Forum Discussion

Simon's avatar
Simon
Level 2.0: Eclair
9 months ago

Copy-paste issue (COPE)

Hello Everyone, I have a slight issue with copy-paste on Corporate owned, personal enabled devices (COPE) managed via Intune. To put it simple - people can copy text from work profile to personal. H...
Michel's avatar
Michel
Level 2.3: Gingerbread
8 months ago

That looks like the one I was looking for but it seems to be lacking some information. 

 

Couple of things that I see in this config (you might have configured it but did not copy it to your post):

  • No license key - You need a KPE license (free) at least (RCP is marked as a premium function which used to be a paid license)
  • The policy to allow files from work to personal (first one in the code) appears to be set to true, while you had it set to false in the screenshot you shared earlier. 
  • Same for clipboard data
  • The RCP function is indeed not needed here, you don't need to set it to true of false. 
  • The section above the RCP policies is not enabled ( Work profile polices (Profile Owner) -> Set Enable work profile policies to true). 

 

I tried to replicate the issue you are experiencing since I don't understand why it should not work. But with all the settings mentioned in this topic, I was still able to copy paste from work to personal. Since I had to get back to work, I moved my user account of my demo device back to its original group I use for trainings and that group seems to have a policy, or a mix of policies, that solved it. 

 

I'm not able to copy paste form work to personal, and i'm not able to move files from work to personal. But I am able to copy paste to my work profile and share files with work profile apps. 

 

I will share the config below and leave it up to you to figure out what works for you, since I really have to get back to my work ðŸ˜‚

 

Knox Service plugin. (with a free Knox platform for Enterprise license key)

 

 

And the Intune - Android Enterprise restrictions profile:

 

 

Good luck and please let me know what did the trick if you find out! 

Moombas's avatar
Moombas
Level 4.1: Jelly Bean
8 months ago

Reg. license key: he did copy this:

 

"kpePremiumLicenseKey": {
"mData": null,
"mMessage": "Successfully activated license key ending with ...PNJZ",
"mPolicyStatus": true,
"mReportStatus": 1

 

Which means a license key is there.

  • Michel's avatar
    Michel
    Level 2.3: Gingerbread
    8 months ago

    You are correct, missed that one! Thanks for checking. 

    • Simon's avatar
      Simon
      Level 2.0: Eclair
      8 months ago

      Please don't apologise that you need to get back to work, I appreciate your time and effort and have no expectations you have a solution. The purpose of posting here is to get ideas/ suggestions, which hopefully would lead to a solution.

      Re report (export), I don't know how things should be represented, but Intune still shows values as per my screenshot. At this point I can't compare it against anything else as I don't have a "working" solution.

      Re "Set Enable work profile policies" it's probably not represented in the log as without it other policies are not processed and I get some errors in KSP.

      Thanks for the screenshots. What I find interesting, that you profile doesn't appear to have "Allow moving files from work profile to personal space" configured.

      Either way I fully replicated the settings you shared (OEMConfig + restriction profile) and can still copy-paste text from work to personal profile ðŸ˜–

      The only 3 theories I have at the moment:

      • Microsoft updated Intune "templates" and newly created policies behave differently from the older ones, this would explain why you couldn't restrict data leak with the new profile, but I understand it's at a conspiracy level theory
      • The tenant configuration is different - over a year ago we had an issue where available apps were missing in the store and the fix applied by Microsoft was to migrate our tenant to the new Android API (whatever that means)
      • There's a setting outside the areas I'm looking into

      The dream continues

      • Michel's avatar
        Michel
        Level 2.3: Gingerbread
        8 months ago
        Simon wrote:

         

        Thanks for the screenshots. What I find interesting, that you profile doesn't appear to have "Allow moving files from work profile to personal space" configured.

         

        Thats what i found very strange as well, but it did the trick on multiple devices. And there are no other policies assigned to those devices. 

         

        Are you sure there is no conflict somewhere with another policy? And getting back to basics: Are you sure you are not enrolling as BYOD / personal device? (Its probably correct but still, might worth to check again). 

         

        I like your theories, I know that some MDM solutions required migrating to new policies after a big change in Android about two years ago (can't remember the exact reason). This had to do with some backend settings that they didn't want to mess with so they kept the original and asked you to migrate to new profiles which had the same settings but where different in the backend of the MDM solution. So that might very well be the case. Did you try this all with fresh / new policies or did you edit an existing one? 

         

        In Intune there are a lot of areas to cover, but for Android it shouldn't be that difficult: 

        • Your configuration policies
        • Your Samsung Knox Service plugin OEM config
        • Your app configurations
        • Enrollment profiles and restrictions. 

         

        Just out of my head, these are the ones you need. What did MS support suggested regarding this? 

Recent Discussions