Using Smart Access

To prevent your sensitive content from being accidentally leaked, Smart Access enables you to configure access policies that Shield automatically enforces.  With Smart Access, you can use automated controls to restrict sharing, restrict viewing, and restrict downloading and printing based on classification of content.

Creating an access policy

Smart Access enables you to create and apply classification-based access policies to sharing and downloading so you can restrict the scope of access.

Creating an access policy enables you to

• select a classification label,
• specify collaboration restrictions for external users based on a whitelist or blacklist of domains you define,
• specify who can access shared links to content,
• select restrictions on download and print for different user types from all platforms or selected platforms,
• restrict third-party applications from downloading content via API calls based on a whitelist or blacklist, and
• restrict FTP downloads.

Based on your selections, Shield applies this access policy to either all content marked with the selected classification label, or to content that currently has no classification label.

After you apply an access policy to content, Shield applies the policy to new shared links going forward and retroactively to all existing ones.  For example, if you create an access policy for Confidential content and restrict link sharing to Collaborators Only, then users can enable shared links to Confidential content with only Invited People.  And if an existing shared link to that content was previously shared with people who are not invited, those uninvited people can no longer access the content through that link.

Here's a video showing how to create an access policy.

To create an access policy

1. In the left pane of Admin Console, click Shield.
2. In the top of the window, click Access Policies.
3. In the top-right corner, click Create Policy. Box displays the Create Access Policy window.
4. In Policy Name, type a name for your policy. 
5. In Description, optionally type a description.
6. In Content Type, click either
   • Apply the policy to unclassified content within your enterprise, or
   • Apply to only content with the following classification and then choose a classification label.
7. In Security Controls, under Shared Link Restriction, select a restriction to define who can access shared links to content bearing the selected classification. Click one of the following:
   • Public, or
   • Company and Collaborators only, or
   • Collaborators Only.
8. In Security Controls, click Add Security Policy. Box displays the restriction setup window.
9. In the restriction setup window, choose the restrictions you wish to enable. Click the following:
   • External Collaboration Restriction and then select to block all external collaboration, or create a domain whitelist, or create a domain blacklist.
   • Download and Print Restriction and then select restrictions on download and print for managed users and external users from all or some of Web App, Mobile App, and Desktop.
   • Application Restriction and then select whether to prevent all third-party apps from downloading content, or allow only selected third-party apps to download content. If allowing selected apps, create a whitelist or create a blacklist.
   • FTP Restriction and then select whether to forbid FTP downloads.
10. In the top-right corner of the window, click Next. Box displays the policy's review window.
11. To apply the policy, in the top-right corner of the review window, click Start Policy.

What security controls do

• Shared Link Restriction enables you to restrict who can access shared links for the criteria selected.
• External Collaboration Restriction enables you to restrict all external collaboration, or some external collaboration based on domain.
• Download Restriction enables you to restrict download, print, online and offline access to the content by managed and external users across platforms.  For example, after you enable the policy for Box Web App, for ineligible users, as selected in the policy
  • Box disables Download in Preview.
  • Box does not display the Print option in Preview, and ineligible users who attempt to print from a browser receive blank pages. 
  • Box also restricts saving a copy from Office Online, iWork, and Adobe Sign.
  • Additionally, the same restriction applies to the Box Embed Widget in any applications that have Box embedded.
• Application Download Restriction enables you to restrict all applications with which your organization is integrated, or some applications from downloading.
• FTP Restriction enables you to restrict FTP download.

Download and Print Restriction

Download and Print Restriction enables you to restrict download and print. After you select Security Controls > Add Security Policy > Download and Print Restriction > For Box Web App and enable the policy, Box

• disables the Download option and local editing on desktop via Box Drive, Box Tools, Box Sync, or Box for Office
• does not display the Print option in Box preview, and restricts on browser printing - users printing from a browser receive only blank pages,
• allows editing in Microsoft Office for the web, but does not display the Print option in Office for the web, and restricts printing from the browser  - users printing from a browser receive only blank pages,
• prevents Move and Copy operations for Editors and Viewers if Restrict Managed Users > Restrict all users except Owners/Co-owners is selected,
• prevents Copy operation for Viewers if Restrict Managed Users > Restrict all users except Owners/Co-owners and editors is selected.

Note:

Download and Print Restriction is not supported in Box Notes.

Here's a video showing how Box enforces an access policy, from a user's perspective.

Modifying an access policy

To modify an access policy:

1. In the Admin Console's left pane, click Shield.
2. In the top of the Shield window, click Access Policies.
3. Click an access policy's name.
4. In the top-right corner, click Edit.

Deleting an access policy

To delete an access policy:

1. In the Admin Console's left pane, click Shield.
2. In the top of the Shield window, click Access Policies.
3. Click an access policy's name.
4. In the top-right corner, click Delete.