Critical and Security Updates

This release includes new critical updates for locale formatting, @AuraEnabled Apex methods, actions, and other changes. Also check out updates on the Security Updates page, and previously released and newly enforced critical updates.

To ensure a smooth transition, each critical update has an opt-in period, which ends on the auto-activation date that’s displayed on the Critical Updates page in Setup. During this period, you can manually activate and deactivate each update as often as you need to evaluate the impact on your org and modify affected customizations. After the opt-in period has passed, the update is permanently activated by Salesforce. For more details, see Respond to Critical Updates.

The Security Updates page in Setup gives a list of security updates that affect your org. Each update comes with step-by-step recommendations for actions to take in your org.

New Critical Updates

These critical updates are new in Winter ’20.

Enable ICU Locale Formats (Critical Update)
To help you do business wherever you are, we’re adopting the International Components for Unicode (ICU) formats for dates and times. These new formats replace Oracle’s Java 8 Development Kit (JDK8) formats. ICU sets the international standard for these formats for all locales. The new formats provide a consistent experience across the Salesforce platform and improve integration with ICU-compliant applications across the globe.
Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile (Critical Update)
This critical update gives you more control over which guest or portal users can access Apex classes containing @AuraEnabled methods.
Restrict Access to @AuraEnabled Apex Methods for Authenticated Users Based on User Profile (Critical Update)
This critical update gives you more control over which authenticated users can access Apex classes containing @AuraEnabled methods.
Use with sharing for @AuraEnabled Apex Controllers with Implicit Sharing (Critical Update)
This critical update changes the behavior of @AuraEnabled Apex controllers that don’t specify with sharing or without sharing to default to with sharing.
Enforce Access Modifiers on Apex Properties in Lightning Component Markup (Critical Update)
This critical update makes Lightning components consistent with the usage of Apex properties in other contexts. For example, a markup expression can no longer access an Apex property with a private Apex getter.
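As an added example (not code from the release notes), this hypothetical controller shows how to write an @AuraEnabled Apex class so that it behaves the same whether or not the two critical updates above are active: the sharing mode is declared explicitly instead of being left implicit, and a property that only Apex should read is given a private getter, which Lightning markup can no longer access.

```apex
// Added example; class, property and object names are hypothetical.
// "with sharing" is declared explicitly so the running user's record-level
// sharing is enforced on the query regardless of the critical update's state.
public with sharing class OpportunitySummaryController {

    // Wrapper returned to the Lightning component.
    public class Row {
        // Public getters: a markup expression such as {!v.row.name} can read these.
        @AuraEnabled public String name { get; set; }
        @AuraEnabled public Decimal amount { get; set; }

        // Private getter: under "Enforce Access Modifiers on Apex Properties in
        // Lightning Component Markup", {!v.row.internalNote} can no longer read
        // this value; only Apex inside this class can call the getter.
        @AuraEnabled public String internalNote { private get; set; }
    }

    // Returns open opportunities visible to the current user. Because the class
    // runs with sharing, records the user has no access to are filtered out.
    @AuraEnabled(cacheable=true)
    public static List<Row> getOpenOpportunities() {
        List<Row> rows = new List<Row>();
        for (Opportunity opp : [SELECT Name, Amount
                                FROM Opportunity
                                WHERE IsClosed = false
                                LIMIT 50]) {
            Row r = new Row();
            r.name = opp.Name;
            r.amount = opp.Amount;
            r.internalNote = 'Apex-only annotation';
            rows.add(r);
        }
        return rows;
    }
}
```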
Route My Domains Through Salesforce Edge (Critical Update)
We’re accelerating domain requests for My Domains. With this update, you keep the same My Domain address, but requests go through Salesforce Edge. Salesforce Edge uses machine-learning technology to improve connectivity and performance. You can acknowledge this update to let Salesforce move your org’s My Domain to the new service before the July 2020 auto-activation date.
Migrate Legacy Policies to the Enhanced Transaction Security Framework (Critical Update)
With Salesforce’s new enhanced transaction security policy framework, you can create transaction security policies that execute actions on any standard or custom object. Now that the new framework is generally available, we are retiring the legacy framework in the Summer ’20 release. To prepare for this retirement and take advantage of the new features, migrate your legacy transaction security policies to the new framework as soon as possible.
Enable Partial Save for Invocable Actions (Critical Update)
This critical update improves the behaviors and effects of failed invocable actions. It only affects external REST API calls to invocable actions done in bulk. With this update, when invoking a set of actions in a single request, a single failed invocable action no longer causes the entire transaction to fail. Without this update, if a single invocable action fails, other invocable actions within the transaction are rolled back and the entire transaction fails.
Require a Deployment and Show the Right Actions (Critical Update)
This update requires that you select a deployment for the Actions & Recommendations component. When you configure Lightning Flow for Service, a deployment lets you control the actions that agents can start when they need an action that doesn’t appear in the component’s to-do list.
Require Customize Application Permission for Direct Read Access to Custom Metadata Types (Critical Update)
Users without the Customize Application permission can read unprotected custom metadata types using different APIs that are provided by Salesforce. Following the “secure by default” approach, read access for users who don’t have the Customize Application permission is revoked with this update. This change affects Visualforce pages and Lightning components that directly reference custom metadata types. For custom metadata types, an admin can explicitly grant access to a specific profile or permission set.
Keep Working with Tab-Focused Dialogs (Critical Update)
In Lightning console apps, dialogs no longer stop you from interacting with the rest of the UI. This critical update limits the focus of dialogs triggered by a workspace tab or subtab to only the tab that triggered it.

Previously Released Critical Updates

These critical updates were announced in a previous release and are still available.

Enable Manual Account Sharing in Enterprise Territory Management (Previously Released Critical Update)
This update changes the TerritoryManual reason code in AccountShare records to Territory2AssociationManual and is required to let users share accounts manually with territory groups. This critical update was first made available in Spring ’19.
Prevent Creation of Function Expressions in Dynamically Created Aura Components (Previously Released Critical Update)
To improve security and stability, this critical update prevents attribute values passed to $A.createComponent() or $A.createComponents() from being interpreted as Aura function expressions. This critical update was first made available in Summer ’19.
Stabilize the Hostname for My Domain URLs in Sandboxes (Previously Released Critical Update)
We’re removing instance names from MyDomain URLs for sandboxes. The instance name identifies where your Salesforce sandbox org is hosted. Removing the instance name makes the URL cleaner and easier for users to remember, for example, MyDomain--SandboxName.my.salesforce.com replaces MyDomain--SandboxName.cs5.my.salesforce.com. This critical update was first made available in Summer ’18.
Remove Instance Names from URLs for Visualforce, Community Builder, Site.com Studio, and Content Files (Previously Released Critical Update)
We’re removing the instance names from Visualforce, Community Builder, Site.com Studio, and content file URLs. An instance name identifies where your Salesforce org is hosted. Instanceless domains are cleaner and easier for users to remember. This critical update applies to orgs that have a deployed My Domain. After this update, a URL that includes the instance name, such as a bookmark, automatically redirects to the new hostname. This critical update was first made available in Spring ’18.

Enforced Critical Updates

These critical updates were announced in a previous release and are now enforced.

Turn On Lightning Experience Critical Update Now Activates Starting January 7, 2020
Previously, we announced that this critical update would activate with Winter ’20. Out of an abundance of caution, we have decided to delay auto-activation of this update. It will now activate for your org within 72 hours of January 7, 2020.
Restrict Use of Salesforce Classic HTML-Based Email Templates to Secure Browsers (Critical Update, Enforced)
Restrict Use of Salesforce Classic HTML-Based Email Templates was a critical update in Summer ’18 and is enforced in Winter ’20. This critical update prevents using HTML-based email templates, such as custom, Visualforce, or standard HTML templates, when accessing Salesforce from Microsoft Internet Explorer. Internet Explorer doesn’t support the Salesforce Content Security Policy (CSP), so it can’t provide the required browser protection. We recommend a browser with CSP support, such as Microsoft Edge, Google Chrome, or Mozilla Firefox.
Improve Email Security with Redesigned DKIM Keys (Critical Update, Enforced)
Improve Email Security with Redesigned DKIM Keys was a critical update in Winter ’19 and is enforced in Winter ’20. To address potential security vulnerabilities with DomainKeys Identified Mail (DKIM) keys, we improved the way they’re created. You no longer have to work with public and private keys. Instead, Salesforce publishes the TXT record containing your public key to DNS. We also added automatic key rotation to reduce the risk of your keys becoming compromised by a third party. Keys generated via the old method continue to work, but in Winter ’20, when you generate new keys, you must use the more secure method. And, because sharing keys can introduce security vulnerabilities, we removed the ability to import DKIM keys.
Require TLS 1.2 for HTTPS Connections (Critical Update, Enforced)
Require TLS 1.2 for HTTPS Connections was a critical update in Summer ’19 and is enforced on October 25, 2019. To maintain the highest security standards and promote the safety of your data, Salesforce is disabling the older Transport Layer Security (TLS) 1.1 encryption protocol. All inbound connections to or outbound connections from your Salesforce org must use TLS 1.2. Verify that your browser access, API integrations, and other Salesforce features are compliant with TLS 1.2.
Require TLS 1.2 for HTTPS Connections in Communities and Sites (Critical Update, Enforced)
Require TLS 1.2 for HTTPS Connections in Communities and Sites was a critical update in Summer ’19 and is enforced on October 25, 2019. To maintain the highest security standards and promote the safety of your data, Salesforce is disabling the older Transport Layer Security (TLS) 1.1 encryption protocol. All inbound connections to or outbound connections from your Salesforce communities, sites, and portals must use TLS 1.2. Verify that your browser access, API integrations, and other Salesforce features are compliant with TLS 1.2.
API Only Users Can Access Only Salesforce APIs (Critical Update, Enforced)
API Only Users Can Access Only Salesforce APIs was a critical update in Spring ’19 and is enforced in Winter ’20. This critical update ensures that if a user has the API Only User permission, they can access Salesforce only via APIs, regardless of their other permissions.
Block Certain Fields in the User Record for Orgs with Communities and Portals (Security and Critical Update, Enforced)
Salesforce is giving customers the option to enable a user setting that allows the hiding of certain personal information fields on the user records in orgs with communities or portals. The fields are hidden from view when external users are accessing user records. External users can still see their own user records.
Restrict the Use of Standard External Profiles for Self-Registration and Assignment to Users (Security and Critical Update, Enforced)
This update restricts the use of standard external profiles for self-registration and assignment to users.

Postponed Critical Updates

These critical updates were announced in a previous release and the auto-activation date is postponed.

Disable Access to Non-global Apex Controller Methods in Managed Packages (Critical Update, Postponed)
This critical update, released in Summer ’17, was scheduled for auto-activation in Winter ’20, but has been postponed to Spring ’20. The critical update corrects access controls on Apex controller methods in managed packages. When this update is enabled, only methods marked with the global access modifier are accessible by Aura components from outside the package namespace. These access controls prevent you from using unsupported API methods that the package author didn’t intend for global access.
Check for Null Record Variables or Null Values of Lookup Relationship Fields in Process and Flow Formulas (Critical Update, Postponed)
This critical update, released in Spring ’19, was scheduled for auto-activation in Summer ’19, but has been postponed to Spring ’20. The critical update was previously called “Return Null Values in Process and Flow Formulas.”
Enable Improved Caching of Org Schema (Critical Update, Postponed)
This critical update was scheduled for auto-activation in Summer ’19 but has been postponed to Spring ’20. This critical update enables improved caching of org schema details and resolves known issues with version-specific object and field handling.
Require User Access to Apex Classes Invoked by Flow (Critical Update, Postponed)
This critical update, released in Summer ’19, was scheduled for auto-activation in Winter ’20, but has been postponed to Spring ’21. The critical update was previously called “Improve Security by Requiring User Access to Apex Classes Invoked by Flow.”
Require Customize Application Permission for Direct Read Access to Custom Settings (Critical Update, Postponed)
This critical update will be enforced starting January 3, 2020, as part of the Spring ’20 release (originally planned for September 6, 2019, then postponed).

Retired Critical Updates

These critical updates were announced in a previous release but have been retired. They have been removed from the Critical Update Console and won’t be activated.

Use without sharing for @AuraEnabled Apex Controllers with Implicit Sharing (Critical Update, Retired)
This critical update, released in Spring ’18, was scheduled for auto-activation in Winter ’20, but has been retired.

New Security Updates

These security updates are new in Winter ’20.

Automatically Assign Records Created by Guest Users to a Default Owner (Security Update)
To increase the security of your Salesforce data, set up your org so that guest users are no longer automatically the owner of records they create. Instead, when a guest user creates a record, the record is assigned to a default active user in the org, who becomes the owner.
View All Users and Other Permissions Disabled in Guest User Profiles (Security Update)
Guest users typically don’t need access to view all users in a Salesforce org, so to promote data security, we disabled the View All Users permission in guest user profiles. If you have an org created before Winter ’20, we recommend that you check guest user access and deselect the View All Users permission in all your guest user profiles. To enhance security, we also removed these permissions from the guest user profile: Can Approve Feed Post, Can Verify Comments, Close Conversation, Remove People Direct Messages, Assign Topics, Edit Topics, Delete Topics, Merge Topics, Enable UI Tier Architecture, Hide the Seen By List, Enable Record Visibility API, Use Any API Client, Allow User To Access Privacy Data, Share Internal Knowledge Articles Externally, and Modify Data Classification.
Secure Guest Users’ Org-Wide Defaults and Sharing Model (Security Update)
To increase the security of your Salesforce data, we’re enforcing private org-wide defaults for guest users. We’re also restricting the sharing mechanisms that you can use to grant record access to guest users. If you have an org created before Winter ’20, we recommend that you review the external org-wide defaults, public groups, queues, and manual sharing that you use to grant access to guest users. Then replace the access previously granted by these sharing mechanisms with guest user sharing rules before the security update is enforced.