Forum Discussion

Simon's avatar
Simon
Level 2.0: Eclair
9 months ago

Copy-paste issue (COPE)

Hello Everyone, I have a slight issue with copy-paste on Corporate owned, personal enabled devices (COPE) managed via Intune. To put it simple - people can copy text from work profile to personal. H...
Michel's avatar
Michel
Level 2.3: Gingerbread
8 months ago
Simon wrote:

 

Thanks for the screenshots. What I find interesting, that you profile doesn't appear to have "Allow moving files from work profile to personal space" configured.

 

Thats what i found very strange as well, but it did the trick on multiple devices. And there are no other policies assigned to those devices. 

 

Are you sure there is no conflict somewhere with another policy? And getting back to basics: Are you sure you are not enrolling as BYOD / personal device? (Its probably correct but still, might worth to check again). 

 

I like your theories, I know that some MDM solutions required migrating to new policies after a big change in Android about two years ago (can't remember the exact reason). This had to do with some backend settings that they didn't want to mess with so they kept the original and asked you to migrate to new profiles which had the same settings but where different in the backend of the MDM solution. So that might very well be the case. Did you try this all with fresh / new policies or did you edit an existing one? 

 

In Intune there are a lot of areas to cover, but for Android it shouldn't be that difficult: 

  • Your configuration policies
  • Your Samsung Knox Service plugin OEM config
  • Your app configurations
  • Enrollment profiles and restrictions. 

 

Just out of my head, these are the ones you need. What did MS support suggested regarding this? 

Simon's avatar
Simon
Level 2.0: Eclair
8 months ago

Re conflicts, I can't see any conflicts in Intune. Single configuration profile assigned to the device according to Intune device properties page, KSP is not in production and there's only one configuration in the tenant (testing), app configurations excluded for testing, enrolment restrictions do exist, but they're blocking old OS versions, enrolment itself does succeed. So pretty sure there are no conflicts.

Devices appear as Android Enterprise (not Android for work) in Intune, ownership is corporate. We enrol them via QR code or Android Zero touch (details uploaded to Google by reseller), so they're enrolled as expected as much as I know.

Microsoft support was... doing their thing. Explained that setting is "Not configured", so they don't control the setting and I need to speak with the phone manufacturer re "OS defaults". When I asked how I can prevent the data leak, I was told to use applications which can be protected via Application Protection Policy (Intune App SDK) and if apps I need don't support that, I need to speak with software developers so their apps are compatible with Intune Application Protection Policies. In a nutshell - it's not our problem until you prove it's our problem.

  • Michel's avatar
    Michel
    Level 2.3: Gingerbread
    8 months ago

    Well, thats a very helpful answer from MS. ðŸ˜‘

     

    I'm running out of ideas, sorry! When I have the change is will see if I can find what is working for me. Its the most basic Intune environment there is, so it should not be that hard to see why its working for me. 

     

    If I find something or come up with another suggestion, I will let you know! 

Recent Discussions