Security Updates in Spring ‘18


Every Spring season brings with it the opportunity for a fresh start. Another thing that Spring brings every year: a new Salesforce release! What better time to think about making some updates to the way you secure your data? In this post, we’ll highlight some of the most important security updates for Admins in the Spring ‘18 release.

Security Health Check

First up is Health Check – the amazing, free security tool that comes standard with every CRM implementation. What’s new in this release? Health Check has six new settings, including a setting requiring secure connections (verified by the green padlock icon next to the URL in your browser) for all third-party domains. Enabling this setting will help protect your users from visiting unsecured, or non-HTTPS, web domains.

If you’re already a Health Check expert and using custom baselines, it’s now possible to update them right from the UI! Rather than having to import a whole new set of baselines, you are able to add individual settings directly from the interface. If you already have a custom baseline uploaded, you’ll be prompted to update it the next time you log in with new Health Check settings. Just click “Update Baseline” when promoted to automatically add the settings. If you cancel, you are prompted again the next time you load the baseline.

Authentication and Identity

Starting with Spring ‘18, you can now control when community users are challenged to verify their identity, making it easier for users to log in to community sites. In addition, the process to set up identity verification is simpler through a centralized Setup page.

If you have a community set up in your org, you can now specify different login policies, making the login process faster and easier for internal users. You are able to control access to the Salesforce app and communities separately, which allows you to create less strict policies for device activation and IP constraints for internal, trusted users to provide a better login experience. For example, you can set up less restrictive access policies for employees that log in to your community, but external users are subject to profile IP restrictions.

Improved social sign-on experiences with optimized authorization provider URLs is now standard in both Lightning Experience and Salesforce Classic. When implementing social sign-on (for example, logging in to Salesforce using Facebook credentials) users will now experience fewer HTTP redirects and improved performance by using subdomain and community-specific URLs. To further optimize and simplify URLs, the orgID was removed. These enhancements are available to orgs with My Domain deployed.

Already using social sign-on and loving it? You can now add dynamic branding to your Embedded Login and authentication providers, allowing you to extend your brand across multiple login experiences.

Other Security Updates

We’ve talked a little bit about the importance of educating your users about phishing. To help protect users from malicious links, we’ve added the ability to enable a warning to alert users before they leave the domain. This alert will occur whenever a user clicks a link taking them outside the domain. For added security, we also show the full URL and domain they’re navigating to.

To enable this feature, go to Setup and search “Session Settings.” Under “Redirections,” select “Warn users before they are redirected outside of Salesforce.” And that’s it. You’re done!

Hopefully, you learned something valuable by reading this post that will help in your everyday life as an #AwesomeAdmin. Keeping your org secure can be a challenge at times, but we’re here to help you make it as easy as possible! If you’re interested in learning more about how to secure your Salesforce data, we’ve included some helpful resources, below:

Get hands on with this trail
Learn how you and your users can work together to keep your data safe.

Multi-Factor Authentication: As Easy as Washing Your Hands!

How many times a day do you wash your hands? If you think this seems like an absurd question, and totally unrelated to security, you’re wrong… kind of. How are security and health connected? Both require good personal hygiene, a concept as familiar as washing your hands or (you guessed it!) brushing your teeth. So, […]


Critical Update: Ensure Users Have Access to @AuraEnabled Methods

Winter ’21 is just around the corner and will include a critical update that could impact any page leveraging a custom component. As a Salesforce Admin, you’ve probably noticed this alert in your Security Alerts (Setup | Security | Security Alerts) and might have overlooked this. But because it involves permissions and user management, we […]


Learn MOAR with Summer ’20 Release Updates Setup Page

Discover Summer ’20 Release features! We are sharing five release highlights for admins and developers, curated and published by our evangelists as part of Learn MOAR. Complete the trailmix by July 31, 2020, to get a special community badge and unlock a $10 contribution to Bibliothèques Sans Frontières (Libraries Without Borders). Every Salesforce Release holds […]


Have an Idea for a Story?

We are all about the community and sharing ideas.
Do you have an interesting idea or useful tip that you want to share?