How to Approach App Management for Microsoft Teams, Slack, and Workplace by Facebook
Whether an organization is using Microsoft Teams, Slack, Cisco Webex Teams, or even Workplace by Facebook, third-party add-on apps are an important part of the end-user experience. End users can customize their workstream collaboration experiences by selecting plug-in apps or integrations from app stores offered by all the major workstream collaboration (WSC) platform vendors. Increasingly, as API usage becomes more widespread, enterprise DevOps teams are even writing their own internal custom apps for end-users to download and use. The number of available apps makes application management for workstream collaboration platforms essential.
Third-Party Apps – The Dilemma
Many enterprise SaaS applications that are already in use integrate cleanly into WSC platforms, which can make it easier for end-users to accomplish their day-to-day work. ModuleQ, for example, surfaces relevant news about sales leads in anticipation of meetings. There are also bots like Standuply that remind teams to update their status so overloaded project managers don’t need to remember to do these daily check-ins.
Given that default app settings vary across every platform, we outline how to take control of app management on popular WSC platforms.
Configuring Third-Party Apps for Slack
Slack is one of the most app-friendly workstream collaboration platforms, with more than 1,500 apps in its App Directory. These apps enhance the Slack experience and integrate with other enterprise tools to provide end-users with a single place to get work done. By default, any member of a Slack workspace can install any app they choose.
To change this, the workspace owner must turn on the setting to approve apps. The workspace owner can also expand the ability to approve or reject apps to other workspace members or even whole groups. With this setting in place, when end users wish to install a new app, a request will be sent that can be approved or rejected. If no action is taken, the app cannot be installed.
Enterprise Grid customers should note that these policies apply at the workspace level, rather than across an entire Slack deployment. It’s also worth noting that this app approval process doesn’t apply to existing installs.
To restrict existing apps, administrators must dig through each workspace’s activity log and individually restrict the set of apps found. Third-party tools such as PowerSuite can significantly aid in this process. Beyond the initial approval of an app, end-users will be prompted to send another app approval request if the app’s required permissions change. These permissions are an important part of a decision to allow or disallow app store installs when it comes to application management.
On Slack, there are a variety of possible permissions, and Slack calls out those with security implications with a yellow triangle. For example, an app that requires the ability to read channel messages would be called out with a caution sign, but posting messages to the channel as a bot would not be. Although moving to eliminate apps on Slack entirely without third-party tools is difficult, the “Approve Apps” setting does help to filter the seemingly endless App Directory down to those that end-users care about. From this point, a couple of questions remain:
- Do you trust the application with the level of permissions it requests?
- Does it help your end-users accomplish their work?
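The permission review described above can be applied mechanically to a list of install requests. The following is an added example, not code from the original article or from Slack: it flags requests whose scopes read message or file content and detects permission changes against a previously approved set. The app names and inventory format are hypothetical, and which scopes count as sensitive is a local policy assumption modeled on the article's read-versus-post example.

```python
# Added example: triage Slack app approval requests by requested OAuth scopes.
# The inventory below is constructed sample data, not output from any Slack API.

# Which scopes count as sensitive is a policy assumption modeled on the
# article's example: reading messages is cautioned, posting as a bot is not.
SENSITIVE_SCOPES = {
    "channels:history",  # read messages in public channels
    "groups:history",    # read messages in private channels
    "im:history",        # read direct messages
    "mpim:history",      # read group direct messages
    "files:read",        # read files shared in conversations
}

def triage(request, approved):
    """Classify one install request against previously approved scopes.

    request:  {"app": str, "scopes": set of scope strings}
    approved: {app name: set of scopes approved earlier}
    Returns (decision, sensitive scopes requested, newly requested scopes).
    """
    scopes = set(request["scopes"])
    prior = approved.get(request["app"])
    new_scopes = scopes if prior is None else scopes - prior
    sensitive = scopes & SENSITIVE_SCOPES
    if prior is not None and not new_scopes:
        decision = "already-approved"   # nothing beyond the earlier approval
    elif new_scopes & SENSITIVE_SCOPES:
        decision = "manual-review"      # new access to message or file content
    elif prior is not None:
        decision = "re-approve"         # permissions changed, nothing sensitive added
    else:
        decision = "standard-review"    # first request, no sensitive scopes
    return decision, sorted(sensitive), sorted(new_scopes)

# Constructed sample data: hypothetical app names and scope sets.
APPROVED = {
    "standup-bot": {"chat:write"},
    "news-digest": {"chat:write", "channels:history"},
}
REQUESTS = [
    {"app": "standup-bot", "scopes": {"chat:write"}},
    {"app": "standup-bot", "scopes": {"chat:write", "channels:history"}},
    {"app": "news-digest", "scopes": {"chat:write", "channels:history", "users:read"}},
    {"app": "poll-maker", "scopes": {"chat:write", "commands"}},
    {"app": "archive-tool", "scopes": {"im:history", "files:read"}},
]

def run():
    """Return {"<app>#<request index>": decision} for the sample requests."""
    return {f'{r["app"]}#{i}': triage(r, APPROVED)[0] for i, r in enumerate(REQUESTS)}
```

Because the approval setting does not cover existing installs, the same function can be run over apps found in the activity log by passing an empty approved set.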
Navigating App Settings for Microsoft Teams
Compared to Slack, Microsoft Teams, which has just under 200 apps available, uses more formal delineations between app types. Bots post messages, connectors send notifications from other tools, and messaging extensions bring additional media capabilities to posts and chat. Most unique are tabs. These show within a Teams channel next to “Conversations” or “Files” and effectively allow users to enjoy the full experience of other software within Teams, which is especially helpful for visual-first apps.
By default, Microsoft Teams allows all apps. Unlike Slack, disabling all external apps is relatively straightforward for someone with access to Microsoft Teams Admin Center. From there, go to Teams Apps, then find Permission Policies. “Org Wide App Settings” allows a variety of options, including disallowing all apps or only allowing certain ones. There are two options around permitting some apps but not others: block a list of apps or approve a list of apps. These apps must be specified by searching for each individually, with no additional information available when making the selection. It is additionally difficult to tell whether these apps are already in use within the organization.
With the limited capabilities available, being able to approve apps based on permission level is not an easy task without a single tool to monitor, analyze, and secure collaboration and communication platforms – like PowerSuite. Permissions for Teams apps work similarly to Slack, but with some considerations based on the type of app. Tabs, for instance, don’t require anything beyond what is necessary to use the software within a web browser, and connectors typically only need posting permissions. With many organizations looking to transition their users to Teams, apps are an important feature that can keep users engaged on the platform. Even with less control, consider allowing third-party applications for Microsoft Teams.
Administering Integrations for Workplace by Facebook
Workplace by Facebook uses different terminology, calling the third-party apps in its app store “integrations.” Workplace integrations are at a more nascent stage than apps for Slack or Microsoft Teams. There are around 40 available currently, though the number continues to grow.
By default, no integrations are allowed, and each integration must be enabled individually. Given the current number, this is not difficult, but how this will scale over time is unknown. Integrations can be added to the entire workspace or to individual groups. Once integrations are installed, the administrator can manage them through the Permissions & Data tab. Apps may request a variety of permissions, and administrators will want to use caution when granting a few of them: read group content, impersonate account, and read all messages.
Workplace uses a more intensive review process for integrations, but weighing the risk versus benefit is still a necessary exercise. There are three things to consider with Workplace Integrations:
1) Is this something end-users want?
2) Do you trust the application with the level of permissions it requests?
3) Does it help your end-users accomplish their work?
Tackling Multiplatform Application Management with a Single Tool
Proper application management of third-party apps and integrations is difficult, and significant research into individual apps is required before blindly enabling them. Even more challenging is the inconsistency between workstream collaboration platforms – a serious problem for the majority of organizations operating a multiplatform environment. Each platform comes with different default app settings, and backtracking after initially allowing all installs is an arduous task. With out-of-the-box admin tools that are not yet fully baked and ongoing management across multiple platforms, app management is not getting any easier.
If you’re interested in simplifying the app management process and properly securing your workstream collaboration platform, PowerSuite provides a single pane of glass view for Slack, Microsoft Teams, and Workplace by Facebook.