Blog Detail

Why companies should respond to Salesforce Critical Updates

leaf leaf

Vamsi Thiyyagura,

May 15, 2019

Why companies should respond to Salesforce Critical Updates

cloud bg


Periodic updates pertaining to organization-wide limitations, governor limits, etc. are released by Salesforce to improve the usability, stability and system performance. Because these updates may affect the existing customizations, Salesforce lists them in “Critical Updates” and sends out an alert to the admins to review the updates when they go to set up. Each update can be manually activated or deactivated several times to evaluate its impact on the organization and modify the affected customizations accordingly. If the manual activation or deactivation is not done in a particular time frame, Salesforce auto activates the update permanently. Let me explain this with a few examples –

Example 1: Text Encrypted Formulae Field

Suppose an admin has had a business use case wherein he needs to use a text encrypted formula field. But even though he used an encrypted field, data is visible, which is a security breach in Salesforce. To rectify this issue Salesforce would release critical updates, the same way as we get OS updates on our iPhone or Android devices. Some people might have already used this feature (text encrypted formula field), thinking it to be expected behavior. Now, if Salesforce imposes the updates all of a sudden, it impacts the business of the customer due to the existing customization done by them. Therefore, to avoid such impacts, Salesforce releases critical updates periodically and sends out an alert notification (to confirm) to all the admins asking them if they would manually update or let the system auto-update the fixes.

Example 2: Clickjacking in Visualforce

Clickjacking is a type of attack that tricks users to click something, such as a button or a link because they perceive they are clicking something safe. Instead, the button or link performs malicious actions on your site, leading to data intrusion, unauthorized emails, changed credentials, etc. We can hack using JavaScript. By using session Id, we can update data in Salesforce. Some users might have used JavaScript and session Id intentionally. Now, as the update would impact these kinds of users who have intentionally used session Id, Salesforce sends out an alert/notification so that the user gets to look for possible workarounds. Salesforce usually releases these updates with every release, where the Salesforce admin will manually update, even its ignored it will be auto-updated by Salesforce. In some cases, if Salesforce feels that it needs to be implemented immediately, Salesforce auto updates the features by communicating the same to the org administrators.

Example 3: Lightning Locker Service

One more example is the introduction of locker service critical update. Lightning locker service is a security feature in Lightning which protects us from security vulnerabilities and other loopholes which come along with the use of components from different sources and third-party libraries. When Salesforce introduced Lightning, there was no locker service feature. After a few releases, Salesforce released locker service which isolates components that belong to one namespace from the components with a different namespace. But even though Salesforce issued locker service feature now, few users might have already started using Lightning components without locker service. If Salesforce released this critical update immediately, all the communities and components they developed would have been impacted. So, Salesforce released critical updates with a particular time frame and sends out an alert asking developers to implement locker services in their code or else they would be auto-updated.

Example 4: Extension of critical updates time frame

Let’s assume an admin of the company received Locker Service critical update. A company implemented a lot of Lightning components in their org and the time frame given by Salesforce was not sufficient to update all the components. The admin decides to reach out to Salesforce by raising a critical ticket asking Salesforce not to impose the updates in their org as they are still working on updating the code. If several other admins also raise similar tickets to Salesforce, they would extend the time frame of the auto-activation window.

How to manage Critical Updates?

To manage critical updates

manage critical updates
Critical Updates Dashboard

This page shows the list of various updates issued for your organization. A summary on why the update is issued for, an activation link to test the update in sandbox or production before Salesforce auto activates it on the scheduled auto-activation date. A review link to view the impact it would have on the customizations with or without the update being executed.

Critical Updates Dashboard - 1

Why does a company need to respond to Critical Updates?

The Critical Updates fine-tune the drawbacks/loopholes in the system. These updates are scheduled to be automatically activated after a period of time. Even though these updates don’t impact every org, but sometimes may have a negative impact on the existing functionalities. Therefore, Salesforce recommends every admin to respond to the critical updates by analyzing the impact of a Critical Update, take proper steps or workarounds and activate the update manually.

New Critical Updates

Critical Updates of Summer'19

Enforced Critical Updates

These critical updates were announced in a previous release and are now enforced.

Enable External Org-Wide Defaults in Orgs with Communities or Portals (Critical Update, Enforced)

Enabling external org-wide defaults in orgs with communities or portals was a critical update in Spring ’19 and is enforced for the Summer ’19 release. This update enables the External Sharing Model and helps you secure your data. You can set more restrictive levels of access for external users instead of giving internal and external users the same default access.

Postponed Critical Updates

These critical updates were announced in a previous release and the auto-activation date was postponed.

Use without sharing for @Aura Enabled Apex Controllers with Implicit Sharing (Critical Update, Postponed)

This critical update, released in Spring ’18, was scheduled for auto-activation in Summer ’19 but has been postponed to Winter ’20.


About Solunus:

Solunus is a dedicated Salesforce partner organization, headquartered in Dallas, Texas. Our unrelenting focus on comprehending the unique needs of our clients coupled with our unrivaled expertise of the Salesforce platform enable us to deliver the perfect solutions that create the best value. Our unflinching commitment to quality and affordability has earned us a 100% Customer Satisfaction (CSAT) score from all our customers.