This article forms my notes on identity and access relating to the Salesforce Mobile App (for users) and SalesforceA (for admins). Although not a big topic, it is good background knowledge for the Identity and Access Management Architect certification.
Salesforce Mobile App
Out of the box, all users can log into Salesforce from an Android or iOS smartphone. However, access to versions of the app and the security policies that apply to it can be configured.
From Salesforce Settings, under the Mobile App menu in Setup, you can choose whether users can see onboarding tips or send feedback to Salesforce from the mobile app.
You can also control whether Salesforce imports Contacts from Mobile device contact lists.
Once your Mobile app is set up (with your app, navigation, branding, and offline access), and a user has logged in, the Connected App for Salesforce Mobile App and/or for SalesforceA will appear in the Connected Apps list.
In this screenshot, you can see I am working with an Android phone.
In Manage Connected Apps, the following will appear:
By clicking on Salesforce for Android (or Salesforce for iOS if you have iOS users), you go through to the Connected App and can manage its policies. Defaults are set that enable the app to operate from the get-go.
Use the “New” button on the Custom Attributes list to set attributes that differ from the defaults. Here are some attributes I found interesting:
- DISABLE_EXTERNAL_PASTE: set to TRUE to disable copying and pasting within and outside of the Salesforce Mobile App. (Android and iOS)
- ENABLE_SHARE: set to FALSE to remove the share icon from all shareable pages in the Salesforce Mobile App. (Android and iOS)
- SHOW_PRINT: set to TRUE to let users print from the Salesforce Mobile App. (iOS)
The OAuth Scopes applied to the Connected App are:
- Perform requests on your behalf at any time
- Provide access to custom applications
- Access your basic information
- Allow access to content resources
- Allow access to Lightning applications
- Provide access to your data via the Web
- Access and manage your data
It is possible to apply additional Custom Scopes. I have not yet had to apply them for Salesforce Mobile App.
SalesforceA
SalesforceA is the Salesforce Administrators’ Mobile App. It is a really useful app for those calls an Admin may receive about resetting passwords or freezing users while away from the desk. The iOS version of the app allows the admin to assign permission sets and create new users! It’s also useful for checking the current status of your org from Salesforce Trust. You can also now run a readiness check for Lightning Experience and Salesforce Optimizer!
The OAuth Scopes for the SalesforceA Connected App are:
- Perform requests on your behalf at any time
- Access your basic information
- Provide access to your data via the Web
- Access and manage your data
It is highly recommended that the OAuth Policies are set to “Admin approved users are pre-authorised” and that the System Administrator profile is added to the Profiles list. Decisions may also need to be made about whether to enforce IP restrictions and how to handle refresh tokens for this app.
I intend to cover more about Connected Apps in a separate set of Connected App notes.
So how does the Salesforce Mobile App authenticate with Salesforce?
- Once the app is downloaded, you open the Salesforce Mobile App and an authentication prompt is displayed, in which you enter your username and password.
- The Salesforce Mobile App initiates the OAuth authorisation flow by sending the credentials to Salesforce.
- Salesforce successfully validates the user and sends the mobile app an access token and a refresh token.
- The mobile app screen will ask if you wish to grant access to the Salesforce Mobile App. If you approve, the Salesforce Mobile App starts and your session is active.
- If your session is “stale”, the refresh token sent with the initial authorisation can be used to request an updated session from Salesforce.
This is the OAuth 2.0 User Agent Flow. I’ll cover more about that in the OAuth 2.0 User Agent Flow notes.
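To make the steps above concrete, here is an added illustration of the user-agent flow in Python. It is not the Salesforce Mobile App’s own code: the client id, redirect URI, token values and the `fake_salesforce_transport` stand-in for the token endpoint are all constructed placeholders so that it runs offline. The two endpoint paths, the `response_type=token` parameter, `display=touch` and the `refresh_token` grant are real Salesforce OAuth 2.0 parameters; the session lifetime is an assumed value.

```python
"""Added illustration of the OAuth 2.0 user-agent flow described in the notes.

Constructed example, not the Salesforce Mobile App's real code: client id,
redirect URI and token values are placeholders, and `fake_salesforce_transport`
replaces the real HTTPS POST to the token endpoint so the example runs offline.
"""
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Real Salesforce OAuth 2.0 endpoint paths.
AUTHORIZE_PATH = "/services/oauth2/authorize"
TOKEN_PATH = "/services/oauth2/token"


def build_authorize_url(login_host, client_id, redirect_uri, scope):
    """Steps 1-2: the app opens this URL and Salesforce shows the login prompt.
    response_type=token selects the user-agent flow, so tokens are returned in
    the redirect URL's fragment rather than via a server-side code exchange."""
    params = {
        "response_type": "token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "display": "touch",  # mobile-optimised login page
    }
    return f"https://{login_host}{AUTHORIZE_PATH}?{urlencode(params)}"


def parse_callback_fragment(callback_url):
    """Step 3: after approval Salesforce redirects to the app's redirect URI with
    the tokens in the fragment (#...), never in the query string or a log line."""
    parsed = urlparse(callback_url)
    if not parsed.fragment:
        raise ValueError("no token fragment in callback URL")
    fields = {k: v[0] for k, v in parse_qs(parsed.fragment).items()}
    for required in ("access_token", "instance_url"):
        if required not in fields:
            raise ValueError(f"callback missing {required}")
    # refresh_token is only present when the app was granted the
    # "Perform requests on your behalf at any time" scope.
    return fields


class MobileSession:
    """Holds the tokens and refreshes the access token when the session is stale."""

    def __init__(self, tokens, client_id, login_host, lifetime_seconds, now=time.time):
        self.client_id = client_id
        self.login_host = login_host
        self.access_token = tokens["access_token"]
        self.instance_url = tokens["instance_url"]
        self.refresh_token = tokens.get("refresh_token")
        self.lifetime = lifetime_seconds  # assumed session lifetime, in seconds
        self._now = now
        self.issued_at = now()
        self.refresh_count = 0

    def is_stale(self):
        return self._now() - self.issued_at >= self.lifetime

    def refresh(self, transport):
        """Step 5: exchange the refresh token for a new access token.
        `transport(url, form)` stands in for an HTTPS POST and returns the JSON
        body Salesforce sends back (access_token, instance_url, ...)."""
        if not self.refresh_token:
            raise PermissionError("no refresh token: the user must log in again")
        form = {
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "refresh_token": self.refresh_token,
        }
        body = json.loads(transport(f"https://{self.login_host}{TOKEN_PATH}", form))
        if "access_token" not in body:
            raise RuntimeError(body.get("error_description", "refresh failed"))
        self.access_token = body["access_token"]
        self.instance_url = body.get("instance_url", self.instance_url)
        self.issued_at = self._now()
        self.refresh_count += 1
        return self.access_token


def fake_salesforce_transport(url, form):
    """Constructed stand-in for the token endpoint; only honours the placeholder."""
    if form.get("grant_type") != "refresh_token" or form.get("refresh_token") != "REFRESH-PLACEHOLDER":
        return json.dumps({"error": "invalid_grant", "error_description": "expired access/refresh token"})
    return json.dumps({"access_token": "ACCESS-PLACEHOLDER-2",
                       "instance_url": "https://example.my.salesforce.com", "token_type": "Bearer"})


def demo():
    """Runs the whole flow with a constructed clock so staleness is deterministic."""
    clock = [1_000_000]
    url = build_authorize_url("login.salesforce.com", "CLIENT-ID-PLACEHOLDER",
                              "sfdc://oauth/done", "api refresh_token")
    callback = ("sfdc://oauth/done#access_token=ACCESS-PLACEHOLDER-1&refresh_token=REFRESH-PLACEHOLDER"
                "&instance_url=https%3A%2F%2Fexample.my.salesforce.com&token_type=Bearer")
    session = MobileSession(parse_callback_fragment(callback), "CLIENT-ID-PLACEHOLDER",
                            "login.salesforce.com", lifetime_seconds=7200, now=lambda: clock[0])
    clock[0] += 7201  # advance past the assumed lifetime: the session is now stale
    if session.is_stale():
        session.refresh(fake_salesforce_transport)
    return url, session


if __name__ == "__main__":
    auth_url, s = demo()
    print(auth_url)
    print("refreshed:", s.refresh_count, "stale now:", s.is_stale())
```

The point to take from this for the policy discussion above is that the refresh token is what lets the app recover a stale session without re-prompting for credentials, which is why the refresh-token policy on the Connected App (and whether the grant includes the “Perform requests on your behalf at any time” scope) deserves a deliberate decision.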