The purpose of this blog is to offer policy recommendations that give guidance and governance for using Salesforce1® Mobile on mobile phones, tablets, and other mobile devices.
This policy is our recommendation only, but please ensure that you read it in conjunction with any other company policy and legal requirements relating to mobile devices.
Background – Why Employ a Mobile Policy?
Depending on how Salesforce1 Mobile has been configured by the company’s system administrator, much of the business data is accessible within it. Utilising mobile devices to access this information is often important for the business to achieve its goals in an efficient manner.
However, mobile devices also represent a significant risk to data security and information security. If appropriate security procedures are not applied, mobile devices can allow unauthorised access to the company’s data, some of which may be confidential information. This can subsequently lead to data leakage and system infection.
Users often do not recognise that mobile devices are a threat to IT, business and data security, and therefore do not apply the same level of protection as they would to desktop computers within an office. This is especially the case when users access business information on their own personal device.
The policies outlined in this document provide a set of recommendations for users to safely use mobile devices to maintain the privacy and integrity of company information via Salesforce1 Mobile.
All mobile devices, inclusive of mobile phones and tablets, whether company-owned or personal, that are used to access business information should be included within the scope of this policy recommendation.
Recommended Salesforce1 Mobile Policy
- All mobile devices provide the ability to add passcode access to the operating system including all installed applications and data. Without this passcode, the device is ‘locked’. In order to protect company data within Salesforce1 Mobile, users must activate this passcode access to lock the device during periods of inactivity. The passcode should be as strong as possible to prevent guessing by unauthorised users.
- The Salesforce1 Mobile application should be kept up-to-date. This should be done using the mobile device’s automatic application updates. If manual updating of applications is used, the user should perform a check at least once a month for any new Salesforce1 Mobile updates.
- Users must report all lost or stolen devices to the Salesforce system administrator immediately.
- If a user suspects that there has been any unauthorised access to Salesforce1 Mobile via their device, they must report the incident to the Salesforce system administrator immediately.
- Users should not copy any confidential information from Salesforce to their mobile device or external application. If information has to be copied and emailed and users are utilising multiple email accounts on the mobile device, they must be cautious about copying to the work email rather than a personal email account.
- The mobile device must not be jailbroken or rooted.
- Mobile devices must not have any software or firmware installed that is designed to gain unauthorised access to other applications.
- Devices must not be connected to a PC which does not have up-to-date and enabled anti-malware protection.
- System administrators should utilise Salesforce1 security features to restrict user access to the Salesforce1® platform to fit company requirements. Options for restricting access include restricting mobile access by platform (Apple iOS, Android, Windows, Blackberry) or restricting login hours.
The Salesforce1 application provides access to data and functions based upon the core permissions and rights defined for each user by their Salesforce administrator. Mobile users are never able to view or access more than their permissions allow.
During the initial login, the device is uniquely identified and paired with the mobile user’s account using the OAuth 2.0 protocol. After initial login, no password is exchanged in the communication between the mobile client and the Salesforce server. Therefore, the Salesforce password is not stored on the device and is not required even when the password is changed or has expired.
Upon initial activation of the Salesforce1 Mobile application, the user is prompted (if required by the administrator) to create a passcode, which is used to unlock the application after an administrator-defined period of inactivity or a reboot. The passcode lock protects lost or stolen devices that may have their wireless connection disabled and so cannot have their OAuth token revoked remotely. Salesforce1 guards against brute-force attacks on the passcode by erasing all locally stored data after 10 failed attempts. Reactivation is required to continue using the application.
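The behaviour described in the two paragraphs above (an OAuth pairing token held instead of the account password, an application passcode that re-locks after an idle period or reboot, and a wipe of all locally cached data after 10 failed attempts followed by mandatory reactivation) is illustrated below as an added example. It is not Salesforce's code; the class name, the 300-second idle timeout, the salted PBKDF2 hashing of the passcode and the sample cached record are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 10      # figure stated on the page
IDLE_TIMEOUT_SECONDS = 300    # assumed administrator-defined inactivity period


class PasscodeLock:
    """App-level passcode lock guarding locally cached Salesforce data (illustrative)."""

    def __init__(self, passcode: str, oauth_token: str, now: float):
        # Only a salted, stretched hash of the passcode is kept on the device;
        # the user's Salesforce account password is never stored at all.
        self._salt = os.urandom(16)
        self._digest = self._hash(passcode)
        self.oauth_token = oauth_token            # pairing credential from first login
        self.cache = {"accounts": ["Acme Corp"]}  # constructed sample of cached data
        self.failed_attempts = 0
        self.locked = False
        self.wiped = False
        self.last_activity = now

    def _hash(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 100_000)

    def is_locked(self, now: float) -> bool:
        """The app is locked explicitly (reboot, wipe) or once the idle timeout elapses."""
        if self.wiped or self.locked:
            return True
        if now - self.last_activity >= IDLE_TIMEOUT_SECONDS:
            self.locked = True
        return self.locked

    def unlock(self, passcode: str, now: float) -> str:
        """Attempt to unlock; returns the resulting state as a short string."""
        if self.wiped:
            return "needs_reactivation"
        # Constant-time comparison so timing does not leak how close a guess was.
        if hmac.compare_digest(self._hash(passcode), self._digest):
            self.failed_attempts = 0
            self.locked = False
            self.last_activity = now
            return "unlocked"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self._wipe()
            return "wiped"
        return "wrong_passcode"

    def _wipe(self) -> None:
        """Erase everything cached locally, including the OAuth pairing token."""
        self.cache = {}
        self.oauth_token = None
        self._digest = b""
        self.wiped = True
        self.locked = True

    def reactivate(self, oauth_token: str, passcode: str, now: float) -> bool:
        """A fresh OAuth login pairs the device again and sets a new passcode."""
        if not self.wiped:
            return False
        self.__init__(passcode, oauth_token, now)
        return True

    def read_cache(self, now: float):
        """Cached records are readable only while the app is unlocked."""
        if self.is_locked(now):
            return None
        self.last_activity = now
        return self.cache
```

The point for administrators is that the wipe removes the OAuth token along with the cached records, so a device that is offline and cannot be revoked from the server side still ends up holding nothing of value once the attempt limit is reached.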
Salesforce1 does not currently support any external memory. The data stored locally on the device is saved in the device’s embedded memory and never on an external memory card.
Optional Enhanced Security
If Salesforce data contains confidential information and mobile access is still required, the company should consider using Good for Salesforce1. This enhances the security and protection of data within Salesforce1 Mobile.
* This policy is a recommendation only and should be read in conjunction with any other company policies or legislation that is operational within your organisation in relation to mobile devices.