This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 45%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
We're using Corporate-owned devices with work profile (enrolling via QR code). Unfortunately I'm unable to restrict copy-paste from work profile to personal profile. Meaning user can copy some text from any app in work profile and paste it into personal profile. I'm aware of Intune-protected apps, but not all apps we require can be Intune protected and restricting copy-paste between Intune protected apps brings additional challenges.
My understanding "clipboard" should be controlled by Configuration profile setting "Copy and paste between work and personal profiles" (link).
The challenge is that the setting can be set only to "Allow" or "Not configured". As per linked documentation if left "Not configured", Intune will leave OS defaults (no clue what they are). The same documentation points to CrossProfileCopyPaste which technically has 2 values: COPY_FROM_WORK_TO_PERSONAL_DISALLOWED (default if unspecified) and CROSS_PROFILE_COPY_PASTE_ALLOWED. Implying if not configured, copy-paste should be disallowed.
I can see this issue across multiple Samsung models in our environment. Unfortunately Knox Service Plugin (OEMconfig) doesn't appear to have a setting for this specific function (happy to be proven wrong).
The frustrating part is that another MDM does restrict copying from work to personal profile, but we're migrating everyone to Intune. I also refuse to believe that our organization has unique requirement to restrict copy-paste from work to personal profile.
I would like to know how others are addressing this issue? Especially if you're using Samsung devices. Am I missing something obvious?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Simonas, Thanks for posting in Q&A. Based on my researching, I find for corporate device, Copy and paste between work and personal profiles: have the value of Allow or Not configured.
For Personal device, the setting has value Block and Not configured.
Currently, the setting for COPE does not have Block value. As a workaround, you can create an app protection policy to set "Restrict cut, copy and paste between other apps" as Policy managed apps. to only allow copy paste between policy managed apps.
https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-android
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you for your response. Sounds like I need to start thinking how to sell this as a feature, not a bug :)
I did look into "Restrict cut, copy, and paste between other apps" setting , but it creates an issue where users can't copy things from email (Outlook) to non-protected app, even if that app is in a work profile. A lot of online material mentions only segregation between work and personal profiles so it's really difficult to explain to end-users what and why is going on.
The fact that even if App protection policy setting "Send org data to other apps" is set to "All Apps" users still can't copy/ move files between work and personal profiles makes the settings look inconsistent.
@Simonas, Thanks for the reply. Yes, for such scenario, app protection policy is not an option. I think you need to manually set it or change the enrollment method to Personally owned with work profile.
Meanwhile, for the feature design, to change it, you can feedback in the following link to see if we can change the feature in the future:
https://feedbackportal.microsoft.com/feedback/forum/ef1d6d38-fd1b-ec11-b6e7-0022481f8472
Thanks @Crystal-MSFT
For everyone else, if you run into this topic with the same issue, you can upvote feedback https://feedbackportal.microsoft.com/feedback/idea/dd8d290a-750b-ee11-a81c-000d3ae5b6f4