I find it really infuriating when companies put a tax on security. “Your choices are to use our platform and put your data at risk – or – use our platform and pay a lot more to actually secure your data”.
This is very common with SSO. The vast majority of SaaS platforms make you pay for a higher pricing tier to get access to SSO. While I completely disagree with this practice of paywalling necessary security features, I respect a company’s right to do so. Salesforce, however, takes this a step further by essentially denying that they are doing it, calling a lack of support “a myth” and touting how they are actually “doing it right”. Completely unethical.
The source of this is their own blog post, written by “Distinguished Security Architect” Babar Khan here: https://security.salesforce.com/blog/debunking-salesforce-mobile-app-and-microsoft-intune-integration-myths
By the way, when you self-promote yourself as a “distinguished” anything, I tend to assume you are anything but… Just saying…
In this post, we’ll be using a handful of acronyms, so I’d like to define them for you first.
- MDM = Mobile Device Management
- MAM = Mobile Application Management
- BYOD = Bring Your Own Device
Let’s touch on their first “Myth” correction…
Myth: Salesforce Mobile App cannot work with Microsoft Intune
I haven’t actually tested Salesforce with Intune MDM, so I don’t have a whole lot to say here. This is probably true and probably works. But… MDM means complete pwnage of the mobile device. It’s undesirable for BYOD situations by both companies and end users. MDM gives the company access to far more data than other options do, data that the company probably doesn’t want (liability) and the user definitely doesn’t want (privacy). So, yeah, for companies that issue corporate devices, this is probably a perfectly good choice.
Myth: Customers who don’t use Intune MDM can’t use App Protection / Intune MAM.
Let’s read between the lines here for a moment.
“Salesforce relies on our own implementation through Mobile App Plus to deliver all security capabilities”
Translated:
In order to protect the mobile app only (MAM), you must pay Salesforce more money to get access to their Mobile App Plus licenses.
“Proprietary Tech”…
“Remember, Intune MDM is based on standards while Intune MAM is entirely proprietary.”
Microsoft Intune is one of the most prevalent solutions on the market for MAM. Many software companies support it: Adobe, Align, Box, Cisco Jabber, Re:Work, RICOH, RingCentral, SAP Fiori, ServiceNow, Slack (a Salesforce company), Tableau, Webex, Zoom and many more (see: Supported Microsoft Intune apps | Microsoft Learn).
The truth behind Salesforce’s response to this isn’t about proprietary tech. It’s entirely about locking necessary security behind a paywall and milking companies that focus on security for more of their valuable dollars.
But wait….
“Intune MAM’s app protection policies make use of Conditional Access/Azure along with Single Sign-On/Multi-Factor Authentication. By enabling advanced authentication for mobile users, you can swizzle the authentication process out of the app and into the native device browser, which Intune supports.”
Sure. This would work great. IF users choose to use Microsoft Edge (the only Intune-supported browser) as their primary browser on their personal device. Which most won’t want to do, because that means their day-to-day personal web browsing is done in a browser that their company manages. Nice try, Mr. Khan. But you and I both know this isn’t happening.
Myth: The ability to copy/paste outside of the Salesforce Mobile App poses a huge risk.
Great. We both agree that copy/paste is a huge risk. Salesforce’s solution? “If you pay us more … to get the Salesforce Mobile Security add-on … then you can protect your data from copy/paste.” Yep. ANOTHER money grab.
Myth: It is more work to have non-standard settings outside of Intune.
Translated:
“Fact: Having to do the same task multiple times in different systems is normal here at Salesforce. Your SF admins already have to do that. What’s wrong with duplicating this kind of work too? You can just hire more admins.”
Myth: We cannot remote wipe using Intune since Salesforce Mobile App does not work with Intune.
Translated:
For MDM, you sure can. For MAM, you can either not care about remote wipe (um… no) or you can disable caching (and make the user experience much worse).
Myth: Device Compliance Check in Intune MDM is sufficient so we don’t need Salesforce MAM (Mobile App+).
Waaaaiiiiit, so now you’re even telling me MDM isn’t enough? I should still pay you more for your proprietary security license? Come on now.
Their disclaimer
Translation:
We’re being bombarded with questions about Intune, so we thought we’d work up a PR spin on the situation to try to make it look like we care about security, when, in reality, we only care about what can generate more revenue.
In conclusion….
Fact: In order to be a successful business, you must generate revenue and be profitable.
Also fact: You can achieve this goal without unethically milking your customers for every last penny they have. Their Jan 2024 quarterly financials show a 10% YoY increase in revenue, a 1575% (not a typo) YoY increase in net income, and a 1430% (again, not a typo) YoY increase in net profit margin, for a total “net cash in hand” of 2.02 BILLION dollars. And despite being wildly profitable and the absolute leader in CRM platforms, they still find it fair and justified to put a financial premium on the bare minimum of security essentials. Shame on you, Salesforce. Shame!