Configuring Box for EMM integration

Follow these steps to configure Box for EMM integration with MaaS360®.

  1. The Enterprise Administrator (EA) notifies the Box Implementation Consultant (IC) or Customer Success Manager (CSM) about deploying Box for EMM. After the EA notifies Box, the EA must ask the MaaS360 representative to turn on Box for EMM for their account. MaaS360 provides the EA four pieces of information that the EA sends to the Box IC or CSM:
    • MaaS360 base URL (The base URL is usually https://services.fiberlink.com, but the URL is based on the MaaS360 instance that the customer account uses. The starting number of the MaaS360 Billing ID indicates the instance.)
      Note: For customers that do not use the base URL, use the URL https://services.mx.maas360.com (x=2,3,4), where x is the starting digit of the Billing ID that is displayed in the lower left corner of the MaaS360 Portal. Contact IBM® Support to determine the correct web services URL.
    • MaaS360 Billing ID
    • .p12 certificate file
    • certificate password
  2. The Box IC or CSM uploads the .p12 certificate file and certificate password to the enterprise Box account configuration.
    Note: When the .p12 certificate file and certificate password are uploaded to the enterprise Box account configuration, the Box server extracts the client certificate and private key, and then encrypts and stores the certificate and private key on the backend for Box. When Box makes an API call to the EMM provider to check the enterprise user management status, Box uses the certificate and private key to sign a message and includes the certificate and private key as the Authorization header in the request to the EMM provider.
  3. The IC or CSM registers the enterprise EMM certificate and keys in the customer's Box account, and then sends the EA the Public ID to use for the MaaS360 account in the Box admin console.
  4. After the EA receives the Public ID from Box, the EA must follow these steps to provision the Box for EMM app:
    • For Android, the EA completes the following steps:
      1. Contact the enterprise Box CSM or IC, who provides the Box for EMM app directly to users.
      2. In the MaaS360 Portal, go to Apps > App Catalog > Add Enterprise App for Android.
      3. Click Browse, and then upload the Box for EMM .apk file.
      4. Click Add, and if prompted, enter the MaaS360 admin password. The Box for EMM app is successfully added to the MaaS360 App Catalog.
      5. After the app is added to the App Catalog, the EA configures the Public ID in the MaaS360 security policies:
        • Go to Security Policies and select the WorkPlace Persona policy that is published to Box for EMM users. If a new policy is required, click Add Policy to create a new WorkPlace Persona policy.
        • Open the WorkPlace Persona policy and expand the Docs Sync tab.
        • Click the Box for EMM tab, and then click Edit.
        • Enter the Public ID provided by the Box CSM or IC. This value is displayed as EMM Instance ID in the MaaS360 Portal.
    • For iOS, the EA completes the following steps:
      1. In the MaaS360 Portal, go to Apps > App Catalog > Add iTunes App Store App.
      2. In the App Search field, search for Box for EMM, and then select the app.
      3. Click the Configuration tab, and then enter the following six key-value pairs for the Box for EMM app, including the Public ID that was provided by the Box CSM or IC.

        Key                         Value
        Public ID                   Enter the Public ID provided by Box
        Management ID               %CSN%
        com.box.mdm.oneTimeToken    %CSN%
        Billing ID                  Enter the customer Billing ID
        User Email Address          %email%
        Email ID                    %email%

      4. The Box for EMM app is added to the App Catalog. If prompted, the EA might need to enter the EA password.
      5. The EA distributes the Box for EMM app to users. Make sure that the device that is receiving the app is managed by an MDM policy. If a new policy is required, click Add Policy to create a new iOS MDM policy.
  5. Click Save and Publish. When prompted, the EA enters their MaaS360 admin credentials.
    Note: If the policy is new, the EA must apply the policy to users and devices.
  6. The EA distributes the Box for EMM app to users:
    1. Click Apps > App Catalog.
    2. Select the Box for EMM app, and then click Distribute.
    3. Select the target devices and distribute the app to users.
  7. The EA configures the following settings in the Box admin console:
    • Disable Box for iPhone, iPad, Android tablet, Android phone, and mobile web.
    Note: When the EA disables these settings, users are prevented from belonging to enterprise deployments of Box. These settings also prevent MaaS360 from logging in to a regular (unmanaged) Box app, but still allow users to use other Box solutions for EMM providers.
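
The iOS key-value pairs in step 4 are typed by hand, and a misspelled key or a literal value in place of a placeholder is easy to miss. The following check is an added example, not part of the original page or of MaaS360 or Box tooling; it assumes the configuration has been copied into a Python dict, and the function name, sample values and "looks unset" heuristic are hypothetical.

```python
# Expected values from the iOS key/value table in step 4. The %CSN% and
# %email% placeholders must be entered exactly as the table shows them.
PLACEHOLDER_KEYS = {
    "Management ID": "%CSN%",
    "com.box.mdm.oneTimeToken": "%CSN%",
    "User Email Address": "%email%",
    "Email ID": "%email%",
}
ADMIN_KEYS = ("Public ID", "Billing ID")  # values the EA types in


def lint_box_emm_config(config):
    """Return a list of findings for one Box for EMM iOS app configuration."""
    findings = []
    expected = set(PLACEHOLDER_KEYS) | set(ADMIN_KEYS)
    for key in sorted(expected - set(config)):
        findings.append(f"missing key: {key}")
    for key in sorted(set(config) - expected):
        findings.append(f"unexpected key: {key!r} (check spelling, whitespace)")
    for key, want in PLACEHOLDER_KEYS.items():
        got = config.get(key)
        if got is not None and got != want:
            # A literal value here would be identical on every device.
            findings.append(f"{key}: expected {want}, got literal {got!r}")
    for key in ADMIN_KEYS:
        value = config.get(key)
        if value is None:
            continue
        # Heuristic (assumption): blank, templated or copied help text.
        if not value.strip() or "%" in value or value.lower().startswith("enter "):
            findings.append(f"{key}: looks unset: {value!r}")
    billing = config.get("Billing ID", "").strip()
    if billing and not billing[0].isdigit():
        findings.append("Billing ID: does not start with a digit")
    return findings


# Constructed sample configurations; every value below is made up.
GOOD = {**PLACEHOLDER_KEYS, "Public ID": "EXAMPLE-PUBLIC-ID",
        "Billing ID": "30012345"}
BAD = {
    "Public ID": "Enter the Public ID provided by Box",  # help text pasted in
    "Management ID": "F17XK0SAMPLE",                     # hard-coded literal
    "com.box.mdm.oneTimeToken": "%CSN%",
    "Billing ID ": "30012345",                           # trailing space in key
    "User Email Address": "%email%",                     # "Email ID" is missing
}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_box_emm_config(cfg) or "ok")
```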

Expected behavior

  1. Scenario: A user who is managed by MaaS360 requests to log in to the Box for EMM app that is provisioned by MaaS360.
     Outcome: The user can log in successfully.
  2. Scenario: A user who is managed by MaaS360 requests to log in to the Box for EMM app that they installed directly from a public app store.
     Outcome: The Public ID configured in the MaaS360 Admin Portal is not pushed to the Box for EMM app that was installed from the app store. The user cannot log in to the app.
  3. Scenario: A user backs up the app on one device and attempts to restore the app on another device.
     Outcome: The Box for EMM app validates the one-time token to determine whether the app was provisioned by MaaS360. The user cannot log in to the app.
  4. Scenario: A Box user who is not part of the enterprise deployment of Box for EMM requests to log in to the Box for EMM app that is provisioned by MaaS360.
     Outcome: The user's login info does not match the Public ID on the Box for EMM app. The user cannot log in to the app.
  5. Scenario: A user fakes an app installation through the EMM provider and pushes dummy-managed configurations to the app.
     Outcome: Box checks with the MaaS360 server to confirm whether the Management ID is valid and matches an authorized user. The user cannot log in to the app.
  6. Scenario: The Enterprise Administrator issues a selective wipe on a device that is managed by MaaS360.
     Outcome: The Box for EMM app is blocked from being used on the managed device.

Assumptions

  • All users in EMM-enabled enterprises must be managed. A managed user is an enterprise user who is configured and registered with the company's EMM provider. The Box for EMM solution does not support an enterprise deployment where users are both managed and unmanaged. With this design, the app is updated by using a typical app upgrade instead of deleting an older version of the app to install a newer version of that app.
  • Box for EMM is designed to scale to multiple EMM providers.
  • Box for EMM for iOS allows users to use Box for EMM with a second instance of Box for iPhone or iPad. The login credentials for each instance of Box remain separate. However, Box for EMM for Android does not allow for another instance of Box on the device. Box for EMM replaces other instances of Box.
  • Box for EMM supports the following devices:
    • iOS 7 and later
    • Android 4.0 (Ice Cream Sandwich) and later