Automating Admin Approved Users Policy for Managed Package Apps

Posted on February 20, 2025, in Salesforce Technical Questions

Question:

I am building a Managed Package that includes an External Client App using the JWT Bearer Token Flow for authentication. One critical requirement is to ensure that the OAuth Policy of the Connected App is set to “Admin approved users are pre-authorized” automatically when the package is installed in a subscriber org.

The key question is whether this setting can be predefined in the Managed Package or enabled programmatically during the post-installation process. This is important to streamline the setup process for administrators in subscriber orgs and ensure consistent authentication policies.

Answer:

To automate the “Admin Approved Users” policy for Managed Package Apps, you can leverage Salesforce’s Metadata API to manage the connected app settings programmatically. This eliminates the need for manual configuration and ensures a consistent authentication policy for all users of the Managed Package.

Here’s how you can automate the process:

Metadata API to Set Admin Approved Users Policy

You can use the following metadata XML to define the OAuth settings for a Connected App. This XML can be used in a deployment script to automatically update the policy.

1. Define the Metadata for the Connected App:

Create a ConnectedApp metadata file (connectedApp-meta.xml):

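<?xml version="1.0" encoding="UTF-8"?>
<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
    <!-- contactEmail and label are required; the values here are placeholders -->
    <contactEmail>admin@yourapp.com</contactEmail>
    <label>Your App</label>
    <oauthConfig>
        <callbackUrl>https://yourapp.com/callback</callbackUrl>
        <consumerKey>yourConsumerKey</consumerKey>
        <consumerSecret>yourConsumerSecret</consumerSecret>
        <!-- true = "Admin approved users are pre-authorized" -->
        <isAdminApproved>true</isAdminApproved>
        <!-- One scopes element per OAuth scope -->
        <scopes>Full</scopes>
        <scopes>Api</scopes>
    </oauthConfig>
</ConnectedApp>

Explanation: The XML defines a Connected App configuration for Salesforce, specifying OAuth settings such as callbackUrl, consumerKey, and consumerSecret. In the Metadata API, the admin-approved policy is the boolean isAdminApproved inside oauthConfig; setting it to true requires admin approval for user access to the app. Each OAuth scope is listed as its own scopes element. Full already encompasses the other scopes, so in practice request only the scopes the integration needs, and keep real consumer secrets out of source control.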

2. Deploy the Metadata to Salesforce

You can use Salesforce CLI (sfdx) to deploy the metadata.

sfdx force:source:deploy -p path/to/your/connectedApp-meta.xml -u yourOrgAlias

Explanation: The command deploys metadata files from your local project to a Salesforce org. The -p option gives the path to the connectedApp-meta.xml file and -u names the target org, so the Connected App settings in that org are updated to match the file.

Once deployed, the Connected App's OAuth policy is set to admin-approved, ensuring only users authorized by the admin can use the app.
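A pre-deployment check for the metadata file described above, as an added example that is not part of the original post or of Salesforce tooling: it parses a ConnectedApp document and reports when admin pre-authorization is off, when the Full scope is requested, or when a consumer secret is stored in the file. It assumes the Metadata API field names isAdminApproved and scopes inside oauthConfig; the function name audit_connected_app and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

def audit_connected_app(xml_text):
    """Return a list of findings for a ConnectedApp metadata document."""
    oauth = ET.fromstring(xml_text).find("md:oauthConfig", NS)
    if oauth is None:
        return ["no oauthConfig element: OAuth is not configured"]
    findings = []
    # Assumption: admin pre-authorization is the boolean <isAdminApproved>.
    approved = (oauth.findtext("md:isAdminApproved", "", NS) or "").strip().lower()
    if approved != "true":
        findings.append("isAdminApproved is not true: users can self-authorize")
    # Assumption: each scope is its own <scopes> element (e.g. Api, Full).
    scopes = {(s.text or "").strip().lower() for s in oauth.findall("md:scopes", NS)}
    if "full" in scopes:
        findings.append("Full scope requested: narrow to the scopes actually needed")
    if (oauth.findtext("md:consumerSecret", "", NS) or "").strip():
        findings.append("consumerSecret is stored in the metadata file")
    return findings

# Constructed sample documents (placeholder values, not from a real org).
HARDENED = """<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
  <oauthConfig>
    <callbackUrl>https://yourapp.com/callback</callbackUrl>
    <isAdminApproved>true</isAdminApproved>
    <scopes>Api</scopes>
  </oauthConfig>
</ConnectedApp>"""

WEAK = """<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
  <oauthConfig>
    <callbackUrl>https://yourapp.com/callback</callbackUrl>
    <consumerSecret>yourConsumerSecret</consumerSecret>
    <isAdminApproved>false</isAdminApproved>
    <scopes>Full</scopes>
    <scopes>Api</scopes>
  </oauthConfig>
</ConnectedApp>"""

if __name__ == "__main__":
    for name, doc in (("hardened", HARDENED), ("weak", WEAK)):
        problems = audit_connected_app(doc)
        print(name, "OK" if not problems else problems)
```

Run it in CI before the deploy step and fail the job when the returned list is not empty.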

Automating via Apex (Optional)

If you prefer to automate it directly within Salesforce, you could write an Apex class to handle the Connected App configuration, but Salesforce restricts certain metadata modifications through Apex for security reasons. Therefore, using the Metadata API or Salesforce CLI is recommended for this kind of task.

By automating the Admin Approved Users policy, you can streamline the app setup process, ensuring that only users approved by the admin can access the app, which improves security and consistency.

Summing up

To ensure a seamless deployment of External Client Apps using the JWT Bearer Token Flow in Managed Packages, Salesforce allows developers to predefine the OAuth Policy during package creation. By setting the policy to “Admin approved users are pre-authorized” in the source org (DevHub org), this configuration is automatically applied in subscriber orgs upon installation. This simplifies the setup process for administrators, maintaining consistent security and authentication standards across orgs without requiring additional manual configuration. Salesforce’s packaging mechanism ensures that OAuth settings are preserved and deployed as part of the package metadata.

This approach highlights Salesforce’s commitment to streamlining the development and deployment of Managed Packages, empowering developers to embed best practices directly into their applications. By leveraging this capability, organizations can enhance their authentication workflows, reduce post-installation setup time, and ensure secure user access with minimal effort, meeting the requirements of scalable and efficient app deployment in a multi-org environment.
