Five Steps for Salesforce Admins Managing Critical Updates and Security Alerts

By: Peter Bender

Salesforce has three major releases every year, during which they push out new features and fixes. You’ll likely see a lot of information about these via email, in the Trailblazer and Power of Us communities, and in the release notes. Significant changes are generally scheduled and announced ahead of time, and some features have to be enabled by admins as needed once they are available. Other changes require more attention. These updates can’t be automatically enabled because they may impact how your system works in meaningful ways, but they are required eventually because of their importance. Salesforce approaches these types of changes through Critical Updates and Security Alerts. This blog offers best practices for managing updates and alerts using five key steps.

NOTE: The release date for Summer ’20 was originally scheduled for June. Due to COVID-19, the release was delayed to a staggered roll-out culminating on July 17-18.

As a Salesforce admin, you should be receiving email notifications about Critical Updates and Security Alerts. You can also find them in your Salesforce org (just search in Setup). Regularly reviewing the impact of Critical Updates and Security Alerts is a key task for system admins. These are necessary changes, but Salesforce hasn’t automatically rolled out the update because they believe it impacts how your system functions in a way that could require action from you first. Critical Updates have a title, a description, and a date on which they will automatically activate, and Security Alerts have even more information. Your task is to evaluate the impact, make adjustments if needed, and enable the update, preferably before it is forced upon you. Follow these five steps to ensure your success.

Step 1. Identify in Advance

Identify Critical Updates well before they expire, so that you have time to deal with them among everything else on your busy schedule. Ensure you are getting Salesforce admin emails so that you see formal announcements. Also, keep an eye on any third-party product newsletter emails, since vendors will generally be proactive in telling you when there is an impact to what you have bought from them. Vendor blogs can be helpful that way as well. Release notes for the thrice-yearly major releases will include details on new and often pre-existing Critical Updates, too.

Step 2. Evaluate the Risks

Read through the description to determine the impact on your system. Some are going to be quite technical and may require research or assistance from your consulting partner. Other updates you may immediately recognize as significant for you. If you have a pretty simple instance, without a lot of automation or customization, then the risk of enabling such changes is often minimal.

If you aren’t sure of the impact to you, search for the Critical Update or Security Alert in the Trailblazer Community groups to find what your fellow Salesforce admins and consultants are saying about it. If you have an example of something and aren’t sure whether it is impacted, post a question in the online community and use a tag like “Critical Updates” so others will see it more easily.

If your online research in the Salesforce user community has not addressed your concerns, then it is time to reach out to a consultant like Exponent Partners for advice before proceeding. 

Step 3. Test for Use Cases

Ultimately you’ll need to test some of the updates, and occasionally you may need to make changes to your Salesforce org. Be sure to do this well ahead of the date on which it will be automatically (and irrevocably) enabled. The more complex your system is, the more a Critical Update can affect it and the harder it will be to both detect a problem and determine its source.

If you can identify the places where the impact will be felt, set aside time to enable it in a sandbox where you can make changes and test. If you aren’t sure whether or where the impact might be, consider enabling it in a sandbox that is in regular use for something like user training. From there you can monitor its effects from typical use, but problems won’t affect your production processes and data.

Regression testing, or the need to regularly test typical activity for unintended changes, is a great argument for having a documented set of use cases on hand. Your list can be short or quite detailed, depending on the complexity and breadth of the system. Start with a simple spreadsheet with columns for role, action, expected result, and testing status. The list will help ensure you won’t forget something, and you or anyone else can efficiently test whether a change has impacted something your users typically do. Documenting use cases is also very helpful when you or an implementation partner need to roll out new development or test the major releases.

Similar to the previous step in the process, if you find problems that you can’t resolve, look to the communities, contact your consulting support team, or open a case with Salesforce. If the impact may be with a third-party product or service, contact the third-party application developers for their advice as well.

If, during your evaluation, you determined that the risk is low for your organization, you can enable the update directly in production without testing in a sandbox environment, but this is not recommended.

Step 4. Enable Updates

Regardless of the deployment approach you’ve taken, enable the Critical Updates well before the scheduled activation date. This ensures that you have time to recognize and address related problems, and that you can disable the update if necessary while fixing them.

Enabling them one at a time can be a good idea, with days or weeks between, so that if a problem occurs you’ll know which Critical Update potentially caused it. Otherwise, if you already have a release cycle for other improvements, incorporate these into it.

Do not ignore updates: at some point on or soon after the activation date, they will be enabled for you and you won’t have the ability to disable the change.

Step 5. Stay Proactive

In reality, many Critical Updates and Security Alerts won’t have a significant impact on your system, but it is still a best practice to be proactive about them. If your organization is risk-averse or complex, you’ll need to assess more carefully. Treat Critical Updates and Security Alerts as mini-maintenance releases that require a methodical approach toward deployment. 

Are you not sure which Critical Updates will negatively impact your organization? Contact us today! We’re here to help.