Forum Discussion
Copy-paste issue (COPE)
You are correct, missed that one! Thanks for checking.
Please don't apologise that you need to get back to work, I appreciate your time and effort and have no expectations you have a solution. The purpose of posting here is to get ideas/ suggestions, which hopefully would lead to a solution.
Re report (export), I don't know how things should be represented, but Intune still shows values as per my screenshot. At this point I can't compare it against anything else as I don't have a "working" solution.
Re "Set Enable work profile policies" it's probably not represented in the log as without it other policies are not processed and I get some errors in KSP.
Thanks for the screenshots. What I find interesting, that you profile doesn't appear to have "Allow moving files from work profile to personal space" configured.
Either way I fully replicated the settings you shared (OEMConfig + restriction profile) and can still copy-paste text from work to personal profile 😖
The only 3 theories I have at the moment:
- Microsoft updated Intune "templates" and newly created policies behave differently from the older ones, this would explain why you couldn't restrict data leak with the new profile, but I understand it's at a conspiracy level theory
- The tenant configuration is different - over a year ago we had an issue where available apps were missing in the store and the fix applied by Microsoft was to migrate our tenant to the new Android API (whatever that means)
- There's a setting outside the areas I'm looking into
The dream continues
Simon wrote:Thanks for the screenshots. What I find interesting, that you profile doesn't appear to have "Allow moving files from work profile to personal space" configured.
Thats what i found very strange as well, but it did the trick on multiple devices. And there are no other policies assigned to those devices.
Are you sure there is no conflict somewhere with another policy? And getting back to basics: Are you sure you are not enrolling as BYOD / personal device? (Its probably correct but still, might worth to check again).
I like your theories, I know that some MDM solutions required migrating to new policies after a big change in Android about two years ago (can't remember the exact reason). This had to do with some backend settings that they didn't want to mess with so they kept the original and asked you to migrate to new profiles which had the same settings but where different in the backend of the MDM solution. So that might very well be the case. Did you try this all with fresh / new policies or did you edit an existing one?
In Intune there are a lot of areas to cover, but for Android it shouldn't be that difficult:
- Your configuration policies
- Your Samsung Knox Service plugin OEM config
- Your app configurations
- Enrollment profiles and restrictions.
Just out of my head, these are the ones you need. What did MS support suggested regarding this?
Re conflicts, I can't see any conflicts in Intune. Single configuration profile assigned to the device according to Intune device properties page, KSP is not in production and there's only one configuration in the tenant (testing), app configurations excluded for testing, enrolment restrictions do exist, but they're blocking old OS versions, enrolment itself does succeed. So pretty sure there are no conflicts.
Devices appear as Android Enterprise (not Android for work) in Intune, ownership is corporate. We enrol them via QR code or Android Zero touch (details uploaded to Google by reseller), so they're enrolled as expected as much as I know.
Microsoft support was... doing their thing. Explained that setting is "Not configured", so they don't control the setting and I need to speak with the phone manufacturer re "OS defaults". When I asked how I can prevent the data leak, I was told to use applications which can be protected via Application Protection Policy (Intune App SDK) and if apps I need don't support that, I need to speak with software developers so their apps are compatible with Intune Application Protection Policies. In a nutshell - it's not our problem until you prove it's our problem.
Well, thats a very helpful answer from MS. 😑
I'm running out of ideas, sorry! When I have the change is will see if I can find what is working for me. Its the most basic Intune environment there is, so it should not be that hard to see why its working for me.
If I find something or come up with another suggestion, I will let you know!
