Securing work contacts while keeping caller ID 02: Android

I had a week of customer meetings, each (literally!) asking the same question: “How can I prevent WhatsApp from grabbing the corporate contacts on my device?”

In this series of posts we will explore the options for deploying corporate email/contacts/calendars with the goal of maximal work/personal contact separation, while impairing the user experience (for example Caller ID) as little as possible.

Recap

Terminology:

  • Private = personal = unmanaged = user space
  • Work = enterprise = managed = work space

Plan of action:

  • Ensure basic personal/work separation and containerization
  • Deploy the Boxer app and explore the options that affect separation/integration
  • Install a 3rd party app and see if we can leak the work contacts
  • Check that caller ID still works

Device: Google Pixel 1, Android 8.1 Work Profile

Separating work from private

Android has separation and caller ID support enabled by default thanks to Android Enterprise (formerly Android for Work): everything we push via EMM will be installed into the Work Profile. Thus we really don’t have to do anything, but let’s explore some options – Android has a lot to offer (more than iOS, if you ask me).

First, let’s take a look at the default Restrictions (which we don’t even have to push!). Note that the separation is enabled, caller ID is enabled, and take a look at the last box: Allow work contacts in personal contacts app.

ContactsCallerID-03
Android Work Profile restrictions offer more options than iOS and are good by default; we don’t even need to push them

The naming is a bit confusing, as proven by the numerous discussions on the Internet. I’ll write a separate short post about this feature. What we need to know now is that, regardless of this checkbox, 3rd party apps (LinkedIn, WhatsApp etc.) still cannot access Work contacts.

We are pushing Restrictions, but do not push the Exchange ActiveSync profile. Thus Boxer will have to create one on the first run, which will fail unless we allow adding/deleting accounts (disabled by default). Alternatively, you can push the EAS profile yourself – Boxer will use the preconfigured one just fine.

ContactsCallerID-04
Make sure to enable this if you are not pushing the EAS profile separately

Finally, we will configure a Permissions payload in the same profile, to automatically grant Boxer all necessary permissions, so that it doesn’t have to ask the user. Compare the two screenshots below – in one case the permissions were set by the user, and in another – via EMM console. Note that you can push permissions in a way that user can’t even touch them!

ContactsCallerID-05
Boxer app permissions configured by user | pre-configured by EMM profile

In summary, Android just works out of box, but there are lots of tweaks available.
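As an added illustration (not code from this post, nor from VMware or Workspace ONE), here are the same controls discussed above expressed against the Android DevicePolicyManager API that an EMM agent acting as profile owner calls under the hood. The mapping of console names to API calls, the WorkAdminReceiver class and the mail client package name are my assumptions.

```java
import android.Manifest;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;

/** Profile-owner side of the Work Profile contact controls (assumed mapping to console settings). */
public final class WorkContactsPolicy {
    // Placeholder: replace with the real package name of the mail client in the Work Profile.
    private static final String MAIL_CLIENT_PACKAGE = "com.example.mailclient";

    /** Hypothetical admin receiver of the EMM agent that owns the Work Profile. */
    public static class WorkAdminReceiver extends DeviceAdminReceiver {}

    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public WorkContactsPolicy(Context ctx) {
        dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        admin = new ComponentName(ctx, WorkAdminReceiver.class);
    }

    /** Mirrors the default Restrictions: caller ID on, work contacts visible to the personal Contacts app. */
    public void applyDefaults() {
        // "Caller ID": the personal dialer may resolve incoming numbers against work contacts.
        dpm.setCrossProfileCallerIdDisabled(admin, false);
        // "Allow work contacts in personal contacts app": stock Contacts/Messages may search work contacts.
        dpm.setCrossProfileContactsSearchDisabled(admin, false);
    }

    /** Tighter variant: keep caller ID, but stop the personal Contacts/Messages apps from searching work contacts. */
    public void disableCrossProfileSearch() {
        dpm.setCrossProfileContactsSearchDisabled(admin, true);
    }

    /** Needed only when the EAS profile is not pushed separately: let the mail client add its own account. */
    public void allowAccountCreation() {
        dpm.clearUserRestriction(admin, UserManager.DISALLOW_MODIFY_ACCOUNTS);
    }

    /** Equivalent of the Permissions payload: grant contacts access up front so the user is never
     *  prompted and cannot revoke it in Settings while the grant state is fixed by policy. */
    public void preGrantContactsPermissions() {
        String[] perms = {Manifest.permission.READ_CONTACTS, Manifest.permission.WRITE_CONTACTS};
        for (String p : perms) {
            dpm.setPermissionGrantState(admin, MAIL_CLIENT_PACKAGE, p,
                    DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED);
        }
    }
}
```

Note that the cross-profile switches only govern the stock Contacts, Messages and dialer apps; other personal-profile apps never see the work contacts database, which is what the LinkedIn test later in the post confirms.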

Now that we have all the preparations done, let’s push the app and test it.

Deploying the Boxer app

Deploying Boxer is nearly the same for iOS and Android. It is a public app.

ContactsCallerID-07

Since it is integrated with WorkSpaceONE UEM, the console conveniently shows extra options when you assign the app to devices. Provisioning email options here allows us to avoid creating a separate EAS profile – Boxer will take care of it.

ContactsCallerID-08
Note that I am using the variables here, which I have already pre-configured in my WorkSpaceONE UEM user account in VMware’s test Office 365 instance.

Opening More Email Settings allows us to configure the security settings and Caller ID forwarding. We are interested in the following options:

  • CallerID: Unrestricted. This basically exports contacts to the Work Contacts. Disabling it keeps the contacts solely within Boxer, and caller ID will not function. It also disables the Export Contacts slider in Boxer (see the illustration below), which does the same thing.
  • Personal Accounts: Restricted. When allowed, users can create additional accounts in their (Work!) Boxer. Since this is clearly a path to a data leak, we’ll keep it disabled.
  • Personal Contacts: Restricted. Enabling it will result in Boxer displaying contacts from other sources in its own contact list. Full separation assumes that users’ private data won’t accidentally show up in work apps, so we should keep it off. Note that this also disables the Enable Device Contacts slider in Boxer.

ContactsCallerID-10
UEM Console settings and their counterparts in Boxer Android app. Click for a larger image

That’s pretty much it; let’s push the app and see if our setup works.

Testing: Android

After pushing Boxer, I check the contacts I see and compare them with the private/unmanaged space, where I have one test contact. One of the Boxer contacts has no phone number and is thus not displayed in the phone’s Work Contacts. The last screen is a 3rd party Contacts app for comparison.

ContactsCallerID-11
Android contacts separation in action: Work Boxer | Work Contacts | Private Contacts | Private 3rd party app. Click for a larger image.

So far, it works. Let’s now search for work contacts in private apps and vice versa.

ContactsCallerID-12
Work contact search works in stock private Contacts/Messages apps, controlled via Allow work contacts in personal contacts app restriction. Click for a larger image.

As you can see, Work apps cannot see the Private contacts, 3rd party apps cannot see Work contacts, but the stock Contacts (and Messages) app can search for Work contacts. This is where the two options we’ve discussed above come into play:

  • Restrictions –> Allow work contacts in personal contacts app. Unchecking it disables work contact search/use in the stock apps.
  • Boxer –> Personal contacts. Allows searching for personal contacts from within Boxer.

We can already see that a 3rd party app cannot see work contacts, but let’s also use LinkedIn’s “Import contacts” feature just to be sure.

ContactsCallerID-13
Even if stock Contacts app can see work contacts, 3rd party apps like LinkedIn cannot.

Just as expected, LinkedIn can only see one private contact. Just like the 3rd party dialer.

Looks like our separation is working! Now, let’s see if we still have CallerID: let’s place some calls and trigger some notifications.

ContactsCallerID-14
Caller ID notifications in Android Work Profile

Looks like everything is working! Note the “work” word. Let’s summarize!

Summary

Android offers secure enterprise Email and Contacts without having to compromise on the convenience of Caller ID (provided you have a capable EMM and mail client). Both separation and caller ID work out of the box, but allow for lots of customization. Notes:

  • + Works out of the box on defaults, which make sense for the enterprise.
  • + Tons of fine-grained controls if you want to further tighten security or tweak your setup
  • + Fully automated deployment without user intervention
  • + Clear container boundary and clear separation between Work and Personal apps and data
  • – Some users may find having two address books or two copies of the same app a bit cumbersome; we have examined tweaks for that
  • – The separation does not affect the Messages app. SMS texts are all contained and processed on the personal side by design.
  • – No cool features like per-app caller ID (which Apple CallKit allows) – contacts have to be exposed to the Contacts Provider.
    • + The provider itself is containerized in the Work profile, so private apps can’t get anything anyway
    • + You can manage the Contacts permission per-app if you don’t want other work apps to see those contacts
  • + Works on Work Managed (Device Owner) devices as well
    • Either set up Work Profile (Android 8.1+)
    • Or manage Contacts permission per app

IMHO, a very good set of features. What are your thoughts?
