Enjoy a cleaner view of important updates and alerts in one location. Ensure that your org stays up to date on all changes that affect its performance, security, and users.

• Review Important Org Changes with Release Updates (Beta)
  Understand and act on updates that impact your Salesforce org using an improved user interface. View your updates and alerts information in a single, easy-to-use page.
• Release Updates (Beta)
  Salesforce periodically releases updates that improve the performance, logic, security, and usability of Salesforce, but which can affect your existing customizations. Find the Summer ’20 updates in the Release Updates node in Setup.
• Security Alerts
  Security Alerts help customers implement security-related updates in their org. Find the Summer ’20 alerts in the Security Alerts node in Setup.

https://help.salesforce.com/s/articleView?id=release-notes.rn_cruc_overview.htm&release=226&type=5

Private Connect (generally available) creates a secure connection with Amazon Web Services to protect your cross-cloud traffic from outside threats. Use the new Security Command Center (beta) to monitor security, privacy, and governance policies across multiple tenants. Choose a default owner for records created by a Salesforce Sites guest user. And the Crypto class supports more hashing algorithms for more secure key material.

• Secure Your Cross-Cloud Integrations with Private Connect (Generally Available)
  When you integrate your Salesforce org with applications hosted on third-party cloud services, it’s essential to be able to send and receive HTTP/s traffic securely. With Private Connect, you can increase security on your Amazon Web Services (AWS) integrations by setting up a fully managed network connection between your Salesforce org and your AWS Virtual Private Cloud (VPC). Route your cross-cloud traffic through the connection instead of over the public internet to reduce exposure to outsider security threats.
• Take Charge of Your Security with Security Command Center (Beta)
  Maintaining security, privacy, and governance policies across multiple tenants is critical and often time-intensive work. Enter Security Command Center, a tool for monitoring all of your tenants’ security settings in one app. Use Security Command Center to see who’s logging in with which authentication protocols, review permission assignment changes, and more. You can even review average and per-tenant health check scores without going to each tenants’ Health Check page.
• Use Stronger Hashing Algorithms with Apex Crypto Class
  The Crypto class now supports RSA-SHA384 and RSA-SHA512 hashing standards, giving you more options for generating cryptographically strong key material. You can pass RSA-SHA384 and RSA-SHA512 values into the algorithmName parameter for Crypto.sign, Crypto.signWithCertificate, Crypto.signXML(), and Crypto.verify() methods. Use a third-party application or the Crypto.generateAesKey method to generate this key for you.
• Assign New Records Created by Salesforce Sites Guest Users to a Default Owner
  To increase the security of your Salesforce data, Salesforce Sites guest users are no longer automatically the owner of records they create. Instead, when a Salesforce Sites guest user creates a record, the record is assigned to a default record owner that you choose.
• Permission Changes for Security Features
  Review access changes to Security features that take effect with the Summer ’20 release.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_other_changes.htm&release=226&type=5

We added features to improve how your users manage customer contact preferences. Use the contact point address field to record customer mailing address information and consent. Store consent records for new contact point channels, or create your own, with the Engagement Channel field. Use the Policy option for Consent Read API calls to require explicit consent for contact channels in an object.

Store a New Contact Point and Customer Consent Information
To help you store more information about customers, you can now specify multiple addresses for an individual or person account. Use the Contact Point Address field to specify multiple mailing addresses, and add details about a customer’s contact preferences. You can also reference these records from a contact point consent record to store a customer’s consent to being contacted this way.

Customize and Store More Customer Consent Channels
To help your org better communicate with customers, you can use the Engagement Channel field to manage consent records for more contact point channels. For example, you can use the Engagement Channel Type field to specify a customer’s consent to be contacted through SMS or fax, when previously you could only indicate the contact point type phone. Even better, you can create your own Engagement Channel type to meet customers’ unique needs.

Improve the Accuracy of Consent API Calls
Use a new value on the Policy parameter to require explicit consent for any object where explicit consent can be recorded. With the new value on the Policy parameter, the API returns an infoNotFound response when consent for a contact point isn’t specified. Consent is only returned in the API response when your customers specify that they opt in to a contact point channel.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_data_protection_privacy.htm&release=226&type=5

We enabled Online Certificate Status Protocol (OCSP) stapling to allow HTTPS to connect faster while ensuring that sensitive data remains private. For customers with a My Domain, we’re accelerating domain requests with Salesforce Edge and removing instance names from My Domain URLs through release updates.

• Streamline External Certificate Verification with OCSP Stapling
  To keep your information secure while improving performance, we implemented Online Certificate Status Protocol (OCSP) stapling. OCSP stapling allows HTTPS to connect faster and ensures that sensitive data remains private. When the application calls out to an external HTTPS encrypted website with OCSP stapling enabled, that website attaches—or “staples”—a verification of their HTTPS certificate to their response. The verification contains digitally signed and timestamped information from their Certificate Authority vendor, proving that the certificate is valid and current.
• Stabilize URLs for Visualforce, Experience Builder, Site.com Studio, and Content Files (Update, Postponed)
  We’re removing the instance names from Visualforce, Experience Builder, Site.com Studio, and content file URLs. An instance name identifies where your Salesforce org is hosted. Instanceless domains are cleaner and easier for users to remember. This update applies to orgs that have a deployed My Domain. After this update is activated, a URL that includes the instance name, such as a bookmark, automatically redirects to the new hostname. Released in Spring ’18, this update was scheduled for automatic activation on July 11, 2020 and has been postponed to Summer ’21.
• Stabilize the Hostname for My Domain URLs in Sandboxes (Update, Enforced)
  We’re removing instance names from MyDomain URLs for sandboxes. The instance name identifies where your Salesforce sandbox org is hosted. Removing the instance name makes the URL cleaner and easier for users to remember. For example, MyDomain–SandboxName.my.salesforce.com replaces MyDomain–SandboxName.cs5.my.salesforce.com. This update was first made available in Summer ’18 and is enforced in Summer ’20.
• Route My Domains Through Salesforce Edge (Update, Enforced)
  With this update, we accelerate domain requests for My Domains. You can keep the same My Domain address, but requests go through Salesforce Edge. Salesforce Edge uses machine-learning technology to improve connectivity and performance. This update was first available in Winter ’20 and is enforced in Summer ’20.
• My Domain Name Length Requirement Was Changed
  To meet iOS requirements, new My Domain names must be at least 3 characters long. If your existing My Domain name has only 2 characters, you can experience an inability to access Lightning Experience when accessing your sandbox My Domain URL using iOS. To resolve this issue, rename your My Domain.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_domains.htm&release=226&type=5

You can initiate two-factor authentication with two new Apex methods and enable it for external identity with a user permission. In addition, API-only users can register for two-factor authentication in the Salesforce UI. For easier integration with third-party identity providers, turn off case-sensitivity of Federation IDs for your Salesforce org. And stop your users from signing in to external identity providers with their Salesforce credentials, even when single sign-on is configured, by enabling delegated authentication through a Salesforce org preference.

• Initiate Two-Factor Authentication with Apex
  Initiate your two-factor authentication process with two new Apex methods in the System.UserManagement class. To verify a user’s identity with email, phone (SMS), or Salesforce Authenticator verification, pair the methods—one to initiate a verification service and one to complete the verification service. For password or time-based one-time password (TOTP) verification, you can use the second method alone to provide a complete verification service.
• Enable Two-Factor Authentication for External Users
  We added the Two-Factor Authentication for User Interface Logins user permission to the External Identity license. So now you can enable two-factor authentication for your external users, just like you do for your internal users. Simply enable this user permission on an external identity user profile or assign a permission set with this user permission to external identity users.
• API Only Users Can Register for Two-Factor Authentication in the Salesforce UI
  We now allow API only users access to the Salesforce UI to register for two-factor authentication. After a successful authentication, API only users are restricted from accessing the UI.
• Allow Highly Trusted Users to Skip Identity Verification
  Allow highly trusted users to log in to your Salesforce org from a new device without verifying their identity with a second factor, such as an SMS code. Because of security risks, we don’t recommend enabling this permission except for cases in which the user is highly trusted. For example, enable this permission if Salesforce Customer Support must log in to your org to troubleshoot an issue.
• Apply Delegated Authentication to Your Salesforce Org
  To improve your Salesforce org’s security, enable Delegated Authentication for your entire org, and manage this setting for your users at the permission level. Delegated Authentication redirects your users to an authentication provider of your choice, preventing users from logging in with their Salesforce credentials. Use this feature to prevent former employees from accessing your org with their Salesforce credentials, which are different from the credentials they use with the authentication provider. Previously, you contacted Salesforce Customer Support to enable this feature.
• Seamlessly Integrate Federation IDs with Identity Providers
  For easier integration with third-party identity providers, you can turn off case-sensitivity of Federation IDs for your entire Salesforce org. Previously, it was possible to create two unique users with similar Federation IDs because Salesforce recognized case-sensitivity; for example, ssmith and SSmith. Because some external identity providers don’t consistently recognize case-sensitivity, this created authentication issues.
• Customize Your Embedded Login Page Type
  Give your customers a better login experience. Configure Embedded Login to use the discoverable login page type or any other custom login page type already set up for your community.
• Improve SSO with Custom Community URLs
  Improve the login experience for your community users and reduce HTTP redirects by using optional community-specific URLs for single sign-on.
• Discover Login Page Attributes with New JSON Response Fields
  Use two new JSON response fields to discover login page attributes. The new LoginPageType field determines whether the type of page assigned to communities is discoverable, custom, or standard, or if Salesforce org pages are discoverable or standard. The new LoginPageTypeConfigs field defines whether the login prompt displays a preconfigured localized message for discoverable login page types. For custom login pages, it includes the custom login page URL and defines if the login page type is Designer or VisualForce. The LoginPageTypeConfigs field also displays whether the discoverable or custom login page type assigned to the community is assigned to the Embedded Login configuration.
• Access Pardot API Services with Connected Apps
  You can configure a connected app to access your Pardot API services. With this configuration, a client (represented by the connected app) accesses the Pardot services on behalf of the user. Manage the full extent of accessible services in Pardot.
• Filter Login History by Application and Login Types
  You can now filter Login History reports and list views by the type of application a user logged in from, such as a mobile device. You can also filter by the type of login, such as Outlook integration logins. These filters apply to login data captured over the past 6 months.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_auth_and_identity.htm&release=226&type=5

Review access changes to Customization features that take effect with the Summer ’20 release.

Muting Permission Sets

• Access to muting permission sets is limited to authenticated users with the View Setup and Configuration, Manage Session Permission Set Activations, or Assign Permission Sets permission.

Object Settings, Assignments, and Permissions

– Users must have the View Setup and Configuration permission to access the following settings, assignments, and permissions for standard and custom objects in a specified profile or permission set:

• Client settings
• Field permissions
• Layout assignments
• Object permissions
• Permission dependencies
• Permission set tab settings
• Permission set group components
• Record types

Permission Dependencies

• Access to permission dependencies through the API is limited to authenticated users with the View Setup and Configuration permission.

Permission Set License Assignments

• Users must have the View Setup and Configuration or the Assign Permission Sets permission to access permission set license assignments through the API.

Profile Layouts and Record Visibility

• Users must have the View Setup and Configuration permission to access profile layouts, profile layout assignments, and the visibility of record types for users assigned to a profile.

Share Objects

• Access to sharing entries on the Account, Campaign, Case, Contact, Lead, Opportunity, and Order objects is limited to users with access to the object itself. Access to sharing entries on the User object is limited to standard users and users with the Customize Application permission.

User Roles

• Access to user roles is available for users with the View Roles and Role Hierarchy permission. Editing user roles is available for users with the Manage Roles permission.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_general_permissions.htm&release=226&type=5

To better protect your Salesforce org’s data, we restricted who can view record names in lookup fields. Users must have read access to these records or the View All Lookup Record Names permission to view this data. This update also applies to system fields, such as Created By and Last Modified By. This update, released in Spring ’20, was scheduled for auto-activation (enforcement) in Winter ’21, but was postponed in August 2020 to Spring ’21.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

When: Salesforce enforces this update in the Spring ’21 release. To get the major release upgrade date for your instance, go to Trust Status, search for your instance, and click the maintenance tab.

Why: Admins have more control over what users see on records. Currently, users can view record names in lookup fields without read access to those records.

After this update is enforced, users who don’t have read access or the View All Lookup Record Names permission see the lookup field labels, but not the data in the fields.

How: Admins can enable the View All Lookup Record Name permission in custom profiles or permission sets. Only enable this permission for users who must see record names in all lookup and system fields, regardless of sharing settings.

We recommend that you test this update in a sandbox or Developer Edition org before enabling it in your production org.

To apply this update, from Setup, in the Quick Find box, enter Release Updates, then select Release Updates. For Require Permission to View Record Names in Lookup Fields, click View Details or Get Started.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_general_lookup_field_postponed.htm&release=226&type=5

You can send up to 20,000 iOS and 10,000 Android push notifications per hour per org.

Where: This change applies to mobile apps installed from the AppExchange that send push notifications. Packages can be installed in Essentials, Group, Professional, Enterprise, Performance, Unlimited, and Developer editions.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_general_push_limits.htm&release=226&type=5

A profile or a permission set can have an entity, such as Account, with a master-detail relationship. A broken permission dependency exists if the child entity has permissions that the parent should have. Salesforce updates the parent entity for a broken permission dependency on the first save action for the profile or permission set.

Where: This change applies to Lightning Experience, Salesforce Classic, and all versions of the mobile app in all editions.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_general_self_healing.htm&release=226&type=5

Now you can assign a least-privilege profile to a user, and then add more permissions via permission sets and permission set groups. The Minimum Access – Salesforce profile includes Access Activities, Chatter Internal User, Lightning Console User, and View Help Link permissions.

Where: This change applies to Lightning Experience, Salesforce Classic, and all versions of the mobile app in all editions.

How: In Setup, enter Profiles in the Quick Find box, and click Profiles to see the new profile.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_general_new_profile.htm&release=226&type=5