Note: Device Trust is available by request to all Enterprise and Elite customers. To request this feature, contact your Customer Success Manager, or click here to file a ticket with our User Services team.
Device Trust allows you to meet your enterprise's compliance or security standards by setting a minimum set of requirements for devices that are used to access Box. While Device Trust is enabled, anyone using a device that fails to meet these set requirements will not be able to log in to their Box account.
Note: Admins and co-admins with the ability to edit enterprise settings are exempt from Device Trust checks. This is to prevent admins from accidentally locking themselves out of the admin console.
To enable Device Trust for managed users, open the Admin Console, then click the Gear icon and click on Enterprise Settings. Open the App Use Management tab and scroll down to Device Trust Settings.
Begin by selecting the Box applications for which you would like to enforce device trust security requirements. If you do not check the box for a specific application, users will not be required to meet device trust requirements in order to access that app.
Select the scope of your restrictions. You can choose to require your users to meet both Device Ownership Requirements and Device Security Requirements, or allow them to access Box if they only meet one or the other.
Next, select the specific checks you would like to enforce for each device/operating system. Information about each check is listed below:
Desktops (Mac and Windows)
Both Mac and Windows:
Require certificate to be installed: you can require that all managed users have a specific root certificate installed to establish the ownership of a device.
Supported formats: pem, cer, der, crt
Checks for the same certificate on each machine
Note: The Device Trust certificate check on Windows has the following special requirement when accessing Box through a web browser:
If the certificate check is enabled, the certificate must be installed into a certificate store available to the same user context under which Box Tools is running. For example, if Box Tools is running in a machine-wide installation, the device trust check will run in the context of the SYSTEM user. If the certificate is only installed in the user's certificate store, then device trust checks can fail. In order for device trust to work, administrators will need to push out the certificate to the local machine's profile (in addition to other locations).
Requires devices to be joined to a domain: you can require that a device be joined to an AD domain.
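For the Windows certificate check described in the note above, the following script is an added example (it is not Box's own tooling) that an administrator can run to see whether the Device Trust certificate is visible in the local machine's certificate stores or only in the stores of the account running the script. The certificate file path is supplied by the administrator, and searching every store under each location is an assumption made here, since the page does not name a specific store.

```powershell
# Added example, not part of Box's tooling. Run it once as the logged-in user and,
# where possible, once in the context Box Tools runs under, then compare the results.
param(
    [Parameter(Mandatory)]
    [string]$CertificatePath   # the certificate configured for Device Trust (pem, cer, der or crt)
)

# Load the file only to obtain its thumbprint, which identifies the same
# certificate regardless of which store it was installed into.
$path  = (Resolve-Path -LiteralPath $CertificatePath).Path
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
$thumb = $cert.Thumbprint

function Find-CertInLocation {
    param([ValidateSet('LocalMachine', 'CurrentUser')][string]$Location)
    # Walk every store under the location and return the stores holding the certificate.
    Get-ChildItem -Path "Cert:\$Location" -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.Thumbprint -eq $thumb
        } |
        ForEach-Object { ($_.PSParentPath -split '::')[-1] } |
        Sort-Object -Unique
}

$machineStores = @(Find-CertInLocation -Location LocalMachine)
$userStores    = @(Find-CertInLocation -Location CurrentUser)

[pscustomobject]@{
    Subject            = $cert.Subject
    Thumbprint         = $thumb
    RunningAs          = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    LocalMachineStores = $machineStores -join ', '
    CurrentUserStores  = $userStores -join ', '
}

if ($machineStores.Count -eq 0 -and $userStores.Count -gt 0) {
    # The failure case from the note: a check running as SYSTEM
    # does not see a certificate installed only in a user's store.
    Write-Warning 'Certificate found only in the current user stores; a machine-wide Box Tools installation running as SYSTEM may fail the certificate check.'
}
elseif ($machineStores.Count -eq 0) {
    Write-Warning 'Certificate not found in any LocalMachine or CurrentUser store.'
}
```

CurrentUserStores reflects the account the script runs under, so the RunningAs value shows which user context the result applies to.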
For Mac or Windows:
Require minimum operating system version: you may select this setting to enforce newer versions of Mac and Windows operating systems, which incorporate enhanced security features.
Supported minimum versions (corresponding server OS versions in parentheses):
Windows: Windows 7 (Windows Server 2008 R2), Windows 7 SP1 (Windows Server 2008 R2 SP1), Windows 8 (Windows Server 2012), Windows 8.1 (Windows Server 2012 R2), Windows 10 (Windows Server 2016)
Mac: Mavericks - 10.9, Yosemite - 10.10
Require antivirus is installed and up-to-date*: this setting helps further protect sensitive content accessed by a device by ensuring antivirus is installed and updated on that device.
Windows: checks antivirus status in Windows Security Center
Device Trust is only supported on Windows, Mac, Android, and iOS devices. If you would like to block access to Box from all device types for which device trust is not supported, check the box labelled Block access for all unsupported platforms.
Once Device Trust is enabled for your enterprise, the checks you have selected above will be performed on any net new logins to the platforms you have chosen.