Zoom IOS App configuration

promalley
New Contributor III

01a278446e964745b80f9678a42ea05d
I wanted to share my configuration XML for those wanting to rollout zoom to IOS and lock it down.

I am working through Zoom's documentation here:
Using MDM to configure Zoom on iOS

The following is the configuration I used:

<dict> <key>SetSSOURL</key> <string>yourdomain</string> <key>SetEmailDomainsRestrictedToLogin</key> <string>yourdomain.org</string> <key>ForceLoginWithSSO</key> <integer>1</integer> </dict>
35 REPLIES 35

twall
New Contributor III

@promalley I don't see the SetEmailDomainsRestrictedToLogin key in the Zoom documentation, does that work...?

promalley
New Contributor III

It works for me! One thing to note is that it would be your domain URL not just the domain.

promalley
New Contributor III

I just noticed they removed the SetEmailDomainsRestrictedToLogin from their support page and added a few other options. I am unsure as to if it will continue to be supported.

mainelysteve
Valued Contributor II

As of 4.6.9 it still functions but like you said its future may be in doubt.

The Chrome OS app supports disabling Facebook logins. I tried in vain yesterday to disable that but could only block email sign ins. We aren't allowing students to create accounts or login using school email addresses/accounts. They should only be joining teacher created meetings. Many other keys are available too, but the iOS/iPadOS app doesn't quite have that parity.

The force SSO login prompt should have the X removed from the prompt window. What's the point of forcing it if it can be easily bypassed?

ralvarezOES
Contributor

Hi. I'm having a hard time uploading this file to my Jamf Pro. I'm using using the built-in Propertylist editor in MacOS to create a plist with those three configuration items. But it doesn't appear to be a proper plist. What's the easiest way to create a plist or mobileconfig with those items in it? I also downloaded ProfileCreator from Github, but I can't figure out how to make a custom profile with it.

atomczynski
Valued Contributor

Is it possible to create an app config for iOS/iPadOS where it locks in domain name but the user does not actually log in to the app? The user only connects to a channel?

This would be helpful for our student iPad devices where they would not be creating Zoom accounts and be able to connect with persons outside the domain.

ralvarezOES
Contributor

So I've been trying to create a configuration profile to accomplish this. Is that not what this is? what is an app config?

mainelysteve
Valued Contributor II

@ralvarezOES Managed app configurations are XML just like property lists and config profiles but they're stripped to just a dictionary array and the settings inside it.
I.e. it should look like this:
<dict>
settings here
</dict>

ralvarezOES
Contributor

Ok thanks. I see there is an "app configuration" section in the managed Mobile device Apps. I'll start playing with this, but maybe you can answer a question. If the app is already installed on the devices, would a new configuration take affect? Or would I have to uninstall and reinstall the app on all the devices?

mainelysteve
Valued Contributor II

The app doesn't need to be reinstalled. Once a valid config is saved it will send a Managed App Configuration command to the devices. They may need to quit the app if it's open during that time. The worst case scenario is a reinstall using Self Service.

promalley
New Contributor III

I edited the post with a screenshot of where the configuration should be pasted.

hodgesji
Contributor

Not applicable

Thanks! Working fine for me

jaellington
New Contributor III

Works well - just wish there was an option to keep kids from uploading custom backgrounds. They can get...creative.

mrandle
New Contributor

Does anyone have an example of the XML for configuring Zoom for iPads within Jamf School?
I tried to create a Managed App Configuration on the Zoom app and apply it to a group.
I thought I would just try to disable the facebook login. It does display an error "malformed document. First element should be <plist>". Yet it lets me apply to a group and save. But it doesn't work. Any help would be appreciated.

Here is my configuration:
<dict>
<key>DisableFacebookLogin</key> <integer>1</integer>
</dict>

bmacedo
New Contributor

@jaellington It looks like they do have support for this feature! Zoom Documentation Here

It would look like this:
<dict>
<key>DisableVirtualBkgnd</key> <integer>1</integer>
</dict>

Columbo
New Contributor II

Unfortunately, this is different in Jamf School. So, when I go into Managed Configuration for the Zoom App, I put in:
<dict> <key>ForceLoginWithSSO</key> <integer>0</integer> <key>mandatory:EnableAppleLogin</key> <integer>0</integer>
<key>mandatory:DisableFacebookLogin</key> <integer>1</integer> <key>mandatory:DisableGoogleLogin</key> <integer>1</integer> <key>mandatory:DisableLoginWithEmail</key> <integer>1</integer>
</dict>

But, I get this error: "malformed document. First element should be <plist>"

So, logically, one would think it should look something like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict> <key>nogoogle</key> <true/> <key>nofacebook</key> <true/> <key>disableloginwithemail</key> <true/> <key>nosso</key> <true/>
</dict>
</plist>

Is there any documentation that shows how the plist should be:

  1. Written for Zoom
  2. Where it is placed
  3. Is it a plist or .mobileconfig

mainelysteve
Valued Contributor II

A quick Google search shows that it's:

<plist version="1.0">
<dict>
.......
</dict>
</plist>

bvondeylen
Contributor II

This should work for Jamf School, but you need to make it the 2nd TAB, not the 1st TAB (leave the 1st TAB blank) and then set the 2nd TAB as the default. The below is if you purchased Zoom and are using SSO.

<plist>
<dict>
<key>ForceLoginWithSSO</key>
<integer>1</integer>
<key>ForceSSOURL</key>
<string>yourdistrict.com</string>
<key>MeetingReminder</key>
<integer>1</integer>
<key>SyncMeetingFromCalendar</key>
<integer>0</integer>
</dict>
</plist>

JamesG
New Contributor II

Out of curiosity, why does it need to be on the 2nd tab?

Columbo
New Contributor II

If you look at my directions further down the page (post 3/5/2021), no second tab needed. You just need the one and then choose whether or not to scope it to the group in step 3.

 

I hope this helps.

user-tfABOollWd
New Contributor

Hello! Apologies if this has already been answered, but we're starting to notice students using the chat function of Zoom as a texting service during classes. Ideally, we would rather students only be able to join meetings, and not sign-in with their gsuite accounts. Is there a way to do this with xml? I've sent in a ticket already, but was curious to know if anyone here could help me out. Thank you in advance!

blackholemac
Valued Contributor III

@user-tfABOollWd We had that same problem and I solved it by essentially yanking all the authentication methods from their iPads. Use this Managed App Config to do so with Jamf Pro. When they open the app and try to sign in, they then have no method to do so. Of course I have the unrestricted version scoped to the staff:

<dict>
<key>mandatory:EnableAppleLogin</key>
<integer>0</integer>
<key>mandatory:DisableGoogleLogin</key>
<integer>1</integer>
<key>mandatory:DisableFacebookLogin</key>
<integer>1</integer>
<key>mandatory:DisableLoginWithSSO</key>
 <integer>1</integer>
<key>mandatory:DisableLoginWithEmail</key>
 <integer>1</integer>
</dict>

YanW
Contributor III

@blackholemac How do you scope a same app with different App Config to two different groups?

blackholemac
Valued Contributor III

@YanW Two instances of the app in the app catalog. So we have two VPP accounts, one scoped to go to Staff which has no app config and the other scoped to Students which has the app config shown above.

user-parrfaAIYt
New Contributor

Is it possible to use add something in to this xml file to force a sign out of the users account when they close the App? We'd like to have this on some shared sets of iPads (not the 'Shared iPad' feature) but not have the worry of it staying signed into the user's Zoom account when they put the iPad back. Anyone know if this is possible?

mrmiller
New Contributor III

Has anyone gotten Zoom iOS configuration to work in jamf school? I am testing Jamf School and am very frustrated. While I appreciate the responses in the thread, none of them seem to work for me. I'm likely missing something. But I just get errors or no change to the app. Thanks

ctarbox
Contributor II

@user-parrfaAIYt I am also looking for this functionality. Did you have any luck with getting this to work?

mainelysteve
Valued Contributor II

@ctarbox @user-parrfaAIYt Don't think so. The link below lists all the available keys you can use.

https://support.zoom.us/hc/en-us/articles/360022302612-Using-MDM-to-configure-Zoom-on-iOS

Columbo
New Contributor II

Good Morning,

I am able to do it for our ipads within Jamf School. The configuration below doesn't allow a student to login whatsoever. Basically, when the student taps on "Join", the screen is blank as there are no options to log in.

To use this, you need to:

  1. Go to Apps and select the Zoom Cloud Meetings app.
  2. Create a Managed Configuration and copy the below script to it.
  3. Scope where you want to apply the Managed Configuration. Be sure to also click on the gear on the top right of the device group you want to apply the configuration to and select the newly created Managed Configuration.

<plist>
<dict>
<key>DisableLoginWithSSO</key>
<integer>1</integer>
<key>DisableFacebookLogin</key>
<integer>1</integer>
<key>DisableGoogleLogin</key>
<integer>1</integer>
<key>DisableLoginWithEmail</key>
<integer>1</integer>
<key>mandatory:EnableAppleLogin</key>
<integer>0</integer>
</dict>
</plist>

I hope this helps!
55be73015ed348cbbff3b9804e27588b

JamesG
New Contributor II

Haven't been able to get this to work at all in Jamf School.

Columbo
New Contributor II

What exactly isn't working? Did you do step 3? Step 3 I initially missed when attempting this. 

JamesG
New Contributor II

No part of the config works at all for Zoom. I did copy/paste yours verbatim to eliminate any potential errors. I changed it to Automatic installation for all groups with the gear icon, no effect.

mainelysteve
Valued Contributor II

See @Columbo's response above. It's sounding like you've overlooked the managed configuration portion of the setup. Make sure your managed configuration is checked as shown in the example below.

Screen Shot 2022-01-07 at 2.11.51 PM.png

kevin_v
Contributor

Just chiming in with what worked for me as of 09/2022 on iOS 15:

<dict>
<key>ForceLoginWithSSO</key>
<true/>
<key>ForceSSOURL</key>
<string>YourOrgName</string>
</dict>

 

For whatever reason, integers of 1 or 0 were not working, but true/false values did.