Integrating Box for EMM app with Intune app protection policies (APP)

Published Apr 22 2021 12:31 PM

By Masaki Iwamaru – Service Engineer | Microsoft Endpoint Manager – Intune


Box for EMM is an app for the iOS platform developed by Box Inc. The Box for EMM app is intended for enterprise customers with mobile device management (MDM) solutions such as Microsoft Endpoint Manager - Microsoft Intune. The app provides secure access to data in Box cloud storage workspace from iOS devices.


When you integrate Box for EMM app with Intune, you can apply app protection policies (APP) to enable data protection features of the app built with the Intune App SDK. You can control data transfer between apps, restrict copy-paste between apps, set access requirements, and force conditional launch settings.


This blog post provides step-by-step guidance on integrating the Box for EMM app with Intune for managed devices.



There is a separate Box app that is available for both personal and enterprise use. This article focuses on the Box for EMM app, which has supported Intune since 2015. Both the Box for EMM and Box app can access the same cloud storage space provided by the Box EMM Enterprise workspace.


Integrate Box for EMM with Intune

Step 1. Add and deploy the Box for EMM app in Intune.

First, add the Box for EMM app in Intune through the iOS store.


To add Box for EMM to Intune:

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Go to Apps > All apps > Add.
  3. In the Select app type pane, under the available Store app types, select iOS store app.
  4. Search for “Box for EMM” and complete the steps to add the app to Intune.
  5. Select to add the app to Intune. For detailed instructions, see Add iOS store apps to Microsoft Intune.


After you add the app to Intune, assign it to users and devices. For detailed instructions, see Assign apps to groups in Microsoft Intune.



You can also deploy the Box for EMM app that’s purchased through the Apple Volume Purchasing Program (VPP).


Step 2. Create and deploy an app configuration policy.

You are required to create an app configuration policy to allow your users to sign in to the Box for EMM app.


  1. In the Microsoft Endpoint Manager admin center, go to Apps > App configuration policies.
  2. Select + Add and choose Managed devices from the list.
    Be aware you need to create and deploy an app configuration policy using a managed device. Managed apps won't work for the Box for EMM app.
  3. In the Name field, enter a policy name, and in the Platform field, select iOS/iPadOS.
  4. For Targeted app, choose Select app, and then select Box for EMM from the list.

    Figure 1. Box for EMM policy in the Microsoft Endpoint Manager admin center
  5. Continue to the Settings page.

  6. Choose Use configuration designer from the Configuration settings format list and specify the following values from the XML property list.

    Configuration key Value type Configuration value
    Public ID String <The value provided by>
    Management ID String AnyString
    Intune Enterprise String 1 String AnyString
    userprincipalname String {{UserPrincipalName}}

    Figure 2. App configuration policy settings

  7. Continue to the Assignments page and assign the policy to the applicable groups, users, or devices. Use the same assignments you configured for the Box for EMM app in Step 1.


Step 3. Create and deploy an app protection policy (APP) for the Box for EMM app.

You can create a new app protection policy for iOS and iPad operating systems (OS) or use an existing one. Here are a few best practices:

  • Make sure that the Box for EMM app is included in the Targeted apps list of the policy.
  • Make sure the policy is assigned to the correct users. App protection policies should be assigned to users instead of devices.
  • Set Target to apps on all device types to Yes in app protection policies to avoid misconfigurations.


If you set this field to No, you might need to deploy the IntuneMAMUPN key. This is often overlooked by administrators, so we recommend setting it to Yes. See the Intune documentation for more information about the iOS app configuration settings and an example using this key.

Figure 3. App configuration policy settings

Step 4. Install the Box for EMM app on iOS/iPadOS devices.

Make sure both the app and the app configuration policy are configured and assigned in Intune. Either push the app to managed devices using Intune (Required assignment), or have users install the app from the Company Portal (Available assignment).

You can check deployment status in the Microsoft Endpoint Manager admin center.


Step 5. Launch the Box for EMM app.

When a user launches the app, they will see the Microsoft Azure Active Directory (Azure AD) sign-in screen. The user name is automatically populated. It should be the same as the user who enrolled the device. When they sign in to Azure AD, the app protection policy will be applied. The user will then see an app restart request.


Step 6. Relaunch the app.

When a user relaunches the app, it might ask them to set an app PIN at sign in (if you configured it to require one). They can now use the app with Intune app protection.



Here are common issues to be aware of when you’re integrating the Box for EMM app with Intune:

The Box for EMM app is not installed on iOS devices.

Make sure you assigned the app to the correct groups. You can check app installation status in Device install status in each app or Managed Apps in each device.

If you use VPP for app deployment, make sure the VPP token is valid, and you have enough app licenses.


App configuration policy for Box for EMM app shows Not applicable.

Ensure that the Box for EMM app is installed using Intune instead of the App Store.

Check that the app configuration policy targets the Box for EMM app that you are deploying. Sometimes it targets the incorrect applicationID of the same app name because you have multiple Box for EMM apps in the Microsoft Endpoint Manager admin center or you have deleted and re-added the app.

The app configuration policy type should be Managed devices instead of Managed apps.


App protection policy is not applied after sign-in.

Make sure the policy is assigned to the correct users. App protection policies should be assigned to users instead of devices.

Be sure that Target to apps on all device types is set to Yes.

It can take time for the policy to be applied if end users are signed in to the app before the policy assignment. This article provides more information about expected policy delivery timing.
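The checks from Steps 1 to 3 and the issues listed above can be run together against the three objects involved (app, app configuration policy, app protection policy). The following is an added example, not part of the original post or of any Microsoft or Box tooling; the dictionary layout, field names, IDs and group names are hypothetical and do not follow the Microsoft Graph schema, while the configuration key names checked are taken from the Step 2 table.

```python
# Constructed, simplified model of the Intune objects from Steps 1-3.
# Field names are hypothetical; this is not the Microsoft Graph schema.
REQUIRED_KEYS = ("Public ID", "Management ID", "userprincipalname")

def check_box_emm_setup(app, config, app_protection):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    settings = config.get("settings", {})
    # Step 2: the policy must be of type Managed devices.
    if config.get("channel") != "managedDevices":
        findings.append("config policy type is not Managed devices")
    # A deleted and re-added app keeps its name but gets a new application ID.
    if config.get("targeted_app_id") != app["id"]:
        findings.append("config policy targets a different application ID")
    for key in REQUIRED_KEYS:
        if not settings.get(key):
            findings.append(f"config key '{key}' has no value")
    upn = settings.get("userprincipalname", "")
    if upn and upn.lower() != "{{userprincipalname}}":
        findings.append("userprincipalname is not the {{UserPrincipalName}} token")
    # Step 2, item 7: same assignments as the app from Step 1.
    if set(config.get("groups", [])) != set(app.get("groups", [])):
        findings.append("config policy and app assignments differ")
    # Step 3: the APP targets the app and is assigned to users, not devices.
    if app["id"] not in app_protection.get("targeted_app_ids", []):
        findings.append("app protection policy does not target the app")
    kinds = {g["kind"] for g in app_protection.get("groups", [])}
    if kinds != {"user"}:
        findings.append("app protection policy is not assigned to user groups only")
    # With the all-device-types toggle set to No, IntuneMAMUPN may be required.
    if not app_protection.get("target_all_device_types") and "IntuneMAMUPN" not in settings:
        findings.append("Target to apps on all device types is No and IntuneMAMUPN is absent")
    return findings

# Constructed sample data (IDs, group names and values are placeholders).
APP = {"id": "app-0001", "groups": ["box-users"]}
GOOD_CONFIG = {"channel": "managedDevices", "targeted_app_id": "app-0001", "groups": ["box-users"],
               "settings": {"Public ID": "PLACEHOLDER-PUBLIC-ID", "Management ID": "AnyString",
                            "userprincipalname": "{{UserPrincipalName}}"}}
GOOD_APP = {"targeted_app_ids": ["app-0001"], "target_all_device_types": True,
            "groups": [{"name": "box-users", "kind": "user"}]}
# Misconfigured variant: managed-apps channel, stale app ID, device-group APP.
BAD_CONFIG = dict(GOOD_CONFIG, channel="managedApps", targeted_app_id="app-0002")
BAD_APP = dict(GOOD_APP, target_all_device_types=False,
               groups=[{"name": "ipads", "kind": "device"}])
if __name__ == "__main__":
    for finding in check_box_emm_setup(APP, BAD_CONFIG, BAD_APP):
        print("FINDING:", finding)
```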

How can I get Public ID for my Box tenant?

Public ID is provided by Box, Inc. for your tenant. Contact Box support for this information.

Should I set up single sign-on (SSO) between Azure AD and Box service?

You can use Box for EMM features without SSO integration. While it is optional, SSO provides a simplified and excellent user experience. Check out this article to learn about SSO integration guidance.

I want to allow access with Box for EMM app only while blocking personal Box app.

You can use the iOS device restriction profile to hide and disable the Box for EMM app. The Show or hide apps setting is applicable only to supervised iOS devices.

There is also a setting for enabling and disabling Official Box Apps in Box Admin Console - Apps.

I want to disable Files app functionality on iOS devices to prevent unintended file sharing.

Intune doesn't have this setting. There is a setting for disabling Files app functionality in Box Admin Console - Enterprise Settings - Mobile.

Are there recommended settings for the Box for EMM app?

The following recommended settings allow end users to open, modify, and save files directly in Box storage with Microsoft Office applications.


Setting name | Value
Send Org data to other apps | Policy managed apps with OS sharing
Receive data from other apps | All Apps with incoming Org Data
Save copies of Org data | Block
Allow user to save copies to selected services | Select locations you want to save org data into

We also recommend adding the following key/value pair in the app configuration policy.

Key Value (if you’re using Intune as the MDM)


The actual value specified for the IntuneMAMUPN key depends on the MDM provider you are using. You can find examples of the value you should enter for a third-party MDM provider in this article.


More info and feedback

For further resources on this subject, please see the links below.

iOS/iPadOS app protection policy settings

Validate your app protection policy setup

Create and deploy app protection policies

Set up app protection policies for iOS devices

Box for EMM Overview and FAQ


If you have any questions, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Version history
Last update: Jul 13 2021 12:35 PM