In this document you can find general information about configuration of EMM with Box for available providers.
Table of contents
- Read first
- Prerequisites
- Process flow
- Configuration keys and values
- Related Box reference
- Related provider's reference
Read first
To understand the concepts in the configuration guides, start with reading the following documents:
Prerequisites
Before configuring Box for EMM for a specific provide, make sure that:
- you have a role of Enterprise Admin to set up EMM with Box
- you are an Admin in the provider's console. You can find more information in provider’s documentation:
- all users in EMM-enabled enterprises are managed Box users
- all users have their devices enrolled in the selected vendor's admin console
- Box for EMM and/or Box for Mobile is added to the selected vendor's admin console
- the correct app policy is added
Important:
The Box for EMM solution does not support an enterprise deployment where users are both managed and unmanaged.
Box for EMM for iOS allows users to have Box for EMM alongside a second instance of Box for iPhone/iPad, but it is not recommended. The credentials for each remain separate.
The Box for EMM solution does not support an enterprise deployment where users are both managed and unmanaged.
Box for EMM for iOS allows users to have Box for EMM alongside a second instance of Box for iPhone/iPad, but it is not recommended. The credentials for each remain separate.
Process flow
- Work with the Box Customer Success Manager (CSM) or Box Implementation Consultant (IC) to register for Box for EMM.
- CSM or IC provides you with a Public ID to connect with your selected vendor (provider).
- Upload the Box for EMM app into the admin console of your vendor.
- Create a managed app config that includes the Public ID provided by Box.
- Specify the variables that generate the values pushed to the app.
- Distribute the application to users with your vendor's enterprise app store. The one-time token is used to validate that the Box for EMM app is provisioned by the vendor.
- When a user requests to log in to Box for EMM, the app sends, among others, the user's login credentials and Public ID to the Box server. See the table below for more information.
- The Box server checks the above information to match a user to a vendor's server.
- The Box server calls the vendor's server to validate the security or status of the device, using the Management ID.
- If the Box and vendor's servers validated the user's credentials, Public ID, and Management ID, the user can log in.
Note:
Process flow details might slightly differ depending on the vendor of your choice. Go to a specific vendor's configuration to learn more.
Process flow details might slightly differ depending on the vendor of your choice. Go to a specific vendor's configuration to learn more.
Configuration keys and values
Required
Below table lists all configuration keys that are required for the Box for EMM application to run successfully.
| Configuration key | Description | Required for | Configuration value |
| Public ID |
A shared secret provided by Box to MDM admin. Identifies the enterprise managing the device and settings to apply. | Microsoft Intune | the public ID provided by Box |
| Workspace ONE | the public ID provided by Box | ||
| MaaS360 | the public ID provided by Box | ||
| Ivanti | the public ID provided by Box | ||
| Management ID - MSC only | Identifies the device during the management status check. | Microsoft Intune | AnyString |
| Workspace ONE | {ManagementID} | ||
| MaaS360 | %CSN% | ||
| Ivanti | ${deviceUDID} | ||
|
com.box.mdm.oneTimeToken (iOS Only) |
Precaution against tampering with the deploy after Box login. | Microsoft Intune | AnyString |
| Workspace ONE | {DeviceUid} | ||
| MaaS360 | %CSN% | ||
| Ivanti | ${deviceUDID} | ||
| User Email Address |
Box account to pre-fill and allow during login. | Microsoft Intune | {{userprincipalname}} |
| Workspace ONE | {EmailAddress} | ||
| MaaS360 | %email% | ||
| Ivanti | ${userEmailAddress} | ||
|
Allow Microphone (iOS Only) |
Disable all features which ask for microphone access. | Microsoft Intune | false |
| Workspace ONE | false | ||
| MaaS360 | false | ||
| Ivanti | false |
Note:
Key-value pairs may differ depending on your provider. There can be additional key-value pairs needed for a vendor.
Key-value pairs may differ depending on your provider. There can be additional key-value pairs needed for a vendor.
Microsoft Intune
The following key-value pairs are specific for Intune.
| Configuration key | Configuration value | Comments |
| Intune Enterprise | 1 | required for MAM |
| userprincipalname | {{userprincipalname}} | required for MAM |
| IntuneMAMUPN | {{userprincipalname}} | required for MAM |
MaaS360
The following key-value pair is specific for MaaS360.| Configuration key | Configuration value |
| Billing ID | the customer billing ID (MSC only) |
Optional
| Configuration key | Optional for | Configuration value |
| User Email Address | Microsoft Intune |
{{userprincipalname}} |
Box admin console configuration
1. Open the Box admin portal.
2. Go to Apps and disable the following options.
Box for EMM:
- iOS:
- Box for iPhone,
- Box for iPad,
- Capture for iOS.
- Android:
- Box for Android phones,
- Box for Android Tablets,
- Box for Android MDMs.
- Enable or keep enabled the Box for MobileIron and Box for Good Technology if they're also deployed.
Depending on other Box apps you deployed you may need to disable additional apps.
Note:
Performing these steps prevents users belonging to the enterprise’s deployments of Box and vendors from logging into the regular (unmanaged) Box app and mobile site. Make sure to notify your Box users before taking this step.
Related Box reference
Specific configuration for each type of deployment:
Related provider's reference
Microsoft Intune
- MAM FAQs
- App protection policies (iOS)
- App protection policies (Android)
- Support contacts for Endpoint Manager
Workspace ONE (AirWatch):
MaaS360:
- IBM MaaS360 Mobile Device Management (SaaS)
- Getting started with the MaaS360 Portal
- MaaS360 Portal Home page