This page is not available for the language you chose. Would you like to view a Google Translate version for pages lacking translation?

Home > Blogartikel > How Enterprise IT Teams Deliver Corporate Contacts to Managed iPhones Without Installing an App 
Share on share on Facebook share on Twitter share on Facebook share by email

You manage 2,000 iOS devices across a distributed financial institution, and every one of them needs accurate, up-to-date corporate contacts. The obvious fix, a third-party sync app on each phone, requires broad Exchange Online permissions you cannot safely grant at scale. The fallback most teams settle for is manual. There is a better path. 

CiraSync Mobile Direct now supports Microsoft Intune and Workspace ONE alongside SOTI, Jamf, Mosyle, and Sophos for CardDAV-based contact delivery to managed iOS devices. No app installs on employee phones. No end-user configuration. This is how enterprise IT teams solve corporate contact delivery without creating new governance problems. 

TL;DR 

CiraSync Mobile Direct now supports Microsoft Intune and Workspace ONE for CardDAV-based contact delivery to managed iOS devices. No app installs on employee phones. No end-user configuration. CardDAV is an open, HTTP-based protocol built natively into Apple iOS. IT deploys a configuration profile through its existing MDM platform, and contacts appear automatically in the native iOS Contacts app. CiraSync connects to the Microsoft 365 source once, at the tenant level, through the Microsoft Azure Consent Framework. No passwords are sent to CiraSync, and the consent token cannot be reused by any other application. Contacts synced this way are classified as managed contacts within iOS. Because the CardDAV account rides on an MDM configuration profile, it is removed when that profile is removed, either on demand by IT or automatically when a device is unenrolled or retired. The deployment supports users without Exchange mailboxes and mixed device populations.  

Why Third-Party Apps Create Enterprise Governance Problems 

Most contact sync applications that live on the phone require Exchange Online permissions that are all or nothing. You cannot grant sync access without also granting broader access that creates compliance exposure, and for firms under SEC, FINRA, or GDPR oversight, that is an untenable position. 

The core issue is permission scope. On-device apps typically request application-level permissions across the entire Exchange Online tenant, and once granted, those cannot be selectively revoked without breaking the service. They also pass user tokens to external systems and give IT no reliable way to confirm which devices hold which version of the directory. Regulated firms are moving away from on-device contact apps for exactly these reasons. 

What CardDAV Is and Why It Solves This 

CardDAV is an open, HTTP-based protocol built natively into Apple iOS. It operates at the operating system level, so there is no app to install and no user configuration. IT deploys a configuration profile through its existing MDM platform, and contacts appear automatically in the native iOS Contacts app. 

The architecture is what makes this work for regulated environments. CiraSync connects to the Microsoft 365 source once, at the tenant level, through the Microsoft Azure Consent Framework, to read the Global Address List or shared mailbox you choose. No passwords are sent to CiraSync, and the consent token cannot be reused by any other application. Contact data then reaches each device over a managed, encrypted CardDAV connection that passes no user OAuth tokens down to the device or to any on-device app. and needs no Exchange permissions on the device side. 

Contacts synced this way are classified as managed contacts within iOS, unlike on-device apps that write to the user’s primary container. Because the CardDAV account rides on an MDM configuration profile, it is removed when that profile is removed, either on demand by IT or automatically when a device is unenrolled or retired. The directory stays under IT control for its full lifecycle. 

How MDM Deployments Work 

The deployment model is built for scale. IT enables Mobile Direct inside a CiraSync Sync Tunnel, downloads a pre-configured profile, and deploys it as a custom configuration profile through Intune or Workspace ONE. The profile carries everything the device needs, including the CardDAV principal URL, sync tunnel details, user Object ID, and secure access credentials, and it installs silently on targeted devices. 

Freshness runs on two cycles, and it is worth being precise about both. CiraSync caches the directory from the source on a schedule you set: daily, weekly, or monthly. Each device then pulls from that cache on its own interval, following the iOS Fetch New Data setting (15, 30, or 60 minutes, manual, or Push where supported). A source change reaches devices on the next caching cycle, not within 15 minutes, so match the source schedule to how quickly your directory actually changes. If someone edits or deletes a synced contact on the phone, the next cycle restores the authoritative record without IT intervention. 

Governance, Compliance, and Data Residency 

Where the data sits matters, and Mobile Direct is explicit about it. To serve contacts over CardDAV, CiraSync caches the selected directory in CiraSync Cloud, which means contact data is processed outside your Microsoft 365 tenant.
What you get in return: 

  • SOC 2 Type II certified and GDPR-compliant processing. 
  • Searchable audit logs for every sync action. 
  • Data residency selectable at the tenant level . 
  • Least-privilege consent at the tenant level, revocable in Entra ID at any time. 

Treat CiraSync as a vetted processor and confirm certifications and residency settings during your standard vendor review. 

Edge Cases Enterprises Actually Face 

Real environments are rarely clean, and a few scenarios stall most deployments. 

Users without Exchange mailboxes, including field workers, contractors, and temporary accounts, are supported. Licensing is tied to a unique Object ID embedded in the configuration URL rather than to a mailbox, which keeps provisioning auditable for every user CiraSync targets. 

Mixed device populations are supported as well. CiraSync runs two delivery paths from the same source directory: CardDAV through MDM for managed fleets, and mailbox-based sync for devices outside MDM control. Both draw from one source, so the directory stays consistent regardless of who owns the device. 

Be accurate about where the data sits. To serve contacts over CardDAV, CiraSync caches a copy of the selected directory in CiraSync Cloud, so in the Mobile Direct model contact data is processed outside your Microsoft 365 tenant rather than staying inside it. CiraSync Cloud is SOC 2 Type II certified and GDPR-compliant, every sync action is written to searchable audit logs, and data residency can be set on the tenant dashboard. Treat CiraSync as a vetted processor and confirm its certifications and residency settings in your standard vendor review. 

See how enterprise IT teams deploy corporate contacts to every managed iOS device: no apps on employee phones, no permission gaps, no manual work. See how enterprise financial institutions automate contact management at scale with CiraSync. 

Frequently asked questions 

Why do third-party contact sync apps create enterprise governance problems? 

Most contact sync applications that live on the phone require Exchange Online permissions that are all or nothing. You cannot grant sync access without also granting broader access that creates compliance exposure. On-device apps typically request application-level permissions across the entire Exchange Online tenant, and once granted, those cannot be selectively revoked without breaking the service. They also pass user tokens to external systems and give IT no reliable way to confirm which devices hold which version of the directory. 

What is CardDAV and why does it solve this for regulated environments? 

CardDAV is an open, HTTP-based protocol built natively into Apple iOS. It operates at the operating system level, so there is no app to install and no user configuration. IT deploys a configuration profile through its existing MDM platform, and contacts appear automatically in the native iOS Contacts app. Contacts synced this way are classified as managed contacts within iOS, unlike on-device apps that write to the user’s primary container. Because the CardDAV account rides on an MDM configuration profile, it is removed when that profile is removed, either on demand by IT or automatically when a device is unenrolled or retired. 

How does CiraSync authenticate with Microsoft 365 without sending passwords? 

CiraSync connects to the Microsoft 365 source once, at the tenant level, through the Microsoft Azure Consent Framework, to read the directory or shared mailbox you choose. No passwords are sent to CiraSync, and the consent token cannot be reused by any other application. 

How do enterprise Intune and Workspace ONE deployments work? 

IT enables Mobile Direct inside a CiraSync Sync Tunnel, downloads a pre-configured profile, and deploys it as a custom configuration profile through Intune or Workspace ONE. The profile carries everything the device needs, including the CardDAV principal URL, sync tunnel details, Device ID, user Object ID, and secure access credentials, and it installs silently on targeted devices. 

How quickly do contact changes reach managed iOS devices? 

Freshness runs on two cycles. CiraSync caches the directory from the source on a schedule you set: daily, weekly, or monthly. Each device then pulls from that cache on its own interval, following the iOS Fetch New Data setting, as often as every 15 minutes or via push. A source change reaches devices on the next caching cycle, not within 15 minutes, so match the source schedule to how quickly your directory actually changes. 

What happens if a user edits or deletes a synced contact on their phone? 

If someone edits or deletes a synced contact on the phone, the next cycle restores the authoritative record without IT intervention.  

Can CiraSync deliver contacts to users without Exchange mailboxes? 

Yes. Users without Exchange mailboxes, including field workers, contractors, and temporary accounts, are supported. Licensing is tied to a unique Object ID embedded in the configuration URL rather than to a mailbox, which keeps provisioning auditable for every user CiraSync targets. 

Can CiraSync deliver contacts directly to mobile devices for users with active Exchange mailboxes, skipping delivery to their mailboxes? 

Yes. CiraSync can sync contacts directly to users‘ mobile devices, even for users with active Exchange mailboxes. This bypasses the traditional synchronization to the mailbox and delivers contacts directly to the mobile device. 

 

soc2comliant
GDPR
[gtranslate]