Critical Updates

This release includes new critical updates for Lightning Experience, External Profiles, Aura Components, and HTTPS Connections. Also check out the previously released and enforced critical updates sections.

To ensure a smooth transition, each critical update has an opt-in period, which ends on the auto-activation date that’s displayed on the Critical Updates page in Setup. During this period, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org and modify affected customizations. After the opt-in period has passed, the update is activated. For more details, see Respond to Critical Updates.

New Critical Updates

These critical updates are new in Summer ’19.

Disable the API Enabled User Permission Defaults for External Profiles (Critical Update)
Salesforce is disabling the API enabled permission on all standard and cloned external profiles. The API enabled permission allows external applications or connectors, such as Workbench, Dataloader.io, Jitterbit, Excel Connector, Salesforce Mobile App, Mobile SDK Apps, Salesforce IoT, or Connected Apps to use the API to authenticate or access Salesforce data.
Prevent Creation of Function Expressions in Dynamically Created Aura Components (Critical Update)
To improve security and stability, this update prevents attribute values passed to $A.createComponent() or $A.createComponents() from being interpreted as Aura function expressions.
Require TLS 1.2 for HTTPS Connections (Critical Update)
To maintain the highest security standards and promote the safety of your data, Salesforce is disabling the older Transport Layer Security (TLS) 1.1 encryption protocol. Starting in October 2019, all inbound connections to or outbound connections from your Salesforce org must use TLS 1.2. Verify that your browser access, API integrations, and other Salesforce features are compliant with TLS 1.2.
Require TLS 1.2 for HTTPS Connections in Communities and Sites (Critical Update)
To maintain the highest security standards and promote the safety of your data, Salesforce is disabling the older Transport Layer Security (TLS) 1.1 encryption protocol. Starting in October 2019, all inbound connections to or outbound connections from your Salesforce communities, sites, and portals must use TLS 1.2. Verify that your browser access, API integrations, and other Salesforce features are compliant with TLS 1.2.
Use the BR() Function in Flows and Processes Correctly (Critical Update)
This critical update ensures that BR() functions in flows and processes result in a line break. Previously, a BR() in a formula resource resolved to _BR_ENCODED_ and not to a line break.
Evaluate Criteria Based on Original Record Values in Process Builder (Critical Update)
This critical update ensures that a process with multiple criteria and a record update evaluates the original value of the field that began the process with a value of null.
Improve Security by Requiring User Access to Apex Classes Invoked by Flow (Critical Update)
This critical update requires a user running a flow to have access to all Apex classes invoked by that flow. If a flow invokes Apex, the running user must have the corresponding Apex class assignment in their profile or permission set.

Previously Released Critical Updates

These critical updates were announced in a previous release and are still available.

Turn On Lightning Experience (Previously Released Critical Update)
As mentioned in the Spring ’19 release, Salesforce will turn on Lightning Experience on a rolling basis starting in Winter ’20 to empower users to move faster, do more, and be more productive. Users can continue working in Salesforce Classic after Lightning Experience is turned on. However, we encourage everyone to start preparing to transition to Lightning Experience soon so that your users can benefit from everything the new interface has to offer. Better yet, choose your own schedule by turning on Lightning Experience for your users before this update is auto-activated.
Enable Manual Account Sharing in Enterprise Territory Management (Previously Released Critical Update)
This update changes the TerritoryManual reason code in AccountShare records to Territory2AssociationManual and is required to let users share accounts manually with territory groups. After you activate the update in production, it can take up to two weeks before you see the changes.
Disable Access to Non-global Apex Controller Methods in Managed Packages (Previously Released Critical Update)
As mentioned in the Spring ’19 release notes, this critical update corrects access controls on Apex controller methods in managed packages. When this update is enabled, only methods marked with the global access modifier are accessible by Aura components from outside the package namespace. These access controls prevent you from using unsupported API methods that the package author didn’t intend for global access.
Block Certain Fields in the User Record for Orgs with Communities and Portals (Critical Update)
Salesforce is giving customers the option to enable a user setting that allows the hiding of certain personal information fields on the user records in orgs with communities or portals. The fields are hidden from view when external users are accessing user records. External users can still see their own user records.

Enforced Critical Updates

These critical updates were announced in a previous release and are now enforced.

Enable External Org-Wide Defaults in Orgs with Communities or Portals (Critical Update, Enforced)
Enabling external org-wide defaults in orgs with communities or portals was a critical update in Spring ’19 and is enforced for the Summer ’19 release. This update enables the External Sharing Model and helps you secure your data. You can set more restrictive levels of access for external users instead of giving internal and external users the same default access.
Add a Namespace Prefix to pageReference.state Properties and Query Parameters (Critical Update, Enforced)
Add a Namespace Prefix to Query Parameters and pageReference.state Properties was a critical update in Winter ’19 and is enforced for the Summer ’19 release. This critical update resolves naming conflicts for query parameters between package components. Starting on May 17, 2019, this update begins to auto-activate on a rolling basis. The actual date it auto-activates for your org depends on when you update to the Summer ’19 release. All orgs will be updated by June 17, 2019. As with all critical updates, you can activate the update manually before Salesforce auto-activates it.

Postponed Critical Updates

These critical updates were announced in a previous release and the auto-activation date was postponed.

Use without sharing for @AuraEnabled Apex Controllers with Implicit Sharing (Critical Update, Postponed)
This critical update, released in Spring ’18, was scheduled for auto-activation in Summer ’19, but has been postponed to Winter ’20.