ISVforce Guide

Introduction
ISVforce Quick Start
Designing and Building Your App
Packaging and Testing Your App
Passing the Security Review
Publish Your Offering on the AppExchange
Manage Orders
Managing Licenses
Provide a Free Trial
Supporting Your Customers
Upgrading Your App
Appendices
Glossary
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Connected App IP Relaxation and Continuous IP Enforcement

This topic describes how the Enforce login IP ranges on every request Session Settings option affects OAuth-enabled connected app IP relaxation settings.
Available in: both Salesforce Classic and Lightning Experience
Connected Apps can be created in: Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions

Connected Apps can be installed in: All Editions

If you relaxed IP restrictions for your OAuth-enabled connected app, and your organization has the Enforce login IP ranges on every request option enabled, the access to your connected app can change. This access change applies to client access, including mobile devices, for all OAuth-enabled connected apps. IP relaxation does not apply to SAML-enabled connected apps.

Table 1. Connected App IP Relaxation Settings and Continuous IP Enforcement
IP Relaxation When Continuous IP Enforcement Is Disabled (Default) When Continuous IP Enforcement Is Enabled
Enforce IP restrictions A user running this app is subject to the organization’s IP restrictions, such as IP ranges set in the user’s profile. A user running this app is subject to the organization’s IP restrictions, such as IP ranges set in the user’s profile.
Relax IP restrictions with second factor A user running this app bypasses the organization’s IP restrictions when either of these conditions is true:
  • The app has IP ranges whitelisted and is using the Web server OAuth authentication flow. Only requests coming from the whitelisted IPs are allowed.
  • The app has no IP range whitelist, is using the Web server or user-agent OAuth authentication flow, and the user successfully completes identity confirmation.
 A user running this app bypasses the organization’s IP restrictions when either of the OAuth conditions in the previous column is true. However, the user can’t access the following for security reasons:
  • Change password
  • Add a time-based token
  • Any pages in a login flow
Relax IP restrictions A user running this connected app is not subject to any IP restrictions. A user running this connected app is not subject to any IP restrictions. However, the user can’t access the following for security reasons:
  • Change password
  • Add a time-based token
  • Any pages in a login flow