Safer Integrations for Workplace

Workplace has changed Platform Terms to ensure the safety of integrations using Workplace's Platform APIs.

Note: this information is applicable to customers who have integrations hosted and operated by a third party developer. If you need help navigating the information in this article, please contact Workplace Support.

Protecting people’s information is a core commitment for Workplace. In order to provide our customers with a safe and secure place to work, we need to ensure that not only Workplace, but also every single one of our platform developers, lives up to our high security standards. That's why, in May 2019, we announced an update to our Platform Terms where third party developers will need to pass a scaled review process in order to continue to have access to Workplace's APIs and to offer their integrations to Workplace customers. Since then, we have been working closely with developers to help them comply to our heightened standards and scaled review process.

To reinforce the security of our platform, on December 16, 2019, we will begin removing access to integrations that have not passed our updated Review Process.

Starting on September 1, 2019, you may have received messages on Workplace advising you that some of your integrations require attention. This page provides the resources you'll need to take action.

What types of integrations are available on Workplace?

Today, there are two ways that you can connect an integration with Workplace; we refer to these as “custom integrations” and “third party integrations”.

  • Custom integration: this way of installing an integration means you (or another admin of your Workplace instance), created an integration in the Admin Panel. To create such an integration in the Admin Panel, you had to go through some screens to select permissions for the integration, and then generate an access token (i.e., a long string of letters and numbers, like a key or password) that you copied and pasted into an integration that you developed internally or sent to a developer. Only integrations written by you or on your behalf (e.g., custom software) that are used only by you and operated (hosted and run) in an environment you control should be installed as custom integrations.
  • Third party integration: this way of installing an integration means that you went to our integrations directory or another company’s website and installed an integration, without creating or sending anyone an access token. As part of the installation process, you would have seen a consent screen telling you what permissions the third party integration has access to, and asking you to accept these permissions. All integrations offered by third party developers (e.g., non-custom software, even if certain aspects are customized) that are operated (hosted and run) in an environment you do not fully control must be installed as third party integrations.

Right now, we know there are a number of integrations on Workplace installed as custom integrations that should instead be installed as third party integrations, because they are hosted or run by third party developers. The updated Review Process is applicable to third party integrations, and not custom integrations, so it is important that all integrations are properly classified. If we suspect that an integration installed as a custom integration should instead be installed as a third party integration, it will be treated as a third party integration and we will begin removing access if it has not passed our Review Process by 16 December, 2019.

Why am I seeing this message regarding “integrations that have not passed our updated Review Process”?

We think one or some of the integrations you are using is operating outside of our new Platform Terms. This might be because:

  • You are using a third party integration that has not passed our Review Process (see Section “What does it mean that an integration has not passed our updated Review Process?” for more details).
  • You are using an integration that is installed as a custom integration but that should instead be installed as a third party integration, and it has not yet passed our required Review Process.

What do I do next?

You can choose to continue to use these integrations that have not passed review until December 16, 2019. After this date, we will begin removing access to integrations that have not passed our updated Review Process. Below please find a timeline of key events as well as corresponding actions you may take:

  • Starting September 1, 2019: We will share an initial reminder to notify admins with third party integrations that have not passed review operating in their instances (including integrations installed as custom integrations that should be installed as third party integrations). Admins can see which integrations we refer to on the Integrations page of the Admin Panel. You can choose to continue to use these integrations until December 16, 2019. We encourage you to speak to your developers to understand whether they have a plan in place to pass the review.
  • October 1, 2019: Any integrations that are currently installed as custom integrations that we believe are actually provided and operated by a third party will be automatically disabled unless an admin takes action in the Admin Panel to continue using this integration.
    If you find that an integration you need has been disabled, you can turn it back on in the Admin Panel and continue to use them until December 16, 2019. You should also reach out to the developer or company who provided you with the integration, or contact our direct support team if you believe that the integration has been incorrectly classified. All integrations that are already installed as third party integrations will continue to function.
  • December 16, 2019: We will begin removing access to all Custom Integrations that we believe are actually provided and operated by a third party, and any third party integrations, that have not passed our updated Review Process. There will no longer be an option for you to continue to use these integrations.

    • You can install a similar integration from an approved developer in our integrations directory.
    • Upon request by you, certain integrations that have limited access to your data may be eligible to be grandfathered for continued use in your Workplace until December 31, 2020. Please contact us via Direct Support to ask us about this before January 15, 2020.
    • Integrations from developers that provide evidence of strong security practices and are engaged in the final step of our app review process have been granted until 28 February 2020* to complete that process. The deadline for the developer to complete our review process for each integration that is not yet approved is indicated in the Admin Panel.
    • *Update: The deadline for developers to convert unapproved custom integrations to third party apps has been extended. Integrations affected by the change are displayed with the new deadline of 01 May 2020.
Did Workplace conduct security reviews for integrations in the past?

Yes, all integrations available in our directory announced at F8 2018 were security reviewed prior to launch. The heightened app review process introduced this year is a formal, scaled review process to raise the standards for all developers that participate in our ecosystem.

My Identity Provider (IDP) is being flagged. Why is this and what can I do about it?

Most of the IDP integrations on Workplace so far have been installed as custom integrations. We are in the process of working with the developers to convert them into compliant third party integrations. If you have an account manager with these developers, we encourage you to reach out to them to understand their plan and timeline.

Information from GSuite Admins

To continue using GSuite for provisioning after December 16, you’ll need to set up a different way of importing people from your business into Workplace. Find directions on how to do this here.

What does it mean that an integration has not passed the updated Review Process?

In May 2019, we announced an updated Workplace integration Review Process to platform developers. This Review Process outlines verification steps that third party integrations have to go through to be made available to Workplace customers.

  • For all integrations, these steps include: Business Verification, Acknowledgment of the Platform Terms, and Review.
  • For third party integrations that have requested access to more data, the Review Process also includes a third party Penetration Test, and a Security Request for Information (RFI).

If your integrations are flagged, this means that they have not yet passed through all the review steps required.

You may turn off an integration we need! What can I do?

We recommend that you review which of your integrations have been labeled “not approved”, and which may be disabled on the date indicated in the Admin Panel for that integration. If you are concerned that an integration that you need may be disabled, you have a couple of options:

  • You can install a similar integration from an approved developer in our integrations directory.
  • Upon request by you, certain integrations that have limited access to your data may be eligible to be grandfathered for continued use in your Workplace until December 31, 2020. Please contact us via Direct Support to ask us about this before January 15, 2020.

Integrations from developers that provide evidence of strong security practices and are engaged in the final step of our app review process have been granted until 28 February 2020* to complete that process. The deadline for the developer to complete our review process for each integration that is not yet approved is indicated in the Admin Panel.

*Update: The deadline for developers to convert unapproved custom integrations to third party apps has been extended. Integrations affected by the change are displayed with the new deadline of 01 May 2020.

What if I want to keep using the integration after the final deadline?

Unfortunately, we will begin removing access to integrations that have still not passed our Review Process on December 16, 2019. We suggest that you speak to the developer to understand if they expect to pass review by this date. You can also select an alternative approved provider with a similar integration from the integrations directory.

We know that integrations are important to your Workplace experience. Upon request by you, certain integrations that have limited access to your data may be eligible to be grandfathered for continued use in your Workplace until December 31, 2020. Please contact us via Direct Support to ask us about this before January 15, 2020.

I think you have incorrectly flagged one of my Custom Integrations as being developed or operated by a third party.

If an integration operated (hosted and run) in an environment you control has been flagged, please raise a ticket with Workplace Support, and we will take a look at it for you.

If you have specific questions, please reach out to Workplace Support.

The New Workplace Experience

Keep Reading