Control messaging with external users in your Webex App spaces
How does restricting external messaging work?
When you restrict external messaging for your users (or groups), this is what happens:
- 
          Your restrictions apply to all new spaces (spaces created after you change your restriction settings). 
- 
          We apply your restrictions to your users' participation in existing spaces; both those owned by your organization and those owned by external organizations. When you disable external communication, new external participants can’t join internal spaces, and new internal participants can’t join external spaces. However, existing members can still communicate between internal and external spaces as before. These restrictions apply only to new participants joining after you disable external communication. Existing members retain their communication privileges within their spaces. 
- 
          People are prevented from joining spaces if your settings restrict their participation. 
- 
          We don’t retroactively remove users or groups from spaces if your changes would prevent them from joining. 
- 
          After you have restricted external messaging, users who leave group spaces could be prevented from rejoining. This is because we apply the restrictions as people join. 
- 
          Your restrictions don’t apply to bots. 
Webex currently doesn't allow restricting certain users from creating spaces while permitting them to participate in existing ones. You should consider this limitation when managing user permissions.
Which domains are restricted?
You can use the External Communications controls to define a sophisticated policy that meets your organization's requirements, whether those are more permissive or more restrictive.
- Allow all external messaging
- The most permissive option, which doesn’t restrict messaging with users from external domains.
- Allow all domains except the blocked domains
- A permissive option, which allows communications with all domains except a list of blocked domains.
- Allow selected domains only
- A restrictive option, which prevents communications with all domains except a list of allowed domains. If you have an empty allow list, this becomes the most restrictive option. It is equivalent to "Block all external messaging".
Who is affected by the restrictions?
You can further refine your External Communications by defining which user groups are affected by the allow list or block list.
- Allow all users except for selected groups
- The policy has a wide effect. If you leave the groups list empty, it means all users in your organization are governed by the allow list or block list. Add groups to the list if you want to exempt them from the allow/block list.
- Allow selected groups only
- The policy has a narrow effect. If you leave the groups list empty, no users are governed by the allow list or block list. You can add groups to the list to include them in the allow/block policy
| 1 | Sign in to Control Hub ( https://admin.webex.com) and go to . | 
| 2 | Select Allow selected domains only. | 
| 3 | Read the caution and Confirm. | 
| 4 | Click Manage allowed domains and then remove all domains from the allow list. An empty allow list means that no domains are allowed for external communications. | 
| 5 | Click Manage group permissions and select Allow all users except the selected groups. Remove all groups from the list. No groups are exempted from the allow list. That means everybody is governed by the empty allow list. | 
All users in your organization are restricted from communicating with anyone in external organizations.
| 1 | On the Organization Settings page, find External Communication and select Allow all domains except the blocked domains. You see who this setting currently applies to, and links to Manage allowed domains and Manage group permissions. | 
| 2 | Click Manage blocked domains to create your block list. You'll see your list of Blocked domains. The list is empty if this is your first time. Otherwise, you can sort or search (filter) the list. | 
| 3 | To remove domains, check the boxes next to the domains and click Remove. Confirm you want to Remove the domains. The domains are removed from the block list. | 
| 4 | Click Manage group permissions to define who can use the list: You'll see a list of groups that are related to the block list. The default state is Allow all users except for the selected groups. If there are no groups on the list, then all groups are affected by the block list. You can also choose Allow selected groups only. If there are no groups on the list, then no groups are affected by the block list. Either way, you create a list of groups as follows: | 
| 5 | To remove groups from the list: | 
Before you begin
| 1 | On the Organization Settings page, find External Communication and select Allow selected domains only. You see who this setting currently applies to, and links to Manage allowed domains and Manage group permissions. | 
| 2 | Click Manage allowed domains to create your allow list. You'll see your list of Allowed Domains and the status of each. The list is empty if this is your first time. Otherwise, you can sort or search (filter) the list. | 
| 3 | To remove domains, check the boxes next to the domains and click Remove. Confirm you want to Remove the domains. The domains are removed from the allow list. | 
| 4 | Click Manage group permissions to define who can use the list: You'll see a list of groups that are related to the allow list. The default state is Allow all users except for the selected groups. If there are no groups on the list, then all groups may use the allow list. You can also choose Allow selected groups only. If there are no groups on the list, then no groups may use the allow list. Either way, you create a list of groups as follows: | 
| 5 | To remove groups from the list: | 
How does the allow list affect my users (or groups)?
Users or groups in your organization can communicate with users whose email addresses are in the domains on your allow list. Specifically, users or groups can:
- 
            Add people from those domains into spaces owned by your organization. 
- 
            Join spaces created by people from those domains. 
- 
            Create spaces with people from those domains. 
When users from your organization start to share a space with users in an external organization using a Webex board, the allowed domains list is not applied and the space is not shared.
What does the status mean?
- 
            Claimed in Webex means one organization controls this domain, and other organizations cannot have users with this domain. 
- 
            Verified means an organization has proved that it owns the domain. 
- 
            Unverified means that no organization has yet proven that it owns the domain. That does not mean users from these domains are impostors, because Webex organizations are not required to verify their domains. 
Read more about Managing domains and why we recommend verifying your domains.
| 1 | Sign in to Control Hub ( https://admin.webex.com) and go to . | 
| 2 | Enable Group Spaces. | 
Users in your organization can't be invited to group spaces owned by another organization. This ensures that for compliance your organization has access to all data generated by participants across spaces.
Sometimes you want to add or remove more than a few domains to your allow list. For these bulk operations, you can use CSV file import and/or export.
We don't remove domains from the list if they are not in the imported CSV file. We also don't add (duplicate) domains from the CSV file if they are already on your list.
| 1 | On the Organization Settings page, find External Communication. | 
| 2 | Click Manage allowed domains. You'll see your list of domains. | 
| 3 | Add up to 1000 domains to the list: | 
| 4 | To remove multiple domains from the list: | 
People in your organization may be able to make calls to external people in the following scenarios:
- 
          If your users make calls using a Webex SIP address. For more information, see Cisco Webex SIP Addresses. 
- 
          
          If you have an on-premises call environment and assign Hybrid Calling to your users. For more information, see the Deployment Guide for Cisco Webex Hybrid Call Service. 
- 
          
          If you have cloud calling through Webex Calling and assign the Webex Calling service to your users.