Can I block access to to my employees from outside of work? - Answers - Salesforce Trailblazer Community
Trailblazer Community
Ask Search:
James PosnettJames Posnett 

Can I block access to to my employees from outside of work?

I don't want them to be able to access salesforce from personal pcs at home.  However, I want to retain the capability for myself.  Thx.
Joey ChanJoey Chan
Yes you can!

You can set rules per profile on what IP Address range they can login from and you could also specify the time.

Simply go to any profile and you should be able to see a setting named Login Hours and Login IP Ranges
Pierre Despatis-DupontPierre Despatis-Dupont

Viewing and Editing Login IP Address Ranges in the Original Profile User Interface

Available in: All Editions

User Permissions Needed
To view login IP ranges: “View Setup and Configuration”
To edit login IP ranges: “Manage Users”
To delete login IP ranges: “Modify All Data”

You can set the IP addresses from which users with a particular profile can log in. When you define IP address restrictions for a profile, any login from an undesignated IP address is denied, and any login from a specified IP address is allowed. To set IP addresses on profiles:

  1. The procedure you use to restrict the range of valid IP addresses on profiles depends on your Edition:
    • If you're using Enterprise Edition, Unlimited Edition, or Developer Edition, click Your Name | Setup | Manage Users | Profiles, and select a profile.
    • For Professional Edition, Group Edition, and Personal Edition, click Your Name | Setup | Security Controls | Session Settings.
  2. Click New in the Login IP Ranges related list.
  3. Enter a valid IP address in the IP Start Address and a higher IP address in the IP End Address field.

    The start and end addresses define the range of allowable IP addresses from which users can log in. To allow logins from a single IP address, enter the same address in both fields. For example, to allow logins from only, enter as both the start and end addresses.

    • Partner User profiles are limited to 5 IP addresses. Contact to increase this limit.
    • The mobile application bypasses IP range definitions set up for profiles. When accessing dashboards and Visualforce pages, the mobile application initiates a secure connection to Salesforce over the mobile carrier's network, but the mobile carrier's IP addresses might be outside of the IP ranges allowed on the user's profile.

  4. Click Save.

Both IP addresses in a range must be either IPv4 or IPv6. In ranges, IPv4 addresses exist in the IPv4-mapped IPv6 address space ::ffff:0:0 to ::ffff:ffff:ffff, where ::ffff:0:0 is and ::ffff:ffff:ffff is A range can't include IP addresses inside of the IPv4-mapped IPv6 address space if it also includes IP addresses outside of the IPv4-mapped IPv6 address space. Ranges such as to ::1:0:0:0 or :: to ::1:0:0:0 are not allowed. You can set up IPv6 addresses in all organizations, but IPv6 is only enabled for login in sandbox organizations for the Spring '12 release.

Cache settings on static resources are set to private when accessed via a site whose guest user's profile has restrictions based on IP range or login hours. Sites with guest user profile restrictions cache static resources only within the browser. Also, if a previously unrestricted site becomes restricted, it can take up to 45 days for the static resources to expire from the Salesforce cache and any intermediate caches.