Building on the login tracking feature – which allows admins to set limits on the number of devices a user can access Box from and sends alerts to them and the user whenever a new device is used to access that Box account – Box has additional device management functionality to increase security when accessing Box on mobile or desktop devices: device pinning.
This feature allows admins to limit which devices a user can access Box from, ensuring access is only allowed on trusted devices.
What is device pinning?
Device pinning allows enterprise admins to associate their users' corporate-managed Box accounts to a particular mobile device or Box Sync client. A user who uninstalls Box from a pinned device cannot reinstall it on a new device (past the device number limit). Admins have access to a dashboard in the admin console for managing the following:
- Enable/disable device pinning
- Set the number of devices to which the Box application can be pinned
- View all devices associated with each managed user’s account
- View all devices across managed users
- Disassociate a device from a user (this will log the user out)
- The devices an admin can manage are computer (Box Sync), phone and tablet
How does the feature work?
When device pinning is enabled for a business, admins can set a limit on the number of devices that a managed user can pin the Box app to. Uninstalling the Box app from a device will not allow the user to log in to their corporate Box account from another device that is not on their pinned list if they have already reached the pinning limit for that application type.
When device pinning is turned on, the Box app can be pinned to a device as follows:
- The user logs into the Box application from a device.
- If a managed user already has the Box app installed on a device and is logged in when device pinning is turned on, the next time the user performs any Box server operation (such as refreshing All Files or uploading a new file) will pin the application to that device.
- The first mobile app client that is (1) logged in from or (2) an action is performed on, will pin the application to that device. Once an application has been pinned to certain device, the admin is the only person who can remove that pin.
- Box Sync only sends in the Device ID or token request at login/session renewal.
How do device limits work?
If an admin sets the number of devices that a user within their enterprise can install the Box app on to a number greater than one, each subsequent login to a new device will pin the Box app to that device until the limit has been reached.
Once the number of devices for a managed user has been reached, that user will be prohibited from logging in on an additional devices.
If you do not want to place a limit on the number of devices the Box app can be pinned to but you want to monitor and manage device pins, you can enable the device pinning feature and set the device limit to unlimited.
What ID is stored from the device?
For Box Sync, the Device ID is pinned. See the next questions Can I use Box Sync with device pinning enabled? for additional information.
For mobile clients, Box stores a unique string per device based on the available properties of the device.
Can I use Box Sync with device pinning enabled?
Device pinning is compatible with Sync on Windows and Mac, including virtual machines.
Users will receive an error message when attempting to login to Box Sync without a Device ID:
- Windows: If the CPU or hard drive device ID is unavailable.
- Mac: If the serial number is unavailable.
Which types of accounts can use device pinning?
The feature is available for Business, Business Plus, and Enterprise accounts.
Who can enable and manage this feature?
Admins and co-admins have access to the device pinning feature.
Where is the feature in the Admin Console?
To pin (or un-pin) Box to people's devices, navigate to Enterprise Settings > Device Trust tab.
- To enable the device pinning feature, click Enable Device Pinning slider.
- To limit the number of devices to which your managed users can pin the Box application, select a number from Devices Per User drop down and click Save.
- To track the devices to which your managed users are pinning the Box application, but do not want to limit the number of devices, click the Devices Per User down arrow, and from the list that displays click Unlimited.
- You can exempt an individual from the device limit set for your enterprise. To do this, navigate to Users & Groups > Managed Users tab. Select the user you want, and scroll down to the Edit User Access Permissions section. Check the Device Pinning check box.
If device pinning is not enabled for your enterprise as a whole, you cannot exempt an individual from device pinning.
After enabling device pinning, use the Application Usage table to track the devices to which your users pin the Box application.
You can search for a particular user by typing their name into the Name field to view the devices to which the user has pinned the application.
You can view a filtered list of a specific application by using the All Applications drop down.
To remove a pin or multiple pins, check the box to the right of the user’s application you want to unpin. Once a box or multiple boxes are selected, a Remove button displays at the top of the table.
Navigate to Users & Groups > Managed Users tab. Select the user you want, and scroll down to the Edit User Access Permissions section:
- You can also view the devices a specific user has pinned the Box application to by going to their user page.
- To remove a specific pin for a user, to the right of the application you want to remove, click X.
- To remove all pins for a user, click the Remove All link.
What system requirements are there for this feature? What do I need my managed users to do in preparation for the feature?
Before enabling the device pinning feature, admins will want to make sure their managed users are prepared with devices and versions of the Box apps that meet these requirements:
- Operating system requirements – Device pinning is supported on the following platforms
- iOS 6 and higher for use on iPhones/iPads
- Android OS 2.2 (Froyo) and higher for use on Android devices
- No other devices have minimum operating system requirements
- BB10 is not supported at this time
- Device requirements – Device pinning is not supported on the following mobile devices
- iPhone 3G or older
- iPad 1
- Box App requirements– Device pinning is supported for the following app versions
- Box for iPhone and iPad 2.8.3 and higher
- Box for Android 2.1 and higher
- Box for Windows 8 1.5 and higher
- Box for Windows Phone 1.5 and higher
- Box Sync 3.3 and higher
If device pinning is enabled and one of your managed users has an out of date operating system, unsupported device or old version of the Box application, they will be automatically and unexpectedly logged out of the app when they next attempt to access Box on that device.
If a user is automatically logged out of the Box application:
- They will need to log in again to access the application
- They may be confused over why they need to log in again when they normally can just click the app icon to use it
- They will also receive an error message telling them they must upgrade their operating system, device or Box app
To avoid logging your managed users out of their Box application, make sure they have upgraded their operating systems, devices and Box apps before turning on the feature
What if I’m already using application limits?
Application limits will be deprecated in favor of device pinning. If you already have device limits enabled for your enterprise, you will need to enable device pinning and select the limit for how many devices the Box application can be pinned to for your managed users.
What happens if a user hits their limits?
If a managed user has pinned the Box app to the maximum number of devices, they will be unable to log in or will be logged out of the app when they:
- Attempt to log in to the application from an additional device
- Attempt to perform an action on an application from an additional device (in the case the app was installed prior to device pinning being enabled)
The Admin can remove the device. See instructions in this article section: What If the Device is Lost or Stolen?
What happens if I lower the device limit?
If you reduce the number of devices the Box app can be pinned to, your managed users will be automatically logged out of all Box applications
What are the different errors a user might encounter?
If a user’s operating system, device or apps are not up to date before device pinning is enabled, they may receive one of the following error messages:
- iOS update required.
- Device not supported (only for iPad 1) – Your Box administrator restricted the use of this application on first generation iPads. Please contact your administrator regarding your access.
- Device limits exceeded – Your admin has restricted the use of this application. Please contact your admin to authorize this device.
- Box App update required.
- Device limits exceeded.
- Box Sync is unable to obtain a unique Device ID.