iOS 15 Managed Pasteboard and Intune MAM/MDM Protections

I recalled reading about the Managed Pasteboard feature in the iOS 15 release notes but the full import of it hadn’t hit me until today.

If you use an Intune App Protection policy to "sandbox" your managed apps and also enrol the devices in Intune MDM, you will find that pasting from the clipboard behaves differently after upgrading your devices to iOS and iPadOS 15.

Previously, in Microsoft's Office 365 ecosystem you used App Protection policies to define which apps are "managed" and what could be done with data in those apps. Only "enlightened" apps, i.e. apps built with the Intune App SDK so that they recognise App Protection policies, could be controlled this way, so the set of apps you could use in this fashion was fairly limited.

Actions such as saving files from a managed app to local storage, or copying and pasting data from one of those apps into another app, are controlled by these policies.

In my institution, we allow people to copy-and-paste into these managed apps, but not vice-versa.

I'm not an expert on other MDM solutions, having only worked with MobileIron and BlackBerry in the past, but I understand Intune's approach is a bit different: for the primary Office 365 apps (Outlook, Word, OneDrive, etc.), the apps themselves are primarily responsible for enforcing the MAM requirements imposed by the administrators.

Moreover, each app distinguishes corporate data from personal data on an account-by-account basis. For example, you can use Outlook to access both your corporate email and your personal Gmail account, with messages from both side by side in the aggregated inbox. You can copy and paste from the personal Gmail messages into any other app on the device, but try to paste from one of your corporate emails into a non-managed app and all that appears is "Your organization's data cannot be pasted here."

This was fine and worked well enough. We were satisfied that our data was protected.

However, it seems Apple saw the MDM side of the equation, under which data could still be pasted from MDM-managed apps into non-managed apps, as a gap, and closed it in iOS / iPadOS 15 with the Managed Pasteboard. The issue is that it cannot have the nuance of Microsoft's App Protection policies. Apple has no visibility into the contents of a managed app; it cannot tell that some of the data in the app is personal and some is corporate. If the MDM pushed down the app, the app is managed, and none of its data moves anywhere except into another managed app.

I'm using copy-and-paste as my example use case, but this affects any movement of data from managed to unmanaged apps: saving files, opening files in other apps, and so on.

I’m hopeful that Apple will introduce the ability to disable the Managed Pasteboard feature should we want to. I recognize that their approach is probably a bit more “standard” but I feel that usability suffers.

Android avoids this problem with the Work Profile, an entire area sectioned off so that everything inside it is work-only (nothing leaves it) and everything outside it is personal. The separation is so clean that you end up with two copies of any app used for work: one Outlook for your personal Gmail account outside the work profile, completely unfettered, and a second Outlook for your corporate mail inside the work profile, under whatever limitations your company considers appropriate to prevent data from being exfiltrated undetected.

I recall that Apple seemed to be working on a similar scheme but I have not heard anything about it for a few years now.