
During the login process

Posted: Wed May 28, 2025 4:53 am
by MasudIbne756
Myth: We can’t use IP allowlisting or VPN to maintain a strong security posture via Intune.
Fact: For VPN, review Intune MDM’s per-app-vpn option. Regarding IP allowlisting, you can continuously enforce IP restriction. Please note, Salesforce uses OAuth 2.0 for authentication through username/password or single sign-on credentials.

Myth: We can’t remote wipe using Intune since Salesforce Mobile App doesn’t work with Intune.
Fact: There’s a post-authentication OAuth token established. When a user leaves the company or their device needs to be remote wiped (i.e., clear the cache and force logout the user), that token can be revoked using Salesforce UI or via an API. It’s important to note that data on the device is always encrypted, but customers can also disable the caching in the mobile app to prevent data being saved locally. This may impact performance as the app will need to refresh record details and feed items every time it’s viewed.

Myth: We can’t enforce device compliance check using Intune for Salesforce Mobile App.
Fact: If the device is enrolled via Intune MDM, the device can be marked “Compliant” by having a certificate and any additional attributes you need to check via Conditional Access Policy. In this scenario, you should use native browser authentication to pass the required checks (see screenshot below). Read the Customize Your My Domain Login Page for Mobile Auth Methods Salesforce Help article to learn more.

For improved security on mobile apps, configure advanced browser-based authentication from the My Domain Setup page.

Myth: Device Compliance Check in Intune MDM is sufficient so we don’t need Salesforce MAM (Mobile App+).
Fact: While Device Compliance check or SSO/MFA/VPN are all the right tools, they are static in nature. To gain further visibility into Salesforce Mobile App user activity, you should use Mobile App+, or Salesforce MAM, which captures four real-time events which tie into Salesforce Shield. See the list of full features here.