Salesforce prides itself on the attention it pays to securing the platforms on which your Salesforce org sits – but that last mile which is your Salesforce org is in the hands of you and whomever you share your Salesforce administration duties with.
There are many, many facets to securing your Salesforce org; this blog post will cover only one aspect, a feature which arrived in the recent past but which I have seen few people adopt despite its benefits: ‘Time based tokens’ or ‘Two Factor authentication’ (2FA for short).
Traditionally the first line of defence is an excellent password, but I believe it should be standard practice for anyone who has administrative rights to your Salesforce org to be required to use 2FA to enhance authentication.
2FA works on the principle of using two separate mechanisms to prove your identity to Salesforce. In the real world this is as simple as a debit card and your debit card PIN: something you have (the card) and something you know (your PIN).
In Salesforce’s world, these two factors are your traditional username & password and the use of a mobile application called ‘Salesforce #’ (available in the iTunes App Store and Google Play stores).
Salesforce # is a mobile application that produces a new random number every 30 seconds using (one assumes) a secure and unpredictable mechanism. This is identical to what you may already use with your Google account using Google’s Authenticator, or with a physical RSA SecurID token your employer may use.
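Google's Authenticator generates its 30-second codes with the public TOTP standard (RFC 6238). The sketch below is an added example, not code from Salesforce or from this post; it assumes Salesforce # follows the same standard with SHA-1, a 30-second step and 6 digits, and it shows both the app side (deriving a code from the shared secret) and a server-side check with clock-drift tolerance and replay rejection.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for, as in the post
DIGITS = 6   # assumed code length


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, at, digits=DIGITS):
    """RFC 6238: the counter is the number of 30 s steps since the Unix epoch."""
    return hotp(key, int(at) // STEP, digits)


def verify(key, code, at, window=1, last_used=-1):
    """Server-side check: return the matching step counter, or None.
    window tolerates that many steps of phone clock drift either way;
    last_used is the counter of the last accepted code, so a code that
    was observed and replayed within its lifetime is rejected.
    """
    now = int(at) // STEP
    for counter in range(max(0, now - window), now + window + 1):
        if counter <= last_used:
            continue
        expected = hotp(key, counter).encode()
        if hmac.compare_digest(expected, code.encode()):  # constant time
            return counter
    return None


def key_from_qr(secret_b32):
    """Decode the base32 shared secret an enrolment QR code carries
    (otpauth:// convention used by Google Authenticator; assumed here)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    import time
    demo_key = key_from_qr("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # constructed
    print(totp(demo_key, time.time()))
```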
Setting up your token generator (To be repeated for all users who will use it)
Log into your Salesforce Org
Go to your ‘User Detail’ page and locate the ‘Time-Based Token’ item
Enter your username and password again
Start your mobile app.
Click ‘Add New key’
Take a photo of the QR code.
From now on Salesforce will use this token to verify you when you log in from an unknown computer (instead of emailing you the verification code).
In order to get Salesforce to use 2FA on login, you need to add the use of Time-Based Tokens to your user.
If you are using a custom Profile, you can add this option in the ‘System Permissions’ section
However, I prefer to use a Permission Set to do this.
Create a new Permission Set called ‘Two-Factor Authentication’
Tick the ‘Two-Factor Authentication for User Interface Logins’ in the ‘System Permissions’ section
Save the Permission Set
Make sure everyone who is going to be affected knows about the change! (See below)
Add the Permission Set to all users with System Administrator profile (or any other profile with sensitive rights).
Now when you log in you’ll see the traditional login screen, and then after you are successful with your username and password, you’ll see this screen.
Time to find where you left your phone!
What happens if the people assigned the permission set haven’t set up their time based token?
They’ll need to install the app; when they log in they’ll get a screen like the one below:
What happens if I delete the app by mistake?
On the iPhone at least, reinstalling it from the app store will recover your 2FA setup without any issues.
What happens if I delete the token configuration on my phone?
You can remove the token setup by swiping it and deleting it. If it’s gone, you’ll need another Administrator to remove your time based token on your User record to allow you to set it up again on your next login. It’s probably a good idea to have at least two Administrators configured for your org!
I picked up a copy of ‘Force.com Development Blueprints’ on Friday and I wanted to share some of my first impressions.
The book contains five blueprints:
Building a Salesforce community
An online store using Force.com and Heroku
A traditional CRM application
A reporting system with custom dashboards
A Force.com Mobile SDK application using Android and Microsoft Azure!
The first thing that surprised me was the technical breadth of the book; it’s not often you find one text that touches on Force.com, Android Development, Heroku, Azure and Angular.js. On this basis I think ‘Salesforce1 Development Blueprints’ may have been a more appropriate title.
The use of the word ‘Blueprint’ in the title of the book is, however, entirely accurate as these solutions are effectively reference architectures for each blueprint’s problem domain. They are the starting point from which you could build out your own solutions.
The book’s foreword states that it is targeted at ‘Intermediate Visualforce developers’ but I think its audience is much greater than that. Readers with a non-Salesforce development background may find this book quite useful as it quickly demonstrates the nature and style of solutions that you can build on the Salesforce1 Platform.
It’s currently on sale thanks to a Packt deal, and for $10 the ebook version is fantastic value (and the book is still good value at full price). You can buy it direct from Packt.
When I started working with Visualforce I found it quite time consuming to figure out what the various Visualforce tags and their options looked like when actually rendered on the page; I really wished that the tag reference included screenshots.
So, to help you out, that’s what I have done. I’ve put together some basic Visualforce tags and accompanying screenshots so you can:
see what that tag combination looks like
flick through the screenshots looking for the UI you need and then check the code sample to see how to create it.
This document will be continually improved with additional examples; in the meantime I hope you find it useful!
Recently I had a slightly interesting requirement.
A URL field needed to be URL-encoded so that the report export could be directly imported into another system that couldn’t handle an un-encoded URL.
I would normally have handled that requirement with a formula field that called the URLENCODE function that you have in Visualforce, but it turns out that function isn’t available to you when defining a formula field.
So I had to resort to this rather terrifying use of the ‘SUBSTITUTE’ function in defining a new formula field. I thought I’d pass it on here for those who have similar needs.
It is the culmination of at least 18 months engineering to put Salesforce on an API and mobile first footing for future development.
It is a responsive webapp which is also wrapped in a native iOS or Android container and shipped as the ‘Salesforce1’ hybrid app.
It is an umbrella marketing term for the collection of Salesforce.com-owned platforms. It encompasses the traditional ‘force.com’ platform that Salesforce1 is built on and also the existing non-force.com API/Platforms underpinning Pardot, ExactTarget, Heroku and others.
Thinking of getting into Salesforce.com in the new year? It would be a great time as it has never been busier – Salesforce.com is growing their business over 30% in revenue year on year and this success is flowing into the partner and customer ecosystem; my employer Cloud Sherpas has grown by over 300 staff in 2013 (and we’re still hiring).
If you are thinking of jumping into a career, here are some practical tips I wish people had told me when I first started out 3.5 years ago:
Get a password manager and use it.
LastPass or 1Password: you are likely to get a LOT of usernames/passwords for different Salesforce orgs, and these tools will help you.
You will register more developer editions over time, but I’ve got one I use as the basis of my ‘official’ identity on success.salesforce.com and it’s the place I do most of my training and self education.
The official accounts are the starting point but there are lots of lists around with MVPs and Salesforce staff on them; following these people on Twitter will give you useful insights into what the community is doing.
Book early for both accommodations and flights if you are going (And you should hope to go at least once) … and by early, think… 10-12 months early!
Always be learning – Read the manual…. and experiment
Salesforce publishes so much information that it can be overwhelming, but it is vital you know the platform. Reading the manuals and watching the videos is a start but nothing beats experimenting in your developer edition org.