Other Security Changes: Salesforce Edge, Setup Enhancements, TLS 1.2 Enforcement, and Instanceless Sandboxes

We’re moving customers with My Domains and Custom Domains to Salesforce Edge. The Domains Setup page now shows more details, and new session-security-level policies control access to certain Setup pages and objects. TLS 1.2 is required for all HTTPS connections, and instance names are scheduled to be removed from My Domain sandbox URLs.

Route My Domains Through Salesforce Edge (Critical Update)

We’re accelerating domain requests for My Domains. With this update, you keep the same My Domain address, but requests go through Salesforce Edge. Salesforce Edge uses machine-learning technology to improve connectivity and performance. You can acknowledge this update to let Salesforce move your org’s My Domain to the new service before the July 2020 auto-activation date.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, and Database.com editions.

When: You can acknowledge this update in Winter ’20. Otherwise, we’ll auto-activate it on July 13, 2020.

Who: Only customers with a My Domain or Custom Domain can be moved to Salesforce Edge. Salesforce Government Cloud orgs are currently excluded from the move to Salesforce Edge.

How: To acknowledge this critical update, from Setup, enter Critical Updates in the Quick Find box, and select Critical Updates. Next to Route My Domains Through Salesforce Edge, click Acknowledge.

Speed Up Custom Domain Requests Through Salesforce Edge

Behind the scenes, we’re accelerating requests for Custom Domains by moving them to Salesforce Edge. This move improves performance through machine learning. You don’t need to do anything for this move. Keep using the same Custom Domain addresses for your Sites and Communities, and we’ll do the rest.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, and Database.com editions.

Who: All Custom Domains will be moved to Salesforce Edge, except Custom Domains for Salesforce Government Cloud orgs.

Get More Details About Your Domains

We updated the Domains Setup page with more specific HTTPS options and information on pending changes to HTTPS options. Customers with Custom Domains or a My Domain use this page to manage them.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

Why: The Current HTTPS Option column now describes the option for each domain, such as My Domain or Salesforce Sites Subdomain. The new Pending HTTPS Option column shows upcoming changes, such as a custom domain moving to Salesforce Cloud.

Domains setup screen example

How: From Setup, enter Sites and Domains in the Quick Find box, then select Domains.

Manage Access to Permission Sets, Profiles, and Password Resets with Session-Security-Level Policies

Require that users have a high-assurance session level before accessing certain Setup pages or objects. You can even completely block users for some sensitive operations. Manage access to permission sets, profiles, password resets, data export, and Health Check by modifying session-security-level policies.

Where: This change applies to Salesforce Classic and Lightning Experience in all editions.

Why: These session-security-level policies are new.
  • Manage Data Export (1)—Controls access to the Data Export Setup page.
  • Manage Permission Sets and Profiles (2)—Controls access to the Permission Sets and Profile Setup pages and related objects.
  • Unlock Users and Reset Passwords (3)—Controls permission to reset passwords and unlock users on the Users Setup page.
  • View Health Check (4)—Controls access to the Health Check Setup page.
The Session Security Level Policies section of the Identity Verification Setup page.

How: From Setup, enter Identity Verification in the Quick Find box, then select Identity Verification. In the Session Security Level Policies section, update the settings.

Require TLS 1.2 for HTTPS Connections (Critical Update, Enforced)

Require TLS 1.2 for HTTPS Connections was a critical update in Summer ’19 and is enforced on October 25, 2019. To maintain the highest security standards and promote the safety of your data, Salesforce is disabling the older Transport Layer Security (TLS) 1.1 encryption protocol. All inbound connections to or outbound connections from your Salesforce org must use TLS 1.2. Verify that your browser access, API integrations, and other Salesforce features are compliant with TLS 1.2.

Where: This change applies to Lightning Experience, Salesforce Classic, and all versions of the Salesforce app in all editions.

When: This critical update is enforced for production orgs on October 25, 2019. Orgs created after this date require TLS 1.2 by default. For other implementation dates, see the knowledge article, Salesforce Disabling TLS 1.1.

How: We recommend that you test this update in a sandbox or Developer Edition org to verify end-to-end compatibility before enabling it in your production org.

To activate this critical update before October 25, 2019, from Setup, enter Critical Updates in the Quick Find box, then select Critical Updates. For Require TLS 1.2 for HTTPS Connections, click Activate.

Stabilize the Hostname for My Domain URLs in Sandboxes (Previously Released Critical Update)

We’re removing instance names from MyDomain URLs for sandboxes. The instance name identifies where your Salesforce sandbox org is hosted. Removing the instance name makes the URL cleaner and easier for users to remember, for example, MyDomain--SandboxName.my.salesforce.com replaces MyDomain--SandboxName.cs5.my.salesforce.com. This critical update was first made available in Summer ’18.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, and Database.com editions.

When: This critical update is activated automatically on July 11, 2020.

How: If you have existing sandbox orgs, activate the critical update in those sandbox orgs. To have this update activated in subsequently created or refreshed sandbox orgs, activate this critical update in your production org. Activating this critical update on a production org applies the update to new and refreshed sandbox orgs.

To activate this critical update, from Setup, enter Critical Updates in the Quick Find Box, and select Critical Updates. For Stabilize the Hostname for My Domain URLs in Sandboxes, click Activate.

Secure Your Guest User Profiles

We’ve improved guest user access to adhere with the Salesforce principle of least access. Check out all the changes in store for guest user data access and visibility.

Where: This change applies to Lightning and Salesforce Tabs + Visualforce communities accessed through Lightning Experience and Salesforce Classic in Essentials, Enterprise, Performance, Unlimited, and Developer editions.