Forum Discussion
Copy-paste issue (COPE)
Hello Everyone,
I have a slight issue with copy-paste on Corporate owned, personal enabled devices (COPE) managed via Intune. To put it simple - people can copy text from work profile to personal. Happy to be pointed to the basics if I missed something obvious, but I feel stuck.
Intune configuration for COPE devices has 2 values: "allow" or "not configured" (not helpful). I had support cases open with Microsoft and Samsung, but former blames OS defaults, while latter blames Intune (not helpful).
I couldn't identify the setting in OEMConfig (Knox Service Plugin), so got Google Enterprise account, configured it for Zero Touch enrolment using Intune token and realised that I was looking into "crossProfileCopyPaste" control and don't have a clue how to use it in DPC extras and if that's even possible.
Is it possible to use AMAPI with Intune management? If yes, does anyone have any examples? What are other ways to restrict copy-paste from work profile to personal? I find it difficult to believe I'm the only one having the issue.
Thank you in advance
In our MDM is an option to turn off the possibility to copy/paste from work profile to the user profile.
Same for sharing from work profile to personal profile.
But i never tested that but pretty sure someone would have raised an issue about that in the community of our MDM already if that would have been the case but haven't seen something like this the last years.So, i think it's not an Android issue but more likely again an Intune issue (I'm so happy we didn't swithc to it in the past when i read all the issue here about it + our testing exerience).
But it would be good if someone with experience with using this functionality could shortly verify here that it's working on their end (from any MDM).
Did you try the option "Data sharing between work and personal profiles" in Intune? You can find it in the restrictions profiles under general settings.
I have no test devices in Intune at the moment, but I believe this should do the trick.
In KSP you have an option to allow clipboard sharing between work container en personal profile, but this is disabled by default:
Just to add here, i see more options available in KSP as well:
Settings related to files is what Samsung guys initially suggested, but it has no effect on copy-paste of text according to my testing.
Re your earlier comment, Intune is not perfect, but I find working with Intune protected apps (Intune App SDK) refreshing.
Thanks for your response. That Intune setting is for file access only. It restricts accessing files from personal profile, which in my world is part of the job. Re text copy-paste Intune has another:
What's worse, is that if policy is created for BYOD and not COPE, the settings are "Block" and "Not configured".
I did set the KSP setting you mentioned to "false", but it had no effect in my scenario. The documentation I found implies it's to do with clipboard sharing between the devices. Not bothered about that currently ๐
I strongly believe I need to find a way how to control CrossProfileCopyPaste setting:
ah okay, i understand!
Just to be sure: You want to block copy and paste from work to personal, but keep the option to transer files from work to personal?
Hopefully we're talking about the same thing:
{
"mCategoryMap": {
"RCP_CATEGORY": {
"mKeyMap": {
"poRCPMoveFilesFromWorkProfileToPersonal": {
"mData": null,
"mMessage": "[Allow moving files from work profile to personal space in Work profile policies (Profile Owner) successfully processed.]",
"mPolicyStatus": true,
"mReportStatus": 1
},
"poRCPMoveFilesFromPersonalToWorkProfile": {
"mData": null,
"mMessage": null,
"mPolicyStatus": false,
"mReportStatus": 0
},
"poRCPShareClipboardToData": {
"mData": null,
"mMessage": "[Enable Sharing of Clipboard Data to Owner in Work profile policies (Profile Owner) successfully processed.]",
"mPolicyStatus": true,
"mReportStatus": 1
},
"poRCPDataSyncPolicy": {
"mData": null,
"mMessage": "[Enable RCP data sync policy (Configure profiles below) in Work profile policies (Profile Owner) is not supported by this device.][14001][This policy is not supported for this knox version or higher.]",
"mPolicyStatus": true,
"mReportStatus": 1
}
}
},
"CMFA_CATEGORY": {
"mKeyMap": {}
},
"KPU_CATEGORY": {
"mKeyMap": {
"profileName": {
"mData": null,
"mMessage": "Knox policies in EMEA_v1.34 successfully processed",
"mPolicyStatus": true,
"mReportStatus": 1
},
"kpePremiumLicenseKey": {
"mData": null,
"mMessage": "Successfully activated license key ending with ...PNJZ",
"mPolicyStatus": true,
"mReportStatus": 1
}
}
}
},
"mStatus": "SUCCESS",
"mTimeStamp": 1721038679013
}That looks like the one I was looking for but it seems to be lacking some information.
Couple of things that I see in this config (you might have configured it but did not copy it to your post):
- No license key - You need a KPE license (free) at least (RCP is marked as a premium function which used to be a paid license)
- The policy to allow files from work to personal (first one in the code) appears to be set to true, while you had it set to false in the screenshot you shared earlier.
- Same for clipboard data
- The RCP function is indeed not needed here, you don't need to set it to true of false.
- The section above the RCP policies is not enabled ( Work profile polices (Profile Owner) -> Set Enable work profile policies to true).
I tried to replicate the issue you are experiencing since I don't understand why it should not work. But with all the settings mentioned in this topic, I was still able to copy paste from work to personal. Since I had to get back to work, I moved my user account of my demo device back to its original group I use for trainings and that group seems to have a policy, or a mix of policies, that solved it.
I'm not able to copy paste form work to personal, and i'm not able to move files from work to personal. But I am able to copy paste to my work profile and share files with work profile apps.
I will share the config below and leave it up to you to figure out what works for you, since I really have to get back to my work ๐
Knox Service plugin. (with a free Knox platform for Enterprise license key)
And the Intune - Android Enterprise restrictions profile:
Good luck and please let me know what did the trick if you find out!
Reg. license key: he did copy this:
"kpePremiumLicenseKey": {
"mData": null,
"mMessage": "Successfully activated license key ending with ...PNJZ",
"mPolicyStatus": true,
"mReportStatus": 1Which means a license key is there.
Thanks all for your input. I'm being vague intentionally (NDA), but this is now being looked into and should be fixed.
Sharing workaround if someone else runs into this before resolution:
Create a new device restriction policy
Set copy/ paste to Allow and save
Reset copy/paste to Not configured and save.
Please note workaround doesn't work for existing policies, you need to create a new policy
Glad to stumble upon this thread and see that I'm not the only one experiencing this. Annoying because it had previously worked, and I only discovered it while migrating devices to a newer configuration profile. (Side note, it is ridiculously frustrating how Microsoft makes us create whole new profiles to get access to newer settings instead of updating existing to new templates, but I digress.)
If I understand correctly, it sounds like Microsoft is working on a fix? Any chance they gave an idea of WHEN it will be fixed that you can share?
I don't have the full picture, so please take this with the pinch of salt.
The way I was explained, it's not Microsoft fixing things this time, and it should be fixed "beginning of August".
Being sarcastic - nobody said which year, but I'm happy there's a workaround ๐
Hi there,
It sounds like you're facing a tricky situation with managing copy-paste between work and personal profiles on COPE devices. You've already done a lot of groundwork by exploring Intune settings, OEMConfig, and even delving into Google Enterprise solutions.
Regarding your question, AMAPI (Android Management API) can indeed be used to enforce stricter policies, but integrating it with Intune might not be straightforward, as Intune generally abstracts a lot of the lower-level controls that AMAPI provides.
For crossProfileCopyPaste, while it's possible to control this through DPC extras in a pure Android Enterprise setup, doing so within the confines of Intune can be challenging, especially since Intune's configuration options may not expose all the granular controls you need.
You might want to consider setting up a custom policy using Intuneโs Device Configuration Profiles, where you can explicitly block copy-paste actions via App Protection Policies. This might not directly expose crossProfileCopyPaste but could achieve a similar effect by limiting data sharing between work and personal profiles.
Additionally, you could explore Samsung Knox's advanced settings in more detail, as Knox provides more granular controls over work profiles that could complement what Intune offers. Combining Knox with Intune might give you the additional layers of security you're looking for.
I hope this helps, and feel free to reach out if you have more questions!
