What security settings can I enforce for my users?
As an Enterprise admin, you have access to an additional Security tab within the Enterprise Settings that allows you to set account-wide security settings for your managed users.
To access your security settings, follow these steps:
- Log in to your account and navigate to the Admin Console
- Click on the gear icon in the top right corner and select Enterprise Settings from the drop-down menu
- Navigate to the Security tab
Signup and Login: This section gives you the option to enable self-signup, restrict users from changing their email address, set up admin notifications for user activity, prevent persistent account sessions, and require 2-step login verification for unrecognized logins.
Enterprise Admins can configure password policies for their managed users, including:
- Password strength requirements
- Password resets (automated or manual global password reset)
- Password re-use restrictions
- Notification after a set number of failed attempts
- Prevention of persistent logins
- Maximum session duration limits
Note: If your enterprise account is SSO enabled, these password settings apply to a user's external "Box-specific password", not their SSO password. This is also where you can require strong passwords for external collaborators.
Uploads: This setting gives Enterprise and Elite admins the option to prevent users from accessing their Box accounts via regular (unencrypted) FTP.
Application Management: This section allows you to configure the number of applications allowed per user, and whether users need to verify logins from unrecognized browsers and applications.
Session Duration: Here you can set a limit on how long a managed user can stay logged in to their account without activity. The default session duration is 48 hours.