7 Replies Latest reply on May 13, 2020 7:13 AM by rterakedis

    iOS - Application SDK profile not applied

    dragan979 Novice

      Created iOS SDK profile




      In Global settings Copy/Paste is also disabled







      Assigned above SDK profile to MS Word application


      I CAN copy from MS Word to internal iOS app and vice-versa.


      How can i prevent copying/pasting from managed app to internal app and vice versa ?


      This works fine for Android devices, also unlike Android, "managed" applications have no "padlock" icons, and no restrictions applies to it.

      iOS device is enrolled using Intelligent Hub


      I'm getting this error, but in Profiles for iOS there is no option for disabling copy/paste



        • 1. Re: iOS - Application SDK profile not applied
          LukeDC Expert

          Hi! SDK profiles can only be used in conjunction with apps that have embedded the Airwatch SDK into it. Apps from VMware etc already come ready to apply SDK settings. Microsoft already uses MAM settings from intune, so I doubt they would do this for any of the office Apps.

          • 2. Re: iOS - Application SDK profile not applied
            dragan979 Novice

            Thanks, but what needs to be done for iOS managed apps, so Device/SDK profiles can be applied, is some step missing.


            For Android all works fine

            • 3. Re: iOS - Application SDK profile not applied
              LukeDC Expert

              MAM Functionality with VMware Workspace ONE SDK


              Thsi is the documentation you need to understand the SDK

              • 5. Re: iOS - Application SDK profile not applied
                RogerDeane Enthusiast
                VMware Employees

                As LukeDC mentioned, SDK Profiles only work on apps that have included the VMware Workspace ONE SDK in them and unfortunately the Microsoft Apps such as Word have not.   Also, Microsoft limits the ability to restrict two or three features including cut/copy/paste to Intune MAM only.   If you want to enforce this policy you will need to use Intune MAM (not the full Intune, just the MAM component).   The silver lining is that Workspace ONE UEM works with Intune MAM via APIs so you don't actually have to go into the Intune console to configure this, it can be done from UEM once the connection has been established between the two.

                1 person found this helpful
                • 6. Re: iOS - Application SDK profile not applied
                  dragan979 Novice

                  Okay, then why same setup work for Android devices and not for iOS devices. ?

                  And why, unlike Android, i don't have additional icons with padlock for managed apps ?

                  • 7. Re: iOS - Application SDK profile not applied
                    rterakedis Hot Shot
                    VMware Employees

                    dragan979 - I think what you're looking at is a fundamental difference between the data architectures in Android verusus iOS.


                    In modern Android platforms, the work profile physically separates data managed by MDM from data created by the user (the exception here being "work owned" or "corporate managed" android devices - see Understanding Android Device Mode ).  As such, there is a clearly defined boundary, and Android denotes the boundary by adding the briefcase icon to all the "Work Profile" apps.   Again, the briefcase icon denoting a work app is put there by the Android OS, not by Workspace ONE.


                    With regards to iOS, up until the recent introduction of "User Enrollment" there hasn't been a clear separation of work and personal data other than to say what was "managed" versus "unmanaged".   Also, unlike Android, Apple has never made any overlays on the app icons to denote a personal app versus a work app.  Apple has never provided a device-wide copy-paste restriction, and has instead simply chosen to focus on "managed open-in".   In other words, they focused on data-loss prevention by controlling whether you could move entire documents/files to personal apps.   If you look in the iOS restrictions payload, you'll see a number of settings to manage this:



                    But LukeDC and RogerDeane hinted at the underlying issue.   Copy/Paste restrictions (and a method of control) are left up to the individual app developer to implement.   VMware provides the Workspace ONE SDK (which we've already included in all the VMware Apps -- Hub, Boxer, Smartfolio, etc) to make this easier for individual app developers to implement, but again, it's up to them to implement.   In the case of the Microsoft Apps, Microsoft wrote their own method of copy/paste restriction and tied it to MAM (Mobile Application Management) controls in InTune, which can be controlled by Workspace ONE through API integration.


                    If copy/paste restrictions are a necessity, and iOS is a requirement, then you may need to look at using VMware's containerized apps (Boxer, etc) so that you can apply the SDK profile for stringent control.  

                    2 people found this helpful