Managing restricted voicemails for Zoom Phone

Zoom Phone users can use Restricted voicemails to secure the voicemails. Device Managed Encryption allows voicemail to be encrypted with keys that are not accessible to Zoom servers. Restricted voicemail can be decrypted only by the intended user recipient. This allows users to have additional security controls over their voicemails to maintain confidentiality. This functionality must be enabled by administrators before it's available to users.

Device Managed Encryption is currently available for two features:

Note: This setting is only available with Zoom app version 5.12.0 or later.

This article covers:

Prerequisites for managing restricted voicemail for Zoom Phone

Limitations of Device Managed Encryption

Device Managed Encryption for restricted voicemails has the following limitations:

Differences between Device Managed Encryption for restricted voicemails and regular voicemails

Device Managed Encryption for restricted voicemails has notable differences between regular voicemails as noted below.

Restricted voicemails are tied to a user’s device. Allowing device access to existing voicemails requires authorizing voicemails from a device that can access (e.g., voicemails that can be replayed) those voicemails.

How to enable or disable restricted voicemails for Zoom Phone

Once Device Managed Encryption is enabled, voicemail messages are received and recorded by Zoom servers, which encrypt them with keys only known to their intended recipients’ devices. When Device Managed Encryption is enabled, authorized admins can access and decrypt the account user’s data and help with provisioning new devices. Users under the escrow are notified that their data is under escrow.

Account

  1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
  2. In the navigation menu, click Account Management then Account Settings.
  3. Click the Zoom Phone tab.
  4. Under General, click the Restricted voicemails toggle to enable or disable it.
  5. If a verification dialog displays, click Enable or Disable to verify the change.
  6. (Optional) Click the lock icon  to prevent users in your account from disabling or enabling this feature.
  7. (Optional) Select the Disable incoming voicemails if devices have not been enrolled with client side encryption checkbox to prevent users who have not upgraded to encryption from receiving new voicemails, then click Save.

When enabled, Escrow and Allow users to create backup keys will be enabled by default, reflecting the security setup for Escrow. Escrow can only be configured from the security page.

Note: When escrow is enabled, it is enabled for both email and voicemail. You cannot enable escrow for one feature without the other.

Site

After setting up escrow, you can allow emails and voicemail messages for a specific site(s) to be encrypted using Device Managed Encryption.

  1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
  2. In the navigation menu, click Phone System Management, then Company Info.
  3. Click the name of the site.
  4. Click the Policy tab.
  5. Under General, click the Restricted voicemails toggle to enable or disable it.
  6. If a verification dialog displays, click Enable or Disable to verify the change.
  7. (Optional) To prevent all users in your account from changing this setting, click the lock icon , and then click Lock to confirm the setting.
  8. (Optional) Select the Disable incoming voicemails if devices have not been enrolled with client side encryption checkbox to prevent users who have not upgraded to encryption from receiving new voicemails, then click Save.

Phone user

After setting up escrow, you can allow emails and voicemail messages for a specific phone user(s) to be encrypted with Device Managed Encryption.

  1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
  2. In the navigation menu, click Phone System Management then Users & Rooms.
  3. Click the Users tab.
  4. Click the name of the user.
  5. Click the Policy tab.
  6. Under General, click the Restricted voicemails toggle to enable or disable it.
  7. If a verification dialog displays, click Enable or Disable to verify the change.
  8. (Optional) Select the Disable incoming voicemails if devices have not been enrolled with client side encryption checkbox to prevent users who have not upgraded to encryption from receiving new voicemails, then click Save.

Note: Disabling Device Managed Encryption for voicemails will still require voicemails that were encrypted with the device keys to continue to be encrypted with device keys and requires the devices to access those voicemails.

How to download escrow-encrypted voicemails

To download an escrow-encrypted voicemail, the escrow admin must sign in to a device that has been configured with escrow.

  1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
  2. In the navigation menu, click Phone System Management, then Logs.
  3. Click the Voicemail & Videomail tab.
  4. Identify your escrow encrypted voicemail.
  5. To the right of your escrow-encrypted voicemail, do the following actions: