Solved: Citrix Mobile Productivity Apps, Business Contacts and Compliance with EU GDPR

by Thorsten Rood, CTP

I’ve never been an office worker…

My mobile life spans almost my whole career, so over the course of time I have actually used communication tools and toys of almost any flavor, vendor and technical generation. In the earlier days, the technical challenges of making the mobile workforce use case happen were so overwhelmingly complex that nobody asked about the legal perspective (at least it was left unspoken and unregulated most of the time). Nowadays, the game has changed. Simplicity and ubiquity of email everywhere is a given. With more and more devices/form factors and more and more flexibility granted to our employees, we learned it is a good idea to keep an eye on your belongings from a corporate perspective and not treat each device as a monolithic all-in unit, but rather as a kind of component puzzle. Just saying, COPE (Corporate Owned, Personally Enabled), BYOD (Bring Your Own Device), …

We might need more apps, specialized for business?!

(Hint: this primarily is an Apple iOS story. Maybe I will discuss the “other guy” later, but for now let me focus on what has changed in the app ecosystem with the latest Citrix Mobile Productivity Apps release.)

Business or personal device usage?

The idea of sandboxing business data into separate containers (apps) was born in the early 2010s. Citrix jumped on the train around 2012 (at least I was at Citrix Synergy 2013 presenting a CTP breakout session about Me@Work and other mobile mail needs) using the MDX technology. Once you started using the new paradigm, having your personal apps/data side-by-side with business items on the same managed or even unmanaged device, you learned the obvious discrepancy the hard way: with 99% probability you are using a mail-enabled smartphone, and CallerID is lost for all your business contacts if you really adopt the story. Your personal contacts reside in the native address book (maybe also synced to iCloud) and the business ones now live in a dedicated application space. As a consequence, CallerID, the mechanism of dynamically translating incoming phone numbers into friendly display names, has access to only one half of your communication universe. This is not a matter of Citrix getting the code right; it malfunctions because the device does not allow address book repositories other than the built-in one (the native ActiveSync mail client is the exception to the rule). Along with the introduction of personal vs. business apps and the shutdown of public native ActiveSync capabilities in the infrastructure, our security departments deployed a reasonable methodology to protect corporate data, but it fully ignored user acceptance needs.

I don’t want to work this way. I simply ignore most daily calls that show no real-world contact name (welcome to my voice mail, please have some patience). I’ve tried running around without “business CallerID” in the real world, including car connectivity, and I can assure you this has been way outside of my comfort zone. It’s even dangerous.

Crossover!

Citrix set out to solve the problem by adding export capabilities and, later, dynamic sync: an export function duplicated the business contacts into the native address book. The first version copied all existing contact attributes, which felt wrong: on the one side you had an isolated business container, but at the same time you copied data one-way into the unmanaged world? Soon, a policy allowed you to limit the export to just the core information such as name and number, essentially enough to allow the full CallerID experience. The majority of customers decided this trade-off was fair enough. Did this solution leave behind a bad taste? Yes, it did, but nobody cared, likely because of the lack of alternative configuration options. Going back to native mail? That has downsides too.

This is the old way of doing CallerID in Endpoint Management (XenMobile) app settings:

I admit, I told my customers in a similar way that the minimized export functionality in SecureMail represented an acceptable workaround for a recurring, important user demand.

In compliance with EU GDPR?

The world moved on, and so did legal. The “European Union General Data Protection Regulation (GDPR)” established new standards that affect both EU and non-EU companies. In a nutshell: when you’re dealing with personally identifiable information (PII), special regulations come into play if this person is an EU citizen. Storing a name and its associated number in a digital address book is without doubt PII. The GDPR describes what you may now do with this data and defines expensive fines if data is abused, regardless of your own legal jurisdiction (including the US). One natural concept and requirement is making sure that PII is not spread around outside your own controls.

Does the GDPR imply that a lightweight address book export is forbidden? Nope, it doesn’t. But if the same device now runs WhatsApp or any other application that has been granted access to your address book, it might create an individual problem per app. WhatsApp actually is a problem. I don’t want to be a lawyer nor a wise guy, so in short: from a practical perspective, it has become impossible to have business contacts inside the local address book. Or, you could uninstall and prohibit WhatsApp usage per se (and other apps), but such a lockdown is hard to implement and you’ll likely fail the attempt.

I don’t want to work this way. Why should I refrain from using my social apps? Why should I disable my business contact export functionality? Why can’t I have them both? I actually cannot, because it creates a huge risk for my company. Try explaining this to your user base. If you have read the industry buzz, you’ve probably seen a bunch of examples where corporate management officially stopped some critical app usage on their employees’ mobile assets, and it all happened around the magic date of May 25 this year, when the GDPR’s last stage became effective: the fines. This is where the fun ended overnight.

Hey Citrix:

  • I use WhatsApp.
  • I need corporate email.
  • I like SecureMail (I forgot to mention, it has become a very mature mail client that far exceeds what the built-in one can do – yes, I like the product).
  • I need CallerID.
  • I need all this on a single device, which probably is fully unmanaged BYOD.

Help me. Please. NOW. I’m personally negatively affected, and the same applies to many customers I talk to in regard to their mobile strategies and policies.

(Hint: In a fully managed environment, there is functionality to deploy contact zoning, but it requires a much more complex technology and security stack than what you might have in mind if the solution is to be fundamentally secure and not fail the GDPR in other aspects. Just saying, CBA ActiveSync Managed Contacts…)

Pretty much good friends!

We need a best-of-all-worlds approach. Ideally, it’s not too hard to implement the solution.

Citrix has listened. SecureMail with CallKit support has arrived. Thanks to the crew for making this happen.

So what is CallKit? Starting with iOS 10, apps may announce themselves to the operating system as a CallerID provider, allowing the phone to have “secondary address books” other than the built-in one. Coming back to the initial example with business contacts not exported to the native address book, the SecureMail application now becomes the CallKit provider once you enable the functionality. With practically no configuration effort, you get back the full user experience that may have been missing since spring 2018. It’s shipping through the public App Store now, so watch out for SecureMail version 10.8.65 or later and update.
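To make concrete what “announcing yourself as a CallerID provider” means on iOS, here is an added illustration written for this post; it is not SecureMail’s or Citrix’s code. It is a minimal Call Directory Extension in Swift, the mechanism CallKit offers for number-to-name identification. The class name and the sample numbers are hypothetical, constructed for the example; a real app would feed the table from its own protected contact store.

```swift
import Foundation
import CallKit

// Hypothetical Call Directory Extension (example code, not Citrix's).
// iOS loads the extension and asks it for number-to-label mappings; the
// Phone app then shows the label for a matching incoming call. The data
// stays inside the app's own sandbox: nothing is written to the native
// address book, so other apps holding Contacts permission never see it.
final class BusinessContactDirectoryHandler: CXCallDirectoryProvider {

    // Constructed sample data. CallKit expects E.164 numbers as Int64,
    // i.e. country code followed by the number, without the leading "+".
    private let sampleContacts: [(number: CXCallDirectoryPhoneNumber, label: String)] = [
        (4920100000001, "Example GmbH - Reception"),
        (4920100000002, "Example GmbH - Service Desk"),
        (4420100000003, "Example Ltd - Sales"),
    ]

    override func beginRequest(with context: CXCallDirectoryExtensionContext) {
        context.delegate = self

        // An incremental request lets us drop stale entries first, so a
        // contact deleted in the container disappears from CallerID as well.
        // A full (non-incremental) request rebuilds the whole table anyway.
        if context.isIncremental {
            context.removeAllIdentificationEntries()
        }

        // CallKit requires identification entries in ascending numeric order
        // and rejects duplicates, so sort before adding.
        for entry in sampleContacts.sorted(by: { $0.number < $1.number }) {
            context.addIdentificationEntry(withNextSequentialPhoneNumber: entry.number,
                                           label: entry.label)
        }

        context.completeRequest()
    }
}

extension BusinessContactDirectoryHandler: CXCallDirectoryExtensionContextDelegate {
    // Called when iOS rejects the data set (for example, entries out of order).
    func requestFailed(for extensionContext: CXCallDirectoryExtensionContext,
                       withError error: Error) {
        // Log only the error, never the phone numbers, so PII stays out of logs.
        NSLog("Call directory update failed: %@", error.localizedDescription)
    }
}
```

Two points worth noting for the compliance discussion: the extension cannot read the user’s native contacts and the native Phone app cannot enumerate the extension’s table, it can only ask “what is the label for this number?”, which is exactly the per-app, per-number translation described later in this post. The containing app asks iOS to refresh the table through CXCallDirectoryManager.sharedInstance.reloadExtension(withIdentifier:completionHandler:), and the user still has to switch the extension on under Settings > Phone > Call Blocking & Identification, which matches the “enable the functionality inside your phone settings” step in the Configuration section.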

CallKit is supported in the native display experience when interacting directly with the smartphone (local call interface) and also works great in Apple CarPlay. This makes a huge usability difference and closes an important functionality gap. A great feature addition to Secure Mail and Citrix Mobile Productivity Apps. If you haven’t used SecureMail yet, I recommend you try it out with this new feature set.

This is how it looks in the real world:

Local device mode – incoming call

Local device mode – call history

CarPlay – incoming call

CarPlay – call history

Configuration

Of course, you now need to prohibit contact export in the SecureMail settings in case it is still allowed in your organization. Cleaning the devices (and potentially iCloud, because of contact sync) is likely a nightmare, but please don’t forget about this important housekeeping step.

Make sure to swap the .MDX definition for a new one from the downloads page and explicitly enable the feature; otherwise the app will not offer this mode.

This is how the new setting looks in Endpoint Management (XenMobile) app settings:

Then enable the functionality inside your phone settings:

Competition?

To be sure, using the CallKit API is not the only way to achieve full GDPR compliance. One of the alternative magic keywords is “managed contacts.” Some other mobility vendors rely heavily on this method. But this implies two more aspects: you still need to lock down public ActiveSync availability to stop your users from bypassing your policies (app VPN tunneling, strong authentication requirements, …) and, even more important, MDM ownership is required at the device level. This makes some BYOD scenarios inflexible or useless.

CallKit, by contrast, is a lightweight implementation with only minimal dependencies, and I would also say it’s the least costly approach. It even works perfectly without enforcing MDM device ownership at all. Not only has Citrix adopted CallKit, but their overall solution package feels much more feature complete, for example the built-in ActiveSync tunneling through Gateway security. Others just provide apps and leave the rest to you.

Keep in mind: not every problem is a nail, so don’t use a hammer without first verifying what the users’ needs are. From a KISS perspective (keep it stupid simple), I’m optimistic that the CallKit feature will become an important option in your mobility toolbox. It is well suited to mass adoption with minimal effort while maintaining compliance. And for those demands where CallKit does not fit perfectly, you still have the option of deploying managed contacts mode as an either/or solution depending on the audience, with the same product offering. This is what “choice” is about. Citrix is probably now the largest vendor offering an enterprise-grade sandboxing technology whose own apps take care of legal compliance needs in different technology flavors side by side.

One more thing…

Open words: with any light, there is always shadow. CallKit does not emulate an address book per se; it’s a dynamic translation provider that acts per app and per number. The most obvious limitation concerns Bluetooth hands-free car entertainment systems, which cannot provide full CarPlay functionality (non-premium setups), along with voice dialing. That’s not a programming flaw. That is the way Apple wants iOS to behave (maybe they’ll change their mind one day). But it is not a showstopper: remember what I wrote about “choice” before? 😉

If you’re interested in more details and a deep dive, I’d like to invite you to attend my November speaking engagements, either at Citrix Technology Exchange (Bonn/Germany) or E2EVC (Athens/Greece), or to wait for an upcoming CUGC webinar or another community event (schedule is t.b.d.).

Enjoy SecureMail!

Credits to the Citrix Endpoint Management team! It has been an interesting journey giving birth to this important feature, and in particular, thank you Sankar for discussing the market needs and applying the code changes.
