# Zoom for Intune Field Guide ## **Introduction** The Zoom Workplace for Intune mobile apps for iOS and Android are compatible with both mobile application management (MAM) and mobile device management (MDM). These apps can receive company-provided configurations to help enforce custom preferences, security settings, and data loss prevention policies within the application. This guide explains how to add and configure Zoom Workplace for Intune policies in your Microsoft Endpoint Manager tenant. ## **Before you begin** This guide includes instructions for both mobile device management (MDM) and mobile application management (MAM) deployments for Zoom Workplace for Intune on iOS/iPad and Android. Some sections apply to all deployments, while the applicability of others depends on whether you are managing fully managed devices or only the application itself. ## **Step 1: Add Zoom Workplace for Intune to your apps list** Add the Zoom Workplace for Intune application for your applicable operating systems. This is required before you can configure an App Protection Policy in the next section. ### iOS 1. Navigate to the [Apps menu](https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/AppsMenu/overview) within Microsoft Endpoint Manager. 2. Select **iOS/iPadOS** under the **Platforms** menu. 3. Select **+ Create**. 4. Under *Select app type* choose **iOS store app** and press **Select** to continue. 5. On the next page, select **Search the App Store**, search *Zoom Workplace for Intune*, and select it. 6. Customize any information or settings such as the *Minimum operating system* or *Applicable device type* and select **Next**. 7. Assign the app to users or groups based on your company policies and select **Next**. {% hint style="info" %} **Note** We suggests only assigning the app to an initial testing group when first configuring to prevent user access before the application is fully configured. {% endhint %} 8. Review the app settings and assignments, and select **Create** to complete . ### Android 1. Navigate to the [Apps menu](https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/AppsMenu/overview) within Microsoft Endpoint Manager. 2. Select **Android** under the **Platforms menu**. 3. Select **+ Create**. 4. Under *Select app type* choose **Managed Google Play app** and press **Select** to continue. 5. In the Managed Google Play store, locate Zoom Workplace for Intune. 6. Select the **Approve** option to review the app conditions and approve the app. 7. Press the 🔄 Sync button in the top-left corner to synchronize permissions and complete the app addition. 8. **Refresh** the application list and select the **Zoom Workplace for Intune** app from the **Managed Google Play store**. 9. Select **Properties** in the left-hand menu, and click **Edit** next to **Assignments**. 10. Assign the app to users or groups based on your company policies and select **Review + Save**. {% hint style="info" %} **Note** We suggests only assigning the app to an initial testing group when first configuring to prevent user access before the application is fully configured. {% endhint %} 11. Review the settings and click **Save** to complete. ## **Step 2 (Optional): Configure an App Protection Policy** App Protection Policies are optional Intune policies that apply app-level controls to help protect organizational data in supported mobile apps. They can enforce requirements such as work credentials or PIN access, restrict data transfer between apps, and help prevent data loss without requiring full device enrollment. Organizations may choose to use these policies when they need additional protection for company data, particularly in bring-your-own-device environments, while others may omit them if their deployment only requires basic app distribution or device-level management. The following steps outline how to configure an app protection policy, but an example is provided at the end of these steps for your convenience. 1. Navigate to the [**Apps**](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/AppsMenu/~/overview) menu within Microsoft Endpoint Manager. 2. Select **Protection** under the **Manage Apps** menu. 3. Click **+ Create** and select your platform (**iOS/iPadOS** or **Android**) from the dropdown. 4. On the **Basics** page, **Name** your app protection policy (e.g., Zoom Workplace for Intune - Android/iOS), provide a description, and select **Next** to continue. 5. Below, click **+ Select public apps**, choose *Zoom for Intune,* and click **Next**. **Note:** In the App Protection Policy public app selector, the app is listed as *Zoom for Intune* — not *Zoom Workplace for Intune.*
6. On the **Data protection** page, choose the data loss prevention policies for the Zoom Workplace for Intune application and click **Next**. {% hint style="warning" %} **Heads Up** An example of policies is provided below for your reference. {% endhint %} 7. On the **Access requirements** page, configure applicable access policies and click **Next**. 8. On the **Conditional launch** page, configure any applicable settings and click **Next**. 9. On the **Assignments** page, assign the app protection policy to users or groups based on your company policies and select **Next.** 10. Review the policy’s settings and assignments, and select **Create** to complete. 11. Repeat this process for the remaining operating system if necessary. ### App Protection Policy Example The following example app protection policy settings reflect a common data loss prevention (DLP) baseline for Intune-managed mobile apps. These settings are provided for example purposes only and should be reviewed and adjusted to meet your organization's security and usability requirements. | Setting | Example configuration | Description | | ------------------------------------------------ | --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- | | Send org data to other apps | Policy managed apps | Allows organizational data to transfer only to other Intune-managed apps. | | Restrict cut, copy, and paste between other apps | Policy managed apps | Prevents users from copying or pasting organizational data into unmanaged apps. | | Save copies of org data | Block | Prevents users from saving organizational data to unmanaged locations. | | Backup org data | Block | Prevents organizational data from being included in personal cloud backups. | | Encrypt org data | Require | Requires encryption for organizational data stored by the app. | | PIN for access | Require | Requires users to enter an app PIN before accessing work data. | | Recheck the access requirements after | 30 minutes | Requires the app to revalidate access requirements after inactivity. | | Max PIN attempts | 5 | Limits incorrect PIN attempts before the configured corrective action occurs. | | Offline grace period | Block access after 1440 minutes; wipe after 90 days | Allows temporary offline access, then blocks access or removes work data if the device remains offline too long. | | Jailbroken/rooted devices | Block access | Prevents access to work data from compromised devices. | ## **Step 3: Configure an App Configuration Policy** App Configuration Policies are optional Intune policies that provide app-specific settings to supported mobile apps, allowing organizations to preconfigure features and behavior without requiring users to manually enter those settings. They are commonly used to deliver company-defined values such as account setup information, feature preferences, or other app-specific options through either the managed device or managed app channel, depending on how the app is deployed and supported. The following steps outline how to configure an app protection policy, but an example is provided at the end of these steps for your convenience. Choose the section below that matches your deployment model. ### Option A: Managed Devices (MDM) This section explains how to configure Zoom Workplace for Intune for fully managed devices. If you only need to manage the Zoom Workplace for Intune app and not the entire device, see the Mobile Application Management instructions below instead. #### iOS 1. Navigate to the [**Apps**](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/AppsMenu/~/overview) menu within Microsoft Endpoint Manager. 2. Select **Configuration** under the **Manage Apps** menu. 3. Click **+ Create** and select **Managed devices**. 4. On the following page, **Name** your app configuration policy (e.g., Zoom Workplace for Intune - iOS) and provide a description. 5. Device enrollment type should be set to **Managed devices**. 6. **Set the Platform** to **iOS/iPadOS**. 7. Click **Select app,** select **Zoom Workplace for Intune** app, and press **Next** at the bottom of the page.
8. On the following page, **set the Configuration settings format** to either *Use configuration designer* or *Enter XML data*, based on your configuration method: 1. *Use configuration designer* is a direct input method to specify the configuration *key*, *value type*, and *value* without XML encoding. 2. *Enter XML data* is an input method that can receive the configuration in XML format. 9. Configure the general application settings using either method from our available [configuration policies for iOS](https://support.zoom.us/hc/en-us/articles/360022302612-Mass-deploying-with-preconfigured-settings-for-iOS#h_42bcfc0d-995f-4645-a781-1cfde71b96b0) and click **Next** once complete (an example configuration is provided at the bottom of this section). 10. Assign the configuration policy to users or groups based on your company policies and select **Next**. 11. Review the configuration’s settings and assignments, and select **Create** to complete. #### Android 1. Navigate to the [**Apps**](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/AppsMenu/~/overview) menu within Microsoft Endpoint Manager. 2. Select **Configuration** under the **Manage Apps** menu. 3. Click **+ Create** and select **Managed devices**. 4. On the following page, **Name** your app configuration policy (e.g., Zoom Workplace for Intune - Android) and provide a description. 5. Device enrollment type should be set to **Managed devices**. 6. **Set the Platform** to **Android Enterprise**. 7. Choose the **Profile Type** that you are creating the policy for. 8. Click **Select app,** select **Zoom Workplace for Intune**, and press **Next** at the bottom of the page. 9. On the following page, select your **Configuration settings format:** 1. *Use configuration designer* will present a comprehensive list of settings that can be individually selected and configured through the **+ Add** button. 2. *Enter JSON data* will present an editable text field with JSON formatting for configurable policies that can be applied. 10. Configure the general application settings using either method from our available [configuration policies for Android](https://support.zoom.us/hc/en-us/articles/360031913292-Mass-deploying-with-preconfigured-settings-for-Android#h_ded298c2-ef3c-4f03-bce6-66f28ee81fa9) and click **Next** once complete (an example configuration is provided at the bottom of this section). 11. Assign the configuration policy to users or groups based on your company policies and select **Next**. 12. Review the configuration’s settings and assignments, and select **Create** to complete. ### Option B: Managed Applications (MAM) This section details how to configure the Zoom Workplace for Intune application on devices that do not require full device management. This configuration allows users to install Zoom Workplace for Intune on their personal devices without granting full device management and is suitable for Bring-Your-Own-Device (BYOD) environments. #### iOS 1. Navigate to the [**Apps**](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/AppsMenu/~/overview) menu within Microsoft Endpoint Manager. 2. Select **Configuration** under the **Manage Apps** menu. 3. Click **+ Add** and select **Managed apps**. 4. On the following page, **Name** your app configuration policy (e.g., Zoom Workplace for Intune - iOS) and provide a description. 5. Confirm **Target policy to** is set to *Selected apps*, click **+ Select public apps**, add **Zoom for Intune** for iOS/iPadOS from the list, and click **Next**. 6. Click **Next** on the **Settings Catalog** page. 7. On the **Settings** page, configure the general application settings from our available [configuration policies for iOS](https://support.zoom.us/hc/en-us/articles/360022302612-Mass-deploying-with-preconfigured-settings-for-iOS#h_42bcfc0d-995f-4645-a781-1cfde71b96b0) and click **Next** once complete (an example configuration is provided at the bottom of this section).

Warning

Boolean configuration values must use 0 for false and 1 for true.

8. Assign the configuration policy to users or groups based on your company policies and select **Next**. 9. Review the configuration’s settings and assignments, and select **Create** to complete. #### Android 1. Navigate to the [**Apps**](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/AppsMenu/~/overview) menu within Microsoft Endpoint Manager. 2. Select **Configuration** under the **Manage Apps** menu. 3. Click **+ Add** and select **Managed apps**. 4. On the following page, **Name** your app configuration policy (e.g., Zoom Workplace for Intune - Android) and provide a description. 5. Confirm **Target policy to** is set to *Selected apps*, click **+ Select public apps**, add **Zoom for Intune** for Android from the list, and click **Next**. 6. Click **Next** on the **Settings Catalog** page. 7. On the **Settings** page, configure the general application settings using either method from our available [configuration policies for Android](https://support.zoom.us/hc/en-us/articles/360031913292-Mass-deploying-with-preconfigured-settings-for-Android#h_ded298c2-ef3c-4f03-bce6-66f28ee81fa9) and click **Next** once complete (an example configuration is provided at the bottom of this section).

Warning

Boolean configuration values must use 0 for false and 1 for true.

8. Assign the configuration policy to users or groups based on your company policies and select **Next**. 9. Review the configuration’s settings and assignments, and select **Create** to complete. ### App Configuration Policy Example The following example app configuration policies for iOS and Android use the settings below. These values represent common enterprise configuration choices and are included as an example only. Organizations should review and modify them as appropriate for their environment and security requirements. Refer to Zoom’s Support Center for the full list of configurable policies for [iOS](https://support.zoom.us/hc/en-us/articles/360022302612-Mass-deploying-with-preconfigured-settings-for-iOS#h_42bcfc0d-995f-4645-a781-1cfde71b96b0) and [Android](https://support.zoom.us/hc/en-us/articles/360031913292-Mass-deploying-with-preconfigured-settings-for-Android#h_ded298c2-ef3c-4f03-bce6-66f28ee81fa9). #### iOS | Configuration Key | Value | | -------------------------- | :-------------------: | | DisableFacebookLogin | 1 | | DisableGoogleLogin | 1 | | mandatory:EnableAppleLogin | 0 | | ForceLoginWithSSO | 1 | | IntuneMAMUPN | {{UserPrincipalName}} | | DisableLoginWithEmail | 1 | | EnforceLoginWithMicrosoft | 0 | | DisableUserSignUp | 1 | | EnableCloudSwitch | 0 | | DisableLoginWithMicrosoft | 1 | | SetSSOURL | "sample" | #### Android | Configuration Key | Value | | ------------------------------------------ | :------: | | mandatory:choice:DisableFacebookLogin | 1 | | mandatory:choice:DisableGoogleLogin | 1 | | mandatory:choice:DisableLoginWithEmail | 1 | | mandatory:choice:DisableUserSignUp | 1 | | mandatory:choice:EnableAppleLogin | 0 | | mandatory:choice:ForceLoginWithSSO | 1 | | mandatory:choice:EnforceLoginWithMicrosoft | 0 | | mandatory:choice:DisableLoginWithMicrosoft | 1 | | mandatory:choice:SetSSOURL | "sample" | ## **Additional Considerations** #### Users can use both Zoom Workplace for Intune and the commercial Zoom Workplace mobile app on the same device Users that enroll personally-owned devices can install both the managed Zoom Workplace for Intune app *and* the commercial Zoom Workplace mobile app on the same device. This allows users to have a personal Zoom Workplace app in addition to their company-managed Zoom Workplace application. Customers that wish to enforce a secure container and prevent data leakage between company-managed applications like Outlook or similar applications are recommended to configure an app protection policy that supports these goals. #### Accounts can require Zoom Workplace for Intune authentication from mobile devices for their account To maintain account security, Zoom accounts can be configured to require users to authenticate through the managed Zoom Workplace for Intune app on mobile devices. Once enabled, Zoom will reject any mobile client authentication requests from the commercial Zoom Workplace mobile app. This does not impact mobile browser authentication, including single sign-on (SSO), and only applies to mobile applications. To enable this feature, [submit a ticket](https://support.zoom.us/hc/en-us/requests/new) to Zoom Support from a Zoom admin account requesting to “Restrict the mobile client login type to Zoom Workplace for Intune.” #### Accounts can phase users into Zoom Workplace for Intune using group-level sign-in enforcement By default, enabling Zoom Workplace for Intune does not prevent users from continuing to sign in through the commercial Zoom Workplace mobile app. For accounts that need more control over their rollout, Zoom offers an optional account-level feature that allows administrators to enforce Zoom Workplace for Intune sign-in on a per-group basis. When enabled, a setting becomes available at the User Group level that restricts members of that group to signing in exclusively through the Zoom Workplace for Intune app — users in the group will be unable to authenticate through the commercial Zoom Workplace mobile app. This allows administrators to migrate users to the managed Zoom Workplace for Intune app incrementally, group by group, rather than enforcing the requirement across the entire account at once. This feature is not enabled by default and must be activated by the Zoom support team. To request access, [open a ticket](https://support.zoom.us/hc/en-us/requests/new) with Zoom Support and ask to enable the **group-specific Intune sign-in enforcement system property** for your account. #### Accounts can verify user identity against their Microsoft tenant to prevent authentication spoofing and remove one-time passwords Zoom provides an optional account-level setting that allows administrators to paste their **Microsoft Tenant ID** directly into their Zoom account. When configured, Zoom validates each user's authentication against that tenant at sign-in to confirm that the identity presented matches a verified record in the organization's Microsoft directory. This verification step also eliminates the current one-time password (OTP) prompt that users would otherwise receive during authentication. This feature is not enabled by default and requires activation by the Zoom support team before the setting will appear in your account. To request access, [open a ticket](https://support.zoom.us/hc/en-us/requests/new) with Zoom Support and ask to enable **Allow to add Microsoft tenant ID for user verification** for your account. To configure this once enabled, navigate to **Account Settings → Security** and locate the **Verify users using your Microsoft account tenant ID** setting. ## **Troubleshooting** ### Permissions Error If users receive an access error when attempting to open *Zoom for Intune*, this is typically caused by missing admin consent permissions for the *Zoom for Intune* Azure Gallery application. **To resolve this, complete the following steps:** 1. Construct the admin consent URL below, replacing `{tenant-id}` with your organization's Azure Tenant ID (available on the **Azure Active Directory Overview** page), then open it in a browser signed in with an admin account: `https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=ed58ed1a-51b6-4477-823b-e46f39d73587` **Note:** The `client_id` in this URL references the *Zoom for Intune* Azure Gallery application. Opening this URL will add the application to your tenant (if not already present) and set its initial permissions: **Read and write app management data** and **Sign in and read user profile**. 2. Navigate to the **Azure admin portal** () and sign in with an account assigned one of the following roles: **Global Administrator**, **Cloud Application Administrator**, **Application Administrator**, or **Owner** of the service principal. 3. In the left navigation, go to **Enterprise Applications** and search for *Zoom for Intune*. Select the application. 4. In the application's left menu, select **Permissions**, then select **Grant admin consent for \[your organization]**. ### Authentication Error 530021 The Zoom for Intune app may encounter authentication error 530021 because of certain Intune Conditional Access configurations. This happens when admins configure Conditional Access to require both **Require approved client app** and **Require all the selected controls enabled**, which blocks Zoom sign-in because only Microsoft applications are included on the approved client app list; updating the Conditional Access policy resolves the issue. Refer to Zoom’s support center for instructions on [Configuring the Conditional Access policy for Zoom for Intune](https://support.zoom.com/hc/en/article?id=zm_kb\&sysparm_article=KB0058176). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://library.zoom.com/admin-corner/account-and-endpoint-management/zoom-for-intune-field-guide.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.