Welcome to our community!

Whitelist custom extensions in 6.5+

Avatar
shawnkhall
  • updated
  • Considering for Future Release

Background: Control 6.5 imposes a signature validation scheme to ensure the integrity of the Connect install (per this post). This is a net good for most of the community base. For the rest of us it's more trouble than it's worth.


Request: We need the ability to either whitelist custom extensions from validation or disable the signature validation scheme entirely.


Reasoning: I've developed quite a few extensions in an on-premise Control installation to automate significant portions of my business. I'm not willing to share some of this code since it exposes the inner workings of my business, sometimes usernames and passwords, trigger URLs, and plenty of other information that would be useless for the rest of the world, but could increase the risk of my own business data should it be shared with a third party -- even ConnectWise. Microsoft, Google and Adobe have each been hacked in the past, so it's safe to assume that anything I share with CW will eventually be exposed as well.


The hosted developer instance option requires me to share business logic and requires significant rewrites to the code for each of my extensions to be able to prevent business information exposure. Furthermore, as far as I can tell, some of the functionality can not be rewritten in a way that prevents this exposure.


I've submitted an extension to CW in the past and it took weeks to have it approved. It took weeks to be approved for a developer instance. I can only imagine initial approval of each of my extensions to be able to use them in my own on-premise install will take weeks as well, and even minor updates to my extension (such as cosmetic changes or field formatting) will likely take weeks to be approved as well. 


On-premise users require the ability to continue to use and develop our extensions without exposure to ConnectWise. Please enable us to whitelist our custom extensions within the web.config so we can maintain the integrity of our own installations and source code.

Replies 22
Avatar
0
David T

Missed your meeting deadline...but from what I've seen Connectwise doesn't want to work with 3rd parties unless the 3rd parties are willing to let them rent seek double-digit profits from their partners. 

I've moved my development efforts to MeshCentral and Tactical RMM which are much more open (on github) and willing to work with integrations. Screenconnect will probably one day leave my infrastructure entirely after 10+ years of use.

Avatar
0
shawnkhall

I have a meeting scheduled with CW tomorrow morning on this topic. If anyone has anything else they'd like me to bring up before them please reply here or email me directly thru my name.

Avatar
2
iw_rylee
Quote from shawnkhall

Yes. Last year I installed an on-prem instance running 6.5 for testing and to look for how to disable the new "feature" myself so I don't have to get permission to use my own extensions. My instance was remotely disabled by CW after about 36 hours.


Before installing the 6.5 instance I read the license to make sure what I was doing was within the bounds of the terms of use, and it was, per my concurrent session license. Not once does the license stipulate how many on-prem instances I can install, only the number of concurrent sessions I can use. I never came close to the number of concurrent sessions across both instances (mostly because the second instance was NEVER used to login to any device and was used exclusively to review the code and test my extensions). There were zero external devices connected to it -- the only device it even had an Access client installed for was itself. I contacted CW when it was disabled to have it reinstated and they said that my use (installing a second instance for development purposes) was in violation of the license because I had the ability to use a "Hosted instance" for extension development and testing, which you can see from my concerns and screenshots in this thread, simply isn't true.

If anyone has a 6.5+ license installed and active I would love to be able to get a look at it in order to address this issue.

I'm not surprised at all. It seems like they want all extensions to go through their process.

I believe they want free development for future features by using developers code submitted along with their extensions.

I've submitted extensions in the past where they have been rejected since they might not work on a cloud instance due to possible issues in the code. These issues are completely irrelevant with our on-premise setup but the extension still would not get signed. A small example is included external DLL files (such as NewtonsoftJson) for easier JSON handling - not possible since the extension would never work on a cloud instance where you don't have access to include these files.

If they really wanted us to have our own extensions, they would allow all custom extensions for on-premise installs and only cloud instances require a signed extension

Avatar
1
shawnkhall
Quote from David T

...so since the code is local for on-prem, and it's all asp.net and C# code...anyone delved into how to customize connectwise and disable blocking of the developer extension and adding your own extensions? #AskingForAFriend

Yes. Last year I installed an on-prem instance running 6.5 for testing and to look for how to disable the new "feature" myself so I don't have to get permission to use my own extensions. My instance was remotely disabled by CW after about 36 hours.


Before installing the 6.5 instance I read the license to make sure what I was doing was within the bounds of the terms of use, and it was, per my concurrent session license. Not once does the license stipulate how many on-prem instances I can install, only the number of concurrent sessions I can use. I never came close to the number of concurrent sessions across both instances (mostly because the second instance was NEVER used to login to any device and was used exclusively to review the code and test my extensions). There were zero external devices connected to it -- the only device it even had an Access client installed for was itself. I contacted CW when it was disabled to have it reinstated and they said that my use (installing a second instance for development purposes) was in violation of the license because I had the ability to use a "Hosted instance" for extension development and testing, which you can see from my concerns and screenshots in this thread, simply isn't true.

If anyone has a 6.5+ license installed and active I would love to be able to get a look at it in order to address this issue.

Avatar
1
David T

...so since the code is local for on-prem, and it's all asp.net and C# code...anyone delved into how to customize connectwise and disable blocking of the developer extension and adding your own extensions? #AskingForAFriend

Avatar
1
shawnkhall

CW has changed their sites several times since this was requested. The link for the forum post is now only available through the wayback archive here. Since the CW docs domain blocked the wayback machine it was never able to capture the other pages. :(

Avatar
1
shawnkhall

As if punctuating my argument for the ability to edit our own extensions without having to deal with ConnectWise's "approval process," this is the current state of Extension Development as of March 2021 (and acknowledged for the last two months, but the sad reality much much longer):

Note specifically: "turn-around times for existing submissions may take 14 business days or longer." That's three "business" weeks OR LONGER. This is just so you can use your own code on your own on-premise installation. Insanity.

Can we please get an update from ConnectWise on this feature request?

Avatar
2
Benjamin

I completely agree. I went with connectwise several years ago for the customization labtech and screenconnect offered. Now they keep taking features away and making the product worse. I can't ever get any real support out of them anymore when something breaks either. Endless ticket blackholes and basically told that is just how it is and maybe they will fix it someday. Really sad to see a tech company go this way.

Avatar
2
GMCfourX4

It's been well over 2 years now, and still no change. The message is clear - "Find another solution, ConnectWise does not care, and does not want your business."

Avatar
0
Caitlin M Barnes Team Member
Quote from shawnkhall

I submitted one of my extensions almost FOUR MONTHS ago to the "approval process" and it has yet to be approved by ConnectWise. As far as I'm concerned this is breach of contract. 

Hi Shawn, 

Sorry for the delay in extension review. I'll follow up with the team today and see if I can get that pushed through. 

The ConnectWise Control team was recently restructured, leaving some extension reviews in an unknown status.

Best, 


Caitlin 



Top contributors
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar