Enterprise Settings: Device Protection Tab

The Device Protection tab lets your organization Admin define settings that determine whether or not devices are allowed to access Box. This topic contains the following sections:

• Box Device Trust
• Endpoint Detection and Response Integrations
• Device Pinning

Box Device Trust

Device Trust settings define default how Device Trust policies are configured. 

Policy Name

Enter a short, unique, and descriptive name. 80 characters maximum.

Policy Description

Enter an optional description that provides a summary of the policy purpose and function. 255 characters maximum.

Apply To

Determines who the policy applies to. Select from:

• Enable for all users
• Enable for selected groups of users
• Enable for all users but exclude selected groups of users

If you need to add different levels of security to your company with the Device Trust policy, you can enable it for all users, for selected groups of users, or for all users excluding specific groups.

Example

Groups in the organization:

• IT
• Marketing
• Leadership
  • IT Leaders
  • Marketing Leaders

Enable for selected groups: you selected the Leadership group. The Device Trust policy will be enabled for all users from Leadership (including IT Leaders and Marketing Leaders).

Enable for all users but exclude selected groups of users: you selected Leadership. The Device Trust policy will be enabled for all users, except for everyone in the Leadership group (including IT Leaders and Marketing Leaders).

Device Trust Audit Mode

Audit mode allows you to test your device trust configuration without risk of impacting your users; users will be able to login without any impact on their experience, except for Box use via mobile browser. This setting could also be used to monitor access on your Box instance.

To monitor devices access:

• Reports can be generated in Admin Console Reports User Activity (select the Failed Device Trust Check under Login)
• Logs are available in Box Events Stream

Device Trust Requirements

Defines the requirements that devices must meet to use Box on those devices.

Require all devices meet the following security requirements for access to

Defines what Box apps are subject to this policy. Select one or more Box applications for which you want to enforce device trust ownership and/or security requirements. (If you do not enable any application, then users will be able to access that app without being required to meet device trust requirements.)

• Box Web App - Enables the Device Ownership and Device Security settings for the Box web app on Windows and macOS devices.
• Box Sync & Box Drive - Enables the Device Ownership and Device Security settings for the Box Sync and Box Drive on Windows and macOS devices
• Box for iPhone and iPad - Enables the Device Security settings for the Box app on iOS devices.
• Box for Android - Enables the Device Security settings for the Box app on Android devices
• Integrations with Third-Party Applications - Enables the Device Ownership and Device Security settings for third-party apps that work with the Box web app on Windows and macOS devices.

Notes

• Windows and macOS devices must have Box Tools installed for the Web App and third-party integrations to perform the necessary Device Trust security checks.
• When the Box Web App setting is enabled, mobile devices can't access the Box Web App because there is no Box Tools for mobile devices and Box Tools is required for this security check. This does not affect access via the Box app; you define that security access with the Box for iPhone and iPad or Box for Android settings.
• If Box for iPhone and iPad or Box for Android is enabled, Device Trust applies only to non-EMM (enterprise mobile management) mobile apps, and Device Trust security check is not run on EMM apps. For EMM apps, admins can apply the same functionality via their MDM (mobile device management) provider.

Device Ownership Requirements (Windows and macOS)

Available only when Web App & 3rd Party Apps or Box Sync & Box Drive are enabled. Determines ownership requirements to enable Box access from Windows or macOS computer and defines how we should recognize such a computer that you manage via either a domain membership check or a security certificate presence validation. Select one or both of:

• Domain membership on Windows and Mac - Requires that a macOS or Windows device be joined to a Windows Active Directory domain or an Azure AD tenant ID. You can enter multiple domains separated by commas.
• Certificate Presence - Requires that the certificate that you define be present on the device. In this scenario we will perform a client-side certificate validation, challenging the device for its identity defined by a unique certificate (and corresponding private key) signed by your enterprise or MDM Certificate Authority. Select from:
  • Device-specific certificate validation (recommended) - We require the device certificate to be stored in the KeyChain (macOS) or in the local or user certificate manager (Windows). The device certificate must be signed directly by the certificate uploaded on Box Admin Console and we don't verify the device certificate against a revocation list. Also, the device certificate must not be expired.
  • Enterprise certificate check - In this scenario we will look in the KeyChain (macOS) or in the local or user certificate manager (Windows) for the same certificate you upload in the Box Admin Console to establish the ownership of the device.

    Note

    If you enable the Enterprise certificate check, you must install the certificate into a certificate store available to the same user context under which Box Tools is running. For example, if Box Tools is running in a machine-wide installation, the device trust check runs in the context of the SYSTEM user. If you install the certificate only in the user's certificate store, then device trust checks can fail. For device trust to work, you must push out the certificate to the local machine's profile (in addition to other locations).

Device Security Requirements

Defines minimum security requirements on devices (regardless if they are managed or unmanaged).

• For Windows/For Mac - These sections are available only when either Web App & 3rd Party Apps or Box Sync & Box Drive is enabled. Select one or more from:
  • Minimum Windows/macOS version - Defines the minimum operating system (OS) version required to be on the Windows/macOS device. This enables you to enforce newer versions of macOS and Windows operating systems, which typically incorporate enhanced security features. The values you can select in these lists are updated with the latest OS versions after they have been released and have been tested by Box. (Several Windows server versions are included when their corresponding base Windows versions are selected: Windows Server 2012 with Windows 8, Windows Server 2012 R2 with Windows 8.1, Windows Server 2016 with Windows 10, and Windows Server 2022 with Windows 11.)
  • Antivirus* - Requires that antivirus software is installed and up-to-date on the device, which helps further protect sensitive content accessed by that device. In Windows, checks antivirus status in Windows Security Center. In macOS, checks for the existence of Avast, AVG, Bitdefender,  CarbonBlack, Cisco AMP, Cortex XDR, CrowdStrike Falcon, DarkTrace, ESET, FireEye, Jamf Protect, Kaspersky, Malwarebytes AV, Malwarebytes Threatdown, McAfee (+ePO), Microsoft Defender, Norton, Trend Micro, SentinelOne, Sophos, or Symantec.
  • Firewall* - Enables you to enforce the benefits of firewall protection on devices. In Windows, checks in Windows Security Center. In MacOS, checks in the Network Firewall setting.
  • Full disk encryption - Helps protect against data loss by requiring disk encryption software. In Windows, checks that any of Bitlocker, Symantec Encryption Software (Powered by PGP), McAfee, Check Point are used. In macOS, checks that any of Filevault or Check Point are used.

  * These checks are not supported on Windows Server operating systems.

• For iOS - This section is available only when Box for iPhone and iPad is enabled. Select one or more from:
  • Minimum iOS version - Defines the minimum iOS version required to be on the iOS device. This enables you to enforce newer versions of iOS operating systems, which typically incorporate enhanced security features. The values you can select in these lists are updated with the latest iOS versions after they have been released and have been tested by Box. (iOS versions 13 and newer include the corresponding iPadOS versions.)
  • Device Passcode - Requires that a device-level passcode be set.
  • Jailbreak Detection - Requires that the device not be jailbroken.
• For Android - This section is available only when Box for Android is enabled. Select one or more from:
  • Minimum Android version - Defines the minimum Android version required to be on the Android device. This enables you to enforce newer versions of Android operating systems, which typically incorporate enhanced security features. The values you can select in these lists are updated with the latest Android versions after they have been released and have been tested by Box.
  • Root Detection - Requires that the device not be rooted.

Requirements Scope

Available only if any Device Trust Requirements are enabled. Defines what requirements are necessary for a device to log in. Select either:

• Require devices to meet all requirements specified above - To require devices to meet all enabled requirements in both Device Ownership Requirements and Device Security Requirements to log in to Box.
• Allow devices to meet either Device Ownership or Device Security requirements - Default. To allow devices to log in to Box when either Device Ownership Requirements or Device Security Requirements are met.

Platform Restrictions

Device Trust is only supported on platform where Box is supported. Determines if devices on unsupported platforms are allowed to log in to Box. The default is enabled, which blocks access from unsupported platforms. The only supported devices are devices with a Windows, macOS, iOS, or Android operating system.

IT Help Email

Optional. Enter an email address that will connect with your organization's IT department. If left blank, the message your blocked users will receive will not contain any contact information.

Endpoint Detection and Response Integrations

Endpoint Detection and Response (EDR) Integrations are where you configure third-party security partners that protect your content from threats. For each partner integration that you can configure here, some settings are in this section of the Box Admin Console, and their use is described here, and some settings are within your partner integration account, and instructions for those settings are in that company's documentation.

In general, a security tool, typically an EDR, informs Box as soon as it detects any anomalous activity on an endpoint, where "endpoint" is defined as any device that connects to a network. Based on the risk score of EDR signal and additional contextual data shared with Box cloud backend, Box will take remediation actions on the device.

Account Details

Configured as part of the connection process, this is non-editable information about the account you established with the partner integration, including:

• Account Name - Your organization name as registered with the partner integration.
• Customer ID - The unique identifier given to your account with the partner integration.
• Contact Email - The contact information as registered with the partner integration.
• Status - Whether on not the partner integration is active. This is controlled in the partner integration account, and is just displayed here. Values can be:
  • Enabled - The partner integration is active and protecting your content.
  • Disabled - The partner integration is not active and is not protecting your content.
  • Pending - The partner integration is fetching device information. (This is typically a temporary status when initially configuring the integration.)

Remediation Actions

Defines remediation actions that will be taken when defined criteria are met. Remediation actions include:

• Terminate user session and block device

Criteria can depend on the security partner. See the security partner documentation for explanations of the criteria they use.

You can add multiple remediation actions each with its own criteria. However, best practice is to make sure the criteria for remediations do not overlap. For example, a partner generated a Trust Score on a scale of 0 to 100. You might define a 2-Step verification remediation for a score of 70 to 90 and a block device remediation for a score of 69 or less. But you would not define a block remediation for a score of 69 or less and a 2-Step verification remediation for a score of 50 to 90 because remediation actions would conflict for scores of 50 to 69.

Enforcement Action

Defines action that occurs when the remediation action is triggered. Select from:

• Enforce restrictions (default) - To enable the device protection once it is conencted and configured. Select this option if you are ready to enforce the device protection for your users.
• Monitor restriction violations only - To monitor user actions that violate the device protection without warning or restricting users. Select this option to gather data about how this device protection will affect your users.

IT Help Email

Optional. Enter an email address that will connect with your organization's IT department. If left blank, the message your blocked users will receive will not contain any contact information.

Device Pinning

Device pinning allows admins to limit which devices a user can access Box from, ensuring access is only allowed on trusted devices.

Enable Device Pinning

When enabled, allows admins to limit how many devcies per user can access the following Box apps:

• Box Sync
• Box Phone Application
• Box Tablet Application
• Browsers and Other Applications

For Box Sync, Box Phone Application, and Box Tablet Application, you can select from:

• 3
• 2 (default for Box Tablet Application)
• 1
• Unlimited (default for Box Sync and Box Phone Application, and static value for Browsers and Other Applications)