[Ethan Hexnode 8 December 2021 Ethan Moderator]

Hi @Fabio!

Thank you for reaching out to us!

Would you please clarify if these are personal or corporate devices? Are these apps for personal or business use?

[Fabio Participant 8 December 2021 Fabio Participant]

They are personal devices of our employees. The apps are for personal use as well. We don’t want them to access corporate contacts. We have a wfh situation going on, its just a temporary measure until we can ship them their work stations.

[Ethan Hexnode 8 December 2021 Ethan Moderator]

That’s alright, @Fabio. Since these are personal devices with personal apps, we need to separate them from corporate data. For employees using their personal iOS devices, we can limit unmanaged apps from accessing managed content. For example, you can sync your corporate contacts on Exchange ActiveSync or CardDAV to the device to have a managed contact list. You can configure these by navigating to the Policies tab under iOS and associating them with the devices.

Once the contacts are managed, navigate to the Policies tab, select iOS and click on Business Container and disable Unmanaged apps can read Managed Contact Accounts. This will prevent the personal apps from accessing the corporate contacts and limit access to just the personal contact list. Business Container prevents personal and corporate data from interacting with each other by limiting data flow between managed and unmanaged apps.

For Android devices, we recommend setting up a work profile on the employee device to separate work apps and personal apps. Apps on the personal profile will not have access to the contacts in the work profile. Check out the steps to enroll a device in Android Enterprise profile owner.

Hope this answer meets your requirement.

Ethan Miller
Hexnode UEM

[Fabio Participant 8 December 2021 Fabio Participant]

Thank you so much Ethan! We will roll out these policies soon. Once our fully managed corporate devices are shipped to them, we can have them fully move on over to those devices. How much do these policies differ for corporate devices?

[Ethan Hexnode 8 December 2021 Ethan Moderator]

Hi @Fabio,

Glad we could be of help!

Just to be clear, are you talking about a situation where users use their personal apps on corporate owned devices?

[Fabio Participant 8 December 2021 Fabio Participant]

Yes… Given the circumstances, we need to be careful with our devices and data.

[Ethan Hexnode 8 December 2021 Ethan Moderator]

I understand, @Fabio. Ideally, personal apps are not allowed on corporate-owned devices. Apps that hinder productivity are usually blacklisted on corporate devices. If relaxations are allowed, certain restrictions can be configured in iOS to limit interaction between personal and corporate data.

Managing content in corporate-owned devices is easier as we have more control over the device. As mentioned earlier, we can prevent personal apps on corporate devices from accessing corporate contacts using Business Containers. Since the personal app is unmanaged and the contacts are managed, you can disable the option Unmanaged apps can read Managed Contact Accounts.

On Android, devices enrolled in Android Enterprise device owner does not have a way to restrict personal apps from accessing work contacts. However, you could prevent the user from installing personal apps on the device by blacklisting such apps or whitelisting the apps that are essential to your use case.

Hope this answer suits your requirement.

Ethan Miller
Hexnode UEM

[Cecelia Participant 6 January 2022 Cecelia Participant]

we have a similar scenario, but our employees use their personal devices for work communication. We don’t want the work app to access their personal contacts. We have asked them to enroll their devices to the uem. How do we do this remotely?

[Ethan Hexnode 6 January 2022 Ethan Moderator]

Hey @Cecelia,

Thank you for choosing Hexnode!

If a corporate-based communication app is installed in your employee’s personal device, and you want to prevent it from accessing their personal contact, install the communication app as a managed app with Hexnode. Use Business Container to disable the Managed apps can write to Unmanaged Contact Accounts option. This will prevent the corporate app from accessing and modifying unmanaged personal contacts on your employee’s device.

On Android devices, we recommend setting up a work profile to prevent work apps from accessing personal profile contacts and data.

Hope this answers your queries

Ethan Miller
Hexnode UEM