The Device Protection tab lets your organization's Admin define settings that determine whether or not devices are allowed to access Box. This topic covers Box Device Trust and Device Pinning.
Box Device Trust
Device Trust settings define how Device Trust policies are configured.
- Policy Name
- Enter a short, unique, and descriptive name. 80 characters maximum.
- Policy Description
- Enter an optional description that provides a summary of the policy purpose and function. 255 characters maximum.
- Apply To
- Determines who the policy applies to. Select from:
- Enable for all users
- Enable for selected groups of users
- Enable for all users but exclude selected groups of users
If you need to add different levels of security to your company with the Device Trust policy, you can enable it for all users, for selected groups of users, or for all users excluding specific groups.
Example
Groups in the organization:
- IT
- Marketing
- Leadership
- IT Leaders
- Marketing Leaders
Enable for selected groups: you selected the Leadership group. The Device Trust policy will be enabled for all users from Leadership (including IT Leaders and Marketing Leaders).
Enable for all users but exclude selected groups of users: you selected Leadership. The Device Trust policy will be enabled for all users, except for everyone in the Leadership group (including IT Leaders and Marketing Leaders).
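The three Apply To options resolved against a nested group layout like the one in the example above, as an added illustration (not Box's own code); the group names are the page's, the user names and the "group:" nesting convention are constructed for this example:

```python
# Constructed sample data: Leadership holds one direct member plus two nested
# groups, mirroring "Leadership (including IT Leaders and Marketing Leaders)".
GROUPS = {
    "IT": {"alice", "bob"},
    "Marketing": {"carol"},
    "IT Leaders": {"dave"},
    "Marketing Leaders": {"erin"},
    "Leadership": {"frank", "group:IT Leaders", "group:Marketing Leaders"},
}


def expand(group, groups, seen=None):
    """Return every user in a group, following nested 'group:' references
    and tolerating cycles."""
    if seen is None:
        seen = set()
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in groups[group]:
        if member.startswith("group:"):
            users |= expand(member[len("group:"):], groups, seen)
        else:
            users.add(member)
    return users


def apply_to(mode, selected, all_users, groups=GROUPS):
    """Resolve an Apply To setting to the set of users the policy covers.

    mode: "all", "selected" (enable for selected groups) or
          "all_except" (enable for all users but exclude selected groups).
    """
    in_groups = set().union(*(expand(g, groups) for g in selected))
    if mode == "all":
        return set(all_users)
    if mode == "selected":
        return in_groups
    if mode == "all_except":
        return set(all_users) - in_groups
    raise ValueError(f"unknown Apply To mode: {mode}")
```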
- Device Trust Audit Mode
- Audit mode allows you to test your Device Trust configuration without risk of impacting your users; users can log in with no change to their experience, except for Box use via a mobile browser. This setting can also be used to monitor access to your Box instance.
To monitor device access:
- Reports can be generated in Admin Console > Reports > User Activity (select Failed Device Trust Check under Login)
- Logs are available in the Box Events Stream
- Device Trust Requirements
- Defines the requirements that devices must meet before Box can be used on them.
- Require all devices meet the following security requirements for access to
- Defines which Box apps are subject to this policy. Select one or more Box applications for which you want to enforce device ownership and/or security requirements. (If you do not enable an application, users can access that app without being required to meet the Device Trust requirements.)
- Web App & 3rd Party Apps - Enables the Device Ownership and Device Security settings for the Box web app and third-party apps that work with the Box web app on Windows and macOS devices.
Notes
- Windows and macOS devices must have Box Tools installed for the Web App to perform the necessary Device Trust security checks.
- When this setting is enabled, mobile devices can't access the Box Web App because there is no Box Tools for mobile devices and Box Tools is required for this security check. This does not affect access via the Box app; you define that security access with the Box for iPhone and iPad or Box for Android settings.
- Box Sync & Box Drive - Enables the Device Ownership and Device Security settings for Box Sync and Box Drive on Windows and macOS devices.
- Box for iPhone and iPad - Enables the Device Security settings for the Box app on iOS devices.
- Box for Android - Enables the Device Security settings for the Box app on Android devices.
Note
If Box for iPhone and iPad or Box for Android is enabled, Device Trust applies only to non-EMM (enterprise mobility management) mobile apps, and the Device Trust security check is not run on EMM apps. For EMM apps, admins can apply the same functionality via their MDM (mobile device management) provider.
- Device Ownership Requirements (Windows and macOS)
- Available only when Web App & 3rd Party Apps or Box Sync & Box Drive is enabled. Determines the ownership requirements for Box access from a Windows or macOS computer, and defines how a computer you manage is recognized: by a domain membership check, by validating the presence of a security certificate, or both. Select one or both of:
- Domain membership on Windows and Mac - Requires that a macOS or Windows device be joined to a Windows Active Directory domain or an Azure AD tenant ID. You can enter multiple domains separated by commas.
- Certificate Presence - Requires that the certificate that you define be present on the device. In this scenario we will perform a client-side certificate validation, challenging the device for its identity defined by a unique certificate (and corresponding private key) signed by your enterprise or MDM Certificate Authority. Select from:
- Device-specific certificate validation (recommended) - The device certificate must be stored in the Keychain (macOS) or in the local or user certificate manager (Windows). The device certificate must be signed directly by the certificate uploaded in the Box Admin Console; the device certificate is not checked against a revocation list. Also, the device certificate must not be expired.
- Enterprise certificate check - In this scenario we look in the Keychain (macOS) or in the local or user certificate manager (Windows) for the same certificate you uploaded in the Box Admin Console to establish the ownership of the device.
Note
If you enable the Enterprise certificate check, you must install the certificate into a certificate store available to the same user context under which Box Tools is running. For example, if Box Tools is running in a machine-wide installation, the device trust check runs in the context of the SYSTEM user. If you install the certificate only in the user's certificate store, then device trust checks can fail. For device trust to work, you must push out the certificate to the local machine's profile (in addition to other locations).
- Device Security Requirements
- Defines minimum security requirements for devices (regardless of whether they are managed or unmanaged).
- For Windows/For Mac - These sections are available only when either Web App & 3rd Party Apps or Box Sync & Box Drive is enabled. Select one or more from:
- Minimum Windows/macOS version - Defines the minimum operating system (OS) version required to be on the Windows/macOS device. This enables you to enforce newer versions of macOS and Windows operating systems, which typically incorporate enhanced security features. The values you can select in these lists are updated with the latest OS versions after they have been released and have been tested by Box. (Several Windows server versions are included when their corresponding base Windows versions are selected: Windows Server 2012 with Windows 8, Windows Server 2012 R2 with Windows 8.1, Windows Server 2016 with Windows 10, and Windows Server 2022 with Windows 11.)
- Antivirus* - Requires that antivirus software is installed and up-to-date on the device, which helps further protect sensitive content accessed by that device. In Windows, checks antivirus status in Windows Security Center. In macOS, checks for the existence of Avast, AVG, Bitdefender, CarbonBlack, Cisco AMP, Cortex XDR, CrowdStrike Falcon, DarkTrace, ESET, FireEye, Jamf Protect, Kaspersky, Malwarebytes AV, Malwarebytes Threatdown, McAfee (+ePO), Microsoft Defender, Norton, Trend Micro, SentinelOne, Sophos, or Symantec.
- Firewall* - Enables you to enforce the benefits of firewall protection on devices. In Windows, checks in Windows Security Center. In macOS, checks the Network Firewall setting.
- Full disk encryption - Helps protect against data loss by requiring disk encryption software. In Windows, checks that any of BitLocker, Symantec Encryption Software (Powered by PGP), McAfee, or Check Point is in use. In macOS, checks that either FileVault or Check Point is in use.
* These checks are not supported on Windows Server operating systems.
- For iOS - This section is available only when Box for iPhone and iPad is enabled. Select one or more from:
- Minimum iOS version - Defines the minimum iOS version required to be on the iOS device. This enables you to enforce newer versions of iOS operating systems, which typically incorporate enhanced security features. The values you can select in these lists are updated with the latest iOS versions after they have been released and have been tested by Box. (iOS versions 13 and newer include the corresponding iPadOS versions.)
- Device Passcode - Requires that a device-level passcode be set.
- Jailbreak Detection - Requires that the device not be jailbroken.
- For Android - This section is available only when Box for Android is enabled. Select one or more from:
- Minimum Android version - Defines the minimum Android version required to be on the Android device. This enables you to enforce newer versions of Android operating systems, which typically incorporate enhanced security features. The values you can select in these lists are updated with the latest Android versions after they have been released and have been tested by Box.
- Root Detection - Requires that the device not be rooted.
- Requirements Scope
- Available only if any Device Trust Requirements are enabled. Defines which requirements a device must satisfy to log in. Select either:
- Require devices to meet all requirements specified above - To require devices to meet all enabled requirements in both Device Ownership Requirements and Device Security Requirements to log in to Box.
- Allow devices to meet either Device Ownership or Device Security requirements - Default. To allow devices to log in to Box when either Device Ownership Requirements or Device Security Requirements are met.
- Platform Restrictions
- Device Trust is only supported on platforms where Box is supported. Determines whether devices on unsupported platforms are allowed to log in to Box. The default is enabled, which blocks access from unsupported platforms. The only supported devices are those running a Windows, macOS, iOS, or Android operating system.
- IT Help Email
- Optional. Enter an email address that will connect with your organization's IT department. If left blank, the message your blocked users will receive will not contain any contact information.
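A model of how the settings above (Platform Restrictions, Device Ownership and Device Security Requirements, Requirements Scope and Audit Mode) combine into a single login decision, added here as an illustration rather than Box's own implementation. The device and policy dictionary keys are assumptions for this example, as is the rule that every enabled ownership check must pass; the page does not state how two selected ownership checks combine.

```python
SUPPORTED_PLATFORMS = {"windows", "macos", "ios", "android"}


def ownership_met(device, policy):
    """Domain membership and/or certificate presence. Returns None when no
    ownership requirement is enabled. Assumption: all enabled checks must pass."""
    checks = []
    if policy.get("domains"):
        allowed = {d.lower() for d in policy["domains"]}
        checks.append(device.get("domain", "").lower() in allowed)
    if policy.get("require_cert"):
        checks.append(bool(device.get("cert_present")))
    return all(checks) if checks else None


def security_met(device, policy):
    """Minimum OS version, antivirus, firewall, disk encryption: every enabled
    requirement must pass. Returns None when none are enabled."""
    checks = []
    if policy.get("min_os"):
        checks.append(tuple(device.get("os", (0,))) >= tuple(policy["min_os"]))
    for key in ("antivirus", "firewall", "disk_encryption"):
        if policy.get(key):
            checks.append(bool(device.get(key)))
    return all(checks) if checks else None


def evaluate(device, policy):
    """Return (decision, reason); decision is 'allow', 'block' or 'audit'."""
    # Platform Restrictions: enabled by default, blocks unsupported platforms.
    if device["platform"] not in SUPPORTED_PLATFORMS and policy.get("block_unsupported", True):
        return "block", "unsupported platform"
    results = [r for r in (ownership_met(device, policy), security_met(device, policy))
               if r is not None]
    if not results:
        return "allow", "no requirements enabled"
    # Requirements Scope: "all" needs both families, "either" (default) needs one.
    ok = all(results) if policy.get("scope", "either") == "all" else any(results)
    if ok:
        return "allow", "requirements met"
    # Audit Mode: the failed check is recorded, but the user is not blocked.
    if policy.get("audit_mode"):
        return "audit", "failed device trust check (logged only)"
    return "block", "failed device trust check"
```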
Device Pinning
Device pinning allows admins to limit which devices a user can access Box from, ensuring access is only allowed on trusted devices.
- Enable Device Pinning
- When enabled, allows admins to limit how many devices per user can access the following Box apps:
- Box Sync
- Box Phone Application
- Box Tablet Application
- Browsers and Other Applications
For Box Sync, Box Phone Application, and Box Tablet Application, you can select from:
- 3
- 2 (default for Box Tablet Application)
- 1
- Unlimited (default for Box Sync and Box Phone Application, and static value for Browsers and Other Applications)