Debunking Salesforce Mobile App and Microsoft Intune Integration Myths

The Salesforce mobile app is Salesforce on the go! This enterprise mobile experience gives you access to the same information you see in the office, but organized for getting work done between customer meetings, while waiting for a flight, and even when you’re in line for coffee. The mobile app includes many of your company’s customizations (done within Salesforce), so it’s tailored to your business needs. 

By integrating the Salesforce Mobile App with Microsoft Intune*, organizations can leverage the features and capabilities of both platforms to enhance mobile device management, security, app deployment, compliance, and user experience. This integration provides a seamless and secure environment for accessing Salesforce data on mobile devices while maintaining control and protecting sensitive information. Let’s demystify how this works.

Myth: Salesforce Mobile App can’t work with Microsoft Intune.

Fact: Salesforce mobile app’s interoperability with Mobile Device Management (MDM) providers is oriented around the standards-based AppConfig Community. Taking this standards-based approach to compatibility gives our customers maximum flexibility. Intune can leverage Salesforce Mobile’s MDM interoperability features to push specific configurations into the Salesforce app on managed devices (Intune MDM). Customers with Intune MDM pre-provision all supported settings into the Salesforce app, like the custom URL (MyDomain) for the customer’s Salesforce org. To learn more, check out the resources below.

• Salesforce Mobile supported property injection (and more config)
• Microsoft Intune iOS App configuration injection
• Add app configuration policies for managed Android Enterprise devices…

Myth: Customers who don’t use Intune MDM can’t use App Protection/Intune MAM.

Fact: For Mobile Application Management (MAM), Salesforce relies on our own implementation through Mobile App Plus to deliver all security capabilities. This enables us to maintain control over our entire stack instead of integrating third party technologies. However, this doesn’t mean you can’t successfully deploy the Salesforce App in an Intune-controlled corporate environment. Intune MAM’s app protection policies make use of Conditional Access/Azure along with Single Sign-On/Multi-Factor Authentication. By enabling advanced authentication for mobile users, you can swizzle the authentication process out of the app and into the native device browser, which Intune supports. To learn more, check out the resources below.

• Salesforce Mobile SSO config documentation
• Advanced Authentication toggle in MyDomain docs
• Trailblazer Community Discussion

Remember, Intune MDM is based on standards while Intune MAM is entirely proprietary. We do not support a wrapper or container app that tries to run the Salesforce App within it (which is essentially what Intune MAM does — requiring wrapping up Microsoft SDK into the Mobile App code).

Myth: The ability to copy/paste outside of the Salesforce Mobile App poses a huge risk.

Fact: Customers can block copy/paste other attributes, as well as use the Salesforce Mobile Security add-on for even more granular monitoring and security. Read the How to Secure Your Salesforce Mobile App Salesforce Help article to learn more.

Myth: It’s more work to have non-standard settings outside of Intune.

Fact: Connected App settings are fairly common practice for Salesforce admins and architects. This is done to ensure you have control over your entire stack, rather than integrating third party technologies. You can also use Event Monitoring for visibility into security events that occur on mobile devices and automate actions based on those events. Intune provides similar visibility for its MAM enabled applications.

Myth: We can’t use IP allowlisting or VPN to maintain strong security posture via Intune.

Fact: For VPN, review Intune MDM’s per-app-vpn option. Regarding IP allowlisting, you can continuously enforce ip restriction. Please note, Salesforce uses OAuth 2.0 for authentication through username/password or single sign-on credentials.

Myth: We can’t remote wipe using Intune since Salesforce Mobile App doesn’t work with Intune.

Fact: During the login process, there’s a post authentication OAuth token established. When a user leaves the company or their device needs to be remote wiped (i.e., clear the cache and force logout the user), that token can be revoked using Salesforce UI or via an API. It’s important to note that data on the device is always encrypted, but customers can also disable the caching in the mobile app to prevent data being saved locally. This may impact performance as the app will need to refresh record details and feed items every time it’s viewed. 

Myth: We can’t enforce device compliance check using Intune for Salesforce Mobile App.

Fact: If the device is enrolled via Intune MDM, the device can be marked “Compliant” by having a certificate and any additional attributes you need to check via Conditional Access Policy. In this scenario, you should use native browser authentication to pass the required checks (see screenshot below). Read the Customize Your My Domain Login Page for Mobile Auth Methods Salesforce Help article to learn more.

Myth: Device Compliance Check in Intune MDM is sufficient so we don’t need Salesforce MAM (Mobile App+).

Fact: While Device Compliance check or SSO/MFA/VPN are all the right tools, they are static in nature. To gain further visibility into Salesforce Mobile App user activity, you should use Mobile App+, or Salesforce MAM, which captures four real time events which tie into Salesforce Shield. See the list of full features here.

Myth: Intune can’t containerize Salesforce Mobile App. So we can’t enforce policies like Outlook client to present sensitive data leakage.

Fact: Customers can enforce email client using out of the box connected app attribute. Read the Salesforce article How to Secure Your Salesforce Mobile App to learn more.

Myth: If we have Mobile App+, we don’t need Salesforce Shield.

Fact: It depends on your security requirements. Salesforce Shield services allow you to satisfy compliance, regulatory and stringent security requirements around encryption, monitoring, auditing, data loss prevention, and retention. While a user is using the Salesforce mobile app, Shield security controls are all still applicable to mobile users while they are using the mobile app. With Mobile App+ (MAM), you can also extend your security policies, especially for bring your own device (BYOD) scenarios.

Customer Security and Compliance with Salesforce Mobile App and Microsoft Intune

Customers can use Salesforce Mobile App with Microsoft Intune MDM, and leverage advanced authentication options with Azure to control most of their security requirements. Once the user is in Salesforce App post-authentication, users can decide whether or not to use Mobile App+, or Salesforce MAM (depending on their security and compliance requirements). However, Microsoft Intune cannot capture user activity the way Salesforce MAM does, since it’s Salesforce on Salesforce. In the end, it depends on customer security and compliance requirements to decide what Microsoft Intune controls and what Salesforce enables.

*Disclaimer: Salesforce has made a good faith effort to provide you with Salesforce Mobile and Intune specific responses. The information provided here is for informational purposes only, and based on numerous customer conversations and public documentation. Salesforce can only provide details on how Salesforce Mobile App works and integrates with various MDM solutions and Intune based on standards. For Intune specific questions, see Microsoft documentation.