Connected App IP Relaxation and Continuous IP Enforcement

For security reasons, if you relax IP restrictions for your connected app, and your org has enabled Enforce login IP ranges on every request, users can’t access the app in some circumstances. This access restriction applies to all OAuth-enabled connected apps, including mobile devices.

Required Editions

Available in: both Salesforce Classic and Lightning Experience

Connected Apps can be created in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions

Connected Apps can be installed in: All editions

Note Connected apps creation is restricted as of Spring ‘26. You can continue to use existing connected apps during and after Spring ‘26. However, we recommend using external client apps instead. If you must continue creating connected apps, contact Salesforce Support.

See New connected apps can no longer be created in Spring ‘26 for more details.

SAML-enabled connected apps aren’t affected, unless they are also OAuth-enabled for single sign-on.

Note IP restrictions are enforced only when they’re configured on a user’s profile. SAML bearer assertion and JWT bearer token flows always enforce IP restrictions regardless of the connected app policy.

Connected App IP Relaxation Settings and Continuous IP Enforcement
IP Relaxation	When Continuous IP Enforcement Is Disabled (Default)	When Continuous IP Enforcement Is Enabled
`Enforce IP restrictions`	A user running this app is subject to the org’s IP restrictions, such as IP ranges set in the user’s profile.	A user running this app is subject to the org’s IP restrictions, such as IP ranges set in the user’s profile.
`Enforce IP restrictions, but relax for refresh tokens`	A user running this app is subject to the org’s IP restrictions, such as IP ranges set in the user’s profile, during initial login. These restrictions are relaxed when the app later uses a refresh token to obtain a new access token.	A user running this app is subject to the org’s IP restrictions, such as IP ranges set in the user’s profile, during initial login. These restrictions are relaxed when the app later uses a refresh token to obtain a new access token. However, for security reasons, users can’t: Change their password Register a verification method Access pages in a login flow
`Relax IP restrictions for activated devices`	A user running this app bypasses the org’s IP restrictions when either of these conditions is true. The app has a list of allowed IP ranges and is using the web server OAuth authorization flow. Only requests coming from these IPs are allowed. The app doesn’t have a list of allowed IP-ranges, but it uses the web server authentication flow, and the user successfully completes identity verification if accessing Salesforce from a new browser or device.	A user running this app bypasses the org’s IP restrictions when either of the OAuth conditions in the previous column is true. However, for security reasons, users can’t: Change their password Register a verification method Access pages in a login flow
`Relax IP restrictions`	A user running this connected app is not subject to any IP restrictions.	A user running this connected app is not subject to any IP restrictions. However, for security reasons, users can’t: Change their password Register a verification method Access pages in a login flow

Did this article solve your issue?

Let us know so we can improve!

Connected App IP Relaxation and Continuous IP Enforcement

Required Editions

General Information

Required Cookies

Functional Cookies

Advertising Cookies

General Information

Required Cookies

Functional Cookies

Advertising Cookies

Cookie List

Product Area

Feature Impact

Edition

Experience

Connected App IP Relaxation and Continuous IP Enforcement

Required Editions