Salesforce Security Guide

Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
The Elements of User Authentication
Configure User Authentication
Restrict Where and When Users Can Log In to Salesforce
Restrict Login IP Ranges in the Enhanced Profile User Interface
Restrict Login IP Addresses in the Original Profile User Interface
View and Edit Login Hours in the Enhanced Profile User Interface
View and Edit Login Hours in the Original Profile User Interface
Set Trusted IP Ranges for Your Organization
Set Password Policies
Expire Passwords for All Users
Modify Session Security Settings
Create a Login Flow
Connect a Login Flow to a Profile
Set Up Two-Factor Authentication
Give Users Access to Data
Share Objects and Fields
Protect Your Salesforce Data with Shield Platform Encryption
Monitoring Your Organization’s Security
Security Guidelines for Apex and Visualforce Development
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Restrict Login IP Ranges in the Enhanced Profile User Interface

Control login access at the user level by specifying a range of allowed IP addresses on a user’s profile. When you define IP address restrictions for a profile, a login from any other IP address is denied.
Available in: Salesforce Classic and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Custom Profiles available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions

User Permissions Needed
To view login IP ranges: “View Setup and Configuration”
To edit and delete login IP ranges: “Manage Profiles and Permission Sets”
  1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
  2. Select a profile and click its name.
  3. In the profile overview page, click Login IP Ranges.
  4. Specify allowed IP addresses for the profile.
    • To add a range of IP addresses from which users can log in, click Add IP Ranges. Enter a valid IP address in the IP Start Address and a higher-numbered IP address in the IP End Address field. To allow logins from only a single IP address, enter the same address in both fields.
    • To edit or remove ranges, click Edit or Delete for that range.

    • The IP addresses in a range must be either IPv4 or IPv6. In ranges, IPv4 addresses exist in the IPv4-mapped IPv6 address space ::ffff:0:0 to ::ffff:ffff:ffff, where ::ffff:0:0 is 0.0.0.0 and ::ffff:ffff:ffff is 255.255.255.255. A range can’t include IP addresses both inside and outside of the IPv4-mapped IPv6 address space. Ranges like 255.255.255.255 to ::1:0:0:0 or :: to ::1:0:0:0 aren’t allowed.
    • Partner User profiles are limited to five IP addresses. To increase this limit, contact Salesforce.
    • The Salesforce Mobile Classic app can bypass IP ranges that are defined for profiles. Salesforce Mobile Classic initiates a secure connection to Salesforce over the mobile carrier’s network. However, the mobile carrier’s IP addresses can be outside of the IP ranges allowed for the user’s profile. To prevent bypassing IP definitions on a profile, disable Salesforce Mobile Classic for that user.

    Important

  5. Optionally enter a description for the range. If you maintain multiple ranges, use the Description field to provide details, like which part of your network corresponds to this range.

You can further restrict access to Salesforce to only those IPs in Login IP Ranges. To enable this option, in Setup, enter Session Settings in the Quick Find box, then select Session Settings and select Enforce login IP ranges on every request. This option affects all user profiles that have login IP restrictions.

Note