You can associate applications with their own security policies, just as you can set up security policies for users. Specifically, application security policies define:
- Whether you require one-time password (OTP) authentication when users sign into a specific app.
- Whether users can skip entering an OTP if they already entered one within a defined number of minutes earlier in their session.
- The IP addresses from which users can access the app.
By allowing specific applications to have their own OTP policies, you can remove the OTP requirement from individual user policies while still maintaining strong authentication for the applications that require it. Likewise, by restricting app usage to particular IP addresses, you can prevent users from accessing that app from outside your firewall, regardless of their user-based security policy.
You can apply an application security policy to all users of an app, and you can add an alternate application security policy for users in a particular role.
Creating an application security policy
- Go to Settings > Policies and click the New App Policy button.
- On the Settings page, name the policy and select your policy options:
  - Require OTP verification on launch: requires users to provide an OTP to access the app.
  - Skip if OTP received within n minutes: asks for an OTP only if the user hasn't already entered one within the number of minutes you select from the drop-down (for example, when signing in to OneLogin to launch another app).
  - IP Address Restrictions: lets you enter a whitelist of allowed IP addresses. Enter the IP addresses from which your users will be able to access the apps that use this policy. Leave this field blank to let users access the apps from any IP address. Whether or not you restrict access to the apps to a particular set of IP addresses, the OTP policy set under One-time passwords remains in effect: if you enter an IP address and require OTP verification, your users must still provide an OTP when they access a policy-restricted app from that IP address. If a user attempts to access the app from an unlisted IP address, they are denied access regardless of the OTP setting.
Applying the policy
This section describes how to apply an application security policy to all users of an app. For role-based application policies, see Adding a role-based policy.
- Go to Apps > Company Apps > App Name and select the Access Control tab.
- Select the policy from the Policy drop-down.
- Click Save. In our example, the Salesforce app now adheres to the new security policy and demands an OTP unless the user has already entered one within the last 30 minutes.
Adding a role-based policy
Instead of applying the same application security policy to all users of an app, you can specify an alternate policy for a specific role. This enables you to require some users to provide OTP verification for the app, for example, while letting other users sign in with only a user ID and password.
- On the Access tab for the app, click ADD ROLE-SPECIFIC POLICY.
- Under Role-Based Policy, select a role and the policy that you want to apply to the role from the drop-downs.
  The role must be enabled for the app. You can enable it by clicking the role name under Roles.
Now the users in the selected role have the access requirements specified by the application security policy you applied to the role, and the users in the other roles with access to the app have the policy that you selected from the Policy drop-down.
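To make the interaction of the three settings and the role override concrete, here is an added illustration (not OneLogin's code) that models the decision order described on this page: an unlisted IP address is denied regardless of OTP state, the OTP prompt is skipped inside the configured window, and a role-specific policy replaces the app-wide policy for users in that role. The policy field names, the `203.0.113.0/24` allowlist, the "Contractor" role and the rule that the first matching role wins are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class AppPolicy:
    """Hypothetical model of one application security policy (field names are assumptions)."""
    name: str
    require_otp: bool = False          # "Require OTP verification on launch"
    skip_otp_within_minutes: int = 0   # "Skip if OTP received within n minutes"; 0 = always ask
    ip_allowlist: tuple = ()           # "IP Address Restrictions"; empty = any address

def effective_policy(app_policy, role_policies, user_roles):
    """Pick the role-specific policy for a user in that role, else the app-wide policy.
    Assumption: when several of the user's roles carry a policy, the first listed role wins."""
    for role in user_roles:
        if role in role_policies:
            return role_policies[role]
    return app_policy

def evaluate(policy, source_ip, now, last_otp_at):
    """Return 'deny', 'otp_required' or 'allow' in the order the settings describe."""
    # 1. IP restriction is checked first: an unlisted address is denied regardless of OTP state.
    if policy.ip_allowlist:
        addr = ip_address(source_ip)
        if not any(addr in ip_network(net, strict=False) for net in policy.ip_allowlist):
            return "deny"
    # 2. OTP on launch, unless one was entered within the skip window.
    if policy.require_otp:
        window = timedelta(minutes=policy.skip_otp_within_minutes)
        if last_otp_at is not None and window and now - last_otp_at <= window:
            return "allow"
        return "otp_required"
    return "allow"

# Constructed sample data: documentation-only address ranges and a fixed clock.
NOW = datetime(2024, 1, 1, 12, 0)
SALESFORCE = AppPolicy("Salesforce default", require_otp=True,
                       skip_otp_within_minutes=30, ip_allowlist=("203.0.113.0/24",))
PASSWORD_ONLY = AppPolicy("Contractors", require_otp=False, ip_allowlist=("203.0.113.0/24",))
ROLE_POLICIES = {"Contractor": PASSWORD_ONLY}

def minutes_ago(n, now=NOW):
    return now - timedelta(minutes=n)

if __name__ == "__main__":
    for ip, last in [("198.51.100.7", NOW), ("203.0.113.10", None),
                     ("203.0.113.10", minutes_ago(10)), ("203.0.113.10", minutes_ago(31))]:
        print(ip, last, "->", evaluate(SALESFORCE, ip, NOW, last))
    contractor = effective_policy(SALESFORCE, ROLE_POLICIES, ["Contractor"])
    print("contractor ->", evaluate(contractor, "203.0.113.10", NOW, None))
```

Note that a fresh OTP does not rescue a request from an unlisted address, which is the precedence the IP Address Restrictions setting describes.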