Workplace App Review

All Third Party Apps are reviewed by Workplace before they can be used by customers and annually thereafter. This page will help you to prepare for and successfully pass the app review process.

What is App Review?

App Review is a process that we use to ensure the best possible Workplace experience for your app’s audience. The process aims to help people feel in control of how your app is using their data by requesting only the permissions your app needs to provide a great user experience. App Review happens at the permission level,so even if you have completed it once, and then decide to add permissions to your integration, you may need to submit for review again.

When to Submit?

You can begin the review process at any time, and you can edit your submission before it is reviewed, but we recommend that you begin a submission only after you have thoroughly tested your app and you are ready for release. If your app has already gone through App Review and has been approved for specific permissions then changing the information in Integration Directory will require you to complete the review process here.

Prerequisites

App review follows having requested a Third Party app and having completed your app development. When ready, this page describes what you need to do to submit your app for App Review and to complete Business Verification.

Prepare for App Review

If you are an independent software vendor (ISV) that wants to integrate your SaaS product with Workplace and make it available to our customers, you must first request a third party app. If your request is approved, you will then need to integrate your product with Workplace's install flows, APIs, and webhooks (as applicable).

During the app creation request, you are required to supply a User ID of a Facebook user who can be added as a Admin on your Workplace app. This individual can configure your app via developers.facebook.com/apps.

The following steps describe how to prepare for App Review:

Complete Business Verification

Business verification allows us to verify your identity as a business entity, which we require if your app will be accessing sensitive data. All ISVs that offer Third Party Apps to Workplace customers must have completed Facebook's Business Verification. This step is required once per company, irrespective of the number of apps the company supports. The instructions to complete this step is outlined below (Please ensure the person initiating the above steps is the admin of both the app and the business in the Business Manager).

You can begin the Business Verification process using the link in your App Dashboard Inbox alert, or within the App Dashboard's Settings > Basic tab.

If you haven't connected your app to a Facebook Business Manager account, you will be asked to do so.

Once connected, clicking any of the verification links or buttons will take you to the Business Manager's Business Settings > Business Info tab. From there, navigate to the Security Center and click Start Verification.

If we can locate your business details via our trusted 3rd party data sources, we will ask you to confirm your association with the business via email or phone. If we cannot locate your business details, you may need to submit additional documentation to complete the business verification process.

If you submitted documentation, but are still having issues getting verified, you may need to submit additional documentation. If you are unable to provide this extra information within 1 week, you'll need to start the process again.

For more information about the business verification process and steps for troubleshooting, please refer to our Business Manager help document.

Configure your App

Your app admin will need to configure the following values:

  • App Name (no more than 30 characters)
  • App Icon (1024x1024, PNG format with transparent background)
  • Redirect URL (under "Facebook Login")
  • Tagline (recommend 40 chars max) (under "App Center")
  • Short Description (recommend 50 words max) (under "App Center")
  • Publisher (under "App Center", no more than 30 characters)
  • Marketing URL (under "App Center")
  • Terms of Service URL (under "App Center")
  • Privacy Policy URL

Prepare Your Workplace Directory Listing

Selected apps will featured within the Workplace Integration Directory. Therefore you are required to configure your app with the following information:

  • Integration name
  • Developer / publisher Name
  • App logos and icons
  • A subtitle / tagline
  • A description of your integration
  • External links
  • Privacy policy and terms of service page URLs
  • Showcase images or screenshots

The requirements for each of these items are described below:

Integration Name

A string which represents your app's name. This will be visible in the directory and wherever your app is referred to. If your integration has a bot, this will also be the bot's name, unless your app supports white-labeling.

Maximum Character Length: 32

Examples:
  • “Dropbox”
  • “Envoy”
  • “Jira”

Developer/Publisher Name

A string that represents your company/organization. Will be used alongside the integration name to help people understand who is responsible for the functionality of the integration.

Maximum Character Length: 32

Examples:
  • “Dropbox, Inc.”
  • “Recognize Services, Inc.”

App Logo & Icons

  • A 1024 x 1024 png. This will be used as the icon image for your integration in the directory, the install dialog and various other places where we need a larger icon. If your integration has a bot, this will also be the bot's icon. We will scale this down to multiple sizes.
  • A 64x64 colour app favicon (transparent PNG). This will be scaled down to 32x32 and 16x16 formats.
  • A 64x64 monochrome (black) app icon (transparent PNG). This will be scaled down to 32x32 and 16x16 formats.
  • Primary Brand Color (hex). This will be used to colorize your app's monochrome icon in certain circumstances and may be user as background/header colour where we promote your integration.

App Subtitle / Tagline

A short sentence description of what your integration does. This will be shown in the directory where we list multiple integrations together, and in the integration install dialog.

Examples:
  • “High quality video conferencing.”
  • “Quick and simple surveys via Chat.”
  • “The new standard for visitor registration.”

Maximum Character Length: 40

Integration Description

A clear description of what your integration/app does and why people should install/enable it. This will use shown in your integration's directory listing.

Maximum Character Length: 400

  • Learn More - direct link(public to the internet) where users can go to learn more about what your app/product does and how your integration works. This may be a blog post which details your integration's functionality, or a help center/support article that gives more detail to people on what they can expect once your integration is added to their Workplace. For example:
  • Setup Guide - direct link (public to the internet) to a document containing the setup / configuration steps that an admin needs to take to prepare your app for use with Workplace. If the app needs to be setup outside of Workplace then ensure to list the steps required for the same.
  • Privacy Policy - direct link (public to the internet) to a document containing your app's privacy policy. This URL will be linked for all admins upon initiating an install of your app.
  • Terms of Service - direct link (public to the internet) to a document containing your app's terms of use. This URL will be linked for all admins upon initiating an install of your app.

Customer Support

You may supply one or both of Customer Support Documentation or a Customer Support Email address, but at least one of these is required.

  • Customer Support Documentation - A publicly visible user-facing URL to where users/customers of your integration can go to ask questions and raise bugs. Ideally this URL should directly let a user input a support request, but at a minimum there must be clear instructions on how to do so.
  • Customer Support Email - A user-facing email addreess where users/customers of your integration can go to ask questions and raise bugs. Please endeavour to ensure that people receive a reply within 24 hours. If you're unable to provide that turnaround, you should setup an auto-reply which confirms receipt and provides an expected timeframe for your response or directs people to another channel where they can file bugs or give feedback about your integration. Our support team will pass this email address to Workplace customers if they contact us about a problem with your integration.

Screenshots

A set of images that showcase what your integration does. You can include a mix of mobile and desktop screenshots. You must supply between three and eight images.

Each image must be:

  • 800px high
  • between 400px wide (min) and 1000px wide (max)
  • full-bleed PNG

Submit For App Review

Once the above steps are completed, you are ready to submit for App Review.

As part of the review, our team will verify that your integration uses the minimum number of required permissions to provide your app's functionality and that your configuration is complete. You may be given feedback on your integration at this stage.

App Review Submission Steps

  • Make sure to fill out all the fields (as described above) in the Details tab under Workplace
  • Click on the Review tab under Workplace to start the submission
  • For every permission click on "Add to Submission" button (All the permission granted will be subjected to app review)
  • In the Current Submission section, for every permission click on Edit Details and complete the following:
    • Detailed explanation on how the permission is enabling the intended functionality and interaction with the user
    • Upload a screencast based on the specified requirements which demoes the use of the permission(Atleast one submission should also include the installation demo).
  • Click on the Edit Details for App Verification and provide 2 test user credentials for the review team to configure and test the app in Workplace.
    Please Note:
    • The installation of the app should be automated i.e: the customer should be able to install the application by either clicking on "Add to Workplace/Visit Site to install" from the Integration Directory or from the the partner's tenant. Installation of the app should not involve any manual configuration that can be done using the Graph API.
    • If the test users provided needs to be an admin in both your tenant as well as the Workplace instance then ensure to provide a test user that does not have a pre-existing Workplace instance. During the review process, the reviewer will create a Workplace account with the test user's email address in their Workplace instance and will test the functionality acccording to the screencast(s) provided in the previous step.
  • On completion of all the above steps you can submit the app for review by clicking on Submit for Review button.

Annual App Review

To keep customer data safe, Workplace requires all 3rd party apps to pass an annual App Review. Apps that do not pass the review within the deadline will be removed from the Workplace Integration Directory and will ultimately be disabled and removed from customers' Workplace communities.

The anniversary date is defined as the date when the app was first approved with a minimum of one permission. Every year App Review will be conducted on this anniversary date and developers will be notified accordingly.

The timeline and process is outlined as below:

  • Your app will be automatically added to the App Review queue on the anniversary date. The previous review information and screencasts would be used to review the app.
  • On the anniversary date the app admins will get either of the following notifications:
    • The app is approved and the Annual App Review is complete for the current year.
    • OR more information is needed to complete the Annual App Review.The developers are required to complete the next steps within the timeline specified.
      • Integration Directory details have to be fixed and reviewed within fourteen days after the anniversary date.
      • Any app/permission issues have to be fixed and reviewed within thirty days after the anniversary date.
  • Fourteen days after the anniversary date, the app admins will get either of the following notifications:
    • The app is approved and the Annual App Review is complete for the current year.
    • The Integration Directory detail(s) are fixed.TThe app/permission issues need to be fixed and reviewed within thirty days after the anniversary date.
    • OR the app has been removed from the Integration Directory and no new installs will be allowed. Open a ticket to update Integration Directory detail(s).
  • Thirty days after the anniversary date, the app admins will get either of the following notifications:
    • The app is approved and the Annual App Review is complete for the current year.
    • OR the violating permissions have been revoked and app will have reduced functionality.
    • OR the app has been removed from the Integration Directory and has been disabled for existing customers, and no new installs will be allowed.You will have to go through a new App Review submission after this step as described in Submit for App Review section.

      Workplace will not send out notification to customers on reduced functionality or app being disabled. Partners are expected to send out this communication to mutual customers.

  • Sixty days after the anniversary date, if you have not successfully completed a new App Review submission then you will be notified that the app has been removed from all customers' Workplace instance.

All alerts for Annual App Review will be sent to the app admins of the app via email. If you would like to be notified then ask an existing admin to add you as an admin.

Next Steps

Your app may be required to pass Workplace's security review process, which is required for:

  • Any app that uses at least one medium- or high-sensitivity permission
  • Chat bots that can be added to group chats
  • Any chat bot that inherently sends sensitive Personally Identifiable Information (PII) in chat messages
  • Any chat bot that meets a certain threshold of usage, as defined by Workplace
  • Other circumstances, as deemed necessary by Workplace