Box for EMM with MaaS360

MaaS360® integrates with Box or Box Capture for Enterprise Mobility Management (EMM) to allow joint customers of Box and MaaS360 to use Box or Box Capture from devices that are secured by MaaS360.

How Box for Enterprise Mobility Management (EMM) works

Box for EMM performs server-to-server validation of EMM credentials and checks managed app configurations before users can access content on Box.

Enterprise Administrators can download Box for EMM from the public app store for iOS or as an enterprise build for Android. When Enterprise Administrators acquire the app, the Administrator provisions the app to users from the MaaS360 admin console. Box for EMM only works for users who acquired or received the app from their company's EMM provider. If the user downloads Box for EMM directly from an app store, they cannot log in to the Box for EMM app.

When the Box for EMM app loads into the MaaS360 App Catalog, the Administrator must set up a key value pair that is provided by Box. The Administrator distributes the new Box for EMM solution to a user's device, and MaaS360 passes the key value pair to the Box for EMM app. The key value information is passed to the app by using the Managed App Configuration function from Apple or directly from the MaaS360 app installed on an Android device. When a user requests to log in to the Box for EMM app, Box validates that the app is provisioned by MaaS360 by using a one-time token, and then sends the key value pairs to the Box server. The Box server uses the key value pairs to check whether the enterprise and EMM combination is valid. The Box server then calls the MaaS360 Cloud to validate that the user is a member of that enterprise's managed deployment of Box. When the MaaS360 Cloud confirms that the device and user are managed by the enterprise, the user can log in to the app.

Server-to-server validation steps

The following diagram outlines how Box performs server-to-server validation of EMM credentials and checks managed app configurations.
[Figure: Box for EMM server-to-server validation steps]
  1. The Enterprise Administrator (EA) works with the MaaS360 Customer Engineering team to enable Box for EMM for their MaaS360 account. The MaaS360 Customer Engineer (CE) completes the following steps:
    1. Enables webservices and enables Box for EMM for Android (iOS is turned on by default).
    2. Provides a webservices URL, a Billing ID, a .p12 certificate, and a password to the customer EA.
  2. The EA registers with Box for the Box for EMM app by providing the URL, Billing ID, and certificate password to their Box Implementation Consultant (IC) or Customer Success Manager (CSM), who provides a key value pair (Public ID) that the EA uses for the MaaS360 account.
  3. The EA adds Box for EMM to the MaaS360 App Catalog and enters the Public ID provided by Box.
    1. For Android, the EA enters the value of the Public ID in the WorkPlace Policy > Docs Sync > Box for EMM Instance ID field.
    2. For iOS, the EA enters the Public ID in the iOS MDM Policy under Managed App Configuration, including parameters that are listed in Configuring Box for EMM integration.
  4. The EA clicks Save and Publish. MaaS360 completes the following steps:
    1. For Android, MaaS360 automatically generates a Management ID for Box for EMM on Android, which is the device CSN.
    2. For iOS, the customer enters the parameters that are listed in Configuring Box for EMM integration.
  5. The EA distributes the Box for EMM app from the MaaS360 App Catalog to users, which includes the configuration for the app. The one-time token validates that the Box for EMM app is provisioned by MaaS360.
  6. When a user requests to log in to Box for EMM, the app sends the user's login credentials, Public ID, and Management ID to the Box server. The Box server checks the user's login credentials and uses the key value pair to match the user to the corresponding EMM provider.
  7. The Box server calls the MaaS360 Cloud to validate the Management ID, and MaaS360 checks the Management ID.
  8. If the Box and EMM servers successfully validate the login credentials, Public ID, and Management ID, the user can log in to the app. If one of the checks fails, the user cannot log in to the app.
Note: For Android, the EMM client that is installed on the device sends the key value pair (described in step 3), which is separate from the Box mobile app.
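
The login decision in steps 6 to 8, modeled in Python as an added example that is not Box or MaaS360 code. All names, the registry layout, the sample IDs, and the choice to deny login when the EMM call errors are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; every name and value here is hypothetical.
PUBLIC_IDS = {"pub-EXAMPLE-001": {"enterprise": "example-corp", "emm": "maas360"}}
USERS = {"alice@example.com": {"password": "correct horse", "enterprise": "example-corp"}}
EMM_MANAGED = {"example-corp": {"CSN-EXAMPLE-A1"}}  # Management IDs known to the EMM

@dataclass(frozen=True)
class LoginRequest:
    username: str
    password: str
    public_id: Optional[str]      # delivered through managed app configuration
    management_id: Optional[str]  # absent when the app came straight from a store

def emm_validate(enterprise: str, management_id: str) -> bool:
    """Stand-in for the Box server to EMM cloud call in step 7."""
    return management_id in EMM_MANAGED.get(enterprise, set())

def authorize(req: LoginRequest, emm_check=emm_validate):
    """Return (allowed, reason); every check must pass, as in step 8."""
    user = USERS.get(req.username)
    # Step 6: login credentials (plaintext only to keep the model short).
    if user is None or not hmac.compare_digest(
            user["password"].encode(), req.password.encode()):
        return False, "bad_credentials"
    # An unmanaged install carries no key value pair or Management ID.
    if not req.public_id or not req.management_id:
        return False, "missing_managed_config"
    # Step 6: the Public ID must map to this user's enterprise and EMM.
    entry = PUBLIC_IDS.get(req.public_id)
    if entry is None or entry["enterprise"] != user["enterprise"]:
        return False, "public_id_mismatch"
    # Step 7: ask the EMM side; an error is treated as a failed check (assumption).
    try:
        managed = emm_check(entry["enterprise"], req.management_id)
    except Exception:
        return False, "emm_unreachable"
    if not managed:
        return False, "device_not_managed"
    return True, "ok"

if __name__ == "__main__":
    ok = LoginRequest("alice@example.com", "correct horse", "pub-EXAMPLE-001", "CSN-EXAMPLE-A1")
    print(authorize(ok))
    print(authorize(LoginRequest(ok.username, ok.password, None, None)))
```

The distinct reason strings are for server-side logging; a client would normally see only a generic login failure.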