This content describes an older version of this product.

Connected App IP Relaxation and Continuous IP Enforcement

For security reasons, if you relax IP restrictions for your connected app, and your org has enabled Enforce login IP ranges on every request, users can’t access the app in some circumstances. This access restriction applies to all OAuth-enabled connected apps, including mobile devices.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Connected Apps can be created in: Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions

Connected Apps can be installed in: All Editions


SAML-enabled connected apps aren’t affected, unless they are also OAuth-enabled for single sign-on.

IP restrictions are enforced only when they’re configured on a user’s profile. SAML bearer assertion and JWT bearer token flows always enforce IP restrictions regardless of the connected app policy.

Table 1. Connected App IP Relaxation Settings and Continuous IP Enforcement

IP Relaxation: Enforce IP restrictions
When Continuous IP Enforcement Is Disabled (Default): A user running this app is subject to the org’s IP restrictions, such as IP ranges set in the user’s profile.
When Continuous IP Enforcement Is Enabled: A user running this app is subject to the org’s IP restrictions, such as IP ranges set in the user’s profile.

IP Relaxation: Enforce IP restrictions, but relax for refresh tokens
When Continuous IP Enforcement Is Disabled (Default): A user running this app is subject to the org’s IP restrictions, such as IP ranges set in the user’s profile, during initial login. These restrictions are relaxed when the app later uses a refresh token to obtain a new access token.
When Continuous IP Enforcement Is Enabled: A user running this app is subject to the org’s IP restrictions, such as IP ranges set in the user’s profile, during initial login. These restrictions are relaxed when the app later uses a refresh token to obtain a new access token. However, for security reasons, users can’t:
  • Change their password
  • Register a verification method
  • Access pages in a login flow

IP Relaxation: Relax IP restrictions for activated devices
When Continuous IP Enforcement Is Disabled (Default): A user running this app bypasses the org’s IP restrictions when either of these conditions is true.
  • The app has IP ranges whitelisted and is using the web server OAuth authentication flow. Only requests coming from the whitelisted IPs are allowed.
  • The app has no IP range whitelist and is using the web server or user-agent OAuth authentication flow. Also, the user successfully completed identity verification when the user accessed Salesforce from a new browser or device.
When Continuous IP Enforcement Is Enabled: A user running this app bypasses the org’s IP restrictions when either of the OAuth conditions in the previous column is true. However, for security reasons, users can’t:
  • Change their password
  • Register a verification method
  • Access pages in a login flow

IP Relaxation: Relax IP restrictions
When Continuous IP Enforcement Is Disabled (Default): A user running this connected app is not subject to any IP restrictions.
When Continuous IP Enforcement Is Enabled: A user running this connected app is not subject to any IP restrictions. However, for security reasons, users can’t:
  • Change their password
  • Register a verification method
  • Access pages in a login flow
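The rules in Table 1 and the bearer-flow and profile notes above can be modeled as a small decision function for reviewing a planned connected app policy. This is an added example, not Salesforce code: the `Request` fields, flow labels, and function names are hypothetical, and the IP addresses are constructed. It assumes that when an app whitelist is set, requests outside it fall back to the profile check, and that the three blocked actions apply to any relaxed policy while continuous enforcement is on.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ENFORCE = "Enforce IP restrictions"
RELAX_REFRESH = "Enforce IP restrictions, but relax for refresh tokens"
RELAX_ACTIVATED = "Relax IP restrictions for activated devices"
RELAX_ALL = "Relax IP restrictions"
BLOCKED_ACTIONS = ("Change their password", "Register a verification method",
                   "Access pages in a login flow")

@dataclass
class Request:                        # hypothetical model of one OAuth request
    policy: str                       # one of the four Table 1 settings
    flow: str                         # web-server | user-agent | refresh-token | saml-bearer | jwt-bearer
    source_ip: str
    profile_ranges: tuple = ()        # login IP ranges on the user's profile (CIDR)
    app_ranges: tuple = ()            # the connected app's own IP whitelist (CIDR)
    identity_verified: bool = False   # identity verification completed on this device
    continuous_enforcement: bool = False

def in_ranges(ip, ranges):
    return any(ip_address(ip) in ip_network(r) for r in ranges)

def bypasses_ip_check(req):
    """True when the app policy relaxes the org's IP restrictions for this request."""
    if req.flow in ("saml-bearer", "jwt-bearer"):
        return False                  # bearer flows always enforce IP restrictions
    if req.policy == RELAX_ALL:
        return True
    if req.policy == RELAX_REFRESH:
        return req.flow == "refresh-token"
    if req.policy == RELAX_ACTIVATED:
        if req.app_ranges:            # whitelist set: web server flow from listed IPs only
            return req.flow == "web-server" and in_ranges(req.source_ip, req.app_ranges)
        return req.flow in ("web-server", "user-agent") and req.identity_verified
    return False                      # ENFORCE: never relaxed

def evaluate(req):
    """Return (allowed, blocked_actions) for one request under the modeled rules."""
    if not req.profile_ranges or bypasses_ip_check(req):
        allowed = True                # no profile ranges to enforce, or policy relaxes them
    else:
        allowed = in_ranges(req.source_ip, req.profile_ranges)
    relaxed = req.policy != ENFORCE
    return allowed, (BLOCKED_ACTIONS if req.continuous_enforcement and relaxed else ())

if __name__ == "__main__":            # constructed sample: refresh from outside the profile range
    print(evaluate(Request(RELAX_REFRESH, "refresh-token", "198.51.100.7",
                           ("203.0.113.0/24",), continuous_enforcement=True)))
```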