IP Address Restriction for Webapp and SELECTED API calls
We want to enable IP address restrictions only for the web app and selected applications.
Possible methods include submitting a list of client IDs exempt from restrictions during application, or providing a UI to specify an app list excluded from IP address restrictions.
Currently, only the following two options are available.
- Enable only for Webapp
- Enable for Webapp and All API calls
What we truly want is to apply IP address restrictions to the web app and BoxDrive. However, selecting “All APIs” renders nearly all other cloud-based integration apps unusable.
For example, losing integrations that significantly boost productivity—like Salesforce, Zoom, or Box connectors for Zapier and n8n—is a major issue. While we could ask providers for their IP addresses and allowlist them all, maintaining a list of potentially changing IP addresses is impossible.
Box itself recommends setting rules by domain in its firewall configuration support article, acknowledging IP addresses can change.
The reason IP address restrictions via SSO cannot solve this is that they cannot prevent scenarios where employees authenticate internally, then take their device outside and access the company Box from an unspecified access point. Box's own IP address restrictions are powerful because they can prevent this, and it is essential to configure them to work alongside various integrations.
matsumoto commented:
We really want this feature!