It might start with something simple.
An admin testing a new integration. A developer trying out a handy tool. A user installing a connected app to make their workday easier.
These small moments of convenience are exactly why Salesforce is tightening security around connected apps and the Data Loader tool. Between late August and early September 2025, Salesforce is rolling out two changes that directly affect how teams connect external apps and how they authenticate with Data Loader.
If you read our earlier blog post about a recent extortion campaign that used a fake Data Loader, you’ll see the connection. Attackers thrive on gaps between convenience and control. Salesforce’s new measures aim to close those gaps.
Salesforce Connected Apps Restrictions and Data Loader Authentication Changes
On August 18th, 2025, Salesforce announced that they will restrict the use of uninstalled connected apps, and we’re detailing what this means for your organization.
1. Salesforce Restricts Uninstalled Connected Apps: New Permissions Required
Until now, a user could authorize a connected app that no admin had installed in the org, simply by approving its OAuth consent prompt. That meant an individual could grant a third party access to org data without admin oversight. Soon, that won’t be possible unless the user holds a new permission: Approve Uninstalled Connected Apps.
Only users with that specific permission will be able to connect uninstalled apps. Everyone else will be blocked. Admins can still install apps, but Salesforce is sending a clear signal: review, install, and govern apps centrally.
There are exceptions. Connected apps an admin installed before the rollout are unaffected, and users who previously authorized an uninstalled app can keep using it, unless that app relies on the OAuth 2.0 Device Flow, which is being blocked outright.
The effect also depends on whether API Access Control is turned on in the org. If it’s disabled, users with either the new permission or the broader Use Any API Client permission can still authorize uninstalled apps. If it’s enabled, only Use Any API Client grants that ability. External Client Apps remain unaffected.
2. Salesforce Removes OAuth 2.0 Device Flow in Data Loader (Sept 2025)
On September 2, 2025, the OAuth 2.0 Device Flow option for the auto-installed Data Loader connected app goes away. Anyone still logging in that way will find themselves locked out. The remaining options are username/password authentication or the OAuth 2.0 Web Server Flow.
Salesforce will release a new version of Data Loader before the deadline that removes Device Flow support altogether. Command-line (batch mode) use with encrypted passwords is not affected.
No exceptions. No extensions.
Here’s Salesforce’s help article if you’d like to learn more.
Why Salesforce Connected Apps Security Changes Matter
These changes are not about inconvenience. They’re about trust. Every time an app connects to Salesforce, data can leave the platform’s boundaries. Without careful review, an uninstalled app or an outdated authentication method becomes a weak link.
Attackers know this. The vishing campaign we wrote about earlier worked because people trusted a tool they had used before. The tool itself wasn’t the problem; the way it was installed and authorized was.
By restricting uninstalled apps and tightening Data Loader authentication, Salesforce is cutting down on the paths attackers can exploit.
How to Prepare for Salesforce Connected Apps and Data Loader Updates
Here’s what Aquiva Labs recommends:
- Review and install apps now: Identify connected apps in use that aren’t formally installed (Setup > Connected Apps OAuth Usage lists them alongside who is using them). Install what your teams need and block anything you don’t recognize.
- Assign the new permission sparingly: Grant Approve Uninstalled Connected Apps only to a handful of trusted users with a clear business case.
- Update Data Loader before September 2: Stop using the OAuth Device Flow, switch to password authentication or the Web Server Flow, and install the new Data Loader version once it’s available.
- Strengthen app governance: Review who can connect apps, how those apps are monitored, and whether they follow the principle of least privilege.
- Remind users about security basics: Every time someone clicks “Allow” on a connected app consent screen, they’re granting a third party access to your Salesforce data with whatever scopes that app requested. Train your teams to pause and report unexpected authorization requests to IT or security.
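The first two steps above (find connected apps that users have authorized but nobody installed, and decide which to install or block) can be scripted rather than eyeballed in Setup. The example below is added for this post and is not Salesforce or Aquiva Labs code. It assumes two SOQL queries, against the standard OauthToken object (one row per user-level OAuth grant) and the ConnectedApplication object (apps installed in the org), are run through whatever API client you already use; the rows shown are constructed sample results in the shape the REST API returns, the audit date is fixed so the output is repeatable, and the "lookalike" check (an authorized app whose name collapses to the same letters as an installed app, which is how a counterfeit Data Loader can blend in) is a heuristic of this example, not a Salesforce feature.

```python
"""Audit user-authorized connected apps against the apps actually installed in the org.

Added example, not from the original post or from Salesforce. Object and field
names are assumptions to confirm in your org's Developer Console before relying on them.
"""
import re
from datetime import datetime, timezone

# SOQL the audit expects you to run; results are passed in as lists of dicts.
INSTALLED_APPS_SOQL = "SELECT Id, Name FROM ConnectedApplication"
TOKENS_SOQL = "SELECT AppName, UserId, UseCount, LastUsedDate FROM OauthToken"

# Constructed sample query results (shaped like the REST API "records" arrays).
INSTALLED_APPS = [
    {"Id": "0H4xx0000000001", "Name": "Dataloader Partner"},
    {"Id": "0H4xx0000000002", "Name": "Dataloader Bulk"},
    {"Id": "0H4xx0000000003", "Name": "Marketing Sync"},
]
TOKENS = [
    {"AppName": "Dataloader Partner", "UserId": "005xx000000A1AA", "UseCount": 40, "LastUsedDate": "2025-08-20T09:12:00.000+0000"},
    {"AppName": "Data Loader Partner", "UserId": "005xx000000B2AA", "UseCount": 3, "LastUsedDate": "2025-08-19T16:40:00.000+0000"},
    {"AppName": "Handy CSV Exporter", "UserId": "005xx000000C3AA", "UseCount": 12, "LastUsedDate": "2025-08-01T10:00:00.000+0000"},
    {"AppName": "Handy CSV Exporter", "UserId": "005xx000000D4AA", "UseCount": 1, "LastUsedDate": "2025-07-28T08:30:00.000+0000"},
    {"AppName": "Old BI Connector", "UserId": "005xx000000E5AA", "UseCount": 5, "LastUsedDate": "2025-03-02T08:30:00.000+0000"},
    {"AppName": "Marketing Sync", "UserId": "005xx000000F6AA", "UseCount": 200, "LastUsedDate": "2025-08-21T07:00:00.000+0000"},
]
# Fixed audit date (constructed) so the report is deterministic.
NOW = datetime(2025, 8, 25, tzinfo=timezone.utc)


def normalize(name):
    """Collapse an app name to lowercase alphanumerics for lookalike comparison."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def parse_sf_datetime(value):
    """Parse the Salesforce REST datetime format, e.g. 2025-08-20T09:12:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def audit(installed, tokens, now, stale_days=90):
    """Group OAuth grants by app and classify each app as installed, lookalike or uninstalled."""
    installed_names = {app["Name"] for app in installed}
    installed_by_norm = {normalize(app["Name"]): app["Name"] for app in installed}
    findings = {}
    for token in tokens:
        entry = findings.setdefault(
            token["AppName"], {"users": set(), "use_count": 0, "last_used": None}
        )
        entry["users"].add(token["UserId"])
        entry["use_count"] += token["UseCount"]
        last_used = parse_sf_datetime(token["LastUsedDate"])
        if entry["last_used"] is None or last_used > entry["last_used"]:
            entry["last_used"] = last_used
    for name, entry in findings.items():
        if name in installed_names:
            entry["status"] = "installed"
        elif normalize(name) in installed_by_norm:
            # Same letters as an installed app but a different exact name: treat as suspect.
            entry["status"] = "lookalike of " + installed_by_norm[normalize(name)]
        else:
            entry["status"] = "uninstalled"
        entry["stale"] = (now - entry["last_used"]).days > stale_days
    return findings


def apps_needing_action(findings):
    """Sorted names of every app that is not an installed one; these need an install or block decision."""
    return sorted(name for name, entry in findings.items() if entry["status"] != "installed")


def report_lines(findings):
    """Human-readable summary, one line per app, worst cases first."""
    order = {"uninstalled": 0, "installed": 2}
    lines = []
    for name in sorted(findings, key=lambda n: (order.get(findings[n]["status"], 1), n)):
        entry = findings[name]
        action = "OK" if entry["status"] == "installed" else "REVIEW: install or block"
        if entry["stale"] and entry["status"] != "installed":
            action = "REVOKE: stale and not installed"
        lines.append(
            f"{name}: {entry['status']}, {len(entry['users'])} user(s), "
            f"{entry['use_count']} uses, last {entry['last_used'].date()} -> {action}"
        )
    return lines


if __name__ == "__main__":
    for line in report_lines(audit(INSTALLED_APPS, TOKENS, NOW)):
        print(line)
```

Run the two queries with your API client, feed the record lists to `audit`, and work through `apps_needing_action`: install the ones with a business case through App Manager, block the rest from Connected Apps OAuth Usage, and treat any lookalike as an incident until proven otherwise. Once the Approve Uninstalled Connected Apps permission is live, rerun the audit periodically; new uninstalled entries then point at exactly the handful of users holding that permission.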
Aquiva Labs Salesforce Security Consulting and App Governance Support
At Aquiva Labs, we work with Salesforce customers to build environments that are not only powerful but secure. That means helping you:
- Audit and govern connected apps
- Implement role-based and risk-based access controls
- Prepare for authentication and security changes before they disrupt your teams
- Integrate security into every layer of your Salesforce architecture
Want to learn more? Connect with our security experts here!
Final Thoughts
Security doesn’t just mean patching vulnerabilities. It means anticipating the ways trusted tools can be misused.
Salesforce’s new restrictions are a reminder that convenience should never outrun control. By acting now, you can ensure your teams stay productive while keeping your data safe.
A short consultation could help you avoid disruption in September and strengthen your security posture for the long term.
Author
Jakub Stefaniak
Field CTO
