Enterprise settings define how Box works in your enterprise, and the settings in the Security tab define settings for security and access to Box. This topic contains the following sections:
- Signup and Login
- 2-Step Login Verification
- Password Requirements
- Session Duration for All Users
- KeySafe
Signup and Login Section
This section allows you to set up options for managed users to create accounts and sign in.
- Self signup
-
Available only if you have defined a custom URL for your enterprise, which you do in Enterprise Settings > Custom Setup > Company Profile > Custom Subdomain.
Allows people in your enterprise to create their own managed user Box accounts, as well as allowing admins to create managed user accounts. This can be a good option if you’re not concerned about your seat count. If you enable this option, you may also want to enable the Account Creation Notification option.
- Account Creation Notification
-
Determines if an email notification is sent to all Box admins and co-admins in your enterprise when a managed user account is created. When you select this option, also select the notification frequency:
- Immediately (default): To have a notification sent as soon as a managed user account is created.
- In daily summary emails: To have a notification sent once per day with a list of all managed user accounts created during the past day.
You may not want to select this option if you have not selected the Self signup option because without self signup, only admins can create managed user accounts.
- User email/login
- Select this option to prevent users from changing the email address in their managed user account.
- Failed logins
-
Determines is an email notification is sent to the primary Box admin in your enterprise after a set number of failed login attempts over any amount of time of a managed user account.
When you select this option, select also how many failed login attempts must occur before a notification is sent. You can select any number from 3 (default) to 8.
2-Step Verification Section
This section allows you to define requirements for 2-step verification, also known as 2-factor authentication (2FA).
Managed Users
- Require 2-step verification for all managed users
- Determines if 2-step verification must be used for all managed users when logging in to either the web app or the mobile app. When you enable this option, you must also select an Authentication Method for managed users.
- Authentication Method
-
When you enable Require 2-step verification for all managed users, you must select a 2FA authentication method:
- Authenticator app (TOTP): The default and recommended option, requires managed users to authenticate using a one-time password generated by the TOTP algorithm in an authenticator app.
- Text message (SMS), authenticator app (TOTP), or Email: Allows managed users to authenticate by either a one-time password sent by SMS, which is less secure, or by using a one-time password generated by the TOTP algorithm in an authenticator app, or sending a code to the user's email for logging into a Box account.
External Collaborators
- Require 2-step verification for external collaborators
- Determines if 2-step verification must be used for all external collaborators. When you enable this option, you must also select an Authentication Method for external collaborators.
- Authentication Method (External Collaborators)
-
When you enable Require 2-step verification for external collaborators, you must select a 2FA authentication method:
- Authenticator app (TOTP): The default and recommended option, requires external collaborators to authenticate using a one-time password generated by the TOTP algorithm in an authenticator app.
- Text message (SMS), authenticator app (TOTP) or Email: Allows external collaborators to authenticate by either a one-time password sent by SMS, which is less secure, by using a one-time password generated by the TOTP algorithm in an authenticator app, or sending a code to the user's email for logging into a Box account.
You can also click Configure to configure which external collaborators require 2-step verification and when 2-step verification is required. If you do not define any additional configuration when you select 2-step verification for external collaborators, it will be required for all external collaborators and as soon as you save your settings.
- (Configure) 2-Step Verification for External Collaborators
-
Determines which external collaborators will require 2-step verification and when 2-step verification will be enforced. This dialog box has 2 sections, one where you select who 2-step verification will be enabled for and one where you select when it will be enforced.
Enable for...
Select from:
- Enable for all external collaborators: To require 2-step verification for all external collaborators.
- Enable only for select domains or users: To require 2-step verification for only external collaborators in the Domains field.
- Enable for all external collaborators except select domains or users: To require 2-step verification for all external collaborators except those entered in the Domains field.
Domains
When Enable only for select domains or users or Enable for all external collaborators except select domains or users is selected, a Domains field will appear. Enter one or more valid email addresses or domains. Press Enter after entering each email address or domain.
Enforcement...
Select from:
- Enforce immediately: To require 2-step verification for the external collaborators you define to begin as soon as you save 2-Step Login Verification settings.
- Enforce on a future date and send notification warnings to existing affected users: To require 2-step verification for the external collaborators you define to begin on the Enforcement Date you select.
If you select Enforce on a future date and send notification warnings to existing affected users, notification email messages will be sent out to all external collaborators affected, which means:
- If Enable only for select domains or users is selected, notification email messages will be sent to any email addresses listed in the Domains field plus all email addresses from any domain in the Domains field that exist as external collaborators in your Box enterprise.
- If Enable for all external collaborators except select domains or users is selected, notification email messages will be sent to all external collaborators except the ones whose email is specifically listed in the Domains field or who have email addresses from any domains listed.
If you select Enforce immediately, Box sends an email to external collaborators and enforces 2FA immediately. Depending on the number of external collaborators, activation of enforcement may take a few minutes. While enforcement activation is in progress, you cannot edit the configuration. If you try to edit the configuration before enforcement is active, Box displays a warning message.
If you select Enforce on a future date and send notification warnings to existing affected users, external collaborators affected by the configuration receive up to 3 notifications:
- Within a few hours after you click Save.
- One week before enforcing 2FA.
- One day before enforcing 2FA.
External collaborators can enroll in 2FA before the 2FA requirement is enforced. You can edit the 2FA configuration, including the enforcement date, any time before the configured enforcement date.
If any additional external collaborators are added in your Box enterprise before the selected date and will be affected by this configuration, they will also receive a notification email message with information about the future 2-step verification requirement.
Notes
- To change the enforcement date, you must first disable 2FA.
- Edits to an existing configuration are enforced immediately.
- In the Security Logs report, Box includes a record of all configuration changes made by admins. You can generate the Security Logs report from the Reports window of the Admin Console.
- After setting 2FA configuration as Enforce on a future date, admins can subsequently either change the enforcement date or cancel altogether.
- If folders with external collaborators are deleted up to two weeks before the 2FA enforcement date, collaborators will receive 2FA notification warnings even after the folders have been deleted.
Password Requirements Section
This section allows you to define password requirements.
Note
If your enterprise account is SSO-enabled, these password settings apply to a user's external "Box-specific password," not the user's SSO password. This is also where you can require strong passwords for external collaborators.
- Minimum required characters
-
Defines the minimum number of characters required for passwords. Select from:
- 6
- 7
- 8 (default)
- 10
- 12
- Require Number(s)
-
Determines if numbers (numerals, characters from 0 to 9) are required for passwords, and if so, the minimum number required. This counts towards the minimum number of characters required. Select from:
- 1
- 2 (default)
This option is cleared as its default value.
- Require special character(s)
-
Determines if special characters (non alpha-numeric characters such as ! @ / $ &) are required for passwords, and if so, the minimum number required. This counts towards the minimum number of characters required. Select from:
- 1 (default)
- 2
This option is cleared as its default value.
- Require at least one uppercase letter
-
Determines if at least one of the alphabetic characters required for passwords must be uppercase (a capital letter).
This option is cleared as its default value.
- Prevent common words/email address as a password.
-
Determines whether you prevent users from choosing common words or email addresses as passwords.
Using common words or words in the dictionary or using email addresses makes it easier for unwanted users to guess passwords and to log in to your users' accounts. Box recommends selecting this option (its default value), which will make your users' accounts more secure.
- Require users to reset passwords every [number] days
-
Determines whether you require users to reset their passwords every selected time period. If selected, on the next login after the time period selected past a user's previous password reset, Box prompts the user to reset their password before allowing them to log in.
This setting's behavior is retroactive, so if a user hasn't reset their password for 90 days and you set a new policy of 30 days, at the user's next login Box prompts the user to reset their password before allowing them to log in.
If enabled, select from:
- 30 days (default)
- 60 days
- 90 days
- Perform a global password reset now
-
Click to require all users and admins to change their passwords immediately.
Note
If your enterprise has more than 1,000 managed users, please reach out to Box Support to perform a global password reset.
- Prevent reusing passwords from last [number] times
- Determines if users are prevented from reusing passwords. If enabled, you can select any number from 4 (default) through 12.
- Notify admins when users request a forget password email
-
Determines if all of your enterprise Box admins will receive an email when a user requests a forgotten password email.
This option is cleared as its default value.
- Notify admins when users change passwords in Settings
-
Determines if all your enterprise Box admins will receive an email when a user changes their password in their Account Settings.
This option is cleared as its default value.
- Require strong passwords (for external collaborators)
-
Determines if external collaborator accounts require strong passwords. With this setting enabled, passwords from external collaborators have to meet certain security criteria before the user will be able to access the content owned by your organization.
A "strong" password is not the same as the one you define in the Password Requirements section, but it does meet the following requirements:
- At least 8 characters
- Include numerals, uppercase letters or special characters
This option is cleared as its default value. Box will send an email notification to new and existing external collaborators when you enable this setting, and they need to log in and change their password to access content owned by your organization. If they reject the password change, they will not be able to access content shared with them. If they decide later that they’d like to change their password to access the content, they will need to be invited again by a collaborator.
Note
If your organization has SSO (single sign-on) enabled, but not required, external collaborators who are informed that they must use a strong password must still update that password to access shared content.
- Enable exposed password detection (for external collaborators)
- Determines if an external collaborator will be required to change their password before they can access content shared with them if the password was found in a data breach. Enforced when external collaborators log in to the Box web app.
Session Duration for All Users Section
- Session Duration for All Users
-
Determines the amount of time that managed users can be logged in to the Box web app with no activity, defined as any explicit user action, before being logged out automatically. The logout will occur upon the next user action after session expiration.
Select an option from the second drop-down list first, from:
- minutes
- hours
- days
Then select a number of minutes, hours, or days from the first drop-down list. The range you can select for each is:
- 10 to 59 minutes (default is 10)
- 1 to 71 hours (default is 1)
- 3 to 90 days (default is 14)
If you do not make any selection, the default value is 14 days.
Note
Session duration settings apply only to the Box web application. Any session duration limits set here do not apply to users accessing Box through any other Box endpoints (for example, Box mobile applications, Box desktop applications, Box Notes, etc.).
KeySafe Section
This section is visible only if your organization has added KeySafe to your Box service and if it has been configured by Box Support.
- Enable KeySafe/KeySafe Enabled
-
- If KeySafe is not enabled, this section contains an Enable button that you can select and enable KeySafe with either Amazon Web Services or Google Cloud Platform.
- If Key Safe is enabled, you will see hints for your Amazon Web Services or Google Cloud Platform IDs. These cannot be edited in the Admin Console.