Tekunda Team
Major Changes to Salesforce Connected App Security, Is Your Org Ready?
TL;DR: As of early September 2025, Salesforce began restricting access to uninstalled Connected Apps and removing OAuth 2.0 Device Flow from Data Loader. These security improvements require immediate action from admins to prevent disruptions to existing integrations.
This September, Salesforce introduced significant changes to Connected App security that shift the balance between user convenience and organizational control, and it's crucial that you prepare now.
Why this Change?
In recent months, a wave of voice-phishing (“vishing”) and social-engineering attacks has targeted Salesforce customers. Attackers posing as IT help-desk staff tricked employees into granting OAuth access to malicious apps and used those credentials to exfiltrate customer data.
High-profile victims include Google, where attackers stole business contact details and sales notes, as well as Chanel, Farmers Insurance and LVMH brands such as Louis Vuitton, Dior and Tiffany & Co. In the aviation sector, Air France and KLM disclosed in August 2025 that a compromised third-party customer-service platform exposed names, email addresses, phone numbers and loyalty-programme details.
These incidents underscore why Salesforce is tightening control over uninstalled Connected Apps and removing the OAuth 2.0 Device Flow from Data Loader.
As Salesforce administrators, we strike a delicate balance between accessibility and security: users need the tools to do their jobs, and the organization needs to stay safe from threats.
What's Changing?
1. Uninstalled Connected Apps Blocked by Default
The headline change is straightforward but impactful: uninstalled Connected Apps are no longer accessible to most users. If an app isn’t formally installed in your org, it’s blocked.
Here's what this means:
- New users trying to access uninstalled Connected Apps are completely blocked (unless they have special bypass permissions).
- Existing users who previously authorized an app can continue using it, but only if the app doesn’t rely on OAuth 2.0 Device Flow.
- All uninstalled apps using OAuth 2.0 Device Flow are blocked entirely, even for users who previously authorized them.
2. New Permissions for Bypass Access
Salesforce has introduced new ways for trusted users to bypass these restrictions, but with added responsibility:
- “Approve Uninstalled Connected Apps” — A new permission (introduced in Summer ’25) that allows specific users to self-authorize uninstalled apps.
- “Use Any API Client” — An existing broader permission that also provides bypass capabilities.
The effectiveness of these permissions depends on your org’s API Access Control settings.
3. Data Loader OAuth 2.0 Device Flow Removal
On September 2, 2025, the OAuth Device Flow option for the auto-installed Data Loader app was removed entirely. Users must now switch to password authentication or OAuth Web Server Flow.
Why Is Salesforce Making These Changes?
The answer is simple: security. Recent social engineering attacks have targeted Salesforce users, tricking them into authorizing malicious Connected Apps that masqueraded as legitimate tools like Data Loader. These attacks succeeded because they exploited the gap between user convenience and organizational control.
Security researchers note that groups such as ShinyHunters/UNC6040 conduct phone-based social-engineering to bypass multi-factor authentication and convince staff to approve OAuth scopes; once attackers obtain access, they quietly extract customer-care records and then use the data for extortion or further phishing.
As Google’s threat analysis revealed, attackers weren’t exploiting vulnerabilities in Salesforce itself; they were manipulating users into granting access to malicious apps. By defaulting to a “locked door” approach, Salesforce is forcing organizations to make deliberate decisions about which apps their users can access.
What You Need to Do Right Now
1. Audit Your Current Connected Apps
Immediate action required: Go to Setup → Connected Apps OAuth Usage and review every app in use.
Look for the “Install” button in the Actions column — if you see one, that app is uninstalled and affected by the new restrictions.
When reviewing, pay attention to:
- First and last use dates — is the app actively used or stale?
- Which users are accessing it — do they really need it?
- Trustworthiness — do you recognize the app and its publisher?
- Legitimate integrations — tools like Power BI, nonprofit apps, or partner solutions that may need to be installed to avoid disruption.
2. Make Installation Decisions
For every uninstalled app you identify:
- Install apps that are legitimate and actively used by your team.
- Block any apps you don’t recognize, trust, or need.
- Document the business justification for each app you keep, so you have a clear audit trail.
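The audit and decision steps above can be scripted so that the same rules are applied to every app and the justification is written down at the same time. The following is an added example, not Salesforce or Tekunda code. The token records are constructed and shaped like rows from the OauthToken object (AppName, UserId, CreatedDate, LastUsedDate, UseCount); the trusted-app list, the installed-app set (taken from whether the “Install” button appears in Setup), and the 90-day staleness threshold are assumptions you would replace with your own. It also flags uninstalled apps whose name imitates Data Loader, since that is the disguise the recent attacks used.

```python
"""Triage exported Connected App OAuth usage into install / block / revoke decisions.

Added example (not Salesforce or Tekunda code). Token records are constructed and
shaped like OauthToken rows; TRUSTED_APPS, INSTALLED_APPS and STALE_AFTER are
assumptions an admin fills in from their own review and from the Setup page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 9, 15, tzinfo=timezone.utc)   # pinned so the run is deterministic
STALE_AFTER = timedelta(days=90)                   # assumption: 90 idle days = stale

# Assumptions maintained by hand after vetting publishers / checking the Install button.
TRUSTED_APPS = {"Power BI", "Nonprofit Donor Sync", "Salesforce Data Loader"}
INSTALLED_APPS = {"Salesforce Data Loader"}        # no "Install" button shown in Setup
LOOKALIKE = re.compile(r"data\s*loader", re.IGNORECASE)

# Constructed sample, not real org data.
SAMPLE_TOKENS = [
    {"AppName": "Power BI", "UserId": "005000000000001", "CreatedDate": "2024-03-02T09:00:00.000+0000",
     "LastUsedDate": "2025-09-12T10:00:00.000+0000", "UseCount": 412},
    {"AppName": "Power BI", "UserId": "005000000000002", "CreatedDate": "2025-01-10T09:00:00.000+0000",
     "LastUsedDate": "2025-09-01T08:30:00.000+0000", "UseCount": 57},
    {"AppName": "Data Loader (Support)", "UserId": "005000000000003", "CreatedDate": "2025-08-20T14:05:00.000+0000",
     "LastUsedDate": "2025-08-21T02:12:00.000+0000", "UseCount": 9000},
    {"AppName": "Nonprofit Donor Sync", "UserId": "005000000000004", "CreatedDate": "2023-11-10T09:00:00.000+0000",
     "LastUsedDate": "2025-04-01T09:00:00.000+0000", "UseCount": 120},
    {"AppName": "Salesforce Data Loader", "UserId": "005000000000001", "CreatedDate": "2022-01-15T09:00:00.000+0000",
     "LastUsedDate": "2025-09-14T16:00:00.000+0000", "UseCount": 3000},
    {"AppName": "Acme Sync Connector", "UserId": "005000000000005", "CreatedDate": "2025-06-01T09:00:00.000+0000",
     "LastUsedDate": "2025-09-10T09:00:00.000+0000", "UseCount": 40},
]

def parse_sf_datetime(text):
    """Parse the Salesforce API timestamp format, e.g. 2025-09-12T10:00:00.000+0000."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f%z")

def summarize(tokens):
    """Roll per-user tokens up to per-app usage: distinct users, first/last use, total calls."""
    apps = defaultdict(lambda: {"users": set(), "first_use": None, "last_use": None, "uses": 0})
    for t in tokens:
        a = apps[t["AppName"]]
        created, last = parse_sf_datetime(t["CreatedDate"]), parse_sf_datetime(t["LastUsedDate"])
        a["users"].add(t["UserId"])
        a["first_use"] = created if a["first_use"] is None else min(a["first_use"], created)
        a["last_use"] = last if a["last_use"] is None else max(a["last_use"], last)
        a["uses"] += t["UseCount"]
    return apps

def triage(name, usage, now=NOW):
    """Apply the audit criteria: installed?, trusted?, stale?, and Data Loader name lookalike."""
    installed, trusted = name in INSTALLED_APPS, name in TRUSTED_APPS
    idle_days = (now - usage["last_use"]).days
    stale = idle_days > STALE_AFTER.days
    if LOOKALIKE.search(name) and not installed and not trusted:
        return "block", (f"name imitates Data Loader; not installed, not trusted; "
                         f"{len(usage['users'])} user(s), {usage['uses']} calls")
    if installed:
        return ("review" if stale else "keep"), f"installed (unaffected); idle {idle_days} days"
    if not trusted:
        return "block", f"uninstalled and publisher not vetted; idle {idle_days} days"
    if stale:
        return "revoke", f"trusted but idle {idle_days} days; revoke tokens instead of installing"
    return "install", f"trusted, {len(usage['users'])} active user(s), last used {usage['last_use'].date()}"

def audit(tokens, now=NOW):
    """Return {app: decision record}; each record doubles as the written audit-trail entry."""
    result = {}
    for name, usage in summarize(tokens).items():
        action, why = triage(name, usage, now)
        result[name] = {"action": action, "users": len(usage["users"]),
                        "first_use": usage["first_use"].date().isoformat(),
                        "last_use": usage["last_use"].date().isoformat(),
                        "justification": why}
    return result

if __name__ == "__main__":
    for app, rec in sorted(audit(SAMPLE_TOKENS).items()):
        print(f"{rec['action']:8} {app:24} users={rec['users']} last={rec['last_use']}  {rec['justification']}")
```

Note the “revoke” outcome: a trusted app that nobody has used in months should not be installed just because it is on the trusted list; revoking its remaining tokens shrinks the attack surface, and it can be installed later if a real need returns.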
Stronger governance, fewer breaches
Audit, install, or block apps with a clear approval process. Use Serpent to track permissions and keep your org secure without slowing delivery.
3. Assign New Permissions Carefully
Grant the “Approve Uninstalled Connected Apps” permission only when absolutely necessary. Suitable candidates might include:
- Administrators who need to test apps before org-wide installation.
- Developers building or maintaining integrations.
- Select business users with a clear need and proven security awareness.
⚠️ Remember: This is an all-or-nothing permission. Users with this permission can authorize any uninstalled Connected App, so choose wisely.
4. Prepare for Data Loader Changes
If your users rely on Data Loader:
- Update to the latest version; releases from September 2, 2025 onward no longer offer OAuth 2.0 Device Flow.
- Train users to switch from OAuth Device Flow to password authentication or OAuth Web Server Flow.
- Communicate the change early and clearly so regular data-load workflows are not interrupted.
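Data Loader handles the Web Server Flow internally once it is updated, but any custom script or integration that used the Device Flow against an uninstalled app is now blocked too and needs the same migration. The following is an added example of the client side of the OAuth 2.0 Web Server Flow with PKCE; it is not Data Loader's implementation and not Salesforce code. The authorize and token endpoint paths and parameter names are the documented Salesforce ones; CLIENT_ID and REDIRECT_URI are placeholders for an installed Connected App, and the callback URL in the demo is constructed rather than captured.

```python
"""Client side of the OAuth 2.0 Web Server Flow with PKCE against Salesforce.

Added example: not Data Loader's internal implementation and not Salesforce code.
CLIENT_ID and REDIRECT_URI are placeholders; the demo callback is constructed.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_HOST = "https://login.salesforce.com"          # use your My Domain host in production
CLIENT_ID = "3MVG9.EXAMPLE.CONSUMER.KEY"              # placeholder consumer key of an installed app
REDIRECT_URI = "http://localhost:7171/OauthRedirect"  # placeholder; must match the registered callback
SCOPES = "api refresh_token"

def b64url(raw):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def new_verifier():
    """43-character code_verifier derived from 32 random bytes."""
    return b64url(secrets.token_bytes(32))

def challenge_for(verifier):
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(verifier, state):
    """Step 1: the URL the user opens in their own browser session."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,
        "code_challenge": challenge_for(verifier),
        "code_challenge_method": "S256",
    }
    return f"{LOGIN_HOST}/services/oauth2/authorize?{urlencode(params)}"

def parse_callback(callback_url, expected_state):
    """Step 2: extract the code; refuse any callback carrying a state we did not issue."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise RuntimeError(f"authorization failed: {q['error'][0]}: {q.get('error_description', [''])[0]}")
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this callback was not started by this client")
    return q["code"][0]

def token_request(code, verifier):
    """Step 3: form body for POST {LOGIN_HOST}/services/oauth2/token.
    Only the verifier that produced the challenge can redeem the code."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }

if __name__ == "__main__":
    verifier, state = new_verifier(), secrets.token_urlsafe(16)
    print("1. open in browser:", build_authorize_url(verifier, state))
    # Constructed callback standing in for the browser redirect after login.
    demo_callback = f"{REDIRECT_URI}?code=aPrxDemoCode&state={state}"
    code = parse_callback(demo_callback, state)
    print("2. POST to", f"{LOGIN_HOST}/services/oauth2/token", "with", token_request(code, verifier))
```

Two points matter for the security argument. The code is returned only to the redirect URI registered on the installed Connected App, and it can only be exchanged by the process holding the matching `code_verifier`, so an authorization approved in the user's browser cannot be redeemed by a party that did not start the flow. If the Connected App has “Require Secret for Web Server Flow” enabled, add `client_secret` to the token request as well.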
5. Strengthen Your Governance
Use this transition as an opportunity to level up your Connected App governance:
- Review who has permission to install new Connected Apps.
- Monitor app usage and user authorizations regularly.
- Enforce the principle of least privilege across all profiles and roles.
- Request API Access Control from your Salesforce Account Executive if you need even stricter guardrails.
Verify help-desk requests and limit third-party access: Many of the 2025 breaches began when attackers impersonated IT support and persuaded service-desk staff to grant or reset credentials. Require strict identity verification for any service-desk action, enforce multi-factor authentication on all accounts, audit third-party app scopes, and remove unused integrations. Regularly review connected apps and revoke long-lived tokens to minimise the blast radius if a third-party platform is compromised.
Stay compliant, stay release-ready
Let Tekunda design a security-first DevOps strategy tailored to your Salesforce setup, so you focus on business value while we handle governance.
Timeline and Rollout
The rollout began in late August and is continuing through September:
- August 28, 2025 — New orgs received the restrictions.
- September 2, 2025 — Existing orgs began receiving the changes (phased rollout over ~2 weeks).
- September 2, 2025 — OAuth 2.0 Device Flow was removed from Data Loader.
What Won't Change
It is important to know that not everything is shifting. Here’s what stays the same:
- Installed Connected Apps keep working without disruption.
- Permissions to install new apps remain unchanged.
- Previously authorized apps continue functioning for existing users — except those using OAuth 2.0 Device Flow.
The Bigger Picture: Security as a Team Sport
While Salesforce is providing these new security controls, remember that platform security is a shared responsibility. The strongest technical controls can't protect against a user who's been socially engineered into granting access to a malicious app.
Use this transition to reinforce security awareness across your organization:
- Train users to spot phishing and vishing attempts
- Define clear escalation procedures for suspicious requests
- Audit Connected App usage and permissions regularly.
- Document your app approval process so decisions are consistent and transparent.
Conclusion
These updates show Salesforce’s commitment to closing security gaps while preserving the flexibility that makes the platform powerful. By putting these changes in the context of recent incidents, from Google and Chanel to Air France–KLM, you can see why restricting uninstalled apps and removing the OAuth Device Flow are necessary steps. Attackers are increasingly abusing trust and convenience; your governance and user education need to evolve just as quickly.
These changes give admins more control, but they also demand proactive preparation. By auditing Connected Apps, updating permissions, and training users, you’ll avoid disruptions and strengthen your security posture throughout the rollout.
Your users depend on you to keep the right doors open, and the wrong ones firmly shut. September’s changes give you the tools to do exactly that.
Looking for a simpler way to stay ahead of Salesforce changes? Serpent helps teams manage Connected Apps, streamline deployments and releases, and prepare for future updates with confidence.
Prefer to leave it up to us to manage your Salesforce org so you can focus on your business stakeholders? Contact the Tekunda team today to discuss a tailored security and DevOps strategy that keeps your organisation compliant, resilient, and release-ready.