Read on to learn how to configure MDM with Box.
Microsoft Intune
Microsoft Intune is one of the most popular Enterprise Mobility Management (EMM) providers.
For iOS, the enterprise admin (EA) can obtain Box apps (Box for EMM, Box Mobile) using the public App Store. When the EA acquires one of the apps, they can provision it through the admin console in Microsoft Intune.
For Android, an admin has to first connect to the managed Google Play store and approve the Company Portal app.
iOS
Start with adding a new app policy:
- Add app configuration policies for managed iOS/iPadOS devices.
- Choose Box for EMM or Box Mobile as the Targeted App.
- Use the configuration designer and enter the general and Intune-specific configuration keys/values.
If you’re using Intune for MAM and a third-party provider for MDM that doesn’t have User Principal Name as its variable, try using the Email variable instead.
Add a new protection policy
Proceed to add a new protection policy for your app. Choose Box for EMM/Box Mobile as the public app. Select all the appropriate settings in the next steps. Before you save your changes, make sure that all the settings are correct and assigned to the right group.
If you can't edit Office files in Box for EMM (for example after enabling the Office Co-Authoring feature), enable saving to Box in Intune in the app protection policy. To do so, select Box in the Allow users to save copies to selected services setting*.
*Check the Microsoft documentation to make sure that the setting name is up to date.
Box configuration
Box for EMM is restricted to only MDM managed devices - it’s a default feature in Box for EMM. The users can log into Box for EMM only if their account was provisioned with the Microsoft Intune admin console. They have to use their enterprise credentials.
You can make sure that users access Box through Box for EMM.
To do so:
- Go to the Admin console > Apps.
- Find iOS Apps in the Official Box Apps section.
- Disable the following apps by toggling the radio button next to them:
  - Box for iPhone
  - Box for iPad
  - Capture for iOS (EOL: Aug 30, 2024)
- Scroll down to Mobile web and accessibility and disable Box.com mobile site. Make sure that Box for iPhone (EMM) and Box for iPad (EMM) are enabled.
If you deployed any other Box apps, or you have an Android solution, check if you want to disable any additional apps.
Changing the above settings prevents the enterprise’s users from accessing the regular (unmanaged) Box for Mobile app and mobile site. Make sure you notify your Box users before taking this action.
Android
Start with connecting your Intune account to the Android Enterprise account. For more information, see Android Enterprise documentation and Intune documentation. Then, approve your company portal in the managed Google Play store and confirm that it works. Ensure that all approved apps are synced and have the policies/assignments set up for the app.
App configuration policy
Enter the general and Intune-specific configuration keys and their values in configuration settings.
Validate if Box for EMM or Box for Mobile is visible in the Play Store. Download it and check if it’s available in the Workspace app. Your users can now open the app and log in.
User scenarios
Scenario | Outcome |
A user managed by Microsoft Intune requests to log in to the Box for EMM app that was provisioned with Microsoft Intune. | User logs in successfully. |
A user managed by Microsoft Intune requests to log in to the Box for EMM app that they installed directly from a public app store. | The user can’t log in, as the Public ID configured in the Microsoft Intune admin console isn’t pushed to the Box for EMM app installed from a public app store. |
A user backs up the app on one device and attempts to restore it on another device. | The user can’t log in, as the Box for EMM app validates the one time token and determines that the app was not provisioned with Microsoft Intune. |
A Box user who is not a part of the enterprise deployment of Box for EMM requests to log in to the Box for EMM app provisioned with Microsoft Intune. | The user can’t log in, as their login info doesn’t match the Public ID in the Box for EMM app. |
The enterprise admin issues a selective wipe to a device managed by Microsoft Intune. | The offline corporate data is removed from the managed device. |
The Box user un-enrolls their device from Microsoft Intune. | The Box for EMM app is removed from the device. |
Workspace ONE (AirWatch)
Learn how to configure MDM with Workspace ONE (AirWatch).
iOS
- After receiving the key value pair from Box, the EA should obtain the Box for EMM application.
- Add Box for EMM or Box for Mobile application in your EMM console.
- After the application is loaded, enable the following deployment settings:
  - Remove on Unenroll
  - Prevent Application Backup
  - App Tunneling
- Disable the following deployment setting:
  - Make App MDM Managed if User Installed
- Application Configuration
Enter the general key-value pairs required for Workspace ONE.
Android
Add the application in the Workspace ONE admin console.
- After the application is loaded, configure the settings.
- Check the following policies:
  - Remove on Unenroll: strongly recommended by Box. By checking this option you can remove a user's account in the Box admin console when you're retiring them. Doing so prevents the user from accessing the app, as Box for Mobile and Box for EMM automatically log out users whose MDM profiles have been removed.
  - Send Application Configuration,
  - Application uses the AirWatch SDK.
- Add configuration keys:
  - First key as Management ID,
  - Second key as Public ID - enter the key-value pair provided by Box,
  - OPTIONAL: you can add a third configuration key as EmailAddress. This option configures users' AirWatch email address to pre-populate on the Box for Mobile or Box for EMM login page.
Note:
If the application was uploaded previously but not configured as above, edit the deployment settings.
Android Enterprise requires account integration in the AirWatch console before any devices can be configured. Then you need to register a device and push the app to the device.
User scenarios
Scenario | Outcome |
Users managed by AirWatch request to log in to the Box for EMM app that has been provisioned with AirWatch. | A key-value pair is shared with enterprise admin, who then sets it up in their AirWatch console. This key-value pair and a one‐time token are pushed to the Box app. The app checks for this pair and allows users to log in successfully. |
Users managed by AirWatch request to log in to the Box for EMM app that they installed from an app store. | The key-value pair set up in the AirWatch console is not pushed to the Box for EMM app that was installed from an app store. Users can't log in to the app. |
Users back up the app on one device and attempt to restore it on another device. | The Box for EMM app validates whether the app was provisioned by the EMM provider, so users can't log in. |
Users not managed by AirWatch request to log in to the Box for EMM app installed from an app store. | The required key-value pair is not pushed to the Box for EMM app. Users can't log in to the app. |
Users at enterprises not registered for Box for EMM request to log in to the Box for EMM app provisioned with AirWatch. | The custom key-value pair is not shared with admins whose enterprises are not registered with Box for EMM. Without a key-value pair pushed to the Box for EMM app, users can't log in to the app. |
Users faking app installation through AirWatch and pushing dummy managed configurations to the app. | Box checks with AirWatch to confirm whether a ManagementID is valid and matches that of an authorized user. Users can't log in. |
MaaS360
Learn how to configure MDM with MaaS360.
Note:
Sending the Public ID on Android is handled through an EMM client installed on the device. It is separate from the Box mobile app.
iOS
When you receive the Public ID from Box (step 2 in the process flow), follow these steps:
- Go to the MaaS360 admin console.
- Add the Box for EMM/Box for Mobile app from the iTunes store.
- Add the required and MaaS360-specific key-value pairs as configuration.
The Box for EMM/Box for Mobile app is now added to the App Catalog. Select the target devices to distribute the app to users. If prompted, enter the EA password.
Note:
Make sure that the device to which the app is being distributed is managed by an MDM policy. If a new policy is required, add it in the MaaS360 admin console. Newly created policies have to be applied to the required users and devices.
Android
When you receive the Public ID from Box (step 2 in the process flow), follow these steps:
- Contact your enterprise's Box CSM or IC, who provide the Box for EMM application directly.
- Go to MaaS360 and add an app. For more information, see Adding apps to the App Catalog.
- Upload the .apk file provided by Box CSM or IC. If prompted, enter the MaaS360 password.
The Box for EMM/Box for Mobile app is now successfully added to the MaaS360 app catalog.
After adding the application to the catalog, you need to select the WorkPlace Persona policy in MaaS360. If a new policy is required, add it. For more information, see MaaS360 security policies overview.
Edit the WorkPlace Persona policy and enter the Public ID. For more information, see Configuring policy settings for an Android device.
User scenarios
Scenario | Outcome |
A user managed by MaaS360 requests to log in to the Box for EMM app that is provisioned with MaaS360. | The user logs in. |
A user managed by MaaS360 requests to log in to the Box for EMM app that they installed directly from a public app store. | The Public ID configured in the MaaS360 admin console has not been pushed to the Box for EMM app that is installed from an app store. User can't log in. |
A user backs up the app on one device and attempts to restore it on another device. | The Box for EMM app validates the one time token to determine whether the app is provisioned with MaaS360. User can't log in. |
A Box user who is not a part of the enterprise deployment of Box for EMM requests to log in to the Box for EMM app provisioned with MaaS360. | The user's login info doesn't match the Public ID on the Box for EMM app. User can't log in. |
A user fakes an app installation through the EMM provider and pushes dummy managed configurations to the app. | Box checks with the MaaS360 server to confirm if the Management ID is valid and matches that of an authorized user. User can't log in. |
The enterprise admin issues a selective wipe to a device managed by MaaS360. | The Box for EMM app is blocked from being used on the managed device. |
Ivanti EPMM (previously MobileIron Core)
Learn how to configure MDM with MobileIron (Ivanti).
Before you start configuration of Box for EMM for iOS or Android, you need to:
- Contact your Box CSM or IC and inform them that you want to deploy Box for EMM with Ivanti EPMM.
- Ivanti provides the API hostname (URL), user ID, and password for the Ivanti account to the Box CSM or IC, as Box needs to access the Ivanti APIs.
- Create a MobileIron user.
- Assign correct roles to the user.
- Send the Box IC or CSM the user ID and password you created in the previous steps.
- Send the Box CSM or IC the Fully-Qualified Domain Name (FQDN) for your Ivanti EPMM server or the URL for your Connected Cloud tenant.
- The Box CSM or IC registers this information in your Box enterprise account, and provides you with a .plist file containing a Public ID to use in Ivanti EPMM.
Mobile app configuration details
- Add the Box for EMM app in Ivanti. For more information, see Admin Portal workspace.
- Create a managed app configuration, using the general key-value pairs provided in the app configuration section.
- Edit your app settings - recommended options are:
  - Prevent backup of the app data,
  - Remove app when MDM profile is removed,
  - Remove app when the device is quarantined or signed out.
  - For more information, see Managed App Settings.
- Edit Box for EMM app and apply labels to it.
- Publish the application.
- Create a new action to selectively wipe Box for EMM data for non-compliant devices.
Ivanti Neurons for MDM (previously MobileIron Cloud)
Learn how to configure MDM with Ivanti Neurons for MDM.
- Import the Box for EMM app to the Ivanti app catalog.
- Choose which users to distribute the Box for EMM app to.
- For the Box for EMM app, configure:
  - app installation,
  - app settings,
- Create a managed app configuration, using the general key-value pairs.
- Choose which users to distribute the configuration to.
User scenarios - Ivanti EPMM and Ivanti Neurons
Scenario | Behavior |
A user managed by Ivanti requests to log in to the Box for EMM app that has been provisioned with Ivanti. | The user can log in. |
A user managed by Ivanti requests to log in to the Box for EMM app that they installed directly from an app store. | The Public ID configured in the Ivanti admin console is not pushed to the Box for EMM app that was installed from an app store, and the user can’t log in. |
A user backs up the app on one device and attempts to restore it on another device. | The Box for EMM app validates the one time token to determine whether the app was provisioned with Ivanti. The user can’t log in. |
A Box user who is not part of the enterprise deployment of Box for EMM requests to log in to the Box for EMM app provisioned with Ivanti. | The user's login info does not match the Public ID on the Box for EMM app, and the user can’t log in. |
A user fakes an app installation through the EMM provider and pushes dummy managed configurations to the app. | Box checks with the Ivanti server to confirm whether the Management ID is valid and matches that of an authorized user. The user can’t log in. |
Citrix XenMobile
Learn how to configure MDM with Citrix XenMobile.
- Provision the Box for EMM app on Citrix XenMobile server. For more information, see Add apps.
- Configure settings for the Box for EMM app. For more information, see Configure app settings for iOS apps or Configure app settings for Google Play apps.
- Enter com.box.mdmios in the Identifier field.
- Enter the following text in the Dictionary content field:
<plist version="1.0">
<dict>
<key>Public ID</key>
<string>Enter_Your_Public_Id_Here</string>
<key>com.box.mdm.oneTimeToken</key>
<string>$DEVICE_UDID$</string>
</dict>
</plist>
Note:
Remember to replace the Enter_Your_Public_Id_Here string with your actual Public ID.
- Choose the delivery groups.
- Edit each delivery group and make sure the Box for EMM Config policy shows up.
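A pre-deployment check for the Dictionary content above, as an added example (not Box or Citrix code): it parses the plist and flags a Public ID left as the placeholder, or a com.box.mdm.oneTimeToken value that is well-formed XML but not exactly $DEVICE_UDID$. The function name, the sample Public ID and the exact-match rule on the token value are assumptions made for illustration.

```python
import plistlib

TOKEN_KEY = "com.box.mdm.oneTimeToken"
TOKEN_MACRO = "$DEVICE_UDID$"           # assumption: value must be exactly this macro
PLACEHOLDER = "Enter_Your_Public_Id_Here"


def lint_box_emm_plist(xml_text):
    """Return a list of problems in the Dictionary content; empty means OK."""
    try:
        cfg = plistlib.loads(xml_text.strip().encode("utf-8"))
    except Exception as exc:            # malformed XML or not a plist at all
        return [f"not a parseable plist: {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level element is not a <dict>"]

    problems = []
    public_id = cfg.get("Public ID")
    if not isinstance(public_id, str) or not public_id.strip():
        problems.append("Public ID is missing or empty")
    elif PLACEHOLDER in public_id:
        problems.append("Public ID still contains the placeholder text")

    token = cfg.get(TOKEN_KEY)
    if token is None:
        problems.append(f"{TOKEN_KEY} is missing")
    elif token != TOKEN_MACRO:
        problems.append(f"{TOKEN_KEY} is {token!r}, expected {TOKEN_MACRO!r}")
    return problems


def _plist(public_id, token):
    # Builds a constructed sample in the layout shown on this page.
    return f"""<plist version="1.0">
<dict>
<key>Public ID</key>
<string>{public_id}</string>
<key>{TOKEN_KEY}</key>
<string>{token}</string>
</dict>
</plist>"""

# Constructed samples; the Public ID value is made up for the example.
GOOD = _plist("EXAMPLE-PUBLIC-ID-0000", "$DEVICE_UDID$")
BAD = _plist("Enter_Your_Public_Id_Here", "string>$DEVICE_UDID$")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_box_emm_plist(sample) or "ok")
```

The BAD sample parses without error, which is why the check compares values rather than relying on the XML being well-formed.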
User scenarios
Scenario | Outcome |
A user managed by Citrix XenMobile requests to log in to the Box for EMM app that was provisioned through Citrix XenMobile. | The user logs in. |
A user managed by Citrix XenMobile requests to log in to the Box for EMM app that they installed directly from a public app store. | The Public ID configured in the Citrix XenMobile admin console was not pushed to the Box for EMM app that was installed from an app store. The user can't log in. |
A user backs up the app on one device and attempts to restore it on another device. | The Box for EMM app validates the one time token and determines that the app was not provisioned through Citrix XenMobile. The user can't log in. |
A Box user who is not part of the enterprise deployment of Box for EMM requests to log in to the Box for EMM app provisioned through Citrix XenMobile. | The user's login info does not match the Public ID on the Box for EMM app. The user can't log in. |
The enterprise admin issues a selective wipe to a device managed by Citrix XenMobile. | The Box for EMM app is removed from the managed device. |
Okta Mobility Management
Learn how to configure MDM with Okta Mobility Management.
- Upload the Box for EMM app to the app store.
- Edit settings of the Box for EMM app and provide the Public ID you received from Box CSM or IC in the Box Public ID field.
- Choose other options according to your needs.
User scenarios
Scenario | Outcome |
A user managed by vendor requests to log in to the Box for EMM app that is provisioned through the vendor. | The user can log in. |
A user managed by vendor requests to log in to the Box for EMM app that they installed directly from a public app store. | The Public ID configured in the vendor admin console is not pushed to the Box for EMM app that was installed from an app store. The user can't log in. |
A user backs up the app on one device and attempts to restore it on another device. | The Box for EMM app validates the one time token and determines that the app was not provisioned through the vendor. The user can't log in. |
A Box user who is not part of the enterprise deployment of Box for EMM requests to log in to the Box for EMM app provisioned through the vendor. | The user's login info doesn't match the Public ID on the Box for EMM app. The user can't log in. |
The enterprise admin issues a selective wipe to a device managed by the vendor. | The Box for EMM app is removed from the managed device. |