At Ohio State, the safety and privacy of our students, faculty and staff is top a priority. Now that Zoom is a crucial part of Buckeye life, we are working continuously to make our virtual classrooms and (home) office meetings safer. You may be wondering what you can do to help secure your CarmenZoom meetings. Below we have outlined a number of suggestions to help keep your virtual meetings and class sessions safe and secure. Expand each section for more information.
General Tips
- Log in to CarmenZoom at carmenzoom.osu.edu to manage your meeting security settings and before joining or starting a meeting to ensure that you have full access to the functionality of a Zoom pro account provided by your Ohio State license. See the Getting Started with CarmenZoom guide for more information on the various ways to access CarmenZoom.
- Update Zoom to the latest version. Zoom is regularly adding functionality to address security concerns. Make sure you have the latest version of the desktop client and mobile apps on your devices.
- These updates will be pushed automatically to Managed IT Services (MITS) devices.
- Generally, Zoom will automatically prompt you to update your desktop client when a new version is available. However, you can manually check for updates by opening the desktop app, clicking your profile picture, then clicking Check for Updates.
- Don't share the link to meetings in any public space, such as X (formerly Twitter) or Facebook. Some alternatives to sharing out the link include:
- If you want your event available to a wide audience, consider using Zoom’s registration options to better track who will be joining.
- With a smaller group of attendees who have registered and provided contact information, it may be feasible to send a passcode separately just to those you anticipate in the meeting.
- If you want only the host and designated panelists to be able to share during the event, consider requesting a webinar instead of using a standard meeting.
- Zoom should not be used for conversations that involve restricted (S4) data. Learn more about the Institutional Data Policy at the it.osu.edu site.
- If you intend to record and share your Zoom meetings, learn more about Zoom cloud recordings and protecting the privacy of your students.
Meeting Setup
The best way to deal with uninvited attendees is to set up your meeting to help keep them out in the first place.
Default Settings
CarmenZoom has a number of default security settings enabled to make your meetings more secure. Think of these default settings like wearing a helmet when you ride a bike. They are designed to protect you and removing those protections opens you up to risks. If you choose to alter some of these settings, it may be harder for Ohio State to look into a situation and identify the offenders in the case of a Zoom bombing attack.
- Meeting passcodes. Meeting passcodes create an additional layer that hackers must work to breach. While passcodes will be embedded in meeting links by default, you can choose to turn off this setting and send passcodes to your participants separately. If you are using the Canvas integration to schedule Zoom meetings with your students, you should leave the passcode embedded in the link.
- Join Before Host is disabled. The Join before Host option allows meeting participants, unwanted or not, to join your meeting before you.
Additional Settings
Consider the following additional meeting settings:
- Create scheduled meetings with a unique URL for each class session or meeting. Avoid using your Personal Meeting ID (PMI) to host public events. Your PMI is essentially one continuous meeting, and once someone has the link to your PMI, they can pop in and out at any time the meeting room is in use. To make your personal room more secure, turn on the waiting room option and/or lock the meeting once it begins.
- Turn on the Waiting Room. The Waiting Room is a virtual staging area that stops your guests from joining until you're ready for them.
- Restrict access to authenticated users. Requiring authentication to join Zoom meetings is a very powerful security measure. We strongly encourage you to select Require authentication to join in your meeting settings when your meeting includes only those associated with Ohio State. While the authentication setting doesn’t stop misbehavior from meeting attendees, it does keep those outside the university out of your meeting. The setting also ensures your poll and attendance reports identify participants by their Ohio State usernames, makes pre-assigned breakout rooms more feasible, and also makes it easier for Office of Institutional Equity (OIE) staff and cybersecurity experts to identify those who cause a disturbance.
This setting is Off by default to accommodate Extension offices and other groups with frequent contact outside Ohio State. To enable this setting, in the Settings menu at carmenzoom.osu.edu, under Schedule Meeting select Only authenticated users can join.
Ohio State students, faculty and staff can log into the Zoom Desktop Client or App by typing in their university email address and at least one character in the password box or by clicking Sign In with SSO. CarmenZoom users will also be automatically logged into the desktop client after logging in to other university services.
See the Getting Started with CarmenZoom guide for more information about accessing and logging in to CarmenZoom.
If some of your attendees do not have an Ohio State username, see the options below for allowing non-university guests.
Options for allowing non-university guests
Using the Only authenticated users can join setting will prevent guests who do not have an Ohio State Zoom account from entering the meeting, including some users from the College of Food, Agriculture and Environmental Sciences, Fisher College of Business, and some international students.
If your meeting includes non-university participants, you can use other strategies to control who can attend.
- Authentication Exception: Zoom's Authentication Exception allows you to invite specific non-university guests to your secure meetings. Each guest that is invited as an Authentication Exception will receive a unique link permitting them access to the meeting.
- Registration: Use Zoom's registration option for your meeting or webinar. You can customize the fields for your attendees to complete; Zoom will send them an individualized meeting link and passcode. Adding custom fields that relate to your event and using the option to manually approve registrations will give you an opportunity to screen potential attendees and block those who don’t have a legitimate interest in your event.
- Waiting Room: The Waiting Room is a virtual staging area that stops your guests from joining until you're ready for them. This way you can screen participants and only allow those you are expecting to join. Take a good look at the display name for each entrant before letting them in to the meeting. Many of the people who have disrupted Zoom meetings at Ohio State and elsewhere have advertised their bad intentions by using obviously offensive display names or names that are gross puns when said out loud.
In-Meeting Controls
Once your meeting begins, you have a number of options for reducing the chances of disruptions.
Record to the Cloud. Recordings saved to the cloud are helpful in the event of a disruption as they provide more information about the meeting and can help the appropriate authorities identify bad actors. This step is also beneficial as it provides a recording you can share with those unable to attend as well as auto-generated captions for the meeting. Learn more about cloud recordings.
Designate a moderator. For large profile meetings, it would be beneficial to designate one or more co-hosts to respond to disruptive behavior (see suggestions below).
Click on the Security icon, visible to meeting hosts and co-hosts, to manage the following in-meeting security options:
- By default, Zoom prevents participants from:
- Renaming themselves
- Sharing their screens (As the host, you can enable screen sharing)
- Lock the meeting. This setting may prevent invited guests from rejoining your meeting if they drop out due to internet connectivity issues.
- Enable the Waiting Room (even if it's not already enabled)
- Remove participants
- Restrict participants' ability to:
Using the advanced host controls you can also:
- Disable video and file transfer options
Addressing Disruptive Behavior
You've taken preventative steps, but Zoom bombing can still happen. If it does, use the following suggestions to help mitigate the disruptive behavior or participants.
- Remove disruptive users. From the Participants menu, you can hover over a participant's name, and several options will appear, including Remove. If you accidentally remove a participant, you can allow removed participants to rejoin; this option must be selected before the meeting begins.
- Put disruptive users on hold. You can put each participant on a temporary hold, including the attendees' video and audio connections.
- Disable video. Hosts can turn someone's video off. This will allow hosts to block unwanted, distracting, or inappropriate gestures on video.
- Mute participants. Hosts can mute/unmute individual participants or all of them at once. Hosts can block unwanted, distracting, or inappropriate noise from other participants. You can also enable Mute Upon Entry in your settings to keep the noise down in large meetings.
Sharing Cloud Recordings
By default, CarmenZoom cloud recordings require a passcode. Unlike meeting passcodes, recording passcodes cannot be embedded within the link for the recording.
If you are using the Zoom integration within CarmenCanvas, your students won't need a separate passcodes; when clicking to view the cloud recording, the passcode will be copied to the clipboard for them to paste when prompted, allowing them easy access directly from your Carmen course.
Cloud recordings are available to all students enrolled in a course. Students are not allowed to share these recordings. This is to protect the FERPA rights of all students in the course.
If you have a secure way of doing so (for instance, in your Carmen course, as mentioned above), please leave the setting in place and share the passcode. If sharing the password securely is not feasible, you may disable the passcode from specific recordings or change the default for your account.
Reporting an Incident
If you do experience zoom bombing or other inappropriate behavior in a Zoom meeting, contact carmenzoom@osu.edu with the following information:
- Meeting ID - For more information see the How do I find a Zoom Meeting ID? FAQ
- Ohio State username (lastname.#) of the person who created the meeting
- Date and time of the incident
- Brief description of the incident
- If you have a recording of the meeting, do not delete it
- Save the chat text, if applicable
If the incident involved any type of harassment, discrimination, or sexual misconduct, please report the incident to the Office of Institutional Equity.
See additional information regarding virtual meeting security for both Zoom and Skype at Cybersecurity For You.