Updating Box from the Transport Layer Security (TLS) 1.1 Encryption Protocol FAQ – Box Support

Starting at 8:00 am PDT on March 31, 2020, Box will begin blocking traffic from ALL products and services that use the TLS 1.1 encryption protocol, including custom Box platform apps.

To minimize the impact on your business, please review the following:

What is TLS?

TLS stands for “Transport Layer Security" and is a widely deployed security protocol that is used to securely exchange data over a network. Using encryption and endpoint identity verification, TLS ensures that when an application connects to a remote endpoint, it is in fact connecting to the intended endpoint. The versions of TLS, to date, are TLS 1.0, 1.1, 1.2, and 1.3.

Box Web and API connections, along with applications such as Box Drive and third-party apps, use TLS as a key component of their security.

Why is TLS 1.1 being disabled?

Box is requiring an upgrade to at least TLS 1.2 to align with industry best practices for security and data integrity. Box is focused on continually helping our customers improve their security by using the latest security protocols.
For more information on the global effort to remove support for older versions of TLS, please reference this article from the PCI Security Standards Council.

What happens after TLS 1.1 is disabled?

After TLS 1.1 is disabled, anyone using non-compliant versions of applications and browsers will not be able to access any Box services. For more details, please see this article.
Anyone using a non-compliant Box application must manually update to resolve any issues. IT administrators looking to update their end users' Box applications through a deployment tool should review our recommendations here.
Everyone must upgrade their browser to a version that supports TLS 1.2 or higher. Most modern browsers support TLS 1.2. To determine whether your browser supports TLS 1.2 or higher, go here.
Anyone using third-party applications that do not support TLS 1.2 or higher must upgrade those applications. Developers of such third-party applications also must upgrade their applications to support TLS 1.2 or higher.

What do I need to do?

Users must ensure they're using a compliant version of applications and browsers before the sunsetting of TLS 1.1 to continue using Box services.
Using non-compliant versions of applications and browsers after we sunset TLS 1.1 will result in issues and may require manual updating of applications. For more details on end user impact, please see this article.
Administrators may find this email template helpful when contacting their end users.
Find more background information and the minimum compliant versions of each client in the sections below.

Who can I contact?

After reading this article, if you still have questions, or need assistance, please contact your Box account representative, or open a support ticket.

Why are my users on a non-compliant version?

All Box desktop applications have a built-in update process. More information on how Box's desktop products' updates work, and Box's recommendations on deploying manual updates, can be found here.

TLS 1.2+ Compliant Browsers

To be TLS 1.2+ compliant, make sure your browsers are updated to these minimum versions below before the sunsetting of TLS 1.1 to continue to access Box:

Browser	TLS 1.2
Chrome	30-32+
Safari	7+
Firefox	27–33+ ESR 31.0–31.2+
Internet Explorer	11+
Edge	All Versions

TLS 1.2+ Compliant Box Desktop Applications

Box desktop products have been updated to meet the TLS 1.2+ compliance. To comply, you must be on the minimum versions below on both Mac and Windows machines. Additionally, all Windows machines must be on .NET 4.5.2 or higher for desktop applications to continue to work after the TLS 1.1 support ends.

Note:

For details regarding how non-compliant versions of Box Sync, Box Tools, Box for Office, and Box Drive will behave after TLS 1.1 is disabled, please see this article.

The minimum versions that comply are:

Box Product	Minimum Compliant Version	Download Latest Version	End user impact on non-compliant version
Box Tools	Version 4 Mac: v4.1+ Windows: v4.1+	Download here. Large scale deployments here.	Users will be unable to open files from Box. For more details, please see this article.
Box Sync	Mac: 4.0.7900+ Windows: 4.0.7900+	Download here. Large scale deployments here.	Users will be logged out and will be unable to log in. The "Box Sync" folder will still exist but changes will not be synced. For more details, please see this article.
Box Drive	Mac: 1.7+ Windows: 1.13.84+	Download here. Large scale deployments here.	Mac: Users will be logged out and will be unable to log in Windows: Users may not be able to successfully update but all other functionality will continue to work. For more details, please see this article.
Box for Office	Mac: N/A Box for Office is Windows only Windows: 4.5.1227+	Download here.	Users will be logged out and will be unable to log in. For more details, please see this article.

Further clarification on Box Tools and the .NET framework:

If you are currently on Box Tools 3.5 or 4.0.x, you MUST manually upgrade to the latest version of Box Tools (4.6.1 as of Q4 2019). If your organization blocks auto-updates, you must perform the Box Tools update manually.
If you are currently on Box Tools 4.1 or above, you can keep using it without interruption. However, we strongly recommend you upgrade to the latest version of Box Tools (4.6.1 as of Q4 2019).
If you are currently on Box Tools 4.6.1, there is nothing you need to do. You are up to date

TLS 1.2+ Compliant Third-Party Applications

Finally, to ensure that all third-party applications used by your organization are in compliance, please take action for the following before we sunset TLS 1.1 to continue to access Box:

Application Name	Upgrade Path
Third-Party Integrations	Ensure your integration with Box is updated to TLS 1.2+ using the documentation found here.
FTP	Ensure your FTP client is configured to support TLS 1.2+. Steps may include updating FTPS connection settings to support a minimum version of TLS 1.2 or higher. Please refer to documentation from your preferred FTP client.
WebDAV	Ensure your WebDAV client is configured to support TLS 1.2+. Steps may include updating WebDAVS connection settings to support a minimum version of TLS 1.2 or higher. Please refer to documentation from your preferred WebDAV client.

TLS 1.2+ Compliant Box Mobile Applications

Box mobile products have been updated to meet the TLS 1.2+ compliance. To remain compliant you must be on the minimum versions below on both Android and iOS devices.

Unless they've somehow customized their installation of Box mobile products, all users are updated automatically to at least the minimum compliant version below; no action is required. However, if you have customized the installation of these applications for your users in any way, you may need to ensure they all upgrade to a minimum compliant version to continue accessing Box.

Note:

Box for Android was ended for versions of Android 4.4.x (KitKat) and earlier in February 2018. These versions of Android are no longer supported by the Box app and will be unable to log in with existing versions of the Box app following the retirement of TLS 1.1.
Mobile Box for Windows 8/10 app was ended on March 1, 2018. Box for Windows Phone, Box for Windows 8, and Box for Windows 10 applications are not functional.
Support for Mobile Blackberry 10 ended as of November 12, 2018.

Box Product	Minimum Compliant Version
Box for iPhone and iPad (including EMM versions)	Version 4.3.2 and later Available now!
Box Capture for iPhone and iPad (including EMM versions)	Version 1.3.3 and later Available now!
Box for Android Phones and Tablets (including EMM versions)	Android: 4.15 and later Available now!

Box Mobile Download for iOS and Android

Download the latest Box app version for iOS and Android here: https://www.box.com/resources/downloads

Box EMM Download Instructions

Background, details, and download instructions for Box for EMM.

TLS and Proxy

If your organization sends your Box traffic through a proxy then please make sure your proxy is configured to send TLS 1.2+ traffic. Reach out to your internal networking team if you suspect your proxy is not sending TLS 1.2+ traffic.

TLS and DICOM Proxy

If you’re using an incompatible version of the DICOM Proxy to upload DICOM files to Box, your DICOM Proxy will stop working following the sunsetting of TLS 1.1.

On June 18, 2019, we released an updated and compliant version of the DICOM Proxy. You must update your organization manually as automatic updates are not available for this product. Here’s the link to download the compliant version of the DICOM Proxy and here are instructions for manually deploying it.