Mobile Application Management (MAM) allows an enterprise to restrict the data that passes in and out of specific applications on an end user's mobile device, without the need to control the device itself. It is often the top choice for enterprises that practice a Bring Your Own Device (BYOD) strategy.
Microsoft Intune - iOS and Android
Add app policy
To start using MAM with Box for EMM or Box for Mobile, first enable it in Intune. For more information, refer to Microsoft documentation.
When you’re adding an app protection policy, type “Box” in the search field. For iOS, select Box - Cloud Content Management; for Android, you should see Box.
If you can't edit Office files in Box for EMM (for example after enabling the Office Co-Authoring feature), enable saving to Box in Intune in the app protection policy. To do so, select Box in the Allow users to save copies to selected services setting*.
*Check the Microsoft documentation to make sure that the setting name is up to date.
For information on further configuration, see Add app configuration policies for managed iOS/iPadOS devices and Add app configuration policies for managed Android Enterprise devices.
Configure MAM in the Box Admin Console
As an Admin, you can enforce Microsoft's Intune MAM service even if Box account holders are not enrolled in it:
- Log in to the Box Admin console.
- Go to Enterprise Settings -> Mobile.
- Scroll down to find the User Permissions for Box Mobile Application section.
- Toggle on the Intune Mobile Application Management (Intune MAM) option.
Conditional Access
In addition to the MAM service, Admins can enforce Intune’s Conditional Access to set mobile device-based and app-based policies. For more information, visit Learn about Conditional Access and Intune.
Requirements to use all the existing signals in Conditional Access:
- Intune MAM must be enabled in the Admin Console as shown above in Configure MAM in the Box Admin Console.
- Users must add their Microsoft User Principal Name (UPN) as a secondary email in their Box account(s) if the UPN cannot be found among the primary and secondary email addresses of their Box account(s).
  - Example:
    - Box Primary Email: user@company.com
    - Microsoft UPN: user@company.onmicrosoft.com
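A pre-rollout check for the UPN requirement above, as an added example that is not part of the Box documentation: it joins a Box user export to a directory export and lists accounts whose UPN is on none of their Box email addresses. The CSV layouts, column names and case-insensitive comparison are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions, not a Box or Microsoft format.
BOX_CSV = """login,secondary_emails
user@company.com,
alice@company.com,alice@company.onmicrosoft.com;a.smith@company.com
bob@company.com,bob@legacy.example
"""
ENTRA_CSV = """mail,userPrincipalName
user@company.com,user@company.onmicrosoft.com
alice@company.com,Alice@company.onmicrosoft.com
bob@company.com,bob@company.com
carol@company.com,carol@company.onmicrosoft.com
"""

def norm(addr):
    # Assumption: addresses are compared case-insensitively.
    return addr.strip().lower()

def audit_upn_coverage(box_csv, entra_csv):
    """Return (needs_secondary, no_box_account).

    needs_secondary maps a Box login to the UPN that must be added as a
    secondary email; no_box_account lists directory users with no Box match.
    """
    box = {}
    for row in csv.DictReader(io.StringIO(box_csv)):
        emails = {norm(row["login"])}
        extras = (row["secondary_emails"] or "").split(";")
        emails.update(norm(e) for e in extras if e.strip())
        box[norm(row["login"])] = emails

    needs_secondary, no_box_account = {}, []
    for row in csv.DictReader(io.StringIO(entra_csv)):
        mail, upn = norm(row["mail"]), norm(row["userPrincipalName"])
        # Locate the Box account through either the directory mail or the UPN.
        login = next((l for l, e in box.items() if mail in e or upn in e), None)
        if login is None:
            no_box_account.append(mail)
        elif upn not in box[login]:
            needs_secondary[login] = upn
    return needs_secondary, no_box_account

if __name__ == "__main__":
    needs, missing = audit_upn_coverage(BOX_CSV, ENTRA_CSV)
    for login, upn in needs.items():
        print(f"{login}: add {upn} as a secondary email")
    print("No Box account found for:", ", ".join(missing) or "none")
```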
Note:
Conditional Access is supported for the following Box for Mobile and Box for EMM versions and above:
- iOS and iPadOS: 5.34 and above
- Android: 6.33 and above
Depending on your organization’s Conditional Access configuration, an Authentication Broker app may need to be installed on the mobile device. The broker app can be Microsoft Authenticator for iOS, or Microsoft Company Portal for Android devices. Refer to Microsoft documentation for more details on further requirements and instructions on using app-based Conditional Access.