Box Shield has several security control types that you can add to access policies. The following sections describe them in detail.
- External Collaboration Restriction
- Shared Link Restriction
- Download and Print Restriction
- Application Restriction
- FTP Restriction
- Box Sign Request Restriction
External Collaboration Restriction
External collaboration restrictions allow you to restrict all or some external collaboration based on domains and users. You can also define exceptions to external collaboration restrictions by entering business justifications for any exceptions you want to allow for an external collaboration restriction.
When you allow exceptions to an external collaboration restriction, enter one or more business justifications. Then, when your users attempt to share something with someone outside your organization, in the Share dialog box, they will be allowed to select a justification for the exception to the access policy.
Allow only specified domains and external users
Specifies only what the Smart Access policy allows for external collaboration. External collaboration will be limited to only what is specified, and blocked for anything else.
Click Select, and then enter one or more domain names, email addresses, Shield lists of domains, or Shield lists of email addresses. Note that only primary email addresses are supported; email aliases are not.
Block specified domains
Specifies only what the Smart Access policy prevents for external collaboration. External collaboration will be blocked by what is specified, and allowed for anything else.
Block all external collaboration
All external collaboration is blocked for anything within Box to which the Smart Access policy is applied.
Only new external collaborators
Restrictions will be imposed only on external collaborations created after the Smart Access policy goes into effect.
Existing and new external collaborators
Restrictions will be imposed on all new and existing external collaborations.
Allow User Justifications
When you click to enable the Allow User Justifications toggle, a User Exception for External Collaboration dialog box appears.
Click Edit Justification if you want to make changes to, add, or delete any justifications.
Click Preview to see a sample of what your users will see.
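The following added example is not Box code and does not call any Box API. It is a small Python model of the options described above, for previewing how a planned external collaboration restriction would treat an inventory of collaborations. The class, field, and mode names, the exact-match rule for domains and addresses, the effective date, and the sample inventory are all assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from datetime import date

@dataclass(frozen=True)
class ExternalCollabPolicy:              # hypothetical model, not a Box object
    mode: str                            # "allow_only" | "block_specified" | "block_all"
    domains: frozenset = frozenset()
    emails: frozenset = frozenset()      # primary addresses only, per the page
    effective: date = date(2024, 6, 1)   # constructed go-live date
    include_existing: bool = False       # False = "Only new external collaborators"
    justifications: frozenset = frozenset()  # empty = justifications toggle off

def listed(policy, email):
    # Assumption: exact, case-insensitive match on the address or its domain.
    email = email.lower()
    return email in policy.emails or email.rsplit("@", 1)[-1] in policy.domains

def evaluate(policy, email, created, justification=None):
    """Return 'allow', 'allow_with_justification' or 'block' for one collaboration."""
    if created < policy.effective and not policy.include_existing:
        return "allow"                   # predates the policy and scope is new-only
    if policy.mode == "allow_only":
        violates = not listed(policy, email)
    elif policy.mode == "block_specified":
        violates = listed(policy, email)
    elif policy.mode == "block_all":
        violates = True
    else:
        raise ValueError(f"unknown mode: {policy.mode}")
    if not violates:
        return "allow"
    # A justification is picked in the Share dialog, so it exists only for new shares.
    if created >= policy.effective and justification in policy.justifications:
        return "allow_with_justification"
    return "block"

def preview(policy, collabs):
    return {email: evaluate(policy, email, created, why) for email, created, why in collabs}

# Constructed sample inventory: (collaborator, date created, justification picked)
COLLABS = [
    ("alice@partner.example", date(2024, 3, 1), None),
    ("bob@vendor.example", date(2024, 3, 1), None),
    ("carol@vendor.example", date(2024, 7, 1), "Approved vendor engagement"),
    ("dave@other.example", date(2024, 7, 1), None),
]
ALLOW = ExternalCollabPolicy("allow_only", domains=frozenset({"partner.example"}),
                             justifications=frozenset({"Approved vendor engagement"}))

if __name__ == "__main__":
    for scope in (False, True):          # new only, then existing and new
        print(scope, preview(replace(ALLOW, include_existing=scope), COLLABS))
```

Comparing the two previews shows which existing collaborators would lose access if the scope were widened from new collaborators only to existing and new.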
Shared Link Restriction
Shared link restrictions enable you to specify who can access the content. The options you can select are:
- People with the link - anyone can use the link, including people outside of your company. No sign-in is required.
- People in your company and invited people - anyone in your company or people invited to the file or folder can use the link.
- Invited people only - only the people invited to the file or folder can access the link content.
After you apply an access policy with a shared link restriction to content, Shield applies the security control to new shared links going forward and retroactively to all existing ones.
For example, if you create an access policy for confidential content and restrict link sharing to Invited people only, users can share links to confidential content only with invited people. If an existing shared link to that content was previously shared with people who are not invited, such people can no longer access the content through that link.
Download and Print Restriction
Download and print restrictions enable you to restrict download, print, online and offline access to the content by managed and external users across platforms. For example, after you enable the policy for Box Web App, for restricted users:
- Box disables the Download option and local editing on desktop via Box Drive, Box Tools, Box Sync, or Box for Office.
- Box does not display the Print option in Box preview, and restricts printing from the browser - restricted users printing from a browser receive only blank pages.
- Box allows editing in Microsoft Office for the web, but does not display the Print option in Office for the web, and restricts printing from the browser - restricted users printing from a browser receive only blank pages.
- Box restricts saving a copy from Office Online and iWork.
- Box prevents file Move and Copy operations for Editors and Viewers if Restrict Managed Users > Restrict all users except Owners/Co-owners is selected.
- Box prevents file Copy operation for Viewers if Restrict Managed Users > Restrict all users except Owners/Co-owners and editors is selected.
- Workflows created by a user using Relay will be restricted from moving or copying content if the user is restricted from moving or copying the content from any modality, such as the web app, the mobile app, or the desktop app.
- Copying a file from one location in Box Drive and pasting it to a different location in Box Drive is considered a new upload. Because of this, the classification label of the original file will not be copied to the new file.
Additionally, the same restriction applies to the Box Embed Widget in any applications that have Box embedded.
Download and Print Restriction is not supported in Box Notes.
You can select download and print restrictions for any of:
- Box Web App
- Box Mobile
- Box Desktop
For each of these, you can choose to restrict:
- Managed Users, either all users except Owners and Co-owners or all users except Owners, Co-owners, and Editors
- All External Users
Application Restriction
Application restrictions enable you to restrict all or some third-party applications with which your organization is integrated, including published custom applications, from downloading content. Note that Microsoft Office for the web, Google Workspace, Apple iWork, and Adobe Acrobat Online, which your users can select to open a file within the Box Web App, are not subject to application restrictions. The options you can select are:
- Block all applications from downloading content - No integrated applications (except Microsoft Office for the web, Google Workspace, Apple iWork, and Adobe Acrobat Online) or published custom applications will be able to download content protected by the access policy.
- Block specified applications from downloading content - Only the integrated applications and published custom applications that you specify will be blocked from downloading content protected by the access policy. Enter one or more applications or Shield lists of applications when you select this choice.
- Allow only specified applications to download content - Only the integrated applications and published custom applications that you specify, as well as Microsoft Office for the web, Google Workspace, Apple iWork, and Adobe Acrobat Online, will be allowed to download content protected by the access policy. Enter one or more applications or Shield lists of applications when you select this choice.
FTP Restriction
FTP restrictions enable you to restrict downloads via the FTP protocol. This is simply a toggle that you can enable or disable, and applies globally to all content protected by the access policy.
Note: FTP Restriction is not supported in Box Notes.
To automatically apply a watermark to files bearing the classification label you selected, click the Enable watermarking slider button.
After you enable watermarking, Box places a semi-transparent overlay of the current viewer's name and time of access across the file's contents.
Watermarking is visible in Preview to all collaborator roles, and is applied to downloaded and printed files for certain collaborator roles. Box Notes and some file types do not support watermarking. To learn more about watermarking in Box, see this article.
Box Sign Request Restriction
Box Sign request restriction prohibits users from requesting signatures for classified and unclassified content.
When the feature is enabled for the Enterprise and available in the Admin Console, it means the following:
- Download and print restrictions won’t prevent you from initiating requests.
- External collaboration restrictions won’t prevent you from initiating requests.
- Shared link restrictions won’t prevent you from initiating requests.
Applying the restriction to a specific policy means that you restrict initiating Box Sign requests. Here’s how Box Sign features behave with and without the restriction:
- Box Sign request restriction enabled
When the Box Sign request restriction is enabled, users cannot initiate sign requests. For example, if a Box admin enables a sign request restriction for content classified as Internal Only, users cannot request signatures for internal only files.
The option is grayed out in the menu.
- Box Sign request restriction disabled
When the Box Sign request restriction is not enabled, users can initiate sign requests. Additionally, download and print restrictions and shared link restrictions are ignored and do not prevent users from sending the request.
Watermarking restrictions will still prevent users from creating sign requests, even with sign request restrictions not in place.
Box Sign request restriction FAQ
- How does Box Sign enforce Shield Policies?
Box Sign checks for both the Box Sign Security and Watermarking security controls when selecting a file to be used during the e-signature process. The sender can pick any destination folder for the signing process regardless of any Shield policies. Once the signing process is complete, any Shield policies will be applied based on auto-classification.
- Can the new security control interrupt any existing processes?
No, the new security control does not affect any past or in-progress sign requests.
- Can I download my classified content if sign request restrictions are enabled?
Yes, it is legally required that all signees can download a copy of the document. Even if there are coexisting download and print restrictions, you can still download the document.
- If the Box Sign request restriction is disabled, can users send sign requests to external signees?
Yes, even if there are existing collaboration restrictions, users can still share content with external parties using Box Sign.