Set Up and Maintain Your Salesforce Organization
          External Client Apps: Mobile App Settings: Mobile Screen Lock Control

          Control Name

          External Client Apps: Mobile App Settings: Screen lock - Select

          Recommended Configuration

          Screen lock - Select.

          Control Overview

          The control enforces a mandatory authentication mechanism, such as a PIN, password, or biometric factor, that must be successfully validated before a user can access the mobile application or the device environment.

          Security Risk If Not Configured

          The absence of a screen lock allows unauthorized individuals with physical access to the device to bypass local authentication and gain immediate entry to sensitive application data and authenticated sessions.

          Threat Scenarios

          A threat actor could exploit a lost or stolen device by accessing the mobile application to exfiltrate cached data, perform unauthorized transactions, or harvest session tokens for lateral movement.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          The potential impact includes the unauthorized disclosure of personally identifiable information (PII), loss of intellectual property, and regulatory non-compliance resulting from a failure to protect data at rest.

          Higher Risk When

          Risk is higher when the application caches sensitive credentials locally, retains long-lived session tokens, or operates in a high-theft environment where device turnover is frequent.

          Low Risk When

          Risk is lower when the application uses short session timeouts, enforces its own application-level re-authentication, or runs on a device managed via a sandbox that encrypts data independently of the OS lock.

          Business and Integration Considerations

          Implementation may require integration with mobile device management (MDM) policies or local API calls to verify device compliance, which could increase user friction and support overhead for legacy hardware.

          Recommended Remediation

          Configure the mobile application to query the operating system’s security status and restrict access to the application interface unless a system-level screen lock is verified as active.

          Security Health Review Guidance

          Align the mobile security posture with the principle of least privilege by making sure that local data remains encrypted and inaccessible until a cryptographic key is released via successful user authentication.
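
The check described under Recommended Remediation and the key release described under Security Health Review Guidance, sketched for Android only. This is an added example, not Salesforce code or part of the original article. It assumes a minimum SDK of 30; the key alias, the function names and the 30-second validity window are constructed for illustration.

```kotlin
import android.app.KeyguardManager
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Hypothetical alias for this example; not a Salesforce identifier.
private const val KEY_ALIAS = "example_local_data_key"

/** True when the OS reports that a PIN, pattern or password is set. */
fun isScreenLockActive(context: Context): Boolean {
    val keyguard = context.getSystemService(KeyguardManager::class.java)
    return keyguard?.isDeviceSecure == true
}

/**
 * Returns the AES key that protects cached data, or null when no screen lock
 * is configured. A null result means the caller should block the app UI.
 */
fun localDataKeyOrNull(context: Context): SecretKey? {
    if (!isScreenLockActive(context)) return null

    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (keyStore.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }

    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        // The key is usable only within 30 s (constructed value) of a successful
        // device-credential or strong-biometric authentication.
        .setUserAuthenticationRequired(true)
        .setUserAuthenticationParameters(
            30, KeyProperties.AUTH_DEVICE_CREDENTIAL or KeyProperties.AUTH_BIOMETRIC_STRONG
        )
        .build()

    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}
```

Android permanently invalidates a key created this way if the screen lock is later removed, so data encrypted under it stays unreadable on a device that no longer meets the control.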

           