> ## Documentation Index
> Fetch the complete documentation index at: https://docs.zerotwo.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Admin App Controls

> Manage which connectors are available across your organization from the Apps panel.

The Apps panel at `/admin/apps` gives org Owners and Admins control over which connectors (integrations) are available to team members. Use app controls to standardize your org's toolset, restrict unauthorized data connections, and pre-configure connectors for all members.

<Info>
  App controls are available to **Owner** and **Admin** roles. Standard Members cannot access `/admin/apps`.
</Info>

## What Are App Controls?

Connectors are the integrations that let ZeroTwo access external services — things like GitHub, Google Drive, Notion, Supabase, Linear, and others. By default, members can connect any available integration to their personal ZeroTwo account.

App controls let you change that:

* **Allow** specific connectors for your org (and restrict everything else)
* **Block** specific connectors you don't want members using
* **Pre-configure** connectors so all members have org-level apps connected by default

## Why Use App Controls?

<CardGroup cols={2}>
  <Card title="Data Security" icon="lock">
    Prevent members from connecting personal accounts (social media, personal cloud storage) to a work AI workspace. Keep data flows within approved systems.
  </Card>

  <Card title="Standardization" icon="check-circle">
    Ensure your whole team uses the same set of tools. Avoid fragmentation where some members have GitHub connected and others don't.
  </Card>

  <Card title="Compliance" icon="shield">
    Some organizations have policies about which external services can access their data. App controls help enforce those policies.
  </Card>

  <Card title="Onboarding" icon="user-plus">
    Pre-connect org-level apps so new members are productive from day one without manual setup.
  </Card>
</CardGroup>

## What You Can Do

### Allow or Restrict Connectors

You can configure which connectors are available to org members:

* **Allow all** — members can connect any supported integration (default behavior)
* **Allow specific** — only the connectors you approve are available; others are hidden or blocked
* **Block specific** — most connectors remain available, but specified ones are restricted

To configure:

1. Navigate to `/admin/apps`
2. Find the connector you want to manage
3. Set its status: Allowed, Blocked, or Required
4. Save — the policy applies to all members

### Pre-Connect Org-Level Apps

Some connectors can be configured at the org level so that all members automatically have them connected. This is useful for:

* **Company GitHub** — connect your org's GitHub so all developers have immediate access
* **Shared Google Drive** — connect a shared workspace drive for the whole team
* **Project management tools** — pre-connect Linear, Notion, or Jira to a shared workspace

To set up a pre-connected org app:

1. Go to `/admin/apps`
2. Find the connector you want to configure org-wide
3. Add the org-level credentials or OAuth connection
4. Enable it for all members
5. New members who join the org will have this connector available automatically

### Block Personal Connectors

If your org doesn't want members connecting personal accounts that fall outside of work use:

1. Navigate to `/admin/apps`
2. Find connectors you want to restrict (e.g., personal Dropbox, Twitter/X, consumer apps)
3. Set them to **Blocked**
4. Members will not be able to connect these services

<Tip>
  Communicate connector policies to your team before implementing restrictions. Members may be confused if they try to connect an app and find it blocked. A short team note explaining the policy saves support headaches.
</Tip>

## Important Behavior Notes

<Warning>
  App control changes affect **new connections** going forward. Existing personal connections that members have already set up are **not automatically removed** when you block a connector. To fully remove an existing connection, the member (or an Admin) needs to disconnect it manually from their connector settings.
</Warning>

This means:

* If you block GitHub today, members who already have GitHub connected retain that connection
* New connection attempts for blocked connectors will be prevented
* If you need to remove existing connections, communicate with members to disconnect them, or contact ZeroTwo support for bulk revocation options

## Connector Availability by Plan

App controls only apply within the org workspace context. The connectors available for org-level control depend on which integrations ZeroTwo supports. For a full list of supported integrations, see the [Integrations section](/integrations).

## Best Practices

**Start permissive, then tighten:**
Rather than blocking everything upfront, start by allowing all connectors and then restrict specific ones as issues or policies arise. This avoids disrupting members' workflows unnecessarily.

**Document your connector policy:**
Maintain an internal doc (or use ZeroTwo itself) to document which connectors are approved, which are blocked, and why. This helps when onboarding new admins or answering team questions.

**Review periodically:**
As your team's tools evolve, review your app control settings. Outdated restrictions may block connectors that are now approved; old org-level connections may need to be updated.

**Test before broad rollout:**
When pre-connecting an org-level app, test with one or two members before applying it broadly. Confirm that the credentials have appropriate permissions and that the integration works as expected.

## Frequently Asked Questions

<Accordion title="Can I pre-connect an OAuth app for all members without sharing credentials?">
  Yes. Org-level connectors use a centralized OAuth connection scoped to the org, rather than individual member credentials. Members access the org connector without needing to provide their own credentials for that service.
</Accordion>

<Accordion title="If I block a connector, can members request access?">
  Members will see that the connector is unavailable. They can reach out to an Admin or Owner to request it be unblocked. There is no built-in request workflow — this is handled outside of ZeroTwo (e.g., via Slack or email).
</Accordion>

<Accordion title="Do app controls apply to the Owner and Admins?">
  App controls primarily govern Member access. Owners and Admins managing the `/admin/apps` panel are not subject to the same restrictions in the same way, as they have elevated access.
</Accordion>

<Accordion title="Can I require a specific connector for all members?">
  Some connector configurations allow you to designate connectors as required or pre-connected for all members. Check the individual connector options in `/admin/apps` for availability.
</Accordion>
