Critical Updates and Security Alerts

Salesforce periodically releases updates that improve the performance, logic, and usability of Salesforce, but which can affect your existing customizations. These are the updates available in the Critical Update Console in Spring ’20. Also review updates on the Security Alerts page, and previously released and newly enforced critical updates.

To ensure a smooth transition, each critical update has an opt-in period, which ends on the auto-activation date that’s displayed on the Critical Updates page in Setup. During this period, you can manually activate and deactivate each update as often as you need to evaluate the impact on your org and modify affected customizations. After the opt-in period has passed, the update is permanently activated by Salesforce. For more details, see Respond to Critical Updates.

The Security Alerts page in Setup gives a list of security alerts that affect your org. Each alert comes with step-by-step recommendations for actions to take in your org.

New Critical Updates

These critical updates are new in Spring ’20.

Opt Out of Turning Off Community-Specific Setting for Guest Users to See Other Members (Critical Update)
By activating this critical update, you opt out of turning off the community-specific Let guest users see other members of this community setting in the Winter ’21 release.
Enforce Data Access in Flow Formulas (Critical Update)
This update enforces the running user’s data access when a flow uses a formula resource or a formula field on a record variable to access a field on a record.
Make Flows Respect Access Modifiers for Legacy Apex Actions (Critical Update)
With this critical update enabled, developers can trust that their legacy Apex actions are properly protected and available only to other components in their managed packages. This update makes a flow fail if it contains a public legacy Apex action.
Require Permission to View Record Names in Lookup Fields (Critical Update)
To better protect your Salesforce org’s data, we restrict who can view record names in lookup fields. Beginning in Winter ’21, users must have read access to these records or the View All Lookup Record Names permission to view this data. This critical update also applies to system fields, such as Created By and Last Modified By.
Enable the New Salesforce Mobile App (Critical Update)
This update upgrades all mobile users to the new Salesforce mobile app.
Restrict Reflective Access to Non-Global Controller Constructors in Packages (Critical Update)
When this critical update is enabled, regardless of API version, you can instantiate only Apex classes that have a no-arguments constructor that is visible to the code running Type.newInstance.
Enable Improved Caching of Org Schema (Critical Update)
Improved caching of org schema resolves known issues with version-specific object and field handling.
Require Secure HTTPS Connections (Critical Update)
As part of updates related to Google Chrome’s SameSite cookie changes, HTTPS connections are required to access Salesforce. HTTP connections are no longer permitted. This update enables the Require secure connections (HTTPS) setting on the Session Settings Setup page and prevents it from being disabled. The Require secure connections (HTTPS) for all third-party domains setting isn’t affected by this update.
Opt Out of Two Guest User Security Policies Before Summer ’20 (Critical Update)
By activating this update, you opt out of two policies aimed at increasing your data security with regard to guest, or unauthenticated, users. Activating this critical update opts your org out of having the following two settings automatically enabled with the Summer ’20 release: Secure guest user record access and Assign new records created by guest users to the default owner. If your org already has these two settings enabled, activating this critical update doesn’t change your configuration.

Previously Released Critical Updates

These critical updates were announced in a previous release and are still available.

Open Hyperlinks in Formula Fields Correctly (Previously Released Critical Update)
If you have formula fields that contain a HYPERLINK function, Lightning Experience ignores the target value when attempting to open the link. This critical update ensures that the target value for hyperlinks is honored, whether it’s explicitly configured or set by default. This critical update was first made available in Winter ’19.
Enable ICU Locale Formats (Previously Released Critical Update)
To help you do business wherever you are, we’re adopting the International Components for Unicode (ICU) formats for dates and times. These new formats replace Oracle’s Java 8 Development Kit (JDK8) formats. ICU sets the international standard for these formats for all locales. The new formats provide a consistent experience across the Salesforce platform and improve integration with ICU-compliant applications across the globe. This critical update was first made available in Winter ’20.
Stabilize the Hostname for My Domain URLs in Sandboxes (Previously Released Critical Update)
We’re removing instance names from MyDomain URLs for sandboxes. The instance name identifies where your Salesforce sandbox org is hosted. Removing the instance name makes the URL cleaner and easier for users to remember. For example, MyDomain--SandboxName.my.salesforce.com replaces MyDomain--SandboxName.cs5.my.salesforce.com. This critical update was first made available in Summer ’18.
Stabilize URLs for Visualforce, Experience Builder, Site.com Studio, and Content Files (Previously Released Critical Update)
We’re removing the instance names from Visualforce, Experience Builder, Site.com Studio, and content file URLs. An instance name identifies where your Salesforce org is hosted. Instanceless domains are cleaner and easier for users to remember. This critical update applies to orgs that have a deployed My Domain. After this update, a URL that includes the instance name, such as a bookmark, automatically redirects to the new hostname. This critical update was first made available in Spring ’18.
Route My Domains Through Salesforce Edge (Previously Released Critical Update)
We’re accelerating domain requests for My Domains. With this update, you keep the same My Domain address, but requests go through Salesforce Edge. Salesforce Edge uses machine-learning technology to improve connectivity and performance. You can acknowledge this update to let Salesforce move your org’s My Domain to the new service before the July 2020 auto-activation date. This critical update was first made available in Winter ’20.
Prevent Creation of Function Expressions in Dynamically Created Aura Components (Previously Released Critical Update)
To improve security and stability, this critical update prevents attribute values passed to $A.createComponent() or $A.createComponents() from being interpreted as Aura function expressions. This critical update was first made available in Summer ’19.
Migrate Legacy Policies to the Enhanced Transaction Security Framework (Previously Released Critical Update)
With Salesforce’s enhanced transaction security policy framework, you can create transaction security policies that execute actions on any standard or custom object. Now that the new framework is generally available, we no longer allow users to create legacy transaction security policies. We're retiring the legacy framework in the Summer ’20 release. To prepare for this retirement and take advantage of the new features, migrate your legacy transaction security policies to the new framework as soon as possible. This critical update was first made available in Winter ’20.
Keep Working with Tab-Focused Dialogs (Previously Released Critical Update)
In Lightning console apps, dialogs no longer stop you from interacting with the rest of the UI. This critical update limits the focus of dialogs triggered by a workspace tab or subtab to only the tab that triggered it. This critical update was first made available in Winter ’20.
Evaluate Criteria Based on Original Record Values in Process Builder (Previously Released Critical Update)
This critical update ensures that a process with multiple criteria and a record update evaluates the original value of the field that began the process with a value of null. This critical update was first made available in Summer ’19.
Remove the Manage Encryption Keys Permission from the System Admin Profile (Previously Released Critical Update)
Admins must actively assign the ability to perform key management roles. The Manage Encryption Keys permission is revoked for the standard admin profile when you activate this Critical Update. Custom profiles that include the Manage Encryption Keys permission are not affected. Any user who has the permission through a custom profile or permission still has the permission. This critical update was first made available in Spring ’16 and applies only to customers who enabled Shield Platform Encryption before the Spring ’16 release.

Enforced Critical Updates

These critical updates were announced in a previous release and are now enforced.

Turn On Lightning Experience Critical Update Activates Starting January 7, 2020
Salesforce is turning on Lightning Experience for all orgs that don’t already have it enabled. The Turn on Lightning Experience Critical Update begins activating on January 7, 2020. Orgs will be activated on a rolling basis, with all orgs expected to be activated by January 31, 2020. After we turn on Lightning Experience, users still have access to Salesforce Classic. But Lightning Experience is where everyone should be for driving business growth and improving productivity. To get ready, verify your org’s existing features and customizations in the new interface, and prepare your users with change management best practices.
Enable Manual Account Sharing in Enterprise Territory Management (Critical Update, Enforced)
Enable Manual Account Sharing in Enterprise Territory Management was a critical update in Spring ’19 and is enforced in Spring ’20. This critical update changes the TerritoryManual reason code in AccountShare records to Territory2AssociationManual and is required to let users share accounts manually with territory groups.
API Only Users Can Access Only Salesforce APIs (Critical Update, Enforced)
API Only Users Can Access Only Salesforce APIs was a critical update in Spring ’19 and is enforced in Spring ’20. If a user has the API Only User permission, they can access Salesforce only via APIs, regardless of their other permissions. This restriction already applies to other Salesforce features, but this critical update enforces the restriction in Lightning Out.
Require Customize Application Permission for Direct Read Access to Custom Metadata Types (Critical Update, Enforced)
Access for users without the Customize Application permission to read unprotected custom metadata types is revoked as part of this critical update. Using different APIs that are provided by Salesforce, users without the Customize Application permission could read unprotected custom metadata types. Following the “secure by default” approach, this access is revoked.
Require Customize Application Permission for Direct Read Access to Custom Settings (Critical Update, Enforced)
Access for users without the Customize Application permission to read unprotected custom settings is revoked as part of this critical update. Using different APIs that are provided by Salesforce, users without the Customize Application permission could read unprotected custom settings. Following the “secure by default” approach, this access is revoked.
Make Actions & Recommendations Deployments Mandatory (Critical Update, Enforced)
This update requires that you select a deployment for the Actions & Recommendations component. When you configure Lightning Flow for Service, a deployment lets you control the actions that agents can start when they need an action that doesn’t appear in the component’s to-do list. Make Actions & Recommendations deployments mandatory was a critical update in Winter ’20 and is enforced in Spring ’20.
Return Null Values in Process and Flow Formulas (Critical Update, Enforced)
Check for Null Record Variables or Null Values of Lookup Relationship Fields in Process and Flow Formulas was a critical update in Spring ’19 and is enforced in Spring ’20, on February 18, 2020. This update enables process and flow formulas to return null values when the calculations involve a null record variable or null lookup relationship field.
Enable Partial Save for Invocable Actions (Critical Update, Enforced)
Enable Partial Save for Invocable Actions was a critical update in Winter ’20 and is enforced in Spring ’20, on April 9, 2020. This critical update improves the behaviors and effects of failed invocable actions. It only affects external REST API calls to invocable actions done in bulk. With this update, when invoking a set of actions in a single request, a single failed invocable action no longer causes the entire transaction to fail. Without this update, if a single invocable action fails, other invocable actions within the transaction are rolled back and the entire transaction fails.
Stop Automated Field Updates from Suppressing Email Notifications (Critical Update, Enforced)
Stop Automated Field Updates from Suppressing Email Notifications was a critical update in Summer ’17 and is enforced in Spring ’20, on March 1, 2020. For various operations, such as assigning a task to someone, you can choose to notify the affected user by email. This update stops processes, workflow rules, and Apex triggers from suppressing these email notifications.
Prevent Using Standard External Profiles for Self-Registration and User Creation (Security Alert and Critical Update, Enforced)
This update restricts the use of standard external profiles for self-registration and assignment to users.

Postponed Critical Updates

Disable Access to Non-global Apex Controller Methods in Managed Packages (Critical Update, Postponed)
This critical update is postponed to Summer ’21. Released in Summer ’17, it was scheduled for auto-activation in Winter ’20. The critical update corrects access controls on Apex controller methods in managed packages. When this update is enabled, only methods marked with the global access modifier are accessible by Aura components from outside the package namespace. These access controls prevent you from using unsupported API methods that the package author didn’t intend for global access.
Use with sharing for @AuraEnabled Apex Controllers with Implicit Sharing (Critical Update, Postponed)
This critical update is postponed to Spring ’21. It was scheduled for auto-activation in Spring ’20. This critical update changes the behavior of @AuraEnabled Apex controllers that don’t specify with sharing or without sharing to default to with sharing. This critical update applies only to orgs created after Spring ’18 or orgs that activated the retired “Use without sharing for @AuraEnabled Apex Controllers with Implicit Sharing” critical update that had the opposite effect and set the default to without sharing. Orgs created before Spring ’18 already default to with sharing. Those orgs don't see the critical update unless they enabled the now retired without sharing critical update.
Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile (Critical Update, Postponed)
This critical update is postponed to Winter ’21. It was scheduled for auto-activation in Spring ’20. This critical update gives you more control over which guest, portal, or community users can access Apex classes containing @AuraEnabled methods. Add guest user profile access to any @AuraEnabled Apex class used by a community or portal. When this critical update is activated, a guest, portal, or community user can access an @AuraEnabled Apex method only when the user’s profile allows access to the Apex class.
Enable Dependency Access Checks In Lightning Components (Critical Update, Postponed)
This critical update is postponed to Winter ’21. It was scheduled for auto-activation in Summer ’20. This critical update improves Lightning component access checks by checking the access level of all component dependencies. A dependency is any resource used within a top-level component. For example, a component can use or extend another component in its markup or implement an interface.
Restrict Access to @AuraEnabled Apex Methods for Authenticated Users Based on User Profile (Critical Update, Postponed)
This critical update is postponed to Winter ’21. It was scheduled for auto-activation in Summer ’20. This critical update gives you more control over which authenticated users can access Apex classes containing @AuraEnabled methods. When this critical update is activated, an authenticated user can access an @AuraEnabled Apex method only when the user’s profile allows access to the Apex class.
Enforce Access Modifiers on Apex Properties in Lightning Component Markup (Critical Update, Postponed)
This critical update is postponed to Summer ’21. It was scheduled for auto-activation in Summer ’20. This critical update makes Lightning components consistent with the use of Apex properties in other contexts. For example, a markup expression can no longer access an Apex property with a private Apex getter. This critical update was first made available in Winter ’20.
Require User Access to Apex Classes Invoked by Flow (Critical Update, Postponed)
This critical update, released in Summer ’19, was scheduled for auto-activation in Winter ’20, but has been postponed to Spring ’21. The critical update was previously called “Improve Security by Requiring User Access to Apex Classes Invoked by Flow.”

Retired Critical Updates

These critical updates were announced in a previous release but have been retired. They have been removed from the Critical Update Console and won’t be activated.

Generate Valid HTML Output from Formulas in Processes and Flows (Critical Update, Retired)
This critical update was released and retired in Spring ’20. This change affects your Salesforce org if you activated the critical update in the short time that it was available. And, if you modified any HTML in your formulas to prepare for this critical update, this retirement affects your org.

New Security Alerts

These security alerts are new in Spring ’20.

Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile (Security Alert)
This security alert is related to a critical update that gives you more control over which guest, portal, and community users can access Apex classes with @AuraEnabled methods in Aura and Lightning web components.
Restrict Access to @AuraEnabled Apex Methods for Authenticated Users Based on User Profile (Security Alert)
This security alert is related to a critical update that gives you more control over which authenticated users can access Apex classes with @AuraEnabled methods in Aura and Lightning web components.

Previously Released Security Alerts

These security alerts were announced in a previous release.

Automatically Assign Records Created by Guest Users to a Default Owner (Previously Released Security Alert)
To increase the security of your Salesforce data, set up your org so that guest users are no longer automatically the owner of records they create. Instead, when a guest user creates a record, the record is assigned to a default active user in the org, who becomes the owner.
View All Users and Other Permissions Disabled in Guest User Profiles (Security Alert, Enforced)
Guest users typically don’t need access to view all users in a Salesforce org, so to promote data security, we disabled the View All Users permission in guest user profiles. If you have an org created before Winter ’20, we recommend that you check guest user access and deselect the View All Users permission in all your guest user profiles. To enhance security, we also removed these permissions from the guest user profile: Can Approve Feed Post and Comments, Enable UI Tier Architecture, Remove People from Direct Messages, View Topics, and Send Non-Commercial Email.

Enforced Security Alerts

These security alerts were announced in a previous release and are now enforced.

Secure Guest Users’ Org-Wide Defaults and Sharing Model (Security Alert, Enforced)
Learn about the Secure guest user record access setting in this security alert, and how to safeguard your org’s data. This setting enforces private org-wide defaults for guest users and restricts the sharing mechanisms that you can use to grant record access to guest users. If you have a Salesforce org created before Winter ’20, we recommend that you review the external org-wide defaults, public groups, queues, manual sharing, and Apex managed sharing that you use to grant access to guest users. Then replace the access previously granted by these sharing mechanisms with guest user sharing rules before the security alert is enforced.
Block Certain Fields in the User Record for Orgs with Communities and Portals (Security Alert and Critical Update, Enforced)
Salesforce is giving customers the option to enable a user setting that allows the hiding of certain personal information fields on the user records in orgs with communities or portals. The fields are hidden from view when external users are accessing user records. External users can still see their own user records. This change doesn’t apply to queries running in System Mode.