Copy-paste issue (COPE)

Simon
Level 2.0: Eclair

Hello Everyone,

I have a slight issue with copy-paste on Corporate owned, personal enabled devices (COPE) managed via Intune. To put it simply - people can copy text from work profile to personal. Happy to be pointed to the basics if I missed something obvious, but I feel stuck.

Intune configuration for COPE devices has 2 values: "allow" or "not configured" (not helpful). I had support cases open with Microsoft and Samsung, but the former blames OS defaults, while the latter blames Intune (not helpful).

I couldn't identify the setting in OEMConfig (Knox Service Plugin), so I got a Google Enterprise account, configured it for Zero Touch enrolment using an Intune token and realised that I was looking for the "crossProfileCopyPaste" control, and I don't have a clue how to use it in DPC extras or if that's even possible.

Is it possible to use AMAPI with Intune management? If yes, does anyone have any examples? What are other ways to restrict copy-paste from work profile to personal? I find it difficult to believe I'm the only one having the issue.

Thank you in advance

29 REPLIES

Simon
Level 2.0: Eclair

Thanks all for your input. I'm being vague intentionally (NDA), but this is now being looked into and should be fixed.

Sharing a workaround in case someone else runs into this before resolution:

Create a new device restriction policy

Set copy/paste to Allow and save

Reset copy/paste to Not configured and save.

Please note the workaround doesn't work for existing policies; you need to create a new policy.

Glad to stumble upon this thread and see that I'm not the only one experiencing this. Annoying because it had previously worked, and I only discovered it while migrating devices to a newer configuration profile. (Side note, it is ridiculously frustrating how Microsoft makes us create whole new profiles to get access to newer settings instead of updating existing to new templates, but I digress.)

If I understand correctly, it sounds like Microsoft is working on a fix? Any chance they gave an idea of WHEN it will be fixed that you can share?

I don't have the full picture, so please take this with a pinch of salt.

The way it was explained to me, it's not Microsoft fixing things this time, and it should be fixed "beginning of August".

Being sarcastic - nobody said which year, but I'm happy there's a workaround 🙂

That makes me think perhaps it's more of an Android issue, so maybe with the updates for the Device Policy app or Android monthly updates, etc. Either way, it's great to hear some idea of the timing around it. Here's hoping they do mean August 2024, lol.

JacS
Level 1.5: Cupcake

Hi there,

It sounds like you're facing a tricky situation with managing copy-paste between work and personal profiles on COPE devices. You've already done a lot of groundwork by exploring Intune settings, OEMConfig, and even delving into Google Enterprise solutions.

Regarding your question, AMAPI (Android Management API) can indeed be used to enforce stricter policies, but integrating it with Intune might not be straightforward, as Intune generally abstracts a lot of the lower-level controls that AMAPI provides.

For crossProfileCopyPaste, while it's possible to control this through DPC extras in a pure Android Enterprise setup, doing so within the confines of Intune can be challenging, especially since Intune's configuration options may not expose all the granular controls you need.

You might want to consider setting up a custom policy using Intune’s Device Configuration Profiles, where you can explicitly block copy-paste actions via App Protection Policies. This might not directly expose crossProfileCopyPaste but could achieve a similar effect by limiting data sharing between work and personal profiles.

Additionally, you could explore Samsung Knox's advanced settings in more detail, as Knox provides more granular controls over work profiles that could complement what Intune offers. Combining Knox with Intune might give you the additional layers of security you're looking for.

I hope this helps, and feel free to reach out if you have more questions!
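For readers who manage devices directly through the Android Management API rather than Intune, the following added example (not from any poster in this thread, and not a way to push the setting through Intune) audits an AMAPI policy document for the `crossProfileCopyPaste` control mentioned above and its sibling `crossProfileDataSharing`. The enum names follow the AMAPI `crossProfilePolicies` reference as I understand it, so check them against the current reference; the sample policies are constructed.

```python
import json

# Values that stop work-profile data from reaching the personal profile.
# Enum names assumed from the AMAPI policy reference (crossProfilePolicies).
BLOCKING = {
    "crossProfileCopyPaste": {"COPY_FROM_WORK_TO_PERSONAL_DISALLOWED"},
    "crossProfileDataSharing": {
        "CROSS_PROFILE_DATA_SHARING_DISALLOWED",
        "DATA_SHARING_FROM_WORK_TO_PERSONAL_DISALLOWED",
    },
}


def audit_cross_profile(policy: dict) -> dict:
    """Classify each control as 'blocked', 'allowed' or 'implicit'.

    'implicit' means the field is absent or *_UNSPECIFIED, so the outcome
    depends on a platform default instead of an explicit setting. It is
    reported separately so the control can be set explicitly.
    """
    cpp = policy.get("crossProfilePolicies") or {}
    result = {}
    for field, blocking in BLOCKING.items():
        value = cpp.get(field)
        if not isinstance(value, str) or value.endswith("_UNSPECIFIED"):
            result[field] = "implicit"
        elif value in blocking:
            result[field] = "blocked"
        else:
            result[field] = "allowed"
    return result


# Constructed sample policies (not taken from any real tenant).
EXPLICIT_BLOCK = json.loads("""{
  "crossProfilePolicies": {
    "crossProfileCopyPaste": "COPY_FROM_WORK_TO_PERSONAL_DISALLOWED",
    "crossProfileDataSharing": "DATA_SHARING_FROM_WORK_TO_PERSONAL_DISALLOWED"
  }
}""")
LEAKY = {"crossProfilePolicies": {"crossProfileCopyPaste": "CROSS_PROFILE_COPY_PASTE_ALLOWED"}}

if __name__ == "__main__":
    for name, pol in (("explicit", EXPLICIT_BLOCK), ("leaky", LEAKY), ("empty", {})):
        print(name, audit_cross_profile(pol))
```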