Restricting logins for the Zoom Client
The Zoom client can be customized through different deployment and configuration tools to restrict it to joining meetings hosted by specific accounts, to restrict login to certain email domains, or to disable other settings through remote management.
The Windows Zoom Desktop Client can be configured in three ways: with the MSI installer at install time, through Group Policy using an Active Directory administrative template, or with registry keys. We recommend that you read our Windows mass installation guide for more information on how to deploy using these methods, as well as how to configure other settings.
The Zoom Desktop Client for macOS can be deployed with a .plist file that contains the configuration. The Zoom for IT Admins installer for Mac must be installed along with the Zoom for IT Admins .plist file in order to complete this installation.
Zoom's Android and iOS clients can have login restricted by email domain. This can be configured through a number of MDM methods for both Android and iOS, including AirWatch and Intune.
Prerequisites
Windows:
- MSI installer should be used for deployment
macOS:
- Use the macOS IT package to deploy the application
Android OS:
- Android 5 and later versions of the operating system
- Enterprise mobility management (EMM) software, such as AirWatch or Microsoft Intune, is the ideal solution
iOS:
- The iOS 4 or later operating system is required for iOS devices
- Enterprise mobility management (EMM) software, such as AirWatch or Microsoft Intune, is the ideal solution
Restricting logins to specific email domains
Configuring via MSI (Windows)
To restrict login on the Windows Zoom client to certain email domains, add the following parameter to the install command line: ZConfig="login_domain=domain". Here, domain is the students' and faculty's email domain.
msiexec /package ZoomInstaller.msi /norestart /lex msi.log ZConfig="login_domain=domain"
As an example, if your organization's email domain is "school.com", then the installation command and ZConfig parameter would be:
msiexec /package ZoomInstaller.msi /norestart /lex msi.log ZConfig="login_domain=school.com"
Configuring via Group Policy Template (Windows)
By using the Group Policy Administrative Templates, system administrators can also restrict joining to specific accounts. After adding the template:
- Navigate to the Administrative Templates section of the navigation panel.
- If you are using ADM files, click Classic Administrative Templates.
- To edit Zoom General Settings, click Zoom Meetings.
- Double-click Set email domains that are restricted.
- To enable it, click the Enable button.
- Enter the email domains for the login restriction, adding an & between each domain.
- Apply the change.
Using Registry Keys (Windows)
Add the following String Value to the "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Zoom\Zoom Meetings\General" key:
- Value name: LoginRestrictedEmailDomains
- Value data: the email domain
Note: Multiple domains can be entered in the value data by adding an & between each domain.
Via .plist configuration (macOS)
With a .plist deployment, add the following key to the us.zoom.config.plist file to apply the login domain restriction:
<key>login_domain</key>
<string>domain</string>
As an example, the .plist key for an organization with the email domain "school.edu" would be as follows:
<key>login_domain</key>
<string>school.edu</string>
Allow joining meetings only on certain accounts
Configuring via MSI (Windows)
Windows Zoom clients can be configured to only allow joining meetings for certain accounts by adding the parameter ZConfig="account=your_account_id" to the install command line. Here, your_account_id is your organization's Zoom account ID.
msiexec /package ZoomInstaller.msi /norestart /lex msi.log ZConfig="account=your_account_id"
Example:
If your organization's account ID number is "111111", the installation command and the ZConfig parameter would be as follows:
msiexec /package ZoomInstaller.msi /norestart /lex msi.log ZConfig="account=111111"
Configuring via Group Policy Template (Windows)
The Group Policy Administrative Templates can also be used by administrators to restrict joining to certain accounts, along with other settings. After adding the template:
- Click on Administrative Templates in the navigation bar at the top of the page.
- If you are using the ADM files, choose Classic Administrative Templates (optional).
- To change your Zoom Meeting settings, click Zoom Meetings > Zoom General Settings.
- Double-click Set account IDs that the client is not allowed to join meetings hosted by the account the client has been assigned.
- Click the Enable button in the settings window to enable the feature.
- Enter the account IDs for the joining restriction. If you are adding more than one ID, add commas between them.
- Click the Apply button.
Using Registry Keys (Windows)
Add the following String Value to the "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Zoom\Zoom Meetings\General" key in the registry:
- Value name: Account IDs should be restricted from joining
- Value data: Account ID
Note: More than one account ID can be entered in the value data by adding a "," between the account IDs.
Via .plist configuration (macOS)
If you have deployed Zoom via .plist, add the following key to the us.zoom.config.plist file in order to restrict joining meetings to certain accounts:
<key>CanOnlyJoinMeetingOfAccountID</key>
<string>account ID</string>
As an example, if the account ID number of your organization is "111111", then this would be the .plist key for your organization:
<key>CanOnlyJoinMeetingOfAccountID</key>
<string>111111</string>
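A pre-deployment check for the two macOS restrictions above (login_domain and CanOnlyJoinMeetingOfAccountID), added here as an example and not taken from Zoom's documentation. It assumes the keys sit in the top-level dictionary of a standard XML plist; the function names, the sample files and the rule that an account ID is any non-empty string without whitespace are assumptions for illustration.

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

# Key names exactly as shown on this page for us.zoom.config.plist.
DOMAIN_KEY = "login_domain"
ACCOUNT_KEY = "CanOnlyJoinMeetingOfAccountID"
DOMAIN_RE = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
ACCOUNT_RE = re.compile(r"^\S+$")  # assumption: any non-empty ID without whitespace


def audit_zoom_plist(raw, expect_domain, expect_account):
    """Return a list of findings; an empty list means both restrictions are set."""
    try:
        cfg = plistlib.loads(raw)
    except (ValueError, ExpatError) as exc:
        # A tag that is never closed, such as <key>login_domain<key>, ends up here.
        return [f"plist does not parse: {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level plist object is not a <dict>"]
    findings = []
    checks = ((DOMAIN_KEY, expect_domain, DOMAIN_RE),
              (ACCOUNT_KEY, expect_account, ACCOUNT_RE))
    for key, expected, pattern in checks:
        value = cfg.get(key)
        if value is None:
            findings.append(f"{key}: missing, restriction not applied")
        elif not isinstance(value, str):
            findings.append(f"{key}: must be a <string>, got {type(value).__name__}")
        elif not pattern.match(value):
            findings.append(f"{key}: malformed value {value!r}")
        elif value.lower() != expected.lower():
            findings.append(f"{key}: {value!r} does not match expected {expected!r}")
    return findings


def wrap(body):
    """Put key/value lines inside a minimal plist envelope (constructed input)."""
    head = '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
    return (head + body + "\n</dict></plist>\n").encode()


GOOD = wrap("<key>login_domain</key><string>school.edu</string>\n"
            "<key>CanOnlyJoinMeetingOfAccountID</key><string>111111</string>")
UNCLOSED = wrap("<key>login_domain<key><string>school.edu</string>")
WRONG_TYPE = wrap("<key>login_domain</key><string> school.edu</string>\n"
                  "<key>CanOnlyJoinMeetingOfAccountID</key><integer>111111</integer>")

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("unclosed", UNCLOSED), ("wrong type", WRONG_TYPE)):
        print(name, "->", audit_zoom_plist(sample, "school.edu", "111111") or "OK")
```

A file that fails to parse or carries the wrong value type leaves the client without the intended restriction, so running a check like this before the package is pushed catches the error while it is still cheap to fix.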
Configuring restrictions via MDM for Android and iOS
Zoom can be remotely configured on managed iOS and Android devices by the system administrator using mobile device management (MDM). The following login restrictions are available:
Feature | Key Name | Type | Value Example |
---|---|---|---|
Specify which domains are allowed to log in | LoginRestrictedEmailDomains | String | school.edu |
Indicate whether SSO is required for users to log in to the application | SSO with ForceLogin | Boolean | "1" or "True" will enable |
Set the vanity URL used for Single Sign-On (SSO) login | SSOURL is set | String | Entering "success" sets the SSO URL to https://success.zoom.us |
AirWatch
- Add Zoom to AirWatch for iOS.
- For Android devices, the app can be added with or without Google Play integration.
- Click Add Assignment.
- In the Assignment Groups field, select the group that the configuration should apply to.
- Enable Application Configuration using the option next to it.
- Click Add.
- Enter the following details:
  - Configuration Key: SetEmailDomainsRestrictedToLogin
  - Value Type: String
  - Configuration Value: the email domain, for example school.edu
Intune
- Sign in to the dashboard using your Microsoft 365 Device Management account details.
- In the left-hand navigation menu, click Client apps. Then click Configuration policies in the right-hand navigation menu.
- Click Add and enter the following information:
  - Name: Enter the name under which the configuration should be displayed.
  - Description: Provide enough information about the configuration that it can be identified quickly.
  - Device enrollment type: Select Managed devices.
  - Platform: Choose either iOS or Android.
  - Associated app:
    - For iOS devices, choose the Zoom Cloud Meetings app from the Apple App Store.
    - For Android devices, select Zoom Cloud Meetings from the list of Android apps.
- Click the Configuration tab to configure the settings.
- Under the Configuration settings format drop-down menu, select Use configuration designer and click OK.
- In the configuration designer, specify the configuration keys, then click OK.
- For each key, use the drop-down menu in the Configuration Value column to select the appropriate value.
- After you have clicked OK, the next step is to exit the program.
Using XML with AirWatch and Intune
Configuration can also be deployed to mobile devices by importing XML configuration files. This method deploys multiple settings together, which makes it very useful when a configuration contains several settings.
AirWatch
<managedAppConfiguration>
  <version>1.2.10</version>
  <bundleId>us.zoom.videomeetings</bundleId>
  <dict>
    <integer keyName="Key Name">
      <defaultValue>
        <value>Boolean Value</value>
      </defaultValue>
    </integer>
    <string keyName="Key Name">
      <defaultValue>
        <value>String Name</value>
      </defaultValue>
    </string>
  </dict>
</managedAppConfiguration>
Example:
Deploying configuration with login domain restricted to “school.edu”:
<managedAppConfiguration>
  <version>1.2.10</version>
  <bundleId>us.zoom.videomeetings</bundleId>
  <dict>
    <string keyName="SetEmailDomainsRestrictedToLogin">
      <defaultValue>
        <value>school.edu</value>
      </defaultValue>
    </string>
  </dict>
</managedAppConfiguration>
Intune
<dict>
<key>Key Name</key>
<integer>Boolean Value</integer>
<key>Key Name</key>
<string>String Value</string>
</dict>
Example:
Deploying configuration with login domain restricted to “school.edu”:
<dict>
<key>SetEmailDomainsRestrictedToLogin</key>
<string>school.edu</string>
</dict>