Understanding Profile IP Range Restrictions in Salesforce
Salesforce provides administrators with the ability to enforce IP range restrictions at the profile level as a security control. This mechanism is especially useful for ensuring access compliance with corporate security policies—such as requiring VPN usage or limiting access to sensitive data (e.g., Personally Identifiable Information (PII) or Protected Health Information (PHI)) to users working from a trusted network, like a corporate office.
Two Levels of IP Restrictions
Salesforce supports two primary forms of IP-based access control.
Login IP Ranges (Authentication-Level Enforcement)
This method restricts users from logging in to Salesforce unless they are accessing it from an IP address within a defined range.
- This is configured at the profile level.
- If users attempt to log in from an IP address outside the allowed range, they are blocked from authenticating altogether.
- This is commonly used to enforce VPN usage or limit access to corporate networks.
- Reference: Set Login IP Ranges for a Profile – Salesforce Help
Session IP Address Restriction (Per-Request Enforcement)
In addition to login-level controls, Salesforce can enforce IP range validation throughout the user's session.
- This option is configured via the Session Settings in Salesforce Setup.
- If a user's IP address changes mid-session (for example, due to a proxy rotation or spoofing attempt), Salesforce invalidates the session.
- This provides a stronger defense against session hijacking and spoofing attacks.
Pharos and IP Restrictions
A core capability of Pharos is its data enrichment process, which enhances log records with additional context-critical information. These enriched snapshots typically include:
- Automation metadata (e.g., Flow, Process Builder details)
- Audit trail information (e.g., Setup Audit Trail entries)
- Flex queue data
- Installed package metadata
- Other relevant system-level and configuration details
To collect this data, Pharos leverages various Salesforce APIs—including the Tooling API and Metadata API—and makes outbound requests from within your Salesforce org, where the Pharos managed package is installed.
The IP Address Challenge: Hyperforce & Metadata Access
Here's where IP restrictions become a critical factor:
- The requests Pharos makes to fetch metadata originate from the Salesforce instance itself.
- Historically, Salesforce maintained static IP ranges for each instance, which admins could use to configure trusted IP ranges.
- However, with the transition to Hyperforce, Salesforce no longer guarantees static IP ranges. The public documentation confirms that IPs for instance-originated traffic can now span a much broader, undefined range. More details on this below.
This change effectively prevents administrators from allowlisting a narrow IP range to permit Pharos metadata access, since the instance IP address cannot be reliably predicted or controlled.
Recommended Workaround: Connected App with Relaxed IP Restrictions
To work around the challenge of unpredictable Salesforce instance IPs (especially in Hyperforce environments), the recommended solution is to delegate metadata access through a Connected App with relaxed IP restrictions. Instead of relying on the IP address of your Salesforce instance, Pharos authenticates via OAuth using this Connected App, which is explicitly configured to bypass IP enforcement.
This approach provides a secure and manageable balance:
- Only one Connected App is given relaxed IP access.
- The rest of the org remains protected by existing IP restrictions.
- OAuth tokens issued through the app allow Pharos to retrieve metadata and perform enrichment tasks without triggering session-level IP enforcement errors.
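To make the two enforcement levels described earlier, and the reason a Connected App with IP relaxation sidesteps them, concrete, here is an added illustrative model in Python. It is not Pharos or Salesforce code: it assumes a profile's login IP ranges are inclusive start/end addresses (as Salesforce defines them), treats the Session Settings option as a flag that re-checks the range on every request, and marks sessions opened through a relaxed app as exempt. All addresses are constructed documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed model for illustration only (not Salesforce's implementation).
@dataclass
class Profile:
    name: str
    login_ip_ranges: list  # [(start, end)] inclusive start/end addresses

@dataclass
class Session:
    user: str
    ip: str
    via_relaxed_app: bool = False  # opened through a Connected App with IP relaxation
    active: bool = True

def ip_in_ranges(ip, ranges):
    """True if ip falls inside any inclusive (start, end) range."""
    addr = ip_address(ip)
    return any(ip_address(lo) <= addr <= ip_address(hi) for lo, hi in ranges)

def login(profile, ip):
    """Authentication-level enforcement: refuse the login itself (returns None)."""
    if profile.login_ip_ranges and not ip_in_ranges(ip, profile.login_ip_ranges):
        return None
    return Session(profile.name, ip)

def oauth_login(profile, ip, app_ip_relaxed):
    """Login via a Connected App; a relaxed app skips the profile's range check."""
    if app_ip_relaxed:
        return Session(profile.name, ip, via_relaxed_app=True)
    return login(profile, ip)

def handle_request(session, profile, ip, enforce_on_every_request):
    """Per-request enforcement: invalidate the session once the IP leaves the range."""
    if not session.active:
        return False
    if session.via_relaxed_app or not enforce_on_every_request:
        return True
    if not profile.login_ip_ranges or ip_in_ranges(ip, profile.login_ip_ranges):
        return True
    session.active = False  # mid-session IP change: session is dropped
    return False

# Constructed sample: a corporate range, and an instance IP outside it.
CORP = Profile("Corp User", [("203.0.113.0", "203.0.113.255")])
INSTANCE_IP = "198.51.100.7"
```

Running the same request from the instance IP against a normal session and against a relaxed-app session shows the former is dropped while the latter keeps working, which is exactly the behaviour the workaround relies on.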
Implementation Steps
Accessing Pharos Admin
Before opening the Admin tab, temporarily relax IP restrictions on the setup user's profile to allow initial Connected App configuration. This is an important step to perform prior to doing anything else.
Create a Connected App and Configure Pharos
Follow the steps in the interactive video below. Here's what's involved:
- During the Quickstart wizard, have Pharos create a Connected App in your Salesforce org.
- Update the Connected App configuration to:
  - Allow OAuth usage.
  - Relax IP restrictions specifically for the app (this is done under the IP Relaxation setting in the Connected App details).
- Create a Connected Org in Pharos and authenticate via OAuth using the newly created Connected App. This authorizes Pharos to act on behalf of the user or system context.
- Once authentication is complete, Pharos routes metadata API requests through this app, which is no longer subject to IP range checks.
- Optionally, re-enable stricter IP restrictions on the original user profile after setup is complete.
Once the steps above are completed Pharos should be ready to roll!