
Monday, December 23, 2013

IP Addresses And User Access

As a Salesforce administrator, have you ever wondered when and where your users are accessing their data?  A recent new feature gives you even greater information about user access through a list of IP addresses and browsers used.  If you run a really secure database, looking at the list of IP addresses where users have accessed data is a must for security review, but even administrators of more relaxed orgs can use this information to better understand their users' needs.

User Access History By IP and Browser

You can see where in the world your data has been.
With the Activated Login List, you can see every IP address users have used throughout their history with your org.  This view provides even more information than the user login history.  You can even review the access addresses for users you have deactivated.  And, if you have any concerns about an IP address in the list, you can just remove access for that address after talking to the user about where they may be when they access Salesforce data.

Before you remove any IP addresses and browsers from the Activated list, you may want to save the information for future reference.  You will not see the removed data in your recycle bin!  So if you want to keep a record of which users activated their accounts for which IP addresses and browsers, save before you remove. 

Note that Salesforce documentation states that removing a user's IP address activation may only trigger a new activation confirmation request for that address if you remove activations for both the address and the browser used for that access, which you can find in a second list on the Settings>Security Controls>Activations screen. 

Just below the Activated Login List, the Activated Client Browsers list shows recently activated browsers and gives you more clues about how your users access data.  This can be useful when you review your mobile access policies, since many mobile devices are obvious from the browser listed here.

Unfortunately, the browser and IP address lists don't always coincide.  The browser list does not go as far back in time as the IP address list, and for my own personal activations, I found an IP address I activated at a specific date and time and three different browser activations listed within an hour of activating that address as I used different Connected Apps.

Dynamic, Static, Fixed Or Sticky

If you are surprised by the number of IP addresses that individuals have used to access the database, keep in mind that an Internet Service Provider (ISP) or a local network may assign dynamic IP addresses from a pool of addresses.  In that case, the last digits of the address may differ from session to session for one user on a single device.

Learning about your users' IP addresses and browsers gives you a more complete picture of what is needed to provide or deny data access for users.  Combining the Activated Login List with the login history report gives you a more complete view of what your users have been doing in Salesforce and with mobile applications like Salesforce Touch and Salesforce1.
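As an added example (not code from the original post), this Python script reviews an exported activation list the way the paragraphs above suggest: it collapses each user's addresses into /24 networks so that dynamic ISP churn in the last octet does not look like many separate locations, and it flags activations from outside an assumed company address range.  The export format, the company range and every address below are constructed placeholders.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of an exported Activated Login List (hypothetical export
# format: user, IP address, browser, activation date).  Not real org data.
ACTIVATIONS = [
    ("alice", "203.0.113.10", "Chrome 31", "2013-11-04"),
    ("alice", "203.0.113.77", "Chrome 31", "2013-11-18"),  # same range, new last octet
    ("alice", "198.51.100.5", "Mobile Safari", "2013-12-02"),
    ("bob", "203.0.113.40", "Firefox 25", "2013-10-20"),
    ("bob", "192.0.2.200", "Chrome 31", "2013-12-15"),
]

# Assumed corporate address range (placeholder value), mirroring the range an
# administrator would put on user profiles as an IP restriction.
COMPANY_RANGES = [ip_network("203.0.113.0/24")]


def group_by_network(rows, prefix=24):
    """Map each user to {network: {addresses seen in that network}}.

    Dynamic ISP assignments usually change only the last octet, so counting
    distinct networks rather than distinct addresses gives a more honest
    picture of how many places a user has really logged in from.
    """
    nets = defaultdict(lambda: defaultdict(set))
    for user, ip, _browser, _date in rows:
        net = ip_network(f"{ip}/{prefix}", strict=False)
        nets[user][net].add(ip)
    return nets


def outside_company(rows, ranges=COMPANY_RANGES):
    """Return (user, ip, browser) for activations outside the allowed ranges."""
    return [
        (user, ip, browser)
        for user, ip, browser, _date in rows
        if not any(ip_address(ip) in allowed for allowed in ranges)
    ]


def review(rows):
    """Summarise distinct /24 networks per user and flag non-company activations."""
    summary = {user: len(per_net) for user, per_net in group_by_network(rows).items()}
    return summary, outside_company(rows)


if __name__ == "__main__":
    summary, flagged = review(ACTIVATIONS)
    for user, count in summary.items():
        print(f"{user}: {count} distinct /24 network(s)")
    for user, ip, browser in flagged:
        print(f"REVIEW: {user} activated {ip} ({browser}) outside company ranges")
```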

Monday, November 25, 2013

The Most Important Thing I Learned About Salesforce1 And Connected Apps At Dreamforce

The big news at Dreamforce this year centered around Salesforce1 as a new way of accessing your Salesforce data via mobile devices.  With APIs, you can expect to see a lot of new mobile apps taking advantage of this as well, and you may be surprised to learn that some of your existing Installed Packages from the AppExchange can be monitored more closely now as connected apps.

New Settings to Consider

Restricting access to mobile apps with salesforce.com.
For administrators, Salesforce1 and the mobile APIs require new attention to security settings.  If you have IP restrictions on your Salesforce org, they are automatically applied to mobile apps.  With IP restrictions on user profiles, you can ensure that data is only accessed through your company WiFi by specifying the appropriate address range for Salesforce user profiles.

But, if you are trying to limit the devices from which users can access Salesforce data, IP restrictions may not be enough.  Make sure mobile devices cannot access your WiFi by limiting access based on a device's MAC address or similar security controls that allow you to selectively allow devices to connect to your WiFi.

To provide access to acceptable mobile devices when they are outside the range of your company WiFi, install a Virtual Private Network (VPN) to give the device access from any location.

Login and Authorization Settings

Mobile and connected apps provide even more opportunities to specify security settings.  In addition to limiting IP addresses based on user profile, you can define how frequently users are required to log in from a mobile device and whether users can automatically authorize their own mobile access.  To do this, go to Setup | Manage Apps | Connected Apps and select the application to edit its access settings.

Salesforce also provides a means for reviewing who is able to use mobile and connected apps, blocking access for a specific app, or revoking any user's access via a specific app.  For example, you may want to revoke access to Salesforce1 for certain users while leaving it available to others.  Or you may want to block the app altogether.  This option is available through Manage Apps | Connected Apps OAuth Usage.

More Connected Apps Than You Might Think

In addition to Salesforce1, other apps may appear in your Connected Apps list.  For example, SalesforceA for administrators appears in the list after it has been accessed in your org.  The list of connected apps extends beyond mobile, with the following apps likely to appear among others your users have accessed:
  • Salesforce Help and Training, 
  • Community, 
  • Power of Us Hub, 
  • Salesforce for Outlook, 
  • AppExchange and 
  • Workbench.  

You may also find older mobile applications such as Chatter Mobile, Salesforce Touch and even Mobile CRM.  As an administrator, you may want to monitor the apps that have access to your data and consider blocking some of the older apps or revoking access from selected users.

Installed Packages and Mobile Administration Changes

Administrators will likely also notice another recent change to their org under Installed Packages that is related to Salesforce1 and the APIs.  "Salesforce Connected Apps" along with "Salesforce1 and Chatter Apps", both managed packages, likely have been installed in your org by "Automated Process". This change relates to users accessing the org via any of the connected or mobile apps and is pushed out automatically by Salesforce.

One final consideration for setting up Salesforce1 is whether users should have access to the new mobile interface via the browser on their mobile device, as opposed to via an app.  By default, Salesforce has enabled access to Salesforce1 through the browser.  To edit this so that mobile browsers go directly to the full site instead, use the Mobile Administration options: Setup | Mobile Administration | Salesforce1.

Even administrators who were not planning to roll out Salesforce1 should consider looking into the new settings available for connected apps and Salesforce.