By Masaki Iwamaru – Service Engineer | Microsoft Endpoint Manager – Intune
The Box – Cloud Content Management app (iOS/Android) by Box Inc. provides quick access to data in Box cloud storage for personal and enterprise use. Since October 2020, the app has supported Intune app protection policies (APP). These policies use data protection features, built with the Intune App SDK, to provide secure data access and use. For example, you can control data transfer between apps, restrict copy-paste between apps, set access requirements, and force conditional launch settings. You do not need to implement a mobile device management (MDM) solution or deploy app config policies to use the Box app with Intune app protection policies.
This blog post provides step-by-step guidance on using the Box – Cloud Content Management app with Intune app protection policies.
There is a separate Box for EMM app that you can use with Intune MDM. This article focuses on the Box – Cloud Content Management (iOS/Android) app for unmanaged devices. If you are interested in using the Box for EMM app for managed devices, see Integrating Box for EMM app with Intune app protection policies (APP).
Use the Box app with Intune app protection policies (without MDM)
Step 1. Enable the Intune MAM feature in the Box admin console.
You need to enable the Intune mobile application management (MAM) feature in the Box admin console. Otherwise, the Box app won’t receive Intune app protection policies. This will require administrative privileges.
- Sign in to your Box tenant with a web browser.
- Go to Admin Console > Enterprise Settings > Mobile.
- Enable the toggle button next to Intune Mobile Application Management (Intune MAM) and select Save.
Step 2. Apply an app protection policy to the Box app.
You can create a new app protection policy or use an existing one.
- Sign in to the Microsoft Endpoint Manager admin center.
- Go to Apps > App configuration policies.
- Create a new app configuration policy or select an existing policy.
- Go to the Apps properties page for your policy, and confirm the following settings:
  - In the Public apps list, make sure that the Box – Cloud Content Management app is included.
  - Set Target to apps on all device types to Yes to avoid misconfigurations.
- Make sure the policy is assigned to the correct users. App protection policies should be assigned to users instead of devices.
Step 3. Install the Box – Cloud Content Management app.
If you set Target to apps on all device types to Yes in the app protection policy, end users can install the Box app either directly from Intune or from a public app store.
If you set this field to No and select Managed for Device types, users will need to install the app from Intune to receive an app config policy with the IntuneMAMUPN key. See the Intune documentation for more information about the iOS app configuration settings and an example using this key.
Step 4. Launch the Box – Cloud Content Management app.
When an end user launches the app, they will see the Microsoft Azure Active Directory (Azure AD) sign-in screen. The user name is automatically populated. It should be the same as the user who enrolled the device. When they sign in to Azure AD, the app protection policy will be applied. The user will then see an app restart request.
Step 5. Relaunch the app.
When an end user relaunches the app, it might ask them to set an app PIN at sign in (if you configured it to require one). They can now use the app with Intune app protection.
Here are common issues to be aware of when you’re integrating the Box app with Intune app protection policies:
- App protection policy is not applied after sign-in.
Make sure the policy is assigned to the correct users. The app protection policy should be assigned to users, not devices.
Confirm that Target to apps on all device types is set to Yes.
It can take time for the policy to be applied if end users are signed in to the app before the policy assignment. This article provides more information about expected policy delivery timing.
- Do I need to deploy a Public ID app config key, which is required for Box for EMM?
No. You don’t need to deploy a Public ID app config key to use the Box – Cloud Content Management app with Intune app protection policies. Instead, you need to enable the Intune MAM feature in the Box admin console.
- Should I set up single sign-on (SSO) between Azure AD and Box service?
You can use Box features without SSO integration. However, your end users must sign in with identical user names for both the Box app and Azure AD (Step 4 above). While it is optional, SSO provides a simplified and excellent user experience. Check out this article to learn about SSO integration guidance.
- Should I enroll devices to MDM to protect the Box app with Intune app protection policies?
No, you don’t need to enroll devices in an MDM solution such as Intune. The Box – Cloud Content Management app supports the scenario of app protection policies without MDM enrollment.
- Can I use the Box app with MDM managed devices?
Yes, you can use the Box app with MDM managed devices. Intune app protection policies can be applied to the Box – Cloud Content Management app on MDM managed devices. Check out this article on how to target app protection policies based on device management state.
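The checks from Step 2 and the first troubleshooting item above, as an added example (not from the original article, Microsoft, or Box): a Python audit of app protection policies exported as JSON from Microsoft Graph. The Box app identifiers and the reading of `targetedAppManagementLevels` as "unspecified" when the policy targets all device types are assumptions, and the sample policies are constructed.

```python
import json

# Assumed store identifiers for the Box app (not stated in the article);
# confirm them against the app list of your own policy.
BOX_APP_IDS = {"net.box.boxnet", "com.box.android"}
GROUP_TARGET = "#microsoft.graph.groupAssignmentTarget"

def audit_policy(policy):
    """Return a list of findings for one exported policy (empty means OK)."""
    findings = []
    # Step 2: the Box app must be in the policy's app list.
    targeted = set()
    for app in policy.get("apps", []):
        ident = app.get("mobileAppIdentifier", {})
        targeted.add((ident.get("bundleId") or ident.get("packageId") or "").lower())
    if not targeted & BOX_APP_IDS:
        findings.append("Box app is not in the app list")
    # "Target to apps on all device types" = Yes. Assumption: the export
    # records that choice as targetedAppManagementLevels == "unspecified".
    level = policy.get("targetedAppManagementLevels", "unspecified")
    if level != "unspecified":
        findings.append("limited to device type: " + level)
    # The policy needs at least one included group. Whether that group holds
    # users rather than devices must still be checked in the directory.
    targets = [a.get("target", {}).get("@odata.type") for a in policy.get("assignments", [])]
    if GROUP_TARGET not in targets:
        findings.append("no included group assignment")
    return findings

# Constructed sample export: one policy set up as in Step 2, one that is not.
SAMPLE = json.loads("""
[{"displayName": "Box APP - users",
  "targetedAppManagementLevels": "unspecified",
  "apps": [{"mobileAppIdentifier": {"packageId": "com.box.android"}}],
  "assignments": [{"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                              "groupId": "00000000-0000-0000-0000-000000000001"}}]},
 {"displayName": "Box APP - misconfigured",
  "targetedAppManagementLevels": "mdm",
  "apps": [{"mobileAppIdentifier": {"packageId": "com.example.other"}}],
  "assignments": [{"target": {"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
                              "groupId": "00000000-0000-0000-0000-000000000002"}}]}]
""")

def audit_all(policies):
    """Map each policy's display name to its findings."""
    return {p["displayName"]: audit_policy(p) for p in policies}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "->", findings or "OK")
```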
More info and resources
For further resources on this subject, please see the links below.
If you have any questions, reply to this post or reach out to @IntuneSuppTeam on Twitter.