Print

Setting Up Device Trust Security Requirements

  • Posted Updated

Device Trust helps you enforce your enterprise's compliance or security policies by defining a minimum set of requirements for devices used to access Box. Device Trust verification is enforced at login, for your managed users, and access is prevented unless you have enabled Audit-Only mode.  (Scroll down to the bottom of the article for details about Audit-Only mode).

 

Note
Admins and co-admins who can edit enterprise settings are exempt from Device Trust checks. This keeps them from accidentally locking themselves out of the admin console.

Users who log in via FTP and WebDav are also exempted from Device Trust checks.

 

Device Policy in Use

When Device Trust is enabled and restrictions are set, users that don't meet these requirements will see a screen like the one below and won't be allowed to access Box.

mceclip0.png

 

Enabling Device Trust for managed users

  1. Go to Admin Console -> Enterprise Settings.
  2. Select Device Trust tab.
  3. Click Create.

Creating Device Trust policy

Once you've started the process to create a policy, first name the policy and then add a description to clarify the intention of the policy.

Note: If enabled for your organization, you can add multiple security policies.

 

Applying levels of security:

If you need to add different levels of security to your company with the Device Trust policy, you can:

  • Enable for all users.
  • Enable for selected groups of users.
    • Select the groups by entering the group name and click Save.
  • Enable for all users but exclude selected groups of users.
    • Select the groups by entering the group name and click Save.

 

Audit-Only Mode

Before enforcing your Device Trust requirements you can test your configuration without risk of impacting your users by enabling the audit-only mode. This setting could also be used to monitor access on your Box instance.

Note
 If the audit-only mode is turned on, users will be able to login without any impact on their experience. Please refer to the section about Audit-Only mode below to learn more. 

 

Configure Details

Select the Box applications for which you want to enforce device trust ownership and/or security requirements. If you do not toggle on a specific application, then users will be able to access that app without being required to meet device trust requirements.

 

mceclip0.png

 

Notes
  • If the Web App & 3rd Party Apps option is selected, mobile devices can't access the Box Web App. However, selecting Web App & 3rd Party Apps, does not prevent mobile site access at m.box.com and Box Web App access redirected from m.box.com. If the customer needs to restrict such access, either:
  • Also, for computers you must have Box Tools installed for the Web App to perform the necessary Device Trust security checks.
  • Device trust only applies to non-EMM (enterprise mobile management) mobile apps, and device trust security check is not run on EMM apps. For EMM apps, admins can apply the same functionality via their MDM provider.

 

Select the scope of your restrictions. You can choose to require your users to meet both Device Ownership Requirements and Device Security Requirements, or allow them to access Box if they only meet one or the other requirements set. 

 

Note
For Device Ownership requirement, you can decide to require both the Domain membership and the Certificate Presence or either one of them

 

Next, select the specific checks you want to enforce for each device/operating system. Below is information about each available verification.

 

Ownership verification on both macOS and Windows

Define how we should recognize a macOS or Windows computer that you manage via either a Domain membership check or a security certificate presence validation. 

mceclip1.png

  • Devices must be joined to a Windows domain: You can require that a macOS or Windows device be joined to a Windows Active Directory domain or an Azure AD tenant ID*. You can even add multiple domains- separated by commas.
  • Require certificate validation: Two certificate verification options are available.

Option 1 - Device-specific certificate validation*: In this scenario we will perform a client-side certificate validation, challenging the device for its identity defined by a unique certificate (and corresponding private key) signed by your enterprise or MDM Certificate Authority.

 

Note
For the device-specific certificate validation we require the device certificate to be stored in the KeyChain (macOS) or in the local or user certificate manager (Windows). The device certificate must be signed directly by the certificate uploaded on Box Admin Console and we don't verify the device certificate against a revocation list. Also, the device certificate must not be expired.

 

Option 2 - Enterprise certificate verification: In this scenario we will look in the KeyChain (macOS) or in the local or user certificate manager (Windows) for the same certificate you upload in the Box Admin Console to establish the ownership of the device.

 

Note
If you enable the Enterprise certificate check, you must install the certificate into a certificate store available to the same user context under which Box Tools is running. For example, if Box Tools is running in a machine-wide installation, the device trust check runs in the context of the SYSTEM user. If you install the certificate only in the user's certificate store, then device trust checks can fail. For device trust to work, you must push out the certificate to the local machine's profile (in addition to other locations).

*You must have the minimum versions of Box Drive 2.14.378, Box Sync 4.0.8004, and Box Tools 4.9.2 (Windows) and 4.12.2 (Mac) to pass this check.

 

Security requirements for macOS, Windows, iOS and Android

As an Admin you can define minimum security requirements on devices (regardless if they are managed or unmanaged).

mceclip2.png

macOS and Windows

  • Require minimum operating system version: Enables you to enforce newer versions of macOS and Windows operating systems, which incorporate enhanced security features. Supported minimum versions are (corresponding server OS versions in parentheses):
    • For Windows:
      • Windows 8 (Windows Server 2012)
      • Windows 8.1 (Windows Server 2012 R2)
      • Windows 10 (Windows Server 2016)
    • For macOS:
      • El Capitan (10.11)
      • Sierra (10.12)
      • High Sierra (10.13)
      • Mojave (10.14)
      • Catalina (10.15)
      • Big Sur (11.0)
  • Require antivirus is installed and up-to-date*: Helps further protect sensitive content accessed by a device by ensuring antivirus is installed and updated on that device.
    • Windows: checks antivirus status in Windows Security Center
    • Mac: checks McAfee (+ePO), Symantec, Norton, Trend Micro, ESET, Sophos, Kaspersky, Cisco AMP, AVG, Cortex XDR, CarbonBlack, CrowdStrike Falcon, Jamf Protect, FireEye, or Microsoft Defender
  • Require firewall to be enabled*: Enables you to enforce the benefits of firewall protection on devices.
    • For Windows: Windows Security Center
    • For Mac: OS X Firewall
  • Require all disks to be encrypted: Helps protect against data loss by requiring disk encryption software.
    • For Windows:
      • Bitlocker
      • Symantec Encryption Software (Powered by PGP)
      • McAfee
      • Check Point
    • For Mac:
      • Filevault
      • Check Point

* These checks are not supported on Windows Server operating systems.

iOS

  • Require a device passcode: requires that a device level passcode be set.
  • Jailbreak: requires that the device not be jailbroken.
  • Minimum OS: requires that a minimum version of iOS and iPadOS be installed on the device. Supported versions:
    • iOS 8
    • iOS 9
    • iOS 10
    • iOS 11
    • iOS 12
    • iOS 13/iPadOS 13
    • iOS 14/iPadOS 14

Android

  • Root Detection: requires that the device not be rooted.
  • Minimum OS: requires that a minimum version of Android be installed on the device. Supported versions:
    • 5.0 (Lollipop)
    • 5.1
    • 6.0 (Marshmallow)
    • 7.0 (Nougat)
    • 7.1
    • 8.0 (Oreo)
    • 8.1
    • 9.0 (Pie)
    • 10
    • 11

 

Additional Platform Restrictions 

Device Trust is only supported on platform where Box is supported. This means Windows, MacOS and also Android and iOS running Box Mobile applications.
If you would like to block access to Box from all device types for which device trust is not supported, click the slider to toggle on Block access for all unsupported platforms.
DeviceTrustToggle.png

When Device Trust is enabled for your enterprise, the checks you have selected above are performed on any net new logins to the platforms you have chosen.

 

Note
This setting will allow login even if users fail to meet your requirements (fail-open).

 

To monitor devices access:

  • Reports can be generated in Admin Console > Reports > User Activity (select the Failed Device Trust Check under Login)
  • Logs are available in Box Events Stream

 

 

 

tech_writers_swarm_kb

Related articles