Updating Box from the Transport Layer Security (TLS) 1.1 Encryption Protocol FAQ

Starting at 8:00 am PDT on March 31, 2020, Box will begin blocking traffic from ALL products and services that use the TLS 1.1 encryption protocol, including custom Box platform apps.

 

To minimize the impact on your business, please review the following:

 

What is TLS?

• TLS stands for “Transport Layer Security" and is a widely deployed security protocol that is used to securely exchange data over a network. Using encryption and endpoint identity verification, TLS ensures that when an application connects to a remote endpoint, it is in fact connecting to the intended endpoint. The versions of TLS, to date, are TLS 1.0, 1.1, 1.2, and 1.3.

• Box Web and API connections, along with applications such as Box Drive and third-party apps, use TLS as a key component of their security.

 

Why is TLS 1.1 being disabled?

• Box is requiring an upgrade to at least TLS 1.2 to align with industry best practices for security and data integrity. Box is focused on continually helping our customers improve their security by using the latest security protocols.
• For more information on the global effort to remove support for older versions of TLS, please reference this article from the PCI Security Standards Council.

 

What happens after TLS 1.1 is disabled?

• After TLS 1.1 is disabled, anyone using non-compliant versions of applications and browsers will not be able to access any Box services. For more details, please see this article.
• Anyone using a non-compliant Box application must manually update to resolve any issues. IT administrators looking to update their end users' Box applications through a deployment tool should review our recommendations here.
• Everyone must upgrade their browser to a version that supports TLS 1.2 or higher. Most modern browsers support TLS 1.2. To determine whether your browser supports TLS 1.2 or higher, go here.
• Anyone using third-party applications that do not support TLS 1.2 or higher must upgrade those applications. Developers of such third-party applications also must upgrade their applications to support TLS 1.2 or higher.

 

What do I need to do?

• Users must ensure they're using a compliant version of applications and browsers before the sunsetting of TLS 1.1 to continue using Box services.
• Using non-compliant versions of applications and browsers after we sunset TLS 1.1 will result in issues and may require manual updating of applications. For more details on end user impact, please see this article.
• Administrators may find this email template helpful when contacting their end users.
• Find more background information and the minimum compliant versions of each client in the sections below.

 

Who can I contact?

After reading this article, if you still have questions, or need assistance, please contact your Box account representative, or open a support ticket.

 

 

Why are my users on a non-compliant version?

All Box desktop applications have a built-in update process. More information on how Box's desktop products' updates work, and Box's recommendations on deploying manual updates, can be found here.

 

 

TLS 1.2+ Compliant Browsers

To be TLS 1.2+ compliant, make sure your browsers are updated to these minimum versions below before the sunsetting of TLS 1.1 to continue to access Box:

 

Browser	TLS 1.2
Chrome	30-32+
Safari	7+
Firefox	27–33+ ESR 31.0–31.2+
Internet Explorer	11+
Edge	All Versions

 

TLS 1.2+ Compliant Box Desktop Applications

Box desktop products have been updated to meet the TLS 1.2+ compliance. To comply, you must be on the minimum versions below on both Mac and Windows machines. Additionally, all Windows machines must be on .NET 4.5.2 or higher for desktop applications to continue to work after the TLS 1.1 support ends.

The minimum versions that comply are:

 

Box Product	Minimum Compliant Version	Download Latest Version	End user impact on non-compliant version
Box Tools	Version 4 Mac: v4.1+ Windows: v4.1+	Download here. Large scale deployments here.	Users will be unable to open files from Box.   For more details, please see this article.
Box Sync	Mac: 4.0.7900+ Windows: 4.0.7900+	Download here. Large scale deployments here.	Users will be logged out and will be unable to log in. The "Box Sync" folder will still exist but changes will not be synced.   For more details, please see this article.
Box Drive	Mac: 1.7+ Windows: 1.13.84+	Download here. Large scale deployments here.	Mac: Users will be logged out and will be unable to log in   Windows: Users may not be able to successfully update but all other functionality will continue to work.   For more details, please see this article.
Box for Office	Mac: N/A Box for Office is Windows only Windows: 4.5.1227+	Download here.	Users will be logged out and will be unable to log in.   For more details, please see this article.

 

 

Further clarification on Box Tools and the .NET framework:

• If you are currently on Box Tools 3.5 or 4.0.x, you MUST manually upgrade to the latest version of Box Tools (4.6.1 as of Q4 2019). If your organization blocks auto-updates, you must perform the Box Tools update manually.
• If you are currently on Box Tools 4.1 or above, you can keep using it without interruption. However, we strongly recommend you upgrade to the latest version of Box Tools (4.6.1 as of Q4 2019).
• If you are currently on Box Tools 4.6.1, there is nothing you need to do. You are up to date