Configuring Box for EMM integration

Configure Box for EMM integration with IBM® MaaS360®.

  1. The IBM MaaS360 administrator (admin) notifies Box Support about deploying Box for EMM. After notifying Box, the admin must ask the MaaS360 representative to turn on Box for EMM for their account. The administrator must share the following information with Box Support.

    The customer must generate the .p12 certificate file. The certificate password is obtained when you make the .p12 file.

  2. The public key of the .p12 certificate must be shared with IBM MaaS360 Support. MaaS360 Support uploads it for the customer from Docs > Content Sources > Configure Box for certificate workflow.
  3. Box Support registers the enterprise EMM certificate and keys in the customer's Box account, and then sends the Public ID to use for the MaaS360 account.
  4. Box Support uploads the .p12 certificate file and certificate password to the enterprise Box account configuration.
    Note: When the .p12 certificate file and certificate password are uploaded to the enterprise Box account configuration, the Box server extracts the client certificate and private key, and then encrypts and stores the certificate and private key on the backend for Box. When Box makes an API call to the EMM provider to check the enterprise user management status, Box uses the certificate and private key to sign a message and includes the certificate and private key as the Authorization header in the request to the EMM provider.
  5. After the admin receives the Public ID from Box, the admin must follow the steps to provision the Box for EMM app.
    • For Android, the admin must complete the following steps.
      1. In the IBM MaaS360 Portal, go to Add > Android > Google Play App.
      2. Search for Box and add the app.
      3. While adding the Box app, select Set app config, or add the app and go to Apps > App Configurations.
      4. Click the Configurations tab, and enter the following five key value pairs for the Box for EMM app, including the public ID that was provided by the Box support.
        | Key           | Value                                |
        |---------------|--------------------------------------|
        | User email    | %email%                              |
        | Public Id     | Enter the Public ID provided by Box. |
        | Management Id | %deviceid%                           |
        | EMM Name      | MaaS360                              |
        | Billing Id    | Enter the customer Billing ID.       |
      5. Click Add, and if prompted, enter the MaaS360 admin password. The Box for EMM app is successfully added to the MaaS360 App Catalog.
      6. After the app is added to the App Catalog, the admin configures the Public ID in MaaS360.
    • For iOS, the admin must complete the following steps.
      1. In the IBM MaaS360 Portal, go to Apps > App Catalog > Add iTunes App Store App.
      2. In the App Search field, search for Box for EMM, and then select the app.
      3. Click the Configuration tab, and enter the following six key value pairs for the Box for EMM app, including the public ID that was provided by the Box support.
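        | Key                      | Value                                |
        |--------------------------|--------------------------------------|
        | Public ID                | Enter the Public ID provided by Box. |
        | Management ID            | %CSN%                                |
        | com.box.mdm.oneTimeToken | %CSN%                                |
        | Billing ID               | Enter the customer Billing ID.       |
        | User Email Address       | %email%                              |
        | Email ID                 | %email%                              |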
      4. The Box for EMM app is added to the App Catalog. If prompted, the admin might need to enter the password.
      5. The admin distributes the Box for EMM app to users. Make sure that the device that is receiving the app is managed by an MDM policy. If a new policy is required, click Add Policy to create a new iOS MDM policy.
  6. Click Save and Publish. When prompted, the admin enters their MaaS360 admin credentials.
    Note: If the policy is new, the admin must apply the policy to users and devices.
  7. The admin distributes the Box for EMM app to users.
    1. Click Apps > App Catalog.
    2. Select the Box for EMM app, and click Distribute.
    3. Select the target devices and distribute the app to users.
  8. The admin configures the following settings in the Box admin console.
    • Disable Box for iPhone, iPad, Android tablet, Android phone, and mobile web.
    Note: When the admin disables these settings, users are prevented from belonging to enterprise deployments of Box. These settings also prevent MaaS360 from logging in to a regular (unmanaged) Box app, but still allow users to use other Box solutions for EMM providers.
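
For steps 1 and 2 of the procedure above, the following added example (not taken from the IBM or Box documentation) shows one way to create the .p12 file and export only its public certificate for sharing with MaaS360 Support. The self-signed RSA-2048 certificate, the subject name, the file names, and the P12_PASS environment variable are assumptions; confirm the actual certificate requirements with Box Support.

```shell
#!/bin/sh
# Added example: build a .p12, then export only its public certificate.
# Assumptions (not from the page): self-signed RSA-2048, 365-day validity,
# placeholder subject and file names, passphrase supplied in $P12_PASS.
set -eu

# make_p12 DIR: create DIR/box-emm.p12, protected by $P12_PASS.
make_p12() {
    ( umask 077   # keep key material unreadable by other local users
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=box-emm.example.invalid" \
          -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
      openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
          -name box-emm -passout env:P12_PASS -out "$1/box-emm.p12" &&
      rm -f "$1/key.pem" "$1/cert.pem" )   # key now exists only inside the .p12
}

# export_public DIR: write the certificate (no private key) to
# DIR/box-emm-public.pem. The passphrase is read from the environment so it
# does not appear in the process list.
export_public() {
    openssl pkcs12 -in "$1/box-emm.p12" -clcerts -nokeys -passin env:P12_PASS |
        openssl x509 -out "$1/box-emm-public.pem"
}

# safe_to_share FILE: succeed only if FILE holds a certificate and no private key.
safe_to_share() {
    grep -q "BEGIN CERTIFICATE" "$1" && ! grep -q "PRIVATE KEY" "$1"
}

# fingerprint FILE: SHA-256 fingerprint, for confirming out of band that
# support received the same certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Demo run in a scratch directory with a constructed passphrase.
export P12_PASS="${P12_PASS:-constructed-demo-passphrase}"
work=$(mktemp -d)
make_p12 "$work"
export_public "$work"
if safe_to_share "$work/box-emm-public.pem"; then
    fingerprint "$work/box-emm-public.pem"
fi
```

Only box-emm-public.pem goes to MaaS360 Support; the .p12 file and its password are the items shared with Box Support.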

Expected behavior

| Scenario | Outcome |
|----------|---------|
| 1. A user who is managed by MaaS360 requests to log in to the Box for EMM app that is provisioned by MaaS360. | The user can log in successfully. |
| 2. A user who is managed by MaaS360 requests to log in to the Box for EMM app that they installed directly from a public app store. | The Public ID configured in the MaaS360 Admin Portal is not pushed to the Box for EMM app that was installed from the app store. The user cannot log in to the app. |
| 3. A user backs up the app on one device and attempts to restore the app on another device. | The Box for EMM app validates the one-time token to determine whether the app was provisioned by MaaS360. The user cannot log in to the app. |
| 4. A Box user who is not part of the enterprise deployment of Box for EMM requests to log in to the Box for EMM app that is provisioned by MaaS360. | The user's login info does not match the Public ID on the Box for EMM app. The user cannot log in to the app. |
| 5. A user fakes an app installation through the EMM provider and pushes dummy-managed configurations to the app. | Box checks with the MaaS360 server to confirm whether the Management ID is valid and matches an authorized user. The user cannot log in to the app. |
| 6. The Enterprise Administrator issues a selective wipe on a device that is managed by MaaS360. | The Box for EMM app is blocked from being used on the managed device. |

Assumptions

  • All users in EMM enabled enterprises must be managed. A managed user is an enterprise user who is configured and registered with the company's EMM provider. The Box for EMM solution does not support an enterprise deployment where users are both managed and unmanaged. With this design, the app is updated by using a typical app upgrade instead of deleting an older version of the app to install a newer version of that app.
  • Box for EMM is designed to scale to multiple EMM providers.
  • Box for EMM for iOS allows users to use Box for EMM with a second instance of Box for iPhone or iPad. The login credentials for each instance of Box remain separate. However, Box for EMM for Android does not allow for another instance of Box on the device. Box for EMM replaces other instances of Box.
  • Box for EMM supports the following devices:
    • iOS 7 and later
    • Android 4.0 (Ice Cream Sandwich) and later