PRO TIPS

Summer '24 and Winter '25 Release Updates

`

It's almost release time again–which means it's time to review the upcoming Release Updates under Setup to make sure you've addressed Salesforce 's recommendations. Below is a summary of what you need to know about each upcoming update.

Summer '24 Release Updates

These items are scheduled to be enforced in the Summer '24 release, which goes live for most customers on either June 7 or June 14. There are two new items, and three that have been previously available:

First the new ones:

  1. Allow Only Trusted Cross-Org Redirections: historically, Salesforce has allowed you to redirect a user to another Salesforce org via link with no additional security or warning, but redirections to non-Salesforce sites have required creating an entry in the Trusted URLs section in setup. To tighten security and avoid potential phishing attacks, Salesforce will now treat redirections to other orgs the same as standard redirections, and require you to add them to Trusted URLs.
  2. Run Flows in Bot User Context: Bot users (like Service Cloud bots) have been able to trigger Flows, which have always run in System Context, which means they can access all objects. With this release update, the Flow will now run in the permission context of the bot user that launches it, which could affect Flows that counted on having access to all data. You may need to look at any such Flows and adjust the bot user that launches them.

The three previously available items that will now be enforced in Summer '24 are:

  1. Enable EmailSimple Invocable Action to Respect Organization-Wide Profile Settings: Org-wide email addresses have always had Profile permission settings to allow users to access them, but the Flow component that sends emails has not respected those permissions. With this update (which was delayed from the Spring '24 release), the Flow component will now consider Profile permissions to access addresses. This could mean that Flows that send email in response to user actions (for example, creating a Task or Case) could fail if the user who creates the record doesn't have access to the org wide address.
  2. Enable ICU Locale Formats: This has been enforced on a rolling basis since Spring '24. Salesforce is converting its backend handling of Locale settings for things like dates, times, and currencies from the Java Development Kit (JDK) format to the ICU format set by the Unicode Consortium to comply with industry standards. This may lead to minor adjustments to data presented to users. It could also affect custom Apex code, or unmanaged packages that haven't yet been updated–but all managed Apex packages should have been updated to comply.
  3. Migrate to a Multiple-Configuration SAML Framework: this only applies to a subset of orgs that use single sign on with an external identity provider like Okta or Azure–if you don't see the release update in your org, there's nothing you need to do. This update represents an upgrade for Salesforce's framework; if the release update appears in your org, follow the steps to ensure SSO continues to function properly.

Winter '25 Release Updates

These items are scheduled to be enforced in the Winter '25 release, which goes live for most customers this fall, most likely in late September or early October.

  1. Prevent Guest User from Editing or Deleting Approval Requests: this update has been delayed from a prior release; basically, it prevents unauthenticated guest users (like those in partner sites) from editing approval requests, although they can continue accepting or rejecting them.
  2. Migrate from Maintenance Plan Frequency Fields to Maintenance Work Rules: for users of Field Service, this is a potentially big change. Maintenance Plans have been able to generate recurring schedules in two different ways; either by using Frequency fields found on the Maintenance Plan record itself, or by using newer, Maintenance Work Rules that offer more flexibility in defining recurring schedules. With Winter '25, Salesforce will deprecate the Frequency fields, and move to using Work Rules exclusively, so if you still have Maintenance Plans using the old fields, you'll need to build a transition plan.
  3. Transition to the Lightning Editor for Email Composers in Email-to-Case: the new email-to-case email editor finally goes GA with a large upgrade in functionality, adding features like drag and drop attachments, inline images, and full-screen editor mode. You can enable this now if you want to get a head start.
  4. Turn On Lightning Article Editor and Article Personalization for Knowledge: in the same vein, a large upgrade to the Lightning Knowledge editor goes live, enabling better localization (both in language and in formatting dates), the ability to create collapsible sections in long articles, and to leverage existing quick text and audience segmentation features. Just like the email editor, you can enable this now if you want to get a head start.
  5. Create and Verify a Default No-Reply Organization-Wide Email Address to Send Email: Salesforce has steadily tightened email security policies, and this update continues the trend. Going forward, every org will be required to have a default no-reply Organization-Wide Email Address (settable in settings) in order to ensure email is delivered. For most organizations, this is an address like info@xyz.org or no-reply@xyz.org. It's always been good practice to have one of these, but now it's going to be a formal requirement.
  6. Adopt Updated Content Security Policy (CSP) Directives: to improve security in Lightning pages, Salesforce will update its practices on embedding external content. This may cause some desirable content (like embedded fonts) to be blocked in sites. You may need to individually whitelist blocked components using the Trusted URL and Browser Policy Violations page in Setup.
  7. Restrict User Access to Run Flows: Salesforce is deprecating the FlowSites license, which previously allowed some users to run Flows even if they didn't have the Run Flow permission applied on their Profile or a Permission Set. Going forward, any user who needs to run a Flow will have to have that permission applied. This will simplify the permissions modeling for all orgs.
  8. Enforce Sharing Rules when Apex Launches a Flow: if you use Apex to launch Flows, and those Apex classes are defined using the sharing keyword (which means they respect sharing rules and don't have access to all data), those Flows will now run in that context, and only have access to the data
  9. Pass the Conversation Intelligence Rule Name as Input to a Flow: this is a new feature; if you use Service Cloud Voice, its conversation intelligence rules can launch Flows. Now, you can pass the name of the rule that launched the Flow as an input to the Flow, which can be useful for troubleshooting or processing inside of it.
  10. Enforce View Roles and Role Hierarchy Permission When Editing Public List View Visibility: users have long had the ability to create and edit list views on Salesforce objects (like the Accounts or Contacts tabs) if you granted the appropriate permission. As part of that process, they can also specify who can see the list view. Historically, those users have been able to see the org's full role hierarchy as a matter of course. Salesforce is now separating those permissions; meaning that if a user needs to grant access to a list view and see the role hierarchy, they'll need to have both permissions applied to either their Profile or via a Permission Set.
  11. Use REST API for Access to External Client App OAuth Consumer Credentials: Salesforce has always allowed developers to use the Metadata API to access OAuth credentials to use in their applications, but this has led to cases where those credentials get stored in source control management (e.g. Github) and exposed publicly. To combat this, Salesforce has added a credentials resource to the Connect REST API that can retrieve OAuth credentials. You should note, however, that if your application relies on Metadata API, Salesforce will remove the capability after this release unless you file a case with support before Winter '25 is released for your org.

As always, Prolocity is here to help you navigate your system administration needs–please reach out if you need further guidance!