Question
I am developing a Managed Package that includes an External Client App using the JWT Bearer Token Flow for authentication. I need to ensure that the OAuth Policy of the Connected App is automatically set to “Admin approved users are pre-authorized” when the package is installed in a subscriber org.
Is there a way to configure this setting directly within the Managed Package, or can it be enabled programmatically during the post-installation process? If not, what is the best practice for ensuring this setting is applied correctly?
Answer
Yes, it is possible to ensure that the OAuth policy of the Connected App in a Managed Package is automatically set to “Admin approved users are pre-authorized” in the subscriber org.
When you configure this setting in the source org (i.e., the Dev Hub org where the package is developed), Salesforce retains these settings in the packaged Connected App. Upon installation in a subscriber org, the Connected App will inherit the OAuth settings from the source org. This means that if the OAuth policy is set to “Admin approved users are pre-authorized” in the Dev Hub org before packaging, it will remain the same in all subscriber orgs.
Why Does This Work?
Salesforce allows packaged apps that include an OAuth plugin to either:
- Deploy with their own unique OAuth settings, or
- Reference the OAuth settings of the org where the app was developed.
Since the Connected App in the package is tied to the OAuth settings from the source org, the policy you configure before packaging will automatically carry over.
Verification After Installation
To verify that the setting has been applied correctly in the subscriber org, follow these steps:
- Go to Setup in the subscriber org.
- Search for App Manager in the Quick Find box.
- Locate your Connected App and click on it.
- Scroll to the OAuth policies section.
- Ensure that the Permitted Users setting is “Admin approved users are pre-authorized”.
Can This Be Changed Programmatically After Installation?
Currently, Salesforce does not provide an API or Apex-based method to modify the OAuth policy of a Connected App during the post-installation script of a Managed Package. This means that:
- If the setting is not carried over for some reason, an administrator in the subscriber org must manually update the policy.
- The best approach is to ensure the correct setting in the Dev Hub org before packaging to avoid any manual intervention later.
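One way to check the setting before packaging, as an added example that is not part of the original answer: the script reads a ConnectedApp metadata XML document and reports anything that would stop the app from shipping as pre-authorized for the JWT Bearer flow. It assumes the app is stored in Metadata API format and that `oauthConfig.isAdminApproved` is the metadata field behind the Permitted Users setting; the function name, sample XML and placeholder values are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample metadata, not taken from a real org or package.
TEMPLATE = """<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
  <label>Sample JWT App</label>
  <oauthConfig>
    <callbackUrl>https://example.invalid/callback</callbackUrl>
    <certificate>{cert}</certificate>
    {flag}
    <scopes>Api</scopes>
  </oauthConfig>
</ConnectedApp>"""

PREAUTHORIZED = TEMPLATE.format(
    cert="CONSTRUCTED-PLACEHOLDER", flag="<isAdminApproved>true</isAdminApproved>")
SELF_AUTHORIZED = TEMPLATE.format(
    cert="CONSTRUCTED-PLACEHOLDER", flag="<isAdminApproved>false</isAdminApproved>")
FLAG_MISSING = TEMPLATE.format(cert="CONSTRUCTED-PLACEHOLDER", flag="")
NO_CERTIFICATE = TEMPLATE.format(
    cert="", flag="<isAdminApproved>true</isAdminApproved>")


def check_connected_app(xml_text):
    """Return a list of findings; an empty list means the app passes."""
    root = ET.fromstring(xml_text)
    oauth = root.find("md:oauthConfig", NS)
    if oauth is None:
        return ["no oauthConfig element: the app has no OAuth settings"]
    findings = []
    flag = oauth.findtext("md:isAdminApproved", default=None, namespaces=NS)
    if flag is None:
        findings.append("isAdminApproved is absent: policy is not pinned in metadata")
    elif flag.strip().lower() != "true":
        findings.append("isAdminApproved is %r: users would self-authorize" % flag.strip())
    # The JWT Bearer flow verifies the signed assertion against this certificate.
    cert = oauth.findtext("md:certificate", default="", namespaces=NS) or ""
    if not cert.strip():
        findings.append("certificate is empty: JWT assertions cannot be verified")
    return findings


if __name__ == "__main__":
    for name, doc in [("preauthorized", PREAUTHORIZED), ("self-authorized", SELF_AUTHORIZED),
                      ("flag missing", FLAG_MISSING), ("no certificate", NO_CERTIFICATE)]:
        print(name, "->", check_connected_app(doc) or "OK")
```

Running it in a build step and failing on a non-empty result keeps a mis-set policy from reaching subscriber orgs, where only a manual fix is available.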
Key Takeaways
- If you set the OAuth policy to “Admin approved users are pre-authorized” in the Dev Hub org, it will carry over to the subscriber org when the Managed Package is installed.
- Packaged apps with OAuth settings either retain their original settings or inherit them from the source org.
- There is no way to modify this setting programmatically during the post-installation process.
- If necessary, an administrator in the subscriber org can manually update the setting after installation.