It’s that time again - Spring has sprung for our northern hemisphere neighbours, and so have the latest Salesforce updates! We’ve dug through the Spring ‘26 release notes and handpicked the most exciting features for business users and admins.
Check out our latest blog, where we break down the highlights and what they mean for you! Keep reading below for the Enforced Updates.
The following items may impact some clients. For those who are impacted, please check the date by which they will need to be reviewed and rectified. Enrite recommends creating a sandbox to enable the relevant changes and performing the necessary regression tests.
What’s Changing?
Salesforce is enforcing a security update that automatically protects the labels used on form fields in Visualforce pages. From Spring ’26, Salesforce will automatically escape all label text so it is treated as plain text and cannot be used to run malicious code. This update has been available since Winter ’23 and will now be enforced for all remaining orgs.
What Does This Mean?
If you use Visualforce pages, it’s worth checking whether any field labels were manually escaped in the past. With this update now enforced, Salesforce automatically escapes labels, which can result in double-escaping. When this happens, labels may not render correctly on Visualforce pages.
To review and address this:
➡️ For technical details, see this link.
What’s Changing?
Salesforce is completing the phase-out of legacy Salesforce host name redirections. This update is automatically enabled in Winter ’26 and will be permanently enforced in Spring ’26, meaning redirections for older host names will no longer work in production and demo orgs.
What Does This Mean?
If any integrations, bookmarks, or processes are still using old Salesforce host names, they may stop working once redirections are fully removed. We have covered this change in our Winter ’26 enforced updates blog, which you can refer to for more background and context.
➡️ For technical details, see this link.
What’s Changing?
Salesforce is replacing Connected Apps with External Client Apps (ECAs) to improve security.
Starting with the Spring ’26 release, Salesforce will disable the creation of new Connected Apps by default. Existing Connected Apps will continue to work, but Salesforce recommends preparing for their eventual end of support by migrating to ECAs.
What Does This Mean?
You should use External Client Apps for all new integrations and start planning the migration of existing Connected Apps.
➡️ For technical details, see this link.
These changes are important to be aware of to keep your org secure and running smoothly.
Salesforce will stop chaining its SSL/TLS certificates to the legacy DigiCert Global Root (G1) and switch to DigiCert Global Root G2.
Deadline: Update your trust stores before February 5, 2026, to ensure continued connectivity.
Note: For MuleSoft, review this Help article to ensure your trust stores are up to date. Self-signed certificates and CA-signed certificates that you upload to your org are not in scope for this change.
Salesforce began updating how Device Activation works for Single Sign-On (SSO) logins on January 20, 2026. Device Activation is a security feature that requires users to verify their identity when logging in from an unrecognized device, browser, or location outside a trusted IP range. After this update, Salesforce will ensure that MFA (multi-factor authentication) was performed by your SSO Identity Provider (IdP). If the IdP does not signal that MFA was used, Salesforce will prompt the user to complete Device Activation.
What Does This Mean?
To align with industry standards, Salesforce is implementing a phased reduction in maximum TLS server certificate lifespans, dropping to 200 days from March 15, 2026, and eventually to 47 days by 2029. This change will require more frequent certificate renewals and rotations to ensure continuous service.
Starting June 15, 2026, Chrome will enforce a strict "Dual-use" ban, requiring a separation between server and client authentication certificates. This means the standard way most users implement mTLS will change.
Customers must ensure client certificates do not originate from the same public roots used for website trust. Salesforce has investigated this and identified a small subset of Public CAs that will still be able to issue Client Auth EKU-only certificates. Review this article for a list of CAs that Salesforce supports for Client Auth EKUs.
If you think the Spring '26 release may affect your setup or wish to get ahead, reach out to us as soon as possible. We can review your environment and take action or provide advice to address any issues. To contact us, please raise a ticket in our portal.
This also applies to the other important changes outlined above, including the DigiCert root certificate update and Device Activation for SSO logins.
Also, consider joining the Release Readiness Trailblazers group for more information, or sign up for the Salesforce Release Readiness Live Webinars to stay updated.
Beyond the Salesforce Health Check: 5 Steps to Full System MaturityWhen most organisations begin their journey toward system optimisation, they start with the Salesforce Health Check. It is the industry-standard starting point, and for good reason. But a "healthy" org isn’t just one that is secure; it’s one that is purpose-built to scale. True System Maturity is the transition from a passive database to an […]
Salesforce Spring ’26 Release Date & HighlightsThe Salesforce Spring '26 release is here, and it's a significant one! There's a focus on enhancing Flows, improving setup tools, and increasing visibility into records and errors, aimed at making Salesforce easier and more efficient to manage. Depending on your instance, you'll be upgraded on one of the following dates: If you want to […]
Down Under Dreaming Brisbane 2025: Top Takeaways on AI, Quality, and Nonprofit TechDown Under Dreaming Brisbane 2025 was packed with great sessions this year, and I walked away with dozens of slide photos and more than a few “I need to try that” moments. While every speaker brought something valuable to the table, three talks in particular felt especially relevant for the organisations we work with. They […]
