Deprecation: Transport Layer Security (TLS) 1.0 Encryption Protocol

Box Employee

Box will no longer provide support for products and services that rely on the Transport Layer Security (TLS) 1.0 encryption protocol as of June 25, 2018.

 

Starting on 8:00 AM PST on November 12, 2018, Box will block products and services using the TLS 1.0 encryption protocol.

 

Update 09-21-2018

We've consolidated our FAQs into a new KB article and added new details, including:

  • The minimum compliant version of Box Sync on Windows is 4.0.6416, not 4.0.7900.
  • IE v11 is needed for Box Drive and Box Sync to login successfully. This was called out in the "Compliant Browsers" section, but we've added additional notes to make it more clear.
  • Added a note that Box for Windows Phone, Box for Windows 8, or Box for Windows 10 applications have been deprecated.
  • Added a note that Mobile Blackberry 10 will be deprecated as well.

Please review the following FAQs for more details about the change and what you may need to do.

 

The content below is out of date. Please refer to the FAQs for the most recent and accurate information about this change.

 

What do I need to do? 

  • Users need to ensure they're using a compliant version of applications and browsers before November 12, 2018 in order to avoid issues using Box services.
  • Using non-compliant versions of applications and browsers after November 12, 2018 will result in issues and may require manually updating of applications. For more details on end user impact, please see this article.
  • Administrators may find this email template helpful when contacting their end users. 
  • More background information and the minimum compliant versions of each client can be found in the sections below.  

What is TLS?

  • TLS stands for “Transport Layer Security" and is a widely deployed security protocol that is used to securely exchange data over a network. TLS ensures that a connection to a remote endpoint is the intended endpoint through encryption and endpoint identity verification. The versions of TLS, to date, are TLS 1.0, 1.1 and 1.2.
  • Box Web and API connections, along with applications such as Box Drive and 3rd party apps, use TLS as a key component of their security. 

Why is TLS 1.0 being disabled?

  • Box is requiring an upgrade to TLS 1.1 or higher in order to align with industry best practices for security and data integrity. Box is focused on continually helping our customers improve their security by using the latest security protocols.  
  • For more information on the global effort to remove support for TLS 1.0, please reference this article from the PCI Security Standards Council.

What happens after TLS 1.0 is disabled?

  • Any users using non-compliant versions of applications and browsers after TLS is disabled will see issues. For more details, please see this article.
  • Users on a non-compliant Box application will need to manually update to resolve any issues. IT administrators looking to update their end users' Box applications through a deployment tool should review our recommendations here.
  • Users are required to upgrade their browser to a version that supports TLS 1.1 or higher. Most modern browsers support TLS 1.1 and 1.2. To determine whether your browser supports TLS 1.1 or higher, go here.
  • Anyone using 3rd-party applications that do not support TLS 1.1 or higher must upgrade those applications. Developers of such 3rd-party applications also must upgrade their applications to support TLS 1.1 or higher.

 

 

TLS 1.1+ Compliant Box Desktop Applications

Box desktop products have been updated to meet the TLS 1.1+ compliance.  In order to be in compliance, you must be on the minimum versions below on both Mac and Windows machines. Additionally, all Windows machines must be on .NET 4.5.2 or higher in order for desktop applications to continue to work after the TLS 1.0 deprecation on November 12, 2018.  

 

 

The minimum versions that comply are as follows:

Note: For more details on regarding how non-compliant versions of Box Sync, Box Tools, Box for Office and Box Drive will behave after TLS 1.0 is disabled, please see this article.

 

Box Product

Minimum Compliant Version

Download Latest Version

End user impact on non-compliant version

Box Tools 

Box Tools v4:

Mac & Windows: v4.1+

 

Note: We recommend users upgrade to the latest Box Tools version 4.1.x. Box Tools 4.0.x is a non-compliant version as it utilizes the .NET 4.0 framework. 

Download here.


Users will be unable to open files from Box. For more details, 

please see this article.

 Box Sync

Mac & Windows: 4.0.7900+

Download here.

Long Term Supported installer available here.

Users will be logged out and will be unable to log in. 

The "Box Sync" folder will still exist but changes will not be synced.

 

For more details,

please see this article.

Box Drive

Mac: 1.7+
Windows: all Box Drive versions On Windows are compliant in terms of core functionality such as accessing Box content and uploading changes. However, 1.13.84+ is required for Windows users in order for Box Drive's update functionality to remain compliant. 

Download here.

 

Mac: 
Users will be logged out and will be unable to log in

Windows: 

Users may not be able to successfully update but  all other functionality will continue to work. 

 

For more details,

please see this article.

Box for Office

4.5.1227+

 Download here.

Users will be logged out and will be unable to log in.  

 

For more details,

please see this article.

  

Why are my users on a non-compliant version? 

All Box desktop applications have a built-in update process. More information on how Box's desktop products' updates work and Box's recommendations on deploying manual updates can be found here.

 

Further clarification on Box Tools and the .NET framework:

  • If you are currently on Box Tools 3.5, you can keep using it without interruption. However, we strongly recommend you upgrade to the latest version of Box Tools, which is Tools 4.1
  • If you are currently on Box Tools 4.0, you MUST upgrade your .NET framework to .NET 4.5.2 +. Box then auto-updates you to the latest, compliant version of Box Tools (4.1+). If your organization blocks auto-updates, you will have to perform the Box Tools update manually.
  • If you are currently on Box Tools 4.1, there is nothing you need to do. You are up-to-date.

TLS 1.1+ Compliant Box Mobile Applications

Box mobile products have been updated to meet the TLS 1.1+ compliance. To remain in compliance you must be on the minimum versions below on both Android and iOS devices.

Unless they've somehow customized their installation of Box mobile products, all users should automatically update to at least the minimum compliant version below; no action is required. However, i f you have customized the installation of these applications for your users in any way, you may need to ensure all your users upgrade to a minimum compliant version prior to November 12, 2018 to continue to access Box.

 

Note  Box for Android was deprecated for versions of Android 4.4.x (KitKat) and earlier in February 2018. These versions of Android are no longer supported by the Box app and will be unable to log in with existing versions of the Box app following the deprecation of TLS 1.0 on November 12, 2018.

 

Box Product

Minimum Compliant Version

Box for iPhone and iPad
(including EMM versions)

Version 4.3.2 and later


Available now!

Box Capture for iPhone and iPad

Version 1.3.3 and later


Available now!

Box for Android Phones and Tablets (including EMM versions)

Android: 4.15 and later


Available now! 

Box Capture for EMM

Version 1.3.1 and later

Available now!

 

 

 

Box Mobile Download for iOS and Android
Download the latest Box app version for iOS and Android here.

https://www.box.com/resources/downloads

 

Box EMM Download Instructions

 

TLS 1.1+ Compliant Browsers

To ensure that you are TLS 1.1+ compliant, make sure your browsers are updated to these minimum versions below prior to November 12, 2018 to continue to access Box:

 

Browser

TLS 1.1

TLS 1.2

Chrome

22-25+

30-32+

Safari

7+

7+

Firefox

27–33+

ESR 31.0–31.2+

27–33+

ESR 31.0–31.2+

Internet Explorer

11+

11+

Edge

All Versions

All Versions

 

TLS and DICOM Proxy
If you’re using an incompatible version of the DICOM Proxy to upload DICOM files to Box, your DICOM Proxy will stop working as of November 12, 2018, when we deprecate TLS 1.0.

 

On Monday, June 18, we released an updated and compliant version of the DICOM Proxy. You will have to update your organization manually as automatic updates are not available for this product.


Here’s the link to download the compliant version of the DICOM Proxy and here are instructions for manually deploying it.

 

TLS 1.1+ Compliant 3rd Party Applications

Finally, in order to make sure that all 3rd party applications used by your organization are in compliance, please take action for the following prior to November 12, 2018 to continue to access Box:

 

Application Name

Upgrade Path

3rd Party Integrations 

Ensure your integration with Box is updated to TLS 1.1+ using the documentation found here

FTP

Ensure your FTP client is configured to support TLS 1.1+. Steps may include updating FTPS connection settings to support a minimum version of TLS 1.1 or higher. Please refer to documentation from your preferred FTP client.

WebDAV

Ensure your WebDAV client is configured to support TLS 1.1+.  Steps may include updating WebDAVS connection settings to support a minimum version of TLS 1.1 or higher. Please refer to documentation from your preferred WebDAV client

 

 

Comments
Occasional Contributor

I received an email that stated "We are emailing you because you have been identified as a Box admin or co-admin for your enterprise and you have users with non-compliant versions of Box Desktop Applications that support only TLS 1.0."

 

Through various links I found this page that does a nice job of explaining the situation. My question, is there a way to see who the noncompliant users are?

First-time Contributor

I am also interested in the answer to the question Razor has posed.

First-time Contributor

I concur! It'd be a lot easier to target those users, than to have to blanket everyone. Smiley Happy 

 

Thank you!

Box Certified Professional

I would recommend if you have a Customer Success Manager to contact them and have them pull this report. 

 

That's what I did to get this information. 

 

I don't know what to do for those who do not have a Customer Success Manager.

Occasional Contributor

I asked support, but am still waiting for the promised copy.

First-time Contributor

The list above says that the compatible Drive versions for Mac are 1.7+ but the download link gives me version 1.13.83. So I am a bit confused which version we need. 

First-time Contributor

@jaubrey It will have you download the most current version, which is apparently 1.13.83, but if you are already running version 1.7 or newer, it is compatible. Note that version 1.13.xx is at least 6 versions newer than 1.7. Hope that helps clarify.

First-time Contributor

Razor,

 

Below is the script I am using to identify Macs which are on the wrong version of Box Sync. I am pairing it with our jamf pro server to create target groups for deployment. You should be able to modify the name of the app and the version number for whichever application you are using. I am, however, looking to find if there is a terminal command to force Box Sync to update itself. Hope this helps.

#!/bin/bash

BoxSyncVer=$(mdls -name kMDItemVersion /Applications/Box\ Sync.app | tr -d "." | sed 's/[^0-9]*//g' | cut -c-6)
if [ $BoxSyncVer -lt 407901 ]
    then
        echo "<result>update</result>"
    else
        echo "<result>noupdate</result>"
fi

 

First-time Contributor

So in a nutshell... we all need to be using the latest versions of the app and web browsers to use BOX?

 

Random question, but if I share a folder with a client will they also need to have the most up to date versions to view their files?

Box Certified Professional

@rebrandyou,

 

It doesn't necessarily have to be the latest version. Any user accessing content in Box will need to be using a "minimally compliant version" (see above) of any tool they are using to connect. This could be one of the Box applications, their web browser or a third party application. This is an upgrade to the protocol used to interact with Box securely. The old protocol will be shut down on the deadline. 

 

 

HTH,

 

Bob

First-time Contributor

I used to have access a URL link to download digital products.  Now they are masked with  invalid link making me to go into shopping cart and copy and paste the product.  This makes a window of 7 days to download unlimited access 24/7 to my box cloud. Please advise this is creating a lot of work for me to change everything.

-Best Regards, 

Don Butler

www.bellefleurtextures.com

Occasional Contributor

This has been a frustrating experience for me. I'm not a systems analyst or networking guy, and most of the above was meaningless to me, and will be to the average Box user. I tried to find an updated version of Box for Office and there was none newer than 2025. Does that simply mean you want us to remove it and just start using your Windows application? If that's true, it would have been simple to just say so.

 

I avoided doing using your Windows tool because you won't make it possible to  move the cache directory from the C: drive, but it looks as if I don't have a choice. My C: drive is not huge and it's an SSD which I try not to overuse. If you can't or won't fix this issue then Box is useless for large storage.

Box Certified Professional

@Darrell_Leland,

 

Does the link to the Box for Office installer listed above not work for you?

 

Bob

Box Certified Professional

@bellefleur324,

 

All of the download links are listed in the article above.

 

Bob

Occasional Contributor

I keep getting a 2015 version.

Box Certified Professional

@Darrell_Leland,

 

Does it give a version number? It just needs to be higher than 4.5.1227. I'm not a Windows user so I can't run the installer exe to see what you are seeing. Perhaps @Howard can confirm that the installer you are being directed to here is the right one.

 

Best of luck,

 

Bob

Occasional Contributor

I just tried the installer above and according to the version number in MS Word it loads 4.5.1227, so these download instructions are incorrect.

Box Certified Professional

In what way are the instructions incorrect? That is precisely the version you need according to the documentation above. Is there some other part of the document that is contradicting that? There is a lot of details and it wouldn't be surprised if someone missed something. Is it the information on this page or on the Box for Office page?

 

Bob

Community Manager
Hi @Darrell_Leland, Yes Bob is correct and the Box for Office version is the correct one to download for these new TLS updates. If you have any other issues with downloading other Box products and updating to the latest version, please let us know in the forums or for more immediate help, contact our support team! https://community.box.com/t5/Contact-Support/ct-p/BoxSupport#
Occasional Contributor

OK, forgive my confusion. Bob Flynn said "It just needs to be higher than 4.5.1227." The version I am getting and is on my machine is version 4.5.1227. So that's correct?

 

thanks!

Box Certified Professional
Sorry, meant to say that number OR higher. I was just referring to what was on the page.
Occasional Contributor

Ah. Got it. I'm ok then! Thanks.

First-time Contributor

In basic laymans' terms, what exact steps do I & my clients need to take? If there are updates that need to be made on computers, can you please send that link?

Box Certified Professional

@cmmurphy46,

 

All of the links you need are in this document. The explanation and links for the desktop apps are in the section above, titled TLS 1.1+ Compliant Box Desktop Applications. Also have users update their browsers to the latest version. See TLS 1.1+ Compliant Browsers for specific version thresholds, but going to the latest makes it simpler.

 

I manage over 100K users in Box. Of those 113 needed to upgrade a Box application. The needed to do so because they neglected to update previously. Most, if not all, Box desktop applications have been auto-updating for a while. It is only pretty old versions that do not. You can ask your CSM or Box Support for a list of users with outdated versions. It's likely to be quite small.

 

HTH,

 

Bob

Box Employee

Thanks @BobFlynn-IU for assisting here!

 

I want to provide two additional resources that should help address some frequently asked questions:

 

For more details on what users will see if they use a non-compliant application after June 25, please see https://community.box.com/t5/Box-Customer-Resource-News/How-to-Tell-if-Your-Box-Product-is-not-Compl....

 

For more details on how Box's desktop applications perform updates normally and for recommendations on manually deploying updates can be found here: https://community.box.com/t5/How-to-Guides-for-Admins/Box-Desktop-Application-Update-Behavior/ta-p/5....

 

If you have any specific questions or issues, please do not hesitate to open a support case with Box User Services and we'll be happy to get you the information you need: https://community.box.com/t5/Contact-Support/ct-p/BoxSupport#

Occasional Visitor

This should be written in Layman. 

 

You're building a product that's meant for the mass market. 

 

Maybe start by using words like "As of [this date] Box will no longer be supporting the following browsers" 

 

Rather than "Deprecation" and Acronyms that the common person may not understand.. specially considering you needed to create an FAQ just to explain what TLS meant... 

 

To be honest, I can only speak from my experience, but I've worked in multiple startups and now have founded my own. Seeing a message like this gave me a little spike of anxiety wondering "**removed**, will this affect our files??" and the email notifications didn't really explain what was going on or what I needed to do... so it created even more stress.. I must have spent an hour contacting support to finally understand that this was simply a browser support thing. 

 

Whoever was in charge of this messaging and update rollout should really take the time to reflect and see this mistake. My assumption is that it's been implemented by a developer who has a hard time making complicated things sound simple. Which is incredibly important when dealing with a large community of users from different levels.

 

I'm still not sure I totally understand, and It's making me wonder if I should use Dropbox or Google Drive who may have less features, but communicate in a far more clear and user friendly manner. 

Occasional Contributor

Absolutely. I'm a technical writer and run into this all the time. Doctors do this constantly:

 

"Thoroblaziphezipinde is contraindicated for the ephisiation of Maltec-Mendoza Hyperdramaticalide Syndrome..."

First-time Contributor

Hi,

Will the deprecation of TLS1.0 affect existing customers with Box for Salesforce product installed? If yes, can you please advise the actions to upgrade? We have installed Box for Salesforce (https://appexchange.salesforce.com/appxListingDetail?listingId=a0N30000001qNeKEAU) for many customers.

 

Thanks.

Community Manager

Hi @CarmenWong,

 

This will not affect the integration itself. If you do have any trouble with the Box for SalesForce integration, you can submit a case to our support team through this link here.