Restricting logins for the Zoom Client

Using different deployment types and application configuration software, you can restrict users to joining only Zoom meetings hosted by certain accounts, require that logins use certain email domains, and disable other settings via remote management.

Currently, the Zoom Desktop Client can be configured on Windows in 3 different ways: through the MSI package, which automates installation as well as configuration; through a Group Policy admin template if you are using Active Directory; or via registry keys. Our Windows mass installation guide explains how to deploy with these methods and covers other configuration settings.

On macOS, the Zoom Desktop Client can be deployed with plist configuration files. This requires the Zoom for IT Admins installer for Mac together with a .plist configuration file.

With Zoom for Android and iOS, you can lock the app so that you can only log in with certain email domains. In addition to this, MDM methods such as AirWatch and Intune can be used both for iOS and Android to accomplish this task.

Prerequisites

Windows:

  • MSI installer should be used

macOS:

  • Use the macOS IT package for deployment

Android OS:

  • Most Android devices running Android 5 or later
  • Enterprise mobility management (EMM) software such as AirWatch or Microsoft Intune

iOS:

  • iPhones and iPads with iOS 4 or higher
  • An EMM platform such as AirWatch or Microsoft Intune

Restricting logins to specific email domains

Configuring via MSI (Windows)

To configure the Windows Zoom client to restrict login to specific email domains, add the following parameter to the install command line:

ZConfig="login_domain=domain"

In the command, domain is the email domain for students and faculty.

msiexec /package ZoomInstaller.msi /norestart /lex msi.log ZConfig="login_domain=domain"

Example:

If the email domain for your organization is “school.com”, the installation command and ZConfig parameter would be:

msiexec /package ZoomInstaller.msi /norestart /lex msi.log ZConfig="login_domain=school.com"

Configuring via Group Policy Template (Windows)

System administrators can also apply this restriction, along with other settings, through the Group Policy Administrative Templates. After adding the template:

  • Click Administrative Templates in the navigation panel.
  • If using the ADM files, click Classic Administrative Templates.
  • Click Zoom Meetings, then Zoom Generally Setup.
  • Click Set email domains that clients will be restricted from logging into.
  • Click Enabled at the bottom of the settings window.
  • Enter the email domains to which you wish to restrict access, adding an & between each domain.
  • Click Apply.

Using Registry Keys (Windows)

The following String Value can be added to “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Zoom\Zoom Meetings\General”:

  • Value name: RestrictEmailDomainsToLogin
  • Value data: The email domain of the users’ email addresses

Note:

Multiple domains can be entered in the Value data by adding an & between the domains.

Via plist configuration (macOS)

To restrict login to specific email domains in the Zoom macOS client, add the following key to the us.zoom.config.plist file of your existing deployment:

<key>login_domain</key>
 <string>domain</string>

Example:

If the email domain for your organization is “school.edu”, the .plist key would be:

<key>login_domain</key>
 <string>school.edu</string>

Allow joining meetings only on certain accounts

Configuring via MSI (Windows)

To configure the Windows Zoom client to only allow joining meetings hosted by certain accounts, add the following parameter to the install command line: ZConfig="account=your_account_id". In the command, your_account_id is your organization’s Zoom account number.

msiexec /package ZoomInstaller.msi /norestart /lex msi.log ZConfig="account=your_account_id"

Example:

If your organization’s account ID is “111111”, the installation command and the ZConfig parameter will be:

msiexec /package ZoomInstaller.msi /norestart /lex msi.log ZConfig="account=111111"

Configuring via Group Policy Template (Windows)

Using the Group Policy Administrative Templates, administrators can also set the restriction on joining meetings by account, along with other settings. After adding the template:

  • Click Administrative Templates in the navigation panel.
  • If using the ADM files, click Classic Administrative Templates.
  • Navigate to Zoom Meetings, and then Zoom General Preferences.
  • Click the Set account IDs setting, which restricts clients to joining meetings hosted by those accounts.
  • Click Enabled in the setting window to enable this feature.
  • If you are entering multiple IDs, put commas between them.
  • Click Apply.

Using Registry Keys (Windows)

The following String Value can be added to “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Zoom\Zoom Meetings\General”:

  • Value name: RestrictAccountIDsToJoin
  • Value data: The account ID

Note:

Adding a “,” between account numbers will allow you to enter multiple account IDs.
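A pre-deployment check for the two registry values described above, written as an added example (not Zoom's code). It reads a constructed .reg export of the policy key and flags malformed entries; treating a space-padded account ID as a finding is an assumption of this lint, not documented Zoom behaviour.

```python
import re

# Constructed sample of a .reg export of the policy key described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Zoom\Zoom Meetings\General]
"RestrictEmailDomainsToLogin"="school.edu&teacher@school.edu"
"RestrictAccountIDsToJoin"="111111, 222222"
'''

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Zoom\Zoom Meetings\General"
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def read_policy_values(reg_text):
    """Return {value name: string data} for the Zoom policy key in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == POLICY_KEY.lower()
        elif in_key:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                values[m.group(1)] = m.group(2)
    return values

def lint_policy(values):
    """Return a list of findings; an empty list means both values look well-formed."""
    findings = []
    domains = values.get("RestrictEmailDomainsToLogin")
    if domains is None:
        findings.append("RestrictEmailDomainsToLogin is not set")
    else:
        for d in domains.split("&"):      # domains are separated by &
            if not DOMAIN_RE.match(d.strip().lower()):
                findings.append(f"not an email domain: {d.strip()!r}")
    accounts = values.get("RestrictAccountIDsToJoin")
    if accounts is None:
        findings.append("RestrictAccountIDsToJoin is not set")
    else:
        for a in accounts.split(","):     # account IDs are separated by ,
            if not a or a != a.strip():   # assumption: padding is a mistake
                findings.append(f"empty or space-padded account ID: {a!r}")
    return findings
```

Running `lint_policy(read_policy_values(SAMPLE_REG))` reports the full email address entered where a domain belongs and the space after the comma.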

Via plist configuration (macOS)

To restrict the Zoom macOS client to joining meetings hosted by specific accounts, add the following key to the us.zoom.config.plist file of your existing deployment:

<key>CanOnlyJoinMeetingOfAccountID</key>
 <string>account ID</string>

Example:

If your organization’s account ID is “111111”, the .plist key would be:

<key>CanOnlyJoinMeetingOfAccountID</key>
 <string>111111</string>
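A check for the two macOS plist keys shown in this article (login_domain and CanOnlyJoinMeetingOfAccountID), as an added example that is not part of Zoom's tooling. The sample files are constructed, and the surrounding plist/dict wrapper is an assumption about the rest of us.zoom.config.plist. It reports a file that does not parse, such as one with an unclosed key tag, as well as missing, mistyped or unexpected values.

```python
import plistlib
from xml.parsers.expat import ExpatError

HEADER = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
FOOTER = b"</dict></plist>\n"

# Constructed samples: a well-formed file and one with an unclosed <key> tag.
GOOD = HEADER + b"""<key>login_domain</key><string>school.edu</string>
<key>CanOnlyJoinMeetingOfAccountID</key><string>111111</string>
""" + FOOTER
BAD = HEADER + b"<key>login_domain<key><string>school.edu</string>\n" + FOOTER

def check_zoom_plist(data, domain, account_id):
    """Return findings for a us.zoom.config.plist; [] means both restrictions match."""
    try:
        cfg = plistlib.loads(data)
    except (ExpatError, plistlib.InvalidFileException, ValueError) as exc:
        return [f"plist does not parse: {exc}"]
    if not isinstance(cfg, dict):
        return ["plist root is not a <dict>"]
    findings = []
    expected = {"login_domain": domain,
                "CanOnlyJoinMeetingOfAccountID": account_id}
    for key, want in expected.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key} is missing")
        elif not isinstance(got, str):
            # The article shows both values as <string> elements.
            findings.append(f"{key} must be a <string>, found {type(got).__name__}")
        elif got != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    return findings

if __name__ == "__main__":
    print(check_zoom_plist(GOOD, "school.edu", "111111"))
    print(check_zoom_plist(BAD, "school.edu", "111111"))
```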

 

Configuring restrictions via MDM for Android and iOS

You can remotely configure the Zoom application on managed iOS or Android devices using mobile device management (MDM). This allows you to restrict access to certain features of Zoom.

| Feature | Key Name | Type | Value Example |
|---|---|---|---|
| Restrict login to specific domains | SetEmailDomainsRestrictedToLogin | String | Enter “school.edu” to restrict logins to users with school.edu as their email domain |
| Specify if users are required to log in with SSO | ForceLoginWithSSO | Boolean | “True” or “1” to enable |
| The vanity URL used to log in using SSO | SetSSOURL | String | Enter “success” to set the SSO URL as https://success.zoom.us |

AirWatch

  1. Add Zoom to AirWatch for iOS.
  2. For an Android device, add the app with or without Google Play integration, depending on what you need.
  3. Click the Add Assignment button.
  4. In the Assignment Groups field, select the group to which the configuration should be applied.
  5. Select the checkbox next to Application Configuration to enable it.
  6. Then click Add.
  7. Enter the following information:
    • Configuration Key: SetEmailDomainsRestrictedToLogin
    • Value Type: String
    • Configuration Value: the email domain, for example school.edu

Intune

  • Sign in to your Microsoft 365 account and open the Device Management dashboard.
  • Click Client apps in the left-side navigation bar, then click App configuration policies.
  • Click Add and enter the following information:
    • Name: Enter a name for this configuration.
    • Description: Provide a brief description to help identify the configuration.
    • Device enrollment type: Make sure the Managed option is selected.
    • Platform: Choose between iOS and Android.
    • Associated app:
      • Choose the ZOOM Cloud Meetings App Store if you are using an iOS device.
      • Choose Zoom Cloud Meetings for Android if you are using an Android device.
  • Once you have selected your preferences, click Save.
  • In the Configuration settings format section, choose Use the configuration designer from the drop-down menu.
  • Specify the configuration keys using the configuration designer, then click OK.
  • For each key, use the drop-down menus to specify its value in the Configuration Value column.
  • Then click OK.

Using XML with AirWatch and Intune

It is also possible for System Administrators to import XML configuration files into the system to be deployed to mobile devices. This can be helpful for deploying configuration files that contain more than one setting.

AirWatch

<managedAppConfiguration>
    <version>1.2.10</version>
    <bundleId>us.zoom.videomeetings</bundleId>
    <dict>
        <integer keyName="Key Name">
            <defaultValue>
                <value>Boolean Value</value>
            </defaultValue>
        </integer>
        <string keyName="Key Name">
            <defaultValue>
                <value>String Name</value>
            </defaultValue>
        </string>
    </dict>
</managedAppConfiguration>

Example:

Setting up a configuration with a login domain restriction of “school.edu”:

<managedAppConfiguration>
    <version>1.2.10</version>
    <bundleId>us.zoom.videomeetings</bundleId>
    <dict>
        <string keyName="SetEmailDomainsRestrictedToLogin">
            <defaultValue>
                <value>school.edu</value>
            </defaultValue>
        </string>
    </dict>
</managedAppConfiguration>

 

Intune

<dict>
 <key>Key Name</key>
 <integer>Boolean Value</integer>
 <key>Key Name</key>
 <string>String Value</string>
</dict>

Example:

Deploying configuration with login domains restricted to “school.edu”:

<dict>
 <key>SetEmailDomainsRestrictedToLogin</key>
 <string>school.edu</string>
</dict>
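Because the AirWatch and Intune files express the same settings in different XML shapes, a restriction can be present on one platform and missing or different on the other. The following added example (not Zoom, AirWatch or Intune code) reads both formats into one key-to-value map and lists the keys that differ; both sample documents are constructed, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the two formats shown above.
AIRWATCH = """<managedAppConfiguration>
  <version>1.2.10</version>
  <bundleId>us.zoom.videomeetings</bundleId>
  <dict>
    <string keyName="SetEmailDomainsRestrictedToLogin">
      <defaultValue><value>school.edu</value></defaultValue>
    </string>
    <integer keyName="ForceLoginWithSSO">
      <defaultValue><value>1</value></defaultValue>
    </integer>
  </dict>
</managedAppConfiguration>"""

INTUNE = """<dict>
  <key>SetEmailDomainsRestrictedToLogin</key>
  <string>school.com</string>
</dict>"""

def airwatch_settings(xml_text):
    """Map keyName -> (type, value) from a managedAppConfiguration document."""
    settings = ET.fromstring(xml_text).find("dict")
    if settings is None:
        raise ValueError("managedAppConfiguration has no <dict>")
    return {el.get("keyName"): (el.tag, el.findtext("defaultValue/value", "").strip())
            for el in settings}

def intune_settings(xml_text):
    """Map key -> (type, value) from an Intune <dict> of alternating key/value elements."""
    children = list(ET.fromstring(xml_text))
    if len(children) % 2 or any(k.tag != "key" for k in children[0::2]):
        raise ValueError("expected alternating <key> and value elements")
    return {(k.text or "").strip(): (v.tag, (v.text or "").strip())
            for k, v in zip(children[0::2], children[1::2])}

def drift(a, b):
    """Keys whose type or value differs between two platforms' settings."""
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

if __name__ == "__main__":
    print(drift(airwatch_settings(AIRWATCH), intune_settings(INTUNE)))
```

For the constructed samples, both keys are reported: the login domain differs between the two files and the SSO requirement is set only in the AirWatch one.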