First time building for AppExchange?
Launching your app on AppExchange is a fantastic way to gain visibility into more buyers, deepen your product’s integration to Salesforce, or just build a great solution for Salesforce users. If it’s your first time, though, you should understand the process that it takes to list your app and make sure you are planning appropriately and sticking to best-practices to make sure you minimize any speedbumbs along the way.
To launch an app on Appexchange, you have to be an approved ISV partner. You will need to submit your application, complete due diligence, and submit the business case for your app for approval. These shouldn’t hold you up, just make sure you have the training and reporting channels requested during due diligence.
You don’t need to be approved to start development, of course, but you don’t want to have a pending application hold up your security review or launch process.
Part of this process will likely include a call with a partner account manager who can help you navigate the process to get launched. If you get a PAM, take advantage of the information they can give you and questions they can answer. Post-launch, they can also be extremely helpful navigating the marketing options within AppExchange and beyond.
First, make sure you have planned for the time a couple of rounds of security review will take, as nearly every app will go through a couple of rounds. Even if it’s a simple app and you have been extremely thorough, you should prepare to have at least one or two rounds of security review.
There are some great tools to help you make sure your reviews are minimal, though. OWASP code scanners can be extremely helpful to identify gaps and areas of concern before you submit. Be sure to also conduct unit tests and check code coverage - you can see specific instructions on how to do that here.
There are a few reasons not to skip any of the best practices leading into security review. First, it can sometimes take several weeks to get results back. Once you also factor in the time required to rectify issues, you have a significantly extended timeline. Secondly (at the time of writing), partners get three free scans per review. After that, you will be paying for additional reviews.
If it’s your first time building for AppExchange - save yourself time, heartache, and money by sticking to the established best practices and minimizing your security reviews. This is one of the most common places we see many first-time AppExchange partners stumble.
Another thing to consider for security review are any 3rd party apis you are integrating to. Make sure you include those into any security scanning you do, since they are considered part of oyur package.
Another great feature of building for AppExchange is the ability to rapidly and easily deploy demo/trial orgs for potential buyers. This starts in environment hub - Salesforce’s tool for partners to create orgs on demand. This is where you’ll create your Trialforce templates, and if you need specific packages enabled, you can create a case to have those enabled as well. Just make sure they are packages you have actually tested against and can support, or expect your customer’s demo orgs to have lots of unexpected outcomes.
You need to be a fully-approved partner to get access to environment hub and all the these features, which is just another reason to take care of the business-side of things as early as possible. Having a trial/demo org will clearly differentiate you and make you stand out on AppExchange.
These three tips are great places to start - but there is a lot more to think about once you actually start developing for AppExchange. From our experience doing this over and over again, the biggest advice we would give for a first time launch is expect it to take longer than you think. There will always be unknown-unknowns that pop-up and throw off your ideal timeline. We do this all day - you can always reach out and have a conversation with our team to get a realistic assessment and a clear checklist of things to think about.