Does this have any impact?

[nirav777-create]

Dear Org Admins,

As part of our ongoing efforts to help our customers protect their Salesforce accounts, Salesforce is implementing new proactive security measures to prevent the compromise of customer data through unauthorized connected app use.

First, Salesforce will restrict the use of uninstalled connected apps in Salesforce orgs. Salesforce will start rolling out this change on August 28, 2025 for new orgs, and beginning early September 2025 for existing orgs.

Second, specifically for the Data Loader connected app, Salesforce will remove OAuth 2.0 Device Flow Authentication. This change will roll out on September 2, 2025 for all orgs.

What’s changing:Only users with the new ‘Approve Uninstalled Connected Apps’ permission will be able to use uninstalled connected apps.Users without this permission will be prevented from self-authorizing and using uninstalled connected apps.Admins will be able to assign the ‘Approve Uninstalled Connected Apps’ permission to certain users for specific use cases, such as testing an app before it is installed and made widely available to all users. We recommend only assigning this permission to users when absolutely necessary.Admins will still be able to authorize the installation of connected apps.How should I prepare for this change?Admins should immediately take steps in order to minimize interruption when additional security features for connected apps are released. Admins are advised to review connected apps installed on their org, and can prepare for this change by taking the following steps:Review your organization's needs and install any additional connected apps that should be permitted for all users. Additional connected apps can be installed from AppExchange or similar sources provided by the connected app developer.Consider blocking apps you do not recognize.Are there any exceptions to this change?The following exceptions include:Connected apps installed prior to this change will continue to function without interruption.If a Salesforce user has authorized a connected app prior to this change, that user can continue using it without interruption. However, all usage of uninstalled apps that use the OAuth 2.0 device flow will be blocked, even if the user has previously authorized the app.If API Access Control is not enabled, users can use uninstalled apps if they have either "Approve Uninstalled Connected Apps" or "Use Any API Client" permissions.If API Access Control is enabled, only the "Use Any API Client" permission grants access to uninstalled apps.External Client Apps are not affected by this change.Resources: Prepare for Connected App Usage Restrictions Change Knowledge Article -- Change 2: Removing Data Loader Connected App OAuth 2.0 Device Flow Authentication   What is changing?On September 2, 2025, Salesforce will remove support in the auto-installed Data Loader Connected App for the OAuth Device Flow for authentication. There will be no exceptions or extensions to this removal.Data Loader users who use the OAuth Device Flow to authenticate will be unable to login and will need to change to use either the password authentication or the OAuth Web Service Flow to login.How should I prepare for this change?Users must adopt one of the following login methods in order to use Data Loader: Password Authentication or Web Server FlowSalesforce will release a new version of Data Loader before September 2, 2025 that removes support for OAuth 2.0 Device Flow. An alternative to configuring an installed Data Loader client not to use OAuth 2.0 Device Flow is to download and install this new version.Are there any exceptions to this change?Data Loader users who use password authentication or OAuth Web Server Flow to authenticate will not be impacted by this change and do not need to take any action.Command line use with encrypted password is not impacted.Resources: Data Loader OAuth 2.0 Device Flow Removal What’s changing: Only users with the new ‘Approve Uninstalled Connected Apps’ permission will be able to use uninstalled connected apps. Users without this permission will be prevented from self-authorizing and using uninstalled connected apps. Admins will be able to assign the ‘Approve Uninstalled Connected Apps’ permission to certain users for specific use cases, such as testing an app before it is installed and made widely available to all users. We recommend only assigning this permission to users when absolutely necessary. Admins will still be able to authorize the installation of connected apps. How should I prepare for this change?

Admins should immediately take steps in order to minimize interruption when additional security features for connected apps are released. Admins are advised to review connected apps installed on their org, and can prepare for this change by taking the following steps:
Review your organization's needs and install any additional connected apps that should be permitted for all users. Additional connected apps can be installed from AppExchange or similar sources provided by the connected app developer.
Consider blocking apps you do not recognize.
Are there any exceptions to this change?

The following exceptions include:
Connected apps installed prior to this change will continue to function without interruption.
If a Salesforce user has authorized a connected app prior to this change, that user can continue using it without interruption. However, all usage of uninstalled apps that use the OAuth 2.0 device flow will be blocked, even if the user has previously authorized the app.
If API Access Control is not enabled, users can use uninstalled apps if they have either "Approve Uninstalled Connected Apps" or "Use Any API Client" permissions.
If API Access Control is enabled, only the "Use Any API Client" permission grants access to uninstalled apps.
External Client Apps are not affected by this change.
Resources: Prepare for Connected App Usage Restrictions Change Knowledge Article
Change 2: Removing Data Loader Connected App OAuth 2.0 Device Flow Authentication
trailblazer icon
What is changing?
On September 2, 2025, Salesforce will remove support in the auto-installed Data Loader Connected App for the OAuth Device Flow for authentication. There will be no exceptions or extensions to this removal.
Data Loader users who use the OAuth Device Flow to authenticate will be unable to login and will need to change to use either the password authentication or the OAuth Web Service Flow to login.
How should I prepare for this change?
Users must adopt one of the following login methods in order to use Data Loader: Password Authentication or Web Server Flow
Salesforce will release a new version of Data Loader before September 2, 2025 that removes support for OAuth 2.0 Device Flow. An alternative to configuring an installed Data Loader client not to use OAuth 2.0 Device Flow is to download and install this new version.
Are there any exceptions to this change?
Data Loader users who use password authentication or OAuth Web Server Flow to authenticate will not be impacted by this change and do not need to take any action.
Command line use with encrypted password is not impacted.
Resources: Data Loader OAuth 2.0 Device Flow Removal

[rachelbell27]

Also curious about this!

[paustint]

Yes, there will be an impact to some users. We have added a banner on our home page once you log in to Jetstream.

Prepare for upcoming changes to Salesforce Connected Apps. You may need to install the Jetstream Connected App to connect to new orgs.

Here is the summary:

• If you are a System Admin, then you will not have any impact unless you remove the Approve Uninstalled Connected Apps permission
• For all other users, if you have already connected an org to Jetstream, it will continue to work without any impact
• Otherwise, you will need to "install" the Jetstream app, which will appear in the Connected Apps OAuth Usage section in the setup menu. Note: this will only show up in orgs where at least one user has attempted to connect this org to Jetstream
• After installing, you can adjust permissions if desired (e.g. restrict access to specific Profiles or Permission Sets)
• If you don't install the app in production, then on every sandbox refresh you will need to go through the process to install again as part of your sandbox setup process.

The "Data Loader" part of the email does not impact Jetstream in any way.

Jetstream does not use "OAuth Device Flow" - this flow is for things like TVs where entering a password is difficult and a code is displayed so that login can happen cross-device or at least cross-context.

[TOTALLYMAJOR]

Hey @paustint cc[@nirav777-create ]
First I'll commend my fellow poster and second, instead of appending the missing bit I'll throw ya a quick run down and action items. Sound good? Awesome

1. I will try to get you the rest of the way there.

Jetstream & Security Implications/Actions

Connected Apps Restriction

Jetstream works as a connected app.

If you already installed and authorized Jetstream, it will continue working without interruption.

If Jetstream is not installed, users will need either:

• The new “Approve Uninstalled Connected Apps” permission, or

• To have Jetstream installed in the org by an Admin.

Note: System Admins are not automatically exempt — they must still install Jetstream or assign the new permission where needed.

Sandbox Refreshes

• If Jetstream is not installed in production, every sandbox refresh will require re-installation.

• To avoid repeated installs, install Jetstream in the source org before refresh so it carries forward.

API Access Control

• If your org has API Access Control disabled, users may still connect with Use Any API Client or Approve Uninstalled Connected Apps.

• If API Access Control is enabled, only Use Any API Client bypasses the restriction.

Recommend leaving API Access Control enabled for stronger governance.

Data Loader

• The change to remove OAuth Device Flow in Data Loader (September 2, 2025) does not affect Jetstream.

• Jetstream does not use Device Flow — it uses standard OAuth 2.0 authentication.

Recommended Actions If interested [ @nirav777-create @rachelbell27 @joiecosby]

Admins:

1. Install Jetstream in all production and sandbox orgs that use it.
2. Assign Approve Uninstalled Connected Apps only to a limited set of test users if needed.
3. Audit profiles/permission sets that should have access to Jetstream.

Developers/Testers:

1. Expect that ad-hoc connections to Jetstream without prior install will fail.
2. Work with Admins to ensure Jetstream is installed in the target org before testing.

End Users:

1. If Jetstream is already connected in your org, nothing changes.
2. If you’re onboarding to a new org, request your Admin to install Jetstream.

Existing Jetstream connections keep working.

New orgs or new users need Jetstream installed or explicit permission.

Data Loader changes are unrelated to Jetstream.

Sincerely - The Dude

[TOTALLYMAJOR]

[paustint]

@TOTALLYMAJOR - This is awesome, thank you so much for the clear and detailed write up!

[TOTALLYMAJOR]

Respect - thx