Safer integrations for Workplace

Workplace has changed Platform Terms to ensure the safety of integrations using Workplace's Platform APIs.

Note: this information is applicable to customers who have integrations hosted and operated by a third-party developer. If you need help navigating the information in this article, please contact Workplace Support.

Protecting people's information is a core commitment for Workplace. In order to provide our customers with a safe and secure place to work, we need to ensure that not only Workplace, but also every single one of our platform developers, lives up to our high security standards. That's why, in May 2019, we announced an update to our Platform Terms, where third-party developers will need to pass a scaled review process in order to continue to have access to Workplace's APIs and to offer their integrations to Workplace customers. Since then, we've been working closely with developers to help them comply with our heightened standards and scaled review process.

To reinforce the security of our platform, on 16 December 2019, we will begin removing access to integrations that have not passed our updated review process.

Starting on 1 September 2019, you may have received messages on Workplace advising you that some of your integrations require attention. This page provides the resources you'll need to take action.

What types of integrations are available on Workplace?

Today, there are two ways that you can connect an integration with Workplace; we refer to these as "custom integrations" and "third-party integrations".

  • Custom integration: this way of installing an integration means you (or another admin of your Workplace instance), created an integration in the Admin Panel. To create such an integration in the Admin Panel, you had to go through some screens to select permissions for the integration, and then generate an access token (i.e. a long string of letters and numbers, such as a key or password) that you copied and pasted into an integration that you developed internally or sent to a developer. Only integrations written by you or on your behalf (e.g. custom software) that are used only by you and operated (hosted and run) in an environment that you control should be installed as custom integrations.
  • Third-party integration: This way of installing an integration means that you went to our integrations directory or another company's website and installed an integration, without creating or sending anyone an access token. As part of the installation process, you would have seen a consent screen telling you what permissions the third-party integration has access to, and asking you to accept these permissions. All integrations offered by third-party developers (e.g. non-custom software, even if certain aspects are customised) that are operated (hosted and run) in an environment you do not fully control, must be installed as third-party integrations.

At the moment, we know there are a number of integrations on Workplace installed as custom integrations that should instead be installed as third-party integrations, because they are hosted or run by third-party developers. The updated review process is applicable to third-party integrations, and not custom integrations, so it is important that all integrations are properly classified. If we suspect that an integration installed as a custom integration should instead be installed as a third-party integration, it will be treated as a third-party integration and we will begin removing access if it has not passed our review process by 16 December 2019.

Why am I seeing this message regarding "integrations that have not passed our updated review process"?

We think one or some of the integrations you are using is operating outside our new Platform Terms. This might be because:

  • You are using a third-party integration that has not passed our review process (see Section "What does it mean that an integration has not passed our updated review process?" for more details).
  • You are using an integration that is installed as a custom integration but that should instead be installed as a third-party integration, and it has not yet passed our required review process.

What do I do next?

You can choose to continue to use these integrations that have not passed review until 16 December 2019. After this date, we will begin removing access to integrations that have not passed our updated review process. Below, please find a timeline of key events as well as corresponding actions that you may take:

  • From 1 September 2019: We will share an initial reminder to notify admins with third-party integrations that have not passed review operating in their instances (including integrations installed as custom integrations that should be installed as third-party integrations). Admins can see which integrations we refer to on the Integrations page of the Admin Panel. You can choose to continue to use these integrations until 16 December 2019. We encourage you to speak to your developers to understand whether they have a plan in place to pass the review.
  • 1 October 2019: Any integrations that are currently installed as custom integrations that we believe are actually provided and operated by a third party will be automatically disabled unless an admin takes action in the Admin Panel to continue using this integration.
    If you find that an integration you need has been disabled, you can turn it back on in the Admin Panel and continue to use them until 16 December 2019. You should also contact the developer or company who provided you with the integration, or contact our direct support team if you believe that the integration has been incorrectly classified. All integrations that are already installed as third-party integrations will continue to function.
  • 16 December 2019: We will begin removing access to all custom integrations that we believe are actually provided and operated by a third party, and any third-party integrations that have not passed our updated review process. There will no longer be an option for you to continue to use these integrations.

    • You can install a similar integration from an approved developer in our integrations directory.
    • Upon request by you, certain integrations that have limited access to your data may be eligible to be grandfathered for continued use in your Workplace until 31 December 2020. Please contact us via Direct Support to ask us about this before 15 January 2020.
    • Integrations from developers that provide evidence of strong security practices and are engaged in the final step of our app review process have been granted until 28 February 2020* to complete that process. The deadline for the developer to complete our review process for each integration that is not yet approved is indicated in the Admin Panel.
    • *Update: The deadline for developers to convert unapproved custom integrations to third-party apps has been extended. Integrations affected by the change are displayed with the new deadline of 01 May 2020.
Did Workplace conduct security reviews for integrations in the past?

Yes, all integrations available in our directory announced at F8 2018 were security-reviewed prior to launch. The heightened app review process introduced this year is a formal, scaled review process to raise the standards for all developers that participate in our ecosystem.

My identity provider (IDP) is being flagged. Why is this and what can I do about it?

Most of the IDP integrations on Workplace so far have been installed as custom integrations. We are in the process of working with the developers to convert them into compliant third-party integrations. If you have an account manager with these developers, we encourage you to contact them to understand their plan and timeline.

Information from GSuite admins

To continue using GSuite for provisioning after 16 December, you'll need to set up a different way of importing people from your business into Workplace. Find directions on how to do this here.

What does it mean that an integration has not passed the updated review process?

In May 2019, we announced an updated Workplace integration review process to platform developers. This review process outlines verification steps that third-party integrations have to go through to be made available to Workplace customers.

  • For all integrations, these steps include: Business verification, acknowledgment of the Platform Terms and review.
  • For third-party integrations that have requested access to more data, the review process also includes a third-party penetration test, and a security request for information (RFI).

If your integrations are flagged, this means that they've not yet passed through all the review steps required.

You may turn off an integration we need! What can I do?

We recommend that you review which of your integrations have been labelled "not approved", and which may be disabled on the date indicated in the Admin Panel for that integration. If you're concerned that an integration that you need may be disabled, you have a couple of options:

  • You can install a similar integration from an approved developer in our integrations directory.
  • Upon request by you, certain integrations that have limited access to your data may be eligible to be grandfathered for continued use in your Workplace until 31 December 2020. Please contact us via Direct Support to ask us about this before 15 January 2020.

Integrations from developers that provide evidence of strong security practices and are engaged in the final step of our app review process have been granted until 28 February 2020* to complete that process. The deadline for the developer to complete our review process for each integration that is not yet approved is indicated in the Admin Panel.

*Update: The deadline for developers to convert unapproved custom integrations to third-party apps has been extended. Integrations affected by the change are displayed with the new deadline of 01 May 2020.

What if I want to keep using the integration after the final deadline?

Unfortunately, we will begin removing access to integrations that have still not passed our review process on 16 December 2019. We suggest that you speak to the developer to understand if they expect to pass the review by this date. You can also select an alternative approved provider with a similar integration from the integrations directory.

We know that integrations are important to your Workplace experience. Upon request by you, certain integrations that have limited access to your data may be eligible to be grandfathered for continued use in your Workplace until 31 December 2020. Please contact us via Direct Support to ask us about this before 15 January 2020.

I think that you've incorrectly flagged one of my custom integrations as being developed or operated by a third party.

If an integration operated (hosted and run) in an environment that you control has been flagged, please raise a ticket with Workplace Support, and we will take a look at it for you.

If you have specific questions, please contact Workplace Support.

The new Workplace experience

Keep reading