Setting Up Device Trust Security Requirements

    Posted Updated

Device Trust helps you enforce your enterprise's compliance or security policies by defining a minimum set of requirements for devices used to access Box. Device Trust verification is enforced at login, for your managed users, and access is prevented unless you have enabled Audit-Only mode.  (Scroll down to the bottom of the article for details about Audit-Only mode).

 

Note
Admins and co-admins who can edit enterprise settings are exempt from Device Trust checks. This keeps them from accidentally locking themselves out of the admin console.

 

Experience for your users

When Device Trust is enabled and restrictions are set, users that don't meet these requirements will see a screen like the one below and won't be allowed to access Box.

mceclip0.png

Note
 If the audit-only mode is turned on, users will be able to login without any impact on their experience. Please refer to the section about Audit-Only mode below to learn more. 

 

Enable Device Trust for managed users

  1. Open the Admin Console, and in the lefthand navigation click Enterprise Settings.
  2. Toward the top of the page click Device Trust.
  3. Scroll down to the Device Trust Settings section.

mceclip0.png

Select the Box applications for which you want to enforce device trust ownership and/or security requirements. If you do not toggle on a specific application, then users will be able to access that app without being required to meet device trust requirements. 

 

Note
If the Web App & 3rd Party Apps option is selected, mobile devices can't access the Box Web App. Also, for computers you must have Box Tools installed for the Web App to perform the necessary Device Trust security checks.

 

Select the scope of your restrictions. You can choose to require your users to meet both Device Ownership Requirements and Device Security Requirements, or allow them to access Box if they only meet one or the other requirements set. 

 

Note
For Device Ownership requirement, you can decide to require both the Domain membership and the Certificate Presence or either one of them

 

Next, select the specific checks you want to enforce for each device/operating system. Below is information about each available verification.

 

Ownership verification on both macOS and Windows

Define how we should recognize a macOS or Windows computer that you manage via either a Domain membership check or a security certificate presence validation. 

mceclip1.png

  • Devices must be joined to a Windows domain: You can require that a macOS or Windows device be joined to an Windows Active Directory domain or an Azure AD tenant ID*. You can even add multiple domains- separated by commas.
  • Require certificate validation: Two certificate verification options are available

Option 1 - Device-specific certificate validation*: In this scenario we will perform a client-side certificate validation, challenging the device for its identity defined by a unique certificate (and corresponding private key) signed by your enterprise or MDM Certificate Authority.

 

Note
For the device-specific certificate validation we require the device certificate to be stored in the KeyChain (macOS) or in the local or user certificate manager (Windows). The device certificate must be signed directly by the certificate uploaded on Box Admin Console and we don't verify the device certificate against a revocation list.

 

Option 2 - Enterprise certificate verification: In this scenario we will look in the KeyChain (macOS) or in the local or user certificate manager (Windows) for the same certificate you upload in the Box Admin Console to establish the ownership of the device.

 

Note
If you enable the Enterprise certificate check, you must install the certificate into a certificate store available to the same user context under which Box Tools is running. For example, if Box Tools is running in a machine-wide installation, the device trust check runs in the context of the SYSTEM user. If you install the certificate only in the user's certificate store, then device trust checks can fail. For device trust to work, you must push out the certificate to the local machine's profile (in addition to other locations).

*You must have the minimum versions of Box Drive 2.14.378, Box Sync 4.0.8004, and Box Tools 4.9.2 (Windows) and 4.12.2 (Mac) to pass this check.

 

Security requirements for macOS, Windows, iOS and Android

As an Admin you can define minimum security requirements on devices (regardless if they are managed or unmanaged).

mceclip2.png

macOS and Windows

  • Require minimum operating system version: Enables you to enforce newer versions of macOS and Windows operating systems, which incorporate enhanced security features. Supported minimum versions are (corresponding server OS versions in parentheses):
    • For Windows:
      • Windows 7 (Windows Server 2008 R2)
      • Windows 7 SP1 (Windows Server 2008 R2 SP1)
      • Windows 8 (Windows Server 2012)
      • Windows 8.1 (Windows Server 2012 R2)
      • Windows 10 (Windows Server 2016)
    • For macOS:
      • El Capitan (10.11)
      • Sierra (10.12)
      • High Sierra (10.13)
      • Mojave (10.14)
      • Catalina (10.15)
  • Require antivirus is installed and up-to-date*: Helps further protect sensitive content accessed by a device by ensuring antivirus is installed and updated on that device.
    • Windows: checks antivirus status in Windows Security Center
    • Mac: checks McAfee (+ePO), Symantec, Norton, Trend Micro, ESET, Sophos, Kaspersky, Cisco AMP, AVG, Cortex XDR, CarbonBlack or CrowdStrike Falcon
  • Require firewall to be enabled*: Enables you to enforce the benefits of firewall protection on devices.
    • For Windows: Windows Security Center
    • For Mac: OS X Firewall
  • Require all disks to be encrypted: Helps protect against data loss by requiring disk encryption software.
    • For Windows:
      • Bitlocker
      • Symantec Encryption Software (Powered by PGP)
      • McAfee
      • Check Point
    • For Mac:
      • Filevault
      • Check Point

* These checks are not supported on Windows Server operating systems.

iOS

  • Require a device passcode: requires that a device level passcode be set
    • Supported versions: iOS 11, iOS 12
  • Jailbreak: requires that the device not be jailbroken
  • Minimum OS: requires that a minimum version of iOS be installed on the device
    • Supported minimum versions: iOS 11, iOS 12

 Android

  • Root Detection: requires that the device not be rooted
  • Minimum OS: requires that a minimum version of Android be installed on the device
    • Supported minimum versions: 5.0 (Lollipop), 5.1, 6.0 (Marshmallow), 7.0 (Nougat), 7.1

 

Additional Platform Restrictions 

Device Trust is only supported on platform where Box is supported: Windows, Mac, Android, and iOS. If you would like to block access to Box from all device types for which device trust is not supported, check the box labelled Block access for all unsupported platforms.
When Device Trust is enabled for your enterprise, the checks you have selected above are performed on any net new logins to the platforms you have chosen.

 

Audit-Only Mode

Before enforcing your Device Trust requirements you can test your configuration without risk of impacting your users by enabling the audit-only mode. This setting could also be used to monitor access on your Box instance.

 

Note
This setting will allow login even if users fail to meet your requirements (fail-open).

 

To monitor devices access:

  • Reports can be generated in Admin Console > Reports > User Activity (select the Failed Device Trust Check under Login)
  • Logs are available in Box Events Stream

 

 

 

tech_writers_swarm_kb

Related articles