Cloud Sherpas: Your expert guide to Google's cloud


Managing External Apps with Connected Apps

Any organization that cares about how data moves in and out of its Salesforce org should care about a new feature called Connected Apps and how it can be used to understand and manage the apps end users may be installing, especially on mobile devices. In highly regulated industries and organizations with varying global privacy requirements, controlling apps used to access Salesforce data is critical, but there hasn’t been a flexible option to do so…until now.


For a few releases now, admins have been able to monitor which third-party apps are being connected to their orgs via OAuth, using the Connected Apps OAuth Usage page under Setup > Manage Apps. This page provides admins with information such as which apps users are connecting with and how many times they connected, and it also gives admins the ability to revoke any active OAuth tokens. This is great insight, but it did little to help admins control the apps connecting to their orgs. Furthermore, revoking the OAuth tokens is not a permanent fix, because a user simply needs to log back in to reconnect, so it is not a sustainable model for controlling usage.


With Winter ’14 comes a new capability on the Connected Apps OAuth Usage page: the ability to outright block an app from being used by any user in the org. Perhaps there’s a third-party mobile app that users shouldn’t be using because it hasn’t yet been vetted for internal security compliance; an admin can now simply block it.

Tip: If there are known apps that should be blocked, have an admin connect to the org with each app initially and then block each one. This process prevents additional users from connecting using that app in the future.


The most exciting thing about the update to Connected Apps is that it now allows app developers to create what are called Admin Installs. These are packages that admins can install into their org like any other AppExchange app, and they give the admin the ability to create policies around the usage of those apps. Imagine being able to grant the ability to use an app to one group of users and deny it to others, perhaps for regulatory reasons or to support a pilot of that app. You could have some apps that are totally open for everyone to use and others that are locked down to specific Profiles or Permission Sets. In the case of a mobile app, setting app-level PIN policies and timeouts becomes a reality, and it can all be controlled by the admin.

This great feature requires that the app developer adhere to the Connected Apps framework and provide an Admin Install package – so app customers should start requesting this setup from their vendors if they want to have this kind of management capability. The great news is that salesforce.com has already taken the initiative to provide Admin Installs for almost all of its official apps as of Winter ’14. These Admin Installs will automatically be installed the first time any user in the org connects with one of the official apps, such as Chatter for iOS, Mobile Dashboards or Salesforce for Outlook. Salesforce.com even included developer and data management tools like Workbench, the Force.com IDE and Data Loader. You can access these Connected Apps management tools under Setup > Manage Apps > Connected Apps.

Here are some tips for getting started configuring a few of the official salesforce.com Connected Apps:

Apps: Chatter for iOS, Chatter for Android
Audience: All Chatter Users
Recommended Policies:
* Assuming no regulatory concerns, allow all users to self-authorize
* Set session timeout to 5 minutes or less
* Set PIN length to 4 or more

Apps: Chatter Desktop
Audience: All Chatter Users
Recommended Policies:
* Assuming no regulatory concerns, allow all users to self-authorize

Apps: Salesforce for Outlook
Audience: All Outlook Users
Recommended Policies:
* Assuming no regulatory concerns, allow all users to self-authorize

Apps: Salesforce Mobile Dashboards
Audience: All Salesforce Users
Recommended Policies:
* Assuming no regulatory concerns, allow all users to self-authorize

Apps: Dataloader Bulk, Dataloader Partner, Force.com IDE, Ant Migration Tool
Audience: System Admins,
Recommended Policies:
* Only allow users with specific profiles or permission sets to authorize
* For additional security, consider enforcing Two Factor Authentication by requiring a High Assurance session

Note: By default, all apps are available for self-authorization. If the policy is changed, the next time a user tries to access the app the new policy is enforced.
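
The recommendations above can be checked mechanically against what is actually configured. The following Python sketch is an added example, not code from Cloud Sherpas or salesforce.com: it audits a constructed export of per-app settings, and the field names (self_authorize, session_timeout_min, pin_length, high_assurance) are hypothetical labels, not Salesforce API names.

```python
# Added example: audit connected-app settings against the recommended policies above.
# The setting keys are hypothetical labels for a hand-made export, not Salesforce API names.

MOBILE_CHATTER = {"Chatter for iOS", "Chatter for Android"}
ADMIN_TOOLS = {"Dataloader Bulk", "Dataloader Partner", "Force.com IDE", "Ant Migration Tool"}

# Per the note above, every app is self-authorizable until an admin changes the policy.
DEFAULTS = {"self_authorize": True, "session_timeout_min": None,
            "pin_length": None, "high_assurance": False}


def audit_app(name, settings):
    """Return the list of findings for one connected app (empty list = compliant)."""
    s = {**DEFAULTS, **settings}
    findings = []
    if name in MOBILE_CHATTER:
        timeout = s["session_timeout_min"]
        if timeout is None or timeout > 5:
            findings.append("session timeout should be 5 minutes or less")
        pin = s["pin_length"]
        if pin is None or pin < 4:
            findings.append("PIN length should be 4 or more")
    if name in ADMIN_TOOLS:
        if s["self_authorize"]:
            findings.append("restrict authorization to specific profiles or permission sets")
        if not s["high_assurance"]:
            findings.append("consider requiring a High Assurance session")
    return findings


def audit_org(apps):
    """Map app name -> findings, keeping only the apps that deviate."""
    report = {}
    for name, settings in apps.items():
        findings = audit_app(name, settings)
        if findings:
            report[name] = findings
    return report


# Constructed sample export, for illustration only.
SAMPLE_ORG = {
    "Chatter for iOS": {"session_timeout_min": 5, "pin_length": 4},
    "Chatter for Android": {"session_timeout_min": 15},
    "Dataloader Bulk": {},  # never configured, so the self-authorize default applies
    "Force.com IDE": {"self_authorize": False, "high_assurance": True},
    "Chatter Desktop": {},
}

if __name__ == "__main__":
    for app, findings in audit_org(SAMPLE_ORG).items():
        for finding in findings:
            print(f"{app}: {finding}")
```

An app that was installed but never configured is reported because the default of self-authorization still applies to it.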

The post Managing External Apps with Connected Apps appeared first on Cloud Sherpas.


Cloud Sherpas [www.cloudsherpas.com] is a leading Google Apps Reseller, systems integrator and application developer. Our Google Apps Certified Deployment Specialists have migrated tens of thousands of users from legacy, on-premise messaging systems to Google Apps and Google App Engine. We help organizations adopt cloud computing to innovate and dramatically reduce their IT expenses. SherpaTools for Google Apps [www.sherpatools.com] is a free app from Cloud Sherpas that enhances the functionality and ease-of-use of Google Apps for both administrators and end-users.