I had a week of customer meetings, each (literally!) asking the same question: “How can I prevent WhatsApp from grabbing the corporate contacts on my device?”
In this series of posts we will explore the options of deploying corporate email/contacts/calendars with the goal of maximal work/personal contact separation, while trying to minimally impair the user experience (such as the Caller ID).
Table of contents:
- Introduction and common principles (avoid repeating)
- [This post] Android Work Profile
- Bonus: In-depth on Allow work contacts in personal contacts app
- Fully containerized iOS with Boxer
- Bonus: iOS managed contacts with EAS profile (iOS 11.3+)
- Private = personal = unmanaged = user space
- Work = enterprise = managed = work space
Plan of action:
- Ensure basic personal/work separation and containerization
- Deploy the Boxer app and explore the options that affect separation/integration
- Install a 3rd party app and see whether we can leak the work contacts
- Check that caller ID still works
Device: Google Pixel 1, Android 8.1 Work Profile
Separating work from private
Android has separation and caller ID support enabled by default thanks to Android Enterprise (formerly Android for Work): everything we push via the EMM is installed into the Work Profile. Thus we really don’t have to do anything, but let’s explore some options – Android has a lot to offer (more than iOS, if you ask me).
First, let’s take a look at the default Restrictions (which we don’t even have to push!). Note that the separation is enabled, caller ID is enabled, and take a look at the last box: Allow work contacts in personal contacts app.
The naming is a bit confusing, as the numerous discussions on the Internet prove. I’ll write a separate short post about this feature. What we need to know now is that, regardless of this checkbox, 3rd party apps (LinkedIn, WhatsApp etc.) still cannot access Work contacts.
We are pushing Restrictions, but we do not push the Exchange ActiveSync profile. Thus Boxer will have to create one on its first run, which will fail unless we allow adding/deleting accounts (disabled by default). Alternatively, you can push the EAS profile yourself – Boxer will use the preconfigured one just fine.
Finally, we will configure a Permissions payload in the same profile, to automatically grant Boxer all necessary permissions, so that it doesn’t have to ask the user. Compare the two screenshots below – in one case the permissions were set by the user, and in the other via the EMM console. Note that you can push permissions in a way that the user can’t even change them!
In summary, Android just works out of box, but there are lots of tweaks available.
Now that we have all the preparations done, let’s push the app and test it.
Deploying the Boxer app
Deploying Boxer is nearly the same for iOS and Android. It is a public app.
Since it is integrated with Workspace ONE UEM, the console conveniently shows extra options when you assign the app to devices. The Provisioning email options here allow us to avoid creating a separate EAS profile – Boxer will take care of it.
Opening More Email Settings allows us to configure the security settings and Caller ID forwarding. We are interested in the below options:
- CallerID: Unrestricted. This basically exports contacts to the Work Contacts. Disabling it keeps the contacts solely within Boxer, and caller ID will not function. It also disables the Export Contacts slider in Boxer (see the illustration below), which does the same thing.
- Personal Accounts: Restricted. When allowed, the user can create additional accounts in their (Work!) Boxer. Since this is clearly a path to a data leak, we’ll keep it disabled.
- Personal Contacts: Restricted. Enabling it results in Boxer displaying contacts from other sources in its own contact list. Full separation assumes that users’ private data won’t accidentally show up in work apps, so we should keep it off. Note that this also disables the Enable Device Contacts slider in Boxer.
That’s about it; let’s push the app and see if our setup works.
After pushing Boxer, I check the contacts I see and compare them to the private/unmanaged space, where I have one test contact. One of the Boxer contacts has no phone number and is thus not displayed in the phone’s Work Contacts. The last screen is a 3rd party Contacts app for comparison.
So far, it works. Let’s now search for work contacts in private apps and vice versa.
As you can see, Work apps cannot see the Private contacts, 3rd party apps cannot see Work contacts, but the stock Contacts (and Messages) app can search for Work contacts. This is where the two options we’ve discussed above come into play:
- Restrictions –> Allow work contacts in personal contacts app. Unchecking it disables work contacts search/use in the stock Contacts and Messages apps.
- Boxer –> Personal contacts. Allows searching for personal contacts from within Boxer.
We can already see that a 3rd party app cannot see work contacts, but let’s also use LinkedIn’s “Import contacts” feature just to be sure.
Just as expected, LinkedIn can only see one private contact. Just like the 3rd party dialer.
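The screenshots show the boundary from the user’s side. To check the same thing from the device side, here is an added shell script (not from the original post, and not Workspace ONE tooling) that uses adb to find the Work Profile’s user id, confirm where Boxer is installed, and count the rows in each profile’s own instance of the contacts provider. It assumes the Android 8.x output formats of `pm list users` and `content query`, and it assumes Boxer’s package name is com.boxer.email (verify with `pm list packages`); the parsing helpers are exercised on constructed sample output so the script also runs without a device.

```shell
#!/bin/sh
# Added example (not from the original post): verify the work/personal contact
# boundary from the device side with adb instead of trusting the EMM console.
# Offline part: parsing helpers exercised on constructed sample output.
# Live part: runs only when adb is available and a device is attached.
# Assumptions: Android 8.x `pm list users` / `content query` output formats,
# and Boxer's package name com.boxer.email (check with `pm list packages`).

CONTACTS_URI='content://com.android.contacts/contacts'
BOXER_PKG='com.boxer.email'   # assumed Boxer package name

# Read `pm list users` output on stdin and print the id of the managed (work)
# profile.  Each line looks like "UserInfo{10:Work profile:30} running"; the
# last field is a hex flag word and 0x20 is UserInfo.FLAG_MANAGED_PROFILE.
work_profile_id() {
  while IFS= read -r line; do
    case "$line" in *UserInfo\{*\}*) ;; *) continue ;; esac
    line=${line#*UserInfo\{}      # "10:Work profile:30} running"
    line=${line%%\}*}             # "10:Work profile:30"
    id=${line%%:*}
    flags=$(printf '%d' "0x${line##*:}" 2>/dev/null || echo 0)
    if [ $(( flags & 32 )) -ne 0 ]; then
      printf '%s\n' "$id"
      return 0
    fi
  done
  return 1                        # no work profile on this device
}

# Count result rows in `content query` output ("Row: 0 display_name=..."
# per hit, "No result found." when the provider instance is empty).
count_rows() {
  grep -c '^Row: ' || :
}

# Is package $1 installed for user $2?  `pm list packages --user N FILTER`
# prints "package:<name>" for every package whose name contains FILTER.
installed_for_user() {
  adb shell pm list packages --user "$2" "$1" | tr -d '\r' |
    grep -q "^package:$1\$"
}

# Query the contacts provider *instance* of user $1 and return the row count.
# The shell user holds READ_CONTACTS, so this is an upper bound on what any
# app running in that profile can see; an app in the personal profile has no
# path to the work profile's instance, which is the boundary the post relies on.
contacts_visible_to_user() {
  adb shell content query --user "$1" --uri "$CONTACTS_URI" \
      --projection display_name | count_rows
}

# Grant or revoke READ_CONTACTS for one package in one profile (runtime
# permission, Android 6+).  Shell equivalent of the per-app permission
# payload, for experiments only: an EMM re-push will override it.
set_contacts_permission() {   # usage: set_contacts_permission PKG USER grant|revoke
  adb shell pm "$3" --user "$2" "$1" android.permission.READ_CONTACTS
}

# Constructed sample output so the helpers can be checked without a device.
SAMPLE_USERS='Users:
        UserInfo{0:Owner:13} running
        UserInfo{10:Work profile:30} running'
SAMPLE_QUERY='Row: 0 display_name=Alice Example
Row: 1 display_name=Bob Example'

check_separation() {
  work=$(adb shell pm list users | work_profile_id) || {
    echo 'no managed profile found' >&2; return 2; }
  echo "work profile is user $work"
  if installed_for_user "$BOXER_PKG" 0; then
    echo "WARNING: $BOXER_PKG is also installed in the personal profile"
  fi
  installed_for_user "$BOXER_PKG" "$work" ||
    echo "WARNING: $BOXER_PKG is not installed in the work profile"
  echo "personal provider (user 0): $(contacts_visible_to_user 0) contacts"
  echo "work provider (user $work): $(contacts_visible_to_user "$work") contacts"
}

if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
  check_separation
else
  echo "no device attached; offline self-check only"
  printf '%s\n' "$SAMPLE_USERS" | work_profile_id   # prints 10
  printf '%s\n' "$SAMPLE_QUERY" | count_rows        # prints 2
fi
```

With a device attached, the personal provider should report only the test contact and the work provider the Boxer contacts that have a phone number; any work contact showing up under user 0 would mean something exported it across the boundary. `set_contacts_permission` is there for the “manage the Contacts permission per app” variant on fully managed devices, where both profiles collapse into user 0 and the permission, not the container, is the control.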
Looks like our separation is working! Now, let’s see if we still have CallerID: let’s place some calls and trigger some notifications.
Looks like everything is working! Note the “work” word. Let’s summarize!
Android offers secure enterprise Email and Contacts without compromising on the convenience of CallerID (provided you have a capable EMM and mail client). Both separation and caller ID work out of the box, but allow for lots of customization. Notes:
- + Works out of the box on defaults, which make sense for the Enterprise.
- + Tons of fine-grained controls if you want to further tighten security or tweak your setup
- + Fully automated deployment without user intervention
- + Clear container boundary and clear separation between Work and Personal apps and data
- – Some users may find having two address books or two copies of the same app a bit cumbersome; we have examined tweaks for that.
- – The separation does not affect the Messages app. SMS texts are all contained and processed on the personal side by design.
- – No cool features like per-app caller ID (which Apple CallKit allows) – contacts have to be exposed to the Contacts Provider.
- + The provider itself is containerized in the Work profile, so private apps can’t get anything anyway
- + You can manage the Contacts permission per-app if you don’t want other work apps to see those contacts
- + Works on Work Managed (Device Owner) devices as well:
  - Either set up a Work Profile (Android 8.1+)
  - Or manage the Contacts permission per app
IMHO, a very good set of features. What are your thoughts?