Managed packages but installed outside of Appexchange

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












2















Prior to having a professional team on board, my current employer signed on with a vendor who installed an application in their production environment. It is riddled with issues but mainly in a managed package. They insist that they have full admin access (which I removed, replace with API Only access and will not replace for real reasons).
I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.



Is this correct: Can managed apps come from outside the appexchange? How do I know that this is legit? Are they gaining access to our data and selling it? (it's possible)



The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.










share|improve this question


























    2















    Prior to having a professional team on board, my current employer signed on with a vendor who installed an application in their production environment. It is riddled with issues but mainly in a managed package. They insist that they have full admin access (which I removed, replace with API Only access and will not replace for real reasons).
    I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.



    Is this correct: Can managed apps come from outside the appexchange? How do I know that this is legit? Are they gaining access to our data and selling it? (it's possible)



    The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.










    share|improve this question
























      2












      2








      2








      Prior to having a professional team on board, my current employer signed on with a vendor who installed an application in their production environment. It is riddled with issues but mainly in a managed package. They insist that they have full admin access (which I removed, replace with API Only access and will not replace for real reasons).
      I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.



      Is this correct: Can managed apps come from outside the appexchange? How do I know that this is legit? Are they gaining access to our data and selling it? (it's possible)



      The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.










      share|improve this question














      Prior to having a professional team on board, my current employer signed on with a vendor who installed an application in their production environment. It is riddled with issues but mainly in a managed package. They insist that they have full admin access (which I removed, replace with API Only access and will not replace for real reasons).
      I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.



      Is this correct: Can managed apps come from outside the appexchange? How do I know that this is legit? Are they gaining access to our data and selling it? (it's possible)



      The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.







      appexchange app






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Feb 6 at 23:14









      SeanGormanSeanGorman

      626518




      626518




















          2 Answers
          2






          active

          oldest

          votes


















          2















          I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.




          That's an oversimplification, but is most likely truthful. There is a special package called LMA (License Management App) that needs to be installed in a vendor's org to use this feature. Older orgs, like my really old Dev Org from 2007, would have been able to install this because they just handed out the installation link to anyone who asked.



          At some point, they changed this policy and only provided this LMA installation link as part of the Partner on-boarding process, so the vendor would have been vetted first for potential security problems. I'm pretty sure if I tried to use my outdated version of LMA, it wouldn't allow me to log in as a subscriber even if they granted me access.




          Can managed apps come from outside the appexchange?




          A managed package is separate from AppExchange. All managed apps start out this way by default. The listing is added later. All you need is an installation link and optional password. You yourself could create a Developer Edition org if you wanted to play around with this feature and see how it works.




          How do I know that this is legit? Are they gaining access to our data and selling it?




          If they have an admin account, they would have access to everything, there's no immediately obvious way to know. You may want to invest in Event Monitoring if you suspect they may be stealing data, or you may be able to request audit logs for a user for some time (I don't know if they still offer this service, since EM is superior to the older log requests). You can use those logs to determine what they've done, including reports, exports, etc.




          The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.




          Not having admin access shouldn't affect the app, but of course would hinder their ability to debug the application. That said, if you have any major concerns about the vendor, you should probably change vendors to someone you can trust, or perhaps even get a developer of your own, which isn't intrinsically expensive compared to having a outside vendor handle your code.



          For example, vendors typically charge $200 or more per hour of work, charged in very small time slices. If they had to work on your project for even one work day a week, you could have paid your own developer for a whole week or two, and you'd have more control over your own project.






          share|improve this answer






























            2














            Managed applications can be installed directly and do not need to be sourced from the AppExchange, yes.



            Consider the use case of a company that wanted to build an app and distribute it to a few orgs that they control, they could use a private, unlisted managed package and install it into their own orgs. The app does not need to be listed on the AppExchange for this to occur, they just use the installation URL for their package and install in the target org.



            The tool that a partner typically uses to log into your org (the subscriber) after you've granted them access to do so, is the License Management App.



            It sounds like your vendor hasn't been granted access by Salesforce to use this partner tool. The main eligibility requirement is that the vendor needs a signed partner agreement with Salesforce.



            It would also explain why they want admin access to your org. It's the only other real access mechanism available to them to troubleshoot.






            share|improve this answer






















              Your Answer








              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "459"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: false,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              imageUploader:
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              ,
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













              draft saved

              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f249390%2fmanaged-packages-but-installed-outside-of-appexchange%23new-answer', 'question_page');

              );

              Post as a guest















              Required, but never shown

























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              2















              I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.




              That's an oversimplification, but is most likely truthful. There is a special package called LMA (License Management App) that needs to be installed in a vendor's org to use this feature. Older orgs, like my really old Dev Org from 2007, would have been able to install this because they just handed out the installation link to anyone who asked.



              At some point, they changed this policy and only provided this LMA installation link as part of the Partner on-boarding process, so the vendor would have been vetted first for potential security problems. I'm pretty sure if I tried to use my outdated version of LMA, it wouldn't allow me to log in as a subscriber even if they granted me access.




              Can managed apps come from outside the appexchange?




              A managed package is separate from AppExchange. All managed apps start out this way by default. The listing is added later. All you need is an installation link and optional password. You yourself could create a Developer Edition org if you wanted to play around with this feature and see how it works.




              How do I know that this is legit? Are they gaining access to our data and selling it?




              If they have an admin account, they would have access to everything, there's no immediately obvious way to know. You may want to invest in Event Monitoring if you suspect they may be stealing data, or you may be able to request audit logs for a user for some time (I don't know if they still offer this service, since EM is superior to the older log requests). You can use those logs to determine what they've done, including reports, exports, etc.




              The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.




              Not having admin access shouldn't affect the app, but of course would hinder their ability to debug the application. That said, if you have any major concerns about the vendor, you should probably change vendors to someone you can trust, or perhaps even get a developer of your own, which isn't intrinsically expensive compared to having a outside vendor handle your code.



              For example, vendors typically charge $200 or more per hour of work, charged in very small time slices. If they had to work on your project for even one work day a week, you could have paid your own developer for a whole week or two, and you'd have more control over your own project.






              share|improve this answer



























                2















                I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.




                That's an oversimplification, but is most likely truthful. There is a special package called LMA (License Management App) that needs to be installed in a vendor's org to use this feature. Older orgs, like my really old Dev Org from 2007, would have been able to install this because they just handed out the installation link to anyone who asked.



                At some point, they changed this policy and only provided this LMA installation link as part of the Partner on-boarding process, so the vendor would have been vetted first for potential security problems. I'm pretty sure if I tried to use my outdated version of LMA, it wouldn't allow me to log in as a subscriber even if they granted me access.




                Can managed apps come from outside the appexchange?




                A managed package is separate from AppExchange. All managed apps start out this way by default. The listing is added later. All you need is an installation link and optional password. You yourself could create a Developer Edition org if you wanted to play around with this feature and see how it works.




                How do I know that this is legit? Are they gaining access to our data and selling it?




                If they have an admin account, they would have access to everything, there's no immediately obvious way to know. You may want to invest in Event Monitoring if you suspect they may be stealing data, or you may be able to request audit logs for a user for some time (I don't know if they still offer this service, since EM is superior to the older log requests). You can use those logs to determine what they've done, including reports, exports, etc.




                The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.




                Not having admin access shouldn't affect the app, but of course would hinder their ability to debug the application. That said, if you have any major concerns about the vendor, you should probably change vendors to someone you can trust, or perhaps even get a developer of your own, which isn't intrinsically expensive compared to having a outside vendor handle your code.



                For example, vendors typically charge $200 or more per hour of work, charged in very small time slices. If they had to work on your project for even one work day a week, you could have paid your own developer for a whole week or two, and you'd have more control over your own project.






                share|improve this answer

























                  2












                  2








                  2








                  I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.




                  That's an oversimplification, but is most likely truthful. There is a special package called LMA (License Management App) that needs to be installed in a vendor's org to use this feature. Older orgs, like my really old Dev Org from 2007, would have been able to install this because they just handed out the installation link to anyone who asked.



                  At some point, they changed this policy and only provided this LMA installation link as part of the Partner on-boarding process, so the vendor would have been vetted first for potential security problems. I'm pretty sure if I tried to use my outdated version of LMA, it wouldn't allow me to log in as a subscriber even if they granted me access.




                  Can managed apps come from outside the appexchange?




                  A managed package is separate from AppExchange. All managed apps start out this way by default. The listing is added later. All you need is an installation link and optional password. You yourself could create a Developer Edition org if you wanted to play around with this feature and see how it works.




                  How do I know that this is legit? Are they gaining access to our data and selling it?




                  If they have an admin account, they would have access to everything, there's no immediately obvious way to know. You may want to invest in Event Monitoring if you suspect they may be stealing data, or you may be able to request audit logs for a user for some time (I don't know if they still offer this service, since EM is superior to the older log requests). You can use those logs to determine what they've done, including reports, exports, etc.




                  The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.




                  Not having admin access shouldn't affect the app, but of course would hinder their ability to debug the application. That said, if you have any major concerns about the vendor, you should probably change vendors to someone you can trust, or perhaps even get a developer of your own, which isn't intrinsically expensive compared to having a outside vendor handle your code.



                  For example, vendors typically charge $200 or more per hour of work, charged in very small time slices. If they had to work on your project for even one work day a week, you could have paid your own developer for a whole week or two, and you'd have more control over your own project.






                  share|improve this answer














                  I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.




                  That's an oversimplification, but is most likely truthful. There is a special package called LMA (License Management App) that needs to be installed in a vendor's org to use this feature. Older orgs, like my really old Dev Org from 2007, would have been able to install this because they just handed out the installation link to anyone who asked.



                  At some point, they changed this policy and only provided this LMA installation link as part of the Partner on-boarding process, so the vendor would have been vetted first for potential security problems. I'm pretty sure if I tried to use my outdated version of LMA, it wouldn't allow me to log in as a subscriber even if they granted me access.




                  Can managed apps come from outside the appexchange?




                  A managed package is separate from AppExchange. All managed apps start out this way by default. The listing is added later. All you need is an installation link and optional password. You yourself could create a Developer Edition org if you wanted to play around with this feature and see how it works.




                  How do I know that this is legit? Are they gaining access to our data and selling it?




                  If they have an admin account, they would have access to everything, there's no immediately obvious way to know. You may want to invest in Event Monitoring if you suspect they may be stealing data, or you may be able to request audit logs for a user for some time (I don't know if they still offer this service, since EM is superior to the older log requests). You can use those logs to determine what they've done, including reports, exports, etc.




                  The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.




                  Not having admin access shouldn't affect the app, but of course would hinder their ability to debug the application. That said, if you have any major concerns about the vendor, you should probably change vendors to someone you can trust, or perhaps even get a developer of your own, which isn't intrinsically expensive compared to having a outside vendor handle your code.



                  For example, vendors typically charge $200 or more per hour of work, charged in very small time slices. If they had to work on your project for even one work day a week, you could have paid your own developer for a whole week or two, and you'd have more control over your own project.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Feb 6 at 23:40









                  sfdcfoxsfdcfox

                  257k12201444




                  257k12201444























                      2














                      Managed applications can be installed directly and do not need to be sourced from the AppExchange, yes.



                      Consider the use case of a company that wanted to build an app and distribute it to a few orgs that they control, they could use a private, unlisted managed package and install it into their own orgs. The app does not need to be listed on the AppExchange for this to occur, they just use the installation URL for their package and install in the target org.



                      The tool that a partner typically uses to log into your org (the subscriber) after you've granted them access to do so, is the License Management App.



                      It sounds like your vendor hasn't been granted access by Salesforce to use this partner tool. The main eligibility requirement is that the vendor needs a signed partner agreement with Salesforce.



                      It would also explain why they want admin access to your org. It's the only other real access mechanism available to them to troubleshoot.






                      share|improve this answer



























                        2














                        Managed applications can be installed directly and do not need to be sourced from the AppExchange, yes.



                        Consider the use case of a company that wanted to build an app and distribute it to a few orgs that they control, they could use a private, unlisted managed package and install it into their own orgs. The app does not need to be listed on the AppExchange for this to occur, they just use the installation URL for their package and install in the target org.



                        The tool that a partner typically uses to log into your org (the subscriber) after you've granted them access to do so, is the License Management App.



                        It sounds like your vendor hasn't been granted access by Salesforce to use this partner tool. The main eligibility requirement is that the vendor needs a signed partner agreement with Salesforce.



                        It would also explain why they want admin access to your org. It's the only other real access mechanism available to them to troubleshoot.






                        share|improve this answer

























                          2












                          2








                          2







                          Managed applications can be installed directly and do not need to be sourced from the AppExchange, yes.



                          Consider the use case of a company that wanted to build an app and distribute it to a few orgs that they control, they could use a private, unlisted managed package and install it into their own orgs. The app does not need to be listed on the AppExchange for this to occur, they just use the installation URL for their package and install in the target org.



                          The tool that a partner typically uses to log into your org (the subscriber) after you've granted them access to do so, is the License Management App.



                          It sounds like your vendor hasn't been granted access by Salesforce to use this partner tool. The main eligibility requirement is that the vendor needs a signed partner agreement with Salesforce.



                          It would also explain why they want admin access to your org. It's the only other real access mechanism available to them to troubleshoot.






                          share|improve this answer













                          Managed applications can be installed directly and do not need to be sourced from the AppExchange, yes.



                          Consider the use case of a company that wanted to build an app and distribute it to a few orgs that they control, they could use a private, unlisted managed package and install it into their own orgs. The app does not need to be listed on the AppExchange for this to occur, they just use the installation URL for their package and install in the target org.



                          The tool that a partner typically uses to log into your org (the subscriber) after you've granted them access to do so, is the License Management App.



                          It sounds like your vendor hasn't been granted access by Salesforce to use this partner tool. The main eligibility requirement is that the vendor needs a signed partner agreement with Salesforce.



                          It would also explain why they want admin access to your org. It's the only other real access mechanism available to them to troubleshoot.







                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered Feb 6 at 23:39









                          Mark PondMark Pond

                          18.4k13286




                          18.4k13286



























                              draft saved

                              draft discarded
















































                              Thanks for contributing an answer to Salesforce Stack Exchange!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid


                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.

                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f249390%2fmanaged-packages-but-installed-outside-of-appexchange%23new-answer', 'question_page');

                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown






                              Popular posts from this blog

                              How to check contact read email or not when send email to Individual?

                              Displaying single band from multi-band raster using QGIS

                              How many registers does an x86_64 CPU actually have?