This content describes an older version of this product.

Connected App IP Relaxation and Continuous IP Enforcement

If you relaxed IP restrictions for your OAuth-enabled connected app and your org has "Enforce login IP ranges on every request" enabled, access to your connected app can change.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Connected Apps can be created in: Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions

Connected Apps can be installed in: All Editions


This change applies to client access, including mobile devices, for all OAuth-enabled connected apps. IP relaxation does not apply to SAML-enabled connected apps unless they are also OAuth-enabled for single sign-on.

IP restrictions are enforced only if they are configured on a user’s profile. The SAML bearer assertion and JWT bearer token flows always enforce IP restrictions regardless of the connected app policy.

Table 1. Connected App IP Relaxation Settings and Continuous IP Enforcement

IP Relaxation: Enforce IP restrictions
When Continuous IP Enforcement Is Disabled (Default): A user running this app is subject to the org’s IP restrictions, such as IP ranges set in the user’s profile.
When Continuous IP Enforcement Is Enabled: A user running this app is subject to the org’s IP restrictions, such as IP ranges set in the user’s profile.

IP Relaxation: Enforce IP restrictions, but relax for refresh tokens
When Continuous IP Enforcement Is Disabled (Default): A user running this app is subject to the org’s IP restrictions, such as IP ranges set in the user’s profile, during initial login. However, these restrictions are relaxed when the app is later using a refresh token to obtain a new access token.
When Continuous IP Enforcement Is Enabled: A user running this app is subject to the org’s IP restrictions, such as IP ranges set in the user’s profile, during initial login. These restrictions are relaxed when the user is later using a refresh token to obtain a new access token. However, the user can’t access the following for security reasons:
  • Change password
  • Add a time-based token
  • Any pages in a login flow

IP Relaxation: Relax IP restrictions for activated devices
When Continuous IP Enforcement Is Disabled (Default): A user running this app bypasses the org’s IP restrictions when either of these conditions is true:
  • The app has IP ranges whitelisted and is using the web server OAuth authentication flow. Only requests coming from the whitelisted IPs are allowed.
  • The app has no IP range whitelist, is using the web server or user-agent OAuth authentication flow, and the user successfully completes identity verification if accessing Salesforce from a new browser or device.
When Continuous IP Enforcement Is Enabled: A user running this app bypasses the org’s IP restrictions when either of the OAuth conditions listed under When Continuous IP Enforcement Is Disabled is true. However, the user can’t access the following for security reasons:
  • Change password
  • Add a time-based token
  • Any pages in a login flow

IP Relaxation: Relax IP restrictions
When Continuous IP Enforcement Is Disabled (Default): A user running this connected app is not subject to any IP restrictions.
When Continuous IP Enforcement Is Enabled: A user running this connected app is not subject to any IP restrictions. However, the user can’t access the following for security reasons:
  • Change password
  • Add a time-based token
  • Any pages in a login flow
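
The decision logic of Table 1, combined with the profile and bearer-flow rules stated before it, written out as an added Python example (not Salesforce code or a Salesforce API). The flow names, function names and parameters are hypothetical, and the fallback to the profile ranges when no bypass condition is met is an assumption.

```python
import ipaddress

# Setting labels are copied from the table; every other name is hypothetical.
ENFORCE = "Enforce IP restrictions"
RELAX_REFRESH = "Enforce IP restrictions, but relax for refresh tokens"
RELAX_ACTIVATED = "Relax IP restrictions for activated devices"
RELAX = "Relax IP restrictions"
ALWAYS_ENFORCED_FLOWS = {"saml_bearer", "jwt_bearer"}
BLOCKED_PAGES = ("Change password", "Add a time-based token",
                 "Any pages in a login flow")


def in_ranges(ip, ranges):
    """True if ip falls inside any CIDR range in ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def evaluate(setting, flow, client_ip, profile_ranges, *, continuous=False,
             refresh=False, app_ranges=(), device_verified=False):
    """Return (allowed, blocked_pages) for one request, per the table."""
    if flow in ALWAYS_ENFORCED_FLOWS:
        relaxed = False  # bearer flows ignore the connected app policy
    elif setting == RELAX:
        relaxed = True
    elif setting == RELAX_REFRESH:
        relaxed = refresh  # initial login is still checked
    elif setting == RELAX_ACTIVATED and app_ranges:
        relaxed = flow == "web_server" and in_ranges(client_ip, app_ranges)
    elif setting == RELAX_ACTIVATED:
        relaxed = flow in ("web_server", "user_agent") and device_verified
    else:
        relaxed = False  # ENFORCE
    # Restrictions apply only when the profile has IP ranges configured.
    # Assumption: a request that misses every bypass condition falls back
    # to the profile ranges.
    enforced = bool(profile_ranges) and not relaxed
    allowed = not enforced or in_ranges(client_ip, profile_ranges)
    # With continuous enforcement, the three relaxing settings lose access
    # to the sensitive pages (modelled per setting, as the table states it).
    blocked = BLOCKED_PAGES if continuous and setting != ENFORCE else ()
    return allowed, blocked
```

Running it over an inventory of connected apps shows which ones let a request from outside the profile ranges through, and that a JWT or SAML bearer integration is still checked even when its app is set to Relax IP restrictions.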