
API Enabled Permission Requirements for Salesforce Connected Apps (Mobile and Outlook)

Publish Date: May 29, 2026

Description

What Is This Change?

Starting September 10, 2014, Salesforce requires users to have the API Enabled profile permission in order to access the following Salesforce connected apps:

  • Salesforce downloadable mobile apps (iOS and Android)
  • Mobile Publisher apps for Salesforce Apps (iOS and Android)
  • Mobile Publisher apps for Experience Sites (iOS and Android)
  • Salesforce for Outlook (Retiring December 2027)
  • Connect for Outlook
  • Connect for Office (retired)

Why This Matters

This change ensures that a user's access to Salesforce data via connected apps is consistent with the permissions explicitly granted in their profile. Without the API Enabled permission, users on Enterprise, Unlimited, and Performance editions are blocked from logging in to or using these apps.
This change may also affect a subset of connected apps created by partners. A list of impacted partner apps is attached to this knowledge article. Contact the app provider for details on how this change affects app behavior.

Resolution

Why Was This Change Made?

In October 2013, Salesforce introduced an API allowlisting program to allow certain apps to integrate with Salesforce editions (Professional, Group, and Contact Manager) that do not natively support API access. Approved apps receive an allowlisted client ID that permits API connections.
During a routine architecture review, Salesforce found that API calls from these allowlisted apps were not respecting the API Enabled profile permission on editions that do support API access (Enterprise, Unlimited, and Performance). This resulted in users having broader API access than their profile permitted. There is no evidence that customers were negatively impacted by this behavior.
To address this, Salesforce now requires all allowlisted apps to respect the API Enabled profile permission on Enterprise, Unlimited, and Performance editions.
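
An audit query for the requirement above, added here as an example and not part of the Salesforce article: the first query lists active users who receive API Enabled from neither their profile nor any assigned permission set, and the second lists the profiles and permission sets that grant it. It assumes the standard User, PermissionSetAssignment and PermissionSet objects and is SOQL (fenced as sql); run each query separately.

```sql
SELECT Id, Username, Profile.Name
FROM User
WHERE IsActive = true
  AND Id NOT IN (
    SELECT AssigneeId
    FROM PermissionSetAssignment
    WHERE PermissionSet.PermissionsApiEnabled = true
  )
ORDER BY Profile.Name

SELECT Id, Label, IsOwnedByProfile, Profile.Name
FROM PermissionSet
WHERE PermissionsApiEnabled = true
```

Profile-granted permissions appear in PermissionSetAssignment through each profile's owned permission set, so the first query covers both sources.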

Which Apps Are Affected?

The following Salesforce apps are impacted:

  • Salesforce for iOS and Android downloadable mobile apps
  • Salesforce Mobile Publisher apps (iOS and Android)
  • Salesforce Mobile Publisher apps for Experience Sites (iOS and Android)
  • Salesforce for Outlook (Retiring December 2027)
  • Connect for Outlook
  • Connect for Office (retired)
  • Chatter Desktop (retired)
  • Chatter Messenger (retired)

Apps that were not reviewed and allowlisted through the program are not affected.

Error Messages Users May See

Salesforce Mobile App (iOS and Android) — Enterprise, Unlimited, Performance editions:
When a user without API access tries to log in, the login attempt fails. The user may see one of the following error messages:

  • "You don't have access to the Salesforce mobile app. Ask your administrator to enable API access for you."
  • "We couldn't establish a secure connection due to a network error. Check your network connectivity and try again. It is also possible that your org admin has not yet granted you the required permissions, please reach out to them."

If API access is disabled while a user is already logged in, the user sees action-specific errors when navigating the app.
Professional, Group, and Contact Manager editions: These editions continue to work as before and are not affected.
Chatter External users (with API Enabled turned on): Users may see "No Recently Viewed Items" when accessing groups. Use the app menu to access groups as a workaround. When composing a new post, use the @mention feature within the text editor instead of the Person+ icon.

Salesforce for Outlook — Error Behavior

Users on Enterprise, Unlimited, and Performance editions using Salesforce for Outlook v2.3.0 or later must have the API Enabled permission to log in. Without it, the following error appears: "API_Currently_Disabled: API is disabled for this user."
If API access is removed after a user is already logged in, records set to sync with Outlook stop syncing and the user cannot access settings from the system tray until the permission is restored.

Connect for Outlook — Error Behavior

Users without the API Enabled permission see: "Failed to login to Salesforce.com. An error occurred while attempting to contact Salesforce.com." Synced records stop syncing until the permission is re-enabled.

Connect for Office — Error Behavior

Users without the API Enabled permission see: "An internal server error has occurred while processing your request." Synced records stop syncing until the permission is re-enabled.

Group Edition and Professional Edition Customers

This update does not change the existing allowlisted connected app behavior for Group Edition or Professional Edition with the API Enabled and Customizable Profiles permissions turned off (the default for these editions). If you have both permissions turned on, follow the recommended actions above.

Knowledge Article Number

000386343