Securing work contacts while keeping caller ID 03: iOS with Boxer

I had a week of customer meetings, each (literally!) asking the same question: “How can I prevent WhatsApp from grabbing the corporate contacts on my device?”

In this series of posts we will explore the options of deploying corporate email/contacts/calendars with the goal of maximal work/personal contact separation, while trying to minimally impair the user experience (such as the Caller ID).

Recap

Terminology:

  • Private = personal = unmanaged = user space
  • Work = enterprise = managed = work space

Plan of action:

  • Ensure basic personal/work separation and containerization
  • Deploy the Boxer app and explore the options that affect separation/integration
  • Install a 3rd party app and see if we can leak the work contacts
  • Check that caller ID still works

Device: iPhone 7, iOS 11.4

Separating work from private

In the iOS world everything deployed via EMM is considered Managed, while everything installed by the user is Unmanaged. In order to ensure that no 3rd party app will be able to grab our contacts, we need to:

  • Deploy contacts as Managed. This can be achieved in two ways.
    • Via EAS profile (into the native Contacts app). This requires iOS 11.3+ to work. We will explore it in a separate post.
    • Deploy the Boxer email app as Managed and let Boxer deliver the contacts, which will then also count as Managed. This allows for a greater degree of separation and that’s what we’ll do in this post.
  • Deploy a Restriction so that Unmanaged apps do not have access to Managed data. By default this separation is disabled.

Pushing Boxer via EMM will automatically make it managed. All we really need to do is to push the Restrictions profile with the following box unchecked:

[Screenshot: Uncheck this box in the iOS Restrictions profile to enable separation]
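To verify the result outside the console, the check below audits an exported configuration profile for the separation restriction. It is an added example, not code from the original post or from VMware. It assumes the checkbox maps to Apple's `allowOpenFromManagedToUnmanaged` key in the `com.apple.applicationaccess` payload (the screenshot is not available, so the mapping is an assumption), that the profile is an unsigned plist, and it goes beyond the iOS 11.4 test device by also checking the iOS 12+ `allowUnmanagedToReadManagedContacts` key. The sample profiles are constructed.

```python
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"  # Apple's Restrictions payload type

def audit_contact_separation(profile_bytes):
    """Return findings for one profile; an empty list means separation is on."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS]
    if not payloads:
        return ["no Restrictions payload: iOS defaults apply, separation is off"]
    findings = []
    for p in payloads:
        # A missing key means the iOS default, which is True (sharing allowed).
        if p.get("allowOpenFromManagedToUnmanaged", True):
            findings.append("allowOpenFromManagedToUnmanaged is not false: "
                            "unmanaged apps can reach managed data")
        # iOS 12+ exception key; it only matters once the key above is false.
        elif p.get("allowUnmanagedToReadManagedContacts", False):
            findings.append("allowUnmanagedToReadManagedContacts is true: "
                            "unmanaged apps can read managed contacts")
    return findings

def _sample(**restrictions):
    """Build a constructed sample profile (not exported from a real console)."""
    payload = dict(PayloadType=RESTRICTIONS, **restrictions)
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})

DEFAULT_PROFILE = _sample()  # box left checked
SEPARATED_PROFILE = _sample(allowOpenFromManagedToUnmanaged=False)
REOPENED_PROFILE = _sample(allowOpenFromManagedToUnmanaged=False,
                           allowUnmanagedToReadManagedContacts=True)

if __name__ == "__main__":
    for name in ("DEFAULT_PROFILE", "SEPARATED_PROFILE", "REOPENED_PROFILE"):
        print(name, audit_contact_separation(globals()[name]) or "OK")
```

The audit looks at each Restrictions payload in a single profile on its own; it does not merge restrictions coming from several installed profiles.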

Now that we have all the preparations done, let’s push the app and test it.

Deploying the Boxer app

Deploying Boxer is nearly the same for iOS and Android. It is a public app.

Since it is integrated with WorkSpaceONE UEM, the console conveniently shows extra options when you assign the app to devices. Provisioning email options here allows us to avoid creating the EAS profile, which in turn

  • ensures proper separation on older iOS devices (<11.3)
  • prevents work emails/calendars/contacts from popping up in stock Mail/Calendar/Contacts apps.

[Screenshot: Note that I am using the variables here, which I have already pre-configured in my WorkSpaceONE UEM user account in VMware’s test Office 365 instance.]

Opening More Email Settings allows us to configure the security settings and Caller ID forwarding. We are interested in the below options:

  • CallerID: Restricted. On modern versions of iOS (10.0+) Apple introduced a technology called CallKit, which allows apps to provide Caller ID services. This switch relates to the legacy “export” method and as such we don’t need it.
  • Personal Accounts: Restricted. When allowed, the user can create additional accounts in their (Managed!) Boxer. Since this is clearly a way to a data leak, we’ll keep it disabled.
  • Personal Contacts: Restricted. Enabling it will result in Boxer displaying contacts from other sources in its own contact list. Full separation assumes that users’ private data won’t accidentally show up in work apps, so we should keep it off. Note that this also disables the Local Contacts slider in Boxer.

[Screenshot: UEM Console settings and their counterparts in the Boxer iOS app.]

That’s very much it, let’s push the app and see if our setup works.

Testing the separation and Caller ID

I have pushed Boxer, launched it and waited until the work contacts are synchronized. I have also installed two 3rd party apps that can access contacts: LinkedIn (“Invite Contacts” feature) and a 3rd party contacts backup app. Here’s what I see in every app.

[Screenshot: Contact separation on iOS: Boxer | Stock Contacts app | LinkedIn | 3rd party contacts backup.]

The separation seems to be working!

  • Boxer shows work contacts and doesn’t show private contacts
  • Other apps only show private contacts, and not work.

This way we get a very clear, understandable and manageable Work/Private separation similar to Android Work Profile. However, the user now has to use essentially two separate contact apps. Here’s what we can do to address it:

  • Use Boxer as the main Contacts app:
    • Set Personal Contacts: Unrestricted (as discussed before).
      [Screenshot: Un-restricting Personal Contacts in the UEM Console enables the Local Contacts slider in Boxer]
  • Use the native Contacts app as the main one:
    • Push an EAS profile. In addition, work emails/calendars will appear in the native apps, which may or may not be what you are looking for. Despite appearing all piled up and mixed with private Contacts/Emails/Calendars, they are still protected and separated (iOS 11.3+). As mentioned before – separate post.
      [Screenshot: The Exchange account is fully local to Boxer and is present in neither Accounts and Passwords nor Device Management. If you want Work (Managed) contacts to appear in the local Contacts app, deploy the EAS profile.]

OK, let’s get the CallerID to work. According to Apple’s official security & privacy stance, the user MUST manually enable CallerID for every CallKit-enabled app (and take full responsibility for the consequences), so full automation is unfortunately impossible.

Boxer hints that the setting is located in Settings –> Phone –> Call Blocking & Identification. Let’s turn it on and see what happens.

[Screenshot: Enabling caller ID on iOS. Must be done manually. Thanks, Apple.]

iOS even shows which app provided the Caller ID! Note that it doesn’t work in the notifications, however. I’m probably not holding my phone right…

[Screenshot: Working Caller ID on iOS.]

Ok, we have it all working. Let’s summarize!

Summary

iOS offers secure enterprise Email and Contacts without having to compromise on convenience of the CallerID (provided you have a capable EMM and mail client). Notes:

  • + CallKit allows an app to provide caller ID without ANY contacts integration, and even shows which apps provided it.
  • – Doesn’t work in notifications for some reason.
  • – Manual intervention required, user has more control than admin. Great for BYOD, not good for fully business-oriented devices.
  • – More prep work required than Android (separation, manual caller ID activation)
  • – Since Apple doesn’t have a clear container boundary (like Android’s Work Profile) things can be confusing. For example, had we deployed an EAS profile, all contacts would have been in the same app, but they would behave differently, confusing the user.
  • + CallKit CallerID allows us to not expose the EAS profile to other managed apps, unless we want it.

Looks like the goal is achieved. What are your thoughts? Have I forgotten to test something?

6 thoughts on “Securing work contacts while keeping caller ID 03: iOS with Boxer”

      1. I’ve seen a tech note regarding that for Boxer and a new version was scheduled, but I don’t know if it’s released yet. Try the latest version or the latest beta from the beta portal.