Tuesday, September 23, 2014

How to enable Salesforce1 access by Profile / User?

By default, all users able to login to able to login to Salesforce1 mobile app. But, can we control Salesforce1 app only for some users or by user profiles?  YES, here we go:

1. Setup Connected Apps
  • Setup - Manage Apps - Connected Apps, select both Salesforce1 for iOS and Salesforce1/Chatter for Android as user may use both devices.
  • Click Edit next to Salesforce1 for iOS
  • Change Permitted Users under OAuth policies from All Users may self-authorize to Admin-approved users are pre-authorized
  • To enhance security, you can enable PIN under Mobile Integration in this page
  • Save
  • Repeat the same for Salesforce1/Chatter for Android

2. Enable Profiles or Permission Sets
  • Once step 1 above done, click on Salesforce1 for iOS & Salesforce1/Chatter for Android link (not Edit link)
  • You will notice Profiles & Permission Sets related list added (this is because Permitted Users now is set to Admin-approved users are pre-authorized)
  • Click Manage Profiles or Manage Permission Sets button 
  • Select Profiles or Permission Sets to enable
  • Save
You can do the same from Profile page as well, look for Connected App Access section, then enable Salesforce1/Chatter for Android and .

The same for Permission Set:

When Permitted Users set to All Users may self-authorize, user will see below screen to self approve

Once it change to Admin-approved users are pre-authorized, for user not in the approved list, user will see error below:

You can monitor user login using Salesforce1 from Login History, see Application column.

Note: until Winter '15 release, even access to Salesforce1 is not success, because user is not in approve list, but login history Status for that login is still captured as Success.

Reference: Editing a Connected App