Manage the Once Unmanageable OAuth Connected Apps

Flex your muscles, admins. You can now control security policies for all those OAuth connected apps that you couldn’t before. Previously, when a developer created a connected app in another Salesforce org but didn’t package it, users in your org could use it, but you couldn’t manage it. Say, what? That’s right. If you don’t install a connected app in your local org, you can’t set its security policies. With this release, we’ve added the ability to install OAuth connected apps locally so that you can manage their policies in your org. This feature is new in both Lightning Experience and Salesforce Classic.

User Permissions Needed
To manage, create, edit, and delete OAuth apps: “Manage Connected Apps”

Now you can set such security policies as:

  • Who can run the connected app
  • How long a user’s session can be
  • Whether IP restrictions are enforced
  • Whether a mobile connected app requires a PIN

Check it out. Go to your Connected Apps OAuth Usage page. From Setup, enter Connected Apps in the Quick Find box and select Connected Apps OAuth Usage. The page looks a little different with this release.

(Image: Connected Apps OAuth Usage page)

The connected apps in your org still have a link to adjust security policies, but we’ve renamed it to Manage App Policies. Clicking the link takes you to the app’s detail page. From there, you click Edit Policies to modify the app’s policies to meet your access and security needs.

But what about the connected apps that don’t have a link to the app’s detail page? These apps were created by developers in another org. Users can connect to them because OAuth apps are available throughout Salesforce. However, you can’t manage their security policies because they’re not installed in your org.

Until now. With this release, you can install the apps locally so that you can manage them. Click Install next to the app and the Manage App Policies link appears. Click the link to go to the app’s detail page, and then click Edit Policies to modify the policies to meet your access and security needs.

(Image: Detail page for a connected app)

After you’ve installed the app, the button changes to Uninstall. However, it’s recommended that you uninstall an app only when the original developer deletes the app on the other org. Uninstall doesn’t remove the connected app. Instead, it removes the OAuth policies that you set for the app in your org. You’re actually loosening your security measures. To make the connected app inaccessible to your org’s users, click Block. Blocking an app ends all current user sessions with the connected app and blocks all new sessions. You can restore access to the app by clicking Unblock.