Restricting logins for the Zoom Client


Using different deployment types and application configuration software, the Zoom client can be locked down to join meetings hosted by certain accounts, have login restricted to certain domains, and have other settings disabled via remote management. 

The Windows Zoom Desktop Client can be configured in 3 different ways: via the MSI installer for both configuration and installation, via an Active Directory administrative template that uses Group Policy for configuration, or via registry keys for configuration. For more information on deploying using these methods, as well as other setting configurations, please see our Windows mass installation guide.

For macOS, the Zoom Desktop Client can be deployed using plist configuration files. This installation requires configuring a .plist file and installing it along with the Zoom for IT Admins Installer for Mac.

For Android and iOS, the Zoom client can be locked to allow login with certain email domains. This can be done using multiple MDM methods, including AirWatch and Intune, for both Android and iOS.

Prerequisites

Windows:

 macOS:

Android OS:

 iOS:

Restricting logins to specific email domains

Configuring via MSI (Windows)

To configure the Windows Zoom client to only allow login with certain email domains, the following parameter would need to be added to the install command line: ZConfig="login_domain=domain". In the command, the domain will be the email domain for students and faculty.

msiexec /package ZoomInstaller.msi /norestart /lex msi.log ZConfig="login_domain=domain"

Example:

If your organization's email domain is "school.com", then the install command and ZConfig parameter would be:

msiexec /package ZoomInstaller.msi /norestart /lex msi.log ZConfig="login_domain=school.com"

Configuring via Group Policy Template (Windows)

System administrators can also restrict login to certain email domains, as well as configure other settings, using the Group Policy Administrative Templates. Once the template has been added:

  1. In the navigation panel click Administrative Templates.
  2. (Optional) Click Classic Administrative Templates if using the ADM files.
  3. Click Zoom Meetings > Zoom General Settings.
  4. Double click Set email domains that client is restricted to log in with.
  5. In the setting window, click Enabled.
  6. Enter the email domains you want to restrict login to, adding an & between each domain.
  7. Click Apply.

Using Registry Keys (Windows)

Under "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Zoom\Zoom Meetings\General" the following String Value can be added:

Note: To enter multiple domains for the Value data, add an & between the domains. 

Via plist configuration (macOS)

To configure the Zoom macOS client to only allow login with certain email domains, with a .plist deployment, the following key would need to be added to the us.zoom.config.plist file:

<key>login_domain</key>
<string>domain</string>

Example:

If your organization's email domain is "school.edu", then the .plist key would be:

<key>login_domain</key>
<string>school.edu</string>

Allow joining meetings only on certain accounts

Configuring via MSI (Windows)

To configure the Windows Zoom client to only allow joining meetings for certain accounts, the following parameter would need to be added to the install command line: ZConfig="account=your_account_id". In the command, your_account_id will be the account number for your organization's Zoom account.

msiexec /package ZoomInstaller.msi /norestart /lex msi.log ZConfig="account=your_account_id"

Example:

If your organization's account ID number is "111111", then the install command and ZConfig parameter would be:

msiexec /package ZoomInstaller.msi /norestart /lex msi.log ZConfig="account=111111"

Configuring via Group Policy Template (Windows)

Admins can also restrict joining to meetings hosted by certain accounts, as well as configure other settings, using the Group Policy Administrative Templates. Once the template has been added:

  1. In the navigation panel click Administrative Templates.
  2. (Optional) Click Classic Administrative Templates if using the ADM files.
  3. Click Zoom Meetings > Zoom General Settings.
  4. Double click Set account IDs that client is restricted to join meeting hosted by.
  5. In the setting window, click Enabled.
  6. Enter the account IDs you want to restrict joining to, adding commas between the IDs if you are adding multiple.
  7. Click Apply.

Using Registry Keys (Windows)

Under "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Zoom\Zoom Meetings\General" the following String Value can be added:

Note: To enter multiple account IDs for the Value data, add a "," between the account numbers.

Via plist configuration (macOS)

To configure the Zoom macOS client to only allow joining meetings for certain accounts, with a .plist deployment, the following key would need to be added to the us.zoom.config.plist file: 

<key>CanOnlyJoinMeetingOfAccountID</key>
<string>account ID</string>

Example:

If your organization's account ID number is "111111", then the .plist key would be:

<key>CanOnlyJoinMeetingOfAccountID</key>
<string>111111</string> 
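A pre-deployment check for the two plist keys above, added here as an example and not part of Zoom's tooling. It wraps the key/string pairs in a complete plist, then catches an unclosed `<key>` tag or a template placeholder left in place; the value formats (one bare domain, a numeric account ID) and the function names are assumptions drawn from the article's examples.

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

# Key names come from the article; the value formats are assumptions based on
# its examples (one bare domain such as school.edu, a numeric account ID).
DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)
ACCOUNT_RE = re.compile(r"\d+")


def wrap_fragment(fragment):
    """Wrap <key>/<string> pairs in a complete plist document (constructed wrapper)."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<plist version="1.0"><dict>\n' + fragment + "\n</dict></plist>").encode()


def lint_zoom_plist(data):
    """Return a list of problems; an empty list means every check passed."""
    try:
        cfg = plistlib.loads(data)
    except (ValueError, ExpatError) as exc:
        return [f"plist does not parse: {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level plist object is not a dict"]
    problems = []
    domain = cfg.get("login_domain")
    account = cfg.get("CanOnlyJoinMeetingOfAccountID")
    if domain is None and account is None:
        problems.append("no login_domain or CanOnlyJoinMeetingOfAccountID key present")
    if domain is not None and not (isinstance(domain, str) and DOMAIN_RE.fullmatch(domain)):
        problems.append(f"login_domain is not a bare domain: {domain!r}")
    if account is not None and not (isinstance(account, str) and ACCOUNT_RE.fullmatch(account)):
        problems.append(f"CanOnlyJoinMeetingOfAccountID is not numeric: {account!r}")
    return problems


# Constructed sample fragments: correct, unclosed <key>, placeholders left in.
SAMPLES = {
    "good": "<key>login_domain</key>\n<string>school.edu</string>\n"
            "<key>CanOnlyJoinMeetingOfAccountID</key>\n<string>111111</string>",
    "unclosed_key": "<key>login_domain<key>\n<string>school.edu</string>",
    "placeholders": "<key>login_domain</key>\n<string>domain</string>\n"
                    "<key>CanOnlyJoinMeetingOfAccountID</key>\n<string>account ID</string>",
}

if __name__ == "__main__":
    for name, fragment in SAMPLES.items():
        print(name, lint_zoom_plist(wrap_fragment(fragment)))
```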

 

Configuring restrictions via MDM for Android and iOS

System administrators can use mobile device management (MDM) to remotely configure the Zoom app on managed iOS or Android devices. The following login restrictions are available:

| Feature | Key Name | Type | Value Example |
|---|---|---|---|
| Restrict login to specific domains | SetEmailDomainsRestrictedToLogin | String | Enter "school.edu" to restrict logins to users with school.edu as their email domain |
| Specify if users are required to log in with SSO | ForceLoginWithSSO | Boolean | "True" or "1" to enable |
| The vanity URL used to log in using SSO. | SetSSOURL | String | Enter "success" to set the SSO URL as https://success.zoom.us |

 

AirWatch

  1. Add the Zoom application to AirWatch for iOS.
  2. (Optional) If configuring for an Android device, the app can be added with or without the Google Play integration.
  3. Click Add Assignment.
  4. In the Assignment Groups field, select a group to apply the configuration to.
  5. Next to Application Configuration, select Enabled.
  6. Click Add.
  7. Enter the following information:
    • For Configuration Key, enter SetEmailDomainsRestrictedToLogin.
    • Set Value Type to String.
    • For Configuration Value, enter the email domain, ex. school.edu.

Intune

  1. Sign in to the Microsoft 365 Device Management dashboard.
  2. In the left-side navigation menu, click Client apps then App configuration policies.
  3. Click Add and enter the following information:
    • Name: Enter a display name for the configuration.
    • Description: Enter a description to help identify the configuration.
    • Device enrollment type: Select Managed devices.
    • Platform: Select iOS OR Android.
    • Associated app:
      • For iOS select ZOOM Cloud Meetings AppStore.
      • For Android select Zoom Cloud Meetings.
  4. Click Configuration settings.
  5. In the Configuration settings format drop-down menu, select Use configuration designer.
  6. Use the configuration designer to specify configuration keys, then click OK.
  7. Use the drop-down menus in the Configuration Value column to specify the values for each key.
  8. Click OK.

Using XML with AirWatch and Intune

System administrators can also import XML configuration files to deploy to mobile devices. This can be useful for deploying a configuration with multiple settings.

AirWatch

<managedAppConfiguration>
    <version>1.2.10</version>
    <bundleId>us.zoom.videomeetings</bundleId>
    <dict>
        <integer keyName="Key Name">
            <defaultValue>
                <value>Boolean Value</value>
            </defaultValue>
        </integer>
        <string keyName="Key Name">
            <defaultValue>
                <value>String Name</value>
            </defaultValue>
        </string>
    </dict>
</managedAppConfiguration>

Example:

Deploying configuration with login domains restricted to "school.edu":

<managedAppConfiguration>
    <version>1.2.10</version>
    <bundleId>us.zoom.videomeetings</bundleId>
    <dict>
        <string keyName="SetEmailDomainsRestrictedToLogin">
            <defaultValue>
                <value>school.edu</value>
            </defaultValue>
        </string>
    </dict>
</managedAppConfiguration>
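A check to run on an AirWatch XML file before import, added here as an example and not part of Zoom's or AirWatch's tooling. It compares each keyName and element type against the three keys in the table above and reports when the login-domain restriction is absent, for instance because the key name was misspelled; the function name and the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Key names and types are from the article's MDM table; per its AirWatch
# template, Boolean settings are carried in an <integer> element.
KNOWN_KEYS = {
    "SetEmailDomainsRestrictedToLogin": "string",
    "ForceLoginWithSSO": "integer",
    "SetSSOURL": "string",
}
REQUIRED_KEY = "SetEmailDomainsRestrictedToLogin"


def check_airwatch_config(xml_text):
    """Return (settings, problems) for a managedAppConfiguration document."""
    settings, problems = {}, []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return settings, [f"XML does not parse: {exc}"]
    if root.tag != "managedAppConfiguration":
        problems.append(f"unexpected root element <{root.tag}>")
    if (root.findtext("bundleId") or "").strip() != "us.zoom.videomeetings":
        problems.append("bundleId is not us.zoom.videomeetings")
    for entry in root.findall("./dict/*"):
        key = entry.get("keyName", "")
        value = (entry.findtext("./defaultValue/value") or "").strip()
        if key not in KNOWN_KEYS:
            problems.append(f"unknown key name {key!r}")
        elif entry.tag != KNOWN_KEYS[key]:
            problems.append(f"{key} should be a <{KNOWN_KEYS[key]}> element, found <{entry.tag}>")
        elif not value:
            problems.append(f"{key} has an empty value")
        else:
            settings[key] = value
    if REQUIRED_KEY not in settings:
        problems.append(f"{REQUIRED_KEY} is not set, so this file does not restrict login domains")
    return settings, problems


# Constructed sample: the article's example with the key name misspelled.
TYPO_SAMPLE = """<managedAppConfiguration>
    <version>1.2.10</version>
    <bundleId>us.zoom.videomeetings</bundleId>
    <dict>
        <string keyName="SetEmailDomainRestrictedToLogin">
            <defaultValue><value>school.edu</value></defaultValue>
        </string>
    </dict>
</managedAppConfiguration>"""

if __name__ == "__main__":
    print(check_airwatch_config(TYPO_SAMPLE))
```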

 

Intune

<dict>
<key>Key Name</key>
<integer>Boolean Value</integer>
<key>Key Name</key>
<string>String Value</string>
</dict>

Example:

Deploying configuration with login domains restricted to "school.edu":

<dict>
<key>SetEmailDomainsRestrictedToLogin</key>
<string>school.edu</string>
</dict>