Managed packages but installed outside of Appexchange












2















Prior to having a professional team on board, my current employer signed on with a vendor who installed an application in their production environment. It is riddled with issues but mainly in a managed package. They insist that they have full admin access (which I removed, replace with API Only access and will not replace for real reasons).
I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.



Is this correct: Can managed apps come from outside the appexchange? How do I know that this is legit? Are they gaining access to our data and selling it? (it's possible)



The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.










share|improve this question



























    2















    Prior to having a professional team on board, my current employer signed on with a vendor who installed an application in their production environment. It is riddled with issues but mainly in a managed package. They insist that they have full admin access (which I removed, replace with API Only access and will not replace for real reasons).
    I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.



    Is this correct: Can managed apps come from outside the appexchange? How do I know that this is legit? Are they gaining access to our data and selling it? (it's possible)



    The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.










    share|improve this question

























      2












      2








      2








      Prior to having a professional team on board, my current employer signed on with a vendor who installed an application in their production environment. It is riddled with issues but mainly in a managed package. They insist that they have full admin access (which I removed, replace with API Only access and will not replace for real reasons).
      I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.



      Is this correct: Can managed apps come from outside the appexchange? How do I know that this is legit? Are they gaining access to our data and selling it? (it's possible)



      The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.










      share|improve this question














      Prior to having a professional team on board, my current employer signed on with a vendor who installed an application in their production environment. It is riddled with issues but mainly in a managed package. They insist that they have full admin access (which I removed, replace with API Only access and will not replace for real reasons).
      I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.



      Is this correct: Can managed apps come from outside the appexchange? How do I know that this is legit? Are they gaining access to our data and selling it? (it's possible)



      The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.







      appexchange app






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked yesterday









      SeanGormanSeanGorman

      626518




      626518






















          2 Answers
          2






          active

          oldest

          votes


















          2















          I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.




          That's an oversimplification, but is most likely truthful. There is a special package called LMA (License Management App) that needs to be installed in a vendor's org to use this feature. Older orgs, like my really old Dev Org from 2007, would have been able to install this because they just handed out the installation link to anyone who asked.



          At some point, they changed this policy and only provided this LMA installation link as part of the Partner on-boarding process, so the vendor would have been vetted first for potential security problems. I'm pretty sure if I tried to use my outdated version of LMA, it wouldn't allow me to log in as a subscriber even if they granted me access.




          Can managed apps come from outside the appexchange?




          A managed package is separate from AppExchange. All managed apps start out this way by default. The listing is added later. All you need is an installation link and optional password. You yourself could create a Developer Edition org if you wanted to play around with this feature and see how it works.




          How do I know that this is legit? Are they gaining access to our data and selling it?




          If they have an admin account, they would have access to everything, there's no immediately obvious way to know. You may want to invest in Event Monitoring if you suspect they may be stealing data, or you may be able to request audit logs for a user for some time (I don't know if they still offer this service, since EM is superior to the older log requests). You can use those logs to determine what they've done, including reports, exports, etc.




          The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.




          Not having admin access shouldn't affect the app, but of course would hinder their ability to debug the application. That said, if you have any major concerns about the vendor, you should probably change vendors to someone you can trust, or perhaps even get a developer of your own, which isn't intrinsically expensive compared to having a outside vendor handle your code.



          For example, vendors typically charge $200 or more per hour of work, charged in very small time slices. If they had to work on your project for even one work day a week, you could have paid your own developer for a whole week or two, and you'd have more control over your own project.






          share|improve this answer
























          • Thank you again SFDCFox

            – SeanGorman
            yesterday



















          2














          Managed applications can be installed directly and do not need to be sourced from the AppExchange, yes.



          Consider the use case of a company that wanted to build an app and distribute it to a few orgs that they control, they could use a private, unlisted managed package and install it into their own orgs. The app does not need to be listed on the AppExchange for this to occur, they just use the installation URL for their package and install in the target org.



          The tool that a partner typically uses to log into your org (the subscriber) after you've granted them access to do so, is the License Management App.



          It sounds like your vendor hasn't been granted access by Salesforce to use this partner tool. The main eligibility requirement is that the vendor needs a signed partner agreement with Salesforce.



          It would also explain why they want admin access to your org. It's the only other real access mechanism available to them to troubleshoot.






          share|improve this answer
























          • Thank you Mark.

            – SeanGorman
            yesterday











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "459"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f249390%2fmanaged-packages-but-installed-outside-of-appexchange%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          2















          I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.




          That's an oversimplification, but is most likely truthful. There is a special package called LMA (License Management App) that needs to be installed in a vendor's org to use this feature. Older orgs, like my really old Dev Org from 2007, would have been able to install this because they just handed out the installation link to anyone who asked.



          At some point, they changed this policy and only provided this LMA installation link as part of the Partner on-boarding process, so the vendor would have been vetted first for potential security problems. I'm pretty sure if I tried to use my outdated version of LMA, it wouldn't allow me to log in as a subscriber even if they granted me access.




          Can managed apps come from outside the appexchange?




          A managed package is separate from AppExchange. All managed apps start out this way by default. The listing is added later. All you need is an installation link and optional password. You yourself could create a Developer Edition org if you wanted to play around with this feature and see how it works.




          How do I know that this is legit? Are they gaining access to our data and selling it?




          If they have an admin account, they would have access to everything, there's no immediately obvious way to know. You may want to invest in Event Monitoring if you suspect they may be stealing data, or you may be able to request audit logs for a user for some time (I don't know if they still offer this service, since EM is superior to the older log requests). You can use those logs to determine what they've done, including reports, exports, etc.




          The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.




          Not having admin access shouldn't affect the app, but of course would hinder their ability to debug the application. That said, if you have any major concerns about the vendor, you should probably change vendors to someone you can trust, or perhaps even get a developer of your own, which isn't intrinsically expensive compared to having a outside vendor handle your code.



          For example, vendors typically charge $200 or more per hour of work, charged in very small time slices. If they had to work on your project for even one work day a week, you could have paid your own developer for a whole week or two, and you'd have more control over your own project.






          share|improve this answer
























          • Thank you again SFDCFox

            – SeanGorman
            yesterday
















          2















          I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.




          That's an oversimplification, but is most likely truthful. There is a special package called LMA (License Management App) that needs to be installed in a vendor's org to use this feature. Older orgs, like my really old Dev Org from 2007, would have been able to install this because they just handed out the installation link to anyone who asked.



          At some point, they changed this policy and only provided this LMA installation link as part of the Partner on-boarding process, so the vendor would have been vetted first for potential security problems. I'm pretty sure if I tried to use my outdated version of LMA, it wouldn't allow me to log in as a subscriber even if they granted me access.




          Can managed apps come from outside the appexchange?




          A managed package is separate from AppExchange. All managed apps start out this way by default. The listing is added later. All you need is an installation link and optional password. You yourself could create a Developer Edition org if you wanted to play around with this feature and see how it works.




          How do I know that this is legit? Are they gaining access to our data and selling it?




          If they have an admin account, they would have access to everything, there's no immediately obvious way to know. You may want to invest in Event Monitoring if you suspect they may be stealing data, or you may be able to request audit logs for a user for some time (I don't know if they still offer this service, since EM is superior to the older log requests). You can use those logs to determine what they've done, including reports, exports, etc.




          The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.




          Not having admin access shouldn't affect the app, but of course would hinder their ability to debug the application. That said, if you have any major concerns about the vendor, you should probably change vendors to someone you can trust, or perhaps even get a developer of your own, which isn't intrinsically expensive compared to having a outside vendor handle your code.



          For example, vendors typically charge $200 or more per hour of work, charged in very small time slices. If they had to work on your project for even one work day a week, you could have paid your own developer for a whole week or two, and you'd have more control over your own project.






          share|improve this answer
























          • Thank you again SFDCFox

            – SeanGorman
            yesterday














          2












          2








          2








          I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.




          That's an oversimplification, but is most likely truthful. There is a special package called LMA (License Management App) that needs to be installed in a vendor's org to use this feature. Older orgs, like my really old Dev Org from 2007, would have been able to install this because they just handed out the installation link to anyone who asked.



          At some point, they changed this policy and only provided this LMA installation link as part of the Partner on-boarding process, so the vendor would have been vetted first for potential security problems. I'm pretty sure if I tried to use my outdated version of LMA, it wouldn't allow me to log in as a subscriber even if they granted me access.




          Can managed apps come from outside the appexchange?




          A managed package is separate from AppExchange. All managed apps start out this way by default. The listing is added later. All you need is an installation link and optional password. You yourself could create a Developer Edition org if you wanted to play around with this feature and see how it works.




          How do I know that this is legit? Are they gaining access to our data and selling it?




          If they have an admin account, they would have access to everything, there's no immediately obvious way to know. You may want to invest in Event Monitoring if you suspect they may be stealing data, or you may be able to request audit logs for a user for some time (I don't know if they still offer this service, since EM is superior to the older log requests). You can use those logs to determine what they've done, including reports, exports, etc.




          The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.




          Not having admin access shouldn't affect the app, but of course would hinder their ability to debug the application. That said, if you have any major concerns about the vendor, you should probably change vendors to someone you can trust, or perhaps even get a developer of your own, which isn't intrinsically expensive compared to having a outside vendor handle your code.



          For example, vendors typically charge $200 or more per hour of work, charged in very small time slices. If they had to work on your project for even one work day a week, you could have paid your own developer for a whole week or two, and you'd have more control over your own project.






          share|improve this answer














          I asked why they couldn't just use the Grant Login Access protocol and their reason is that as the app isn't installed from the appexchange, they cannot be granted access.




          That's an oversimplification, but is most likely truthful. There is a special package called LMA (License Management App) that needs to be installed in a vendor's org to use this feature. Older orgs, like my really old Dev Org from 2007, would have been able to install this because they just handed out the installation link to anyone who asked.



          At some point, they changed this policy and only provided this LMA installation link as part of the Partner on-boarding process, so the vendor would have been vetted first for potential security problems. I'm pretty sure if I tried to use my outdated version of LMA, it wouldn't allow me to log in as a subscriber even if they granted me access.




          Can managed apps come from outside the appexchange?




          A managed package is separate from AppExchange. All managed apps start out this way by default. The listing is added later. All you need is an installation link and optional password. You yourself could create a Developer Edition org if you wanted to play around with this feature and see how it works.




          How do I know that this is legit? Are they gaining access to our data and selling it?




          If they have an admin account, they would have access to everything, there's no immediately obvious way to know. You may want to invest in Event Monitoring if you suspect they may be stealing data, or you may be able to request audit logs for a user for some time (I don't know if they still offer this service, since EM is superior to the older log requests). You can use those logs to determine what they've done, including reports, exports, etc.




          The issue is that now every issue that occurs is immediately put down to the fact that they do not have admin access.




          Not having admin access shouldn't affect the app, but of course would hinder their ability to debug the application. That said, if you have any major concerns about the vendor, you should probably change vendors to someone you can trust, or perhaps even get a developer of your own, which isn't intrinsically expensive compared to having a outside vendor handle your code.



          For example, vendors typically charge $200 or more per hour of work, charged in very small time slices. If they had to work on your project for even one work day a week, you could have paid your own developer for a whole week or two, and you'd have more control over your own project.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered yesterday









          sfdcfoxsfdcfox

          254k11197437




          254k11197437













          • Thank you again SFDCFox

            – SeanGorman
            yesterday



















          • Thank you again SFDCFox

            – SeanGorman
            yesterday

















          Thank you again SFDCFox

          – SeanGorman
          yesterday





          Thank you again SFDCFox

          – SeanGorman
          yesterday













          2














          Managed applications can be installed directly and do not need to be sourced from the AppExchange, yes.



          Consider the use case of a company that wanted to build an app and distribute it to a few orgs that they control, they could use a private, unlisted managed package and install it into their own orgs. The app does not need to be listed on the AppExchange for this to occur, they just use the installation URL for their package and install in the target org.



          The tool that a partner typically uses to log into your org (the subscriber) after you've granted them access to do so, is the License Management App.



          It sounds like your vendor hasn't been granted access by Salesforce to use this partner tool. The main eligibility requirement is that the vendor needs a signed partner agreement with Salesforce.



          It would also explain why they want admin access to your org. It's the only other real access mechanism available to them to troubleshoot.






          share|improve this answer
























          • Thank you Mark.

            – SeanGorman
            yesterday
















          2














          Managed applications can be installed directly and do not need to be sourced from the AppExchange, yes.



          Consider the use case of a company that wanted to build an app and distribute it to a few orgs that they control, they could use a private, unlisted managed package and install it into their own orgs. The app does not need to be listed on the AppExchange for this to occur, they just use the installation URL for their package and install in the target org.



          The tool that a partner typically uses to log into your org (the subscriber) after you've granted them access to do so, is the License Management App.



          It sounds like your vendor hasn't been granted access by Salesforce to use this partner tool. The main eligibility requirement is that the vendor needs a signed partner agreement with Salesforce.



          It would also explain why they want admin access to your org. It's the only other real access mechanism available to them to troubleshoot.






          share|improve this answer
























          • Thank you Mark.

            – SeanGorman
            yesterday














          2












          2








          2







          Managed applications can be installed directly and do not need to be sourced from the AppExchange, yes.



          Consider the use case of a company that wanted to build an app and distribute it to a few orgs that they control, they could use a private, unlisted managed package and install it into their own orgs. The app does not need to be listed on the AppExchange for this to occur, they just use the installation URL for their package and install in the target org.



          The tool that a partner typically uses to log into your org (the subscriber) after you've granted them access to do so, is the License Management App.



          It sounds like your vendor hasn't been granted access by Salesforce to use this partner tool. The main eligibility requirement is that the vendor needs a signed partner agreement with Salesforce.



          It would also explain why they want admin access to your org. It's the only other real access mechanism available to them to troubleshoot.






          share|improve this answer













          Managed applications can be installed directly and do not need to be sourced from the AppExchange, yes.



          Consider the use case of a company that wanted to build an app and distribute it to a few orgs that they control, they could use a private, unlisted managed package and install it into their own orgs. The app does not need to be listed on the AppExchange for this to occur, they just use the installation URL for their package and install in the target org.



          The tool that a partner typically uses to log into your org (the subscriber) after you've granted them access to do so, is the License Management App.



          It sounds like your vendor hasn't been granted access by Salesforce to use this partner tool. The main eligibility requirement is that the vendor needs a signed partner agreement with Salesforce.



          It would also explain why they want admin access to your org. It's the only other real access mechanism available to them to troubleshoot.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered yesterday









          Mark PondMark Pond

          18.3k13285




          18.3k13285













          • Thank you Mark.

            – SeanGorman
            yesterday



















          • Thank you Mark.

            – SeanGorman
            yesterday

















          Thank you Mark.

          – SeanGorman
          yesterday





          Thank you Mark.

          – SeanGorman
          yesterday


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Salesforce Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f249390%2fmanaged-packages-but-installed-outside-of-appexchange%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

          Alcedinidae

          Origin of the phrase “under your belt”?