Salesforce is making two big updates to keep your data safer. These changes start for new Salesforce orgs on August 28, 2025, and begin rolling out for existing orgs in early September 2025.

1. Restricting Uninstalled Connected Apps

What are uninstalled connected apps?

  • These are apps that a user has linked to Salesforce but that no admin has officially installed in the org.

What is changing?

  • After the update, users will not be able to connect these uninstalled apps unless they have a new permission called “Approve Uninstalled Connected Apps”. If your org has API Access Control enabled, you must instead grant “Use Any API Client” permission.

Why this matters:

  • These changes stop random or unsafe apps from connecting and protect your org from attacks. For example, attackers tricking people into using fake tools could cause serious data breaches.

What keeps working:

  • Apps already installed normally still work fine. Users who already connected an uninstalled app can keep using it, unless it used the unsafe OAuth Device Flow, which is also being blocked.

2. Removing OAuth 2.0 Device Flow in Data Loader

What is the OAuth Device Flow?

  • It is an old way to log in where Data Loader shows a code and asks you to open a browser and type the code to connect. It was meant for devices like TVs but is now considered unsafe.

What is changing?

  • Starting September 2, 2025, the Data Loader app will no longer support the OAuth Device Flow. You must switch to either password-based login (username, password, security token) or OAuth Web Server Flow.

Why this matters:

  • The Device Flow can be tricked. An attacker could generate the device code and trick someone into granting access. That gives the attacker full access as the user, even if the user never shared their password.

Steps for Admins: How to Prepare

  • Here are simple steps to follow before the changes begin:

Check which apps you or others have connected.

  • Go to Setup → Connected Apps OAuth Usage and look for apps that were authorized by users but not installed.
  • If an app is uninstalled, the action column displays an Install button.

Decide what to do with those apps.

  • If they are safe and needed, install them officially. That lets admins control who can use them. If they are not needed or untrusted, block or remove them.

Give special permissions carefully.

  • Only give Approve Uninstalled Connected Apps or Use Any API Client to trusted admins or developers. Fewer users with these rights means fewer risks.

Update Data Loader.

  • Get the latest Data Loader version before September 2, 2025. Change your login method to password login or OAuth Web Server Flow instead of Device Flow.

Teach your team.

  • Let users know they might see login errors if their apps aren’t approved. Remind them not to approve unfamiliar apps and encourage them to ask if unsure.

Set up good governance.

  • Be aware of how your Salesforce instance is configured. If you are working with a third party to set up your instance, ask them how they are using connected apps.
  • Define who can approve new apps. Show users how to request access. Track which apps are installed and who uses them.
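
The preparation steps above can be rehearsed on an inventory before the change lands. The following is an added example, not Salesforce code: it applies the rules described in this post to a constructed list of app authorizations. The field names, app names and users are hypothetical, and it models only the uninstalled connected app rule.

```python
from collections import defaultdict

APPROVE = "Approve Uninstalled Connected Apps"
ANY_CLIENT = "Use Any API Client"

# Constructed inventory; field names are hypothetical, not a Salesforce export format.
AUTHORIZATIONS = [
    {"app": "Legacy Loader", "user": "ana", "installed": False, "device_flow": True},
    {"app": "ReportSync", "user": "ben", "installed": False, "device_flow": False},
    {"app": "ReportSync", "user": "cy", "installed": False, "device_flow": False},
    {"app": "HR Portal", "user": "ana", "installed": True, "device_flow": False},
]
# Constructed permission assignments per user.
USER_PERMISSIONS = {"ana": {APPROVE}, "ben": set(), "cy": set(), "dee": {ANY_CLIENT}}


def required_permission(api_access_control):
    """Permission a user needs to connect an uninstalled app after the change."""
    return ANY_CLIENT if api_access_control else APPROVE


def existing_access(row):
    """Outcome for an authorization that already exists when the change lands."""
    if not row["installed"] and row["device_flow"]:
        return "blocked"  # uninstalled app that relied on Device Flow
    return "keeps working"


def can_connect_uninstalled(user, api_access_control=False):
    """Can this user newly connect an uninstalled app after the change?"""
    return required_permission(api_access_control) in USER_PERMISSIONS.get(user, set())


def triage(rows, api_access_control=False):
    """Summarize each uninstalled app: current users, breakage, who may still add it."""
    report = defaultdict(lambda: {"users": [], "blocked": []})
    for row in rows:
        if row["installed"]:
            continue  # installed apps are governed by admin policy, not this change
        entry = report[row["app"]]
        entry["users"].append(row["user"])
        if existing_access(row) == "blocked":
            entry["blocked"].append(row["user"])
    approvers = sorted(u for u in USER_PERMISSIONS if can_connect_uninstalled(u, api_access_control))
    return {"apps": dict(report), "can_approve": approvers}


if __name__ == "__main__":
    for mode in (False, True):
        print("API Access Control enabled:", mode, triage(AUTHORIZATIONS, mode))
```

Apps listed under "apps" are candidates for an install-or-block decision, and the "can_approve" list is the set of users to review against the least-privilege guidance above.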

Important Links