Device Trust helps you enforce your enterprise's compliance or security policies by defining a minimum set of requirements for devices used to access Box. Device Trust verification is enforced at login, for your managed users, and access is prevented unless you have enabled Audit-Only mode. (Scroll down to the bottom of the article for details about Audit-Only mode).
Experience for your users
When Device Trust is enabled and restrictions are set, users who don't meet these requirements will see a screen like the one below and won't be allowed to access Box.

Enable Device Trust for managed users
- Open the Admin Console, and in the left-hand navigation click Enterprise Settings.
- Toward the top of the page click Device Trust.
- Scroll down to the Device Trust Settings section.

Select the Box applications for which you want to enforce device trust ownership and/or security requirements. If you do not toggle on a specific application, then users will be able to access that app without being required to meet device trust requirements.
Select the scope of your restrictions. You can choose to require your users to meet both Device Ownership Requirements and Device Security Requirements, or allow them to access Box if they meet only one of the two requirement sets.
Next, select the specific checks you want to enforce for each device/operating system. Below is information about each available verification.
Ownership verification on both macOS and Windows
Define how we should recognize a macOS or Windows computer that you manage via either a Domain membership check or a security certificate presence validation.

- Devices must be joined to a Windows domain: You can require that a macOS or Windows device be joined to a Windows Active Directory domain or an Azure AD tenant ID*. You can even add multiple domains, separated by commas.
- Require certificate validation: Two certificate verification options are available:
  - Option 1 - Device-specific certificate validation*: In this scenario we will perform a client-side certificate validation, challenging the device for its identity defined by a unique certificate (and corresponding private key) signed by your enterprise or MDM Certificate Authority.
  - Option 2 - Enterprise certificate verification: In this scenario we will look in the KeyChain (macOS) or in the local or user certificate manager (Windows) for the same certificate you upload in the Box Admin Console to establish the ownership of the device.
*You must have the minimum versions of Box Drive 2.14.378, Box Sync 4.0.8004, and Box Tools 4.9.2 (Windows) and 4.12.2 (Mac) to pass this check.
Security requirements for macOS, Windows, iOS and Android
As an Admin you can define minimum security requirements on devices, regardless of whether they are managed or unmanaged.

macOS and Windows
- Require minimum operating system version: Enables you to enforce newer versions of macOS and Windows operating systems, which incorporate enhanced security features. Supported minimum versions are (corresponding server OS versions in parentheses):
  - For Windows:
    - Windows 7 (Windows Server 2008 R2)
    - Windows 7 SP1 (Windows Server 2008 R2 SP1)
    - Windows 8 (Windows Server 2012)
    - Windows 8.1 (Windows Server 2012 R2)
    - Windows 10 (Windows Server 2016)
  - For macOS:
    - El Capitan (10.11)
    - Sierra (10.12)
    - High Sierra (10.13)
    - Mojave (10.14)
    - Catalina (10.15)
- Require antivirus is installed and up-to-date*: Helps further protect sensitive content accessed by a device by ensuring antivirus is installed and updated on that device.
  - Windows: checks antivirus status in Windows Security Center
  - Mac: checks McAfee (+ePO), Symantec, Norton, Trend Micro, ESET, Sophos, Kaspersky, Cisco AMP, AVG, Cortex XDR, CarbonBlack or CrowdStrike Falcon
- Require firewall to be enabled*: Enables you to enforce the benefits of firewall protection on devices.
  - For Windows: Windows Security Center
  - For Mac: OS X Firewall
- Require all disks to be encrypted: Helps protect against data loss by requiring disk encryption software.
  - For Windows:
    - Bitlocker
    - Symantec Encryption Software (Powered by PGP)
    - McAfee
    - Check Point
  - For Mac:
* These checks are not supported on Windows Server operating systems.
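As an added example, not Box's own verification code or a Box-supported tool, the PowerShell script below runs local equivalents of the Windows ownership and security checks described above on an endpoint, so an admin can see which requirement a device would fail before enforcement is switched on. The configuration values at the top (allowed domain, Azure AD tenant ID, certificate thumbprint, minimum OS version) are placeholders; the certificate stores searched, the Security Center productState decoding and the way ownership and security results are combined are assumptions stated in the comments, not a description of how Box itself performs the checks.

```powershell
# Added example: local pre-flight check of a Windows endpoint against the kinds of
# requirements an admin can select for Device Trust. This is not Box's verification code.
# Run in an elevated PowerShell session: BitLocker and Security Center queries need it.

# Assumed configuration (placeholders; replace with the values entered in the Admin Console).
$Config = @{
    AllowedDomains           = @('corp.example.com')                       # assumption
    AllowedAzureTenantIds    = @('00000000-0000-0000-0000-000000000000')   # placeholder tenant ID
    EnterpriseCertThumbprint = 'PLACEHOLDER_THUMBPRINT'                    # placeholder thumbprint
    MinimumOSVersion         = [version]'10.0'                             # Windows 10 / Server 2016
}

function Test-DomainMembership {
    param([string[]]$AllowedDomains, [string[]]$AllowedTenantIds)
    # On-premises AD membership is visible on Win32_ComputerSystem.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain -and ($AllowedDomains -contains $cs.Domain)) { return $true }
    # Azure AD join state and tenant ID come from dsregcmd's "Key : Value" output.
    if (-not (Get-Command dsregcmd -ErrorAction SilentlyContinue)) { return $false }
    $status = dsregcmd /status
    $joined = [bool]($status | Select-String -Quiet 'AzureAdJoined\s*:\s*YES')
    $tenant = $status | Select-String 'TenantId\s*:\s*([0-9a-fA-F-]+)' | Select-Object -First 1
    if ($joined -and $tenant) {
        return $AllowedTenantIds -contains $tenant.Matches[0].Groups[1].Value
    }
    return $false
}

function Test-EnterpriseCertificate {
    param([string]$Thumbprint)
    # Option 2 above: the uploaded certificate must be present on the device. The article does not
    # say which stores are inspected; this looks in the machine and user Personal stores (assumption).
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        if (Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $Thumbprint }) { return $true }
    }
    return $false
}

function Test-MinimumOS {
    param([version]$Minimum)
    # Win32_OperatingSystem.Version looks like "10.0.19045"; [version] compares numerically.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    return ([version]$os.Version -ge $Minimum)
}

function Test-Antivirus {
    # Security Center registers AV products in root/SecurityCenter2. The namespace is absent on
    # Windows Server, which matches the article's footnote that the check is unsupported there.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        # productState decoding is community-documented rather than an official API (assumption):
        # 0x1000 set = real-time protection on, 0x10 set = definitions out of date.
        $state = [int]$p.productState
        if ((($state -band 0x1000) -ne 0) -and (($state -band 0x10) -eq 0)) { return $true }
    }
    return $false
}

function Test-Firewall {
    # Pass if every Windows Firewall profile is enabled, or a third-party firewall is registered
    # with Security Center.
    $profiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue
    if ($profiles -and @($profiles | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0) { return $true }
    $third = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName FirewallProduct -ErrorAction SilentlyContinue
    return [bool]$third
}

function Test-DiskEncryption {
    # "All disks encrypted", checked against BitLocker only: every volume must report protection On.
    $vols = Get-BitLockerVolume -ErrorAction SilentlyContinue
    if (-not $vols) { return $false }   # BitLocker module missing or nothing enumerated: treat as fail
    return @($vols | Where-Object { $_.ProtectionStatus -ne 'On' }).Count -eq 0
}

$ownership = [ordered]@{
    'Domain or Azure AD tenant membership' = Test-DomainMembership -AllowedDomains $Config.AllowedDomains -AllowedTenantIds $Config.AllowedAzureTenantIds
    'Enterprise certificate present'       = Test-EnterpriseCertificate -Thumbprint $Config.EnterpriseCertThumbprint
}
$security = [ordered]@{
    'Minimum OS version'              = Test-MinimumOS -Minimum $Config.MinimumOSVersion
    'Antivirus installed and current' = Test-Antivirus
    'Firewall enabled'                = Test-Firewall
    'All disks encrypted'             = Test-DiskEncryption
}

$groups = [ordered]@{ Ownership = $ownership; Security = $security }
foreach ($group in $groups.GetEnumerator()) {
    foreach ($check in $group.Value.GetEnumerator()) {
        '{0,-10} {1,-36} {2}' -f $group.Key, $check.Key, $(if ($check.Value) { 'PASS' } else { 'FAIL' })
    }
}
# Simplified roll-up (assumption): ownership is satisfied by either ownership check, security
# needs every selected check, and the "require both" scope needs both groups.
$ownershipOk = @($ownership.Values) -contains $true
$securityOk  = -not (@($security.Values) -contains $false)
"Would pass under 'require both' scope: $($ownershipOk -and $securityOk)"
```

Run it on a sample of managed and unmanaged machines before leaving Audit-Only mode; a FAIL on the OS version or BitLocker line is usually a fleet-wide issue worth fixing before enforcement, whereas a FAIL on the certificate line typically means the MDM has not yet delivered the certificate to that device.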
iOS
- Require a device passcode: requires that a device-level passcode be set
- Supported versions: iOS 11, iOS 12
- Jailbreak: requires that the device not be jailbroken
- Minimum OS: requires that a minimum version of iOS be installed on the device
- Supported minimum versions: iOS 11, iOS 12
Android
- Root Detection: requires that the device not be rooted
- Minimum OS: requires that a minimum version of Android be installed on the device
- Supported minimum versions: 5.0 (Lollipop), 5.1, 6.0 (Marshmallow), 7.0 (Nougat), 7.1
Additional Platform Restrictions
Device Trust is only supported on platforms where Box is supported: Windows, Mac, Android, and iOS. If you would like to block access to Box from all device types for which Device Trust is not supported, check the box labelled Block access for all unsupported platforms.
When Device Trust is enabled for your enterprise, the checks you have selected above are performed on any net new logins to the platforms you have chosen.
Audit-Only Mode
Before enforcing your Device Trust requirements you can test your configuration without risk of impacting your users by enabling the audit-only mode. This setting could also be used to monitor access on your Box instance.
To monitor device access:
- Reports can be generated in Admin Console > Reports > User Activity (select the Failed Device Trust Check under Login)
- Logs are available in Box Events Stream