Using Smart Access

To prevent your sensitive content from being accidentally leaked, Smart Access enables you to configure access policies that Shield automatically enforces.  With Smart Access, you can use automated controls to restrict sharing, restrict viewing, and restrict downloading and printing based on classification of content.

Creating an access policy

Smart Access enables you to create and apply up to 25 classification-based access policies to sharing and downloading so you can restrict the scope of access.

Creating an access policy enables you to

• select a classification label,
• specify collaboration restrictions for external users based on a list of domains you define,
• specify who can access shared links to content,
• select restrictions on download and print for different user types from all platforms or selected platforms,
• restrict third-party applications from downloading content via API calls, and
• restrict FTP downloads.

Based on your selections, Shield applies this access policy to either all content marked with the selected classification label, or to content that currently has no classification label.

After you apply an access policy to content, Shield applies the policy to new shared links going forward and retroactively to all existing ones.  For example, if you create an access policy for Confidential content and restrict link sharing to Collaborators Only, then users can enable shared links to Confidential content with only Invited People.  And if an existing shared link to that content was previously shared with people who are not invited, those uninvited people can no longer access the content through that link.

Here's a video showing how to create an access policy.

To create an access policy

1. In the left pane of Admin Console, click Shield.
2. In the top of the window, click Access Policies.
3. In the top-right corner, click Create Policy. Box displays the Create Access Policy window.
4. In Policy Name, type a name for your policy. 
5. In Description, optionally type a description.
6. In Content Type, click either
   • Apply the policy to unclassified content within your enterprise, or
   • Apply to only content with the following classification and then choose a classification label.
7. In Security Controls, click Add Security Control. Box displays the restriction setup window.

8. In the restriction setup window, choose the restrictions you wish to enable. Click the following:

   • External Collaboration Restriction and then select one of the following:

     • Allow specified domains or external users, or
     • Block specified domains but optionally allow specified external collaborators who are in those domains, or
     • Block all external collaboration, and select one of the following:
       •  Apply to only new external collaborations, or
       • Apply to existing and new collaborations.
   • Shared Link Restriction and then select one of the following:
     • People with the link, or 
     • People in your company and invited people, or 
     • Invited people only.
   • Download and Print Restriction and then select restrictions on downloading and printing for managed users and external users, and for all or some of Web App, Mobile App, and Desktop.
   • Application Restriction and select one of the following:
     • Prevent all 3rd party apps from downloading content, or
     • Prevent only selected 3rd party apps from downloading content, or
     • Allow only selected 3rd party apps to download content.
   • FTP Restriction and then select whether to forbid FTP downloads.
9. In the top-right corner of the window, click Next. Box displays the policy's review window.
10. To apply the policy, in the top-right corner of the review window, click Start Policy.

What security controls do

• Shared Link Restriction enables you to restrict who can access shared links for the criteria selected.
• External Collaboration Restriction enables you to restrict all external collaboration, or some external collaboration based on domain.
• Download and Print Restriction enables you to restrict download, print, online and offline access to the content by managed and external users across platforms.  For example, after you enable the policy for Box Web App, for restricted users, as selected in the policy
  • Box disables Download in Preview.
  • Box does not display the Print option in Preview, and restricted users who attempt to print from a browser receive blank pages. 
  • Box also restricts saving a copy from Office Online and iWork.
  • Additionally, the same restriction applies to the Box Embed Widget in any applications that have Box embedded.
• Application Restriction enables you to restrict all applications with which your organization is integrated, or some applications from downloading.
• FTP Restriction enables you to restrict FTP download.

Download and Print Restriction

Download and Print Restriction enables you to restrict download and print. After you select Security Controls > Add Security Policy > Download and Print Restriction > For Box Web App and enable the policy, Box

• disables the Download option and local editing on desktop via Box Drive, Box Tools, Box Sync, or Box for Office
• does not display the Print option in Box preview, and restricts on browser printing - restricted users printing from a browser receive only blank pages,
• allows editing in Microsoft Office for the web, but does not display the Print option in Office for the web, and restricts printing from the browser  - restricted users printing from a browser receive only blank pages,
• prevents Move and Copy operations for Editors and Viewers if Restrict Managed Users > Restrict all users except Owners/Co-owners is selected,
• prevents Copy operation for Viewers if Restrict Managed Users > Restrict all users except Owners/Co-owners and editors is selected.

Note:

Download and Print Restriction is not supported in Box Notes.

Here's a video showing how Box enforces an access policy, from a user's perspective.

Modifying an access policy

To modify an access policy:

1. In the Admin Console's left pane, click Shield.
2. In the top of the Shield window, click Access Policies.
3. Click an access policy's name.
4. In the top-right corner, click Edit.

Deleting an access policy

To delete an access policy:

1. In the Admin Console's left pane, click Shield.
2. In the top of the Shield window, click Access Policies.
3. Click an access policy's name.
4. In the top-right corner, click Delete.