Settings for Securing Zoom

UC Berkeley Zoom 

UC Berkeley's Zoom service may only be used for P3 (and below) data according to the Berkeley Data Classification Standard and may not be used to transmit or store P4 data including, but not limited to: Social Security numbers, financial account numbers, or export controlled data. Refer to the Data Classification Standard for a comprehensive list of P4 data types.  

This applies to video and audio transmission of data in Zoom meetings, and storage of data via Zoom cloud recordings. 

Zoom HIPAA accounts may only be used to transmit HIPAA data (e.g. telehealth sessions). Zoom HIPAA accounts may *NOT* be used to transmit other P4 data.


1. Keep Zoom Up-to-Date

Zoom is continuously releasing new and improved features for their application. Therefore, it is important that you have the latest version installed.

To update through the desktop-client:

  • Open the Zoom application on your system and select “Check for Updates...” from the zoom.us drop-down menu

To download and install new versions through the Zoom site:

Note: depending on how Zoom was initially installed on your device an admin password may be needed to install updates. Contact ITCS itcsshelp@berkeley.edu or your departmental IT staff for assistance if your system prompts you for admin credentials. 

2. Prevent Zoom-bombing

At the first sign of problems, select "Security" then "Suspend Participant Activities", then remove unwanted visitors.

Zoom-bombing is the term for when individuals "gate-crash" Zoom meetings. These uninvited guests share their screens to bombard real attendees with disturbing pornographic and/or violent imagery. Be sure to secure your Zoom  with this tips below. For a complete list see Zoom's manual on Securing Zoom Settings.

If you experience abuse while using Zoom report it to: zoom-misuse@berkeley.edu.

2.1 Avoid Hosting Public Meetings

If you share your meeting link on social media or another public location (like a public bCal invite) anyone with the link can join your meeting. Here are some tips you can use to help when needing a public meeting space:

  • Do not use your Personal Meeting ID (PMI) to host public events. Your PMI is essentially one continuous meeting and people can pop in and out all the time. Learn about meeting IDs and how to generate a random meeting ID (at the 0:27 mark) in this video tutorial
  • Familiarize yourself with Zoom’s settings and features. Understand how to protect your virtual space. See Zoom's manual on Securing Zoom Settings.
  • Password Protect your Zoom Meetings. UC Berkeley Zoom defaults to require a password for new meetings, instant meetings, PMI meetings or even phone participants. You can also choose not to include the password in the meeting link.
  • Avoid ‘Join Before Host.’  The UC Berkeley Zoom 'Join Before Host' setting will be disabled by default so that a meeting will not start until the host starts the meeting. Participants who try to join before the meeting has started will see a pop up dialog that says "The meeting is waiting for the host to join." If you must use the ‘Join Before Host’ option, you should assign a password to protect the meeting.

3. Manage Security Settings 

Security iconZoom’s security features are grouped together and found by clicking the Security icon in the meeting menu bar on the host's interface.

Zoom security button

You can also lock the Screen Share by default for all your meetings in your web settings.

Screen Sharing

4. Manage your participants

4.1 Allow only signed-in users to join

All participants and hosts will be required to sign into a Zoom account prior to joining meetings hosted by UC Berkeley. If someone tries to join your event and isn’t logged into Zoom with the email they were invited through, they will receive this message:

Denied Screen

UC Berkeley's Zoom instance has been configured to allow *.berkeley.edu users who are authenticated in when this setting is selected. 

4.2 Lock the meeting:

When you lock a Zoom Meeting after it has started, no new participants can join, even if they have the meeting ID and password (if you have required one). This setting can be found via the security icon in the settings bar.

4.3 Set a password: 

UC Berkeley's Zoom defaults to require all new meetings and webinars to use a password. 

4.4 Remove unwanted or disruptive participants:

From the Participants menu, hover over a participant’s name, and several options will appear, including Remove. 

  • When you do remove someone, they can’t rejoin the meeting. But you can toggle your settings to allow removed participants to rejoin, in case you remove the wrong person.
  • Alternatively, you can put each participant on a temporary hold, including the attendees’ video and audio connections. Click on someone’s video thumbnail and select Start Attendee On Hold to activate this feature. Click Take Off Hold in the Participants list if/when you’re ready to have them back.
  • Hosts can turn participant's video off. This will allow hosts to block unwanted, distracting, or inappropriate gestures on video.
  • Hosts can mute/unmute individual participants or all of them at once. Hosts can block unwanted, distracting, or inappropriate noise from other participants. You can also enable Mute Upon Entry in your settings to keep the noise down in large meetings.

4.5 Turn off file transfer: 

In-meeting file transfer allows people to share files through the in-meeting chat. Turn this off to keep the chat from getting unwanted content.

4.6 Turn off annotation:

You and your attendees can doodle and mark up content together using annotations during screen share. You can disable the annotation feature in your Zoom settings to prevent people from using it.

4.7 Disable private chat: 

Zoom has in-meeting chat for everyone or participants can message each other privately. Restrict participants’ ability to chat with each another during your meeting. This prevents anyone from getting messages during the meeting.

4.8 Use a waiting room or passcode:

Zoom requires all meetings to use a waiting room or passcode. When attendees join a meeting, place them in a waiting room and require the host to admit them individually. Enabling the waiting room automatically disables the setting for allowing attendees to join before host

Meeting hosts can customize Waiting Room settings for additional control, and you can even personalize the message people see when they hit the Waiting Room so they know they’re in the right spot. 

5. Secure Zoom Recordings

On occasion, you may need to record the audio and/or video of a Zoom meeting to share with others. It’s important that these files are stored appropriately according to the protection level of the data captured in the recording. 

5.1 Local Recordings

The UC Berkeley Zoom team recommends using local recordings by default. Local recordings are the most cost effective and afford you the most flexibility afterwards.

Enabling local recordings:

You can enable local recordings and configure settings by signing into the Zoom web portal. See the “For your own use” section in the linked support article.

Sharing local recordings:

Local recordings may be uploaded and shared using the following campus collaboration tools:

NOTE: When using these collaboration tools, you may only store and share Zoom recordings containing P1, P2, or P3 data according to the Berkeley Data Classification Standard.

5.2 Cloud Recordings

The only time you may want to consider using the “Record to the Cloud” option is if you want to make recordings available to others to download or stream directly. 

When a campus member uses their UC Berkeley Zoom account to host a meeting that is recorded to the Zoom Cloud, the resulting recording will be automatically copied to UC Berkeley’s campus video management system, Kaltura. One of two things will happen:

  1. If the Zoom account owner has no Kaltura account, the recording will be deleted from Kaltura within 24 hours (this does not affect the Zoom Cloud recording, which will still be available in Zoom for 30 days). It will never be shared with anybody else.

  2. If the Zoom account owner has a Kaltura account (which they do, if they’ve ever interacted with the Kaltura system, either in bCourses or Mediaspace), the copy of the media will be saved permanently in the owner’s personal media repository in Kaltura (“My Media”). Further action will be required to share with others.
    Update 1/15/21: For those who access Kaltura thru bCourses, it is also critical that the email address you have starred under "Ways to Contact" in your bCourses Account Settings matches the Sign-in Email address listed in your Zoom Profile. We expect that these do match for the vast majority of campus members; you would have to have actively added an additional email address to your bCourses Account Settings and selected it as your default—clicked the star next to it—in order for it NOT to match your Zoom email address. If they do not match, it is best that you change your default email address in bCourses so that it matches what is in Zoom. (If making this change has undesirable impacts, please contact us at kalturahelp@berkeley.edu and they will try to find a workaround.)

5.2.1 Enabling authentication options:

To prevent your cloud recordings from being discovered publicly, you must enable the “Only authenticated users can view cloud recordings” option under your user/account “Recordings” settings. 

Once authentication options are enabled (via the blue toggle button), there are two ways to control who has access to your cloud recordings:

  1. UC Berkeley Domain -- use if all users in the *.berkeley.edu domain should have access to your cloud recordings
  2. Signed-in users in my account --  use if only you, the account holder, should have access to your cloud recordings

5.2.2 Password-protection of cloud recordings:

"Require password to access shared cloud recordings" is the default setting on all accounts. This means password protection will be enforced for shared cloud recordings. A random password will be generated which can be modified by the account holder. This setting has been automatically applied to recordings made after Apr. 12, 2020.

If your account has the "Only authenticated users can view cloud recordings" activated, the viewer will be asked to log in with both a CalNet ID and with the recording password. You can turn off the "authenticated" feature on individual recordings and activate the password protection, then the viewer will not have to log in with a CalNet ID but will need to enter the password.

Be aware: Although you can turn off the "Require Password" and "Only authenticated users can view cloud recordings" options, the recordings are not secure and will make them publicly accessible. We recommend using one or both options unless your recording is intended for public use.

Berkeley Zoom Related Resources: