Copy-paste issue (COPE)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-05-2024 03:04 PM
Hello Everyone,
I have a slight issue with copy-paste on Corporate owned, personal enabled devices (COPE) managed via Intune. To put it simple - people can copy text from work profile to personal. Happy to be pointed to the basics if I missed something obvious, but I feel stuck.
Intune configuration for COPE devices has 2 values: "allow" or "not configured" (not helpful). I had support cases open with Microsoft and Samsung, but former blames OS defaults, while latter blames Intune (not helpful).
I couldn't identify the setting in OEMConfig (Knox Service Plugin), so got Google Enterprise account, configured it for Zero Touch enrolment using Intune token and realised that I was looking into "crossProfileCopyPaste" control and don't have a clue how to use it in DPC extras and if that's even possible.
Is it possible to use AMAPI with Intune management? If yes, does anyone have any examples? What are other ways to restrict copy-paste from work profile to personal? I find it difficult to believe I'm the only one having the issue.
Thank you in advance
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-07-2024 11:13 PM - edited 07-07-2024 11:17 PM
In our MDM is an option to turn off the possibility to copy/paste from work profile to the user profile.
Same for sharing from work profile to personal profile.
But i never tested that but pretty sure someone would have raised an issue about that in the community of our MDM already if that would have been the case but haven't seen something like this the last years.
So, i think it's not an Android issue but more likely again an Intune issue (I'm so happy we didn't swithc to it in the past when i read all the issue here about it + our testing exerience).
But it would be good if someone with experience with using this functionality could shortly verify here that it's working on their end (from any MDM).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-08-2024 12:16 AM
Did you try the option "Data sharing between work and personal profiles" in Intune? You can find it in the restrictions profiles under general settings.
I have no test devices in Intune at the moment, but I believe this should do the trick.
In KSP you have an option to allow clipboard sharing between work container en personal profile, but this is disabled by default:
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-08-2024 12:54 AM
Just to add here, i see more options available in KSP as well:
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-08-2024 01:16 AM
Settings related to files is what Samsung guys initially suggested, but it has no effect on copy-paste of text according to my testing.
Re your earlier comment, Intune is not perfect, but I find working with Intune protected apps (Intune App SDK) refreshing.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-08-2024 01:25 AM
In my opinion the lowest option ("Enable sharing of Clipboard Data to Owner") should be the one to look into.
Everyone is fine to choose his/her prefered MDM 😉 And to be honest, i don'T have experience with Intune protected apps as it looks like something i don't use but as long as i can use managed app config and also Microsoft 365 integration in our MDM i stay with that 😛
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-08-2024 12:57 AM
Thanks for your response. That Intune setting is for file access only. It restricts accessing files from personal profile, which in my world is part of the job. Re text copy-paste Intune has another:
What's worse, is that if policy is created for BYOD and not COPE, the settings are "Block" and "Not configured".
I did set the KSP setting you mentioned to "false", but it had no effect in my scenario. The documentation I found implies it's to do with clipboard sharing between the devices. Not bothered about that currently 😊
I strongly believe I need to find a way how to control CrossProfileCopyPaste setting:
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-08-2024 01:23 AM
ah okay, i understand!
Just to be sure: You want to block copy and paste from work to personal, but keep the option to transer files from work to personal?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-08-2024 02:20 AM
The goal is to block copy-paste from work to personal profile (text and files), but leave the option to copy-paste from personal to work profile (text and files). In a nutshell, data transfer is possible only one way
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-08-2024 06:33 AM
I just tested the policies mentioned by @Moombas , and it seems to do exactly what you want. When set up like shown in the picture below, i'm unable to copy and paste text or files from work to personal while still being able copy from personal to work.
This can be configured within the KSP plugin, the screenshot is from Knox Manage but it shows the KSP part which works the same for both.
- Set Enable work profile policies to true
- Find RCP policy (premium function, you need the free KPE licenses from your knox tenant)
- Set as shown in above picture.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-08-2024 07:21 AM
Thanks for testing. I would say I have the same config:
KSP has no errors on the phone, displays new profile name and all the settings, but I still can launch Chrome in work profile, copy text and paste into any app in the personal profile.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-08-2024 07:33 AM
Did you enter a KPE license? You need to generate one and then add it to KSP. Knox Platform for Enterprise licenses | Knox Platform for Enterprise | Samsung Knox Documentation
And, not sure, you might need to enable "Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted)" as well. I've had some strange issues before when I had this part not enabled.
I've been told that it activates some aspects that are also needed by the work profile policies (someone didn't think this one trough I think 😅)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-08-2024 08:17 AM
The license is there (deleted it in the screenshot). KSP on the device displays message "Successfully activated license key ending with..." So I ruled license issues out
Added additional setting as per your message:
Still the same experience - can copy text from work profile apps.
Would be funny if it wasn't sad 😑
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-14-2024 10:52 PM
Maybe now it makes sense to open a support case @Samsung but one thing you could check before (and maybe grab for such a case) is enabling the debug mode and check what it tells you. Maybe for some reason the clipboard poilcy fails to apply. But if not, there is maybe an issue in the firmware or so.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-15-2024 02:27 AM
Very strange. A support case with Samsung might help as Moombas suggested. Just to be sure, you have pushed the KSP app as well?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-15-2024 03:30 AM
The case with Samsung is open for a while now, but it's not looking promising. I was told "we're limited to what we can do in Intune"
KSP app has debug mode enabled. The app is installed, Knox license is accepted, profile name (version) match what I see in Intune.
The only setting which is not supported is "Enable RPC data sync policy (Configure profiles below)" with the following message "This policy is not supported for this knox version or higher". Not too worried as according to Samsung's documentation it's not supported from Knox 3.8.0 and phone is on 3.10.0
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-15-2024 04:02 AM
Do you mind sharing the xml export from the debug mode?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-15-2024 08:59 AM
Hopefully we're talking about the same thing:
{
"mCategoryMap": {
"RCP_CATEGORY": {
"mKeyMap": {
"poRCPMoveFilesFromWorkProfileToPersonal": {
"mData": null,
"mMessage": "[Allow moving files from work profile to personal space in Work profile policies (Profile Owner) successfully processed.]",
"mPolicyStatus": true,
"mReportStatus": 1
},
"poRCPMoveFilesFromPersonalToWorkProfile": {
"mData": null,
"mMessage": null,
"mPolicyStatus": false,
"mReportStatus": 0
},
"poRCPShareClipboardToData": {
"mData": null,
"mMessage": "[Enable Sharing of Clipboard Data to Owner in Work profile policies (Profile Owner) successfully processed.]",
"mPolicyStatus": true,
"mReportStatus": 1
},
"poRCPDataSyncPolicy": {
"mData": null,
"mMessage": "[Enable RCP data sync policy (Configure profiles below) in Work profile policies (Profile Owner) is not supported by this device.][14001][This policy is not supported for this knox version or higher.]",
"mPolicyStatus": true,
"mReportStatus": 1
}
}
},
"CMFA_CATEGORY": {
"mKeyMap": {}
},
"KPU_CATEGORY": {
"mKeyMap": {
"profileName": {
"mData": null,
"mMessage": "Knox policies in EMEA_v1.34 successfully processed",
"mPolicyStatus": true,
"mReportStatus": 1
},
"kpePremiumLicenseKey": {
"mData": null,
"mMessage": "Successfully activated license key ending with ...PNJZ",
"mPolicyStatus": true,
"mReportStatus": 1
}
}
}
},
"mStatus": "SUCCESS",
"mTimeStamp": 1721038679013
}
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-16-2024 02:31 AM
That looks like the one I was looking for but it seems to be lacking some information.
Couple of things that I see in this config (you might have configured it but did not copy it to your post):
- No license key - You need a KPE license (free) at least (RCP is marked as a premium function which used to be a paid license)
- The policy to allow files from work to personal (first one in the code) appears to be set to true, while you had it set to false in the screenshot you shared earlier.
- Same for clipboard data
- The RCP function is indeed not needed here, you don't need to set it to true of false.
- The section above the RCP policies is not enabled ( Work profile polices (Profile Owner) -> Set Enable work profile policies to true).
I tried to replicate the issue you are experiencing since I don't understand why it should not work. But with all the settings mentioned in this topic, I was still able to copy paste from work to personal. Since I had to get back to work, I moved my user account of my demo device back to its original group I use for trainings and that group seems to have a policy, or a mix of policies, that solved it.
I'm not able to copy paste form work to personal, and i'm not able to move files from work to personal. But I am able to copy paste to my work profile and share files with work profile apps.
I will share the config below and leave it up to you to figure out what works for you, since I really have to get back to my work 😂
Knox Service plugin. (with a free Knox platform for Enterprise license key)
And the Intune - Android Enterprise restrictions profile:
Good luck and please let me know what did the trick if you find out!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-16-2024 02:36 AM
Reg. license key: he did copy this:
"kpePremiumLicenseKey": {
"mData": null,
"mMessage": "Successfully activated license key ending with ...PNJZ",
"mPolicyStatus": true,
"mReportStatus": 1
Which means a license key is there.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-16-2024 04:08 AM
You are correct, missed that one! Thanks for checking.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-16-2024 05:53 AM
Please don't apologise that you need to get back to work, I appreciate your time and effort and have no expectations you have a solution. The purpose of posting here is to get ideas/ suggestions, which hopefully would lead to a solution.
Re report (export), I don't know how things should be represented, but Intune still shows values as per my screenshot. At this point I can't compare it against anything else as I don't have a "working" solution.
Re "Set Enable work profile policies" it's probably not represented in the log as without it other policies are not processed and I get some errors in KSP.
Thanks for the screenshots. What I find interesting, that you profile doesn't appear to have "Allow moving files from work profile to personal space" configured.
Either way I fully replicated the settings you shared (OEMConfig + restriction profile) and can still copy-paste text from work to personal profile 😖
The only 3 theories I have at the moment:
- Microsoft updated Intune "templates" and newly created policies behave differently from the older ones, this would explain why you couldn't restrict data leak with the new profile, but I understand it's at a conspiracy level theory
- The tenant configuration is different - over a year ago we had an issue where available apps were missing in the store and the fix applied by Microsoft was to migrate our tenant to the new Android API (whatever that means)
- There's a setting outside the areas I'm looking into
The dream continues
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-18-2024 12:26 AM
@Simon wrote:
Thanks for the screenshots. What I find interesting, that you profile doesn't appear to have "Allow moving files from work profile to personal space" configured.
Thats what i found very strange as well, but it did the trick on multiple devices. And there are no other policies assigned to those devices.
Are you sure there is no conflict somewhere with another policy? And getting back to basics: Are you sure you are not enrolling as BYOD / personal device? (Its probably correct but still, might worth to check again).
I like your theories, I know that some MDM solutions required migrating to new policies after a big change in Android about two years ago (can't remember the exact reason). This had to do with some backend settings that they didn't want to mess with so they kept the original and asked you to migrate to new profiles which had the same settings but where different in the backend of the MDM solution. So that might very well be the case. Did you try this all with fresh / new policies or did you edit an existing one?
In Intune there are a lot of areas to cover, but for Android it shouldn't be that difficult:
- Your configuration policies
- Your Samsung Knox Service plugin OEM config
- Your app configurations
- Enrollment profiles and restrictions.
Just out of my head, these are the ones you need. What did MS support suggested regarding this?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-18-2024 05:30 AM
Re conflicts, I can't see any conflicts in Intune. Single configuration profile assigned to the device according to Intune device properties page, KSP is not in production and there's only one configuration in the tenant (testing), app configurations excluded for testing, enrolment restrictions do exist, but they're blocking old OS versions, enrolment itself does succeed. So pretty sure there are no conflicts.
Devices appear as Android Enterprise (not Android for work) in Intune, ownership is corporate. We enrol them via QR code or Android Zero touch (details uploaded to Google by reseller), so they're enrolled as expected as much as I know.
Microsoft support was... doing their thing. Explained that setting is "Not configured", so they don't control the setting and I need to speak with the phone manufacturer re "OS defaults". When I asked how I can prevent the data leak, I was told to use applications which can be protected via Application Protection Policy (Intune App SDK) and if apps I need don't support that, I need to speak with software developers so their apps are compatible with Intune Application Protection Policies. In a nutshell - it's not our problem until you prove it's our problem.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-18-2024 09:27 PM
Well, thats a very helpful answer from MS. 😑
I'm running out of ideas, sorry! When I have the change is will see if I can find what is working for me. Its the most basic Intune environment there is, so it should not be that hard to see why its working for me.
If I find something or come up with another suggestion, I will let you know!
- Intune - Tenant has been unbound via the Google Play console in General discussions
- Samsung devices getting stuck during enrolment when using zero-touch or QR in Germany in General discussions
- Enroll Device Using Qr Code in General discussions
- Automatic system updates with mobile data in General discussions
- Assistance Required for Google Play Account Verification Delays in General discussions