Setting Up Device Trust Security Requirements

Note: Device Trust is available by request to all Enterprise and Elite customers. To request this feature, contact your Customer Success Manager or file a ticket with our User Services team.
 
Device Trust allows you to meet your enterprise's compliance or security standards by setting a minimum set of requirements for devices that are used to access Box. While Device Trust is enabled, anyone using a device that fails to meet these set requirements will not be able to log in to their Box account. 
 
Note: Admins and co-admins with the ability to edit enterprise settings are exempt from Device Trust checks. This is to prevent admins from accidentally locking themselves out of the admin console.
 
To enable Device Trust for managed users:
  1. Open the Admin Console, and in the left-hand navigation, click Enterprise Settings.
  2. Toward the top of the page click App Use Management.
  3. Scroll down to the Device Trust Settings section.
 
Begin by selecting the Box applications for which you would like to enforce device trust security requirements. If you do not check the box for a specific application, users will not be required to meet device trust requirements in order to access that app.
 
Select the scope of your restrictions. You can choose to require your users to meet both Device Ownership Requirements and Device Security Requirements, or allow them to access Box if they only meet one or the other.
 
Next, select the specific checks you would like to enforce for each device/operating system. Information about each check is listed below:

Desktops (Mac and Windows)

Both Mac and Windows:

  • Require certificate to be installed: you can require that every managed user's device has a specific root certificate installed, which establishes that the enterprise owns the device.
    • Supported formats: .pem, .cer, .der, .crt
    • The same certificate is checked for on every machine.
    • Note: The Device Trust certificate check on Windows has the following special requirement when accessing Box through a web browser:
      • If the certificate check is enabled, the certificate must be installed in a certificate store that is visible to the user context under which Box Tools is running. For example, if Box Tools is installed machine-wide, the device trust check runs in the context of the SYSTEM user; if the certificate is installed only in the user's certificate store, the check can fail. For device trust to work in that configuration, administrators need to push the certificate to the local machine's certificate store as well as any other locations.
  • Require device to be joined to a domain: you can require that a device be joined to an Active Directory (AD) domain.

For Mac or Windows:

  • Require minimum operating system version: select this setting to require newer versions of the Mac and Windows operating systems, which incorporate enhanced security features.
    • Supported minimum versions (corresponding server OS versions in parentheses):
      • Windows: Windows 7 (Windows Server 2008 R2), Windows 7 SP1 (Windows Server 2008 R2 SP1), Windows 8 (Windows Server 2012), Windows 8.1 (Windows Server 2012 R2), Windows 10 (Windows Server 2016)
      • Mac: Mavericks - 10.9, Yosemite - 10.10
  • Require antivirus to be installed and up-to-date*: this setting further protects sensitive content accessed from a device by ensuring that antivirus software is installed and updated on that device.
    • Windows: checks the antivirus status reported by Windows Security Center
    • Mac: checks McAfee (+ePO), Symantec, Norton, Trend Micro, ESET, Sophos, Kaspersky, Cisco AMP, or AVG
  • Require firewall to be enabled*: this setting allows you to enforce the benefits of firewall protection on devices.
    • Supported versions:
      • Windows: Windows Security Center
      • Mac: OS X Firewall 
  • Require all disks to be encrypted: this setting helps protect against data loss by requiring disk encryption software.
    • Supported versions:
      • Windows: BitLocker, Symantec Encryption Software (Powered by PGP), McAfee, Check Point
      • Mac: FileVault, Check Point

* Note: These checks are not supported on Windows Server operating systems.
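The certificate-store caveat in the certificate check and the Windows checks listed above can be verified on an endpoint before Device Trust is enforced. The following PowerShell pre-flight script is an added example for this page, not Box's own tooling or code from the article. It assumes the root certificate's SHA-1 thumbprint is passed in as `-CertThumbprint`, that "Windows 10" (version 10.0) was chosen as the minimum OS in the console, that the `productState` bit layout used for the antivirus result is the commonly documented but unofficial one, and that the BitLocker and NetSecurity PowerShell modules are present; the parameter names and report format are the example's own.

```powershell
<#
  Device Trust pre-flight check for a Windows endpoint (added example, not Box code).
  Run elevated so that BitLocker status is readable. Exits non-zero when any check
  fails, so it can be used as a detection step in a deployment tool.
#>
param(
    # Assumption: SHA-1 thumbprint of the root certificate uploaded to Box for the ownership check.
    [Parameter(Mandatory)] [string] $CertThumbprint,
    # Assumption: "Windows 10" was chosen as the minimum version in the Admin Console.
    [version] $MinimumOsVersion = [version]'10.0'
)

$results = [ordered]@{}

# 1. Certificate. A machine-wide Box Tools install evaluates this check as SYSTEM, so the
#    certificate must be in the LocalMachine store; a copy only in CurrentUser is not seen.
$thumb     = $CertThumbprint -replace '\s', ''
$inMachine = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
$inUser    = Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Thumbprint -eq $thumb }
$results['Certificate in LocalMachine\Root'] = [bool]$inMachine
if (-not $inMachine -and $inUser) {
    Write-Warning 'Certificate found only in CurrentUser\Root; push it to the local machine store as well.'
}

# 2. Domain membership (Active Directory join).
$results['Joined to a domain'] = [bool](Get-CimInstance Win32_ComputerSystem).PartOfDomain

# 3. Minimum operating system version.
$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
$results["OS version >= $MinimumOsVersion"] = ($osVersion -ge $MinimumOsVersion)

# 4. Antivirus, read from Windows Security Center. The root\SecurityCenter2 namespace is absent
#    on Windows Server, which is why the article marks this check as unsupported there.
$avOk = $false
try {
    $avProducts = Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction Stop
    foreach ($av in $avProducts) {
        # Assumption: the commonly documented (unofficial) productState layout, read as six hex digits:
        # middle byte 10/11 = real-time protection enabled, last byte 00 = definitions up to date.
        $hex = '{0:X6}' -f [int]$av.productState
        $enabled  = ($hex.Substring(2, 2) -in @('10', '11'))
        $upToDate = ($hex.Substring(4, 2) -eq '00')
        if ($enabled -and $upToDate) { $avOk = $true }
    }
} catch {
    Write-Warning 'Windows Security Center not available (Server SKU?); antivirus check cannot be evaluated.'
}
$results['Antivirus installed and up to date'] = $avOk

# 5. Firewall: every profile (Domain, Private, Public) must be enabled.
$profiles = Get-NetFirewallProfile
$results['Firewall enabled on all profiles'] = -not ($profiles | Where-Object { "$($_.Enabled)" -ne 'True' })

# 6. Disk encryption: every volume BitLocker reports must have protection turned on.
$volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue
$unprotected = $volumes | Where-Object { "$($_.ProtectionStatus)" -ne 'On' }
$results['All disks encrypted (BitLocker)'] = (($null -ne $volumes) -and (-not $unprotected))

# Report each check and return the number of failures as the exit code.
$failed = 0
foreach ($entry in $results.GetEnumerator()) {
    if ($entry.Value) { $status = 'PASS' } else { $status = 'FAIL'; $failed++ }
    '{0,-40} {1}' -f $entry.Key, $status
}
exit $failed
```

Run it as `.\DeviceTrustPreflight.ps1 -CertThumbprint <thumbprint>` from an elevated prompt. The certificate check deliberately reports only the LocalMachine store as a pass and warns when the certificate exists solely in the user's store, because that is exactly the configuration in which a machine-wide Box Tools install fails the check.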
iOS

  • Require a device passcode: requires that a device-level passcode be set
    • Supported versions: iOS 8, iOS 9
  • Jailbreak: requires that the device not be jailbroken
  • Minimum OS: requires that a minimum version of iOS be installed on the device
    • Supported minimum versions: iOS 8, iOS 9 
Android

  • Root Detection: requires that the device not be rooted
  • Minimum OS: requires that a minimum version of Android be installed on the device
    • Supported minimum versions: 5.0 (Lollipop), 5.1, 6.0 (Marshmallow), 7.0 (Nougat), 7.1
Platform Restrictions 

Device Trust is only supported on Windows, Mac, Android, and iOS devices. If you would like to block access to Box from all device types for which Device Trust is not supported, check the box labelled "Block access for all unsupported platforms".
 
Once Device Trust is enabled for your enterprise, the checks you selected above are performed on every new login from the platforms you have chosen.

Version history: revision 17 of 17, last updated 04-09-2018 02:55 PM.