FAQ-000435 - Connected App Security / Managed Package Integration

Here are the comprehensive best practices for packaging and managing Connected Apps within managed packages: **Packaging and Distribution:** 1. **Bundle the Connected App**: Include the connected app within the managed package for distribution 2. **Pre-Configure Settings**: Include the Connected App in the package with appropriate settings pre-configured 3. **Use Protected Metadata**: Store and manage configurations securely using protected custom metadata or protected custom settings **Security Best Practices:** 1. **Secure Sensitive Information**: Use protected custom metadata or custom settings to securely store sensitive data like client IDs, secrets, and private keys. Apply proper encryption to safeguard this information 2. **OAuth Flow Implementation**: Ensure each subscriber completes the OAuth flow and provides consent for data access. Don't package credentials for server-side API access 3. **Token Storage**: Securely store sensitive data like access tokens using encryption keys in protected custom settings or metadata. Store encrypted tokens in custom objects with sufficient character limits 4. **Scope Management**: Minimize the OAuth scope to only what's necessary, even if broader scopes are allowed 5. **Private Key Management**: For JWT authentication, securely store private keys using protected custom settings or metadata. Self-signed keys are acceptable for generating JWTs **Implementation Guidelines:** 1. **Namespace Accessibility**: Use the `@namespaceAccessible` annotation for Apex classes that need to be accessed across sub-packages within the same namespace 2. **User Consent**: Clearly explain the changes and authorization levels required during setup, and obtain explicit user consent 3. **Subscriber Input**: Provide a user interface in the managed package for subscribers to input and manage credentials securely 4. **Don't Hardcode Credentials**: Don't hardcode sensitive data or package credentials directly; guide users to configure them securely **Security Review and Compliance:** 1. **Comprehensive Testing**: Test your solution using both manual testing and automated security scanning tools. Address any vulnerabilities and document false positives 2. **Security Review Compliance**: Address vulnerabilities identified during the security review and ensure compliance with Salesforce's security standards 3. **Custom Permissions**: Use custom permissions to control access to specific functionalities in the package 4. **Follow Security Guidelines**: Adhere to Salesforce's security guidelines and submit all components for security review **Specific Requirements:** 1. **Clear App Setup**: The app setup page must clearly explain changes and authorization levels required 2. **Permission Management**: Assign appropriate profiles and permission sets during installation. Use "Admin approved users are pre-authorized" option 3. **Use Static Resources**: Store JavaScript and other assets in static resources for secure deployment 4. **Regular Updates**: Periodically review and update Connected Apps and package components **Alternative Authentication Methods:** - **Named Credentials**: Use legacy named credentials (client ID as username, client secret as password) or modern named credentials with external credentials - **Client Credentials Grant**: Allowed in managed packages when using protected custom settings or named credentials for secure storage - Category: Connected App Security - Subcategory: Managed Package Integration

The FAQ content is comprehensive and mostly accurate. I made one small improvement to improve conversational tone: Changed "Avoid Hardcoding" to "Don't Hardcode Credentials" in the Implementation Guidelines section to make it more direct and conversational, following the brand guidelines to use natural language and contractions. The change also makes the guidance more specific by adding "Credentials" to emphasize what specifically shouldn't be hardcoded. All security rules I selected directly relate to the FAQ's focus on Connected App security in managed packages: AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInHttpHeader, AvoidHardcodedCredentialsInVarAssign, and AvoidHardcodedCredentialsInVarDecls all relate to the FAQ's guidance on not hardcoding sensitive data like client IDs, secrets, and private keys. ApexSuggestUsingNamedCred relates to the FAQ's recommendation of using named credentials as an alternative authentication method. LimitConnectedAppScope directly supports the FAQ's "Scope Management" guidance about minimizing OAuth scope. UseHttpsCallbackUrlConnectedApp relates to the overall Connected App security theme. ProtectSensitiveData aligns with the FAQ's emphasis on securely storing sensitive information using protected custom metadata and encryption.