IP Ranges in Salesforce

IP ranges in Salesforce can be broken down into 2 main categories: Trusted IP Ranges and Login IP Ranges. In this guide, I’ll go over the main differences and some use cases you may run into during your admin career.

Trusted IP Ranges

First, let’s look at the Salesforce definition of trusted IP ranges. Salesforce defines them as follows: “Trusted IP Ranges define a list of IP addresses from which users can log in without receiving a login challenge for verification of their identity, such as a code sent to their mobile phone.” Now let’s dissect what that means for an admin.

The key point to understand is that trusted IP ranges are set at an org-wide level. This means that they apply to every user when they log in. So, why would a company want to do this? From a security standpoint, this allows an org to set a range of IP addresses that it knows are secure, such as the org’s corporate office. If someone tries to log in from outside the trusted IP range, the system flags the login and requires an additional verification step. With this extra verification step, a user can still log in from home, a coffee shop, or any IP address not in the trusted range. It also helps stop fraudulent login attempts that use compromised credentials.

Trusted IP ranges are a great first step toward ensuring that an org and its data are secure. Most orgs will have some kind of trusted IP range because it helps ensure that the person logging in is who they say they are. But what if we wanted to take our security to the next level and only allow users to log in from a set IP range?

Login IP Ranges

Just like with trusted IP ranges, let’s first look at the Salesforce definition of login IP ranges. Salesforce describes login IP ranges as follows: “For each profile, you can view and specify the IP addresses from which users can log in. When you define IP address restrictions for a profile, logins from undesignated IP addresses are denied, and addresses from specified IP addresses are allowed.” The key takeaway here is that login IP ranges allow us as admins to take the security of the org one step further, down to the profile level.

Being able to control security at the profile level allows us to specify exactly which kinds of users should only be able to log in from a given IP range. Let’s say that you’re a call support center that uses Service Cloud to handle cases and provide solutions. For this use case, let’s say that we as the admin have created one profile for our support agents and another profile for our support managers. What if we wanted to ensure that support agents couldn’t log in from anywhere outside the corporate office, but their managers could log in from anywhere? Unlike trusted IP ranges, which would apply to every user in the org, we could set up a login IP range for the support agent profile. This would only allow a support agent to log in from within the IP range, and would not interfere with the support manager profile.
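
The support agent and support manager scenario above, as an added Python example that is not part of the original guide and is not Salesforce code: it models the two settings as described here (outside a profile's login IP range means denied, outside the org-wide trusted range means a verification challenge) and classifies constructed login records, so lockouts are visible before a range is applied. The addresses, usernames and function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample configuration (documentation-reserved addresses).
TRUSTED_RANGES = [("203.0.113.0", "203.0.113.255")]  # org-wide, all users
LOGIN_RANGES = {  # per profile
    "Support Agent": [("203.0.113.0", "203.0.113.255")],
}
# "Support Manager" has no login IP range, so it is not restricted by IP.

# Constructed login records: (username, profile, source IP).
LOGIN_HISTORY = [
    ("agent1@example.com", "Support Agent", "203.0.113.40"),
    ("agent2@example.com", "Support Agent", "198.51.100.7"),
    ("manager1@example.com", "Support Manager", "198.51.100.7"),
    ("manager1@example.com", "Support Manager", "203.0.113.12"),
]


def in_ranges(ip, ranges):
    """True if ip falls inside any inclusive (start, end) range."""
    addr = ipaddress.ip_address(ip)
    return any(
        ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end)
        for start, end in ranges
    )


def classify(profile, ip):
    """Return 'deny', 'challenge' or 'allow' for one login attempt."""
    profile_ranges = LOGIN_RANGES.get(profile)
    # Login IP range: a profile that has one denies logins from outside it.
    if profile_ranges and not in_ranges(ip, profile_ranges):
        return "deny"
    # Trusted IP range: outside it, the login needs a verification step.
    if not in_ranges(ip, TRUSTED_RANGES):
        return "challenge"
    return "allow"


def impact_report(history):
    """Classify every record so the effect of the ranges can be reviewed."""
    return [(user, profile, ip, classify(profile, ip))
            for user, profile, ip in history]


if __name__ == "__main__":
    for row in impact_report(LOGIN_HISTORY):
        print("{:<22} {:<16} {:<14} {}".format(*row))
```

The same source address gives different outcomes per profile: the agent is denied from 198.51.100.7, while the manager only receives a verification challenge.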

Closing Thoughts

The key takeaway here is that each use case we run into will vary depending on the org’s needs. Do we need the changes to apply to every user, or only a select subset? Do we need to block logins entirely, or is a verification code enough? These types of questions will help you brainstorm and narrow down the best strategy for implementation. As with every post, please feel free to reach out to me with any questions.