How to - Manage Contact Visibility for Contact Provider Extension with MDM

This article applies only if you have configured App Configuration for iOS and activated CPE.

Controlling Contact Visibility via MDM

When SCA is deployed on MDM-managed devices (for example, via Intune or Jamf) and is installed as a managed app, iOS treats the contacts from its Contact Provider Extension (CPE) as managed. This allows administrators to restrict access to CPE contacts from unmanaged apps.

User Experience

  • Users will still see CPE contacts in the native iOS Contacts and Phone apps, including when using CarPlay.

  • These contacts behave like standard contacts but remain protected from unmanaged third-party apps.

Administrative Control

  • Administrators can block unmanaged apps (such as WhatsApp, Messenger, or social media apps) from accessing CPE contacts, reducing the risk of data leakage.

  • This control applies only to MDM-enrolled devices with SCA deployed as a managed app.

  • It does not apply when using Intune App Protection Policies (MAM) alone.

Configuring Contact Restrictions on MDM-Managed Devices

To successfully block unmanaged apps from accessing SCA contacts, you must configure these as Device Restriction policies on MDM-enrolled devices. First, establish the Global Data Boundary, then configure the specific Contact Restrictions.

Step 1: The “Master Switch” – Global Data Boundary

Establish the boundary between managed apps (SCA) and unmanaged apps (personal) on the device.

  • Purpose: Enables the global Managed Open In restriction. On many MDMs (like Intune), specific contact settings are ignored or disabled unless this boundary is active.

  • Apple MDM Key: allowOpenFromManagedToUnmanaged

    • Value: false (Do not allow)

  • Intune Setting: Block viewing corporate documents in unmanaged apps

    • Value: Yes

Step 2: The “Contacts Switch” – Specific Read Restriction

Once the global boundary is established, explicitly enforce the rule for reading contacts.

  • Purpose: Prevents unmanaged apps (like WhatsApp) from accessing, syncing, or importing SCA contacts.

  • Apple MDM Key: allowUnmanagedToReadManagedContacts

    • Value: false (Do not allow)

  • Intune Setting: Allow unmanaged apps to read from managed contacts accounts

    • Value: Not configured
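
To verify an exported, unsigned configuration profile against Step 1 and Step 2, the following added example (not part of the original article or of any vendor tooling) parses the Restrictions payload and reports the state of both keys. The function names and the sample profile with its placeholder identifiers are constructed for illustration, and treating an unset key as not enforced is a strict assumption of this example.

```python
import plistlib

# Restriction keys from Step 1 and Step 2; the page sets both to false.
REQUIRED_FALSE = (
    "allowOpenFromManagedToUnmanaged",      # Step 1: global data boundary
    "allowUnmanagedToReadManagedContacts",  # Step 2: contacts read restriction
)
RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple Restrictions payload


def audit_profile(profile_bytes):
    """Return {key: 'blocked' | 'allowed' | 'unset'} for an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    status = {key: "unset" for key in REQUIRED_FALSE}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        for key in REQUIRED_FALSE:
            value = payload.get(key)
            if value is True:
                status[key] = "allowed"  # conservative: any true is flagged
            elif value is False and status[key] != "allowed":
                status[key] = "blocked"
    return status


def contacts_protected(status):
    """Strict assumption: both switches must be explicitly false."""
    return all(status[key] == "blocked" for key in REQUIRED_FALSE)


def make_profile(restrictions):
    """Build a constructed sample profile with placeholder identifiers."""
    payload = {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "example.restrictions",
               "PayloadUUID": "00000000-0000-0000-0000-000000000001"}
    payload.update(restrictions)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.profile",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000002",
                           "PayloadContent": [payload]})


if __name__ == "__main__":
    both = make_profile({key: False for key in REQUIRED_FALSE})
    step2_only = make_profile({"allowUnmanagedToReadManagedContacts": False})
    for name, data in (("both switches", both), ("step 2 only", step2_only)):
        result = audit_profile(data)
        print(name, result, "protected:", contacts_protected(result))
```

A profile that carries only the Step 2 key is reported as unprotected, because Step 1 has not established the global boundary.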

Mandatory Intune App Protection settings for CPE

If your organization applies Microsoft Intune App Protection Policies (APP) to the Secure Contacts App (SCA), certain settings must be enabled to ensure the Contact Provider Extension (CPE) works correctly.

These APP settings are required only when an Intune App Protection Policy is enforced, and they enable SCA to securely expose contact data to the native iOS environment:

Policy managed apps with Open-In/Share filtering – Required to allow secure data sharing between managed apps and ensure contact data can be used outside the SCA container.

Sync app data with native apps – Enables synchronization of managed app data with native iOS apps like Contacts and Phone, which is necessary for contact visibility and call functionality.
