security· 10 min read

Securing Your Meeting Room Displays: A Sysadmin's Checklist

The security review your meeting-room display rollout is going to face, and how to pass it the first time. Network segmentation, MDM, OAuth scopes, firmware, GDPR for booking data, and a one-page InfoSec answer sheet.

Most meeting-room display rollouts get blocked twice: once by the office manager who can't pick a vendor, and once by InfoSec who can't decide whether the chosen vendor is safe to put on the network. The first one is a procurement problem. The second one is a checklist.

This is the checklist. It's the security review your rollout is going to face from any half-serious InfoSec team, and the answer sheet that lets you pass it the first time. It's vendor-neutral; everything here applies whether you're rolling out Joan, Robin, Archie, Lobby or a homegrown tablet kiosk.

1. What the display actually is, in security terms

Be precise about this in writing before you start. A meeting-room display is, almost always, one of three things:

  • A purpose-built e-ink panel that reads calendar data over the internet via OAuth (the modern category: Joan, Lobby, similar).
  • A consumer tablet (typically iPad or Fire) running a vendor app in kiosk mode (Robin Rooms, Archie, the DIY route).
  • A small Windows or Android device wired to a TV, running the vendor app full-screen.

These have different threat models. Treat them differently:

  • The e-ink panel is an IoT device on Wi-Fi. Worry about network segmentation, firmware update channel, and OAuth scope.
  • The tablet is a fully capable computer. Worry about MDM, kiosk lockdown, app updates, and "what happens if a guest pries it off the wall."
  • The Windows or Android stick is a server pretending to be a sign. Worry about everything in the tablet bucket, plus patch cadence on the OS itself.

The InfoSec questionnaire usually looks the same for all three. Your answer sheet should not.

2. Network segmentation

Put room displays on their own VLAN. Not the corporate network. Not the same VLAN as the laptops. A dedicated IoT or "rooms" VLAN, with firewall rules that allow:

  • Outbound HTTPS to the vendor's API endpoints (specific hostnames, not "any internet").
  • Outbound to Microsoft 365 or Google Workspace endpoints if the device authenticates directly.
  • NTP. Time drift breaks calendars in subtle, infuriating ways.
  • DNS to a controlled resolver.

Block:

  • Lateral movement to the corporate VLAN.
  • Inbound connections from anywhere except the management plane.
  • Direct internet on any port other than the ones above.

This single decision (a real VLAN with real ACLs) closes off most of the plausible attack chain on a room display, and it's the question InfoSec will ask first. Have the VLAN ID, the ACL summary, and the vendor's hostname allowlist ready in one document.

3. MDM and kiosk lockdown (for tablet and Windows displays)

If the display is a tablet or Windows stick, it must be enrolled in an MDM. No exceptions. The MDM profile should:

  • Lock the device to a single app in kiosk mode (Single App Mode on iPad, Assigned Access on Windows, Lock Task Mode on Android).
  • Disable Bluetooth pairing, AirDrop, AirPlay and any sharing surface a passer-by could trigger.
  • Disable the camera and microphone unless the vendor app actively needs them.
  • Force a long device passcode, with the vendor app whitelisted in Guided Access so users never see the prompt.
  • Auto-install OS and app updates on a controlled cadence.
  • Wipe-on-loss enabled, with the device location reported to a single admin account.

E-ink displays don't need MDM in the same sense, but they need an equivalent: a vendor-side device console where you can list every panel, see firmware versions, and remote-wipe a unit that walks off. If your prospective vendor doesn't have one, that's a flag.

4. OAuth scopes and the principle of least privilege

This is the question security teams are increasingly sharp on, and the one most vendors fudge. Three rules.

First, the display app must use application permissions (also called service-account permissions), not delegated user permissions. A display is not a user.

Second, the scopes must be the minimum that makes the product work. For most read-only displays:

  • Microsoft Graph: Calendars.Read on room mailboxes only.
  • Google Workspace: https://www.googleapis.com/auth/calendar.events.readonly on the room calendars only.

If the display offers check-in or release-from-the-display, it needs Calendars.ReadWrite or calendar.events. Don't grant write scopes to a display that doesn't need them. If your vendor insists on full-mailbox or domain-wide write, that's a flag.

Third, the access must be scoped at the tenant level so that even if the credential leaks, the blast radius is limited.

  • M365: ApplicationAccessPolicy scoped to a single mail-enabled security group containing only the room mailboxes.
  • Google Workspace: domain-wide delegation restricted to the specific OAuth client and the read-only scope, with the delegation reviewed quarterly.

You want the answer to "if this vendor is breached tomorrow, what could the attacker see?" to be: "the titles of meetings in our 47 conference rooms, for the period the credential was live, and nothing else."

5. Firmware and update channels

Two questions to ask the vendor, on paper:

  • How often do you ship firmware updates, and where can I see the changelog?
  • What's the update channel? Signed images pulled from a CDN over HTTPS, or pushed from your servers via a tunnel?

The good answer is: signed firmware images, distributed over HTTPS, pulled by the device on a schedule, with a published changelog. The questionable answer is: an always-on outbound tunnel with no signing. The bad answer is: silence.

For tablets and Windows displays, the same logic applies to the vendor app. Auto-update should be on. Pinning to a specific version is sometimes justifiable for change-control reasons, but only if you also commit to a manual review cadence. Stale versions are how known CVEs become incidents.

6. What data lives on the display, and where it goes

Three categories of data are touching a meeting-room display:

  • Calendar metadata. Meeting titles, organiser names, attendee count, start and end times.
  • Booking interactions. Who tapped check-in, who released the room, who booked the next slot from the panel.
  • Telemetry. Battery, firmware version, last-sync time, error logs.

The questions InfoSec will ask:

  • Where does this data live in transit? (Answer: TLS 1.2+ to the vendor's API, full-stop.)
  • Where does it live at rest, and for how long? (Answer: in the vendor's database; the retention period should be in the contract.)
  • What sub-processors does the vendor use? (Answer: a list. AWS, GCP, a CDN. Read it.)
  • Is the data ever used to train models or shared with anyone? (Answer in the DPA: no.)

The retention period for calendar data in particular matters. A lot of vendors quietly hold meeting metadata in logs for 90 days or more. For a room called "HR-1-4-Layoffs-Discussion," that retention is the question your CISO will lose sleep over. Get the number in writing.

7. GDPR and the privacy of meeting titles

This one trips up offices in the EU specifically.

Meeting titles can contain personal data. ("1:1 with Anna" is personal data. "Performance review, Anna" is personal data.) That makes the room display a processor of personal data on behalf of your company, with everything that implies under Article 28 of the GDPR.

Two things have to be in place:

  • A signed Data Processing Agreement with the vendor, listing the categories of data, the retention period, sub-processors, and the safeguards.
  • A way to operate the display without exposing meeting titles to walk-by viewers, when you need it. Most modern displays support a "private meeting" mode where the title is replaced with "Reserved" or "Busy" if the meeting is marked private. Configure this. Test it.

If you operate a room where titles are sensitive (HR, exec, M&A), default that room to private at the calendar level (M365: Set-MailboxFolderPermission with AvailabilityOnly; Google: free/busy only). The display should never see the title in the first place.

8. Physical security

The boring question that breaks rollouts.

Where is the display mounted, and is it bolted to the wall? E-ink panels are typically locked to a magnetic mount or a tamper-evident bracket. Tablets in kiosk mode are typically in a kiosk enclosure (Heckler, Bouncepad, Armodilo) with a key.

Three follow-up questions:

  • If the device walks off, what's on it? (For a tablet: cached Exchange tokens. For an e-ink panel: usually a refresh token. Both should be remote-revocable.)
  • Can the device be put into recovery mode by a determined visitor? (For iPads: yes, unless you use Activation Lock with Apple Business Manager. Use Apple Business Manager.)
  • Can someone read the screen from across a public area? (For rooms whose titles you've decided are sensitive: maybe. Default those rooms to "Reserved" mode.)

9. Logging, monitoring and incident response

Two questions, asked precisely:

  • What logs does the vendor surface to me, and how? (Should be at minimum: device-level connectivity, sync events, auth failures, firmware versions. Ideally exportable to your SIEM via webhook or syslog.)
  • What's your incident-disclosure SLA? (Should be in the DPA. 24 to 72 hours is normal.)

If the answers are "we don't surface logs" and "we'll let you know," you have a vendor that's not ready for an enterprise rollout. There are vendors that are. Pick one of those.

Have a written runbook for: a stolen display, a leaked OAuth credential, a vendor breach disclosure. One page each. The runbook is what the security review is really asking for.

10. The InfoSec answer sheet

The thing your security team actually wants is one document. Single page. Copy-pasteable. Here's the skeleton:

  • Vendor: name, primary contact, security contact.
  • Data flow: which calendars are read, what data is sent where, retention period.
  • Authentication model: application permission, scope list, tenant-side restriction.
  • Network: VLAN ID, allowlisted hostnames, ACL summary.
  • Device management: MDM profile name (or vendor console URL for e-ink), kiosk-lockdown configuration.
  • Update model: firmware update channel, app update cadence, signing.
  • Sub-processors: list, with regions.
  • Compliance: DPA signed (Y/N, link), SOC 2 report (link or upon request), ISO 27001 (Y/N), GDPR Art. 28 contract (Y/N).
  • Incident SLA: hours to disclosure.
  • Owners: who in your team owns the display estate, who's the on-call.

If you can fill that page in honestly, the rollout will pass review. If you can't fill a row, that row is the work.

The 20-minute pre-rollout review

Before the first display goes on the wall, walk this list:

  • VLAN exists, ACLs are tight, vendor hostnames documented?
  • MDM profile exists (tablets) or vendor device console exists (e-ink)?
  • OAuth registration uses application permissions, with read-only scopes only?
  • ApplicationAccessPolicy or scoped delegation in place, restricted to room mailboxes or room calendars?
  • Firmware and app auto-update enabled?
  • DPA signed, retention period in writing, sub-processor list reviewed?
  • Sensitive rooms set to free/busy-only or private-meeting mode?
  • Physical mounts ordered, with locks, and Activation Lock (or equivalent) configured?
  • Logging path documented; incident runbooks written?
  • The InfoSec answer sheet exists and is filled in?

Ten bullets, twenty minutes, before any panel powers on. Saves the three weeks of back-and-forth that otherwise happens.

TL;DR

  • A meeting-room display is one of three security archetypes: e-ink IoT, tablet kiosk, Windows or Android stick. Treat each accordingly.
  • Put displays on their own VLAN, with hostname-level allowlisting outbound and no lateral access inbound.
  • Tablet and Windows displays need MDM with single-app kiosk lockdown. E-ink displays need a vendor console with remote-wipe.
  • Use application-level OAuth, read-only scopes only, scoped to room mailboxes or room calendars at the tenant level.
  • Sign the DPA, write down retention, read the sub-processor list. Default sensitive rooms to free/busy-only.
  • Mount physically, with locks. Configure Activation Lock or equivalent.
  • Surface logs to your SIEM where the vendor allows. Write the incident runbook before you need it.
  • Fill in the InfoSec answer sheet on one page. That's the rollout review, in writing.

If you're early in the vendor selection and want a security review answer sheet that's already filled in, that's something Lobby's onboarding team will hand you on day one, alongside a clean device console and a Google Workspace integration scoped to room calendars only. Microsoft 365 support is on the way.

Sources

  • NIST IoT Device Cybersecurity Capability Core Baseline (NISTIR 8259A): csrc.nist.gov
  • Microsoft Learn, Limiting application permissions to specific Exchange Online mailboxes: learn.microsoft.com
  • Apple, Single App Mode and Activation Lock with Apple Business Manager: support.apple.com
  • UK Information Commissioner's Office, Article 28 controllers and processors: ico.org.uk
  • Cloud Security Alliance, IoT Security Controls Framework: cloudsecurityalliance.org

Try Lobby — free forever up to 3 displays

Room booking that just works.

Get started →