Prepare for Connected App Usage Restrictions - connected app is not packaged yet, adding causes duplicates

Question

Salesforce is going to rollout this security change: https://help.salesforce.com/s/articleView?id=005132365&type=1&utm_source=techcomms&utm_medium=email&utm_campaign=FY26_Core_4013001

We have a managed package that is accessed from external API through connected app. So I can see the CONNECTED_APP_NAME in Setup -> Connected Apps OAuth Usage and I see Install button for it.

We want to avoid asking our users to click Install for it and put our Connected App to the managed package components. We did it for beta to try, and after upgrading the package version to the beta version I see CONNECTED_APP_NAME in the Setup -> Manage Connected Apps. Now, in the Setup -> Connected Apps OAuth Usage I see Uninstall beside the name, BUT I get duplicate records in Setup -> Manage Connected Apps.

Is it a way to NOT see the duplication? For the clean package installation it works fine: we login to sf, allow the usage and the connected app from managed package appears already installed (as expected), the problem is only in upgrades.

UPDATE:

I have replicated the flow on three different orgs and on the one in the initial question (after reinstalling the package and upgrading it again), no more duplications: also connected app appears to be installed after upgrade of the package to the version, where connected app is inside the components.

Answer 1

So I am going through the same thing (as a customer). While there does not seem to be a way to automate the install of a Connected App, you do have the ability to insert SetupEntityAccess records to make sure during an API Access Control cutover from Self-Authorized to Admin approved users are pre-authorized, you can ensure there won't be a drop in connections (automatic revoking of Access Tokens / Refresh tokens).

Here is a rough script of what I am using to insert these records before cutover:

OauthToken[] oaList = [
    SELECT
        LastUsedDate,AppMenuItemId,AppName,User.Profile.Name,User.ProfileId
    FROM OauthToken
    WHERE User.IsActive = true
    AND LastUsedDate = THIS_YEAR
    ORDER BY AppName
];

Set<Id> profileIds = new Set<Id>();
Set<String> connAppNames = new Set<String>();

for(OauthToken oa : oaList){
    profileIds.add(oa.User.ProfileId);
    connAppNames.add(oa.AppName);
}

From there, you can set query for each result set:

//API Access Migration Anon Apex Script
ConnectedApplication[] cAppList = [
    Select Id,Name
    From ConnectedApplication
    WHERE Name IN: connAppNames
    ORDER BY Name ASC
];

PermissionSet[] permSetList = [
    Select Id,Name,Profile.Name,ProfileId
    From PermissionSet
    WHERE ProfileId IN: profileIds
];

And then these two result sets allows to insert SetupEntityAccess records

//This holds what Profiles/PermissionSets have access to which ConnectedApplications
//Instead of being selective for the cutover, we will apply all profiles to all
//Connected Applications for the cutover. Once we verify everything is still working,
//we can re-query and slim down what profiles have access to which ConnectedApplications

SetupEntityAccess[] seaListToInsert = new SetupEntityAccess[]{};

for(ConnectedApplication cApp : cAppList){
    for(PermissionSet permSet : permSetList){
        //Add a row for each ConnectedApp/PermissonSet(Profile) combo
        SetupEntityAccess sea = new SetupEntityAccess();
        sea.SetupEntityId = cApp.Id;
        sea.ParentId = permSet.Id;
        seaListToInsert.add(sea);
    }
}

//insert seaListToInsert;

Answer 2

There is no solution for this as this can create a security hole for the organization that is installing your app.Letting org admin know about this is ethical practice.

Best strategy is to work with org administrator where you want install to happen, establish trust and have them install your app.