Understanding Mobile Security Settings

To control these features from your Admin Console, navigate to the Enterprise Settings > Mobile tab. Turn settings on and off by clicking the corresponding slider. The setting is On when the slider is blue and the button is on the right. The setting is Off when the slider is grey and the button is on the left. The setting is unavailable to you (that is, you cannot change it) when the slider is light grey.

Mobile Device Encryption

Device manufacturers generally encrypt devices by default. Box relies on system or device encryption for both iOS and Android.

iOS devices generally have a passcode and provide TouchID and FaceID verification, which further protects files on iOS. You can find more details from Apple. Additionally, Device Trust enables you to require iOS devices to have passcodes before using Box. 

If an Android device is not encrypted, the app data is also unencrypted but cannot be accessed by another app — app data is private for that app's use only. On Android, Device Trust doesn't directly enforce a device passcode for users, but Android Enterprise and other EMM providers have native control over the device and can enforce a requirement for passcodes.
To disable downloads on Android devices that have no passcodes, check Save to device only if encrypted (Android only), described below.

What are the main benefits?

• For users, mobile security settings can be enabled to provide additional protection when accessing Box from their mobile devices.
• For admins, Box mobile app management features provide visibility into all account activity—including users and their files—and let admins manage how content is shared and accessed both inside and outside the company.

File Security Settings

You have multiple options for controlling the level of content security with mobile devices:

• Files can be saved to device: Controls people's ability to download files or save them for offline use on their mobile devices. Effective Box for iOS 3.2+ and Box for Android 3.2+, to configure the following settings, you must click the slider for this setting to On (blue):
  • "Preview only" collaborators can save files for offline use
  • Content can be opened in external applications
  • Content can be printed
  • Save to device only if encrypted (Android only)
  • Files can be opened in applications that save back to Box (iOS only)
• "Preview-only" collaborators can save files for offline use: Box account holders with "Preview only” permissions for a folder can save folder content for offline use when you click the slider to On (blue). “Preview only” folder contents never leave the Box app container.
• Content can be opened in external applications: Enables you to control people's ability to open content from Box in other applications using the same operating system.
• Content can be printed: Enables you to control people's ability to print files from their devices.
• File contents can be copied and pasted: Enables you to control people's ability to copy text to their device clipboard and paste it elsewhere.
• Automatic uploading from device: Controls the appearance of an automatic uploading feature within the app. This setting is available only to customers with paid accounts.
• Contextual information included in push notifications: Enables you to control people's ability to receive contextual details, such as file names, with the push notification.
• Save to device only if encrypted (Android only): On versions of Android that support this feature, the Box application can detect if full-device encryption is enable:
  • If so, you can Allow savings files by clicking the slider to On (blue).
  • If not, this field remains Restricted.
• Files can be opened in applications that save back to Box (iOS only): Enables the file picker to open files from Box in external applications and save changes back to Box.
• Disable iOS Files functionality on devices running iOS 12.0 or older (iOS EMM only): Prevents people with iOS devices from accessing content via Box for Enterprise Mobility Management (EMM) in conjunction with mobile device management (MDM) protections. This setting does not affect the Box app.

Mobile security settings available to individual Box account holders

• Passcode lock: You can set an application-specific passcode (only used to open the Box app) and set the threshold for inactivity before you are prompted for it.
  • How to enable: The passcode lock can be turned on and off and the timeout can be set in the settings of the mobile app.
  • Why this is important: It's an extra layer of security on your Box account if your mobile device is lost or stolen.
• Remote log-out:You have the ability to remotely log out of the Box app installed on your mobile device.
  • How to use: Accessing Box from a web browser, you can navigate to Account Settings > Security tab. All of your login activity will be listed, and you can log out of Box from any phone, tablet, device or browser by clicking on “forget app”.
  • Why this is important: You can revoke access to your account and content even after your mobile device is lost or stolen.
• Require 2-step login verification: You can require 2-step login verification for any new or unrecognized login to your account—including logins from mobile apps. With the feature turned on, a security code is texted to your mobile phone and is required in addition to your password in order to access your Box account.
  • How to enable: From the Box web application, you can navigate to Account Settings > Account tab and turn on 2-step login verification.
  • Why this is important: Prevent imposters from logging into your Box account.

Mobile security settings available to admins

• Restrict saving files for offline use: Admins can choose to allow or block the Box mobile apps from saving files onto discrete devices.
  • How to enable: Navigate to Admin Console > Enterprise Settings > Mobile tab. Then in the User Permissions for Box Mobile Application section, next to Files can be saved to device, click the slider to On (blue). Admins can also view the features they’ve enabled or disabled for all employees in their security reports.
  • Why this is important: Maintain more control over content while still allowing employees mobile access to Box.
• Intune Mobile Application Management: Admins can choose to enforce Microsoft's Intune Mobile Application Management service even if Box account holders are not enrolled in this service.
  • How to enable: Navigate to the Admin Console > Enterprise Settings > Mobile tab. Then in the User Permissions for Box Mobile Application section, next to Intune Mobile Application Management, click the slider to On (blue). Admins can also view the features they’ve enabled or disabled for all employees in their security reports.
  • Why this is important: Exercise more control over access to content while still allowing employees mobile access to Box.
• Require an application-specific passcode lock: Admins can require their Box accountholders to set an application-specific passcode and set the threshold for inactivity. When people exceed the threshold, Box requires them to enter the passcode. Accountholders with this requirement on their devices can use FaceID (on iOS) or BiometricPrompt (on Android) to bypass this passcode.
  • How to enable: Navigate to Admin Console > Enterprise Settings > Mobile tab. Then, in the Passcode Settings for Box Mobile Application section, click the Require passcode lock down arrow and select a time limit. You can also view the features you’ve enabled or disabled for all employees in their security reports.
  • Why this is important: It's an extra layer of security if someone's a mobile device is lost or stolen.
• Require 2-step login verification: You can require 2-step login verification for any new or unrecognized logins—including on mobile apps. When you enable this setting, the system texts a security code to an individual's mobile phone. They must then use that code, in addition to their password, to log in.
  • How to enable: Navigate to Admin Console > Admin Settings > Security tab. In the Signup and Login section, check Login Verification to require 2-step login verification for everyone.
  • Why this is important: Prevent an imposter from logging in to an employee’s account. Everyone -- including administrators -- who has not set up a login verification will be required to enter their mobile phone number on their next log in to the Box Web site before they can access their account.
  • How to enable: Navigate to Admin Console > Enterprise Settings > Device Trust  tab. To make the device pinning options available, in the Application Settings section check Enable Device Pinning.
  • Why this is important: Exert more control over mobile access to corporate accounts, enabling you to limit access to trusted devices.
  • To limit the number of devices per person to which each Box application can be pinned, under Devices Per User click the corresponding down arrow. Click the number of devices you want.
    • To allow people to pin the Box application to an unlimited number of devices, click Unlimited.
    • To receive a notification each time someone pins the Box application to a new device, check the corresponding Notify Admin check box. When you're done, click Save.
  • Device pinning: Admins can enable people to access their corporate-managed Box account from any number of devices, but can also limit the types and number of those devices each person can use. For example, you can limit employees to logging in via only one iOS or one Android phone or tablet.
    • Important - Before you enable this feature, ensure your people have upgraded their mobile devices and Box apps. 

• Remove pinning or remote log-out per person: You can also un-pin specific devices for specific employees. When you do this, they system logs that person out on that device.
  • How to enable: Navigate to Admin Console > Enterprise Settings > Device Pinning tab. To un-pin a device, in the Application Usage section, in the Search Users box start typing the name of the person whose device you want to un-pin. Box displays a list of names. Click the name you want. The system displays the list of devices to which Box is pinned. For each device you want to un-pin, click Remove.
  • Why this is important: Secure corporate accounts and content even after an employee’s mobile device is lost or stolen.
  • Notes
    You can also use the All Application Types drop-down menu to specify device pins for a discrete Box application. When the list of application pins displays, you can remove an existing pin by checking the check box to the right of the application type, and then clicking Remove.

Why should admins care about all these settings?

• These granular security settings give admins the flexibility to allow mobile access for employees while maintaining control of company information.
• Admins can also customize their Box mobile deployments as needed by their use case and security needs.

What types of customers can use these settings?

• All the admin security options above are available in Business, and Enterprise accounts.
• Admins with business accounts also have the ability to enable device pinning and require 2-step login verification.

How is this different than what mobile device management providers like MobileIron?

• The settings help admins customize user access and file sharing options within Box’s mobile apps. However, many enterprises need MDM solutions to secure content across the entire mobile device (not just content on Box).

Where can I get more information?

• More info on device pinning: Device Pinning Settings