I had a week of customer meetings, each (literally!) asking the same question: “How can I prevent WhatsApp from grabbing the corporate contacts on my device?”
In this series of posts we will explore the options for deploying corporate email/contacts/calendars with the goal of maximal work/personal contact separation, while impairing the user experience (for example Caller ID) as little as possible.
Table of contents:
- Introduction and common principles (avoid repeating)
- Android Work Profile
- Bonus: In-depth on Allow work contacts in personal contacts app
- [This post] Fully containerized iOS with Boxer
- Bonus: iOS managed contacts with EAS profile (iOS 11.3+)
Terminology:
- Private = personal = unmanaged = user space
- Work = enterprise = managed = work space
Plan of action:
- Ensure basic personal/work separation and containerization
- Deploy the Boxer app and explore the options that affect separation/integration
- Install 3rd party apps that read contacts and see whether they can get at the work contacts
- Check that caller ID still works
Device: iPhone 7, iOS 11.4
Separating work from private
In the iOS world everything deployed via EMM (apps, accounts, profiles) is considered Managed, while everything installed or added by the user is Unmanaged. To ensure that no 3rd party app can read our contacts, we need to:
- Deploy the contacts as Managed. This can be achieved in two ways:
  - Via an EAS profile (into the native Contacts app). Managed contacts in the native app require iOS 11.3+ to work. We will explore this in a separate post.
  - Deploy the Boxer email app as Managed and let Boxer sync the contacts, which then count as Managed data too. This gives a greater degree of separation and is what we'll do in this post.
- Deploy a Restrictions profile so that Unmanaged apps cannot access Managed data (in Apple's terms: documents from managed sources may not be opened in unmanaged destinations). By default this restriction is not enforced, so Managed and Unmanaged data flow freely between apps.
Pushing Boxer via EMM automatically makes it Managed. All we really need to do is push a Restrictions profile with the following box unchecked:
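The console screenshot is not reproduced here. As an added example (not from the original post and not Workspace ONE's own code), the Python script below builds the Apple Restrictions payload that the unchecked box corresponds to and audits any .mobileconfig for the keys that decide whether Unmanaged apps can reach Managed data. Key names and their defaults come from Apple's Configuration Profile Reference; the payload identifiers and display names are placeholders, and the iOS 11.3+ contacts keys are included because they re-open the boundary for contacts specifically.

```python
import plistlib
import uuid

# Keys of the Restrictions payload (PayloadType com.apple.applicationaccess).
# "Allow documents from managed sources in unmanaged destinations" unchecked
# in the console corresponds to allowOpenFromManagedToUnmanaged = False.
SEPARATION_KEYS = {
    "allowOpenFromManagedToUnmanaged": False,   # Managed data -> Unmanaged apps: deny
    "allowOpenFromUnmanagedToManaged": False,   # Unmanaged data -> Managed apps: deny
}

# iOS 11.3+ exceptions that apply to contacts only. Both default to False;
# setting either to True punches a hole in the boundary above.
CONTACT_EXCEPTION_KEYS = (
    "allowUnmanagedToReadManagedContacts",
    "allowManagedToWriteUnmanagedContacts",
)


def build_restrictions_profile(identifier="com.example.separation", extra=None):
    """Return a .mobileconfig (XML plist bytes) enforcing Managed/Unmanaged separation.

    identifier is a placeholder; 'extra' lets a caller override or add keys
    (used below to generate a deliberately weak profile for the audit).
    """
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Managed/Unmanaged separation",
        **SEPARATION_KEYS,
        **(extra or {}),
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Work/personal separation",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def build_profile_without_restrictions(identifier="com.example.empty"):
    """A Configuration profile with no Restrictions payload at all (audit fixture)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": [],
    })


def audit_profile(data):
    """Return a list of findings; an empty list means the boundary is enforced."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not payloads:
        return ["no Restrictions payload: Managed data is open to Unmanaged apps by default"]
    findings = []
    for p in payloads:
        # Apple's default for a missing key is True (allowed), so absence is a finding.
        if p.get("allowOpenFromManagedToUnmanaged", True):
            findings.append("allowOpenFromManagedToUnmanaged is not false: "
                            "Unmanaged apps can read Managed data (work contacts)")
        for key in CONTACT_EXCEPTION_KEYS:
            if p.get(key, False):
                findings.append(f"{key} is true: contacts exception re-opens the boundary (iOS 11.3+)")
    return findings


if __name__ == "__main__":
    good = build_restrictions_profile()
    with open("separation.mobileconfig", "wb") as fh:
        fh.write(good)
    print("strict profile findings:", audit_profile(good))
    weak = build_restrictions_profile(extra={"allowOpenFromManagedToUnmanaged": True})
    print("weak profile findings:", audit_profile(weak))
```

The generated file is unsigned; a UEM will normally sign and deliver it for you, and on an unsupervised device the user still has to accept the profile. The audit treats a missing key as "allowed", which is exactly the trap on a freshly created Restrictions profile: leaving the box untouched means the box is checked.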
Now that we have all the preparations done, let's push the app and test it.
Deploying the Boxer app
Deploying Boxer is nearly the same for iOS and Android, as it is a public app.
Since it is integrated with Workspace ONE UEM, the console conveniently shows extra options when you assign the app to devices. Provisioning the email settings here lets us avoid creating an EAS profile altogether, which in turn:
- ensures proper separation on older iOS devices (<11.3), where contacts in the native app cannot be Managed at all
- prevents work emails/calendars/contacts from popping up in stock Mail/Calendar/Contacts apps.
Opening More Email Settings allows us to configure the security settings and Caller ID forwarding. We are interested in the following options:
- Caller ID: Restricted. In iOS 10 Apple introduced CallKit, which lets apps provide Caller ID information without pushing anything into the device's address book. This switch relates to the legacy "export" method (copying contacts into the local address book for Caller ID purposes), so we don't need it.
- Personal Accounts: Restricted. When allowed, the user can add additional (personal) accounts to their Managed Boxer instance, which would let work data be moved into a personal mailbox. Since this is an obvious data leak path, we keep it restricted.
- Personal Contacts: Restricted. Enabling it results in Boxer displaying contacts from other sources in its own contact list. Full separation assumes that users' private data won't accidentally show up in work apps, so we keep it off. Note that this also disables the Local Contacts slider in Boxer.
That's pretty much it; let's push the app and see whether our setup works.
Testing the separation and Caller ID
I have pushed Boxer, launched it and waited until the work contacts were synchronized. I have also installed two 3rd party apps that can access contacts: LinkedIn ("Invite Contacts" feature) and a 3rd party contacts backup app. Here's what I see in every app.
The separation seems to be working!
- Boxer shows work contacts and doesn't show private contacts.
- Other apps only show private contacts, not work ones.
This way we get a very clear, understandable and manageable Work/Private separation, similar to the Android Work Profile. However, the user now has to use essentially two separate contacts apps. Here's what we can do to address it:
- Use Boxer as the main Contacts app:
  - Set Personal Contacts: Unrestricted (as discussed before).
- Use the native Contacts app as the main one:
  - Push an EAS profile. As a side effect, work emails/calendars will also appear in the native apps, which may or may not be what you are looking for. Although they appear piled up and mixed with private Contacts/Emails/Calendars, they are still protected and separated by the Managed/Unmanaged boundary (iOS 11.3+). As mentioned before, this gets a separate post.
OK, let's get Caller ID to work. According to Apple's official security & privacy stance, the user MUST manually enable Caller ID for every CallKit-enabled app (and take full responsibility for the consequences), so full automation is unfortunately impossible.
Boxer hints that the setting is located in Settings –> Phone –> Call Blocking & Identification. Let's turn it on and see what happens.
iOS even shows which app provided the Caller ID! Note that it doesn’t work in the notifications, however. I’m probably not holding my phone right…
Ok, we have it all working. Let’s summarize!
iOS offers secure enterprise Email and Contacts without having to compromise on the convenience of Caller ID (provided you have a capable EMM and mail client). Notes:
- + CallKit allows an app to provide Caller ID without ANY contacts integration, and iOS even shows which app provided it.
- – Doesn't work in notifications for some reason.
- – Manual intervention is required; the user has more control than the admin. Great for BYOD, not so good for fully business-oriented devices.
- – More prep work required than on Android (separation restriction, manual Caller ID activation).
- – Since Apple doesn't have a clear container boundary (like Android's Work Profile), things can be confusing. For example, had we deployed an EAS profile, all contacts would sit in the same app but behave differently, which confuses the user.
- + CallKit Caller ID means we don't have to expose the EAS account to other apps at all, unless we want to.
Looks like the goal is achieved. What are your thoughts? Have I forgotten to test something?