Setting Up Device Trust Security Requirements – Box Support

Device Trust helps you enforce your enterprise's compliance or security policies by defining a minimum set of requirements for devices used to access Box. Device Trust verification is enforced at login, for your managed users, and access is prevented unless you have enabled Audit-Only mode. (Scroll down to the bottom of the article for details about Audit-Only mode).

Note
Admins and co-admins who can edit enterprise settings are exempt from Device Trust checks. This keeps them from accidentally locking themselves out of the admin console.

Users who log in via FTP and WebDav are also exempted from Device Trust checks.

Experience for your users

When Device Trust is enabled and restrictions are set, users that don't meet these requirements will see a screen like the one below and won't be allowed to access Box.

Note
If the audit-only mode is turned on, users will be able to login without any impact on their experience. Please refer to the section about Audit-Only mode below to learn more.

Enable Device Trust for managed users

Open the Admin Console, and in the lefthand navigation click Enterprise Settings.
Toward the top of the page click Device Trust.
Scroll down to the Device Trust Requirements section.

Select the Box applications for which you want to enforce device trust ownership and/or security requirements. If you do not toggle on a specific application, then users will be able to access that app without being required to meet device trust requirements.

Notes
If the Web App & 3rd Party Apps option is selected, mobile devices can't access the Box Web App. Also, for computers you must have Box Tools installed for the Web App to perform the necessary Device Trust security checks.
Device trust only applies to non-EMM (enterprise mobile management) mobile apps, and device trust security check is not run on EMM apps. For EMM apps, admins can apply the same functionality via their MDM provider.

Select the scope of your restrictions. You can choose to require your users to meet both Device Ownership Requirements and Device Security Requirements, or allow them to access Box if they only meet one or the other requirements set.

Note
For Device Ownership requirement, you can decide to require both the Domain membership and the Certificate Presence or either one of them

Next, select the specific checks you want to enforce for each device/operating system. Below is information about each available verification.

Ownership verification on both macOS and Windows

Define how we should recognize a macOS or Windows computer that you manage via either a Domain membership check or a security certificate presence validation.

Devices must be joined to a Windows domain: You can require that a macOS or Windows device be joined to a Windows Active Directory domain or an Azure AD tenant ID*. You can even add multiple domains- separated by commas.

Require certificate validation: Two certificate verification options are available.

Option 1 - Device-specific certificate validation*: In this scenario we will perform a client-side certificate validation, challenging the device for its identity defined by a unique certificate (and corresponding private key) signed by your enterprise or MDM Certificate Authority.

Note
For the device-specific certificate validation we require the device certificate to be stored in the KeyChain (macOS) or in the local or user certificate manager (Windows). The device certificate must be signed directly by the certificate uploaded on Box Admin Console and we don't verify the device certificate against a revocation list. Also, the device certificate must not be expired.

Option 2 - Enterprise certificate verification: In this scenario we will look in the KeyChain (macOS) or in the local or user certificate manager (Windows) for the same certificate you upload in the Box Admin Console to establish the ownership of the device.

Note
If you enable the Enterprise certificate check, you must install the certificate into a certificate store available to the same user context under which Box Tools is running. For example, if Box Tools is running in a machine-wide installation, the device trust check runs in the context of the SYSTEM user. If you install the certificate only in the user's certificate store, then device trust checks can fail. For device trust to work, you must push out the certificate to the local machine's profile (in addition to other locations).

*You must have the minimum versions of Box Drive 2.14.378, Box Sync 4.0.8004, and Box Tools 4.9.2 (Windows) and 4.12.2 (Mac) to pass this check.

Security requirements for macOS, Windows, iOS and Android

As an Admin you can define minimum security requirements on devices (regardless if they are managed or unmanaged).

macOS and Windows

Require minimum operating system version: Enables you to enforce newer versions of macOS and Windows operating systems, which incorporate enhanced security features. Supported minimum versions are (corresponding server OS versions in parentheses):
- For Windows:
  - Windows 8 (Windows Server 2012)
  - Windows 8.1 (Windows Server 2012 R2)
  - Windows 10 (Windows Server 2016)
- For macOS:
  - El Capitan (10.11)
  - Sierra (10.12)
  - High Sierra (10.13)
  - Mojave (10.14)
  - Catalina (10.15)
  - Big Sur (11.0)

Require antivirus is installed and up-to-date*: Helps further protect sensitive content accessed by a device by ensuring antivirus is installed and updated on that device.

Windows: checks antivirus status in Windows Security Center
Mac: checks McAfee (+ePO), Symantec, Norton, Trend Micro, ESET, Sophos, Kaspersky, Cisco AMP, AVG, Cortex XDR, CarbonBlack, CrowdStrike Falcon, Jamf Protect, FireEye, or Microsoft Defender

Require firewall to be enabled*: Enables you to enforce the benefits of firewall protection on devices.
- For Windows: Windows Security Center
- For Mac: OS X Firewall

Require all disks to be encrypted: Helps protect against data loss by requiring disk encryption software.
- For Windows:
  - Bitlocker
  - Symantec Encryption Software (Powered by PGP)
  - McAfee
  - Check Point
- For Mac:
  - Filevault
  - Check Point

* These checks are not supported on Windows Server operating systems.

iOS

Require a device passcode: requires that a device level passcode be set.
Jailbreak: requires that the device not be jailbroken.
Minimum OS: requires that a minimum version of iOS and iPadOS be installed on the device. Supported versions:
- iOS 8
- iOS 9
- iOS 10
- iOS 11
- iOS 12
- iOS 13/iPadOS 13
- iOS 14/iPadOS 14

Android

Root Detection: requires that the device not be rooted.
Minimum OS: requires that a minimum version of Android be installed on the device. Supported versions:
- 5.0 (Lollipop)
- 5.1
- 6.0 (Marshmallow)
- 7.0 (Nougat)
- 7.1
- 8.0 (Oreo)
- 8.1
- 9.0 (Pie)
- 10
- 11

Additional Platform Restrictions

Device Trust is only supported on platform where Box is supported: Windows, Mac, Android, and iOS. If you would like to block access to Box from all device types for which device trust is not supported, click the slider to toggle on Block access for all unsupported platforms.

When Device Trust is enabled for your enterprise, the checks you have selected above are performed on any net new logins to the platforms you have chosen.

Audit-Only Mode

Before enforcing your Device Trust requirements you can test your configuration without risk of impacting your users by enabling the audit-only mode. This setting could also be used to monitor access on your Box instance.

Note
This setting will allow login even if users fail to meet your requirements (fail-open).

To monitor devices access:

Reports can be generated in Admin Console > Reports > User Activity (select the Failed Device Trust Check under Login)
Logs are available in Box Events Stream