Setting Up Device Trust Security Requirements

Device Trust enables you to meet your enterprise's compliance or security standards by setting a minimum set of requirements for devices used to access Box. 


Note: Device Trust is available by request to all Enterprise and Elite customers. To request this feature, contact your Customer Success Manager, or file a ticket with our User Services team.


When Device Trust is enabled, you can log in to your Box account ONLY from a device that meets these requirements.


Note: Admins and co-admins who can edit enterprise settings are exempt from Device Trust checks. This keeps them from accidentally locking themselves out of the admin console.


To enable Device Trust for managed users:

  1. Open the Admin Console, and in the left-hand navigation click Enterprise Settings.
  2. Toward the top of the page click App Use Management.
  3. Scroll down to the Device Trust Settings section.








Select the Box applications for which you want to enforce device trust security requirements.  If you do not check the box for a specific application, no one is forced to meet device trust requirements to access that app.


Select the scope of your restrictions.  You can choose to require your users to meet both Device Ownership Requirements and Device Security Requirements, or allow them to access Box if they only meet one or the other.


Next, select the specific checks you want to enforce for each device/operating system. Information about each check is listed below:


Both Mac and Windows:

  • Require certificate to be installed: you can require that all managed users have a specific root certificate installed to establish the ownership of a device.
    • Supported formats: pem, cer, der, crt
    • Checks for the same certificate on each machine 
    • Note: The Device Trust certificate check on Windows has the following special requirement when accessing Box through a web browser:
      • If the certificate check is enabled, the certificate must be installed into a certificate store available to the same user context under which Box Tools is running. For example, if Box Tools is running in a machine-wide installation, the device trust check will run in the context of the SYSTEM user. If the certificate is only installed in the user's certificate store, then device trust checks can fail. In order for device trust to work, administrators will need to push out the certificate to the local machine's profile (in addition to other locations).
  • Requires devices to be joined to a domain: you can require that a device be joined to an AD domain
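
The following PowerShell pre-check is an added example, not Box's own code or the logic Box Tools uses. It reports which certificate stores hold the Device Trust certificate and whether Windows considers the machine domain-joined, so you can spot the user-store-only case described in the note above before enforcing the check. The certificate path is a placeholder, and the `Root` store named in the remediation comment is an assumption based on the page's reference to a root certificate.

```powershell
# Added example: local pre-check of the two Windows ownership requirements.
# $CertPath is a placeholder; point it at the certificate you uploaded to Box.
param(
    [string]$CertPath = 'C:\path\to\device-trust-root.cer'  # hypothetical path
)

# Load the file (DER or Base64/PEM encoded) to get the thumbprint to search for.
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$thumb = $cert.Thumbprint

# Return the store names under one location (LocalMachine or CurrentUser)
# that contain a certificate with the given thumbprint.
function Find-CertStores {
    param([string]$Location, [string]$Thumbprint)
    Get-ChildItem -Path "Cert:\$Location" -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        ForEach-Object { $_.PSParentPath -replace '^.*::', '' } |
        Sort-Object -Unique
}

$machine = @(Find-CertStores -Location 'LocalMachine' -Thumbprint $thumb)
$user    = @(Find-CertStores -Location 'CurrentUser'  -Thumbprint $thumb)

# Domain membership as Windows reports it (the second ownership check).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

[pscustomobject]@{
    Thumbprint         = $thumb
    Expired            = $cert.NotAfter -lt (Get-Date)
    LocalMachineStores = $machine -join ', '
    CurrentUserStores  = $user -join ', '
    DomainJoined       = $cs.PartOfDomain
    Domain             = $cs.Domain
}

# The CurrentUser view also shows certificates inherited from LocalMachine,
# so the problem case is "found for the user, absent for the machine".
if ($machine.Count -eq 0 -and $user.Count -gt 0) {
    Write-Warning 'Certificate is only in the current user store; checks run as SYSTEM by a machine-wide Box Tools install can fail.'
    # Remediation from an elevated prompt (store name is an assumption):
    # Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root
}
```

Run it as the logged-in user on a sample device; an empty `LocalMachineStores` value alongside a populated `CurrentUserStores` value is the configuration the note warns about.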


For Mac or Windows:

  • Require minimum operating system version: you may select this setting to enforce newer versions of Mac and Windows operating systems, which incorporate enhanced security features. 
    • Supported minimum versions (corresponding server OS versions in parentheses):
      • Windows: Windows 7 (Windows Server 2008 R2), Windows 7 SP1 (Windows Server 2008 R2 SP1), Windows 8 (Windows Server 2012), Windows 8.1 (Windows Server 2012 R2), Windows 10 (Windows Server 2016)
      • Mac: Mavericks - 10.9, Yosemite - 10.10
  • Require antivirus is installed and up-to-date*: this setting helps further protect sensitive content accessed by a device by ensuring antivirus is installed and updated on that device.
    • Windows: checks antivirus status in Windows Security Center
    • Mac: checks McAfee (+ePO), Symantec, Norton, Trend Micro, ESET, Sophos, Kaspersky, Cisco AMP, or AVG 
  • Require firewall to be enabled*: this setting allows you to enforce the benefits of firewall protection on devices.
    • Supported versions:
      • Windows: Windows Security Center
      • Mac: OS X Firewall 
  • Require all disks to be encrypted: this setting helps protect against data loss by requiring disk encryption software.
    • Supported versions:
      • Windows: Bitlocker, Symantec Encryption Software (Powered by PGP), McAfee, Check Point
      • Mac: Filevault, Check Point

* Note: These checks are not supported on Windows Server operating systems.



For iOS:

  • Require a device passcode: requires that a device level passcode be set
    • Supported versions: iOS 11, iOS 12
  • Jailbreak: requires that the device not be jailbroken
  • Minimum OS: requires that a minimum version of iOS be installed on the device
    • Supported minimum versions: iOS 11, iOS 12



For Android:

  • Root Detection: requires that the device not be rooted
  • Minimum OS: requires that a minimum version of Android be installed on the device
    • Supported minimum versions: 5.0 (Lollipop), 5.1, 6.0 (Marshmallow), 7.0 (Nougat), 7.1

Platform Restrictions 


Device Trust is only supported on Windows, Mac, Android, and iOS devices. If you would like to block access to Box from all device types for which Device Trust is not supported, check the box labelled Block access for all unsupported platforms.

Once Device Trust is enabled for your enterprise, the checks you have selected above will be performed on any net new logins to the platforms you have chosen.


Version history: revision 22 of 23. Last update: 12-14-2018 08:53 AM.