Salesforce1 MDM and EMM Support

Knowledge Article Number 000229996
Description: If you're looking for an additional level of security compliance, Salesforce1 provides interoperation with the most popular MDM (Mobile Device Management) suites and supports application containerization.

Customers can integrate Salesforce1 for Android v8.0+ and Salesforce1 for iOS v10.0+ with the enhanced functionality that MDM systems provide for distribution and control over the device.

Additional information is available in our Public Salesforce1 Mobile Security Guide.

Notes on Salesforce MDM Support 

  • We do not provide instructions on how to configure your MDM systems. Please discuss specific implementation or setup steps with your MDM vendor.
  • We do not support a wrapper or container app that tries to run Salesforce1 within it.  
  • We do not provide .ipa files at this time. 

Highlights of features available with Salesforce1 (S1) v8.0+ hybrid clients:

Prerequisite for Salesforce1 for Android: Configure Android for Work (getting started link) for your org.
NOTE: Here is a brief summary of Android for Work that customers might find useful. It is important to note that Android customers can choose any compliant Enterprise Mobility provider. Android for Work is primarily used to expose APIs that enterprise mobility management (EMM) providers and enterprise application developers can use to deliver secure data transmission.
  • Certificate-based authentication: Use X.509 certificates either to speed up user authentication or as a second factor in the login process.
  • Per-App VPN: Unlike bulky device-wide VPNs, Salesforce1 can automatically route data through a lightweight VPN connection.
  • Automatic custom host provisioning: Use MDM configuration policies to push custom login host settings to Salesforce1.
  • Only run Salesforce1 on managed devices: Salesforce1 can be configured to authenticate only on devices with MDM software and to block access everywhere else.

Available Keys Passable in Configuration Settings:
| Key | Data Type | Platform | Description |
| --- | --- | --- | --- |
| RequireCertAuth | Boolean | Android, iOS | If true, the certificate-based authentication flow initiates. Android: Uses the user certificate on the device for authentication inside a webview. iOS: Redirects the user to Safari for all authentication requests. |
| ManagedAppCertAlias | String | Android | Alias of the certificate deployed on the device picked by the application for user authentication. Required for Android only. |
| AppServiceHosts | String, String Array | Android, iOS | Login hosts. First value in the array is the default host. Android: Requires https:// in the host URL. iOS: Doesn't require https:// in the host URL. |
| AppServiceHostLabels | String, String Array | Android, iOS | Labels for the hosts. The number of AppServiceHostLabels entries must match the number of AppServiceHosts entries. |
| OnlyShowAuthorizedHosts | Boolean | iOS | If true, prevents users from modifying the list of hosts that Salesforce1 can connect to. |
| ClearClipboardOnBackground | Boolean | iOS | If true, the contents of the iOS clipboard are cleared when the mobile app is backgrounded. This prevents the user from accidentally copying and pasting sensitive data outside of the application. |
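
A configuration payload can be checked against the rules in the key table above before it is pushed through an MDM console. The following is an added example, not Salesforce code: the function names, sample hosts and certificate alias are hypothetical, and it assumes ManagedAppCertAlias is needed on Android whenever RequireCertAuth is true.

```python
BOOL_KEYS = {"RequireCertAuth": {"android", "ios"},
             "OnlyShowAuthorizedHosts": {"ios"},
             "ClearClipboardOnBackground": {"ios"}}
KNOWN = set(BOOL_KEYS) | {"AppServiceHosts", "AppServiceHostLabels", "ManagedAppCertAlias"}


def as_list(value):
    """The table allows a single String or a String Array for the host keys."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_config(platform, cfg):
    """Return findings for one platform ('android' or 'ios'); empty list means clean."""
    findings = [f"{key}: not a key listed in the table" for key in sorted(set(cfg) - KNOWN)]
    for key, platforms in BOOL_KEYS.items():
        if key not in cfg:
            continue
        if not isinstance(cfg[key], bool):
            findings.append(f"{key}: must be Boolean")
        if platform not in platforms:
            findings.append(f"{key}: not listed for {platform}")
    hosts = as_list(cfg.get("AppServiceHosts"))
    labels = as_list(cfg.get("AppServiceHostLabels"))
    if "AppServiceHostLabels" in cfg and len(labels) != len(hosts):
        findings.append("AppServiceHostLabels: count must match AppServiceHosts")
    if platform == "android":
        for host in hosts:
            if not host.startswith("https://"):
                findings.append(f"AppServiceHosts: {host} needs https:// on Android")
        # Assumption: the alias is needed whenever cert auth is switched on.
        if cfg.get("RequireCertAuth") is True and not cfg.get("ManagedAppCertAlias"):
            findings.append("ManagedAppCertAlias: required on Android with RequireCertAuth")
    elif "ManagedAppCertAlias" in cfg:
        findings.append(f"ManagedAppCertAlias: not listed for {platform}")
    return findings


# Constructed sample payloads; hosts and alias are hypothetical.
GOOD_ANDROID = {"RequireCertAuth": True, "ManagedAppCertAlias": "corp-user-cert",
                "AppServiceHosts": ["https://login.example.com", "https://test.example.com"],
                "AppServiceHostLabels": ["Production", "Sandbox"]}
BAD_ANDROID = {"RequireCertAuth": "true", "ClearClipboardOnBackground": True,
               "AppServiceHosts": ["login.example.com"],
               "AppServiceHostLabels": ["Production", "Sandbox"]}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_ANDROID), ("bad", BAD_ANDROID)):
        print(name, lint_config("android", cfg))
```

The string "true" in the bad payload is flagged because the key is typed Boolean; a mistyped value there could leave certificate-based authentication disabled without any visible error in the MDM console.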

Answers for specific technical implementation questions

Please review the ACE (Application Configuration for Enterprise) or work with your MDM provider's support. 

Note: This page discusses the new standard-based aspects of MDM and EMM around mobile devices and offers technical details around the following capabilities:

App Configuration
App Tunnel
Single Sign On
Access Control
Security Policies
