ZDM for Zoom desktop and mobile clients


Today in expanding Zoom Device Management process, the Zoom desktop and mobile clients support is designed to control device specific client policies, allowing administrators to configure client behavior. Once applied, these policies will always control the behavior of the client the same way, regardless of the identity of the user logged in. These settings must be distributed and applied manually via MSI/GPO and other similar processes. The Zoom Device Management (ZDM) functionality will allow enterprise administrators to manage clients, group them as needed, and apply client policies to client groups through the Zoom web portal. ZDM supports policy management across Windows, macOS, Linux, iOS & Android.

Notes:

This article covers:

Prerequisites for Zoom Device Management for Zoom desktop and mobile clients

How to create device groups to manage your Zoom desktop and mobile clients

As different teams and departments have different security requirements and access to different features, you will need to create groups to divide your managed devices and apply policies based on each group or team’s needs. As soon as a group is created , a token will be created. At a minimum, one group will need to be created to enroll your devices into ZDM. 

Note: Please refer to the How to access an enrollment token section to access your token.

  1. Sign in to the Zoom web portal as an admin.
  2. In the navigation menu, click Device Management then Device List.
  3. Switch to the Groups tab and click + Add Group.
  4. In the Group Name box, enter the name of the group.
  5. (Optional) In the Description box, enter a description for the group.
  6. Click Finish.
  7. (Optional) Click Save & Add Another to create additional groups.

How to access the enrollment token to enroll a Zoom desktop and mobile client

Now that your device groups have been established, you can access the unique token created for each group. This token, when deployed to the desktop client or mobile app, will enroll that device into the corresponding device group.

  1. Sign in to the Zoom web portal as an admin.
  2. In the navigation menu, click Device Management then Device List.
  3. Switch to the Groups tab and click Edit to the right of the desired group.
  4. Click the Profile tab.
  5. In the Enrollment section do the following:
    • If enrolling devices running Windows or macOS, click Download enrollment configuration file, then go to step 6.
    • If enrolling devices running operating systems other than Windows or macOS, click Copy next to the token generated for this group.
      Notes:
      • The token will be saved to your clipboard.
      • You can also manually select the token to copy and paste if desired instead of using the clipboard.
  6. For GPO enrollment, verify the policy has been applied at:
    ...H    KEY_LOCAL_MACHINE\SOFTWARE\Policies\Zoom\Zoom Meetings\General
  7. Quit the Zoom application on the desktop that was just enrolled in ZDM and then sign back in.
  8. On the Zoom web portal, refresh the Device List page, and verify that the added device is in the list.

How to deploy the enrollment token

Now that you have generated the enrollment token, it’s time to deploy that token to your managed installations. This is accomplished by setting the enrollment token with the SetEnrollToken4CloudMDM Key. You can refer to these examples related to your operating system:

Deploying the enrollment token on Windows devices

The enrollment configuration file you downloaded can be pushed to your MSI/GPO process to enroll your devices. The following are examples if you want to copy the token to the key: 

Using MSI

A simple MSI deployment would be as such, replacing <Token> with the one you generated: 

msiexec /i ZoomInstallerFull.msi ZConfig=”SetEnrollToken4CloudMDM=<Token>”

Note: For more detailed information about MSI deployment, please refer to the mass installation for Windows support article.

Using GPO

A simple GPO deployment would be as such, replacing <Token> with the one you generated:  

"SetEnrollToken4CloudMDM"="<Token>"

This configuration key and value would be set in the configuration file located here:

...HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Zoom\Zoom Meetings\General

Note: For more detailed information about GPO deployment, please refer to the Group Policy options for Windows support article

Deploying the enrollment token on macOS devices using PLIST

A simple plist deployment would be as such, replacing <Token> with the one you generated: 

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

 <key>SetEnrollToken4CloudMDM</key>

 <string><Token></string>

</dict>

</plist>

Note: For more detailed information about PLIST deployment, please refer to the mass installation for macOS support article.

Deploying the enrollment token on Linux devices using config file

A simple deployment would be as such, replacing <Token> with the one you generated. 

SetEnrollToken4CloudMDM="<Token>"

This configuration key and value would be set in the configuration file located here: 

 ~/.config/zoomus.conf

Deploying the enrollment token on Android devices using MDM

The Zoom App for Android can be deployed to managed devices through AirWatch, Intune, and Google Workspace. Whichever method you choose to deploy, you will need to set a configuration key as mandatory:SetEnrollToken4CloudMDM, with the configuration value being the token you created for this device/group of devices. 

An example XML for deploying through Intune would be as follows, replacing <Token> with the one you generated:

<dict>

 <key>SetEnrollToken4CloudMDM</key>

 <string><Token></string>

</dict>

Note: For more detailed information about MDM deployment for Android, please refer to the MDM for Android support article.

Deploying the enrollment token on iOS devices using MDM

The Zoom App for iOS can be deployed to managed devices through AirWatch and Intune. Whichever method you choose to deploy, you will need to set a configuration key as SetEnrollToken4CloudMDM, with the configuration value being the token you created for this device/group of devices.

An example XML for deploying through AirWatch would be as follows, replacing <Token> with the one you generated:

<managedAppConfiguration>

    <version>1.2.10</version>

    <bundleId>us.zoom.videomeetings</bundleId>

    <dict>

       <string keyName="SetEnrollToken4CloudMDM">

           <defaultValue>

               <value><Token></value>

           </defaultValue>

       </string>

    </dict>

</managedAppConfiguration>

Note: For more detailed information about MDM deployment for Android, please refer to the MDM for iOS support article

How to unenroll a device from ZDM

After the device is enrolled, it can be unenrolled from ZDM at any time. 

  1. First, clear the token value set with SetEnrollToken4CloudMDM, which was deployed by MSI/GPO/PLIST/MDM. 
  2. Sign in to the Zoom web portal as an admin. 
  3. In the navigation menu, click Device Management then Device List.
  4. Identify the device you wish to unenroll then click the empty box to the left of it. 
  5. On the top-right of the device list, click the ellipsis button and select Unenroll from ZDM

How to delete a device group

After creating a group, it can be deleted at any time. Any group deleted, will automatically delete the enrollment token for that group.

Note: If you wish to delete several groups, you can select as many as you want to delete at once.

  1. Sign in to the Zoom web portal as an admin.
  2. In the navigation menu, click Device management then Device List.
  3. Click the Groups tab.
  4. Identify the group you wish to delete and click the empty box to the left of it.
  5. On the top right of the tab, click Delete.
  6. In the pop-up window, click Delete to confirm.

How to change group settings for your managed Zoom desktop and mobile clients

For more information visit Changing group settings for ZDM managed clients.