---

@lizlynch wrote:

ItemDescriptionFeatureNew governance policy to block external apps

A new governance policy, Block External Apps, is now available. The policy block apps created externally to your domain and Workspace organization (for Workspace users). See Define governance policies for more information.

 

---

@lizlynch 

Could you elabrate this new feature bit deeper? I read the documentation as well, but not really catching what sort of use cases this new policy is found useful.

Maybe this ?

- companyA creates an app, shares it with johnDoeB from companyB.

- companyB wants to make sure there is no data leakage ==> blockExternalApp ==> johnDoeB cannot share any information to companyA

@lizlynch I don't see this policy in my settings, in my Pro plan or the Enterprise Plus plan I'm using. When is it supposed to be made available ?

Correct. The main concern here is phishing and data leakage. A user outside of your organization could create an app which asks for private information and share that with users in your organization. This policy prevents your users from interacting with such an app.

Google Drive has a similar feature for file sharing. See the "Restrict all file sharing outside of your organization" section of this help doc.

Thank you, @shawncrabtree! I updated the documentation to convey the use case. 

@Aurelien  - The policy should be deployed to all users in the next day or so. Apologies for not communicating this in the release notes!

Liz

Hi @lizlynch 

I get the policy now, thank you for updating.

I have one question: how will the policy work if the app is from a subdomain ? 

Let's say:

John@fr.company.com, wishes to share an app to Jane@es.company.com.

They basically belong to the same company "company.com", but are part of different countries, hence the "fr." and "es." prefixes.

Would this policy prevent Jane from using John's app ?

If so, I would try to use a custom policy, but I don't know which component I should pick.

I assume it is not yet available.

I was thinking about something like this:

  INDEX(
    SPLIT([ownerCompany],"."),
    COUNT(
      SPLIT([ownerCompany],".")
    )-1
  )
=
  INDEX(
    SPLIT([userCompany],"."),
    COUNT(
      SPLIT([userCompany],".")
    )-1
  )

Any idea to suggest ?

---

@lizlynch wrote:

Thank you, @shawncrabtree! I updated the documentation to convey the use case. 

@Aurelien  - The policy should be deployed to all users in the next day or so. Apologies for not communicating this in the release notes!

Liz

---

 I'm still unsure what this new policy object will do and my question never been answered directly to me which is sad.

I checked the document which is said you made correction, but no new info to me.

Hi @Aurelien

We currently don't support subdomains for this feature. So in your example Jane would be prevented from using John's app. But, we do check the Workspace Organization of the user. So if both john@fr.company.com and jane@es.company.com are part of the same Workspace Organization then they will be allowed to share apps with each other.

We're also considering syncing "org owned domains" from Workspace. So if you had any domains that are owned by your Workspace Organization we could support sharing with users who are part of those domains as well.

Unfortunately writing a custom policy to enforce specific domains is not currently feasible.

Thank you very much @shawncrabtree for these additional and precious insights.

It may be of a huge help for my client, I will have a look to it and perhaps contact the Support Team for specifics  attached to its account.