Thanks, but what needs to be done for iOS managed apps, so Device/SDK profiles can be applied, is some step missing.

For Android all works fine

MAM Functionality with VMware Workspace ONE SDK

Thsi is the documentation you need to understand the SDK

As LukeDC​ mentioned, SDK Profiles only work on apps that have included the VMware Workspace ONE SDK in them and unfortunately the Microsoft Apps such as Word have not.   Also, Microsoft limits the ability to restrict two or three features including cut/copy/paste to Intune MAM only.   If you want to enforce this policy you will need to use Intune MAM (not the full Intune, just the MAM component).   The silver lining is that Workspace ONE UEM works with Intune MAM via APIs so you don't actually have to go into the Intune console to configure this, it can be done from UEM once the connection has been established between the two.

Okay, then why same setup work for Android devices and not for iOS devices. ?

And why, unlike Android, i don't have additional icons with padlock for managed apps ?

dragan979​ - I think what you're looking at is a fundamental difference between the data architectures in Android verusus iOS.

In modern Android platforms, the work profile physically separates data managed by MDM from data created by the user (the exception here being "work owned" or "corporate managed" android devices - see Understanding Android Device Mode​ ).  As such, there is a clearly defined boundary, and Android denotes the boundary by adding the briefcase icon to all the "Work Profile" apps.   Again, the briefcase icon denoting a work app is put there by the Android OS, not by Workspace ONE.

With regards to iOS, up until the recent introduction of "User Enrollment" there hasn't been a clear separation of work and personal data other than to say what was "managed" versus "unmanaged".   Also, unlike Android, Apple has never made any overlays on the app icons to denote a personal app versus a work app.  Apple has never provided a device-wide copy-paste restriction, and has instead simply chosen to focus on "managed open-in".   In other words, they focused on data-loss prevention by controlling whether you could move entire documents/files to personal apps.   If you look in the iOS restrictions payload, you'll see a number of settings to manage this:

But LukeDC​ and RogerDeane​ hinted at the underlying issue.   Copy/Paste restrictions (and a method of control) are left up to the individual app developer to implement.   VMware provides the Workspace ONE SDK (which we've already included in all the VMware Apps -- Hub, Boxer, Smartfolio, etc) to make this easier for individual app developers to implement, but again, it's up to them to implement.   In the case of the Microsoft Apps, Microsoft wrote their own method of copy/paste restriction and tied it to MAM (Mobile Application Management) controls in InTune, which can be controlled by Workspace ONE through API integration.

If copy/paste restrictions are a necessity, and iOS is a requirement, then you may need to look at using VMware's containerized apps (Boxer, etc) so that you can apply the SDK profile for stringent control.