Notes
- If the Web App & 3rd Party Apps option is selected, mobile devices can't access the Box Web App. Also, on computers, Box Tools must be installed for the Web App to perform the necessary Device Trust security checks.
- Device Trust only applies to non-EMM (enterprise mobile management) mobile apps; the Device Trust security check is not run on EMM apps. For EMM apps, admins can apply the same functionality via their MDM provider.
Select the scope of your restrictions. You can require your users to meet both the Device Ownership Requirements and the Device Security Requirements, or allow them to access Box if they meet only one of the two requirement sets.
Note
For the Device Ownership requirement, you can require both Domain membership and Certificate Presence, or either one of them.
Next, select the specific checks you want to enforce for each device/operating system. Below is information about each available verification.
macOS and Windows
- Require minimum operating system version: Enables you to enforce newer versions of macOS and Windows operating systems, which incorporate enhanced security features. Supported minimum versions are (corresponding server OS versions in parentheses):
  - For Windows:
    - Windows 8 (Windows Server 2012)
    - Windows 8.1 (Windows Server 2012 R2)
    - Windows 10 (Windows Server 2016)
  - For macOS:
    - El Capitan (10.11)
    - Sierra (10.12)
    - High Sierra (10.13)
    - Mojave (10.14)
    - Catalina (10.15)
    - Big Sur (11.0)
- Require antivirus is installed and up-to-date*: Helps further protect sensitive content accessed by a device by ensuring antivirus is installed and updated on that device.
  - Windows: checks antivirus status in Windows Security Center
  - Mac: checks McAfee (+ePO), Symantec, Norton, Trend Micro, ESET, Sophos, Kaspersky, Cisco AMP, AVG, Cortex XDR, CarbonBlack, CrowdStrike Falcon, Jamf Protect, FireEye, or Microsoft Defender
- Require firewall to be enabled*: Enables you to enforce the benefits of firewall protection on devices.
  - For Windows: Windows Security Center
  - For Mac: OS X Firewall
- Require all disks to be encrypted: Helps protect against data loss by requiring disk encryption software.
  - For Windows:
    - BitLocker
    - Symantec Encryption Software (Powered by PGP)
    - McAfee
    - Check Point
  - For Mac:
    - FileVault
    - Check Point
* These checks are not supported on Windows Server operating systems.
iOS
- Require a device passcode: requires that a device level passcode be set.
- Jailbreak: requires that the device not be jailbroken.
- Minimum OS: requires that a minimum version of iOS and iPadOS be installed on the device. Supported versions:
  - iOS 8
  - iOS 9
  - iOS 10
  - iOS 11
  - iOS 12
  - iOS 13/iPadOS 13
  - iOS 14/iPadOS 14
Android
- Root Detection: requires that the device not be rooted.
- Minimum OS: requires that a minimum version of Android be installed on the device. Supported versions:
  - 5.0 (Lollipop)
  - 5.1
  - 6.0 (Marshmallow)
  - 7.0 (Nougat)
  - 7.1
  - 8.0 (Oreo)
  - 8.1
  - 9.0 (Pie)
  - 10
  - 11
Additional Platform Restrictions
Device Trust is only supported on platforms where Box is supported: Windows, Mac, Android, and iOS. If you would like to block access to Box from all device types for which Device Trust is not supported, click the slider to toggle on Block access for all unsupported platforms.
When Device Trust is enabled for your enterprise, the checks you have selected above are performed on any net new logins to the platforms you have chosen.
Audit-Only Mode
Before enforcing your Device Trust requirements, you can test your configuration without risk of impacting your users by enabling audit-only mode. This setting can also be used to monitor access on your Box instance.
Note
This setting will allow login even if users fail to meet your requirements (fail-open).
To monitor device access:
- Reports can be generated in Admin Console > Reports > User Activity (select the Failed Device Trust Check under Login)
- Logs are available in Box Events Stream
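
The scope selection and audit-only behavior described above can be modeled in a few lines to see which devices a given configuration would let in. This is an added illustration, not Box's code; the `Policy` fields, the check names and the sample device are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    scope: str = "both"        # "both": ownership AND security; "either": one set suffices
    ownership: str = "either"  # "both": domain AND certificate; "either": one suffices
    security_checks: tuple = ("min_os", "antivirus", "firewall", "disk_encryption")
    audit_only: bool = False   # fail-open: the failure is recorded, the login is allowed

def evaluate(policy, device):
    """Return (allowed, compliant, unmet) for a posture dict of check name -> bool."""
    own = {k: bool(device.get(k)) for k in ("domain_member", "certificate_present")}
    own_ok = all(own.values()) if policy.ownership == "both" else any(own.values())
    sec_unmet = [c for c in policy.security_checks if not device.get(c)]
    sec_ok = not sec_unmet
    if policy.scope == "both":
        compliant = own_ok and sec_ok
    else:
        compliant = own_ok or sec_ok
    # Ownership items count as unmet only when the ownership set as a whole fails.
    own_unmet = [] if own_ok else [k for k, ok in own.items() if not ok]
    allowed = compliant or policy.audit_only
    return allowed, compliant, own_unmet + sec_unmet

# Constructed sample posture: domain-joined laptop, no certificate, disk not encrypted.
LAPTOP = {"domain_member": True, "certificate_present": False, "min_os": True,
          "antivirus": True, "firewall": True, "disk_encryption": False}

if __name__ == "__main__":
    for label, pol in [
        ("either set", Policy(scope="either")),
        ("both sets", Policy(scope="both")),
        ("both sets, audit-only", Policy(scope="both", audit_only=True)),
        ("both sets, domain AND certificate", Policy(scope="both", ownership="both")),
    ]:
        print(f"{label}: {evaluate(pol, LAPTOP)}")
```

With the "either" scope, the unencrypted laptop is compliant on ownership alone, which is the case to weigh before choosing that scope; in audit-only mode the same failure under "both" is allowed through and only shows up in the reports and logs.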