Get Ready: Changes to Connected App Usage Restrictions Coming This September

One of our most important responsibilities as admins is making sure users can access the tools they need, while also protecting the security of the org. Starting in early September 2025, Salesforce is making a change that shifts how connected apps work, and it’s worth preparing for now.

What’s changing in September 2025

The change is simple on the surface: uninstalled connected apps will no longer be accessible to most users. If an app isn’t installed in your org, it’s blocked. There are some exceptions: users who already authorized an app may continue to use it, but only if the app doesn’t rely on the OAuth 2.0 device flow. And for those of us with higher-level permissions, there are new ways to bypass the restriction, but they come with responsibility.

Essential permissions to be aware of

Two permissions stand out. The first is a new one, Approve Uninstalled Connected Apps, introduced in Summer ’25. It allows trusted users to self-authorize and continue using uninstalled apps. 

The second, Use Any API Client, is broader and covers uninstalled and blocked apps alike. Both are powerful, and both should only be granted sparingly—to admins, developers, or others who are actively managing connected apps. Everyday users don’t need them, and giving them out too freely could undercut the whole point of this change.

What stays the same

It’s also worth noting what won’t change. Any connected app you’ve already installed will continue working without disruption. And if a user has previously authorized a connected app, they can keep using it even after September, unless it’s tied to that OAuth 2.0 device flow. The permissions to install new connected apps also remain the same, so your process for approving and installing new tools doesn’t shift.

Why Salesforce is making this change

Why is Salesforce doing this? It comes down to security and control. Connected apps are powerful—they open doors into your org. This change locks those doors by default, leaving you as the admin to decide who gets a key. It’s a way to reduce the risk of unauthorized access while giving you clearer oversight of the apps your users depend on.

Steps admins should take now

So, what should you be doing now? First, communicate the change to your users. Let them know that starting in September, some apps may stop working if they haven’t been properly installed. Give them a path to request access—something as simple as “If you run into trouble, reach out with the app name and why you need it” will save a lot of confusion.

Second, spend some time in Setup reviewing your Connected Apps OAuth Usage. That view will show you which apps are currently in play, how many users rely on them, and whether they’re installed or not.

[Screenshot: Connected Apps OAuth Usage in Setup]

From there, group them into two categories: trusted and untrusted. Trusted apps should be installed now to avoid disruption, while untrusted ones should be blocked to prevent future access.

When installing a trusted app, take a moment to configure who can actually use it. Under OAuth Policies you’ll find the Permitted Users setting, and Salesforce recommends choosing “Admin approved users are pre-authorized.” That way you’re explicitly deciding which profiles or permission sets grant access. It’s a more controlled, thoughtful approach than letting every user authorize an app on their own.

Blocking untrusted apps is just as important. Doing so ends all active sessions immediately and prevents anyone from connecting in the future. Users who try to access a blocked app will see an error message, with slightly different behavior depending on whether your org has API Access Control enabled. Either way, the message points them back to you, so it’s better to have a communication plan in place before that happens.
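To see who would be disrupted before you install or block anything, the access rules described in this post can be modeled in a short script. This is an added example, not Salesforce code or an official tool: the app names, user names, and data layout are constructed, and the rule order is a simplified reading of the post, not Salesforce's enforcement logic.

```python
from dataclasses import dataclass

APPROVE = "Approve Uninstalled Connected Apps"
ANY_CLIENT = "Use Any API Client"

@dataclass(frozen=True)
class App:
    name: str
    installed: bool
    blocked: bool = False
    device_flow: bool = False  # app relies on the OAuth 2.0 device flow

def access_after_change(app, perms, previously_authorized):
    """Return (allowed, reason) under the rules as this post states them."""
    if ANY_CLIENT in perms:
        return True, "Use Any API Client covers uninstalled and blocked apps"
    if app.blocked:
        return False, "app is blocked"
    if app.installed:
        return True, "app is installed"
    if APPROVE in perms:
        # Assumption: the post names no device-flow carve-out for this permission.
        return True, "user can self-authorize uninstalled apps"
    if previously_authorized and not app.device_flow:
        return True, "existing authorization is kept"
    if previously_authorized:
        return False, "uninstalled app uses the device flow"
    return False, "uninstalled app, no prior authorization"

def disruption_report(apps, users, grants):
    """List users who authorized an app before the change and would lose it."""
    lost = {}
    for app in apps:
        for user, perms in users.items():
            had = (app.name, user) in grants
            allowed, reason = access_after_change(app, perms, had)
            if had and not allowed:
                lost.setdefault(app.name, []).append((user, reason))
    return lost

# Constructed sample data standing in for what you note from Connected Apps OAuth Usage.
APPS = [App("Kiosk Scanner", installed=False, device_flow=True),
        App("Reporting Add-in", installed=False),
        App("Legacy Sync", installed=False, blocked=True)]
USERS = {"ana": set(), "dev_raj": {APPROVE}, "admin_li": {ANY_CLIENT}}
GRANTS = {("Kiosk Scanner", "ana"), ("Kiosk Scanner", "dev_raj"),
          ("Reporting Add-in", "ana"), ("Legacy Sync", "ana"), ("Legacy Sync", "admin_li")}

if __name__ == "__main__":
    for app_name, affected in disruption_report(APPS, USERS, GRANTS).items():
        print(app_name, affected)
```

Any app that appears in the report is a candidate for either installing (if trusted) or a heads-up to the listed users (if you intend to leave it blocked).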

Your key takeaway

The key takeaway is that this change isn’t just another checkbox on your to-do list. It’s a reminder of how central admins are to both productivity and security. By reviewing your connected app usage now, installing what you trust, and blocking what you don’t, you’ll minimize disruption for your users and reinforce your role as the gatekeeper of your org.

Being an admin isn’t just about keeping things running smoothly—it’s also about making sure the right doors are open, and the wrong ones stay shut. This September’s change is your chance to do just that.

The post Get Ready: Changes to Connected App Usage Restrictions Coming This September appeared first on Salesforce Admins.