Canvas Third-Party Integrations: Evaluating Faculty Needs, Use of Protected Data, and Accessibility
We love third party app integrations, but they bring up a host of data security and accessibility concerns. I will explore some of these concerns and some ways schools can develop policies and procedures to allow some flexibility for faculty while maintaining security and accessibility standards.
Alright. Welcome everyone. Before I get started, for the those who just came in, in, the QR code up here. If you'd like a Google slides version of this presentation, go ahead and scan that QR code. That should get you a slides version of it'll probably have a couple different things on there that aren't here. I made a few tweaks a day or two ago, but they're not on this laptop and we're not on the internet, I guess.
So you might get a few updates that you don't see here. I'll do my best, though. I'm sure I I can wing it. So this is, this section is talking about Canvas third party integrations, evaluating faculty needs, but balancing that with the use of protect, protected data and accessibility. So that's what we're kinda kinda be talking about overall today.
So my name is Christopher Casey. I'm the director of digital education at the University of Michigan Dearborn. I've been working there as a student since ninety nine, and been in various roles and just recently got upgraded to director of digital education So I oversee. I am our primary Canvas admin, and then also our primary LTI admin, everything to do with Canvas, falls under me, in my office. And for those of you who are in the Canvas community, you might recognize my name.
I'm all so, as of January, a community coach. So I'm often on the community answering questions there as well. And just a little bit about U of M dearborn, so to give you some context about some of the things that I'm gonna talk about and the size of our university. So We have approximately seven thousand FTE. We do about thirteen hundred courses, per semester, and we do collaborate pretty see with our, sister campuses, Ann Arbor, who everybody here probably knows, and also our Flint campus who is, more similar to, us in terms of size.
Come on. There we go. So hopping right in here. So third party integrations, I'm assuming most people in here, know what these are. But if not, these are the things that canvas, any learning management system, you know, it provides your core functionality.
Canvas provides you an area to do assignments area to do discussions. Third party integrations are what take those things and expand on them, add more functionality, Again, I assume most people who are here, know what these are. But that's what those do. So those third party, LTIs can send things to those, when you're using them. So things like a user's name, student ID number, email address, the course name, course IDs, great information, etcetera, etcetera.
That's all exchanged when users click on one of those links to an external tool. You know, it's important to know that there is a lot of data exchange going on in the background that you may not realize. So again, more about third party integrations. There's about five hundred apps when I wrote this. There's probably even more now on the edu app center, and there are even more of these integrations that aren't in the edu app center.
So that's just kind of the marketplace, the app store. If you're in a canvas course or you're in the admin area and you go into your settings and see the, external tools tab, that's what all these are. So there's quite a few of them. They all operate differently. Some of them use different data than others.
But there's a lot to go through. So as an admin, as a teacher, whoever is here, you might think, like, oh, that that looks great. Let's just install all of Right? Like, that that was some of everybody's initial reaction. That's just five hundred. Yeah.
We'll we'll take it all. Right? But hang on, you know, not so fast. There are some important issues to consider, and that's really what I wanna talk about today when we're looking at the integrations. We don't just necessarily want to hit the install button on everything. I will admit back in twenty thirteen when we were first implementing canvas.
We were more of the sure. Looks good. Let's just hit install on that. But over the years we've learned, you know, that's not the best approach. So if anybody's doing that right now, this is gonna be some great info for I would probably discourage you from doing that in the future.
So here are some considerations about that data, that I talked about. So some of the things you wanna think about, and again, this is gonna vary whether you're an admin like me, or whether you're a teacher, and you're gonna request this from your admin, or you might be a teacher, and you might have the ability to install these things on your then you would wanna think about these things. So before you install them, you're really gonna wanna think about, what data is this app getting from Canvas, it can vary. Right? I gave you a little list, earlier in the presentation, but this can vary based on how the app integrates with Canvas, what settings it's using, is it also using an API integration as well as an LTI So you wanna really evaluate what data is Canvas sending it. Is any of that data protected by ferpa for those of us in the US, if anybody here is in an I know there's GDPR, there's all kinds of, you know, local, and maybe even state level, concerns with the data.
So you wanna think about, right, are there any of these, are there concerns of any of this with the data that app is getting? Think about where is the data being stored. This is something we've run into, University of Michigan, dearborn, certain vendors are outside of the US. And for U of M dearborn, for the U of M system that presents challenges, for us, because we want the data to be stored in the US. If it's not, we want some assurances, our procurement office, once a assurances of where that data is being stored. Is it being encrypted, etcetera.
Do many of you guys hear that noise behind I don't know what's going on over. Sorry about I I thought like some amber of it was going off again, but, sorry if that's distracting. So where is the data being stored? And again, this is something you might not. And this is something. So me personally, as the Canvas admin, I have to go to different offices within u the U of M system to have this evaluated.
So I have learned over the years most of our rules but with a lot of this, I am still taking these as someone requests the integration. I'm looking at it, and I have to then go to different offices at U of M. So we have a procurement team. So if there's finances involved, we get them involved, when there's data issues, we have a a data privacy group that gets involved. So often, I end up being the coordinator.
I'm not necessarily a final decider. But that's gonna work differently at every institution, every school. So you're gonna have to, you know, figure out how this works at your school? What are your requirements? Where do you need to go? Who's in charge of these things? Maybe it is you? If it is, I am I am sorry that you're gonna have to deal with so many of these things, but even if it's not you, right, the the coordination, of all the different people, of all the different offices involved, can sometimes be overwhelming. But it is something I feel is really important, to do. So kind of continuing down the list here.
You know, things that we're looking for, this next bill a really important one to me is any of the data being resold. You know, that's a very important one. Even if you're not sending protected info, for vendors that might be reselling just email addresses. Right? I personally I hate spam. That is one of my biggest things I'm always in my inbox, marking things as spam.
I hate when vendors sell my email to other people. So that's something to consider. A lot of vendors don't do that, but there are some who do it. You know, and think about that, right? Think about it for your users. Not not from your personal perspective necessarily, but how are your students gonna feel about that? How are your faculty gonna feel about that? And then does the third party app maker claim ownership the data.
This is another very important point. There are some apps where if you use those to develop a course, you put data in there as a instructor, your instructor builds their content there. There are some providers who say, if you put your content in our system, we own that. Right? It's no longer the faculty's content. It's now owned by them.
Maybe they share ownership. Know, but some of them will say you put your data in our system. It's our data. It's now ours. At at u of m, those kind of systems, those are pretty much gonna be a no.
But again, that is your individual decision. You know, do you want to allow that? Are you okay with that? Do you wanna negotiate? Sometimes the vendors will negotiate other times they will not. And another important one, can your institution, you as a school, an institution, a faculty member, excuse me, can you request that the data be deleted? So, you know, if you discontinue using the app after a year or two years, can you say remove our data? We don't want it there any right, or a data breach happens. Can you request that your data be deleted? That's an important thing for us. It's not a necessarily a stopper.
But it is if a vendor says, no, you can't request your data be deleted. It is, you know, makes us halt and and do some additional thought about that integration. And then finally, who's liable if there is a data breach. Right? And again, this is something that probably some of your other teams, are gonna be involved in, like your legal team, might have some opinion on this. You of them often will make vendors have, data protection insurance depending on what data we're sending them we're sending them for a data.
We often make sure a vendor has a x dollar amount insurance policy to cover a data breach. Right? It can't get the data back, but if there, you know, if there is a breach and users have to, you know, say get it monitoring. I don't know. Whatever it could be, we wanna be able to reimburse our users, not have our students be out of that. Beyond data.
Right? So we've talked a lot about so far the data implications, but there's other things to think about when you're use integrations. Another very important one to U of M, and I hope to everybody here, is accessibility. Right? Canvas is great about accessibility, but when you're using a third party tool, you wanna make sure that that tool is also got accessibility in A lot of the vendors now know that this is important for education, but not all of them do. So there's two different kinds of accessibility to what these are what I call. So I call kind of device accessibility, which means does the app only work on the version of canvas? Can it work in the apps? Can it work on mobile? You know, does it work with safari? I I'm gonna throw safari out anybody who's an Apple person.
I am. I got a MacBook over there, but Safari is very Apple is a very data security conscious company. There are a lot of things that you try in Safari that just will not work. So you wanna at least explore that with these apps. Right? Again, that's not necessarily a blocker.
But if this app, if you're gonna purchase an app or install a free app that doesn't work universally on your devices, you need to think about how you're gonna communicate that students. Because it's it's really bad. If a student, let's say, for example, they're used to using their laptop. All of a sudden, they go on a trip Right? I'm speaking from higher ed here. So they go on a business trip to China.
Right? And maybe they just take their iPad with them. Well, if if they've been used to using web browser, all of a sudden, they just take their iPads. It's easy, and they can't use that thing for their class. That's a disaster for them. We don't wanna put them in that position.
You know, so generally, we will not install what, things that don't work pretty universally. But if you do, you know, think about, do you wanna have some kind of, you know, information that goes to the students about that, telling them that upfront, make sure they know it. And then, of course, we have accessibility for users with disabilities. So we have I put some categories on here to think about. I I will not call myself a disability accessibility expert, but I know because I deal with this.
I know a lot of these things. So there are some things like color blindness, hearing impairments, visual impairments, make sure that these apps are gonna work for all of your users. You know, you you you of them at least, and I don't think anybody here, we don't to be, you know, getting a lawsuit from somebody, you know, getting a disabilities act a lawsuit saying, I I couldn't complete this course because I have a disability this didn't work for me. So definitely think about those. So now you might be thinking that I don't know if I've overwhelmed anybody Right? So, you know, we went from thinking maybe let's just hit install to everything.
Now maybe some of you are thinking like, let's just forget these are even there. Right? But, you know, don't turn back just yet. There are some things we can do, to identify and reduce the risks. Talked a little bit about them, already some of these things that I've talked about the issues. But here's another thing you can do with app installations.
So, like I said, you have an app center in Canvas, about five hundred apps are there by default. You can restrict the list that's there. You can restrict it down to nothing. You can restrict it down to certain apps. You can whitelist things.
So there's a whitelist feature of the EDU App Center. There's also permissions. You can, as if you're an administrator, you can pick which users, you know, which roles have the ability to install an LTI. For us, I am pretty much the only one who can install, an integration, flat out. I have we have some other Canvas admins, sub account admins.
We don't give them the ability to install these. It is basically me and my backup when I'm gone. That is it. But again, that is for us. These things are something that you can decide.
I don't want I'm I'm not here to dictate to you what you should do because it's gonna be different for every institution, every school. So you have permissions. You have the white list. And then you can also, customize the text. I think I might talk about this in a slide, but I'm not sure if it's here now.
We have a way to customize that text in the edu app center so that if you do restrict the number of apps there, you can kind of still put a link back there to say, but there's more. Right? And you can put a link to your own policies in there. That's what we've done. So we don't have hardly any apps in there. We have the redirect tool.
For those of you familiar with it, faculty can add links to other websites. That's all they can do on their own, but we have a text on the top. It explains to them. This is why you don't them, here's where you go. If you want to request more, we're happy to install and and evaluate more.
We just have to get a request, and then we'll do the evaluation. So again, talking about the protecting institutional and user data, there are there is a mitigation for those of you who are familiar with installing an LTI. And for those in the live, can I get a hand can I see a hand for anybody who's installed an LTI before? Okay. It looks like almost everybody or at least a big majority. So hopefully you've seen this box before when you're working with either an one one or a one three, there is this privacy box when you're configuring the LTI.
I will tell you flat out almost every vendor I've dealt with when you look at their instructions, they say set it to public. Right? Public is send everything. Everything canvas has your your ID number your emails, your names, everything. If Canvas has it, basically send it. There there are about a hundred or so parameters that are sent.
A lot of them are innocuous. Some of them are not. But in probably about percent of cases, if you don't follow the directions and you just change that to anonymous, the integration still works perfectly. It may not. So something that might happen is in the integration, it might have a student's name somewhere there.
If you change it to anonymous, it's not gonna have their name anymore, but that's actually by design. That's for privacy. Right? But if everything the student does in there The grades still pass back. They can still do work. Like I said, there have been about ninety percent that work flawlessly.
There are a few that won't But my suggestion is, and I heard this from I I will admit I'm stealing this from a presentation. I heard here about six or seven years try it. Nothing. You're not gonna break anything by trying it. If it doesn't work, you know, it doesn't work and you need to set it back, but try anonymous.
Or if you do wanna have their names display, you can do name only. You know, but I would I would say avoid public if you can. Or if you're going to do public, that's where you really want to think about. Do you want to have some kind of agreement in place, with vendor about what they're doing with the data. Talking about API keys.
So some LTIs all also require an API key. When they're fancier, those, and I probably should put that in red and bold color those for us are a big red flag, when some event requires an API key, because then you are essentially giving that LTI or that integration. It's not NLCI anymore at that point. You're giving that integration even more access to data. When you're doing an LTI, it is really usually linked to a certain assignment, a single thing going back and forth, one grade coming back from a student submission, if you're doing the API, that would give them access to all grades.
Right? So one way to mitigate that a little bit is to use a scoped key. So you can limit what data that LTI or that API integration has access to. But you cannot limit it to just a single assignment. So if you if that thing's passing back grades, If you're using an API key, you are letting it pass that grades to any assignment from any course. So you really do want to be careful about that.
With if you trust a developer, maybe it's okay. But this has come up in a community thread just in the last couple weeks, where a vendor was asking this and saying, we can't figure out kind of how to get the LTI working. We're gonna go API and there were a bunch of myself and some other people said, no, you really should not do that. That's not the way to do this because you're gonna run into this. Universities like us are gonna tell you no.
We're not going to do that kind of operation. And then, again, with the API, if you if they need a service admin account, usually to go with API token, restrict the permissions on that as much as you can. Don't give them a full admin. Right? Again, some of the vendors will say, I need a full admin account. I'm not giving I'm sorry, but we're not giving a full admin account to anybody.
It's me and my backup. We're the only full admins. I'm not giving full admin access to a vendor. We're just not. So we have had a conversation with a couple of them to say, no.
What permit do you need, and then we evaluate, we'll create a special role and restrict the permissions down to what they need if we think it's appropriate. So again, around ferpa data, if you are going to use any of these things really in the non anonymous mode. If you're gonna be sending some of that public or anything, work with the appropriate team, usually the legal team to develop a data protection agreement. We have a standard one has. I wanted to share it with everybody, but our legal team says, no, we're not supposed to share it because they made it.
And again, this is something that every legal department is gonna have their own little spin on. I'm definitely not a lawyer, and I didn't sleep at Holiday and Express last night. So I don't want to tell you what, you know, exactly what should be in there, but I can give you the elements of ours. Right? So they're in that agreement. There is the ownership of data that we talked about.
There's the restrictions of use of that. We want the vendors to document their security practices. We wanna be notified of data breaches. That's a big one for us. You know, we we don't want vendors keeping the secret.
If they find out there's been a data breach, we want to be notified. And then again, like we talked about earlier, we want to be able to request deletion of data. That's in these are some of the in our agreement. So it's not all the legalese, but those are the main points of our data protection agreement. Again, I would recommend working with your vendors or sorry, your vendors.
Work with your legal team to develop your own and have any vendor sign that. If the vendor says no, for us, that's an automatic. If you will not agree to these simple things, we're not installing your integration. It's it's just point blank, but almost every vendor, knows that this, this these are now just requirements in education, and they're willing to work with us. I will admit it slows down the process, right, especially if they wanna negotiate.
We do get that sometimes where we send them our form and they you know, they send us back red line. We don't like that word. Use this one, then we have to get our legal team. So this can add some, you know, some time to the process, but I think it's really important to do. And then again, with the accessibility, Like I mentioned earlier, try that app on the different devices.
If you're school, if you're if you're kind of a school that gives students the device, that's actually awesome for you because you probably have less to test. We are a bring your own device school. So we pretty much have to support almost anything. We do draw some lines saying if, you know, if you're running Windows ninety five or you're you're running some I I I hate to say it for admins out there, but if you're running some version of Linux, the if it doesn't work on there, we're sorry. So we do kind of say anything major.
Right? So we we usually test for, We test on desktops, laptops, Mac windows, Windows anything usually for us now. It's like eight and forward and we also try to test on tablets and phones. And we do both iOS and Android trying to make sure we have the broadest possible compatibility. We also try different browsers. Because I know that, like I said, Safari for those Apple users out there, we want the things to work in Safari.
But that is the one where we do sometimes say. If it if it works in everything but Safari, we're going to you're, you know, we're gonna kinda put it on some of the faculty to tell users, tell their students, you can't use Safari for this, you know, should be available, Firefox, Edge, whatever are available for Mac devices. So sometimes we have to tell people do And I know there are even some canvas issues with with, Safari sometimes. So I usually don't recommend Safari anyway. And then another thing, if the app requires a download or installation of something, consider whether all your users are gonna have permission to do that.
Right? If you're, you know, if you're using school computers, a lot of those are usually locked down and people can't install stuff. So they might run into an error depending what this is. So think about that. And then does the app work with the Canvas student and the teacher apps? We find a lot of our students are using the student app. We have some students say that they exclusively use the student app to take the entire course.
They never we don't recommend it. I actually have a statement on our login page. It says, we highly recommend you use a laptop or desktop to do your quizzes and assignments, but some students exclusively use the app. So you do wanna make sure that the app works, if you have a student copy relation like ours. In terms of accessibility, does the vendor have a V Pat? Hopefully, some, a lot of people here know what that term is.
That's kind of the the voluntary, product accessibility template. It's what vendors fill out to kind of I'll I'll say to evaluate their accessibility. It's not perfect. It is not always complete, but it's a if they one available. It's a good sign that they are at least, knowledgeable about accessibility and probably have, a lot of the things they need in their product already.
There's also this website, or this kind of extension. I have the website there to get it. It's called the wave, evaluation tool. That will actually install a new Chrome you can go to any page. You can go to there.
That integration. It's gonna give you kind of a little warning number if there's issues. It's gonna tell you what they are. You can determine for yourself, are they something you're concerned about, or not? We happen to have an accessibility and disability services team who will help us evaluate these things, give us their opinion. You may not.
So that's where I said, I'm not an expert. I only I know enough to be address, but I usually, for us, I get that team involved and say, we're thinking about this. Can you take a look at it? Tell me what you think. Yes, no, are there issues? Do we need to communicate back with the vendor? And then, you know, kind of what we've been talking about all of this together. Right? This is really the the step here develop guidelines and procedures around this.
Everything we've talked about so far, we have put into a procedure. It's documented. So I have the links on the bottom there. I know they're small. Hopefully, you guys have the Google you can see them.
But document these so that you're doing the same processes for every installation you do. You don't wanna favor any certain leaders. You don't wanna favor certain faculty making a request. You really wanna make this a formal process that you use for every integration. That you do.
So, you know, all the things we've talked about, you know, who's gonna be the approver, something we haven't talked about is if there's fees, right? Who's gonna pay those fees? Cause there are a lot of free apps, but there's also plenty of then and a lot of them will come to me and say, Oh, you don't pay anything. So, great. I don't pay anything. Great. We'll install it tomorrow.
Right? But they say, oh, yeah, but we just charge students, thirty dollars. Right? But but don't worry. It's nothing to the university. For us that we generally don't do those either. We don't want to be passing on all these, I'll I'll just call them nickel and dime fees.
Right? We don't want to be passing those on to students. Often not aware of them until they actually get to the class, and then we start getting, you know, complaints about, well, why do I have to have this thing? I don't want that. So think about that. Right? Do you wanna do that? Or, you know, if you really wanna have the app, maybe you just pay as an institution. And then again, who's gonna review your data concerns, who's gonna review the accessibility, who's gonna provide support? That's another important thing when you're doing these apps.
I'm great at providing support for faculty and our students for Canvas itself. But we have about forty of these external apps installed right I support two of them. The I I did I cannot support forty. I don't have the brain power. I I don't know when the vendors change their app, you know, we don't get release notes for all these nor nor do I want them, honestly.
But think about that, and, and I would recommend and documenting it too. So we have a page documenting all of our, integrations, and then who to go to for support. Usually it's the vendors. Both of the vendors will provide support, but you wanna make sure of that, you know, or if there's gonna be no support, As long as you're okay with that, that's fine. Just say then, there's no support, be upfront with your users, and just think about that.
Right? Are you okay with that? Come on. There you go. So I just talked about that list. So publicize what you have installed. We have a, we have a page.
Oh, it's hidden on here. Alright. Well, sorry it's hidden by the sun this screen, but we have a page where you might to read it. If you have the slide, you can find it. And here is where I talk about earlier, we have that custom text.
So we customize the text they're telling people. This is what we have. You know, these are what you can install. There's the ones we already have. If you want more, here's the link to the process to do that.
So hopefully now are some people feeling a little better about this? Maybe it's manageable. Maybe not still. If it's not, I apologize. But I did have one final thing that I wanted to kind of throw in on this at the last minute here. So this is kind of near and dear to my heart.
And it is associated with what we've been talking about here. And that is educating your users about digital privacy. So a lot of these things that we talked about before were the ones, right, an admin or a legal department is gonna evaluate the security and what data is being sent, but we I feel it's important to educate our students, educate our faculty about this topic. Right? They need to know how to evaluate what they're doing on their own. And I know.
Right? Every time you install something, you get, you get that pop with, oh, you know, here's our legal agreement. I know nobody is gonna ever read all thirty pages. We're gonna I do it too. I click the darn. I button.
Is it the best practice? No. You know, but I do think it's really important that we talk to our students, talk to faculty, about that. So we've created, there. I have the link on here again. We've created a web page about this with a nice little flip book that one our student workers made, that really does a nice job about talking about these issues to faculty and to students.
So I would really encourage you if you have the ability to do something like this at your school, I'd highly recommend it. So with that being said, we have five minutes left maybe for any questions anybody might have. This bar this QR code will get you my contact information. So if you did wanna reach out to me, I I'm giving you my information there. Feel free to email call, probably email, because I'm usually remote.
But please scan that if you'd like my info and I see, hand right here for question. So my institution just, went into a partnership with our books or third private store for broad scale content delivery for digital materials, including things that were historically done through LTI's. And so the issue that I'm on the issue with it is that now these LTI's are secondary being installed through an existing LTI outside of the scope of our processes. And the legal contract is on just between us and the bookstore. Yes.
So it's like that blanket up, it gets blake gets applied to that entire legal contract, and we don't have any oversight over these other LTIs that are being delivered now through a single LTI in our platform. Any ideas or ways to navigate that moving forward? Sure. So the the question for the microphone here. So, what are there any suggestions for a situation where perhaps a bookstore or some other kind of integration is adding additional integrations on their side where you might not have control over So you install one integration in Canvas, and they then are installing ten other ones that connect to that, and then therefore, pass back to your Canvas, We have run into that with a couple vendors. I will say I don't have the the greatest advice because I don't think we've come up with a a great solution.
But one vendor, I'm not gonna name any vendors. I don't wanna, you know, shout anybody out. But we did talk to one vendor about that, and we put special language in our contract saying that, and, again, this is I don't I don't know how we know that it's being enforced, but we did put language in our contract that says everything that you as the vendor we're dealing with, all the agreements that we've signed with you for privacy and all those things, those apply to every vendor that you're integrating, you are responsible for enforcing our agreements with those vendors If there are issues, you are being held responsible as the vendor that we deal with. So again, I don't know in practice. Right? So we, theoretically, we have this legal agreement, and we have language there in practices that being done, and what would happen if there's a problem I don't know, but it's something to consider.
I know that took a lot of doing to get that vendor to agree to. But we really basically said if you don't agree to this, we're not gonna be able to move forward and keep using your integration. We're gonna have to find other options. And I I will say our bookstore has, requested that same thing. They really wanted to they requested that we actually not install any publisher LTIs.
They wanted them all to go through our bookstore. And we said no to that. We said absolutely not not. So, you know, they weren't happy about it, but they begrudgingly agreed to it because they went to continue being our bookstore. So maybe you have some leverage, but again, maybe you don't.
Alright. So that that is a tricky one. Does that help at all? I I hope it helps a little. I I'm gonna go to the back of the room because I know you had in the red shirt. I know you had your hand up first a while ago.
I'm wondering if you have any language for faculty to It has to go through all that. You know, and we just acknowledge your request and they want it to be five minutes. Yes. So the the question was do we have language directed faculty talking about these processes we've talked about today to let them know, because vendors will always say. Right? Like, oh, this is so easy.
Just install this. Right? I even got I I will say I got one last week from vendors that we need you to install our integration. Your faculty are using it, you know, they're they're to use it in a few weeks. I'm like, hang on a second. We're we're not.
It doesn't work that way here. So this first link here, and I know it's small, but if you grabbed the, PowerPoint on slide sixteen, the top link there, we do have an entire web page, outlining the process, This isn't hooked up to the internet, so I can't show you that page, but we do outline the entire process. We have a time frame. We actually went with, short. We we called it short medium and long for the time frame for all these items, you know, like like legal.
We said long. Because you never know how long it's gonna take. We didn't wanna give a number of days or anything. We just said, did it that way, but we outlined all this for faculty. So, yes.
And I would encourage you to look at that. If you want to use it as a model, feel free if you think it's too complex, make it as your see fit. I think we might have time for one more. I see it's four forty four. We'll go with fourth row, green.
One of the things we've struggled with is department schools that purchase a tool and then come to us. How have you dealt with that of of levels that are especially when you hit some of those big roadblocks and accessibility and unscoped keys, they've already paid for it. How do you manage that Sure. So the the question was, how do we manage when a department or, you know, a unit has went out and just bought, some of this software, it hasn't consulted us first, and then comes to us and said, Hey, we're ready to install this, and we have all these things, So part of it is actually this website we just talked about. So we have that process outlined.
I won't say that that you know, it is not perfect to tell people like, hey, yeah, you know, but this is what we do. We tell them, alright, we have this outlined. This is an officially approved procedure. For our university. We tell them this is great.
You paid for it. We do need to go through this process. You by paying for it, you've already taken care of a couple of the bullets, but there are more, you know, and technically you shouldn't have paid for it with, if you would have read the process. Right? But we do we try to work them as much as possible in that situation. There has there have I think there's been one time where somebody did buy something and we couldn't get all these agreements in place.
We had to end up telling them they could use it, and this isn't universal, but we did tell them you could use it as external tool. It's not gonna be an approved tool through Canvas. You they had they had a website. They could log in to separately but we told them we we cannot integrate this in canvas because, I don't I don't wanna say which one they didn't comply with, but they didn't comply all of our list of things. So we gave them that option because they'd already paid for it.
You know, we kind of made a little compromise because that was possible. So that might be a solution in some areas, but, yes, that is a very tricky thing. We did communicate this policy though, this procedure out. So that might be an important thing to do too. Is if you develop this, make sure you communicate it out.
So, again, I know we're we're past time, so thank everybody for coming. It's been great. If I could if I could have thirty seconds real quick before you guys housekeeping housekeeping items, if you're in the next session, a five o'clock session, you're welcome to stay in your seat. We'll come back around in scan you. Also realize you may have to take a restroom break or step out for a bit.
We will have to scan you to come back into the room if you do that. Also, don't forget that we love the session feedbacks. So, don't forget to rate the session in the app. We appreciate your patience. It's been different this year.
Also realize it's been a couple of years since we've been in person for a conference. So we're still learning how to get back into it as well. So we appreciate your patience in working with us and And then Oh. I see there's a QR code, and I'm I'm a QR code for your This is for swag. So Don't forget your swags.
Scan the QR code so you can get discounted for swag. And then finally, outside, it did rain while we're in this session, the panda does look really sad. He's crushed. So if you can give him some love, when you're out in the hallway, look down at him, give him some love wave at him so we can bring him back to life. He's deflated.
It rained a lot. Yeah. I think they just deflated him a little bit. This is just for the swag. Yeah. I think there's a feedback link or in the session itself. If you go back into it where you registered in the app, there should be a feedback.
So you might get a few updates that you don't see here. I'll do my best, though. I'm sure I I can wing it. So this is, this section is talking about Canvas third party integrations, evaluating faculty needs, but balancing that with the use of protect, protected data and accessibility. So that's what we're kinda kinda be talking about overall today.
So my name is Christopher Casey. I'm the director of digital education at the University of Michigan Dearborn. I've been working there as a student since ninety nine, and been in various roles and just recently got upgraded to director of digital education So I oversee. I am our primary Canvas admin, and then also our primary LTI admin, everything to do with Canvas, falls under me, in my office. And for those of you who are in the Canvas community, you might recognize my name.
I'm all so, as of January, a community coach. So I'm often on the community answering questions there as well. And just a little bit about U of M dearborn, so to give you some context about some of the things that I'm gonna talk about and the size of our university. So We have approximately seven thousand FTE. We do about thirteen hundred courses, per semester, and we do collaborate pretty see with our, sister campuses, Ann Arbor, who everybody here probably knows, and also our Flint campus who is, more similar to, us in terms of size.
Come on. There we go. So hopping right in here. So third party integrations, I'm assuming most people in here, know what these are. But if not, these are the things that canvas, any learning management system, you know, it provides your core functionality.
Canvas provides you an area to do assignments area to do discussions. Third party integrations are what take those things and expand on them, add more functionality, Again, I assume most people who are here, know what these are. But that's what those do. So those third party, LTIs can send things to those, when you're using them. So things like a user's name, student ID number, email address, the course name, course IDs, great information, etcetera, etcetera.
That's all exchanged when users click on one of those links to an external tool. You know, it's important to know that there is a lot of data exchange going on in the background that you may not realize. So again, more about third party integrations. There's about five hundred apps when I wrote this. There's probably even more now on the edu app center, and there are even more of these integrations that aren't in the edu app center.
So that's just kind of the marketplace, the app store. If you're in a canvas course or you're in the admin area and you go into your settings and see the, external tools tab, that's what all these are. So there's quite a few of them. They all operate differently. Some of them use different data than others.
But there's a lot to go through. So as an admin, as a teacher, whoever is here, you might think, like, oh, that that looks great. Let's just install all of Right? Like, that that was some of everybody's initial reaction. That's just five hundred. Yeah.
We'll we'll take it all. Right? But hang on, you know, not so fast. There are some important issues to consider, and that's really what I wanna talk about today when we're looking at the integrations. We don't just necessarily want to hit the install button on everything. I will admit back in twenty thirteen when we were first implementing canvas.
We were more of the sure. Looks good. Let's just hit install on that. But over the years we've learned, you know, that's not the best approach. So if anybody's doing that right now, this is gonna be some great info for I would probably discourage you from doing that in the future.
So here are some considerations about that data, that I talked about. So some of the things you wanna think about, and again, this is gonna vary whether you're an admin like me, or whether you're a teacher, and you're gonna request this from your admin, or you might be a teacher, and you might have the ability to install these things on your then you would wanna think about these things. So before you install them, you're really gonna wanna think about, what data is this app getting from Canvas, it can vary. Right? I gave you a little list, earlier in the presentation, but this can vary based on how the app integrates with Canvas, what settings it's using, is it also using an API integration as well as an LTI So you wanna really evaluate what data is Canvas sending it. Is any of that data protected by ferpa for those of us in the US, if anybody here is in an I know there's GDPR, there's all kinds of, you know, local, and maybe even state level, concerns with the data.
So you wanna think about, right, are there any of these, are there concerns of any of this with the data that app is getting? Think about where is the data being stored. This is something we've run into, University of Michigan, dearborn, certain vendors are outside of the US. And for U of M dearborn, for the U of M system that presents challenges, for us, because we want the data to be stored in the US. If it's not, we want some assurances, our procurement office, once a assurances of where that data is being stored. Is it being encrypted, etcetera.
Do many of you guys hear that noise behind I don't know what's going on over. Sorry about I I thought like some amber of it was going off again, but, sorry if that's distracting. So where is the data being stored? And again, this is something you might not. And this is something. So me personally, as the Canvas admin, I have to go to different offices within u the U of M system to have this evaluated.
So I have learned over the years most of our rules but with a lot of this, I am still taking these as someone requests the integration. I'm looking at it, and I have to then go to different offices at U of M. So we have a procurement team. So if there's finances involved, we get them involved, when there's data issues, we have a a data privacy group that gets involved. So often, I end up being the coordinator.
I'm not necessarily a final decider. But that's gonna work differently at every institution, every school. So you're gonna have to, you know, figure out how this works at your school? What are your requirements? Where do you need to go? Who's in charge of these things? Maybe it is you? If it is, I am I am sorry that you're gonna have to deal with so many of these things, but even if it's not you, right, the the coordination, of all the different people, of all the different offices involved, can sometimes be overwhelming. But it is something I feel is really important, to do. So kind of continuing down the list here.
You know, things that we're looking for, this next bill a really important one to me is any of the data being resold. You know, that's a very important one. Even if you're not sending protected info, for vendors that might be reselling just email addresses. Right? I personally I hate spam. That is one of my biggest things I'm always in my inbox, marking things as spam.
I hate when vendors sell my email to other people. So that's something to consider. A lot of vendors don't do that, but there are some who do it. You know, and think about that, right? Think about it for your users. Not not from your personal perspective necessarily, but how are your students gonna feel about that? How are your faculty gonna feel about that? And then does the third party app maker claim ownership the data.
This is another very important point. There are some apps where if you use those to develop a course, you put data in there as a instructor, your instructor builds their content there. There are some providers who say, if you put your content in our system, we own that. Right? It's no longer the faculty's content. It's now owned by them.
Maybe they share ownership. Know, but some of them will say you put your data in our system. It's our data. It's now ours. At at u of m, those kind of systems, those are pretty much gonna be a no.
But again, that is your individual decision. You know, do you want to allow that? Are you okay with that? Do you wanna negotiate? Sometimes the vendors will negotiate other times they will not. And another important one, can your institution, you as a school, an institution, a faculty member, excuse me, can you request that the data be deleted? So, you know, if you discontinue using the app after a year or two years, can you say remove our data? We don't want it there any right, or a data breach happens. Can you request that your data be deleted? That's an important thing for us. It's not a necessarily a stopper.
But it is if a vendor says, no, you can't request your data be deleted. It is, you know, makes us halt and and do some additional thought about that integration. And then finally, who's liable if there is a data breach. Right? And again, this is something that probably some of your other teams, are gonna be involved in, like your legal team, might have some opinion on this. You of them often will make vendors have, data protection insurance depending on what data we're sending them we're sending them for a data.
We often make sure a vendor has a x dollar amount insurance policy to cover a data breach. Right? It can't get the data back, but if there, you know, if there is a breach and users have to, you know, say get it monitoring. I don't know. Whatever it could be, we wanna be able to reimburse our users, not have our students be out of that. Beyond data.
Right? So we've talked a lot about so far the data implications, but there's other things to think about when you're use integrations. Another very important one to U of M, and I hope to everybody here, is accessibility. Right? Canvas is great about accessibility, but when you're using a third party tool, you wanna make sure that that tool is also got accessibility in A lot of the vendors now know that this is important for education, but not all of them do. So there's two different kinds of accessibility to what these are what I call. So I call kind of device accessibility, which means does the app only work on the version of canvas? Can it work in the apps? Can it work on mobile? You know, does it work with safari? I I'm gonna throw safari out anybody who's an Apple person.
I am. I got a MacBook over there, but Safari is very Apple is a very data security conscious company. There are a lot of things that you try in Safari that just will not work. So you wanna at least explore that with these apps. Right? Again, that's not necessarily a blocker.
But if this app, if you're gonna purchase an app or install a free app that doesn't work universally on your devices, you need to think about how you're gonna communicate that students. Because it's it's really bad. If a student, let's say, for example, they're used to using their laptop. All of a sudden, they go on a trip Right? I'm speaking from higher ed here. So they go on a business trip to China.
Right? And maybe they just take their iPad with them. Well, if if they've been used to using web browser, all of a sudden, they just take their iPads. It's easy, and they can't use that thing for their class. That's a disaster for them. We don't wanna put them in that position.
You know, so generally, we will not install what, things that don't work pretty universally. But if you do, you know, think about, do you wanna have some kind of, you know, information that goes to the students about that, telling them that upfront, make sure they know it. And then, of course, we have accessibility for users with disabilities. So we have I put some categories on here to think about. I I will not call myself a disability accessibility expert, but I know because I deal with this.
I know a lot of these things. So there are some things like color blindness, hearing impairments, visual impairments, make sure that these apps are gonna work for all of your users. You know, you you you of them at least, and I don't think anybody here, we don't to be, you know, getting a lawsuit from somebody, you know, getting a disabilities act a lawsuit saying, I I couldn't complete this course because I have a disability this didn't work for me. So definitely think about those. So now you might be thinking that I don't know if I've overwhelmed anybody Right? So, you know, we went from thinking maybe let's just hit install to everything.
Now maybe some of you are thinking like, let's just forget these are even there. Right? But, you know, don't turn back just yet. There are some things we can do, to identify and reduce the risks. Talked a little bit about them, already some of these things that I've talked about the issues. But here's another thing you can do with app installations.
So, like I said, you have an app center in Canvas, about five hundred apps are there by default. You can restrict the list that's there. You can restrict it down to nothing. You can restrict it down to certain apps. You can whitelist things.
So there's a whitelist feature of the EDU App Center. There's also permissions. You can, as if you're an administrator, you can pick which users, you know, which roles have the ability to install an LTI. For us, I am pretty much the only one who can install, an integration, flat out. I have we have some other Canvas admins, sub account admins.
We don't give them the ability to install these. It is basically me and my backup when I'm gone. That is it. But again, that is for us. These things are something that you can decide.
I don't want I'm I'm not here to dictate to you what you should do because it's gonna be different for every institution, every school. So you have permissions. You have the white list. And then you can also, customize the text. I think I might talk about this in a slide, but I'm not sure if it's here now.
We have a way to customize that text in the edu app center so that if you do restrict the number of apps there, you can kind of still put a link back there to say, but there's more. Right? And you can put a link to your own policies in there. That's what we've done. So we don't have hardly any apps in there. We have the redirect tool.
For those of you familiar with it, faculty can add links to other websites. That's all they can do on their own, but we have a text on the top. It explains to them. This is why you don't them, here's where you go. If you want to request more, we're happy to install and and evaluate more.
We just have to get a request, and then we'll do the evaluation. So again, talking about the protecting institutional and user data, there are there is a mitigation for those of you who are familiar with installing an LTI. And for those in the live, can I get a hand can I see a hand for anybody who's installed an LTI before? Okay. It looks like almost everybody or at least a big majority. So hopefully you've seen this box before when you're working with either an one one or a one three, there is this privacy box when you're configuring the LTI.
I will tell you flat out almost every vendor I've dealt with when you look at their instructions, they say set it to public. Right? Public is send everything. Everything canvas has your your ID number your emails, your names, everything. If Canvas has it, basically send it. There there are about a hundred or so parameters that are sent.
A lot of them are innocuous. Some of them are not. But in probably about percent of cases, if you don't follow the directions and you just change that to anonymous, the integration still works perfectly. It may not. So something that might happen is in the integration, it might have a student's name somewhere there.
If you change it to anonymous, it's not gonna have their name anymore, but that's actually by design. That's for privacy. Right? But if everything the student does in there The grades still pass back. They can still do work. Like I said, there have been about ninety percent that work flawlessly.
There are a few that won't But my suggestion is, and I heard this from I I will admit I'm stealing this from a presentation. I heard here about six or seven years try it. Nothing. You're not gonna break anything by trying it. If it doesn't work, you know, it doesn't work and you need to set it back, but try anonymous.
Or if you do wanna have their names display, you can do name only. You know, but I would I would say avoid public if you can. Or if you're going to do public, that's where you really want to think about. Do you want to have some kind of agreement in place, with vendor about what they're doing with the data. Talking about API keys.
So some LTIs all also require an API key. When they're fancier, those, and I probably should put that in red and bold color those for us are a big red flag, when some event requires an API key, because then you are essentially giving that LTI or that integration. It's not NLCI anymore at that point. You're giving that integration even more access to data. When you're doing an LTI, it is really usually linked to a certain assignment, a single thing going back and forth, one grade coming back from a student submission, if you're doing the API, that would give them access to all grades.
Right? So one way to mitigate that a little bit is to use a scoped key. So you can limit what data that LTI or that API integration has access to. But you cannot limit it to just a single assignment. So if you if that thing's passing back grades, If you're using an API key, you are letting it pass that grades to any assignment from any course. So you really do want to be careful about that.
With if you trust a developer, maybe it's okay. But this has come up in a community thread just in the last couple weeks, where a vendor was asking this and saying, we can't figure out kind of how to get the LTI working. We're gonna go API and there were a bunch of myself and some other people said, no, you really should not do that. That's not the way to do this because you're gonna run into this. Universities like us are gonna tell you no.
We're not going to do that kind of operation. And then, again, with the API, if you if they need a service admin account, usually to go with API token, restrict the permissions on that as much as you can. Don't give them a full admin. Right? Again, some of the vendors will say, I need a full admin account. I'm not giving I'm sorry, but we're not giving a full admin account to anybody.
It's me and my backup. We're the only full admins. I'm not giving full admin access to a vendor. We're just not. So we have had a conversation with a couple of them to say, no.
What permit do you need, and then we evaluate, we'll create a special role and restrict the permissions down to what they need if we think it's appropriate. So again, around ferpa data, if you are going to use any of these things really in the non anonymous mode. If you're gonna be sending some of that public or anything, work with the appropriate team, usually the legal team to develop a data protection agreement. We have a standard one has. I wanted to share it with everybody, but our legal team says, no, we're not supposed to share it because they made it.
And again, this is something that every legal department is gonna have their own little spin on. I'm definitely not a lawyer, and I didn't sleep at Holiday and Express last night. So I don't want to tell you what, you know, exactly what should be in there, but I can give you the elements of ours. Right? So they're in that agreement. There is the ownership of data that we talked about.
There's the restrictions of use of that. We want the vendors to document their security practices. We wanna be notified of data breaches. That's a big one for us. You know, we we don't want vendors keeping the secret.
If they find out there's been a data breach, we want to be notified. And then again, like we talked about earlier, we want to be able to request deletion of data. That's in these are some of the in our agreement. So it's not all the legalese, but those are the main points of our data protection agreement. Again, I would recommend working with your vendors or sorry, your vendors.
Work with your legal team to develop your own and have any vendor sign that. If the vendor says no, for us, that's an automatic. If you will not agree to these simple things, we're not installing your integration. It's it's just point blank, but almost every vendor, knows that this, this these are now just requirements in education, and they're willing to work with us. I will admit it slows down the process, right, especially if they wanna negotiate.
We do get that sometimes where we send them our form and they you know, they send us back red line. We don't like that word. Use this one, then we have to get our legal team. So this can add some, you know, some time to the process, but I think it's really important to do. And then again, with the accessibility, Like I mentioned earlier, try that app on the different devices.
If you're school, if you're if you're kind of a school that gives students the device, that's actually awesome for you because you probably have less to test. We are a bring your own device school. So we pretty much have to support almost anything. We do draw some lines saying if, you know, if you're running Windows ninety five or you're you're running some I I I hate to say it for admins out there, but if you're running some version of Linux, the if it doesn't work on there, we're sorry. So we do kind of say anything major.
Right? So we we usually test for, We test on desktops, laptops, Mac windows, Windows anything usually for us now. It's like eight and forward and we also try to test on tablets and phones. And we do both iOS and Android trying to make sure we have the broadest possible compatibility. We also try different browsers. Because I know that, like I said, Safari for those Apple users out there, we want the things to work in Safari.
But that is the one where we do sometimes say. If it if it works in everything but Safari, we're going to you're, you know, we're gonna kinda put it on some of the faculty to tell users, tell their students, you can't use Safari for this, you know, should be available, Firefox, Edge, whatever are available for Mac devices. So sometimes we have to tell people do And I know there are even some canvas issues with with, Safari sometimes. So I usually don't recommend Safari anyway. And then another thing, if the app requires a download or installation of something, consider whether all your users are gonna have permission to do that.
Right? If you're, you know, if you're using school computers, a lot of those are usually locked down and people can't install stuff. So they might run into an error depending what this is. So think about that. And then does the app work with the Canvas student and the teacher apps? We find a lot of our students are using the student app. We have some students say that they exclusively use the student app to take the entire course.
They never we don't recommend it. I actually have a statement on our login page. It says, we highly recommend you use a laptop or desktop to do your quizzes and assignments, but some students exclusively use the app. So you do wanna make sure that the app works, if you have a student copy relation like ours. In terms of accessibility, does the vendor have a V Pat? Hopefully, some, a lot of people here know what that term is.
That's kind of the the voluntary, product accessibility template. It's what vendors fill out to kind of I'll I'll say to evaluate their accessibility. It's not perfect. It is not always complete, but it's a if they one available. It's a good sign that they are at least, knowledgeable about accessibility and probably have, a lot of the things they need in their product already.
There's also this website, or this kind of extension. I have the website there to get it. It's called the wave, evaluation tool. That will actually install a new Chrome you can go to any page. You can go to there.
That integration. It's gonna give you kind of a little warning number if there's issues. It's gonna tell you what they are. You can determine for yourself, are they something you're concerned about, or not? We happen to have an accessibility and disability services team who will help us evaluate these things, give us their opinion. You may not.
So that's where I said, I'm not an expert. I only I know enough to be address, but I usually, for us, I get that team involved and say, we're thinking about this. Can you take a look at it? Tell me what you think. Yes, no, are there issues? Do we need to communicate back with the vendor? And then, you know, kind of what we've been talking about all of this together. Right? This is really the the step here develop guidelines and procedures around this.
Everything we've talked about so far, we have put into a procedure. It's documented. So I have the links on the bottom there. I know they're small. Hopefully, you guys have the Google you can see them.
But document these so that you're doing the same processes for every installation you do. You don't wanna favor any certain leaders. You don't wanna favor certain faculty making a request. You really wanna make this a formal process that you use for every integration. That you do.
So, you know, all the things we've talked about, you know, who's gonna be the approver, something we haven't talked about is if there's fees, right? Who's gonna pay those fees? Cause there are a lot of free apps, but there's also plenty of then and a lot of them will come to me and say, Oh, you don't pay anything. So, great. I don't pay anything. Great. We'll install it tomorrow.
Right? But they say, oh, yeah, but we just charge students, thirty dollars. Right? But but don't worry. It's nothing to the university. For us that we generally don't do those either. We don't want to be passing on all these, I'll I'll just call them nickel and dime fees.
Right? We don't want to be passing those on to students. Often not aware of them until they actually get to the class, and then we start getting, you know, complaints about, well, why do I have to have this thing? I don't want that. So think about that. Right? Do you wanna do that? Or, you know, if you really wanna have the app, maybe you just pay as an institution. And then again, who's gonna review your data concerns, who's gonna review the accessibility, who's gonna provide support? That's another important thing when you're doing these apps.
I'm great at providing support for faculty and our students for Canvas itself. But we have about forty of these external apps installed right I support two of them. The I I did I cannot support forty. I don't have the brain power. I I don't know when the vendors change their app, you know, we don't get release notes for all these nor nor do I want them, honestly.
But think about that, and, and I would recommend and documenting it too. So we have a page documenting all of our, integrations, and then who to go to for support. Usually it's the vendors. Both of the vendors will provide support, but you wanna make sure of that, you know, or if there's gonna be no support, As long as you're okay with that, that's fine. Just say then, there's no support, be upfront with your users, and just think about that.
Right? Are you okay with that? Come on. There you go. So I just talked about that list. So publicize what you have installed. We have a, we have a page.
Oh, it's hidden on here. Alright. Well, sorry it's hidden by the sun this screen, but we have a page where you might to read it. If you have the slide, you can find it. And here is where I talk about earlier, we have that custom text.
So we customize the text they're telling people. This is what we have. You know, these are what you can install. There's the ones we already have. If you want more, here's the link to the process to do that.
So hopefully now are some people feeling a little better about this? Maybe it's manageable. Maybe not still. If it's not, I apologize. But I did have one final thing that I wanted to kind of throw in on this at the last minute here. So this is kind of near and dear to my heart.
And it is associated with what we've been talking about here. And that is educating your users about digital privacy. So a lot of these things that we talked about before were the ones, right, an admin or a legal department is gonna evaluate the security and what data is being sent, but we I feel it's important to educate our students, educate our faculty about this topic. Right? They need to know how to evaluate what they're doing on their own. And I know.
Right? Every time you install something, you get, you get that pop with, oh, you know, here's our legal agreement. I know nobody is gonna ever read all thirty pages. We're gonna I do it too. I click the darn. I button.
Is it the best practice? No. You know, but I do think it's really important that we talk to our students, talk to faculty, about that. So we've created, there. I have the link on here again. We've created a web page about this with a nice little flip book that one our student workers made, that really does a nice job about talking about these issues to faculty and to students.
So I would really encourage you if you have the ability to do something like this at your school, I'd highly recommend it. So with that being said, we have five minutes left maybe for any questions anybody might have. This bar this QR code will get you my contact information. So if you did wanna reach out to me, I I'm giving you my information there. Feel free to email call, probably email, because I'm usually remote.
But please scan that if you'd like my info and I see, hand right here for question. So my institution just, went into a partnership with our books or third private store for broad scale content delivery for digital materials, including things that were historically done through LTI's. And so the issue that I'm on the issue with it is that now these LTI's are secondary being installed through an existing LTI outside of the scope of our processes. And the legal contract is on just between us and the bookstore. Yes.
So it's like that blanket up, it gets blake gets applied to that entire legal contract, and we don't have any oversight over these other LTIs that are being delivered now through a single LTI in our platform. Any ideas or ways to navigate that moving forward? Sure. So the the question for the microphone here. So, what are there any suggestions for a situation where perhaps a bookstore or some other kind of integration is adding additional integrations on their side where you might not have control over So you install one integration in Canvas, and they then are installing ten other ones that connect to that, and then therefore, pass back to your Canvas, We have run into that with a couple vendors. I will say I don't have the the greatest advice because I don't think we've come up with a a great solution.
But one vendor, I'm not gonna name any vendors. I don't wanna, you know, shout anybody out. But we did talk to one vendor about that, and we put special language in our contract saying that, and, again, this is I don't I don't know how we know that it's being enforced, but we did put language in our contract that says everything that you as the vendor we're dealing with, all the agreements that we've signed with you for privacy and all those things, those apply to every vendor that you're integrating, you are responsible for enforcing our agreements with those vendors If there are issues, you are being held responsible as the vendor that we deal with. So again, I don't know in practice. Right? So we, theoretically, we have this legal agreement, and we have language there in practices that being done, and what would happen if there's a problem I don't know, but it's something to consider.
I know that took a lot of doing to get that vendor to agree to. But we really basically said if you don't agree to this, we're not gonna be able to move forward and keep using your integration. We're gonna have to find other options. And I I will say our bookstore has, requested that same thing. They really wanted to they requested that we actually not install any publisher LTIs.
They wanted them all to go through our bookstore. And we said no to that. We said absolutely not not. So, you know, they weren't happy about it, but they begrudgingly agreed to it because they went to continue being our bookstore. So maybe you have some leverage, but again, maybe you don't.
Alright. So that that is a tricky one. Does that help at all? I I hope it helps a little. I I'm gonna go to the back of the room because I know you had in the red shirt. I know you had your hand up first a while ago.
I'm wondering if you have any language for faculty to It has to go through all that. You know, and we just acknowledge your request and they want it to be five minutes. Yes. So the the question was do we have language directed faculty talking about these processes we've talked about today to let them know, because vendors will always say. Right? Like, oh, this is so easy.
Just install this. Right? I even got I I will say I got one last week from vendors that we need you to install our integration. Your faculty are using it, you know, they're they're to use it in a few weeks. I'm like, hang on a second. We're we're not.
It doesn't work that way here. So this first link here, and I know it's small, but if you grabbed the, PowerPoint on slide sixteen, the top link there, we do have an entire web page, outlining the process, This isn't hooked up to the internet, so I can't show you that page, but we do outline the entire process. We have a time frame. We actually went with, short. We we called it short medium and long for the time frame for all these items, you know, like like legal.
We said long. Because you never know how long it's gonna take. We didn't wanna give a number of days or anything. We just said, did it that way, but we outlined all this for faculty. So, yes.
And I would encourage you to look at that. If you want to use it as a model, feel free if you think it's too complex, make it as your see fit. I think we might have time for one more. I see it's four forty four. We'll go with fourth row, green.
One of the things we've struggled with is department schools that purchase a tool and then come to us. How have you dealt with that of of levels that are especially when you hit some of those big roadblocks and accessibility and unscoped keys, they've already paid for it. How do you manage that Sure. So the the question was, how do we manage when a department or, you know, a unit has went out and just bought, some of this software, it hasn't consulted us first, and then comes to us and said, Hey, we're ready to install this, and we have all these things, So part of it is actually this website we just talked about. So we have that process outlined.
I won't say that that you know, it is not perfect to tell people like, hey, yeah, you know, but this is what we do. We tell them, alright, we have this outlined. This is an officially approved procedure. For our university. We tell them this is great.
You paid for it. We do need to go through this process. You by paying for it, you've already taken care of a couple of the bullets, but there are more, you know, and technically you shouldn't have paid for it with, if you would have read the process. Right? But we do we try to work them as much as possible in that situation. There has there have I think there's been one time where somebody did buy something and we couldn't get all these agreements in place.
We had to end up telling them they could use it, and this isn't universal, but we did tell them you could use it as external tool. It's not gonna be an approved tool through Canvas. You they had they had a website. They could log in to separately but we told them we we cannot integrate this in canvas because, I don't I don't wanna say which one they didn't comply with, but they didn't comply all of our list of things. So we gave them that option because they'd already paid for it.
You know, we kind of made a little compromise because that was possible. So that might be a solution in some areas, but, yes, that is a very tricky thing. We did communicate this policy though, this procedure out. So that might be an important thing to do too. Is if you develop this, make sure you communicate it out.
So, again, I know we're we're past time, so thank everybody for coming. It's been great. If I could if I could have thirty seconds real quick before you guys housekeeping housekeeping items, if you're in the next session, a five o'clock session, you're welcome to stay in your seat. We'll come back around in scan you. Also realize you may have to take a restroom break or step out for a bit.
We will have to scan you to come back into the room if you do that. Also, don't forget that we love the session feedbacks. So, don't forget to rate the session in the app. We appreciate your patience. It's been different this year.
Also realize it's been a couple of years since we've been in person for a conference. So we're still learning how to get back into it as well. So we appreciate your patience in working with us and And then Oh. I see there's a QR code, and I'm I'm a QR code for your This is for swag. So Don't forget your swags.
Scan the QR code so you can get discounted for swag. And then finally, outside, it did rain while we're in this session, the panda does look really sad. He's crushed. So if you can give him some love, when you're out in the hallway, look down at him, give him some love wave at him so we can bring him back to life. He's deflated.
It rained a lot. Yeah. I think they just deflated him a little bit. This is just for the swag. Yeah. I think there's a feedback link or in the session itself. If you go back into it where you registered in the app, there should be a feedback.