Copy-paste issue (COPE)

Simon
Level 1.6: Donut

Hello Everyone,

I have a slight issue with copy-paste on corporate-owned, personally enabled (COPE) devices managed via Intune. To put it simply: people can copy text from the work profile to the personal one. Happy to be pointed to the basics if I missed something obvious, but I feel stuck.

Intune configuration for COPE devices has 2 values: "allow" or "not configured" (not helpful). I had support cases open with Microsoft and Samsung, but the former blames OS defaults, while the latter blames Intune (not helpful).

I couldn't identify the setting in OEMConfig (Knox Service Plugin), so I got a Google Enterprise account, configured it for Zero Touch enrolment using an Intune token and realised that I was looking at the "crossProfileCopyPaste" control, and I don't have a clue how to use it in DPC extras or if that's even possible.

Is it possible to use AMAPI with Intune management? If yes, does anyone have any examples? What are other ways to restrict copy-paste from work profile to personal? I find it difficult to believe I'm the only one having the issue.

Thank you in advance

12 REPLIES

Moombas
Level 4.0: Ice Cream Sandwich

In our MDM there is an option to turn off the possibility to copy/paste from the work profile to the user profile.

Same for sharing from the work profile to the personal profile.
I never tested that, but I'm pretty sure someone would have raised an issue about it in the community of our MDM already if that were the case, and I haven't seen anything like this in the last years.

Moombas_0-1720419330065.png

So, I think it's not an Android issue but more likely again an Intune issue (I'm so happy we didn't switch to it in the past when I read all the issues here about it + our testing experience).

But it would be good if someone with experience with using this functionality could shortly verify here that it's working on their end (from any MDM).

Michel
Level 2.0: Eclair

Did you try the option "Data sharing between work and personal profiles" in Intune? You can find it in the restrictions profiles under general settings.

 

Michel_0-1720422861820.png

 

I have no test devices in Intune at the moment, but I believe this should do the trick. 

 

In KSP you have an option to allow clipboard sharing between the work container and the personal profile, but this is disabled by default:

 

Michel_1-1720422994902.png

 

Moombas
Level 4.0: Ice Cream Sandwich

Just to add here, I see more options available in KSP as well:

Moombas_0-1720425209028.png

 

Simon
Level 1.6: Donut

Settings related to files is what Samsung guys initially suggested, but it has no effect on copy-paste of text according to my testing.

Re your earlier comment, Intune is not perfect, but I find working with Intune protected apps (Intune App SDK) refreshing.

Moombas
Level 4.0: Ice Cream Sandwich

In my opinion the lowest option ("Enable sharing of Clipboard Data to Owner") should be the one to look into.

Everyone is fine to choose his/her preferred MDM 😉 And to be honest, I don't have experience with Intune protected apps as it looks like something I don't use, but as long as I can use managed app config and also Microsoft 365 integration in our MDM I stay with that 😛

Simon
Level 1.6: Donut

Thanks for your response. That Intune setting is for file access only. It restricts accessing files from personal profile, which in my world is part of the job. Re text copy-paste Intune has another:

Simon_0-1720424910470.png

What's worse, is that if policy is created for BYOD and not COPE, the settings are "Block" and "Not configured".

 

I did set the KSP setting you mentioned to "false", but it had no effect in my scenario. The documentation I found implies it's to do with clipboard sharing between the devices. Not bothered about that currently 😊

 

I strongly believe I need to find a way to control the CrossProfileCopyPaste setting:

https://developers.google.com/android/management/reference/rest/v1/enterprises.policies#crossprofile...

Michel
Level 2.0: Eclair

Ah okay, I understand!

 

Just to be sure: You want to block copy and paste from work to personal, but keep the option to transfer files from work to personal?

 

 

Simon
Level 1.6: Donut

The goal is to block copy-paste from work to personal profile (text and files), but leave the option to copy-paste from personal to work profile (text and files). In a nutshell, data transfer is possible only one way.
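
Added example, not part of the thread: a small checker that tests an Android Management API policy document against the one-way goal stated above, using the `crossProfilePolicies` fields from the AMAPI reference Simon linked. The function name `audit_one_way` and both sample policies are constructed for illustration; the thread does not establish whether Intune can deliver these fields, so the code only evaluates a policy document.

```python
import json

# Values from the AMAPI CrossProfilePolicies reference linked in the thread.
GOAL = {
    "crossProfileCopyPaste": "COPY_FROM_WORK_TO_PERSONAL_DISALLOWED",
    "crossProfileDataSharing": "DATA_SHARING_FROM_WORK_TO_PERSONAL_DISALLOWED",
}
# Values that open the work -> personal direction.
LEAKY = {"CROSS_PROFILE_COPY_PASTE_ALLOWED", "CROSS_PROFILE_DATA_SHARING_ALLOWED"}
# Values that also block personal -> work, which the goal wants to keep open.
TOO_STRICT = {"CROSS_PROFILE_DATA_SHARING_DISALLOWED"}


def audit_one_way(policy_json: str) -> list[str]:
    """Return findings for a policy that should block work -> personal only."""
    cross = json.loads(policy_json).get("crossProfilePolicies", {})
    findings = []
    for field, wanted in GOAL.items():
        value = cross.get(field)
        if value == wanted:
            continue
        if value is None or value.endswith("_UNSPECIFIED"):
            # Flag implicit settings so the policy states its intent explicitly.
            findings.append(f"{field}: not set explicitly, relies on the default")
        elif value in LEAKY:
            findings.append(f"{field}: {value} lets work data reach personal apps")
        elif value in TOO_STRICT:
            findings.append(f"{field}: {value} also blocks personal -> work")
        else:
            findings.append(f"{field}: unrecognised value {value!r}")
    return findings


# Constructed sample policies (not exported from any real tenant).
ONE_WAY = json.dumps({"crossProfilePolicies": GOAL})
OPEN = json.dumps({"crossProfilePolicies": {
    "crossProfileCopyPaste": "CROSS_PROFILE_COPY_PASTE_ALLOWED",
    "crossProfileDataSharing": "CROSS_PROFILE_DATA_SHARING_DISALLOWED",
}})

if __name__ == "__main__":
    for name, doc in (("one-way", ONE_WAY), ("open", OPEN)):
        print(name, audit_one_way(doc) or "meets the goal")
```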

Michel
Level 2.0: Eclair

I just tested the policies mentioned by @Moombas, and it seems to do exactly what you want. When set up as shown in the picture below, I'm unable to copy and paste text or files from work to personal while still being able to copy from personal to work.

 

Michel_0-1720445481780.png

 

This can be configured within the KSP plugin. The screenshot is from Knox Manage, but it shows the KSP part, which works the same for both.

  1. Set Enable work profile policies to true
  2. Find RCP policy (premium function, you need the free KPE licenses from your Knox tenant)
  3. Set as shown in the above picture.

Simon
Level 1.6: Donut

Thanks for testing. I would say I have the same config:

Simon_1-1720448369678.png

KSP has no errors on the phone, displays new profile name and all the settings, but I still can launch Chrome in work profile, copy text and paste into any app in the personal profile.

Michel
Level 2.0: Eclair

Did you enter a KPE license? You need to generate one and then add it to KSP. Knox Platform for Enterprise licenses | Knox Platform for Enterprise | Samsung Knox Documentation

 

And, not sure, you might need to enable "Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted)" as well. I've had some strange issues before when I had this part not enabled. 

 

I've been told that it activates some aspects that are also needed by the work profile policies (someone didn't think this one through I think 😅)

Simon
Level 1.6: Donut

The license is there (deleted it in the screenshot). KSP on the device displays the message "Successfully activated license key ending with..." So I ruled license issues out.


Added additional setting as per your message:

Simon_0-1720451657879.png

Still the same experience - can copy text from work profile apps.

Would be funny if it wasn't sad 😑