Managed packages but installed outside of Appexchange
Clash Royale CLAN TAG#URR8PPP
Prior to having a professional team on board, my current employer signed on with a vendor who installed an application in their production environment. It is riddled with issues but mainly in a managed package. They insist that they have full admin access (which I removed, replace with API Only access and will not replace for real reasons).
I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.
Is this correct: Can managed apps come from outside the appexchange? How do I know that this is legit? Are they gaining access to our data and selling it? (it's possible)
The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.
appexchange app
add a comment |
Prior to having a professional team on board, my current employer signed on with a vendor who installed an application in their production environment. It is riddled with issues but mainly in a managed package. They insist that they have full admin access (which I removed, replace with API Only access and will not replace for real reasons).
I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.
Is this correct: Can managed apps come from outside the appexchange? How do I know that this is legit? Are they gaining access to our data and selling it? (it's possible)
The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.
appexchange app
add a comment |
Prior to having a professional team on board, my current employer signed on with a vendor who installed an application in their production environment. It is riddled with issues but mainly in a managed package. They insist that they have full admin access (which I removed, replace with API Only access and will not replace for real reasons).
I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.
Is this correct: Can managed apps come from outside the appexchange? How do I know that this is legit? Are they gaining access to our data and selling it? (it's possible)
The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.
appexchange app
Prior to having a professional team on board, my current employer signed on with a vendor who installed an application in their production environment. It is riddled with issues but mainly in a managed package. They insist that they have full admin access (which I removed, replace with API Only access and will not replace for real reasons).
I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.
Is this correct: Can managed apps come from outside the appexchange? How do I know that this is legit? Are they gaining access to our data and selling it? (it's possible)
The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.
appexchange app
appexchange app
asked Feb 6 at 23:14
SeanGormanSeanGorman
626518
626518
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.
That's an oversimplification, but is most likely truthful. There is a special package called LMA (License Management App) that needs to be installed in a vendor's org to use this feature. Older orgs, like my really old Dev Org from 2007, would have been able to install this because they just handed out the installation link to anyone who asked.
At some point, they changed this policy and only provided this LMA installation link as part of the Partner on-boarding process, so the vendor would have been vetted first for potential security problems. I'm pretty sure if I tried to use my outdated version of LMA, it wouldn't allow me to log in as a subscriber even if they granted me access.
Can managed apps come from outside the appexchange?
A managed package is separate from AppExchange. All managed apps start out this way by default. The listing is added later. All you need is an installation link and optional password. You yourself could create a Developer Edition org if you wanted to play around with this feature and see how it works.
How do I know that this is legit? Are they gaining access to our data and selling it?
If they have an admin account, they would have access to everything, there's no immediately obvious way to know. You may want to invest in Event Monitoring if you suspect they may be stealing data, or you may be able to request audit logs for a user for some time (I don't know if they still offer this service, since EM is superior to the older log requests). You can use those logs to determine what they've done, including reports, exports, etc.
The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.
Not having admin access shouldn't affect the app, but of course would hinder their ability to debug the application. That said, if you have any major concerns about the vendor, you should probably change vendors to someone you can trust, or perhaps even get a developer of your own, which isn't intrinsically expensive compared to having a outside vendor handle your code.
For example, vendors typically charge $200 or more per hour of work, charged in very small time slices. If they had to work on your project for even one work day a week, you could have paid your own developer for a whole week or two, and you'd have more control over your own project.
add a comment |
Managed applications can be installed directly and do not need to be sourced from the AppExchange, yes.
Consider the use case of a company that wanted to build an app and distribute it to a few orgs that they control, they could use a private, unlisted managed package and install it into their own orgs. The app does not need to be listed on the AppExchange for this to occur, they just use the installation URL for their package and install in the target org.
The tool that a partner typically uses to log into your org (the subscriber) after you've granted them access to do so, is the License Management App.
It sounds like your vendor hasn't been granted access by Salesforce to use this partner tool. The main eligibility requirement is that the vendor needs a signed partner agreement with Salesforce.
It would also explain why they want admin access to your org. It's the only other real access mechanism available to them to troubleshoot.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "459"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f249390%2fmanaged-packages-but-installed-outside-of-appexchange%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.
That's an oversimplification, but is most likely truthful. There is a special package called LMA (License Management App) that needs to be installed in a vendor's org to use this feature. Older orgs, like my really old Dev Org from 2007, would have been able to install this because they just handed out the installation link to anyone who asked.
At some point, they changed this policy and only provided this LMA installation link as part of the Partner on-boarding process, so the vendor would have been vetted first for potential security problems. I'm pretty sure if I tried to use my outdated version of LMA, it wouldn't allow me to log in as a subscriber even if they granted me access.
Can managed apps come from outside the appexchange?
A managed package is separate from AppExchange. All managed apps start out this way by default. The listing is added later. All you need is an installation link and optional password. You yourself could create a Developer Edition org if you wanted to play around with this feature and see how it works.
How do I know that this is legit? Are they gaining access to our data and selling it?
If they have an admin account, they would have access to everything, there's no immediately obvious way to know. You may want to invest in Event Monitoring if you suspect they may be stealing data, or you may be able to request audit logs for a user for some time (I don't know if they still offer this service, since EM is superior to the older log requests). You can use those logs to determine what they've done, including reports, exports, etc.
The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.
Not having admin access shouldn't affect the app, but of course would hinder their ability to debug the application. That said, if you have any major concerns about the vendor, you should probably change vendors to someone you can trust, or perhaps even get a developer of your own, which isn't intrinsically expensive compared to having a outside vendor handle your code.
For example, vendors typically charge $200 or more per hour of work, charged in very small time slices. If they had to work on your project for even one work day a week, you could have paid your own developer for a whole week or two, and you'd have more control over your own project.
add a comment |
I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.
That's an oversimplification, but is most likely truthful. There is a special package called LMA (License Management App) that needs to be installed in a vendor's org to use this feature. Older orgs, like my really old Dev Org from 2007, would have been able to install this because they just handed out the installation link to anyone who asked.
At some point, they changed this policy and only provided this LMA installation link as part of the Partner on-boarding process, so the vendor would have been vetted first for potential security problems. I'm pretty sure if I tried to use my outdated version of LMA, it wouldn't allow me to log in as a subscriber even if they granted me access.
Can managed apps come from outside the appexchange?
A managed package is separate from AppExchange. All managed apps start out this way by default. The listing is added later. All you need is an installation link and optional password. You yourself could create a Developer Edition org if you wanted to play around with this feature and see how it works.
How do I know that this is legit? Are they gaining access to our data and selling it?
If they have an admin account, they would have access to everything, there's no immediately obvious way to know. You may want to invest in Event Monitoring if you suspect they may be stealing data, or you may be able to request audit logs for a user for some time (I don't know if they still offer this service, since EM is superior to the older log requests). You can use those logs to determine what they've done, including reports, exports, etc.
The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.
Not having admin access shouldn't affect the app, but of course would hinder their ability to debug the application. That said, if you have any major concerns about the vendor, you should probably change vendors to someone you can trust, or perhaps even get a developer of your own, which isn't intrinsically expensive compared to having a outside vendor handle your code.
For example, vendors typically charge $200 or more per hour of work, charged in very small time slices. If they had to work on your project for even one work day a week, you could have paid your own developer for a whole week or two, and you'd have more control over your own project.
add a comment |
I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.
That's an oversimplification, but is most likely truthful. There is a special package called LMA (License Management App) that needs to be installed in a vendor's org to use this feature. Older orgs, like my really old Dev Org from 2007, would have been able to install this because they just handed out the installation link to anyone who asked.
At some point, they changed this policy and only provided this LMA installation link as part of the Partner on-boarding process, so the vendor would have been vetted first for potential security problems. I'm pretty sure if I tried to use my outdated version of LMA, it wouldn't allow me to log in as a subscriber even if they granted me access.
Can managed apps come from outside the appexchange?
A managed package is separate from AppExchange. All managed apps start out this way by default. The listing is added later. All you need is an installation link and optional password. You yourself could create a Developer Edition org if you wanted to play around with this feature and see how it works.
How do I know that this is legit? Are they gaining access to our data and selling it?
If they have an admin account, they would have access to everything, there's no immediately obvious way to know. You may want to invest in Event Monitoring if you suspect they may be stealing data, or you may be able to request audit logs for a user for some time (I don't know if they still offer this service, since EM is superior to the older log requests). You can use those logs to determine what they've done, including reports, exports, etc.
The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.
Not having admin access shouldn't affect the app, but of course would hinder their ability to debug the application. That said, if you have any major concerns about the vendor, you should probably change vendors to someone you can trust, or perhaps even get a developer of your own, which isn't intrinsically expensive compared to having a outside vendor handle your code.
For example, vendors typically charge $200 or more per hour of work, charged in very small time slices. If they had to work on your project for even one work day a week, you could have paid your own developer for a whole week or two, and you'd have more control over your own project.
I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.
That's an oversimplification, but is most likely truthful. There is a special package called LMA (License Management App) that needs to be installed in a vendor's org to use this feature. Older orgs, like my really old Dev Org from 2007, would have been able to install this because they just handed out the installation link to anyone who asked.
At some point, they changed this policy and only provided this LMA installation link as part of the Partner on-boarding process, so the vendor would have been vetted first for potential security problems. I'm pretty sure if I tried to use my outdated version of LMA, it wouldn't allow me to log in as a subscriber even if they granted me access.
Can managed apps come from outside the appexchange?
A managed package is separate from AppExchange. All managed apps start out this way by default. The listing is added later. All you need is an installation link and optional password. You yourself could create a Developer Edition org if you wanted to play around with this feature and see how it works.
How do I know that this is legit? Are they gaining access to our data and selling it?
If they have an admin account, they would have access to everything, there's no immediately obvious way to know. You may want to invest in Event Monitoring if you suspect they may be stealing data, or you may be able to request audit logs for a user for some time (I don't know if they still offer this service, since EM is superior to the older log requests). You can use those logs to determine what they've done, including reports, exports, etc.
The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.
Not having admin access shouldn't affect the app, but of course would hinder their ability to debug the application. That said, if you have any major concerns about the vendor, you should probably change vendors to someone you can trust, or perhaps even get a developer of your own, which isn't intrinsically expensive compared to having a outside vendor handle your code.
For example, vendors typically charge $200 or more per hour of work, charged in very small time slices. If they had to work on your project for even one work day a week, you could have paid your own developer for a whole week or two, and you'd have more control over your own project.
answered Feb 6 at 23:40
sfdcfoxsfdcfox
257k12201444
257k12201444
add a comment |
add a comment |
Managed applications can be installed directly and do not need to be sourced from the AppExchange, yes.
Consider the use case of a company that wanted to build an app and distribute it to a few orgs that they control, they could use a private, unlisted managed package and install it into their own orgs. The app does not need to be listed on the AppExchange for this to occur, they just use the installation URL for their package and install in the target org.
The tool that a partner typically uses to log into your org (the subscriber) after you've granted them access to do so, is the License Management App.
It sounds like your vendor hasn't been granted access by Salesforce to use this partner tool. The main eligibility requirement is that the vendor needs a signed partner agreement with Salesforce.
It would also explain why they want admin access to your org. It's the only other real access mechanism available to them to troubleshoot.
add a comment |
Managed applications can be installed directly and do not need to be sourced from the AppExchange, yes.
Consider the use case of a company that wanted to build an app and distribute it to a few orgs that they control, they could use a private, unlisted managed package and install it into their own orgs. The app does not need to be listed on the AppExchange for this to occur, they just use the installation URL for their package and install in the target org.
The tool that a partner typically uses to log into your org (the subscriber) after you've granted them access to do so, is the License Management App.
It sounds like your vendor hasn't been granted access by Salesforce to use this partner tool. The main eligibility requirement is that the vendor needs a signed partner agreement with Salesforce.
It would also explain why they want admin access to your org. It's the only other real access mechanism available to them to troubleshoot.
add a comment |
Managed applications can be installed directly and do not need to be sourced from the AppExchange, yes.
Consider the use case of a company that wanted to build an app and distribute it to a few orgs that they control, they could use a private, unlisted managed package and install it into their own orgs. The app does not need to be listed on the AppExchange for this to occur, they just use the installation URL for their package and install in the target org.
The tool that a partner typically uses to log into your org (the subscriber) after you've granted them access to do so, is the License Management App.
It sounds like your vendor hasn't been granted access by Salesforce to use this partner tool. The main eligibility requirement is that the vendor needs a signed partner agreement with Salesforce.
It would also explain why they want admin access to your org. It's the only other real access mechanism available to them to troubleshoot.
Managed applications can be installed directly and do not need to be sourced from the AppExchange, yes.
Consider the use case of a company that wanted to build an app and distribute it to a few orgs that they control, they could use a private, unlisted managed package and install it into their own orgs. The app does not need to be listed on the AppExchange for this to occur, they just use the installation URL for their package and install in the target org.
The tool that a partner typically uses to log into your org (the subscriber) after you've granted them access to do so, is the License Management App.
It sounds like your vendor hasn't been granted access by Salesforce to use this partner tool. The main eligibility requirement is that the vendor needs a signed partner agreement with Salesforce.
It would also explain why they want admin access to your org. It's the only other real access mechanism available to them to troubleshoot.
answered Feb 6 at 23:39
Mark PondMark Pond
18.4k13286
18.4k13286
add a comment |
add a comment |
Thanks for contributing an answer to Salesforce Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f249390%2fmanaged-packages-but-installed-outside-of-appexchange%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown