Cut, Copy, Paste in App Protection Policies
Implementation Effort: Low – IT administrators only need to configure this setting within the App Protection Policies in Microsoft Intune.
User Impact: Medium – A subset of users may experience changes in how they can move or share content between apps, especially when using personal or unmanaged apps.
Overview
The “Restrict cut, copy, and paste between other apps” setting in Microsoft Intune App Protection Policies (APP) controls how users can transfer data between managed and unmanaged apps. This is a key control for preventing data leakage, especially in BYOD environments or on devices with both personal and work profiles.
Available Options for Android and iOS:
- Blocked – Prevents all cut, copy, and paste actions between managed and unmanaged apps.
- Policy managed apps – Allows cut, copy, and paste only between apps that are managed by Intune.
- Policy managed apps with paste in – Allows paste from unmanaged apps into managed apps, but blocks copying from managed apps to unmanaged ones.
- Any app – No restrictions; users can cut, copy, and paste between any apps 1 2.
Additional Control:
- Cut and copy character limit – Admins can define a maximum number of characters that can be copied from managed apps, even when restrictions are in place 1.
Available Options for Windows:
- Any destination and any source – Org users can paste data from and cut/copy data to any account, document, location, or application.
- No destination or source – Org users can't cut, copy, or paste data to or from external accounts, documents, locations or applications from or into the org context. NOTE: For Microsoft Edge, No destination or source blocks cut, copy, and paste behavior within the web content only. Cut, copy, and paste are disabled from all web content, but not application controls, including the address bar. This setting supports the Zero Trust principle of assume breach by ensuring that sensitive organizational data cannot be exfiltrated via clipboard operations to unmanaged or personal apps. If not configured properly, users may inadvertently copy confidential information from apps like Outlook or Teams into personal apps like WhatsApp or Notes.