Security Implementation Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Restricting Login IP Ranges in the Enhanced Profile User Interface

Available in: Enterprise, Performance, Unlimited, Developer, and Database.com Editions

User Permissions Needed
To view login IP ranges: “View Setup and Configuration”
To edit login IP ranges: “Manage Users”
To delete login IP ranges: “Modify All Data”

You can control login access on a user’s profile by specifying a range of IP addresses. When you define IP address restrictions for a profile, any login from a restricted IP address is denied.

  1. From Setup, click Manage Users | Profiles.
  2. Select a profile and click its name.
  3. In the profile overview page, click Login IP Ranges.
  4. Use any of these methods to change login IP address ranges for the profile.
    • If you want to add ranges, click Add IP Ranges. Enter a valid IP address in the IP Start Address and a higher IP address in the IP End Address field. The start and end addresses define the range of allowable IP addresses from which users can log in. To allow logins from a single IP address, enter the same address in both fields. For example, to allow logins from only 125.12.3.0, enter 125.12.3.0 as both the start and end addresses.
    • If you want to edit or remove ranges, click Edit or Delete for that range.

    Both IP addresses in a range must be either IPv4 or IPv6. In ranges, IPv4 addresses exist in the IPv4-mapped IPv6 address space ::ffff:0:0 to ::ffff:ffff:ffff, where ::ffff:0:0 is 0.0.0.0 and ::ffff:ffff:ffff is 255.255.255.255. A range can’t include IP addresses inside of the IPv4-mapped IPv6 address space if it also includes IP addresses outside of the IPv4-mapped IPv6 address space. Ranges such as 255.255.255.255 to ::1:0:0:0 or :: to ::1:0:0:0 are not allowed. You can set up IPv6 addresses in all organizations, but IPv6 is only enabled for login in sandbox organizations from the Spring ’12 release and later.

    • Partner User profiles are limited to 5 IP addresses. If you want to increase this limit, contact salesforce.com.
    • The Salesforce Classic app can bypass IP range definitions set up for profiles. Salesforce Classic initiates a secure connection to Salesforce over the mobile carrier’s network, but the mobile carrier’s IP addresses might be outside of the IP ranges allowed on the user’s profile. To prevent bypassing IP definitions set on a user’s profile, disable Salesforce Classic for that user.

    Important