Other Security Changes: TLS 1.2 Compliance and Session-Security-Level Policies

Starting in October 2019, all inbound connections to or outbound connections from your Salesforce org must use TLS 1.2. You can now require that users have a high-assurance session security level before accessing sensitive Setup pages or objects, or you can block users based on session level.

Require TLS 1.2 for HTTPS Connections (Critical Update)

To maintain the highest security standards and promote the safety of your data, Salesforce is disabling the older Transport Layer Security (TLS) 1.1 encryption protocol. Starting in October 2019, all inbound connections to or outbound connections from your Salesforce org must use TLS 1.2. Verify that your browser access, API integrations, and other Salesforce features are compliant with TLS 1.2.

Where: This change applies to Lightning Experience, Salesforce Classic, and all versions of the Salesforce app in all editions.

When: This critical update is enforced on October 25, 2019. Orgs created after this date require TLS 1.2 by default.

How: We recommend that you test this update in a sandbox or Developer Edition org to verify end-to-end compatibility before enabling it in your production org.

To activate this critical update before October 25, 2019, from Setup, enter Critical Updates in the Quick Find box, then select Critical Updates. For Require TLS 1.2 for HTTPS Connections, click Activate.
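The TLS 1.2 verification recommended above can be scripted from the machine that runs an integration, or pointed at an endpoint that your org connects to. This is an added example, not Salesforce code: the helper names pinned_context, probe and assess are hypothetical, and the host you pass in is your own.

```python
import socket
import ssl


def pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that negotiates exactly one protocol version."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = version       # lower the floor first, then the ceiling
    ctx.maximum_version = version
    return ctx


def probe(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0):
    """Return the negotiated protocol name (e.g. 'TLSv1.2'), or None on failure."""
    try:
        ctx = pinned_context(version)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ValueError):
        # OSError covers ssl.SSLError, refused connections and timeouts;
        # ValueError is raised when the local OpenSSL build lacks the version.
        return None


def assess(host: str, port: int = 443) -> dict:
    """Summarise whether this client/endpoint pair meets the TLS 1.2 requirement."""
    tls12 = probe(host, port, ssl.TLSVersion.TLSv1_2)
    # Informational only: None here can also mean the local OpenSSL policy
    # refuses TLS 1.1, not just that the remote endpoint rejected it.
    tls11 = probe(host, port, ssl.TLSVersion.TLSv1_1)
    return {
        "host": host,
        "client_supports_tls12": ssl.HAS_TLSv1_2,
        "compliant": tls12 == "TLSv1.2",
        "tls11_still_accepted": tls11 is not None,
    }


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:  # hosts supplied by you on the command line
        print(assess(target))
```

A result with compliant set to False means the TLS 1.2 handshake did not complete from this machine, so that client or endpoint needs attention before the enforcement date.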

Manage Access to Certificates and Event Log Files with Session-Security-Level Policies

Require that users have a high-assurance session level before accessing certain Setup pages or objects. You can even block users altogether. Manage access to two-factor authentication, certificates, connected apps, and event log files by modifying session-security-level policies.

Where: This change applies to Salesforce Classic and Lightning Experience in all editions.

Why: These session-security-level policies are new.
  • Manage Certificates (1)—Controls access to the Certificate and Key Management Setup page, Single Sign-On Settings Setup page, and the Certificate object.
  • Manage Connected Apps (2)—Controls access to the Connected Apps Setup pages and to creating connected apps through the App Manager Setup page.
  • Manage Two-Factor Authentication in API (3)—Controls access to the VerificationHistory, TwoFactorInfo, and TwoFactorTempCode objects.
  • Manage Two-Factor Authentication in User Interface (4)—Controls access to the Identity Verification History Setup page and the VerificationHistory, TwoFactorInfo, and TwoFactorTempCode objects.
  • View Event Log Files (5)—Controls access to the EventLogFile object.
[Screenshot: Session Security Level Policies Setup page]

How: From Setup, enter Identity Verification in the Quick Find box, then select Identity Verification. Locate the Session Security Level Policies section, and update the Manage Sharing setting.

Stabilize the Hostname for My Domain URLs in Sandboxes (Critical Update, Postponed)

This critical update, released in Summer ’18, was scheduled for auto-activation in Winter ’20, but has been postponed to Summer ’20.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, and Database.com editions.