Overview
The WorkSpan Salesforce package includes a connected app named WorkSpan Co-Sell referral integration that enables OAuth-based integration with WorkSpan’s third-party platform. Because this connected app is distributed via a managed package, it may remain uninstalled in some orgs. As of September 2, 2025, however, it is subject to Salesforce’s September 2025 restrictions on uninstalled connected apps. These restrictions require admins to explicitly install the app and manage access to it so that OAuth authorization keeps working for all users.
Salesforce is enforcing these new connected app usage restrictions to enhance security. These changes primarily affect uninstalled connected apps and impose new authorization requirements.
What’s Changing?
Salesforce is enforcing tighter security around the use of uninstalled connected apps. These are apps that users have authorized but were never formally installed into the org via the AppExchange or admin processes.
Why this Matters
This change is aimed at reducing security risks - including social engineering attacks - by preventing non-admin users from authorizing or accessing uninstalled connected apps. It also addresses vulnerabilities in the OAuth 2.0 device flow.
Key Terms
- Installed Connected App: A connected app explicitly installed by a Salesforce admin using the Install button in Setup. The admin controls OAuth access centrally.
- Uninstalled Connected App: A connected app visible in the org (e.g., via managed package or user authorization) but not installed by an admin. OAuth access is granted by individual users.
For Uninstalled Apps
- User-driven OAuth authorization for uninstalled connected apps will be blocked for new users.
- Existing authorizations generally remain valid, but any session expiration or reauthorization attempt will be blocked unless conditions are met.
- Only users with the “Approve Uninstalled Connected Apps” permission can authorize these apps post-restriction.
- OAuth 2.0 Device Flow is blocked for uninstalled apps.
What are Uninstalled Apps?
- Uninstalled App: This is a connected app that appears in your org (possibly from a managed package or external registration) but has not been explicitly installed by an admin using the Install button in Salesforce Setup.
- User-Level Authorization: Such apps can be authorized on a per-user basis; each user can grant OAuth access themselves. This is the default scenario where any user can connect via OAuth without admin intervention.
For Installed Apps
- No change in functionality if the app is installed by the admin.
- Admins can configure who can authorize the app:
  - “All users may self-authorize” permits all users to authorize.
  - “Admin approved users are pre-authorized” restricts usage to assigned users only.
Impact Summary
| Connected App Status | Admin Install Required | Impact on New OAuth Authorizations | Existing OAuth Sessions |
|---|---|---|---|
| Uninstalled Connected App | No | Blocked for most users | Generally preserved until expiry |
| Installed Connected App | Yes | Allowed per admin policy | Continues as per policy |
Actions for Existing Users
- Existing users who already authorized the connected app before the restriction generally continue to have access as long as their OAuth session remains valid.
- Admins should monitor for any session expirations or re-authorization attempts, which may be blocked if the app is uninstalled.
- To avoid disruptions, admins should proactively install the connected app in the org and manage access centrally.
Actions for New Users
- New users attempting to authorize an uninstalled connected app will be blocked unless:
  - The connected app is installed by an admin in the org, enabling centralized access control.
  - Or the user is granted the special “Approve Uninstalled Connected Apps” permission.
- It is best to have the app installed and access managed by an admin rather than relying on broad user permissions.
Implications
- Managed package connected apps are not impacted if installed in the target org.
- Connected apps included in packages but not installed behave as uninstalled apps and are restricted.
- OAuth authorization for uninstalled apps relies on user-level consent, which Salesforce will restrict.
- Admin installation centralizes management and protects against ad-hoc user authorizations.
Recommendations
- Audit connected apps using Connected Apps OAuth Usage and identify uninstalled apps.
- Request admin installation of key connected apps to ensure smooth, ongoing access.
- Assign the “Approve Uninstalled Connected Apps” permission sparingly, for exceptions only.
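As an added example supporting the audit recommendation above (this is not WorkSpan’s or Salesforce’s own code), the Python below takes rows from the standard OauthToken object, which records each user’s OAuth authorization of a connected app, and reports per app how many users authorized it and whether its access rests on user-level consent. The SOQL string and sample rows are constructed for the example, and the script assumes, as a heuristic rather than a documented Salesforce rule, that a token with no AppMenuItemId belongs to an app that is not installed in the org.

```python
"""Audit OauthToken rows to find connected apps relying on per-user OAuth consent."""

# SOQL this audit assumes is run against the org's standard OauthToken object.
OAUTH_TOKEN_SOQL = ("SELECT AppName, AppMenuItemId, UserId, UseCount, LastUsedDate "
                    "FROM OauthToken")

# Constructed sample rows in the shape that query returns; not data from a real org.
SAMPLE_TOKENS = [
    {"AppName": "WorkSpan Co-Sell referrals integration", "AppMenuItemId": None,
     "UserId": "005000000000001", "UseCount": 42, "LastUsedDate": "2025-08-20T10:00:00Z"},
    {"AppName": "WorkSpan Co-Sell referrals integration", "AppMenuItemId": None,
     "UserId": "005000000000002", "UseCount": 7, "LastUsedDate": "2025-08-28T09:30:00Z"},
    {"AppName": "WorkSpan Co-Sell referrals integration", "AppMenuItemId": None,
     "UserId": "005000000000001", "UseCount": 3, "LastUsedDate": "2025-09-01T16:00:00Z"},
    {"AppName": "Example Installed App", "AppMenuItemId": "APPMENUITEM_ID_PLACEHOLDER",
     "UserId": "005000000000003", "UseCount": 10, "LastUsedDate": "2025-08-30T12:00:00Z"},
]

def summarize_connected_apps(tokens):
    """Group token rows by app: distinct authorizing users, total use count, last use.

    Assumption (a heuristic, not a documented Salesforce rule): a row with no
    AppMenuItemId belongs to an app that is not installed in the org, so its
    access rests on user-level consent rather than an admin install.
    """
    apps = {}
    for row in tokens:
        app = apps.setdefault(row["AppName"],
                              {"installed": False, "users": set(), "use_count": 0, "last_used": ""})
        if row.get("AppMenuItemId"):
            app["installed"] = True
        app["users"].add(row["UserId"])
        app["use_count"] += row.get("UseCount") or 0
        # ISO-8601 UTC timestamps compare correctly as strings
        app["last_used"] = max(app["last_used"], row.get("LastUsedDate") or "")
    return {
        name: {"installed": a["installed"],
               "authorizing_users": len(a["users"]),
               "use_count": a["use_count"],
               "last_used": a["last_used"],
               # new users of an uninstalled app are blocked after the restriction
               "needs_admin_install": not a["installed"]}
        for name, a in apps.items()
    }

def apps_needing_install(tokens):
    """Sorted names of apps whose access currently rests on per-user authorization."""
    return sorted(name for name, a in summarize_connected_apps(tokens).items()
                  if a["needs_admin_install"])
```

Apps returned by `apps_needing_install` are the ones to install from Connected Apps OAuth Usage before the restriction blocks their next new user or re-authorization.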
Additional Notes
- Apps created directly in packaging orgs without metadata files appear after package install but remain uninstalled until an admin installs them.
- Uninstalled app: the OAuth access count increases as users individually authorize the app.
- The new Salesforce restrictions apply only to uninstalled apps, not to those installed and managed by admins.
Steps to Install WorkSpan Co-Sell Referrals Integration
1. Navigate to Connected Apps OAuth Usage:
   - Go to “Setup” in Salesforce.
   - In Quick Find, search for “Connected Apps OAuth Usage.”
   - Select “Connected Apps OAuth Usage” from the left sidebar.
2. Locate the WorkSpan App:
   - In the list, find “WorkSpan Co-Sell referrals integration.”
   - You’ll see the “Install” button next to it under the Actions column.
3. Install the Connected App:
   - Click the “Install” button.
   - Salesforce will prompt you to configure access and security settings for the app.
4. Configure Access Policies:
   - Choose either “All users may self-authorize” or “Admin-approved users are pre-authorized.”
   - To allow broad OAuth access, select “All users may self-authorize.”
   - For admin control, choose “Admin approved users are pre-authorized” and assign profiles/permission sets to authorized users.
   - All users may self-authorize -> No action required.
   - Steps to configure “Admin-approved users are pre-authorized”:
     - Click “Edit Policies”.
     - In the OAuth Policies section, go to “Permitted Users” and select “Admin-approved users are pre-authorized.”
     - Click “Save.”
     - In the Profiles section, click “Manage Profiles.”
     - Choose an Integration Profile, e.g., “Salesforce API Only System Integrations.”
     - Click “Save.”
5. Verify Integration:
   - Test the OAuth authorization flow from WorkSpan’s platform.
   - Validate that users (existing and new) can connect seamlessly as per the updated access policies.
Additional Information
- What is the impact of connected apps created and managed within the Org?
  There is no impact from this change to connected apps created and managed on the org.
  Example: WorkspanUserConnectedApp, which requires Post Deployment Steps and Canvas app
- What are the benefits of this feature change?
  This update enhances your control over connected apps and reduces the risk of unauthorized connected app access.
- What does this change impact?
  Users will be blocked from accessing uninstalled connected apps. In order to access new connected apps, the apps must be installed on the org. While users who previously authorized the uninstalled connected app can continue using those apps, any new user trying to access the same uninstalled apps will be blocked. Also, all usage of uninstalled apps that use the OAuth 2.0 device flow will be blocked, even if the user has previously authorized the app.
  Specific user permissions (“Approve Uninstalled Connected Apps” and “Use Any API Client”) are now required to use uninstalled connected apps. Salesforce recommends using care when assigning these permissions, as they allow users to bypass the restriction on using uninstalled connected apps. For example, you might only give these permissions to users, such as an admin or developer, who manage connected apps and need to test the apps before installing them on the org for access by other end users.
- What does this change not impact?
  Connected apps installed prior to this change will continue to function without interruption. If a Salesforce end user authorized a connected app prior to this change, that user can continue using it without interruption, even when the app is not installed on the org.