Intune managed Android Enterprise device (COPE) unable to restrict copying from work profile to personal

Simonas 0 Reputation points
2023-06-12T16:56:00.3733333+00:00

We're using Corporate-owned devices with work profile (enrolling via QR code). Unfortunately I'm unable to restrict copy-paste from work profile to personal profile. Meaning user can copy some text from any app in work profile and paste it into personal profile. I'm aware of Intune-protected apps, but not all apps we require can be Intune protected and restricting copy-paste between Intune protected apps brings additional challenges.

My understanding "clipboard" should be controlled by Configuration profile setting "Copy and paste between work and personal profiles" (link).

The challenge is that the setting can be set only to "Allow" or "Not configured". As per linked documentation if left "Not configured", Intune will leave OS defaults (no clue what they are). The same documentation points to CrossProfileCopyPaste which technically has 2 values: COPY_FROM_WORK_TO_PERSONAL_DISALLOWED (default if unspecified) and CROSS_PROFILE_COPY_PASTE_ALLOWED. Implying if not configured, copy-paste should be disallowed.

I can see this issue across multiple Samsung models in our environment. Unfortunately Knox Service Plugin (OEMconfig) doesn't appear to have a setting for this specific function (happy to be proven wrong).

The frustrating part is that another MDM does restrict copying from work to personal profile, but we're migrating everyone to Intune. I also refuse to believe that our organization has unique requirement to restrict copy-paste from work to personal profile.

I would like to know how others are addressing this issue? Especially if you're using Samsung devices. Am I missing something obvious?

Microsoft Intune Android
Microsoft Intune Android
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Android: An open-source mobile platform based on the Linux kernel, developed by Google, and maintained by the Open Handset Alliance.
266 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Crystal-MSFT 46,171 Reputation points Microsoft Vendor
    2023-06-13T02:20:19.9366667+00:00

    @Simonas, Thanks for posting in Q&A. Based on my researching, I find for corporate device, Copy and paste between work and personal profiles: have the value of Allow or Not configured.

    https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-android-for-work#corporate-owned-work-profile-devices

    For Personal device, the setting has value Block and Not configured.

    https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-android-enterprise-personal#general-settings

    Currently, the setting for COPE does not have Block value. As a workaround, you can create an app protection policy to set "Restrict cut, copy and paste between other apps" as Policy managed apps. to only allow copy paste between policy managed apps.

    https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-android

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Simonas 0 Reputation points
    2023-06-15T12:28:34.6566667+00:00

    Thanks @Crystal-MSFT

    For everyone else, if you run into this topic with the same issue, you can upvote feedback https://feedbackportal.microsoft.com/feedback/idea/dd8d290a-750b-ee11-a81c-000d3ae5b6f4

    0 comments No comments