Salesforce provides us with several mechanisms to hide sensitive information from our managed package users. These include hiding the packaged code and logs produced by it, protected custom settings/custom metadata, or Subscriber → License Management Org (LMO) feature parameters.

This is great and crucial to ensure that nobody steals your intellectual property and to guarantee the security of your app. However, when problems appear in your customer’s org, these same mechanisms make it hard to debug issues and provide effective support.

That’s why Salesforce introduced the Subscriber Console – a mechanism that allows you to log into your subscriber’s org in the context of your customer’s user, with some additional AppExchange app provider superpowers.

See and Modify Packaged Protected Custom Settings

Imagine you have a setup page where you track the status of all the configuration steps that a customer must perform after installing your app. The progress is saved in protected custom setting records.
Now, one of your customers has a very specific case where they just cannot complete the first configuration step, and all the other steps are disabled for them until they complete it.

The custom setting is protected, meaning your customer can’t just go to Setup and modify it. Luckily, you can do this after logging into the Subscriber Console. 🙂

Notice that you can Manage the Protected custom settings records.

You can edit, delete, and create new records.

Of course, this example applies to any other configuration stored in custom settings, such as bypassing certain validations, restoring default config values, or adjusting integration details.

It’s worth mentioning that all of this wouldn’t be equally easy with packaged protected custom metadata types (which makes sense, as they’re deployed during package installations/upgrades).
As of the time of publishing this post (December 2024), the official Salesforce documentation does not mention custom metadata types in the context of the Subscriber Console. I’ve done some testing, and here are the results:

• You won’t see protected custom metadata types in the setup.
• You will see both protected and public records of public custom metadata types.
• You will be able to edit only fields marked as SubscriberControlled in the records of public custom metadata types.

Debug Your Managed Code

After logging into your customer’s org via the Subscriber Console, you can see the logs produced by your app’s code. Below are images comparing what your customer sees and what you see while logged in via the Subscriber Console.

Logs visible when I was "normally" logged into my org with the package installed:

Logs visible when I logged in via the Subscriber Console:

Monitor Customer Details

You also get access to up-to-date subscriber-related information. Here’s a screenshot of what you get:

In my opinion, the most useful features are:

1. Access to Subscriber → LMO feature parameters – the page displays their current values. While these values are also visible on your PBO, there is often a significant delay between a parameter value change in your subscriber’s org and its synchronization to your PBO. If you need to know the value immediately (e.g., when troubleshooting feature parameters), the Subscriber Console is the place to go.
2. Access to some of the subscriber org limit consumption statuses – if your app relies on API requests sent to the Salesforce org and is consistently failing for your customer, it might be due to hitting the per-24-hour API request limit. Similarly, other limits listed there might be worth checking in certain scenarios.

Use Subscriber Console Step by Step

Now that we know why this is super useful, here’s how to use it:

1. Ask your customer to grant you login access to their org. The steps YOUR CUSTOMER (not you) must follow are:
   1. Click on their user avatar and select Settings.
      
   2. Select Grant Login Access from the My Personal Information section in the left panel.
   3. Select the application provider (the owner company of the AppExchange app – this is you, my fellow AppExchange app creator) and the period for which access will be granted.
      
   4. Save.
2. Log in to your License Management Org (LMO) – the org where you manage your app licenses – and open the License Management App.
3. Go to the Licenses tab and open the record related to your customer.
4. Use the Log Into Subscriber Console action to log into your customer’s org.
   
5. The next page should look familiar. Here, you can monitor basic info about your customer (such as feature parameter values). The Login Access Granted section displays all the users on the subscriber org who have granted you access to log in on their behalf. Click Login to proceed.
   
6. If the org opens in Classic mode, click the Switch to Lightning Experience button.
7. Now perform any of the steps described earlier in this article – go to Setup to modify custom settings or set up debug logs and observe them in real-time in the Developer Console.

Note: You’re logged in the context of a specific user in your customer’s org. If they don’t have access to certain configurations, you won’t either (e.g., if the user isn’t an admin, you won’t access Setup; if they lack a particular permission set, you won’t access the data controlled by it).

Conclusion

The Subscriber Console is a useful tool for debugging your app in your customer’s org. It allows you to see and control things hidden from your customers. It’s simple to use and definitely worth remembering during your AppExchange journey.

Note: if you’re further interested in providing a personalized customer support for your AppExchange app, be sure to check out our AppExchange Analytics solution that enables you to do exactly that.

Resources

• Subscriber Console – Salesforce Official Documentation