Securing Corporate Data: Managing Copy/Paste in Managed Apps
In enterprise environments, one of the most common causes of data leakage is not a sophisticated cyberattack but a simple clipboard operation such as copying and pasting data. For example, a user may copy sensitive information from a Managed App and paste it into a personal messaging platform such as WhatsApp, a personal email service like Gmail, or another unmanaged application.
To mitigate this risk, organizations implement Data Loss Prevention (DLP) policies that control how corporate data moves between applications. Using Hexnode UEM, administrators can enforce application-level data controls that restrict clipboard operations, document sharing, and data transfer between managed and unmanaged apps.
These controls ensure that:
- Data originating from managed apps remains within the managed application ecosystem.
- Corporate information cannot be pasted into unmanaged or personal applications.
- Enterprise data flows only through approved applications deployed through the Hexnode App Management framework.
1. Operational Logic: Managed vs. Unmanaged Application Boundary
Hexnode enforces DLP through the concept of Managed Applications and Managed Containers. Applications deployed through Hexnode App Management policies are considered managed apps, while applications installed by users outside administrative control are treated as unmanaged apps.
Clipboard and data-sharing restrictions enforce the following behaviour:
| Source Application | Destination Application | Result |
|---|---|---|
| Managed app | Managed app | Allowed |
| Managed app | Unmanaged app | Blocked (if restrictions are applied) |
| Unmanaged app | Managed app | Controlled based on container policies |
2. Implementation Framework
Clipboard and data transfer controls are implemented differently depending on the operating system and its enterprise management framework.
A. iOS/iPadOS: Hexnode Business Container Data Separation
On iOS and iPadOS devices, Hexnode provides data separation through the Hexnode Business Container. The Business Container is a secure workspace that isolates enterprise apps and corporate data from personal applications on the same device.
Navigation Path: Policies > iOS > Hexnode Business Container > Business Container.
Data Sharing Restrictions:
| Setting | Description |
|---|---|
| Open documents from managed apps in unmanaged apps | Controls whether corporate documents can be opened in personal applications. |
| Open documents from unmanaged apps in managed apps | Controls whether personal files can be opened inside managed apps. |
| Manage Copy/Paste between managed/unmanaged apps | Specifically controls clipboard sharing between managed and unmanaged apps. |
When copy and paste restrictions are enabled, users cannot paste data copied from applications inside the Business Container into unmanaged applications outside the container.
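An audit check for the three settings above, added here as an example and not Hexnode's own code. It assumes the policy reaches the device as a standard Apple Restrictions payload (`com.apple.applicationaccess`) and that the console settings map to Apple's `allowOpenFromManagedToUnmanaged`, `allowOpenFromUnmanagedToManaged` and `requireManagedPasteboard` keys; the sample profile is constructed.

```python
import plistlib

# Constructed sample profile (not exported from any real console).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>allowOpenFromManagedToUnmanaged</key><false/>
    <key>requireManagedPasteboard</key><false/>
  </dict></array>
</dict></plist>"""

# Apple Restrictions keys with their defaults when absent (mapping to the console settings is assumed).
DEFAULTS = {
    "allowOpenFromManagedToUnmanaged": True,
    "allowOpenFromUnmanagedToManaged": True,
    "requireManagedPasteboard": False,
}

def effective_restrictions(profile_bytes):
    """Merge all Restrictions payloads, keeping the most restrictive value per key."""
    profile = plistlib.loads(profile_bytes)
    eff = dict(DEFAULTS)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, default in DEFAULTS.items():
            value = payload.get(key, default)
            # "allow*" keys: False is stricter; "require*" keys: True is stricter.
            strictest = min if key.startswith("allow") else max
            eff[key] = strictest(eff[key], bool(value))
    return eff

def audit_clipboard(profile_bytes):
    """Return findings about managed-to-unmanaged leakage paths left open."""
    eff = effective_restrictions(profile_bytes)
    findings = []
    if eff["allowOpenFromManagedToUnmanaged"]:
        findings.append("documents from managed apps can be opened in unmanaged apps")
    if not eff["requireManagedPasteboard"]:
        findings.append("pasteboard is not bound to the open-in rules: copy/paste crosses the boundary")
    elif eff["allowOpenFromManagedToUnmanaged"]:
        findings.append("managed pasteboard is on but inherits a permissive open-in rule")
    return findings

if __name__ == "__main__":
    for finding in audit_clipboard(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

The sample blocks document open-in but leaves the pasteboard unmanaged, so the audit reports the clipboard path as still open.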
B. Android Enterprise: Work Profile Data Isolation
On Android devices managed using Android Enterprise, enterprise apps are deployed within a Work Profile. The Work Profile acts as a secure container (marked by a briefcase icon) that separates corporate applications from personal applications.
Navigation Path: Policies > Android > Restrictions > Advanced Restrictions > Allow Device Functionality.
Clipboard Control Setting:
| Restriction | Description |
|---|---|
| Copy contents between normal and work profiles | Controls clipboard data transfer between work profile apps and personal apps. |
When this option is disabled, clipboard sharing between the two profiles is blocked: data copied from apps in the Work Profile cannot be pasted into Personal Profile apps.
3. Productivity vs. Security Considerations
When implementing DLP policies, organizations must balance data protection with usability.
| Approach | Impact |
|---|---|
| Completely disabling clipboard access | Strong security but disrupts user productivity significantly. |
| Restricting clipboard access between managed and unmanaged apps | Strong security with minimal workflow disruption for work tasks. |
Hexnode UEM’s container-based approach ensures that enterprise applications can continue sharing data with each other while preventing leakage to unmanaged applications.
4. Additional Security Controls
Clipboard restrictions are often implemented alongside other security features within Hexnode UEM:
- Screen Capture Restrictions: Administrators can disable screenshots or screen recording to prevent visual capture of corporate data.
- Managed Application Deployment: Apps deployed through Hexnode UEM are recognized as managed, ensuring policy consistency.
- Container-Based Data Isolation: Clear separation is maintained via the Hexnode Business Container (iOS) and Android Enterprise Work Profile.
5. Troubleshooting & Best Practices
Issue: Certain departments (for example, Marketing or Social Media teams) cannot move data between corporate apps and personal social platforms.
- Cause: Clipboard and data-sharing restrictions enforced through managed app policies or container policies block data transfer from managed applications to unmanaged applications.
- Fix: Place the affected users into a dedicated Exclusion Group and assign a modified policy that relaxes the restriction.
Issue: Users cannot paste data from one managed application into another managed application.
- Cause: One of the applications may not be recognized as a managed app. This can occur if the app was installed manually instead of being deployed through Hexnode UEM App Management, or if the applications are not signed with the same enterprise certificate.
- Fix: Verify that both applications appear in the Managed App inventory within the Hexnode UEM console and ensure they are deployed through App Management policies. If required, redeploy the applications using the enterprise distribution method so they are correctly recognized as managed applications.