TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https. Danger Will Robinson

TLS 1.0 Disablement & You

TLS 1.0 has been disabled in this organization.
Please use TLS 1.1 or higher when connecting to Salesforce using https

If you are seeing this error, take a deep breath.  There is no need to panic, this is not a showstopper.

As of June 25, your Sandbox instances no longer allow for TLS 1.0 access, and July 22, 2017, production will no longer allow for TLS 1.0 access.  Now, let’s break this down so everyone knows what’s going on.

OVERVIEW

What is TLS?

TLS, Transport Layer Security, is used to make sure that when you connect to your destination (E.g. Salesforce) that you are connecting to the actual destination that you wanted to connect to.  TLS does this using encryption and the endpoint identity verification.

Why is Salesforce blocking TLS 1.0?

Back in April, the PCI Security Council, which stands for Payment Card Industry Security Standards Council, decided that TLS 1.0 no longer meets the required security standards.  This council was started by AmEx, Discover, MasterCard, Visa, the “big guys”, and they are a leading authority on security. Salesforce wants our data to be secure, and if it isn’t secure enough for me to buy shoes online, it’s not secure enough for your company data.

Where does this come into play for my org?

A number of places actually, some of the functionality this will impact includes: your Salesforce Communities, Customer & Partner Portals, Force.com Sites, Site.com, your IDE, the DataLoader, Outbound Messaging (Workflow Rules), Web-to-Lead, Web-to-Case, Web-to-Custom Object, Lightning Connect to remote endpoints, Standard Mail Merge, Connect for Office, Connect for Outlook, Chatter Desktop, the CTI Toolkit, Salesforce Files Sync, Pardot, Marketing Cloud, Single Sign-On, Delegated Authentication, SMAL, some AppExchange Apps, Mobile Apps, the Force.com Migration Tool, and anything referencing My Domain/custom login pages, just to name a few.  (Don’t freak, it’s not that bad, promise)

SOLUTIONS

Don’t be scared by that list, it looks intimidating, but as always, Salesforce has taken the time to create some pretty fantabulous documentation, and solutions so you don’t end up without the tool or functionality you love. 

BROWSER EXPERIENCE

Your browser experience covers whatever you would do in your web browser, from Communities to Portals to Sites to Sites.com.  Lotof information here, so let’s break it down to the basics.  First off, make sure you are using a supported browser.  This may seem like common sense, but you might be surprised to learn that even Internet Explorer isn’t supported for all functionality.  

SALESFORCE CLASSIC BROWSERS

  1. Microsoft Edge, is supported so long as you are not using the Developer Console
  1. Internet Explorer 9, 10, and 11 – WITH RESTRICTIONS. Make sure to check out the details on the supported browser page for what is and isn’t supported with each version, and to update your configuration settings as Salesforce recommends if you are going to try and use IE. Personally, I’ve seen numerous issues with IE11, and do not recommend using it.
  2. Mozilla Firefox, the latest stable version only.  Again, Salesforce has configuration settings that are recommended to avoid issues, but keep in mind; Firefox is supported for desktop users only for Community Templates for Self-Service.
  3. Google Chrome, latest stable version.  Now Chrome is my browser of choice, and there are no special configuration settings you need to mess with. The one thing Chrome isn’t recommended for, is the Console Tab
  4. Safari 8.x on OS X not supported for the Console, Wave Analytics, or the Call Center functionality.  It is recommended to have the scroll bar show always, and just as a heads up, I have also noticed, that Visualforce pages don’t always display the same on Safari as Chrome, and can be missing things.

LIGHTNING BROWSERS

Now, for Lightning, which has different supported browsers than classic.  You can find the details on the Help & Training site.

  1. Microsoft Edge if you are running Windows 10.
  2. IE 11 – but that’s starting retirement in Summer 16, so not recommended.  If you do go the IE route, make sure to
    use the 
    configuration settings Salesforce recommends 
  3. Mozilla Firefox – latest stable version with the configuration settings supplied.
  4. Google Chrome – latest stable version.  There are again, no special configuration settings, and Salesforce works hard to keep this one tested and supported.  I highly recommend going Chrome.
  5. Safari 8.x & 9.0 – not supported for Wave Analytics or the CTI toolkit 4.0 or earlier.

BROWSER SETTINGS

Your browser settings to ensure you are using TLS 1.0 have been laid out by Salesforce on the Help & Training site, with some pretty awesome screenshots of what you will see when you need to change your settings, that include how to do it. BOOM! Salesforce FTW!

CHROME & Firefox

If you are using Chrome version 21 or below, you will need to upgrade your browser, no way around that.

If using Chrome version 22-37, you will be fine as long as you are running on Windows XP SP3 (Service Pack 3), Vista, or newer on your desktop/laptop, or for the Mac users like myself, Snow Leopard or newer on your desktop/laptop, or
Android 2.3 (Gingerbread) on mobile.

If you are using Firefox version 22 or below, you need to upgrade your browser to access Salesforce

If you are using Firefox 23-26, you may see the following message as well, however you can adjust your settings.

  1. Go to  about:config
  2. update  security.tls.version.max config value to 2
  3. BOOM! That’s it!

word-image

INTERNET EXPLORER

Internet Explorer is a doozie, not only with the restrictions on what is supported, but also how to set your settings.  

  •     If you are using IE 7 or below, you have to upgrade.
  •     For IE versions 8-10, if you see the message below, you need to update your configuration, just follow the directions in the image below.
  •     If you are using IE 11, you’re in the clear by default

word-image<

IPHONE & IPAD BROWSER

On your iPhone/iPad, if you are using iOS 4.2.1, you will need to update your OS, I know that means you will have to have the iCloud lock on your device, but it’s worth it to access Salesforce don’t you think?

ios-stronger-security-required

OTHER UNSUPPORTED BROWSERS

Now, if you have chosen to not use a supported browser, and you decided to go with something like Opera that has tons of security issues, you will see the following message:

word-image

MOBILE APPS

So we all love our mobile apps, at least most of the time (drives me crazy that I click on a help & training link on Google and it opens the SF1 browser, but just hold down on the link and open in incognito and you won’t have that issue).  To keep using the awesome mobile apps, it is important to make sure you are using the right version on your device.

SALESFORCE CLASSIC

There is no minimum SF Classic version for Android and iOS.  

SALESFORCE1

IPhone: SF1 for iOS v7.3.4 requires iOS 8.x or later

Android:  SF1 for Android v8.0 requires Android 4.4.x or later

SALESFORCEA

IPhone: AwesomeAdmins with SFA v 3.0.0 and later, must have iOS 8.x or later

Android: AwesomeAdmins w/ SFA 3.0.0 and later, must have Android 4.4.x or later

Office Integration

OUTLOOK

To continue using Lightning for Outlook, (previously known as Salesforce App for Outlook), the Lightning Sync (previously known as Exchange Sync), or Salesforce for Outlook (still called Salesforce for Outlook) you need to have the following:

SALESFORCE FOR OUTLOOK
  1. You must be running Salesforce for Outlook 3.0.0
  2. You need to have IE, and have the settings listed above.
  3. You must be on Windows 7+, Vista is not supported.
  4. If you downloaded the .exe onto your laptop yourself, this step does not apply to you. If IT controls your Salesforce for Outlook, and you did not install it, and/or you do not upgrade it yourself, then this applies to you. For users with IT controlled apps, you need to ensure the correct version of Microsoft .NET is installed.
    • Salesforce for Outlook v3.0.0 supports NET 4.6 and 4.6.1
    • Salesforce for Outlook v3.0.1 supports NET 5.6.2, 4.6

Very little is changing here guys, no more Vista, you need the new IE settings, use the latest version, most of you should be just fine. If you need to upgrade something, now you know what you need.

LIGHTNING FOR OUTLOOK/LIGHTNING SYNC
  1. You need your email server to be either Exchange 16 or 13 on-premise, or Exchange Online with Office 365.
    • Don’t know? Ask your friend in IT, dude (or lady) knows, for sure. Don’t forget to show them appreciation with a bottle of their favorite adult beverage of appropriate level of quality, as we will need him/her in the future… must keep close….
  2. This email server, whatever it is, it must have Security encryption protocol of TLS 1.1 or later. It is a must.
CONNECT FOR OUTLOOK

This feature was retired, to access Salesforce via Outlook, Switch to one of the options for Outlook above.

CONNECT FOR OFFICE

I hate to tell you this folks, but this guy is finally being retired. There is no guarantee that Connect for Office will work. Salesforce recommended a couple of partner apps, but I haven’t tried the apps personally, so I can’t vouch for them.

I can tell you that PowerBI is AWESOME. Microsoft Power BI/Microsoft Power Query, is the best way to analyze Salesforce data in Office. You get great visuals, easy access, and you can setup auto-refresh. I highly recommend checking it out.  

For updating data, check out Enabler4Excel, it has some sweet, sweet functionality that will straight up rock your world. 

STANDARD MAIL MERGE

This one is going away folks, another one for the retirement list. Check out the Extended Mail Merge instead.

API

If you attempt to login to Salesforce via the API with TLS 1.0 once it is disabled, you will see the following Error:

TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https.

DATALOADER

If you see the message above in red while using the DataLoader, and you look at your URL thinking it DOES say HTTPS, WTF, you are not alone, again, just upgrade to the latest version and you will be fine.  (I was so there with you).  Easy & like Christmas, upgrading to the most recent version, released in the Spring 16 release.

Your IDE

MAVENSMATE

If your MM stopped working, it’s probably because you haven’t switched over to the App yet.  First, you need to update your Package Control settings in Sublime to let you download pre-release versions of packages.  

You can do this by going to: Sublime Text – Settings – Package Settings – Package Control – Settings (User), and adding:

"install
  [
  "MavensMate"
  ]

Then, you need to download and install v0.0.10 of the MM App, now you should be good to go. 

HAOIDE

This one almost had me, but I found the solution, thank goodness because it’s my favorite IDE. 

  1. You need to find the sublime_plugins.py file in your Sublime Text 3 folder; Mac users can right click on the App in the applications folder and select Contents to find it.
  2. Then update the line:
print(f, "in", zippath, "is not utf-8 encoded, unable to load plugin")

to

print(f, "in", self.zippath, "is not utf-8 encoded, unable to load plugin")

Now, depending on the version of Sublime Text 3 you have, the exact location of this line with vary, but it’s right around 700-730, just do Command+F and search for ” zippath” and you will find it in the results.

Force.com IDE (Eclipse)

If you are using Java 8, you are in the clear, but if you are using Java 7, you won’t be able to create or edit projects unless you disable TLS 1.0 in your Eclipse.ini file. It’s not as scary as it sounds, but you probably should upgrade to Java 8 anyway.

Just add the following line to the eclipse.ini file (find where it is here, https://wiki.eclipse.org/Eclipse.ini):

-Dhttps.protocols=TLSv1.1,TLSv1.2

You can find out how to deal with other TLS 1.0 related issues, and how to prepare your users, in Help & Training on the Success Community site.

Don’t forget to use the TLS 1.0 Disablement Checklist!

Advertisements

8 thoughts on “TLS 1.0 Disablement & You

What are your thoughts? Seriously, comment.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s