Read on to learn how to configure MDM with Box.
Table of contents
Microsoft Intune
Microsoft Intune is one of the most popular Enterprise Mobility Management (EMM) providers.
For iOS, the enterprise admin (EA) can obtain Box integrations (Box for EMM, Box Mobile) using the public App Store. When the EA acquires one of the integrations, they can provision it through the admin console in Microsoft Intune.
For Android, an admin has to first connect to the managed Google Play store and approve the Company Portal integration.
iOS
Start with adding a new policy:
- Add app configuration policies for managed iOS/iPadOS devices.
- Choose Box for EMM or Box Mobile as the Targeted App.
- Use the configuration designer and enter the general and Intune-specific configuration keys/values.
If you’re using Intune for MAM and a third-party provider for MDM that doesn’t have User Principal Name as its variable, try using Email variable instead.
Add a new protection policy
Proceed to add a new protection policy for your integration. Choose the Box for EMM/Box Mobile as the public app. Select all the appropriate settings in next steps. Before you save your changes, make sure that all the settings are correct and assigned to the right group.
If you can't edit Office files in Box for EMM (for example after enabling the Office Co-Authoring feature), enable saving to Box in Intune in the protection policy. To do so, select Box in the Allow users to save copies to selected services setting*.
*Check the Microsoft documentation to make sure that the setting name is up to date.
Box configuration
Box for EMM is restricted to only MDM managed devices - it’s a default feature in Box for EMM. The users can log into Box for EMM only if their account was provisioned with the Microsoft Intune admin console. They have to use their enterprise credentials.
You can make sure that users access Box through Box for EMM.
To do so:
- Go to the Admin console > Integrations.
- Find iOS in the Box Official Clients section.
- Disable the following integrations by toggling the radio button next to them:
- Box for iPhone
- Box for iPad
- Scroll down to Mobile web and accessibility and disable Box.com mobile site. Make sure that Box for iPhone (EMM) and Box for iPad (EMM) are enabled.
If you deployed any other Box integrations, or you have an Android solution, check if you want to disable any additional integrations.
Changing the above settings prevents the enterprise’s users from accessing the regular (unmanaged) Box for Mobile and mobile site. Make sure you notify your Box users before taking this action.
Android
Start with connecting your Intune account to the Android Enterprise account. For more information, see Android Enterprise documentation and Intune documentation. Then, approve your company portal in the managed Google Play store and confirm that it works. Ensure that all approved integrations are synced and have the policies/assignments set up for them.
Integration configuration policy
Enter the general and Intune-specific configuration keys and their values in configuration settings.
Validate if Box for EMM or Box for Mobile is visible in the Play Store. Download it and check if it’s available in Workspace. Your users can now open the integration and log in.
User scenarios
Scenario | Outcome |
A user managed by Microsoft Intune requests to log in to the Box for EMM that was provisioned with Microsoft Intune. | User logs in successfully. |
A user managed by Microsoft Intune requests to log in to the Box for EMM that they installed directly from a public store. | The user can’t log in, as the Public ID configured in the Microsoft Intune admin console isn’t pushed to the Box for EMM installed from a public store. |
A user backs up the integration on one device and attempts to restore it on another device. | The user can’t log in, as the Box for EMM validates the one time token and determines that the integration was not provisioned with Microsoft Intune. |
A Box user who is not a part of the enterprise deployment of Box for EMM requests to log in to Box for EMM provisioned with Microsoft Intune. | The user can’t log in, as their login info doesn’t match the Public ID in Box for EMM. |
The enterprise admin issues a selective wipe to a device managed by Microsoft Intune. | The offline corporate data is removed from the managed device. |
The Box user un-enrolls their device from Microsoft Intune. | Box for EMM is removed from the device. |
Workspace ONE (AirWatch)
Learn how to configure MDM with Workspace ONE (AirWatch).
iOS
- After receiving the key value pair from Box, the EA should obtain the Box for EMM integration.
- Add Box for EMM or Box for Mobile in your EMM console.
- After the integration is loaded, enable the following deployment setting:
- Remove or Unenroll
- Prevent Integration Backup
- Integration Tunneling
- Disable the following deployment setting:
- Make Integration MDM Managed if User Installed
- Integration Configuration
Enter the general key-value pairs required for Workspace ONE.
Android
Add the integration in the Workspace ONE admin console.
- After the integration is loaded, configure the settings.
- Check the following policies:
- Remove on Unenroll: strongly recommended by Box. By checking this option you can remove a user's account in the Box admin console when you're retiring them. Doing so prevents the user from accessing the integration, as Box for Mobile and Box for EMM automatically log out users whose MDM profiles have been removed.
- Send Integration Configuration,
- Integration uses the AirWatch SDK.
- Add configuration keys:
- First key as Management ID,
- Second key as Public ID - enter the key - value pair provided by Box,
- OPTIONAL: you can add a third configuration key as EmailAddress. This option configures users' AirWatch email address to pre-populate on the Box for Mobile or Box for EMM login page.
Note:
If the integration was uploaded previously but not configured as above, edit the deployment settings.
Android Enterprise requires account integration in the AirWatch console before any devices can be configured. Then you need to register a device and push the integration to the device.
User scenarios
Scenario | Outcome |
Users managed by AirWatch request to log in to Box for EMM that has been provisioned with AirWatch. | A key-value pair is shared with enterprise admin, who then sets it up in their AirWatch console. This key-value pair and a one‐time token are pushed to Box. The integration checks for this pair and allows users to log in successfully. |
Users managed by AirWatch request to log in to Box for EMM that they installed from a public store. | The key-value pair set up in the AirWatch console is not pushed to Box for EMM that was installed from a public store. Users can't log in to the integration. |
Users back up the integration on one device and attempt to restore it on another device. | Box for EMM validates whether the integration was provisioned by the EMM provider, so users can't log in. |
Users not managed by AirWatch request to log in to Box for EMM installed from a public store. | The required key-value pair is not pushed to Box for EMM. Users can't log in to the integration. |
Users at enterprises not registered for Box for EMM request to log in to Box for EMM provisioned with AirWatch. | The custom key-value pair is not shared with admins whose enterprises are not registered with Box for EMM. Without a key-value pair pushed to Box for EMM, users can't log in to the integration. |
Users faking integration installation through AirWatch and pushing dummy managed configurations to the integration. | Box checks with AirWatch to confirm whether a ManagementID is valid and matches that of an authorized user, users can't log in. |
MaaS360
Learn how to configure MDM with MaaS360.
Note:
Sending the Public ID on Android is handled through an EMM client installed on the device. It is separate from the Box mobile integration.
iOS
When you receive the Public ID from Box (step 2 in the process flow), follow these steps:
- Go to the MaaS360 admin console.
- Add Box for EMM/Box for Mobile from the iTunes store.
- Add the required and MaaS360-specific key-value pairs as configuration.
Box for EMM/Box for Mobile is now added to the App Catalog. Select the target devices to distribute the integration to users. If prompted, enter the EA password.
Note:
Make sure that the device to which the integration is being distributed is managed by an MDM policy. If a new policy is required, add it in the MaaS360 admin console. Newly created policies have to be applied to the required users and devices.
Android
When you receive the Public ID from Box (step 2 in the process flow), follow these steps:
- Contact your enterprise's Box CSM or IC, who provide Box for EMM directly.
- Go to the MaaS360 and add the integration. For more information, see Adding apps to the App Catalog
- Upload the .apk file provided by Box CSM or IC. If prompted, enter the MaaS360 password.
Box for EMM/Box for Mobile is now successfully added to the MaaS360 App Catalog.
After adding the integration to the catalog, you need to select the WorkPlace Persona policy in MaaS360. If a new policy is required, add it. For more information, see MaaS360 security policies overview
Edit the WorkPlace Persona policy and enter the Public ID. For more information, see Configuring policy settings for an Android device.
User scenarios
Scenario | Outcome |
A user managed by MaaS360 requests to log in to Box for EMM that is provisioned with MaaS360. | The user logs in. |
A user managed by MaaS360 requests to log in to Box for EMM that they installed directly from a public store. | The Public ID configured in the MaaS360 admin console has not been pushed to Box for EMM that is installed from a public store. User can't log in. |
A user backs up the integration on one device and attempts to restore it on another device. | Box for EMM validates the one time token to determine whether the integration is provisioned with MaaS360. User can't log in. |
A Box user who is not a part of the enterprise deployment of Box for EMM requests to log in to Box for EMM provisioned with MaaS360. | The user's login info doesn't match the Public ID on Box for EMM. User can't log in. |
A user fakes an integration installation through the EMM provider and pushes dummy managed configurations to the integration. | Box checks with the MaaS360 server to confirm if the Management ID is valid and matches that of an authorized user. User can't log in. |
The enterprise admin issues a selective wipe to a device managed by MaaS360. | Box for EMM is blocked from being used on the managed device. |
Ivanti EPMM (previously MobileIron Core)
Learn how to configure MDM with MobileIron (Ivanti).
Before you start configuration of Box for EMM for iOS or Android, you need to:
- Contact your Box CSM or IC and inform them that you want to deploy Box for EMM with Ivanti EPMM.
- Ivanti provides the API hostname (URL), user ID, and password for Ivanti account to Box CSM or IC sd Box needs to access the Ivanti APIs.
- Create a MobileIron user.
- Assign correct roles to the user.
- Send the Box IC or CSM the user ID and password you created in the previous steps.
- Send the Box CSM or IC the Fully-Qualified Domain Name (FQDN) for your Ivanti EPMM server or the URL for your Connected Cloud tenant.
- The Box CSM or IC registers this information in your Box enterprise account, and provides you with a .plist file containing a Public ID to use in Ivanti EPMM.
Mobile integration configuration details
- Add Box for EMM integration in Ivanti. For more information, see Admin Portal workspace.
- Create a managed integration configuration, using the general key-value pairs provided in the integration configuration section.
- Edit the settings - recommended options are:
- Prevent backup of the app data,
- Remove app when MDM profile is removed,
- Remove app when the device is quarantined or signed out.
- For more information, see Managed App Settings.
- Edit Box for EMM and apply labels to it.
- Publish the integration.
- Create a new action to selectively wipe Box for EMM data for non-compliant devices.
Ivanti Neurons for MDM (previously MobileIron Cloud)
Learn how to configure MDM with Ivanti Neurons for MDM.
- Import the Box for EMM integration to the Ivanti App Catalog.
- Choose which users to distribute Box for EMM to.
- For Box for EMM, configure:
- app installation,
- app settings,
- Create a managed app configuration, using the general key-value pairs.
- Choose which users to distribute the configuration to.
User scenarios - Ivanti EPMM and Ivanti Neurons
Scenario | Behavior |
A user managed by Ivanti requests to log in to Box for EMM that has been provisioned with Ivanti. |
The user can log in. |
A user managed by Ivanti requests to log in to Box for EMM that they installed directly from a public store. |
The Public ID configured in the Ivanti admin console is not pushed to Box for EMM that was installed from a public store, and the user can’t log in. |
A user backs up the integration on one device and attempts to restore it on another device. |
Box for EMM validates the one time token to determine whether the integration was provisioned with Ivanti. The user can’t log in. |
A Box user who is not part of the enterprise deployment of Box for EMM requests to log in to Box for EMM provisioned with Ivanti. | The user's login info does not match the Public ID on Box for EMM, and the user can’t log in. |
A user fakes an installation through the EMM provider and pushes dummy managed configurations to the integration. |
Box checks with the Ivanti server to confirm whether the Management ID is valid and matches that of an authorized user. The user can’t log in. |
Citrix XenMobile
Learn how to configure MDM with Citrix XenMobile.
- Provision the Box for EMM integration on Citrix XenMobile server. For more information, see Add apps.
- Configure settings for Box for EMM. For more information, see Configure app settings for iOS apps or Configure app settings for Google Play apps.
- Enter com.box.mdmios in the Identifier field.
- Enter the following text in the Dictionary content field:
<plist version="1.0">
<dict>
<key>Public ID</key>
<string>Enter_Your_Public_Id_Here</string>
<key>com.box.mdm.oneTimeToken</key>
<string>string>$DEVICE_UDID$</string>
</dict>
</plist>
Note:
Remember to replace the {Enter_Your_Public_Id_Here} string with your actual Public ID. - Choose the delivery groups.
- Edit each delivery group and make sure the Box for EMM Config policy shows up.
User scenarios
Scenario | Outcome |
A user managed by Citrix XenMobile requests to log in to the Box for EMM integration that was provisioned through Citrix XenMobile. | The user logs in. |
A user managed by Citrix XenMobile requests to log in to Box for EMM that they installed directly from a public store. | The Public ID configured in the Citrix XenMobile admin console was not pushed to Box for EMM that was installed from a public store. The user can't log in. |
A user backs up the integration on one device and attempts to restore it on another device. | Box for EMM validates the one time token and determines that the integration was not provisioned through Citrix XenMobile. The user can't log in. |
A Box user who is not part of the enterprise deployment of Box for EMM requests to log in to Box for EMM provisioned through Citrix XenMobile. | The user's login info does not match the Public ID on Box for EMM. The user can't log in. |
The enterprise admin issues a selective wipe to a device managed by Citrix XenMobile. | Box for EMM is removed from the managed device. |