So I'm new to cloud, so the concept of users installing 3rd party apps seems a little foreign to me. So by default, any user in our org can connect our Jira data to a 3rd party.
Yet, disabling the ability for users to install apps would create a serious bottleneck for us...now we have to field hundreds of requests to install apps, and I'm not even sure how the flow for that works.
What's everyone's perspective on this? Do you leave your settings to Allow, or Blocked?
I know there are existing feature requests to allow Admins to manage allowed apps.
Also some relevant tickets:
Hello @David Yu
If you’re coming from Server/DC, the Cloud model feels backwards at first, but the key is that “users installing apps” isn’t one thing. There are two different risks/controls:
1. Marketplace apps installed by admins (site-level apps)
2. User-connected apps (OAuth apps a user authorizes to access Jira data)
Your “any user can connect our Jira data to a 3rd party” concern is really #2.
My take: default to Blocked, but make approvals painless
So I’d recommend:
Block user apps
Provide a lightweight request + fast-track process so you don’t become the bottleneck
How to avoid drowning in requests
If you block user apps, the trick is to avoid turning every request into a full security review:
Publish a pre-approved list of common/low-risk apps and rubber-stamp those quickly.
For anything not on the list, require a short request template:
What problem does it solve?
What Jira data does it need?
Who owns it (team/vendor contact)?
Set an internal SLA (e.g., “pre-approved apps within 24h”).
Also: do a periodic Connected apps review (monthly/quarterly) to remove anything unknown.
Where this lives in Atlassian
In Cloud, you can control this via Connected apps (user app access) and manage app requests centrally in Atlassian admin rather than by email ping-pong.
If you have Atlassian Guard
Guard makes this a lot more scalable because you can apply app access rules (effectively allow/block control) without having to rely on “everyone can approve everything”.
When would I leave it on Allow?
Only in small, low-risk environments where Jira doesn’t contain sensitive info and you’re comfortable with users authorizing third-party access — and even then, I’d still monitor connected apps.
Hope this helps you a little.
Good luck and feel free to ask if you have any additional questions.
Cloud is a constantly changing ecosystem; managing it sometimes feels like a kind of art in itself.
I do have Atlassian Guard, I'll have to investigate that more but I didn't recall seeing any app allowlist setting there.
There is a pending feature request though to pre-approve apps:
https://jira.atlassian.com/browse/CLOUD-11676
I would stick with pre-approved apps and have them manually request them.
Hi,
Most organizations block app installation for regular users and allow only admins to install apps. This helps protect sensitive data, since third-party apps can access Jira content depending on their permissions.
To avoid bottlenecks, teams usually set up a simple request process (e.g., a service desk ticket) and maintain a list of pre-approved apps.
Leaving it open is generally only suitable for small or low-risk environments. A common best practice is:
👉 Blocked by default + quick approval workflow
Hope this helps 👍