Security Implementation Guide

Salesforce Security Implementation Guide
Security Overview
User Authentication
Passwords
Single Sign-on Overview
My Domain
Identity Providers
Network-Based Security
Session Security
Custom Login Flows
Configure User Authentication
Setting Login Restrictions
Restricting Login IP Ranges in the Enhanced Profile User Interface
Restrict Login IP Addresses in the Original Profile User Interface
View and Edit Login Hours in the Enhanced Profile User Interface
View and Edit Login Hours in the Original Profile User Interface
Set Password Policies
Expire Passwords for Your Users
Set Trusted IP Ranges for Your Organization
Modify Session Security Settings
Create a Login Flow
Connect a Login Flow to a Profile
Salesforce Two-Factor Authentication
Enabling Single Sign-On
Connected Apps
Desktop Client Access
User Authorization
Data Sharing Tools
Monitoring Your Organization's Security
Platform Encryption
Security Tips for Apex and Visualforce Development
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Restricting Login IP Ranges in the Enhanced Profile User Interface

Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Performance, Unlimited, Developer, and Database.com Editions

User Permissions Needed
To view login IP ranges: “View Setup and Configuration”
To edit and delete login IP ranges: “Manage Profiles and Permission Sets”

You can control login access on a user’s profile by specifying a range of IP addresses. When you define IP address restrictions for a profile, any login from a restricted IP address is denied.

  1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
  2. Select a profile and click its name.
  3. In the profile overview page, click Login IP Ranges.
  4. Use any of these methods to change login IP address ranges for the profile.
    • If you want to add ranges, click Add IP Ranges. Enter a valid IP address in the IP Start Address and a higher IP address in the IP End Address field. The start and end addresses define the range of allowable IP addresses from which users can log in. To allow logins from a single IP address, enter the same address in both fields. For example, to allow logins from only 125.12.3.0, enter 125.12.3.0 as both the start and end addresses.
    • If you want to edit or remove ranges, click Edit or Delete for that range.
    • Optionally, enter a description for the range. If you maintain multiple ranges, use the Description field to provide details, such as which part of your network corresponds to this range.

    Both IP addresses in a range must be either IPv4 or IPv6. In ranges, IPv4 addresses exist in the IPv4-mapped IPv6 address space ::ffff:0:0 to ::ffff:ffff:ffff, where ::ffff:0:0 is 0.0.0.0 and ::ffff:ffff:ffff is 255.255.255.255. A range can’t include IP addresses inside of the IPv4-mapped IPv6 address space if it also includes IP addresses outside of the IPv4-mapped IPv6 address space. Ranges such as 255.255.255.255 to ::1:0:0:0 or :: to ::1:0:0:0 are not allowed. You can set up IPv6 addresses in all organizations, but IPv6 is only enabled for login in sandbox organizations from the Spring ’12 release and later.

    • Partner User profiles are limited to five IP addresses. If you want to increase this limit, contact Salesforce.
    • The Salesforce Classic Mobile app can bypass IP range definitions set up for profiles. Salesforce Classic Mobile initiates a secure connection to Salesforce over the mobile carrier’s network, but the mobile carrier’s IP addresses might be outside of the IP ranges allowed on the user’s profile. To prevent bypassing IP definitions set on a user’s profile, disable Salesforce Classic Mobile for that user.

    Important

You can limit all access to Salesforce to only those IPs in Login IP Ranges. For example, suppose a user logs in successfully from an IP address defined in Login IP Ranges. The user then moves to a different location and has a new IP address that is outside of Login IP Ranges. When the user tries to access Salesforce, including access from a client application, the user is denied. To enable this option, in Setup, enter Session Settings in the Quick Find box, then select Session Settings and select Enforce login IP ranges on every request. This option affects all user profiles that have login IP restrictions.

Note