Box for EMM provides two types of deployment configurations for MDM: Box-verified MDM deployment (recommended) and MDM deployment with Managed Status Check (MSC). In the Box-verified configuration, during login Box checks if the app is deployed under your MDM solution. MSC is an extra check which verifies during login if the device is managed by and in good standing with the MDM server.
The diagram below shows how Box MDM deployment configuration works.
Box-verified MDM deployment flow (recommended)
- Enterprise Admin registers the EMM certificate for the user. Box CSM configures the instance for the user and provides the Public ID to the Enterprise Admin. The Public ID is a unique ID that ties the Box for EMM instance to the specific Box user.
- Enterprise Admin loads the EMM application, adds the Public ID of the Box user and adds the Management ID generated by the EMM provider to check if the device is compliant and the user is valid.
- EMM provider provisions the EMM application to the user’s mobile device.
- The installed application sends Management ID, Public ID, and Box credentials to Box.
- Upon user login, Box calls the EMM provider to verify the Management ID. Box allows or blocks EMM access depending on the validation result.
MDM deployment with Managed Status Check (MSC)
If the Box-verified configuration is not sufficient for your company, you can add a Managed Status Check (MSC) step to the login flow. With MSC, Box queries the MDM server during login to confirm that the device is compliant. Because this check does not rely only on the Public ID, MSC still protects access if that ID is compromised.
Box does not recommend using the added status check. Deployments with MSC are prone to login errors, depend on a stable connection between the MDM service and the Box servers, and add to the deployment complexity. In most cases the additional check that MSC offers is not necessary.
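To make the difference between the two checks concrete, here is an added Python model of the Box-verified login decision and the MSC variant described above. It is not Box's code: the Public ID registry, the EMM provider class and all identifiers are constructed stand-ins, and the unreachable-server case shows the fail-closed login error the text warns about.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed model of the two Box for EMM login checks described above. All names,
# records and EMM/MDM interfaces are hypothetical; nothing here calls a real API.

class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"

@dataclass(frozen=True)
class EmmInstance:
    public_id: str   # ties the Box for EMM instance to one Box user
    box_user: str    # primary email address of that Box account

# Constructed registry of provisioned instances (what Box CSM would set up).
INSTANCES = {"pub-0001": EmmInstance("pub-0001", "alice@example.com")}

class EmmProvider:
    """Hypothetical EMM provider: confirms Management IDs and device standing."""
    def __init__(self, valid_ids, managed_devices, reachable=True):
        self.valid_ids = set(valid_ids)
        self.managed_devices = set(managed_devices)
        self.reachable = reachable   # models the live MDM status endpoint used by MSC

    def verify_management_id(self, management_id):
        return management_id in self.valid_ids

    def device_in_good_standing(self, device_id):
        if not self.reachable:
            raise ConnectionError("MDM server unreachable")
        return device_id in self.managed_devices

def box_verified_login(public_id, management_id, box_user, emm):
    """Box-verified MDM: Public ID must map to the logging-in user, and the
    EMM provider must confirm the Management ID the app presented."""
    inst = INSTANCES.get(public_id)
    if inst is None or inst.box_user != box_user:
        return Decision.BLOCK
    return Decision.ALLOW if emm.verify_management_id(management_id) else Decision.BLOCK

def msc_login(public_id, management_id, box_user, device_id, emm):
    """MSC: same checks, plus a live managed-status query. Fails closed when
    the MDM server is unreachable, the login-error risk the text warns about."""
    if box_verified_login(public_id, management_id, box_user, emm) is Decision.BLOCK:
        return Decision.BLOCK
    try:
        return Decision.ALLOW if emm.device_in_good_standing(device_id) else Decision.BLOCK
    except ConnectionError:
        return Decision.BLOCK
```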
Turning on MAM
To enable MAM for all users in your enterprise, navigate to the Admin console and turn it on.
The MAM solution works only if all users use the same email address for both their Box and Intune accounts, and that address must be the primary email address of their Box account.
Flexible MAM deployment
If you need more flexibility, either in deploying the solution just for some employees or having different Box and Intune email addresses, deploy using your MDM configuration.
In the MDM app configuration, the administrator can set the Intune Enterprise value to “1” to enable MAM for a user, and also specify the User Principal Name that the user must use to log in to Intune. The administrator can use the capabilities of their MDM provider to deploy different configurations to different users.
Then, when the user logs in to Box and the MDM check passes, the MAM solution is launched. The user needs to log in to Intune using the correct email address and accept the app protection policy.
The Enterprise Admin has to configure the app protection policy in Intune beforehand for the Box app that the users will be using.
MDM with MAM
You can use MDM together with the MAM configuration. To do so, deploy your MDM solution, and configure MAM separately. For more details, refer to the related documentation.