What security settings can I enforce for my users?
As an Enterprise admin, or above, you have access to additional security capabilities that enable you to set account-wide security settings for your managed users.
To access your security settings:
- Log in to your account and navigate to the Admin Console.
- In the left sidebar, click Enterprise Settings.
- At the top of the page, click Security.
2-Step Login Verification: In this section, you can require people to provide a second source of verification to access your enterprise's content.
Password Requirements: In this section, Enterprise Admins can configure password policies for their managed users, including:
- Password strength requirements
- Password resets (automated or manual global password reset)
- Password re-use restrictions
- Notification after a set number of failed attempts
- Maximum session duration limits
If your enterprise has more than 1,000 managed users, please reach out to Box Support to perform a global password reset.
If your enterprise account is SSO-enabled, these password settings apply to a user's external "Box-specific password," not the user's SSO password. This is also where you can require strong passwords for external collaborators.
Session Duration for All Users: Here, you can set a limit on how long a managed user can stay logged in to their account without activity. The Default value is 14 days (2 weeks).
Session duration settings apply only to the Box Web application. Any session duration limits set here do not apply to users accessing Box through any other Box endpoints (for example, Box mobile applications, Box desktop applications, m.box.com, Box Notes, etc.).
To enable device pinning:
- From the Admin Console, in the left sidebar, click Enterprise Settings.
- At the top of the page, click Device Trust.
- Check Enable Device Pinning.