It’s 2:17 PM on a Tuesday when your field technician John pulls over to the curb, work order open on his managed iPhone. The job is straightforward: replace a failed compressor at a client site. But when he dials the emergency facilities number stored in his contacts, the line goes dead. Disconnected. He tries the site supervisor. Voicemail full. He tries the after-hours escalation path. Wrong number.
John is not having a connectivity problem. His device is fully enrolled and compliant under Microsoft Intune. What John has is a contact management problem, and it is one that no MDM platform was ever built to solve.
The MDM Promise and the Contact Gap
IT teams invest in Mobile Device Management platforms like Microsoft Intune, Jamf Pro, and VMware Workspace ONE expecting comprehensive control. These tools excel at policy enforcement, app deployment, conditional access, and remote wipe. They are the backbone of modern enterprise mobility.
But there is a category of data MDM was never designed to curate: live, accurate, role-based corporate contact directories.
Consider what Intune’s device configuration profiles actually cover: Exchange ActiveSync settings, Wi-Fi and VPN payloads, certificates, app protection policies. What you will not find is a native corporate directory sync payload that pushes contacts into the device’s address book. Intune can govern the device itself thoroughly, but it has no mechanism to deliver and maintain a curated, up-to-date contact list in the native Phone app where caller ID and emergency dialing actually happen.
The result is a specific operational gap: users can search the corporate directory inside Outlook Mobile, but those contacts do not resolve in the native dialer or Messages app. When a colleague calls from a company number, the screen shows an unknown caller. When a technician needs a vendor after hours, the stored number may be three org charts out of date.
This is the Intune contact sync problem that no policy configuration can close on its own.
Why the GAL Won’t Save You
Many administrators assume the Global Address List (GAL) will bridge this gap. If every user is in Exchange Online or Entra ID, shouldn’t those identities flow to the device?
The reality is more limited. Microsoft’s Outlook for Android does sync contacts to the native Android contacts app under certain configurations, specifically with Intune App Protection Policies and account configuration in place. On iOS, Microsoft has introduced managed Exchange ActiveSync profiles and Outlook App Configuration Policies that can, under specific conditions, push contacts to the native Contacts app. But in both cases there is a fundamental constraint: the sync is scoped to the user’s own mailbox contacts, not the full corporate directory. The GAL itself, the complete organizational address book, does not travel to the device through this pathway.
This means the approach requires Outlook as the client on every device, applies only to mailbox-owning users, and still does not deliver a true corporate directory to the native address book. For field workers and frontline staff on shared devices or without corporate Exchange mailboxes, these pathways are non-starters.
The GAL remains a directory you can search inside an email client, not an address book that travels with you.
The Cost of Stale Contacts
The business impact of this gap is rarely tracked in IT dashboards, but it surfaces everywhere operations touch mobile devices:
- Delayed response times when alarms reach the wrong on-call engineer
- Manual dispatching because systems rely on outdated phone trees
- Compliance exposure when terminated employees remain in emergency contact lists
- Lost revenue when sales teams cannot identify incoming client calls
Traditional workarounds compound the problem rather than solve it. PowerShell scripts that write GAL entries into each user’s mailbox require ongoing maintenance, break when APIs change, and create edit conflicts when users modify local copies. CSV imports are snapshots that begin decaying the moment they are distributed.
CardDAV: The Protocol Layer MDM Left Behind
The solution is not a replacement for your MDM platform. It is a complementary protocol layer that MDM can deploy but does not natively provide. That layer is CardDAV.
CardDAV is an open standard (RFC 6352) built on WebDAV and vCard that creates a persistent sync relationship between a server-side address book and the native contacts store on iOS and Android devices. Unlike a one-time import, CardDAV maintains an ongoing connection. When a contact changes on the server, the update propagates to every enrolled device on the next sync cycle.
CardDAV offers several advantages that align cleanly with managed device workflows:
- Native Integration: iOS supports CardDAV accounts natively through configuration profiles. Android integrates via managed sync connectors. Contacts appear in the default Contacts app, enabling caller ID and system-wide address resolution.
- MDM Deployable: CardDAV account configurations can be packaged and pushed at scale. Jamf Pro and VMware Workspace ONE expose CardDAV as a native configuration payload type. Microsoft Intune requires a custom configuration profile approach for iOS CardDAV delivery, but the result is the same: silent, zero-touch setup with no help desk tickets.
- One-Way Sync Control: Enterprise CardDAV platforms can be configured to enforce one-way sync from server to device, preserving the corporate directory as the single source of truth. This behavior is a feature of the server-side platform, not a native property of the CardDAV protocol itself, so it depends on the solution you deploy.
- Role-Based Segmentation: Modern CardDAV platforms allow IT to define filtered address books. Emergency contacts for field teams. Client rosters for sales. Vendor lists for procurement. No need to expose the entire GAL to every device.
- No Mailbox Dependency: CardDAV profiles can be deployed to devices independent of Exchange ActiveSync or Outlook Mobile licensing. This is critical for shared devices and frontline fleets without corporate email accounts.
Enterprise IT teams also tend to prefer managed CardDAV architectures because they reduce reliance on third-party contact applications and fragmented sync workflows.
In many deployments, contacts remain centrally controlled through existing MDM governance, allowing organizations to maintain tighter oversight over directory accuracy, provisioning, and lifecycle management.
This becomes especially important in regulated environments where security teams want to minimize unnecessary permission scopes, reduce token exposure, and avoid disconnected copies of corporate contact data living across unmanaged applications.
Platforms such as CiraSync help operationalize this model by centrally managing and distributing role-based contact directories across enterprise mobile fleets.
Closing the Loop
Implementing CardDAV does not require ripping out your existing MDM investment. The most effective deployments treat CardDAV as a managed payload delivered by the same Intune, Jamf, or Workspace ONE console already governing the device.
A centralized contact management platform maintains the authoritative address book. IT exports the CardDAV configuration and uploads it as a device configuration payload in the MDM console. The MDM pushes the profile to the target device group silently. Within minutes, the native Contacts app populates with the curated directory, and subsequent changes flow automatically without any user action.
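As an added example that is not code from this page, CiraSync, Apple or Microsoft, the following Python builds the kind of iOS configuration profile the custom-profile path above relies on, a com.apple.carddav.account payload wrapped in a .mobileconfig, and lints any exported profile before it is uploaded to the MDM, refusing plaintext transport and embedded shared passwords. The hostname, principal path, identifiers and username are constructed placeholders.

```python
import plistlib
import uuid

# Constructed placeholder values; replace with your own CardDAV server details.
SERVER = "contacts.example.com"
PRINCIPAL = "/carddav/principals/field-ops/"

def carddav_payload(description, host, principal_url, username, port=443, use_ssl=True):
    """Return one com.apple.carddav.account payload (Apple's CardDAV profile payload type).

    CardDAVPassword is deliberately omitted: the device prompts the user once, so the
    fleet-wide profile never carries a shared directory credential.
    """
    if not use_ssl:
        raise ValueError("CardDAVUseSSL must be true: the account credential travels with every request")
    return {
        "PayloadType": "com.apple.carddav.account",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.carddav.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": description,
        "CardDAVAccountDescription": description,
        "CardDAVHostName": host,
        "CardDAVPort": port,
        "CardDAVUseSSL": True,
        "CardDAVPrincipalURL": principal_url,
        "CardDAVUsername": username,
    }

def build_profile(payloads, org="Example Corp"):
    """Wrap payloads in the top-level profile dictionary that a .mobileconfig contains."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.carddav.field-ops",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Field Ops Contacts (CardDAV)",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,  # user cannot remove the directory from Settings
        "PayloadContent": payloads,
    }

def to_mobileconfig(profile) -> bytes:
    """Serialize the profile as the XML plist that Intune's custom iOS profile upload expects."""
    return plistlib.dumps(profile)

def lint_mobileconfig(data: bytes):
    """Check a .mobileconfig (our own or a vendor export) before pushing it to a device group."""
    findings = []
    for p in plistlib.loads(data).get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.carddav.account":
            continue
        name = p.get("PayloadDisplayName", "?")
        if not p.get("CardDAVUseSSL"):
            findings.append(f"{name}: TLS disabled")
        if "CardDAVPassword" in p:
            findings.append(f"{name}: embedded password")
    return findings
```

Running lint_mobileconfig over an exported profile returns an empty list when it is safe to upload, and one finding per weak CardDAV payload otherwise.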
For Microsoft 365 organizations, this fills the exact void that Intune leaves open at the directory layer. You retain the device control of an MDM and gain the data currency of a live directory sync, without forcing every user into a single email client or exposing the full organizational GAL to every managed device.
Conclusion
MDM platforms were built to secure and govern the device. That is genuinely important work. But securing a device and ensuring it carries accurate, current contact data are two different problems, and only one of them ships with your MDM license.
CardDAV is the missing layer. It transforms your MDM deployment from a security gate into a complete mobility platform, one where every managed device carries an accurate, role-appropriate, centrally controlled directory in its native address book. For IT teams managing mobile workforces, that is the difference between a connected workforce and a field technician stranded with a disconnected number.