAS profile (iOS 11.3+)
How can we have both secure contacts and caller ID?
Since the two OSes use different terminology, let’s set the terms now:
- Private = personal = unmanaged = user space
- Work = enterprise = managed = work space
As said before, if the goal is just to secure those managed contacts, we can always use a dedicated managed email app. This app will be containerized and totally inaccessible from the user’s private space, including the address book. But if the contacts are not in the address book, how will caller ID work?
The older solution was to export “limited” contacts to the device’s address book: names and numbers only, just for caller ID. But can we really call this protection?
Fortunately, recent generations of iOS and Android allow us to achieve the goal, albeit in different ways. All we need is a combination of a capable EMM and a capable email client.
I will use VMware Workspace ONE UEM (ex AirWatch) and VMware Boxer. Other EMM solutions and email clients might also work. These two, however, come from the same vendor and are developed in sync = less maintenance and more convenience due to direct integration in the UEM console.
Plan of action:
- Ensure basic personal/work separation and containerization
- Deploy the Boxer app and explore the options that affect separation/integration
- Install a 3rd-party app and see whether it can leak the work contacts
- Check that caller ID still works
Both iOS and Android offer secure enterprise email and contacts without having to compromise on the convenience of caller ID (provided you have a capable EMM and mail client). Both achieve full separation of work and private data while retaining caller ID.
iOS pros, cons and notes:
- + CallKit allows an app to provide caller ID without ANY contacts integration, and iOS even shows which app provided the identification.
- – CallKit caller ID doesn’t work in notifications for some reason.
- – Manual intervention required, user has more control than admin. Great for BYOD, not good for fully business-oriented devices.
- – More prep work required than Android (separation, manual caller ID activation)
- – Since Apple doesn’t have a clear container boundary (like Android’s Work Profile) things can be confusing. For example, had we deployed an EAS profile, all contacts would have been in the same app, but they would behave differently, confusing the user.
- + CallKit caller ID lets us avoid exposing the EAS profile to other managed apps unless we want to.
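To make the CallKit point concrete, this is the shape of a Call Directory extension, the mechanism by which an app can hand iOS a caller ID list that never touches the address book. This is an added illustration, not Boxer’s or VMware’s code; the class name and the phone numbers are constructed for the example.

```swift
import Foundation
import CallKit

// Call Directory extension: the host app (here, a hypothetical managed mail app)
// supplies work numbers and labels; iOS consults this list when a call arrives.
// The numbers never enter the device address book, and no other app can query
// the extension, so the data flows one way: into caller ID only.
final class CallDirectoryHandler: CXCallDirectoryProvider, CXCallDirectoryExtensionContextDelegate {

    override func beginRequest(with context: CXCallDirectoryExtensionContext) {
        context.delegate = self

        // Constructed sample entries (hypothetical numbers, E.164 digits without "+").
        // A real extension would load these from an App Group container shared
        // with the managed mail app rather than hard-code them.
        let workContacts: [(number: CXCallDirectoryPhoneNumber, label: String)] = [
            (15555550100, "Alice Example (Work)"),
            (15555550101, "Bob Example (Work)"),
        ]

        // Incremental reloads (iOS 11+) must first drop the previous set,
        // otherwise stale identifications linger after a contact is removed.
        if context.isIncremental {
            context.removeAllIdentificationEntries()
        }

        // CallKit rejects the whole batch if numbers are not strictly ascending.
        for entry in workContacts.sorted(by: { $0.number < $1.number }) {
            context.addIdentificationEntry(withNextSequentialPhoneNumber: entry.number,
                                           label: entry.label)
        }

        context.completeRequest()
    }

    // Called if the system could not load the data; log it and let the host app
    // retry with CXCallDirectoryManager.reloadExtension(withIdentifier:).
    func requestFailed(for extensionContext: CXCallDirectoryExtensionContext, withError error: Error) {
        NSLog("Call directory load failed: \(error.localizedDescription)")
    }
}
```

The extension can only add labels; there is no API for another app or extension to read the entries back, which is why the contacts can stay inside the managed app.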
Android pros, cons and notes:
- + Works out of the box with defaults that make sense for the enterprise.
- + Tons of fine-grained controls if you want to further tighten security or tweak your setup
- + Fully automated deployment without user intervention
- + Clear container boundary and clear separation between Work and Personal apps and data
- – Some users may find having two address books or two copies of the same app a bit cumbersome; we will examine tweaks for that.
- – The separation does not affect the Messages app. SMS texts are all contained and processed on the personal side by design.
- – No cool features like per-app caller ID (which Apple CallKit allows) – contacts have to be exposed to the Contacts Provider.
- + The provider itself is containerized in the Work profile, so private apps can’t get anything anyway
- + You can manage the Contacts permission per-app if you don’t want other work apps to see those contacts
- + Works on Work Managed (Device Owner) devices as well:
  - Either set up a Work Profile (Android 8.1+)
  - Or manage the Contacts permission per app
IMHO, both suffice, but Android is more logical and offers more features.
The following posts will explain these conclusions in detail.