# How to - Manage Contact Visibiltity for Contact Provider Extention with MDM

##

This article only applies if you have configured App Configuration for iOS and CPE activated.

## **Controlling Contact Visibility via MDM**

When SCA is deployed on **MDM-managed devices** (via e.g., Intune or Jamf), and SCA is installed as a **managed app**, iOS treats the contacts from its Contact Provider Extension (CPE) as *managed*. This allows administrators to restrict access to CPE contacts from unmanaged apps.

**User Experience**

* Users will still see **CPE contacts** in the native iOS Contacts and Phone apps, including when using **CarPlay**.
* These contacts behave like standard contacts but remain protected from unmanaged third-party apps.

**Administrative Control**

* Administrators can block **unmanaged apps** (such as WhatsApp, Messenger, or social media apps) from accessing CPE contacts, reducing the risk of data leakage.
* This control applies **only to MDM-enrolled devices** with SCA deployed as a managed app.
* **It does not apply when using Intune App Protection Policies (MAM) alone**

### **Configuring Contact Restrictions on MDM-Managed Devices**

&#x20;To successfully block unmanaged apps from accessing SCA contacts, you must configure these as **Device Restriction policies** on MDM-enrolled devices. First, establish the **Global Data Boundary**, then configure the specific **Contact Restrictions**.

&#x20;**Step 1: The “Master Switch” – Global Data Boundary**

Establish the boundary between managed apps (SCA) and unmanaged apps (personal) on the device.

* **Purpose:** Enables the global *Managed Open In* restriction. On many MDMs (like Intune), specific contact settings are ignored or disabled unless this boundary is active.
* **Apple MDM Key:** `allowOpenFromManagedToUnmanaged`
  * **Value:** `false` (Do not allow)
* **Intune Setting:** **Block viewing corporate documents in unmanaged apps**
  * **Value:** Yes

**Step 2: The “Contacts Switch” – Specific Read Restriction**

Once the global boundary is established, explicitly enforce the rule for reading contacts.

* **Purpose:** Prevents unmanaged apps (like WhatsApp) from accessing, syncing, or importing SCA contacts.
* **Apple MDM Key:** `allowUnmanagedToReadManagedContacts`
  * **Value:** `false` (Do not allow)
* **Intune Setting:** **Allow unmanaged apps to read from managed contacts accounts**
  * **Value:** Not configured

<div align="left"><figure><img src="/files/dd4UkoXBRyYmIVI51RrH" alt="" width="375"><figcaption></figcaption></figure></div>

{% hint style="success" %}
These settings apply only to **MDM-enrolled devices** with SCA deployed as a **managed app**, and affect only contacts provided via the **Contact Provider Extension (CPE)**.
{% endhint %}

## Mandatory Intune-App Protection settings for CPE&#x20;

If your organization applies **Microsoft Intune App Protection Policies (APP)** to the Secure Contacts App (SCA), certain settings **must** be enabled to ensure the Contact Provider Extension (CPE) works correctly.

These APP settings are required *only when an Intune App Protection Policy is enforced*, and they enable SCA to securely expose contact data to the native iOS environment:

• **Policy managed apps with Open-In/Share filtering** – Required to allow secure data sharing between managed apps and ensure contact data can be used outside the SCA container.

<div data-with-frame="true"><figure><img src="/files/EenjAl3HAvgacwem6EYM" alt=""><figcaption></figcaption></figure></div>

• **Sync app data with native apps** – Enables synchronization of managed app data with native iOS apps like Contacts and Phone, which is necessary for contact visibility and call functionality.

<div data-with-frame="true"><figure><img src="/files/Uc76PTqDqBn4J7P5jSAd" alt=""><figcaption></figcaption></figure></div>

{% hint style="warning" %}
If these App Protection Policy settings aren’t enabled, the CPE won’t be able to share contact data with iOS, which may prevent features such as native contact lookup, caller ID, CarPlay, and similar integrations from working properly.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.secure-contacts.com/how-to/how-to-manage-contact-visibiltity-for-contact-provider-extention-with-mdm.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.