As part of the broader access controls available to administrators, administrators can ensure only approved apps are installed and available to users.
If a workspace has Admin-Approved Apps enabled, apps will need to be approved by an administrator (as set in your workspace settings) before they can be deployed.
Even if a workspace has Admin-Approved Apps enabled however, workspace owners can still run slack deploy to deploy apps or slack run to run apps locally without requesting Admin-Approved Apps permission.
When a developer deploys an app, administrators will receive a notification, either from Slackbot or using the Admin-Approved Apps API workflow as determined by the organization. The approval notification will include which OAuth scopes the app is requesting, as well as any outgoing domains the app may want to access.
Outgoing domains are a new concept, and apply only to apps deployed to Slack's managed infrastructure. These are domains the app may require access to β for example, if a developer writes a function that makes a request to an external API, they will need to include that API in their outgoing domains. Outgoing domains do not constrain which ports on those domains a function can communicate with. Administrators can now approve or deny apps based on these defined outgoing domains, in the same way they would OAuth scopes.
If you are using the Admin-Approved Apps APIs to manage your app approval process, there will be some changes to the API responses you receive as well as some new parameters that you can send to account for the new concept of outgoing domains that applies to apps deployed to Slack's managed infrastructure.
The following endpoints will now have a domains field next to the existing scopes field, as a string array:
A response would look like this:
"scopes": [
{
"name": "app_mentions:read",
"description": "View messages that directly mention @your_slack_app in conversations that the app is in",
"token_type": "bot"
}
],
"domains": ['slack.com'],
Additionally, the following endpoints will now have an optional domains string array field for including outgoing domains that should be included in the approve or deny request:
If the domains array is left empty, the method will look up the domains specified by the app.
For developers, the most important thing to know is that you may run into extra steps when deploying your apps. If the administrators of your workspace have enabled Admin-Approved Apps, it means your app will need approval before it can be deployed.
In this case, after you run slack deploy, a prompt will notify you via the CLI that admin approval is required on this workspace. You'll also be prompted to enter y or n to send a request to the workspace admin for approval to install your app.
Administrators will see which OAuth scopes your app is requesting, as well as which outgoing domains your app is requesting access to. Outgoing domains are specified in the outgoingDomains array of your apps manifest.ts file as comma-separated strings. Administrators may also ask for an additional description for your app. If this is enabled, you will be asked to provide that information when you deploy your app using the CLI.
Once you have admin approval, you'll receive a notification from Slackbot, and can then deploy your app. If you receive a Slackbot notification that your app was denied, reach out to your workspace administrator.
Finally, if your app needs to request a new OAuth scope or outgoing domain, it will again trigger the approval process above. The existing app installation will continue to function, but the new scope or outgoing domain will not be functional until the app is reapproved and redeployed.
Have 2 minutes to provide some feedback?
We'd love to hear about your experience building modular Slack apps. Please complete our short survey so we can use your feedback to improve.